Gen.Variant.Zusy.224839_25f433e9a9

by malwarelabrobot on August 27th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Zusy.224839 (B) (Emsisoft), Gen:Variant.Zusy.224839 (AdAware), Trojan.Win32.Swrort.3.FD, GenericPhysicalDrive0.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 25f433e9a98748125325fff7f9c02e9b
SHA1: 80f19b6808dff9647c9f077b2c40dc6e009acbaf
SHA256: 7e7efc23f08d4d39c761e3a27a4f9ed2adb0cee32f3892c2a7e25377bf4ac91d
SSDeep: 196608:La18yN6OL86DrHE1GEMDEYqkSyJkARffYO0yPipZh X3u:LO7EG86DmGEeEdyrfJv33
Size: 8389632 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-07-29 23:52:38
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

WerFault.exe:4020
WerFault.exe:1728
%original file name%.exe:1992
notepad.exe:2616

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\25f433e9a98748125325fff7f9c02e9b.cfg (50 bytes)

Registry activity

The process WerFault.exe:4020 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "63 73 6D E0 09 00 00 00 00 00 00 00 6F D3 4D 75"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

The process WerFault.exe:1728 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "74 03 00 C0 01 00 00 00 00 00 00 00 0B 38 20 77"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"

The process notepad.exe:2616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASAPI32]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASMANCS]
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\notepad_RASMANCS]
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 85554 86016 4.41359 fd4edb5c5aea944944285eaa2feb0579
.rdata 90112 18046 18432 3.57766 3055a092860ca809fdf1dfcc7ce0e3e6
.data 110592 12736 4608 1.71786 9b2bccca7f715a73460211e4f71afe02
.reloc 126976 3526 3584 4.52669 f497d595e12b35fb76c8a08ccff0419c
.Fd 131072 8275736 8275968 5.54507 8ea69137410e503dedc84a50d0ba38df

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
cms4.aimjunkies.com
cms10.aimjunkies.com
cms5.aimjunkies.com
cms2.aimjunkies.com
cms3.aimjunkies.com
cms8.aimjunkies.com
cms6.aimjunkies.com
cms9.aimjunkies.com
cms1.aimjunkies.com
cms7.aimjunkies.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_1992:

.text
`.rdata
@.data
.reloc
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
GetProcessWindowStation
operator
#8/)>ƒ
kernel32.dll
ntdll.dll
%s X
C:\mylog.log
KERNEL32.dll
GetProcessHeap
GetCPInfo
InitOnceExecuteOnce
>">.>5>>>
.UPX0
`.UPX1
`.reloc
@.rsrc
f=_
%sTdx
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
MFC Loader.exe
c.mZz
yWS2_32.dll
HttpOpenRequestA
URLDownloadToFileA
ZADVAPI32.dll
.CNjx8h
ole32.dll
.ZJuZ
C.lb.K
imagehlp.dll
msi.dll
SbsVQ.Af
WTSAPI32.dll
COMCTL32.dll
urlmon.dll
^Qe×B]
.FM;Rk[O{
;.bac
.ZDGnG
sF|
53<.ErI
a[.ulFwN#
jqO.Od(&
h.FO8d
S.jh%
H%f.p
VM`.Tue\.
h.rIQ
%uhNj
%Cl>I
%0ugp(
-%xy5
2".PH
.Gly0
PSAPI.DLL
ShellExecuteExA
comdlg32.dll
@(k%X
EkR.IY
WINMM.dll
USER32.dll
)r,d.Ir
/.Wq_
RegOpenKeyExA
VERSION.dll
SHELL32.dll
WININET.dll
4G4s4
5-53595?5
7$8)8.838
5&7-747}7P8
5 5%5-5[5
9œ9
3$3 30373<3
: :.:<:{:
1 1$1(1,1014181<1
; ;$;(;,;0;|;
> >$>(>,>0>4>8>\>`>
; ;$;(;,;0;4;8;<;@;|;
6$6,646<6
829=9`9}9
9 9$9(9,9094989
1.24282<2@2
; ;(;0;8;@;3>
ud%sK:
H~<.IX
.gE]8
l.kVv
>GHv&.IlG
_Sl.NC-
zogExe
sUk.Kk;
g@CN[%sy
WW;.NO
|.wMj
.hCA\R4~Z
4#i%s
D G|.mZ
l.Oc/
5.cs.
U&@.NG(
FJ%x^
*.OGH
.En?P$J
[m.yZ
vM.Jb
w.stR
n1.mG
?.XW/z0
&e%u'>_[
WW%so
<5.Iof
.SL}PT
R.ZV-
&,.Ye0H
@Lh%c
.uT@ZQ
pGV7%S
Bh-i}
.wd,H
;.Lxs#
b{J%Sb
Úd5!
.QzCG
>.yz;WSC
c1wi%d
.JO|=
.Kfh,g
-m}'3
%CIg@
.sRUY
<xy.dO5
D:\'=ay
.TjhM
{wOa?n%U
.DcA{
;S.kFy
.ru$PA
q].jJq
<uER%D
U8^%s"wW
.mX.mz,
Z.VZg4
%S&d_
%X&ma
.eW"b
#*.xR33z
1Í-
c.OEa
c.jQvw0bs
:[k.zcva
0}e%dp-
u6.Bys"w
>oy%f
ûFud
X.ylyH:O
'8.sbG
o.bqc
P`p%UW{;
.YW~_(
.Xj1`
k.vo5
%dM]N
M%XG"1
E%#fTp$)
#j^M,
oGj*F%u
j!R%syX
.Fcgw
|Q%XB
.oJ&`
 [.cb~
;'%u{
\ 5%xxuT
ÛVZ
 Pa.tB
W:\<8
.isD,
aZ0.mr
8%U; j
}0%X q
?.NBzw
gW.XJ(qGB\
.lV2M
ox.iNK&L
=-h4.cj
.KNPpg
wioI%F
d;.iu
nN_%x(PI&/t
Ls.Sx
%4x]:.
%U%)(
.mE]_E
Ô.v
.lX2I
udP[`
Z9A.DX
Hf.ok
[.ehy
R&.PJOj
-M.xd
D.Qt.
D.jPr{
F%UVs
E%XJ>
z.PyZ
oÙx
<<d.MR
:k.Qc
k:-m}
.ZB; >
.%XX g2
.kQsn
.EvUI
5 %S')
(|(.Ng
%I.Cc
.ve@/A\"q
<N^.gI%nmt
.Hoy/[
).Uy.
B|%uIX
O.IF){
f.tkMVv
0a%fu
{U.cD
;.mfV"V
.BzU3[
X.HfW
t.MrxD
.hm8l
?.KG"
qAHÓ
.Jbr[i
]{e.tQ
g.KWZ4
!.pjq
ouRL
9YLs%S
3(.AJ
iP.ls
^-1}x
/V.PSW6
.mK_2
w%fgI
%dR,V
o.Idg
I"?gy%X;<
.lV:,
/B.aU>V
wEb?t
TXbS%f";
Lc0z].JU
<E.zG
0Z.bE
S9?70%F
^6.dN9
Qc>.eI
N.nYt
%.EcA&$].
B%dU]e
h.eHw
E8.VR
GcRT
a5.gf
Z.hkN
ow.IzS
3%xWn
xo%f,
gS8.sM
6:.hAa
UrlZ8
z.JTQ
-SxF}
q.cE>
-K.Tqg
%CQOXv
2?%f$
gAe.BR
p].hj
5k_.Dk
@%XK:
S.sa_
x d|.HA
HCr$%C
~rY.qp
[ml
/Ag%c
[Qq.Yi
.CIF83
%fU>J
_a.Lf
h%DQ^
n%S?_
kj2q%X
CC.VU
.nuR;
.Kry*.
%c`*;
=4%sb
)`H%C
U.tkU
e.Vk^
2(.Vx
G.beu9
hc.iEU
R.AOST
Q].UK
Rxj.fR
5'-G}8#
|&%8xTo
"{=%f
.Kj\B
@3t.oc
a.Fr!
%U^3&a9
|.Mft
)u.Mi
=%D]zQ
u\
{Pj]%x
- .Sq
.Ddfa
#GO%S
kv.nv
}.oG:
:2{%d
B.iJA
G.wdZ
L%sRr
%C ew
.rc-,
lP%U@
%uma*
%u})R
O@%srD}
a%D[G
3Ît&
1A.Eu
$.AEVU"
 {kf.QOU
P.DHR=
.AEAnS6w$
x.vU(
%FnFk
%x!Ye
<%d\N&
%;
%x"AMU
I.Bs#
%ma.ue
{i.iB
x*~o`weB
~.ePC
C%cxX
#%.f#I
.cgwD
}B,%f
#xÿt
->.NzP
S.vHj
.yk):
Aj.hdx
D %D]V
}.QZ4L)
AL1?-F}o
.cD)e
.CXGW
OSql
OaB.GQ
%Dq2Od
v.EH/F
jLc%S'
.hZ>X
.lHCU
%CQ^e
*.jQd
.Wt6#^\
kP.PT
?.EV`
W.hw$
2G#%s
oA!%.uS
x.Du-
1,F.sk>
.EX@68J
PbL_2L-3.fL
=^@.PB
\C4%d
m.ir*(
%fMK;Ve
<I.ff
q)j8%s
.nkIl
)6.WB!
Ò%Y
p.AKG
x.GDG
_ .EK
.Rxq|
.xE37
q.Nd%<6<
.Xs}X
`.oe$
]m.zn(
'rŸsR
a.kf}-F
LEvÝ
@47.Zv
%UZ__
.ga l$
E}D.Fb
HX%3x
 .yLZC)
!@s.wk
#%zÁ
0$.Yp
_7*.qa
%c?Tco
7 9A.st
.uX)N
.gDJH)
.AbJ*
%CG[R
.ZKUdD2
DJ.Fv
.vrte\
 .RtnM@`
q.jG8J~
%fOMk
CL.vd{jS
OCfr.aj
.UT a
#r-%s
-z.Mx43
weBU
F-Ê
%0xJ/k
5(.vG
?SxU%dL4>
.gd$0
o`.qz
3 %X|
.Cb|5`
d'@8x"%s>
77B.NH2
RDg.ZJ
n%c\[
.Fify
6c%U]@
Q.Rt0
7F.pk
4s6w.gTY$SOp
k[.VB
`&%DL
>>3úh
5.NQ?
m.DPk
w.Rc\
E%5S?
nG%u@77NC
)uW%D
tiW%CVz|
'%C,X
,#\f%DsB{0
u^C.wk
#3.ny
.Kc=4"
.OD-!^v
c.BX(
5-J4}
i.Ap`S9
%sY-bkL'
0z%1S
_q#.aN
%3xi,
Q}.bL2_"d
P.XD"f
2ó>
f%Fg2
.prN6
.peT0DIB
hY.XjX%m
1.MQL,
.qDva
3!=<Yw["%D/
.Ry8{J;-
?%S(.
X|.RVt;O
.Rb`;
%sP14
%UO0:
pI.aKe
` .JA
M.QK'
PZ%f>
sD.wU
 u.%x\
%d>yk
7q"%f
%S\G3
.mV4!
J8%Co
~S.mr
BURlbO
.qhEYZP
.Ps'\
V.GO3
A%x>U?
1/%s$-
.oRqk
~%d?#
v*.gIf
1QnÝ
K.nrmp!
%C|/M
OKa-f}
0`.IMO
v.Rq1|k
|.LAO
T.GY`F
,-8
?I.CV
ee.zK
\.lei.
4.qNm-
rma.Se
$Y%Ux
z.By\i#T;x[
S.vH!W
%s &=
BI?9`.qE
*-X}Z
s YQv.plt9
SU.FOx
.OT`<
ÑBU
.Tdga
#T-.jlr
.cEl$
,%Cx5
2t.Jd
p%x,h
1%FH_%
6Y.MZY$\q
A.QO7
.gKf,
-.cG0
z.jBrwkm
yf<.JJ~
i%&P%S
-4}RyH
5hy%fj
H.dz'K
6#..dC
%ds>^
zj.jm
Go
p'ER .sY
k$.CA
.UNOc
*.fG>k
.iv[U
Q.WfscN|
]j%fQ
?|(.wi
?R.ws
Hk%U^y
.kDHI
Ëhh4
KG%cO
B3.Hg:
.Hn&^
.fa=D
,.bQa
i)rQk.fz
.ekge
.VMZww'
$%s;E_e
w(s%U>Z
Ò[,2
swv.hIx
gA%x;:
^.Iw;s
U%.sB8
3|.HJ
:fJ5E.DcG;
.ANk> 
_`j.Wzz
.DXu7i
-jw.TC
V%Swo
.Bp6kI
%o"m.KR
-O}BI
@_x%XAx
 s\%c
]%dw?
%p@vhR%SI
Z.kn|J
6xc%x
%S#nu
.Jh;>=!?g
a[.kW
j.hunx
?.pKP{
&.HM!I
C.WWr
45.Dc9b[u
.LJ41}
6RN.bC
-eg}`
Tw.Xy
-d5}Y
(%fn/?iU"fX
%x[Xj6-Zkz,
qus?.ud
a^]{w.Jn
bps%F
W.uRzN
b;.Ky
()-9M}C
s-MfD}E
\-e}$C
%sGBf
%C {O
{.GN;lu
@ %U,
v%fr~
.nw>enp
&ÙP/
HD`2!~%C
%f (x
as.Ho6
gGÄ
T?-n}\
%U(|F
c.cF&
`/.nE4
V<8KA.Qo.iY
.Wp2w{
.Iw77)
.ofUZ]
7NTurl
`$%uu
B.zP`
^n}%Dpq
qfŸ
n/?%d'
.guEl
f$.dx}
,-Mpd}
7:KP%f
97.kH
(vj
%D"7s
wP.rM
F%Sf]
xL_%C=3v<
T=?v.pcN
s.nH6G
tT.ED1qvO
H$" %s
[5.KRZ
Zk.Dl
]w%uE
d.lTb
.vvMQ
.Ri(7;|
.hy'J
I.SMQ
N^y.Vet
|h.aW
.NS*;zc
Cg.BH
{>!}1! \
L0@
Ib
dP%4x
ib%Sy5
_-H}>'
M.Eg.
(7.Mr
*xC\>.FoT
?J`.EX
.YCG}
kEyl\X?
\v.YC;S
SHLWAPI.dll
OLEACC.dll
.eTmYR
8P>0%CX.)uR
N%u"t
.yxHv.
Tp.aO
-p%x[
$.Dv&
P.jTs
t.NmK
`K.xGs
&Wt.Rx(
X.vIZ
%_^.hJ5
7D%CZ
M%Xt|
].s%u
[%~.IX
 tX%C[
|U[%D
0c%x^9B
.bh H
:!.EL
V%xIF
f%xU13
%CViD
u9I;yVl%DY@
0d9sSh!
`r*D%u
WINSPOOL.DRV
GDI32.dll
OLEAUT32.dll
RPCRT4.dll
t.Gey#,
8.Pii
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
dkernel32.dll
USER32.DLL
c:\%original file name%.exe
0, 0, 0, 0

%original file name%.exe_1992_rwx_00420000_007E5000:




.text
`.rdata
@.data
.UPX0
`.UPX1
`.reloc
@.rsrc
f=_
%sTdx
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
MFC Loader.exe
c.mZz
yWS2_32.dll
HttpOpenRequestA
URLDownloadToFileA
ZADVAPI32.dll
.CNjx8h
ole32.dll
.ZJuZ
C.lb.K
imagehlp.dll
msi.dll
SbsVQ.Af
WTSAPI32.dll
COMCTL32.dll
urlmon.dll
^Qe×B]
.FM;Rk[O{
;.bac
.ZDGnG
sF|
53<.ErI
a[.ulFwN#
jqO.Od(&
h.FO8d
S.jh%
H%f.p
VM`.Tue\.
h.rIQ
%uhNj
%Cl>I
%0ugp(
-%xy5
2".PH
.Gly0
PSAPI.DLL
ShellExecuteExA
comdlg32.dll
@(k%X
EkR.IY
WINMM.dll
USER32.dll
)r,d.Ir
/.Wq_
RegOpenKeyExA
VERSION.dll
SHELL32.dll
WININET.dll
4G4s4
5-53595?5
7$8)8.838
5&7-747}7P8
5 5%5-5[5
9œ9
3$3 30373<3
: :.:<:{:
1 1$1(1,1014181<1
; ;$;(;,;0;|;
> >$>(>,>0>4>8>\>`>
; ;$;(;,;0;4;8;<;@;|;
6$6,646<6
829=9`9}9
9 9$9(9,9094989
1.24282<2@2
; ;(;0;8;@;3>
ud%sK:
H~<.IX
.gE]8
l.kVv
>GHv&.IlG
_Sl.NC-
zogExe
sUk.Kk;
g@CN[%sy
WW;.NO
|.wMj
.hCA\R4~Z
4#i%s
D G|.mZ
l.Oc/
5.cs.
U&@.NG(
FJ%x^
*.OGH
.En?P$J
[m.yZ
vM.Jb
w.stR
n1.mG
?.XW/z0
&e%u'>_[
WW%so
<5.Iof
.SL}PT
R.ZV-
&,.Ye0H
@Lh%c
.uT@ZQ
pGV7%S
Bh-i}
.wd,H
;.Lxs#
b{J%Sb
Úd5!
.QzCG
>.yz;WSC
c1wi%d
.JO|=
.Kfh,g
-m}'3
%CIg@
.sRUY
<xy.dO5
D:\'=ay
.TjhM
{wOa?n%U
.DcA{
;S.kFy
.ru$PA
q].jJq
<uER%D
U8^%s"wW
.mX.mz,
Z.VZg4
%S&d_
%X&ma
.eW"b
#*.xR33z
1Í-
c.OEa
c.jQvw0bs
:[k.zcva
0}e%dp-
u6.Bys"w
>oy%f
ûFud
X.ylyH:O
'8.sbG
o.bqc
P`p%UW{;
.YW~_(
.Xj1`
k.vo5
%dM]N
M%XG"1
E%#fTp$)
#j^M,
oGj*F%u
j!R%syX
.Fcgw
|Q%XB
.oJ&`
 [.cb~
;'%u{
\ 5%xxuT
ÛVZ
 Pa.tB
W:\<8
.isD,
aZ0.mr
8%U; j
}0%X q
?.NBzw
gW.XJ(qGB\
.lV2M
ox.iNK&L
=-h4.cj
.KNPpg
wioI%F
d;.iu
nN_%x(PI&/t
Ls.Sx
%4x]:.
%U%)(
.mE]_E
Ô.v
.lX2I
udP[`
Z9A.DX
Hf.ok
[.ehy
R&.PJOj
-M.xd
D.Qt.
D.jPr{
F%UVs
E%XJ>
z.PyZ
oÙx
<<d.MR
:k.Qc
k:-m}
.ZB; >
.%XX g2
.kQsn
.EvUI
5 %S')
(|(.Ng
%I.Cc
.ve@/A\"q
<N^.gI%nmt
.Hoy/[
).Uy.
B|%uIX
O.IF){
f.tkMVv
0a%fu
{U.cD
;.mfV"V
.BzU3[
X.HfW
t.MrxD
.hm8l
?.KG"
qAHÓ
.Jbr[i
]{e.tQ
g.KWZ4
!.pjq
ouRL
9YLs%S
3(.AJ
iP.ls
^-1}x
/V.PSW6
.mK_2
w%fgI
%dR,V
o.Idg
I"?gy%X;<
.lV:,
/B.aU>V
wEb?t
TXbS%f";
Lc0z].JU
<E.zG
0Z.bE
S9?70%F
^6.dN9
Qc>.eI
N.nYt
%.EcA&$].
B%dU]e
h.eHw
E8.VR
GcRT
a5.gf
Z.hkN
ow.IzS
3%xWn
xo%f,
gS8.sM
6:.hAa
UrlZ8
z.JTQ
-SxF}
q.cE>
-K.Tqg
%CQOXv
2?%f$
gAe.BR
p].hj
5k_.Dk
@%XK:
S.sa_
x d|.HA
HCr$%C
~rY.qp
[ml
/Ag%c
[Qq.Yi
.CIF83
%fU>J
_a.Lf
h%DQ^
n%S?_
kj2q%X
CC.VU
.nuR;
.Kry*.
%c`*;
=4%sb
)`H%C
U.tkU
e.Vk^
2(.Vx
G.beu9
hc.iEU
R.AOST
Q].UK
Rxj.fR
5'-G}8#
|&%8xTo
"{=%f
.Kj\B
@3t.oc
a.Fr!
%U^3&a9
|.Mft
)u.Mi
=%D]zQ
u\
{Pj]%x
- .Sq
.Ddfa
#GO%S
kv.nv
}.oG:
:2{%d
B.iJA
G.wdZ
L%sRr
%C ew
.rc-,
lP%U@
%uma*
%u})R
O@%srD}
a%D[G
3Ît&
1A.Eu
$.AEVU"
 {kf.QOU
P.DHR=
.AEAnS6w$
x.vU(
%FnFk
%x!Ye
<%d\N&
%;
%x"AMU
I.Bs#
%ma.ue
{i.iB
x*~o`weB
~.ePC
C%cxX
#%.f#I
.cgwD
}B,%f
#xÿt
->.NzP
S.vHj
.yk):
Aj.hdx
D %D]V
}.QZ4L)
AL1?-F}o
.cD)e
.CXGW
OSql
OaB.GQ
%Dq2Od
v.EH/F
jLc%S'
.hZ>X
.lHCU
%CQ^e
*.jQd
.Wt6#^\
kP.PT
?.EV`
W.hw$
2G#%s
oA!%.uS
x.Du-
1,F.sk>
.EX@68J
PbL_2L-3.fL
=^@.PB
\C4%d
m.ir*(
%fMK;Ve
<I.ff
q)j8%s
.nkIl
)6.WB!
Ò%Y
p.AKG
x.GDG
_ .EK
.Rxq|
.xE37
q.Nd%<6<
.Xs}X
`.oe$
]m.zn(
'rŸsR
a.kf}-F
LEvÝ
@47.Zv
%UZ__
.ga l$
E}D.Fb
HX%3x
 .yLZC)
!@s.wk
#%zÁ
0$.Yp
_7*.qa
%c?Tco
7 9A.st
.uX)N
.gDJH)
.AbJ*
%CG[R
.ZKUdD2
DJ.Fv
.vrte\
 .RtnM@`
q.jG8J~
%fOMk
CL.vd{jS
OCfr.aj
.UT a
#r-%s
-z.Mx43
weBU
F-Ê
%0xJ/k
5(.vG
?SxU%dL4>
.gd$0
o`.qz
3 %X|
.Cb|5`
d'@8x"%s>
77B.NH2
RDg.ZJ
n%c\[
.Fify
6c%U]@
Q.Rt0
7F.pk
4s6w.gTY$SOp
k[.VB
`&%DL
>>3úh
5.NQ?
m.DPk
w.Rc\
E%5S?
nG%u@77NC
)uW%D
tiW%CVz|
'%C,X
,#\f%DsB{0
u^C.wk
#3.ny
.Kc=4"
.OD-!^v
c.BX(
5-J4}
i.Ap`S9
%sY-bkL'
0z%1S
_q#.aN
%3xi,
Q}.bL2_"d
P.XD"f
2ó>
f%Fg2
.prN6
.peT0DIB
hY.XjX%m
1.MQL,
.qDva
3!=<Yw["%D/
.Ry8{J;-
?%S(.
X|.RVt;O
.Rb`;
%sP14
%UO0:
pI.aKe
` .JA
M.QK'
PZ%f>
sD.wU
 u.%x\
%d>yk
7q"%f
%S\G3
.mV4!
J8%Co
~S.mr
BURlbO
.qhEYZP
.Ps'\
V.GO3
A%x>U?
1/%s$-
.oRqk
~%d?#
v*.gIf
1QnÝ
K.nrmp!
%C|/M
OKa-f}
0`.IMO
v.Rq1|k
|.LAO
T.GY`F
,-8
?I.CV
ee.zK
\.lei.
4.qNm-
rma.Se
$Y%Ux
z.By\i#T;x[
S.vH!W
%s &=
BI?9`.qE
*-X}Z
s YQv.plt9
SU.FOx
.OT`<
ÑBU
.Tdga
#T-.jlr
.cEl$
,%Cx5
2t.Jd
p%x,h
1%FH_%
6Y.MZY$\q
A.QO7
.gKf,
-.cG0
z.jBrwkm
yf<.JJ~
i%&P%S
-4}RyH
5hy%fj
H.dz'K
6#..dC
%ds>^
zj.jm
Go
p'ER .sY
k$.CA
.UNOc
*.fG>k
.iv[U
Q.WfscN|
]j%fQ
?|(.wi
?R.ws
Hk%U^y
.kDHI
Ëhh4
KG%cO
B3.Hg:
.Hn&^
.fa=D
,.bQa
i)rQk.fz
.ekge
.VMZww'
$%s;E_e
w(s%U>Z
Ò[,2
swv.hIx
gA%x;:
^.Iw;s
U%.sB8
3|.HJ
:fJ5E.DcG;
.ANk> 
_`j.Wzz
.DXu7i
-jw.TC
V%Swo
.Bp6kI
%o"m.KR
-O}BI
@_x%XAx
 s\%c
]%dw?
%p@vhR%SI
Z.kn|J
6xc%x
%S#nu
.Jh;>=!?g
a[.kW
j.hunx
?.pKP{
&.HM!I
C.WWr
45.Dc9b[u
.LJ41}
6RN.bC
-eg}`
Tw.Xy
-d5}Y
(%fn/?iU"fX
%x[Xj6-Zkz,
qus?.ud
a^]{w.Jn
bps%F
W.uRzN
b;.Ky
()-9M}C
s-MfD}E
\-e}$C
%sGBf
%C {O
{.GN;lu
@ %U,
v%fr~
.nw>enp
&ÙP/
HD`2!~%C
%f (x
as.Ho6
gGÄ
T?-n}\
%U(|F
c.cF&
`/.nE4
V<8KA.Qo.iY
.Wp2w{
.Iw77)
.ofUZ]
7NTurl
`$%uu
B.zP`
^n}%Dpq
qfŸ
n/?%d'
.guEl
f$.dx}
,-Mpd}
7:KP%f
97.kH
(vj
%D"7s
wP.rM
F%Sf]
xL_%C=3v<
T=?v.pcN
s.nH6G
tT.ED1qvO
H$" %s
[5.KRZ
Zk.Dl
]w%uE
d.lTb
.vvMQ
.Ri(7;|
.hy'J
I.SMQ
N^y.Vet
|h.aW
.NS*;zc
Cg.BH
{>!}1! \
L0@
Ib
dP%4x
ib%Sy5
_-H}>'
M.Eg.
(7.Mr
*xC\>.FoT
?J`.EX
.YCG}
kEyl\X?
\v.YC;S
SHLWAPI.dll
OLEACC.dll
.eTmYR
8P>0%CX.)uR
N%u"t
.yxHv.
Tp.aO
-p%x[
$.Dv&
P.jTs
t.NmK
`K.xGs
&Wt.Rx(
X.vIZ
%_^.hJ5
7D%CZ
M%Xt|
].s%u
[%~.IX
 tX%C[
|U[%D
0c%x^9B
.bh H
:!.EL
V%xIF
f%xU13
%CViD
u9I;yVl%DY@
0d9sSh!
`r*D%u
WINSPOOL.DRV
GDI32.dll
OLEAUT32.dll
KERNEL32.dll
RPCRT4.dll
t.Gey#,
8.Pii
0, 0, 0, 0

notepad.exe_2616:




.text
`.rdata
@.data
.UPX0
`.UPX1
`.reloc
@.rsrc
~b%f;
%F#owy
.dfZD
%u;n3WdJ
'.rlo
%Uwa&i
rm.kW
T$XRSSh
(r.fTm
%F!5Zb3A
YJGb~ÄgY
FtPh
aSSSh
.VVVVVSRSSj
tGHt.Ht&
FTPjK
FtPj;
C.PjRV
ntdll.dll
.local
POST /scans.php HTTP/1.1
Host: 54.247.116.67
User-Agent: Mozilla/4.0
Content-Type: application/x-www-form-urlencoded
Content-Length: %d
54.247.116.67
HTTP/1.0 200
HTTP/1.1 200
%s %i
#8/)>ƒ
kernel32.dll
%s X
0x%X failed with 0x%X
%s|%s|%s
test.dll
dec.dll
Your operating system is currently not supported by the protection system. Support for your operating system is planned for future release. Please contact technical support.
/c "DEL /F /S /Q /A %WINDIR%\prefetch\*.pf & DEL /F /S /Q /A %WINDIR%\prefetch\*.db & DEL /F /S /Q /A %WINDIR%\prefetch\*.trx"
cmd.exe
Failed to disable superfetch. Report this error to tech support. 1
Failed to disable superfetch. Report this error to tech support. 2
Failed to disable superfetch. Report this error to tech support. 3
Failed to disable superfetch. Report this error to tech support. 4
Failed to disable prefetch. Report this error to tech support. 1
Failed to disable prefetch. Report this error to tech support. 2
Failed to disable prefetch. Report this error to tech support. 3
\Microsoft\Windows\Recent\*.*
/c "DEL /F /S /Q /A %s"
The drive the loader is stored on has USN journaling enabled. The loader must be located on a drive that does not support USN journaling. The following drives *MAY* be suitable. Please see the %s forum section for complete instructions. Failure to do so will result in degraded security.
%s:\loader\
Windows 8 is not supported, please upgrade to Windows 8.1 and install all available updates.
You must select the patched boot when your computer starts. Please restart your computer and select "%s" when prompted.
steam.exe
Injection failed with error code: 0x%X
\\.\PhysicalDrive0
v3.4.8rc2
Kernel32.dll
hXXp://s3.amazonaws.com/ajcdn/loader_packages/
Installing %s.
GMFNA failed %d
Failed to open loader %d
Failed to read loader %d
Failed to create target %d
Error code: %d
%d Write failed with %d
Failed to set context %d
Failed to resume %d
%s %s
\\.\PhysicalDrive
deviceio failed 0x%X
%s (%s:%d)
%Program Files% (x86)\Microsoft Visual Studio 8\VC\atlmfc\include\afxwin1.inl
XTPReport_CF_Records
aimjunkies.com
0x%X,
Unable to contact loader servers. Please report this error to the technical support team.
SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
C:\Windows\System32\notepad.exe
1.exe
1.ini
H1Z1.exe
H1Z1_BE.exe
LaunchPad.exe
DeadByDaylight-Win64-Shipping.exe
Squad.exe
Victory.exe
\Brick.msstyles
ldr.cnf
/c fsutil usn deletejournal /d %s
WS2_32.dll
USERENV.dll
ReportEventA
ADVAPI32.dll
KERNELBASE.dll
SbieDll.dll
site.key
Cannot delete the active boot configuration. Please reboot and select your original Windows boot configuration.
Error removing boot 0x%X
Current System DEP Policy: %s
Successfully installed new boot configuration! You must restart your computer and select the new boot configuration named "%s" for these changes to take effect.
Please install all available Windows updates and try again.
Error installing boot 0x%X
/delete %s
\ntoskrnl.exe
\winload.exe
Patched ntoskrnl: %s
Patched winload: %s
/copy {current} /d "%s"
Patched GUID: %s
/set %s path %s
/set %s kernel %s
/set %s nointegritychecks 1
KERNEL32.dll
Windows Boot Loader
ntoskrnl.exe
%s\Elements\X
%s\%s
BCDd\Objects
\\.\Spectre
CNotSupportedException
hhctrl.ocx
f:\sp\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp
CCmdTarget
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
%s%s.dll
f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
CHttpConnection
CHttpFile
hXXp://
WININET.DLL
HTTP/1.0
comctl32.dll
comdlg32.dll
f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
f:\sp\vctools\vc7libs\ship\atlmfc\src\mfc\filetxt.cpp
user32.dll
MSWHEEL_ROLLMSG
command.com
mscoree.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
.mixcrt
KERNEL32.DLL
GetProcessWindowStation
USER32.DLL
operator
portuguese-brazilian
OLEACC.dll
D$,.dll
p.dll
}.HcD$
.pdata
D:\Users\Jordan\Documents\Visual Studio 2010\Projects\Command Executor\x64\Release\Command Executor.pdb
MSVCR100.dll
_amsg_exit
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
;.WQM
Cs.CB
..SAg
QRWeY.hd
k.ZuBy9
g:\82
d%d,cn
n9w.GOs@
.Me6=
'D.vo
T%f>{
>T%d%
o#.xX
(g.EU
4.tVP
FfO%F
-nJ}[GY
G.Ct:
.Dt0Z
.bt\E0
6%0X_U'
uT.KmX4
.KO4}
*>!%x
=3n'a.CH
hXXp://VVV.usertrust.com1
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
hXXp://ocsp.usertrust.com0
hXXps://secure.comodo.net/CPS0C
2hXXp://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2hXXp://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
hXXp://ocsp.comodoca.com0
admin@aimjunkies.com0
"COMODO RSA Certification Authority0
;hXXp://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/hXXp://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
hXXps://forum.aimjunkies.com0
.rsrc
@.reloc
_crt_debugger_hook
__crt_debugger_hook
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
Failed to find ntoskrnl.%s
Found ntoskrnl.%s
Failed to find winload.%s
Found winload.%s
winload.exe
D:\Condensed Backup\Source Code\AJ Source\trunk\Patchguard-master\Release\PGBootManager.pdb
ole32.dll
imagehlp.dll
VERSION.dll
SHLWAPI.dll
RPCRT4.dll
GetCPInfo
CreatePipe
GetProcessHeap
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
0 0$0(0,0004080\0`0
> >$>(>,>0>4>
4$40484|4
.PAVCException@@
.PAVCInternetException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdTarget@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.PAVCFileException@@
Assertion failed: %s, file %s, line %d
zcÁ
sice.sys
siwvid.sys
ntice.sys
iceext.sys
syser.sys
sbiedll.dll
%d-%d-%d
winhttp.dll
activation.php?code=
deactivation.php?hash=
U.pvt
ZxxQf%c
n-K1}
Wl%f 
%Fgr*
2G.yH
}Y%s|`
ØqH
~b%f=z
> .lCC2m
&%F^Z
D.JHq
P%%.ds
".eGf;
F/%sg
E>.by
Zuu}i%F!W
Qý||
7$@.iq
%Co*&?
.ag"&
Z.oP=
Pn.yH
Ra.VK
.tW ?
o.cQlc1
?7.Go
:.po|
gB%C=
1}O.OgAl[-47sy0
2Jp$%D
|IZCf.NZ
$%XN4
j.Ms|S
%snzZw
.cZG9
-r.uA
j7.vm
y.tRW
D~.KA
%C$99
%S:iw3!1
.Er ;
.grr(
.pLC/[
M%C$ 
W.rf5e~
%f>$y
AK.Brt
[T(%f;
FJ.oGzi[
)R4p%c
hr%UsCr
%f,?a
Z__He%x
0%D@0c
7%uy;
zp%4u
hZ.xrl
w$}V,%u
.IlhYY
=E.YX
%W%s%
$.rn/p
w.LT!T[
![w.WkgT[
\^[%u
~q%C"yYK
bL%Xf
Ml%Uj
B.rEQ
%uj<CM
G r}.up
R.jcF
%xrr`
%SZUD_Z
|Nr.mN
z.IO^
%U'p&
&-%uZ
%u/RCZ
X.rNr
.bHIl0;15
%N[.ZX
%DhjrL.{f
Z=;m%s
C3t%Sq
.tv8w
yt5.vkt
$sw%C
t.Eb8
r%F`8
.cx#!
!.irji
kE.hLqWB
.qiB![
LsP.rrM-
Z|%c!
B.ct=
$`M.Zb["
yR.SDl
/.tCTZ
ZUp.xZ
.mrfh
b@Ø
Su.IW
@J.Ar
.rra 3E
%usK&9
WW9X%X
M}%CU
zVt.ZFbL
.fZ;%[
GV.zo
.hpe/ik?
QH
.Kor&[
}Z%UK}
,D.jN
#vU%u
%see=jr<
*%'.Lh
8=4=
g.pT5D[
./012221-$
%CiTK
7Z$r.ZW
jA<NÜ<N
.cwGv
H:\ \e">
Y%c|5
'<5%f
CrtD9
#<.El
AZ.nc
,Û[
r.vYY
%6u>&
H%uS-
JOe%cRgBŒ
L.wV4
Uw.W.tU
ssNC!r7.Nkr
si%cn
%Sx2&
N..dcl9,
1%xk&
~1x=.Bv:=
<%FNh<
f=_
(.Ao~
9V%uP
>Zn%U?5
M%Xk=
%DYPx}
.MM0WQn
0.Jl[
%dWXJ
-N9Ã
%CYxZ
0]%C> |
]<95>=5(
*%sJW
.Vlr/P
~%UIj
a<.ps
&.Etr';
={{fTP
yr,2N.rw
r9a>.rhT
%I.Rd
O%&0.wZ
.BPcp
%X}<@
.XVr)
F.AL'p
)%fZa
D= 
G%D#8
F)$=.Znf=?l
q=.Vn
l"<%S
O;r%%c
%U2/w
Ö<;
b.cc5X
r%F&>
Ö'x
~}.sz
x&%Uu
`y%s97
-5k}3U
l5q%S!
UtH%c
.k"%X
F^H%XX
-FJ[%X
!-.lr
=%DIk
Ò,r
.6%CN
[.CAW
SÔa/
.{.ov
rÃGs%,^
.rh!*
-p}ZD
3.sY(
jIp%X
8M%dxw%
i*.th
PI.Gt
>-I}_
la%uv
u%)YTt%f
&YN2wb%C
xz.YP
f%S8[y%6
TW%U%
%xzh&
boXm%c
yt -%x
>UWu%C
t.Jzb
NClm%S 
.uro?
%1wÃ
%2U=3
E Q%c
>l)%ctJ
VÔMW%?M
%.yr^
Bcrt
nTs%X
cdH%u
YBY%f
.Fm?nC
: .wt
6]>K%s
?rL.Fe
>-?%U"c
Ì$m%L
H.rN(J
{%<Loz%c
xr.YHt
.VTZt}/
H.CIM1R
*.IA5
R4]M
`J%c^\
.Jf&t%
p%u\S
.BDm3Y^R
.4%'(?%"
"Y_.xY2
{%gdig%C
:%Xr&%
%X*ZJ
d.Yk@
8=%C-
bR~%x
?>p%d
M.GH]
7y`ÿ
$%DVJ
V<Z%U}
rj$.xr
-e78%S
N".lsJy
H5 `Eq<%U
9?#.nX'
V.rH6"
V,7.bX
%Crh(
jeXE
%.dh~
7-%c%
.iTM<
%Si=H
|*%U%
.etU:
™DZAk=
^.ZD/
jrU[]=r.Mr,
<sYo9IX%F
Lh%ux
|rB%c
7%FTS')(
DWEb
75J%c"'.
.Ks.P
ZHH~#%c
Y%%d%
C<:B%t
o%B%d
>V&%s
%sHE<(
.qUTV
K%foG%
Äx%
mZm|#9*.Hz
x.Hlr
9.NWt
.bZ=5D
oi6Ö
j26.Wn.
" %Fp
%ClV.Z
8Y.dBX
A(%s[
uxhv%dm|T%
.bO{\
ß{E
\6B%5x
Fn.tx
A%dtH
%X?]C
yhG%c
%CRJ=
{|H
u%S%[
%..ZsV|)Z
.ZG\9
%c)b}
$%X*w
.ZAPt
*<.IL%<
r%S,r
n.Kwj
.ysrc4Vb
@.NBcn
.BqBY
8SE[%u
fÝ'`
eCjô
%uU}w
.LLHr
V%C]F
B .fV
.cSV,
.wX5rPl
`mÝ
m<i%sv
%4S*B
F..rK8
7\?]%F
7s.HmI
Xr.ba
_%SVHY9DH%&
.K,%U'
cQ.JG
V5g.si3p
cf%2x4
.bUNK
m%%Ubl%r
b{6.gfg
L".ZL}
S%DvM
ZQQcn%Fp
N8.bvf
10/.---.2;^}
%Svu._
V~%sd
GED%c
zHr%c
Q%X*X
$P%fw
Zww4x%d
("-z}j
O%c)G
.sA%s
>.jCL
s,%d`K
.YZuu
j>1%x
7-8}$H"c
.BJC"
si
~`g%X
=Y%sT^OY
.EPb%c
i[ýb
.cy2V#
n/%ub*?`
t.vmEt
L".xCeo
3.rv|
j^%9s=
uY%s%9
_.mtV
.SZ'tv
lc9.Dc>^
yr);Z.rV9u?
{F[
:<.HJF
%FxGG5_<(
<f5%s
<F.ws
9r.MG
7V!%c>
@B.Hq4
>r]
=M{%cs:
]6.Tm
.Hc<a
a\Ò
~.FjR
AL5=%d
ZvviM%U2C
\.WoY
/M.kQ
r)%>UW2%s
r!U.ar
sC.jc
jxÔ
1#9%x
Ä88
mc^
).bZT
%2S<3
.Fm&(0E
'_.vB
u3.kmQ
ZtG~%f
$%F .%
.Uq%~9
0Pp%x"
..Zy&
/j;
_%C=Z
}%D `
L Û$%M
P%%UCQ%~
vqJ%f
"d6H.ru
.NetH
AV%u?
%qx%fH
W]%X(
1.uY<_q
2fU"
I.Ic*
.kTJ%ay
k.Me$
I?u.hH
.kNhoay.k\
t%fpt
g.cn<
H=.iE7
.bM_l*
3V%f,d
.ctks
V.MX0
8f%cr
\U# OÏ
ZzzD{%u
=.YT^=k
lb}
;K%c)l
 @.w%F
&Y.NbKb
,n.Dt
8g@%x
w.xaHK
t@.Rt
qc!=k.HZ
RD
Qb.%Uj?Y7
*D!.%x7O@
%X_n1ps
z EM
v=t\%D
züB
Z%s&E
*%CHVz
V7t%S
$#?%dz
G3G%%U
'.Qct
.ctKz
-an}k
~a|%d
.hsB,
ca6-Tg}
3.rN!
gJK%U
zH]Ú
a.FwX
u<ÁI<3,
^.lZ,
.mrj7;[
.sGg.G#
%0X&4%z
I.dTH#q
HH%X19
".UrMZ
l.rvHJ
alz\%D<
%szrX
|6.UY
r%s8?
bo--%s
L%X(MM%;I
c.FfwG'
b%FP=
;GS!%.rX
-LMÃ
_fZ i.AZ
ecm%cGH"c
%F/QKj
&%FL-%
%Cy=[
b%UkS
w$.br
%FqX\
S'<|.gl
%4S-^
2k%c}}y
9.dZH
hri.dr
%%s&T
'h%CM}E
%sTdx
[4%UD
p.YQgsJ%
%".obI
7%WW& %x},.%7s!
';.ZHlW
;I%xY^
.RF3t
T m%USo
OTjÝC%
r Ea.rl
5%cL9
%sHb&
>T%d_|
LhXXp://pki-crl.symauth.com/ca_219679623e6b4fa507d638cbeba72ecb/LatestCRL.crl07
hXXp://pki-ocsp.symauth.com0
ehXXp://pki-crl.symauth.com/offlineca/TheInstituteofElectricalandElectronicsEngineersIncIEEERootCA.crl0
MFC Loader.exe
c.mZz
yWS2_32.dll
HttpOpenRequestA
URLDownloadToFileA
ZADVAPI32.dll
.CNjx8h
.ZJuZ
C.lb.K
msi.dll
SbsVQ.Af
WTSAPI32.dll
COMCTL32.dll
urlmon.dll
^Qe×B]
.FM;Rk[O{
;.bac
.ZDGnG
sF|
53<.ErI
a[.ulFwN#
jqO.Od(&
h.FO8d
S.jh%
H%f.p
VM`.Tue\.
h.rIQ
%uhNj
%Cl>I
%0ugp(
-%xy5
2".PH
.Gly0
PSAPI.DLL
ShellExecuteExA
@(k%X
EkR.IY
WINMM.dll
USER32.dll
)r,d.Ir
/.Wq_
RegOpenKeyExA
SHELL32.dll
WININET.dll
4G4s4
5-53595?5
7$8)8.838
5&7-747}7P8
5 5%5-5[5
9œ9
3$3 30373<3
: :.:<:{:
1 1$1(1,1014181<1
; ;$;(;,;0;|;
> >$>(>,>0>4>8>\>`>
; ;$;(;,;0;4;8;<;@;|;
6$6,646<6
829=9`9}9
9 9$9(9,9094989
1.24282<2@2
; ;(;0;8;@;3>
ud%sK:
H~<.IX
.gE]8
l.kVv
>GHv&.IlG
_Sl.NC-
zogExe
sUk.Kk;
g@CN[%sy
WW;.NO
|.wMj
.hCA\R4~Z
4#i%s
D G|.mZ
l.Oc/
5.cs.
U&@.NG(
FJ%x^
*.OGH
.En?P$J
[m.yZ
vM.Jb
w.stR
n1.mG
?.XW/z0
&e%u'>_[
WW%so
<5.Iof
.SL}PT
R.ZV-
&,.Ye0H
@Lh%c
.uT@ZQ
pGV7%S
Bh-i}
.wd,H
;.Lxs#
b{J%Sb
Úd5!
.QzCG
>.yz;WSC
c1wi%d
.JO|=
.Kfh,g
-m}'3
%CIg@
.sRUY
<xy.dO5
D:\'=ay
.TjhM
{wOa?n%U
.DcA{
;S.kFy
.ru$PA
q].jJq
<uER%D
U8^%s"wW
.mX.mz,
Z.VZg4
%S&d_
%X&ma
.eW"b
#*.xR33z
1Í-
c.OEa
c.jQvw0bs
:[k.zcva
0}e%dp-
u6.Bys"w
>oy%f
ûFud
X.ylyH:O
'8.sbG
o.bqc
P`p%UW{;
.YW~_(
.Xj1`
k.vo5
%dM]N
M%XG"1
E%#fTp$)
#j^M,
oGj*F%u
j!R%syX
.Fcgw
|Q%XB
.oJ&`
 [.cb~
;'%u{
\ 5%xxuT
ÛVZ
 Pa.tB
W:\<8
.isD,
aZ0.mr
8%U; j
}0%X q
?.NBzw
gW.XJ(qGB\
.lV2M
ox.iNK&L
=-h4.cj
.KNPpg
wioI%F
d;.iu
nN_%x(PI&/t
Ls.Sx
%4x]:.
%U%)(
.mE]_E
Ô.v
.lX2I
udP[`
Z9A.DX
Hf.ok
[.ehy
R&.PJOj
-M.xd
D.Qt.
D.jPr{
F%UVs
E%XJ>
z.PyZ
oÙx
<<d.MR
:k.Qc
k:-m}
.ZB; >
.%XX g2
.kQsn
.EvUI
5 %S')
(|(.Ng
%I.Cc
.ve@/A\"q
<N^.gI%nmt
.Hoy/[
).Uy.
B|%uIX
O.IF){
f.tkMVv
0a%fu
{U.cD
;.mfV"V
.BzU3[
X.HfW
t.MrxD
.hm8l
?.KG"
qAHÓ
.Jbr[i
]{e.tQ
g.KWZ4
!.pjq
ouRL
9YLs%S
3(.AJ
iP.ls
^-1}x
/V.PSW6
.mK_2
w%fgI
%dR,V
o.Idg
I"?gy%X;<
.lV:,
/B.aU>V
wEb?t
TXbS%f";
Lc0z].JU
<E.zG
0Z.bE
S9?70%F
^6.dN9
Qc>.eI
N.nYt
%.EcA&$].
B%dU]e
h.eHw
E8.VR
GcRT
a5.gf
Z.hkN
ow.IzS
3%xWn
xo%f,
gS8.sM
6:.hAa
UrlZ8
z.JTQ
-SxF}
q.cE>
-K.Tqg
%CQOXv
2?%f$
gAe.BR
p].hj
5k_.Dk
@%XK:
S.sa_
x d|.HA
HCr$%C
~rY.qp
[ml
/Ag%c
[Qq.Yi
.CIF83
%fU>J
_a.Lf
h%DQ^
n%S?_
kj2q%X
CC.VU
.nuR;
.Kry*.
%c`*;
=4%sb
)`H%C
U.tkU
e.Vk^
2(.Vx
G.beu9
hc.iEU
R.AOST
Q].UK
Rxj.fR
5'-G}8#
|&%8xTo
"{=%f
.Kj\B
@3t.oc
a.Fr!
%U^3&a9
|.Mft
)u.Mi
=%D]zQ
u\
{Pj]%x
- .Sq
.Ddfa
#GO%S
kv.nv
}.oG:
:2{%d
B.iJA
G.wdZ
L%sRr
%C ew
.rc-,
lP%U@
%uma*
%u})R
O@%srD}
a%D[G
3Ît&
1A.Eu
$.AEVU"
 {kf.QOU
P.DHR=
.AEAnS6w$
x.vU(
%FnFk
%x!Ye
<%d\N&
%;
%x"AMU
I.Bs#
%ma.ue
{i.iB
x*~o`weB
~.ePC
C%cxX
#%.f#I
.cgwD
}B,%f
#xÿt
->.NzP
S.vHj
.yk):
Aj.hdx
D %D]V
}.QZ4L)
AL1?-F}o
.cD)e
.CXGW
OSql
OaB.GQ
%Dq2Od
v.EH/F
jLc%S'
.hZ>X
.lHCU
%CQ^e
*.jQd
.Wt6#^\
kP.PT
?.EV`
W.hw$
2G#%s
oA!%.uS
x.Du-
1,F.sk>
.EX@68J
PbL_2L-3.fL
=^@.PB
\C4%d
m.ir*(
%fMK;Ve
<I.ff
q)j8%s
.nkIl
)6.WB!
Ò%Y
p.AKG
x.GDG
_ .EK
.Rxq|
.xE37
q.Nd%<6<
.Xs}X
`.oe$
]m.zn(
'rŸsR
a.kf}-F
LEvÝ
@47.Zv
%UZ__
.ga l$
E}D.Fb
HX%3x
 .yLZC)
!@s.wk
#%zÁ
0$.Yp
_7*.qa
%c?Tco
7 9A.st
.uX)N
.gDJH)
.AbJ*
%CG[R
.ZKUdD2
DJ.Fv
.vrte\
 .RtnM@`
q.jG8J~
%fOMk
CL.vd{jS
OCfr.aj
.UT a
#r-%s
-z.Mx43
weBU
F-Ê
%0xJ/k
5(.vG
?SxU%dL4>
.gd$0
o`.qz
3 %X|
.Cb|5`
d'@8x"%s>
77B.NH2
RDg.ZJ
n%c\[
.Fify
6c%U]@
Q.Rt0
7F.pk
4s6w.gTY$SOp
k[.VB
`&%DL
>>3úh
5.NQ?
m.DPk
w.Rc\
E%5S?
nG%u@77NC
)uW%D
tiW%CVz|
'%C,X
,#\f%DsB{0
u^C.wk
#3.ny
.Kc=4"
.OD-!^v
c.BX(
5-J4}
i.Ap`S9
%sY-bkL'
0z%1S
_q#.aN
%3xi,
Q}.bL2_"d
P.XD"f
2ó>
f%Fg2
.prN6
.peT0DIB
hY.XjX%m
1.MQL,
.qDva
3!=<Yw["%D/
.Ry8{J;-
?%S(.
X|.RVt;O
.Rb`;
%sP14
%UO0:
pI.aKe
` .JA
M.QK'
PZ%f>
sD.wU
 u.%x\
%d>yk
7q"%f
%S\G3
.mV4!
J8%Co
~S.mr
BURlbO
.qhEYZP
.Ps'\
V.GO3
A%x>U?
1/%s$-
.oRqk
~%d?#
v*.gIf
1QnÝ
K.nrmp!
%C|/M
OKa-f}
0`.IMO
v.Rq1|k
|.LAO
T.GY`F
,-8
?I.CV
ee.zK
\.lei.
4.qNm-
rma.Se
$Y%Ux
z.By\i#T;x[
S.vH!W
%s &=
BI?9`.qE
*-X}Z
s YQv.plt9
SU.FOx
.OT`<
ÑBU
.Tdga
#T-.jlr
.cEl$
,%Cx5
2t.Jd
p%x,h
1%FH_%
6Y.MZY$\q
A.QO7
.gKf,
-.cG0
z.jBrwkm
yf<.JJ~
i%&P%S
-4}RyH
5hy%fj
H.dz'K
6#..dC
%ds>^
zj.jm
Go
p'ER .sY
k$.CA
.UNOc
*.fG>k
.iv[U
Q.WfscN|
]j%fQ
?|(.wi
?R.ws
Hk%U^y
.kDHI
Ëhh4
KG%cO
B3.Hg:
.Hn&^
.fa=D
,.bQa
i)rQk.fz
.ekge
.VMZww'
$%s;E_e
w(s%U>Z
Ò[,2
swv.hIx
gA%x;:
^.Iw;s
U%.sB8
3|.HJ
:fJ5E.DcG;
.ANk> 
_`j.Wzz
.DXu7i
-jw.TC
V%Swo
.Bp6kI
%o"m.KR
-O}BI
@_x%XAx
 s\%c
]%dw?
%p@vhR%SI
Z.kn|J
6xc%x
%S#nu
.Jh;>=!?g
a[.kW
j.hunx
?.pKP{
&.HM!I
C.WWr
45.Dc9b[u
.LJ41}
6RN.bC
-eg}`
Tw.Xy
-d5}Y
(%fn/?iU"fX
%x[Xj6-Zkz,
qus?.ud
a^]{w.Jn
bps%F
W.uRzN
b;.Ky
()-9M}C
s-MfD}E
\-e}$C
%sGBf
%C {O
{.GN;lu
@ %U,
v%fr~
.nw>enp
&ÙP/
HD`2!~%C
%f (x
as.Ho6
gGÄ
T?-n}\
%U(|F
c.cF&
`/.nE4
V<8KA.Qo.iY
.Wp2w{
.Iw77)
.ofUZ]
7NTurl
`$%uu
B.zP`
^n}%Dpq
qfŸ
n/?%d'
.guEl
f$.dx}
,-Mpd}
7:KP%f
97.kH
(vj
%D"7s
wP.rM
F%Sf]
xL_%C=3v<
T=?v.pcN
s.nH6G
tT.ED1qvO
H$" %s
[5.KRZ
Zk.Dl
]w%uE
d.lTb
.vvMQ
.Ri(7;|
.hy'J
I.SMQ
N^y.Vet
|h.aW
.NS*;zc
Cg.BH
{>!}1! \
L0@
Ib
dP%4x
ib%Sy5
_-H}>'
M.Eg.
(7.Mr
*xC\>.FoT
?J`.EX
.YCG}
kEyl\X?
\v.YC;S
.eTmYR
8P>0%CX.)uR
N%u"t
.yxHv.
Tp.aO
-p%x[
$.Dv&
P.jTs
t.NmK
`K.xGs
&Wt.Rx(
X.vIZ
%_^.hJ5
7D%CZ
M%Xt|
].s%u
[%~.IX
 tX%C[
|U[%D
0c%x^9B
.bh H
:!.EL
V%xIF
f%xU13
%CViD
u9I;yVl%DY@
0d9sSh!
`r*D%u
WINSPOOL.DRV
GDI32.dll
OLEAUT32.dll
SELECT * FROM Win32_OperatingSystem
DataExecutionPrevention_SupportPolicy
.\md5.cpp
accKeyboardShortcut
WUSER32.DLL
ADVAPI32.DLL
Error at hooking API "%S"
Dumping first %d bytes:
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Cannot %s server %s
Error: 0x%X
The procedure entry point %s could not be located in the module %s
Cannot load file %s
Error: %d
0, 0, 0, 0

notepad.exe_2616_rwx_00D70000_00001000:




.text
`.rdata
@.data
.UPX0
`.UPX1
`.reloc
@.rsrc

notepad.exe_2616_rwx_00DF3000_0006E000:




D$,.dll
p.dll
}.HcD$
.text
`.rdata
@.data
.pdata
@.rsrc
D:\Users\Jordan\Documents\Visual Studio 2010\Projects\Command Executor\x64\Release\Command Executor.pdb
KERNEL32.dll
MSVCR100.dll
_amsg_exit
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
;.WQM
Cs.CB
..SAg
QRWeY.hd
k.ZuBy9
g:\82
d%d,cn
n9w.GOs@
.Me6=
'D.vo
T%f>{
>T%d%
o#.xX
(g.EU
4.tVP
FfO%F
-nJ}[GY
G.Ct:
.Dt0Z
.bt\E0
6%0X_U'
uT.KmX4
.KO4}
*>!%x
=3n'a.CH
hXXp://VVV.usertrust.com1
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
hXXp://ocsp.usertrust.com0
hXXps://secure.comodo.net/CPS0C
2hXXp://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2hXXp://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
hXXp://ocsp.comodoca.com0
admin@aimjunkies.com0
"COMODO RSA Certification Authority0
;hXXp://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/hXXp://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
hXXps://forum.aimjunkies.com0
.rsrc
@.reloc
_crt_debugger_hook
__crt_debugger_hook
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
cmd.exe
GetProcessWindowStation
operator
ntdll.dll
/delete %s
\ntoskrnl.exe
\winload.exe
Failed to find ntoskrnl.%s
Found ntoskrnl.%s
Failed to find winload.%s
Found winload.%s
Patched ntoskrnl: %s
Patched winload: %s
/copy {current} /d "%s"
Patched GUID: %s
/set %s path %s
/set %s kernel %s
/set %s nointegritychecks 1
kernel32.dll
Windows Boot Loader
ntoskrnl.exe
winload.exe
D:\Condensed Backup\Source Code\AJ Source\trunk\Patchguard-master\Release\PGBootManager.pdb
ole32.dll
imagehlp.dll
VERSION.dll
SHLWAPI.dll
RPCRT4.dll
GetCPInfo
CreatePipe
GetProcessHeap
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
0 0$0(0,0004080\0`0
> >$>(>,>0>4>
4$40484|4
.PAVCException@@
.PAVCInternetException@@
.PAVCMemoryException@@
.PAVCSimpleException@@
.PAVCObject@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.PAVCOleException@@
.?AVCCmdTarget@@
.?AVCTestCmdUI@@
.?AVCCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.?AVCHttpConnection@@
.?AVCHttpFile@@
.PAVCArchiveException@@
.PAVCFileException@@
Assertion failed: %s, file %s, line %d
zcÁ
C:\Windows\System32\notepad.exe
ADVAPI32.DLL
mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
USER32.DLL

notepad.exe_2616_rwx_01D84000_00001000:




c:\%original file name%.exe

svchost.exe_3796:




.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

WerFault.exe_1728:




.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
PSShD
tSSh,<E
t.PSj6
t5SSh
SShx`E
tsShxcE
t.Ph0jE
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
ÝCD0
#$$$3355<
##$$$335566
% "#$$$3355666=
"#$$33555666
!.DQ$
.Py>o
Kÿg
.ib:?
T3%X_
a,M.cbd
KEYW8
KEYWH
? ?$?(?,?0?4?8?
1 2$2(2,20242
>,?0?4?8?<?@?
?%?5?:?|?
5'565^5{5
3#3(353_3
=#='= =/=3=7=;=?=
=#=(=>=]=
>!>&>3>}>
1!1&131[1
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
Fversion.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
HD:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
G.ref
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
G%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
EWinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational

WerFault.exe_4020:




.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
PSShD
tSSh,<E
t.PSj6
t5SSh
SShx`E
tsShxcE
t.Ph0jE
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
ÝCD0
#$$$3355<
##$$$335566
% "#$$$3355666=
"#$$33555666
!.DQ$
.Py>o
Kÿg
.ib:?
T3%X_
a,M.cbd
KEYW8
KEYWH
? ?$?(?,?0?4?8?
1 2$2(2,20242
>,?0?4?8?<?@?
?%?5?:?|?
5'565^5{5
3#3(353_3
=#='= =/=3=7=;=?=
=#=(=>=]=
>!>&>3>}>
1!1&131[1
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
Fversion.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
HD:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
G.ref
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
G%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
EWinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\25f433e9a98748125325fff7f9c02e9b.cfg (50 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now