Win32.Expiro.Gen.4_2828f32fc2
Trojan.Win32.Vilsel.cysh (Kaspersky), Win32.Expiro.Gen.4 (B) (Emsisoft), Win32.Expiro.Gen.4 (AdAware), mzpefinder_pcap_file.YR, VirusExpiro.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
This description has been generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 2828f32fc2536f67a6fea9bde01871f1
SHA1: 7584900b0cf2e9cefc1881463bbbd6fc64230993
SHA256: c5534fd606bdb99dbd1b6a09d62793f4a029448102b787b8be3014cdbc49e6f9
SSDeep: 12288:Rq7b1Etk1Hc0yjBvFNJ00kbmoEBTeo60ui z4jYE:M7b1Etk187Klbm3BT9zS4j
Size: 480768 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: StdLib
Created at: 2016-01-04 06:09:53
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
WerFault.exe:3096
FlashPlayerUpdateService.exe:1924
FlashPlayerUpdateService.exe:1996
wermgr.exe:3164
msdtc.exe:2180
FlashPlayerInstaller.exe:3992
The Trojan injects its code into the following process(es):
dllhost.exe:1956
%original file name%.exe:3684
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process WerFault.exe:3096 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WERA814.tmp.mdmp (15278 bytes)
C:\Windows\Temp\WERA814.tmp.mdmp (271144 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WER9F79.tmp.appcompat.txt (31 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WER9FB9.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WER9F79.tmp.appcompat.txt (16006 bytes)
C:\Windows\Temp\WERA037.tmp.hdmp (583266 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WERA037.tmp.hdmp (168482 bytes)
C:\Windows\Temp\WER9FB9.tmp.WERInternalMetadata.xml (53648 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\Report.wer (171900 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\WERA814.tmp.mdmp (0 bytes)
C:\Windows\Temp\WERA814.tmp (0 bytes)
C:\Windows\Temp\WERA037.tmp (0 bytes)
C:\Windows\Temp\WER9F79.tmp.appcompat.txt (0 bytes)
C:\Windows\Temp\WERA037.tmp.hdmp (0 bytes)
C:\Windows\Temp\WER9F79.tmp (0 bytes)
C:\Windows\Temp\WER9FB9.tmp (0 bytes)
C:\Windows\Temp\WER9FB9.tmp.WERInternalMetadata.xml (0 bytes)
The process FlashPlayerUpdateService.exe:1924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Macromed\Flash\FlashInstall32.log (84 bytes)
The process FlashPlayerUpdateService.exe:1996 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Temp\{431306BD-DDEE-47BD-9145-B849BF9F0248}\fpi.tmp (3791632 bytes)
C:\Windows\System32\FlashPlayerInstaller.exe (12387 bytes)
The Trojan deletes the following file(s):
C:\Windows\Temp\{431306BD-DDEE-47BD-9145-B849BF9F0248}\fpi.tmp (0 bytes)
C:\Windows\Temp\{431306BD-DDEE-47BD-9145-B849BF9F0248} (0 bytes)
The process dllhost.exe:1956 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Macromed\Flash\gllpflgc.tmp (508 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{AB1C8188-0F4C-4E74-A362-88B4B1478BF5}.crmlog (1600 bytes)
%Program Files%\WinPcap\gpqfnmbf.tmp (352 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64D68604-B96B-4F93-8E98-6E5C7ECA5AB9}.crmlog (623 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
The Trojan deletes the following file(s):
%Program Files%\WinPcap\gpqfnmbf.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\gllpflgc.tmp (0 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64D68604-B96B-4F93-8E98-6E5C7ECA5AB9}.crmlog (0 bytes)
The process wermgr.exe:3164 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\Report.wer.tmp (175218 bytes)
The process msdtc.exe:2180 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\config\SOFTWARE (58470 bytes)
C:\$Directory (1536 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (60670 bytes)
C:\Windows\System32\Msdtc\MSDTC.LOG (2772 bytes)
C:\Windows\System32\Msdtc\Trace\dtctrace.log (16 bytes)
C:\Windows\System32 (192 bytes)
The process FlashPlayerInstaller.exe:3992 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (546 bytes)
C:\Windows\System32\FlashPlayerApp.exe (803 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_26_0_0_151.ocx (12387 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.dll (545 bytes)
C:\Windows\System32\Macromed\Flash\FlashInstall32.log (9 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (449 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe (50 bytes)
C:\Windows\System32\Macromed\Temp\{C5D3312D-21BC-4439-8FCF-5B8C291A00D5}\fpb.tmp (50 bytes)
C:\Windows\System32\Macromed\Temp\{385A1608-B96E-4F3C-B894-EC96A74D288A}\fpb.tmp (1093 bytes)
C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)
The Trojan deletes the following file(s):
C:\Windows\System32\Macromed\Temp (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashInstall.log (0 bytes)
C:\Windows\System32\Macromed\Temp\{385A1608-B96E-4F3C-B894-EC96A74D288A} (0 bytes)
C:\Windows\System32\Macromed\Temp\{C5D3312D-21BC-4439-8FCF-5B8C291A00D5} (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.exe (0 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_23_0_0_185_ActiveX.dll (0 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (0 bytes)
C:\Windows\System32\Macromed\Temp\{C5D3312D-21BC-4439-8FCF-5B8C291A00D5}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Temp\{385A1608-B96E-4F3C-B894-EC96A74D288A}\fpb.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_23_0_0_185.ocx (0 bytes)
The process %original file name%.exe:3684 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\Macromed\Flash\ikbbfgpa.tmp (507 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
C:\Windows\System32\dllhost.exe (1281 bytes)
C:\Windows\ehome\ehrecvr.exe (5873 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aeoedpji.tmp (333 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (2105 bytes)
C:\Windows\ehome\iodlfdan.tmp (336 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\hefcgmqa.tmp (304 bytes)
C:\Windows\ehome\ehsched.exe (2105 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7433 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\gfafhlpc.tmp (1 bytes)
C:\Windows\ehome\mojbjjee.tmp (800 bytes)
C:\Windows\System32\abddhdmk.tmp (315 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
C:\Windows\System32\msiexec.exe (1425 bytes)
%Program Files%\Google\Update\gmfhpmpj.tmp (384 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cpdiekip.tmp (274 bytes)
C:\Windows\System32\FXSSVC.exe (5441 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\System32\hakjliho.tmp (301 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
C:\Windows\System32\alg.exe (1425 bytes)
C:\Windows\System32\hejdoghn.tmp (766 bytes)
C:\Windows\System32\bhcmmkom.tmp (252 bytes)
The Trojan deletes the following file(s):
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aeoedpji.tmp (0 bytes)
C:\Windows\System32\bhcmmkom.tmp (0 bytes)
C:\Windows\ehome\mojbjjee.tmp (0 bytes)
C:\Windows\System32\Macromed\Flash\ikbbfgpa.tmp (0 bytes)
C:\Windows\ehome\iodlfdan.tmp (0 bytes)
C:\Windows\System32\abddhdmk.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\hefcgmqa.tmp (0 bytes)
C:\Windows\System32\hakjliho.tmp (0 bytes)
%Program Files%\Google\Update\gmfhpmpj.tmp (0 bytes)
C:\Windows\System32\hejdoghn.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cpdiekip.tmp (0 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\gfafhlpc.tmp (0 bytes)
Registry activity
The process WerFault.exe:3096 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058C]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[HKU\.DEFAULT\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000587]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000582]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore]
"_CurrentObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F3]
"153" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D3" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058B]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000583]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D4]
"14A" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000588]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D6" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B11" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000589]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000584]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\156]
"_Usn_" = "Type: REG_QWORD, Length: 8"
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000305C]
"146" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\144]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D7]
"14D" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\144]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030F2]
"152" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000589]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D4" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057E]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000585]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DB" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058A]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\156]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E3" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058C]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030DC" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030B1]
"147" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058A]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DC]
"14F" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList]
"CurrentLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030B1" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D6]
"14C" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E3]
"155" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D7" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058B]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000587]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\156\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000055E1" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000302F" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\156]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058D]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000580]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030FC]
"154" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000586]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000582]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"1000000002B0E" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000581]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\156]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000580]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000581]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\150]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000586]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000030DB]
"14E" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B11]
"151" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F2" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030FC" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\155]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14C]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000044D5" = "Type: REG_QWORD, Length: 8"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "4D 4F 43 E0 01 00 00 00 00 00 00 00 6F D3 99 75"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000055E1]
"156" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000585]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14E]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058E]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"100000000305C" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\151]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153\Indexes\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}]
"10000000030F3" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000583]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\148]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\153]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\100000000302F]
"148" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057F]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\149]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\0000000000000588]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058E]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000058D]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057F]
"ObjectId" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14D]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\147]
"_Usn_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\152]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14F]
"_ObjectId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14B]
"_FileId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\146]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\14A]
"_UsnJournalId_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\154]
"_ObjectLru_" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\1000000002B0E]
"150" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D5]
"14B" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\LruList\000000000000057E]
"ObjectLru" = "Type: REG_QWORD, Length: 8"
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\IndexTable\FileIdIndex-{f80abb43-5224-11e3-bc81-806e6f6e6963}\10000000044D3]
"149" = "Type: REG_QWORD, Length: 8"
The Trojan deletes the following value(s) in system registry:
[\REGISTRY\A\{DF823AE1-9139-11E6-A7F6-0050563BAEAC}\DefaultObjectStore\ObjectTable\144]
"AeFileID"
"AeProgramID"
The process FlashPlayerUpdateService.exe:1924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"LastUpdateCheck" = "Type: REG_QWORD, Length: 8"
"UpdateAttempts" = "0"
"CheckFrequency" = "1"
The process FlashPlayerUpdateService.exe:1996 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayerSAU]
"UpdateAttempts" = "1"
[HKU\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"
The process dllhost.exe:1956 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\System]
"EnableSmartScreen" = "0"
[HKLM\SOFTWARE\Microsoft\Security Center\Svc\S-1-5-21-732923889-1296844034-1208581001-1000]
"EnableNotifications" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer]
"HideSCAHealth" = "1"
The process wermgr.exe:3164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug]
"StoreLocation" = "C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad"
The process FlashPlayerInstaller.exe:3992 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\ShockwaveFlash.ShockwaveFlash.22]
"(Default)" = "Shockwave Flash Object"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
"(Default)" = "FlashBroker"
[HKCR\ShockwaveFlash.ShockwaveFlash.24]
"(Default)" = "Shockwave Flash Object"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe,-17"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"Extension" = ".spl"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayName" = "Adobe Flash Player 26 ActiveX"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerUpdateService.exe]
"DisableExceptionChainValidation" = "0"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
"(Default)" = "Macromedia Flash Paper"
[HKCR\ShockwaveFlash.ShockwaveFlash]
"(Default)" = "Shockwave Flash Object"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isMSI" = "0"
[HKCR\ShockwaveFlash.ShockwaveFlash.25\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"LocalizedString" = "@C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe,-101"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"HelpLink" = "http://www.adobe.com/go/flashplayer_support/"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"18.0" = "4294967295"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Macromedia Flash Factory Object"
[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.26"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"25.0" = "4294967295"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
"(Default)" = "IShockwaveFlash"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"16.0" = "4294967295"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash.26"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLUpdateInfo" = "http://www.adobe.com/go/getflashplayer/"
[HKCR\ShockwaveFlash.ShockwaveFlash.19]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.1]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.26]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isScriptDebugger" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"Publisher" = "Adobe Systems Incorporated"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"6.0" = "4294967295"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
"(Default)" = "0"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "FlashFactory.FlashFactory"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"NoRepair" = "1"
"NoModify" = "1"
"EstimatedSize" = "19647"
[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
"(Default)" = "IFlashBroker6"
[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Extended Properties\System.ControlPanel.Category\C:\Windows\system32]
"FlashPlayerCPLApp.cpl" = "10"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMajor" = "26"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashPlayerApp.exe]
"DisableExceptionChainValidation" = "0"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"PlayerPath" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"7.0" = "4294967295"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"
[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_26_0_0_151_ActiveX.exe]
"DisableExceptionChainValidation" = "0"
[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
"(Default)" = ""
[HKCR\FlashFactory.FlashFactory.1]
"(Default)" = "Macromedia Flash Factory Object"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"15.0" = "4294967295"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
"(Default)" = "FlashFactory.FlashFactory.1"
[HKCR\ShockwaveFlash.ShockwaveFlash.8]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
"(Default)" = "IFlashObject"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"22.0" = "4294967295"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\FlashFactory.FlashFactory\CurVer]
"(Default)" = "FlashFactory.FlashFactory.1"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"8.0" = "4294967295"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveXReleaseType]
"Release" = "1"
[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"currentVersion" = "26,0,0,151"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"20.0" = "4294967295"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"Version" = "1.0"
[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"13.0" = "4294967295"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
"(Default)" = "0"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"11.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.6]
"(Default)" = "Shockwave Flash Object"
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"
[HKCR\.mfp]
"(Default)" = "MacromediaFlashPaper.MacromediaFlashPaper"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"Version" = "26.0.0.151"
[HKCR\ShockwaveFlash.ShockwaveFlash.21]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\ShockwaveFlash.ShockwaveFlash.14]
"(Default)" = "Shockwave Flash Object"
[HKCR\.swf]
"Content Type" = "application/x-shockwave-flash"
[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.18]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.15]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
"(Default)" = "%Program Files%\Internet Explorer\iexplore.exe -nohome %1"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
"(Default)" = "Shockwave Flash"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.25]
"(Default)" = "Shockwave Flash Object"
[HKCR\.spl]
"Content Type" = "application/futuresplash"
[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags" = "65536"
[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"
[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"Policy" = "3"
[HKCR\FlashFactory.FlashFactory.1\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"9.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"14.0" = "4294967295"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppPath" = "C:\Windows\system32\Macromed\Flash"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"21.0" = "4294967295"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"VersionMinor" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash" = ""
[HKCR\ShockwaveFlash.ShockwaveFlash.3]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB6E-AE6D-11CF-96B8-444553540000}]
"Compatibility Flags" = "0"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
"(Default)" = "_IShockwaveFlashEvents"
[HKCR\ShockwaveFlash.ShockwaveFlash.7]
"(Default)" = "Shockwave Flash Object"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"10.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.11]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.23]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
"Enabled" = "1"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"(Default)" = "{FAB3E735-69C7-453B-A446-B6823C6DF1C9}"
[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"UninstallString" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe -maintain activex"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 03 00 00 00 09 00 00 00 00 00 00 00"
[HKCR\FlashFactory.FlashFactory]
"(Default)" = "Macromedia Flash Factory Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
"(Default)" = "1.0"
[HKCR\ShockwaveFlash.ShockwaveFlash.5]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.20]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx, 1"
[HKCR\ShockwaveFlash.ShockwaveFlash.9]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
"Version" = "1.0"
[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"12.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\.sol]
"Content Type" = "text/plain"
[HKCR\ShockwaveFlash.ShockwaveFlash.16]
"(Default)" = "Shockwave Flash Object"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"Extension" = ".swf"
[HKCR\ShockwaveFlash.ShockwaveFlash.13]
"(Default)" = "Shockwave Flash Object"
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayVersion" = "26.0.0.151"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
"AppName" = "FlashUtil32_26_0_0_151_ActiveX.exe"
[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"26.0" = "151"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx, 1"
[HKCR\.sor]
"Content Type" = "text/plain"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash" = ""
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"19.0" = "4294967295"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"UninstallerPath" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"24.0" = "4294967295"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"URLInfoAbout" = "http://www.adobe.com"
[HKCR\.swf]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKCR\.spl]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKLM\SOFTWARE\Macromedia\FlashPlayer\SafeVersions]
"17.0" = "4294967295"
"23.0" = "4294967295"
[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.4]
"(Default)" = "Shockwave Flash Object"
[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\.mfp]
"Content Type" = "application/x-shockwave-flash"
[HKCR\ShockwaveFlash.ShockwaveFlash.24\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"DisplayIcon" = "C:\Windows\system32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe"
[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
"RequiresIESysFile" = "4.70.0.1155"
[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
"(Default)" = "ShockwaveFlash.ShockwaveFlash"
[HKLM\SOFTWARE\Macromedia\FlashPlayerActiveX]
"isESR" = "0"
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11CF-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.10]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
"(Default)" = "FlashBroker"
[HKCR\ShockwaveFlash.ShockwaveFlash.17]
"(Default)" = "Shockwave Flash Object"
[HKCR\FlashFactory.FlashFactory\CLSID]
"(Default)" = "{D27CDB70-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.12]
"(Default)" = "Shockwave Flash Object"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
"(Default)" = "{D27CDB6B-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\ShockwaveFlash.ShockwaveFlash.26\CLSID]
"(Default)" = "{D27CDB6E-AE6D-11cf-96B8-444553540000}"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"(Default)" = "C:\Windows\system32\Macromed\Flash\Flash32_26_0_0_151.ocx"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}]
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FlashUtil32_23_0_0_185_ActiveX.exe]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.6\CLSID]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\ShockwaveFlash.ShockwaveFlash.21\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.11\CLSID]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{FAF199D2-BFA7-4394-A4DE-044A08E59B32}]
[HKCR\ShockwaveFlash.ShockwaveFlash.19\CLSID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Adobe Flash Player ActiveX]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.22\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Version]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\TypeLib]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}]
[HKCR\ShockwaveFlash.ShockwaveFlash.9\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.4]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\VersionIndependentProgID]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\ShockwaveFlash.ShockwaveFlash.7\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.13\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper]
[HKCR\FlashFactory.FlashFactory.1]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.16\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Control]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\TypeLib]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage]
[HKCR\ShockwaveFlash.ShockwaveFlash\CurVer]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.swf]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ProgID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{31CAF6E4-D6AA-4090-A050-A5AC8972E9EF}]
[HKCR\ShockwaveFlash.ShockwaveFlash.23\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.10\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\Programmable]
[HKCR\ShockwaveFlash.ShockwaveFlash.21]
[HKCR\ShockwaveFlash.ShockwaveFlash.20]
[HKCR\ShockwaveFlash.ShockwaveFlash.23]
[HKCR\ShockwaveFlash.ShockwaveFlash.22]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\FlashFactory.FlashFactory\CurVer]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\.mfp]
[HKCR\ShockwaveFlash.ShockwaveFlash.5\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\MiscStatus\1]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95801-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\Elevation]
[HKCR\Interface\{D27CDB6D-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.spl]
[HKCR\FlashFactory.FlashFactory]
[HKCR\ShockwaveFlash.ShockwaveFlash.18\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash.8\CLSID]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\DefaultIcon]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{7DD95802-9882-11CF-9FA9-00AA006C42C4}]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\EnableFullPage\.mfp]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Implemented Categories\{59FB2056-D625-48D0-A944-1A85B5AB2640}]
[HKCR\ShockwaveFlash.ShockwaveFlash.12\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\Version]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open]
[HKCR\ShockwaveFlash.ShockwaveFlash.4\CLSID]
[HKCR\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR]
[HKCR\ShockwaveFlash.ShockwaveFlash.3]
[HKCR\ShockwaveFlash.ShockwaveFlash.1]
[HKCR\ShockwaveFlash.ShockwaveFlash.6]
[HKCR\ShockwaveFlash.ShockwaveFlash.7]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell\open\command]
[HKCR\ShockwaveFlash.ShockwaveFlash.5]
[HKCR\ShockwaveFlash.ShockwaveFlash.8]
[HKCR\ShockwaveFlash.ShockwaveFlash.9]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32]
[HKCR\ShockwaveFlash.ShockwaveFlash.10]
[HKCR\ShockwaveFlash.ShockwaveFlash.11]
[HKCR\ShockwaveFlash.ShockwaveFlash.12]
[HKCR\ShockwaveFlash.ShockwaveFlash.13]
[HKCR\ShockwaveFlash.ShockwaveFlash.14]
[HKCR\ShockwaveFlash.ShockwaveFlash.15]
[HKCR\ShockwaveFlash.ShockwaveFlash.16]
[HKCR\ShockwaveFlash.ShockwaveFlash.17]
[HKCR\ShockwaveFlash.ShockwaveFlash.18]
[HKCR\ShockwaveFlash.ShockwaveFlash.19]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid]
[HKCR\.spl]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.1\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0]
[HKCR\ShockwaveFlash.ShockwaveFlash.3\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32]
[HKCR\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\FLAGS]
[HKCR\ShockwaveFlash.ShockwaveFlash.15\CLSID]
[HKCR\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0]
[HKCR\ShockwaveFlash.ShockwaveFlash.20\CLSID]
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\TypeLib]
[HKCR\MacromediaFlashPaper.MacromediaFlashPaper\shell]
[HKCR\Interface\{86230738-D762-4C50-A2DE-A753E5B1686F}\ProxyStubClsid32]
[HKCR\FlashFactory.FlashFactory\CLSID]
[HKCR\Interface\{299817DA-1FAC-4CE2-8F48-A108237013BD}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.14\CLSID]
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\TypeLib]
[HKCR\FlashFactory.FlashFactory.1\CLSID]
[HKCR\Interface\{D27CDB6C-AE6D-11CF-96B8-444553540000}\ProxyStubClsid32]
[HKCR\ShockwaveFlash.ShockwaveFlash.17\CLSID]
[HKCR\ShockwaveFlash.ShockwaveFlash]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Macromedia\FlashPlayer]
"CurrentVersion"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{D27CDB70-AE6D-11cf-96B8-444553540000}]
"Compatibility Flags"
[HKCR\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCR\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32]
"ThreadingModel"
[HKCR\MIME\Database\Content Type\application/x-shockwave-flash]
"CLSID"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/x-shockwave-flash"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\NavigatorPluginsList\Shockwave Flash]
"application/futuresplash"
[HKCR\.sol]
"Content Type"
[HKCR\MIME\Database\Content Type\application/futuresplash]
"CLSID"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCR\.sor]
"Content Type"
Dropped PE files
| MD5 | File path |
|---|---|
| 30b1d0d476739845864b31db3d678476 | c:\Windows\System32\Macromed\Flash\Flash32_26_0_0_151.ocx |
| 43a19b2d132d0eff5b29ecd57ba0d17c | c:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.dll |
| d3e6add1b26bc1a450fc4fccba5814c7 | c:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name: Cisco WebEx LLC
Product Name: WebEx Application Sharing
Product Version: 1030,1503,1000,2900
Legal Copyright: (c) 1997-2015 Cisco and/or its affiliates. All rights reserved.
Legal Trademarks:
Original Filename: atsckernel.exe
Internal Name: atsckernel.exe
File Version: 1030,1503,1000,2900
File Description: WebEx Application Sharing Host launcher
Comments: 10/29/2015 T30(Unicode)
Language: Spanish (Spain, International Sort)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 136757 | 137216 | 4.59287 | 9c1802a7ff7c02c129ea6e2b625104ee |
| .rdata | 143360 | 55402 | 55808 | 3.23387 | 5e558daf3a5c0ea8e7f59d13fb5b90de |
| .data | 200704 | 18048 | 8192 | 2.74186 | 448686f70ab878b4d6001d75a816ad17 |
| .rsrc | 221184 | 24372 | 24576 | 4.18528 | 23e40eaa851fe723aed865a93d4af2e1 |
| .reloc | 245760 | 659456 | 253952 | 5.46635 | 223aa0135d9b28ae74f2e3b029e7aad8 |
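The section table above has one anomaly worth checking on any file-infector sample: the last section, `.reloc`, holds 253952 raw bytes (more than `.text`) and maps 659456 bytes at runtime, roughly 2.6 times its on-disk size, whereas a relocation table for a binary of this size is normally a few kilobytes. The following Python is an added example, not part of the Lavasoft report, that parses the table as printed and applies those heuristics to the last section only; the `.data` section's virtual size exceeding its raw size is ordinary uninitialised data and is deliberately not flagged. The thresholds and the five constructed rows (copied from the table above) are the example's own.

```python
"""Heuristics over a PE section table as printed in a sandbox report."""

# Constructed input: the PE Sections table above, copied verbatim.
SECTION_TABLE = """\
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 136757 | 137216 | 4.59287 | 9c1802a7ff7c02c129ea6e2b625104ee |
| .rdata | 143360 | 55402 | 55808 | 3.23387 | 5e558daf3a5c0ea8e7f59d13fb5b90de |
| .data | 200704 | 18048 | 8192 | 2.74186 | 448686f70ab878b4d6001d75a816ad17 |
| .rsrc | 221184 | 24372 | 24576 | 4.18528 | 23e40eaa851fe723aed865a93d4af2e1 |
| .reloc | 245760 | 659456 | 253952 | 5.46635 | 223aa0135d9b28ae74f2e3b029e7aad8 |
"""


def parse_section_table(text):
    """Parse markdown table rows into dicts; header and separator rows are skipped."""
    sections = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 6 or not cells[1].isdigit():
            continue  # header row, separator row or unrelated text
        name, va, vsize, raw, entropy, md5 = cells
        sections.append({"name": name, "va": int(va), "vsize": int(vsize),
                         "raw": int(raw), "entropy": float(entropy), "md5": md5})
    return sections


def last_section_share(sections):
    """Fraction of all raw section bytes that sit in the last section."""
    total = sum(s["raw"] for s in sections)
    return sections[-1]["raw"] / total if total else 0.0


def infector_findings(sections, reloc_limit=64 * 1024):
    """Return human-readable findings about the last section; empty means nothing stood out."""
    findings = []
    if not sections:
        return findings
    last = sections[-1]
    text = next((s for s in sections if s["name"] == ".text"), None)
    if text and last["raw"] > text["raw"]:
        findings.append(f"last section {last['name']} ({last['raw']} raw bytes) outweighs "
                        f".text ({text['raw']} bytes): appended-body pattern")
    if last["vsize"] > 2 * last["raw"]:
        findings.append(f"{last['name']} maps {last['vsize']} bytes for {last['raw']} on disk "
                        f"({last['vsize'] / last['raw']:.1f}x): extra runtime space reserved")
    if last["name"] == ".reloc" and last["raw"] > reloc_limit:
        findings.append(f".reloc is {last['raw']} bytes, far beyond what a relocation "
                        f"table for a binary this size needs")
    return findings


if __name__ == "__main__":
    secs = parse_section_table(SECTION_TABLE)
    print(f"last section holds {last_section_share(secs):.1%} of raw section bytes")
    for f in infector_findings(secs):
        print("-", f)
```

Run against the table above it reports all three findings and that `.reloc` holds about 53% of the raw section bytes; against the first four rows alone it reports nothing, which is the expected result for an unmodified host binary.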
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://a1293.d.akamai.net/pub/flashplayer/update/current/sau/26/install/install_all_win_ax_sgn.z | |
| hxxp://fpdownload2.macromedia.com/pub/flashplayer/update/current/sau/26/install/install_all_win_ax_sgn.z | |
| fpdownload.macromedia.com | |
All three entries belong to the Flash Player update download shown under Traffic (User-Agent "Download Flash Player Installer/1.0", issued while FlashPlayerUpdateService.exe and FlashPlayerInstaller.exe were running); no other network destinations were recorded.
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /pub/flashplayer/update/current/sau/26/install/install_all_win_ax_sgn.z HTTP/1.1
Connection: Keep-Alive
User-Agent: Download Flash Player Installer/1.0
Host: fpdownload2.macromedia.com
HTTP/1.1 200 OK
Server: Apache
Last-Modified: Tue, 08 Aug 2017 08:29:19 GMT
ETag: "13306de-55639c27fd232"
Accept-Ranges: bytes
Content-Length: 20121310
Content-Encoding: x-compress
Date: Mon, 28 Aug 2017 21:17:24 GMT
Connection: keep-alive
[binary response body omitted: a DER-encoded signature wrapper followed by an MZ/PE image with .text, .rdata, .data, .rsrc and .reloc sections; the sandbox dump is truncated here]
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.rsrc
@.reloc
YY=ATASt%SW
Iumj.Xjn
SShh<
WmsgSendMessage
AppsIsShared
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
GetProcessWindowStation
operator
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
D:\ec\ws\official_Train_T30L10NSP6_client_682736_201602280128\020p\maps\Release\atsckernel.pdb
SHLWAPI.dll
RPCRT4.dll
KERNEL32.dll
ExitWindowsEx
GetKeyState
keybd_event
MapVirtualKeyW
EnumDesktopWindows
USER32.dll
GDI32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegCreateKeyW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
GetProcessHeap
GetCPInfo
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="true"></requestedExecutionLevel>
;";.;?;?>
9%9U9
0&0,090@0\0}0
5C6k6y6Œ8\8c8k8p8t8x8
9 9%9*939
; <@<\<|<
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {PwzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqIayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
CRTDLL.DLL
4(5-5@5{51$1*1/1{15 :$:(:,:
kkqvx_.dll
.rdata
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{H3.rs
%s{<?{kkqvx_64.dll
sfc_os.dll
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
Zole32.dll
%s_mtx1
crtdll.dll
shell32.dll
*shell32.dll
%s_mtx%u
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe
Rpc kernel call back error: %x
CASCtrlAgent::Run:%x,%d
Mouse pos: %d, %d, %x
Get HitTest code(%d, %d): %d, %d, %x
CASCtrlAgent::OnShadowVirtualKeyEvent get WinKey/MenuKey up
CASCtrlAgent::OnShadowVirtualKeyEvent skipped, because %x is not shared
CASCtrlAgent::OnShadowVirtualKeyEvent skipped, because %x is with AS_NOREMOTECONTROLWINDOW_PROP
SetClipboardViewer err[%d]
PostThreadMessage CTRL_ALT_DEL_COMMAND %d ret=%d err=%d
CTRL_ALT_DEL_COMMAND %d %d
wmsgapi.dll
Wmsg Send Message in WTS dialog: %d,%d,%d,%d
CASCtrlAgent::Simulate Win D Key
Fail to translate vkey: %x, %x
WM_AS_VIRTUALKEY *
WM_AS_MOUSEEVENTF_LEFTDOWN %d %d
Get Pointer: %d, %d
WM_AS_MOUSEEVENTF_LEFTUP %d %d
LoadLibrary %s fail...
call AsKeAsStart %x, %x, %x
NTGdiHookAsEnd(%x,%x)
Set resource dll: %s
atres.dll
BringSharedAppToFront:BringWindowToTop(%x) fail(freezen).
call AppsInit %d
\pipe\atsckernel
\pipe\atscctrlrpc
rpcrt4.dll
LoadASKernel fail %s
CreateEvent ATASKERNEL_EVENT failed %d
kernel_path %s
RunRPCSrv fail %s
Run RPC server at %s,%s
The RPC server is not compatible to the calling client.WebEx application sharing will switch to in-context mode.
Error Code: %d
WebEx Application Sharing
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Check UAC desktop[%d]
GetSecurityInfo Error %u
AllocateAndInitializeSid Error %u
SetEntriesInAcl Error %u
SetSercurityInfo Error %u
lpstrCmdLine %s ...
_tWinMain %s getcmdline=%s
_tWinMain empty cmdline, exit. %s
AsKeGetMonitorNum %d
call APPS_ESC_DISABLEINPUT %d, %d
call ChangeDisplaySettingsEx %d %d %s
dwmapi.dll
\dwmapi.dll
CBlankScreenAgentImpl::BlankScreen %d
CBlankScreenAgentImpl::DoBlankScreen, MonitorCount=%d
CBlankScreenAgentImpl::DoBlankScreen, MonitorCount=%d is shared
CBlankScreenAgentImpl::DoBlankScreen, MonitorCount=%d is not attached
CBlankScreenAgentImpl::DoBlankScreen Index=%d, Result=%d
CBlankScreenAgentImpl::SetupOverlayRegistery, ConsoleSession=%d
CBlankScreenAgentImpl::SetupOverlayRegistery,get sid %d
CBlankScreenAgentImpl::SetupOverlayRegistery,get session user token success,sid= %s
CBlankScreenAgentImpl::SetupOverlayRegistery,get session user token failed %d
CBlankScreenWnd::Init DPI Scale in Windows 8: %f
CBlankScreenWnd::Init failed to create mask winodw %d,%d,%d,%d
CBlankScreenWnd::Init after high DPI Scale in Windows 8: %ld,%ld,%ld,%ld
CBlankScreenWnd::BlankOn after high DPI Scale in Windows 8: %ld,%ld,%ld,%ld
CBlankScreenWnd::OnClose received!!!, hWnd=0x%x
End Session: %x
psapi.dll
wbxtra_huhuhu_huhuhu.wbt
wbxtra_*.wbt
WaitForSingleObject Failed, ret = %u, err = %u
WBXTRA_{608462E6-C570-4d01-B29A-63DDB7D9914C}delete dumpfile [%s], ret = %d, err = %d
SOFTWARE\WebEx\wbxtrace
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
PSAPI.dll
USER32.DLL
SysShadow
SHCore.dll
Wtsapi32.dll
Advapi32.dll
c:\%original file name%.exe
Cisco WebEx LLC
WebEx Application Sharing Host launcher
1030,1503,1000,2900
atsckernel.exe
%original file name%.exe_3684_rwx_00CAE000_0003C000:
; <@<\<|<
.text
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {PwzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqIayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
KERNEL32.dll
CRTDLL.DLL
4(5-5@5{51$1*1/1{15 :$:(:,:
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{H3.rs
%s{<?{kkqvx_64.dll
dllhost.exe_1956:
.text
`.data
.rsrc
@.reloc
KERNEL32.dll
msvcrt.dll
ole32.dll
ntdll.dll
dllhost.pdb
_wcmdln
_amsg_exit
(8((<)((
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {PwzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqIayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
CRTDLL.DLL
4(5-5@5{51$1*1/1{15 :$:(:,:
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{H3.rs
%s{<?{kkqvx_64.dll
K.$%D,3
sfc_os.dll
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
T%s_37
Zole32.dll
k%c:\
crtdll.dll
@%X%X
shell32.dll
*shell32.dll
(%u.%u.%u
%s%s\
\%c:\
SetupWeb_
_sfx.exe
||MSASCui.exe|msseces.exe|mseinstall.exe|Tcpview.exe|cav_installer.exe|cfw_installer.exe|cispremium_installer.exe|PandaCloudAntivirus.exe|60Second.exe|Antivirus_Free_Edition.exe|OnlineArmorSetup.exe|McAfeeSetup.exe|Vba32.NT.T.exe|Vba32.P.exe|Vba32.S.exe|Vba32.Vista.exe|Vba32.W.exe|Vba32Check.exe|Vba32RCSInstallTuner.exe|avgmfapx.exe|avg_remover_expiro.exe|
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Policies\Microsoft\Windows\System
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
%s\%s
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe
6.1.7600.16385 (win7_rtm.090713-1255)
dllhost.exe
Windows
Operating System
6.1.7600.16385
%original file name%.exe_3684_rwx_00CEB000_00062000:
sfc_os.dll
nn.lrF
.Os{Z i/mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {PwzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqIayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
Zole32.dll
%s_mtx1
crtdll.dll
shell32.dll
*shell32.dll
%s_mtx%u
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
<%C!O[
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe
dllhost.exe_1956_rwx_01001000_00001000:
dllhost.pdb
KERNEL32.dll
_wcmdln
_amsg_exit
msvcrt.dll
ole32.dll
ntdll.dll
msdtc.exe_2180:
.text
`.data
.rsrc
@.reloc
KERNEL32.dll
NTDLL.DLL
ole32.dll
msvcrt.dll
MSDTCTM.dll
VERSION.dll
USER32.dll
ADVAPI32.dll
d:\w7rtm\com\complus\dtc\inc\tracedstrsafe.h
DBGHELP.DLL
\DtcInstall.log
ld-ld-ld ld:ld : DTC Install error = %d, %s, %s (%d)
msdtcexe.pdb
_wcmdln
_amsg_exit
RtlReportException
ntdll.dll
SetProcessWindowStation
OpenWindowStationW
GetProcessWindowStation
CloseWindowStation
GetSystemWindowsDirectoryA
RegCloseKey
RegOpenKeyExW
RegOpenKeyExA
ReportEventW
version="5.1.0.0"
name="Microsoft.Windows.DTC.MSDTC"
<requestedExecutionLevel
9.UF2
%sZp3
s.kw:R
W.ZBh{T>7677.hN
:87/-)(/
yxC5%CrJ
0 1-121V1b1g1}1
1-13181>1
d:\w7rtm\com\complus\src\inc\utsem.h
d:\w7rtm\com\complus\dtc\shared\util\dtcini.cpp
%s\%s
LoadLibrary(DbgHelp.dll) failed.
%s\%s.dmp
%s_ldldld_ldldld
d:\w7rtm\com\complus\src\shared\util\utsem.cpp
comres.dll
*** Error Code = 0xx : %s
File: %s, Line: %d
%u.%u.%u.%u
comsvcs.dll
Comsvcs.dll file version info: %s %s %s
%s\%s*.dmp
%s %d %s full
RunDll32 comsvcs.dll,MiniDump
%s\%s_d_d_d_d_d_d.dmp
d:\w7rtm\com\complus\src\shared\util\svcerr.cpp
0xX (%u)
Process.Thread=<%d.%d>
File: %s:%d
hr=0xx
*** Error in %s(%d), %s: %s
0xx [S] [lS] %s (%s@d): %s
ld-ld-ld ld:ld:ld:ld : [%4x.%4x]
%s\MSDTC-%d.log
UnregisterWait returned the 0x%x error code.
d:\w7rtm\com\complus\dtc\shared\trace\src\traceoutputsettings.cpp
Unable to open output key
Debug out enabled is now %d
Memory buffer size is now %d
Using new trace file path: %s
Unable to open sources key
Unable to read level for source %S
Now tracing %S at level %d
Unable to open MSDTC\Tracing settings key
2001.12.8530.16385 (win7_rtm.090713-1255)
MSDTC.EXE
Windows
Operating System
6.1.7600.16385
dllhost.exe_1956_rwx_01004000_0009F000:
(8((<)((
.text
.data
.idata
.reloc
.edata
nn.lrF
.Os{Z i/mbLtd0d{FC)Bm8Tv(-prFY9WgbF}o? {PwzZtd6jt\Y'U`8Qp(%dsJS#F{bJubhgqIayN&r.jnFQ#Qk;@j%/k;F]5L{`Sl&<lz\]bIl5K``/a[X(E,u@&j*jbJE.YiyUcd7|k
ub.mwBT-
V]v}L.gLpVM
<%C!O[
KERNEL32.dll
CRTDLL.DLL
4(5-5@5{51$1*1/1{15 :$:(:,:
kkqvx_.dll
.rdata
@.data
.pdata
@.idata
T.PM9
$o.UC
qHG;rXqEuN_nOv* Jq.UO5{{H3.rs
%s{<?{kkqvx_64.dll
K.$%D,3
sfc_os.dll
oleaut32.dll
09WinExec
47PeekNamedPipe
48CreatePipe
T%s_37
Zole32.dll
k%c:\
crtdll.dll
@%X%X
shell32.dll
*shell32.dll
(%u.%u.%u
%s%s\
\%c:\
SetupWeb_
_sfx.exe
||MSASCui.exe|msseces.exe|mseinstall.exe|Tcpview.exe|cav_installer.exe|cfw_installer.exe|cispremium_installer.exe|PandaCloudAntivirus.exe|60Second.exe|Antivirus_Free_Edition.exe|OnlineArmorSetup.exe|McAfeeSetup.exe|Vba32.NT.T.exe|Vba32.P.exe|Vba32.S.exe|Vba32.Vista.exe|Vba32.W.exe|Vba32Check.exe|Vba32RCSInstallTuner.exe|avgmfapx.exe|avg_remover_expiro.exe|
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
25RegEnumKeyExA
26RegSetKeySecurity
00RegOpenKeyExA
04RegCloseKey
02RegCreateKeyExA
advapi32.dll
$SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
Software\Policies\Microsoft\Windows\System
asfc.dll
sfc.dll
22EnumDesktopWindows
user32.dll
%s\%s
3.tmp
rsvp.exe
rundll32.exe
chrome.exe
consent.exe
svchost.exe_1020:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
WerFault.exe:3096
FlashPlayerUpdateService.exe:1924
FlashPlayerUpdateService.exe:1996
wermgr.exe:3164
msdtc.exe:2180
FlashPlayerInstaller.exe:3992
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WERA814.tmp.mdmp (15278 bytes)
C:\Windows\Temp\WERA814.tmp.mdmp (271144 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WER9F79.tmp.appcompat.txt (31 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WER9FB9.tmp.WERInternalMetadata.xml (3 bytes)
C:\Windows\Temp\WER9F79.tmp.appcompat.txt (16006 bytes)
C:\Windows\Temp\WERA037.tmp.hdmp (583266 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\WERA037.tmp.hdmp (168482 bytes)
C:\Windows\Temp\WER9FB9.tmp.WERInternalMetadata.xml (53648 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\Report.wer (171900 bytes)
C:\Windows\System32\Macromed\Flash\FlashInstall32.log (84 bytes)
C:\Windows\Temp\{431306BD-DDEE-47BD-9145-B849BF9F0248}\fpi.tmp (3791632 bytes)
C:\Windows\System32\FlashPlayerInstaller.exe (12387 bytes)
C:\Windows\System32\Macromed\Flash\gllpflgc.tmp (508 bytes)
C:\Windows\System32\Macromed\Flash\FlashPlayerUpdateService.exe (3073 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{AB1C8188-0F4C-4E74-A362-88B4B1478BF5}.crmlog (1600 bytes)
%Program Files%\WinPcap\gpqfnmbf.tmp (352 bytes)
C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{64D68604-B96B-4F93-8E98-6E5C7ECA5AB9}.crmlog (623 bytes)
%Program Files%\WinPcap\rpcapd.exe (2105 bytes)
C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_infocard.exe_8962182c5b835ed2d312d75a1aa433a1c364fa4_cab_0c0da8ad\Report.wer.tmp (175218 bytes)
C:\Windows\System32\config\SOFTWARE (58470 bytes)
C:\$Directory (1536 bytes)
C:\Windows\System32\config\SOFTWARE.LOG1 (60670 bytes)
C:\Windows\System32\Msdtc\MSDTC.LOG (2772 bytes)
C:\Windows\System32\Msdtc\Trace\dtctrace.log (16 bytes)
C:\Windows\System32\FlashPlayerApp.exe (803 bytes)
C:\Windows\System32\Macromed\Flash\Flash32_26_0_0_151.ocx (12387 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.dll (545 bytes)
C:\Windows\System32\Macromed\Flash\activex.vch (449 bytes)
C:\Windows\System32\Macromed\Flash\FlashUtil32_26_0_0_151_ActiveX.exe (50 bytes)
C:\Windows\System32\Macromed\Temp\{C5D3312D-21BC-4439-8FCF-5B8C291A00D5}\fpb.tmp (50 bytes)
C:\Windows\System32\Macromed\Temp\{385A1608-B96E-4F3C-B894-EC96A74D288A}\fpb.tmp (1093 bytes)
C:\Windows\System32\FlashPlayerCPLApp.cpl (144 bytes)
C:\Windows\System32\Macromed\Flash\ikbbfgpa.tmp (507 bytes)
%Program Files%\Google\Update\GoogleUpdate.exe (2105 bytes)
C:\Windows\System32\dllhost.exe (1281 bytes)
C:\Windows\ehome\ehrecvr.exe (5873 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aeoedpji.tmp (333 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe (2105 bytes)
C:\Windows\ehome\iodlfdan.tmp (336 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\hefcgmqa.tmp (304 bytes)
C:\Windows\ehome\ehsched.exe (2105 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\infocard.exe (7433 bytes)
C:\Windows\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\gfafhlpc.tmp (1 bytes)
C:\Windows\ehome\mojbjjee.tmp (800 bytes)
C:\Windows\System32\abddhdmk.tmp (315 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_state.exe (1425 bytes)
C:\Windows\System32\msiexec.exe (1425 bytes)
%Program Files%\Google\Update\gmfhpmpj.tmp (384 bytes)
C:\Windows\Microsoft.NET\Framework\v4.0.30319\cpdiekip.tmp (274 bytes)
C:\Windows\System32\FXSSVC.exe (5441 bytes)
C:\Windows\System32\hakjliho.tmp (301 bytes)
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe (1425 bytes)
C:\Windows\System32\alg.exe (1425 bytes)
C:\Windows\System32\hejdoghn.tmp (766 bytes)
C:\Windows\System32\bhcmmkom.tmp (252 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.