Win32.Expiro.Gen.4_10b3854e07

by malwarelabrobot on August 14th, 2017 in Malware Descriptions.

Win32.Expiro.Gen.5 (BitDefender), UDS:DangerousObject.Multi.Generic (Kaspersky), Virus.Win32.Expiro.dp (v) (VIPRE), Win32.Expiro.Gen.5 (B) (Emsisoft), Generic Obfuscated.g (McAfee), W32.Xpiro.I (Symantec), Win32.Expiro.Gen.5 (FSecure), Win32:MalOb-FE [Cryp] (AVG), Win32:MalOb-FE [Cryp] (Avast), Win32.Expiro.Gen.4 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, VirusExpiro.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 10b3854e07c5cbdeec853b6ccfa371e8
SHA1: 1a91982b9ee7fa374b17633fbfcade9e8c45b03e
SHA256: 07bc355ff4a10eab026ef0b5193354cd3c3aa78bf1ed7d09160d9661ad654dd5
SSDeep: 12288:IuPsDm3/m5PUfqHv ccEp/lnrQIf4p6X:IvS/sMiHv vEpRQLY
Size: 504832 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-11-09 01:32:28
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WerFault.exe:3340
FlashPlayerUpdateService.exe:160
FlashPlayerUpdateService.exe:2732
wermgr.exe:3832
msdtc.exe:2820
FlashPlayerInstaller.exe:1768

The Trojan injects its code into the following process(es):

%original file name%.exe:1792
dllhost.exe:2508

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WerFault.exe:3340 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER8EC8.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WER8EF7.tmp.hdmp (606659 bytes)
C:\Windows\Temp\WER8DEC.tmp.appcompat.txt (16006 bytes)
C:\Windows\Temp\WER8EC8.tmp.WERInternalMetadata.xml (53648 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\Report.wer (171900 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER8DEC.tmp.appcompat.txt (31 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER8EF7.tmp.hdmp (168482 bytes)
C:\Windows\Temp\WER98E7.tmp.mdmp (238736 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER98E7.tmp.mdmp (15278 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\WER98E7.tmp (0 bytes)
C:\Windows\Temp\WER8EF7.tmp.hdmp (0 bytes)
C:\Windows\Temp\WER8DEC.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WER8EC8.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WER8EC8.tmp (0 bytes)
C:\Windows\Temp\WER8DEC.tmp (0 bytes)
C:\Windows\Temp\WER98E7.tmp.mdmp (0 bytes)
C:\Windows\Temp\WER8EF7.tmp (0 bytes)

The process FlashPlayerUpdateService.exe:160 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Microsoft.NET\Framework\v4.0.30319\agmkmlpm.tmp (274 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
C:\Windows\Temp\{9A71E180-99B2-4D73-A9D5-CD61CA7B7113}\fpi.tmp (3510797 bytes)
C:\Windows\System32\FlashPlayerInstaller.exe (12387 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\{9A71E180-99B2-4D73-A9D5-CD61CA7B7113}\fpi.tmp (0 bytes)
C:\Windows\Temp\{9A71E180-99B2-4D73-A9D5-CD61CA7B7113} (0 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\agmkmlpm.tmp (0 bytes)

The process FlashPlayerUpdateService.exe:2732 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\Macromed\Flash\FlashInstall32.log (82 bytes)

The process %original file name%.exe:1792 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\hjmoqhep.tmp (766 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
C:\ProgramData\McAfee\MCLOGS\PartnerCustom\10b3854e07c5cbdeec853b6ccfa371e8\10b3854e07c5cbdeec853b6ccfa371e8000.log (546 bytes)
C:\Windows\ehome\cegandcd.tmp (336 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\ehome\dlamdmgi.tmp (800 bytes)
%Program Files%\Google\Update\bomnjomh.tmp (384 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\iibejbpb.tmp (304 bytes)
C:\Windows\System32\Macromed\Flash\nghjmjpk.tmp (507 bytes)
C:\Windows\System32\ifmpncoc.tmp (301 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7433 bytes)
C:\Windows\System32\jdfkglda.tmp (252 bytes)
C:\Windows\System32\alg.exe (1425 bytes)
C:\Windows\ehome\ehsched.exe (2105 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
C:\ProgramData\McAfee Security Scan\ftstate.ini (1394 bytes)
C:\Windows\System32\dllhost.exe (1281 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ndgapmna.tmp (1 bytes)
C:\Windows\ehome\ehrecvr.exe (5873 bytes)
C:\Windows\System32\FXSSVC.exe (5441 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\hjmoqhep.tmp (0 bytes)
%Program Files%\Google\Update\bomnjomh.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\iibejbpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\nghjmjpk.tmp (0 bytes)
C:\Windows\System32\ifmpncoc.tmp (0 bytes)
C:\Windows\System32\jdfkglda.tmp (0 bytes)
C:\Windows\ehome\dlamdmgi.tmp (0 bytes)
C:\Windows\ehome\cegandcd.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ndgapmna.tmp (0 bytes)

The process dllhost.exe:2508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\Macromed\Flash\nllgbmha.tmp (508 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (2105 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\hdpmggmc.tmp (333 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64D68604-B96B-4F93-8E98-6E5C7ECA5AB9}.crmlog (623 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
%Program Files%\WinPcap\ollefhpn.tmp (352 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6449DAA2-11E9-4EC1-8705-3C2DA8ED4E32}.crmlog (1600 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\Macromed\Flash\nllgbmha.tmp (0 bytes)
%Program Files%\WinPcap\ollefhpn.tmp (0 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64D68604-B96B-4F93-8E98-6E5C7ECA5AB9}.crmlog (0 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\hdpmggmc.tmp (0 bytes)

The process wermgr.exe:3832 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\Report.wer.tmp (175218 bytes)

The process msdtc.exe:2820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\config\SOFTWARE (89458 bytes)
C:\Windows (288 bytes)
C:\$Directory (768 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (83503 bytes)
C:\Windows\System32\Msdtc\MSDTC.LOG (2580 bytes)
C:\Windows\System32\Msdtc\Trace\dtctrace.log (16 bytes)
C:\Windows\System32 (192 bytes)

The process FlashPlayerInstaller.exe:1768 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (546 bytes)
C:\Windows\System32\Macromed\Temp\{213BAE2D-F86C-443A-BE98-BB1216CFCC40}\fpb.tmp (1093 bytes)
C:\Windows\System32\FlashPlayerApp.exe (803 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe (50 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.dll (545 bytes)
C:\Windows\System32\Macromed\Flash\FlashInstall32.log (9 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (449 bytes)
C:\Windows\System32\Macromed\Temp\{D63324E1-A4E8-4834-B97A-B820EF7B8FC4}\fpb.tmp (50 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_26_0_0_151.ocx (12387 bytes)
C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\Macromed\Temp (0 bytes)
C:\Windows\System32\Macromed\Temp\{D63324E1-A4E8-4834-B97A-B820EF7B8FC4} (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashInstall.log (0 bytes)
C:\Windows\System32\Macromed\Temp\{213BAE2D-F86C-443A-BE98-BB1216CFCC40}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.exe (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.dll (0 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (0 bytes)
C:\Windows\System32\Macromed\Temp\{D63324E1-A4E8-4834-B97A-B820EF7B8FC4}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Temp\{213BAE2D-F86C-443A-BE98-BB1216CFCC40} (0 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_23_0_0_185.ocx (0 bytes)

Registry activity

The process WerFault.exe:3340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "4D 4F 43 E0 01 00 00 00 00 00 00 00 6F D3 BC 75"

The Trojan deletes the following value(s) in system registry:

[\REGISTRY\A\{0AE2870A-914A-11E6-8980-0050563844C4}\DefaultObjectStore\ObjectTable\143]
"AeFileID"
"AeProgramID"

The process FlashPlayerUpdateService.exe:160 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"qagentrt.dll,-10" = "System Health Authentication"
"p2pcollab.dll,-8042" = "Peer to Peer Trust"
"fveui.dll,-844" = "BitLocker Data Recovery Agent"
"fveui.dll,-843" = "BitLocker Drive Encryption"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"UpdateAttempts" = "1"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30\52C64B7E\@%SystemRoot%\system32]
"dnsapi.dll,-103" = "Domain Name System (DNS) Server Trust"

The process FlashPlayerUpdateService.exe:2732 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"

The process wermgr.exe:3832 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf"

The process FlashPlayerInstaller.exe:1768 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry (these entries match a regular Adobe Flash Player ActiveX 26.0.0.151 installation, and the installer package is fetched from fpdownload2.macromedia.com in the Traffic section below, so treat them as the Adobe updater's own activity unless the updater binary itself is found to be infected):

[HKCR\ShockwaveFlash.ShockwaveFlash.22]
"(Default)" = "Shockwave Flash Object"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
"(Default)" = "FlashBroker"

[HKCR\ShockwaveFlash.ShockwaveFlash.24]
"(Default)" = "Shockwave Flash Object"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe,-17"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"Extension" = ".spl"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayName" = "Adobe Flash Player 26 ActiveX"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe]
"DisableExceptionChainValidation" = "0"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
"(Default)" = "Macromedia Flash Paper"

[HKCR\ShockwaveFlash.ShockwaveFlash]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isMSI" = "0"

[HKCR\ShockwaveFlash.ShockwaveFlash.25\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"LocalizedString" = "@C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe,-101"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"18.0" = "4294967295"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.26"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"25.0" = "4294967295"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"16.0" = "4294967295"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.26"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"

[HKCR\ShockwaveFlash.ShockwaveFlash.19]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.1]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.26]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isScriptDebugger" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"Publisher" = "Adobe Systems Incorporated"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"6.0" = "4294967295"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "FlashFactory.FlashFactory"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoRepair" = "1"
"NoModify" = "1"
"EstimatedSize" = "19647"

[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
"(Default)" = "IFlashBroker6"

[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\System.ControlPanel.Category\C:\Windows\system32]
"FlashPlayerCPLApp.cpl" = "10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMajor" = "26"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"PlayerPath" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"7.0" = "4294967295"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"

[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_26_0_0_151_ActiveX.exe]
"DisableExceptionChainValidation" = "0"

[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
"(Default)" = ""

[HKCR\FlashFactory.FlashFactory.1]
"(Default)" = "Macromedia Flash Factory Object"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"15.0" = "4294967295"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKCR\ShockwaveFlash.ShockwaveFlash.8]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"22.0" = "4294967295"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\FlashFactory.FlashFactory\CurVer]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"8.0" = "4294967295"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType]
"Release" = "1"

[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"currentVersion" = "26,0,0,151"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"20.0" = "4294967295"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"13.0" = "4294967295"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
"(Default)" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"11.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.6]
"(Default)" = "Shockwave Flash Object"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"

[HKCR\.mfp]
"(Default)" = "MacromediaFlashPaper.MacromediaFlashPaper"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"Version" = "26.0.0.151"

[HKCR\ShockwaveFlash.ShockwaveFlash.21]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\ShockwaveFlash.ShockwaveFlash.14]
"(Default)" = "Shockwave Flash Object"

[HKCR\.swf]
"Content Type" = "application/x-shockwave-flash"

[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.18]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.15]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe -nohome %1"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"(Default)" = "Shockwave Flash"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.25]
"(Default)" = "Shockwave Flash Object"

[HKCR\.spl]
"Content Type" = "application/futuresplash"

[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags" = "65536"

[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"

[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"Policy" = "3"

[HKCR\FlashFactory.FlashFactory.1\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"9.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"14.0" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppPath" = "C:\Windows\system32\Macromed\Flash"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"21.0" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMinor" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash" = ""

[HKCR\ShockwaveFlash.ShockwaveFlash.3]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags" = "0"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"

[HKCR\ShockwaveFlash.ShockwaveFlash.7]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"10.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.11]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.23]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"UninstallString" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe -maintain activex"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\FlashFactory.FlashFactory]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash.5]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.20]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx, 1"

[HKCR\ShockwaveFlash.ShockwaveFlash.9]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"Version" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"12.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\.sol]
"Content Type" = "text/plain"

[HKCR\ShockwaveFlash.ShockwaveFlash.16]
"(Default)" = "Shockwave Flash Object"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"Extension" = ".swf"

[HKCR\ShockwaveFlash.ShockwaveFlash.13]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayVersion" = "26.0.0.151"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppName" = "FlashUtil32_26_0_0_151_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"26.0" = "151"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx, 1"

[HKCR\.sor]
"Content Type" = "text/plain"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash" = ""

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"19.0" = "4294967295"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"UninstallerPath" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"24.0" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLInfoAbout" = "http://www.adobe.com"

[HKCR\.swf]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\.spl]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"17.0" = "4294967295"
"23.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.4]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\.mfp]
"Content Type" = "application/x-shockwave-flash"

[HKCR\ShockwaveFlash.ShockwaveFlash.24\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayIcon" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"RequiresIESysFile" = "4.70.0.1155"

[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isESR" = "0"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.10]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"(Default)" = "FlashBroker"

[HKCR\ShockwaveFlash.ShockwaveFlash.17]
"(Default)" = "Shockwave Flash Object"

[HKCR\FlashFactory.FlashFactory\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.12]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.26\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_23_0_0_185_ActiveX.exe]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.4]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
[HKCR\FlashFactory.FlashFactory.1]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF}]
[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\ShockwaveFlash.ShockwaveFlash.21]
[HKCR\ShockwaveFlash.ShockwaveFlash.20]
[HKCR\ShockwaveFlash.ShockwaveFlash.23]
[HKCR\ShockwaveFlash.ShockwaveFlash.22]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\FlashFactory.FlashFactory\CurVer]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\.mfp]
[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl]
[HKCR\FlashFactory.FlashFactory]
[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open]
[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.3]
[HKCR\ShockwaveFlash.ShockwaveFlash.1]
[HKCR\ShockwaveFlash.ShockwaveFlash.6]
[HKCR\ShockwaveFlash.ShockwaveFlash.7]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
[HKCR\ShockwaveFlash.ShockwaveFlash.5]
[HKCR\ShockwaveFlash.ShockwaveFlash.8]
[HKCR\ShockwaveFlash.ShockwaveFlash.9]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
[HKCR\ShockwaveFlash.ShockwaveFlash.10]
[HKCR\ShockwaveFlash.ShockwaveFlash.11]
[HKCR\ShockwaveFlash.ShockwaveFlash.12]
[HKCR\ShockwaveFlash.ShockwaveFlash.13]
[HKCR\ShockwaveFlash.ShockwaveFlash.14]
[HKCR\ShockwaveFlash.ShockwaveFlash.15]
[HKCR\ShockwaveFlash.ShockwaveFlash.16]
[HKCR\ShockwaveFlash.ShockwaveFlash.17]
[HKCR\ShockwaveFlash.ShockwaveFlash.18]
[HKCR\ShockwaveFlash.ShockwaveFlash.19]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\.spl]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
[HKCR\FlashFactory.FlashFactory\CLSID]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\FlashFactory.FlashFactory.1\CLSID]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"CurrentVersion"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash"

[HKCR\.sol]
"Content Type"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCR\.sor]
"Content Type"

Dropped PE files

MD5 File path
30b1d0d476739845864b31db3d678476 c:\Windows\System32\Macromed\Flash\Flash32_26_0_0_151.ocx
43a19b2d132d0eff5b29ecd57ba0d17c c:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.dll
d3e6add1b26bc1a450fc4fccba5814c7 c:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: McAfee, Inc.
Product Name: McAfee Security Scanner
Product Version: 3,0,0,0
Legal Copyright: Copyright (c) 2011 McAfee, Inc.
Legal Trademarks:
Original Filename: SSScheduler.exe
Internal Name: SSScheduler
File Version: 3,0,285,0
File Description: McAfee Security Scanner Scheduler
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             166590        166912    4.61186  0ff757e7fd2f73659b0b7a535083bc0a
.rdata  172032           47896         48128     3.10042  ebad57262af253982148a7b1132fada9
.data   221184           15488         6656      2.89705  fc4a04d412d71a43a208f5e9d898a5f1
.rsrc   237568           27904         28160     4.01101  141990ed9c16dc71c90f5af1abb674b2
.reloc  266240           659456        253952    5.46088  79eb4ad611663b13d0348d6c3978c473

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1293.d.akamai.net/pub/flashplayer/update/current/sau/26/install/install_all_win_ax_sgn.z
fpdownload.macromedia.com 23.64.224.74
fpdownload2.macromedia.com 62.140.236.138


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /pub/flashplayer/update/current/sau/26/install/install_all_win_ax_sgn.z HTTP/1.1
Connection: Keep-Alive
User-Agent: Download Flash Player Installer/1.0
Host: fpdownload2.macromedia.com


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 08 Aug 2017 08:29:19 GMT
ETag: "13306de-55639c27fd232"
Accept-Ranges: bytes
Content-Length: 20121310
Content-Encoding: x-compress
Date: Sun, 13 Aug 2017 03:52:27 GMT
Connection: keep-alive
[binary response body, 20121310 bytes, truncated by the sandbox: it begins with a DER-encoded PKCS#7 SignedData wrapper (the "0..3....*.H" bytes are the outer SEQUENCE header followed by the 1.2.840.113549.1.7.2 signedData OID) that encloses an MZ/PE executable whose section table names .text, .rdata, .data, .rsrc and .reloc]

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1792:

.text
`.rdata
@.data
.rsrc
@.reloc
t"j.Xf;D$Dt
xSSSh
FTPjKS
FtPj;S
C.PjRV
Av.SCv%
ADVAPI32.dll
SHELL32.dll
Visual C   CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
GetProcessWindowStation
operator
{70CC02EB-86C3-4468-B962-86194D4F7410}
{D7F77FF8-15D8-4321-8DBF-BDBDE16EE4F0}
\WinInit.Ini
%s=%s
CryptMsgGetParam
CertGetSubjectCertificateFromStore
CertGetCertificateChain
CertVerifyCertificateChainPolicy
CertGetCertificateContextProperty
CertFreeCertificateContext
CertFreeCertificateChain
CryptMsgClose
CertCloseStore
CertGetNameStringW
1.3.6.1.5.5.7.3.3
1.2.840.113549.1.9.6
1.2.840.113549.1.9.5
Our time has passed: start finding next run time from tomorrow
dwDayOfMonth >= timestruct.tm_mday
dwDayOfMonth < timestruct.tm_mday
isn't a McAfee signed exe
E:\BuildEngineSpace\Temp\0ae3108a-0ef7-4a45-9fe8-0378577ebab1\build\Win32\Release\SSScheduler.pdb
ShellExecuteExW
GetWindowsDirectoryA
KERNEL32.dll
MsgWaitForMultipleObjectsEx
USER32.dll
OLEAUT32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
zcÁ
hNULhYa.hh5
/..gMKK
<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="SSScheduler.exe" type="win32"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
7"7)7.7<7
8 8(80888@8
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/
mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {P
wzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqI
ayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/
a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
CRTDLL.DLL
4(5-5@5{5
1$1*1/1{1
5 :$:(:,:
kkqvx_.dll
.rdata
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{
H3.rs
%s{<?{
kkqvx_64.dll
Bv.TBv
sfc_os.dll
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
Zole32.dll
%s_mtx1
crtdll.dll
*shell32.dll
%s_mtx%u
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe
ekernel32.dll
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%s\%s
%s%s\%s
%s_%s
%0.3u%s
[%s]$
[PID:] TID:]]$
[%s:]]$
[%s()]$
%s/%s/%s %s:%s:%s %s$
%s -- (%s)$
log.ini
%%%ds
3c224a00-5d51-11cf-b3ca-000000000001
\crypt32.dll
\Wintrust.dll
McUICnt.exe
Global\C9F7C095-181A-43EC-B0D8-98606268223C
Global\2811EF01-4781-4B5A-AAF2-6379EC652A3E
SecurityScanner.dll /auto /nosplash
misp://SecurityScanner.dll::default.htm
misp://SecurityScanner.dll::help.htm
E:\BuildEngineSpace\Temp\0ae3108a-0ef7-4a45-9fe8-0378577ebab1\Freetools\src\include\SSConfig.h
5ABE8520-1533-40C5-AD09-953C574F14BC
Global\6e37ae0b-776b-41c4-ab10-d32ac8cac790
ftconfig.ini
ftstate.ini
McSSConfig::readStaticConfigValues - FirstInstallWait value found in ftstate.ini
McSSConfig::readStaticConfigValues - FirstInstallWait value NOT found in ftstate.ini
McSSConfig::readStaticConfigValues - FirstInstallWait value found in ftconfig.ini
McSSConfig::readStaticConfigValues - FirstInstallWait value NOT found in ftconfig.ini
ScanUrl
McSSConfig::readStaticConfigValues - ScanUrl value found in ini
McSSConfig::readStaticConfigValues - ScanUrl value NOT found in ini
McSSConfig::readStaticConfigValues - ScanUrl =
HelpUrl
McSSConfig::readStaticConfigValues - HelpUrl value found in ini
McSSConfig::readStaticConfigValues - HelpUrl value NOT found in ini
McSSConfig::readStaticConfigValues - HelpUrl =
McUicnt.exe
Cannot create mutex. LastError - %u
SSScheduler.cpp
Couldn't launch command '%s' with parameters '%s' (%d)
Failed to read task '%s' - continuing (task will not run)
Couldn't read task command %s - continuing
Failed to write task %s after recalculating scheduled run - continuing
Failed to write one-time task %s after disabling - continuing
Failed to write chain task '%s' while enabling - continuing.
Failed to read chain task '%s' while enabling - continuing.
Couldn't write task command: %d
Couldn't write task: %d
Couldn't write initial task: %d
c:\%original file name%.exe
3,0,285,0
SSScheduler.exe

%original file name%.exe_1792_rwx_003D4000_0009E000:

.text
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/
mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {P
wzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqI
ayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/
a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
KERNEL32.dll
CRTDLL.DLL
4(5-5@5{5
1$1*1/1{1
5 :$:(:,:
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{
H3.rs
%s{<?{
kkqvx_64.dll
Bv.TBv
sfc_os.dll
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
Zole32.dll
%s_mtx1
crtdll.dll
*shell32.dll
%s_mtx%u
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe

dllhost.exe_2508:

.text
`.data
.rsrc
@.reloc
KERNEL32.dll
msvcrt.dll
ole32.dll
ntdll.dll
dllhost.pdb
_wcmdln
_amsg_exit
(8((<)((
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/
mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {P
wzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqI
ayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/
a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
CRTDLL.DLL
4(5-5@5{5
1$1*1/1{1
5 :$:(:,:
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{
H3.rs
%s{<?{
kkqvx_64.dll
K.$%D,3
Bv.TBv
sfc_os.dll
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
T%s_37
Zole32.dll
k%c:\
crtdll.dll
@%X%X
shell32.dll
*shell32.dll
(%u.%u.%u
%s%s\
\%c:\
SetupWeb_
_sfx.exe
||MSASCui.exe|msseces.exe|mseinstall.exe|Tcpview.exe|cav_installer.exe|cfw_installer.exe|cispremium_installer.exe|PandaCloudAntivirus.exe|60Second.exe|Antivirus_Free_Edition.exe|OnlineArmorSetup.exe|McAfeeSetup.exe|Vba32.NT.T.exe|Vba32.P.exe|Vba32.S.exe|Vba32.Vista.exe|Vba32.W.exe|Vba32Check.exe|Vba32RCSInstallTuner.exe|avgmfapx.exe|avg_remover_expiro.exe|
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Policies\Microsoft\Windows\System
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
%s\%s
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe
6.1.7600.16385 (win7_rtm.090713-1255)
dllhost.exe
Windows
Operating System
6.1.7600.16385

dllhost.exe_2508_rwx_01001000_00001000:

dllhost.pdb
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ole32.dll
ntdll.dll

dllhost.exe_2508_rwx_01004000_0009F000:

(8((<)((
.text
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/
mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {P
wzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqI
ayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/
a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
KERNEL32.dll
CRTDLL.DLL
4(5-5@5{5
1$1*1/1{1
5 :$:(:,:
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{
H3.rs
%s{<?{
kkqvx_64.dll
K.$%D,3
Bv.TBv
sfc_os.dll
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
T%s_37
Zole32.dll
k%c:\
crtdll.dll
@%X%X
shell32.dll
*shell32.dll
(%u.%u.%u
%s%s\
\%c:\
SetupWeb_
_sfx.exe
||MSASCui.exe|msseces.exe|mseinstall.exe|Tcpview.exe|cav_installer.exe|cfw_installer.exe|cispremium_installer.exe|PandaCloudAntivirus.exe|60Second.exe|Antivirus_Free_Edition.exe|OnlineArmorSetup.exe|McAfeeSetup.exe|Vba32.NT.T.exe|Vba32.P.exe|Vba32.S.exe|Vba32.Vista.exe|Vba32.W.exe|Vba32Check.exe|Vba32RCSInstallTuner.exe|avgmfapx.exe|avg_remover_expiro.exe|
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Policies\Microsoft\Windows\System
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
%s\%s
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe

msdtc.exe_2820:

.text
`.data
.rsrc
@.reloc
KERNEL32.dll
NTDLL.DLL
ole32.dll
msvcrt.dll
MSDTCTM.dll
VERSION.dll
USER32.dll
ADVAPI32.dll
d:\w7rtm\com\complus\dtc\inc\tracedstrsafe.h
DBGHELP.DLL
\DtcInstall.log
ld-ld-ld ld:ld : DTC Install error = %d, %s, %s (%d)
msdtcexe.pdb
_wcmdln
_amsg_exit
RtlReportException
ntdll.dll
SetProcessWindowStation
OpenWindowStationW
GetProcessWindowStation
CloseWindowStation
GetSystemWindowsDirectoryA
RegCloseKey
RegOpenKeyExW
RegOpenKeyExA
ReportEventW
version="5.1.0.0"
name="Microsoft.Windows.DTC.MSDTC"
<requestedExecutionLevel
9.UF2
%sZp3
s.kw:R
W.ZBh{T>
7677.hN
:87/-)(/
yxC5%CrJ
0 1-121V1b1g1}1
1-13181>1
d:\w7rtm\com\complus\src\inc\utsem.h
d:\w7rtm\com\complus\dtc\shared\util\dtcini.cpp
%s\%s
LoadLibrary(DbgHelp.dll) failed.
%s\%s.dmp
%s_ldldld_ldldld
d:\w7rtm\com\complus\src\shared\util\utsem.cpp
comres.dll
*** Error Code = 0xx : %s
File: %s, Line: %d
%u.%u.%u.%u
comsvcs.dll
Comsvcs.dll file version info: %s %s %s
%s\%s*.dmp
%s %d %s full
RunDll32 comsvcs.dll,MiniDump
%s\%s_d_d_d_d_d_d.dmp
d:\w7rtm\com\complus\src\shared\util\svcerr.cpp
0xX (%u)
Process.Thread=<%d.%d>
File: %s:%d
hr=0xx
*** Error in %s(%d), %s: %s
0xx [S] [lS] %s (%s@d): %s
ld-ld-ld ld:ld:ld:ld : [%4x.%4x]
%s\MSDTC-%d.log
UnregisterWait returned the 0x%x error code.
d:\w7rtm\com\complus\dtc\shared\trace\src\traceoutputsettings.cpp
Unable to open output key
Debug out enabled is now %d
Memory buffer size is now %d
Using new trace file path: %s
Unable to open sources key
Unable to read level for source %S
Now tracing %S at level %d
Unable to open MSDTC\Tracing settings key
2001.12.8530.16385 (win7_rtm.090713-1255)
MSDTC.EXE
Windows
Operating System
6.1.7600.16385

svchost.exe_3236:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WerFault.exe:3340
    FlashPlayerUpdateService.exe:160
    FlashPlayerUpdateService.exe:2732
    wermgr.exe:3832
    msdtc.exe:2820
    FlashPlayerInstaller.exe:1768

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER8EC8.tmp.WERInternalMetadata.xml (3 bytes)
    C:\Windows\Temp\WER8EF7.tmp.hdmp (606659 bytes)
    C:\Windows\Temp\WER8DEC.tmp.appcompat.txt (16006 bytes)
    C:\Windows\Temp\WER8EC8.tmp.WERInternalMetadata.xml (53648 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\Report.wer (171900 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER8DEC.tmp.appcompat.txt (31 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER8EF7.tmp.hdmp (168482 bytes)
    C:\Windows\Temp\WER98E7.tmp.mdmp (238736 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\WER98E7.tmp.mdmp (15278 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\agmkmlpm.tmp (274 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
    C:\Windows\Temp\{9A71E180-99B2-4D73-A9D5-CD61CA7B7113}\fpi.tmp (3510797 bytes)
    C:\Windows\System32\FlashPlayerInstaller.exe (12387 bytes)
    C:\Windows\System32\Macromed\Flash\FlashInstall32.log (82 bytes)
    C:\Windows\System32\hjmoqhep.tmp (766 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
    C:\ProgramData\McAfee\MCLOGS\PartnerCustom\10b3854e07c5cbdeec853b6ccfa371e8\10b3854e07c5cbdeec853b6ccfa371e8000.log (546 bytes)
    C:\Windows\ehome\cegandcd.tmp (336 bytes)
    C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
    C:\Windows\ehome\dlamdmgi.tmp (800 bytes)
    %Program Files%\Google\Update\bomnjomh.tmp (384 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\iibejbpb.tmp (304 bytes)
    C:\Windows\System32\Macromed\Flash\nghjmjpk.tmp (507 bytes)
    C:\Windows\System32\ifmpncoc.tmp (301 bytes)
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7433 bytes)
    C:\Windows\System32\jdfkglda.tmp (252 bytes)
    C:\Windows\System32\alg.exe (1425 bytes)
    C:\Windows\ehome\ehsched.exe (2105 bytes)
    %Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
    C:\ProgramData\McAfee Security Scan\ftstate.ini (1394 bytes)
    C:\Windows\System32\dllhost.exe (1281 bytes)
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ndgapmna.tmp (1 bytes)
    C:\Windows\ehome\ehrecvr.exe (5873 bytes)
    C:\Windows\System32\FXSSVC.exe (5441 bytes)
    C:\Windows\System32\Macromed\Flash\nllgbmha.tmp (508 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (2105 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\hdpmggmc.tmp (333 bytes)
    C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64D68604-B96B-4F93-8E98-6E5C7ECA5AB9}.crmlog (623 bytes)
    %Program Files%\WinPcap\rpcapd.exe (2105 bytes)
    %Program Files%\WinPcap\ollefhpn.tmp (352 bytes)
    C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{6449DAA2-11E9-4EC1-8705-3C2DA8ED4E32}.crmlog (1600 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_7974c6dc7eabf4df46a36a6e3b768b2b39eaf51_cab_0d0499bf\Report.wer.tmp (175218 bytes)
    C:\Windows\System32\config\SOFTWARE (89458 bytes)
    C:\$Directory (768 bytes)
    C:\Windows\System32\config\SOFTWARE.LOG1 (83503 bytes)
    C:\Windows\System32\Msdtc\MSDTC.LOG (2580 bytes)
    C:\Windows\System32\Msdtc\Trace\dtctrace.log (16 bytes)
    C:\Windows\System32\Macromed\Temp\{213BAE2D-F86C-443A-BE98-BB1216CFCC40}\fpb.tmp (1093 bytes)
    C:\Windows\System32\FlashPlayerApp.exe (803 bytes)
    C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe (50 bytes)
    C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.dll (545 bytes)
    C:\Windows\System32\Macromed\Flash\activex.vch (449 bytes)
    C:\Windows\System32\Macromed\Temp\{D63324E1-A4E8-4834-B97A-B820EF7B8FC4}\fpb.tmp (50 bytes)
    C:\Windows\System32\Macromed\Flash\Flash32_26_0_0_151.ocx (12387 bytes)
    C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)
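Two things stand out in the list above. First, many of the "created/modified" entries are legitimate Windows, .NET, Flash and third-party service executables (dllhost.exe, alg.exe, msdtc.exe, FXSSVC.exe, mscorsvw.exe, GoogleUpdate.exe, rpcapd.exe and so on); deleting those breaks the system, so "disinfect" here means restoring them from installation media or a known-good backup. Second, nearly every directory that holds a modified executable also received a file named with eight random lowercase letters and a .tmp extension (agmkmlpm.tmp next to aspnet_state.exe, bomnjomh.tmp next to GoogleUpdate.exe, ollefhpn.tmp next to rpcapd.exe). That pairing makes a usable triage filter over a file-activity list, whatever the .tmp turns out to be; reading it as the infector's working copy is an inference, not something the report states. The following is an added example, not part of the report: it parses lines in the report's own "path (N bytes)" form and returns each executable together with the random .tmp files written beside it. The input is a constructed excerpt of the list above, and the WER dumps, installer temp files and logs drop out because no such sibling is next to them.

```python
import re
from collections import defaultdict

# Constructed excerpt of the "created/modified" list above, in the report's own "path (N bytes)" form.
SAMPLE_LIST = r"""
C:\Windows\Temp\WER8EF7.tmp.hdmp (606659 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\agmkmlpm.tmp (274 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
C:\Windows\Temp\{9A71E180-99B2-4D73-A9D5-CD61CA7B7113}\fpi.tmp (3510797 bytes)
C:\Windows\System32\hjmoqhep.tmp (766 bytes)
C:\Windows\System32\alg.exe (1425 bytes)
C:\Windows\System32\dllhost.exe (1281 bytes)
%Program Files%\Google\Update\bomnjomh.tmp (384 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
%Program Files%\WinPcap\ollefhpn.tmp (352 bytes)
C:\Windows\System32\Macromed\Flash\FlashInstall32.log (82 bytes)
"""

LINE_RE = re.compile(r"^\s*(?P<path>.+?) \((?P<size>\d+) bytes\)\s*$")
TMP_RE = re.compile(r"^[a-z]{8}\.tmp$")  # eight random lowercase letters + .tmp, as seen above
PE_EXT = (".exe", ".dll", ".ocx", ".cpl", ".scr")

def parse_file_list(text):
    """'path (N bytes)' lines -> [(path, size)]; lines in any other shape are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append((m.group("path"), int(m.group("size"))))
    return entries

def infector_candidates(entries):
    """Map each PE to the random .tmp files written into the same directory.

    A PE with no such sibling is not returned, so WER dumps, installer temp
    files and logs fall out of the result on their own."""
    by_dir = defaultdict(lambda: {"pe": [], "tmp": []})
    for path, _size in entries:
        folder, _, base = path.rpartition("\\")
        key = folder.lower()  # Windows paths are case-insensitive
        if TMP_RE.match(base.lower()):
            by_dir[key]["tmp"].append(path)
        elif base.lower().endswith(PE_EXT):
            by_dir[key]["pe"].append(path)
    result = {}
    for group in by_dir.values():
        if group["tmp"]:
            for pe in group["pe"]:
                result[pe] = sorted(group["tmp"])
    return result

def sample_report():
    return infector_candidates(parse_file_list(SAMPLE_LIST))

if __name__ == "__main__":
    for pe, tmps in sorted(sample_report().items()):
        print(pe, "<-", ", ".join(tmps))
```

Feed it the complete list from a report, or a sandbox file-activity export converted to the same line shape, and the output is the set of executables to pull for the section-table check rather than the whole list. Directories with a random .tmp but no executable are deliberately dropped; on a live host that case is worth a second look too, since it can mean the host binary was already replaced.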

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
