Skip to main content

Gen.Variant.Kazy.535458_d4a55cc7b4


Gen:Variant.Kazy.535458 (B) (Emsisoft), Gen:Variant.Kazy.535458 (AdAware), ZeroAccess.YR (Lavasoft MAS)Behaviour: Malware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: d4a55cc7b461baa492d09def48760fb6

SHA1: 9e299ead1493fd92c710ac91f6749976d29b01a0

SHA256: 2c790a7829b5f3c3f27ed9d4daba7562c0889eef1303fb9c568d7af6b5f497eb

SSDeep: 12288:LTV JiEdghdusjrGSPl8xkXCb3GgiQvdvUEuXK8awp9st5IQxq2M:Pxpjr/DXQiQdUEcX2hM

Size: 625664 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2015-01-06 02:36:08

Analyzed on: WindowsXP SP3 32-bit

Summary: Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

%original file name%.exe:3076
%original file name%.exe:3928
%original file name%.exe:2184
%original file name%.exe:2656
%original file name%.exe:2840
%original file name%.exe:4024
%original file name%.exe:4092
%original file name%.exe:2320
%original file name%.exe:3552
%original file name%.exe:2484
%original file name%.exe:2480
%original file name%.exe:3792
%original file name%.exe:2120
%original file name%.exe:3852
%original file name%.exe:2400
%original file name%.exe:3996
%original file name%.exe:548
%original file name%.exe:1916
%original file name%.exe:348
%original file name%.exe:1460
%original file name%.exe:1672
%original file name%.exe:2912
%original file name%.exe:1792
%original file name%.exe:1796
%original file name%.exe:3644
%original file name%.exe:1068
%original file name%.exe:3564
%original file name%.exe:1824
%original file name%.exe:3568
%original file name%.exe:2996
%original file name%.exe:2496
%original file name%.exe:928
%original file name%.exe:2412
%original file name%.exe:2392
%original file name%.exe:828
%original file name%.exe:2256
%original file name%.exe:2796
%original file name%.exe:2252
%original file name%.exe:3772
%original file name%.exe:2900
%original file name%.exe:2472
%original file name%.exe:3628
%original file name%.exe:2772
%original file name%.exe:2776
%original file name%.exe:3140
%original file name%.exe:3272
%original file name%.exe:3148
%original file name%.exe:2308
%original file name%.exe:2540
%original file name%.exe:1716
%original file name%.exe:2980
%original file name%.exe:4048
%original file name%.exe:3388
%original file name%.exe:2176
%original file name%.exe:3160
%original file name%.exe:2076
%original file name%.exe:3580
%original file name%.exe:3956
%original file name%.exe:304
%original file name%.exe:3216
%original file name%.exe:2764
%original file name%.exe:380
%original file name%.exe:1932
%original file name%.exe:1776
%original file name%.exe:240
%original file name%.exe:388
%original file name%.exe:2836
%original file name%.exe:3508
%original file name%.exe:2276
%original file name%.exe:244
%original file name%.exe:2576
%original file name%.exe:1840
%original file name%.exe:3016
%original file name%.exe:2992
%original file name%.exe:3096
%original file name%.exe:644
%original file name%.exe:2676
%original file name%.exe:3188
%original file name%.exe:2372
%original file name%.exe:1224
%original file name%.exe:3124
%original file name%.exe:1228
%original file name%.exe:3696
%original file name%.exe:2800
%original file name%.exe:1900
%original file name%.exe:2880
%original file name%.exe:3368
%original file name%.exe:1980
%original file name%.exe:3692
%original file name%.exe:3360
%original file name%.exe:1988
%original file name%.exe:3088
%original file name%.exe:1032
%original file name%.exe:3084
%original file name%.exe:2360
%original file name%.exe:3600
%original file name%.exe:2152
%original file name%.exe:636
%original file name%.exe:2580
%original file name%.exe:2420
%original file name%.exe:464
%original file name%.exe:3892
%original file name%.exe:1596
%original file name%.exe:3520
%original file name%.exe:3288
%original file name%.exe:2188
%original file name%.exe:3280
%original file name%.exe:220
%original file name%.exe:3688
%original file name%.exe:3444
%original file name%.exe:3680
%original file name%.exe:1028
%original file name%.exe:2892
%original file name%.exe:3964
%original file name%.exe:3532
%original file name%.exe:816
%original file name%.exe:1452
%original file name%.exe:3116
%original file name%.exe:2100
%original file name%.exe:2692
%original file name%.exe:1108
%original file name%.exe:4080
%original file name%.exe:2736
%original file name%.exe:3868
%original file name%.exe:2868
%original file name%.exe:3632
%original file name%.exe:2436
%original file name%.exe:3460
%original file name%.exe:2816
%original file name%.exe:2948
%original file name%.exe:3068
%original file name%.exe:1052
%original file name%.exe:2944
%original file name%.exe:2340
%original file name%.exe:2228
%original file name%.exe:3196
%original file name%.exe:3432
%original file name%.exe:4004
%original file name%.exe:2348
%original file name%.exe:1196
%original file name%.exe:1568
%original file name%.exe:2036
%original file name%.exe:2672
%original file name%.exe:3480
%original file name%.exe:2748
%original file name%.exe:3812
%original file name%.exe:2500
%original file name%.exe:3916
%original file name%.exe:2724
%original file name%.exe:612
%original file name%.exe:1816
%original file name%.exe:1608
%original file name%.exe:3428
%original file name%.exe:3228
%original file name%.exe:1860
%original file name%.exe:1600
%original file name%.exe:940
%original file name%.exe:356
%original file name%.exe:2004
%original file name%.exe:3224
%original file name%.exe:2604
%original file name%.exe:3340
%original file name%.exe:804
cscript.exe:3920
cscript.exe:1300
cscript.exe:2848
cscript.exe:3712
cscript.exe:3228
cscript.exe:2304
cscript.exe:132
cscript.exe:2860
cscript.exe:3412
cscript.exe:3344
cscript.exe:2172
cscript.exe:3808
cscript.exe:2524
cscript.exe:1072
cscript.exe:2528
cscript.exe:344
cscript.exe:1376
cscript.exe:2244
cscript.exe:280
cscript.exe:548
cscript.exe:348
cscript.exe:3992
cscript.exe:2460
cscript.exe:1524
cscript.exe:2916
cscript.exe:3936
cscript.exe:1796
cscript.exe:1956
cscript.exe:3336
cscript.exe:3152
cscript.exe:1228
cscript.exe:3640
cscript.exe:2316
cscript.exe:2992
cscript.exe:1064
cscript.exe:2996
cscript.exe:3244
cscript.exe:2804
cscript.exe:2264
cscript.exe:2060
cscript.exe:3848
cscript.exe:2064
cscript.exe:2252
cscript.exe:2288
cscript.exe:2904
cscript.exe:3940
cscript.exe:1028
cscript.exe:2828
cscript.exe:3032
cscript.exe:3308
cscript.exe:1484
cscript.exe:3148
cscript.exe:4044
cscript.exe:2308
cscript.exe:3476
cscript.exe:3472
cscript.exe:2544
cscript.exe:2548
cscript.exe:2788
cscript.exe:1256
cscript.exe:2384
cscript.exe:368
cscript.exe:2072
cscript.exe:3108
cscript.exe:2668
cscript.exe:3844
cscript.exe:3812
cscript.exe:2280
cscript.exe:3956
cscript.exe:2764
cscript.exe:380
cscript.exe:244
cscript.exe:240
cscript.exe:3268
cscript.exe:2832
cscript.exe:3316
cscript.exe:3392
cscript.exe:2272
cscript.exe:3012
cscript.exe:3468
cscript.exe:2208
cscript.exe:644
cscript.exe:2792
cscript.exe:2376
cscript.exe:2928
cscript.exe:2596
cscript.exe:3596
cscript.exe:2592
cscript.exe:3804
cscript.exe:2456
cscript.exe:2452
cscript.exe:3004
cscript.exe:3000
cscript.exe:2196
cscript.exe:3900
cscript.exe:3164
cscript.exe:1900
cscript.exe:2200
cscript.exe:2880
cscript.exe:3368
cscript.exe:1980
cscript.exe:3364
cscript.exe:2560
cscript.exe:3696
cscript.exe:2368
cscript.exe:2684
cscript.exe:188
cscript.exe:2680
cscript.exe:2428
cscript.exe:3600
cscript.exe:2624
cscript.exe:3608
cscript.exe:3524
cscript.exe:3728
cscript.exe:3724
cscript.exe:2188
cscript.exe:220
cscript.exe:868
cscript.exe:3904
cscript.exe:3376
cscript.exe:3440
cscript.exe:3684
cscript.exe:3500
cscript.exe:3964
cscript.exe:2108
cscript.exe:2752
cscript.exe:2100
cscript.exe:1512
cscript.exe:740
cscript.exe:1160
cscript.exe:2436
cscript.exe:3324
cscript.exe:2632
cscript.exe:3672
cscript.exe:2948
cscript.exe:3736
cscript.exe:2344
cscript.exe:1052
cscript.exe:1968
cscript.exe:4000
cscript.exe:2224
cscript.exe:3436
cscript.exe:1568
cscript.exe:1112
cscript.exe:2500
cscript.exe:2648
cscript.exe:2724
cscript.exe:2644
cscript.exe:1276
cscript.exe:3484
cscript.exe:3352
cscript.exe:3056
cscript.exe:2132
cscript.exe:3052
cscript.exe:3780
cscript.exe:1040
cscript.exe:3540
cscript.exe:3380
cscript.exe:948
cscript.exe:4012
cscript.exe:3788
cscript.exe:804

The Malware injects its code into the following process(es):

fGAwoYMM.exe:1864
reIEcoQI.exe:232
NesIMIQs.exe:228

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:3076 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AikAYYsE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EosMskMk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AikAYYsE.bat (0 bytes)

The process %original file name%.exe:3928 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZyEgAEoE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XYwgogYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XiEscooM.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEIssgcU.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZyEgAEoE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XiEscooM.bat (0 bytes)

The process %original file name%.exe:2184 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cAkkgUUE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EegIIkAM.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EegIIkAM.bat (0 bytes)

The process %original file name%.exe:2656 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QCowssYQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZQcQcsMg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QCowssYQ.bat (0 bytes)

The process %original file name%.exe:2840 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iigQokYY.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KeYQEIQA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iigQokYY.bat (0 bytes)

The process %original file name%.exe:4024 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xqsMAIQM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ocAAsUsQ.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xqsMAIQM.bat (0 bytes)

The process %original file name%.exe:4092 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uiswAccA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FyowAYIU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FyowAYIU.bat (0 bytes)

The process %original file name%.exe:2320 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eKAQckoA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lsUYUoIM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uyoEIMoU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\huwEcEoU.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eKAQckoA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uyoEIMoU.bat (0 bytes)

The process %original file name%.exe:3552 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tQMsAcUs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fqMUsgso.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mskosYkY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DMMwAEck.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tQMsAcUs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fqMUsgso.bat (0 bytes)

The process %original file name%.exe:2484 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WockIEgs.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PMsUEkgA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WockIEgs.bat (0 bytes)

The process %original file name%.exe:2480 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LQQkEMwU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PyoUwIEM.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LQQkEMwU.bat (0 bytes)

The process %original file name%.exe:3792 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wYYMYUks.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uWwogccE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uWwogccE.bat (0 bytes)

The process %original file name%.exe:2120 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AKkIUoYc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vucYgcYk.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AKkIUoYc.bat (0 bytes)

The process %original file name%.exe:3852 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QaIUcAUs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LkEsggoM.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LkEsggoM.bat (0 bytes)

The process %original file name%.exe:2400 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rusAscwU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bwAMEsMM.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rusAscwU.bat (0 bytes)

The process %original file name%.exe:3996 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QosEYAco.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SOwIEUsE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SOwIEUsE.bat (0 bytes)

The process %original file name%.exe:548 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kyUYYwoQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JKwIUoow.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kyUYYwoQ.bat (0 bytes)

The process %original file name%.exe:1916 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nyQUoEcY.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XEwcwMok.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nyQUoEcY.bat (0 bytes)

The process %original file name%.exe:348 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aGoUYMEw.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dIwoAwMk.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dIwoAwMk.bat (0 bytes)

The process %original file name%.exe:1460 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aIEUsUoo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XgkEoAAs.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UIoIMMkw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NIEUkEIA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XgkEoAAs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UIoIMMkw.bat (0 bytes)

The process %original file name%.exe:1672 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eOAEcIoQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oksIgYMU.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eOAEcIoQ.bat (0 bytes)

The process %original file name%.exe:2912 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MyUQoIAQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LUYIIcQw.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LUYIIcQw.bat (0 bytes)

The process %original file name%.exe:1792 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HYMkQgQI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BMgEYgUQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BMgEYgUQ.bat (0 bytes)

The process %original file name%.exe:1796 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oEkYUEEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qCYIgMss.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cIUoMMwM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWsksgII.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cIUoMMwM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jWsksgII.bat (0 bytes)

The process %original file name%.exe:3644 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rUoMYAwc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DskEMwcU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DskEMwcU.bat (0 bytes)

The process %original file name%.exe:1068 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FyEcwAgo.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lOkkQMMo.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lOkkQMMo.bat (0 bytes)

The process %original file name%.exe:3564 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OOskgIEQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hmUEwsUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XikMAgEM.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\maEEAYAc.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hmUEwsUQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\maEEAYAc.bat (0 bytes)

The process %original file name%.exe:1824 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rYggkkYk.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AisAYoYc.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AisAYoYc.bat (0 bytes)

The process %original file name%.exe:3568 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DmAUkMkg.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YoEIoEUo.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DmAUkMkg.bat (0 bytes)

The process %original file name%.exe:2996 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NSEoowcQ.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AQQwMooM.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AQQwMooM.bat (0 bytes)

The process %original file name%.exe:2496 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FYUcQoYE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uCYQAUgM.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FYUcQoYE.bat (0 bytes)

The process %original file name%.exe:928 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MwscoIgU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FyscQsgU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FyscQsgU.bat (0 bytes)

The process %original file name%.exe:2412 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gGowookg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\twQEgQwc.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\twQEgQwc.bat (0 bytes)

The process %original file name%.exe:2392 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\usQswYoI.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jIAwMYgc.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jIAwMYgc.bat (0 bytes)

The process %original file name%.exe:828 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iukgEUQU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gWIQIwko.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iukgEUQU.bat (0 bytes)

The process %original file name%.exe:2256 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sIgQQwEk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HuYYAIMU.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sIgQQwEk.bat (0 bytes)

The process %original file name%.exe:2796 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aAUYQgcA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gIkgIoEA.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gIkgIoEA.bat (0 bytes)

The process %original file name%.exe:2252 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wMMoQEAA.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VwsMMMoA.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VwsMMMoA.bat (0 bytes)

The process %original file name%.exe:3772 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LmscEwQs.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SOAAMwEU.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SOAAMwEU.bat (0 bytes)

The process %original file name%.exe:2900 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oqEocAIc.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xEMIcsIQ.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xEMIcsIQ.bat (0 bytes)

The process %original file name%.exe:2472 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EaMcAQsY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WeMwscsk.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WeMwscsk.bat (0 bytes)

The process %original file name%.exe:3628 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kKosksok.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oIIkcYgU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oIIkcYgU.bat (0 bytes)

The process %original file name%.exe:2772 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MMcoYcMY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HyIIUMAg.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HyIIUMAg.bat (0 bytes)

The process %original file name%.exe:2776 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KycAAEYU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zUgMgAwQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zUgMgAwQ.bat (0 bytes)

The process %original file name%.exe:3140 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KucAAkkA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gaAcQMIY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\quEssMww.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HOUkEEEo.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KucAAkkA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HOUkEEEo.bat (0 bytes)

The process %original file name%.exe:3272 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IOIcQEck.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uccUUcQU.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uccUUcQU.bat (0 bytes)

The process %original file name%.exe:3148 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DcMYEkIw.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kgAgsEMk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DcMYEkIw.bat (0 bytes)

The process %original file name%.exe:2308 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\okkEMMAo.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vqEgAwYs.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\okkEMMAo.bat (0 bytes)

The process %original file name%.exe:2540 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TiwEAwQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZKgckogQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZKgckogQ.bat (0 bytes)

The process %original file name%.exe:1716 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gassAQcw.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QYgwYEgE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QYgwYEgE.bat (0 bytes)

The process %original file name%.exe:2980 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jGQksQEI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QWMkAQkU.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jGQksQEI.bat (0 bytes)

The process %original file name%.exe:4048 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kOgMkckU.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vaUsIQko.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vaUsIQko.bat (0 bytes)

The process %original file name%.exe:3388 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OIEokAEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jOswgwUQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jOswgwUQ.bat (0 bytes)

The process %original file name%.exe:2176 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qMQEEYEc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lkcUYYEU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lkcUYYEU.bat (0 bytes)

The process %original file name%.exe:3160 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EWUwYsIQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fWcQEEco.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EWUwYsIQ.bat (0 bytes)

The process %original file name%.exe:2076 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wKwwYkwY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\muwkMIQU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\muwkMIQU.bat (0 bytes)

The process %original file name%.exe:3580 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MowosgAg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKUIYQoU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QcIwEgYs.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hiQIocMA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MowosgAg.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QcIwEgYs.bat (0 bytes)

The process %original file name%.exe:3956 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zIkoEwMo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PwUYEsEI.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PwUYEsEI.bat (0 bytes)

The process %original file name%.exe:304 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LUEgUMsI.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hikAIoww.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hikAIoww.bat (0 bytes)

The process %original file name%.exe:3216 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oEAoIIQg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UkMAMcwo.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UkMAMcwo.bat (0 bytes)

The process %original file name%.exe:2764 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZoEQccQc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vaYMQYcY.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vaYMQYcY.bat (0 bytes)

The process %original file name%.exe:380 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eUQAEYEE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NiocYYMA.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eUQAEYEE.bat (0 bytes)

The process %original file name%.exe:1932 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rGgIoEcg.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lQgkQkkU.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lQgkQkkU.bat (0 bytes)

The process %original file name%.exe:1776 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OgEUgsUQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\waoUYMAk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OgEUgsUQ.bat (0 bytes)

The process %original file name%.exe:240 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aUYIYMcY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AcscEkgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PMcgQQAE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aaMskYwI.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AcscEkgI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PMcgQQAE.bat (0 bytes)

The process %original file name%.exe:388 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vCEIEkIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOMkEIsA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MCAQgAkY.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LGAIkYII.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vCEIEkIA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOMkEIsA.bat (0 bytes)

The process %original file name%.exe:2836 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bKMsIogI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PUsYggkI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PUsYggkI.bat (0 bytes)

The process %original file name%.exe:3508 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ziAggAYA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qCAgIUck.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qCAgIUck.bat (0 bytes)

The process %original file name%.exe:2276 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xYYoQMgo.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ykoMYoUI.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ykoMYoUI.bat (0 bytes)

The process %original file name%.exe:244 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RisUIwgo.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dcMwcEEo.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RisUIwgo.bat (0 bytes)

The process %original file name%.exe:2576 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zeAwMMEw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MIMQwQYs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iiocMYsc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mQoMUUYk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lYccoAEI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imAAgYIA.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (540 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MIMQwQYs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\imAAgYIA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zeAwMMEw.bat (0 bytes)

The process %original file name%.exe:1840 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JOQEMAYI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DWAskUMs.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JOQEMAYI.bat (0 bytes)

The process %original file name%.exe:3016 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PKgQYwQo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AAIEMYkg.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PKgQYwQo.bat (0 bytes)

The process %original file name%.exe:2992 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MMcYokEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EykYYwgc.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EykYYwgc.bat (0 bytes)

The process %original file name%.exe:3096 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EeMkIAcE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QcYAIwUs.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QcYAIwUs.bat (0 bytes)

The process %original file name%.exe:644 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NcMAUock.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\acQEowkw.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NcMAUock.bat (0 bytes)

The process %original file name%.exe:2676 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hKgEoIUM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZQgcgkkk.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZQgcgkkk.bat (0 bytes)

The process %original file name%.exe:3188 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UIwgokYs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSgIokoM.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fSgIokoM.bat (0 bytes)

The process %original file name%.exe:2372 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yUMEkMIY.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hSUIIQsY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yUMEkMIY.bat (0 bytes)

The process %original file name%.exe:1224 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nkQQMgkY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fAoIAQMg.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fAoIAQMg.bat (0 bytes)

The process %original file name%.exe:3124 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bYUIAUMI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GqEAEEUM.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\bYUIAUMI.bat (0 bytes)

The process %original file name%.exe:1228 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WkEcYYwg.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qmgoYkYI.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qmgoYkYI.bat (0 bytes)

The process %original file name%.exe:3696 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eOcoQssE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TSIkAsgI.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eOcoQssE.bat (0 bytes)

The process %original file name%.exe:2800 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XQYUAQQk.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jkEwYIQk.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jkEwYIQk.bat (0 bytes)

The process %original file name%.exe:1900 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rWQoAwEI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CqEcUEAM.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rWQoAwEI.bat (0 bytes)

The process %original file name%.exe:2880 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vgooIccw.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vsUooIoM.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vgooIccw.bat (0 bytes)

The process %original file name%.exe:3368 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iusQYcoc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TSwkQQUU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TSwkQQUU.bat (0 bytes)

The process %original file name%.exe:1980 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HeMwUYcA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\feIwEIcE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BkwoUkcU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VogYcwgw.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VogYcwgw.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BkwoUkcU.bat (0 bytes)

The process %original file name%.exe:3692 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jmccUQEo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PMYIooQc.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PMYIooQc.bat (0 bytes)

The process %original file name%.exe:3360 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WGEgYcgA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aegogUoI.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WGEgYcgA.bat (0 bytes)

The process %original file name%.exe:1988 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\suQYYwYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QUkMIgcY.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\suQYYwYI.bat (0 bytes)

The process %original file name%.exe:3088 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NGgEEIwc.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EsgYwUQU.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EsgYwUQU.bat (0 bytes)

The process %original file name%.exe:1032 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iucscMwE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aEUkEMEA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iucscMwE.bat (0 bytes)

The process %original file name%.exe:3084 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sqgkkQkg.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BGAUYsgg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sqgkkQkg.bat (0 bytes)

The process %original file name%.exe:2360 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nCEswUkU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zukoUEcs.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zukoUEcs.bat (0 bytes)

The process %original file name%.exe:3600 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OqggowoY.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SscAogYQ.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OqggowoY.bat (0 bytes)

The process %original file name%.exe:2152 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AwMsEgwM.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QeUEQggs.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AwMsEgwM.bat (0 bytes)

The process %original file name%.exe:636 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GkcEMscM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AwcssIcs.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AwcssIcs.bat (0 bytes)

The process %original file name%.exe:2580 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ruMAUcsE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wUssIscA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ruMAUcsE.bat (0 bytes)

The process %original file name%.exe:2420 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kuYIIUQI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wOUgUAks.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kuYIIUQI.bat (0 bytes)

The process %original file name%.exe:464 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RYEAscMY.bat (4 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3777 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xKIMEUMQ.bat (112 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3753 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RYEAscMY.bat (0 bytes)

The process %original file name%.exe:3892 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AsYEQcIQ.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CQcgMokE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CQcgMokE.bat (0 bytes)

The process %original file name%.exe:1596 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ugcUIIgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VKUAQgYU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VKUAQgYU.bat (0 bytes)

The process %original file name%.exe:3520 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZUMYskUw.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zCQwsIwQ.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZUMYskUw.bat (0 bytes)

The process %original file name%.exe:3288 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SekAcgcA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JoogQMEI.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\geIIMoMo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LAcAswsY.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SekAcgcA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LAcAswsY.bat (0 bytes)

The process %original file name%.exe:2188 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YsMQoIYI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KsUkMUks.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YsMQoIYI.bat (0 bytes)

The process %original file name%.exe:3280 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jUwkoYgI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XWgQgsEo.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jUwkoYgI.bat (0 bytes)

The process %original file name%.exe:220 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xeAQgQAU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bUkAUAIo.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xeAQgQAU.bat (0 bytes)

The process %original file name%.exe:3688 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KSwQYcME.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fEQoAkYQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fEQoAkYQ.bat (0 bytes)

The process %original file name%.exe:3444 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XwYcEwwU.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SCMEwUYQ.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SCMEwUYQ.bat (0 bytes)

The process %original file name%.exe:3680 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KkwYUUIw.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mmUswwQM.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mmUswwQM.bat (0 bytes)

The process %original file name%.exe:1028 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PSgwwgAE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eQwEkQkM.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PSgwwgAE.bat (0 bytes)

The process %original file name%.exe:2892 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AEMcgUcU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XwoYsUQI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XwoYsUQI.bat (0 bytes)

The process %original file name%.exe:3964 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sMoAsQUY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lcYgUUsk.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lcYgUUsk.bat (0 bytes)

The process %original file name%.exe:3532 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mecYwwgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IsgIgwEE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IsgIgwEE.bat (0 bytes)

The process %original file name%.exe:816 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LUIUowgI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yuoUQUwo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MgkIIUsQ.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rEskQEYA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LUIUowgI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yuoUQUwo.bat (0 bytes)

The process %original file name%.exe:1452 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jMoMQAQM.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NEscsQsc.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jMoMQAQM.bat (0 bytes)

The process %original file name%.exe:3116 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zCAkIwYc.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wMEocYwo.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wMEocYwo.bat (0 bytes)

The process %original file name%.exe:2100 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\boQIYsUY.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hEoscAoQ.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hEoscAoQ.bat (0 bytes)

The process %original file name%.exe:2692 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HacEYgQg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VCcIAgYY.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VCcIAgYY.bat (0 bytes)

The process %original file name%.exe:1108 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wQoAEoQQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NCMsAMoU.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wQoAEoQQ.bat (0 bytes)

The process %original file name%.exe:4080 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CiwcUowk.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cSEAgEss.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CiwcUowk.bat (0 bytes)

The process %original file name%.exe:2736 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xEgwMMcc.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wmoMQkwo.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xEgwMMcc.bat (0 bytes)

The process %original file name%.exe:3868 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kMckAIEY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\doAUAoYI.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\doAUAoYI.bat (0 bytes)

The process %original file name%.exe:2868 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kkcgUwQM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tWYkAIco.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kkcgUwQM.bat (0 bytes)

The process %original file name%.exe:3632 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eMEwQkoM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WcIYgkQQ.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eMEwQkoM.bat (0 bytes)

The process %original file name%.exe:2436 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZkIIEkkU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WgYUAEoo.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZkIIEkkU.bat (0 bytes)

The process %original file name%.exe:3460 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cKsEUggA.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VOIcIsEQ.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cKsEUggA.bat (0 bytes)

The process %original file name%.exe:2816 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BswcogUk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TWAIQkQU.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BswcogUk.bat (0 bytes)

The process %original file name%.exe:2948 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OQwgQYcg.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RYsQkAwM.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RYsQkAwM.bat (0 bytes)

The process %original file name%.exe:3068 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RUMEkMIU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gIkgEEwM.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RUMEkMIU.bat (0 bytes)

The process %original file name%.exe:1052 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sqYEYIsw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JuUUkUEk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sqYEYIsw.bat (0 bytes)

The process %original file name%.exe:2944 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pWQAMgIY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MOUQQUsY.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pWQAMgIY.bat (0 bytes)

The process %original file name%.exe:2340 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GaoYUAEw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cYAUooAc.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cYAUooAc.bat (0 bytes)

The process %original file name%.exe:2228 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SGkEEsEQ.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RQgoYwMg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SGkEEsEQ.bat (0 bytes)

The process %original file name%.exe:3196 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jiQkcUcQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZoAMUowU.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZoAMUowU.bat (0 bytes)

The process %original file name%.exe:3432 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tqMMYcsk.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pAMIYYQE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pAMIYYQE.bat (0 bytes)

The process %original file name%.exe:4004 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aUswAQso.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QYIkswoc.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QYIkswoc.bat (0 bytes)

The process %original file name%.exe:2348 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tcEwUAIg.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bAkMUsYY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tcEwUAIg.bat (0 bytes)

The process %original file name%.exe:1196 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cawckwMs.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DqsEEkss.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cawckwMs.bat (0 bytes)

The process %original file name%.exe:1568 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zAkQQIEk.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nmwwwgoI.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zAkQQIEk.bat (0 bytes)

The process %original file name%.exe:2036 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wmcUEIYg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xqMcAcsw.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xqMcAcsw.bat (0 bytes)

The process %original file name%.exe:2672 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VwQgoMcw.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The process %original file name%.exe:3480 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IeMUkcAc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vUkkUoYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ieUkAYsM.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MwQQkAUg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IeMUkcAc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vUkkUoYM.bat (0 bytes)

The process %original file name%.exe:2748 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mQwAEAAQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jmscsoIY.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jmscsoIY.bat (0 bytes)

The process %original file name%.exe:3812 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gyUEQQAk.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NMgcQksw.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NMgcQksw.bat (0 bytes)

The process %original file name%.exe:2500 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aisIAAAE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JUAcIkss.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aisIAAAE.bat (0 bytes)

The process %original file name%.exe:3916 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\suwUoEMw.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HWosQYYI.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\suwUoEMw.bat (0 bytes)

The process %original file name%.exe:2724 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AAoQUIsI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pmYgMwsI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pmYgMwsI.bat (0 bytes)

The process %original file name%.exe:612 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scgcYYQI.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vmoogEMM.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\scgcYYQI.bat (0 bytes)

The process %original file name%.exe:1816 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KuowMoog.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XmAIEwsA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KuowMoog.bat (0 bytes)

The process %original file name%.exe:1608 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kUkYsIUE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rEQcAUUg.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rEQcAUUg.bat (0 bytes)

The process %original file name%.exe:3428 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BqcAYQgM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rcAQosEI.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rcAQosEI.bat (0 bytes)

The process %original file name%.exe:3228 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EggcIsww.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PysUoIwc.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PysUoIwc.bat (0 bytes)

The process %original file name%.exe:1860 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\maAQoIcg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dkAUggUo.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dkAUggUo.bat (0 bytes)

The process %original file name%.exe:1600 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GEYQgwYo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ioIwUkQg.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WCkMsAwU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SQAsAscY.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SQAsAscY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ioIwUkQg.bat (0 bytes)

The process %original file name%.exe:940 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gEgoMoos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wgoMcQAc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nSEoAoww.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mMcckssw.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nSEoAoww.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mMcckssw.bat (0 bytes)

The process %original file name%.exe:356 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YIQcssYE.bat (4 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OKogQIAc.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YIQcssYE.bat (0 bytes)

The process %original file name%.exe:2004 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SEQUsIoA.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IeoEQkQc.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IeoEQkQc.bat (0 bytes)

The process %original file name%.exe:3224 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ckIcsIAA.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YiYAsAAU.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YiYAsAAU.bat (0 bytes)

The process %original file name%.exe:2604 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mUUQEwow.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JcAIIAsk.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JcAIIAsk.bat (0 bytes)

The process %original file name%.exe:3340 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RscEMcgY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lWYMAEEw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dGkswsIU.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bUgQYUww.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lWYMAEEw.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bUgQYUww.bat (0 bytes)

The process %original file name%.exe:804 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IkkQUQow.bat (112 bytes)
C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VosAgIgw.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VosAgIgw.bat (0 bytes)

The process NesIMIQs.exe:228 makes changes in the file system.


The Malware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
C:\totalcmd\TcUsbRun.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)

Registry activity

The process %original file name%.exe:3076 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 9A 62 BB BB F0 23 F4 7B E6 CC 69 8A 28 8F 26"

The process %original file name%.exe:3928 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 5B 86 1A 08 A2 C3 54 AD 7A 9E 5E 61 D1 C2 B1"

The process %original file name%.exe:2184 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 2A 5F 48 D9 9C 19 4F A6 0D B2 F5 4F 6B DB 66"

The process %original file name%.exe:2656 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 E0 6A C7 5B DC 77 25 E7 43 C3 49 18 9E B6 01"

The process %original file name%.exe:2840 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 76 93 67 DF 13 C9 3A C6 17 16 92 A4 19 AB 08"

The process %original file name%.exe:4024 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "87 17 5C 7B B4 17 BA 21 45 10 AE 67 8E 92 7D DB"

The process %original file name%.exe:4092 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 01 C0 DA 69 C5 BD 70 B1 86 B9 3C 2C F6 CA 9D"

The process %original file name%.exe:2320 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 C0 65 54 F8 FF C8 3E 1D 40 CC BE 11 BA 4B 84"

The process %original file name%.exe:3552 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB D9 A6 8D 43 D8 7D D0 23 C1 54 07 EF B6 12 CE"

The process %original file name%.exe:2484 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE CB 91 10 6A 85 58 2D 15 68 BB 2B 32 2A 70 1F"

The process %original file name%.exe:2480 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 B1 CB E9 3C 9D C7 63 D2 5C EE 42 72 2F 9C 90"

The process %original file name%.exe:3792 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 50 A8 22 99 6B B9 62 91 B3 05 C9 10 16 DF 81"

The process %original file name%.exe:2120 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF F6 E8 D0 77 06 0A 86 07 7C C3 BB CD A9 64 61"

The process %original file name%.exe:3852 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF ED 8C C1 D1 D7 41 70 D1 85 57 4F 72 50 9B 88"

The process %original file name%.exe:2400 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB B5 54 C4 E6 CD 33 B3 2C CE 4F 1A E8 42 6F 1D"

The process %original file name%.exe:3996 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A EC A7 5D A0 BB 87 7D B4 3E 0A E1 E0 22 C6 B0"

The process %original file name%.exe:548 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 2D 5A 73 E7 A7 DD 65 A8 28 64 62 47 EB 40 D5"

The process %original file name%.exe:1916 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 4B 72 D5 88 68 A7 E8 33 9B 63 61 BC 12 75 77"

The process %original file name%.exe:348 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F C6 9D EA 23 8C BB 61 49 6C 6C 47 19 80 38 63"

The process %original file name%.exe:1460 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 57 3A E2 8E 87 A9 90 3C E3 B8 CF 7E EF CE 51"

The process %original file name%.exe:1672 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 67 C7 2E B8 87 B1 96 2A B7 2B 56 DC C1 7A EF"

The process %original file name%.exe:2912 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD DB FF 40 C8 5F A7 0B BC 37 82 3C 57 DB DF 65"

The process %original file name%.exe:1792 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 C4 C6 87 B1 4F 4C 15 06 72 B7 BB A4 86 1C 40"

The process %original file name%.exe:1796 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 28 53 B4 60 83 91 A8 15 7A A8 18 90 B7 DE C5"

The process %original file name%.exe:3644 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 11 4F EE A8 4A 65 9B 3D 50 EB 77 47 15 EA 24"

The process %original file name%.exe:1068 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 D0 CD C3 A0 52 25 0C E3 6C C7 A9 2E BD 7E CA"

The process %original file name%.exe:3564 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 0D 78 39 DD A8 51 A6 71 5A 09 22 D0 99 3C 32"

The process %original file name%.exe:1824 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 AA 9F 6F 1E 69 E5 45 19 D6 E8 68 5D 08 78 17"

The process %original file name%.exe:3568 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 10 95 E7 5F 31 01 57 A5 BA 24 68 4A AC F2 BB"

The process %original file name%.exe:2996 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 15 60 44 25 7E 52 93 68 AD 70 7F 35 02 36 5C"

The process %original file name%.exe:2496 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 30 86 B4 51 E4 BA 09 A9 A3 BF DB C2 93 38 4F"

The process %original file name%.exe:928 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 C5 EC A5 86 04 67 CC 6B 59 C3 1F 57 B8 46 F3"

The process %original file name%.exe:2412 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 3B 18 3E CF B6 2E 19 DD B2 46 9F 07 BC 8A 99"

The process %original file name%.exe:2392 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 09 9A 99 91 15 CD 45 70 2D C0 87 57 C4 9C D2"

The process %original file name%.exe:828 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 C6 C5 7F C8 E7 78 9D 5E 5D A6 81 EB FF 2B 12"

The process %original file name%.exe:2256 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 23 52 9B E1 5A 3D 23 FE 4D 0D 7D 4D 96 B4 12"

The process %original file name%.exe:2796 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 23 B5 71 86 C2 A7 8F A6 09 7C 50 7D 50 E1 0A"

The process %original file name%.exe:2252 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 8A A5 76 5A 66 A8 14 80 FC 98 8F 77 AC 80 07"

The process %original file name%.exe:3772 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F EA 86 3C 46 62 09 31 A4 D0 76 52 9F B5 E6 5C"

The process %original file name%.exe:2900 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA F6 90 AC 78 46 25 4E 74 A3 19 79 8A DA D3 83"

The process %original file name%.exe:2472 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3B 4C 28 D6 85 81 8E D0 39 53 8F 1D CE 00 D8 1C"

The process %original file name%.exe:3628 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 D1 E2 F1 98 5F 71 13 8A 22 75 84 37 43 8C DA"

The process %original file name%.exe:2772 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 D1 4D A7 0A CB 61 25 5C 64 9F 18 69 A9 BE C2"

The process %original file name%.exe:2776 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 A4 54 E4 25 09 F7 DE A6 DD 13 FA A7 7C 14 F5"

The process %original file name%.exe:3140 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E DD C4 B2 BE 63 0E B8 0F F4 84 88 D3 F0 B4 6A"

The process %original file name%.exe:3272 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 68 95 DA 46 C8 49 42 56 1F 4E 37 4D 43 15 53"

The process %original file name%.exe:3148 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 64 4A F5 E9 5C 9D 75 55 74 F8 DF 21 C2 3E 5F"

The process %original file name%.exe:2308 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 54 1B 52 02 82 B5 6E E1 45 24 87 D7 F5 ED A8"

The process %original file name%.exe:2540 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 0F AA 8B 4C 83 6B 80 43 8B 2E DF 28 93 A8 29"

The process %original file name%.exe:1716 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 E6 AB F3 7F B8 78 D8 57 5A 3F 05 25 F4 53 9D"

The process %original file name%.exe:2980 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE CA 60 8B 5D B1 F7 60 C4 24 2D 8A DC 9D CC B7"

The process %original file name%.exe:4048 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A F5 D6 63 A8 31 32 10 36 A0 4F 51 90 41 9E 59"

The process %original file name%.exe:3388 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 51 36 24 0C 57 EA 18 C7 67 35 D6 BE 9B 75 90"

The process %original file name%.exe:2176 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 AE 89 56 EE 17 0F F9 84 6D 71 38 92 BA 04 E2"

The process %original file name%.exe:3160 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 B5 18 6F A9 7D DF EB 80 14 9E 5B D1 F4 CF E1"

The process %original file name%.exe:2076 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 F4 B1 D2 67 BA E2 90 10 B9 4B 4B 8B 48 50 6D"

The process %original file name%.exe:3580 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 3C F6 ED F4 35 D8 E9 3E 9B 07 16 6F 21 F3 33"

The process %original file name%.exe:3956 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 BC 61 63 C0 F0 D8 28 15 8D 09 45 86 4F C8 9A"

The process %original file name%.exe:304 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 0C 54 4A 64 62 26 04 EA 1C C2 96 AF F2 B6 EB"

The process %original file name%.exe:3216 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 8E CC 0F B7 D7 37 FF 94 D7 28 AF F2 A3 BB 43"

The process %original file name%.exe:2764 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 B2 98 94 36 40 43 1C 5E 7E 95 32 0A 96 5A B5"

The process %original file name%.exe:380 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 E3 41 B6 20 8D DC 02 74 BF DA 60 71 0D E5 FF"

The process %original file name%.exe:1932 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 DC 27 41 E4 59 53 AE B4 8F A6 83 5C 76 49 FB"

The process %original file name%.exe:1776 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 43 83 2A A2 2B FF 02 9A 7D FD 4A ED 0E 13 D0"

The process %original file name%.exe:240 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED D1 69 11 DC B0 3D 74 29 9D 6B 24 8D C5 6F DE"

The process %original file name%.exe:388 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 F4 BF 39 7B 29 EB 02 4F 8B CE 59 7E 80 8B 53"

The process %original file name%.exe:2836 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 24 79 89 9D 12 0B E5 C6 23 61 FD 37 AE C2 04"

The process %original file name%.exe:3508 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 87 E2 62 68 02 FC F6 88 B3 8D 1D 45 95 AC 7B"

The process %original file name%.exe:2276 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 50 3E E6 F7 2F B2 04 B2 70 67 AA 99 08 43 45"

The process %original file name%.exe:244 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 ED 36 13 ED B0 D4 A9 F1 DF E2 2B 67 CA 8E AF"

The process %original file name%.exe:2576 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 25 7C 79 8E F2 2B 0C A8 F0 75 1E A9 6A 4B 4E"

The process %original file name%.exe:1840 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 16 27 BD ED CF D2 B0 11 C5 5B D1 DF 9E B4 24"

The process %original file name%.exe:3016 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 26 C9 DE 6E BF 54 66 81 89 BD D0 8A 4F A8 F0"

The process %original file name%.exe:2992 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F D8 38 58 39 07 88 F9 57 4D 81 53 35 AD 77 B1"

The process %original file name%.exe:3096 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 40 B9 16 F6 C7 AA 18 4D BC 58 39 E8 60 CD CD"

The process %original file name%.exe:644 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 60 B6 A3 FA 7A 34 3F A4 85 8D AE BA DB F5 09"

The process %original file name%.exe:2676 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 9E 79 48 E4 84 9E 59 B3 4C 91 57 FC 67 63 A5"

The process %original file name%.exe:3188 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 D3 04 8F 6A 75 90 DA D2 86 DC AD 43 CD 6F 74"

The process %original file name%.exe:2372 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 CC 0B 26 82 26 D7 08 F6 2A 4A C4 2E 1B B7 A2"

The process %original file name%.exe:1224 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 69 1B 5E B8 18 67 0E 7F 15 AE 27 84 A8 8E 2F"

The process %original file name%.exe:3124 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 AE 4D 3D 3A 91 F0 5F 6C C4 38 73 FC 1D 0C 72"

The process %original file name%.exe:1228 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 03 1C 53 B8 34 8E 93 B3 02 04 B0 EE B4 47 C3"

The process %original file name%.exe:3696 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 45 B8 4D 1B 30 D1 62 34 A6 54 07 FF 75 02 F8"

The process %original file name%.exe:2800 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 46 F8 D7 40 C8 4E 4A 2E D4 D6 09 1C 5F A2 DF"

The process %original file name%.exe:1900 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 3B 55 9B 25 56 AF E5 B7 69 D2 24 72 AF DA 11"

The process %original file name%.exe:2880 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 C2 7B 23 7A AD 46 0E F4 AE 37 4F D3 5A AE A1"

The process %original file name%.exe:3368 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 63 A8 68 8E 7A 54 FB B0 B8 72 E0 3F 88 56 0A"

The process %original file name%.exe:1980 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B B8 F2 24 92 85 1B 58 10 40 F3 44 70 0F AE 3E"

The process %original file name%.exe:3692 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 2D A8 9E DE 2D BC 6A 15 D3 F1 94 A6 3A 78 71"

The process %original file name%.exe:3360 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 89 E5 69 87 A1 65 E4 98 9D 3A 87 14 0F D1 10"

The process %original file name%.exe:1988 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 F6 3C E0 A9 A2 DD 31 BE 9F E3 42 2C 9C 38 DF"

The process %original file name%.exe:3088 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D D3 2D 32 97 8F CC 6F 02 F4 17 9E FF 3C 61 D3"

The process %original file name%.exe:1032 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 06 ED 3A B7 9F B4 88 7C B1 7F EE 9E C6 7D E3"

The process %original file name%.exe:3084 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 18 B2 35 8B B3 79 F9 17 C8 5C CA FD CE 23 54"

The process %original file name%.exe:2360 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 4E 70 59 84 F1 31 53 6E BD 85 01 3A 0F 3F 3B"

The process %original file name%.exe:3600 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 3E 63 2C 69 0E 91 75 87 57 75 0C EB FC 8B 88"

The process %original file name%.exe:2152 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 89 6F D6 8F 26 58 D7 CE 24 13 A8 A8 56 BF 8A"

The process %original file name%.exe:636 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 9F F3 F3 DA 7F 15 9F 69 26 8E 70 EC A7 62 DA"

The process %original file name%.exe:2580 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 3B 9B 0B 1B 24 EE A0 65 C2 B0 F1 18 A2 A1 E3"

The process %original file name%.exe:2420 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 04 BA 76 13 64 C1 05 94 B7 AD B1 7E 6C 8A FE"

The process %original file name%.exe:464 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 25 67 3A 26 60 F5 89 AC 8A 10 9A C6 8A 57 61"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:3892 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 20 6E 45 3A 33 64 1E A4 75 4D E4 93 B5 B8 3D"

The process %original file name%.exe:1596 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C AD 3A FB 20 7D A9 E8 63 16 8B 82 A6 9A 3C 55"

The process %original file name%.exe:3520 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 6A C0 98 70 FF A4 87 6E 15 09 A7 52 43 46 EB"

The process %original file name%.exe:3288 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 25 86 97 80 48 F0 5A 6F 2E 15 87 60 15 8F B8"

The process %original file name%.exe:2188 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 37 0B 83 3D 6A 74 F5 20 56 71 56 4F 7C A8 D3"

The process %original file name%.exe:3280 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 B5 5F 68 B8 8C AD 8B A2 59 D5 2A 4A 40 51 D7"

The process %original file name%.exe:220 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 65 EE 4F 18 64 DA 38 8C F8 85 5B 7E 97 44 40"

The process %original file name%.exe:3688 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 23 90 FE 7E 8A 7D 8A BA 57 F9 86 CA 6C E1 26"

The process %original file name%.exe:3444 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 9E 36 EB 6B A9 4A A1 52 53 4D B1 50 8F F5 A9"

The process %original file name%.exe:3680 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D E9 7E 35 DD BD 5D BC B6 54 3C 0E AA 5D 70 9A"

The process %original file name%.exe:1028 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 6D D5 A7 30 C9 A5 A2 7C AA 2B 94 F5 A2 D1 71"

The process %original file name%.exe:2892 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 34 4E 2D 36 F2 FF 17 D6 82 CE BE AE FE A3 64"

The process %original file name%.exe:3964 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 01 71 C1 BE 45 C5 5D 0D 79 E6 19 19 35 1D B4"

The process %original file name%.exe:3532 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 34 27 0D 28 B9 23 68 65 32 DE 0F C6 29 45 51"

The process %original file name%.exe:816 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 7D 42 D4 C4 D2 2A FB AA 10 7C BA 9E CA 28 AB"

The process %original file name%.exe:1452 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 FC A8 A3 AE EB 86 35 73 2E 71 CB B9 07 75 14"

The process %original file name%.exe:3116 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 78 87 FC F8 B0 A5 C9 65 D2 22 A4 DE F0 7D A9"

The process %original file name%.exe:2100 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 1A A0 40 F1 A8 FF 28 F6 FA 2F AD A5 0E AC B5"

The process %original file name%.exe:2692 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 54 9F 23 3D EF 06 FD 59 81 C3 2C 33 44 5C 17"

The process %original file name%.exe:1108 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 E5 00 44 7C E4 21 86 93 A0 F1 7B 98 D5 C2 B5"

The process %original file name%.exe:4080 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 C4 A4 CA 47 E9 6B CA E7 93 DF A5 16 A9 3F 10"

The process %original file name%.exe:2736 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 7A 12 B7 C4 47 A5 0D 59 00 F8 52 6D F7 F7 C1"

The process %original file name%.exe:3868 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 04 E4 A9 80 FD BE D0 0D DD 3F EF 3E 83 90 C6"

The process %original file name%.exe:2868 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 B9 C7 D3 6C 10 DE 6F FF 41 6E D2 09 51 D9 4A"

The process %original file name%.exe:3632 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D BA B7 8E 0C 45 66 21 DC 3B F5 3E 00 D2 D3 C1"

The process %original file name%.exe:2436 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 5C 8C 4E 2D C9 D3 26 41 1E 8C A2 8A 26 38 A0"

The process %original file name%.exe:3460 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 E2 F7 59 D8 4B 21 0F B1 CC 56 7D BC DB AB E4"

The process %original file name%.exe:2816 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 DB D6 81 3D 76 9E 9B 7B A1 B5 8C 92 C1 40 7D"

The process %original file name%.exe:2948 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 6C 1F 27 97 9A BD 9E EA 90 25 B9 19 F8 ED 0C"

The process %original file name%.exe:3068 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 ED AA 85 98 B0 FB CB B4 54 57 80 F4 5E 74 E6"

The process %original file name%.exe:1052 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "75 EA 79 A7 D2 59 DB 39 58 08 56 FF 38 6E 8B 77"

The process %original file name%.exe:2944 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 62 DD 0E 7B 9E 71 C0 4D 0E AF 38 4A 3A EF 1C"

The process %original file name%.exe:2340 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 32 55 1C AC 56 9B AB B6 00 D9 CF 69 AB 3A 03"

The process %original file name%.exe:2228 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 B0 F9 82 B6 0C 17 18 C9 3F 41 C9 FC 5D A6 11"

The process %original file name%.exe:3196 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC 0A AF DB DC 2E 3C 4C B6 F6 46 BA D3 AE 5D 3B"

The process %original file name%.exe:3432 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "82 90 A0 00 DB CD FE ED D9 F7 49 F6 D9 11 80 2D"

The process %original file name%.exe:4004 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 92 2C 0F 7E 10 F0 B4 DC 22 AF 27 34 27 90 06"

The process %original file name%.exe:2348 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 04 8B 3C E0 C6 CF 27 D0 67 BF E7 2F DE 04 26"

The process %original file name%.exe:1196 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C B6 3A 83 93 0B 94 F4 70 87 69 BA F8 D3 65 E2"

The process %original file name%.exe:1568 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 76 0F 79 19 90 F3 D9 6E 7E 05 72 9A F0 5C 62"

The process %original file name%.exe:2036 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 73 F3 47 14 1A 2D 46 53 9A C9 39 84 07 30 57"

The process %original file name%.exe:2672 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 41 5C D1 28 CF 9A BA 08 12 E7 41 A8 DC C1 61"

The process %original file name%.exe:3480 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 CC 09 8D 22 FF 75 D4 CD 62 F5 78 B3 6C E4 C7"

The process %original file name%.exe:2748 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 1D EE EB FF 3E 94 BC 68 EF CE 7F 93 5A 3E 20"

The process %original file name%.exe:3812 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 EC 62 AE EE 43 F7 EA 2F 39 75 81 F4 63 3A 7D"

The process %original file name%.exe:2500 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 91 CD 61 36 23 C9 52 03 ED 62 85 CB C1 33 3F"

The process %original file name%.exe:3916 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 5C BA FA 84 42 53 8F 6C 3F A6 8E 2C B6 4C 86"

The process %original file name%.exe:2724 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 F5 5B 2F 4F ED 75 BA C7 B4 E3 FC 4D 5B 9F C2"

The process %original file name%.exe:612 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "41 D2 E5 CC C4 65 0E 01 8F E8 8F 6E C4 37 F7 6A"

The process %original file name%.exe:1816 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE C6 AF 72 15 73 94 28 25 C1 E1 BC 8B AD 85 E5"

The process %original file name%.exe:1608 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 F6 3F 36 4A AA 83 9E 36 3E 1D 10 BD 2C 3E F4"

The process %original file name%.exe:3428 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 01 5A 89 19 59 81 77 F2 1E E0 2C BD CF 56 62"

The process %original file name%.exe:3228 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 19 00 BA 57 14 52 D1 B9 35 3A C5 86 43 FA 5B"

The process %original file name%.exe:1860 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 07 E2 B9 0A 03 83 1C 02 A6 05 2E 63 DC FB 19"

The process %original file name%.exe:1600 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 5A 49 7F 01 FA AA 2D C6 55 BA 53 03 06 7C DC"

The process %original file name%.exe:940 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 7C F1 15 3C AD 71 27 B0 EC 0A 01 3F 5D 27 84"

The process %original file name%.exe:356 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 DD 6F 8F FE 77 77 EE 1E A6 D1 AC 8F 41 1B 1E"

The process %original file name%.exe:2004 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 85 D4 4D 47 8C 51 47 CF 97 CD 50 34 7F 9B 73"

The process %original file name%.exe:3224 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 41 74 A3 7B C0 57 75 DF 52 91 9C C5 6F CC 86"

The process %original file name%.exe:2604 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 C8 41 24 F2 7D 7A 97 E3 E2 42 61 44 61 54 79"

The process %original file name%.exe:3340 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 36 31 36 CA A7 81 CD 45 EE EE F3 09 A8 C2 A0"

The process %original file name%.exe:804 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 DA 97 D6 8E A7 6A 7C 63 64 0F 3D 1B 10 CB 4F"

The process cscript.exe:3920 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 A6 8D 35 88 31 78 C1 C5 5A AF EB 87 60 07 50"

The process cscript.exe:1300 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 89 E4 15 8C 5F BC 29 9A 41 F1 D2 60 72 BC 4F"

The process cscript.exe:2848 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 0B 7F 39 48 CB 32 9F DA 9D 13 63 03 3C 19 AE"

The process cscript.exe:3712 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 6C F6 9B 95 1E 33 8C A1 AF BC 96 81 51 FF 47"

The process cscript.exe:3228 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF B3 6F 99 7C 05 C4 11 8A 14 AB BC 24 A1 F7 13"

The process cscript.exe:2304 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 C9 D3 E3 79 6E FC F5 AA 1A F2 64 C7 A0 3F 39"

The process cscript.exe:132 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A 36 FA A7 20 75 C3 C2 55 85 28 37 41 CC 6B 4D"

The process cscript.exe:2860 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D6 2D 00 B9 AB 7B 0A 2F 1C FD C3 AE D7 AF DD AE"

The process cscript.exe:3412 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 41 82 C1 B3 D8 1F AD 7B D1 53 6E D1 6E 72 B3"

The process cscript.exe:3344 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 6D CF E5 6A 22 DA B2 83 80 67 30 45 7B E0 2A"

The process cscript.exe:2172 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E9 24 40 13 F6 11 06 F8 7B 77 C4 44 C7 FD 11 6C"

The process cscript.exe:3808 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 F2 2B CB 7C A7 AE FE 5B E6 07 DD 7C 6F 9A B4"

The process cscript.exe:2524 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 E4 40 40 14 48 37 CF E4 18 F5 14 96 E0 80 4C"

The process cscript.exe:1072 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 2D AD 73 BF 40 E6 40 6C 66 40 87 CA 73 AF AD"

The process cscript.exe:2528 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 B4 F8 6F 53 05 06 04 50 29 53 9F 14 31 BA F7"

The process cscript.exe:344 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 79 C0 CB 0E C3 09 25 F0 F1 0F 04 D6 64 6B 35"

The process cscript.exe:1376 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 B1 9A 5C 13 1F C0 37 22 AD A5 2D 64 B3 BB 64"

The process cscript.exe:2244 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 AB C9 F2 73 D3 71 74 CC C4 7A E1 BA 03 79 F4"

The process cscript.exe:280 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 C1 F3 33 CE 4B 6F 77 79 B1 46 07 1D 56 3A 73"

The process cscript.exe:548 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A 45 4F E5 1D B6 4E 7A 69 11 C1 D0 FC F3 87 4F"

The process cscript.exe:348 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 4B B6 FB D1 67 80 AC 1E 9F 7D 0B 93 D8 8C 7B"

The process cscript.exe:3992 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 8F B5 ED AC 32 FC 0A BF 11 54 1E 1B E1 0E 77"

The process cscript.exe:2460 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 41 CB 4E 72 E5 3B 17 FE 48 74 9E 84 4E B8 C8"

The process cscript.exe:1524 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 93 FE 96 42 DE 1A 2A 17 C9 C2 72 B8 DF A0 32"

The process cscript.exe:2916 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 4B 18 09 85 8B 33 4D 97 99 BC C7 4D 17 0A 27"

The process cscript.exe:3936 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B5 83 6B 81 7A F9 2E C1 91 56 68 07 EE C6 5E 02"

The process cscript.exe:1796 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 5B 94 89 12 24 C0 E4 0C E2 FA F7 0D B8 7E 35"

The process cscript.exe:1956 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 EF 85 E6 C0 D7 E6 35 6C 0B 72 15 73 BC DA BF"

The process cscript.exe:3336 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 1B 47 11 BD 88 70 DD CC 30 93 54 D9 80 8F FE"

The process cscript.exe:3152 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 0E A6 34 E8 A3 4A 07 80 83 63 07 EC D2 32 3B"

The process cscript.exe:1228 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 E7 F8 10 36 E7 F1 29 47 63 70 DB 53 51 A3 00"

The process cscript.exe:3640 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 7F E6 10 25 51 99 6C A3 F3 62 58 CD D5 8F A7"

The process cscript.exe:2316 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 8A 88 F8 C7 BB 4E D8 61 A3 1E 54 DC 81 5D 3E"

The process cscript.exe:2992 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 6D 18 AD 03 6D 1F B3 1F A2 C3 21 03 9D CE 36"

The process cscript.exe:1064 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "94 79 4E 1F 0C E8 89 D3 80 A7 09 0D B6 05 5B 4F"

The process cscript.exe:2996 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 2C F2 7C 3E 87 7F 00 12 06 77 B3 E0 DC A6 EE"

The process cscript.exe:3244 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 42 D7 A5 C5 48 24 BF DC 1D D5 E2 1A 61 A1 14"

The process cscript.exe:2804 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 BF 29 92 BA EA 5C BC AB B0 D8 D6 58 21 FB 20"

The process cscript.exe:2264 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F5 E4 FA 7C 60 9A AC 55 64 CE EB 3F 42 D2 50 D5"

The process cscript.exe:2060 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 0E F6 5C 0D 24 DD 46 91 3A 7A 25 F7 F2 58 68"

The process cscript.exe:3848 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 A0 08 CA BB A1 C7 41 5C 6F EF 21 6D F3 4E CC"

The process cscript.exe:2064 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 7B 41 8B 2A B2 1D EC 7F B2 E0 75 A8 DE A8 8E"

The process cscript.exe:2252 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 F9 59 29 DD 3A AB F4 F7 85 93 37 84 9E CC 96"

The process cscript.exe:2288 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 73 B3 78 EF B9 50 10 4E 7D 41 6C 44 14 68 ED"

The process cscript.exe:2904 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C E6 DA C3 EA C6 08 C1 C9 E1 BD 3A 89 33 94 95"

The process cscript.exe:3940 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 B5 A7 3D AF A5 D3 C6 41 CE 63 40 3B E8 AA 9D"

The process cscript.exe:1028 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0B 5C 49 CD BC CB 91 4A 23 37 C9 B3 D5 62 5D C4"

The process cscript.exe:2828 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 31 71 13 7C 6A 48 BF 58 39 D1 71 B4 16 2F 23"

The process cscript.exe:3032 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 68 A3 AA D8 59 75 76 67 88 72 08 4F 97 A3 F6"

The process cscript.exe:3308 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B C1 E5 43 2D C7 22 34 D7 F3 C5 BB A1 EB FD 58"

The process cscript.exe:1484 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 37 76 90 02 96 9A F5 86 01 26 F5 C3 90 F1 CF"

The process cscript.exe:3148 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 58 3A 64 24 1F 07 1C 51 53 8A C2 9D 02 B9 3A"

The process cscript.exe:4044 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 87 7A 34 0E EE 83 99 B7 15 8E 52 9C BF 73 24"

The process cscript.exe:2308 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C CA BC 0F AD 3F 8C 5E 63 B7 4E 2F 50 16 4A E0"

The process cscript.exe:3476 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 6E 25 F2 16 F1 A0 EE 20 BA 54 0E 85 A4 B8 CC"

The process cscript.exe:3472 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 66 D6 D5 19 47 DF 39 73 4D B5 EF 8C A8 A9 F5"

The process cscript.exe:2544 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 43 1C DC 4E 2C 14 17 1F 8F C0 EA 91 21 FA 6E"

The process cscript.exe:2548 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 0B B1 E6 D5 26 0E 19 03 BD 67 84 7A 5F 9B 62"

The process cscript.exe:2788 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 0D 30 0D 0B EA 56 5B 5E AA E1 4D 2B 8F 40 D1"

The process cscript.exe:1256 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9C 8B 6D 41 D0 14 62 6E 3A FF E3 29 EA AF 57 F1"

The process cscript.exe:2384 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 A2 49 E3 27 76 6A 86 25 4C A1 06 FC 75 98 A3"

The process cscript.exe:368 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C7 06 7B 74 7A B6 00 7E A0 9B 95 65 CA 76 FF B5"

The process cscript.exe:2072 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF A0 71 2A 74 62 09 4D 28 75 36 86 02 02 FA 21"

The process cscript.exe:3108 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 D4 74 3F 77 5C 36 D0 51 3C CE 10 D1 15 03 0E"

The process cscript.exe:2668 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 63 02 A5 2C 46 03 4C 8E 28 5A 01 71 19 26 55"

The process cscript.exe:3844 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C 04 D4 68 9C 85 E4 A0 D5 38 3D FD 4B 00 FE A2"

The process cscript.exe:3812 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 18 FC 3F 9D 9E 75 83 C6 A7 EC 6E 00 C6 C3 15"

The process cscript.exe:2280 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 55 9C 99 2F D9 5F F2 05 68 15 1D 0E 44 B8 3D"

The process cscript.exe:3956 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 9F 55 AB 65 1F AC 60 B9 56 AE 3F 68 76 49 DB"

The process cscript.exe:2764 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 40 10 8E EA C4 D7 D8 3A 59 9F 33 83 85 D2 56"

The process cscript.exe:380 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 97 FA 77 89 7D E4 AE B5 40 17 D4 60 70 4B 10"

The process cscript.exe:244 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 22 AC AB CA A8 8B F7 2F D9 D4 0A 09 D3 5D 69"

The process cscript.exe:240 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 87 4F 3F 49 58 4C CE 29 35 9A B2 53 93 33 01"

The process cscript.exe:3268 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE FA 09 74 2C 89 E9 44 3D 6F 96 9F 3C A4 8E 6B"

The process cscript.exe:2832 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 99 7F B4 C4 CB A4 3C 02 8A C2 3C D0 CE 06 C8"

The process cscript.exe:3316 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 29 DC 7E FE 98 88 97 BF 8B 21 AE 9C 42 44 E0"

The process cscript.exe:3392 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 AD 08 78 FB CD 2B 8A 68 34 5A 60 EE B5 3C 8C"

The process cscript.exe:2272 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 88 11 F6 14 EE 8E 55 0C CA 9E F8 8B 40 C7 C0"

The process cscript.exe:3012 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 B9 C5 E5 7C 1F 40 1E FD 43 4B 1B 0A 17 21 8F"

The process cscript.exe:3468 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "80 EC 19 DD B6 D5 3F FC 2D B0 19 A2 E6 BB 2D 98"

The process cscript.exe:2208 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F F0 CD 7D 35 48 88 7D 81 93 1D 8F 29 7F 19 D9"

The process cscript.exe:644 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 2D E2 08 EE 0D D8 46 2C 66 C8 E8 FF 5B DE F1"

The process cscript.exe:2792 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 B2 8F 4A 7F 51 B9 FE 0B A1 B8 B7 F6 F4 28 6B"

The process cscript.exe:2376 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 74 26 A9 39 24 67 F1 AA 08 D5 B6 01 B9 B6 8F"

The process cscript.exe:2928 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE 17 A2 16 4D 53 6A 45 38 B2 22 68 B5 6D A2 05"

The process cscript.exe:2596 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1F 16 9D 43 FB 11 84 4B D6 48 3A EC 16 5D D1 0F"

The process cscript.exe:3596 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 35 5D 54 8D 6C 26 47 46 4A AD 3A F4 34 2F 2F"

The process cscript.exe:2592 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 73 DD 35 01 A1 3D 1D DF 97 F9 F3 0F DC 76 20"

The process cscript.exe:3804 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 6C DC E3 B1 B3 4E E2 CF 37 4B 44 40 6A C9 C7"

The process cscript.exe:2456 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 B1 48 96 32 C5 36 B1 62 00 8F 56 C9 41 FB 43"

The process cscript.exe:2452 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 79 B5 68 47 18 94 84 E1 15 76 42 0A FD 3B 09"

The process cscript.exe:3004 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 DF 33 85 77 FF 15 16 2E DE E7 91 AE C5 3D 5A"

The process cscript.exe:3000 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 F8 5B 3B 85 46 E3 89 D8 30 B9 AC 31 D7 0A 5E"

The process cscript.exe:2196 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AC C9 5B 7E 26 F9 2B 60 1B 16 24 2A 0B 8D 54 38"

The process cscript.exe:3900 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 6E 5D D7 BB 85 6B 35 7F 06 01 3D 3E 8A 47 F2"

The process cscript.exe:3164 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 48 10 D0 60 E8 CC 2F 40 DE 04 10 75 0C 6A F2"

The process cscript.exe:1900 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 07 3B 43 B3 DE 16 74 3B 92 6F 62 4A E4 FF 3E"

The process cscript.exe:2200 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 C7 9D 2F B4 26 D6 94 8C 7B 43 2B 07 4C 96 5F"

The process cscript.exe:2880 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 97 45 07 F8 58 92 A0 28 25 E9 D0 14 3F DA E3"

The process cscript.exe:3368 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 8B F2 E3 93 2B EF 27 17 5F 42 EE D3 05 52 32"

The process cscript.exe:1980 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 98 C2 91 D1 3B C2 49 8C 10 B8 EA 07 7A 3D 07"

The process cscript.exe:3364 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 64 CC 6B F2 BD A7 12 21 29 12 CB 42 81 F1 E4"

The process cscript.exe:2560 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 5B FC D9 51 F6 54 90 B6 EC 1F 1D 7C E8 D6 C4"

The process cscript.exe:3696 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD EB 93 74 C3 15 24 C5 3D 2E 88 05 2B 18 1D C2"

The process cscript.exe:2368 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 DE 87 CD 3D 1A 21 02 7B AF B9 35 F7 98 71 B3"

The process cscript.exe:2684 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 30 AB 5E 9F 6E 64 8F 0E 37 55 3D F6 B7 51 58"

The process cscript.exe:188 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 D2 B2 11 2B 3E BF C2 20 44 A5 9B 54 F3 86 73"

The process cscript.exe:2680 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F F0 E8 9B 25 2D 6D 35 A9 9B 63 80 E9 A2 F2 51"

The process cscript.exe:2428 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 09 C0 17 9C 29 04 BC 50 12 28 72 FF CC 61 4C"

The process cscript.exe:3600 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 BA 39 5D E2 A2 FB 40 F0 1B 4D 28 09 93 EE DE"

The process cscript.exe:2624 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B B1 D6 78 5C CA C8 D4 BD D9 A5 E1 83 F4 C3 7B"

The process cscript.exe:3608 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 47 0C C8 8C 6E 00 09 18 FE 85 86 CC D8 57 42"

The process cscript.exe:3524 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 83 DC D1 D4 F9 9F AA FF 63 B2 54 A9 AE 7E F0"

The process cscript.exe:3728 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 00 4C 07 7F 49 68 6C E4 ED 9E BD A0 BD 05 CD"

The process cscript.exe:3724 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 7E 65 8E F1 A1 75 07 AF 43 F3 B1 B4 2A E6 0F"

The process cscript.exe:2188 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 83 CE B5 1F D7 20 2A D6 3E 5C 15 D3 27 66 5A"

The process cscript.exe:220 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F 3C D2 A4 57 E5 D5 5A 0F 1F 40 A9 11 28 B4 E7"

The process cscript.exe:868 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 83 1F D4 24 3E 23 CB 4B 6A 85 08 B0 2C DF 43"

The process cscript.exe:3904 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A FD 39 0D D2 29 D3 01 2B F9 13 AB BE 83 67 95"

The process cscript.exe:3376 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 65 FA 3C 88 D4 E2 0F D3 03 F4 7F D8 57 61 AA"

The process cscript.exe:3440 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 07 FA C5 50 08 31 28 85 0D 62 B7 43 5F C6 B7"

The process cscript.exe:3684 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C B5 6C DD 78 7F 0F CA FA 93 AE 5A 4A 42 12 DB"

The process cscript.exe:3500 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 34 58 7D D4 AF 79 B0 B6 14 E0 C4 4E 91 36 ED"

The process cscript.exe:3964 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 0E CB F4 FD 15 9F E6 80 6C D9 80 E4 73 5D 7E"

The process cscript.exe:2108 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 88 CB A5 66 60 60 5C 59 C5 10 4C 6C F2 D7 E9"

The process cscript.exe:2752 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F 2C 7D DA 6C 64 BC 0E 83 26 D9 E6 7D 58 6B BA"

The process cscript.exe:2100 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 94 01 CA 8B 21 B4 1D 99 93 2C 15 54 F4 1B 13"

The process cscript.exe:1512 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 F2 35 D1 60 06 22 2D D9 EE 94 27 44 8D 6E 70"

The process cscript.exe:740 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 08 BC F0 7C B5 EC EC 0C 2F 96 C3 9F CA 0E 1B"

The process cscript.exe:1160 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 57 F5 94 7C D4 3B 9D EC A3 B6 57 A2 C8 52 E7"

The process cscript.exe:2436 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 40 59 40 61 E6 59 0C 51 71 C5 E1 81 E2 35 B9"

The process cscript.exe:3324 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F E5 00 D0 F7 8A D1 4F 71 B8 92 9F D7 A0 82 3A"

The process cscript.exe:2632 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "54 DD 16 0C 4C 84 A0 11 6A E3 80 DD A3 3E 56 7B"

The process cscript.exe:3672 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 3F 4C 91 B0 F2 5B 7A 9E 35 6F 59 41 08 02 74"

The process cscript.exe:2948 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "70 0D F0 1E 9B 4E 34 0F 42 75 3E FD 75 36 91 1C"

The process cscript.exe:3736 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 5C B8 D7 1B C2 23 7A 6D C5 57 B9 BB F7 89 39"

The process cscript.exe:2344 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 11 15 81 83 E3 D8 12 9E DF B7 D3 C2 5A 56 97"

The process cscript.exe:1052 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 04 D0 4F FC A0 75 28 E5 9F 0F 72 1E D7 E9 47"

The process cscript.exe:1968 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 4C 8F 22 CF 1D 0D DF 4A E2 6C B4 48 D8 D2 1D"

The process cscript.exe:4000 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 38 6B 07 09 60 86 C8 E1 79 2F 30 AE BB B4 EB"

The process cscript.exe:2224 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 1C 27 BA E2 35 54 A0 05 92 8F 09 71 68 F4 DB"

The process cscript.exe:3436 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 FD 10 07 4E 07 2A 90 17 7F FE 67 88 42 55 BA"

The process cscript.exe:1568 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 12 73 17 B2 48 96 90 96 63 22 64 09 CA 5F 20"

The process cscript.exe:1112 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4F A7 20 20 B2 1D 38 26 FF 2D 26 5A 63 D9 D5 99"

The process cscript.exe:2500 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 6D FB 43 7B E8 5F 7C 37 03 A2 B4 8E 76 42 6C"

The process cscript.exe:2648 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 21 DE 09 78 AF 33 95 80 01 63 3B 75 DC E2 86"

The process cscript.exe:2724 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 B0 39 2D 7B 19 37 87 A7 E9 50 E6 8C 0A 17 B0"

The process cscript.exe:2644 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A F2 04 A8 F7 19 20 C2 E7 DE 9B F9 A2 93 6C 95"

The process cscript.exe:1276 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 0F 38 53 35 AF 21 A1 CC 88 7C 1D A3 5D 78 79"

The process cscript.exe:3484 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 37 1B B0 27 76 7F C1 CF AD 3C 30 CD AA 91 A9"

The process cscript.exe:3352 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 1C 48 96 A9 22 07 B9 B3 A1 09 8A E0 35 B7 06"

The process cscript.exe:3056 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 74 FA C3 25 11 20 AD 50 3C 31 24 7E F3 E0 E8"

The process cscript.exe:2132 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 E8 05 27 C5 43 45 88 23 1A A1 8A DA 62 05 74"

The process cscript.exe:3052 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "08 70 DD 98 30 C7 30 74 C3 D8 41 BC C6 4D C7 0E"

The process cscript.exe:3780 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 F6 E0 B0 3A 1F EB 81 2D E1 24 DD E8 B4 BE 20"

The process cscript.exe:1040 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 7F FD 08 7E A3 51 C9 90 F0 25 68 63 98 61 A3"

The process cscript.exe:3540 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 1E BD 93 52 48 97 0F 5A 48 7C F7 56 CB 46 86"

The process cscript.exe:3380 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5D 4D 51 85 F3 2A 7D ED 7E EF A8 A4 73 B5 04 94"

The process cscript.exe:948 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 DE 86 E9 89 CE BD 73 88 0A F0 BE C6 C2 A9 91"

The process cscript.exe:4012 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 70 76 B5 D9 50 84 21 A2 82 EF 0C 83 EB B9 4C"

The process cscript.exe:3788 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 73 E1 03 36 B9 49 08 0D B3 70 8B 5F 23 74 48"

The process cscript.exe:804 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 B2 E3 D0 93 27 7C 9E A9 DE 9D BB 12 85 0D 08"

The process fGAwoYMM.exe:1864 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 FB 98 89 4B 3D 40 06 21 18 4E 37 65 C4 9D 6C"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process reIEcoQI.exe:232 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CE 5B 75 54 DB 88 01 DB 99 BA 45 B0 F7 C3 A5 02"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process NesIMIQs.exe:228 makes changes in the system registry.


The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E 90 79 A8 81 C4 C1 EC BA 03 47 B3 84 A1 EE 9B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

Dropped PE files

MD5 File path
ea444919153b1ea3caa97c5a585f7e54c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
d321ce3cf1145738c1ea2f52c191a5d6c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
47e399279029e85267fd8865d0c997ebc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
a5576bc6bc5c17ec7febcf42c3ee37ecc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
a82e3e7d3d519a68ea02d33974d14679c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
23c0b2ce5868abc6a21c8464e7094368c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
cd9d76486adec521f078a85f908b6b96c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
549558d8f62b028c73e62cdc698390e8c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
b5ca216b77f903c52c96b5f14d4a92f2c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
2dfc069c83d2ad472a77bef44017f149c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
58ddac82b891e557f7fded1ca29ae1d2c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
c8545eeccaf825010779465e6bdaffedc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
7b6324a2214c4b8c4559befda4f7d54dc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
1c727ef641b3387971cf19c78136d962c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
766281aeecd3eb5b95d8a90907bd0b58c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
303e24d8121470cc72e6978f7463af67c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
e46718313d0f7231485bd29850de6c0cc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
15ebc6d1d0b0faf7853104ff92b55bdac:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
4dd07f3657d600bbc0fc4e16152ad62cc:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
a4677186e2f2ba20b738f236207dcbdec:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
c4cd550b3d4a8077fe2590bc3e31c3eec:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
7eac824a090fb1204540f344f964b1c0c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
1f6dd2a82bbcb6a38024ff9356cb545ec:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
14710a842395b3ea6a72462406da5d35c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
fd6211db908ddd3f23890fc27496ec49c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
0db5bc30aa334ac4b005edf49da3a4a4c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
9cc2103e853d53bdcecab4edcc2095e7c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
09cd66ef54842b89490d2213f71349cdc:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
710eb6adfe160454dae78af739a0feecc:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
ff3e958c3cd1e9c569f173b47cd0d12ec:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
e2c95931d23e1e0afd8f3a6459a829bdc:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
cdc806c90603982a251679acfe5a4daec:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe
91d7d06cf285617e06a449829be45e1ac:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe
6d869dd8f2facc82a06749b242bb15f3c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe
b9e20cf1e7b445756e6efb37e840997fc:\Perl\eg\IEExamples\ie_animated.gif.exe
9a0a8bc268cd1f5acd9a2ff00ba0177bc:\Perl\eg\IEExamples\psbwlogo.gif.exe
75dec60e92cbff22a143b35bbbea424ac:\Perl\eg\aspSamples\ASbanner.gif.exe
d74cc4573df68700df52989f2a9075b2c:\Perl\eg\aspSamples\Main_Banner.gif.exe
c1cccd3653766f00c504a60322335a15c:\Perl\eg\aspSamples\psbwlogo.gif.exe
12d92b5eb0a5ea18c3359599c0d7b13fc:\Perl\html\images\AS_logo.gif.exe
0e6e64fccc4c728cc2d91cf5d440da88c:\Perl\html\images\PerlCritic_run.png.exe
c1aaa23b0c4b6bd43cc5053d1d9d9be0c:\Perl\html\images\aslogo.gif.exe
41fdb494501bcf42fff58697b49f1d44c:\Perl\html\images\ppm_gui.png.exe
64511caa0328596148f3609e07cfbc0bc:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
153121332888687b286291afa24b5780c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
842324367495dea4fb51fed4956729aec:\Perl\lib\Devel\NYTProf\js\asc.png.exe
e1fc57abb59cfeec789d20726078b801c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
53fe52b473e1a192156c73e10c1ff4f9c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
d761d07d163501bb9ae99ba6eafbb80bc:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
ca41537705631665e8e57d9ab5bc8d41c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
c18f349d38de8e21ee5a1347d0aa3cabc:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
acdff9b0cbc6c9485dcae828fe5f1522c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
c1a4c43aa40130ad82db29326b2b7797c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
8ccf76190ca5972ef70cfd0165220661c:\Perl\lib\Mozilla\CA\cacert.pem.exe
31cd0309693e79fcd077f497daa4a50fc:\totalcmd\TCMADMIN.EXE.exe
0fb0756a7098613b186c9fc4ef5b70f1c:\totalcmd\TCMDX32.EXE.exe
15085fed107eac9562235d99e3982356c:\totalcmd\TCUNINST.EXE.exe
2a1a8d92232fc1d5e222b9e485788688c:\totalcmd\TOTALCMD.EXE.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3076
    %original file name%.exe:3928
    %original file name%.exe:2184
    %original file name%.exe:2656
    %original file name%.exe:2840
    %original file name%.exe:4024
    %original file name%.exe:4092
    %original file name%.exe:2320
    %original file name%.exe:3552
    %original file name%.exe:2484
    %original file name%.exe:2480
    %original file name%.exe:3792
    %original file name%.exe:2120
    %original file name%.exe:3852
    %original file name%.exe:2400
    %original file name%.exe:3996
    %original file name%.exe:548
    %original file name%.exe:1916
    %original file name%.exe:348
    %original file name%.exe:1460
    %original file name%.exe:1672
    %original file name%.exe:2912
    %original file name%.exe:1792
    %original file name%.exe:1796
    %original file name%.exe:3644
    %original file name%.exe:1068
    %original file name%.exe:3564
    %original file name%.exe:1824
    %original file name%.exe:3568
    %original file name%.exe:2996
    %original file name%.exe:2496
    %original file name%.exe:928
    %original file name%.exe:2412
    %original file name%.exe:2392
    %original file name%.exe:828
    %original file name%.exe:2256
    %original file name%.exe:2796
    %original file name%.exe:2252
    %original file name%.exe:3772
    %original file name%.exe:2900
    %original file name%.exe:2472
    %original file name%.exe:3628
    %original file name%.exe:2772
    %original file name%.exe:2776
    %original file name%.exe:3140
    %original file name%.exe:3272
    %original file name%.exe:3148
    %original file name%.exe:2308
    %original file name%.exe:2540
    %original file name%.exe:1716
    %original file name%.exe:2980
    %original file name%.exe:4048
    %original file name%.exe:3388
    %original file name%.exe:2176
    %original file name%.exe:3160
    %original file name%.exe:2076
    %original file name%.exe:3580
    %original file name%.exe:3956
    %original file name%.exe:304
    %original file name%.exe:3216
    %original file name%.exe:2764
    %original file name%.exe:380
    %original file name%.exe:1932
    %original file name%.exe:1776
    %original file name%.exe:240
    %original file name%.exe:388
    %original file name%.exe:2836
    %original file name%.exe:3508
    %original file name%.exe:2276
    %original file name%.exe:244
    %original file name%.exe:2576
    %original file name%.exe:1840
    %original file name%.exe:3016
    %original file name%.exe:2992
    %original file name%.exe:3096
    %original file name%.exe:644
    %original file name%.exe:2676
    %original file name%.exe:3188
    %original file name%.exe:2372
    %original file name%.exe:1224
    %original file name%.exe:3124
    %original file name%.exe:1228
    %original file name%.exe:3696
    %original file name%.exe:2800
    %original file name%.exe:1900
    %original file name%.exe:2880
    %original file name%.exe:3368
    %original file name%.exe:1980
    %original file name%.exe:3692
    %original file name%.exe:3360
    %original file name%.exe:1988
    %original file name%.exe:3088
    %original file name%.exe:1032
    %original file name%.exe:3084
    %original file name%.exe:2360
    %original file name%.exe:3600
    %original file name%.exe:2152
    %original file name%.exe:636
    %original file name%.exe:2580
    %original file name%.exe:2420
    %original file name%.exe:464
    %original file name%.exe:3892
    %original file name%.exe:1596
    %original file name%.exe:3520
    %original file name%.exe:3288
    %original file name%.exe:2188
    %original file name%.exe:3280
    %original file name%.exe:220
    %original file name%.exe:3688
    %original file name%.exe:3444
    %original file name%.exe:3680
    %original file name%.exe:1028
    %original file name%.exe:2892
    %original file name%.exe:3964
    %original file name%.exe:3532
    %original file name%.exe:816
    %original file name%.exe:1452
    %original file name%.exe:3116
    %original file name%.exe:2100
    %original file name%.exe:2692
    %original file name%.exe:1108
    %original file name%.exe:4080
    %original file name%.exe:2736
    %original file name%.exe:3868
    %original file name%.exe:2868
    %original file name%.exe:3632
    %original file name%.exe:2436
    %original file name%.exe:3460
    %original file name%.exe:2816
    %original file name%.exe:2948
    %original file name%.exe:3068
    %original file name%.exe:1052
    %original file name%.exe:2944
    %original file name%.exe:2340
    %original file name%.exe:2228
    %original file name%.exe:3196
    %original file name%.exe:3432
    %original file name%.exe:4004
    %original file name%.exe:2348
    %original file name%.exe:1196
    %original file name%.exe:1568
    %original file name%.exe:2036
    %original file name%.exe:2672
    %original file name%.exe:3480
    %original file name%.exe:2748
    %original file name%.exe:3812
    %original file name%.exe:2500
    %original file name%.exe:3916
    %original file name%.exe:2724
    %original file name%.exe:612
    %original file name%.exe:1816
    %original file name%.exe:1608
    %original file name%.exe:3428
    %original file name%.exe:3228
    %original file name%.exe:1860
    %original file name%.exe:1600
    %original file name%.exe:940
    %original file name%.exe:356
    %original file name%.exe:2004
    %original file name%.exe:3224
    %original file name%.exe:2604
    %original file name%.exe:3340
    %original file name%.exe:804
    cscript.exe:3920
    cscript.exe:1300
    cscript.exe:2848
    cscript.exe:3712
    cscript.exe:3228
    cscript.exe:2304
    cscript.exe:132
    cscript.exe:2860
    cscript.exe:3412
    cscript.exe:3344
    cscript.exe:2172
    cscript.exe:3808
    cscript.exe:2524
    cscript.exe:1072
    cscript.exe:2528
    cscript.exe:344
    cscript.exe:1376
    cscript.exe:2244
    cscript.exe:280
    cscript.exe:548
    cscript.exe:348
    cscript.exe:3992
    cscript.exe:2460
    cscript.exe:1524
    cscript.exe:2916
    cscript.exe:3936
    cscript.exe:1796
    cscript.exe:1956
    cscript.exe:3336
    cscript.exe:3152
    cscript.exe:1228
    cscript.exe:3640
    cscript.exe:2316
    cscript.exe:2992
    cscript.exe:1064
    cscript.exe:2996
    cscript.exe:3244
    cscript.exe:2804
    cscript.exe:2264
    cscript.exe:2060
    cscript.exe:3848
    cscript.exe:2064
    cscript.exe:2252
    cscript.exe:2288
    cscript.exe:2904
    cscript.exe:3940
    cscript.exe:1028
    cscript.exe:2828
    cscript.exe:3032
    cscript.exe:3308
    cscript.exe:1484
    cscript.exe:3148
    cscript.exe:4044
    cscript.exe:2308
    cscript.exe:3476
    cscript.exe:3472
    cscript.exe:2544
    cscript.exe:2548
    cscript.exe:2788
    cscript.exe:1256
    cscript.exe:2384
    cscript.exe:368
    cscript.exe:2072
    cscript.exe:3108
    cscript.exe:2668
    cscript.exe:3844
    cscript.exe:3812
    cscript.exe:2280
    cscript.exe:3956
    cscript.exe:2764
    cscript.exe:380
    cscript.exe:244
    cscript.exe:240
    cscript.exe:3268
    cscript.exe:2832
    cscript.exe:3316
    cscript.exe:3392
    cscript.exe:2272
    cscript.exe:3012
    cscript.exe:3468
    cscript.exe:2208
    cscript.exe:644
    cscript.exe:2792
    cscript.exe:2376
    cscript.exe:2928
    cscript.exe:2596
    cscript.exe:3596
    cscript.exe:2592
    cscript.exe:3804
    cscript.exe:2456
    cscript.exe:2452
    cscript.exe:3004
    cscript.exe:3000
    cscript.exe:2196
    cscript.exe:3900
    cscript.exe:3164
    cscript.exe:1900
    cscript.exe:2200
    cscript.exe:2880
    cscript.exe:3368
    cscript.exe:1980
    cscript.exe:3364
    cscript.exe:2560
    cscript.exe:3696
    cscript.exe:2368
    cscript.exe:2684
    cscript.exe:188
    cscript.exe:2680
    cscript.exe:2428
    cscript.exe:3600
    cscript.exe:2624
    cscript.exe:3608
    cscript.exe:3524
    cscript.exe:3728
    cscript.exe:3724
    cscript.exe:2188
    cscript.exe:220
    cscript.exe:868
    cscript.exe:3904
    cscript.exe:3376
    cscript.exe:3440
    cscript.exe:3684
    cscript.exe:3500
    cscript.exe:3964
    cscript.exe:2108
    cscript.exe:2752
    cscript.exe:2100
    cscript.exe:1512
    cscript.exe:740
    cscript.exe:1160
    cscript.exe:2436
    cscript.exe:3324
    cscript.exe:2632
    cscript.exe:3672
    cscript.exe:2948
    cscript.exe:3736
    cscript.exe:2344
    cscript.exe:1052
    cscript.exe:1968
    cscript.exe:4000
    cscript.exe:2224
    cscript.exe:3436
    cscript.exe:1568
    cscript.exe:1112
    cscript.exe:2500
    cscript.exe:2648
    cscript.exe:2724
    cscript.exe:2644
    cscript.exe:1276
    cscript.exe:3484
    cscript.exe:3352
    cscript.exe:3056
    cscript.exe:2132
    cscript.exe:3052
    cscript.exe:3780
    cscript.exe:1040
    cscript.exe:3540
    cscript.exe:3380
    cscript.exe:948
    cscript.exe:4012
    cscript.exe:3788
    cscript.exe:804

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\AikAYYsE.bat (4 bytes)
    C:\d4a55cc7b461baa492d09def48760fb6 (180 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EosMskMk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZyEgAEoE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XYwgogYI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XiEscooM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fEIssgcU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cAkkgUUE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EegIIkAM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QCowssYQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZQcQcsMg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iigQokYY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KeYQEIQA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xqsMAIQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ocAAsUsQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uiswAccA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FyowAYIU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eKAQckoA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lsUYUoIM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uyoEIMoU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\huwEcEoU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tQMsAcUs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fqMUsgso.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mskosYkY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DMMwAEck.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WockIEgs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PMsUEkgA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LQQkEMwU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PyoUwIEM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wYYMYUks.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uWwogccE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AKkIUoYc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vucYgcYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QaIUcAUs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LkEsggoM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rusAscwU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bwAMEsMM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QosEYAco.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SOwIEUsE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kyUYYwoQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JKwIUoow.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nyQUoEcY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XEwcwMok.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aGoUYMEw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dIwoAwMk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aIEUsUoo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XgkEoAAs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UIoIMMkw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NIEUkEIA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eOAEcIoQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oksIgYMU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MyUQoIAQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LUYIIcQw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HYMkQgQI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BMgEYgUQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oEkYUEEw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qCYIgMss.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cIUoMMwM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jWsksgII.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rUoMYAwc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DskEMwcU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FyEcwAgo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lOkkQMMo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OOskgIEQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hmUEwsUQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XikMAgEM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\maEEAYAc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rYggkkYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AisAYoYc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DmAUkMkg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YoEIoEUo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NSEoowcQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AQQwMooM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FYUcQoYE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uCYQAUgM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MwscoIgU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FyscQsgU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gGowookg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\twQEgQwc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\usQswYoI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jIAwMYgc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iukgEUQU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gWIQIwko.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sIgQQwEk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HuYYAIMU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aAUYQgcA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gIkgIoEA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wMMoQEAA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VwsMMMoA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LmscEwQs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SOAAMwEU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oqEocAIc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xEMIcsIQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EaMcAQsY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WeMwscsk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kKosksok.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oIIkcYgU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MMcoYcMY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HyIIUMAg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KycAAEYU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zUgMgAwQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KucAAkkA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gaAcQMIY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\quEssMww.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HOUkEEEo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IOIcQEck.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uccUUcQU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DcMYEkIw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kgAgsEMk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\okkEMMAo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vqEgAwYs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TiwEAwQA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZKgckogQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gassAQcw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QYgwYEgE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jGQksQEI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QWMkAQkU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kOgMkckU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vaUsIQko.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OIEokAEY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jOswgwUQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qMQEEYEc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lkcUYYEU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EWUwYsIQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fWcQEEco.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wKwwYkwY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\muwkMIQU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MowosgAg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nKUIYQoU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QcIwEgYs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hiQIocMA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zIkoEwMo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PwUYEsEI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LUEgUMsI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hikAIoww.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oEAoIIQg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UkMAMcwo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZoEQccQc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vaYMQYcY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eUQAEYEE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NiocYYMA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rGgIoEcg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lQgkQkkU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OgEUgsUQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\waoUYMAk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aUYIYMcY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AcscEkgI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PMcgQQAE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aaMskYwI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vCEIEkIA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MOMkEIsA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MCAQgAkY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LGAIkYII.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bKMsIogI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PUsYggkI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ziAggAYA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qCAgIUck.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xYYoQMgo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ykoMYoUI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RisUIwgo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dcMwcEEo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zeAwMMEw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MIMQwQYs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iiocMYsc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mQoMUUYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lYccoAEI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\imAAgYIA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JOQEMAYI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DWAskUMs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PKgQYwQo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AAIEMYkg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MMcYokEY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EykYYwgc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EeMkIAcE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QcYAIwUs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NcMAUock.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\acQEowkw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hKgEoIUM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZQgcgkkk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UIwgokYs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fSgIokoM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yUMEkMIY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hSUIIQsY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nkQQMgkY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fAoIAQMg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bYUIAUMI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GqEAEEUM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WkEcYYwg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qmgoYkYI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eOcoQssE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TSIkAsgI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XQYUAQQk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jkEwYIQk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rWQoAwEI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CqEcUEAM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vgooIccw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vsUooIoM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iusQYcoc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TSwkQQUU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HeMwUYcA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\feIwEIcE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BkwoUkcU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VogYcwgw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jmccUQEo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PMYIooQc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WGEgYcgA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aegogUoI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\suQYYwYI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QUkMIgcY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NGgEEIwc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EsgYwUQU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iucscMwE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aEUkEMEA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sqgkkQkg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BGAUYsgg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nCEswUkU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zukoUEcs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OqggowoY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SscAogYQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AwMsEgwM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QeUEQggs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GkcEMscM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AwcssIcs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ruMAUcsE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wUssIscA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kuYIIUQI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wOUgUAks.bat (112 bytes)
    %Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (3921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RYEAscMY.bat (4 bytes)
    %Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3777 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xKIMEUMQ.bat (112 bytes)
    %Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3753 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AsYEQcIQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CQcgMokE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ugcUIIgk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VKUAQgYU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZUMYskUw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zCQwsIwQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SekAcgcA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JoogQMEI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\geIIMoMo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LAcAswsY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YsMQoIYI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KsUkMUks.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jUwkoYgI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XWgQgsEo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xeAQgQAU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bUkAUAIo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KSwQYcME.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fEQoAkYQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XwYcEwwU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SCMEwUYQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KkwYUUIw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mmUswwQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PSgwwgAE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eQwEkQkM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AEMcgUcU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XwoYsUQI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sMoAsQUY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lcYgUUsk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mecYwwgk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IsgIgwEE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LUIUowgI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yuoUQUwo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MgkIIUsQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rEskQEYA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jMoMQAQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NEscsQsc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zCAkIwYc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wMEocYwo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\boQIYsUY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hEoscAoQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HacEYgQg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VCcIAgYY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wQoAEoQQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NCMsAMoU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CiwcUowk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cSEAgEss.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xEgwMMcc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wmoMQkwo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kMckAIEY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\doAUAoYI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kkcgUwQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tWYkAIco.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eMEwQkoM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WcIYgkQQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZkIIEkkU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WgYUAEoo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cKsEUggA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VOIcIsEQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BswcogUk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TWAIQkQU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OQwgQYcg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RYsQkAwM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RUMEkMIU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gIkgEEwM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sqYEYIsw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JuUUkUEk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pWQAMgIY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MOUQQUsY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GaoYUAEw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cYAUooAc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SGkEEsEQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RQgoYwMg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jiQkcUcQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZoAMUowU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tqMMYcsk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pAMIYYQE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aUswAQso.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QYIkswoc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tcEwUAIg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bAkMUsYY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cawckwMs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DqsEEkss.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zAkQQIEk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nmwwwgoI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wmcUEIYg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xqMcAcsw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VwQgoMcw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IeMUkcAc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vUkkUoYM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ieUkAYsM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MwQQkAUg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mQwAEAAQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jmscsoIY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gyUEQQAk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NMgcQksw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aisIAAAE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JUAcIkss.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\suwUoEMw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HWosQYYI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AAoQUIsI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pmYgMwsI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\scgcYYQI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vmoogEMM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KuowMoog.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XmAIEwsA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kUkYsIUE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rEQcAUUg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BqcAYQgM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rcAQosEI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EggcIsww.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PysUoIwc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\maAQoIcg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dkAUggUo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GEYQgwYo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ioIwUkQg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WCkMsAwU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SQAsAscY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gEgoMoos.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wgoMcQAc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nSEoAoww.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mMcckssw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YIQcssYE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OKogQIAc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SEQUsIoA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IeoEQkQc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ckIcsIAA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YiYAsAAU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mUUQEwow.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JcAIIAsk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RscEMcgY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lWYMAEEw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dGkswsIU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bUgQYUww.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IkkQUQow.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VosAgIgw.bat (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\KAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
    C:\totalcmd\TcUsbRun.exe (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40966184966184965.524147a741cb4fab49e737845c06ed0589f54
.rdata62259240965121.9268710b0a061bb0523a8c1b941334d040738
.data6266881645122.1794329cd33dc07262d68c56cdf4a44da62dd
.rsrc630784444446083.561898ea8f9ce3e86478897c4c3c7940833b3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://google.com/216.58.209.206

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1

Host: google.com

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=dN66VMfSDamt8webtYDYDA

Content-Length: 262

Date: Sat, 17 Jan 2015 22:13:08 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=dN66VMfSDamt8webtYDYDA">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=dN66VMfSDamt8webtYDYDA..Content-Length: 262..Date: Sat, 17 Jan 2015 22:13:08 GMT..Server: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=dN66VMfSDamt8webtYDYDA">here</A>...</BODY></HTML>....

GET / HTTP/1.1

Host: google.com

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=od66VOvbOM-AZIv8gPgB

Content-Length: 260

Date: Sat, 17 Jan 2015 22:13:53 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=od66VOvbOM-AZIv8gPgB">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=od66VOvbOM-AZIv8gPgB..Content-Length: 260..Date: Sat, 17 Jan 2015 22:13:53 GMT..Server: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=od66VOvbOM-AZIv8gPgB">here</A>...</BODY></HTML>....

GET / HTTP/1.1

Host: google.com

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VIqACpGu8wfO3ILACQ

Content-Length: 262

Date: Sat, 17 Jan 2015 22:12:04 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VIqACpGu8wfO3ILACQ">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VIqACpGu8wfO3ILACQ..Content-Length: 262..Date: Sat, 17 Jan 2015 22:12:04 GMT..Server: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VIqACpGu8wfO3ILACQ">here</A>...</BODY></HTML>....

GET / HTTP/1.1

Host: google.com

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VOyAE4-u8wfq44K4BA

Content-Length: 262

Date: Sat, 17 Jan 2015 22:12:04 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VOyAE4-u8wfq44K4BA">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VOyAE4-u8wfq44K4BA..Content-Length: 262..Date: Sat, 17 Jan 2015 22:12:04 GMT..Server: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=NN66VOyAE4-u8wfq44K4BA">here</A>...</BODY></HTML>....

GET / HTTP/1.1

Host: google.com

HTTP/1.1 302 Found

Cache-Control: private

Content-Type: text/html; charset=UTF-8

Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=t966VJupGaWt8wfywYBw

Content-Length: 260

Date: Sat, 17 Jan 2015 22:14:15 GMT

Server: GFE/2.0

Alternate-Protocol: 80:quic,p=0.02

<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=t966VJupGaWt8wfywYBw">here</A>...</BODY></HTML>..HTTP/1.1 302 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=t966VJupGaWt8wfywYBw..Content-Length: 260..Date: Sat, 17 Jan 2015 22:14:15 GMT..Server: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD><meta http-equiv="content-type" content="text/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=t966VJupGaWt8wfywYBw">here</A>...</BODY></HTML>....

Map

The Malware connects to the servers at the folowing location(s):

Strings from Dumps

fGAwoYMM.exe_1864:

.text

.text

`.rdata

`.rdata

@.data

@.data

3E.Pcq:P!V^

3E.Pcq:P!V^

#%Xkq.

#%Xkq.

.JF{

.JF{

U%Sa@

U%Sa@

('%D^q-*

('%D^q-*

?|Q%f

?|Q%f

SE?.rn~M*

SE?.rn~M*

.Dhe4

.Dhe4

E.IdJWH

E.IdJWH

%k%cn>x_

%k%cn>x_

?%uRc!

?%uRc!

%3.UGiO0

%3.UGiO0

]w.LQ

]w.LQ

I 4keyy

I 4keyy

L%C['

L%C['

7.BLP

7.BLP

;.StH

;.StH

>.Qlx #6

>.Qlx #6

Microsoft Windows

Microsoft Windows

%doi,

%doi,

P.yrBX.

P.yrBX.

PB]%C

PB]%C

%FoS(

%FoS(

F<.cs>

F<.cs>

user32.dll

user32.dll

kernel32.dll

kernel32.dll

ZwRequestPort

ZwRequestPort

ntdll.dll

ntdll.dll

fGAwoYMM.exe_1864_rwx_00401000_00069000:

3E.Pcq:P!V^

3E.Pcq:P!V^

#%Xkq.

#%Xkq.

.JF{

.JF{

U%Sa@

U%Sa@

('%D^q-*

('%D^q-*

?|Q%f

?|Q%f

SE?.rn~M*

SE?.rn~M*

.Dhe4

.Dhe4

E.IdJWH

E.IdJWH

%k%cn>x_

%k%cn>x_

?%uRc!

?%uRc!

%3.UGiO0

%3.UGiO0

]w.LQ

]w.LQ

I 4keyy

I 4keyy

L%C['

L%C['

7.BLP

7.BLP

;.StH

;.StH

>.Qlx #6

>.Qlx #6

Microsoft Windows

Microsoft Windows

%doi,

%doi,

P.yrBX.

P.yrBX.

PB]%C

PB]%C

%FoS(

%FoS(

F<.cs>

F<.cs>

fGAwoYMM.exe_1864_rwx_00900000_00068000:

3E.Pcq:P!V^

3E.Pcq:P!V^

#%Xkq.

#%Xkq.

.JF{

.JF{

U%Sa@

U%Sa@

('%D^q-*

('%D^q-*

?|Q%f

?|Q%f

SE?.rn~M*

SE?.rn~M*

.Dhe4

.Dhe4

E.IdJWH

E.IdJWH

%k%cn>x_

%k%cn>x_

?%uRc!

?%uRc!

%3.UGiO0

%3.UGiO0

]w.LQ

]w.LQ

I 4keyy

I 4keyy

L%C['

L%C['

7.BLP

7.BLP

;.StH

;.StH

>.Qlx #6

>.Qlx #6

$g.Gd

$g.Gd

P.yrBX.

P.yrBX.

PB]%C

PB]%C

%FoS(

%FoS(

F<.cs>

F<.cs>

fGAwoYMM.exe_1864_rwx_00980000_00001000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

NesIMIQs.exe_228:

.text

.text

`.rdata

`.rdata

@.data

@.data

3E.Pcq:P!V^

3E.Pcq:P!V^

#%Xkq.

#%Xkq.

:4.aK1

:4.aK1

t$.qo&

t$.qo&

.CUj

.CUj

D~%UmHgb

D~%UmHgb

@udp,*q>h

@udp,*q>h

J.YU

J.YU

b%}_%X^

b%}_%X^

T.TG#x

T.TG#x

.XGs[

.XGs[

Windows Internet Explorer

Windows Internet Explorer

Windows Task Manager

Windows Task Manager

taskmgr.exetaskkill /F /IM taskmgr.exe /T

taskmgr.exetaskkill /F /IM taskmgr.exe /T

v\6DÁ

v\6DÁ

`A YÑ

`A YÑ

`@,RÐ

`@,RÐ

bV

bV

%F(^q\x

%F(^q\x

iI%fv- px

iI%fv- px

iF%fv- px

iF%fv- px

x.dJ5

x.dJ5

pA,^jUx.lG,^VGx3d_4s

pA,^jUx.lG,^VGx3d_4s

x=kAx.lG,^VGx3d_4^d]

x=kAx.lG,^VGx3d_4^d]

3%>RO%x1

3%>RO%x1

pKx.pP=

pKx.pP=

j]t^Vxx-2}xOG

j]t^Vxx-2}xOG

v[x.pQUtQ[=^IR5

v[x.pQUtQ[=^IR5

v[x.pQxO3

v[x.pQxO3

jWx.dA3s

jWx.dA3s

l]x.qJx2qWUtIV.

l]x.qJx2qWUtIV.

>R.dJ1

>R.dJ1

dWqP%u7

dWqP%u7

\Z%0X~]

\Z%0X~]

\Z%0X~

\Z%0X~

>.Qlx #6

>.Qlx #6

Vp

Microsoft Windows
.Ry g
kernel32.dll
user32.dll
fGAwoYMM.exe_1864_rwx_00BC0000_00001000:
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM
fGAwoYMM.exe_1864_rwx_00BD0000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs
fGAwoYMM.exe_1864_rwx_00BE0000_00001000:
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.inf
fGAwoYMM.exe_1864_rwx_00BF0000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.inf
fGAwoYMM.exe_1864_rwx_00C00000_00001000:
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe
reIEcoQI.exe_232:
.text
`.rdata
@.data
3E.Pcq:P!V^
#%Xkq.
.JF{
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
2software\microsoft\windows\currentversion\run
P.yrBX.
PB]%C
%FoS(
F<.cs>
ntdll.dll
kernel32.dll
user32.dll
fGAwoYMM.exe_1864_rwx_00C10000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe
fGAwoYMM.exe_1864_rwx_00C40000_00001000:
fGAwoYMM.exe
fGAwoYMM.exe_1864_rwx_00C50000_00001000:
NesIMIQs.exe
fGAwoYMM.exe_1864_rwx_00C60000_00001000:
taskkill /FI "USERNAME eq adm" /F /IM fGAwoYMM.exe
fGAwoYMM.exe_1864_rwx_00C70000_00001000:
taskkill /FI "USERNAME eq adm" /F /IM NesIMIQs.exe
fGAwoYMM.exe_1864_rwx_00C80000_00001000:
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe
fGAwoYMM.exe_1864_rwx_00C90000_00001000:
%Documents and Settings%\All Users\KAAo.txt
fGAwoYMM.exe_1864_rwx_00CA0000_00001000:
notepad.exe "%Documents and Settings%\All Users\KAAo.txt"
fGAwoYMM.exe_1864_rwx_00CB0000_00001000:
%Documents and Settings%\All Users\JuwEIgUE
NesIMIQs.exe_228_rwx_00401000_00069000:
3E.Pcq:P!V^
#%Xkq.
:4.aK1
t$.qo&
.CUj 
D~%UmHgb
@udp,*q>h
 J.YU
b%}_%X^
T.TG#x
.XGs[
Windows Internet Explorer
Windows Task Manager
taskmgr.exetaskkill /F /IM taskmgr.exe /T
v\6DÁ
`A YÑ
`@,RÐ
bV
%F(^q\x
iI%fv- px
iF%fv- px
x.dJ5
pA,^jUx.lG,^VGx3d_4s
x=kAx.lG,^VGx3d_4^d]
3%>RO%x1
pKx.pP=
j]t^Vxx-2}xOG
v[x.pQUtQ[=^IR5
v[x.pQxO3
jWx.dA3s
l]x.qJx2qWUtIV.
>R.dJ1
dWqP%u7
\Z%0X~]
\Z%0X~
>.Qlx #6
Vp
Microsoft Windows
.Ry g
NesIMIQs.exe_228_rwx_00900000_00068000:
3E.Pcq:P!V^
#%Xkq.
.JF{
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
$g.Gd
P.yrBX.
PB]%C
%FoS(
F<.cs>NesIMIQs.exe_228_rwx_00980000_00001000:
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
NesIMIQs.exe_228_rwx_00BB0000_00001000:
.hhr}
NesIMIQs.exe_228_rwx_00BC0000_00001000:
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM
NesIMIQs.exe_228_rwx_00BD0000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs
NesIMIQs.exe_228_rwx_00BE0000_00001000:
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.inf
NesIMIQs.exe_228_rwx_00BF0000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.inf
NesIMIQs.exe_228_rwx_00C00000_00001000:
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe
NesIMIQs.exe_228_rwx_00C10000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe
NesIMIQs.exe_228_rwx_00C40000_00001000:
fGAwoYMM.exe
NesIMIQs.exe_228_rwx_00C50000_00001000:
NesIMIQs.exe
NesIMIQs.exe_228_rwx_00C60000_00001000:
taskkill /FI "USERNAME eq adm" /F /IM fGAwoYMM.exe
NesIMIQs.exe_228_rwx_00C70000_00001000:
taskkill /FI "USERNAME eq adm" /F /IM NesIMIQs.exe
NesIMIQs.exe_228_rwx_00C80000_00001000:
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe
NesIMIQs.exe_228_rwx_00C90000_00001000:
%Documents and Settings%\All Users\KAAo.txt
NesIMIQs.exe_228_rwx_00CA0000_00001000:
notepad.exe "%Documents and Settings%\All Users\KAAo.txt"
NesIMIQs.exe_228_rwx_00CB0000_00001000:
%Documents and Settings%\All Users\JuwEIgUE
NesIMIQs.exe_228_rwx_01100000_02300000:
ole32.dll
kernel32.dll
user32.dll
:yffp%u
{F.ru
=m.JS
.Nf}c
6,%U_
%C& ~A
;C.uc
0OW%X
%.C}|-
uDP)]
.IVlG
$.HER
.AfWn
.beV0S?
Mc.YfD
*.Nvdc
%SbwF
q.zFY((X
T.''.ImiZ
gm-is}L
-Ocv}L
*7 ?.Ok//
%%uF~
WK.ye
q.Dxl(
a.Sxl
).jvos}e#
r\4,z\>-Z}
y.HDM
!.ufm
3" %xH
.Kx1!\:
51d%d
L.ULO
_U6^!%X
$a'e.YR
_/xr'%X
o#.MXE
%fO $vO"T
ZYòNesIMIQs.exe_228_rwx_03900000_01E00000:
.text
`.rdata
@.data
.rsrc
@.reloc
u%Uh`
QSSSh
QVSSh
t.PSh
T$lRSSh| "
UDPQRh
L$ QSSh
L$,QSSh
QSSShlVU
RVSShlVU
t.Ph\
tGHt.Ht&
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
\N is not supported in a class
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
RtlRunOnceExecuteOnce
advapi32_hack::try_hack: bad PE passed
advapi32_hack::try_hack: cannot read import table
advapi32_hack::try_hack: cannot find section .text
.data
advapi32_hack::try_hack: cannot find section .data
advapi32_hack::try_hack: cannot read section .text
Cannot read module %s, error %d
Cannot read exports of %s, error %d
advapi32_hack::try_hack: cannot read exports, error %d
.apiset
Bad .apiset catalog - don`t fit in section
String in cat item %d not in section
Value in cat item %d not in section
Bad referred in cat item %d
Double mapped value in cat item %d not in section
Bad double referred in cat item %d
BaseSrvRegisterWowExec
BaseSrvGetProcessShutdownParam
BaseSrvSetProcessShutdownParam
basesrv.dll
Unknown size of BaseServerApiDispatchTable: %d
ServerDll[%d] %p
csrsrv.dll
CsrExecServerThread
ServerDll[%d]:
ApiDispatchTable: %p %s
ConnectRoutine: %p %s
DisconnectRoutine: %p %s
HardErrorRoutine: %p %s
AddProcessRoutine: %p %s
ShutdownProcessRoutine: %p %s
Cannot open dir %S, error %d
clean_old_drvs: error %d on deleting file %S
Cannot find resource %X
Cannot load resource %X
Resource %d has zero length
Cannot lock resource %X
Cannot unpack resource %X
Cannot create file %S, error %d
1.2.5
Decompress buffer %d bytes too small
DxDvpWaitForVideoPortSync
DxDvpUpdateVideoPort
DxDvpGetVideoPortConnectInfo
DxDvpGetVideoPortOutputFormats
DxDvpGetVideoPortLine
DxDvpGetVideoPortInputFormats
DxDvpGetVideoPortFlipStatus
DxDvpGetVideoPortField
DxDvpGetVideoPortBandwidth
DxDvpFlipVideoPort
DxDvpDestroyVideoPort
DxDvpCreateVideoPort
DxDvpCanCreateVideoPort
DxDdSetColorKey
Cannot read gaDxgFuncs handlers, readed %X bytes
.rdata
Cannot read DxgCoreInterface handlers, readed %X bytes
Unknown acpi table version: %X
SBP2PORT_Mask
STORMINIPORT_Mask
STORPORT_Mask
TCPIP6_Mask
WSOCKTRANSPORT_Mask
FCPORT_Mask
SOFTPCI_Mask
TCPIP_Mask
SCSIMINIPORT_Mask
SCSIPORT_Mask
Unknown KdComponentTableSize size %X
dump_kd_masks return %X bytes, error %d, ntstatus %X
dump_kd_masks return %X bytes, error %d
dump_kd_masks(%s) return %X bytes, error %d, ntstatus %X
dump_kd_masks(%s) return %X bytes, error %d
%-*s: %X
read_kopts_length(%s) return %X bytes, error %d, ntstatus %X
read_kopts_length(%s) return %X bytes, error %d
Cannot alloc %X bytes
Cannot realloc %X bytes for %s
read_kopts(%s) return %X bytes, error %d, ntstatus %X
read_kopts(%s) return %X bytes, error %d
%S (%s): %X
%S (%s):
dump_kopts(%s) return %X bytes, error %d, ntstatus %X
dump_kopts(%s) return %X bytes, error %d
MmSupportWriteWatch
KiPassiveWatchdogTimeout
ViImageExecutionOptions
DbgkErrorPortStartTimeout
DbgkErrorPortCommTimeout
MmDisablePagingExecutive
CmDefaultLanguageId
DbgkpMaxModuleMsgs
IoCountOperations
KeDelayExecutionThread
resolve_IoFreeIrp: bad addr of %s
get_interrupt_dispatch: cannot alloc %d bytes
Unknown kernel options: %S
PsGetProcessWin32WindowStation
KeIsExecutingDpc
bad addr of KeIsExecutingDpc
Bad pnp handler item %d (%d)
Cannot find %s
ks.sys: cannot get KoCreateInstance
ImportContext
ExportContext
SpChangeAccountPasswordFn
CallPackagePassthrough
%SystemRoot%\System32\
GetServiceAccountPassword
DPAPIPasswordChangeForGMSA
GetCredentialKey
INotifyPasswordChanged
%s PolicyChangeNotificationCallbacks
PolicyChangeNotificationCallback[%d]: %d items
[%d] %p %p %p %p %s
lsasrv_hack::try_hack: bad PE passed
lsasrv_hack::try_hack: cannot find section .data
lsasrv_hack::try_hack: cannot read section .data
lsasrv_hack::try_hack: bad section passed
lsasrv_hack::try_hack: cannot read exports, error %d
LsaICallPackagePassthrough
lsasrv.dll
VaultLogonSessionNotification: %p %s
Start of driver %S failed !
WSPJoinLeaf
MSAFD_WSPSendMsg
MSAFD_WSPRecvMsg
mswsock.dll
CheckProc: cannot open process PID %d, error %d, ntstatus %X
CheckProc: cannot open process PID %d, error %d
threaded_processes_checker exception occured, error %X
MyWindowsChecker: len %d, kernel name %s
Cannot get kernel name, error %d
Kill process %d
Check processes in %d threads
Cannot find process %d
Usage: %S [options]
-wmi - report about WMI entries
-uem - check for Unknown Executable Memory
-npo - dump RPC Named Pipes Owner
-rdata - check .rdata sections too
-rpc - report about RPC interfaces
DeriveKey
NotifyChangeKey
EnumKeys
IsAlgSupported
FreeKey
DeleteKey
FinalizeKey
SetKeyProperty
CreatePersistedKey
OpenKey
OpenPrivateKey
ImportKey
ImportMasterKey
GetKeyProperty
GenerateSessionKeys
GenerateMasterKey
ExportKey
CreateEphemeralKey
ComputeEapKeyBlock
ncrypt_hack::check_in_proc: cannot alloc %d bytes
GetKeyStorageInterface
Cannot load %s (copy of %s), error %d
Cannot load module %s, error %d
Cannot read module %s import table
NdisMRegisterMiniportDriver
resolve_minidrivers_list: bad addr of NdisMRegisterMiniportDriver
NdisMRegisterMiniport
resolve_minidrivers_list: cannot find NdisMRegisterMiniport
resolve_minidrivers_list: bad addr of NdisMRegisterMiniport
resolve_miniports_list: cannot find NdisIMInitializeDeviceInstanceEx
resolve_miniports_list: bad addr of NdisIMInitializeDeviceInstanceEx
OID_CO_TAPI_DONT_REPORT_DIGITS
OID_CO_TAPI_REPORT_DIGITS
OID_QOS_OPERATIONAL_PARAMETERS
OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA_EX
OID_TCP_TASK_IPSEC_OFFLOAD_V2_UPDATE_SA
OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA
OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA
OID_TCP_CONNECTION_OFFLOAD_PARAMETERS
OID_FFP_SUPPORT
OID_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
OID_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
OID_TCP_OFFLOAD_HARDWARE_CAPABILITIES
OID_TCP_OFFLOAD_PARAMETERS
OID_TCP_OFFLOAD_CURRENT_CONFIG
OID_TCP6_OFFLOAD_STATS
OID_TCP4_OFFLOAD_STATS
OID_TCP_TASK_IPSEC_DELETE_UDPESP_SA
OID_TCP_TASK_IPSEC_ADD_UDPESP_SA
OID_TCP_SAN_SUPPORT
OID_TCP_TASK_IPSEC_DELETE_SA
OID_TCP_TASK_IPSEC_ADD_SA
OID_TCP_TASK_OFFLOAD
OID_DOT11_SUPPORTED_DSSS_CHANNEL_LIST
OID_DOT11_SUPPORTED_OFDM_FREQUENCY_LIST
OID_DOT11_QOS_TX_QUEUES_SUPPORTED
OID_DOT11_AP_JOIN_REQUEST
OID_DOT11_HR_CCA_MODE_SUPPORTED
OID_DOT11_FREQUENCY_BANDS_SUPPORTED
OID_DOT11_SUPPORTED_DATA_RATES_VALUE
OID_DOT11_SUPPORTED_RX_ANTENNA
OID_DOT11_SUPPORTED_TX_ANTENNA
OID_DOT11_REG_DOMAINS_SUPPORT_VALUE
OID_DOT11_CCA_MODE_SUPPORTED
OID_DOT11_SUPPORTED_POWER_LEVELS
OID_DOT11_DIVERSITY_SUPPORT
OID_DOT11_SUPPORTED_PHY_TYPES
OID_DOT11_OPERATIONAL_RATE_SET
OID_DOT11_JOIN_REQUEST
OID_DOT11_CURRENT_OPERATION_MODE
OID_DOT11_OPERATION_MODE_CAPABILITY
OID_802_11_SUPPORTED_RATES
OID_802_11_NETWORK_TYPES_SUPPORTED
OID_802_11_REMOVE_KEY
OID_802_11_ADD_KEY
OID_IRDA_SUPPORTED_SPEEDS
OID_ATM_SUPPORTED_AAL_TYPES
OID_ATM_SUPPORTED_SERVICE_CATEGORY
OID_ATM_SUPPORTED_VC_RATES
OID_FDDI_PORT_ACTION
OID_FDDI_PORT_HARDWARE_PRESENT
OID_FDDI_PORT_LER_FLAG
OID_FDDI_PORT_PC_WITHHOLD
OID_FDDI_PORT_PCM_STATE
OID_FDDI_PORT_CONNNECT_STATE
OID_FDDI_PORT_LER_ALARM
OID_FDDI_PORT_LER_CUTOFF
OID_FDDI_PORT_LEM_CT
OID_FDDI_PORT_LEM_REJECT_CT
OID_FDDI_PORT_LER_ESTIMATE
OID_FDDI_PORT_LCT_FAIL_CT
OID_FDDI_PORT_EB_ERROR_CT
OID_FDDI_PORT_PC_LS
OID_FDDI_PORT_BS_FLAG
OID_FDDI_PORT_MAINT_LS
OID_FDDI_PORT_INDEX
OID_FDDI_PORT_CONNECTION_CAPABILITIES
OID_FDDI_PORT_PMD_CLASS
OID_FDDI_PORT_MAC_LOOP_TIME
OID_FDDI_PORT_AVAILABLE_PATHS
OID_FDDI_PORT_MAC_PLACEMENT
OID_FDDI_PORT_REQUESTED_PATHS
OID_FDDI_PORT_CURRENT_PATH
OID_FDDI_PORT_MAC_INDICATED
OID_FDDI_PORT_CONNECTION_POLICIES
OID_FDDI_PORT_NEIGHBOR_TYPE
OID_FDDI_PORT_MY_TYPE
OID_FDDI_MAC_DOWNSTREAM_PORT_TYPE
OID_FDDI_SMT_MSG_TIME_STAMP
OID_FDDI_SMT_BYPASS_PRESENT
OID_FDDI_SMT_MAC_INDEXES
OID_FDDI_SMT_PORT_INDEXES
OID_TCP_RSC_STATISTICS
OID_SWITCH_PORT_UPDATED
OID_GEN_OPERATIONAL_STATUS
OID_SWITCH_PORT_TEARDOWN
OID_SWITCH_PORT_FEATURE_STATUS_QUERY
OID_SWITCH_PORT_DELETE
OID_SWITCH_PORT_CREATE
OID_SWITCH_PORT_ARRAY
OID_SWITCH_PORT_PROPERTY_ENUM
OID_SWITCH_PORT_PROPERTY_DELETE
OID_SWITCH_PORT_PROPERTY_UPDATE
OID_SWITCH_PORT_PROPERTY_ADD
OID_NIC_SWITCH_DELETE_VPORT
OID_NIC_SWITCH_ENUM_VPORTS
OID_NIC_SWITCH_VPORT_PARAMETERS
OID_NIC_SWITCH_CREATE_VPORT
OID_GEN_MINIPORT_RESTART_ATTRIBUTES
OID_GEN_PORT_AUTHENTICATION_PARAMETERS
OID_GEN_PORT_STATE
OID_GEN_ENUMERATE_PORTS
OID_GEN_TRANSPORT_HEADER_OFFSET
OID_GEN_SUPPORTED_GUIDS
OID_GEN_MEDIA_SUPPORTED
OID_GEN_SUPPORTED_LIST
Cannot read gWfpGlobal, readed %X bytes
Cannot read Wfp callout count, readed %X bytes
Cannot read Wfp callouts, readed %X bytes
Cannot read WFP index functions, readed %X bytes
iphlpapi.dll
%SystemRoot%\System32\iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
GetExtendedTcpTable
GetExtendedUdpTable
Failed to snapshot TCP endpoints, error %d
Failed to snapshot UDP endpoints, error %d
Cannot alloc %d bytes for UDP extended table
Cannot alloc %d bytes for TCP extended table
ntdll_hack::try_hack: bad PE passed
ntdll_hack::try_hack: cannot find section .text
ntdll_hack::try_hack: cannot read section .text
ntdll_hack::try_hack: bad section passed
ntdll_hack::try_hack: cannot read exports, error %d
%s channel hooks:
ChannelHook[%d]: %p (%p - %s) %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
ChannelHook[%d]: %p (%p) %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
MallocSpy: %p vtbl %p - %s
webclient
msiexec32
msiexec
tftp
ftp32
cmd32
ccmexec32
ccmexec
chrome
opera
firefox
Process PID %d raise dwwin PID %d
Cannot alloc new process PID %d %S
Cannot open svchost process PID %d, error %d
proc_list::read: CreateToolhelp32Snapshot failed with error %d
PID %d Parent PID %d service {%S} %S
PID %d Parent PID %d %S
PID %d Parent PID %d kind {%S} %S
read_service_exe_name(%S): cannot expand string %S
ExWindowStationOpenProcedureCallout
ExWindowStationParseProcedureCallout
ExWindowStationDeleteProcedureCallout
ExWindowStationCloseProcedureCallout
ExWindowStationOkToCloseProcedureCallout
read_w8_callout failed, len %d, returned %d bytes, error %d, ntstatus %X
read_w8_callout failed, len %d, returned %d bytes, error %d
PsWin32CallBack: %p %p %s
check_callouts: cannot alloc %X bytes (size %d)
check_callouts failed, error %d, status %X
check_callouts failed, error %d
Callouts (%d):
%s: %p %s
ark_check_callbacks: cannot read size of callbacks list, error %d, ntstatus %X
ark_check_callbacks: cannot read size of callbacks list, error %d
ark_check_callbacks: cannot read %d bytes (readed %d), error %d, ntstatus %X
ark_check_callbacks: cannot read %d bytes (readed %d), error %d
CB: %S, total %X:
%p (%s)
check_shutdown_callbacks: cannot read size of callbacks list, error %d, ntstatus %X
check_shutdown_callbacks: cannot read size of callbacks list, error %d
check_shutdown_callbacks: cannot read callbacks list of %s, error %d, ntstatus %X
check_shutdown_callbacks: cannot read callbacks list of %s, error %d
%s - %d:
FastIoUnlockAllByKey
MJ_CREATE_NAMED_PIPE
%s!%s.%s patched by %s, addr %p
%s!%s[%d] patched by %s, addr %p
Cannot open driver dumpfile %s, error %d
Cannot open kernel dumpfile %s, error %d
Cannot read driver %s, error %d
hal.dll
Shadow SDT: %p, limit %X
win32k.sys
Cannot relocate section %s.%s
Cannot alloc %X bytes for reading driver section %s.%s
Driver %s!%s has %X patched bytes !
.orig
.kmem
Cannot read driver section %s.%s (flags %X) at %p size %X readed %X, error %d, ntstatus %X
Cannot read driver section %s.%s (flags %X) at %p size %X readed %X, error %d
Cannot read kernel %s, error %d
ntoskrnl.exe
Cannot alloc %X bytes for reading kernel sections
Cannot relocate section %s
KernelSection %s rva %X, size %X, 0x%X relocs has 0x%X patched bytes !
Cannot read (whole) section %s (flags %X) at %p size %X (readed %X), error %d
\SystemRoot\system32\hal.dll
\SystemRoot\system32\halapic.dll
\SystemRoot\system32\halmps.dll
\SystemRoot\system32\halacpi.dll
\SystemRoot\system32\halaacpi.dll
\SystemRoot\system32\halmacpi.dll
%SystemRoot%\System32\hal.dll
halapic.dll
halmps.dll
halacpi.dll
halaacpi.dll
halmacpi.dll
Driver %S DrvObj %p:
DriverUnload patched by %s, addr %p
DriverStartIo patched by %s, addr %p
AddDevice patched by %s, addr %p
Handler %s patched by %s, addr %p
Handler %s patched, addr %p
Handler %d patched by %s, addr %p
Handler %d patched, addr %p
FastIOHandler %s patched by %s, addr %p
FastIOHandler %s patched, addr %p
FastIOHandler %d patched by %s, addr %p
FastIOHandler %d patched, addr %p
FS_FILTER_CALLBACKS %s patched by %s, addr %p
FS_FILTER_CALLBACKS %s patched, addr %p
FS_FILTER_CALLBACKS %d patched by %s, addr %p
FS_FILTER_CALLBACKS %d patched, addr %p
StartIo patched by %s, addr %p
read_fsmjxxx(%S): cannot make full driver name
read_fsmjxxx(%S) failed, error %d, ntstatus %X
read_fsmjxxx(%S) failed, error %d
read_mjxxx(%s): cannot make full driver name
read_mjxxx(%S) failed, error %d, ntstatus %X
read_mjxxx(%S) failed, error %d
Cannot alloc %X bytes for driver %s EAT checking
read_driver_eat %s failed, error %d, status %X
read_driver_eat %s failed, error %d
Export addr %s.%s patched by %s !
Export addr %s.%s patched !
Export addr %s.%d patched by %s !
Export addr %s.%d patched!
\hal.dll
\SystemRoot\system32\drivers\ndis.sys
ndis.sys
drivers\ndis.sys
\SystemRoot\system32\DRIVERS\tdi.sys
tdi.sys
drivers\tdi.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
tcpip.sys
drivers\tcpip.sys
\SystemRoot\system32\DRIVERS\netio.sys
netio.sys
drivers\netio.sys
\SystemRoot\system32\DRIVERS\fltmgr.sys
fltmgr.sys
drivers\fltmgr.sys
\SystemRoot\system32\DRIVERS\ks.sys
ks.sys
drivers\ks.sys
\SystemRoot\system32\DRIVERS\dxg.sys
drivers\dxg.sys
\SystemRoot\system32\DRIVERS\dxgkrnl.sys
drivers\dxgkrnl.sys
\SystemRoot\system32\DRIVERS\watchdog.sys
drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\ksecdd.sys
ksecdd.sys
drivers\ksecdd.sys
\SystemRoot\System32\Drivers\Ntfs.sys
ntfs.sys
\SystemRoot\system32\CLFS.SYS
CLFS.SYS
\SystemRoot\system32\drivers\ataport.sys
ataport.sys
\SystemRoot\system32\drivers\atapi.sys
atapi.sys
\SystemRoot\system32\drivers\peauth.sys
peauth.sys
\SystemRoot\system32\drivers\WDFLDR.sys
WDFLDR.sys
\SystemRoot\system32\drivers\usbstor.sys
usbstor.sys
\SystemRoot\system32\drivers\usbd.sys
usbd.sys
\SystemRoot\system32\drivers\USBPORT.sys
USBPORT.sys
\SystemRoot\system32\drivers\usbohci.sys
usbohci.sys
\SystemRoot\system32\drivers\usbehci.sys
usbehci.sys
\SystemRoot\system32\drivers\usbhub.sys
usbhub.sys
\SystemRoot\system32\drivers\usbccgp.sys
usbccgp.sys
\SystemRoot\system32\drivers\discache.sys
discache.sys
\SystemRoot\system32\drivers\termdd.sys
termdd.sys
\SystemRoot\system32\drivers\rdppr.sys
rdppr.sys
\SystemRoot\system32\drivers\mssmbios.sys
mssmbios.sys
\SystemRoot\system32\drivers\1394BUS.SYS
1394BUS.SYS
\SystemRoot\system32\drivers\BATTC.SYS
BATTC.SYS
\SystemRoot\system32\drivers\bthport.sys
bthport.sys
\SystemRoot\system32\drivers\drmk.sys
drmk.sys
\SystemRoot\system32\drivers\HIDPARSE.SYS
HIDPARSE.SYS
\SystemRoot\system32\drivers\HIDCLASS.SYS
HIDCLASS.SYS
\SystemRoot\system32\drivers\msiscsi.sys
msiscsi.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
PCIIDEX.SYS
\SystemRoot\system32\drivers\portcls.sys
portcls.sys
\SystemRoot\system32\drivers\smsmdm.sys
smsmdm.sys
\SystemRoot\system32\drivers\STREAM.SYS
STREAM.SYS
\SystemRoot\system32\drivers\vga.sys
vga.sys
\SystemRoot\system32\drivers\VIDEOPRT.SYS
VIDEOPRT.SYS
\SystemRoot\system32\drivers\vmstorfl.sys
vmstorfl.sys
\SystemRoot\system32\drivers\Dxapi.sys
Dxapi.sys
\SystemRoot\system32\drivers\dxgthk.sys
dxgthk.sys
\SystemRoot\system32\drivers\dxgmms1.sys
dxgmms1.sys
\SystemRoot\system32\drivers\spsys.sys
spsys.sys
\SystemRoot\system32\drivers\winhv.sys
winhv.sys
\SystemRoot\system32\drivers\HdAudio.sys
HdAudio.sys
\SystemRoot\System32\cdd.dll
cdd.dll
\SystemRoot\System32\ATMFD.DLL
ATMFD.DLL
\SystemRoot\System32\RDPDD.dll
RDPDD.dll
\SystemRoot\system32\drivers\vwifibus.sys
vwifibus.sys
\SystemRoot\system32\drivers\nwifi.sys
nwifi.sys
\SystemRoot\system32\drivers\vwififlt.sys
vwififlt.sys
\SystemRoot\system32\drivers\wfplwf.sys
wfplwf.sys
\SystemRoot\system32\drivers\wfplwfs.sys
wfplwfs.sys
\SystemRoot\system32\drivers\tmtdi.sys
tmtdi.sys
\SystemRoot\system32\drivers\netvsc60.sys
netvsc60.sys
\SystemRoot\system32\drivers\mslldp.sys
mslldp.sys
\SystemRoot\system32\drivers\netvsc63.sys
netvsc63.sys
\SystemRoot\system32\drivers\ndiscap.sys
ndiscap.sys
\SystemRoot\system32\drivers\agilevpn.sys
agilevpn.sys
\SystemRoot\system32\drivers\asyncmac.sys
asyncmac.sys
\SystemRoot\system32\drivers\mpsdrv.sys
mpsdrv.sys
\SystemRoot\system32\drivers\rspndr.sys
rspndr.sys
\SystemRoot\system32\drivers\ndisuio.sys
ndisuio.sys
\SystemRoot\system32\drivers\lltdio.sys
lltdio.sys
\SystemRoot\system32\drivers\NDProxy.sys
NDProxy.sys
\SystemRoot\system32\drivers\raspppoe.sys
raspppoe.sys
\SystemRoot\system32\drivers\ndiswan.sys
ndiswan.sys
\SystemRoot\system32\drivers\wanarp.sys
wanarp.sys
\SystemRoot\system32\drivers\bthpan.sys
bthpan.sys
\SystemRoot\system32\drivers\rassstp.sys
rassstp.sys
\SystemRoot\system32\drivers\raspptp.sys
raspptp.sys
\SystemRoot\system32\drivers\rasl2tp.sys
rasl2tp.sys
\SystemRoot\system32\drivers\rasacd.sys
rasacd.sys
\SystemRoot\system32\drivers\tunnel.sys
tunnel.sys
\SystemRoot\system32\drivers\tunmp.sys
tunmp.sys
\SystemRoot\system32\drivers\pacer.sys
pacer.sys
\SystemRoot\system32\drivers\NDISTAPI.SYS
NDISTAPI.SYS
\SystemRoot\system32\drivers\msgpc.sys
msgpc.sys
\SystemRoot\system32\drivers\partmgr.sys
partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
volmgr.sys
\SystemRoot\system32\drivers\volmgrx.sys
volmgrx.sys
\SystemRoot\system32\drivers\mountmgr.sys
mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
iaStor.sys
\SystemRoot\system32\drivers\volsnap.sys
volsnap.sys
\SystemRoot\system32\drivers\ACPI.sys
acpi.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
WppRecorder.sys
\SystemRoot\System32\Drivers\Mouclass.sys
Mouclass.sys
\SystemRoot\System32\Drivers\kbdclass.sys
kbdclass.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
Fastfat.sys
\SystemRoot\System32\Drivers\bowser.sys
bowser.sys
\SystemRoot\System32\Drivers\rdbss.sys
rdbss.sys
\SystemRoot\System32\Drivers\msfs.sys
msfs.sys
\SystemRoot\System32\Drivers\NetBIOS.sys
NetBIOS.sys
\SystemRoot\System32\Drivers\mup.sys
mup.sys
\SystemRoot\System32\Drivers\dfs.sys
dfs.sys
\SystemRoot\System32\Drivers\dfsc.sys
dfsc.sys
\SystemRoot\System32\Drivers\npfs.SYS
npfs.sys
\SystemRoot\System32\Drivers\luafv.SYS
luafv.sys
\SystemRoot\System32\Drivers\MRxSmb.SYS
MRxSmb.sys
\SystemRoot\System32\Drivers\MRxSmb10.SYS
MRxSmb10.sys
\SystemRoot\System32\Drivers\MRxSmb20.SYS
MRxSmb20.sys
\SystemRoot\System32\Drivers\MRxDAV.SYS
MRxDAV.sys
\SystemRoot\system32\Drivers\fltmgr.sys
\SystemRoot\system32\Drivers\TDI.SYS
\SystemRoot\system32\Drivers\tdx.sys
\SystemRoot\system32\Drivers\ipfltdrv.sys
\SystemRoot\system32\Drivers\tcpip.sys
\SystemRoot\System32\drivers\afd.sys
afd.sys
\SystemRoot\System32\drivers\netbt.sys
\SystemRoot\System32\drivers\NETIO.sys
\SystemRoot\System32\drivers\srv.sys
srv.sys
\SystemRoot\System32\drivers\srv2.sys
srv2.sys
\SystemRoot\System32\drivers\srvnet.sys
\SystemRoot\System32\drivers\sr.sys
sr.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\http.sys
http.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\msrpc.sys
msrpc.sys
\SystemRoot\system32\DRIVERS\disk.sys
disk.sys
\SystemRoot\system32\DRIVERS\ftdisk.sys
ftdisk.sys
\SystemRoot\system32\DRIVERS\Storport.SYS
Storport.SYS
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
CLASSPNP.SYS
\SystemRoot\system32\Drivers\ks.sys
\SystemRoot\System32\Drivers\ksecdd.sys
ksecdd.SYS
\SystemRoot\system32\kdcom.dll
kdcom.dll
\SystemRoot\System32\Drivers\cng.sys
cng.sys
\SystemRoot\system32\PSHED.dll
PSHED.dll
\SystemRoot\system32\CI.dll
CI.dll
\SystemRoot\system32\DRIVERS\WMILIB.SYS
wmilib.sys
Cannot find %s for IAT resolving of %s
Cannot alloc %X bytes for drivers IAT checking
Cannot find %s import %s.%s
Cannot find %s import %s.%d
IAT %s %s.%s patched, addr %p
IAT %s %s.%d patched, addr %p
IAT %s %s.%s patched by %s, addr %p
IAT %s %s.%d patched by %s, addr %p
%s has %d patched IAT entries (total %d)
reading of IAT %s failed, readed %X, actual IAT size %X, error %d
check_exts count failed, error %d, ntstatus %X
check_exts count failed, error %d
check_exts: cannot alloc %X bytes
check_exts failed, error %d, ntstatus %X
check_exts failed, error %d
Ext[%X]:
Handler1: %p %s
Handler2: %p %s
Handler3: %p %s
Table: %X items %p %s
Item[%X]: %p %s
IRP_MJ_CREATE_NAMED_PIPE
Unknown fltmgr: FrameList %X FilterSize %X cbn %X
Unknown fltmgr: FrameList %X FilterSize %X
FltMgr: index %d
FRAME[%d] %p
%s: %p
NormalizeNameComponent: %p %s
NormalizeContextCleanup: %p %s
PreOperation: %p %s
PostOperation: %p %s
check_ks: cannot read size of ks list, error %d, ntstatus %X
check_ks: cannot read size of ks list, error %d
ks count: %X
check_ks: cannot alloc %X bytes
check_ks: cannot read ks list, error %d, ntstatus %X
check_ks: cannot read ks list, error %d
ks[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
ChangeAccountPassword
ImportSecurityContext
ExportSecurityContext
gKsecpBCryptExtension: %p %s
gKsecpSslExtension: %p %s
SecTable.%s patched %p %s
dxg.sys
dxgkrnl.sys
Win32kCallout: %p %s
SessionStartCallout: %p %s
KTIMER %p DPC %p DefRoutine %p %s
Cannot find KPRCB.DpcRoutineActive
Unknown KPRCB: DpcRoutineActive %X WorkerRoutine %X
Unknown KPRCB: DpcRoutineActive %X
Processor %d:
KTIMERS[%d]: %X
Patched %s   %X by %s
Patched ord.%d   %X by %s
Patched %s   %X
Patched ord.%d   %X
Patched %s by %s
Patched ord.%d by %s
Patched %s
Patched ord.%d
Exception %X occured during EAT checking of %s
check_module_iat(%s) - cannot find exports for %s
check_module_iat(%s): zeroed ImportLookUp, cannot check import
Cannot find ordinal %X in module %s (%s) in import table of %s
Cannot find symbol %s in module %s (%s) in import table of %s
(%s) %s.%s hooked in %s: my IAT %p, must be %p
(%s) %s.%d hooked in %s: my IAT %p, must be %p
apfn %s patched by %s, addr %p
apfn[%d] patched by %s, addr %p
apfn %s patched, addr %p
apfn[%d] patched, addr %p
%s%s!%s patched by %s, addr %p
%s%s![%d] patched by %s, addr %p
%s%s!%s patched, addr %p
%s%s![%d] patched, addr %p
LSA SP %s has %d patched functions in SECPKG_FUNCTION_TABLE:
PID %d: LSA SP %s has %d patched functions in SECPKG_USER_FUNCTION_TABLE:
PID %d: LSA SP %s has %d patched functions in CallPackageDispatch:
ole32 hooked by %s
Cannot relocate section %s!%s
Exception %X occured on checking %s!%s
Module %s!%s has %X patched bytes !
Exception %X occured on check_module_iat(%s)
MyModule: %p %s
%SystemRoot%\System32\ncrypt.dll
%SystemRoot%\System32\ntdsa.dll
%SystemRoot%\System32\kernelbase.dll
%SystemRoot%\System32\kernel32.dll
%SystemRoot%\System32\user32.dll
%SystemRoot%\System32\umpnpmgr.dll
%SystemRoot%\System32\combase.dll
%SystemRoot%\System32\ole32.dll
%SystemRoot%\System32\imm32.dll
%SystemRoot%\System32\rpcrt4.dll
%SystemRoot%\System32\mswsock.dll
%SystemRoot%\System32\advapi32.dll
%SystemRoot%\System32\cryptbase.dll
%SystemRoot%\System32\apisetschema.dll
read_ndis_oid_handlers failed, returned %d bytes, error %d, ntstatus %X
read_ndis_oid_handlers failed, returned %d bytes, error %d
[%X] %s: post %p %s
[%X] %s: pre %p %s
[%X] %s: pre %p (%s) post %p (%s)
[%X] %X: post %p %s
[%X] %X: pre %p %s
[%X] %X: pre %p (%s) post %p (%s)
read_tcp_off_handlers failed, returned %d bytes, error %d, ntstatus %X
read_tcp_off_handlers failed, returned %d bytes, error %d
TcpOfflineHandlers:
TcpOffloadEventIndicate: %p %s
TcpOffloadReceiveIndicate: %p %s
TcpOffloadSendComplete: %p %s
TcpOffloadReceiveComplete: %p %s
TcpOffloadDisconnectComplete: %p %s
TcpOffloadForwardComplete: %p %s
Cannot alloc %X bytes from reading filter block
read_ndis_filter_block: len %d, returned %d bytes, error %d, ntstatus %X
read_ndis_filter_block: len %d, returned %d bytes, error %d
check_ndis - reading of TDI callback failed, error %d, ntstatus %X
check_ndis - reading of TDI callback failed, error %d
check_ndis - reading of TDI PnP handler failed, error %d, ntstatus %X
check_ndis - reading of TDI PnP handler failed, error %d
TDI callback %p patched by %s
TDI PnP handler %p patched by %s
check_ndis - reading of providers count failed, error %d, ntstatus %X
check_ndis - reading of providers count failed, error %d
check_ndis: %d providers
check_ndis: cannot alloc %X bytes
Cannot store provider_block %p (%d)
check_ndis: stored %d provider_blocks
check_ndis - reading of interfaces count failed, error %d, ntstatus %X
check_ndis - reading of interfaces count failed, error %d
check_ndis: %d interfaces, size of miniport %X
Interface[%d]:
check_ndis - reading of protocols count failed, error %d, ntstatus %X
check_ndis - reading of protocols count failed, error %d
check_ndis: %d protocols, size of protocol %X
check_ndis: stored %d protocols
check_ndis - reading of minidrivers count failed, error %d, ntstatus %X
check_ndis - reading of minidrivers count failed, error %d
check_ndis: %d minidrivers, size of minidriver %X, sizeof(ndis50) %X, sizeof(ndis52) %X
Cannot store minidriver %d (%p)
Stored %d mini-drivers
check_ndis - reading of miniports count failed, error %d, ntstatus %X
check_ndis - reading of miniports count failed, error %d
check_ndis: %d miniports, size of miniport %X
check_ndis: read %d miniports, total %X
Miniport[%d] %p:
check_ndis: stored %d miniports, sizeof(miniport_block_w7) %X
check_ndis - reading of open_blocks count failed, error %d, ntstatus %X
check_ndis - reading of open_blocks count failed, error %d
check_ndis: %d open_blocks, size of open_block %X
check_ndis: read %d open_blocks, total %X
Open_Block[%d]:
Cannot store open_block %p (%d)
check_ndis: stored %d open_blocks
check_ndis - reading of filter_drivers count failed, error %d, ntstatus %X
check_ndis - reading of filter_drivers count failed, error %d
check_ndis: %d filter_drivers, size of open_block %X
check_ndis: read %d filter_drivers, total %X
FilterDriver[%d]:
check_ndis: stored %d filter_drivers, %d filter_blocks
Passive
read_punicode_string failed, len %d, returned %d bytes, error %d, ntstatus %X
read_punicode_string failed, len %d, returned %d bytes, error %d
Cannot read NDIS_MINIPORT_INTERRUPT %p
NDIS_MINIPORT_INTERRUPT:
MiniportIsr: %p %s
MiniportDpc: %p %s
Cannot read NDIS_MINIPORT_INTERRUPT_CHARACTERISTICS %p
NDIS_MINIPORT_INTERRUPT_CHARACTERISTICS:
InterruptHandler: %p %s
InterruptDpcHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
MessageInterruptHandler: %p %s
MessageInterruptDpcHandler: %p %s
DisableMessageInterruptHandler: %p %s
EnableMessageInterruptHandler: %p %s
MiniportIsr: %p %s
MiniportDpc: %p %s
MiniportMessageIsr: %p %s
MiniportMessageInterruptDpc: %p %s
MiniportIsr: %p %s
MiniportDpc: %p %s
MiniportEnableInterrupt: %p %s
MiniportDisableInterrupt: %p %s
MiniportMessageIsr: %p %s
MiniportMessageInterruptDpc: %p %s
MiniportDisableMessageInterrupt: %p %s
MiniportEnableMessageInterrupt: %p %s
NDIS Protocol[%d]: %S
MajorNdisVersion %d
MinorNdisVersion %d
Flags %X
OpenAdapterCompleteHandler: %p %s
CloseAdapterCompleteHandler: %p %s
SendCompleteHandler: %p %s
TransferDataCompleteHandler: %p %s
ResetCompleteHandler: %p %s
RequestCompleteHandler: %p %s
ReceiveHandler: %p %s
ReceiveCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
ReceivePacketHandler: %p %s
BindAdapterHandler: %p %s
UnbindAdapterHandler: %p %s
PnPEventHandler: %p %s
UnloadHandler: %p %s
CoSendCompleteHandler: %p %s
CoStatusHandler: %p %s
CoReceivePacketHandler: %p %s
CoAfRegisterNotifyHandler: %p %s
MajorNdisVersion %d
MinorNdisVersion %d
MajorDriverVersion %d
MinorDriverVersion %d
Flags %X
IsIPv4 %d
IsIPv6 %d
IsNdisTest6 %d
BindAdapterHandlerEx: %p %s
UnbindAdapterHandlerEx: %p %s
OpenAdapterCompleteHandlerEx: %p %s
CloseAdapterCompleteHandlerEx: %p %s
PnPEventHandler: %p %s
UnloadHandler: %p %s
UninstallHandler: %p %s
RequestCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
ReceiveNetBufferListsHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
CoStatusHandler: %p %s
CoAfRegisterNotifyHandler: %p %s
CoReceiveNetBufferListsHandler: %p %s
CoSendNetBufferListsCompleteHandler: %p %s
OpenAdapterCompleteHandler: %p %s
CloseAdapterCompleteHandler: %p %s
SendCompleteHandler: %p %s
TransferDataCompleteHandler: %p %s
ResetCompleteHandler: %p %s
ReceiveHandler: %p %s
ReceiveCompleteHandler: %p %s
ReceivePacketHandler: %p %s
BindAdapterHandler: %p %s
UnbindAdapterHandler: %p %s
CoSendCompleteHandler: %p %s
CoReceivePacketHandler: %p %s
OidRequestCompleteHandler: %p %s
InitiateOffloadCompleteHandler: %p %s
TerminateOffloadCompleteHandler: %p %s
UpdateOffloadCompleteHandler: %p %s
InvalidateOffloadCompleteHandler: %p %s
QueryOffloadCompleteHandler: %p %s
IndicateOffloadEventHandler: %p %s
TcpOffloadSendCompleteHandler: %p %s
TcpOffloadReceiveCompleteHandler: %p %s
TcpOffloadDisconnectCompleteHandler: %p %s
TcpOffloadForwardCompleteHandler: %p %s
TcpOffloadEventHandler: %p %s
TcpOffloadReceiveIndicateHandler: %p %s
Unknown NDIS Type %X and Size %X
DirectOidRequestCompleteHandler: %p %s
AllocateSharedMemoryHandler: %p %s
FreeSharedMemoryHandler: %p %s
Unknown ndis protocol size: %X
NDIS MiniDriver[%d] %p
MajorNdisVersion: %d
MinorNdisVersion: %d
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CancelSendPacketsHandler: %p %s
PnPEventNotifyHandler: %p %s
AdapterShutdownHandler: %p %s
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CancelSendPacketsHandler: %p %s
PnPEventNotifyHandler: %p %s
AdapterShutdownHandler: %p %s
ISRHandlerEx: %p %s
HandleInterruptHandlerEx: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
ReturnPacketsHandlerEx: %p %s
RequestTimeoutDpcHandler: %p %s
MajorNdisVersion: %d
MinorNdisVersion: %d
MajorDriverVersion: %d
MinorDriverVersion: %d
Flags: %X
SetOptionsHandler: %p %s
InitializeHandlerEx: %p %s
HaltHandlerEx: %p %s
UnloadHandler: %p %s
PauseHandler: %p %s
RestartHandler: %p %s
OidRequestHandler: %p %s
SendNetBufferListsHandler: %p %s
ReturnNetBufferListsHandler: %p %s
CancelSendHandler: %p %s
CheckForHangHandlerEx: %p %s
ResetHandlerEx: %p %s
DevicePnPEventNotifyHandler: %p %s
ShutdownHandlerEx: %p %s
CancelOidRequestHandler: %p %s
DirectOidRequestHandler: %p %s
CancelDirectOidRequestHandler: %p %s
NDIS MiniPort[%d] %p
State: %s
MediaType: %s
AdapterType: %s
DefaultSendAuthorizationState: %s
DefaultRcvAuthorizationState: %s
DefaultPortSendAuthorizationState: %s
DefaultPortRcvAuthorizationState: %s
NextCancelSendNetBufferListsHandler: %p %s
PacketIndicateHandler: %p %s
SendCompleteHandler: %p %s
SendResourcesHandler: %p %s
ResetCompleteHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
SendPacketsHandler: %p %s
DeferredSendHandler: %p %s
EthRxIndicateHandler: %p %s
NextSendNetBufferListsHandler: %p %s
EthRxCompleteHandler: %p %s
SavedNextSendNetBufferListsHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
TDCompleteHandler: %p %s
QueryCompleteHandler: %p %s
SetCompleteHandler: %p %s
WanSendCompleteHandler: %p %s
WanRcvHandler: %p %s
WanRcvCompleteHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
WSendPacketsHandler: %p %s
NextSendPacketsHandler: %p %s
FinalSendPacketsHandler: %p %s
TopIndicateNetBufferListsHandler: %p %s
TopIndicateLoopbackNetBufferListsHandler: %p %s
Ndis5PacketIndicateHandler: %p %s
MiniportReturnPacketHandler: %p %s
SynchronousReturnPacketHandler: %p %s
TopNdis5PacketIndicateHandler: %p %s
AllocateSharedMemoryHandler: %p %s
FreeSharedMemoryHandler: %p %s
SetBusData: %p %s
GetBusData: %p %s
NoFilter.CancelSendHandler %p %s
NoFilter.SendNetBufferListsCompleteHandler %p %s
NoFilter.IndicateNetBufferListsHandler %p %s
NoFilter.SaveIndicateNetBufferListsHandler %p %s
NoFilter.ReturnNetBufferListsHandler %p %s
NoFilter.SendNetBufferListsHandler %p %s
Next.CancelSendHandler %p %s
Next.SendNetBufferListsCompleteHandler %p %s
Next.IndicateNetBufferListsHandler %p %s
Next.SaveIndicateNetBufferListsHandler %p %s
Next.ReturnNetBufferListsHandler %p %s
Next.SendNetBufferListsHandler %p %s
Name: %S
BaseName: %S
SymbolicLinkName: %S
NextCancelSendNetBufferListsHandler %p %s
TrRxIndicateHandler: %p %s
TrRxCompleteHandler: %p %s
IndicateNetBufferListsHandler: %p %s
NextReturnNetBufferLists: %p %s
SavedIndicateNetBufferListsHandler: %p %s
SavedPacketIndicateHandler: %p %s
ShutdownHandler: %p %s
NDIS MiniPort[%d] %S
BusType: %s
PacketIndicateHandler: %p %s
SendCompleteHandler: %p %s
SendResourcesHandler: %p %s
ResetCompleteHandler: %p %s
DeferredSendHandler: %p %s
EthRxIndicateHandler: %p %s
TrRxIndicateHandler: %p %s
FddiRxIndicateHandler: %p %s
EthRxCompleteHandler: %p %s
TrRxCompleteHandler: %p %s
FddiRxCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
TDCompleteHandler: %p %s
QueryCompleteHandler: %p %s
SetCompleteHandler: %p %s
WanSendCompleteHandler: %p %s
WanRcvHandler: %p %s
WanRcvCompleteHandler: %p %s
AdapterInstanceName: %S
OpenBlock [%d] %p
RootName: %S
BindName: %S
ProtocolMajorVersion: %X
NextSendHandler: %p %s
NextReturnNetBufferListsHandler: %p %s
SendHandler: %p %s
TransferDataHandler: %p %s
WanReceiveHandler: %p %s
SendPacketsHandler: %p %s
ResetHandler: %p %s
RequestHandler: %p %s
OidRequestHandler: %p %s
WSendHandler: %p %s
WTransferDataHandler: %p %s
WSendPacketsHandler: %p %s
CancelSendPacketsHandler: %p %s
ProtSendNetBufferListsComplete: %p %s
NextSendNetBufferListsComplete: %p %s
ReceiveNetBufferLists: %p %s
SavedSendNBLHandler: %p %s
SavedSendPacketsHandler: %p %s
SavedCancelSendPacketsHandler: %p %s
SavedSendHandler: %p %s
Ndis5WanSendHandler: %p %s
ProtSendCompleteHandler: %p %s
OidRequestCompleteHandler %p %s
OpenFlags: %X
DirectOidRequestHandler: %p %s
RootName: %S
BindName: %S
Flags: %X
SendHandler: %p %s
WanSendHandler: %p %s
TransferDataHandler: %p %s
WanReceiveHandler: %p %s
SendPacketsHandler: %p %s
ResetHandler: %p %s
RequestHandler: %p %s
WSendHandler: %p %s
WTransferDataHandler: %p %s
WSendPacketsHandler: %p %s
CancelSendPacketsHandler: %p %s
Flags %X
Mtu %X
PromiscuousMode %d
AccessType %s
DirectionType %s
ConnectionType %s
MediaType %s
MediaConnectState %s
AdminStatus %s
OperStatus %s
InterfaceGuid %s
NetworkGuid %s
ifIndex %X
ifDescr %S
ifAlias %S
FilterDriverCharacteristics[%d]:
FriendlyName: %S
UniqueName: %S
ServiceName: %S
SetOptionsHandler: %p %s
SetFilterModuleOptionsHandler: %p %s
AttachHandler: %p %s
DetachHandler: %p %s
RestartHandler: %p %s
PauseHandler: %p %s
SendNetBufferListsHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
CancelSendNetBufferListsHandler: %p %s
ReceiveNetBufferListsHandler: %p %s
ReturnNetBufferListsHandler: %p %s
OidRequestHandler: %p %s
OidRequestCompleteHandler: %p %s
CancelOidRequestHandler: %p %s
DevicePnPEventNotifyHandler: %p %s
NetPnPEventHandler: %p %s
StatusHandler: %p %s
DirectOidRequestHandler: %p %s
DirectOidRequestCompleteHandler: %p %s
CancelDirectOidRequestHandler: %p %s
InterfaceGuid: %s
FilterState: %s
NextSendNetBufferListsHandler: %p %s
NextSendNetBufferListsCompleteHandler: %p %s
NextIndicateReceiveNetBufferListsHandler: %p %s
NextReturnNetBufferListsHandler: %p %s
NextCancelSendNetBufferListsHandler: %p %s
SetFilterModuleOptionalHandlers: %p %s
OidRequestHandler: %p %s
OidRequestCompleteHandler: %p %s
CancelRequestHandler: %p %s
DevicePnPEventNotifyHandler: %p %s
NetPnPEventHandler: %p %s
StatusHandler: %p %s
FilterSendNetBufferListsHandler: %p %s
FilterIndicateReceiveNetBufferListsHandler: %p %s
FilterCancelSendNetBufferListsHandler: %p %s
InitiateOffloadCompleteHandler: %p %s
TerminateOffloadCompleteHandler: %p %s
UpdateOffloadCompleteHandler: %p %s
InvalidateOffloadCompleteHandler: %p %s
QueryOffloadCompleteHandler: %p %s
IndicateOffloadEventHandler: %p %s
TcpOffloadSendCompleteHandler: %p %s
TcpOffloadReceiveCompleteHandler: %p %s
TcpOffloadDisconnectCompleteHandler: %p %s
TcpOffloadForwardCompleteHandler: %p %s
TcpOffloadEventHandler: %p %s
TcpOffloadReceiveIndicateHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
DirectOidRequestHandler: %p %s
DirectOidRequestCompleteHandler: %p %s
CancelDirectOidRequestHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
Provider[%d]: %p
QueryObjectHandler: %p %s
SetObjectHandler: %p %s
FilterDriverBlock[%d]
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
ClCreateVcHandler: %p %s
ClDeleteVcHandler: %p %s
ClOidRequestHandler: %p %s
ClOidRequestCompleteHandler: %p %s
ClOpenAfCompleteHandlerEx: %p %s
ClCloseAfCompleteHandler: %p %s
ClRegisterSapCompleteHandler: %p %s
ClDeregisterSapCompleteHandler: %p %s
ClMakeCallCompleteHandler: %p %s
ClModifyCallQoSCompleteHandler: %p %s
ClCloseCallCompleteHandler: %p %s
ClAddPartyCompleteHandler: %p %s
ClDropPartyCompleteHandler: %p %s
ClIncomingCallHandler: %p %s
ClIncomingCallQoSChangeHandler: %p %s
ClIncomingCloseCallHandler: %p %s
ClIncomingDropPartyHandler: %p %s
ClCallConnectedHandler: %p %s
ClNotifyCloseAfHandler: %p %s
CmCreateVcHandler: %p %s
CmDeleteVcHandler: %p %s
CmOpenAfHandler: %p %s
CmCloseAfHandler: %p %s
CmRegisterSapHandler: %p %s
CmDeregisterSapHandler: %p %s
CmMakeCallHandler: %p %s
CmCloseCallHandler: %p %s
CmIncomingCallCompleteHandler: %p %s
CmAddPartyHandler: %p %s
CmDropPartyHandler: %p %s
CmActivateVcCompleteHandler: %p %s
CmDeactivateVcCompleteHandler: %p %s
CmModifyCallQoSHandler: %p %s
CmOidRequestHandler: %p %s
CmOidRequestCompleteHandler: %p %s
CmNotifyCloseAfCompleteHandler: %p %s
DriverVersion: %X
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendNetBufferListsHandler: %p %s
CoRequestHandler: %p %s
CoOidRequestHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
AddDeviceHandler: %p %s
RemoveDeviceHandler: %p %s
FilterResourceRequirementsHandler: %p %s
StartDeviceHandler: %p %s
ServiceName: %S
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendNetBufferListsHandler: %p %s
CoRequestHandler: %p %s
CoOidRequestHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
AddDeviceHandler: %p %s
RemoveDeviceHandler: %p %s
FilterResourceRequirementsHandler: %p %s
StartDeviceHandler: %p %s
OpenNDKAdapterHandler: %p %s
CloseNDKAdapterHandler: %p %s
IdleNotificationHandler: %p %s
CancelIdleNotificationHandler: %p %s
AllocateNetBufferListForwardingContextHandler: %p %s
FreeNetBufferListForwardingContextHandler: %p %s
AddNetBufferListDestinationHandler: %p %s
SetNetBufferListSourceHandler: %p %s
GrowNetBufferListDestinationsHandler: %p %s
GetNetBufferListDestinationsHandler: %p %s
UpdateNetBufferListDestinationsHandler: %p %s
CopyNetBufferListInfoHandler: %p %s
ReferenceSwitchNicHandler: %p %s
DereferenceSwitchNicHandler: %p %s
ReferenceSwitchPortHandler: %p %s
DereferenceSwitchPortHandler: %p %s
ReportFilteredNetBufferListsHandler: %p %s
ImageName: %S
SetNetBufferListSwitchContextHandler: %p %s
GetNetBufferListSwitchContextHandler: %p %s
netio legacy handler %p %s
read netio legacy handler failed, error %d, status %X
read netio legacy handler failed, error %d
%p %s
read netio WfpNblInfoDispTable failed, error %d, status %X
read netio WfpNblInfoDispTable failed, error %d
netio MacShim %p %s
WfpShim[%d] %p %s
Unknown WFP callout size %d
WFP callout[%d]:
ClassifyCallback: %p %s
NotifyCallback: %p %s
uFlowDeleteFunction: %p %s
Exception %X on sysptr seed reading at %p
Decode system scheme - %s
Decode scheme - %s
Cannot read my process cookie, error %X
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X (%p) %s
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X %p
SystemFunction%3.3d (%p) %s
PFNCLIENT.%s patched by %s (%p)
PFNCLIENT.%s patched %p
check_user32_pfnclient: exception %X occured
PFNCLIENTWORKER.%s patched by %s (%p)
PFNCLIENTWORKER.%s patched %p
ConsoleCtrlHandler[%d]: %s (%p)
ConsoleCtrlHandler[%d]: %p UNKNOWN
ConsoleCtrlHandler: %s (%p)
UnhandledExceptionFilter: %s (%p)
ShimModule: %s (%p)
RtlpStartThreadFunc: %s (%p)
RtlpExitThreadFunc: %s (%p)
RtlpUnhandledExceptionFilter: %s (%p)
RtlSecureMemoryCacheCallback: %s (%p)
TppLogpRoutine: %s (%p)
CsrServerApiRoutine: %s (%p)
LdrpManifestProberRoutine: %s (%p)
LdrpCreateActCtxLanguage: %s (%p)
LdrpReleaseActCtx: %s (%p)
LdrpAppCompatDllRedirectionCallbackFunction: %s (%p)
%s%s!%s patched by %s (addr %p)
%s%s.%d patched by %s (addr %p)
%s%s.%d patched, addr %p
PID %d trace callbacks: %d
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X %p %s
Process PID %d has the same token as system process: %p !!!
Process PID %d token: %p
%p %s %8X
%p %s %8X
CheckProc: cannot get modules list for PID %d (%S), error %d, ntstatus %X
CheckProc: cannot get modules list for PID %d (%S), error %d
CheckProcess PID %d (%S):
PEB.PostProcessInitRoutine: %p %s
PEB.PostProcessInitRoutine: %p UNKNOWN
PEB.pShimData: %p
PEB.AppCompat: %p
PEB.FastPebLockRoutine: %p %s
PEB.FastPebLockRoutine: %p UNKNOWN
PEB.FastPebUnlockRoutine: %p %s
PEB.FastPebUnlockRoutine: %p UNKNOWN
Module: %s at %p
Cannot read %s, PID %d, error %d
PID %d: LSA SP %s has %d patched functions in SECPKG_FUNCTION_TABLE:
PID %d: ncrypt has %d patched functions
PID %d: mswsock has %d patched functions in SockProcTable
PID %d: mswsock has %d patched functions in NspVector
PID %d: mswsock has %d patched MSAFD functions
SHAREDINFO.aheList: %p
PID %d: ntdsa has %d patched functions
PID %d - ole32 hooked by %s
PID %d - ole32 hooked by unknown module, addr %p
PID %d: rpcrt4 has %d patched functions
PID %d: basesrv has %d patched user functions
PID %d: winsrv has %d patched user functions
PID %d: winsrv has %d patched cons functions
PID %d: lsasrv has %d patched functions
PID %d: lsasrv has %d patched functions in LsapSspiExtension
PID %d: lsasrv has %d patched functions in LsapLookupExtension
PID %d: lsasrv has %d patched functions in LsapLsasrvIfTable
Cannot alloc %X bytes for EAT checking of %s, PID %d
Cannot read EAT of %s, PID %d
Cannot alloc %X bytes for checking section %s of %s, PID %d
Cannot read section %s content %X bytes of %s, PID %d
Cannot make section %s of %s, PID %d
Module %s section %s has %X patched bytes, PID %d
PID %d: user32 has %d patched imm32 functions
PID %d: advapi32 has %d patched functions
PID %d: kernel32 has %d patched functions
ShimHandler[%d]: %p %s
ShimHandler[%d]: %p UNKNOWN, located at %p
ApplicationRecoveryCallback: %s (%p)
%s, PID %d:
Cannot alloc %X bytes for IAT checking of %s, PID %d
Cannot read IAT (size %X at %p) of %s, PID %d
Cannot find function %s.%s for module %s process %d
Cannot find function %s.%d for module %s process %d
IAT Patched %s.%s in module %s process %d by %s
IAT Patched %s.%s in module %s process %d, addr %p
IAT Patched %s.%d in module %s process %d by %s
IAT Patched %s.%d in module %s process %d
Cannot alloc %X bytes for delayed IAT checking of %s, PID %d
Cannot read delayed IAT (size %X at %p) of %s, PID %d
Cannot find delayed function %s.%s for module %s process %d
Cannot find delayed function %s.%d for module %s process %d
LdrpDllNotificationList: %d
%p %s
Read %d QueuedWorkerItems:
[%d] %p %s
check_drivers_reinit: cannot read size of list, error %d, status %X
check_drivers_reinit: cannot read size of list, error %d
check_drivers_reinit: cannot alloc %X bytes
check_drivers_reinit: cannot read list, error %d, ntstatus %X
check_drivers_reinit: cannot read list, error %d
[%d] Drv %p %s routine %p %s
read_shutdown_notificators: cannot read size of %s, error %d, status %X
read_shutdown_notificators: cannot read size of %s, error %d
read_shutdown_notificators: cannot alloc %X bytes
read_shutdown_notificators: cannot read %s, error %d, ntstatus %X
read_shutdown_notificators: cannot read %s, error %d
[%d] DevObj %p Drv %p (addr %p) %s
[%d] DevObj %p Drv %p %s
MailSlot: %S, server %d (%S)
MailSlot: %S, server %d
NamedPipe: %S, server %d (%S)
NamedPipe: %S, server %d
Flags: %X, server %d (%S)
Flags: %X, creator %d, server %d
Flags: %X, server %d
Endpoints: %d
Endpoint %S PID %d (%S):
Endpoint %S:
RPC controls: %d
%S: %S
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d
Cannot load kernel %s
Unknown scheduler: ReadySummary %X DispatcherReadyListHead %X
Unknown scheduler: ReadySummary %X DeferredReadyListHead %X
Unknown scheduler: ReadySummary %X
Readed %d threads, total %d
Thread %p ProcID %X ThreadID %X Win32Thread %p %s
Thread %p ProcID %X ThreadID %X Priority %d Win32Thread %p
Thread %p ProcID %X ThreadID %X %s
Thread %p ProcID %X ThreadID %X Priority %d
reading count of threads on processor %d failed, error %X
%d threads
reading of threads on processor %d failed, error %X
Scheduler index %d
reading count of threads failed, error %X
reading of threads failed, error %X
Cannot find ETHREAD.ServiceTable
Unknown version of ETHREAD, offset %X
Cannot alloc %X bytes for ProcessesAndThreadsInformation
Cannot realloc %X bytes for ProcessesAndThreadsInformation
ProcessesAndThreadsInformation failed, error %X
read_sdt for threadID %X failed, error %d, status %X
read_sdt for threadID %X failed, error %d
ProcessID %X (%S) ThreadID %X SDT %p %s
ProcessID %X ThreadID %X SDT %p %s
read_thread_token for threadID %X failed, error %d, status %X
read_thread_token for threadID %X failed, error %d
ProcessID %X (%S) ThreadID %X token %p ImpersonationLevel %d
ProcessID %X ThreadID %X token %p ImpersonationLevel %d
Cannot detect ETHREAD.StartAddress
Unknown kernel %s, StartAddress %X, IrpList %X, StackLimit %X, StackBase %X
Unknown kernel %s, StartAddress %X, StackLimit %X, StackBase %X
Unknown kernel %s, StartAddress %X, IrpList %X
Unknown kernel %s, StartAddress %X
Cannot read count of system threads, ntstatus %X
Cannot alloc %d bytes
Cannot read system threads, ntstatus %X
%d System Threads
Thread %p Start %p %c stack %p limit %p %s
read IPSec status failed, error %d, status %X
read IPSec status failed, error %d
IPSec status %X
IPSecHandler: %p %s
IPSecQueryStatus: %p %s
IPSecSendCmplt: %p %s
IPSecNdisStatus: %p %s
IPSecRcvFWPacket: %p %s
check_tdi_pnp_clnts: cannot read size of clnts list, error %d, ntstatus %X
check_tdi_pnp_clnts: cannot read size of clnts list, error %d
check_tdi_pnp_clnts: cannot alloc %X bytes
check_tdi_pnp_clnts: cannot read clnts list, error %d, ntstatus %X
check_tdi_pnp_clnts: cannot read clnts list, error %d
TDI PnP clients: %d (readed %d)
[%d]: version %X %S
PnPPowerHandler: %p %s
BindHandler: %p %s
UnBindHandler: %p %s
AddAddressHandler: %p %s
DelAddressHandler: %p %s
Microsoft-Windows-Windows Firewall With Advanced Security
Microsoft-Windows-Kernel-Boot
Microsoft-Windows-EQoS
Microsoft-Windows-XWizards
ASP.NET Events
Microsoft-Windows-UIRibbon
Microsoft-Windows-WPD-CompositeClassDriver
Microsoft-Windows-Wired-AutoConfig
Microsoft-Windows-PrintService
Microsoft-Windows-ApplicationExperience-LookupServiceTrigger
Microsoft-Windows-IDCRL
Microsoft-Windows-MPS-DRV
Microsoft-Windows-P2P-Mesh
Microsoft-Windows-TabletPC-MathRecognizer
Microsoft-Windows-Spell-Checking
Microsoft-Windows-Fax
Microsoft-Windows-GroupPolicy
Microsoft-Windows-Crashdump
Microsoft-Windows-PrintSpooler
Microsoft-Windows-LanguagePackSetup
Microsoft-Windows-OneX
Microsoft-Windows-OfflineFiles-CscApi
Microsoft-Windows-ADSI
Microsoft-Windows-Dhcp-Client
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Microsoft-Windows-NlaSvc
Microsoft-Windows-Diagnosis-MSDE
Microsoft-Windows-SpoolerWin32SPL
Microsoft-Windows-SPB-ClassExtension
Microsoft-Windows-Kernel-Memory
Microsoft-Windows-Application Server-Applications
Microsoft-Windows-MUI
Microsoft-Windows-P2P-Collab
Microsoft-Windows-Security-Netlogon
Microsoft-Windows-SQM-Events
Microsoft-Windows-USB-USBPORT
Microsoft-Windows-SendTo
Microsoft-Windows-AIT
Microsoft-Windows-P2P-CRP
PrintFilterPipelineSvc_ObjectsGuid
Microsoft-Windows-IME-JPPRED
Microsoft-Windows-WMP
Microsoft-Windows-Eqos-SQM-Provider
MSDADIAG.ETW
Microsoft-Windows-Processor-Aggregator
Microsoft-Windows-ErrorReportingConsole
Microsoft-Windows-SmartCard-TPM-VCard-Module
Microsoft-Windows-User Profiles Service
Microsoft-Windows-Crypto-CNG
Microsoft-Windows-LinkLayerDiscoveryProtocol
Microsoft-Windows-TaskbarCPL
Microsoft-Windows-Networking-Correlation
Microsoft-Windows-RestartManager
Microsoft-Windows-WMPDMCCore
Microsoft-Windows-TCPIP
Microsoft-Windows-MSDTC
Microsoft-Windows-Resources-MrmBc
Microsoft-Windows-Time-Service
Microsoft-Windows-HomeGroup-ProviderService
Microsoft-Windows-DriverFrameworks-UserMode
Microsoft-Windows-Runtime-Networking
Microsoft-Windows-Network-Connection-Broker
Microsoft-Windows-Shell-AppWizCpl
Microsoft-Windows-PDC
Microsoft-Windows-Biometrics
Microsoft-Windows-IME-SCDICCOMPILER
Microsoft-Windows-Wininit
Microsoft-Windows-Dwm-Dwm
Microsoft-Windows-Photo-Image-Codec
Microsoft-Windows-TaskScheduler
Microsoft-Windows-osk
Microsoft-Windows-Kernel-PowerTrigger
Microsoft-Windows-EventLog-WMIProvider
Microsoft-Windows-IME-OEDCompiler
Microsoft-Windows-WER-SystemErrorReporting
Microsoft-Windows-Deplorch
Microsoft-Windows-SPB-HIDI2C
Microsoft-Windows-UxTheme
Microsoft-Windows-BfeTriggerProvider
Microsoft-Windows-Media-Streaming
Microsoft-Windows-Remotefs-UTProvider
Microsoft-Windows-Ntfs-SQM
Microsoft-Windows-User-PnP
Microsoft-Windows-AltTab
Microsoft-Windows-Kernel-StoreMgr
Microsoft-Windows-WindowsColorSystem
Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport
Microsoft-Windows-MSMPEG2ADEC
Microsoft-Windows-TerminalServices-PnPDevices
Microsoft-Windows-GettingStarted
Microsoft-Windows-Narrator
Windows Wininit Trace
Microsoft-Windows-FileHistory-UI
Microsoft-Windows-MediaFoundation-PlayAPI
Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Microsoft-Windows-BitLocker-Driver-Performance
Microsoft-Windows-PerfProc
Microsoft-Windows-Resource-Leak-Diagnostic
Microsoft-Windows-WebServices
Microsoft-Windows-FileHistory-Service
Microsoft-Windows-MediaEngine
Microsoft-Windows-StartupRepair
Microsoft-Windows-Security-IdentityStore
Microsoft-Windows-IME-SCSetting
Microsoft-Windows-FileHistory-EventListener
Microsoft-Windows-Program-Compatibility-Assistant
Microsoft-Windows-DesktopActivityModerator
Microsoft-Windows-MemoryDiagnostics-Schedule
Microsoft-Windows-FileHistory-Engine
Microsoft-Windows-PerfDisk
Microsoft-Windows-OOBE-Machine-Core
Microsoft-Windows-WLAN-AutoConfig
Microsoft-Windows-FileHistory-ConfigManager
Microsoft-Windows-Search-ProfileNotify
Microsoft-Windows-PerfCtrs
UMPass Driver Trace
Microsoft-Windows-FileHistory-Catalog
Microsoft-Windows-WlanDlg
Microsoft-Windows-CDROM
Microsoft-Windows-Crypto-NCrypt
Certificate Services Client CredentialRoaming Trace
Microsoft-Windows-CredUI
Windows Firewall Service
Microsoft-Windows-FileHistory-Core
Microsoft-Windows-Direct3D11
Microsoft-Windows-DirectoryServices-Deployment
Microsoft-Windows-All-User-Install-Agent
Microsoft-Windows-Kernel-Licensing-StartServiceTrigger
Microsoft-Windows-ServerManager-ManagementProvider
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider
Microsoft-Windows-IIS-W3SVC-WP
Microsoft-Windows-TerminalServices-MediaRedirection-DShow
Microsoft-Windows-Rdms-UI
Microsoft-Windows-Feedback-Service-TriggerProvider
Microsoft-Windows-Eventlog
Microsoft-Windows-CodeIntegrity
Microsoft-Windows-WPDClassInstaller
Microsoft-Windows-NetworkAccessProtection
Microsoft-Windows-UIAutomationCore
Microsoft-Windows-StartLmhosts
Microsoft-Windows-IME-Broker
Microsoft-Windows-Kernel-Process
Microsoft-Windows-CertificateServicesClient
Microsoft-Windows-AppXDeployment
Microsoft-Windows-Shell-Core
Microsoft-Windows-Anytime-Upgrade
Microsoft-Windows-PCI
Microsoft-Windows-WPD-MTPBT
Microsoft-Windows-CertificationAuthorityClient-CertCli
Microsoft-Windows-Srv2
Microsoft-Windows-TunnelDriver-SQM-Provider
Microsoft-Windows-Security-Licensing-SLC
Microsoft-Windows-ATAPort
Microsoft-Windows-Recovery
Microsoft-Windows-GenericRoaming
Microsoft-Windows-Sdbus-SQM
Microsoft-Windows-DirectComposition
Microsoft-Windows-P2PIMSvc
Microsoft-Windows-WCN-Config-Registrar
Microsoft-Windows-WPD-API
Microsoft-Windows-P2P-PNRP
Microsoft-Windows-DeviceUx
Windows Mobile Performance Hooks
Microsoft-Windows-ProcessStateManager
Windows Connect Now
Microsoft-Windows-Networking-RealTimeCommunication
Microsoft-Windows-EventSystem
Microsoft-Windows-Spaceport
Windows Mobile Remote API
Microsoft-Windows-Dhcp-Nap-Enforcement-Client
Microsoft-Windows-WinNat
Windows Mobile AirSync Engine 2
Microsoft-Windows-WCN-Config-Registrar-Secure
Windows Mobile AirSync Engine 1
Microsoft-Windows-Security-Kerberos
Windows Mobile ActiveSync Engine
Microsoft-Windows-WSC-SRV
Microsoft-Windows-Eventlog-ForwardPlugin
Windows Mobile Serial Connectivity
Microsoft-Windows-TerminalServices-SessionBroker-Client
Microsoft-Windows-WMPNSS-PublicAPI
Windows Mobile Desktop Passthrough
Microsoft-Windows-RPC-Events
Microsoft-Windows-LanguageProfile
Microsoft-Windows-Anytime-Upgrade-Events
Microsoft-Windows-Management-UI
Microsoft-Windows-SMBClient
Microsoft-Windows-TerminalServices-RdpSoundDriver
Microsoft-Windows-Dwm-Api
Microsoft-Windows-QoS-qWAVE
Microsoft-Windows-Kernel-Tm-Trigger
Microsoft-Windows-IPNAT
Microsoft-Windows-NetworkBridge
Microsoft-Windows-MPS-CLNT
Microsoft-Windows-Diagnosis-Scheduled
Microsoft-Windows-WMPNSS-Service
Microsoft-Windows-DxpTaskRingtone
Microsoft-Windows-Kernel-AppCompat
Microsoft-Windows-TimeBroker
Microsoft-Windows-DeviceConfidence
Microsoft-Windows-Shell-Shwebsvc
Microsoft-Windows-Diagnostics-Performance
Windows NetworkMap Trace
Microsoft-Windows-TerminalServices-Printers
Microsoft-Windows-AppLocker
Microsoft-Windows-Audio
Microsoft-Windows-LLTD-MapperIO
Microsoft-Windows-HotspotAuth
Microsoft-Windows-Firewall-CPL
Microsoft-Windows-Kernel-IoTrace
Microsoft-Windows-Perflib
Microsoft-Windows-BootUX
Microsoft-Windows-WMPDMCUI
Microsoft-Windows-Disk
Microsoft-Windows-IME-JPLMP
Microsoft-Windows-Security-SPP-UX-Notifications
Microsoft-Windows-TerminalServices-ClientActiveXCore
Microsoft-Windows-IIS-IISReset
Microsoft-Windows-WindowsUIImmersive
Windows Firewall Control Panel
Microsoft-Windows-DeviceSetupManager
Microsoft-Windows-EnrollmentPolicyWebService
Microsoft-Windows-IME-Roaming
Microsoft-Windows-SetupQueue
Microsoft-Windows-SmartCard-Audit
Microsoft-Windows-Servicing
Microsoft-Windows-ACL-UI
Microsoft-Windows-WWAN-CFE
Microsoft-Windows-FCRegSvc
Microsoft-Windows-IIS-IisMetabaseAudit
Microsoft-Windows-Kernel-WDI
Microsoft-Windows-TabletPC-MathInput
Microsoft-Windows-Kernel-General
Windows Media Player Trace
Microsoft-Windows-DxpTaskDLNA
Microsoft-Windows-User Profiles General
Microsoft-Windows-Kernel-WSService-StartServiceTrigger
Microsoft-Windows-WebAuth
Microsoft-Windows-API-Tracing
Microsoft-Windows-FunctionDiscovery
Microsoft-Windows-StickyNotes
Microsoft-Windows-WCN-WscEapPeer-Trace
Microsoft-Windows-QoS-WMI-Diag
Microsoft-Windows-NetworkProvisioning
Microsoft-Windows-Network-DataUsage
Microsoft-Windows-AppSruProv
Microsoft-Windows-WebcamExperience
Microsoft-Windows-EaseOfAccess
Microsoft-Windows-Spellchecking-Host
Microsoft-Windows-IME-CandidateUI
Microsoft-Windows-TPM-WMI
Microsoft-Windows-Security-SPP
Microsoft-Windows-DirectShow-KernelSupport
Microsoft-Windows-Diagnosis-AdvancedTaskManager
Microsoft-Windows-ThemeCPL
Windows Mobile Co-installer
Microsoft-Windows-MPRMSG
Microsoft-Windows-EnhancedStorage-EhStorCertDrv
Microsoft-Windows-NdisImPlatformEventProvider
Microsoft-Windows-FunctionDiscoveryHost
Microsoft-Windows-MediaFoundation-MSVideoDSP
Microsoft-Windows-IME-JPTIP
Windows Kernel Trace
Microsoft-SQLServerDataTools
Microsoft-Windows-ASN1
Microsoft-Windows-Crypto-BCrypt
Microsoft-Windows-HealthCenterCPL
Microsoft-Windows-XAML
Microsoft-Windows-PDFReader
Microsoft-Windows-TerminalServices-ServerUSBDevices
Microsoft-Windows-WWAN-SVC-EVENTS
Microsoft-Windows-Search-ProtocolHandlers
Microsoft-Windows-IdCtrls
Microsoft-Windows-User-ControlPanel
Microsoft-Windows-Runtime-Media
Microsoft-Windows-CAPI2
Windows Mobile Sync Handlers
Microsoft-Windows-PowerCfg
Microsoft-Windows-SrumTelemetry
Microsoft-Windows-Base-Filtering-Engine-Connections
Microsoft-Windows-Sidebar
Microsoft-Windows-NDF-HelperClassDiscovery
Microsoft-Windows-PerfNet
Microsoft-Windows-PortableDeviceStatusProvider
Microsoft-Windows-TabletPC-Platform-Manipulations
Microsoft-Windows-Subsys-SMSS
Microsoft-Windows-LDAP-Client
Microsoft-Windows-Security-SPP-UX-GC
Microsoft-Windows-Media Center Extender
Microsoft-Windows-DiskDiagnostic
Microsoft-Windows-TSF-msutb
Microsoft-Windows-Reliability-Analysis-Agent
{B6501BA0-C61A-C4E6-6FA2-A4E7F8C8E7A0}
Microsoft-Windows-Kernel-Processor-Power
Microsoft-Windows-NCSI
Microsoft-Windows-NetworkConnectivityStatus
Microsoft-Windows-wmvdecod
Microsoft-Windows-ServiceTriggerPerfEventProvider
Microsoft-Windows-Service Pack Installer
Microsoft-Windows-Bluetooth-HidGatt
Microsoft-Windows-TabletPC-Platform-Input-Ninput
Microsoft-Windows-Tcpip-SQM-Provider
Microsoft-Windows-MPS-SRV
Microsoft-Windows-KnownFolders
Microsoft-Windows-NAPIPSecEnf
Microsoft-Windows-EnrollmentWebService
Microsoft-Windows-Deduplication-Change
Microsoft-Windows-OfflineFiles-CscFastSync
Microsoft-Windows-UxInit
Microsoft-Windows-BranchCacheClientEventProvider
Microsoft-Windows-Forwarding
Microsoft-Windows-RPC-Proxy-LBS
Microsoft-Windows-Kernel-Disk
Microsoft-Windows-TriggerEmulatorProvider
Microsoft-Windows-SystemHealthAgent
Microsoft-Windows-Memory-Diagnostic-Task-Handler
Microsoft-Windows-Winsock-WS2HELP
Microsoft-Windows-ThemeUI
Microsoft-Windows-TerminalServices-MediaRedirection
Microsoft-Windows-TerminalServices-ClientUSBDevices
Microsoft-Windows-TabletPC-CoreInkRecognition
Microsoft-Windows-COM
Microsoft-Windows-PnPMgrTriggerProvider
Microsoft-Windows-LoadPerf
Microsoft-Windows-System-Restore
Microsoft-Windows-UserAccountControl
Microsoft-Windows-Services-Svchost
Microsoft-Windows-PushNotifications-Developer
Microsoft-Windows-LiveId
Microsoft-Windows-Security-SPP-UX
Microsoft-Windows-VAN
Microsoft-Windows-FirstUX-PerfInstrumentation
Microsoft-Windows-Kernel-Tm
Microsoft-Windows-Kernel-ShimEngine
Microsoft-Windows-EapHost
Microsoft-Windows-CertPolEng
Microsoft-Windows-MsLbfoEventProvider
Microsoft-Windows-Complus
Microsoft-Windows-EFS
Microsoft-Windows-WwaHost
Microsoft-Windows-ServerManager
Microsoft-Windows-ComDlg32
Microsoft-Windows-MP4SDECD
Microsoft-Windows-PeopleNearMe
Microsoft-Windows-SmartCard-Bluetooth-Profile
Microsoft-Windows-TZUtil
Microsoft-Windows-ApplicationExperience-SwitchBack
Microsoft-Windows-UI-Input-Inking
Microsoft-Windows-VDRVROOT
Windows Firewall NetShell Plugin
Windows Firewall API
Microsoft-Windows-Kernel-Acpi
Microsoft-Windows-WinRM
Microsoft-Windows-Direct3D10_1
Microsoft-Windows-Kernel-LicensingSqm
Microsoft-Windows-SpoolerSpoolss
Microsoft-Windows-FilterManager
Microsoft-Windows-ActionQueue
Microsoft-Windows-IME-KRAPI
Microsoft-Windows-Resource-Exhaustion-Detector
Microsoft-Windows-ApplicationExperienceInfrastructure
Microsoft-Windows-StorSqm
Microsoft-Windows-Search
Microsoft-Windows-HttpEvent
Microsoft-Windows-AxInstallService
Microsoft-Windows-Diagnosis-PerfHost
Microsoft-Windows-International
Microsoft-Windows-CertificateServicesClient-CredentialRoaming
Microsoft-Windows-SoftwareRestrictionPolicies
Microsoft-Windows-Windows Defender
Microsoft-Windows-ShareMedia-ControlPanel
Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Microsoft-Windows-WPD-MTPUS
Microsoft-Windows-DirectWrite
Microsoft-Windows-RPCSS
Microsoft-Windows-DeviceSync
Microsoft-Windows-NcdAutoSetup
Microsoft-Windows-Diagnosis-PCW
Microsoft-Windows-DistributedCOM
ATA Port Driver Tracing Provider
Microsoft-Windows-WebdavClient-LookupServiceTrigger
Microsoft-Windows-USB-USBXHCI
Microsoft-Windows-Diagnosis-PLA
Microsoft-Windows-WlanConn
Microsoft-Windows-Winlogon
Microsoft-Windows-stobject
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter
Microsoft-Windows-D3D10Level9
Microsoft-Windows-WAS-ListenerAdapter
Microsoft-Windows-ServerManager-MultiMachine
Microsoft-Windows-AppxPackagingOM
Microsoft-Windows-PushNotifications-Platform
Microsoft-Windows-OOBE-Machine-Plugins-Wireless
Microsoft-Windows-IME-JPAPI
SBP2 Port Driver Tracing Provider
Microsoft-Windows-BranchCacheEventProvider
Microsoft-Windows-Immersive-Shell-API
Microsoft-Windows-ntshrui
Microsoft-Windows-KPSSVC
Microsoft-Windows-BitLocker-DrivePreparationTool
Microsoft-Windows-EapMethods-Sim
Microsoft-Windows-Shell-ZipFolder
Microsoft-Windows-Search-Core
Microsoft-Windows-OfflineFiles-CscNetApi
Microsoft-Windows-Diagnosis-WDI
Microsoft-Windows-PortableDeviceSyncProvider
Microsoft-Windows-Diagnostics-PerfTrack-Counters
Microsoft-Windows-Speech-TTS
Microsoft-Windows-Component-Resources-MrmCore-Events
Microsoft-Windows-BranchCache
Microsoft-Windows-SystemEventsBroker
Microsoft-Windows-VolumeControl
Microsoft-Windows-Win32k
Microsoft-Windows-Kernel-WHEA
Microsoft-Windows-P2P-Meetings
Microsoft-Windows-Diagnosis-WDC
Microsoft-Windows-Serial-ClassExtension
Microsoft-Windows-KPSSVC-WPP
Microsoft-Windows-CertificateServices-Deployment
Microsoft-Windows-PerfOS
Microsoft-Windows-ResetEng
Microsoft-Windows-Runtime-Graphics
Microsoft-Windows-IPSEC-SRV
Microsoft-Windows-CorruptedFileRecovery-Server
Windows Mobile Bluetooth Connectivity
Microsoft-Windows-DLNA-Namespace
Microsoft-Windows-WLAN-MediaManager
Certificate Services Client Trace
Microsoft-Windows-BranchCacheSMB
Microsoft-Windows-PrintService-USBMon
Microsoft-Windows-OOBE-Machine
Microsoft-Windows-DXP
Microsoft-Windows-Immersive-Shell
Microsoft-Windows-OOBE-Machine-Plugins
Microsoft-Windows-Reliability-Analysis-Engine
Microsoft-Windows-Application-Experience
Microsoft-Windows-KdsSvc
Microsoft-Windows-MediaFoundation-Platform
Microsoft-Windows-Security-Configuration-Wizard
Microsoft-Windows-DisplayColorCalibration
Windows Mobile Device Center Base
Microsoft-Windows-WPD-MTPClassDriver
Microsoft-Windows-DNS-Client
Microsoft-Windows-MSDTC Client
Microsoft-Windows-NDIS-PacketCapture
Windows Remote Management Trace
Microsoft-Windows-MSPaint
Microsoft-Windows-HomeGroup-ListenerService
Microsoft-Windows-Sensor-Service-Trigger
Microsoft-Windows-EapMethods-Ttls
Microsoft-Windows-Remotefs-Smb
Microsoft-Windows-SMBWitnessClient
Microsoft-Windows-USB-USBHUB
Microsoft-Windows-DirectWrite-FontCache
Microsoft-Windows-WindowsBackup
Microsoft-Windows-NWiFi
Microsoft-Windows-WER-Diag
Microsoft-Windows-UAC
Microsoft-Windows-LUA
Microsoft-Windows-AppID
Microsoft-Windows-IIS-WMSVC
Microsoft-Windows-Shell-OpenWith
Microsoft-Windows-MediaFoundation-MFReadWrite
Microsoft-Windows-BrokerInfrastructure
Microsoft-Windows-Fault-Tolerant-Heap
Microsoft-Windows-Shell-DefaultPrograms
Microsoft-Windows-Dism-Cli
Microsoft-Windows-SMBDirect
Microsoft-Windows-IME-SCTIP
Microsoft-Windows-EnergyEfficiencyWizard
Microsoft-Windows-ParentalControls
Microsoft-Windows-Smartcard-Server
Microsoft-Windows-FMS
Microsoft-Windows-Devices-Location
Microsoft-Windows-LLTD-Responder
Microsoft-Windows-MsLbfoSysEvtProvider
sqlos
Microsoft-Windows-TerminalServices-RemoteConnectionManager
Microsoft-Windows-SCPNP
Microsoft-Windows-Wordpad
WMI_Tracing_Client_Operations
Microsoft-Windows-Security-Audit-Configuration-Client
Microsoft-Windows-EFSADU
Windows Notification Facility Provider
Microsoft-Windows-DiagCpl
Windows NetworkItemFactory Trace
Microsoft-Windows-ApplicationExperience-Cache
Microsoft-Windows-ResourcePublication
Microsoft-Windows-FailoverClustering-Client
Microsoft-Windows-Runtime-Networking-BackgroundTransfer
Microsoft-Windows-AppHost
Microsoft-Windows-NetAdapterCim-Diag
Microsoft-Windows-IIS-FTP
Microsoft-Windows-Iphlpsvc
Microsoft-Windows-WinINet
Microsoft-Windows-TabletPC-InputPersonalization
Microsoft-Windows-SpoolerFilterPipelineSVC
Microsoft-Windows-Globalization
Microsoft-Windows-Bits-Client
Microsoft-Windows-WFP
Microsoft-Windows-Services
Microsoft-Windows-IdleTriggerProvider
Microsoft-Windows-DxgKrnl
Microsoft-Windows-HealthCenter
Microsoft-Windows-OtpCredentialProviderEvt
Microsoft-Windows-MemoryDiagnostics-Results
Microsoft-Windows-Ncasvc
Microsoft-Windows-SystemSettings
Microsoft-Windows-PDH
Microsoft-Windows-WMPNSSUI
Microsoft-Windows-BdeTriggerProvider
Microsoft-Windows-Diagnostics-PerfTrack
Microsoft-Windows-IIS-APPHOSTSVC
Microsoft-Windows-CoreWindow
Microsoft-Windows-Help
Microsoft-Windows-WindowsUpdateClient
Microsoft-Windows-IIS-W3SVC-PerfCounters
Microsoft-Windows-WMI
Microsoft-Windows-TabletPC-Platform-Input-Wisp
Microsoft-Windows-ProcessExitMonitor
Microsoft-Windows-IME-JPSetting
Microsoft-Windows-Diagnosis-Scripted
Microsoft-Windows-GroupPolicyTriggerProvider
File Kernel Trace; Operation Set 2
Microsoft-Windows-IIS-Configuration
Microsoft-Windows-Diagnosis-TaskManager
Microsoft-Windows-Diagnosis-DPS
Microsoft-Windows-UserPnp
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging
Microsoft-Windows-Schannel-Events
NetJoin
Microsoft-Windows-TabletPC-InputPanel
Microsoft-Windows-FileServices-ServerManager-EventProvider
Microsoft-Windows-MediaFoundation-Performance
Microsoft-Windows-EndpointTriggerProvider
Microsoft-Windows-IME-KRTIP
Microsoft-Windows-Mobile-Broadband-Experience-SmsApi
Microsoft-Windows-Hyper-V-Netvsc
Microsoft-Windows-DirectSound
Microsoft-Windows-TabletPC-Platform-Input-Core
Microsoft-Windows-PushNotifications-InProc
Microsoft-Windows-Kernel-Network
Microsoft-Windows-DiskDiagnosticResolver
Microsoft-Windows-NdisImPlatformSysEvtProvider
Microsoft-Windows-MeetingSpace
Microsoft-Windows-Base-Filtering-Engine-Resource-Flows
Microsoft-Windows-RasServer
Microsoft-Windows-VHDMP
Microsoft-Windows-WindowsSystemAssessmentTool
Microsoft-Windows-DCLocator
Microsoft-Windows-Diagnosis-MSDT
Microsoft-Windows-WLGPA
SQLSRV32.1
Microsoft-Windows-CertificateServicesClient-CertEnroll
Microsoft-Windows-IME-TCCORE
Microsoft-Windows-SmartCard-Bluetooth-Transport
Microsoft-Windows-WMVENCOD
Microsoft-Windows-mobsync
Microsoft-Windows-EFSTriggerProvider
Microsoft-Windows-DUSER
Microsoft-Windows-DiskDiagnosticDataCollector
Microsoft-Windows-DirectAccess-MediaManager
Microsoft-Windows-DisplaySwitch
Microsoft-Windows-PackageStateRoaming
Microsoft-Windows-Crypto-DPAPI
Microsoft-Windows-IME-CustomerFeedbackManagerUI
sqlserver
Microsoft-Windows-User-Loader
Microsoft-Windows-NetworkProfileTriggerProvider
Microsoft-Windows-NetworkProfile
Windows Firewall API - GP
Microsoft-Windows-CmiSetup
Microsoft-Windows-Sysprep
Microsoft-Windows-Windeploy
Microsoft-Windows-Setup
Microsoft-Windows-OobeLdr
Microsoft-Windows-SetupUGC
Microsoft-Windows-Audit
Microsoft-Windows-SetupCl
Microsoft-Windows-Winsrv
Microsoft-Windows-WinHttp
Microsoft-Windows-RadioManager
Microsoft-Windows-Websocket-Protocol-Component
Microsoft-Windows-WebIO
Microsoft-Windows-Dwm-Core
Microsoft-Windows-Registry-SQM-Provider
Microsoft-Windows-WHEA-Logger
Microsoft-Windows-PeerToPeerDrtEventProvider
Microsoft-Windows-BitLocker-Driver
Microsoft-Windows-SettingSync
Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal
Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
Microsoft-Windows-PowerShell
Microsoft-Windows-DirectShow-Core
Microsoft-Windows-Kernel-Power
Microsoft-Windows-msmpeg2venc
Microsoft-Windows-MPEG2_DLNA-Encoder
Microsoft-Windows-Remote-FileSystem-Log
Microsoft-Windows-Kernel-PnP
Microsoft-Windows-AppXDeployment-Server
Microsoft-Windows-Folder Redirection
Microsoft-Windows-OfflineFiles-CscUM
Microsoft-Windows-ServerManager-DeploymentProvider
Microsoft-Windows-ServiceReportingApi
Microsoft-Windows-StorDiag
Microsoft-Windows-IME-CustomerFeedbackManager
Microsoft-Windows-Kernel-EventTracing
Microsoft-Windows-Kernel-BootDiagnostics
Microsoft-Windows-DXGI
Microsoft-Windows-Build-RegDll
Microsoft-Windows-PNRPSvc
Microsoft-Windows-Ndu
Microsoft-Windows-Firewall
Microsoft-Windows-Wcmsvc
Microsoft-Windows-OLEACC
Microsoft-Windows-MSDTC Client 2
Microsoft-Windows-InputSwitch
Microsoft-Windows-Runtime-WebAPI
Microsoft-Windows-HAL
Microsoft-Windows-International-RegionalOptionsControlPanel
Microsoft-Windows-RPC
Microsoft-Windows-MFH264Enc
Microsoft-Windows-SharedAccess_NAT
Microsoft-Windows-DeviceAssociationService
Microsoft-Windows-Bluetooth-MTPEnum
Microsoft-Windows-BitLocker-API
{C5BFFE2E-9D87-D568-A09E-08FC83D0C7C2}
Microsoft-Windows-IPMIProvider
Microsoft-Windows-IME-TIP
Microsoft-Windows-WindowsToGo-StartupOptions
Microsoft-Windows-Backup
Microsoft-Windows-WMP-MediaDeliveryEngine
Microsoft-Windows-PrintBRM
Microsoft-Windows-ServerManager-ConfigureSMRemoting
Microsoft-Windows-Video-For-Windows
Microsoft-Windows-ClearTypeTextTuner
Microsoft-Windows-Subsys-Csr
Microsoft-Windows-USB-UCX
Microsoft-Windows-RemoteApp and Desktop Connections
Windows Winlogon Trace
Microsoft-Windows-RasSstp
Microsoft-Windows-UAC-FileVirtualization
Microsoft-Windows-ClassicSruMon
Microsoft-Windows-Security-IdentityListener
Microsoft-Windows-WWAN-MM-EVENTS
Microsoft-Windows-MsiServer
Microsoft-Windows-PhotoAcq
Microsoft-Windows-Power-Troubleshooter
Microsoft-Windows-DxpTaskSyncProvider
Microsoft-Windows-Remotefs-Rdbss
Microsoft-Windows-AppIDServiceTrigger
Microsoft-Windows-Kernel-File
Microsoft-Windows-TSF-msctf
Microsoft-Windows-PowerCpl
Microsoft-Windows-LanGPA
Microsoft-Windows-WWAN-MediaManager
Microsoft-Windows-PrimaryNetworkIcon
Microsoft-Windows-OfflineFiles
Microsoft-Windows-UIAnimation
Microsoft-Windows-Security-Auditing
Microsoft-Windows-WCN-Config-Registrar-Wizard-Trace
Microsoft-Windows-WWAN-NDISUIO-EVENTS
Microsoft-Windows-NetworkManagerTriggerProvider
Microsoft-Windows-Winsock-AFD
Microsoft-Windows-Remote-FileSystem-Monitor
Microsoft-Windows-WABSyncProvider
.NET Common Language Runtime
Microsoft-Windows-MSMPEG2VDEC
Microsoft-Windows-DateTimeControlPanel
Windows Firewall Driver
Microsoft-Windows-IIS-W3SVC
Microsoft-Windows-WWAN-UI-EVENTS
Microsoft-Windows-Speech-UserExperience
Microsoft-Windows-Dism-Api
Microsoft-Windows-Store-Client-UI
Microsoft-Windows-Calculator
Microsoft-Windows-Shell-ConnectedAccountState
Microsoft-Windows-PrintDialogs
Microsoft-Windows-Network-and-Sharing-Center
Microsoft-Windows-Crypto-RNG
Microsoft-Windows-MSDTC 2
Microsoft-Windows-SpellChecker
Microsoft-Windows-propsys
Microsoft-Windows-WPD-MTPIP
Microsoft-Windows-Documents
Microsoft-Windows-StorPort
Microsoft-Windows-Magnification
Microsoft-Windows-Shell-AuthUI
Microsoft-Windows-Dwm-Redir
Microsoft-Windows-BTH-BTHUSB
Microsoft-Windows-Ntfs
Microsoft-Windows-Sens
Microsoft-Windows-UserAccessLogging
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Microsoft-Windows-COM-Perf
Microsoft-Windows-StorageSpaces-BackgroundAgent
Microsoft-Windows-Kernel-Prefetch
Portable Device Connectivity API Trace
Microsoft-Windows-RemoteAssistance
Microsoft-Windows-MF
Microsoft-Windows-MediaFoundation-MSVProc
Microsoft-Windows-TBS
Microsoft-Windows-FeedbackTool
Microsoft-Windows-WlanPref
Microsoft-Windows-OfflineFiles-CscDclUser
Microsoft-Windows-Http-SQM-Provider
Microsoft-Windows-Wireless-Network-Setup-Wizard-Trace
Microsoft-Windows-MCT
Microsoft-Windows-HotStart
Microsoft-Windows-Diagnostics-Networking
Microsoft-Windows-Sensors
Microsoft-Windows-SmbServer
Microsoft-Windows-USB-USBHUB3
Microsoft-Windows-Dot3MM
Microsoft-Windows-KernelStreaming
Microsoft-Windows-Mobile-Broadband-Experience-Api
Microsoft-Windows-VolumeSnapshot-Driver
Microsoft-Windows-MobilityCenter
Microsoft-Windows-OfflineFiles-CscService
Microsoft-Windows-Superfetch
Microsoft-Windows-IPBusEnum
Microsoft-Windows-Mprddm
Microsoft-Windows-Dwm-Udwm
Microsoft-Windows-AppModel-State
Microsoft-Windows-WCN-FD-Provider-Trace
Microsoft-Windows-Resource-Exhaustion-Resolver
Microsoft-Windows-Iphlpsvc-Trace
Microsoft-Windows-WUSA
Microsoft-Windows-TerminalServices-LocalSessionManager
Microsoft-Windows-RPC-FirewallManager
Microsoft-Windows-WCN-Common-Trace
Microsoft-Windows-MediaFoundation-MFCaptureEngine
Microsoft-Windows-ReadyBoostDriver
Microsoft-Windows-DUI
Microsoft-Windows-WMP-Setup_WM
Microsoft-Windows-Direct3D10
Microsoft-Windows-DfsSvc
Microsoft-Windows-IME-SCCORE
Microsoft-Windows-NTLM
Microsoft-Windows-VWiFi
Microsoft-Windows-Kernel-PnPConfig
Microsoft-Windows-Winsock-SQM
Microsoft-Windows-SpoolerSpoolSV
Microsoft-Windows-Netshell
Microsoft-Windows-UserModePowerService
Microsoft-Windows-HttpService
HTTP Service Trace
Microsoft-Windows-D3D9
Microsoft-Windows-AppModel-Runtime
Microsoft-Windows-CEIP
Microsoft-Windows-Directory-Services-SAM
Microsoft-Windows-SpoolerTCPMon
Microsoft-Windows-ReadyBoost
Microsoft-Windows-L2NACP
Microsoft-Windows-LLTD-Mapper
Microsoft-Windows-Deduplication
Microsoft-Windows-HomeGroup-ControlPanel
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task
Microsoft-Windows-DomainJoinManagerTriggerProvider
Microsoft-Windows-SruMon
Microsoft-Windows-ELS-Hyphenation
TCPIP Service Trace
Microsoft-Windows-DriverFrameworks-KernelMode
Microsoft-Windows-CorruptedFileRecovery-Client
Microsoft-Windows-WMI-Activity
Microsoft-Windows-COMRuntime
Microsoft-Windows-WAS
Microsoft-Windows-Wnv
Microsoft-Windows-Shsvcs
Microsoft-Windows-NDIS
Microsoft-Windows-WinMDE
File Kernel Trace; Operation Set 1
Microsoft-Windows-Proximity-Common
Microsoft-Windows-Ntfs-UBPM
Microsoft-Windows-Kernel-Registry
Microsoft-Windows-RemoteDesktopServices-RemoteDesktopSessionManager
Microsoft-Windows-TunnelDriver
Microsoft-Windows-QoS-Pacer
Microsoft-Windows-EventCollector
Microsoft-Windows-OOBE-Machine-DUI
Microsoft-Windows-IME-TCTIP
Microsoft-Windows-WCNWiz
Microsoft-Windows-Display
Microsoft-Windows-OcSetup
Microsoft-Windows-DesktopWindowManager-Diag
Microsoft-Windows-FileInfoMinifilter
Microsoft-Windows-TextPredictionEngine
Microsoft-Windows-NetworkGCW
Microsoft-Windows-DHCPv6-Client
Microsoft-Windows-PlayToManager
NDIS_STATUS_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
NDIS_STATUS_PORT_STATE
MS_Windows_AeLookupServiceTrigger_Provider
Microsoft_Windows_SQM_Provider
MS_Windows_AIT_Provider
NDIS_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
NDIS_TCP_OFFLOAD_CURRENT_CONFIG
PARPORT_WMI_ALLOCATE_FREE_COUNTS_GUID
NDIS_GEN_ENUMERATE_PORTS
GUID_QOS_TC_SUPPORTED
MS1394_PortVendorRegisterAccessGuid
iSCSI_PersistentLoginsGuid
iSCSI_PortalInfoClassGuid
SerailPortPerfGuid
PortClsEvent
UdpIpGuid
TcpIpGuid
iSCSI_OperationsGuid
CTLGUID_usbport
NDIS_STATUS_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
iSCSI_DiscoveryOperationsGuid
SerialPortNameGuid
CTLGUID_WebClntTrace
POINTER_PORT_WMI_STD_DATA_GUID
KEYBOARD_PORT_WMI_STD_DATA_GUID
MSKeyboard_ClassInformationGuid
NDIS_GEN_CO_MEDIA_SUPPORTED
MS_Windows_AeSwitchBack_Provider
SerialPortHWGuid
MS_SM_PortInformationMethods
ataport_CtlGuid
storport_CtlGuid
MS1394_PortDriverInformationGuid
BTHPORT_WMI_HCI_PACKET_INFO
SerialPortCommGuid
iScsiLBOperationsGuid
MS_Windows_AeCache_Provider
NDIS_GEN_PORT_STATE
WindowsBackup TracingControlGuid
WmiMonitorListedSupportedSourceModes_GUID
NDIS_GEN_MEDIA_SUPPORTED
CTLGUID_certprop
BTHPORT_WMI_SDP_SERVER_LOG_INFO
KEYBOARD_PORT_WMI_EXTENDED_ID
iSCSIRedirectPortalGuid
NDIS_GEN_PORT_AUTHENTICATION_PARAMETERS
BTHPORT_WMI_SDP_DATABASE_EVENT
NDIS_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
iSCSI_TCPIPConfigGuid
SerialPortPropertiesGuid
PortCls_IrpProcessing
iSCSI_SecurityConfigOperationsGuid
NDIS_TCP_OFFLOAD_PARAMETERS
PortCls_PowerState
Microsoft_Windows_GameUx
iSCSI_InitiatorLoginStatisticsGuid
MS1394_PortErrorInformationGuid
PortCls_PinState
CTLGUID_PortCls
NDIS_TCP_OFFLOAD_HARDWARE_CAPABILITIES
CTRLGUID_MF_PIPELINE
.PX`i`
`.HBS
&{%UD(_
dump_wmi_guidentries failed, error %d, status %X
dump_wmi_guidentries failed, error %d
dump_wmi_guidentries: cannot alloc %X bytes (total %d)
dump_wmi_guidentries: read failed, error %d, status %X
dump_wmi_guidentries: read failed, error %d
WMI guidentries: total %X readed %X:
[%X] %X flag %X refcnt %X - %s
[%X] %X flag %X refcnt %X %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
dump_wmi_regentries failed, error %d, status %X
dump_wmi_regentries failed, error %d
dump_wmi_regentries: cannot alloc %X bytes (total %d)
dump_wmi_regentries: read failed, error %d, status %X
dump_wmi_regentries: read failed, error %d
WMI regentries: total %X readed %X:
[%X] flags %X refcnt %X dev %p prov %X DS %p %s
[%X] flags %X refcnt %X cb %p prov %X DS %p %s
Etw[%d]:
Type %X Index %X InternalCB %p (%s) %s
Type %X Index %X InternalCB %p %s
Type %X Index %X InternalCB %p (%s) ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Type %X Index %X InternalCB %p ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
dump_Etw: exception occured, code %X
dump_Etws: exception occured, code %X
KPRCB.EtwSupport %p:
KPRCB[%d].EtwSupport %p:
read_kernel_etws count failed, error %d, ntstatus %X
read_kernel_etws count failed, error %d
read_kernel_etws: cannot alloc %X bytes
read_kernel_etws failed, error %d, ntstatus %X
read_kernel_etws failed, error %d
KEtw[%X]:
KEtw[%X]: RefCount %d, KProvider - %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
KEtw[%X]: RefCount %d %s
[%X] %p %s
Type %X InUse %d Index %X InternalCB %p (%s) %s
Type %X InUse %d Index %X InternalCB %p %s
Type %X InUse %d Index %X InternalCB %p (%s) ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Type %X InUse %d Index %X InternalCB %p ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
EtwCallback[%d] %p %s:
EtwCallback[%d]:
EtwTrace[%d] %p Ctx %p %s:
EtwTrace[%d] %p Ctx %p %s - %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Unknown type %d for Etw[%d]
DEVINTERFACE_MT_TRANSPORT
DEVINTERFACE_KEYBOARD
DEVINTERFACE_COMPORT
DEVINTERFACE_VIAMINIPORT
DEVINTERFACE_STORAGEPORT
DEVINTERFACE_IRPORT
check_pnp_notifiers failed, error %d, status %X
check_pnp_notifiers failed, error %d
check_pnp_notifiers: cannot alloc %X bytes (total %d)
check_pnp_notifiers: read failed, error %d, status %X
check_pnp_notifiers: read failed, error %d
Pnp Notifiers: total %d, readed %d
Pnp[%d] %p %s %s addr %p
Pnp[%d] %s %s addr %p %s
check_pnp_handlers failed, error %d, status %X
check_pnp_handlers failed, error %d
PlugPlayHandlerTable: %d items
PlugPlayHandlerTable[%d] %p %s
PlugPlayHandlerTable[%d] %p
check_sess_notify, error %d, status %X
check_sess_notify, error %d
check_sess_notify: cannot alloc %X bytes (total %d)
check_sess_notify: read failed, error %d, status %X
check_sess_notify: read failed, error %d
IopSessionNotifications: %d
SessionNotifier[%d]: class %d len %X session %p cb %p %s
check_sess_term_ntfs failed, error %d, status %X
check_sess_term_ntfs failed, error %d
check_sess_term_ntfs: cannot alloc %X bytes (total %d)
check_sess_term_ntfs: read failed, error %d, status %X
check_sess_term_ntfs: read failed, error %d
LogonSessionTerminatedRoutines: %d
[%d] %p %s
check_fs_changes failed, error %d, status %X
check_fs_changes failed, error %d
check_fs_changes: cannot alloc %X bytes (total %d)
check_fs_changes: read failed, error %d, status %X
check_fs_changes: read failed, error %d
FS Change notifiers: %d (actual %d)
DriverObj %p addr %p %s
Cannot read count for %s, error %d
Count of %s is too big - %X
Cannot read %s table, error %d
Cannot read entry %d from table of %s, error %d
check_vista_cmp_list get count failed, error %d, status %X
check_vista_cmp_list get count failed, error %d
check_vista_cmp_list failed, error %d, status %X
check_vista_cmp_list failed, error %d
check_ai_cbs: cannot read ExpDisQueryAttributeInformation, error %d, ntstatus %X
check_ai_cbs: cannot read ExpDisQueryAttributeInformation, error %d
ExpDisQueryAttributeInformation %p %s
check_ai_cbs: cannot read ExpDisSetAttributeInformation, error %d, ntstatus %X
check_ai_cbs: cannot read ExpDisSetAttributeInformation, error %d
ExpDisSetAttributeInformation %p %s
check_dbgk_lkmd: cannot read DbgkLkmd_cblist, error %d, ntstatus %X
check_dbgk_lkmd: cannot read DbgkLkmd_cblist, error %d
DbgkLkmd[%d] callback %p %s
check_fsrtl: cannot read FltMgrCallbacks, error %d, ntstatus %X
check_fsrtl: cannot read FltMgrCallbacks, error %d
FltMgrCallbacks: %p %s
check_fsrtl: cannot read FsRtlpMupCalls, error %d, ntstatus %X
check_fsrtl: cannot read FsRtlpMupCalls, error %d
FsRtlpMupCalls: %p %s
check_Iof: cannot read pIofCallDriver, error %d, ntstatus %X
check_Iof: cannot read pIofCallDriver, error %d
pIofCallDriver %p patched by %s
check_Iof: cannot read pIofCompleteRequest, error %d, ntstatus %X
check_Iof: cannot read pIofCompleteRequest, error %d
pIofCompleteRequest %p patched by %s
check_Iof: cannot read pIoAllocateIrp, error %d, ntstatus %X
check_Iof: cannot read pIoAllocateIrp, error %d
pIoAllocateIrp %p patched by %s
check_Iof: cannot read pIoFreeIrp, error %d, ntstatus %X
check_Iof: cannot read pIoFreeIrp, error %d
pIoFreeIrp %p patched by %s
check_Iof: cannot read HvlpHypercallCodeVa, error %d, ntstatus %X
check_Iof: cannot read HvlpHypercallCodeVa, error %d
HvlpHypercallCodeVa %p patched by %s
%SystemRoot%\System32\sxssrv.dll
%SystemRoot%\System32\csrsrv.dll
%SystemRoot%\System32\basesrv.dll
%SystemRoot%\System32\winsrv.dll
%SystemRoot%\System32\lsasrv.dll
%SystemRoot%\System32\ntdll.dll
KiDebugRoutine %p hooked by %s
PspLegoNotifyRoutine %p hooked by %s
KiTimeUpdateNotifyRoutine %p hooked by %s
KiSwapContextNotifyRoutine %p hooked by %s
KiThreadSelectNotifyRoutine %p hooked by %s
Sysenter patched, addr %p not in %s !!!
Mailslot: %S
NamedPipe: %S
DEVCLASS_MULTIPORTSERIAL
DEVCLASS_PORTS
DEVCLASS_KEYBOARD
DEVCLASS_APMSUPPORT
read_dev_chrs(%S) failed, ntstatus %X
DrvObj %p name %S %s
DrvObj %p nameLen %X %s
dev_props failed, status %X
ClassGUID: %S
ClassGUID: %S - %s
Cannot open directory %S, error %X
Cannot realloc %d bytes
Cannot open device directory, error %X
Cannot open driver directory, error %X
Cannot open FileSystem directory, error %X
Unknown HAL private dispatch table version %X
HalAcpiTimerInit: %p %s
HalAcpiTimerCarry: %p %s
HalAcpiMachineStateInit: %p %s
HalAcpiQueryFlags: %p %s
HalAcpiPicStateIntact: %p %s
HalRestoreInterruptControllerState: %p %s
HalPciInterfaceReadConfig: %p %s
HalPciInterfaceWriteConfig: %p %s
HalSetVectorState: %p %s
HalGetApicVersion: %p %s
HalSetMaxLegacyPciBusNumber: %p %s
HalIsVectorValid: %p %s
HalAcpiGetTableDispatch: %p %s
HalAcpiGetRsdpDispatch: %p %s
HalAcpiGetFacsMappingDispatch: %p %s
HalAcpiGetAllTablesDispatch: %p %s
HalAcpiPmRegisterAvailable: %p %s
HalAcpiPmRegisterRead: %p %s
HalAcpiPmRegisterWrite: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
HalMmMemoryUsage: %p %s
HalAllocateMapRegisters: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalAllocateMapRegisters: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalTscSynchronization: %p %s
HalWheaInitProcessorGenericSection: %p %s
HalStopLegacyUsbInterrupts: %p %s
HalReadWheaPhysicalMemory: %p %s
HalWriteWheaPhysicalMemory: %p %s
HalDpMaskLevelTriggeredInterrupts: %p %s
HalDpUnmaskLevelTriggeredInterrupts: %p %s
HalDpGetInterruptReplayState: %p %s
HalDpReplayInterrupts: %p %s
HalQueryIoPortAccessSupported: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalAllocateMapRegisters: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalTscSynchronization: %p %s
HalWheaInitProcessorGenericSection: %p %s
HalStopLegacyUsbInterrupts: %p %s
HalReadWheaPhysicalMemory: %p %s
HalWriteWheaPhysicalMemory: %p %s
HalInterruptMaskLevelTriggeredLines: %p %s
HalInterruptUnmaskLevelTriggeredLines: %p %s
HalDpGetInterruptReplayState: %p %s
HalDpReplayInterrupts: %p %s
HalQueryIoPortAccessSupported: %p %s
KdSetupIntegratedDeviceForDebugging: %p %s
KdReleaseIntegratedDeviceForDebugging: %p %s
HalEnlightenmentInitialize: %p %s
HalAllocateEarlyPages: %p %s
HalMapEarlyPages: %p %s
HalTimerGetClockOwner: %p %s
HalTimerGetClockConfiguration: %p %s
HalTimerNotifyProcessorFreeze: %p %s
HalTimerPrepareProcessorForIdle: %p %s
HalDiagRegisterLogRoutine: %p %s
HalTimerResumeProcessorFromIdle: %p %s
HalTimerResetLastClockTick: %p %s
HalVectorToIDTEntryEx: %p %s
HalSecondaryInterruptQueryPrimaryInformation: %p %s
HalMaskInterrupt: %p %s
HalUnmaskInterrupt: %p %s
HalIsInterruptTypeSecondary: %p %s
HalAllocateGsivForSecondaryInterrupt: %p %s
HalAddInterruptRemapping: %p %s
HalRemoveInterruptRemapping: %p %s
HalSaveAndDisableEnlightenment: %p %s
HalRestoreHvEnlightenment: %p %s
HalPciEarlyRestore: %p %s
HalInterruptGetLocalIdentifier: %p %s
HalAllocatePmcCounterSet: %p %s
HalCollectPmcCounters: %p %s
HalFreePmcCounterSet: %p %s
HalTimerQueryCycleCounter: %p %s
HalTimerGetNextTickDuration: %p %s
HalPciMarkHiberPhase: %p %s
HalInterruptQueryProcessorRestartEntryPoint: %p %s
HalInterruptRequestSecondaryInterrupt: %p %s
HalInterruptEnumerateUnmaskedInterrupts: %p %s
HalBiosDisplayReset: %p %s
HalGetDmaAdapter: %p %s
HalCheckPowerButton: %p %s
HalMapPhysicalMemoryWriteThrough64: %p %s
HalUnmapVirtualAddress: %p %s
HalKdReadPCIConfig: %p %s
HalKdWritePCIConfig: %p %s
HalTimerQueryWakeTime: %p %s
HalTimerReportIdleStateUsage: %p %s
HalKdEnumerateDebuggingDevices: %p %s
HalFlushIoRectangleExternalCache: %p %s
HalPowerEarlyRestore: %p %s
HalQueryCapsuleCapabilities: %p %s
HalUpdateCapsule: %p %s
HalPciMultiStageResumeCapable: %p %s
check_hal_private_disp_table: cannot read table, error %d, ntstatus %X
check_hal_private_disp_table: cannot read table, error %d
check_hal_disp_table: cannot read table, error %d, ntstatus %X
check_hal_disp_table: cannot read table, error %d
HalQuerySystemInformation: %p %s
HalSetSystemInformation: %p %s
HalQueryBusSlots: %p %s
HalExamineMBR: %p %s
HalIoReadPartitionTable: %p %s
HalIoSetPartitionInformation: %p %s
HalIoWritePartitionTable: %p %s
HalReferenceHandlerForBus %p %s
HalReferenceBusHandler %p %s
HalDereferenceBusHandler %p %s
HalInitPnpDriver %p %s
HalInitPowerManagement %p %s
HalGetDmaAdapter %p %s
HalGetInterruptTranslator %p %s
HalStartMirroring %p %s
HalEndMirroring %p %s
HalMirrorPhysicalMemory %p %s
HalEndOfBoot %p %s
HalMirrorVerify %p %s
HalGetCachedAcpiTable %p %s
HalSetPciErrorHandlerCallback %p %s
read_hal_apci_disp_table return %X bytes, error %d, ntstatus %X
read_hal_apci_disp_table return %X bytes, error %d
Bad HalAcpiDispatchTable version: %X
read_gdt_size failed, error %d, ntstatus %X
read_gdt_size failed, error %d
Cannot alloc %d bytes for GDT entries
read_gdt failed, error %d, ntstatus %X
read_gdt failed, error %d
Descriptor[%d] %s S %d DPL %d type %X base %X limit %X
WinChecker::dump_ldt failed, error %X, ntstatus %X
WinChecker::dump_ldt failed, error %X
WinChecker::dump_ldt: cannot alloc ldt array, size %X
Ldt[%d]:
Base: X
Limit: X
AVL: %d
D/B: %d
DPL: %d
G: %d
P: %d
S: %d
Type: %d
Cannot read code for kinterrupt(%X) thunk, error %d
IDT patched: unknown type %X selector %X addr %p for int%X
IDT patched: unknown selector %X for int%X
IDT patched: int%X has unknown selector %X base %X limit %X addr %p
IDT patched: int%X addr %p by module %s
IDT int%X addr %p KINTERRUPT %p
IDT patched: int%X addr %p
Int%X: selector %X type TASK DPL %X base %X limit %X
Int%X: selector %X type %X DPL %X addr %p base %X limit %X
Int%X: selector %X type %X DPL %X addr %p
read_idt_size failed, error %d, ntstatus %X
read_idt_size failed, error %d
read_idt: cannot alloc %d bytes for IDT storage
read_idt failed, error %d, ntstatus %X
read_idt failed, error %d
Cannot read kinterrupt (%X), error %d
KInterrupt %X (%p):
Size %X type %X
ServiceRoutine %p %s
DispatchAddress %p %s
check_ob_types: cannot read size of ObTypes list, error %d, ntstatus %X
check_ob_types: cannot read size of ObTypes list, error %d
check_ob_types: cannot read %d bytes (readed %d), error %d, ntstatus %X
check_ob_types: cannot read %d bytes (readed %d), error %d
fill_ob_type: cannot read ObType %S (%X), error %d
Cannot read ObType %S (%X), error %d
ObType %S:
DumpProcedure: %p %s
OpenProcedure: %p %s
CloseProcedure: %p %s
DeleteProcedure: %p %s
ParseProcedure: %p %s
SecurityProcedure: %p %s
QueryNameProcedure: %p %s
OkayToCloseProcedure: %p %s
ZwAlpcConnectPortEx
ZwOpenKeyTransactedEx
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwCreateKeyTransacted
ZwAlpcSendWaitReceivePort
ZwAlpcImpersonateClientOfPort
ZwAlpcDisconnectPort
ZwAlpcDeletePortSection
ZwAlpcCreatePortSection
ZwAlpcCreatePort
ZwAlpcConnectPort
ZwAlpcAcceptConnectPort
ZwUnloadKey2
ZwQueryOpenSubKeysEx
ZwLoadKeyEx
ZwQueryPortInformationProcess
ZwWaitForKeyedEvent
ZwReleaseKeyedEvent
ZwOpenKeyedEvent
ZwCreateKeyedEvent
ZwUnloadKeyEx
ZwSaveKeyEx
ZwRenameKey
ZwLockRegistryKey
ZwLockProductActivationKeys
ZwCompressKey
ZwCompactKeys
ZwYieldExecution
ZwUnloadKey
ZwSetValueKey
ZwSetThreadExecutionState
ZwSetInformationKey
ZwSetDefaultHardErrorPort
ZwSecureConnectPort
ZwSaveMergedKeys
ZwSaveKey
ZwRestoreKey
ZwRequestWaitReplyPort
ZwRequestPort
ZwReplyWaitReplyPort
ZwReplyWaitReceivePortEx
ZwReplyWaitReceivePort
ZwReplyPort
ZwReplaceKey
ZwRegisterThreadTerminatePort
ZwQueryValueKey
ZwQueryOpenSubKeys
ZwQueryMultipleValueKey
ZwQueryKey
ZwQueryInformationPort
ZwOpenKey
ZwNotifyChangeMultipleKeys
ZwNotifyChangeKey
ZwLoadKey2
ZwLoadKey
ZwListenPort
ZwImpersonateClientOfPort
ZwFlushKey
ZwEnumerateValueKey
ZwEnumerateKey
ZwDeleteValueKey
ZwDeleteKey
ZwDelayExecution
ZwCreateWaitablePort
ZwCreatePort
ZwCreateNamedPipeFile
ZwCreateKey
ZwConnectPort
ZwCompleteConnectPort
ZwAcceptConnectPort
FindKiServiceTable: relocation type %d found at X
Cannot read body of %s !
Cannot extract index of %s, error %d
kernel %s don`t contains KeServiceDescriptorTable function !
Cannot find SDT in %s
Cannot read ntdll.dll
Cannot read body of %s!
Cannot read body of ZwYieldExecution!
Cannot extract index of ZwYieldExecution, error %d
Cannot extract index of ZwPlugPlayControl , error %d
%s: %p
SDT entry %X (%s) hooked %p %s!
SDT entry %X hooked %p %s!
Need unhook %d items in SSDT
UNHOOK_ITEM: Index %X Offset %X
Unhook SSDT failed, lasterror %d
Unhooked %d SSDT items
NtUserSetProcessRestrictionExemption
NtUserAcquireIAMKey
NtGdiDdDDICreateKeyedMutex2
NtGdiDdDDIOpenKeyedMutex2
NtGdiDdDDIAcquireKeyedMutex2
NtGdiDdDDIReleaseKeyedMutex2
NtUserSetTHQAPublicKey
NtGdiDdDDIReleaseKeyedMutex
NtGdiDdDDIAcquireKeyedMutex
NtGdiDdDDIDestroyKeyedMutex
NtGdiDdDDIOpenKeyedMutex
NtGdiDdDDICreateKeyedMutex
NtUserEndTouchOperation
NtUserSfmDxReportPendingBindingsToDwm
NtGdiDDCCIGetTimingReport
NtUserUnregisterSessionPort
NtUserRegisterSessionPort
NtUserRegisterErrorReportingDialog
NtGdiSetOPMSigningKeyAndSequenceNumbers
NtGdiGetCertificateSize
NtGdiGetCertificate
NtUserWaitForMsgAndEvent
NtUserVkKeyScanEx
NtUserUnregisterHotKey
NtUserUnlockWindowStation
NtUserUnloadKeyboardLayout
NtUserUnhookWindowsHookEx
NtUserSetWindowStationUser
NtUserSetWindowsHookEx
NtUserSetWindowsHookAW
NtUserSetProcessWindowStation
NtUserSetKeyboardState
NtUserSetImeHotKey
NtUserSetConsoleReserveKeys
NtUserRegisterHotKey
NtUserOpenWindowStation
NtUserMapVirtualKeyEx
NtUserLockWindowStation
NtUserLoadKeyboardLayoutEx
NtUserGetProcessWindowStation
NtUserGetKeyState
NtUserGetKeyNameText
NtUserGetKeyboardState
NtUserGetKeyboardLayoutName
NtUserGetKeyboardLayoutList
NtUserGetImeHotKey
NtUserGetCPD
NtUserGetAsyncKeyState
NtUserCreateWindowStation
NtUserCloseWindowStation
NtUserCheckImeHotKey
NtUserCallMsgFilter
NtUserAlterWindowStyle
NtUserActivateKeyboardLayout
NtGdiScaleViewportExtEx
NtGdiDvpWaitForVideoPortSync
NtGdiDvpUpdateVideoPort
NtGdiDvpGetVideoPortConnectInfo
NtGdiDvpGetVideoPortOutputFormats
NtGdiDvpGetVideoPortLine
NtGdiDvpGetVideoPortInputFormats
NtGdiDvpGetVideoPortFlipStatus
NtGdiDvpGetVideoPortField
NtGdiDvpGetVideoPortBandwidth
NtGdiDvpFlipVideoPort
NtGdiDvpDestroyVideoPort
NtGdiDvpCreateVideoPort
NtGdiDvpCanCreateVideoPort
NtGdiDdSetColorKey
read_shadow_sdt failed, error %d
check_win32k_sdt: cannot alloc %d bytes
Cannot read win32k_sdt at %p size %X, error %d
win32k_sdt[%d] (%s) hooked, addr %p %s
win32k_sdt[%d] hooked, addr %p %s
GetNamedPipeServerProcessId
read_kddb read %X bytes, error %d
cannot read MmNonPagedPoolStart (%p), error %d
cannot read MmNonPagedPoolEnd (%p), error %d
cannot read MmPagedPoolStart (%p), error %d
cannot read MmPagedPoolEnd (%p), error %d
cannot read KernelVerifier (%p), error %d
WindowsType: %S
ETHREAD.StartAddress %X
KiProcessorBlock: %p (%X)
KernelVerifier: %X
KeBugCheckCallbackList: %p (%X)
WorkerRoutine: %p %s
IdleFunction: %p %s
IdleFunction: %p %s
KPRCB[%d].WorkerRoutine: %p %s
KPRCB[%d].IdleFunction: %p %s
KPRCB[%d].IdleFunction: %p %s
read_kpcr return %X bytes, error %d, ntstatus %X
read_kpcr return %X bytes, error %d
KPCR[%d] %p major %X minor %X
KPCR[%d] %p
get_os_info return %X bytes, error %d, ntstatus %X
get_os_info return %X bytes, error %d
NtMajorVersion: %d
NtMinorVersion: %d
BuildNumber: %d
GlobalFlag: %X
Processors: %d
MmVerifierFlags %d
MmSystemSize %d %s
DebuggerEnabled %d
DebuggerNotPresent %d
SafeBootMode %d
NXSupportPolicy %X
CR0 %8.8X %s
CR4 %8.8X %s
Cannot open mailslot %S, error %d
get_mail_slot_owner(%S): returned %d bytes, error %d, ntstatus %X
get_mail_slot_owner(%S): returned %d bytes, error %d
Cannot open named pipe %S, error %d
GetNamedPipeServerProcessId(%S) failed, error %d
get_named_pipe_owner(%S): returned %d bytes, error %d, ntstatus %X
get_named_pipe_owner(%S): returned %d bytes, error %d
read_lpc_port_chars: len %d, returned %d bytes, error %d, ntstatus %X
read_lpc_port_chars: len %d, returned %d bytes, error %d
read_unicode_string: len %d, returned %d bytes, error %d, ntstatus %X
read_unicode_string: len %d, returned %d bytes, error %d
read_drivers_list: cannot get size of drivers list, returned %d bytes, error %d, ntstatus %X
read_drivers_list: cannot get size of drivers list, returned %d bytes, error %d
read_drivers_list: cannot alloc %X bytes for driver list
read_drivers_list: cannot read drivers list, error %d, ntstatus %X
read_drivers_list: cannot read drivers list, error %d
%p:%X flags %X LoadCount %d %s
read_KiThreadSelectNotifyRoutine failed, error %d
read_KiSwapContextNotifyRoutine failed, error %d
read_KiTimeUpdateNotifyRoutine failed, error %d
read_PspLegoNotifyRoutine failed, error %d
read_KiDebugRoutine failed, error %d
read_msrs failed, error %d, ntstatus %X
read_msrs failed, error %d
IManageProcess: Cannot OpenProcess %d
IManageProcess: Cannot open process %d
read_win32_process for PID %X failed, error %d, status %X
read_win32_process for PID %X failed, error %d
read_dword(%p, PID %d) failed, error %d, ntstatus %X
read_dword(%p, PID %d) failed, error %d
read_ptr(%p, PID %d) failed, error %d, ntstatus %X
read_ptr(%p, PID %d) failed, error %d
rp_ReadProcessMemory(%p size %X) from %p error %d
read_token for PID %X failed, error %d, status %X
read_token for PID %X failed, error %d
open_proc(%d, access %X) failed, error %d, ntstatus %X
open_proc(%d, access %X) failed, error %d
rp_OpenProcess(%d, access %X) dwRet %d, error %d
rp_TerminateProcess(%p, %X) dwRet %d, error %d
Major %d Minor %d BuildNumber %d PlatformId %d ServicePackMajor %d ServicePackMinor %d SuiteMask %d ProductType %d CSDVersion %S
ProductType: %X
Cannot open RPC control, error %X
msgsvcsend
_ILocalObjectExporter
IVsShell
IWbemLoginClientID
ICertProtect
_IBTFTPApiEvents
_s_PasswordRecovery
wininet_UrlCache
_IObjectExporter
WMsgAPIs
WMsgKAPIs
INCryptKeyIso
HttpProxyMgrProvider
IKeySvcR
WcnTransportRpc
IPortResolve
IWbemLoginHelper
LRpcSIDKey
ISmartCardRootCerts
IDebugPortSupplier2
IAsyncOperation
IPipelineElement
OnlineProviderCertInterface
IBackgroundCopyJobHttpOptions
HttpProxyMgrClient
IStaticPortMappingCollection
IKeySvc
s_WindowsShutdown
IWebBrowser2
IDebugPortSupplierLocale2
IUPnPHttpHeaderControl
WINHTTP_AUTOPROXY_SERVICE
IErcLuaSupport
IDebugPortSupplier3
IKeySvc2
BackupKey
IWerReport
ICertPassage
IStaticPortMapping
IDebugPortSupplierEx2
IWbemLevel1Login
IWebBrowserApp
msgsvc
IShellWindows
RpcBindingFromStringBinding(%S) failed: %d
RpcMgmtInqIfIds(%S) failed: %d
RpcStringBindingCompose failed: %d
RpcBindingFromStringBinding failed: %d
RpcMgmtInqIfIds failed: %d
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d : %s
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d : (%s)
RpcMgmtEpEltInqBegin failed: %d
Cannot read npc table, readed %X bytes
rpcrt4
%s.AddressChangeFn: %p %s
rpcrt4_hack::check_myself: exception %d occured
rpcrt4_hack::try_hack: cannot find RpcServerRegisterIfEx
I_RpcInitNdrImports
load_driver(%S) returned %X
Loaded kernel driver: %S
Error loading kernel driver: %ls - 0xx
Error loading kernel driver: %S - 0xx
Error loading kernel driver: %S - OpenSCManager 0xx
tcpip
ClientImmProcessKey
fnHkOPTINLPEVENTMSG
fnHkINLPMSG
fnSENTDDEMSG
fnDWORDOPTINLPMSG
RealMsgWaitForMultipleObjectsEx
PEB.KernelCallbackTable patched, %p
user32_hack::try_hack: bad PE passed
user32_hack::try_hack: cannot read import table
pfnWowMsgBoxIndirectCallback
Unknown apfnDispatch size: %d
%s_hack::try_hack: bad PE passed
%s_hack::try_hack: cannot read exports, error %d
%s_hack::try_hack: cannot find section .data
%s_hack::try_hack: cannot read section .data
%s_hack::try_hack: cannot read section .rdata
%s_hack::try_hack: cannot find section .text
%s_hack::try_hack: cannot read section .text
DxgkReleaseKeyedMutex2
DxgkAcquireKeyedMutex2
DxgkOpenKeyedMutex2
DxgkCreateKeyedMutex2
DxgkReleaseKeyedMutex
DxgkAcquireKeyedMutex
DxgkDestroyKeyedMutex
DxgkOpenKeyedMutex
DxgkCreateKeyedMutex
Cannot read gDxgkInterface, readed %X bytes
WindowHasShadow
DisableProcessWindowsGhosting
zzzUnhookWindowsHook
xxxUpdateWindows
xxxArrangeIconicWindows
SetWindowState
ClearWindowState
SetMsgBox
GetKeyboardType
GetKeyboardLayout
RemotePassthruDisable
xxxRemotePassthruEnable
Cannot read gpsi, readed %X bytes
Cannot read gpsi handlers, readed %X bytes
Cannot read apfnSimpleCall, readed %X bytes
Cannot read gapfnMessageCall, readed %X bytes
Cannot read gapfnScSendMessage, readed %X bytes
Cannot read gaNewProcAddresses, readed %X bytes
Cannot open logfile %S
Cannot create stop event, error %d
Driver %S loaded from %S
SrvGetConsoleKeyboardLayoutName
SrvSetConsoleKeyShortcuts
SrvGetConsoleAliasExes
SrvGetConsoleAliasExesLength
SrvVDMConsoleOperation
SrvGetLargestConsoleWindowSize
SrvExitWindowsEx
winsrv.dll
Unknown size of ConsoleServerApiDispatchTable: %d
Unknown size of UserServerApiDispatchTable: %d
CallUserpExitWindowsEx
GetConsoleAliasExesInternal
GetConsoleAliasExesLengthInternal
SetConsoleKeyShortcuts
GetConsoleKeyboardLayoutNameWorker
SetConsoleOutputCPInternal
GetConsoleOutputCP
GetLargestConsoleWindowSize
reg_ccs_services::read failed - error %d
Cannot open key %S, error %d
SafeSecondaryLog(%d) failed, error %d
SafeSecondaryLog failed, error %d
SafeSendLog(%d) failed, error %d
SafeSendLog failed, error %d
Bad memory %p len %X in dump_hex_buffer
Cannot alloc %d bytes for delayed imports
Cannot alloc %d bytes for imports
read_import_safe(%s) failed %X
Cannot realloc %d bytes for iat
read_delayed_safe(%s) failed %X
store2md_cache: cannot alloc %d bytes
store2md_cache: cannot realloc, alloced %d bytes
wdigest.dll
tspkg.dll
schannel.dll
pku2u.dll
negoexts.dll
msv1_0.dll
livessp.dll
kerberos.dll
umpnpmgr.dll
combase.dll
ntdsa.dll
ntdll.dll
cryptbase.dll
ncrypt.dll
rpcrt4.dll
imm32.dll
user32.dll
kernelbase.dll
kernel32.dll
advapi32.dll
ole32.dll
Cannot alloc %X bytes for relocs
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
WS2_32.dll
RPCRT4.dll
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
RegCloseKey
RegOpenKeyExW
RegOpenKeyExA
RegCreateKeyExW
ADVAPI32.dll
GetWindowsDirectoryW
GetCPInfo
RegQueryInfoKeyW
RegEnumKeyW
zcÁ
.?AVMyWindowsChecker@@
.?AV?$rpcrt4_hack@U_IMAGE_NT_HEADERS@@@@
.?AVtcpip_hack@@
.?AV?$import_holder@U_IMAGE_NT_HEADERS@@@CMN@@
.?AVinmem_import_holder@CMN@@
.?AVimport_holder_intf@CMN@@
.?AVmodule_import@CMN@@
aR.Rn
X.UJ^A
w%xyW
f.Gkf
%0X0m0
>$?(?,?0?
3&4;456?90:
77g7
7>7[7`7|7
6#8*878^8~8
11_1
0#101#202
0 11h1J3
6%7S7
7*717>7[8
=!>&>9>>>
7&7@7l78N8V8z8
:);4;>;\;
0%0X0
= >$>(>,>0>
?,?4?\?|?
.----/01/01/01
KERNEL32.DLL
mscoree.dll
U%SystemRoot%\system32\svchost.exe
%SystemRoot%\system32\svchost
WSOCKTRANSPORT
TCPIP6
TCPIP
STORPORT
STORMINIPORT
SOFTPCI
SCSIPORT
SCSIMINIPORT
SBP2PORT
FCPORT
PassiveWatchdogTimeout
sImageExecutionOptions
ErrorPortStartTimeout
ErrorPortCommTimeout
DisablePagingExecutive
DebuggerMaxModuleMsgs
CountOperations
B\\.\
Psapi.dll
sWindows PowerShell
tHost Process for Windows Tasks
Windows Problem Reporting 32 bit
Windows Problem Reporting
Windows Modules Installer
mWindows Start-Up Application
tWindows Search Indexer
sWindows Server Initial Configuration Tasks
Windows Media Player
Dump Reporting Tool
Error Reporter
rWindows Control Panel 32 bit
Windows Control Panel
Windows Connect Now - Config Registrar Service
Windows Media Player Network Sharing Service
Windows firewall
Windows Error Reporting Service
tWindows Defender
vError reporting service
eWindows update service
Windows Image Acquisition
WebClient
tWindows Security Center Notification App
yWindows Based Script Host
Windows installer 32 bit
Windows installer
Windows 16-bit Virtual Machine
Windows Management Instrumentation
Windows User Mode Driver Manager
MS tftp
MS ftp 32 bit
MS ftp
Microsoft Help and Support Center
Cmd.exe 32 bit
Cmd.exe
Windows Logon User Interface Host
Windows update
tGoogle Chrome
rOpera Internet Browser
Mozilla Thunderbird Mail and News Client
dFirefox browser
Services.exe
%SystemRoot%\msagent\agentsvr.exe
%SystemRoot%\System32\dfrgfat.exe
%SystemRoot%\System32\dfrgntfs.exe
%SystemRoot%\System32\services.exe
%SystemRoot%\System32\svchost.exe
%SystemRoot%\System32\alg.exe
%SystemRoot%\System32\spoolsv.exe
%SystemRoot%\System32\net.exe
%SystemRoot%\System32\net1.exe
%SystemRoot%\System32\cmd.exe
%SystemRoot%\System32\notepad.exe
%SystemRoot%\System32\calc.exe
%SystemRoot%\System32\PTF.exe
%SystemRoot%\System32\tPTF.exe
%SystemRoot%\System32\telnet.exe
%SystemRoot%\System32\taskkill.exe
%SystemRoot%\System32\ctfmon.exe
%SystemRoot%\System32\wdfmgr.exe
%SystemRoot%\System32\mmc.exe
%SystemRoot%\System32\userinit.exe
%SystemRoot%\System32\wbem\wmiprvse.exe
%SystemRoot%\System32\wbem\wmiadap.exe
%SystemRoot%\explorer.exe
%SystemRoot%\System32\lsass.exe
%SystemRoot%\System32\winlogon.exe
%SystemRoot%\System32\LogonUI.exe
%SystemRoot%\System32\wuauclt.exe
%SystemRoot%\System32\wuauclt1.exe
%SystemRoot%\System32\CCM\CcmExec.exe
%SystemRoot%\System32\csrss.exe
%SystemRoot%\System32\smss.exe
\SystemRoot\System32\smss.exe
%SystemRoot%\System32\inetsrv\w3wp.exe
%SystemRoot%\System32\schtasks.exe
%SystemRoot%\System32\tstheme.exe
%SystemRoot%\System32\control.exe
%SystemRoot%\System32\taskmgr.exe
%SystemRoot%\System32\dwwin.exe
%SystemRoot%\System32\drwtsn32.exe
%SystemRoot%\System32\dumprep.exe
%SystemRoot%\System32\dfssvc.exe
%SystemRoot%\System32\dllhost.exe
%SystemRoot%\System32\ntvdm.exe
%SystemRoot%\System32\rundll32.exe
%SystemRoot%\System32\msiexec.exe
%SystemRoot%\System32\mshta.exe
%SystemRoot%\System32\regsvr32.exe
%SystemRoot%\System32\cscript.exe
%SystemRoot%\System32\wscript.exe
%SystemRoot%\System32\wscntfy.exe
%SystemRoot%\System32\mstsc.exe
%SystemRoot%\System32\dashost.exe
far.exe
Far.exe
CLSID\{FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7}\InprocServer32
CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\LocalServer32
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
iedw.exe
%SystemRoot%\System32\oobechk.exe
%SystemRoot%\System32\oobe.exe
%SystemRoot%\System32\psxss.exe
%SystemRoot%\System32\internat.exe
AcroRd32.exe
excel.exe
outlook.exe
winword.exe
powerpnt.exe
wmplayer.exe
firefox.exe
thunderbird.exe
Opera.exe
WinRAR.exe
%SystemRoot%\System32\wininit.exe
%SystemRoot%\System32\lsm.exe
%SystemRoot%\System32\dwm.exe
%SystemRoot%\System32\werfault.exe
%SystemRoot%\System32\taskeng.exe
%SystemRoot%\System32\conime.exe
%SystemRoot%\System32\wudfhost.exe
%SystemRoot%\System32\taskhost.exe
%SystemRoot%\System32\conhost.exe
%SystemRoot%\System32\rdpclip.exe
%SystemRoot%\System32\SearchFilterHost.exe
%SystemRoot%\System32\SearchProtocolHost.exe
csrss.exe
svchost.exe
alg.exe
sPptpMiniport
Tcpip
psapi.dll
127.0.0.1
\\.\pipe\
\\.\mailslot\
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\\.\Pipe\
\\.\Mailslot\
ncacn_ip_tcp:
ncadg_ip_udp:
\\pipe\\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
RemediationExe
SOFTWARE\Classes\SCCM.VAppLauncher\shell\Open\command
SOFTWARE\Classes\CLSID\{00AAB372-0D6D-4976-B5F5-9BC7605E30BB}\LocalServer32
SOFTWARE\Classes\CLSID\{3C296D07-90AE-4FAC-86F9-65EAA8B82D22}\LocalServer32
SOFTWARE\Classes\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}\LocalServer32
SOFTWARE\Classes\CLSID\{03e64e17-b220-4052-9b9b-155f9cb8e016}\LocalServer32
SOFTWARE\Classes\CLSID\{1F69F884-285E-418E-9715-B9EEE402DD5F}\LocalServer32
Software\Microsoft\Windows\CurrentVersion\WINEVT\publishers
Windows checker
1.0.0.3432
wincheck.exe
0, 0, 8, 16
NesIMIQs.exe_228_rwx_05740000_00001000:
.text
`.rdata
@.data
NesIMIQs.exe_228_rwx_05750000_00001000:
.text
`.rdata
@.data
NesIMIQs.exe_228_rwx_06010000_00001000:
notepad.exe "%Documents and Settings%\%current user%\myfile"
NesIMIQs.exe_228_rwx_06020000_00001000:
%Documents and Settings%\%current user%\myfile
reIEcoQI.exe_232_rwx_00401000_00069000:
3E.Pcq:P!V^
#%Xkq.
.JF{
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
2software\microsoft\windows\currentversion\run
P.yrBX.
PB]%C
%FoS(
F<.cs>reIEcoQI.exe_232_rwx_00680000_00068000:
3E.Pcq:P!V^
#%Xkq.
.JF{
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
$g.Gd
P.yrBX.
PB]%C
%FoS(
F<.cs>reIEcoQI.exe_232_rwx_00700000_00001000:
%WinDir%\TEMP
reIEcoQI.exe_232_rwx_00940000_00001000:
%Documents and Settings%\LocalService\dUskcAww\fGAwoYMM
reIEcoQI.exe_232_rwx_00950000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs
reIEcoQI.exe_232_rwx_00960000_00001000:
%Documents and Settings%\LocalService\dUskcAww\fGAwoYMM.inf
reIEcoQI.exe_232_rwx_00970000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.inf
reIEcoQI.exe_232_rwx_00980000_00001000:
%Documents and Settings%\LocalService\dUskcAww\fGAwoYMM.exe
reIEcoQI.exe_232_rwx_00990000_00001000:
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe
reIEcoQI.exe_232_rwx_009C0000_00001000:
fGAwoYMM.exe
reIEcoQI.exe_232_rwx_009D0000_00001000:
NesIMIQs.exe
reIEcoQI.exe_232_rwx_009E0000_00001000:
taskkill /FI "USERNAME eq SYSTEM" /F /IM fGAwoYMM.exe
reIEcoQI.exe_232_rwx_009F0000_00001000:
taskkill /FI "USERNAME eq SYSTEM" /F /IM NesIMIQs.exe