Win32.Expiro.Gen.4_c78ba9cfd9

by malwarelabrobot on December 17th, 2016 in Malware Descriptions.

Win32.Expiro.Gen.4 (B) (Emsisoft), Win32.Expiro.Gen.4 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR, VirusExpiro.YR (Lavasoft MAS)
Behaviour: Trojan, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: c78ba9cfd91fb30a09a95d46465b8637
SHA1: 4390ba60d5de3b6f8112441ff1fb1106821f11e9
SHA256: f58c63d9dde3f13b268654c64c42493b91745fb67e1d97e3853820b2a7833632
SSDeep: 12288:2Ki/GhbphjUVvbE1Tv7D2lYZ8nPtqNr9VQnxnda/:yehbpVUVQ1HD2zlZ4a
Size: 512000 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2015-03-23 01:12:25
Analyzed on: Windows 7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WerFault.exe:2308
FlashPlayerUpdateService.exe:2576
FlashPlayerUpdateService.exe:1820
wermgr.exe:2640
FlashPlayerInstaller.exe:1700

The Trojan injects its code into the following process(es):

%original file name%.exe:1964
rpcapd.exe:760

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WerFault.exe:2308 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\WERBA6A.tmp.WERInternalMetadata.xml (53648 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer (166906 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBAB9.tmp.hdmp (167984 bytes)
C:\Windows\Temp\WER487.tmp.WERDataCollectionFailure.txt (158 bytes)
C:\Windows\Temp\WERB663.tmp.appcompat.txt (12656 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBA6A.tmp.WERInternalMetadata.xml (3 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WER487.tmp.WERDataCollectionFailure.txt (80 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERB663.tmp.appcompat.txt (31 bytes)
C:\Windows\Temp\WERBAB9.tmp.hdmp (498066 bytes)
C:\Windows\Temp\WERE0EF.tmp.mdmp (4808 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\WERBAB9.tmp (0 bytes)
C:\Windows\Temp\WERBA6A.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WERE0EF.tmp (0 bytes)
C:\Windows\Temp\WERBA6A.tmp (0 bytes)
C:\Windows\Temp\WER487.tmp (0 bytes)
C:\Windows\Temp\WER487.tmp.WERDataCollectionFailure.txt (0 bytes)
C:\Windows\Temp\WERB663.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WERB663.tmp (0 bytes)
C:\Windows\Temp\WERBAB9.tmp.hdmp (0 bytes)
C:\Windows\Temp\WERE0EF.tmp.mdmp (0 bytes)

The process FlashPlayerUpdateService.exe:2576 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\Macromed\Flash\FlashInstall.log (892 bytes)

The process FlashPlayerUpdateService.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E}\fpi.tmp (1655206 bytes)
C:\Windows\System32\FlashPlayerInstaller.exe (11464 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E}\fpi.tmp (0 bytes)
C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E} (0 bytes)

The process %original file name%.exe:1964 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\jopmedjd.tmp (320 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
C:\Windows\System32\olkelmpl.tmp (305 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\cfeecjkk.tmp (1 bytes)
C:\Windows\ehome\ehrecvr.exe (5873 bytes)
C:\Windows\ehome\qnnboobi.tmp (800 bytes)
%Program Files%\Google\Update\ghfbjkol.tmp (388 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ohefgafj.tmp (304 bytes)
C:\Windows\ehome\ehsched.exe (2105 bytes)
C:\Windows\System32\snmptrap.exe (1281 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7547 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
C:\Windows\System32\fpohabbd.tmp (257 bytes)
C:\Windows\System32\Macromed\Flash\ljlplcmi.tmp (507 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
C:\Windows\System32\hmbgnolk.tmp (766 bytes)
C:\Windows\microsoft.net\framework\v4.0.30319\ilhblimb.tmp (274 bytes)
%Program Files%\WinPcap\iigafjee.tmp (356 bytes)
C:\Windows\System32\FXSSVC.exe (5441 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
C:\Windows\System32\alg.exe (1425 bytes)
C:\Windows\System32\msiexec.exe (1425 bytes)
C:\Windows\ehome\dadlhgbe.tmp (340 bytes)

The Trojan deletes the following file(s):

C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\cfeecjkk.tmp (0 bytes)
C:\Windows\System32\jopmedjd.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\ljlplcmi.tmp (0 bytes)
%Program Files%\Google\Update\ghfbjkol.tmp (0 bytes)
C:\Windows\System32\fpohabbd.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ohefgafj.tmp (0 bytes)
C:\Windows\System32\olkelmpl.tmp (0 bytes)
C:\Windows\ehome\qnnboobi.tmp (0 bytes)
C:\Windows\System32\hmbgnolk.tmp (0 bytes)
C:\Windows\ehome\dadlhgbe.tmp (0 bytes)
C:\Windows\microsoft.net\framework\v4.0.30319\ilhblimb.tmp (0 bytes)
%Program Files%\WinPcap\iigafjee.tmp (0 bytes)

The process wermgr.exe:2640 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer.tmp (178224 bytes)

The process FlashPlayerInstaller.exe:1700 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\Macromed\Flash\FlashInstall.log (2 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (544 bytes)
C:\Windows\System32\FlashPlayerApp.exe (802 bytes)
C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126}\fpb.tmp (50 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.dll (542 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (443 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe (50 bytes)
C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_24_0_0_186.ocx (11464 bytes)
C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96}\fpb.tmp (1086 bytes)

The Trojan deletes the following file(s):

C:\Windows\System32\Macromed\Temp (0 bytes)
C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.exe (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.dll (0 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (0 bytes)
C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96} (0 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_23_0_0_185.ocx (0 bytes)
C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126} (0 bytes)

Registry activity

The process WerFault.exe:2308 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059B]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D4" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D4]
"14E" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000058E]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000598]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000595]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030FC" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030B1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F2" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DC" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D7]
"151" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030B1]
"14B" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D6" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B0E]
"154" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E3]
"159" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F3" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000596]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D6]
"150" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000598]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DC]
"153" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059D]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030FC]
"158" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059A]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"15A" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059F]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B11" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D7" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000594]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000593]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000591]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000594]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000591]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B11]
"155" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059E]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000593]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059A]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D3]
"14D" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000592]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DB" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059C]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\00000000000005A0]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000597]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\151]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059B]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000596]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059D]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000302F]
"14C" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DB]
"152" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\00000000000005A0]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F2]
"156" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14B]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D3" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000599]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "4D 4F 43 E0 01 00 00 00 00 00 00 00 6F D3 33 75"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D5]
"14F" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D5" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000305C]
"14A" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14F]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\159\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E3" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\153]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14A\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000305C" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059E]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\15A]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000599]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\156]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14D]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14C\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000302F" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\155]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F3]
"157" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059C]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\152]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000058E]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\000000000000059F]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000595]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B0E" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\LruList\0000000000000592]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\14E]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\157]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\150]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\154]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{06F15909-953B-11E6-8F98-00505633B551}\DefaultObjectStore\ObjectTable\158]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

The process FlashPlayerUpdateService.exe:2576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"

The process FlashPlayerUpdateService.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"UpdateAttempts" = "1"

[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F\52C64B7E]
"LanguageList" = "en-US, en"

The process wermgr.exe:2640 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483"

The process FlashPlayerInstaller.exe:1700 makes changes in the system registry.
The Trojan creates and/or sets the following values in the system registry:

[HKCR\ShockwaveFlash.ShockwaveFlash.22]
"(Default)" = "Shockwave Flash Object"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
"(Default)" = "FlashBroker"

[HKCR\ShockwaveFlash.ShockwaveFlash.24]
"(Default)" = "Shockwave Flash Object"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe,-17"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"Extension" = ".spl"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayName" = "Adobe Flash Player 24 ActiveX"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe]
"DisableExceptionChainValidation" = "0"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
"(Default)" = "Macromedia Flash Paper"

[HKCR\ShockwaveFlash.ShockwaveFlash]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"LocalizedString" = "@C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe,-101"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"18.0" = "4294967295"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.24"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"16.0" = "4294967295"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.24"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"

[HKCR\ShockwaveFlash.ShockwaveFlash.19]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.1]
"(Default)" = "Shockwave Flash Object"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isScriptDebugger" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"Publisher" = "Adobe Systems Incorporated"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"6.0" = "4294967295"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
"(Default)" = "0"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "FlashFactory.FlashFactory"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoRepair" = "1"
"NoModify" = "1"
"EstimatedSize" = "19364"

[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
"(Default)" = "131473"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
"(Default)" = "IFlashBroker6"

[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\System.ControlPanel.Category\C:\Windows\system32]
"FlashPlayerCPLApp.cpl" = "10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMajor" = "24"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe]
"DisableExceptionChainValidation" = "0"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"PlayerPath" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"7.0" = "4294967295"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"

[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
"(Default)" = ""

[HKCR\FlashFactory.FlashFactory.1]
"(Default)" = "Macromedia Flash Factory Object"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"15.0" = "4294967295"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKCR\ShockwaveFlash.ShockwaveFlash.8]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"22.0" = "4294967295"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\FlashFactory.FlashFactory\CurVer]
"(Default)" = "FlashFactory.FlashFactory.1"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"8.0" = "4294967295"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType]
"Release" = "1"

[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"currentVersion" = "24,0,0,186"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"20.0" = "4294967295"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"13.0" = "4294967295"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
"(Default)" = "0"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"11.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.6]
"(Default)" = "Shockwave Flash Object"

[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"

[HKCR\.mfp]
"(Default)" = "MacromediaFlashPaper.MacromediaFlashPaper"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"Version" = "24.0.0.186"

[HKCR\ShockwaveFlash.ShockwaveFlash.21]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\ShockwaveFlash.ShockwaveFlash.14]
"(Default)" = "Shockwave Flash Object"

[HKCR\.swf]
"Content Type" = "application/x-shockwave-flash"

[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.18]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.15]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"

[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe -nohome %1"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"(Default)" = "Shockwave Flash"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Shockwave Flash Object"

[HKCR\.spl]
"Content Type" = "application/futuresplash"

[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags" = "65536"

[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"

[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"Policy" = "3"

[HKCR\FlashFactory.FlashFactory.1\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"9.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLInfoAbout" = "http://www.adobe.com"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"14.0" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppPath" = "C:\Windows\system32\Macromed\Flash"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"21.0" = "4294967295"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMinor" = "0"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash" = ""

[HKCR\ShockwaveFlash.ShockwaveFlash.3]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags" = "0"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"

[HKCR\ShockwaveFlash.ShockwaveFlash.7]
"(Default)" = "Shockwave Flash Object"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"10.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.11]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.23]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled" = "1"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"

[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"UninstallString" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe -maintain activex"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"

[HKCR\FlashFactory.FlashFactory]
"(Default)" = "Macromedia Flash Factory Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash.5]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.20]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx, 1"

[HKCR\ShockwaveFlash.ShockwaveFlash.9]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"Version" = "1.0"

[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"12.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\.sol]
"Content Type" = "text/plain"

[HKCR\ShockwaveFlash.ShockwaveFlash.16]
"(Default)" = "Shockwave Flash Object"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"Extension" = ".swf"

[HKCR\ShockwaveFlash.ShockwaveFlash.13]
"(Default)" = "Shockwave Flash Object"

[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayVersion" = "24.0.0.186"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppName" = "FlashUtil32_24_0_0_186_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx, 1"

[HKCR\.sor]
"Content Type" = "text/plain"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash" = ""

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"19.0" = "4294967295"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"UninstallerPath" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"24.0" = "186"

[HKCR\.swf]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\.spl]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"17.0" = "4294967295"
"23.0" = "4294967295"

[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.4]
"(Default)" = "Shockwave Flash Object"

[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_24_0_0_186_ActiveX.exe]
"DisableExceptionChainValidation" = "0"

[HKCR\.mfp]
"Content Type" = "application/x-shockwave-flash"

[HKCR\ShockwaveFlash.ShockwaveFlash.24\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayIcon" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe"

[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"RequiresIESysFile" = "4.70.0.1155"

[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"

[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isESR" = "0"

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.10]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"(Default)" = "FlashBroker"

[HKCR\ShockwaveFlash.ShockwaveFlash.17]
"(Default)" = "Shockwave Flash Object"

[HKCR\FlashFactory.FlashFactory\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.12]
"(Default)" = "Shockwave Flash Object"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"

[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_24_0_0_186.ocx"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_23_0_0_185_ActiveX.exe]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.4]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
[HKCR\FlashFactory.FlashFactory.1]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF}]
[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\ShockwaveFlash.ShockwaveFlash.21]
[HKCR\ShockwaveFlash.ShockwaveFlash.20]
[HKCR\ShockwaveFlash.ShockwaveFlash.23]
[HKCR\ShockwaveFlash.ShockwaveFlash.22]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\FlashFactory.FlashFactory\CurVer]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\.mfp]
[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl]
[HKCR\FlashFactory.FlashFactory]
[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open]
[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.3]
[HKCR\ShockwaveFlash.ShockwaveFlash.1]
[HKCR\ShockwaveFlash.ShockwaveFlash.6]
[HKCR\ShockwaveFlash.ShockwaveFlash.7]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
[HKCR\ShockwaveFlash.ShockwaveFlash.5]
[HKCR\ShockwaveFlash.ShockwaveFlash.8]
[HKCR\ShockwaveFlash.ShockwaveFlash.9]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
[HKCR\ShockwaveFlash.ShockwaveFlash.10]
[HKCR\ShockwaveFlash.ShockwaveFlash.11]
[HKCR\ShockwaveFlash.ShockwaveFlash.12]
[HKCR\ShockwaveFlash.ShockwaveFlash.13]
[HKCR\ShockwaveFlash.ShockwaveFlash.14]
[HKCR\ShockwaveFlash.ShockwaveFlash.15]
[HKCR\ShockwaveFlash.ShockwaveFlash.16]
[HKCR\ShockwaveFlash.ShockwaveFlash.17]
[HKCR\ShockwaveFlash.ShockwaveFlash.18]
[HKCR\ShockwaveFlash.ShockwaveFlash.19]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\.spl]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
[HKCR\FlashFactory.FlashFactory\CLSID]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\FlashFactory.FlashFactory.1\CLSID]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash]

The Trojan deletes the following value(s) in the system registry:

[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"CurrentVersion"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"

[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"

[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash"

[HKCR\.sol]
"Content Type"

[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCR\.sor]
"Content Type"

Dropped PE files

MD5 File path
800f88b199abbcafb7051124dff1cefd c:\Windows\System32\Macromed\Flash\Flash32_24_0_0_186.ocx
22407f4f761e98bc6ad4ffa85754e789 c:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.dll
afcdf06dbdacb2c58045cac3a924e46b c:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Oracle Corporation
Product Name: Java(TM) Platform SE 8 U45
Product Version: 8.0.450.15
Legal Copyright: Copyright (c) 2015
Legal Trademarks:
Original Filename: javaws.exe
Internal Name: Java(TM) Web Start Launcher
File Version: 11.45.2.15
File Description: Java(TM) Web Start Launcher
Comments:
Language: Japanese (Japan)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 161516 161792 4.5952 f2c4ce65eec17c03b7c200bfbff8ad4e
.rdata 167936 24540 24576 3.30206 4755585d4da43d579320150225175fd5
.data 192512 126872 33280 2.62812 54c45ec744e1b2bdf667fa3dc63b440b
.rsrc 319488 32896 33280 4.10399 f1b687dd25bd88ddf34a7ea2e09c3949
.reloc 356352 421888 258048 5.44606 b7106950a556979601167fa8f084d6f0

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://a1293.d.akamai.net/pub/flashplayer/update/current/sau/23/install/install_all_win_ax_sgn.z
hxxp://a1293.d.akamai.net/get/flashplayer/update/current/install/version.xml24.0.0.186~installVector=9&previousVersion=23.0.0.185&lang=en&cpuWordLength=32&playerType=ax&os=win&osVer=13
hxxp://fpdownload2.macromedia.com/get/flashplayer/update/current/install/version.xml24.0.0.186~installVector=9&previousVersion=23.0.0.185&lang=en&cpuWordLength=32&playerType=ax&os=win&osVer=13 212.30.134.174
hxxp://fpdownload2.macromedia.com/pub/flashplayer/update/current/sau/23/install/install_all_win_ax_sgn.z 212.30.134.174
fpdownload.macromedia.com 2.16.66.8


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /get/flashplayer/update/current/install/version.xml24.0.0.186~installVector=9&previousVersion=23.0.0.185&lang=en&cpuWordLength=32&playerType=ax&os=win&osVer=13 HTTP/1.1
User-Agent: Adobe Flash Player
Host: fpdownload2.macromedia.com
Cache-Control: no-cache


HTTP/1.1 404 Not Found
Server: Apache
Content-Length: 380
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 15 Dec 2016 22:15:05 GMT
Connection: keep-alive
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>404 Not Found</title>.</head><body>.<h1>Not Found</h1>.<p>The requested URL /get/flashplayer/update/current/install/version.xml24.0.0.186~installV..


GET /pub/flashplayer/update/current/sau/23/install/install_all_win_ax_sgn.z HTTP/1.1
Connection: Keep-Alive
User-Agent: Download Flash Player Installer/1.0
Host: fpdownload2.macromedia.com


HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 13 Dec 2016 09:36:52 GMT
ETag: "12e9b1c-54386f5d34ce6"
Accept-Ranges: bytes
Content-Length: 19831580
Content-Encoding: x-compress
Date: Thu, 15 Dec 2016 22:14:15 GMT
Connection: keep-alive

<<< skipped >>>

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1964:

.text
`.rdata
@.data
.rsrc
@.reloc
RegOpenKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
ADVAPI32.dll
SHELL32.dll
deploy.dll
Broken pipe
Inappropriate I/O control operation
Operation not permitted
GetProcessWindowStation
operator
SHLWAPI.dll
c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u45\3627\build\windows-i586\deploy\jre-image\bin\javaws.pdb
RegCloseKey
RegOpenKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegEnumKeyW
RegCreateKeyExW
ShellExecuteW
CreatePipe
GetSystemWindowsDirectoryW
GetWindowsDirectoryW
KERNEL32.dll
USER32.dll
ole32.dll
OLEAUT32.dll
WSOCK32.dll
PeekNamedPipe
GetCPInfo
GetProcessHeap
total cmdline length: %d
total arguments: : %d
PROP (%s, %s)
127.0.0.1
osName: <%s>, osArch<%s>, quoteWholeProperty: %d
zcÁ
<assemblyIdentity version="11.45.2.15"
name="javaws.exe"
<description>Java Web Start Launcher</description>
<requestedExecutionLevel
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<!-- Indicate this JDK version is Windows 7 compatible -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
3333333333330
333333333307
PP%d(jjjjj
< <3<:<|<
0)000;0`0
2%3-343>3
8*9094989<9
.data
.idata
.reloc
.edata
Q\,.sg
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux<i_[O[a:.DSiRn%It
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
CRTDLL.DLL
3$33393@3
;"; ;5;;;
4$4-4;4`4
4H4d4m4v4
kkqvx_.dll
.rdata
.pdata
@.idata
oovBlK7%2XJi
kkqvx_64.dll
22EnumDesktopWindows
user32.dll
%s_mtx%u
48CreatePipe
47PeekNamedPipe
09WinExec
d.tmp
zrundll32.exe
)rsvp.exe
dchrome.exe
consent.exe
sfc_os.dll
|sfc_os.dll
.SysFreeString
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
%s_mtx1
$.exe
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll
Load failed in %s at function %s
11.45.2
Load failed in %s at function order:%d
11.0.0
\system32\javaws.exe
\sysWow64\javaws.exe
Error:x in SHGetFolderPathEx(FOLDERID_LocalAppDataLow, 0, NULL, pPath, MAX_PATH)
COM Error:x %s
Error:x in SHGetFolderPathW(NULL, CSIDL_APPDATA, NULL, 0, pPath)
Error:x in SHGetSpecialFolderPathW(NULL, pPath, CSIDL_APPDATA, TRUE)
Error:x in GetUserPathW(szPath)
Error:x in SHGetFolderPathEx(FOLDERID_LocalAppDataLow, 0, NULL, szPath, MAX_PATH)
Error:x in ::SHGetFolderPathW(0, CSIDL_COMMON_APPDATA, NULL, SHGFP_TYPE_CURRENT, szPath)
%s\Oracle\Java\java.settings.cfg
%s\%s
bin\java.exe
bin\client\jvm.dll
bin\server\jvm.dll
-ABCDEFFEDCBA}
%sd-d-d%s
-ABCDEFFEDCBB}
-ABCDEFFEDCBC}
{E19F9331-3110-11D4-991C-005004D3B3DB}
SOFTWARE\Classes\CLSID\%s\InprocServer32
Mozilla
Mozilla Firefox
mozilla.org
Advapi32.dll
IDispatch error #%d
%b %d %H:%M:%S
.d
[x]
P:d T:d %s%s
deployment.expiration.check.enabled
\bin\msvcr100.dll
\bin\deploy.dll
hXXp://java.com/inst-dl-redirect
\bin\javaw.exe
\lib\deploy.jar"
com.sun.deploy.panel.ControlPanel -userConfig "
deployment.modified.timestamp
deployment.expiration.decision
deployment.expiration.decision.timestamp
deployment.expiration.decision.suppression
deployment.expiration.decision.ttl
DeploymentRuleSet.jar
%s\Sun\Java\Deployment\%s
mscoree.dll
nKERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%s%c%s
com.sun.javaws.Main
-Djnlpx.vmargs=%s
-Djavaplugin.user.profile=%s
-Djnlp.start.time=%lld
-Dsun.perflog%s
-Djnlp.launchTime%s
plugin.jar
deploy.jar
javaws.jar
%s%c%s%c%s%c%s%c%s%c%s
-Xbootclasspath/a:%s
-Xbootclasspath/p:%s
-Djava.ext.dirs=%s%c%s%c%s%c%s
-Djnlpx.home=%s
-Djnlpx.home=%s%c%s
-Djnlpx.splashport=%d
-splash:%s
-Djnlpx.jvm=%s
-Djnlpx.remove=%s
-Djava.security.policy=file:%s%cjavaws.policy
-Djava.awt.headless=true
MOZILLA_HOME
-Djava.security.manager
-Xms%s
-Xmx%s
-Djnlpx.heapsize=%s,%s
javaws.singleinstance.init
javaws.singleinstance.ack
javaws.singleinstance.init.openprint
deployment.webjava.enabled
deployment.expired.version
%d/%d/%d
08/14/2015
-import
-Djnlpx.origFilenameArg=
-Djnlp.fx=
-Djnlp.fx=%s
-Djnlp.tk=jfx
-Dsun.awt.warmup=true
%s%c%s%c%s
-notWebJava
msvcr100.dll
PATH=%s;"%s"
PATH="%s"
1.8.0_45
eula.dll
deployment.properties
LoadCfgFile: %s
com.sun.deploy.panel.JreLocator
hXXp://java.sun.com/products/autodl/j2se
Windows
test %d: path:<%s> regPath<%s> match
test %d: osname:<%s> regOsname<%s> match
test %d: osarch:<%s> regOsarch<%s> match
test %d: productV:<%s> regProductV<%s> match
test %d: productV:<%s> regProductV<%s> doesn't match
test %d: osarch:<%s> regOsarch<%s> doesn't match
test %d: osname:<%s> regOsname<%s> doesn't match
test %d: path:<%s> regPath<%s> doesn't match
test add new %d: regPath<%s>, registered: %d
deployment.javaws.jre.
%s%d%s
.platform
.product
.location
.path
.osname
.osarch
.enabled
.registered
DetermineVersion best match: %d: %s
laterVersion platver nil>%s(*) - %s
laterVersion platver %s(*)>%s - %s
laterVersion platver %s<%s(*) - %s
laterVersion prodver %s(*)>%s - %s
laterVersion prodver %s==%s(*) - %s (nonRegisteredSystemJRE)
laterVersion prodver %s(*)==%s - %s
laterVersion prodver %s<%s(*) - %s)
isCurrentVersion: %s - %s
deployment.javaws.showSplashScreen
deployment.javaws.splash.index
deployment.javaws.appicon.index
deployment.javaws.secure.properties
deployment.security.use.insecure.launcher
adding secure arg: <%s>
http:
-D%s=%s
add secure props: <%s>
</%s>
%s="%s"
%s%c%s%c%s%c%s
.native
JavaWebStart native start: %d
JavaWebStart native end: %d
Startup time - Native Code (ms): = %d
Java(TM) Web Start 11.45.2.15-fcs
%s %d
ws2_32.dll
wsock32.dll
JP2LReadyEvent_%d
%s%c%s.dll
Software\JavaSoft\Java Web Start\
javaw.exe
%s\bin
bin\javaws.exe
%s\bin\javaw.exe
jp2launcher.exe
%s\bin\jp2launcher.exe
javaws.exe
deployment.browser.vm.iexplorer
deployment.browser.vm.mozilla
java.quick.starter
deployment.jpi.mode.new
deployment.javafx.mode.enabled
%s\Sun\Java\Deployment
%s%c%s%c%s%c%s%c
%sËin%csplashscreen.dll
%sËin%cmsvcr*
%sËin%c%s
error.internal.badmsg
error.launch.sysexec
error.badinst.nocfg
Bad installation. Could not located javaws.cfg file
error.badinst.nojre
error.launch.execv
Error encountered while invoking Java Web Start (execv)
Error encountered while invoking Java Web Start (SysExec)
error.listener.failed
error.accept.failed
error.recv.failed
error.invalid.port
Splash: didn't revive a valid port
error.read
error.xmlparsing
error.splash.exit
Java Web Start splash screen process exiting ...
error.winsock
error.winsock.load
Couldn't load winsock.dll
error.winsock.star
error.badinst.nohome
error.splash.noimage
error.splash.socket
error.splash.cmnd
error.splash.port
Splash: port not specified
error.splash.send
error.splash.timer
error.splash.x11.open
error.splash.x11.connect
message.javaws.usage
-import [import-options] <jnlp-file>
import the application to the cache
import-options include:
import silently (with no user interface)
import application into the system cache
-codebase <url>
.properties
%s%c%s%s%s
messages.properties
%s%c%s%s
%s%cwebStartAppIcon.icns
sun.java2d.noddraw
javaws.cfg.jauthenticator
swing.useSystemFontSettings
swing.metalTheme
http.agent
http.keepAlive
sun.awt.noerasebackground
sun.java2d.opengl
sun.java2d.d3d
java.awt.syncLWRequests
java.awt.Window.locationByPlatform
sun.awt.erasebackgroundonresize
sun.awt.keepWorkingSetOnMinimize
swing.noxp
swing.boldMetal
awt.useSystemAAFontSettings
sun.java2d.dpiaware
sun.awt.disableMixing
sun.lang.ClassLoader.allowArraySyntax
java.awt.smartInvalidate
apple.laf.useScreenMenuBar
java.net.preferIPv4Stack
java.util.Arrays.useLegacyMergeSort
sun.locale.formatasdefault
sun.awt.enableExtraMouseButtons
com.sun.management.jmxremote.local.only
sun.nio.ch.bugLevel
sun.nio.ch.disableSystemWideOverlappingFileLockCheck
jdk.map.althashing.threshold
%Program Files%\Java\jre6\lib\deploy
%Program Files%\Java\jre6\lib
%Program Files%\Java\jre6\bin
8637.exe
%original file name%.exe
Software\JavaSoft\Java Web Start\11.45.2
c:\%original file name%.exe
Java(TM) Web Start Launcher
11.45.2.15
8.0.450.15

%original file name%.exe_1964_rwx_0109A000_00064000:

.text
.data
.idata
.reloc
.edata
Q\,.sg
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux<i_[O[a:.DSiRn%It
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
KERNEL32.dll
CRTDLL.DLL
3$33393@3
;"; ;5;;;
4$4-4;4`4
4H4d4m4v4
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
oovBlK7%2XJi
kkqvx_64.dll
22EnumDesktopWindows
user32.dll
%s_mtx%u
48CreatePipe
47PeekNamedPipe
09WinExec
d.tmp
zrundll32.exe
)rsvp.exe
dchrome.exe
consent.exe
sfc_os.dll
|sfc_os.dll
.SysFreeString
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
%s_mtx1
ole32.dll
$.exe
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll

svchost.exe_2280:

.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385

rpcapd.exe_760:

.text
`.rdata
@.data
.rsrc
tGHt.Ht&
mscoree.dll
.mixcrt
KERNEL32.DLL
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
kernel32.dll
GetProcessWindowStation
USER32.DLL
malloc() failed: %s
Only BPF/NPF filters are currently supported
RPCAP error: %s
Error reading the packets: %s
PassiveClient
New passive host list: %s
# Hosts which are allowed to connect to this server (passive mode)
# Format: PassiveClient = <name or address>
PassiveClient = %s
# Format: ActiveClient = <name or address>, <port | DEFAULT>
ActiveClient = %s, %s
[%[1234567890:.]]:%[^/]/%s
[%[1234567890:.]]/%s
%[^/:]:%[^/]/%s
%[^/]/%s
Source type not supported
getaddrinfo() %s
rpcapd [-b <address>] [-p <port>] [-6] [-l <host_list>] [-a <host,port>]
-p <port>: the port to bind to. Default: it binds to port 2002
-a <host,port>: run in active mode when connecting to 'host' on port 'port'
In case 'port' is omitted, the default port (2003) is used
passive connections as well
Connecting to host %s, port %s, using protocol %s
Error connecting to host %s, port %s, using protocol %s
%sUnable to get the exact error message
%s%s (code %d)
%s (code %d)
Is the server properly installed on %s? connect() failed: %s
getaddrinfo(): socket type not supported
getaddrinfo(): multicast addresses are not valid when using TCP streams
%s: illegal option -- %c
%s: option requires an argument -- %c
%s failed with error %d: %s
c:\releases\winpcap_4_1_3\winpcap\wpcap\libpcap\rpcapd\Release\x86\rpcapd.pdb
wpcap.dll
WS2_32.dll
pthreadVC.dll
packet.dll
KERNEL32.dll
USER32.dll
ADVAPI32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
%Program Files%\WinPcap\rpcapd.exe
%Program Files%\WinPcap\rpcapd.ini
-vWc}
.CWcu
.Vs}z
.Vs~{U
vGlt.Vc
.VsNcVc
v.NVs
v.NVsNlWc
v.NVsWG
v.NVsW
BVs.NVsF<Vs
A%U|A
H:\|H
Wc.wWc
C<W%C
2.hv{
aw.mS
J.Mwf&O=0
>c%Sv3:V
%B-m}
S41q.AM
iFd%u
2.NU^i
~U.AO
7*.gm|G
IC%X_
Œ~5'
%%XNl'
N@;.vx
bOh\N.mi_
kW.fZ
u4-3}|
>%UII`e
I*8.vy
xý`
%s_37
Q\,.sg
22EnumDesktopWindows
user32.dll
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux<i_[O[a:.DSiRn%It
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
48CreatePipe
47PeekNamedPipe
09WinExec
sfc_os.dll
|sfc_os.dll
.SysFreeString
7oleaut32.dll
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
Dole32.dll
ole32.dll
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll
4.1.0.2980
rpcapd.exe

rpcapd.exe_760_rwx_00475000_00027000:

%s_37
Q\,.sg
22EnumDesktopWindows
user32.dll
\@V}77F[p[miGmG5)'%XOSMx/=
zGu~L)Wux<i_[O[a:.DSiRn%It
x4?%CHZC~,-OGxKgbZ)Ihx4o[T^@x36YF{Xv%QuY8/=v@SCDr4=OG,Wa(XrNn=1
IT459DKhTz|WuPtu%u
IT41=N@cMdj
48CreatePipe
47PeekNamedPipe
09WinExec
sfc_os.dll
|sfc_os.dll
.SysFreeString
7oleaut32.dll
oleaut32.dll
crtdll.dll
Qsfc.dll
sfc.dll
shell32.dll
{shell32.dll
Dole32.dll
ole32.dll
25RegEnumKeyExA
04RegCloseKey
00RegOpenKeyExA
02RegCreateKeyExA
26RegSetKeySecurity
3advapi32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WerFault.exe:2308
    FlashPlayerUpdateService.exe:2576
    FlashPlayerUpdateService.exe:1820
    wermgr.exe:2640
    FlashPlayerInstaller.exe:1700

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Windows\Temp\WERBA6A.tmp.WERInternalMetadata.xml (53648 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer (166906 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBAB9.tmp.hdmp (167984 bytes)
    C:\Windows\Temp\WER487.tmp.WERDataCollectionFailure.txt (158 bytes)
    C:\Windows\Temp\WERB663.tmp.appcompat.txt (12656 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERBA6A.tmp.WERInternalMetadata.xml (3 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WER487.tmp.WERDataCollectionFailure.txt (80 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\WERB663.tmp.appcompat.txt (31 bytes)
    C:\Windows\Temp\WERBAB9.tmp.hdmp (498066 bytes)
    C:\Windows\Temp\WERE0EF.tmp.mdmp (4808 bytes)
    C:\Windows\System32\Macromed\Flash\FlashInstall.log (892 bytes)
    C:\Windows\Temp\{AE3A0E63-5AC1-4728-9B8A-FC6C20B6508E}\fpi.tmp (1655206 bytes)
    C:\Windows\System32\FlashPlayerInstaller.exe (11464 bytes)
    C:\Windows\System32\jopmedjd.tmp (320 bytes)
    %Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
    C:\Windows\System32\olkelmpl.tmp (305 bytes)
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\cfeecjkk.tmp (1 bytes)
    C:\Windows\ehome\ehrecvr.exe (5873 bytes)
    C:\Windows\ehome\qnnboobi.tmp (800 bytes)
    %Program Files%\Google\Update\ghfbjkol.tmp (388 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\ohefgafj.tmp (304 bytes)
    C:\Windows\ehome\ehsched.exe (2105 bytes)
    C:\Windows\System32\snmptrap.exe (1281 bytes)
    C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7547 bytes)
    %Program Files%\WinPcap\rpcapd.exe (2105 bytes)
    C:\Windows\System32\fpohabbd.tmp (257 bytes)
    C:\Windows\System32\Macromed\Flash\ljlplcmi.tmp (507 bytes)
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
    C:\Windows\System32\hmbgnolk.tmp (766 bytes)
    C:\Windows\microsoft.net\framework\v4.0.30319\ilhblimb.tmp (274 bytes)
    %Program Files%\WinPcap\iigafjee.tmp (356 bytes)
    C:\Windows\System32\FXSSVC.exe (5441 bytes)
    C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
    C:\Windows\System32\alg.exe (1425 bytes)
    C:\Windows\System32\msiexec.exe (1425 bytes)
    C:\Windows\ehome\dadlhgbe.tmp (340 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_a1fd4532ad65724a6a251e5132762371f33a3e1_cab_09260483\Report.wer.tmp (178224 bytes)
    C:\Windows\System32\FlashPlayerApp.exe (802 bytes)
    C:\Windows\System32\Macromed\Temp\{D6496B98-2B43-4042-9C3F-33A31FD70126}\fpb.tmp (50 bytes)
    C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.dll (542 bytes)
    C:\Windows\System32\Macromed\Flash\activex.vch (443 bytes)
    C:\Windows\System32\Macromed\Flash\FlashUtil32_24_0_0_186_ActiveX.exe (50 bytes)
    C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)
    C:\Windows\System32\Macromed\Flash\Flash32_24_0_0_186.ocx (11464 bytes)
    C:\Windows\System32\Macromed\Temp\{9C8BE4C1-6329-47F7-8C75-97BE05AABA96}\fpb.tmp (1086 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
