Packed.Win32.MoleBoxVS_715690f93c – Adaware

Trojan.Win32.Swrort.3.FD, GenericAutorunWorm.YR, GenericInjector.YR, PackedMoleBoxVS.YR (Lavasoft MAS)Behaviour: Trojan, Worm, Packed, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 715690f93c7a1f79468deffc8e432147

SHA1: b3f09bf8a88eb6aa67cb71258ba49d48c540da32

SHA256: a605dd89c34c37ca3fff432507df43cb8d6f754cc75e0c099c0d8334e7adcb62

SSDeep: 98304:19Y02Ch0TDVy7pfFPNeTp39u1bSJEwF1QKTwhhLf0iNBwox1uTyX1vyJzsq R:1xnWDVy9fF1eTR b RF1QIwvfbwoiylN

Size: 5012656 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:52

Analyzed on: WindowsXP SP3 32-bit

Summary: Packed. A packed file can be a compressed and/or encrypted in a manner that prevents matching the memory image of that file and the actual file on disk. Sometimes used for copy protection, packers are often used to make Spyware less easy to analyze/detect.

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Packed's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Packed creates the following process(es):

net1.exe:580
net1.exe:1368
ping.exe:1484
net.exe:2008
net.exe:916
%original file name%.exe:1332
sort.exe:1788
sort.exe:868
find.exe:1376
find.exe:1264

The Packed injects its code into the following process(es):

getsusp_300373.exe:900

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process getsusp_300373.exe:900 makes changes in the file system.

The Packed creates and/or writes to the following file(s):

C:\ (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A8D2383C68A1A48B9237A20571B2203 (360 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
%WinDir%\GetSusp.sys (588 bytes)
%Documents and Settings%\All Users\Documents\My Music (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\570FB14ABC805C46708F32F92F10C3B4 (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData (8 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%Documents and Settings%\All Users\Documents (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
%Documents and Settings%\%current user% (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
%Program Files%\Common Files\System (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D41693DAFE5DEF0C36959FF1FCEF5C96 (603 bytes)
%System%\config\SystemProfile (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\Default User\NTUSER.DAT (36 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\Default User (540 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
%WinDir% (1264 bytes)
C:\$Directory (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\207B9FD92391B9B2A60A89B4C965D5DF (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Network.xsl (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D41693DAFE5DEF0C36959FF1FCEF5C96 (308 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\config (96 bytes)
%System%\wbem (1064 bytes)
%Documents and Settings%\All Users\Start Menu (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\All Users\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (44 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (130 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\CatRoot2\dberr.txt (155 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\570FB14ABC805C46708F32F92F10C3B4 (573 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%System% (8396 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WFV3.tmp (8 bytes)
%Documents and Settings%\Default User\Start Menu\Programs (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Files.xsl (784 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A8D2383C68A1A48B9237A20571B2203 (1 bytes)
%Documents and Settings%\%current user%\Local Settings (4 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\GetSusp.xsl (196 bytes)
%Documents and Settings%\All Users (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\Default User\ntuser.dat.LOG (1560 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\207B9FD92391B9B2A60A89B4C965D5DF (588 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\NetworkService (4 bytes)

The Packed deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\GetSusp.opt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp.opt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (0 bytes)

The process %original file name%.exe:1332 makes changes in the file system.

The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.dll (7370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libintl3.dll (3713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (5356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\gawk.exe (8159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\uniq.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.exe (7821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\zip.exe (7631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\PsInfo.exe (10556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\du.exe (6070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wput.exe (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\regex2.dll (2289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sleep.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\date.exe (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pcre3.dll (4114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\autorunsc.exe (14680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\grep.exe (3739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pslist.exe (7328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libeay32.dll (29364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libssl32.dll (5340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\ssleay32.dll (6842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libiconv2.dll (28246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wget.exe (14326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\getsusp_300373.exe (51601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\unzip.exe (4782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\psloglist.exe (4656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sed.exe (1240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\SARS_o.bat (5704 bytes)

The Packed deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)

The process sort.exe:1788 makes changes in the file system.

The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SARS\XP7_info.txt (2 bytes)

The process sort.exe:868 makes changes in the file system.

The Packed creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SARS.LOG (2 bytes)

Registry activity

The process net1.exe:580 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE D0 93 1A 79 08 52 A2 57 C9 C8 01 7C 96 98 FF"

The process net1.exe:1368 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 CF 91 61 D4 98 2B 8A E5 9C 9C E7 A5 6C 0B FB"

The process ping.exe:1484 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 97 9D F3 7B AD C1 33 A3 C9 68 5A 79 D2 4C 17"

The process net.exe:2008 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 3F 55 F9 1E E8 CB DA E0 CF DF 15 59 83 EE 94"

The process net.exe:916 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E 2B 63 BB 5A 28 79 6B 9F 6C 2E 82 AE AA BD 67"

The process getsusp_300373.exe:900 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD ED CA CD AE 39 F9 C5 7A C4 B3 93 A4 4C 1F E1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE]
"1" = "\Device\HarddiskVolume1\Documents and Settings\Default User\NTUSER.DAT"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Packed deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\System\CurrentControlSet\Control\hivelist\\REGISTRY\MACHINE]
"1"

The process %original file name%.exe:1332 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D 43 8A B7 33 F5 3A 24 80 54 64 AF F6 1C 25 09"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Security Analysis Response Script - Auto Upload\Components]
"Main" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process sort.exe:1788 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 D8 4D 0A 79 7A D7 F4 4D FF 08 DB 9F 83 65 27"

The process sort.exe:868 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 8B A8 5D B6 56 5E 77 C9 B8 FE 86 77 79 9A F4"

The process find.exe:1376 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF FC F1 45 A9 A4 A1 9E 03 12 E4 49 47 05 E0 C0"

The process find.exe:1264 makes changes in the system registry.

The Packed creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 15 0A A9 23 99 6E 53 C4 31 0D E2 E9 34 CB F9"

Dropped PE files

MD5	File path
53e433146f2060b01e80128652d63c36	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\PsInfo.exe
3872fdfe8b16111a123b215956db4fac	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\autorunsc.exe
449ddec37abe10b10400e97906528784	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\blat.dll
c7b92f83bd2658d2ca70c24dd8df20c9	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\blat.exe
5e978ec5f615396eaa1b14334197b68e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\date.exe
96ef10196a343b237a21a06c66fe02c0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\du.exe
327c50edeb8e370392d5d55018b193c0	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\gawk.exe
83a3d89f40a05038760110b1e6e54762	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\grep.exe
6b854ffc12e5e2c32683a03714cf6c5d	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libeay32.dll
331f570aa7c20bc93deb7b237b21cc9c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libiconv2.dll
db7aabf38d66b4f8152f12e0f313d00c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libintl3.dll
37580b9354e984bf7c1a2b4ed7fa824b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\libssl32.dll
57cac848fa14ae38f14f9441f8933282	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\pcre3.dll
ad06aa36e330434560593590330222e6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\pslist.exe
328ba584bd06c3083e3a66cb47779eac	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\psloglist.exe
547c43567ab8c08eb30f6c6bacb479a3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\regex2.dll
289c007f63e4216757e3c03c38555133	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\sed.exe
b23b2c00cb9f44b9b2d05012cfee1db4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\sleep.exe
3f73eb468ad5f5977ca2f4cd36c46b94	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\ssleay32.dll
959312470e74c3b2220e74ff181abece	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\uniq.exe
fecf803f7d84d4cfa81277298574d6e6	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\unzip.exe
aa173375c21ea31b8cc615dccb54e43b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\wget.exe
f7438fb5b244eb8a4f409dc660b469e3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\wput.exe
79aef4a7acaeb0e979537a4bc3dcc851	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\SARS\executables\zip.exe
4857084657ceff6cc7891dce8ada8507	c:\WINDOWS\GetSusp.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Packed's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
net1.exe:580
net1.exe:1368
ping.exe:1484
net.exe:2008
net.exe:916
%original file name%.exe:1332
sort.exe:1788
sort.exe:868
find.exe:1376
find.exe:1264
Delete the original Packed file.
Delete or disinfect the following files created/modified by the Packed:
C:\ (4 bytes)
%Documents and Settings%\Default User\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Playlists (4 bytes)
%Documents and Settings%\%current user%\Favorites (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\System Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8A8D2383C68A1A48B9237A20571B2203 (360 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\A8FABA189DB7D25FBA7CAC806625FD30 (96 bytes)
%WinDir%\GetSusp.sys (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\570FB14ABC805C46708F32F92F10C3B4 (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70 (232 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5 (164 bytes)
%Documents and Settings%\%current user%\Application Data\Adobe\Acrobat\9.0 (4 bytes)
%System%\drivers (32 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Communications (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\3130B1871A126520A8C47861EFE3ED4D (240 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E04822AD18D472EA5B582E6E6F8C6B9A (256 bytes)
%Program Files%\Common Files\System (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Accessories\Entertainment (4 bytes)
%Documents and Settings%\LocalService (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\D41693DAFE5DEF0C36959FF1FCEF5C96 (603 bytes)
%System%\config\SystemProfile (4 bytes)
%WinDir%\WinSxS (12 bytes)
%Documents and Settings%\Default User\NTUSER.DAT (36 bytes)
%WinDir%\AppPatch (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar5.tmp (2712 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\A8FABA189DB7D25FBA7CAC806625FD30 (224 bytes)
C:\$Directory (1792 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab4.tmp (54 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\207B9FD92391B9B2A60A89B4C965D5DF (324 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\3130B1871A126520A8C47861EFE3ED4D (521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Network.xsl (4 bytes)
C:\PROGRAM FILES (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\D41693DAFE5DEF0C36959FF1FCEF5C96 (308 bytes)
%Documents and Settings%\%current user%\My Documents (4 bytes)
%System%\wbem (1064 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs (4 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\GetSusp1.tmp (44 bytes)
C:\DOCUMENTS AND SETTINGS (4 bytes)
%Documents and Settings%\Default User\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6 (130 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\0797C381B2F87EB5A1D5573BD15BA4F4 (37 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004 (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Cab6.tmp (54 bytes)
%Program Files%\Internet Explorer (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5 (933 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004 (408 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E04822AD18D472EA5B582E6E6F8C6B9A (528 bytes)
%WinDir%\REGISTRATION (4 bytes)
%System%\CatRoot2\dberr.txt (155 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\570FB14ABC805C46708F32F92F10C3B4 (573 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\SystemCache\6.0 (8 bytes)
%Documents and Settings%\NetworkService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\LocalService\Local Settings (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\E8974A4669383843486E5AFDB09650F5 (2 bytes)
%Program Files%\COMMON FILES (4 bytes)
%Documents and Settings%\LocalService\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\0797C381B2F87EB5A1D5573BD15BA4F4 (240 bytes)
%Documents and Settings%\%current user%\Application Data\Sun\Java\Deployment\cache\6.0 (8 bytes)
%Program Files%\Common Files\Microsoft Shared (4 bytes)
%Documents and Settings%\%current user%\APPLICATION DATA (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WFV3.tmp (8 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70 (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\Files.xsl (784 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5 (4 bytes)
%System%\oobe (96 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft (4 bytes)
%Program Files%\Common Files\VMware\Drivers (4 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Games (4 bytes)
%Program Files%\WIRESHARK (16 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8A8D2383C68A1A48B9237A20571B2203 (1 bytes)
%Documents and Settings%\Default User\Application Data\Microsoft (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\E8974A4669383843486E5AFDB09650F5 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\XP7\Logs\GetSusp.xsl (196 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\C554DCF706A5AAB8B360FAD227EAB9C7 (1 bytes)
%Documents and Settings%\Default User\ntuser.dat.LOG (1560 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\C554DCF706A5AAB8B360FAD227EAB9C7 (176 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\207B9FD92391B9B2A60A89B4C965D5DF (588 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Accessories\Accessibility (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\8DFDF057024880D7A081AFBF6D26B92F (176 bytes)
%Documents and Settings%\NetworkService\Local Settings (4 bytes)
%WinDir%\WinSxS\Policies\x86_Policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775 (4 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\Content\8DFDF057024880D7A081AFBF6D26B92F (533 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6 (224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Tar7.tmp (2712 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.dll (7370 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libintl3.dll (3713 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\spltmp.bmp (5356 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\gawk.exe (8159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\uniq.exe (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\blat.exe (7821 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\zip.exe (7631 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\PsInfo.exe (10556 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\du.exe (6070 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wput.exe (2603 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\regex2.dll (2289 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sleep.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\date.exe (246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pcre3.dll (4114 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\autorunsc.exe (14680 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv2.tmp\AdvSplash.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\grep.exe (3739 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\pslist.exe (7328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libeay32.dll (29364 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libssl32.dll (5340 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\ssleay32.dll (6842 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\libiconv2.dll (28246 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\wget.exe (14326 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\getsusp_300373.exe (51601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\unzip.exe (4782 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\psloglist.exe (4656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\executables\sed.exe (1240 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\SARS_o.bat (5704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS\XP7_info.txt (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SARS.LOG (2 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Schlumberger Security Operations Team
Product Name: Security Analysis Response Script - Automatic Upload
Product Version: 1.0.7.6
Legal Copyright: (c) 2008-2013 - Unpublished work. All rights reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.7.6
File Description: Tool for IR Data Collection.
Comments:
Language: Language Neutral

Company Name: Schlumberger Security Operations TeamProduct Name: Security Analysis Response Script - Automatic UploadProduct Version: 1.0.7.6Legal Copyright: (c) 2008-2013 - Unpublished work. All rights reserved.Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.7.6File Description: Tool for IR Data Collection.Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	225280	130952	131072	3.4391	7861b17ec4aec8476bdfecd2dc4490bd

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://e6845.ce.akamaiedge.net/pca3.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2004.crl
hxxp://crl.slb.com/CertData/SRV001PKI_Schlumberger Corporate Root CA(1).crt	199.6.154.95
hxxp://a26.d.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://e6845.ce.akamaiedge.net/CSC3-2009-2.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g5.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2010.crl
hxxp://e6845.ce.akamaiedge.net/pca3-g2.crl
hxxp://e6845.ce.akamaiedge.net/CSC3-2009.crl
hxxp://a1363.g.akamai.net/pki/crl/products/WinIntPCA.crl
hxxp://a1363.g.akamai.net/pki/crl/products/tspca.crl
hxxp://crl.usertrust.com/UTN-USERFirst-Object.crl	178.255.83.2
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftRootAuthority.crl
hxxp://a1363.g.akamai.net/pki/crl/products/MicWinHarComPCA_2010-11-01.crl
hxxp://crl.microsoft.com/pki/crl/products/tspca.crl	205.237.69.73
hxxp://crl.microsoft.com/pki/crl/products/WinIntPCA.crl	205.237.69.73
hxxp://crl.verisign.com/pca3-g5.crl	23.9.117.163
hxxp://csc3-2009-2-crl.verisign.com/CSC3-2009-2.crl	23.9.117.163
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftRootAuthority.crl	205.237.69.73
hxxp://crl.verisign.com/pca3-g2.crl	23.9.117.163
hxxp://crl.verisign.com/pca3.crl	23.9.117.163
hxxp://csc3-2010-crl.verisign.com/CSC3-2010.crl	23.9.117.163
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt	205.237.69.74
hxxp://CSC3-2004-crl.verisign.com/CSC3-2004.crl
hxxp://csc3-2009-crl.verisign.com/CSC3-2009.crl	23.9.117.163
hxxp://crl.microsoft.com/pki/crl/products/MicWinHarComPCA_2010-11-01.crl	205.237.69.73
csc3-2004-crl.verisign.com	23.9.117.163

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /UTN-USERFirst-Object.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.usertrust.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Wed, 25 Jun 2014 17:26:14 GMT

Content-Type: application/x-pkcs7-crl

Content-Length: 75433

Last-Modified: Tue, 24 Jun 2014 19:46:01 GMT

Connection: close

X-CCACDN-Mirror-ID: t8edcacrl3

Accept-Ranges: bytes

0..&.0..%....0...*.H........0..1.0...U....US1.0...U....UT1.0...U....Salt Lake City1.0...U....The USERTRUST Network1!0...U....hXXp://VVV.usertrust.com1.0...U....UTN-USERFirst-Object..140624194601Z..140628194601Z0..$.0"....2EY..aU..........050525083740Z0".....Iv...h ..ys.....050525090148Z0!..u.......|..xk.0...050602000000Z0".....6.z..........7..050602075356Z0"....!.$.KM(C@="..o}..050603153950Z0".......W%Ny.vD.q..Y..050607084159Z0".......3W]...$.#\F4..050613095931Z0!......(.62..2PLr.q..050630164737Z0"....BLA......)..5....050707141212Z0!..Wa........q#......050711082844Z0!.._j.....o...'...m..050715130339Z0!..?........N]B..Z...050721083234Z0!..RO.)@..Q...p._....050726090436Z0".....k......1.g......050729091017Z0"....l........o... ...050729134103Z0"....v.R..~...?.(..&..050803165854Z0!..6..;....sC.M.s:...050809135135Z0!...........^nH.U.(..050810132024Z0"......;.S...wU-K.c...050810211644Z0"......d..#IE..#|.g#..050811182050Z0"....!..|....]rR..-r..050817085053Z0"......Ai..xJ..q]Xi...050822140450Z0!..>...........t'6...050824025640Z0!..?3..rd5>ocV.. ....050824075512Z0"....|..5u[.}<..[.@...050908092147Z0!..GJ.C...<NM.i......050912092806Z0!....(.8....U.1.'....050912144650Z0!..*.(ECy.V.?x.3S_k..050915103419Z0!......./.....L...r..050919144257Z0!..Y....=....#.......050929000000Z0!..p.,.g.x..z:q~.....050930114111Z0"....-.."...\w...~....050930123007Z0!....o0........P.H...051004084832Z0".......=6......4.....051005122403Z0!..md\\...~.v.o......051013100954Z0!...6.D...hR..BO._...051013110610Z0!..5.x.1..6.p~}>.....0510181

<<< skipped >>>

GET /pki/crl/products/WinIntPCA.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Mon, 05 Apr 2010 23:14:32 GMT

Accept-Ranges: bytes

ETag: "07ca8bf15d5ca1:0"

Server: Microsoft-IIS/8.0

VTag: 279616832800000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 528

Cache-Control: max-age=900

Date: Wed, 25 Jun 2014 17:25:49 GMT

Connection: keep-alive

0...0.....0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1806..U.../Microsoft Windows Verification Intermediate PCA..100405230430Z.A0?0...U.#..0.....[3.A...BrvWo..%Sz.0... .....7.......0...U.......0...*.H.............P^0...8..(3k&.SD..F6g.C...l...,...=.'V..u..l=..Qz..<...u...>.......A..:.........2./....u*. =.G..B&)"...'.I. x ......vOP...N..CE...Z. C407...U... ."..#.Z7P...E.t..$i..n..p......-.;...@.d..8.z....z....t[..X...0...n..}.D#.8....Nx.H- .....~.kC..`qFZ`w.............

GET /pki/crl/products/tspca.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 24 May 2014 05:04:54 GMT

Accept-Ranges: bytes

ETag: "8ab194b3d77cf1:0"

Server: Microsoft-IIS/8.0

VTag: 791326843100000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 521

Cache-Control: max-age=900

Date: Wed, 25 Jun 2014 17:25:50 GMT

Connection: keep-alive

0...0.....0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Timestamping PCA..140514201017Z..440513202154Z.A0?0...U.#..0...o.N?..4.K......;AC..0... .....7.......0...U......)0...*.H..............*..6k..s...e".x(........C..L......rE/^......m....t.....I^.W.. ........`.Qa....V.c.3oA.....7.w...>.)...[IeO!.lm.....8`.v....Y.......z?.......n).~.:....\.l>.J.I2.17>.*...tl9.C.z."..BP..N. ..0....H......J?...>XF.G.....@....".Y..V.].?.7..7`.7...r...~.3..c..4.HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Sat, 24 May 2014 05:04:54 GMT..Accept-Ranges: bytes..ETag: "8ab194b3d77cf1:0"..Server: Microsoft-IIS/8.0..VTag: 791326843100000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 521..Cache-Control: max-age=900..Date: Wed, 25 Jun 2014 17:25:50 GMT..Connection: keep-alive..0...0.....0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Timestamping PCA..140514201017Z..440513202154Z.A0?0...U.#..0...o.N?..4.K......;AC..0... .....7.......0...U......)0...*.H..............*..6k..s...e".x(........C..L......rE/^......m....t.....I^.W.. ........`.Qa....V.c.3oA.....7.w...>.)...[IeO!.lm.....8`.v....Y.......z?.......n).~.:....\.l>.J.I2.17>.*...tl9.C.z."..BP..N. ..0....H......J?...>XF.G.....@....".Y..V.].?.7..7`.7...r...~.3..c..4.....

<<< skipped >>>

GET /pki/crl/products/MicrosoftRootAuthority.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sun, 22 Jun 2014 05:05:27 GMT

Accept-Ranges: bytes

ETag: "ec45e394d78dcf1:0"

Server: Microsoft-IIS/8.0

VTag: 791166943900000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 603

Cache-Control: max-age=900

Date: Wed, 25 Jun 2014 17:26:31 GMT

Connection: keep-alive

0..W0..?...0...*.H........0p1 0)..U..."Copyright (c) 1997 Microsoft Corp.1.0...U....Microsoft Corporation1!0...U....Microsoft Root Authority..140621173809Z..140920055809Z0:0...:..../...V..091210010336Z0........$... ..020225080156Z._0]0...U.#..0...J\u".F....9.N...`...0... .....7.......0...U......$0... .....7......140919174809Z0...*.H.............S.>l.._....)j.k%..vm.'Y.....Q......p,..X.#..6......8...............xT..>.E..H.#......U...'.../....p....(5.....,..F:.......~.....M.."......I"....;0.]..,.OI}.....f.2~.].,u...hp.W,.'wj..%<......Y.N.. ..u',.. ..v$#A....l..9..m.T:s... .>Z.k...l.....kVyi......o.....

GET /pki/crl/products/MicWinHarComPCA_2010-11-01.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.microsoft.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 24 May 2014 05:04:55 GMT

Accept-Ranges: bytes

ETag: "4af46b4d77cf1:0"

Server: Microsoft-IIS/8.0

VTag: 438117044800000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 588

Cache-Control: max-age=900

Date: Wed, 25 Jun 2014 17:26:31 GMT

Connection: keep-alive

0..H0..0...0...*.H..

GET /CSC3-2009.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "295161c3f5c709ceee58f31341af4cb2:1403687411"

Last-Modified: Wed, 25 Jun 2014 09:10:11 GMT

Accept-Ranges: bytes

Content-Length: 2249

Date: Wed, 25 Jun 2014 17:25:49 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091.0,..U...%VeriSign Class 3 Code Signing 2009 CA..140625090003Z..140709090003Z0...0!.....zOR.D...,oMa...090525061903Z0!......t.o=(..(..G...090520231844Z0!... ....M...m.Q.&...090517075442Z0!...T.Ay(..U...:_|...090608072333Z0!... .(.....F..9.....090805090059Z0!.......P..._}..;.x..090714150126Z0!.....5=.qOV[.cyg.&..090528172131Z0!...K...=$.6.........090521015930Z0!...-H...D...tDXUN...090527062050Z0!.......-.'@..<B{....090525110212Z0!......x..m*[.7.h#"..090702070220Z0!.....%.o.....kT.....090527062152Z0!..!.*;....)..Ef..k..090529084018Z0!..#.}h..."..........090527050204Z0!..$.I^./@.:7.p.,v...090521201736Z0!..&.5{.....Q;D......090521184343Z0!..&...T[.~y.........090903081104Z0!...q..m...G..i^.....090521025017Z0!../a.nS..[lA.lCB....090527045238Z0!..0.....R..iX.px....090605052910Z0!..2.h..).n......p;..090713144756Z0!..:.............. ..090605052934Z0!..;.0.*.v..*....P...090601001940Z0!..?..}p 2I..o.\..u..090527061825Z0!..?....@.Z`......l..090527022214Z0!..B..h~a..]..L.2....100512125735Z0!..B.U..ZF...........090527041620Z0!..F'....?xxnx.6Q....090528003453Z0!..F|A..r....#.@.&...090527062259Z0!..L.r....F..^..i.t..090608130549Z0!..Q...Y...Exm.._7...090520225737Z0!..TH..~.. ..({......090723115618Z0!..U.59Z..[.G.RmyR1..090527071534Z0!..V ].h.../".V<8-...090611075746Z0!..gHT...j5zdG....K..090521205535Z0!..mje.......;.......090521012215Z0!..p^..E.{.>.........09

<<< skipped >>>

GET /CSC3-2004.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: CSC3-2004-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "bad60e8883e1e3037719ce5c0095e6e4:1403687410"

Last-Modified: Wed, 25 Jun 2014 09:10:10 GMT

Accept-Ranges: bytes

Content-Length: 96299

Date: Wed, 25 Jun 2014 17:25:34 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0..x&0..w.0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)041.0,..U...%VeriSign Class 3 Code Signing 2004 CA..140625090001Z..140705090001Z0..v$0!.....'...._.=.t.{...060411095352Z0!........]...n.d.^...041210180734Z0!....B.38..I....Z.Z..060522202503Z0!.....V..=.&..p.K_...041223173514Z0!...$fd{........ZKI..050727182105Z0!...'..P..Tk....i ...081114114704Z0!...*m.......$.e.iw..050113162826Z0!...4..&.....(.V.bD..060717184318Z0!...>.h`a.nZM.VIP....061027222850Z0!...?..!.....Z..%....080514074106Z0!...A.*T-.NB>Ro.S.~..070627153307Z0!...Wf....0?.1.<G4...080827011731Z0!...[.}7.8.t.........070607081209Z0!...^.@.....1..v..`..061207041025Z0!...ol4....{.........080520210256Z0!.....oP...._. .a....061205224400Z0!.....}...../5.=.....041018225848Z0!.....B.w5$.h..,."...060707142917Z0!....]....d..........041217144015Z0!.........1.9.fwI.a..050926191715Z0!............*.>W....041221185802Z0!...."....J..l.......050712133504Z0!....X.r..'7hK._.....080804054612Z0!....Q)..6.....4.[...051018015040Z0!.........Y.=.U=y....060308034429Z0!....:..I.. ......Y..060912161745Z0!......t..Au...e `...060406020106Z0!........&.zR.....J..080220163354Z0!...%.&.f./....>.H...070216105424Z0!...8....n..#b.dM....090505134237Z0!...E..1..>..........070621145128Z0!...L.k'.W..!.;w0....060711202546Z0!...U.......Te.c.....080829025216Z0!...qo..b..>...C.....081214140650Z0!.......?....War.y...061019142712Z0!.......^i7.6_m..W...070122210641Z0!....&.G.E.

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Date: Wed, 25 Jun 2014 17:25:43 GMT

Connection: keep-alive

X-CCC: US

X-CID: 2

1401CF3DB40B609892HTTP/1.1 200 OK..Content-Type: text/plain..Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT..Accept-Ranges: bytes..ETag: "806f4cbb43dcf1:0"..Server: Microsoft-IIS/7.5..X-Powered-By: ASP.NET..Content-Length: 18..Date: Wed, 25 Jun 2014 17:25:43 GMT..Connection: keep-alive..X-CCC: US..X-CID: 2..1401CF3DB40B609892..

GET /CertData/SRV001PKI_Schlumberger Corporate Root CA(1).crt HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.slb.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Connection: Keep-Alive

Set-Cookie: ISAWPLB{69E13F28-20AA-4495-9939-BA543948AF92}={3DA5B21E-753C-42F2-A8FD-AE14C3BA35B2}; HttpOnly; Path=/

Content-Length: 1544

Date: Wed, 25 Jun 2014 17:25:42 GMT

Content-Type: application/x-x509-ca-cert

ETag: "0253321785cb1:0"

Server: Microsoft-IIS/7.5

Accept-Ranges: bytes

Last-Modified: Mon, 15 Nov 2010 22:48:18 GMT

0...0..........m.......A..H_7fb0...*.H........0..1.0...U....US1.0...U....Texas1.0...U....Houston1.0...U....slb.com1.0...U....Schlumberger1'0%..U....Schlumberger Corporate Root CA0...071018201958Z..301115164814Z0..1.0...U....US1.0...U....Texas1.0...U....Houston1.0...U....slb.com1.0...U....Schlumberger1'0%..U....Schlumberger Corporate Root CA0.."0...*.H.............0.........L....%..2 ....qJ........R...c........Aq.?.")...]j.l.........B.`... ..]........h..'..v....['...a\..t-i...55.xW.J....Jt.=.....\&.g|(x..; }g?..4.$W~....{xt..........J...Y{i.3g.ae...Y....So~..3.....$..."AjF....F...L).3....w...B.}....z.....=B.u...Q.....F.go..d.W).t *.O..@[.....j.s.r.S........6\.YO.....W.(...Q....Q.M".......:.t9......k.O...0..g...zNh$b...=....=X...I.t.D..<R.@.P|,39t.|........,w..W.gy..,.(.!..|...XQ.k....l....[........*.......e'.be.....8le.?G......b.".N.....lyQB....T!.dt.jd..n..U.L.9.....m.xr..S.......v0t0...U........0...U.......0....0...U........P)..=.!..7...V}...0... .....7.......0#.. .....7........-.Pi..W........SQ.0...*.H............. ..^.R....-..pe....h...f1;...F........V.x.....GT ......'..........j.....fQ..4..gfJ.>.$..1....Y....w.W..V......o.2c.......5./_....X......'........Y...%....G .Z....^..;-._.%.|2..[@..2\r.....T1.|vv... b..k=...V..`Lx(.x.D.P.........-...9G..l..:....[......<9....K...'G.(.bG........f.`.~.L..1..@(.<....Cu......#.T=..}a.;f@..!....}....f.;......=.% K...3H7%B.0.f....c. .&..q...*...2.P_$.q.....M...:N.5x.....{.H.*=.yI............*.6....V`;.S......~...;lY.HLt..9..U..V..Rt&pB....z..\Vw.n."...uW..q....l

<<< skipped >>>

GET /CSC3-2009-2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2009-2-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "3149437b01e8720b11bd72c13d900647:1403687410"

Last-Modified: Wed, 25 Jun 2014 09:10:10 GMT

Accept-Ranges: bytes

Content-Length: 37388

Date: Wed, 25 Jun 2014 17:25:46 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0......0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA..140625090002Z..140709090002Z0...0!.....V..t..'.F(z....121202220203Z0!.... .;...9.7.......090826054212Z0!...\.)../F..^p..s...100722072726Z0!......P....A.x......100708154305Z0!.......O#.`n.5j.9...100930040708Z0!..../..8~p...h......091006052837Z0!.....(../L....--aK..091029040207Z0!...aW.....B.!.0..t..090909121104Z0!...g,..4(vv....mJ_..100514054218Z0!.....V.....(..-..p..090826162211Z0!....O..,J.N.n...Ly..091028032204Z0!....42r...I.Y@...3..100526162150Z0!.........}..Dt...!..090922192227Z0!.......2l....7i..?..101109030426Z0!.....p%...l,AogP....100523060224Z0!...,.P.C......*.....100303082219Z0!...NRPL.............100413090225Z0!....1w....d.&..8....091026111702Z0!......F....e........090608081352Z0!.....6..d6.7..4.....100924123027Z0!....$..*...s..&s....100219210742Z0!......Q_.G..|.......091009145530Z0!........>..O...=72..100616160934Z0!....Xlm$|".su.......090619194406Z0!......J)..E......C..100922142243Z0!...D......u.y.Iy{k..101026130323Z0!...El...)>..W..<K...101004225456Z0!...p..wy.i.zc...X...091117001921Z0!.....,{..^..........091203194409Z0!....B....d...*.P.@..100705023431Z0!.......m. .V.....~..101111134216Z0!...2.R.i.{..........091029071123Z0!...`F..q2..O.:......100602074221Z0!...a{.-...@...'.....100723194022Z0!........fW.y.,s.....101011182226Z0!....Um..}.8)........100324085953Z0!....,u.boxr....Z....

<<< skipped >>>

GET /CSC3-2010.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: csc3-2010-crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "94bf67ac76d178e0363ec64a6a88e27a:1403687411"

Last-Modified: Wed, 25 Jun 2014 09:10:11 GMT

Accept-Ranges: bytes

Content-Length: 130966

Date: Wed, 25 Jun 2014 17:25:47 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0....0...x...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://www.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Signing 2010 CA..140625090004Z..140709090004Z0...Z0!....c..k....D.k.....120708062201Z0!... _...u.t.=.<.&...130218061114Z0!...&..].....P.k.:...120125130117Z0!...7P.x....8.Q...s..130227010252Z0!...J.....Q..Y.[.....110404153956Z0!...d...=..q!_...g9..130729145216Z0!...l.....h2<.H......120329152211Z0!...q.9...`H.*.Y.C...120525202212Z0!...s...TM.......0...121221080842Z0!...t..,.. ...eL.....130314222305Z0!...y..r.HW.v.....w..140423054643Z0!..../u.......A..5...101214165045Z0!.....0.Xc...%...iM..121102230226Z0!.......S.a&.X5t.E]..111206083350Z0!....c.(....B.[M83...140108164517Z0!....A.Sv.....f,.....110609003155Z0!.....z......!.ID{]..101228182208Z0!....b^......{d.J'...130102154110Z0!.......n........'u..140521222808Z0!......0..........I..130912181631Z0!....6e...~..T.......130131012247Z0!.........bD#*u......130226223939Z0!.......@..'$.).;}\..130121172259Z0!....7.v..........n..120724160733Z0!....P;.Y..d...c.(...120209181451Z0!.....].bb[.....!....140328205453Z0!.....a...L`..IV.....130402103508Z0!......fFW.z.....@T..130117000242Z0!...........].{7.....120730000000Z0!...".......Z.V.,.e..121031192224Z0!...'....[.1......g..130318195659Z0!...,GI.jH.|...J.....120518121623Z0!...<%a.=.d.......O..120424164254Z0!...@........... .a..121109212441Z0!...L.&L..o.8..=6....110311141238Z0!...L...5...s $.=.=..130205142241Z0!...O.c.........t...

<<< skipped >>>

GET /pca3.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"

Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT

Accept-Ranges: bytes

Content-Length: 933

Date: Wed, 25 Jun 2014 17:25:33 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140320000000Z..140630235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P....020923171548Z0!............R.e.53..010207212458Z0!..!......Y...ISi....010706171411Z0!..$-..I{r....u<._...080403172226Z0!..&.."?..y..51}..1..010706172118Z0!..4....2....{W......080605175030Z0!..B....c............070411175910Z0!..H.Py...N....* ....010207212031Z0!..N....-.1Gq.@...C..040401175251Z0!..Y......w`G........070411175657Z0!..Z`..H.@B....Z.*q..080403172017Z0!..l....I...Y..] .c..010706171749Z0"......T=deQ...1u.]...010207212247Z0".....p..1..7<.....e..010207211822Z0...*.H............_.w..J.l....[..H.X..)x.^.....S.O..v....K|.~.RP.k^.R.0........oF.l.w..4.W...A...}..8*.:rO6........%.C...........6$s....rQ....v...HTTP/1.1 200 OK..Server: Apache..ETag: "aee817f55f40eda0bc5c25e988a42128:1396125923"..Last-Modified: Sat, 29 Mar 2014 20:45:23 GMT..Accept-Ranges: bytes..Content-Length: 933..Date: Wed, 25 Jun 2014 17:25:33 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0...0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority..140320000000Z..140630235959Z0..x0!...v....a_>..2......020924164823Z0!.....A.....{2..Y.#..140129175709Z0!...,.|.|...<...j ...080605174907Z0!...`y..q.......fh...020923171400Z0!...?A....a.nF`.P.

<<< skipped >>>

GET /pca3-g5.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "895f8ccd92dfec674c94f0d04d1b63bc:1396128308"

Last-Modified: Sat, 29 Mar 2014 21:25:08 GMT

Accept-Ranges: bytes

Content-Length: 533

Date: Wed, 25 Jun 2014 17:25:47 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..140320000000Z..140630235959Z0...*.H.............}...a.D[..8..i.....g8..S..tt..a.e.B]..v.l9.m.....~.G(l...G..#z{...Za..F.q....2^X..w.i'.&..n...4v8. &|/Y.B..%..J..g0."k.0....A..7.)h...=5....'Z........y.Ye.......M.._5.9..B.*.. .4z@.7#...... UL.F......iDg..6...'z$.E.E..*..g...2.@D.....&v...o..>..k1N...P...iHTTP/1.1 200 OK..Server: Apache..ETag: "895f8ccd92dfec674c94f0d04d1b63bc:1396128308"..Last-Modified: Sat, 29 Mar 2014 21:25:08 GMT..Accept-Ranges: bytes..Content-Length: 533..Date: Wed, 25 Jun 2014 17:25:47 GMT..Connection: keep-alive..Content-Type: application/pkix-crl..0...0..0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Class 3 Public Primary Certification Authority - G5..140320000000Z..140630235959Z0...*.H.............}...a.D[..8..i.....g8..S..tt..a.e.B]..v.l9.m.....~.G(l...G..#z{...Za..F.q....2^X..w.i'.&..n...4v8. &|/Y.B..%..J..g0."k.0....A..7.)h...=5....'Z........y.Ye.......M.._5.9..B.*.. .4z@.7#...... UL.F......iDg..6...'z$.E.E..*..g...2.@D.....&v...o..>..k1N...P...i....

<<< skipped >>>

GET /pca3-g2.crl HTTP/1.1

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: crl.verisign.com

Connection: Keep-Alive

Cache-Control: no-cache

Pragma: no-cache

HTTP/1.1 200 OK

Server: Apache

ETag: "072641a27cd10308fabc881f069f37c1:1396126208"

Last-Modified: Sat, 29 Mar 2014 20:50:08 GMT

Accept-Ranges: bytes

Content-Length: 1415

Date: Wed, 25 Jun 2014 17:25:48 GMT

Connection: keep-alive

Content-Type: application/pkix-crl

0...0...0...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1<0:..U...3Class 3 Public Primary Certification Authority - G21:08..U...1(c) 1998 VeriSign, Inc. - For authorized use only1.0...U....VeriSign Trust Network..140320000000Z..140630235959Z0...0!...=...X.FL...3..I..080403173458Z0!...SJs|.."E.G.......070412172616Z0!....E........W6.n...140129192923Z0!.......jvO..!....]..040401180422Z0!......\*....bO-.....080403173459Z0!....I..:.<....9..m..070412172523Z0!.........R.E!..=t...070522172634Z0!....}.....}.}.(q.C..040401180606Z0!...`.6..,...u.~x.:..080403173459Z0!.........wX.....~...080606171636Z0!..$.Jn>.t..d_j..."..040401180518Z0!.. ..N*(.}H..j......070412172308Z0!.. ..3.J......d..9..070522172711Z0!..50.h.:....s.K"....040401180542Z0!..7_f...s...........080403173459Z0!..<.J..y..)..~x7.e..080606171735Z0!..NS.c.f......7.p...070412172213Z0!..N.k;..-...9J..-...070522172748Z0!..Q..2pRv.WC.:..f...030109181346Z0!..Tq..m..*..........140129192925Z0!..^..CX4.3... F.R...070522172548Z0!..^..)..P3...7...L..080403173459Z0!..e........O.^.S....080403173457Z0!..jP....Wv..[.v.5H..070412172102Z0!..nk.l.!y.~...7G@...070412171752Z0!..r.q.I-Ln./........080403173458Z0!..t8....D...........080606171524Z0!..t.xn.tS....O_.....070412171951Z0!..v......Qnw..W.g...140129192921Z0...*.H................V.!F.Y..p.V......s..%..*l.z=...R./.F....q.......D.t......0b..?.R:9.(.|.....VBp8.......PZ...[o\p...U...........$).V.D....B@....

<<< skipped >>>

Map

The Packed connects to the servers at the folowing location(s):

Strings from Dumps

cmd.exe_1076:

.text

`.data

.rsrc

KERNEL32.dll

NTDLL.DLL

msvcrt.dll

USER32.dll

SetConsoleInputExeNameW

APerformUnaryOperation: '%c'

APerformArithmeticOperation: '%c'

ADVAPI32.dll

SHELL32.dll

MPR.dll

RegEnumKeyW

RegDeleteKeyW

RegCloseKey

RegOpenKeyW

RegCreateKeyExW

RegOpenKeyExW

ShellExecuteExW

CmdBatNotification

GetWindowsDirectoryW

GetProcessHeap

GetCPInfo

GetConsoleOutputCP

_pipe

GetProcessWindowStation

cmd.pdb

%EXEDIR%\%GETSUSPCMD% --silent --ePO --offline --COMMENT="SARS Version %SARSVer% COMPUTERNAME: %computername% DATE: ÚTESTAMP%" --ZIPPATH=%EXEDIR%

MOVE %EXEDIR%\%computername%\*.zip %EXEDIR% 1>NUL 2>NUL

IF NOT ERRORLEVEL 0 CALL :writesarslogentry mcafee_getsusp, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %GETSUSPCMD% --silent --offline --COMMENT="SARS Version %SARSVer% COMPUTERNAME: %computername% DATE: ÚTESTAMP%" --ZIPPATH=%EXEDIR%"

CALL :writesarslogentry mcafee_getsusp, "End Running McAfee GetSusp Version %GETSUSPCMD%"

ECHO * This system appears to be running Windows 2000 *

ECHO * This operating system is no longer supported *

ECHO * http://www.ithelp.slb.com *

IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* This system appears to be running Windows 2000 *"

IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* This operating system is no longer supported *"

IF DEFINED DEBUG CALL :writesarslogentry os_warning, "* http://www.ithelp.slb.com *"

::References: http://www.dostips.com/DtTipsStringManipulation.php#Snippets.MidString

ECHO * Script Version: %SARSVer%

ECHO * Date/Time: ÚTESTAMP%

ECHO * Computer Name: %COMPUTERNAME%

IF DEFINED DEBUG CALL :writesarslogentry banner, "* Script Version: %SARSVer%"

IF DEFINED DEBUG CALL :writesarslogentry banner, "* Date/Time: ÚTESTAMP%"

IF DEFINED DEBUG CALL :writesarslogentry banner, "* Computer Name: %COMPUTERNAME%"

IF DEFINED DEBUG CALL :writesarslogentry banner, "* Spawned From: %SPAWNLOCATION%"

::Executes the GNU date utility becuase it is more accurate and returns a DATE

FOR /f %%a in ('%SPATH%\date.exe -u %%Y%%m%%d') DO SET archive_date=%%a

IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_archive_name, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %SPATH%\date.exe -u %%Y%%m%%d"

FOR /f %%a in ('%SPATH%\date.exe -u %%H%%M%%S') DO SET archive_time=%%a

IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_archive_name, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %SPATH%\date.exe -u %%H%%M%%S"

SET ARCNME=%archive_date%_%archive_time%_%computername%

IF DEFINED DEBUG CALL :writesarslogentry get_archive_name, "Archive Name ==> %archive_date%_%archive_time%_%computername%"

::1.0.7.0

get_web_version

CALL :get_web_version

::Gets the current version posted on the WEB.

:get_web_version <value></value>

CALL :writesarslogentry get_web_version, "Start Checking the posted Web Version of SARS"

CALL :reachable REACHABLE "www.secops.slb.com"

IF DEFINED DEBUG ECHO [get_web_version]Connectivity www.secops.slb.com got an ANSWER of %REACHABLE%

IF %REACHABLE%==N SET /p SARSWeb=%SARSVer% & GOTO :EOF

CALL :writesarslogentry get_web_version, "Getting currently published SARS Version!"

TITLE %SARSTITLE%

IF DEFINED DEBUG ECHO [get_web_version]About to run WGET

%EXEDIR%\wget --output-document=%LOGDIR%\web_version.txt --connect-timeout=2 --verbose http://www.secops.slb.com/version/sars/ 1> %LOGDIR%\web_errors.txt 2> %LOGDIR%\web_output.txt

IF DEFINED DEBUG ECHO [get_web_version]Executed the WGET Command

IF NOT ERRORLEVEL 0 CALL :writesarslogentry get_web_version, "ERROR: (%ERRORLEVEL%) EXECUTING COMMAND: %EXEDIR%\wget --output

CMD Internal Error %s

)(&&())))(&))

)&((&)&))&())

)&((&)&)&()))

)(&&()))&))))

CMD.EXE

()|&=,;"

COPYCMD

\XCOPY.EXE

CMDCMDLINE

WKERNEL32.DLL

Software\Policies\Microsoft\Windows\System

0123456789

cmd.exe

DIRCMD

%d.%d.d

Ungetting: '%s'

DisableCMD

GeToken: (%x) '%s'

%s\Shell\Open\Command

%x %c

*** Unknown type: %x

Args: `%s'

Cmd: %s Type: %x

%s (%s) %s

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373 --silent --ePO --offline --COMMENT="SARS Version 1.0.7.6 COMPUTERNAME: XP7 DATE: 20140625_172535" --ZIPPATH=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe

NAME: XP7 DATE: 20140625_172535" --ZIPPATH=C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables

o %eMail% -f %fromeMail% %subj% %server% %mdebug% %x%"

nameOperations

> %LOGDIR%\%COMPUTERNAME%_pending_moves.txt"

ort.csv >> FOUNDINMDL.txt

.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

NDOWS;%WinDir%\System32\Wbem;c:\Program Files\Wireshark;C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables

-vi "slb.atosorigin-asp.com" ^| sort ^| uniq -ui') do findstr /I /C:"%%A" mdl_export.csv >> FOUNDINMDL.txt

CMDEXTVERSION

KEYS

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables

%s %s

(%s) %s

%s %s%s

&()[]{}^=;!%' ,`~

d%sd%s

-%sd%sd%sd

d%sd%sd

%s=%s

X-X

.COM;.EXE;.BAT;.CMD;.VBS;.JS;.WS

<> -*/%()|^&=,

\CMD.EXE

Windows Command Processor

5.1.2600.5512 (xpsp.080413-2111)

Cmd.Exe

Windows

Operating System

5.1.2600.5512

Press any key to continue . . . %0

operable program or batch file.

The system cannot execute the specified program.

and press any key when ready. %0

Microsoft Windows XP [Version %1]%0

a pipe operation.

KEYS is on.

KEYS is off.

The process tried to write to a nonexistent pipe.

The switch /Y may be preset in the COPYCMD environment variable.

to prompt on overwrites unless COPY command is being executed from

Switches may be preset in the DIRCMD environment variable. Override

Quits the CMD.EXE program (command interpreter) or the current batch

CMD.EXE. If executed from outside a batch script, it

will quit CMD.EXE

ERRORLEVEL that number. If quitting CMD.EXE, sets the process

Displays or sets a search path for executable files.

Type PATH ; to clear all search-path settings and direct cmd.exe to search

Changes the cmd.exe command prompt.

$B | (pipe)

$V Windows XP version number

Displays, sets, or removes cmd.exe environment variables.

Displays the Windows XP version.

Tells cmd.exe whether to verify that your files are written correctly to a

Records comments (remarks) in a batch file or CONFIG.SYS.

Press any key to continue . . . %0

Directs cmd.exe to a labeled line in a batch program.

NOT Specifies that Windows XP should carry out

will execute the command after the ELSE keyword if the

I The new environment will be the original environment passed

to the cmd.exe and not the current environment.

SEPARATE Start 16-bit Windows program in separate memory space

SHARED Start 16-bit Windows program in shared memory space

If it is an internal cmd command or a batch file then

the command processor is run with the /K switch to cmd.exe.

If it is not an internal cmd command or batch file then

parameters These are the parameters passed to the command/program

under Windows XP.

Starts a new instance of the Windows XP command interpreter

CMD [/A | /U] [/Q] [/D] [/E:ON | /E:OFF] [/F:ON | /F:OFF] [/V:ON | /V:OFF]

/D Disable execution of AutoRun commands from registry (see below)

/A Causes the output of internal commands to a pipe or file to be ANSI

/U Causes the output of internal commands to a pipe or file to be

variable var at execution time. The %var% syntax expands variables

of an executable file.

If /D was NOT specified on the command line, then when CMD.EXE starts, it

either or both are present, they are executed first.

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\AutoRun

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\AutoRun

can enable or disable extensions for all invocations of CMD.EXE on a

following REG_DWORD values in the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\EnableExtensions

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\EnableExtensions

particular invocation of CMD.EXE with the /V:ON or /V:OFF switch. You

can enable or disable completion for all invocations of CMD.EXE on a

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\DelayedExpansion

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\DelayedExpansion

at execution time.

CMD.EXE with the /F:ON or /F:OFF switch. You can enable or disable

completion for all invocations of CMD.EXE on a machine and/or user logon

the registry using REGEDT32.EXE:

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\CompletionChar

HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor\PathCompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\CompletionChar

HKEY_CURRENT_USER\Software\Microsoft\Command Processor\PathCompletionChar

Shift key with the control character will move through the list

&()[]{}^=;!%' ,`~

Command Processor Extensions enabled by default. Use CMD /? for details.

ASSOC [.ext[=[fileType]]]

.ext Specifies the file extension to associate the file type with

ASSOC .pl=PerlScript

FTYPE PerlScript=perl.exe %%1 %%*

script.pl 1 2 3

set PATHEXT=.pl;%%PATHEXT%%

The restartable option to the COPY command is not supported by

this version of the operating system.

The following usage of the path operator in batch-parameter

The unicode output option to CMD.EXE is not supported by this

version of the operating system.

If Command Extensions are enabled the DATE command supports

If Command Extensions are enabled the TIME command supports

If Command Extensions are enabled the PROMPT command supports

is pretty simple and supports the following operations, in decreasing

! ~ - - unary operators

* / %% - arithmetic operators

- - arithmetic operators

&= ^= |= <<= >>=

If you use any of the logical or modulus operators, you will need to

values. If SET /A is executed from the command line outside of a

assignment operator requires an environment variable name to the left of

the assignment operator. Numeric values are decimal numbers, unless

occurrence of the remaining portion of str1.

Finally, support for delayed environment variable expansion has been

added. This support is always disabled by default, but may be

enabled/disabled via the /V command line switch to CMD.EXE. See CMD /?

of text is read, not when it is executed. The following example

So the actual FOR loop we are executing is:

%Í%% - expands to the current directory string.

%ÚTE%% - expands to current date using same format as DATE command.

%%CMDEXTVERSION%% - expands to the current Command Processor Extensions

%%CMDCMDLINE%% - expands to the original command line that invoked the

If Command Extensions are enabled the SHIFT command supports

control is passed to the statement after the label specified. You must

%%4 %%5 ...)

CMD /? for details.

This works because on old versions of CMD.EXE, SETLOCAL does NOT

command execution.

non-executable files may be invoked through their file association just

by typing the name of the file as a command. (e.g. WORD.DOC would

launch the application associated with the .DOC file extension).

When executing an application that is a 32-bit GUI application, CMD.EXE

the command prompt. This new behavior does NOT occur if executing

When executing a command line whose first token is the string "CMD "

without an extension or path qualifier, then "CMD" is replaced with

the value of the COMSPEC variable. This prevents picking up CMD.EXE

When executing a command line whose first token does NOT contain an

extension, then CMD.EXE uses the value of the PATHEXT

.COM;.EXE;.BAT;.CMD

When searching for an executable, if there is no match on any extension,

If Command Extensions are enabled, and running on the Windows XP

forms of the FOR command are supported:

Walks the directory tree rooted at [drive:]path, executing the FOR

passes the first blank separated token from each line of each file.

is a quoted string which contains one or more keywords to specify

different parsing options. The keywords are:

be passed to the for body for each iteration.

where a back quoted string is executed as a

FOR /F "eol=; tokens=2,3* delims=, " %%i in (myfile.txt) do @echo %%i %%j %%k

would parse each line in myfile.txt, ignoring lines that begin with

a semicolon, passing the 2nd and 3rd token from each line to the for

line, which is passed to a child CMD.EXE and the output is captured

IF CMDEXTVERSION number command

The CMDEXTVERSION conditional works just like ERRORLEVEL, except it is

CMDEXTVERSION conditional is never true when Command Extensions are

%%CMDCMDLINE%% will expand into the original command line passed to

CMD.EXE prior to any processing by CMD.EXE, provided that there is not

already an environment variable with the name CMDCMDLINE, in which case

%%CMDEXTVERSION%% will expand into a string representation of the

current value of CMDEXTVERSION, provided that there is not already

an environment variable with the name CMDEXTVERSION, in which case you

under Windows XP, as command line editing is always enabled.

CMD.EXE was started with the above path as the current directory.

UNC paths are not supported. Defaulting to Windows directory.

CMD does not support UNC paths as current directories.

UNC paths not supported for current directory. Using

to create temporary drive letter to support UNC current

Missing operand.

Missing operator.

The COMSPEC environment variable does not point to CMD.EXE.

The FAT File System only support Last Write Times

of a batch script is reached, an implied ENDLOCAL is executed for any

application execution.

The switch /Y may be present in the COPYCMD environment variable.

to prompt on overwrites unless MOVE command is being executed from

when CMD.EXE started. This value either comes from the current console

The COLOR command sets ERRORLEVEL to 1 if an attempt is made to execute

getsusp_300373.exe_900:

!Win32 .EXE.

.MPRESS1

`.MPRESS2

`.rsrc

t4Jt.Ju1 ]

N8SSh

PWSSh(

Pj.j.SW

Pj*j%SW

[u.jD

!"#$%&'()* ,-..CC/0C122C34456789:CC;<=>?@AACCCCCCBBBBBBBB

Ht.Ht!

It.It

SSh0~q

F( %U

3333333

?\u%f

FTPh8

St.Ht

FTPh

.itst

PSSSh

SSSSh

FTPQ

F4PSSh

t j%S

!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB

FTPS

d/d/%d d:d

HTTPS

161.69.31.104

GetUdpTable

AllocateAndGetUdpExTableFromStack

GetExtendedUdpTable

GetTcpTable

AllocateAndGetTcpExTableFromStack

GetExtendedTcpTable

%u.%u.%u.%u:%u

<?xml-stylesheet type="text/xsl" href="Logs\GetSusp.xsl"?>

<?xml-stylesheet type="text/xsl" href="Network.xsl"?>

<?xml-stylesheet type="text/xsl" href="Files.xsl"?>

\GetSusp.sys

GetSusp1.tmp

Logs\McAfee-Product.txt

Logs\Files.xml

Logs\Files.xsl

Logs\Trace.log

Logs\Network.xsl

Logs\Network.xml

Logs\GetSusp.xsl

Logs\GetSusp.log

GetSusp.tmp

GetSusp.xml

\Windows\assembly\GAC_MSIL

avvclean.dat

avvnames.dat

avvscan.dat

XXXXXX

FramePkg.exe

\MCAFEE SECURITY SCAN\UNINSTALL.EXE

\Windows\assembly\NativeImages

Autoconfig-Url

Proxy-Port

3.0.0.373

EngineVersionMajor %d

AVDatVersion %d

AVDatDate %s

Task/Actions/Exec/Arguments

Task/Actions/Exec/Command

Windows-Firewall

%commonprogramw6432%

%commonprogramfiles%

Run-Key

\Prefetch\NTOSBOOT-B00DFAAD.pf

0123456789

%WinDir%\assembly\NativeImages

Received unknown IO request type %d

rundll32.exe

server_passwd

url_artemis

url_upload

Unknown-Error %d

Windows 2000

Windows XP

Web Edition

Windows Server 2003,

Windows XP Professional x64 Edition

Windows Home Server

Windows Storage Server 2003

Windows Server 2003 R2,

Web Server Edition

Windows Server 2012

Windows 8

Windows Server 2008 R2

Windows 7

Windows Server 2008

Windows Vista

--password

1.3.6.1.4.1.311.72.1.1

Status: 0x%x

network.proxy.autoconfig_url

network.proxy.http_port

"network.proxy.http"

network.proxy.type

network.proxy

.rsrc

config.dat

u.u

'%s' Driver

KERNEL32.dll

%WinDir%\TEST.EXE

).EXPORT

).COPY

.ITEM

.dump

midiOutShortMsg

midiOutLongMsg

keybd_event

WinExecErrorW

WinExecErrorA

WinExec

WaitNamedPipeW

WaitNamedPipeA

WSARecvMsg

WSAAsyncGetServByPort

VkKeyScanW

VkKeyScanExW

VkKeyScanExA

VkKeyScanA

UpdateICMRegKeyW

UpdateICMRegKeyA

UnregisterHotKey

UnloadKeyboardLayout

UnhookWindowsHookEx

UnhookWindowsHook

TransactNamedPipe

TileWindows

ShellExecuteW

ShellExecuteExW

ShellExecuteExA

ShellExecuteA

SetWindowsHookW

SetWindowsHookExW

SetWindowsHookExA

SetWindowsHookA

SetViewportOrgEx

SetViewportExtEx

SetProcessWindowStation

SetProcessShutdownParameters

SetNamedPipeHandleState

SetKeyboardState

SetConsoleOutputCP

ScaleViewportExtEx

SHFileOperationW

SHFileOperationA

ReportEventW

ReportEventA

RegisterHotKey

RegUnLoadKeyW

RegUnLoadKeyA

RegSetKeySecurity

RegSaveKeyW

RegSaveKeyA

RegRestoreKeyW

RegRestoreKeyA

RegReplaceKeyW

RegReplaceKeyA

RegQueryInfoKeyW

RegQueryInfoKeyA

RegOpenKeyW

RegOpenKeyExW

RegOpenKeyExA

RegOpenKeyA

RegNotifyChangeKeyValue

RegLoadKeyW

RegLoadKeyA

RegGetKeySecurity

RegFlushKey

RegEnumKeyW

RegEnumKeyExW

RegEnumKeyExA

RegEnumKeyA

RegDeleteKeyW

RegDeleteKeyA

RegCreateKeyW

RegCreateKeyExW

RegCreateKeyExA

RegCreateKeyA

RegCloseKey

ProcessHRC

PeekNamedPipe

OpenWindowStationW

OpenWindowStationA

OleExecute

OffsetViewportOrgEx

OemKeyScan

MsgWaitForMultipleObjects

MapVirtualKeyW

MapVirtualKeyExW

MapVirtualKeyExA

MapVirtualKeyA

LoadKeyboardLayoutW

LoadKeyboardLayoutA

ImpersonateNamedPipeClient

ImmSimulateHotKey

ImmGetVirtualKey

GetWindowsDirectoryW

GetWindowsDirectoryA

GetViewportOrgEx

GetViewportExtEx

GetTcpStatisticsEx

GetTcpStatistics

GetServiceKeyNameW

GetServiceKeyNameA

GetProcessWindowStation

GetProcessShutdownParameters

GetProcessHeaps

GetProcessHeap

GetNamedPipeInfo

GetNamedPipeHandleStateW

GetNamedPipeHandleStateA

GetLargestConsoleWindowSize

GetKeyboardType

GetKeyboardState

GetKeyboardLayoutNameW

GetKeyboardLayoutNameA

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextW

GetKeyNameTextA

GetConsoleOutputCP

GetCPInfo

GetAsyncKeyState

FindExecutableW

FindExecutableA

ExitWindowsEx

EnumWindows

EnumWindowStationsW

EnumWindowStationsA

EnumThreadWindows

EnumPortsW

EnumPortsA

EnumDesktopWindows

EnumChildWindows

DisconnectNamedPipe

DeletePortW

DeletePortA

CreateWindowStationW

CreateWindowStationA

CreatePipe

CreateNamedPipeW

CreateNamedPipeA

CreateIoCompletionPort

CreateDialogIndirectParamW

CreateDialogIndirectParamA

ConnectNamedPipe

ConfigurePortW

ConfigurePortA

CloseWindowStation

CascadeWindows

CallNamedPipeW

CallNamedPipeA

CallMsgFilterW

CallMsgFilterA

ArrangeIconicWindows

AddPortW

AddPortA

ActivateKeyboardLayout

WINSTART.BAT

AUTOEXEC.BAT

SCRIPT.INI

NICK

OUTLOOK.APPLICATION

SCRIPTING.FILESYSTEMOBJECT

SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\

HKEY_LOCAL_MACHINE\

MSGBOX

JOIN

.GzVBj/&IA42[vrC89pEhqO

.encode

%s:x

%s:x,x,x

KERNEL32.DLL

%WinDir%\

/usr/lib/test.so

%WinDir%\TEST.DLL

%WinDir%

join

export

.memory_hook

ÌdiouxXeEfgGnpsSaA

%WinDir%\SYSTEM32\

%WinDir%\SYSTEM

%d.d.d

Timer, %u, 1/100ms,

EINF, AV_APIVERSION_V%c

%s DAT version %ld.ld (%d.d)

Driver version %ld (%d.d)

API version (%s - %s) API: V%d.d

MCSCAN32.DLL

EREP, %d,

rwabs32.dll

MCTOOL.EXE

calwin32.dll

mcscan.log

mcscan.vlt

seqnum_%ld_thread_%s_

[%s;%s;%s]

Scan started at: %s

Scan completed at: %s

, %s: '%s'

%s: '%s'

* %4s........ GFS Disabled

,not scanned (code %d)

,not scanned (not executable).

%s, %u, %u, %u,

%s, %u, %u, %u

%s, %s

%s, %lu

,%s {

, %s, %s

%s:%d

%sx

x -> x

x [ xx ]

%s %s, %s

%s, %u

%s %lu

%s %d

%s (%s - action %d)

,not repaired (code %d)

%s %s

, normal hit "%s"

, negative hit "%s"

, "%s"

%s%lu

Leaving container (%d)

Entering container (%d)

RegDeleteKeyExW

scan.dat

names.dat

clean.dat

extra.dat

%s%c%s

RegDeleteKeyExA

%s (ID X, VER X)

ERR_OPERATION_FAILED

%s(X)

Runtime Check failed: %s in %s at line %d.

1.0.4

WFV*.tmp

%c_%s

\\.\MCSCAN32.VXD

.data

.petite

.tlsdir

.neolit

.avp-md

.ficken

.BJFnt

.pklstb

Emu Buffer written to %s

(x)x:

-_@{}~`!#() =[]

SYSTEM.INI

WIN.INI

NTVDM.EXE

VDMDBG.DLL

PSAPI.DLL

windows

^$.[()|? *\

.tbz2

x.OLE

lld.ie

lx.OLE

kernel32.dll

.relo2

x.EXE

PEBUNDLE.LNK

TEMP$01.EXE

x.%.3s

x.EML

::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable

::DataSpace/Storage/MSCompressed/Transform/{0A9007C6-4076-11D3-8789-0000F8105754}/InstanceData/ResetTable

LINKCMDL.OLE

%lu%s

lX.VCH

lX.OLE

__SRP_%x

"$"#,##0_);\(

wininit.ini

%s %s==0x%lx

%s - %s %s - %s 0x%lx %s 0x%lx

%s - %s %s - retrieved 0x%lx bytes from cache position 0x%lx

%s - %s %s - Read FAILURE error code %d %s 0x%lx %s 0x%lx

%s - %s read in 0 bytes - %s 0x%lx %s 0x%lx

%s - %s %s %s 0x%lx %s 0x%lx

%s - %s %s - read 0x%lx %s 0x%lx

%s - %s %s %d %s 0x%lx %s 0x%lx

%s - %s 0x%lx,%s 0x%lx

NTDLL.DLL

\\.\vwin32

\\.\PhysicalDrive%ud

\\.\%c:

Address_x.mem

%s_x.mem

PID\%d

Ntdll.dll

Kernel32.dll

x.PDF

dwordbe:x

dword:x

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\

HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\

script00.wsc

content%d.rtf

attach%d.dat

X.%s

0000000000000000000

h.dllhel32hkern

rsrc.rsrrelo.relUPX1UPX0ExeS.eda

rsrc.rsrrelo.relnoesExeS.eda.res

.Ncryo

.De-vir

x.B64

x.bin

operator

1.2.5

.?AV?$TIndexedManifestSection@E@@

.?AVCNAICmdTarget@@

.?AVCPublicKeySection@@

.?AVCExecLibrary@@

.?AVItfIndexedValidationDataStore@@

.?AVCFileContentDecoratorBufferOperationsToBlockOperations@@

.?AV?$TKeyDataSet@UTOpt@CEmuOpt@EmulatorCPU@@I@@

.?AV?$TKeyDataSet@KI@@

.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpSym@CGenDecode@@@@I@@

.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpLib@CGenDecode@@@@I@@

.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@KKK@@ABU1@K@@@@I@@

.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@III@@ABU1@I@@@@I@@

.?AV?$TKeyDataSet@UTFindEP@CiPEPolyHeur@@I@@

.?AV?$TKeyDataSet@UCMap@CEmuPEFile@@I@@

.?AVIImportRec@@

.?AVCWin32ImportRec@@

.?AVCEmuRegistryKey@@

.?AVCMD5@@

.?AVCImportantBlockSubStrategy@@

.?AVCHashValue@CObjectReporter@@

.?AVCObjectReporter@@

.?AVCDATMsg@@

Replace and press any key when ready

.?AVCImportMap@CFNCallGraph@@

.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@@@

.?AV?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@

.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@

.?AVCOM2EXEFile@@

.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@@@

.?AV?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@

.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@

.?AVW32EXEFile@@

.?AVW32EXEUncompress@@

.?AVCexeFile@@

.?AVexe32packFile@@

.?AVCW32EXEUncompressExt@@

.?AVEXEBundleDirectory@@

.?AVPEBundleEXEFile@@

.?AVPEBundleEXERepair@@

.?AVJoinerDirectory@@

.?AVexe32packDecode@@

.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@@@

.?AV?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@

.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@

.?AVWebScript@@

.?AVCHTMLWebScript@@

.?AVWebScriptDecode@@

.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@@@

.?AV?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@

.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@

.?AVLZEXEFile@@

.?AVCOLE2Operator@@

.?AVIOLE2Operator@@

.?AVProcessHandler@@

.?AVCRegOperator@@

.?AVIRegOperator@@

.?AVXRegOperator@CRegOperator@@

.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@@@

.?AV?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@

.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@

.?AVW32EXEFile2@@

.?AVEXEStealthFile@@

.?AV?$TGenericSeqParserArraySequenceImpl_GenericInner@V?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@@@

.?AV?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@

.?AVCO12Operator@@

.?AVIO12Operator@@

.?AVXO12Operator@CO12Operator@@

zcÁ

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe

.BJ!J~s

$D.FS

T.FaV

S_%cGrB\

zM%C{n

'I.EZT

.vrgW

.qyxdf

.Cr$!

/k%X#

;|K%C

.DT.^

RS9_%D<\

.=9_r.zDa

FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE

xmlns:xsl="http://www.w3.org/1999/XSL/Transform">

To download the latest version of GetSusp <A HREF="http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe">Click Here</A>

For GetSusp Suspicious Files Report, click on <A HREF="Logs\Files.xml">File Log</A>

For GetSusp Network log, click on <A HREF="Logs\Network.xml">Network Log</A>

For information on installed McAfee products, click on <A HREF="Logs\McAfee-Product.txt">McAfee Product Log</A>

<A HREF="http://community.mcafee.com/community/security/malware_discussion">McAfee Community</A>

<h4 style="text-align:center">Network Statistics Report</h4>

<xsl:text>https://www.virustotal.com/file/</xsl:text>

.text

h.rdata

H.data

B.reloc

c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_x86\i386\getsusp.pdb

ntoskrnl.exe

Thawte Certification1

http://ocsp.thawte.com0

.http://crl.thawte.com/ThawteTimestampingCA.crl0

http://ts-ocsp.ws.symantec.com07

http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<</pre><pre> http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(</pre><pre>.Class 3 Public Primary Certification Authority0</pre><pre>2Terms of use at https://www.verisign.com/rpa (c)041.0,</pre><pre>https://www.verisign.com/rpa01</pre><pre>http://crl.verisign.com/pca3.crl0</pre><pre>.Class 3 Public Primary Certification Authority</pre><pre>Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0</pre><pre>n.aAHu</pre><pre>https://www.verisign.com/rpa0</pre><pre>/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0u</pre><pre>http://ocsp.verisign.com0?</pre><pre>3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0</pre><pre>http://www.mcafee.com 0</pre><pre>.pdata</pre><pre>c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_amd64\amd64\getsusp.pdb</pre><pre>getsusp.exe</pre><pre>VERSION.dll</pre><pre>COMCTL32.dll</pre><pre>WINHTTP.dll</pre><pre>WinHttpOpen</pre><pre>WS2_32.dll</pre><pre>USERENV.dll</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>COMDLG32.dll</pre><pre>ADVAPI32.dll</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>MAPI32.dll</pre><pre>WINTRUST.dll</pre><pre>CRYPT32.dll</pre><pre>CryptMsgClose</pre><pre>.6$$$~~~</pre><pre>hNULhYa.hh5</pre><pre><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="McAfee.GetSusp" type="win32"></assemblyIdentity><description>McAfee Labs GetSusp</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="highestAvailable" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo></assembly></pre><pre>\\.\GetSusp</pre><pre>ERROR: Login failed due to invalid proxy credentials</pre><pre>Login failed for user '%s'</pre><pre>eiphlpapi.dll</pre><pre>Please enter id and password.</pre><pre>%s ... is Suspicious !!!</pre><pre>%s\%s\ntuser.dat</pre><pre>\autorun.vnf</pre><pre>\autorun.ini</pre><pre>\autorun.inf</pre><pre>%COMPUTERNAME%</pre><pre>.EngineVersionMinor</pre><pre>reg export HKLM\SOFTWARE\MCAFEE Logs\McAfee-Product.txt</pre><pre>regedit /e Logs\McAfee-Product.txt HKEY_LOCAL_MACHINE\SOFTWARE\MCAFEE</pre><pre>Scan results are saved at %s.</pre><pre>GetSusp scan identified (%d) Suspicious file(s) and (%d) Unknown file(s).</pre><pre>%c Possibly Infected:.............%d</pre><pre>Boot Sector(s):.................%d</pre><pre>Master Boot Record(s):....%d</pre><pre>%s !!!</pre><pre>\Local Settings\Temporary Internet Files\Content.IE5</pre><pre>\AppData\Local\Microsoft\Windows\Temporary Internet Files</pre><pre>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>\Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>RunOnce key values for '%s'</pre><pre>\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Run key values for '%s'</pre><pre>\$Recycle.Bin</pre><pre>%SYSTEMDRIVE%</pre><pre>\Microsoft.NET\Framework</pre><pre>\Windows NT</pre><pre>\Windows Media Player</pre><pre>\Opera</pre><pre>\Mozilla Firefox\Plugins</pre><pre>\Mozilla Firefox\Components</pre><pre>\Mozilla Firefox</pre><pre>\COMMON FILES\Microsoft Shared\Web Folders</pre><pre>Please specify Proxy address and port</pre><pre>\GetSusp.opt</pre><pre>Status: %u%%</pre><pre>Suspicious: %u</pre><pre>Unknown: %u</pre><pre>The GetSusp executable has been modified and may be infected.</pre><pre>-- Send only the report</pre><pre>-- Specify proxy address and port</pre><pre>-- Specify automatic configuration script url</pre><pre>http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe</pre><pre>Unable to load scan engine, support DLL not found.</pre><pre>B%s ... is OK.</pre><pre>dnsapi.dll</pre><pre>Report saved to %s</pre><pre>Report</pre><pre>Could not write to %s file.</pre><pre>\GetSusp.txt</pre><pre>This operation will involve the transferring of files and other information from this machine, potentially including personal data to McAfee. Please confirm you have read and agree to this and the below license agreement before continuing</pre><pre>http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.xml</pre><pre>Failed to execute GetSusp from long path.</pre><pre>%s could not be scanned (%d)!!!</pre><pre>%s ... is Unknown Scan Object !!!</pre><pre>%s ... is Zero Byte File !!!</pre><pre>%s ... Scan Aborted !!!</pre><pre>%s ... is Block-Char-Fifo Files !!!</pre><pre>%s ... is Out-Of-Memory !!!</pre><pre>%s ... is Encrypted !!!</pre><pre>%s ... is Corrupted !!!</pre><pre>Cannot save report file while a scan is in progress.</pre><pre>%s ... is Unknown !!!</pre><pre>chrome</pre><pre>firefox</pre><pre>http\shell\open\command</pre><pre>https://getclean.mcafee.com/getsusp</pre><pre>AutoConfigURL</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings</pre><pre>\prefs.js</pre><pre>\Mozilla\Firefox\Profiles</pre><pre>\StringFileInfo\XX\%s</pre><pre>L\\.\SSFILTERDEV</pre><pre>\\.\WGUARDNT</pre><pre>3c224a00-5d51-11cf-b3ca-000000000001</pre><pre>/0123456789:;<=></pre><pre>0000000000000000</pre><pre>X\\?\</pre><pre>\\?\UNC</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>USER32.DLL</pre><pre>Save report to file</pre><pre>McAfee GetSusp 3.0.0.373</pre><pre>Report all scanned files</pre><pre>Port</pre><pre>Password:</pre><pre>getsusp.sys</pre><pre>5500-1093</pre><b>getsusp_300373.exe_900_rwx_00401000_00443000:</b><pre>t4Jt.Ju1 ]</pre><pre>N8SSh</pre><pre>PWSSh(</pre><pre>Pj.j.SW</pre><pre>Pj*j%SW</pre><pre>[u.jD</pre><pre>!"#$%&'()* ,-..CC/0C122C34456789:CC;<=>?@AACCCCCCBBBBBBBB</pre><pre>Ht.Ht!</pre><pre>It.It</pre><pre>SSh0~q</pre><pre>F( %U</pre><pre>3333333</pre><pre>?\u%f</pre><pre>FTPh8</pre><pre>St.Ht</pre><pre>FTPh</pre><pre>.itst</pre><pre>PSSSh</pre><pre>SSSSh</pre><pre>FTPQ</pre><pre>F4PSSh</pre><pre>t j%S</pre><pre>!!!!!!""#$%&'(((((())* ,-.CCCCCCCC//C01234445656789:;9:;CCC<=>?@AB</pre><pre>FTPS</pre><pre>d/d/%d d:d</pre><pre>HTTPS</pre><pre>161.69.31.104</pre><pre>GetUdpTable</pre><pre>AllocateAndGetUdpExTableFromStack</pre><pre>GetExtendedUdpTable</pre><pre>GetTcpTable</pre><pre>AllocateAndGetTcpExTableFromStack</pre><pre>GetExtendedTcpTable</pre><pre>%u.%u.%u.%u:%u</pre><pre><?xml-stylesheet type="text/xsl" href="Logs\GetSusp.xsl"?></pre><pre><?xml-stylesheet type="text/xsl" href="Network.xsl"?></pre><pre><?xml-stylesheet type="text/xsl" href="Files.xsl"?></pre><pre>\GetSusp.sys</pre><pre>GetSusp1.tmp</pre><pre>Logs\McAfee-Product.txt</pre><pre>Logs\Files.xml</pre><pre>Logs\Files.xsl</pre><pre>Logs\Trace.log</pre><pre>Logs\Network.xsl</pre><pre>Logs\Network.xml</pre><pre>Logs\GetSusp.xsl</pre><pre>Logs\GetSusp.log</pre><pre>GetSusp.tmp</pre><pre>GetSusp.xml</pre><pre>\Windows\assembly\GAC_MSIL</pre><pre>avvclean.dat</pre><pre>avvnames.dat</pre><pre>avvscan.dat</pre><pre>XXXXXX</pre><pre>FramePkg.exe</pre><pre>\MCAFEE SECURITY SCAN\UNINSTALL.EXE</pre><pre>\Windows\assembly\NativeImages</pre><pre>Autoconfig-Url</pre><pre>Proxy-Port</pre><pre>3.0.0.373</pre><pre>EngineVersionMajor %d</pre><pre>AVDatVersion %d</pre><pre>AVDatDate %s</pre><pre>Task/Actions/Exec/Arguments</pre><pre>Task/Actions/Exec/Command</pre><pre>Windows-Firewall</pre><pre>%commonprogramw6432%</pre><pre>%commonprogramfiles%</pre><pre>Run-Key</pre><pre>\Prefetch\NTOSBOOT-B00DFAAD.pf</pre><pre>0123456789</pre><pre>%WinDir%\assembly\NativeImages</pre><pre>Received unknown IO request type %d</pre><pre>rundll32.exe</pre><pre>server_passwd</pre><pre>url_artemis</pre><pre>url_upload</pre><pre>Unknown-Error %d</pre><pre>Windows 2000</pre><pre>Windows XP</pre><pre>Web Edition</pre><pre>Windows Server 2003,</pre><pre>Windows XP Professional x64 Edition</pre><pre>Windows Home Server</pre><pre>Windows Storage Server 2003</pre><pre>Windows Server 2003 R2,</pre><pre>Web Server Edition</pre><pre>Windows Server 2012</pre><pre>Windows 8</pre><pre>Windows Server 2008 R2</pre><pre>Windows 7</pre><pre>Windows Server 2008</pre><pre>Windows Vista</pre><pre>--password</pre><pre>1.3.6.1.4.1.311.72.1.1</pre><pre>Status: 0x%x</pre><pre>network.proxy.autoconfig_url</pre><pre>network.proxy.http_port</pre><pre>"network.proxy.http"</pre><pre>network.proxy.type</pre><pre>network.proxy</pre><pre>.rsrc</pre><pre>config.dat</pre><pre>u.u</pre><pre>Copyright (c) McAfee Inc. u. Created on u-%s-u. Version:%u.u</pre><pre>'%s' Driver</pre><pre>KERNEL32.dll</pre><pre>%WinDir%\TEST.EXE</pre><pre>).EXPORT</pre><pre>).COPY</pre><pre>.ITEM</pre><pre>.dump</pre><pre>midiOutShortMsg</pre><pre>midiOutLongMsg</pre><pre>keybd_event</pre><pre>WinExecErrorW</pre><pre>WinExecErrorA</pre><pre>WinExec</pre><pre>WaitNamedPipeW</pre><pre>WaitNamedPipeA</pre><pre>WSARecvMsg</pre><pre>WSAAsyncGetServByPort</pre><pre>VkKeyScanW</pre><pre>VkKeyScanExW</pre><pre>VkKeyScanExA</pre><pre>VkKeyScanA</pre><pre>UpdateICMRegKeyW</pre><pre>UpdateICMRegKeyA</pre><pre>UnregisterHotKey</pre><pre>UnloadKeyboardLayout</pre><pre>UnhookWindowsHookEx</pre><pre>UnhookWindowsHook</pre><pre>TransactNamedPipe</pre><pre>TileWindows</pre><pre>ShellExecuteW</pre><pre>ShellExecuteExW</pre><pre>ShellExecuteExA</pre><pre>ShellExecuteA</pre><pre>SetWindowsHookW</pre><pre>SetWindowsHookExW</pre><pre>SetWindowsHookExA</pre><pre>SetWindowsHookA</pre><pre>SetViewportOrgEx</pre><pre>SetViewportExtEx</pre><pre>SetProcessWindowStation</pre><pre>SetProcessShutdownParameters</pre><pre>SetNamedPipeHandleState</pre><pre>SetKeyboardState</pre><pre>SetConsoleOutputCP</pre><pre>ScaleViewportExtEx</pre><pre>SHFileOperationW</pre><pre>SHFileOperationA</pre><pre>ReportEventW</pre><pre>ReportEventA</pre><pre>RegisterHotKey</pre><pre>RegUnLoadKeyW</pre><pre>RegUnLoadKeyA</pre><pre>RegSetKeySecurity</pre><pre>RegSaveKeyW</pre><pre>RegSaveKeyA</pre><pre>RegRestoreKeyW</pre><pre>RegRestoreKeyA</pre><pre>RegReplaceKeyW</pre><pre>RegReplaceKeyA</pre><pre>RegQueryInfoKeyW</pre><pre>RegQueryInfoKeyA</pre><pre>RegOpenKeyW</pre><pre>RegOpenKeyExW</pre><pre>RegOpenKeyExA</pre><pre>RegOpenKeyA</pre><pre>RegNotifyChangeKeyValue</pre><pre>RegLoadKeyW</pre><pre>RegLoadKeyA</pre><pre>RegGetKeySecurity</pre><pre>RegFlushKey</pre><pre>RegEnumKeyW</pre><pre>RegEnumKeyExW</pre><pre>RegEnumKeyExA</pre><pre>RegEnumKeyA</pre><pre>RegDeleteKeyW</pre><pre>RegDeleteKeyA</pre><pre>RegCreateKeyW</pre><pre>RegCreateKeyExW</pre><pre>RegCreateKeyExA</pre><pre>RegCreateKeyA</pre><pre>RegCloseKey</pre><pre>ProcessHRC</pre><pre>PeekNamedPipe</pre><pre>OpenWindowStationW</pre><pre>OpenWindowStationA</pre><pre>OleExecute</pre><pre>OffsetViewportOrgEx</pre><pre>OemKeyScan</pre><pre>MsgWaitForMultipleObjects</pre><pre>MapVirtualKeyW</pre><pre>MapVirtualKeyExW</pre><pre>MapVirtualKeyExA</pre><pre>MapVirtualKeyA</pre><pre>LoadKeyboardLayoutW</pre><pre>LoadKeyboardLayoutA</pre><pre>ImpersonateNamedPipeClient</pre><pre>ImmSimulateHotKey</pre><pre>ImmGetVirtualKey</pre><pre>GetWindowsDirectoryW</pre><pre>GetWindowsDirectoryA</pre><pre>GetViewportOrgEx</pre><pre>GetViewportExtEx</pre><pre>GetTcpStatisticsEx</pre><pre>GetTcpStatistics</pre><pre>GetServiceKeyNameW</pre><pre>GetServiceKeyNameA</pre><pre>GetProcessWindowStation</pre><pre>GetProcessShutdownParameters</pre><pre>GetProcessHeaps</pre><pre>GetProcessHeap</pre><pre>GetNamedPipeInfo</pre><pre>GetNamedPipeHandleStateW</pre><pre>GetNamedPipeHandleStateA</pre><pre>GetLargestConsoleWindowSize</pre><pre>GetKeyboardType</pre><pre>GetKeyboardState</pre><pre>GetKeyboardLayoutNameW</pre><pre>GetKeyboardLayoutNameA</pre><pre>GetKeyboardLayoutList</pre><pre>GetKeyboardLayout</pre><pre>GetKeyState</pre><pre>GetKeyNameTextW</pre><pre>GetKeyNameTextA</pre><pre>GetConsoleOutputCP</pre><pre>GetCPInfo</pre><pre>GetAsyncKeyState</pre><pre>FindExecutableW</pre><pre>FindExecutableA</pre><pre>ExitWindowsEx</pre><pre>EnumWindows</pre><pre>EnumWindowStationsW</pre><pre>EnumWindowStationsA</pre><pre>EnumThreadWindows</pre><pre>EnumPortsW</pre><pre>EnumPortsA</pre><pre>EnumDesktopWindows</pre><pre>EnumChildWindows</pre><pre>DisconnectNamedPipe</pre><pre>DeletePortW</pre><pre>DeletePortA</pre><pre>CreateWindowStationW</pre><pre>CreateWindowStationA</pre><pre>CreatePipe</pre><pre>CreateNamedPipeW</pre><pre>CreateNamedPipeA</pre><pre>CreateIoCompletionPort</pre><pre>CreateDialogIndirectParamW</pre><pre>CreateDialogIndirectParamA</pre><pre>ConnectNamedPipe</pre><pre>ConfigurePortW</pre><pre>ConfigurePortA</pre><pre>CloseWindowStation</pre><pre>CascadeWindows</pre><pre>CallNamedPipeW</pre><pre>CallNamedPipeA</pre><pre>CallMsgFilterW</pre><pre>CallMsgFilterA</pre><pre>ArrangeIconicWindows</pre><pre>AddPortW</pre><pre>AddPortA</pre><pre>ActivateKeyboardLayout</pre><pre>WINSTART.BAT</pre><pre>AUTOEXEC.BAT</pre><pre>SCRIPT.INI</pre><pre>NICK</pre><pre>OUTLOOK.APPLICATION</pre><pre>SCRIPTING.FILESYSTEMOBJECT</pre><pre>SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\RUN\</pre><pre>HKEY_LOCAL_MACHINE\</pre><pre>MSGBOX</pre><pre>JOIN</pre><pre>.GzVBj/&IA42[vrC89pEhqO</pre><pre>.encode</pre><pre>%s:x</pre><pre>%s:x,x,x</pre><pre>KERNEL32.DLL</pre><pre>%WinDir%\</pre><pre>/usr/lib/test.so</pre><pre>%WinDir%\TEST.DLL</pre><pre>%WinDir%</pre><pre>join</pre><pre>export</pre><pre>.memory_hook</pre><pre>ÌdiouxXeEfgGnpsSaA</pre><pre>%WinDir%\SYSTEM32\</pre><pre>%WinDir%\SYSTEM</pre><pre>%d.d.d</pre><pre>Timer, %u, 1/100ms,</pre><pre>EINF, AV_APIVERSION_V%c</pre><pre>%s DAT version %ld.ld (%d.d)</pre><pre>Driver version %ld (%d.d)</pre><pre>API version (%s - %s) API: V%d.d</pre><pre>MCSCAN32.DLL</pre><pre>EREP, %d,</pre><pre>rwabs32.dll</pre><pre>MCTOOL.EXE</pre><pre>calwin32.dll</pre><pre>mcscan.log</pre><pre>mcscan.vlt</pre><pre>seqnum_%ld_thread_%s_</pre><pre>[%s;%s;%s]</pre><pre>Scan started at: %s</pre><pre>Scan completed at: %s</pre><pre>, %s: '%s'</pre><pre>%s: '%s'</pre><pre>* %4s........ GFS Disabled</pre><pre>,not scanned (code %d)</pre><pre>,not scanned (not executable).</pre><pre>%s, %u, %u, %u,</pre><pre>%s, %u, %u, %u</pre><pre>%s, %s</pre><pre>%s, %lu</pre><pre>,%s {</pre><pre>, %s, %s</pre><pre>%s:%d</pre><pre>%sx</pre><pre> x -> x</pre><pre> x [ xx ]</pre><pre>%s %s, %s</pre><pre>%s, %u</pre><pre>%s %lu</pre><pre>%s %d</pre><pre>%s (%s - action %d)</pre><pre>,not repaired (code %d)</pre><pre>%s %s</pre><pre>, normal hit "%s"</pre><pre>, negative hit "%s"</pre><pre>, "%s"</pre><pre>%s%lu</pre><pre>Leaving container (%d)</pre><pre>Entering container (%d)</pre><pre>RegDeleteKeyExW</pre><pre>scan.dat</pre><pre>names.dat</pre><pre>clean.dat</pre><pre>extra.dat</pre><pre>%s%c%s</pre><pre>RegDeleteKeyExA</pre><pre>%s (ID X, VER X)</pre><pre>ERR_OPERATION_FAILED</pre><pre>%s(X)</pre><pre>Runtime Check failed: %s in %s at line %d.</pre><pre>1.0.4</pre><pre>WFV*.tmp</pre><pre>vd</pre><pre>%c_%s</pre><pre>\\.\MCSCAN32.VXD</pre><pre>.data</pre><pre>.petite</pre><pre>.tlsdir</pre><pre>.neolit</pre><pre>.avp-md</pre><pre>.ficken</pre><pre>.BJFnt</pre><pre>.pklstb</pre><pre>Emu Buffer written to %s</pre><pre>(x)x:</pre><pre>-_@{}~`!#() =[]</pre><pre>SYSTEM.INI</pre><pre>WIN.INI</pre><pre>NTVDM.EXE</pre><pre>VDMDBG.DLL</pre><pre>PSAPI.DLL</pre><pre>windows</pre><pre>^$.[()|? *\</pre><pre>.tbz2</pre><pre>x.OLE</pre><pre>lld.ie</pre><pre>lx.OLE</pre><pre>kernel32.dll</pre><pre>.relo2</pre><pre>x.EXE</pre><pre>PEBUNDLE.LNK</pre><pre>TEMP$01.EXE</pre><pre>x.%.3s</pre><pre>x.EML</pre><pre>::DataSpace/Storage/MSCompressed/Transform/{7FC28940-9D31-11D0-9B27-00A0C91E9C7C}/InstanceData/ResetTable</pre><pre>::DataSpace/Storage/MSCompressed/Transform/{0A9007C6-4076-11D3-8789-0000F8105754}/InstanceData/ResetTable</pre><pre>LINKCMDL.OLE</pre><pre>%lu%s</pre><pre>lX.VCH</pre><pre>lX.OLE</pre><pre>__SRP_%x</pre><pre>"$"#,##0_);\(</pre><pre>wininit.ini</pre><pre>%s %s==0x%lx</pre><pre>%s - %s %s - %s 0x%lx %s 0x%lx</pre><pre>%s - %s %s - retrieved 0x%lx bytes from cache position 0x%lx</pre><pre>%s - %s %s - Read FAILURE error code %d %s 0x%lx %s 0x%lx</pre><pre>%s - %s read in 0 bytes - %s 0x%lx %s 0x%lx</pre><pre>%s - %s %s %s 0x%lx %s 0x%lx</pre><pre>%s - %s %s - read 0x%lx %s 0x%lx</pre><pre>%s - %s %s %d %s 0x%lx %s 0x%lx</pre><pre>%s - %s 0x%lx,%s 0x%lx</pre><pre>NTDLL.DLL</pre><pre>\\.\vwin32</pre><pre>\\.\PhysicalDrive%ud</pre><pre>\\.\%c:</pre><pre>Address_x.mem</pre><pre>%s_x.mem</pre><pre>PID\%d</pre><pre>Ntdll.dll</pre><pre>Kernel32.dll</pre><pre>x.PDF</pre><pre>x,</pre><pre>dwordbe:x</pre><pre>dword:x</pre><pre>HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\</pre><pre>HKLM\Software\Microsoft\Windows\CurrentVersion\App Paths\</pre><pre>HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\</pre><pre>script00.wsc</pre><pre>content%d.rtf</pre><pre>attach%d.dat</pre><pre>X.%s</pre><pre>0000000000000000000</pre><pre>h.dllhel32hkern</pre><pre>rsrc.rsrrelo.relUPX1UPX0ExeS.eda</pre><pre>rsrc.rsrrelo.relnoesExeS.eda.res</pre><pre>.Ncryo</pre><pre>.De-vir</pre><pre>x.B64</pre><pre>x.bin</pre><pre>operator</pre><pre>deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler</pre><pre>1.2.5</pre><pre>zip 1.01 Copyright 1998-2004 Gilles Vollant - http://www.winimage.com/zLibDll</pre><pre>.?AV?$TIndexedManifestSection@E@@</pre><pre>.?AVCNAICmdTarget@@</pre><pre>.?AVCPublicKeySection@@</pre><pre>.?AVCExecLibrary@@</pre><pre>.?AVItfIndexedValidationDataStore@@</pre><pre>.?AVCFileContentDecoratorBufferOperationsToBlockOperations@@</pre><pre>.?AV?$TKeyDataSet@UTOpt@CEmuOpt@EmulatorCPU@@I@@</pre><pre>.?AV?$TKeyDataSet@KI@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpSym@CGenDecode@@@@I@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@UTImpLib@CGenDecode@@@@I@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@KKK@@ABU1@K@@@@I@@</pre><pre>.?AV?$TKeyDataSet@U?$TObjSetRecord@V?$TSetBase@U?$TDataSetRecord@III@@ABU1@I@@@@I@@</pre><pre>.?AV?$TKeyDataSet@UTFindEP@CiPEPolyHeur@@I@@</pre><pre>.?AV?$TKeyDataSet@UCMap@CEmuPEFile@@I@@</pre><pre>.?AVIImportRec@@</pre><pre>.?AVCWin32ImportRec@@</pre><pre>.?AVCEmuRegistryKey@@</pre><pre>.?AVCMD5@@</pre><pre>.?AVCImportantBlockSubStrategy@@</pre><pre>.?AVCHashValue@CObjectReporter@@</pre><pre>.?AVCObjectReporter@@</pre><pre>.?AVCDATMsg@@</pre><pre>Replace and press any key when ready</pre><pre>.?AVCImportMap@CFNCallGraph@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@@@</pre><pre>.?AV?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VCOM2EXEFile@@$0EDEPENDC@@@$0DL@@@</pre><pre>.?AVCOM2EXEFile@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@@@</pre><pre>.?AV?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile@@$0FHDDDCFI@@@$0DB@@@</pre><pre>.?AVW32EXEFile@@</pre><pre>.?AVW32EXEUncompress@@</pre><pre>.?AVCexeFile@@</pre><pre>.?AVexe32packFile@@</pre><pre>.?AVCW32EXEUncompressExt@@</pre><pre>.?AVEXEBundleDirectory@@</pre><pre>.?AVPEBundleEXEFile@@</pre><pre>.?AVPEBundleEXERepair@@</pre><pre>.?AVJoinerDirectory@@</pre><pre>.?AVexe32packDecode@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@@@</pre><pre>.?AV?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VWebScript@@$0FHFDEDFC@@@$0CP@@@</pre><pre>.?AVWebScript@@</pre><pre>.?AVCHTMLWebScript@@</pre><pre>.?AVWebScriptDecode@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@@@</pre><pre>.?AV?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VLZEXEFile@@$0EMFKFI@@@$0BE@@@</pre><pre>.?AVLZEXEFile@@</pre><pre>.?AVCOLE2Operator@@</pre><pre>.?AVIOLE2Operator@@</pre><pre>.?AVProcessHandler@@</pre><pre>.?AVCRegOperator@@</pre><pre>.?AVIRegOperator@@</pre><pre>.?AVXRegOperator@CRegOperator@@</pre><pre>.?AV?$TFactory@V?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@@@</pre><pre>.?AV?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@</pre><pre>.?AV?$WrapArchiveGFS@V?$CompressedFileCreator@VW32EXEFile2@@$0FHDDDCFI@@@$0DB@@@</pre><pre>.?AVW32EXEFile2@@</pre><pre>.?AVEXEStealthFile@@</pre><pre>.?AV?$TGenericSeqParserArraySequenceImpl_GenericInner@V?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@@@</pre><pre>.?AV?$TGenericSequenceParserImplGenericOuter@VIGenericSequenceParserChar_Types@@VIGenericSequenceParserChar_BufferArray@@VCNAICmdTarget@@@@</pre><pre>.?AVCO12Operator@@</pre><pre>.?AVIO12Operator@@</pre><pre>.?AVXO12Operator@CO12Operator@@</pre><pre>zcÁ</pre><pre>C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\SARS\executables\getsusp_300373.exe</pre><pre>.BJ!J~s</pre><pre>$D.FS</pre><pre>T.FaV</pre><pre>S_%cGrB\</pre><pre>zM%C{n</pre><pre>'I.EZT</pre><pre>.vrgW</pre><pre>.qyxdf</pre><pre>.Cr$!</pre><pre>/k%X#</pre><pre>;|K%C</pre><pre>.DT.^</pre><pre>RS9_%D<\</pre><pre>.=9_r.zDa</pre><pre>FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE</pre><pre>xmlns:xsl="http://www.w3.org/1999/XSL/Transform"></pre><pre>To download the latest version of GetSusp <A HREF="http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe">Click Here</A></pre><pre>For GetSusp Suspicious Files Report, click on <A HREF="Logs\Files.xml">File Log</A></pre><pre>For GetSusp Network log, click on <A HREF="Logs\Network.xml">Network Log</A></pre><pre>For information on installed McAfee products, click on <A HREF="Logs\McAfee-Product.txt">McAfee Product Log</A></pre><pre><A HREF="http://community.mcafee.com/community/security/malware_discussion">McAfee Community</A></pre><pre><h4 style="text-align:center">Network Statistics Report</h4></pre><pre><xsl:text>https://www.virustotal.com/file/</xsl:text></pre><pre>.text</pre><pre>h.rdata</pre><pre>H.data</pre><pre>B.reloc</pre><pre>c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_x86\i386\getsusp.pdb</pre><pre>ntoskrnl.exe</pre><pre>Thawte Certification1</pre><pre>http://ocsp.thawte.com0</pre><pre>.http://crl.thawte.com/ThawteTimestampingCA.crl0</pre><pre>http://ts-ocsp.ws.symantec.com07</pre><pre> http://ts-aia.ws.symantec.com/tss-ca-g2.cer0<</pre><pre> http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(</pre><pre>.Class 3 Public Primary Certification Authority0</pre><pre>2Terms of use at https://www.verisign.com/rpa (c)041.0,</pre><pre>https://www.verisign.com/rpa01</pre><pre>http://crl.verisign.com/pca3.crl0</pre><pre>.Class 3 Public Primary Certification Authority</pre><pre>Dhttp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0</pre><pre>n.aAHu</pre><pre>https://www.verisign.com/rpa0</pre><pre>/http://CSC3-2004-crl.verisign.com/CSC3-2004.crl0u</pre><pre>http://ocsp.verisign.com0?</pre><pre>3http://CSC3-2004-aia.verisign.com/CSC3-2004-aia.cer0</pre><pre>http://www.mcafee.com 0</pre><pre>.pdata</pre><pre>c:\buildbot\getsusp-s1\getsuspwip\driver\objfre_wnet_amd64\amd64\getsusp.pdb</pre><pre>getsusp.exe</pre><pre>VERSION.dll</pre><pre>COMCTL32.dll</pre><pre>WINHTTP.dll</pre><pre>WinHttpOpen</pre><pre>WS2_32.dll</pre><pre>USERENV.dll</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>COMDLG32.dll</pre><pre>ADVAPI32.dll</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>MAPI32.dll</pre><pre>WINTRUST.dll</pre><pre>CRYPT32.dll</pre><pre>CryptMsgClose</pre><pre>\\.\GetSusp</pre><pre>ERROR: Login failed due to invalid proxy credentials</pre><pre>Login failed for user '%s'</pre><pre>eiphlpapi.dll</pre><pre>Please enter id and password.</pre><pre>%s ... is Suspicious !!!</pre><pre>%s\%s\ntuser.dat</pre><pre>\autorun.vnf</pre><pre>\autorun.ini</pre><pre>\autorun.inf</pre><pre>%COMPUTERNAME%</pre><pre>.EngineVersionMinor</pre><pre>reg export HKLM\SOFTWARE\MCAFEE Logs\McAfee-Product.txt</pre><pre>regedit /e Logs\McAfee-Product.txt HKEY_LOCAL_MACHINE\SOFTWARE\MCAFEE</pre><pre>Scan results are saved at %s.</pre><pre>GetSusp scan identified (%d) Suspicious file(s) and (%d) Unknown file(s).</pre><pre>%c Possibly Infected:.............%d</pre><pre>Boot Sector(s):.................%d</pre><pre>Master Boot Record(s):....%d</pre><pre>%s !!!</pre><pre>\Local Settings\Temporary Internet Files\Content.IE5</pre><pre>\AppData\Local\Microsoft\Windows\Temporary Internet Files</pre><pre>\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad</pre><pre>SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>Software\Microsoft\Windows NT\CurrentVersion\Winlogon</pre><pre>\Software\Microsoft\Windows\CurrentVersion\RunOnce</pre><pre>RunOnce key values for '%s'</pre><pre>\Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>Run key values for '%s'</pre><pre>\$Recycle.Bin</pre><pre>%SYSTEMDRIVE%</pre><pre>\Microsoft.NET\Framework</pre><pre>\Windows NT</pre><pre>\Windows Media Player</pre><pre>\Opera</pre><pre>\Mozilla Firefox\Plugins</pre><pre>\Mozilla Firefox\Components</pre><pre>\Mozilla Firefox</pre><pre>\COMMON FILES\Microsoft Shared\Web Folders</pre><pre>Please specify Proxy address and port</pre><pre>\GetSusp.opt</pre><pre>Status: %u%%</pre><pre>Suspicious: %u</pre><pre>Unknown: %u</pre><pre>The GetSusp executable has been modified and may be infected.</pre><pre>-- Send only the report</pre><pre>-- Specify proxy address and port</pre><pre>-- Specify automatic configuration script url</pre><pre>http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.exe</pre><pre>Unable to load scan engine, support DLL not found.</pre><pre>B%s ... is OK.</pre><pre>dnsapi.dll</pre><pre>Report saved to %s</pre><pre>Report</pre><pre>Could not write to %s file.</pre><pre>\GetSusp.txt</pre><pre>This operation will involve the transferring of files and other information from this machine, potentially including personal data to McAfee. Please confirm you have read and agree to this and the below license agreement before continuing</pre><pre>http://downloadcenter.mcafee.com/products/mcafee-avert/GetSusp/GetSusp.xml</pre><pre>Failed to execute GetSusp from long path.</pre><pre>%s could not be scanned (%d)!!!</pre><pre>%s ... is Unknown Scan Object !!!</pre><pre>%s ... is Zero Byte File !!!</pre><pre>%s ... Scan Aborted !!!</pre><pre>%s ... is Block-Char-Fifo Files !!!</pre><pre>%s ... is Out-Of-Memory !!!</pre><pre>%s ... is Encrypted !!!</pre><pre>%s ... is Corrupted !!!</pre><pre>Cannot save report file while a scan is in progress.</pre><pre>%s ... is Unknown !!!</pre><pre>chrome</pre><pre>firefox</pre><pre>http\shell\open\command</pre><pre>https://getclean.mcafee.com/getsusp</pre><pre>AutoConfigURL</pre><pre>Software\Microsoft\Windows\CurrentVersion\Internet Settings</pre><pre>\prefs.js</pre><pre>\Mozilla\Firefox\Profiles</pre><pre>\StringFileInfo\XX\%s</pre><pre>L\\.\SSFILTERDEV</pre><pre>\\.\WGUARDNT</pre><pre>3c224a00-5d51-11cf-b3ca-000000000001</pre><pre>/0123456789:;<=></pre><pre>0000000000000000</pre><pre>X\\?\</pre><pre>\\?\UNC</pre><pre>mscoree.dll</pre><pre>- Attempt to initialize the CRT more than once.</pre><pre>- CRT not initialized</pre><pre>- floating point support not loaded</pre><pre>USER32.DLL</pre><pre>Save report to file</pre><pre>McAfee GetSusp 3.0.0.373</pre><pre>Report all scanned files</pre><pre>Port</pre><pre>Password:</pre><pre>getsusp.sys</pre></pre>