Win32.Ramnit_d949444465

by malwarelabrobot on June 3rd, 2017 in Malware Descriptions.

Win32.Ramnit (BitDefender), Virus:Win32/Parite.C (Microsoft), Virus.Win32.Parite.c (Kaspersky), Virus.Win32.Ramnit.a (v) (VIPRE), Trojan.DownLoader24.50970 (DrWeb), Win32.Ramnit (B) (Emsisoft), W32/Pate.c (McAfee), W32.Pinfi.B (Symantec), Backdoor.Farfli (Ikarus), Win32.Ramnit (FSecure), Win32/Parite (AVG), Win32:Parite (Avast), PE_PARITE.A (TrendMicro), Win32.Ramnit (AdAware), Trojan.Win32.Bumat.FD, Virus.Win32.Parite.B.FD, VirusParite.YR, GenericInjector.YR, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan, Backdoor, Virus


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: d9494444655a8490e2ab03e6485c37ee
SHA1: 9449662c974c86cbcf1edd3ff7b505ed18f0b97b
SHA256: a61cc358f7e9fd953dc025b17d5c1bfdd126dc092533abb96e0642c551065deb
SSDeep: 12288:R1b84GXMMHxGMjD4O4H9kRqb8JrZGy8A3/BKe:78WMH4MjD4bH9wi8JkSZ3
Size: 587742 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-04 15:35:59
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

WerFault.exe:4056
wermgr.exe:2528
chrome.exe:3656
osmism.exe:3172
osmism.exe:3032
d9494444655a8490e2ab03e6485c37eeSrv.exe:3400
osmismSrv.exe:1652

The Trojan injects its code into the following process(es):

%original file name%.exe:452
chrome.exe:3144
iexplore.exe:3720
Explorer.EXE:284
conhost.exe:1068

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process WerFault.exe:4056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFDFD.tmp.appcompat.txt (3 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFE2E.tmp.hdmp (9605 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFE1D.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WERFE2E.tmp.hdmp (463377 bytes)
C:\Windows\Temp\WERFDFD.tmp.appcompat.txt (2056 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFEFA.tmp.mdmp (7433 bytes)
C:\Windows\Temp\WERFE1D.tmp.WERInternalMetadata.xml (51370 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\Report.wer (183602 bytes)
C:\Windows\Temp\WERFEFA.tmp.mdmp (145765 bytes)

The Trojan deletes the following file(s):

C:\Windows\Temp\WERFDFD.tmp (0 bytes)
C:\Windows\Temp\WERFEFA.tmp (0 bytes)
C:\Windows\Temp\WERFDFD.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WERFE2E.tmp.hdmp (0 bytes)
C:\Windows\Temp\WERFE2E.tmp (0 bytes)
C:\Windows\Temp\WERFE1D.tmp.WERInternalMetadata.xml (0 bytes)
C:\Windows\Temp\WERFE1D.tmp (0 bytes)
C:\Windows\Temp\WERFEFA.tmp.mdmp (0 bytes)

The process wermgr.exe:2528 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\Report.wer.tmp (185640 bytes)

The process %original file name%.exe:452 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\d9494444655a8490e2ab03e6485c37eeSrv.exe (120 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\lybF575.tmp (11190 bytes)
C:\Windows\System32\osmism.exe (3361 bytes)

The process chrome.exe:3144 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (80 bytes)

The process osmism.exe:3172 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\osmismSrv.exe (120 bytes)
C:\Windows\Temp\sybF6BD.tmp (11190 bytes)

The process osmism.exe:3032 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\dybF823.tmp (11190 bytes)

The process d9494444655a8490e2ab03e6485c37eeSrv.exe:3400 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Microsoft\DesktopLayer.exe (120 bytes)

The Trojan deletes the following file(s):

%Program Files%\Microsoft\pxF611.tmp (0 bytes)

The process osmismSrv.exe:1652 makes changes in the file system.
The Trojan deletes the following file(s):

%Program Files%\Microsoft\pxF72A.tmp (0 bytes)

Registry activity

The process WerFault.exe:4056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057A]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057B]
"ObjectLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057A]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_FileId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"148" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000005823" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_Usn_" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057B]
"ObjectId" = "Type: REG_QWORD, Length: 8"

[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000005823]
"149" = "Type: REG_QWORD, Length: 8"

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 00 00 00 00"

The process wermgr.exe:2528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2"

[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2"

The process %original file name%.exe:452 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\Pqrstu Wxyabcde Ghi]
"Description" = "Pqrstuvw Yabcdefgh Jklmnop Rstuvwxy Bcd"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"kukuqi" = "c:\%original file name%.exe"

The process chrome.exe:3144 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"
"failed_count" = "0"

The Trojan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "c:\windows\system32\userinit.exe,,c:\windows\system32\osmismsrv.exe,c:\program files\microsoft\desktoplayer.exe"

Dropped PE files

MD5 File path
fe763c2d71419352141c77c310e600d2 c:\Users\"%CurrentUserName%"\AppData\Local\Temp\lybF575.tmp
fe763c2d71419352141c77c310e600d2 c:\Windows\Temp\dybF823.tmp
fe763c2d71419352141c77c310e600d2 c:\Windows\Temp\sybF6BD.tmp
7e3bf4fb1f5ebf62e2e6c1fdcea35d94 c:\d9494444655a8490e2ab03e6485c37eeSrv.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hooks in ntdll.dll:

NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
ZwCreateUserProcess
ZwCreateProcessEx
NtCreateProcess
ZwCreateFile

Propagation

VersionInfo

Company Name:
Product Name: BaiduYunGuanjia Application
Product Version: 5.4.3
Legal Copyright: Baidu. All rights reserved.
Legal Trademarks:
Original Filename: BaiduYunGuanjia.exe
Internal Name: BaiduYunGuanjia
File Version: 5.4.3
File Description: BaiduYunGuanjia
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Name     Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text    4096             217088        217088    4.46475  3a73850b1ff7cdfce3cb43363cbd885b
.rdata   221184           32466         32768     3.4965   f6a46f5ac6c5f17480c31cd2d7c2da6e
.data    253952           61981         32768     2.25449  6d2e69634a0275ad19d497ac36fe34f8
.rsrc    319488           61440         61440     5.02329  5619bb31540fd60e9f1b4a278470e5a6
lqsxufp  380928           4096          0         0        d41d8cd98f00b204e9800998ecf8427e
.rmnet   385024           61440         61440     5.48049  600cb0a3ee5fcffaf8bbef46f9aaa4d0
.heb     446464           4096          4096      4.82679  b824e5e0a852e89909e2863d23b3b0bd

URLs

URL IP
ilo.brenz.pl 148.81.111.121
google.com 216.58.209.174
ant.trenz.pl 148.81.111.121
fget-career.com 89.185.44.100
dns.msftncsi.com
oyebhx.com


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32/Ramnit Checkin
ET TROJAN Known Hostile Domain ilo.brenz.pl Lookup

Traffic

:irc 001 pyfqgxte :Hi virtu.:irc 376 pyfqgxte :End of /MOTD command.:i
rc 001 pyfqgxte :Hi virtu.:irc 376 pyfqgxte :End of /MOTD command...


The Trojan connects to the servers at the following location(s):

%original file name%.exe_452:


%original file name%.exe_452_rwx_003E0000_00008000:


%original file name%.exe_452_rwx_00456000_00007000:


%original file name%.exe_452_rwx_0045E000_00010000:


chrome.exe_3144:


%original file name%.exe_452_rwx_00581000_00071000:


chrome.exe_3144_rwx_00060000_00001000:

WYw%Program Files%\Microsoft\DesktopLayer.exe

chrome.exe_3144_rwx_20010000_00009000:

.text
.rdata
@.data
.reloc
Srv.exe
kernel32.dll

iexplore.exe_3720:


chrome.exe_3656:


iexplore.exe_3720_rwx_00060000_00001000:

WYwC:\Windows\system32\osmismSrv.exe

iexplore.exe_3720_rwx_20010000_00009000:

.text
.rdata
@.data
.reloc
Srv.exe
kernel32.dll

svchost.exe_3588:


Explorer.EXE_284_rwx_048A1000_00071000:


conhost.exe_1068_rwx_005C1000_00071000:



Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    WerFault.exe:4056
    wermgr.exe:2528
    chrome.exe:3656
    osmism.exe:3172
    osmism.exe:3032
    d9494444655a8490e2ab03e6485c37eeSrv.exe:3400
    osmismSrv.exe:1652

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFDFD.tmp.appcompat.txt (3 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFE2E.tmp.hdmp (9605 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFE1D.tmp.WERInternalMetadata.xml (3 bytes)
    C:\Windows\Temp\WERFE2E.tmp.hdmp (463377 bytes)
    C:\Windows\Temp\WERFDFD.tmp.appcompat.txt (2056 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\WERFEFA.tmp.mdmp (7433 bytes)
    C:\Windows\Temp\WERFE1D.tmp.WERInternalMetadata.xml (51370 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\Report.wer (183602 bytes)
    C:\Windows\Temp\WERFEFA.tmp.mdmp (145765 bytes)
    C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_osmism.exe_58afd61ad333734326ea2f1ca7af941adb5f5398_cab_0fcbffa2\Report.wer.tmp (185640 bytes)
    C:\d9494444655a8490e2ab03e6485c37eeSrv.exe (120 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\lybF575.tmp (11190 bytes)
    C:\Windows\System32\osmism.exe (3361 bytes)
    %Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (80 bytes)
    C:\Windows\System32\osmismSrv.exe (120 bytes)
    C:\Windows\Temp\sybF6BD.tmp (11190 bytes)
    C:\Windows\Temp\dybF823.tmp (11190 bytes)
    %Program Files%\Microsoft\DesktopLayer.exe (120 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "kukuqi" = "c:\%original file name%.exe"

  6. Remove the references to the Trojan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "c:\windows\system32\userinit.exe,,c:\windows\system32\osmismsrv.exe,c:\program files\microsoft\desktoplayer.exe"

  7. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  8. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
