Sample_c42e551342

by malwarelabrobot on April 24th, 2017 in Malware Descriptions.

HEUR:Trojan.Win32.Generic (Kaspersky)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.


MD5: c42e5513429f584f94154689ece548ef
SHA1: e5fce77a6391bb35cc20d819f87d8cdc310cd7b8
SHA256: 6ffd1be87bd82a9a2754adf99c2bcb0ec0dad42e8bda4795a6c8400096934b9e
SSDeep: 6144:NG5AA8EJ/ga7Jzw6DQ07rPd5WuG0s8wXOdW8HCQ/0:NFTK4a1zw60Adc0iYEQ/0
Size: 290816 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-03-02 20:30:28
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WerFault.exe:1732
%original file name%.exe:3308
wermgr.exe:2944

The Trojan injects its code into the following process(es):

svchost.exe:576

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WerFault.exe:1732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER540A.tmp.hdmp (38825 bytes)
C:\Windows\Temp\WER540A.tmp.hdmp (371136 bytes)
C:\Windows\Temp\WER5524.tmp.mdmp (163553 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\Report.wer (193230 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER53FA.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WER53FA.tmp.WERInternalMetadata.xml (51540 bytes)
C:\Windows\Temp\WER53E9.tmp.appcompat.txt (3760 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER5524.tmp.mdmp (3073 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER53E9.tmp.appcompat.txt (3 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\WER540A.tmp (0 bytes)
C:\Windows\Temp\WER53FA.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WER5524.tmp.mdmp (0 bytes)
C:\Windows\Temp\WER53FA.tmp (0 bytes)
C:\Windows\Temp\WER540A.tmp.hdmp (0 bytes)
C:\Windows\Temp\WER53E9.tmp (0 bytes)
C:\Windows\Temp\WER53E9.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WER5524.tmp (0 bytes)

The process %original file name%.exe:3308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\AppPatch\NetSyst96.dll (118569 bytes)
%Program Files%\Microsoft Meeting\svchost.exe (1715 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NetSyst96[1].dll (115321 bytes)

The process wermgr.exe:2944 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\Report.wer.tmp (205380 bytes)

Registry activity

The process WerFault.exe:1732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"145" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000573]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000573]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\145]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc"

The process %original file name%.exe:3308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\c42e5513429f584f94154689ece548ef_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\c42e5513429f584f94154689ece548ef_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
"EnableFileTracing" = "0"
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\c42e5513429f584f94154689ece548ef_RASMANCS]
"FileDirectory" = "%windir%\tracing"
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\c42e5513429f584f94154689ece548ef_RASAPI32]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\c42e5513429f584f94154689ece548ef_RASMANCS]
"EnableFileTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process wermgr.exe:2944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: 54d Application
Product Version: 1, 0, 0, 1
Legal Copyright: Copyright (C) 2017
Legal Trademarks:
Original Filename: 54d.EXE
Internal Name: 54d
File Version: 1, 0, 0, 1
File Description: 54d MFC Application
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 203097 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 208896 50986 0 0 d41d8cd98f00b204e9800998ecf8427e
.data 262144 27128 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 290816 17096 5120 2.47021 028928848f3988c948934ebac437ca33
.vmp0 311296 98264 0 0 d41d8cd98f00b204e9800998ecf8427e
.vmp1 409600 283976 284160 5.50993 a632f05a52419e131ecdeef22c4af13c
.reloc 696320 204 512 1.44214 518a3e7b56984b37b18c1a66239ae474

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://nd.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678
hxxp://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=12345678 103.7.30.86
198107.f3322.net 171.92.208.116
198207.f3322.net 114.105.151.155
dns.msftncsi.com 131.107.255.255


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY HTTP Request on Unusual Port Possibly Hostile

Traffic

GET /fcg-bin/cgi_get_portrait.fcg?uins=12345678 HTTP/1.1
Host: users.qzone.qq.com


HTTP/1.1 200 OK
X-Powered-By: TSW/Node.js
Cache-Control: max-age=86400
Connection: close
Keep-Alive: timeout=10


The Trojan connects to the servers at the following location(s):

Strings from Dumps

svchost.exe_576:

.text
`.rdata
@.data
.rsrc
@.vmp0
.vmp1
.reloc
KERNEL32.dll
imagehlp.dll
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Software\Microsoft\Windows\CurrentVersion\Policies\Network
Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32
ntdll.dll
kernel32.dll
%s%s.dll
%s (%s:%d)
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp
CCmdTarget
CNotSupportedException
comctl32.dll
comdlg32.dll
shell32.dll
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin1.inl
hhctrl.ocx
f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl
commctrl_DragListMsg
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp
f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp
mfcm90.dll
ole32.dll
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
Dw=WININET.dll
OLEACC.dll
InternetOpenUrlA
.?AVCCmdTarget@@
hXXp://198107.f3322.net:81/NetSyst96.dll
.PAVCException@@
.?AVCCmdUI@@
.PAVCMemoryException@@
.PAVCOleException@@
.PAVCObject@@
.PAVCSimpleException@@
.PAVCNotSupportedException@@
.PAVCInvalidArgException@@
.?AVCNotSupportedException@@
.?AVCTestCmdUI@@
.PAVCUserException@@
.PAVCResourceException@@
.PAVCArchiveException@@
.?AV?$CFixedStringT@V?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@$0BAA@@ATL@@
.?AV?$CStringT@_WV?$StrTraitMFC@_WV?$ChTraitsCRT@_W@ATL@@@@@ATL@@
.PAVCFileException@@
.PAVCOleDispatchException@@
%Program Files%\AppPatch\NetSyst96.dll
%Program Files%\Microsoft Meeting\svchost.exe
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
ADVAPI32.dll
%KERNEL32.dll
DOLEAUT32.dll
BfCWINSPOOL.DRV
GDI32.dll
USER32.dll
.oledlg.dll
COMDLG32.dll
SHLWAPI.dll
accKeyboardShortcut
mscoree.dll
ekernel32.dll
KERNEL32.DLL
1, 0, 0, 1
54d.EXE
All Files (*.*)
No error message is available.#Attempted an unsupported operation.$A required resource was unavailable.
Command failed.)Insufficient memory to perform operation.PSystem registry entries have been removed and the INI file (if any) was deleted.BNot all of the system registry entries (or INI file) were removed.FThis program requires the file %s, which was not found on this system.tThis program is linked to the missing export %s in the file %s. This machine may have an incompatible version of %s.
Destination disk drive is full.5Unable to read from %1, it is opened by someone else.AUnable to write to %1, it is read-only or opened by someone else.1Encountered an unexpected error while reading %1.1Encountered an unexpected error while writing %1.
#Unable to load mail system support.

svchost.exe_576_rwx_0044C000_00018000:

`h.ei

svchost.exe_576_rwx_00466000_00001000:

The ordinal %u could not be located in the dynamic link library %s

svchost.exe_576_rwx_00487000_00001000:

fD.dB

svchost.exe_576_rwx_10001000_00348000:

deflate 1.1.4 Copyright 1995-2002 Jean-loup Gailly
inflate 1.1.4 Copyright 1995-2002 Mark Adler
This software is derived from the GNU GPL XviD codec (1.3.0).
Software\Microsoft\Windows\CurrentVersion\run
\StringFileInfo\%s\CompanyName
000%x
Software\Microsoft\Windows\CurrentVersion\Run
%d * %d:
(%d-d-d d:d:d)
<%s> %s
%d.%d.%d.%d
Ourlog
%s\*.*
%s%s%s
%s%s*.*
%Y-%m-%d %H:%M
%s : %u
InternalGetUdpTableWithOwnerPid
AllocateAndGetUdpExTableFromStack
InternalGetTcpTable2
AllocateAndGetTcpExTableFromStack
%d-%d-%d %d:%d:%d
hXXp://
\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
\Local Settings\History\History.IE5\index.dat
%Y-%m-%d %H:%M:%S
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
\*.url
%sDocuments and Settings\%s\Favorites
%sUsers\%s\Favorites
192.168.1.2
GET %s HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
Host: %s:%d
Host: %s
User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0
Referer: hXXp://%s:80/hXXp://%s
:] %s
:] %d-%d-%d %d:%d:%d
%s\dllcache\magnify.exe
%s\dllcache\osk.exe
%s\dllcache\sethc.exe
%s\magnify.exe
%s\osk.exe
%s\sethc.exe
\dllcache\termsrvhack.dll
\termsrvhack.dll
%SystemRoot%\system32\termsrvhack.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
TSDISCON %s
LOGOFF %s
taskkill /f /im cmd.exe
cmd.exe
taskkill /f /im taskmgr.exe
taskmgr.exe
taskkill /f /im regedit.exe
regedit.exe
taskkill /f /im mmc.exe
mmc.exe
taskkill /f /im mstsc.exe
mstsc.exe
taskkill /f /im QQ.exe
QQ.exe
taskkill /f /im Maxthon.exe
Maxthon.exe
taskkill /f /im Firefox.exe
Firefox.exe
taskkill /f /im Chrome.exe
Chrome.exe
taskkill /f /im sogouexplorer.exe
sogouexplorer.exe
taskkill /f /im 360SE.exe
360SE.exe
taskkill /f /im IEXPLORE.exe
IEXPLORE.exe
taskkill /f /im s.exe
s.exe
PortNumber
%d/%d
\cmd.exe
explorer.exe
All Users\Microsoft\Network\Connections\Pbk\rasphone.pbk
Microsoft\Network\Connections\pbk\rasphone.pbk
Application Data\Microsoft\Network\Connections\pbk\rasphone.pbk
AppData\Roaming\Microsoft\Network\Connections\Pbk\_hiddenPbk\rasphone.pbk
%s\%s
AppData\Roaming\Microsoft\Network\Connections\pbk\rasphone.pbk
%USERPROFILE%
RasDialParams!%s#0
Iphlpapi.dll
rasphone.pbk
\Application Data\Tencent\Users\*.*
\AppData\Roaming\Tencent\Users\*.*
/IP (%s)
Net123.dat
mgui.exe
mcagent.exe
Pavsrv50.exe
SHesvchost.exe
onlinent.exe
pasvc.exe
fsaa.exe
vba32ldr.exe
spider.exe
ccapp.exe
bdnagent.exe
MsMpEng.exe
v3lsvc.exe
AYAgent.aye
avgui.exe
baidusdSvc.exe
QQPCRTP.exe
ksafe.exe
rtvscan.exe
ashDisp.exe
avcenter.exe
pccmain.exe
knsdtray.exe
kxetray.exe
egui.exe
Mcshield.exe
RavMonD.exe
KvMonXP.exe
avp.exe
360sd.exe
360tray.exe
%d %c %d
1.1.4
xvid-1.3.2
%d st:%lld if:%d
XviDd%c
%Program Files%\Microsoft Meeting
12345678
198207.f3322.net
%Program Files%\Microsoft Meeting\svchost.exe
hXXp://users.qzone.qq.com/fcg-bin/cgi_get_portrait.fcg?uins=%s
hXXp://VVV.ip138.com/ips138.asp?ip=%s&action=2
hXXp://dns.aizhan.com/?q=%s
Windows Microsoft Adobe Flash
8":["hXXp://qlogo3.store.qq.com/qzone/12345678/12345678/100",80288,-1,0,0,0,"",0]})
svchost.exe
2017-04-24 10:45
C:\Windows\svchost.dat
PeekNamedPipe
DisconnectNamedPipe
CreatePipe
WinExec
GetProcessHeap
GetWindowsDirectoryA
RegCreateKeyA
RegQueryInfoKeyA
RegCreateKeyExA
RegDeleteKeyA
RegEnumKeyExA
RegOpenKeyA
RegOpenKeyExA
RegCloseKey
ShellExecuteA
MapVirtualKeyA
keybd_event
UnhookWindowsHookEx
SetWindowsHookExA
GetKeyState
ExitWindowsEx
EnumWindows
InternetOpenUrlA
.text
`.rodata
`.rotext
`.rdata
@.data
.rsrc
@.reloc
iphlpapi.dll
lIngress.exe
arpguard.exe
zrclient.exe
zrupdate.exe
zreboot.exe
This user account is used by the Visual Studio .NET Debugger
ntdll.dll

svchost.exe_3740:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WerFault.exe:1732
    %original file name%.exe:3308
    wermgr.exe:2944

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER540A.tmp.hdmp (38825 bytes)
    C:\Windows\Temp\WER540A.tmp.hdmp (371136 bytes)
    C:\Windows\Temp\WER5524.tmp.mdmp (163553 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\Report.wer (193230 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER53FA.tmp.WERInternalMetadata.xml (3 bytes)
    C:\Windows\Temp\WER53FA.tmp.WERInternalMetadata.xml (51540 bytes)
    C:\Windows\Temp\WER53E9.tmp.appcompat.txt (3760 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER5524.tmp.mdmp (3073 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\WER53E9.tmp.appcompat.txt (3 bytes)
    %Program Files%\AppPatch\NetSyst96.dll (118569 bytes)
    %Program Files%\Microsoft Meeting\svchost.exe (1715 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\NetSyst96[1].dll (115321 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_svchost.exe_ac564b64d13986da4ea92bf91ebd18c896f7991e_cab_06d055dc\Report.wer.tmp (205380 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
