MD5: 40accddf1913377216a4438472c6fb68
SHA1: 7f559fc24ed84c4a8edda92299d31c616df940c8
SHA256: 5d46f7273ce25576bde513b83718a9967a8757529d644f791e743c405525ef3c
SSDeep: 12288:UDdUcnPYUjGDB8YaDwC1ol5BL7DrBWoVw0LvK3jtHhiTn4F5ErkJZs3w:UDdU YdDB8YIwCOl5BL7RW4wuv jDQ7O
Size: 782280 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, MicrosoftVisualC, MicrosoftVisualCv50v60MFC, MicrosoftVisualC50, Armadillov171
Company: Canon IT Solutions Inc.
Created at: 2002-08-02 10:01:18
Analyzed on: Windows7Ada SP1 64-bit

Summary:

Worm. A program that is primarily replicating on networks or removable drives.

Payload

Process activity

The Worm creates the following process(es):

%original file name%.exe:3304
egui.exe:2604
ekrn.exe:2988
DrvInst.exe:3772
DrvInst.exe:2880
DrvInst.exe:3456
DrvInst.exe:612
DrvInst.exe:2152
DrvInst.exe:1664
Setup.exe:1408
Setup.exe:2788
mobsync.exe:1416
MsiExec.exe:704
MsiExec.exe:3464
MsiExec.exe:3000

The Worm injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3304 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft2463.tmp\pftw1.pkg (550 bytes)
%Program Files% (x86)\ESET\CITSINST\SetupNotification.xml (197 bytes)
%Program Files% (x86)\ESET\CITSINST\Setup.exe (174574 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext2443.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf2442.tmp (4 bytes)
%Program Files% (x86)\ESET\CITSINST\SetupLauncherV2.xml (4 bytes)
%Program Files% (x86)\ESET\CITSINST\eula_ess.txt (20 bytes)

The process ekrn.exe:2988 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\ProgramData\ESET\ESET Smart Security\Logs\epfwlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\urllog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB (389233 bytes)
C:\Windows\System32\drivers\eamonm.sys (245 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwUser.dat (720 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata.dat (676 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwTmp2.dat (23 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\ipstree.db-journal (544 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc1.bin.full.2014.11.03.05.11.43 (852 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\ipstree.db (5 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc21.bin.full.2014.10.15.23.36.04 (1 bytes)
C:\ProgramData\ESET\ESET Smart Security\epfwdata.bin (258 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\virlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\local.db (244143 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\hipslog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\parentallog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\warnlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\spamlog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\sc2.bin.full.2005.02.11.04.44.13 (9 bytes)
C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata2.dat (394 bytes)
%Program Files%\ESET\ESET Smart Security\emesj007_32.dat (176 bytes)
C:\Windows\System32\drivers\edevmon.sys (241 bytes)
C:\ProgramData\ESET\ESET Smart Security\EpfwTemp.dat (285 bytes)
C:\ProgramData\ESET\ESET Smart Security\HipsRules.bin (168 bytes)
%Program Files%\ESET\ESET Smart Security\speclean.new (589 bytes)
C:\ProgramData\ESET\ESET Smart Security\Logs\devctrllog.dat (60 bytes)
C:\ProgramData\ESET\ESET Smart Security\HipsRules.xml (32 bytes)
C:\ProgramData\ESET\ESET Smart Security\local.db-journal (544 bytes)

The process DrvInst.exe:3772 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\DriverStore\FileRepository\epfw.inf_amd64_neutral_d20c42e70c913283\epfw.PNF (6492 bytes)
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5541.tmp (1 bytes)
C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5540.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1688 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\inf\oem13.inf (1 bytes)

The process DrvInst.exe:2880 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624C.tmp (5 bytes)
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624B.tmp (8 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1867 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1836 bytes)
C:\Windows\inf\oem16.inf (5 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\System32\DriverStore\FileRepository\edevmon.inf_amd64_neutral_b3219a1046723b4d\edevmon.PNF (5703 bytes)

The process DrvInst.exe:3456 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\DriverStore\infpub.dat (248 bytes)
C:\Windows\inf\oem9.inf (1 bytes)
C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET5206.tmp (1 bytes)
C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET51F6.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1532 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (308 bytes)
C:\Windows\System32\DriverStore\FileRepository\ehdrv.inf_amd64_neutral_de35935fbadc0b42\ehdrv.PNF (5619 bytes)

The process DrvInst.exe:612 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\inf\oem15.inf (2 bytes)
C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D4.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (2396 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1867 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D5.tmp (2 bytes)
C:\Windows\System32\DriverStore\FileRepository\eamonm.inf_amd64_neutral_6def4c43f49cc607\eamonm.PNF (6779 bytes)

The process DrvInst.exe:2152 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5735.tmp (2 bytes)
C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwlwf.inf_amd64_neutral_82eebfb309dd569f\epfwlwf.PNF (4666 bytes)
C:\Windows\inf\oem14.inf (2 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (2492 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1331 bytes)
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5734.tmp (8 bytes)
C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5736.tmp (44 bytes)

The process DrvInst.exe:1664 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53D9.tmp (8 bytes)
C:\Windows\System32\DriverStore\infpub.dat (248 bytes)
C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53DA.tmp (1 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_neutral_30e8a68da2d9957f\epfwwfp.PNF (8695 bytes)
C:\Windows\inf\oem12.inf (1 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (1920 bytes)
C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
C:\Windows\System32\DriverStore\infstor.dat (884 bytes)

The process Setup.exe:1408 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ess_nt64_JPN.msi (10848492 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\cfg[1].xml (145 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cfg.xml (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\CheckDriver64[1].exe (225705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DownloadConfig.xml (388 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\ess_nt64_JPN[1].msi (40838206 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ESETDebugLog.txt (151204 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\DownloadConfig[1].xml (1321 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CheckDriver64.exe (61540 bytes)

The process Setup.exe:2788 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\eula_ess.txt (20 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherV2.xml (196 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Setup[1].dat (4878362 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherV2[1].xml (241 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupNotification[1].xml (73 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ESETDebugLog.txt (29202 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherVer.xml (759 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupNotification.xml (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup.exe (1298341 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherVer[1].xml (759 bytes)

The process MsiExec.exe:704 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Installer\MSIF1F1.tmp (708 bytes)
C:\Windows\Installer\MSIF1E1.tmp (708 bytes)
C:\Windows\Installer\MSIF260.tmp (708 bytes)
C:\Windows\Installer\MSIFCB3.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inxF141.tmp (33 bytes)
C:\Windows\Installer\MSIF104.tmp (708 bytes)
C:\ProgramData\ESET\ESET Smart Security\Installer\c8a.msi (638042 bytes)
C:\Windows\Installer\MSIF172.tmp (708 bytes)
C:\Windows\Installer\MSI7DF6.tmp (708 bytes)
C:\Windows\Installer\MSIF37A.tmp (708 bytes)
C:\Windows\Installer\MSI7D2A.tmp (708 bytes)

The process MsiExec.exe:3464 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Windows\Installer\MSI7894.tmp (180 bytes)

The process MsiExec.exe:3000 makes changes in the file system.
The Worm creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3839.tmp (1327 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386A.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12EA.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D1.tmp (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C51.tmp (277 bytes)
%Program Files%\ESET\ESET Smart Security\msvcp110.dll (663 bytes)
%Program Files%\ESET\ESET Smart Security\em023_32.dat (31071 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3939.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E91.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BFF.tmp (4073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138C.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1634.tmp (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP386B.tmp (47 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126A.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FB.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DB.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E49.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35CC.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EE.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13C0.tmp (21585 bytes)
%Program Files%\ESET\ESET Smart Security\em006_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1134.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DC8.tmp (36 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1114.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E5E.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1258.tmp (260 bytes)
C:\Windows\System32\drivers\SET54B5.tmp (63 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39EC.tmp (3905 bytes)
C:\Windows\System32\DriverStore\infpub.dat (1488 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3829.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D40.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD2.tmp (8 bytes)
C:\Windows\Installer\MSI5380.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B49.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39C9.tmp (616 bytes)
%Program Files%\ESET\ESET Smart Security\em004_32.dat (7726 bytes)
%Program Files%\ESET\ESET Smart Security\em031_32.dat (3361 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B4A.tmp (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FA1.tmp (749 bytes)
C:\Windows\System32\catroot2\dberr.txt (4929 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3925.tmp (509 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130D.tmp (272 bytes)
C:\Windows\Installer\MSIFCE3.tmp (708 bytes)
C:\Windows\Installer\MSIFCE4.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1D4B.tmp (34578 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1223.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C50.tmp (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DA0.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DCA.tmp (2938 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36DA.tmp (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DA5.tmp (209 bytes)
C:\Windows\System32\DriverStore\FileRepository\epfwlwf.inf_amd64_neutral_82eebfb309dd569f\epfwlwf.PNF (3650 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4557.tmp (135 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP14AC.tmp (29628 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4C.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D5.tmp (255 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38F5.tmp (2772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BEF.tmp (3821 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC6.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1248.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A6A.tmp (996 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4A.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FB2.tmp (2628 bytes)
C:\Windows\System32\drivers\SET52E0.tmp (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EF.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F8F.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A9.tmp (1 bytes)
C:\Windows\Installer\MSIF59F.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1194.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1212.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP394A.tmp (3268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP138B.tmp (672 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3827.tmp (279 bytes)
%Program Files%\ESET\ESET Smart Security\em015_32.dat (6 bytes)
%Program Files%\ESET\ESET Smart Security\em001_32.dat (4545 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4526.tmp (301 bytes)
%Program Files%\ESET\ESET Smart Security\msvcr110.dll (851 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6218.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B7A.tmp (8729 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CB4.tmp (4 bytes)
C:\Windows\Installer\MSI56DC.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F18.tmp (54 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDD.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1635.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1667.tmp (75333 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DF4.tmp (12604 bytes)
C:\Windows\System32\drivers\SET61D3.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C7.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CEA.tmp (1038 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1400.tmp (22384 bytes)
C:\Windows\Installer\MSIF4B4.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E92.tmp (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B47.tmp (112 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF13B0.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3828.tmp (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3ED6.tmp (3 bytes)
%Program Files%\ESET\ESET Smart Security\em020_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D0A.tmp (2 bytes)
C:\Windows\Installer\MSIF5CF.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11FF.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D61.tmp (2380 bytes)
%Program Files%\ESET\ESET Smart Security\em018_32.dat (1425 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5F.tmp (1648 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DFA.tmp (3917 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12B2.tmp (295 bytes)
%Program Files%\ESET\ESET Smart Security\em006_64.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38C0.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35DE.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE2.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F90.tmp (27 bytes)
C:\Windows\System32\drivers\SET590B.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F91.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11A4.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5507.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131F.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DB8.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1331.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF387E.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B7.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A2.tmp (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3C0C.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1259.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36EB.tmp (102 bytes)
C:\Windows\System32\drivers\SET565B.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126B.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3937.tmp (258 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D50.tmp (1848 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387D.tmp (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A8.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E6F.tmp (1881 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13AF.tmp (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B6.tmp (280 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C84.tmp (1399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1222.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127F.tmp (294 bytes)
C:\Windows\Installer\MSI636D.tmp (708 bytes)
C:\Windows\System32\config\SYSTEM.LOG1 (10099 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E48DDEA3BF68DF580551FA0F27950B54 (1328 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F19.tmp (286 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3826.tmp (102 bytes)
%Program Files%\ESET\ESET Smart Security\em009_64.dat (8281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1646.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1367.tmp (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1247.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39CA.tmp (271 bytes)
%Program Files%\ESET\ESET Smart Security\em010_32.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C8B.tmp (3279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1101.tmp (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF132F.tmp (252 bytes)
%Program Files%\ESET\ESET Smart Security\em003_32.dat (7547 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1342.tmp (274 bytes)
%Program Files%\ESET\ESET Smart Security\em018_64.dat (673 bytes)
C:\Windows\Installer\MSI518C.tmp (708 bytes)
%Program Files%\ESET\ESET Smart Security\em000_64.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E8.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F8E.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FC.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DD1.tmp (169 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3F.tmp (35 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1379.tmp (290 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E4B.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DA.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1366.tmp (282 bytes)
C:\Windows\Installer\MSI6205.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1290.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4546.tmp (802 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6217.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1355.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5D.tmp (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127D.tmp (264 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3869.tmp (108 bytes)
C:\Windows\Installer\MSI4F0B.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35CB.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D2B.tmp (214 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A8E.tmp (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126D.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DE3.tmp (12 bytes)
C:\Windows\System32\DriverStore\infstrng.dat (5088 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BC9.tmp (182 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CB5.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET539E.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET538D.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138A.tmp (285 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39DB.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EA3.tmp (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A9F.tmp (2077 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CD9.tmp (1063 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE4.tmp (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1102.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DC9.tmp (260 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D3E.tmp (252 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D3.tmp (15 bytes)
%Program Files%\ESET\ESET Smart Security\em017_64.dat (30427 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A8D.tmp (37 bytes)
%Program Files%\ESET\ESET Smart Security\em009_32.dat (7726 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C0B.tmp (81 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D0B.tmp (267 bytes)
%Program Files%\ESET\ESET Smart Security\em002_32.dat (259130 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB5.tmp (1840 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3926.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36FC.tmp (1386 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386C.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6071.tmp (2 bytes)
%Program Files%\ESET\ESET Smart Security\em008_64.dat (4185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C4.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1235.tmp (301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A7B.tmp (553 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4E62.tmp (9890 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131E.tmp (267 bytes)
C:\Windows\System32\config (768 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3ED7.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126C.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1378.tmp (66 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387F.tmp (2200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC8.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP473E.tmp (1555561 bytes)
C:\Windows\System32\drivers\SET633B.tmp (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35DD.tmp (94 bytes)
%Program Files%\ESET\ESET Smart Security\em024_32.dat (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4547.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDE.tmp (261 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38BF.tmp (100 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C3.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD3.tmp (282 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP396A.tmp (3607 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DA1.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C1D.tmp (3124 bytes)
C:\Windows\System32\config\SYSTEM (10952 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5506.tmp (8 bytes)
C:\Windows\Installer\MSI797F.tmp (708 bytes)
C:\Windows\Installer\MSIFD24.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11ED.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FC.tmp (2 bytes)
%Program Files%\ESET\ESET Smart Security\updater.dll (507 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38E4.tmp (2920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D7.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F7C.tmp (29 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1234.tmp (288 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4569.tmp (1634611 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BFB.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1330.tmp (253 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6070.tmp (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C8.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1353.tmp (273 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1200.tmp (259 bytes)
%Program Files%\ESET\ESET Smart Security\em021_32.dat (15019 bytes)
%Program Files%\ESET\ESET Smart Security\em000_32.dat (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDC.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E90.tmp (269 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD4.tmp (564 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B5.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B48.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD5.tmp (278 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127E.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF139E.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1246.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BFA.tmp (714 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C5.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3938.tmp (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E9.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C64.tmp (2437 bytes)
%Program Files%\ESET\ESET Smart Security\em015_64.dat (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36EC.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C3F.tmp (198 bytes)
C:\Windows\Installer\MSI54E8.tmp (708 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (1024 bytes)
%Program Files%\ESET\ESET Smart Security\em022_32.dat (1281 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C52.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1354.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BE8.tmp (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF14CC.tmp (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BCA.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC5.tmp (71 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP139D.tmp (40 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A7C.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130C.tmp (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FD.tmp (44 bytes)
%Program Files%\ESET\ESET Smart Security\em019_32.dat (1281 bytes)
%Program Files%\ESET\ESET Smart Security\em028_64.dat (8 bytes)
%Program Files%\ESET\ESET Smart Security\em005_32.dat (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36D9.tmp (1 bytes)
C:\Windows\Installer\MSIFD04.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1211.tmp (271 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1103.tmp (276 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E8F.tmp (3 bytes)
%Program Files%\ESET\ESET Smart Security\em008_32.dat (3073 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FB.tmp (277 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F7D.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39DA.tmp (93 bytes)
%Program Files%\ESET\ESET Smart Security\em017_32.dat (30427 bytes)
C:\Windows\inf\oem14.PNF (4666 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3AEE.tmp (2575 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3D.tmp (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4525.tmp (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1365.tmp (256 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF10F1.tmp (285 bytes)
C:\Windows\Installer\MSI7CF9.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP40EF.tmp (1577253 bytes)
C:\Windows\Temp\OLD60E6.tmp (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F08.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DB7.tmp (79 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38D2.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4558.tmp (294 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DA6.tmp (265 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BE9.tmp (301 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E48DDEA3BF68DF580551FA0F27950B54 (573 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11D9.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F07.tmp (853 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DC.tmp (295 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D6.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1647.tmp (279 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C40.tmp (283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B36.tmp (262 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B35.tmp (401 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B5A.tmp (7861 bytes)
C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3936.tmp (52 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1389.tmp (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1193.tmp (277 bytes)
C:\Windows\Installer\MSI637E.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A6B.tmp (294 bytes)
C:\Windows\Installer\MSI6030.tmp (708 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F1A.tmp (1597880 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDB.tmp (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35EE.tmp (1185 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3EA4.tmp (268 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB6.tmp (2390 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC7.tmp (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP389F.tmp (2901 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D2C.tmp (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C53.tmp (277 bytes)
C:\Windows\System32\drivers\SET5FEE.tmp (89 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38E3.tmp (289 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A1.tmp (286 bytes)

Registry activity

The process egui.exe:2604 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\ESET\ESET Security\CurrentVersion\Plugins\01000800]
"OutlookIntegrationChangeCounter" = "96847905"

The process ekrn.exe:2988 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\eamonm\Parameters]
"Flags" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"PluginId" = "16777474"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020104]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"DisplayName" = "EPFW POP3スキャナの設定"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"ModuleID" = "16778752"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\SoftGrid\4.5\Client\AppFS\ServiceInclusions]
"Eset" = "ekrn"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"StartFailSettings" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ArchivesBuild" = "1202"

[HKLM\System\CurrentControlSet\Services\ehdrv\Parameters]
"Flags" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010106]
"DisplayName" = "アイドル状態検査"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ei2" = "Type: REG_QWORD, Length: 8"
"ei3" = "Type: REG_QWORD, Length: 8"
"ei1" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroup" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ei4" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"ActionCode" = "2"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"PluginId" = "16777728"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"ScannerBuild" = "21372"
"AdvheurBuild" = "1119"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"Path" = "Filters/Web/HTTP"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"SMTP_Flags" = "4"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01030200]
"DisplayName" = "EPFW HTTPスキャナの設定"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"TriggerSettings" = "327680"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"Path" = "Filters/File/AMON"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"RegistrationHiddenFields" = "24576"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"PluginId" = "16777474"

[HKLM\System\CurrentControlSet\Control\Session Manager\Environment]
"ESET_OPTIONS" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000300\Profiles\@My profile]
"SmonModuleBuild" = "1036"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010104]
"DisplayName" = "ドキュメント保護の設定"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"UpdateServerGroupOld" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\100]
"LastExec" = "1422540389"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010104]
"Path" = "Filters/File/DMON"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"TranslatorBuild" = "1331"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\System\CurrentControlSet\services\edevmon\Parameters]
"Flags" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020102]
"PluginId" = "16777474"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerBuild" = "21372"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersion" = "10817 (20141203)"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010107]
"Path" = "Scanners/File/FirstScan"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"UniqueID" = "54CA3E5D45534555"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"DisplayName" = "自動スタートアップファイルスキャナの設定"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020104]
"PluginId" = "16777474"

[HKCU\Software\ESET\ESET Security\CurrentVersion\Plugins\01000300]
"stats" = "00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020102]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020104]
"DisplayName" = ""

[HKLM\System\CurrentControlSet\services\eamonm]
"Start" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020101]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020102]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles]
"Enable" = "1"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0A 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\1]
"LastExec" = "1422540425"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"TriggerType" = "4"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"ScannerVersionId" = "10817"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010106]
"PluginId" = "16777472"
"Path" = "Scanners/File/IdleScanner"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\4]
"LastExec" = "1422540385"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"CleanerBuild" = "1133"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010101]
"PluginId" = "16777473"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"FailSafeServer" = "http://update.eset.com/eset_upd/"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Name" = "自動スタートアップファイルのチェック"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020201]
"DisplayName" = "EPFW IMAPスキャナの設定"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"RegistrationType" = "24"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010107]
"DisplayName" = "最初の検査"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Params" = "3C 3F 78 6D 6C 20 76 65 72 73 69 6F 6E 3D 22 31"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020103]
"Path" = "Filters/Email"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000300\Profiles\@My profile]
"SmonAutostart" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020103]
"PluginId" = "16777474"
"DisplayName" = ""

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings\RegisteringRequest]
"EvCode" = "01008645-A9D1-5461-6D69-472FE228CACD"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020201]
"Path" = "Filters/Email/IMAP"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler]
"TimeStamp" = "3305826572"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"Path" = "Filters/Email/POP3"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100\Profiles]
"Active" = "@Smart scan"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"CustomerCareProduct" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Flags" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"ScanExecuteAH" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings\RegisteringRequest]
"CustomCode" = "12"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"Path" = "Scanners/File/Startup"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\3]
"Enabled" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020200]
"PluginId" = "16777728"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010104]
"PluginId" = "16777475"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020201]
"PluginId" = "16777728"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Profiles\@My profile]
"InstallApp" = "ess_nt64_JPN.msi"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01020100]
"DisplayName" = ""

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010107]
"PluginId" = "16777472"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"PluginId" = "16777472"
"DisplayName" = "コンピュータの検査の設定"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000101\Profiles\@My profile]
"AutoStart" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"CrashDumpSupport" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"AuxParams" = "3C 21 5B 43 44 41 54 41 5B 3C 3F 78 6D 6C 20 76"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Engines]
"PerseusBuild" = "1671"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Tracing\ekrn_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000d00\Profiles\@My profile]
"Enable" = "1"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Info]
"SpecleanBuild" = "1010"

[HKLM\System\CurrentControlSet\Services\ehdrv\Parameters]
"EsjVer32" = "7"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000600\Profiles\@My profile]
"ProxyEnabled" = "2"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010102]
"PluginId" = "16778752"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000001\Profiles\@My profile]
"selfdefense" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scanners\01010100]
"Path" = "Scanners/File/On-demmand"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000F00\Settings]
"data" = "ED EE 31 1C 1D D9 27 14 2B 2A 20 1E 1F EC DB E8"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000800\Profiles\@My profile]
"OutlookIntegrationChangeCounter" = "946853755"

The Worm deletes the following registry key(s):

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\5]

The process DrvInst.exe:3772 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process DrvInst.exe:2880 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process DrvInst.exe:3456 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process DrvInst.exe:612 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process DrvInst.exe:2152 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process DrvInst.exe:1664 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

The process Setup.exe:1408 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadNetworkName" = "Network 4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadDecision" = "0"
"WpadDecisionTime" = "7E 25 E9 C8 CC 3B D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "26 56 74 73 CC 3B D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 41 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionTime" = "26 56 74 73 CC 3B D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoDetect"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{D186C145-D9FF-466B-8E22-09949D17DA4E}]
"WpadDetectedUrl"

The process Setup.exe:2788 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies]
"CachePrefix" = "Cookie:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History]
"CachePrefix" = "Visited:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content]
"CachePrefix" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadNetworkName" = "Network 3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDecision" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDecisionReason" = "1"

"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDecisionTime" = "6D A9 6D 45 CC 3B D0 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f3-c8-bd]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoDetect"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{9C99CCBB-10A0-4B2A-A5BE-4CAC43F74632}]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-f5-e5-a3]
"WpadDetectedUrl"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process mobsync.exe:1416 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"SyncTime" = "00 00 00 00 00 00 00 00"
"Connected" = "1"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr]
"StartAtLogin" = "0"

[HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr\HandlerInstances\{750FDF10-2A26-11D1-A3EA-080036587F03}]
"Enabled" = "1"

The process MsiExec.exe:704 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Exchange\Client\Extensions]
"Eset Outlook Plugin" = "4.0;C:\PROGRA~1\ESET\ESETSM~1\x86\EPLGOU~1.DLL;1;11010111111000"
"Outlook Setup Extension" = "4.0;Outxxx.dll;7;000000000000000;0000000000;OutXXX"

The Worm deletes the following value(s) in system registry:

[HKCU\Software\ESET\Setup]
"CAError"
"CADuration"

The process MsiExec.exe:3000 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\CLASS\{F12D3CF8-B11D-457E-8641-BE2AF2D6D204}]
"UpperFilters" = "edevmon"

[HKLM\System\CurrentControlSet\Control\Class\{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}]
"UpperFilters" = "ksthunk, edevmon"

[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterAdapterParams\AdapterParam]
"Type" = "int"

[HKCU\Software\ESET\Setup]
"CADuration" = "InstSupp!CompileModules=20|"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"HelpText" = "ESET NDIS 6.0 LightWeight Filter. This component provides network filtering in ESET Smart Security."

[HKCR\Drives\Shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"CoServices" = "EpfwLWF"
"FilterType" = "2"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{BFC85452-8E68-46B6-9D74-DEE1293E1BE9}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\epfwwfp\EpfwWfp.inf"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "ESET Smart Security - Context Menu Shell Extension"

[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterDriverParams\DriverParam]
"Type" = "int"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"TimeStamp" = "DF 07 01 00 04 00 1D 00 0E 00 06 00 12 00 D9 02"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"UpperBind" = "Ndisuio, RasPppoe, rspndr, lltdio, Tcpip"
"Export" = "\Device\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{71340F0E-B554-4C0C-B88A-E53829621ADD}]
"NoRemove" = "1"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi\Interfaces]
"UpperRange" = "noupper"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdateAttempt" = "1422540376"

[HKLM\System\CurrentControlSet\Control\Class\{50DD5230-BA8A-11D1-BF5D-0000F805F530}]
"UpperFilters" = "scfilter, edevmon"

[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterAdapterParams\AdapterParam]
"Default" = "10"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"RootDevice" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"

[HKCR\*\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\C802CA01BC3064BFC0510CC762FFAA20BFE8EC61]
"Blob" = "03 00 00 00 01 00 00 00 14 00 00 00 C8 02 CA 01"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PnP Filter" = "06 00 00 00 01 00 00 00 03 00 00 00 04 00 00 00"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"InstallTimestamp" = "DF 07 01 00 04 00 1D 00 0E 00 06 00 12 00 D9 02"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{BFC85452-8E68-46B6-9D74-DEE1293E1BE9}]
"DriverVer" = "09/11/2014, 8.0.300.0"

[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterDriverParams\DriverParam]
"ParamDesc" = "Driverparam for lwf"

[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"(Default)" = "%Program Files%\ESET\ESET Smart Security\shellExt.dll"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E978-E325-11CE-BFC1-08002BE10318}]
"LowerFilters" = "edevmon"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007]
"NetCfgInstanceId" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\5]
"TriggerSettings" = "1422541555"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"NDIS" = "18 00 00 00 01 00 00 00 02 00 00 00 03 00 00 00"

[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Export" = "\Device\NdisWan_{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\NdisWan_{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\NdisWan_{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\NdisWan_{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\NdisWan_{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\NdisWan_{CFCD29B3-A836-426F-8329-8362EC941293}"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0006\Linkage]
"FilterList" = "{B1422D78-82BA-4FD0-B38A-6203899A1A72}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"PNP_TDI" = "0A 00 00 00 05 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdateCertTimestamp" = "Type: REG_QWORD, Length: 8"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"FilterClass" = "compression"

[HKCR\Folder\ShellEx\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKLM\System\CurrentControlSet\services\eamonm\Instances]
"DefaultInstance" = "AmonMinifilter Instance"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"InstallTime" = "1422540376"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E967-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "PartMgr, edevmon"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{AA904D87-89F6-45E0-A250-58977AF033BC}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\eamonm\eamonm.inf"

[HKLM\System\CurrentControlSet\services\eamonm\Instances\AmonMinifilter Instance]
"Altitude" = "328700"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Plugins\01000400\Settings]
"LastUpdate" = "1422540376"

[HKLM\System\CurrentControlSet\Control\CLASS\{EEC5AD98-8080-425F-922A-DABF3DE3F69A}]
"UpperFilters" = "edevmon"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{F6834708-ABE2-4DD3-A2C5-5FF0D8FC8450}]
"NetComponentId" = "ESET_EpfwLWF"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0008\Linkage]
"FilterList" = "{360A33D7-AC4E-4F80-8799-45E95D991A99}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"FilterRunType" = "1"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"InfSection" = "Install"
"Characteristics" = "262144"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E96D-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "edevmon"

[HKLM\System\CurrentControlSet\services\edevmon\Instances\DevmonMinifilter Instance]
"Altitude" = "400800"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi]
"Service" = "EpfwLWF"

[HKLM\System\CurrentControlSet\Services\NdisWan\Linkage]
"Route" = "{D720734D-0C14-4C25-829D-F6B4814978B3}, {50CD5E3E-0F08-4519-A9EF-B9802ED12701}, {5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, {B22E8C55-CC74-4FBE-B907-F46D25953BEC}, {CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, {CFCD29B3-A836-426F-8329-8362EC941293}"
"Bind" = "\Device\{D720734D-0C14-4C25-829D-F6B4814978B3}, \Device\{50CD5E3E-0F08-4519-A9EF-B9802ED12701}, \Device\{5D403E7A-7554-4DD5-A8CF-7099B00A9E2D}, \Device\{B22E8C55-CC74-4FBE-B907-F46D25953BEC}, \Device\{CACEFAA3-95D9-4B5B-B275-FF35DF23713E}, \Device\{CFCD29B3-A836-426F-8329-8362EC941293}"

[HKLM\System\CurrentControlSet\Control\Class\{E0CBF06C-CD8B-4647-BB8A-263B43F0F974}]
"LowerFilters" = "edevmon"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"LocDescription" = "@oem14.inf,%epfwlwf_desc%;Epfw NDIS LightWeight Filter"

[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.app.log" = "4096"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\Scheduler\5]
"Enabled" = "1"

[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved]
"{B089FE88-FB52-11D3-BDF1-0050DA34150D}" = "ESET Smart Security - Context Menu Shell Extension"

[HKCR\Drive\shellex\ContextMenuHandlers\ESET Smart Security - Context Menu Shell Extension]
"(Default)" = "{B089FE88-FB52-11D3-BDF1-0050DA34150D}"

[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterDriverParams\DriverParam]
"Default" = "5"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"FSFilter Anti-Virus" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{C93C1454-258D-4656-AEDF-86147BCE4EF3}]
"DriverVer" = "07/18/2014, 8.0.103.0"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0007\Linkage]
"FilterList" = "{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}-{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}-0000, {4AB0D2BA-E805-472C-9283-2A108EC5CAE2}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000, {4AB0D2BA-E805-472C-9283-2A108EC5CAE2}-{B70D6460-3635-4D42-B866-B8AB1A24454C}-0000"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi\Interfaces]
"LowerRange" = "nolower"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"InfPath" = "C:\Windows\INF\oem14.inf"

[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"Base" = "15 00 00 00 0E 00 00 00 01 00 00 00 02 00 00 00"
"Streams Drivers" = "02 00 00 00 01 00 00 00 02 00 00 00"

[HKLM\System\CurrentControlSet\Control\Class\{36FC9E60-C465-11CF-8056-444553540000}]
"LowerFilters" = "edevmon"

[HKLM\System\CurrentControlSet\services\EpfwLWF\Parameters\NdisAdapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
"AdapterParam" = "10"

[HKLM\System\CurrentControlSet\services\EpfwLWF\FilterAdapterParams\AdapterParam]
"ParamDesc" = "Adapterparam for lwf"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{F6834708-ABE2-4DD3-A2C5-5FF0D8FC8450}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\epfwlwf\EpfwLwf.inf"

[HKLM\System\CurrentControlSet\services\eamonm\Instances\AmonMinifilter Instance]
"Flags" = "0"

[HKLM\SYSTEM\Setup\SetupapiLogStatus]
"setupapi.dev.log" = "4096"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{F6834708-ABE2-4DD3-A2C5-5FF0D8FC8450}]
"DriverVer" = "07/18/2014, 8.0.103.0"

[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}]
"(Default)" = "ESET Smart Security - Context Menu Shell Extension"

[HKLM\System\CurrentControlSet\services\edevmon\Instances]
"DefaultInstance" = "DevmonMinifilter Instance"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "edevmon"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\29\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]
"(Default)" = "ESET Setup"

[HKCR\Wow6432Node\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"(Default)" = "%Program Files%\ESET\ESET Smart Security\x86\shellExt.dll"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{2FA4DECB-D060-41F6-AFCC-770F7D0F1FFD}]
"DriverVer" = "07/18/2014, 8.0.103.0"

[HKLM\System\CurrentControlSet\Control\Network]
"Config" = "00 00 00 00 00 00 00 00 2B 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{2FA4DECB-D060-41F6-AFCC-770F7D0F1FFD}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\ehdrv\ehdrv.inf"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002bE10318}\0005\Linkage]
"FilterList" = "{0D252192-084F-4C37-8DED-14986BA82F63}-{B5F4D659-7DAA-4565-8E41-BE220ED60542}-0000"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{C93C1454-258D-4656-AEDF-86147BCE4EF3}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\epfw\epfw.inf"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"ComponentID" = "ESET_EpfwLWF"

[HKCR\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}\Ndi\Interfaces]
"FilterMediaTypes" = "ethernet"

[HKLM\System\CurrentControlSet\services\edevmon\Instances\DevmonMinifilter Instance]
"Flags" = "0"

[HKLM\SOFTWARE\ESET\ESET Security\CurrentVersion\InstalledVersionInfo\Groups]
"Groups" = "core,win,amon,epfw,antispam,systemstatus,hips,protoscan,parental,horus,lic_suite_c,iris,speclean"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{085DA68B-B60F-4A1D-80ED-247E78B67DAA}]
"DriverVer" = "07/18/2014, 8.0.103.0"

[HKLM\System\CurrentControlSet\services\eamonm]
"SupportedFeatures" = "3"

[HKLM\System\CurrentControlSet\Control\Network\{4d36e974-e325-11ce-bfc1-08002be10318}\{F7A0C547-B619-442B-8E5C-FD7D0E1B069D}]
"Description" = "Epfw NDIS LightWeight Filter"

[HKLM\System\CurrentControlSet\Control\Class\{4D36E980-E325-11CE-BFC1-08002BE10318}]
"UpperFilters" = "edevmon"

[HKLM\System\CurrentControlSet\services\EpfwLWF\Parameters\NdisAdapters\{4AB0D2BA-E805-472C-9283-2A108EC5CAE2}]
"InterfaceGuid" = "F4 CF E2 E5 F9 81 E4 11 A3 B3 00 50 56 21 01 74"

[HKCR\Wow6432Node\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}]
"(Default)" = "ESET Smart Security - Context Menu Shell Extension"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{AA904D87-89F6-45E0-A250-58977AF033BC}]
"DriverVer" = "07/31/2014, 8.0.105.0"

[HKCR\Wow6432Node\CLSID\{B089FE88-FB52-11D3-BDF1-0050DA34150D}\InProcServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\ESET\Setup\Drivers\{085DA68B-B60F-4A1D-80ED-247E78B67DAA}]
"Inf0" = "%Program Files%\ESET\ESET Smart Security\Drivers\edevmon\edevmon.inf"

The Worm deletes the following registry key(s):

[HKLM\System\CurrentControlSet\Control\Network\NetCfgLockHolder]

The Worm deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates]
"C802CA01BC3064BFC0510CC762FFAA20BFE8EC61"

[HKLM\System\CurrentControlSet\services\eamonm]
"DeleteFlag"

[HKLM\System\CurrentControlSet\services\ehdrv]
"DeleteFlag"

[HKLM\System\CurrentControlSet\services\edevmon]
"DeleteFlag"

[HKLM\System\CurrentControlSet\Services\ekrn]
"DeleteFlag"

[HKLM\System\CurrentControlSet\services\epfwwfp]
"DeleteFlag"

[HKLM\System\CurrentControlSet\services\epfw]
"DeleteFlag"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\epfw.sys" the Worm controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls loading executable images into a memory by installing the Load image notifier.
Using the driver "%System%\DRIVERS\ehdrv.sys" the Worm controls operations with a system registry by installing the registry notifier.

Propagation

VersionInfo

Company Name: Canon IT Solutions Inc.
Product Name: ESET Smart Security
Product Version: 8.0
Legal Copyright:
Legal Trademarks:
Original Filename: stub32i.exe
Internal Name: stub32
File Version: 8.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 23
ade12b7f6d249b7041a83d1e1ea0f538
91f5d4f37d60d820430034d5c9e5cd6a
06daf6ddb3e48031f93215e168f26dd8
03d284177b1d6ee5d2c4d3a46a0f034d
0bc91e0b13d6663d3120bb06a1c6871f
509b9f3a1d3d100c7ffbba3dd7979dbf
1c74d7b22e032778bb017edf9ac75291
a9dbb9d4402b929ddd45169cd1af361d
1a4abb53488268be17dd94040ad85a07
7dd7a25e422fa6f7c8efa63e16586ace
f0a9d972298a64b6d161628e1891e57c
fc0666a84dbeadc8a44e0957c2894099
814742fdf3c4d4774b7a0800c80f20d0
fdc372bc94375a8599fca86fa98ea17c
19ed66518c51eced1cfa0cb11e8aebfb
a754a01ed2f105f709425fc217db1e5c
13ed73d1b556d86cb0ff88bed0fbc76b
4a1531d0d0ee5bc704e66be394fa207c
4ed36626785be88e6ee85ba7ee96553a
46d7285a59eaf4e183fa42609b36d749
11599378a69e43886037507bc0f372a9
0c295b8872c939184ab0ac86395b5f50
cc77ef78fbe70e0595ed16e49aea8e7f

URLs

URL	IP
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupLauncherVer.xml	54.231.225.64
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/Setup.dat	54.231.225.64
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupLauncherV2.xml	54.231.225.64
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/SetupNotification.xml	54.231.225.64
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/DownloadConfig.xml	54.231.225.64
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver64.exe	54.231.225.64
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/cfg.xml	54.231.225.64
hxxp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/latest/ess_nt64_JPN.msi	54.231.225.64
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11d044446177b573
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c2cb19876e000e1
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEB/j3kABn4M6/11VuZjXEqg=
hxxp://a1363.dscg.akamai.net/pki/crl/products/microsoftrootcert.crl
hxxp://e10088.dscb.akamaiedge.net/pki/CRL/products/Microsoft Windows Hardware Compatibility PCA(1).crl
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl	87.245.202.16
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c=	23.42.27.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c2cb19876e000e1	87.245.202.24
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEB/j3kABn4M6/11VuZjXEqg=	23.42.27.27
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11d044446177b573	87.245.202.24
hxxp://www.microsoft.com/pki/CRL/products/Microsoft Windows Hardware Compatibility PCA(1).crl	23.64.223.148

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

SURICATA UDPv4 invalid checksum
SURICATA IPv4 invalid checksum
ET POLICY User-Agent (Launcher)
ET POLICY Executable served from Amazon S3
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBS56bKHAoUD+Oyl+0LhPg9JxyQm4gQUf9Nlp8Ld7LvwMAnzQzn6Aq8zMTMCEFIA5aolVvwahu2WydRLM8c= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1762

content-transfer-encoding: binary

Cache-Control: max-age=418493, public, no-transform, must-revalidate

Last-Modified: Tue, 27 Jan 2015 10:17:02 GMT

Expires: Tue, 3 Feb 2015 10:17:02 GMT

Date: Thu, 29 Jan 2015 14:05:30 GMT

Connection: keep-alive
0..........0..... .....0......0...0......;O}a.!..u...au..eUNp..2015012
7101702Z0s0q0I0... ...................B.>.I.$&.....e......0..C9...3
13..R...%V.......K3.....20150127101702Z....20150203101702Z0...*.H.....
........A8~....@.........C..l..2....#:....U.^.....`.DE.....!F....7..u.
.Q.r...!R......?......ajn...k.....K.(..ZmP..QK@........W.R..HP........
F..,...]%..zA.<..I.....K.?...Y.`.....\............:B.\......d....R.
e|..t.~.$...>3./m>.@.....ZM{?.....N......%b.{UUb>.t.q..4/....
0...0...0...........2...'U.BM...g.B0...*.H........0..1.0...U....US1.0.
..U....VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1(c) 2
006 VeriSign, Inc. - For authorized use only1E0C..U...<VeriSign Cla
ss 3 Public Primary Certification Authority - G50...141202000000Z..151
216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Sy
mantec Trust Network1?0=..U...6Symantec Class 3 PCA - G5 OCSP Responde
r Certificate 30.."0...*.H.............0...............2&..PL...,..2..
..:..tH...`JG.%..*...s.c%...?t..J..0.q....~..k@X.l.i....0..kk..h.9"1.5
?..s.....3[...u......]...R0..Z}....l..I.Y.....j\H.q...#.uw.4qz.#.J....
.@2$"..$l.B.......D.ye..(..2.........@...... ...."... E..0M,..b{.^..s'
....f.6.pr4.J........'j..........0...0...U.......0.0l..U. .e0c0a..`.H.
..E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...http:
//VVV.symauth.com/rpa0...U.%..0... .......0...U...........0... .....0.
.....0!..U....0...0.1.0...U....TGV-B-2760...U......;O}a.!..u...au..eUN
p0...U.#..0.....e......0..C9...3130...*.H.............(.&..Dgr.Ve.
<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTSqZMG5M8TA9rdzkbCnNwuMAd5VgQUz5mp6nsm9EvJjo/X8AUm7+PSp50CEB/j3kABn4M6/11VuZjXEqg= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.verisign.com

HTTP/1.1 200 OK

Server: nginx/1.4.7

Content-Type: application/ocsp-response

Content-Length: 1725

content-transfer-encoding: binary

Cache-Control: max-age=361385, public, no-transform, must-revalidate

Last-Modified: Mon, 26 Jan 2015 18:27:04 GMT

Expires: Mon, 2 Feb 2015 18:27:04 GMT

Date: Thu, 29 Jan 2015 14:05:30 GMT

Connection: keep-alive
0..........0..... .....0......0...0......u\..3Oo?U...H.....O!..2015012
6182704Z0s0q0I0... ...................F....0.yV......{&.K......&......
....@...:.]U.........20150126182704Z....20150202182704Z0...*.H........
.....D.go,....N...bE!.......4e.....gi.....k.D...k.............ba32x.x.
m....c.7..78WJ...l.Ge.{.....9.L. ...3(....c5..8..`{n:Fv.~?.S.........s
J.............7u>.yE.......EM.P.@E.h'.OK..).j{%:...."...F".E....\.y
..@./hwv..b}@D=....f..........nd........?C..........}p....0...0...0...
......./...nj0...}..i..0...*.H........0..1.0...U....US1.0...U....VeriS
ign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at h
ttps://VVV.verisign.com/rpa (c)101.0,..U...%VeriSign Class 3 Code Sign
ing 2010 CA0...141204000000Z..150304235959Z0..1.0...U....US1.0...U....
VeriSign, Inc.1.0...U....VeriSign Trust Network1:08..U...1VeriSign Cla
ss 3 Code Signing 2010 OCSP Responder0.."0...*.H.............0........
.4.4...........o....?..f.........I.!.b.L...L..U.........rM.,.....=..cR
4d.~*..k..x......=.WT.<.A2n1.qZyM.M..Q_...8....9....d.... ...'.....
....h..Z..I...(.b.jK..DO.ra..gb..j..A.(....mrzU.w.......Bv...l.:s..L..
..y.....u..n.)W......Y!....Q...,.i|.....:.Mu..DD1.........0...0...U...
.0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign
.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. 
by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U......
..0... .....0......0"..U....0...0.1.0...U....TGV-B-24600...*.H........
......pjd....VpE.6.tO..@.....7.=.. ...........hi.......>....Q.?
<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?11d044446177b573 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT

If-None-Match: "0b2464b1797cf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 304 Not Modified

Content-Type: application/octet-stream

Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT

ETag: "0b2464b1797cf1:0"

Cache-Control: max-age=86400

Date: Thu, 29 Jan 2015 14:05:30 GMT

Connection: keep-alive
....


GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?7c2cb19876e000e1 HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Mar 2014 20:20:10 GMT

If-None-Match: "0b96c77303ecf1:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: ctldl.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT

Accept-Ranges: bytes

ETag: "805a83f2b9cecf1:0"

Server: Microsoft-IIS/8.5

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 56928

Date: Thu, 29 Jan 2015 14:05:30 GMT

Connection: keep-alive
MSCF....`.......,...................I.................,E.Y .authroot.s
tl..Y-..8..CK...<T...g.v!M.d..f.%d..}K..5..F. ...T..%.,YJ.,!T......
_..x.<=O.....yy....;3..>.|..~..\.....|......;..8..~.za...."A...q
.......g..m......<X........j"I........!..-w.....w....P...H..(.?}..2
.N. .u..a. ...=.C..D.F>rC.. ..|).=.. ..3b.8H.M...(...u8.%...W.g...\
YB.m:.....dE.........V....$....Dn:....0...S."...o..q.....K...I..K...(x
%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,
....`0$z.@..&.x"....T..H...<........~..E..".....<<.\B(.......
..............@.....L.........KNAy8/"...f.......k..Jm7j....R.5q....Rz.
.!@...].......Y.[........4.. .D8..&...t.J^O..Q.._..1.J.m5<'k.,....%
T....i.\.;.;q..S./ 8.?Bu.............}D.Q....L....*..[.."e......15m...
_.0.M........#..v!..<...@..?sc.y....*.....tX[........{.W4.Q...^u@..
*..QP.......~.L9N....2r...4.....B..-\(...b.d...K...O.8..Un.......V.<
;.......A...V.....(..s..f..q.{N0.hS.,..;M.|G|.@.M.._.....7._6...C.0...
A;L....%...M=Y.....f.JV.(.5.....0..?*...KZ....jM...8.6U...#...ew.?..?.
..........WE.Or..O>..{.'W2.........3m.O.u..Z8....H4@.w}.o:?~....]&l
t;!...%....}@.d...L.p.a.g ..K."..N1!%..S.bT.H.-.....e..`.0$...0t..DX..
{.....#./...8.5..M...T.......D......V\C.zy.....3E:..>.{..).QW......
q....9..n..1....8%,.........r.p@.>. ...Q.?.p..7.?..7...&..!........
.`. .=....Sf..q.l.A.....L...t.}g..;...f....=.e.~.z....C..*R....H-..=..
.f..(t'.."....F...g._....n.J..U.4vr`}.....1..o@.....@.#...R. L8....z..
].|......3..y..-./....K..6{...s.<R`.}6....?.......-..@.g..S....
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/DownloadConfig.xml HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: 4FwE137l MHp61PRfhFRBpj8e9CObM2o2iKiZwaMp56ZUGBTTDp49S1bzBKaIgY8GXs96LqIQnc=

x-amz-request-id: 49FCC778966F35AB

Date: Thu, 29 Jan 2015 14:03:48 GMT

Last-Modified: Mon, 26 Jan 2015 03:02:52 GMT

ETag: "dfc4125c3b35ffd0f95bc1d5eef5461a"

Accept-Ranges: bytes

Content-Type: text/xml

Content-Length: 10768

Server: AmazonS3
<?xml version="1.0" encoding="UTF-8"?>..<DownloadConfig>..
.<PackageDownloadServerCount>16</PackageDownloadServerCount&g
t;...<Package00>....<PackageDownloadURL>hXXp://s3-ap-north
east-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver86.e
xe</PackageDownloadURL>....<PackageVersion>8.0</Package
Version>....<PackageName>Driver Check Tool</PackageName>
;....<PackageFileName>CheckDriver86.exe</PackageFileName>.
...<PackageFileSize>316</PackageFileSize>....<ProductTy
pe>1</ProductType>....<Architecture>0</Architecture&
gt;....<ExecType>2</ExecType>....<SaveFilePath>*USER
TEMP*CheckDriver86.exe</SaveFilePath>....<ExecCommand>*USE
RTEMP*CheckDriver86.exe</ExecCommand>....<PackageHash>4216
09822a77d8ac594125dcaa144b85</PackageHash>....<TargetOS>0&
lt;/TargetOS>....<ErrorSkip>0</ErrorSkip>...</Packag
e00>...<Package01>....<PackageDownloadURL>hXXp://s3-ap-
northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDrive
r64.exe</PackageDownloadURL>....<PackageVersion>8.0</Pa
ckageVersion>....<PackageName>Driver Check Tool</PackageNa
me>....<PackageFileName>CheckDriver64.exe</PackageFileName
>....<PackageFileSize>457</PackageFileSize>....<Prod
uctType>1</ProductType>....<Architecture>1</Architec
ture>....<ExecType>2</ExecType>....<SaveFilePath
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/tools/CheckDriver64.exe HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: j38fk6YeQFsZzNJL15cLgvMmsSjv0ZDGeE25chnrjqOdljX5NCl p16sOyND1UrsQ2UGECSFJgA=

x-amz-request-id: BD93EE8A8A6D40F8

Date: Thu, 29 Jan 2015 14:03:50 GMT

Last-Modified: Fri, 05 Dec 2014 09:10:09 GMT

ETag: "38626347a09aa38da32800bcf171d7e9"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 467024

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......?...{.kA{.kA
{.kA...Aq.kA...A`.kA{.jAP.kA\M.A..kA\M.Ar.kA\M.A..kA\M.A~.kA\M.Az.kA\M
.Az.kARich{.kA................PE..d....?.Q..........#......^..........
...........@.....................................D....................
..............................................T........Q......P.......
....`|...............................................p.. .......@.....
...............text....\.......^.................. ..`.rdata...w...p..
.x...b..............@..@.data...P........8..................@....pdata
...Q.......R..................@..@.rsrc...T............d..............
@..@..................................................................
......................................................................
......................................................................
......................................................................
............................................H...............H.\$.WH.. 
..H....%.....t.H.......H..H.\$0H.. _..@SUVWATAUAVH......H.D$h....L...D
$@.....D$D....H.L$@..._..I...c...3..t\..H..A...I....e..3.D....;..H....
H.......u...@........H..H...P.H.x.H..$.....S;..L....H.......u...@...r.
...H..I...P.H...H.D$0.";..L....H.......u...@...A....H..I...P.H...H.D$8
..:..L....H.......u...@........H..I...P.H...H..$....A..@...H.T$XI.....
...H..H.r.H...H...H;.................H..H;.......H...P H...~..|.H;.u.L
....F...BH..A......V...L..H..u........F.A.D$..F....Hc.L...L.F.H..I
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/tools/cfg.xml HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: 8kEwxzZLv EJeP yoRApSb0WGL0PJvThdtHCYDXPcTMO3WQvMNlXIt5h1Y5zMe aIfoGRLI4tzI=

x-amz-request-id: 99222B4CDD7201B4

Date: Thu, 29 Jan 2015 14:03:51 GMT

Last-Modified: Thu, 08 Jan 2015 05:49:13 GMT

ETag: "a74dde7c0d759ca808a2f4130bfcd9ca"

Accept-Ranges: bytes

Content-Type: text/xml

Content-Length: 3169

Server: AmazonS3
<?xml version="1.0" encoding="utf-8"?>.<ESET>. <SECTION
 ID="1000103">.  <SETTINGS>.   <PLUGINS>.    <PLUGIN
 ID="1000600">.     <PROFILES>.      <NODE NAME="@My profi
le" TYPE="SUBNODE">.       <NODE NAME="SMTP_Flags" VALUE="4" TYP
E="DWORD" />.       <NODE NAME="CloudEnabled" VALUE="1" TYPE="DW
ORD" />.       <NODE NAME="CloudFlags" VALUE="0" TYPE="DWORD" /&
gt;.       <NODE NAME="Scheduler" TYPE="SUBNODE">.       <NOD
E NAME="Reset" VALUE="0" TYPE="DWORD" />.       <NODE NAME="Elev
ationFlags" VALUE="2" TYPE="DWORD" />.        <TASK>.        
 <NODE NAME="Name" VALUE=".........................................
............. " TYPE="STRING" />.         <NODE NAME="ActionCode
" VALUE="2" TYPE="DWORD" />.         <NODE NAME="ModuleID" VALUE
="1000600" TYPE="DWORD" />.         <NODE NAME="TriggerType" VAL
UE="4" TYPE="DWORD" />.         <NODE NAME="TriggerSettings" VAL
UE="50000" TYPE="DWORD" />.         <NODE NAME="StartFailSetting
s" VALUE="0" TYPE="DWORD" />.         <NODE NAME="Enabled" VALUE
="0" TYPE="DWORD" />.         <NODE NAME="LastExec" VALUE="FFFFF
FFF" TYPE="DWORD" />.         <NODE NAME="Flags" VALUE="1" TYPE=
"DWORD" />.         <NODE NAME="RegId" VALUE="3" TYPE="DWORD" /&
gt;.         <NODE NAME="DeleteThis" VALUE="0" TYPE="DWORD" />. 
        <NODE NAME="EnableThis" VALUE="0" TYPE="DWORD" />.      
   <NODE NAME="DisableThis" VALUE="0" TYPE="DWORD" />.      
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/latest/ess_nt64_JPN.msi HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: zxv4XH1OUcmPQM/SUGs/xkefjr 9gaj2K3aUWgPCZdg27PU5OHRgv8a7GpUCYB6h6K/KHfjf3Ns=

x-amz-request-id: 41DCFE4E9B6B286A

Date: Thu, 29 Jan 2015 14:03:52 GMT

Last-Modified: Thu, 08 Jan 2015 05:43:38 GMT

ETag: "c8f9f8726b44d98123a22f0d062d9e93-2"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 83861504

Server: AmazonS3
........................>..........................................
.......................................... ...$...(...,...0...4...8...
<...@...D...H...L..................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /pki/CRL/products/Microsoft Windows Hardware Compatibility PCA(1).crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Sat, 03 Jan 2015 06:02:10 GMT

Accept-Ranges: bytes

ETag: "c9b2f1cf1a27d01:0"

Server: Microsoft-IIS/8.0

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

VTag: 43820326300000000

X-Powered-By: ASP.NET

X-Powered-By: ARR/2.5

X-Powered-By: ASP.NET

Content-Length: 573

Cache-Control: max-age=112

Date: Thu, 29 Jan 2015 14:05:55 GMT

Connection: keep-alive

X-CCC: PL

X-CID: 2
0..90..!...0...*.H........0..1.0...U....US1.0...U....Washington1.0...U
....Redmond1.0...U....Microsoft Corporation1503..U...,Microsoft Window
s Hardware Compatibility PCA..150102214534Z..150502220534Z.a0_0...U.#.
.0...(..a.|.?.k..".j ..>-0... .....7.........0...U......m0... .....
7......150402215534Z0...*.H.............[.0.92W..'..E..,ew..o.Z......F
$a.n...5m....I.........7..hl..u...j._aI.....kjo.O4..Q......Jn.^.<(.
.............4..t........ ....f.S.Q.%....{......."/......o..........-.
.M.........ld...5..#9 ..t<.X.F...<.%..)...i.B....{..m..._.|...k.
.o.....nq.p~..pXk|<..X..,HTTP/1.1 200 OK..Content-Type: application
/pkix-crl..Last-Modified: Sat, 03 Jan 2015 06:02:10 GMT..Accept-Ranges
: bytes..ETag: "c9b2f1cf1a27d01:0"..Server: Microsoft-IIS/8.0..P3P: CP
="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAM
o CNT COM INT NAV ONL PHY PRE PUR UNI"..VTag: 43820326300000000..X-Pow
ered-By: ASP.NET..X-Powered-By: ARR/2.5..X-Powered-By: ASP.NET..Conten
t-Length: 573..Cache-Control: max-age=112..Date: Thu, 29 Jan 2015 14:0
5:55 GMT..Connection: keep-alive..X-CCC: PL..X-CID: 2..0..90..!...0...
*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0.
..U....Microsoft Corporation1503..U...,Microsoft Windows Hardware Comp
atibility PCA..150102214534Z..150502220534Z.a0_0...U.#..0...(..a.|.?.k
..".j ..>-0... .....7.........0...U......m0... .....7......15040221
5534Z0...*.H.............[.0.92W..'..E..,ew..o.Z......F$a.n...5m....I.
........7..hl..u...j._aI.....kjo.O4..Q......Jn.^.<(............
<<< skipped >>>

GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.microsoft.com

HTTP/1.1 200 OK

Content-Type: application/pkix-crl

Last-Modified: Wed, 07 Jan 2015 06:02:43 GMT

Accept-Ranges: bytes

ETag: "88c4768d3f2ad01:0"

Server: Microsoft-IIS/8.0

VTag: 438542942000000000

P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"

X-Powered-By: ASP.NET

Content-Length: 813

Cache-Control: max-age=900

Date: Thu, 29 Jan 2015 14:05:55 GMT

Connection: keep-alive
0..)0......0...*.H........0_1.0.....&...,d....com1.0.....&...,d....mic
rosoft1-0 ..U...$Microsoft Root Certificate Authority..150106214825Z..
150407100825Z0.0...a......../..100208014912Z._0]0...U.#..0......`@V'..
%..*..S.Y..0... .....7.......0...U......(0... .....7......150406215825
Z0...*.H..............vQ..r..L.Q.N..=#.......V;..r../\.m..<.."...F/
U....(:.....xm.....P.e.F..BE8......=...G....6t:...?...L..B.v..p.M.....
...z..Q.%J.6..I.......8...U. .g..=T=K....L..$w...^....y~..-a.'...*s#N.
o..Qs.$h..:duV'~....8.6..w..b3.... .~)...|.I.y".>R.nJq.ws...3.....f
}.E)\......EB.d\.2.....h...lMjT.7..lj.'lj.b....".L.Os6{.s...@....f.|7z
.. ......>..Q...(......._....UM.EN.@.K\]#..Y.*.......T. .C.....A'..
5FW.ETDvX..tE.....g5.....&..&.....x.^H;...../7..'9.t.I&<[.HX.j....Q
w......}...qy3..q`<.....LB.9w|....;..Qw..a ..=.C.:.....HTTP/1.1 200
 OK..Content-Type: application/pkix-crl..Last-Modified: Wed, 07 Jan 20
15 06:02:43 GMT..Accept-Ranges: bytes..ETag: "88c4768d3f2ad01:0"..Serv
er: Microsoft-IIS/8.0..VTag: 438542942000000000..P3P: CP="ALL IND DSP 
COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT 
NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 813..
Cache-Control: max-age=900..Date: Thu, 29 Jan 2015 14:05:55 GMT..Conne
ction: keep-alive..0..)0......0...*.H........0_1.0.....&...,d....com1.
0.....&...,d....microsoft1-0 ..U...$Microsoft Root Certificate Authori
ty..150106214825Z..150407100825Z0.0...a......../..100208014912Z._0]0..
.U.#..0......`@V'..%..*..S.Y..0... .....7.......0...U......(0... .
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/DownloadConfig.xml HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: B59Ub1cHK6O9VGqS889GVG32O4dE1Mbx/b35FryYj2QQb24z8hJCP fQ nQXtKdysAv4Q06L2PU=

x-amz-request-id: 0F82194ED31E2EA1

Date: Thu, 29 Jan 2015 14:03:47 GMT

Last-Modified: Mon, 26 Jan 2015 03:02:52 GMT

ETag: "dfc4125c3b35ffd0f95bc1d5eef5461a"

Accept-Ranges: bytes

Content-Type: text/xml

Content-Length: 10768

Server: AmazonS3
<?xml version="1.0" encoding="UTF-8"?>..<DownloadConfig>..
.<PackageDownloadServerCount>16</PackageDownloadServerCount&g
t;...<Package00>....<PackageDownloadURL>hXXp://s3-ap-north
east-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDriver86.e
xe</PackageDownloadURL>....<PackageVersion>8.0</Package
Version>....<PackageName>Driver Check Tool</PackageName>
;....<PackageFileName>CheckDriver86.exe</PackageFileName>.
...<PackageFileSize>316</PackageFileSize>....<ProductTy
pe>1</ProductType>....<Architecture>0</Architecture&
gt;....<ExecType>2</ExecType>....<SaveFilePath>*USER
TEMP*CheckDriver86.exe</SaveFilePath>....<ExecCommand>*USE
RTEMP*CheckDriver86.exe</ExecCommand>....<PackageHash>4216
09822a77d8ac594125dcaa144b85</PackageHash>....<TargetOS>0&
lt;/TargetOS>....<ErrorSkip>0</ErrorSkip>...</Packag
e00>...<Package01>....<PackageDownloadURL>hXXp://s3-ap-
northeast-1.amazonaws.com/c-its/download/eset/cw/v8he/tools/CheckDrive
r64.exe</PackageDownloadURL>....<PackageVersion>8.0</Pa
ckageVersion>....<PackageName>Driver Check Tool</PackageNa
me>....<PackageFileName>CheckDriver64.exe</PackageFileName
>....<PackageFileSize>457</PackageFileSize>....<Prod
uctType>1</ProductType>....<Architecture>1</Architec
ture>....<ExecType>2</ExecType>....<SaveFilePath
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/SetupLauncherVer.xml HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: NUn2RtwutcFNtNriysVdbDjup2rdLxN6bVsB/2IUwrj4osFSU2HJZaruIaQ 2bhv

x-amz-request-id: FB2E43318108B71C

Date: Thu, 29 Jan 2015 14:02:32 GMT

Last-Modified: Thu, 08 Jan 2015 06:00:33 GMT

ETag: "6d7d0b88bb3d4d97afbcdf869911c55e"

Accept-Ranges: bytes

Content-Type: text/xml

Content-Length: 759

Server: AmazonS3
<?xml version="1.0" encoding="UTF-8"?>..<SetupLauncherVer>
...<SetupLauncherVerData>....<LastVersion>30803</LastVe
rsion>....<SetupExe>hXXp://s3-ap-northeast-1.amazonaws.com/c-
its/download/eset/cw/v8he/Setup.dat</SetupExe>....<SetupLaunc
herXMLVersion>00802</SetupLauncherXMLVersion>....<SetupLau
ncherURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/download/eset
/cw/v8he/SetupLauncherV2.xml</SetupLauncherURL>....<SetupNoti
ficationVersion>00802</SetupNotificationVersion>....<Setup
NotificationURL>hXXp://s3-ap-northeast-1.amazonaws.com/c-its/downlo
ad/eset/cw/v8he/SetupNotification.xml</SetupNotificationURL>....
<ESSLatestVersion>8.00.304.07</ESSLatestVersion>....<EA
VLatestVersion>8.00.304.07</EAVLatestVersion>...</SetupLau
ncherVerData>..</SetupLauncherVer>......


GET /c-its/download/eset/cw/v8he/Setup.dat HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: AgpKJ9S7NrRGWuMaBDorgKNEoEDtd3XBzTUPQPlg/g9Rc22B51Sw3c483cem8aw0

x-amz-request-id: 41FA081651E8874A

Date: Thu, 29 Jan 2015 14:02:32 GMT

Last-Modified: Wed, 17 Dec 2014 05:06:50 GMT

ETag: "331e374dff5d39687261babde003fa6f"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 10131816

Server: AmazonS3
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......O..T........
........................`...,E......,E......,E......,E..$...,E......,E
......Rich............................PE..L......T....................
.`......r#....... ....@...............................................
..........................<........p...@..............h...........P
'..............................h4..@............ ..........@..........
..........text............................... ..`.rdata..`.... .......
 ..............@..@.data...Xn.......0..................@....rsrc....@.
..p...P...0..............@..@.........................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
..................................................................
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/SetupLauncherV2.xml HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: yDZoFhrU18  XrtyHMfOyeADRHySqtGBdPtotTiw07kpX3iIG6JgaIYjcea0v1fe

x-amz-request-id: 7CDDF9C2A908B104

Date: Thu, 29 Jan 2015 14:02:56 GMT

Last-Modified: Wed, 17 Dec 2014 05:06:53 GMT

ETag: "05baed2454892dd2e37e9b317bfd3ef8"

Accept-Ranges: bytes

Content-Type: text/xml

Content-Length: 4638

Server: AmazonS3
...<?xml version="1.0" encoding="UTF-8"?>..<LaunchData>...
<LaunchBase>....<ProductType>1</ProductType>....<
PackageType>7</PackageType>....<ManualType>1</Manual
Type>....<PackageVersionWin>7.0</PackageVersionWin>....
<PackageVersionMac>5.0</PackageVersionMac>....<Download
erVersion>30803</DownloaderVersion>....<SetupLauncherXMLVe
rsion>00802</SetupLauncherXMLVersion>....<ProviderType>
CW</ProviderType>....<ShowOnlineUserRegistButton>0</Sho
wOnlineUserRegistButton>....<EnableServerCheck>0</EnableSe
rverCheck>....<InstallType>0</InstallType>...</Launc
hBase>...<DownloadServerData>....<DownloadServerCount>2
</DownloadServerCount>....<DownloadServer0>hXXp://s3-ap-no
rtheast-1.amazonaws.com/c-its/download/eset/cw/v8he</DownloadServer
0>....<DownloadServer1>hXXp://download.canon-its.jp/download/
eset/cw/v8he</DownloadServer1>...</DownloadServerData>...&
lt;ConfrictRegistory>....<ConfrictDataCount>18</ConfrictDa
taCount>....<ConfrictPackage00 PackageName="G DATA Software">
SYSTEM\CurrentControlSet\Services\AVKWCtl</ConfrictPackage00>...
.<ConfrictPackage01 PackageName="AVAST Antivirus">Software\ALWIL
 Software\Avast\4.0</ConfrictPackage01>....<ConfrictPackage02
 PackageName="AVAST Antivirus">Software\Wow6432Node\ALWIL Software\
Avast\4.0</ConfrictPackage02>....<ConfrictPackage03 Packa
<<< skipped >>>

GET /c-its/download/eset/cw/v8he/SetupNotification.xml HTTP/1.1

User-Agent: CITS Install Launcher

Host: s3-ap-northeast-1.amazonaws.com

HTTP/1.1 200 OK

x-amz-id-2: 5yx7BHWGKGrKKFmVQ63p8gm7IuX2gNO4svYcwOsQ8SfReF3bUBtwCI36XTvlnPVx

x-amz-request-id: 37592F96B77220FF

Date: Thu, 29 Jan 2015 14:02:56 GMT

Last-Modified: Fri, 05 Dec 2014 09:05:14 GMT

ETag: "78fa9cca99944b28f9a9b5a9c0d44fe3"

Accept-Ranges: bytes

Content-Type: text/xml

Content-Length: 2294

Server: AmazonS3
...<?xml version="1.0" encoding="UTF-8"?>..<NotificationDataS
et>...<NotificationVersion>00802</NotificationVersion>.
..<NotificationDataValueCount>5</NotificationDataValueCount&g
t;...<NotificationDataValue00>....<NFDTitle>...2014...12..
.11.........................................._BR_.....................
..............................V8.0....................................
........................_BR_</NFDTitle>....<NFDURL>hXXp://
canon-its.jp/product/eset/</NFDURL>....<NFDConditionType>2
</NFDConditionType>....<NFDConditionValue>99</NFDCondit
ionValue>....<STRCOLOR>23,55,94</STRCOLOR>...</Notif
icationDataValue00>...<NotificationDataValue01>....<NFDTit
le>................................................................
......................................................................
....</NFDTitle>....<NFDURL>hXXp://canon-its.jp/supp/eset/e
tpc40137.html</NFDURL>....<NFDConditionType>2</NFDCondi
tionType>....<NFDConditionValue>99</NFDConditionValue>.
...<STRCOLOR>23,55,94</STRCOLOR>...</NotificationDataVa
lue01>...<NotificationDataValue02>....<NFDTitle>...ESET
......................................................................
.................Web...........................</NFDTitle>....&l
t;NFDURL></NFDURL>....<NFDConditionType>2</NFDCondit
ionType>....<NFDConditionValue>99</NFDConditionValue&g
<<< skipped >>>

The Worm connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

!"#$%..&'()* ,-

t.WVj

.uIC;

RtlFormatCurrentUserKeyPath

RegCreateKeyExW

CryptCATCatalogInfoFromContext

CertOpenStore

CertCloseStore

CertEnumCertificatesInStore

CertEnumCRLsInStore

CertControlStore

MsiViewExecute

WTHelperGetProvCertFromChain

CertNameToStrW

CryptUIDlgViewCertificateW

CertAddCertificateContextToStore

CertAddEncodedCertificateToStore

CertCreateCertificateChainEngine

CertGetCertificateChain

CertFreeCertificateContext

CertFreeCertificateChain

CertFreeCertificateChainEngine

WerReportCreate

WerReportAddDump

WerReportSubmit

ReportFault

WerReportCloseHandle

NtAcceptConnectPort

NtRequestPort

NtRequestWaitReplyPort

NtReplyWaitReceivePort

NtReplyPort

NtImpersonateClientOfPort

NtCreatePort

NtConnectPort

NtCompleteConnectPort

RegDeleteKeyExW

CertCreateCertificateContext

CertSetCertificateContextProperty

PFXImportCertStore

CertDuplicateCertificateContext

?456789:;<=

!"#$%&'()* ,-./0123

00006666

####====

&&&&6666????

""""****

2222::::

$$$$\\\\

G1.3.6.1.4.1.311.2.1.4

<VeriSign Class 3 Public Primary Certification Authority - G50

#hXXp://logo.verisign.com/vslogo.gif0

DhXXp://crl.microsoft.com/pki/crl/products/MicrosoftCodeVerifRoot.crl0

=hXXp://VVV.microsoft.com/pki/certs/MicrosoftCodeVerifRoot.crt0

.Class 3 Public Primary Certification Authority0

Thawte Certification1

ESET Module Signing Certificate

deflate 1.2.3 Copyright 1995-2005 Jean-loup Gailly

1.2.3

inflate 1.2.3 Copyright 1995-2005 Mark Adler

application/x-www-form-urlencoded

NtCreateKey

NtDeleteKey

NtDeleteValueKey

NtEnumerateKey

NtEnumerateValueKey

NtOpenKey

NtQueryValueKey

NtSetValueKey

%H:%M:%S

SupportRequestXML_GZ

SupportRequestXML

SupportRequest

SupportRequestAttachment_GZ

SupportRequestAttachment

/supportrequest/

"We've all heard that a million monkeys banging on a million typewriters will eventually reproduce the entire works of Shakespeare. Now, thanks to the Internet, we know this is not true." -- Robert Wilensky

hXXp://

multipart/form-data; boundary=%s

-----BEGIN CERTIFICATE-----

-----END CERTIFICATE-----

-----BEGIN PUBLIC KEY-----

-----END PUBLIC KEY-----

-----BEGIN RSA PRIVATE KEY-----

-----END RSA PRIVATE KEY-----

-----BEGIN PRIVATE KEY-----

-----END PRIVATE KEY-----

-----BEGIN ENCRYPTED PRIVATE KEY-----

-----END ENCRYPTED PRIVATE KEY-----

-----BEGIN CERTIFICATE REQUEST-----

-----END CERTIFICATE REQUEST-----

1.2.840.113549.1.7.2

1.2.840.113549.1.9.3

1.2.840.113549.1.9.4

1.3.6.1.4.1.311.10.1

1.2.840.113549.1.9.6

1.2.840.113549.1.9.5

1.2.840.113549.1.7.1

1.2.840.113549.2.2

1.2.840.113549.2.5

1.3.14.3.2.26

2.16.840.1.101.3.4.2.4

2.16.840.1.101.3.4.2.1

2.16.840.1.101.3.4.2.2

2.16.840.1.101.3.4.2.3

%u.%u

1.2.840.113549.1.1.2

1.2.840.113549.1.1.4

1.2.840.113549.1.1.5

1.3.14.3.2.29

1.2.840.10040.4.3

CERTIFICATE

1.2.840.113549.1.1.14

1.2.840.113549.1.1.11

1.2.840.113549.1.1.12

1.2.840.113549.1.1.13

-----BEGIN %s-----

-----END %s-----

2.5.29.35

2.5.29.14

2.5.29.19

s=0x%p,0x%x,0x%x

RegOpenKeyExW

RegQueryInfoKeyW

RegCloseKey

RegEnumKeyExW

RegEnumKeyW

RegDeleteKeyW

HTTP/

X-Bypass-Cache

hXXps://

%d.%d %d

HTTP/1.1

MS Windows

00000001

smtp/%s

charset=%s,

username="%s",

realm="%s",

nonce="%s",

nc=%s,

cnonce="%s",

digest-uri="%s",

response=%s,

qop=%s

EHLO %s

LOGIN

AUTH LOGIN

HELO %s

MAIL FROM: <%S>

%COMPUTERNAME%

RCPT TO: <%S>

From: %S

To: %S

Date: %s, %d %s %d d:d:d %cdd

boundary="%s"

Content-Type: text/plain; charset="Windows-%d"

ntdll.dll

KERNEL32.DLL

kernel32.dll

msvcr80.dll

x:

<NODE NAME="GUI_Version" VALUE="%s" TYPE="STRING" />

<NODE NAME="Language" VALUE="%x" TYPE="DWORD" />

<NODE NAME="Personal" VALUE="%d" TYPE="DWORD" />

<NODE NAME="AntiStealth" VALUE="%d" TYPE="DWORD" />

<NODE NAME="SelfDefense" VALUE="%d" TYPE="DWORD" />

<NODE NAME="VersionLoader" VALUE="%s" TYPE="STRING" />

<NODE NAME="VersionAntiStealth" VALUE="%s" TYPE="STRING" />

<NODE NAME="VersionSysInspector" VALUE="%s" TYPE="STRING" />

<NODE NAME="StandAlone" VALUE="%x" TYPE="DWORD" />

<NODE NAME="SD_RegistryProtected" VALUE="%x" TYPE="DWORD" />

<NODE NAME="SD_ProcessesProtected" VALUE="%x" TYPE="DWORD" />

<NODE NAME="Feature_Node_TaskScheduler" VALUE="%x" TYPE="DWORD" />

<NODE NAME="Feature_Node_Rootkits" VALUE="%x" TYPE="DWORD" />

<NODE NAME="Feature_Script_RebootRequest" VALUE="%x" TYPE="DWORD" />

<NODE NAME="FastList" VALUE="%d" TYPE="DWORD" />

<NODE NAME="FastListNoRepo" VALUE="%d" TYPE="DWORD" />

<NODE NAME="FastListSkipModules" VALUE="%d" TYPE="DWORD" />

<NODE NAME="WantCloud" VALUE="%d" TYPE="DWORD" />

ekrn.pdb

KERNEL32.dll

MsgWaitForMultipleObjects

USER32.dll

WS2_32.dll

GDI32.dll

RegOpenKeyW

ReportEventW

RegOpenKeyA

RegUnLoadKeyW

RegLoadKeyW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

MSVCP110.dll

MSVCR110.dll

_calloc_crt

_crt_debugger_hook

__crtUnhandledException

__crtTerminateProcess

__crtGetShowWindowMode

_amsg_exit

_acmdln

__crtSetUnhandledExceptionFilter

GetProcessHeap

.?AVCCrashDumpSupport@@

.?AVCAppCrashDumpSupport@@

.?AV?$CParamStructHelper@U_CCE_REPORT_EVENT_PARAMS@@@@

.?AV?$CArrayNoThrow@U_URL_CONTROL_PLUGIN_ELEM@@ABU1@@@

.?AV?$CSortedArray@U_URL_CONTROL_PLUGIN_ELEM@@ABU1@@@

.?AV?$CAutoFree@UECP_REQ_MSG_DATA@CECPMsgDataStorage@@$1?free@@YAXPAX@Z@@

.?AV?$CAutoFreePtr@UECP_REQ_MSG_DATA@CECPMsgDataStorage@@$1?free@@YAXPAX@Z@@

.?AV?$CParamStructHelper@U_CCE_WEB_LOGIN_ASSOCIATION_NOTIFY_PARAMS@@@@

.?AVCECPRequestMessageWebloginDissociation@@

.?AVCECPRequestMessageWebloginAssociation@@

.?AVCECPRequestMessageWebloginAuthentication@@

.?AVCECPResponseCommandWebloginAssociation@@

.?AV?$CExportConfigList@VCShowMessagesConfig@@@@

.?AVCExportConfig@@

.?AV?$CParamStructHelper@U_CCE_EXECUTE_GUI_CMD_DATA_PARAMS@@@@

.?AV?$CArray@U_ONE_REQUEST@CSupportRequests@@ABU12@@@

.?AV?$RefCountObj@VX509CertificateCollection@@@@

.?AVWinCertStoreImpl@@

.?AVCertStoreInterface@@

.?AV?$RefCountObj@VX509Certificate@@@@

.?AV?$CArrayNoThrow@V?$CountedPtr@VX509Certificate@@@@ABV1@@@

.?AVAuthorityKeyIdentifierExtension@@

.?AVSubjectKeyIdentifierExtension@@

.?AV?$CArray@VCHTTPBuffer@@ABV1@@@

.?AVCHTTPBuffer@@

.?AVCTransport@@

.?AVCTransportSSL@@

.?AV?$CArray@V?$CStringT@_WV?$StrTraitATL@_WV?$ChTraitsCRT@_W@ATL@@@ATL@@@ATL@@ABV12@@@

.?AVCECPRequestCommandWebloginDissociation@@

.?AVCECPRequestCommandWebloginAssociation@@

.?AVCECPRequestCommandWebloginAuthentication@@

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS></application></compatibility></assembly>

7Œ8N8d8q8~8

2 2$2(2,2024282<2_2

1 1%1 111

7&8-8V8f8}8

9 9$9(9,90949

=!=2>|>6?

5$5(5,5054585<5

9 9$9(9,9094989<9@9

7 7$7(7,70747

>,>0>4>8><>\>`>

5!5R5C5J5T5\5`5r5v5

6 6%6U6_6e6o6

4%5U5

:0:4:8:<:@:

3 3$3(3,3034383<3@3

7 7$7(7,7074787<7

5 5<5@5\5`5|5

requested feature requires XML_DTD support in Expat

unexpected parser state - please send a bug report

xml=hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/XML/1998/namespace

hXXp://VVV.w3.org/2000/xmlns/

msi.dll

advapi32.dll

shell32.dll

userenv.dll

user32.dll

wtsapi32.dll

secur32.dll

Security.dll

iphlpapi.dll

ws2_32.dll

wintrust.dll

crypt32.dll

cryptui.dll

powrprof.dll

wer.dll

faultrep.dll

netapi32.dll

rasapi32.dll

mpr.dll

rpcrt4.dll

wlanapi.dll

setupapi.dll

dbghelp.dll

psapi.dll

%seset_x_%x.%s

%u,%d

%d.%d.%d

PasswordChangedFlag

LinkUrl

UsernamePassword

Windows

%d.%d

\\.\ehdrv

SupportMail

SupportCompany

SupportCountry

CustomerCareWeb

RAClientPort

RAClientPassword

RAClientPortAlt

RAClientPasswordAlt

SMTP_Enabled

SMTP_Flags

SMTP_Server

SMTP_SenderAddress

SMTP_Address

SMTP_Username

SMTP_Password

MsgFormatVirus

MsgFormatError

MsgMinStatusSend

MsgMinStatusLog

ProxyPort

ProxyPassword

NapSupportEnabled

CrashDumpSupport

*.doc|*.rtf|*.xl?|*.dbf|*.mdb|*.sxw|*.sxc|*.doc?|*.dot?|*.xls?|*.xlt?|*.ppt?|*.pot?|*.pps?

WebClientID

WebClientComputerName

WebClientToken

LockPassword

Node_d

LastExec

Software\ESET\ESET Security\CurrentVersion\Scheduler\%u

.DEFAULT

virlog.dat

warnlog.dat

HIPS: P=%u R=%u

EHttpSrv

shellExt.dll

{B089FE88-FB52-11D3-BDF1-0050DA34150D}

SECTION;ID=#01000103\STATUS\RECORD;PLUGIN=#%X;UNIQUEID=#%X

SYSTEM\CurrentControlSet\Services\%s

SUPPORT

PASSWORD

ppeset.dll

SECTION;ID=#01000103\BACKGROUND_ACTIVITY\RECORD;PLUGIN=#%X;UNIQUEID=#%X

ecmd.exe

%Y-%m-%dT%H:%M:%SZ

nomsg

edf.eset.com

<cmd_null/>

<cmd name='

</cmd>

%sMSG_X_X_X.ecm

e%s*.ecm

CMDLINE

WEB_USER_ID

%sdd%c.dat

%u.%u.%u %s

%u MB

P=%u R=%u

%d min

eguiProduct.dll

Software\ESET\ESET Security\CurrentVersion\Scanners\X

%s\X

SECTION;ID=#01000103\SETTINGS\PLUGINS\PLUGIN;ID=%X\PROFILES\NODE;NAME="%s";TYPE=SUBNODE

ekrnLang.dll

explorer.exe

egui.exe

startupcore.exe

nt4ldr.exe" "

nt4ldr.exe

egui.exe" /hide

startupcore.exe"

${Username}=%s|${DistributorGUID}=%s|${ExpirationState}=%u|${ExpirationDate}=%s|${LicenseType}=%u|${LicenseCancelled}=%u|${PasswordChanged}=%u|${ProductName}=%s|${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${AdditionalArguments}=%s|${DaysToExpire}=%u|${DaysExpired}=%u|${ExpireDaysWord}=%s|${ExpiredDaysWord}=%s

nod32api.dll

nod32aui.dll

Software\ESET\ESET Security\CurrentVersion\Plugins\APIx

${ProductType}=%s|${ProductVersion}=%s|${ProductLanguage}=%u|${UpdateTag}=%s|${Platform}=%s|${DaysToExpire}=%i|${EvalId}=%u

eScan\*.dat

ekrn.exe

TypesSupported

Import settings failed in plugin: X

*.lic

GROUP;NAME=PLUGIN_INFO_X

%USERNAME%

%SCANNER%

reqX.xml

*.xml

EKRN/EGUI.support.form.req

EKRN/SCHEDULER.req

EKRN/RA.req

*.zip

OID.Unknown=

NODX.lic

xem000_32.dat

iploc.eset.com

%i.%i.%i.%i%c%c

\??\PHYSICALDRIVE%d

\\.\PHYSICALDRIVE%d

NOD_SHMEM_%s%x

SERVER;NAME=X_X

OPTION;OPTNAME=ListeningPort

OPTION;OPTNAME=CertificateChainFile

OPTION;OPTNAME=CertificateType

OPTION;OPTNAME=PrivateKeyFile

OPTION;OPTNAME=PrivateKeyType

GLOBAL\OPTION;OPTNAME=ListeningPort

SYSTEM\CurrentControlSet\Services\%s\Parameters

%s\%s

SupportRequests\

\\%s\mailslot\messngr

SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\

\BaseNamedObjects\NODCOMMXToXCommPort

NODCOMMXToXReceiverMutex

NODCOMMXToXCommMutex

NODCOMMXToXSendEvent

NODCOMMXToXAckEvent

NODCOMMXToXSection

%sNODCOMMXToXBroadcastMutex

%sNODCOMMXToXBroadcast

\Device\LanmanRedirector\;%c:

\\.\MountPointManager

{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}

{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}

{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}

\\.\root\SecurityCenter

pathToSignedProductExe

SOFTWARE\Microsoft\Windows NT\CurrentVersion

SOFTWARE\Microsoft\Windows\CurrentVersion

(%u MHz)

SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

NTUSER.DAT

%s_%s

RegUnLoadKey key='%s' Result=%x

Software\Microsoft\Windows\CurrentVersion\Explorer

%s_%s\%s\%s

%s\%s\%s

%USERPROFILE%

'GetUserProfileInt' subkey '%s' failed!

comctl32.dll

wzcsapi.dll

<WLANProfile xmlns="hXXp://VVV.microsoft.com/networking/WLAN/profile/v1">

<name>%s</name>

0fa1201d-4330-4fa8-8ae9-b877473b6441

e6cf1350-c01b-414d-a61f-263d14d133b4

Important

boot.ini

\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders

\Microsoft\Windows\CurrentVersion

\Microsoft\Windows NT\CurrentVersion

\\.\physicaldrive%lu

{830B4F09-F236-4c2e-96BF-D4C0191A9B4F}

{524032E4-E071-44c8-9139-E99FC2697F44}

{60042969-6CCA-46cd-81D4-22A056C989F3}

{5C70CD3A-8913-4d93-94F7-79182EF1B930}

{46B223A0-8EB6-47ba-AD5D-B69E3C1511D9}

{45210F63-3ABB-49ec-9E1F-6BE0C6EFAA39}

{03400AF0-EB11-4b87-B204-49168F392DC9}

{7EA86DCE-8271-4417-AA6C-526E8A4B748B}

{92147EEA-7C84-4055-9E6A-F32CD6A609C0}

{BAADCF1E-4EFB-4116-9F05-58F6D23C2E0D}

{9F6A9C27-9CCD-4236-9B36-974D9D7F3442}

{1EDE29DD-DC3F-426c-8021-0596D6696639}

EventSystem.EventSubscription

{d5978630-5b9f-11d1-8dd2-00aa004abd5e}

{d5978650-5b9f-11d1-8dd2-00aa004abd5e}

x-x-x-xx-xxxxxx

(lX-X-X-XX-XXXXXX)

{lX-X-X-XX-XXXXXX}

lX-X-X-XX-XXXXXX

XXXXXXXXXXXXXXXX

report-suspicion

lpasswd

passwd

hXXp://VVV.eset.com/2012/02/ecp

weblogin-authentication

weblogin-association

send-webcam-snapshot

weblogin-dissociation

AntiVirusProduct.instanceGuid="{E5E70D32-0101-4F12-8FB0-D96ACA4F34C0}"

AntiSpywareProduct.instanceGuid="{E5E70D32-0101-4B98-A4D6-D1D15C3BB448}"

FirewallProduct.instanceGuid="{E5E70D32-0101-4340-86A3-A7B0F1C8FFE0}"

gui.webpurchase.show

gui.webrenew.show

-ddd-dd

-ddd-dd-%d

SysInspector.exe

"%s" /gen="%s" /supersilent %s %s %s %s %s

8.0.304.0

{%TimeStamp% - Module %Scanner% - Threat Alert triggered on computer %ComputerName%: %InfectedObject% contains %VirusName%.

%TimeStamp% - During execution of %ProgramName% on the computer %ComputerName%, the following warning occurred: %ErrorDescription%

Operating system information

Operating system:

Operating system version:

Operating system type:

%s(Version of common control components:

%s %s

once, %s.

repeatedly, every <%d> minutes.

Every day at %s.

at %s on the following days:

at <EVENT%s><INTERVAL%s>.

Task will not be run.%Task will be run as soon as possible.LTask will be run if it has not completed within the last <INTERVAL%d> hours.

& (At maximum every <INTERVAL%u> hours)

<Virus signature database successfully updated to version %s.&The program modules have been updated.

%s!Remaining trial period:

%s day(s)

dUser does not have administrator privileges. The Anti-Stealth technology is working in limited mode.qAnti-Stealth initialization could not be fully completed. The Anti-Stealth technology is working in limited mode.

4Error submitting ThreatSense.Net data to RA: TimeoutIError submitting ThreatSense.Net data to RA: Synchronization lost on exitKError submitting ThreatSense.Net data to RA: Synchronization lost on submit

Could not retrieve MAC address.:Authentication to ESET Remote Administrator Server failed.GAuthentication to ESET Remote Administrator Server ended up with error.6Connection to ESET Remote Administrator Server failed.

but could not be deleted from their original location!0The file %s is too large to submit for analysis!.%d files are too large to submit for analysis!

OAn error occurred while running a service script. No operations were performed.LThe service script "%s" was run successfully. All operations were processed.

[The service script "%s" was processed partially. %s completed successfully while %d failed.MThe service script "%s" ran unsuccessfully. No operations could be processed.(%d operation|%d operations|%d operations(%d operation|%d operations|%d operations

Gaming mode enabled. All pop-up windows are suppressed and scheduled tasks paused. Gaming mode can be disabled here: <A ID="7" TYPE="SERVICE" PLUGIN="0x01000600" RA="14">Disable Gaming mode</A>

Enable email protection&Email protection is currently disabledV<A ID="2" TYPE="SERVICE" PLUGIN="0x01000600" RA="3">Enable Email client protection</A> Web access protection is currently disabled

Web access antivirus protection disabled by user. <A ID="3" TYPE="SERVICE" PLUGIN="0x01000600" RA="4">Enable Web access protection</A>

Enable web access protection Web access protection is currently disabledT<A ID="3" TYPE="SERVICE" PLUGIN="0x01000600" RA="4">Enable web access protection</A>

Gaming mode enabledL<A ID="7" TYPE="SERVICE" PLUGIN="0x01000600" RA="14">Disable Gaming mode</A>"Operating system is not up to date

This computer does not have all available operating system updates installed. Please install the missing updates by means of the Windows Update service. For more information, click <A ID="1">here</A>.)Display information about missing updates

pThe latest version of Windows Update is not installed. To update the operating system, click <A ID="2">here</A>.

Run operating system update"Operating system is not up to date

The lifetime of this version will end in ${DaysToExpire} day(s). We recommend that you download a newer version from <A TYPE="WEB" URL="${UrlWeb}/betaexpire?lng=${LangID}product=${ProductType}version=${ProductVersion}&platform=${Platform}&updategroup=${UpdateTag}">here</A>. Your license will expire shortly

<A TYPE="WEB" URL="${UrlWeb}/betaexpire?lng=${LangID}&product=${ProductType}&version=${ProductVersion}&platform=${Platform}&updategroup=${UpdateTag}">Download latest version</A>

The lifetime of this trial version will end in ${DaysToExpire} day(s). To purchase the full version of the program, visit <A TYPE="WEB" URL="${UrlWeb}/evalexpire?lng=${LangID}&product=${ProductType}&version=${ProductVersion}&platform=${Platform}&updategroup=${UpdateTag}&evalid=${EvalId}">our website</A>. If you have already acquired a license, you can <A ID="252" TYPE="SERVICE" PLUGIN="0x01000400">upgrade the program to the full version.</A>

<A TYPE="WEB" URL="${UrlWeb}/evalexpire?lng=${LangID}&product=${ProductType}&version=${ProductVersion}&platform=${Platform}&updategroup=${UpdateTag}&evalid=${EvalId}">Purchase full version</A>

The lifetime of this version has ended. We recommend that you download a newer version from <A TYPE="WEB" URL="${UrlWeb}/betaexpire?lng=${LangID}&product=${ProductType}&version=${ProductVersion}&platform=${Platform}&updategroup=${UpdateTag}">here</A>.

The lifetime of this trial version has ended. To purchase the full version of the program, visit <A TYPE="WEB" URL="${UrlWeb}/evalexpire?lng=${LangID}&product=${ProductType}&version=${ProductVersion}&platform=${Platform}&updategroup=${UpdateTag}&evalid=${EvalId}">our website</A>. If you have already acquired a license, you can <A ID="252" TYPE="SERVICE" PLUGIN="0x01000400">upgrade the program to the full version.</A>

Your license expire shortlym<A TYPE="WEB" URL="${UrlWeb}/renew?lng=${LangID}&dguid=${DistributorGUID}&user=${Username}">Renew license</A>

License expiredm<A TYPE="WEB" URL="${UrlWeb}/renew?lng=${LangID}&dguid=${DistributorGUID}&user=${Username}">Renew license</A>

To ensure up-to-date protection, contact your network administrator or <A TYPE="WEB" URL="${UrlWeb}/renew?lng=${LangID}&dguid=${DistributorGUID}&user=${Username}">renew your license online</A>. If you have already received a new license (Username and Password), enter it <A ID="254" TYPE="SERVICE" PLUGIN="0x01000400">here</A>.

<A TYPE="COMMAND" COMMAND="gui.weblogindlg.show">Enable ESET Anti-Theft</A> <A ID="250" TYPE="SERVICE" PLUGIN="0x01000F00">Do not remind me again</A>

ESET Anti-Theft is availableK<A TYPE="COMMAND" COMMAND="gui.weblogindlg.show">Enable ESET Anti-Theft</A>CProtection of your device ends in ${DaysToExpire} ${ExpireDaysWord}

<A TYPE="COMMAND" COMMAND="gui.webrenew.show">Buy a new license</A> today to make sure you are protected.

<A TYPE="COMMAND" COMMAND="gui.webrenew.show">Buy a new license</A> today to make sure you are protected or <A TYPE="COMMAND" COMMAND="updater.activationdlg.show">activate your new license</A>.$Protection of your device ends today

<A TYPE="COMMAND" COMMAND="gui.webrenew.show">Buy a new license</A> today to make sure you are protected or <A TYPE="COMMAND" COMMAND="updater.activationdlg.show">activate your new license</A>.&Protection of your device ends shortly

<A TYPE="COMMAND" COMMAND="gui.webrenew.show">Buy a new license</A> today to make sure you are protected or <A TYPE="COMMAND" COMMAND="updater.activationdlg.show">activate your new license</A>.

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Scan a system with an anti-rootkit tool.
   
2. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:3304
   egui.exe:2604
   ekrn.exe:2988
   DrvInst.exe:3772
   DrvInst.exe:2880
   DrvInst.exe:3456
   DrvInst.exe:612
   DrvInst.exe:2152
   DrvInst.exe:1664
   Setup.exe:1408
   Setup.exe:2788
   mobsync.exe:1416
   MsiExec.exe:704
   MsiExec.exe:3464
   MsiExec.exe:3000
   

3. Delete the original Worm file.
   
4. Delete or disinfect the following files created/modified by the Worm:
   

   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\pft2463.tmp\pftw1.pkg (550 bytes)
   %Program Files% (x86)\ESET\CITSINST\SetupNotification.xml (197 bytes)
   %Program Files% (x86)\ESET\CITSINST\Setup.exe (174574 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ext2443.tmp (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\plf2442.tmp (4 bytes)
   %Program Files% (x86)\ESET\CITSINST\SetupLauncherV2.xml (4 bytes)
   %Program Files% (x86)\ESET\CITSINST\eula_ess.txt (20 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\epfwlog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\urllog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Charon\CACHE.NDB (389233 bytes)
   C:\Windows\System32\drivers\eamonm.sys (245 bytes)
   C:\ProgramData\ESET\ESET Smart Security\EpfwUser.dat (720 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata.dat (676 bytes)
   C:\ProgramData\ESET\ESET Smart Security\EpfwTmp2.dat (23 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Antispam\ipstree.db-journal (544 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Antispam\sc1.bin.full.2014.11.03.05.11.43 (852 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Antispam\sc21.bin.full.2014.10.15.23.36.04 (1 bytes)
   C:\ProgramData\ESET\ESET Smart Security\epfwdata.bin (258 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\virlog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\local.db (244143 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\hipslog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\parentallog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\warnlog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\spamlog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Antispam\sc2.bin.full.2005.02.11.04.44.13 (9 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Antispam\asdata2.dat (394 bytes)
   %Program Files%\ESET\ESET Smart Security\emesj007_32.dat (176 bytes)
   C:\Windows\System32\drivers\edevmon.sys (241 bytes)
   C:\ProgramData\ESET\ESET Smart Security\EpfwTemp.dat (285 bytes)
   C:\ProgramData\ESET\ESET Smart Security\HipsRules.bin (168 bytes)
   %Program Files%\ESET\ESET Smart Security\speclean.new (589 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Logs\devctrllog.dat (60 bytes)
   C:\ProgramData\ESET\ESET Smart Security\HipsRules.xml (32 bytes)
   C:\ProgramData\ESET\ESET Smart Security\local.db-journal (544 bytes)
   C:\Windows\System32\DriverStore\FileRepository\epfw.inf_amd64_neutral_d20c42e70c913283\epfw.PNF (6492 bytes)
   C:\Windows\System32\DriverStore\infpub.dat (252 bytes)
   C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5541.tmp (1 bytes)
   C:\Windows\System32\DriverStore\Temp\{6df6e753-e866-2723-f43f-6e0e79bd4327}\SET5540.tmp (8 bytes)
   C:\Windows\System32\DriverStore\infstrng.dat (1688 bytes)
   C:\Windows\System32\DriverStore\INFCACHE.0 (1861 bytes)
   C:\Windows\System32\DriverStore\infstor.dat (404 bytes)
   C:\Windows\inf\oem13.inf (1 bytes)
   C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624C.tmp (5 bytes)
   C:\Windows\System32\DriverStore\Temp\{422a73c5-3dc1-0e71-1d0a-a41cb3dc203b}\SET624B.tmp (8 bytes)
   C:\Windows\inf\oem16.inf (5 bytes)
   C:\Windows\System32\DriverStore\FileRepository\edevmon.inf_amd64_neutral_b3219a1046723b4d\edevmon.PNF (5703 bytes)
   C:\Windows\inf\oem9.inf (1 bytes)
   C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET5206.tmp (1 bytes)
   C:\Windows\System32\DriverStore\Temp\{1042aa9f-8284-0214-d5a5-547aeceec801}\SET51F6.tmp (8 bytes)
   C:\Windows\System32\DriverStore\FileRepository\ehdrv.inf_amd64_neutral_de35935fbadc0b42\ehdrv.PNF (5619 bytes)
   C:\Windows\inf\oem15.inf (2 bytes)
   C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D4.tmp (8 bytes)
   C:\Windows\System32\DriverStore\Temp\{2e85bf33-6eaf-58be-9776-27051c99bb20}\SET60D5.tmp (2 bytes)
   C:\Windows\System32\DriverStore\FileRepository\eamonm.inf_amd64_neutral_6def4c43f49cc607\eamonm.PNF (6779 bytes)
   C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5735.tmp (2 bytes)
   C:\Windows\System32\DriverStore\FileRepository\epfwlwf.inf_amd64_neutral_82eebfb309dd569f\epfwlwf.PNF (4666 bytes)
   C:\Windows\inf\oem14.inf (2 bytes)
   C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5734.tmp (8 bytes)
   C:\Windows\System32\DriverStore\Temp\{4e346155-59ba-1784-6565-7e5a55fe8113}\SET5736.tmp (44 bytes)
   C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53D9.tmp (8 bytes)
   C:\Windows\System32\DriverStore\Temp\{0ee18e09-b437-220b-1f07-5f576c6bf261}\SET53DA.tmp (1 bytes)
   C:\Windows\System32\DriverStore\FileRepository\epfwwfp.inf_amd64_neutral_30e8a68da2d9957f\epfwwfp.PNF (8695 bytes)
   C:\Windows\inf\oem12.inf (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ess_nt64_JPN.msi (10848492 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\cfg[1].xml (145 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\cfg.xml (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\CheckDriver64[1].exe (225705 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\DownloadConfig.xml (388 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\ess_nt64_JPN[1].msi (40838206 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ESETDebugLog.txt (151204 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\046C1ZNT\DownloadConfig[1].xml (1321 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CheckDriver64.exe (61540 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\eula_ess.txt (20 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherV2.xml (196 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\Setup[1].dat (4878362 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherV2[1].xml (241 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupNotification[1].xml (73 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupLauncherVer.xml (759 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\SetupNotification.xml (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Setup.exe (1298341 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\F7QBP14P\SetupLauncherVer[1].xml (759 bytes)
   C:\Windows\Installer\MSIF1F1.tmp (708 bytes)
   C:\Windows\Installer\MSIF1E1.tmp (708 bytes)
   C:\Windows\Installer\MSIF260.tmp (708 bytes)
   C:\Windows\Installer\MSIFCB3.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inxF141.tmp (33 bytes)
   C:\Windows\Installer\MSIF104.tmp (708 bytes)
   C:\ProgramData\ESET\ESET Smart Security\Installer\c8a.msi (638042 bytes)
   C:\Windows\Installer\MSIF172.tmp (708 bytes)
   C:\Windows\Installer\MSI7DF6.tmp (708 bytes)
   C:\Windows\Installer\MSIF37A.tmp (708 bytes)
   C:\Windows\Installer\MSI7D2A.tmp (708 bytes)
   C:\Windows\Installer\MSI7894.tmp (180 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3839.tmp (1327 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386A.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12EA.tmp (277 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D1.tmp (81 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C51.tmp (277 bytes)
   %Program Files%\ESET\ESET Smart Security\msvcp110.dll (663 bytes)
   %Program Files%\ESET\ESET Smart Security\em023_32.dat (31071 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3939.tmp (259 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E91.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BFF.tmp (4073 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138C.tmp (282 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1634.tmp (21 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP386B.tmp (47 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126A.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FB.tmp (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DB.tmp (283 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E49.tmp (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35CC.tmp (282 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EE.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13C0.tmp (21585 bytes)
   %Program Files%\ESET\ESET Smart Security\em006_32.dat (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1134.tmp (284 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DC8.tmp (36 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1114.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E5E.tmp (261 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1258.tmp (260 bytes)
   C:\Windows\System32\drivers\SET54B5.tmp (63 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39EC.tmp (3905 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3829.tmp (272 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D40.tmp (253 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD2.tmp (8 bytes)
   C:\Windows\Installer\MSI5380.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B49.tmp (9 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39C9.tmp (616 bytes)
   %Program Files%\ESET\ESET Smart Security\em004_32.dat (7726 bytes)
   %Program Files%\ESET\ESET Smart Security\em031_32.dat (3361 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B4A.tmp (255 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FA1.tmp (749 bytes)
   C:\Windows\System32\catroot2\dberr.txt (4929 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3925.tmp (509 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130D.tmp (272 bytes)
   C:\Windows\Installer\MSIFCE3.tmp (708 bytes)
   C:\Windows\Installer\MSIFCE4.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1D4B.tmp (34578 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1223.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C50.tmp (14 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DA0.tmp (4 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DCA.tmp (2938 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36DA.tmp (280 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DA5.tmp (209 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4557.tmp (135 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP14AC.tmp (29628 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4C.tmp (258 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D5.tmp (255 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38F5.tmp (2772 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BEF.tmp (3821 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC6.tmp (272 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1248.tmp (265 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A6A.tmp (996 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E4A.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FB2.tmp (2628 bytes)
   C:\Windows\System32\drivers\SET52E0.tmp (673 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11EF.tmp (265 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F8F.tmp (253 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A9.tmp (1 bytes)
   C:\Windows\Installer\MSIF59F.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1194.tmp (279 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1212.tmp (265 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP394A.tmp (3268 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP138B.tmp (672 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3827.tmp (279 bytes)
   %Program Files%\ESET\ESET Smart Security\em015_32.dat (6 bytes)
   %Program Files%\ESET\ESET Smart Security\em001_32.dat (4545 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4526.tmp (301 bytes)
   %Program Files%\ESET\ESET Smart Security\msvcr110.dll (851 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6218.tmp (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B7A.tmp (8729 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CB4.tmp (4 bytes)
   C:\Windows\Installer\MSI56DC.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F18.tmp (54 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDD.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1635.tmp (277 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1667.tmp (75333 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DF4.tmp (12604 bytes)
   C:\Windows\System32\drivers\SET61D3.tmp (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C7.tmp (279 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CEA.tmp (1038 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1400.tmp (22384 bytes)
   C:\Windows\Installer\MSIF4B4.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E92.tmp (264 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B47.tmp (112 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF13B0.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3828.tmp (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3ED6.tmp (3 bytes)
   %Program Files%\ESET\ESET Smart Security\em020_32.dat (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D0A.tmp (2 bytes)
   C:\Windows\Installer\MSIF5CF.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11FF.tmp (258 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D61.tmp (2380 bytes)
   %Program Files%\ESET\ESET Smart Security\em018_32.dat (1425 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5F.tmp (1648 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DFA.tmp (3917 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12B2.tmp (295 bytes)
   %Program Files%\ESET\ESET Smart Security\em006_64.dat (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38C0.tmp (295 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF35DE.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE2.tmp (274 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F90.tmp (27 bytes)
   C:\Windows\System32\drivers\SET590B.tmp (44 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F91.tmp (256 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11A4.tmp (282 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5507.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131F.tmp (259 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DB8.tmp (260 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1331.tmp (279 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF387E.tmp (283 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B7.tmp (274 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A2.tmp (301 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3C0C.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1259.tmp (260 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36EB.tmp (102 bytes)
   C:\Windows\System32\drivers\SET565B.tmp (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126B.tmp (258 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3937.tmp (258 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D50.tmp (1848 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387D.tmp (9 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{36018cd7-5d84-2dfc-c129-69056c0ccb26}\SET51A8.tmp (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E6F.tmp (1881 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP13AF.tmp (72 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B6.tmp (280 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C84.tmp (1399 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1222.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127F.tmp (294 bytes)
   C:\Windows\Installer\MSI636D.tmp (708 bytes)
   C:\Windows\System32\config\SYSTEM.LOG1 (10099 bytes)
   C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E48DDEA3BF68DF580551FA0F27950B54 (1328 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F19.tmp (286 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3826.tmp (102 bytes)
   %Program Files%\ESET\ESET Smart Security\em009_64.dat (8281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1646.tmp (2 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1367.tmp (278 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1247.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39CA.tmp (271 bytes)
   %Program Files%\ESET\ESET Smart Security\em010_32.dat (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C8B.tmp (3279 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1101.tmp (290 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF132F.tmp (252 bytes)
   %Program Files%\ESET\ESET Smart Security\em003_32.dat (7547 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1342.tmp (274 bytes)
   %Program Files%\ESET\ESET Smart Security\em018_64.dat (673 bytes)
   C:\Windows\Installer\MSI518C.tmp (708 bytes)
   %Program Files%\ESET\ESET Smart Security\em000_64.dat (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E8.tmp (261 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F8E.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FC.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DD1.tmp (169 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3F.tmp (35 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1379.tmp (290 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E4B.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DA.tmp (284 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1366.tmp (282 bytes)
   C:\Windows\Installer\MSI6205.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1290.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4546.tmp (802 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{0952b920-530d-40ae-9119-6716e6753972}\SET6217.tmp (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1355.tmp (253 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E5D.tmp (5 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127D.tmp (264 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3869.tmp (108 bytes)
   C:\Windows\Installer\MSI4F0B.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35CB.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D2B.tmp (214 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A8E.tmp (288 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126D.tmp (269 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4DE3.tmp (12 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BC9.tmp (182 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CB5.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET539E.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{3e4cb4c4-cff0-66bb-5fdf-ae5bb85f7c5a}\SET538D.tmp (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF138A.tmp (285 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF39DB.tmp (265 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EA3.tmp (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A9F.tmp (2077 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CD9.tmp (1063 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DE4.tmp (273 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1102.tmp (282 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DC9.tmp (260 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D3E.tmp (252 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38D3.tmp (15 bytes)
   %Program Files%\ESET\ESET Smart Security\em017_64.dat (30427 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A8D.tmp (37 bytes)
   %Program Files%\ESET\ESET Smart Security\em009_32.dat (7726 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C0B.tmp (81 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D0B.tmp (267 bytes)
   %Program Files%\ESET\ESET Smart Security\em002_32.dat (259130 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB5.tmp (1840 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3926.tmp (265 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36FC.tmp (1386 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF386C.tmp (284 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6071.tmp (2 bytes)
   %Program Files%\ESET\ESET Smart Security\em008_64.dat (4185 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C4.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1235.tmp (301 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3A7B.tmp (553 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4E62.tmp (9890 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF131E.tmp (267 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3ED7.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF126C.tmp (261 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1378.tmp (66 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP387F.tmp (2200 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4CC8.tmp (272 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP473E.tmp (1555561 bytes)
   C:\Windows\System32\drivers\SET633B.tmp (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35DD.tmp (94 bytes)
   %Program Files%\ESET\ESET Smart Security\em024_32.dat (26 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4547.tmp (295 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDE.tmp (261 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38BF.tmp (100 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C3.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD3.tmp (282 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP396A.tmp (3607 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4DA1.tmp (279 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3C1D.tmp (3124 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{5cadd27b-46c2-14bd-4a2c-b653bc48cd62}\SET5506.tmp (8 bytes)
   C:\Windows\Installer\MSI797F.tmp (708 bytes)
   C:\Windows\Installer\MSIFD24.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11ED.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FC.tmp (2 bytes)
   %Program Files%\ESET\ESET Smart Security\updater.dll (507 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP38E4.tmp (2920 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D7.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4F7C.tmp (29 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1234.tmp (288 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4569.tmp (1634611 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BFB.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1330.tmp (253 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{50488ef9-8b01-3005-4d82-403c5c48db10}\SET6070.tmp (8 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11C8.tmp (272 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1353.tmp (273 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1200.tmp (259 bytes)
   %Program Files%\ESET\ESET Smart Security\em021_32.dat (15019 bytes)
   %Program Files%\ESET\ESET Smart Security\em000_32.dat (55 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BDC.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3E90.tmp (269 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4FD4.tmp (564 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11B5.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B48.tmp (256 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4FD5.tmp (278 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF127E.tmp (268 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF139E.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1246.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BFA.tmp (714 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12C5.tmp (256 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3938.tmp (18 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12E9.tmp (283 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C64.tmp (2437 bytes)
   %Program Files%\ESET\ESET Smart Security\em015_64.dat (6 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF36EC.tmp (274 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C3F.tmp (198 bytes)
   C:\Windows\Installer\MSI54E8.tmp (708 bytes)
   C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD (1024 bytes)
   %Program Files%\ESET\ESET Smart Security\em022_32.dat (1281 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4C52.tmp (44 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1354.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3BE8.tmp (1 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF14CC.tmp (284 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4BCA.tmp (268 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC5.tmp (71 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP139D.tmp (40 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A7C.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF130C.tmp (272 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\{669a3b5f-d6b8-5df6-c030-b305d3f2fd60}\SET56FD.tmp (44 bytes)
   %Program Files%\ESET\ESET Smart Security\em019_32.dat (1281 bytes)
   %Program Files%\ESET\ESET Smart Security\em028_64.dat (8 bytes)
   %Program Files%\ESET\ESET Smart Security\em005_32.dat (601 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP36D9.tmp (1 bytes)
   C:\Windows\Installer\MSIFD04.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1211.tmp (271 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1103.tmp (276 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3E8F.tmp (3 bytes)
   %Program Files%\ESET\ESET Smart Security\em008_32.dat (3073 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12FB.tmp (277 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4F7D.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP39DA.tmp (93 bytes)
   %Program Files%\ESET\ESET Smart Security\em017_32.dat (30427 bytes)
   C:\Windows\inf\oem14.PNF (4666 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3AEE.tmp (2575 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4D3D.tmp (64 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4525.tmp (3 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1365.tmp (256 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF10F1.tmp (285 bytes)
   C:\Windows\Installer\MSI7CF9.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP40EF.tmp (1577253 bytes)
   C:\Windows\Temp\OLD60E6.tmp (44 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3F08.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3DB7.tmp (79 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38D2.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4558.tmp (294 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3DA6.tmp (265 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3BE9.tmp (301 bytes)
   C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E48DDEA3BF68DF580551FA0F27950B54 (573 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11D9.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F07.tmp (853 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF11DC.tmp (295 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12D6.tmp (268 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1647.tmp (279 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C40.tmp (283 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4B36.tmp (262 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B35.tmp (401 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4B5A.tmp (7861 bytes)
   C:\Windows\System32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\696F3DE637E6DE85B458996D49D759AD (813 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3936.tmp (52 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP1389.tmp (55 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF1193.tmp (277 bytes)
   C:\Windows\Installer\MSI637E.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3A6B.tmp (294 bytes)
   C:\Windows\Installer\MSI6030.tmp (708 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3F1A.tmp (1597880 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4BDB.tmp (31 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP35EE.tmp (1185 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF3EA4.tmp (268 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP3EB6.tmp (2390 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP4CC7.tmp (10 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NUP389F.tmp (2901 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4D2C.tmp (259 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF4C53.tmp (277 bytes)
   C:\Windows\System32\drivers\SET5FEE.tmp (89 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF38E3.tmp (289 bytes)
   C:\Users\"%CurrentUserName%"\AppData\Local\Temp\NSF12A1.tmp (286 bytes)

5. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   "egui" = "%Program Files%\ESET\ESET Smart Security\egui.exe /hide /waitservice"

6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.