Trojan.Win32.Sasfis_faf3e2458a

by malwarelabrobot on April 14th, 2018 in Malware Descriptions.

Trojan.GenericKD.12742473 (BitDefender), Trojan:Win32/Tiggre!rfn (Microsoft), HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Win32.Generic!BT (VIPRE), Trojan.DownLoader26.9635 (DrWeb), Trojan.GenericKD.12742473 (B) (Emsisoft), Trojan-FOSS!FAF3E2458ADA (McAfee), Trojan.Gen (Symantec), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), TROJ_GEN.R002C0PAB18 (TrendMicro), Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD (Lavasoft MAS)
Behaviour: Trojan, VirTool, Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: faf3e2458ada4f8aaa19e334132270b1
SHA1: f73a57b0a9dfd0bc834a490fdf58706ad8756419
SHA256: 506850321a7fcbbfa2b52e51b14ca233bc38b959e8e92a45f9e96f22f39787bf
SSDeep: 12288:N30lq7bgOcX8mvEQyQJwSHtQRqYk9Pmi6nx:iq7bgHXevaw6Lui6nx
Size: 560128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2018-01-10 05:24:08
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2788

The Trojan injects its code into the following process(es):

Update.exe:2008

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:2788 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe\Update.exe (2173377 bytes)

The process Update.exe:2008 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe\Share64.exe (1383 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\back.url (79 bytes)

The Trojan deletes the following file(s):

C:\%original file name%.exe (0 bytes)

Registry activity

The process %original file name%.exe:2788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

The process Update.exe:2008 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
59467cb77c1839dfb1b40599edab245a c:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe\Share64.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version: 10.1.10.11
Legal Copyright: Copyright (C) 2017, sfysrvfv
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 10.1.10.11
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 117329 117760 4.61314 b07f26b14d485e88c583e6ddafa903c1
.rdata 122880 31538 31744 4.27007 67ceda8bee642cfb82d02e729c083470
.data 155648 795044 6656 2.78475 75adcb198306da5efeb018dbdea1900c
.tls 954368 9 512 0 bf619eac0cdf3f68d496ea9344137e8b
.rsrc 958464 392129 392192 5.53635 d4e2de3aa058f44ed0854b996fc4037e
.reloc 1351680 10072 10240 2.97682 58e84b56c862550c2b8590a3d0927af4

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://hateroki.date/lp/thanks.php 198.54.117.244
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= 178.255.83.1
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc= 178.255.83.1
hxxp://crl.comodoca.com.cdn.cloudflare.net/COMODORSACertificationAuthority.crl 104.16.93.188
hxxp://ocsp.usertrust.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEAanQ4DU6/7UNbWj9+Fqvdg= 178.255.83.1
nc-img.com 104.25.80.63
www.namecheap.com 104.16.99.56
ocsp.comodoca.com 178.255.83.1
nogarukagolova.bit 145.249.107.233


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET CURRENT_EVENTS DNS Query Domain .bit

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:50:49 GMT
Server: Apache
Last-Modified: Tue, 10 Apr 2018 11:02:22 GMT
Expires: Tue, 17 Apr 2018 11:02:22 GMT
ETag: CCFCF173116965BEE0CFAB1DEEA04E80A34DA43F
Cache-Control: max-age=309692,public,no-transform,must-revalidate
X-OCSP-Responder-ID: rmdccaocsp21
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEAanQ4DU6/7UNbWj9+Fqvdg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:51:01 GMT
Server: Apache
Last-Modified: Tue, 10 Apr 2018 11:02:22 GMT
Expires: Tue, 17 Apr 2018 11:02:22 GMT
ETag: E710E339234494658EC044CEC5F0E505779DFE7B
Cache-Control: max-age=309680,public,no-transform,must-revalidate
X-OCSP-Responder-ID: rmdccaocsp13
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBR8sWZUnKvbRO5iJhat9GV793rVlAQUrb2YejS0Jvf6xCZU7wO94CTLVBoCECdm7lbrSfOOq9dwovyE3iI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.usertrust.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:50:44 GMT
Server: Apache
Last-Modified: Tue, 10 Apr 2018 11:02:22 GMT
Expires: Tue, 17 Apr 2018 11:02:22 GMT
ETag: F574E8D18975079DE4D90E382B09F4724F7ACFA8
Cache-Control: max-age=309697,public,no-transform,must-revalidate
X-OCSP-Responder-ID: rmdccaocsp21
Content-Length: 471
Connection: close
Content-Type: application/ocsp-response


GET /COMODORSACertificationAuthority.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.comodoca.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:50:54 GMT
Content-Type: application/x-pkcs7-crl
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d3d5e7bf8245de34f2bfa4ac7aa522d971523652654; expires=Sat, 13-Apr-19 20:50:54 GMT; path=/; domain=.crl.comodoca.com; HttpOnly
Last-Modified: Fri, 13 Apr 2018 07:25:32 GMT
ETag: W/"5ad05b6c-335"
X-CCACDN-Mirror-ID: rmdccacrl10
Cache-Control: public, max-age=3600
CF-Cache-Status: HIT
Expires: Fri, 13 Apr 2018 21:50:54 GMT
Server: cloudflare
CF-RAY: 40b0cec214dc8b04-KBP

<<< skipped >>>

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCECsuburZdTZsFIpu26N8jAc= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:50:49 GMT
Server: Apache
Last-Modified: Tue, 10 Apr 2018 11:02:22 GMT
Expires: Tue, 17 Apr 2018 11:02:22 GMT
ETag: CCFCF173116965BEE0CFAB1DEEA04E80A34DA43F
Cache-Control: max-age=309692,public,no-transform,must-revalidate
X-OCSP-Responder-ID: rmdccaocsp13
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response


GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBReAhtobFzTvhaRmVeJ38QUchY9AwQUu69+Aj36pvE8hI6t7jiY7NkyMtQCEAanQ4DU6/7UNbWj9+Fqvdg= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.comodoca.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:51:01 GMT
Server: Apache
Last-Modified: Tue, 10 Apr 2018 11:02:22 GMT
Expires: Tue, 17 Apr 2018 11:02:22 GMT
ETag: E710E339234494658EC044CEC5F0E505779DFE7B
Cache-Control: max-age=309680,public,no-transform,must-revalidate
X-OCSP-Responder-ID: rmdccaocsp21
Content-Length: 727
Connection: close
Content-Type: application/ocsp-response


GET /COMODORSACertificationAuthority.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.comodoca.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:50:54 GMT
Content-Type: application/x-pkcs7-crl
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d4597d7378816fc3a0c59f4692a7a48631523652654; expires=Sat, 13-Apr-19 20:50:54 GMT; path=/; domain=.crl.comodoca.com; HttpOnly
Last-Modified: Fri, 13 Apr 2018 07:25:32 GMT
ETag: W/"5ad05b6c-335"
X-CCACDN-Mirror-ID: rmdccacrl10
Cache-Control: public, max-age=3600
CF-Cache-Status: HIT
Expires: Fri, 13 Apr 2018 21:50:54 GMT
Server: cloudflare
CF-RAY: 40b0cec2162a8219-KBP

<<< skipped >>>

GET /lp/thanks.php HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: hateroki.date
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: nginx
Date: Fri, 13 Apr 2018 20:50:33 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=15
Vary: Accept-Encoding
Set-Cookie: .s=07b4988ba48a4d10b4649f4b6de1a6db; domain=.VVV.namecheap.com; path=/; samesite=lax; httponly
Set-Cookie: x-ncpl-csrf=e6945e1ad3484f66a8bfa099910729b2; domain=.VVV.namecheap.com; path=/; samesite=lax; httponly
X-Proxy-Cache: HIT
e81
<html>
<head lang="en">
<meta charset="UTF-8"/>
<title>Registrant WHOIS contact information verification | Namecheap.com</title>
<meta name="viewport" content="width=device-width, initial-scale=1"/>
<link rel="shortcut icon" href="hXXps://VVV.namecheap.com/assets/img/nc-icon/favicon.ico"/>
<script type="text/javascript">

<<< skipped >>>

GET /COMODORSACertificationAuthority.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.comodoca.com


HTTP/1.1 200 OK
Date: Fri, 13 Apr 2018 20:50:54 GMT
Content-Type: application/x-pkcs7-crl
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d5c437c31032aac9234d05f4fafb7833c1523652654; expires=Sat, 13-Apr-19 20:50:54 GMT; path=/; domain=.crl.comodoca.com; HttpOnly
Last-Modified: Fri, 13 Apr 2018 07:25:32 GMT
ETag: W/"5ad05b6c-335"
X-CCACDN-Mirror-ID: rmdccacrl10
Cache-Control: public, max-age=3600
CF-Cache-Status: HIT
Expires: Fri, 13 Apr 2018 21:50:54 GMT
Server: cloudflare
CF-RAY: 40b0cec2125f824f-KBP

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

Update.exe_2008:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
oleaut32.dll
EVariantBadIndexError
185.121.177.177
31.171.251.118
51.255.48.78
130.255.73.90
104.238.186.189
89.18.27.167
dnsapi.dll
%d.%d.%d.%d
taskmgr.exe
ProcessHacker.exe
procexp.exe
ProcessLasso.exe
SystemExplorer.exe
AnVir.exe
TMX64.exe
nogarukagolova.bit
Share64.exe
Update.exe
hXXp://hateroki.date/lp/thanks.php
URL=file:///
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetCPInfo
MsgWaitForMultipleObjects
shell32.dll
ShellExecuteA
.text
P`.data
`@.eh_fram
0@.bss
.rsrc
pipe
libgcc_s_dw2-1.dll
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
[%s:%u] duplicate job received, ignore
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] getaddrinfo error: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
[%s:%u] JSON decode failed: "%s"
[%s:%u] read error: "%s"
login
[%s:%u] connect error: "%s"
[%s:%u] DNS error: "%s"
[%s:%u] DNS error: "No IPv4 records found"
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
rejected (%lld/%lld) diff %u "%s" (%llu ms)
accepted (%lld/%lld) diff %u (%llu ms)
[01;37m%s:%d
[01;37m%d
new job from %s:%d diff %d
stratum tcp://
.nicehash.com
%d.%d.%d
libuv/%s
libjansson/%s
unable to open %s: %s
%s:%d: %s
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
userpass
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--no-huge-pages disable huge pages support
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
gcc/%d.%d.%d
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* POOL #%d: %s:%d
[01;37mPOOL #%d:
[01;36m%s:%d
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
Huge pages support was successfully enabled, but reboot required to use it
%s/%s (Windows NT %lu.%lu
) libuv/%s
\uX
\uX\uX
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
[%c%c%c] %-8s %p
Unknown system error %d
EAFNOSUPPORT
EMSGSIZE
EPIPE
EPROTONOSUPPORT
ESPIPE
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.14.1
!loop->wq_async.async_sent
((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE
%s: (%d) %s
(%d) %s
src/win/pipe.c
pipe->flags & UV_HANDLE_CONNECTION
pipe->u.fd == -1 || pipe->u.fd > 2
req->pipeHandle == INVALID_HANDLE_VALUE
req->pipeHandle != INVALID_HANDLE_VALUE
handle->type == UV_NAMED_PIPE
hThread == handle->pipe.conn.readfile_thread
req->write_buffer.base
!(handle->flags & UV_HANDLE_PIPESERVER)
pipe->type == UV_NAMED_PIPE
pipe->flags & UV_HANDLE_READ_PENDING
!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
\\?\pipe\uv\%p-%lu
handle->pipe.serv.accept_reqs
handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE
avail >= sizeof(ipc_frame.header)
bytes == sizeof(ipc_frame.header)
ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)
avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)
bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)
handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes
handle->write_queue_size >= req->u.io.queued_bytes
handle->stream.conn.write_reqs_pending > 0
pipe->pipe.conn.eof_timer == NULL
!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
pipe->pipe.conn.ipc_pid != -1
rfds.fd_count == 1
rfds.fd_array[0] == handle->socket
wfds.fd_count == 1
wfds.fd_array[0] == handle->socket
efds.fd_count == 1
efds.fd_array[0] == handle->socket
!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))
src/win/tcp.c
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
handle->type == UV_TCP
(tcp)->activecnt >= 0
!((tcp)->flags & UV__HANDLE_CLOSING)
handle->tty.rd.read_line_buffer.base != NULL
handle->tty.rd.read_line_buffer.len > 0
handle->u.fd == -1 || handle->u.fd > 2
!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL
src/win/udp.c
handle->type == UV_UDP
handle->send_queue_size >= req->u.io.queued_bytes
len > 0 && len < ARRAY_SIZE(key_name)
_ntdll.dll
powrprof.dll
0.0.0.0
0123456789
%u.%u.%u.%u
fdopt.data.stream->type == UV_NAMED_PIPE
!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)
!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)
mode == (PIPE_READMODE_BYTE | PIPE_WAIT)
0.4.0
operator
operator
global constructors keyed to
global destructors keyed to
operator""
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
Error cleaning up spin_keys for thread
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
Assertion failed: (%s), file %s, line %d
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
C%p %d %s
C%p %d V=%0X w=%ld %s
GCC: (Rev2, Built by MSYS2 project) 7.1.0
GCC: (Rev1, Built by MSYS2 project) 7.2.0
RegOpenKeyExW
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
GetNamedPipeHandleStateA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeW
_acmdln
_amsg_exit
MapVirtualKeyW
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
PSAPI.DLL
USER32.dll
USERENV.dll
WS2_32.dll
<requestedExecutionLevel level="asInvoker"/>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
KWindows
UrlMon
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Setup" type="win32"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ntdll.dll
Cadvapi32.dll
%s\%.*s
\\?\UNC\
eHARDWARE\DESCRIPTION\System\CentralProcessor\%d
File: %ws, Line %u
tmsvcrt.dll
10.1.10.11

Update.exe_2008_rwx_00272000_0005B000:

.idata
.tls`,`
!-T%C
ZA.YX!#
I%UnRP
kernel32.dllj
$ @** ](
'g.yy`5
T@.HW*
!&-&!/,`
?456789:;<=
!"#$%&'()* ,-./0123
5.48.78
taskmgr.exe
nogarukagolova.bit
/lp/thanks.php(
Sc.ur#?
URL=fR
Keyboard
1U1e1<3a3{3
%HM)
@.eh_fFw
.CRT`-8
b~.UB
!?.tI
\%F<!
%CQSd
u>%s8
J-O}6}
%X}Pm
=T%.AT
E)ae%d#N
4Y|#%u
%_T%F
%C (7A
.Nl&NHb
k]3
%fP!,4,fE
ox%Fr
s\
%Nn
Ý)6
{8%Se
xW.wX% `
{l$ %cV
D`%S"
Um`K%dJ
& TcpVU4T
"qxcT#qP%D-
A &s%DU
gP@-t}
!_}'-;="-
Cx@%X|D
`UÝ
8F.tFK:
<2(}('(}$
-R}p5
xpexE
pipe.
p%%ux
l`-Z}
=$
)
m<%DP
`.CtG
-Z}d|t
:!%u;
-q}ld
%d]T@
:!%D"lT(
!.AP)
(!>%xn
<F%XA
|$ <" ,@
XL%d!
-t}D\t6<V*
&5P%7X#5
`d`.uX
gip@]t%c
).VtA4"
.vXhE1
<%4|C%D"2
libgcc_s_dw2-1.dll
"%s" hash self-test failed
[%d-
stratum tcp`9.
`.of%
PASSWORD@
&1*%sa
D@2%%CxA
POOL #%d
MbP?%f
L!.%c!1uM@-m_r
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
uX
figB.ga#
SUPPORT@1G
ObsSHU
1.14.1
\\?\b
.hNferl
PC_TCP_
u.io.
%l.R/udp 4$,
.hr"5
PC7VIE!.iE
<`}7@-:@
%s(%g, %g) (
V=%0X H=`4@T
2@.si
@0>t-XA}E
-u#.qG42
.MmPSe(`
%s3;v
u %F-
%d,%*|"B
`.OpB
E@.lc
@.np[0
|`%sa-
aK@%u@eL
@.ngE
%E<A%fR
IPHLP@W.DL
msvcrt
edOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/ "
1f676c76-80e1-4239-95bb-83d0f6d0da7
evice\HarddiskVolume1\Users\"%CurrentUserName%"\AppData\Roaming\Adobe\Update.exe
OS=Windows_NT
Path=C:\Perl\site\bin;C:\Perl\bin;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;c:\Program Files\Wireshark
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;
C:\Windows\system32\oleaut32.dll

Update.exe_2008_rwx_60000000_000C8000:

.idata
.rdata
P.reloc
P.rsrc
kernel32.dll
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
185.121.177.177
31.171.251.118
51.255.48.78
130.255.73.90
104.238.186.189
89.18.27.167
dnsapi.dll
%d.%d.%d.%d
taskmgr.exe
ProcessHacker.exe
procexp.exe
ProcessLasso.exe
SystemExplorer.exe
AnVir.exe
TMX64.exe
nogarukagolova.bit
Share64.exe
Update.exe
hXXp://hateroki.date/lp/thanks.php
URL=file:///
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
GetCPInfo
MsgWaitForMultipleObjects
shell32.dll
ShellExecuteA
1U1e1<3a3{3
:0;9<9=@=
1 2(272|2
.text
P`.data
`@.eh_fram
0@.bss
.rsrc
%UUUU
UUUU%UUUU
pipe
libgcc_s_dw2-1.dll
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
[%s:%u] duplicate job received, ignore
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] getaddrinfo error: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
[%s:%u] JSON decode failed: "%s"
[%s:%u] read error: "%s"
login
[%s:%u] connect error: "%s"
[%s:%u] DNS error: "%s"
[%s:%u] DNS error: "No IPv4 records found"
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
rejected (%lld/%lld) diff %u "%s" (%llu ms)
accepted (%lld/%lld) diff %u (%llu ms)
[01;37m%s:%d
[01;37m%d
new job from %s:%d diff %d
stratum tcp://
.nicehash.com
%d.%d.%d
libuv/%s
libjansson/%s
unable to open %s: %s
%s:%d: %s
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
userpass
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--no-huge-pages disable huge pages support
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
gcc/%d.%d.%d
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* POOL #%d: %s:%d
[01;37mPOOL #%d:
[01;36m%s:%d
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
Huge pages support was successfully enabled, but reboot required to use it
%s/%s (Windows NT %lu.%lu
) libuv/%s
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
\uX
\uX\uX
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
[%c%c%c] %-8s %p
Unknown system error %d
EAFNOSUPPORT
EMSGSIZE
EPIPE
EPROTONOSUPPORT
ESPIPE
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.14.1
!loop->wq_async.async_sent
((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE
%s: (%d) %s
(%d) %s
src/win/pipe.c
pipe->flags & UV_HANDLE_CONNECTION
pipe->u.fd == -1 || pipe->u.fd > 2
req->pipeHandle == INVALID_HANDLE_VALUE
req->pipeHandle != INVALID_HANDLE_VALUE
handle->type == UV_NAMED_PIPE
hThread == handle->pipe.conn.readfile_thread
req->write_buffer.base
!(handle->flags & UV_HANDLE_PIPESERVER)
pipe->type == UV_NAMED_PIPE
pipe->flags & UV_HANDLE_READ_PENDING
!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
\\?\pipe\uv\%p-%lu
handle->pipe.serv.accept_reqs
handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE
avail >= sizeof(ipc_frame.header)
bytes == sizeof(ipc_frame.header)
ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)
avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)
bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)
handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes
handle->write_queue_size >= req->u.io.queued_bytes
handle->stream.conn.write_reqs_pending > 0
pipe->pipe.conn.eof_timer == NULL
!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
pipe->pipe.conn.ipc_pid != -1
rfds.fd_count == 1
rfds.fd_array[0] == handle->socket
wfds.fd_count == 1
wfds.fd_array[0] == handle->socket
efds.fd_count == 1
efds.fd_array[0] == handle->socket
!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))
src/win/tcp.c
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
handle->type == UV_TCP
(tcp)->activecnt >= 0
!((tcp)->flags & UV__HANDLE_CLOSING)
handle->tty.rd.read_line_buffer.base != NULL
handle->tty.rd.read_line_buffer.len > 0
handle->u.fd == -1 || handle->u.fd > 2
!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL
src/win/udp.c
handle->type == UV_UDP
handle->send_queue_size >= req->u.io.queued_bytes
len > 0 && len < ARRAY_SIZE(key_name)
_ntdll.dll
powrprof.dll
0.0.0.0
0123456789
%u.%u.%u.%u
fdopt.data.stream->type == UV_NAMED_PIPE
!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)
!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)
mode == (PIPE_READMODE_BYTE | PIPE_WAIT)
0.4.0
operator
operator
global constructors keyed to
global destructors keyed to
operator""
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
Error cleaning up spin_keys for thread
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
Assertion failed: (%s), file %s, line %d
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
C%p %d %s
C%p %d V=%0X w=%ld %s
GCC: (Rev2, Built by MSYS2 project) 7.1.0
GCC: (Rev1, Built by MSYS2 project) 7.2.0
RegOpenKeyExW
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
GetNamedPipeHandleStateA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeW
_acmdln
_amsg_exit
MapVirtualKeyW
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
PSAPI.DLL
USER32.dll
USERENV.dll
WS2_32.dll
<requestedExecutionLevel level="asInvoker"/>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
KWindows
UrlMon
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Setup" type="win32"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
Invalid property value List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d)
%s.Seek not implemented$Operation not allowed on sorted list
Thread creation error: %s
Thread Error: %s (%d)
Cannot assign a %s to a %sECheckSynchronize called from thread $%x, which is NOT the main thread%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
External exception %x
Interface not supported
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
ntdll.dll
Cadvapi32.dll
%s\%.*s
\\?\UNC\
eHARDWARE\DESCRIPTION\System\CentralProcessor\%d
File: %ws, Line %u
tmsvcrt.dll

Share64.exe_3140:

.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
.rsrc
%UUUU
UUUU%UUUU
pipe
libgcc_s_dw2-1.dll
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
[%s:%u] duplicate job received, ignore
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}
[%s:%u] getaddrinfo error: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
[%s:%u] JSON decode failed: "%s"
[%s:%u] read error: "%s"
login
[%s:%u] connect error: "%s"
[%s:%u] DNS error: "%s"
[%s:%u] DNS error: "No IPv4 records found"
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}
[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
rejected (%lld/%lld) diff %u "%s" (%llu ms)
accepted (%lld/%lld) diff %u (%llu ms)
[01;37m%s:%d
[01;37m%d
new job from %s:%d diff %d
stratum tcp://
.nicehash.com
%d.%d.%d
libuv/%s
libjansson/%s
unable to open %s: %s
%s:%d: %s
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
userpass
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--no-huge-pages disable huge pages support
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
gcc/%d.%d.%d
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
* POOL #%d: %s:%d
[01;37mPOOL #%d:
[01;36m%s:%d
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
Huge pages support was successfully enabled, but reboot required to use it
%s/%s (Windows NT %lu.%lu
) libuv/%s
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
\uX
\uX\uX
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
[%c%c%c] %-8s %p
Unknown system error %d
EAFNOSUPPORT
EMSGSIZE
EPIPE
EPROTONOSUPPORT
ESPIPE
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
1.14.1
!loop->wq_async.async_sent
((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE
%s: (%d) %s
(%d) %s
src/win/pipe.c
pipe->flags & UV_HANDLE_CONNECTION
pipe->u.fd == -1 || pipe->u.fd > 2
req->pipeHandle == INVALID_HANDLE_VALUE
req->pipeHandle != INVALID_HANDLE_VALUE
handle->type == UV_NAMED_PIPE
hThread == handle->pipe.conn.readfile_thread
req->write_buffer.base
!(handle->flags & UV_HANDLE_PIPESERVER)
pipe->type == UV_NAMED_PIPE
pipe->flags & UV_HANDLE_READ_PENDING
!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
\\?\pipe\uv\%p-%lu
handle->pipe.serv.accept_reqs
handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE
avail >= sizeof(ipc_frame.header)
bytes == sizeof(ipc_frame.header)
ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)
avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)
bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)
handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes
handle->write_queue_size >= req->u.io.queued_bytes
handle->stream.conn.write_reqs_pending > 0
pipe->pipe.conn.eof_timer == NULL
!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
pipe->pipe.conn.ipc_pid != -1
rfds.fd_count == 1
rfds.fd_array[0] == handle->socket
wfds.fd_count == 1
wfds.fd_array[0] == handle->socket
efds.fd_count == 1
efds.fd_array[0] == handle->socket
!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))
src/win/tcp.c
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
handle->type == UV_TCP
(tcp)->activecnt >= 0
!((tcp)->flags & UV__HANDLE_CLOSING)
handle->tty.rd.read_line_buffer.base != NULL
handle->tty.rd.read_line_buffer.len > 0
handle->u.fd == -1 || handle->u.fd > 2
!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL
src/win/udp.c
handle->type == UV_UDP
handle->send_queue_size >= req->u.io.queued_bytes
len > 0 && len < ARRAY_SIZE(key_name)
_ntdll.dll
kernel32.dll
powrprof.dll
0.0.0.0
0123456789
%u.%u.%u.%u
fdopt.data.stream->type == UV_NAMED_PIPE
!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)
!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)
mode == (PIPE_READMODE_BYTE | PIPE_WAIT)
0.4.0
operator
operator
global constructors keyed to
global destructors keyed to
operator""
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
Error cleaning up spin_keys for thread
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
Assertion failed: (%s), file %s, line %d
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
C%p %d %s
C%p %d V=%0X w=%ld %s
GCC: (Rev2, Built by MSYS2 project) 7.1.0
GCC: (Rev1, Built by MSYS2 project) 7.2.0
RegCloseKey
RegOpenKeyExW
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
GetNamedPipeHandleStateA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeW
_acmdln
_amsg_exit
MapVirtualKeyW
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
PSAPI.DLL
USER32.dll
USERENV.dll
WS2_32.dll
<requestedExecutionLevel level="asInvoker"/>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/>
<!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
ntdll.dll
Cadvapi32.dll
%s\%.*s
\\?\UNC\
eHARDWARE\DESCRIPTION\System\CentralProcessor\%d
File: %ws, Line %u
tmsvcrt.dll

conhost.exe_536:

.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641

iexplore.exe_2956:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
)user32.dll
Kernel32.DLL
)xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

iexplore.exe_3244:

.text
`.data
.rsrc
@.reloc
>.uzf
.us;}
IEFRAME.dll
MLANG.dll
iertutil.dll
urlmon.dll
ole32.dll
SHELL32.dll
SHLWAPI.dll
msvcrt.dll
USER32.dll
KERNEL32.dll
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
GetWindowsDirectoryW
_amsg_exit
_wcmdln
UrlApplySchemeW
PathIsURLW
UrlCanonicalizeW
UrlCreateFromPathW
iexplore.pdb
KEYW
KEYWh
KEYWD
.ENNNG.
a.ry.v
l.igM4
?1%SGf
xh.JW^
.97777"7" " " !
3.... )) 
8888888888888
8888888888
.lPV)
úW1
.ApX/
H.ZAf
ð[U
%s!FK
1YYYY1YY9GEAA=77YRNNNW:.VT1
888777777
Y.hilkRROMLK=C,
..(((($$
3...((((%
3....(.''$
3.2...((((%
33.2....(,'
55323222...
(%&'00443445?
00.,,,4(
000.,,9(
0020..9(
003200;(
(#'( (''''!'!
Microsoft.InternetExplorer.Default
)user32.dll
Kernel32.DLL
)xfire.exe
wlmail.exe
winamp.exe
waol.exe
sidebar.exe
psocdesigner.exe
np.exe
netscape.exe
netcaptor.exe
neoplanet.exe
msn.exe
mshtmpad.exe
mshta.exe
loader42.exe
infopath.exe
iexplore.exe
iepreview.exe
groove.exe
explorer.exe
dreamweaver.exe
contribute.exe
aol.exe
{28fb17e0-d393-439d-9a21-9474a070473a}
Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings
DShell32.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe
Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}
"%s" %s
Kernel32.dll
\AppPatch\sysmain.sdb
-extoff go.microsoft.com/fwlink/?LinkId=106323
-extoff go.microsoft.com/fwlink/?LinkId=106322
-extoff go.microsoft.com/fwlink/?LinkId=106320
kernel32.dll
{00000000-0000-0000-0000-000000000000}
\\?\Volume
shell:%s
Imaging_CreateWebPagePreview_Perftrack
Browseui_Tabs_Tearoff_BetweenWindows
Frame_URLEntered
Imaging_CreateWebPagePreview
WS_ExecuteQuery
Shdocvw_BaseBrowser_FireEvent_WindowStateChanged
IdleTask_Execution_Time
9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)
IEXPLORE.EXE
Windows
9.00.8112.16421

SearchProtocolHost.exe_2684:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
</MSG></TRC>
<MSG>
<ERR> 0xx=
<LOC> %s(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<LOC> %S(%d) </LOC>
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_1304:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
<requestedExecutionLevel
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
<Exception><HR>0xx</HR><eip>%p</eip><module>%S</module><line>%d</line></Exception>
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
<MSG>
<ERR> 0xx=
<LOC> %S(%d) </LOC>
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
</MSG></TRC>
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2788

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe\Update.exe (2173377 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Adobe\Share64.exe (1383 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\back.url (79 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
