Gen.Variant.Kazy.535561_3570882d35

by malwarelabrobot on January 20th, 2015 in Malware Descriptions.

Gen:Variant.Kazy.535561 (B) (Emsisoft), Gen:Variant.Kazy.535561 (AdAware), ZeroAccess.YR (Lavasoft MAS)
Behaviour: Malware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 3570882d35aae624e691509f5da41ae9
SHA1: f91cdbfdd07e090db3e91bb290a5ab77e1cffda6
SHA256: 56a7c9aabf205d4fa81d52893fca85172b5565df104772c231be8c317b78d43f
SSDeep: 12288:w/IWZLRDCfreFGrOvfeoWnJfb4VtRBxIyfSv7NzyeIw:w/IWJRDCisiDWn1i/BxIya7XT
Size: 652288 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-06 02:36:08
Analyzed on: WindowsXP SP3 32-bit


Summary:

Malware. Malware, short for malicious software, is any software used to disrupt computer operation, gather sensitive information, or gain access to private computer systems.

Payload

No specific payload has been found.

Process activity

The Malware creates the following process(es):

cscript.exe:3920
cscript.exe:2848
cscript.exe:1148
cscript.exe:3288
cscript.exe:1308
cscript.exe:3048
cscript.exe:1224
cscript.exe:3324
cscript.exe:4020
cscript.exe:2092
cscript.exe:3044
cscript.exe:3652
cscript.exe:3556
cscript.exe:1948
cscript.exe:3284
cscript.exe:2488
cscript.exe:2324
cscript.exe:1940
cscript.exe:2328
cscript.exe:2528
cscript.exe:1944
cscript.exe:3856
cscript.exe:2248
cscript.exe:2292
cscript.exe:2244
cscript.exe:3180
cscript.exe:2844
cscript.exe:2464
cscript.exe:3488
cscript.exe:1096
cscript.exe:3764
cscript.exe:3568
cscript.exe:3768
cscript.exe:3480
cscript.exe:3936
cscript.exe:2856
cscript.exe:3400
cscript.exe:3204
cscript.exe:264
cscript.exe:3408
cscript.exe:3644
cscript.exe:1556
cscript.exe:1060
cscript.exe:3036
cscript.exe:3240
cscript.exe:2496
cscript.exe:536
cscript.exe:2096
cscript.exe:412
cscript.exe:2416
cscript.exe:2792
cscript.exe:2252
cscript.exe:2148
cscript.exe:2288
cscript.exe:4076
cscript.exe:2872
cscript.exe:3940
cscript.exe:1328
cscript.exe:1236
cscript.exe:1088
cscript.exe:2104
cscript.exe:2828
cscript.exe:3148
cscript.exe:2784
cscript.exe:3384
cscript.exe:3380
cscript.exe:3932
cscript.exe:2788
cscript.exe:3388
cscript.exe:2664
cscript.exe:2144
cscript.exe:2260
cscript.exe:2668
cscript.exe:3580
cscript.exe:3664
cscript.exe:3956
cscript.exe:2768
cscript.exe:3816
cscript.exe:2444
cscript.exe:2524
cscript.exe:3588
cscript.exe:2932
cscript.exe:4060
cscript.exe:3668
cscript.exe:3156
cscript.exe:3456
cscript.exe:3312
cscript.exe:2832
cscript.exe:4056
cscript.exe:2044
cscript.exe:2276
cscript.exe:4052
cscript.exe:3016
cscript.exe:1648
cscript.exe:3468
cscript.exe:3968
cscript.exe:2164
cscript.exe:1984
cscript.exe:432
cscript.exe:3120
cscript.exe:2372
cscript.exe:2928
cscript.exe:620
cscript.exe:3808
cscript.exe:2592
cscript.exe:572
cscript.exe:2920
cscript.exe:2808
cscript.exe:3124
cscript.exe:252
cscript.exe:3452
cscript.exe:2568
cscript.exe:1632
cscript.exe:3368
cscript.exe:1980
cscript.exe:2056
cscript.exe:4068
cscript.exe:2904
cscript.exe:4064
cscript.exe:2688
cscript.exe:2368
cscript.exe:2364
cscript.exe:3080
cscript.exe:2812
cscript.exe:560
cscript.exe:3872
cscript.exe:2588
cscript.exe:3072
cscript.exe:228
cscript.exe:3172
cscript.exe:2952
cscript.exe:1916
cscript.exe:3884
cscript.exe:3904
cscript.exe:3688
cscript.exe:2216
cscript.exe:1624
cscript.exe:2896
cscript.exe:1748
cscript.exe:2696
cscript.exe:2516
cscript.exe:2080
cscript.exe:2512
cscript.exe:3188
cscript.exe:2860
cscript.exe:4084
cscript.exe:3636
cscript.exe:2432
cscript.exe:3864
cscript.exe:3532
cscript.exe:1896
cscript.exe:3228
cscript.exe:2992
cscript.exe:2228
cscript.exe:3340
cscript.exe:1612
cscript.exe:2220
cscript.exe:2420
cscript.exe:320
cscript.exe:1692
cscript.exe:2492
cscript.exe:2504
cscript.exe:3524
cscript.exe:4092
cscript.exe:204
cscript.exe:2720
cscript.exe:2728
cscript.exe:3700
cscript.exe:484
cscript.exe:2340
cscript.exe:1280
cscript.exe:4012
cscript.exe:3788
cscript.exe:3420
cscript.exe:4016
cscript.exe:2084
cscript.exe:3988
cscript.exe:3980
cscript.exe:2224
%original file name%.exe:216
%original file name%.exe:3920
%original file name%.exe:2980
%original file name%.exe:2960
%original file name%.exe:4004
%original file name%.exe:3928
%original file name%.exe:1260
%original file name%.exe:3492
%original file name%.exe:2840
%original file name%.exe:3416
%original file name%.exe:4028
%original file name%.exe:3556
%original file name%.exe:3552
%original file name%.exe:1940
%original file name%.exe:2528
%original file name%.exe:2404
%original file name%.exe:3816
%original file name%.exe:1468
%original file name%.exe:2152
%original file name%.exe:2652
%original file name%.exe:2240
%original file name%.exe:3760
%original file name%.exe:2708
%original file name%.exe:3832
%original file name%.exe:3768
%original file name%.exe:2704
%original file name%.exe:2468
%original file name%.exe:2924
%original file name%.exe:3336
%original file name%.exe:1496
%original file name%.exe:2260
%original file name%.exe:3640
%original file name%.exe:3248
%original file name%.exe:3036
%original file name%.exe:3200
%original file name%.exe:2312
%original file name%.exe:3840
%original file name%.exe:2144
%original file name%.exe:2392
%original file name%.exe:532
%original file name%.exe:2252
%original file name%.exe:2288
%original file name%.exe:3680
%original file name%.exe:2196
%original file name%.exe:1080
%original file name%.exe:3276
%original file name%.exe:3144
%original file name%.exe:3308
%original file name%.exe:3148
%original file name%.exe:2600
%original file name%.exe:2784
%original file name%.exe:304
%original file name%.exe:3380
%original file name%.exe:3576
%original file name%.exe:2788
%original file name%.exe:2380
%original file name%.exe:2268
%original file name%.exe:2660
%original file name%.exe:1652
%original file name%.exe:2072
%original file name%.exe:364
%original file name%.exe:4060
%original file name%.exe:2076
%original file name%.exe:3844
%original file name%.exe:308
%original file name%.exe:1236
%original file name%.exe:3584
%original file name%.exe:2444
%original file name%.exe:2524
%original file name%.exe:300
%original file name%.exe:2284
%original file name%.exe:2448
%original file name%.exe:2608
%original file name%.exe:3668
%original file name%.exe:3156
%original file name%.exe:3456
%original file name%.exe:3312
%original file name%.exe:3012
%original file name%.exe:908
%original file name%.exe:1648
%original file name%.exe:3096
%original file name%.exe:2596
%original file name%.exe:2612
%original file name%.exe:624
%original file name%.exe:2296
%original file name%.exe:3056
%original file name%.exe:1584
%original file name%.exe:3168
%original file name%.exe:252
%original file name%.exe:3452
%original file name%.exe:2568
%original file name%.exe:1984
%original file name%.exe:1624
%original file name%.exe:3368
%original file name%.exe:2056
%original file name%.exe:3512
%original file name%.exe:3360
%original file name%.exe:3696
%original file name%.exe:656
%original file name%.exe:2688
%original file name%.exe:2684
%original file name%.exe:3084
%original file name%.exe:2112
%original file name%.exe:2680
%original file name%.exe:3080
%original file name%.exe:2116
%original file name%.exe:2360
%original file name%.exe:2584
%original file name%.exe:560
%original file name%.exe:3876
%original file name%.exe:3072
%original file name%.exe:2180
%original file name%.exe:3520
%original file name%.exe:3288
%original file name%.exe:2956
%original file name%.exe:3284
%original file name%.exe:2952
%original file name%.exe:3140
%original file name%.exe:3448
%original file name%.exe:2204
%original file name%.exe:4076
%original file name%.exe:3532
%original file name%.exe:4072
%original file name%.exe:3060
%original file name%.exe:2100
%original file name%.exe:4080
%original file name%.exe:2464
%original file name%.exe:2736
%original file name%.exe:2864
%original file name%.exe:1208
%original file name%.exe:2732
%original file name%.exe:2636
%original file name%.exe:3864
%original file name%.exe:3600
%original file name%.exe:2940
%original file name%.exe:2344
%original file name%.exe:1968
%original file name%.exe:3852
%original file name%.exe:3432
%original file name%.exe:1612
%original file name%.exe:3344
%original file name%.exe:3180
%original file name%.exe:2508
%original file name%.exe:2748
%original file name%.exe:1564
%original file name%.exe:2648
%original file name%.exe:2724
%original file name%.exe:3912
%original file name%.exe:612
%original file name%.exe:2644
%original file name%.exe:3624
%original file name%.exe:3356
%original file name%.exe:3352
%original file name%.exe:2972
%original file name%.exe:3700
%original file name%.exe:2976
%original file name%.exe:1804
%original file name%.exe:3544
%original file name%.exe:3428
%original file name%.exe:3540
%original file name%.exe:2336
%original file name%.exe:1800
%original file name%.exe:3116
%original file name%.exe:3220
%original file name%.exe:476
%original file name%.exe:1572
%original file name%.exe:2008

The Malware injects its code into the following process(es):

fGAwoYMM.exe:1216
reIEcoQI.exe:348
NesIMIQs.exe:944

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:216 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\liYsAowU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cYEgkgsA.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\liYsAowU.bat (0 bytes)

The process %original file name%.exe:3920 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BIMogocE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NgsYkkkg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NgsYkkkg.bat (0 bytes)

The process %original file name%.exe:2980 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wWgwoUwE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aUwUgEAI.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aUwUgEAI.bat (0 bytes)

The process %original file name%.exe:2960 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GQskgQEQ.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UIsAAcAc.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UIsAAcAc.bat (0 bytes)

The process %original file name%.exe:4004 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jyIoEEgU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yagEkkQM.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yagEkkQM.bat (0 bytes)

The process %original file name%.exe:3928 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gwMwcYcM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mccMQwUY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GgEAMYQc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NYksQock.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\mccMQwUY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GgEAMYQc.bat (0 bytes)

The process %original file name%.exe:1260 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TiEQQgck.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JmwgYgYM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JmwgYgYM.bat (0 bytes)

The process %original file name%.exe:3492 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JsgsMYgU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MccQggUw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MccQggUw.bat (0 bytes)

The process %original file name%.exe:2840 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\isAYsEEo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OWkwckoc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\isAYsEEo.bat (0 bytes)

The process %original file name%.exe:3416 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QqwAEgIA.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KOQokkww.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QqwAEgIA.bat (0 bytes)

The process %original file name%.exe:4028 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SisMsUsU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gGkkkAwQ.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gGkkkAwQ.bat (0 bytes)

The process %original file name%.exe:3556 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qaQYkQog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZosQEAQs.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZosQEAQs.bat (0 bytes)

The process %original file name%.exe:3552 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rcgkoUYE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wGEQcccU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\rcgkoUYE.bat (0 bytes)

The process %original file name%.exe:1940 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oOMAQUwk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wiAsEIQY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wiAsEIQY.bat (0 bytes)

The process %original file name%.exe:2528 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\baUEcQQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ccksoMUw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ccksoMUw.bat (0 bytes)

The process %original file name%.exe:2404 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ryEsokIw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aEwUQMoM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gKMkcoYY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jSQQcIoA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aEwUQMoM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gKMkcoYY.bat (0 bytes)

The process %original file name%.exe:3816 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hqQcgsws.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MwgUMMEU.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IQEscYkE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lUoAEkcQ.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MwgUMMEU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IQEscYkE.bat (0 bytes)

The process %original file name%.exe:1468 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UygsIEQU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ngQUEMEc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ngQUEMEc.bat (0 bytes)

The process %original file name%.exe:2152 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fessQcIc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UYgMgMEo.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fessQcIc.bat (0 bytes)

The process %original file name%.exe:2652 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iKwoIoIs.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ewoIwcIs.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iKwoIoIs.bat (0 bytes)

The process %original file name%.exe:2240 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RwEMkkcc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kYwIUYcs.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kYwIUYcs.bat (0 bytes)

The process %original file name%.exe:3760 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\emAQUEkc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qEQIkcAg.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qEQIkcAg.bat (0 bytes)

The process %original file name%.exe:2708 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KossIMsw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VwIkUkck.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KossIMsw.bat (0 bytes)

The process %original file name%.exe:3832 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MgoUscsg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LekQQUwE.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LekQQUwE.bat (0 bytes)

The process %original file name%.exe:3768 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AcsYsEgI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vqQkMkQw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vqQkMkQw.bat (0 bytes)

The process %original file name%.exe:2704 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ySsEMEIM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bcogEccY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ySsEMEIM.bat (0 bytes)

The process %original file name%.exe:2468 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FGsosYUs.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAUAQokk.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RAUAQokk.bat (0 bytes)

The process %original file name%.exe:2924 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kkIoUsMo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TCowEYgE.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CoYgMEII.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyQwUIso.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TCowEYgE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jyQwUIso.bat (0 bytes)

The process %original file name%.exe:3336 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qKIkcckQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zeIUcMcQ.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qKIkcckQ.bat (0 bytes)

The process %original file name%.exe:1496 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ySMAwwoQ.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OgYwwwEM.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OgYwwwEM.bat (0 bytes)

The process %original file name%.exe:2260 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qUQAkAAc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CukcoooE.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qUQAkAAc.bat (0 bytes)

The process %original file name%.exe:3640 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xwkkUYkg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AUwMcAcg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xwkkUYkg.bat (0 bytes)

The process %original file name%.exe:3248 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RAMooEEs.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eGsQAIoE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eGsQAIoE.bat (0 bytes)

The process %original file name%.exe:3036 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NecMEckU.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\daEckQMY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NecMEckU.bat (0 bytes)

The process %original file name%.exe:3200 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ywgkgUMM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JOAcUwIo.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ywgkgUMM.bat (0 bytes)

The process %original file name%.exe:2312 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tksYssEo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KykswgAA.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tksYssEo.bat (0 bytes)

The process %original file name%.exe:3840 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oYgwwcwM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KqIsQwgM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\acoIMkQg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\KSQwQAow.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oYgwwcwM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\acoIMkQg.bat (0 bytes)

The process %original file name%.exe:2144 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QSIksksE.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mmoMMoMk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QSIksksE.bat (0 bytes)

The process %original file name%.exe:2392 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DiUkUYYk.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qkcUMAoE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qkcUMAoE.bat (0 bytes)

The process %original file name%.exe:532 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vEAowsQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RCwUEIIk.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RCwUEIIk.bat (0 bytes)

The process %original file name%.exe:2252 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IKkMgsIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NqwQIsYI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IoosYkwg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eMMAQwos.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QiQgsEcM.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qacQIgYk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IKkMgsIA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NqwQIsYI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IoosYkwg.bat (0 bytes)

The process %original file name%.exe:2288 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zGEwcgAM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lcIkAgok.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lcIkAgok.bat (0 bytes)

The process %original file name%.exe:3680 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SyMIAsII.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tKAcEwoY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SyMIAsII.bat (0 bytes)

The process %original file name%.exe:2196 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tYEgMMMM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LAwgcYEg.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LAwgcYEg.bat (0 bytes)

The process %original file name%.exe:1080 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CikcYUco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FoAsoUEI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uEscUwwQ.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xokYkIks.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CikcYUco.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xokYkIks.bat (0 bytes)

The process %original file name%.exe:3276 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GuMMkMAQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jcMQQUQM.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GuMMkMAQ.bat (0 bytes)

The process %original file name%.exe:3144 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uOEoUcgo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CwkUkIYQ.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uOEoUcgo.bat (0 bytes)

The process %original file name%.exe:3308 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nSUokoQI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IoUIQIcs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tWYMckUc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fWoQsoAM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tWYMckUc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fWoQsoAM.bat (0 bytes)

The process %original file name%.exe:3148 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CUwAQYUU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XIAMkYYY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XIAMkYYY.bat (0 bytes)

The process %original file name%.exe:2600 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NEgQcgAQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BkoocwAc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BkoocwAc.bat (0 bytes)

The process %original file name%.exe:2784 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oUcEYAcM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XgAgEUsg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oUcEYAcM.bat (0 bytes)

The process %original file name%.exe:304 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TcwAIEIk.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VKoEMEQQ.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TcwAIEIk.bat (0 bytes)

The process %original file name%.exe:3380 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xyYsMssw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GQkwQoks.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GQkwQoks.bat (0 bytes)

The process %original file name%.exe:3576 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RoAEMcIc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xEQAYUYA.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xEQAYUYA.bat (0 bytes)

The process %original file name%.exe:2788 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\JkQAwgcI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qCowIsQE.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YikUcMoQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BuYIcoIo.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qCowIsQE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BuYIcoIo.bat (0 bytes)

The process %original file name%.exe:2380 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AUAswwAw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oKIsksAw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oKIsksAw.bat (0 bytes)

The process %original file name%.exe:2268 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\beAswEMg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fSocYIMU.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\beAswEMg.bat (0 bytes)

The process %original file name%.exe:2660 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kSYQQssY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LKAMgggk.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kSYQQssY.bat (0 bytes)

The process %original file name%.exe:1652 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ywccMYog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZEcAgwow.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZEcAgwow.bat (0 bytes)

The process %original file name%.exe:2072 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SIoUsYgY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zmokUMIU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SIoUsYgY.bat (0 bytes)

The process %original file name%.exe:364 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MsYUwUAg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hYMoQgAE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aAksMYsw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqIkAAwU.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oqIkAAwU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aAksMYsw.bat (0 bytes)

The process %original file name%.exe:4060 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xUscAwEE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vgoIoooU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DQUowMQA.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fsMwEcoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lMUMEMMY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oAkccgIM.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fsMwEcoY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lMUMEMMY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xUscAwEE.bat (0 bytes)

The process %original file name%.exe:2076 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FockEoIM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pWgoQwYU.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pWgoQwYU.bat (0 bytes)

The process %original file name%.exe:3844 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VaIIQUgU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uSgMAkwg.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uSgMAkwg.bat (0 bytes)

The process %original file name%.exe:308 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TacMAsUc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vywYkkwA.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xWkAkcwM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JWcscQwg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vywYkkwA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\TacMAsUc.bat (0 bytes)

The process %original file name%.exe:1236 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gIYUQMoA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YEosskQQ.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gIYUQMoA.bat (0 bytes)

The process %original file name%.exe:3584 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dEYMgYEY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mWgQIIsQ.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GIwIwQIc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sOAcgIsk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dEYMgYEY.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GIwIwQIc.bat (0 bytes)

The process %original file name%.exe:2444 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LIAQAwYU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iCggoEAc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iCggoEAc.bat (0 bytes)

The process %original file name%.exe:2524 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oKQkIIoM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jasEQEwU.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oKQkIIoM.bat (0 bytes)

The process %original file name%.exe:300 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AKEIUksM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JygQQcUg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AKEIUksM.bat (0 bytes)

The process %original file name%.exe:2284 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gcYcQcUc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AEUgoYUw.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gcYcQcUc.bat (0 bytes)

The process %original file name%.exe:2448 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hCgEwUEI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XkAMQMoM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JywQssoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FGkUAwcI.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FGkUAwcI.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JywQssoY.bat (0 bytes)

The process %original file name%.exe:2608 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UsMMwIsY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hwQIYkcI.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UsMMwIsY.bat (0 bytes)

The process %original file name%.exe:3668 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aSIooUAY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZKowcMgQ.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aSIooUAY.bat (0 bytes)

The process %original file name%.exe:3156 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UqwMcQgw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mMkgYwQE.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UqwMcQgw.bat (0 bytes)

The process %original file name%.exe:3456 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\osgUYosg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hGsMMsQY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwIoIQkI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jogwMUsg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\osgUYosg.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hGsMMsQY.bat (0 bytes)

The process %original file name%.exe:3312 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gEgYIsgg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EWUQYEMU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EgwwMIQU.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EgwwMIQU.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EWUQYEMU.bat (0 bytes)

The process %original file name%.exe:3012 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\xUUYEIIs.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vmUYwkwA.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vmUYwkwA.bat (0 bytes)

The process %original file name%.exe:908 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\yGgkQMks.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tewYAYgQ.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tewYAYgQ.bat (0 bytes)

The process %original file name%.exe:1648 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cQAQEAgI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vIYUwIAg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vIYUwIAg.bat (0 bytes)

The process %original file name%.exe:3096 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QKgwoQIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gsYsAUUs.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QKgwoQIA.bat (0 bytes)

The process %original file name%.exe:2596 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zecwYcco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qOowEsYE.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aecIgkMQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LOsMMQkY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zecwYcco.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\aecIgkMQ.bat (0 bytes)

The process %original file name%.exe:2612 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ewUEQEwE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zQcoYAIo.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zQcoYAIo.bat (0 bytes)

The process %original file name%.exe:624 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ruIsUAoQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jckMYAYc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NWUwQQYM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XqAQYgco.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tCUAEoQc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dGcccAws.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (615 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ruIsUAoQ.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\XqAQYgco.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NWUwQQYM.bat (0 bytes)

The process %original file name%.exe:2296 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KWcoogIA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pukQEAkc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwIQQsUw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OcIcwYEs.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KWcoogIA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uwIQQsUw.bat (0 bytes)

The process %original file name%.exe:3056 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QeIoAMMc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZUQgIcIs.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZUQgIcIs.bat (0 bytes)

The process %original file name%.exe:1584 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RgIgAcsM.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\eqcIIMws.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\eqcIIMws.bat (0 bytes)

The process %original file name%.exe:3168 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HkwgkkUk.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LeoAQMgM.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LeoAQMgM.bat (0 bytes)

The process %original file name%.exe:252 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gCgsQIoY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zWEQUQEE.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gCgsQIoY.bat (0 bytes)

The process %original file name%.exe:3452 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iEkUUwMw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\FwIUIMYg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FwIUIMYg.bat (0 bytes)

The process %original file name%.exe:2568 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KugkUkAo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SEMoIkgQ.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SEMoIkgQ.bat (0 bytes)

The process %original file name%.exe:1984 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YIEgYwUA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\raEkcYgU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YIEgYwUA.bat (0 bytes)

The process %original file name%.exe:1624 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KgEIEAYU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UwQowcYc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UwQowcYc.bat (0 bytes)

The process %original file name%.exe:3368 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UKIwgkII.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hqEccoUk.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hqEccoUk.bat (0 bytes)

The process %original file name%.exe:2056 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FeYswIwM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bGcEIMEw.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\FeYswIwM.bat (0 bytes)

The process %original file name%.exe:3512 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SqsgIkcE.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AkEkQQoE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AkEkQQoE.bat (0 bytes)

The process %original file name%.exe:3360 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aacQcooA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\iOAsAgYI.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aacQcooA.bat (0 bytes)

The process %original file name%.exe:3696 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aWoMccUI.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EYUQwogI.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\aWoMccUI.bat (0 bytes)

The process %original file name%.exe:656 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gAkQwcYc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gwIgkQoY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\gAkQwcYc.bat (0 bytes)

The process %original file name%.exe:2688 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BeQMYUQw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\PQUkIYAI.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PQUkIYAI.bat (0 bytes)

The process %original file name%.exe:2684 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kuEEoUoc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dYQYMcIY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kuEEoUoc.bat (0 bytes)

The process %original file name%.exe:3084 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RyIwscgw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\fWQoQcQo.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fWQoQcQo.bat (0 bytes)

The process %original file name%.exe:2112 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kokQocIU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yAgkAckI.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kokQocIU.bat (0 bytes)

The process %original file name%.exe:2680 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uucoEAIQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\QeUIAgwc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\uucoEAIQ.bat (0 bytes)

The process %original file name%.exe:3080 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NkggUEwA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sEsgkIwU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kiYoAIss.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vCEEUokA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NkggUEwA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\kiYoAIss.bat (0 bytes)

The process %original file name%.exe:2116 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ycQswsIY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uegQEUUc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ycQswsIY.bat (0 bytes)

The process %original file name%.exe:2360 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\DuoUAEsk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HakwwIEE.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CMAUAUcc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (615 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cUwsgkYA.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZmAswwUE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rcIMIQII.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CMAUAUcc.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cUwsgkYA.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZmAswwUE.bat (0 bytes)

The process %original file name%.exe:2584 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BQAAcEwI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\cEYsUggk.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BQAAcEwI.bat (0 bytes)

The process %original file name%.exe:560 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YgQYwIUM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rgccAEok.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bWQMYcYc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IeUkIsoI.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YgQYwIUM.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\bWQMYcYc.bat (0 bytes)

The process %original file name%.exe:3876 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dQAggYAU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zUkgIwIA.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dQAggYAU.bat (0 bytes)

The process %original file name%.exe:3072 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nOkEgYsE.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MaQosQMM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xkAsUAMk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\uKAswgAs.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nOkEgYsE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xkAsUAMk.bat (0 bytes)

The process %original file name%.exe:2180 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oikokEMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZIMwooMg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZIMwooMg.bat (0 bytes)

The process %original file name%.exe:3520 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ACIMEMog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vCYsoYsw.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vCYsoYsw.bat (0 bytes)

The process %original file name%.exe:3288 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XmMgMgcQ.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zCIsMgQw.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XmMgMgcQ.bat (0 bytes)

The process %original file name%.exe:2956 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UqgAggQo.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VyoYwMME.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VyoYwMME.bat (0 bytes)

The process %original file name%.exe:3284 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jQMgEgMc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pwsIEIIE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pwsIEIIE.bat (0 bytes)

The process %original file name%.exe:2952 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OykYYoMg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sWgUwgMI.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sWgUwgMI.bat (0 bytes)

The process %original file name%.exe:3140 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AWgQEwYs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gsYUAYAo.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AWgQEwYs.bat (0 bytes)

The process %original file name%.exe:3448 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\KAYUQcMI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IsEkEQMs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xicYUsMY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\JcYYgIAg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\IsEkEQMs.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xicYUsMY.bat (0 bytes)

The process %original file name%.exe:2204 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BQEYoYQU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CQscUAMo.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BQEYoYQU.bat (0 bytes)

The process %original file name%.exe:4076 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sqUoYYko.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AMUwUIck.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AMUwUIck.bat (0 bytes)

The process %original file name%.exe:3532 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EqAgYgwY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZaQIMYUA.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EqAgYgwY.bat (0 bytes)

The process %original file name%.exe:4072 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YuggAgkg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zekYQMYI.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YuggAgkg.bat (0 bytes)

The process %original file name%.exe:3060 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VQkwIIQo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rwIsoIgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tsgYMgos.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\yuwQEQMA.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tsgYMgos.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VQkwIIQo.bat (0 bytes)

The process %original file name%.exe:2100 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TYAAQYYw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AYEAoEwE.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OcwcgwwI.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lKgksMso.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\AYEAoEwE.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OcwcgwwI.bat (0 bytes)

The process %original file name%.exe:4080 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sqQAMwsg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vwkMcMkE.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vwkMcMkE.bat (0 bytes)

The process %original file name%.exe:2464 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BQoMEkQM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UkcAsQUA.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UkcAsQUA.bat (0 bytes)

The process %original file name%.exe:2736 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\fEQwwcYI.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BAwEIYII.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BAwEIYII.bat (0 bytes)

The process %original file name%.exe:2864 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jUMggAUM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ymMQoUcw.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jUMggAUM.bat (0 bytes)

The process %original file name%.exe:1208 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ucUQYows.bat (4 bytes)
%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3897 bytes)
%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (4089 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3801 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wqwoAAkM.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ucUQYows.bat (0 bytes)

The process %original file name%.exe:2732 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\pqwAsEMY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tmcQEsAw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tmcQEsAw.bat (0 bytes)

The process %original file name%.exe:2636 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zwEQQAEw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LQoEcQME.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\zwEQQAEw.bat (0 bytes)

The process %original file name%.exe:3864 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\oQAIIQMU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\xOEYoUgk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\UEQIkEYg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suEIAcwA.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\UEQIkEYg.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\suEIAcwA.bat (0 bytes)

The process %original file name%.exe:3600 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iUUkUwow.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\zAgcwMgk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iUUkUwow.bat (0 bytes)

The process %original file name%.exe:2940 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ksYwAwQM.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ZskQEYUI.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ksYwAwQM.bat (0 bytes)

The process %original file name%.exe:2344 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ecgAYgMw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\pCkMMcYM.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ecgAYgMw.bat (0 bytes)

The process %original file name%.exe:1968 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iWAMYYUQ.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\wesIsIYg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\iWAMYYUQ.bat (0 bytes)

The process %original file name%.exe:3852 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qksQQEIw.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dWcMUscU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qksQQEIw.bat (0 bytes)

The process %original file name%.exe:3432 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XsksgQQs.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YEcUYEww.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XsksgQQs.bat (0 bytes)

The process %original file name%.exe:1612 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RmAckkYs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EQAgEUgk.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EQAgEUgk.bat (0 bytes)

The process %original file name%.exe:3344 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kAcAMwQw.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\hosoggYQ.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\kAcAMwQw.bat (0 bytes)

The process %original file name%.exe:3180 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qEsAMsAk.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dMsEEAUk.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\dMsEEAUk.bat (0 bytes)

The process %original file name%.exe:2508 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XqwowQUY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\jgMUAskk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CGwIMkkM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nwooAggo.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\jgMUAskk.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CGwIMkkM.bat (0 bytes)

The process %original file name%.exe:2748 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QWsMYIYc.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nKAgkoAg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\QWsMYIYc.bat (0 bytes)

The process %original file name%.exe:1564 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\hGcwYQYM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ecwMUYMg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ciQIcAws.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nSQcMAks.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nSQcMAks.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ecwMUYMg.bat (0 bytes)

The process %original file name%.exe:2648 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VeUsAooY.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\giQYokMM.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\giQYokMM.bat (0 bytes)

The process %original file name%.exe:2724 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RygIYQUg.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OKoAwoog.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IyogAYQc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lMwYAsIc.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OKoAwoog.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IyogAYQc.bat (0 bytes)

The process %original file name%.exe:3912 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\LggQUMQY.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tYkggEsk.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tYkggEsk.bat (0 bytes)

The process %original file name%.exe:612 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZegowMwY.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YgAUMEwg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ZegowMwY.bat (0 bytes)

The process %original file name%.exe:2644 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XqYEIkUU.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GyocsEAY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\GyocsEAY.bat (0 bytes)

The process %original file name%.exe:3624 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lgoIEogs.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqwIUMog.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\gKQkwQog.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HWMkccMo.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dUAcUIsM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\doIEwksg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (615 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\doIEwksg.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\oqwIUMog.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\HWMkccMo.bat (0 bytes)

The process %original file name%.exe:3356 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wIYEowYc.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\SckwYYgg.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\SckwYYgg.bat (0 bytes)

The process %original file name%.exe:3352 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\HEYYkogk.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\EEEwYsUg.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\EEEwYsUg.bat (0 bytes)

The process %original file name%.exe:2972 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VQMgwkIY.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\VugcEkQU.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\VQMgwkIY.bat (0 bytes)

The process %original file name%.exe:3700 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TiUAEwks.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IkUMUQIU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TiUAEwks.bat (0 bytes)

The process %original file name%.exe:2976 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cGcQUQwI.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\LmUIcccg.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\cGcQUQwI.bat (0 bytes)

The process %original file name%.exe:1804 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\qosQQkoY.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\OEMAcUcQ.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OEMAcUcQ.bat (0 bytes)

The process %original file name%.exe:3544 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\lCYUIIwU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tUkwgUUk.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\GUsIwMUU.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YOogwcwk.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\tUkwgUUk.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\lCYUIIwU.bat (0 bytes)

The process %original file name%.exe:3428 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wGYgcYcU.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\mUooMAoc.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\wGYgcYcU.bat (0 bytes)

The process %original file name%.exe:3540 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\TeAAwgok.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\vuAMAkoM.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\vuAMAkoM.bat (0 bytes)

The process %original file name%.exe:2336 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\OgQIcUgM.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\esIwQUYg.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (410 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AKskUAsg.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\sMYsUQEk.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\sMYsUQEk.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\AKskUAsg.bat (0 bytes)

The process %original file name%.exe:1800 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MGwwcEMc.bat (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\qmYQYsQY.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MGwwcEMc.bat (0 bytes)

The process %original file name%.exe:3116 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\MKsMkgko.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\NQMYQEYU.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\NQMYQEYU.bat (0 bytes)

The process %original file name%.exe:3220 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\PgQQcAkE.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\YwowMIgw.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\YwowMIgw.bat (0 bytes)

The process %original file name%.exe:476 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\XEYUYEwY.bat (112 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RCwsEEIE.bat (4 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RCwsEEIE.bat (0 bytes)

The process %original file name%.exe:1572 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\veMcQIIs.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tSkUUYcY.bat (112 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\veMcQIIs.bat (0 bytes)

The process %original file name%.exe:2008 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\moMcockw.bat (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\WGIwUsco.bat (4 bytes)
C:\3570882d35aae624e691509f5da41ae9 (205 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\WGIwUsco.bat (0 bytes)

The process NesIMIQs.exe:944 makes changes in the file system.
The Malware creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
C:\totalcmd\TcUsbRun.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\KAAo.txt (55978 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)

The Malware deletes the following file(s):

%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp (0 bytes)
C:\totalcmd\TCMDX32.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp (0 bytes)
C:\totalcmd\TCUNINST.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp (0 bytes)
C:\totalcmd\TOTALCMD.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp (0 bytes)
C:\totalcmd\TCMADMIN.EXE (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp (0 bytes)
%Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg (0 bytes)
%Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg (0 bytes)

Registry activity

The process cscript.exe:3920 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 F8 3C 8B 1F 62 B1 1D B1 72 F7 30 56 CD B2 81"

The process cscript.exe:2848 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 F5 9C B9 EA A9 85 2C 81 E4 63 46 9C 51 DE F0"

The process cscript.exe:1148 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 62 32 D7 97 84 5B BE F6 9D 2D 0D 7D C0 5B CF"

The process cscript.exe:3288 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 16 E1 AF 55 DD 22 60 5B F5 6F C8 43 5A 5C 59"

The process cscript.exe:1308 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 91 E2 73 A4 33 A3 6B 9A 25 79 7F 95 08 EB 0E"

The process cscript.exe:3048 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9A F8 30 5D 7B 25 C4 2A 44 50 4E 01 BC B5 6C EC"

The process cscript.exe:1224 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "51 DF A3 92 5F E1 B2 3A 14 8A F8 A8 CA 97 85 C8"

The process cscript.exe:3324 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C3 64 A9 47 E0 69 58 CE 74 9D F1 EF 91 12 A3 FC"

The process cscript.exe:4020 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 AB CB 44 13 9B D6 9A 9E A8 02 C6 F6 C8 06 EA"

The process cscript.exe:2092 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 CB 65 34 2F 8E 52 54 7E B1 54 1B 27 2D 4B 2C"

The process cscript.exe:3044 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 68 44 C4 A6 B5 81 10 7C 6D 52 3D 87 08 6E 26"

The process cscript.exe:3652 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9D 41 8D 88 E6 F9 50 9E D2 25 C1 D6 58 D0 96 64"

The process cscript.exe:3556 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 1D 55 BC C1 6B 5B 9B 80 69 0B 04 64 AE 98 AF"

The process cscript.exe:1948 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 05 0E E6 5C 69 44 40 FF 01 E2 2F 5F 1F 3D 8C"

The process cscript.exe:3284 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 E1 44 22 F5 31 E3 6E 19 3E 98 50 46 06 B1 30"

The process cscript.exe:2488 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 7C 60 B1 AC BF 70 EF A2 02 87 AF E4 2E B4 3F"

The process cscript.exe:2324 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 70 BA 50 72 D2 3C 16 BD F0 BE C5 0C 9B 62 78"

The process cscript.exe:1940 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 D9 74 5D A1 2B 54 5E BE 1C 5A 91 23 33 DA 10"

The process cscript.exe:2328 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 86 58 72 FB 91 84 37 A1 21 53 11 9B DA 1D 41"

The process cscript.exe:2528 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 45 D2 04 AF 1D 90 A8 49 97 C7 29 56 25 B1 DA"

The process cscript.exe:1944 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 5D A7 66 47 35 92 18 22 54 6D 15 75 9C F9 79"

The process cscript.exe:3856 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 B0 05 F3 E1 F4 F6 60 6B A9 69 3A FC 49 8E 46"

The process cscript.exe:2248 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 43 08 64 F1 FA 31 46 89 4B 46 84 9F 4B C3 AA"

The process cscript.exe:2292 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA C3 92 43 AB 42 38 7A 4A 7E 9F 06 6D 18 66 26"

The process cscript.exe:2244 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA C4 A5 77 04 05 8C C9 EA A6 86 DF 8A E6 9A 02"

The process cscript.exe:3180 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "68 85 CD DF 9B 22 40 7E 87 0E FB 2D 43 4B 28 1A"

The process cscript.exe:2844 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 62 3D BC 9E 52 51 99 A3 EE 1B D4 63 49 E5 E6"

The process cscript.exe:2464 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 CD 2E C0 7B AC A7 AB C0 5D 19 ED 64 93 1D 2A"

The process cscript.exe:3488 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "22 55 10 BB F0 4C 6A 54 D1 34 EF 11 F7 69 1C 7E"

The process cscript.exe:1096 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 94 3E 18 EA 7F 99 0A F3 24 6D 88 B0 60 BB 79"

The process cscript.exe:3764 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 6E B2 56 FF E3 34 50 A5 D1 74 68 B6 5E 4E 8C"

The process cscript.exe:3568 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B8 05 8E EF 94 A8 63 7E C0 D5 4C C1 66 41 C2 4B"

The process cscript.exe:3768 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 E3 E6 BF DD A4 8A 89 2E E9 96 5D C9 50 A1 9D"

The process cscript.exe:3480 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "23 73 BB E6 5E B5 C4 E6 CB 96 85 93 91 13 E4 14"

The process cscript.exe:3936 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 AC FA 07 22 BE 19 57 1D 40 35 29 56 3E 16 7B"

The process cscript.exe:2856 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6E A3 69 44 B4 A0 C5 27 24 0F 17 51 6A 0F 65 EA"

The process cscript.exe:3400 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E 1E 6C 8F 35 2B 0F AF F0 DC 83 88 8F 98 E5 3D"

The process cscript.exe:3204 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B E2 92 2B 6F 19 BF 4E 37 B8 2F C4 D9 E2 B7 58"

The process cscript.exe:264 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 6F 3A C8 B1 65 9D EF 98 58 2C A8 C7 67 26 5E"

The process cscript.exe:3408 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 35 35 A2 65 5F 7A BC 11 5D 0E 13 75 1D DB DB"

The process cscript.exe:3644 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 4F 03 EE 98 99 05 9B 6E 57 E7 16 3A 1D E2 D6"

The process cscript.exe:1556 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 88 6D 29 08 10 F3 C6 64 2D 2B D7 60 21 26 7A"

The process cscript.exe:1060 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 16 8B F6 0A 37 8F 66 92 C8 7A 16 12 0C 52 F5"

The process cscript.exe:3036 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "44 0B 35 2F D6 85 27 51 56 7A FB F3 BA E8 A4 EC"

The process cscript.exe:3240 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 84 15 48 AF 71 9A 9F 13 6F 30 68 C2 2A B9 8C"

The process cscript.exe:2496 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3A E2 1F 64 53 07 66 1D F4 6C 8F 3C 44 FC 6F 01"

The process cscript.exe:536 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 2D 28 D1 50 EF 45 72 A8 41 C4 6D 4A 1B 1B 6A"

The process cscript.exe:2096 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 05 05 B7 AF 6B B4 99 43 20 37 A5 59 F0 FA C7"

The process cscript.exe:412 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 16 6F 91 F1 1E 12 0A EE 11 B9 93 1E 03 6D 50"

The process cscript.exe:2416 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 E9 FA 0F 55 21 0B FD 34 79 94 E1 92 1E 5E 08"

The process cscript.exe:2792 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 1B 22 A7 79 4C 40 07 5E 76 A6 41 C0 55 18 91"

The process cscript.exe:2252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 23 27 4C D2 7D 18 2D 55 6F F0 C0 26 C4 A9 0A"

The process cscript.exe:2148 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D8 26 27 3C D7 BD D8 BE EC 81 52 D5 10 34 90 5E"

The process cscript.exe:2288 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 0C 6D 7D AB EC 82 9D 81 CC 1C A2 3D 82 FD 13"

The process cscript.exe:4076 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C6 02 91 FD EE 8E CD 70 2F 4A 4B 7C 14 F2 AC E6"

The process cscript.exe:2872 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 93 86 9A D9 6B 9A 92 ED AB 10 23 98 62 C6 5B"

The process cscript.exe:3940 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "77 BA E1 B5 B5 4F 27 06 27 DF 45 66 D7 ED 3F 5C"

The process cscript.exe:1328 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 C4 EE BE A4 30 10 8B C4 9D 42 8B 02 06 AB 7C"

The process cscript.exe:1236 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 30 E5 32 74 FB 2F 1D 4F B8 4B 59 B5 C1 4B AA"

The process cscript.exe:1088 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 40 70 FC 0E 28 06 77 DA C5 79 23 D3 25 A9 2E"

The process cscript.exe:2104 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 4E 47 04 45 8A 73 2B 29 EE 81 94 3D F4 9F B3"

The process cscript.exe:2828 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B C3 7E 25 92 46 96 6D 80 1E 89 A2 6A 95 92 BD"

The process cscript.exe:3148 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A FC A2 28 B6 5D 2E EC 28 82 90 F2 B3 A7 97 31"

The process cscript.exe:2784 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 12 0C F5 AC FF 64 36 C6 0E EE 57 1E 47 DB 44"

The process cscript.exe:3384 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA EA 20 5C E4 38 65 7E F7 33 14 B2 44 E4 56 B7"

The process cscript.exe:3380 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "85 4F A2 58 9D 27 92 19 E2 23 A3 85 12 CB 2A BB"

The process cscript.exe:3932 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "71 DE 7A 95 6B CD AB 67 13 AF CF 3E 23 0D BC 59"

The process cscript.exe:2788 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 56 E0 BA 41 29 50 81 6A 96 7D 9A 1A 32 41 05"

The process cscript.exe:3388 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 4F AC 6A 6E 8F D8 F3 0B B5 81 FF 9A DF DC 22"

The process cscript.exe:2664 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 7A 5C 87 4A 27 67 A7 59 CB 5D 70 69 56 DC 30"

The process cscript.exe:2144 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 28 7A DE D1 8A B8 E5 11 4A 9B C7 AA CF 39 4A"

The process cscript.exe:2260 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 C3 10 D7 8B 49 40 45 66 22 6D 32 BF B4 44 FF"

The process cscript.exe:2668 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 9A 80 C7 72 A5 6E 86 89 7D 39 12 AF DF B3 0D"

The process cscript.exe:3580 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B 97 35 13 4D 5A 4B 71 CA 16 EB 37 9C AF 98 55"

The process cscript.exe:3664 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF B9 68 F0 5F 5E 6A 69 0B 68 D0 61 3A 12 B0 A7"

The process cscript.exe:3956 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 07 36 FF CA E7 26 6F 4A 70 F6 0F 0F 82 02 64"

The process cscript.exe:2768 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E B9 C6 47 A5 4A 31 52 9E 2E D3 9B A2 58 9B BA"

The process cscript.exe:3816 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "47 98 EE 85 8E C6 36 ED 57 25 D8 B4 AB 22 97 A7"

The process cscript.exe:2444 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B A8 FF 60 DF F0 0E 8F AD 36 90 D6 D9 4E B6 07"

The process cscript.exe:2524 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 3B EC 6D 6A A9 7F 1E 72 DE BC E6 A1 26 11 29"

The process cscript.exe:3588 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D F2 86 E0 50 72 76 AA C6 41 DE C7 B7 DA 4B 58"

The process cscript.exe:2932 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 D6 25 3F F9 FC 45 5A FD D1 B6 91 A6 0D A2 8B"

The process cscript.exe:4060 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E 5B 52 7B 16 F6 EF E4 20 18 EA 81 DC B4 97 E5"

The process cscript.exe:3668 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 7F 6F 5C A9 7D 09 88 3A A8 CA C9 AC 41 3A F7"

The process cscript.exe:3156 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E3 39 89 30 CB 14 77 01 31 4B E2 0D 1C C2 39 E1"

The process cscript.exe:3456 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC 70 29 5B 6C 57 93 62 F0 74 6F E2 1B 3E 49 8C"

The process cscript.exe:3312 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F4 0F 8C D5 73 F1 A9 E1 27 FB 0A 39 03 EF FA EB"

The process cscript.exe:2832 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 0D A6 24 D5 23 39 B6 97 E1 8B 72 F6 D7 B0 C7"

The process cscript.exe:4056 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 2E ED F3 96 66 82 E1 5C B5 27 A0 B9 D9 43 41"

The process cscript.exe:2044 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB C5 13 79 3B 5B AA 52 9D 82 D0 8D 38 22 7F 3F"

The process cscript.exe:2276 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 0D 0D 1C B2 71 D7 AB 77 AB 16 E9 3F AD C1 A3"

The process cscript.exe:4052 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "24 7F 7B 7B 8C 0C 7E E1 FB 4E 36 44 AA DB 38 87"

The process cscript.exe:3016 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 D2 6F 59 A7 79 D6 A2 1B B0 24 AC 98 58 6F F1"

The process cscript.exe:1648 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 B0 CD 68 B3 94 04 30 CA 2D 00 A3 B1 1B C0 E2"

The process cscript.exe:3468 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC AB 6F 99 B9 83 10 A5 F3 2A CB 82 1B 5D AD AF"

The process cscript.exe:3968 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 6D E5 C3 E1 2E 71 A2 6A 99 A1 B0 06 F5 70 86"

The process cscript.exe:2164 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2A E7 14 3A 35 A7 65 ED 91 FE B3 50 72 AE A6 D6"

The process cscript.exe:1984 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EF 80 F2 1D F8 3D 58 98 7E 0E 86 E2 FE 51 93 23"

The process cscript.exe:432 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 61 84 4D F6 1C 5A 12 3D D0 59 0F CD AD 9A ED"

The process cscript.exe:3120 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 0E C8 6F BA 5B E2 FA 7D BB 3D D3 6E 4D 90 FA"

The process cscript.exe:2372 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E0 B3 16 E0 B1 4C 9D 45 30 E9 36 50 24 8E 2A 08"

The process cscript.exe:2928 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4B 01 11 94 AD 86 0D 9C 91 57 1B 6C F8 61 DE A2"

The process cscript.exe:620 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "53 E3 4B 45 48 41 DC CE 4D 98 CE 26 66 EE 6D 17"

The process cscript.exe:3808 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 88 38 8C 0E 9B 18 D5 DF E0 65 69 3E 8B 96 15"

The process cscript.exe:2592 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 64 26 D1 80 9D 2B DF 94 7A 99 78 BF 68 8C 7D"

The process cscript.exe:572 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C9 51 53 62 33 BC D2 1D 05 21 65 D9 11 CA 90 D0"

The process cscript.exe:2920 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F F6 21 50 0A 2A 40 77 CB B3 4D 57 FE FA 83 2C"

The process cscript.exe:2808 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 D1 7C 00 E7 A7 76 8A D5 93 FB 99 D2 8E A6 65"

The process cscript.exe:3124 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2F 74 EF BC 85 85 52 B9 C6 11 F3 1F 25 73 EE 24"

The process cscript.exe:252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 62 67 F7 B5 37 2E 2E 1B 40 38 70 B6 1F 3E C8"

The process cscript.exe:3452 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED 11 1C ED 47 1E 92 CA DA F4 EA E2 A2 80 17 54"

The process cscript.exe:2568 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 02 0D F8 C9 8F 4E 6B 12 39 09 3C D7 6D 8D 59"

The process cscript.exe:1632 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 98 CD A4 B4 B5 4C B2 FD 6C F3 5F 46 AC 2F 21"

The process cscript.exe:3368 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 7E 7D 4A FC 1C 5C D4 BC 8F BA CC F0 79 12 8E"

The process cscript.exe:1980 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "39 E2 76 E1 4F 8E 8F 6B 33 F9 BB 22 25 D5 18 F2"

The process cscript.exe:2056 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 F5 43 6E 4B 32 B0 83 63 FA 3A CE 1F 8F 28 75"

The process cscript.exe:4068 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 B8 06 43 50 E0 60 5E 80 A9 C5 9B 44 47 B1 CC"

The process cscript.exe:2904 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 54 D1 B7 9E 9D 4C 25 DC 71 11 F8 67 EE 72 C2"

The process cscript.exe:4064 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 89 D9 F7 A8 08 34 C9 5C 9D F2 FE BB 9E CC 17"

The process cscript.exe:2688 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C C1 D9 F2 A0 75 4C 1D 2B 32 4F 0C 57 11 43 5D"

The process cscript.exe:2368 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 42 13 BD 10 FA 9C 3C 06 40 09 16 35 2D B1 21"

The process cscript.exe:2364 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 00 4C 6E 49 99 93 8E FC 04 5A F7 15 B2 25 ED"

The process cscript.exe:3080 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 91 97 53 AC 3B 48 56 CA E2 75 5A 9A E5 C5 0F"

The process cscript.exe:2812 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 6B 78 F5 83 04 E3 8F 20 E8 B8 EE 1A 03 10 D3"

The process cscript.exe:560 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD A3 F5 6A 39 24 C4 B0 E7 1D CD AA A6 1B 91 5D"

The process cscript.exe:3872 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 3D 59 C8 97 EF 9D 97 CD C1 4D F6 C1 DD BB 44"

The process cscript.exe:2588 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EE B6 71 33 AB 45 38 AE 40 EF B2 32 58 6F D0 B7"

The process cscript.exe:3072 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 12 AF 12 6C 96 D3 38 D5 B8 84 B4 0D B4 13 B3"

The process cscript.exe:228 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 5D 5D E4 28 2A B3 6A F9 86 26 2F 31 97 9B 86"

The process cscript.exe:3172 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 1E DA 08 E6 BC 0B E7 60 F0 7C EC 39 E5 2F CA"

The process cscript.exe:2952 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "73 40 B0 8A AC A2 83 B4 B5 FC 85 B6 4E 69 D1 2C"

The process cscript.exe:1916 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 64 6C 33 EE 1C 2A C4 A5 B5 A7 80 1C 85 43 48"

The process cscript.exe:3884 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 6F 91 DD 13 BD 8B 2E EC CD F0 17 3F 89 E2 69"

The process cscript.exe:3904 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6C 79 CB 02 81 60 27 50 1E 7C 0F 34 01 E2 DD AC"

The process cscript.exe:3688 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 8C 3E 47 E6 23 FA 56 94 DF D8 41 B2 7C 79 E9"

The process cscript.exe:2216 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "59 DC CD 2C 93 FD 23 D5 95 36 F3 FE 95 05 14 CB"

The process cscript.exe:1624 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 36 F8 5A 1B 2F F2 59 DD 18 6B AD 80 4E CA 68"

The process cscript.exe:2896 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 1C FE 89 00 26 FF EA CC 49 C6 1D 9A 0F 62 74"

The process cscript.exe:1748 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 95 E5 7F BB 31 C3 87 18 E9 D7 30 8B 6F 07 AB"

The process cscript.exe:2696 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 4E 27 0D 5E 9A F5 2A 12 DC 31 99 4F 1F 9F D6"

The process cscript.exe:2516 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 04 94 F2 56 85 6B 55 45 11 08 71 D3 D8 E9 C4"

The process cscript.exe:2080 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D DA 89 B8 2E 02 41 E6 A7 E8 DA 5E 41 35 4E F9"

The process cscript.exe:2512 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BA FB 0C E3 A1 97 25 91 31 23 67 24 9D EC 1A 4F"

The process cscript.exe:3188 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 35 75 BF 7B 62 D3 4B EB 82 AB A7 F5 B0 AF 65"

The process cscript.exe:2860 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 21 D2 02 D7 96 2E 60 ED 04 60 35 3D 31 11 7E"

The process cscript.exe:4084 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 59 C7 76 95 FA 5A F0 CE 6F 4C AE DC AE D5 F4"

The process cscript.exe:3636 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E 54 E2 43 5B 96 ED A7 24 EC 2B 23 FC DF 77 EC"

The process cscript.exe:2432 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 B0 65 00 73 46 03 68 95 80 52 56 0E E9 0E 95"

The process cscript.exe:3864 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD CE 7C 88 EB B8 E7 4E D0 B9 CD 45 14 26 77 97"

The process cscript.exe:3532 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 08 2B D9 2E F9 62 FD CF C2 30 35 82 08 3F 38"

The process cscript.exe:1896 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 3F 73 0A BF 9A 28 BB 0D E0 77 67 DC FB 23 C4"

The process cscript.exe:3228 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 D2 14 B7 D2 BB DF 52 5A F2 31 06 14 37 0B 69"

The process cscript.exe:2992 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 3A 72 AA A4 13 56 33 96 DD EA 2B 1B DD C8 F7"

The process cscript.exe:2228 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 04 2F 7F 26 D1 3D 06 3A 5E D1 9B 51 C7 13 3D"

The process cscript.exe:3340 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 A6 7E A3 0A B7 11 2E A1 1B BD 32 E3 82 A2 8F"

The process cscript.exe:1612 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 B4 28 4F 05 19 C4 96 17 BA D0 16 04 EE 3B 29"

The process cscript.exe:2220 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 E5 CF 71 16 AC BD 58 74 A9 37 3E 7D 25 8D C2"

The process cscript.exe:2420 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 B3 2E C5 12 D0 9B CE 73 81 B8 45 15 F8 C6 F5"

The process cscript.exe:320 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "35 EB 6E 06 95 85 AB 47 4F B2 B0 BD CB DA 77 7A"

The process cscript.exe:1692 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 91 13 B5 FE EA 21 A1 1F 31 3B 29 4A 31 8F 60"

The process cscript.exe:2492 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 7F E2 44 63 88 86 4C 74 3D E1 C4 01 CE 89 CE"

The process cscript.exe:2504 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D3 EB CF C9 87 E5 70 60 B1 DC F0 3D D7 75 FE 85"

The process cscript.exe:3524 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 9E E7 25 95 CB 90 86 B8 F1 09 1A DF 04 FF 33"

The process cscript.exe:4092 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 24 27 BA 32 19 8F 92 F8 9A 40 25 6E F3 34 CB"

The process cscript.exe:204 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 23 91 C1 EF C1 41 4C 63 D8 B9 95 38 3A 15 EB"

The process cscript.exe:2720 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A F4 00 F5 0A 09 2E 76 5C DF 53 84 5E CA 1D CA"

The process cscript.exe:2728 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E DB 24 36 3E 9B C9 EB 26 4B 47 BD 34 D0 0B 80"

The process cscript.exe:3700 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 63 97 4C AF 03 7F 3B A5 63 2A 04 60 96 4A 14"

The process cscript.exe:484 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 97 B4 09 6B 1E 2C A1 58 4C 21 16 A9 FF 42 37"

The process cscript.exe:2340 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 84 89 80 95 48 FB 01 A0 57 17 E3 8D AB 03 2E"

The process cscript.exe:1280 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 E5 8C 5B EF 40 44 1B E2 74 8E CF 5E E8 65 4B"

The process cscript.exe:4012 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "42 5B 09 FD 19 24 38 86 A9 8F 96 DA 3D B7 A3 EB"

The process cscript.exe:3788 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 05 82 3F E6 57 8C B0 E2 F9 D8 5B 31 B2 32 FD"

The process cscript.exe:3420 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 34 45 FF 1F C2 1A E6 E8 11 3B 5F 60 BC EA B9"

The process cscript.exe:4016 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 0B E6 42 81 22 34 92 F1 4F CD A2 77 41 02 92"

The process cscript.exe:2084 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 6D 75 4C DD 11 DA F9 AC B4 F2 25 A7 71 C0 10"

The process cscript.exe:3988 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 8D 03 B6 DB AE D5 BB DF BB 83 6A 25 6F EE 36"

The process cscript.exe:3980 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 D8 F1 31 E5 8C 4B A6 92 F5 3B 88 59 A9 82 9C"

The process cscript.exe:2224 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 EC 35 31 DF C1 0A 99 69 5E 68 EE 45 BB 07 36"

The process fGAwoYMM.exe:1216 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 2E 9C 9E 8A B3 E4 D4 00 2A F0 2E 41 7C F5 8D"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

The process reIEcoQI.exe:348 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E AA E9 A2 AD C0 98 DD 23 73 65 C5 F1 49 DB A8"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:216 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD CF 9F F1 3A 77 6C F0 7B E4 11 62 C7 6C B0 9E"

The process %original file name%.exe:3920 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DF 8E 12 FA AF 78 09 C6 D2 15 8C EC A7 B2 BB 74"

The process %original file name%.exe:2980 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC D0 4B E0 C1 98 FA 19 E4 A5 C5 77 79 92 89 63"

The process %original file name%.exe:2960 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 7C 67 6F 59 40 06 82 6B F1 B8 C5 AB 11 33 B4"

The process %original file name%.exe:4004 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E 14 15 E4 A8 87 28 A9 D1 8B 33 10 DE FA 80 8A"

The process %original file name%.exe:3928 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 E9 0F D7 D6 BD 80 00 56 D0 98 12 46 19 82 00"

The process %original file name%.exe:1260 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 4E BA 53 BF 07 A7 22 FF FE 06 17 FF 59 0F 52"

The process %original file name%.exe:3492 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 4F 4A F9 92 17 49 F7 97 EE 7F 67 16 85 C1 75"

The process %original file name%.exe:2840 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C C3 47 3C 6F 3D 52 A8 FB 62 F5 9E BA 6A 8B A8"

The process %original file name%.exe:3416 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 04 1F 6B AA 65 44 B3 23 63 F2 49 25 B7 AF 6D"

The process %original file name%.exe:4028 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E 48 7B B5 BC C5 63 56 7D 23 A7 B2 AD EA EB 19"

The process %original file name%.exe:3556 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 42 EC 79 D6 E7 A0 90 2C 69 D7 80 F9 E4 EF 11"

The process %original file name%.exe:3552 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8C 92 49 4D E0 EC C6 11 D7 30 E5 36 57 83 6C F5"

The process %original file name%.exe:1940 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 22 4B 25 42 11 F5 E3 DD D3 83 E7 EB 99 08 40"

The process %original file name%.exe:2528 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7B 76 19 3F C9 9D 94 3C F0 37 B9 D9 AC FA 7D 37"

The process %original file name%.exe:2404 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6F AD 9A 99 50 56 C5 FA E7 7E 50 E8 A1 C4 5A 97"

The process %original file name%.exe:3816 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "95 50 45 B9 87 CC 51 B1 A1 5B 86 48 07 FE EF 8F"

The process %original file name%.exe:1468 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 27 8D C1 B1 54 1F 1A AF AF 9A 54 A4 39 4A DD"

The process %original file name%.exe:2152 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F0 A7 E9 36 26 50 64 7F 2A A5 E8 5C 23 0D 0F 90"

The process %original file name%.exe:2652 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "30 1E 78 72 CE 87 36 BA F5 FF 97 D2 F9 6A 76 53"

The process %original file name%.exe:2240 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3F F4 55 29 53 BE F8 35 FD 1A 7A F1 FC 57 17 11"

The process %original file name%.exe:3760 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 ED C2 27 63 0F 34 B4 9D CD 4E 03 6C 2D D7 C2"

The process %original file name%.exe:2708 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D8 0E 63 C0 26 5C 1E 09 F6 5A DD F0 46 C9 7D"

The process %original file name%.exe:3832 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 8E DC 14 5A 69 C2 E0 14 78 79 B7 8F C3 50 9F"

The process %original file name%.exe:3768 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 FD 5A E5 40 33 F1 2D F0 EF 8D F1 FC D0 20 8B"

The process %original file name%.exe:2704 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 25 EC EC C1 8A 32 65 F6 86 20 5A 35 75 9A 3A"

The process %original file name%.exe:2468 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 D1 20 D6 F3 1E 5C 1A D4 54 71 6F C8 20 98 76"

The process %original file name%.exe:2924 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F B5 33 8D BD 39 7B 93 F8 2A 1F BE 93 01 0D 8D"

The process %original file name%.exe:3336 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA F4 04 B4 22 03 4F 05 36 3A 25 D4 BE FD 99 DD"

The process %original file name%.exe:1496 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD EA 48 F4 DC EA 7C 3A 9D D5 8C E4 64 B8 30 C9"

The process %original file name%.exe:2260 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 FF 56 3E 93 44 F4 CB 0F D2 3E 3A 18 62 C7 D9"

The process %original file name%.exe:3640 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 62 1F BC 39 BA D1 18 D1 56 49 36 D5 45 C1 0D"

The process %original file name%.exe:3248 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 8E ED B8 30 73 9F 85 80 E0 88 A0 0B AA A9 E4"

The process %original file name%.exe:3036 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "63 CD D8 B5 C3 9B 28 ED 84 06 C8 61 26 32 53 B9"

The process %original file name%.exe:3200 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B 6A 0A 47 0A 63 1F 80 F1 05 94 AE 37 AE 9E F3"

The process %original file name%.exe:2312 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6B 1B E9 2C BB E5 42 37 FB 37 0B 98 51 E0 77 41"

The process %original file name%.exe:3840 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 6D 85 43 6A 41 F0 D7 4A 26 92 6D 52 F7 34 50"

The process %original file name%.exe:2144 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E1 1B 94 B3 9D 9C B9 F9 0A 5D 0A 86 78 BB 3C 14"

The process %original file name%.exe:2392 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 99 6F AD E7 1D D5 77 A9 98 C1 68 B6 23 ED 67"

The process %original file name%.exe:532 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "02 C9 6B D8 4B 72 EA DD A0 15 68 8D A0 4C 1D 29"

The process %original file name%.exe:2252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "ED D8 F0 CA 4B E6 1D A6 20 3C E6 EC 73 9E 27 A7"

The process %original file name%.exe:2288 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 88 88 D3 01 D6 E0 0B BB 1A 74 AA D2 B8 5D 8F"

The process %original file name%.exe:3680 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FD 8A 77 6E 02 26 8C 1B 30 0F 0B 7B BE 7B 6D 2D"

The process %original file name%.exe:2196 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 9C 95 4D 79 80 34 DA FA 71 FE 52 E7 9B EA BA"

The process %original file name%.exe:1080 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 08 53 1C A2 47 2C B2 47 5A 9C 84 89 6E 91 F3"

The process %original file name%.exe:3276 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF A2 68 C6 1B 7D BF 59 0A 60 66 A2 FE 93 97 7D"

The process %original file name%.exe:3144 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FC EC 52 A0 5E AD 86 A6 F6 63 C4 CE D4 55 D8 1E"

The process %original file name%.exe:3308 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 1A F6 8F AB 37 69 F1 03 FE A7 1E 79 8F 22 7D"

The process %original file name%.exe:3148 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 2C FD 66 77 BE 7D E5 5E 2E 2E A8 EA 9C 00 69"

The process %original file name%.exe:2600 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A0 89 7A 41 38 0B 66 0A 9D 69 8A 4C E3 20 4C 10"

The process %original file name%.exe:2784 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2E BC 32 B8 4B 56 EB DA 88 02 C9 7C 83 D6 8E 76"

The process %original file name%.exe:304 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BF 63 F1 49 4C 9D 06 58 36 BB 57 55 71 14 FF 61"

The process %original file name%.exe:3380 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 26 C7 EC 56 4D D1 69 6B B0 FD A2 E1 F1 C2 AB"

The process %original file name%.exe:3576 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "15 B4 E5 C2 DB AF 6B 5A B7 68 25 FC 29 7A BB 36"

The process %original file name%.exe:2788 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C8 84 DC C0 B2 B2 BE D6 7A BF 15 A5 D8 D0 4D A6"

The process %original file name%.exe:2380 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 1D F7 14 F3 8B 42 EF 95 3E D1 4F AC 6D 4A 2E"

The process %original file name%.exe:2268 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4C 8C DF F4 F2 9F E8 F1 C3 2D FE 3B CB C6 94 39"

The process %original file name%.exe:2660 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 AA 88 03 10 BF 4F 1A 7D E0 5F E2 BE AE 11 C2"

The process %original file name%.exe:1652 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B6 85 92 B3 52 22 ED 27 59 4E 0B 89 56 95 BC BF"

The process %original file name%.exe:2072 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CC 24 C9 CE D2 0C A5 B1 64 D6 3E 73 D2 F6 0F C1"

The process %original file name%.exe:364 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C F5 C3 E7 C5 EE 68 18 2B 09 A5 63 59 CC D5 50"

The process %original file name%.exe:4060 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2B B0 C6 A3 82 7A E3 A0 92 27 99 1E DE D2 C7 7C"

The process %original file name%.exe:2076 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D1 8D AA 84 AE D0 F7 7F BC 97 42 A7 9F B3 29 0C"

The process %original file name%.exe:3844 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 9E D8 A6 F6 F0 2E 9F 6D B6 A3 32 EF 75 C7 10"

The process %original file name%.exe:308 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 E2 B2 3F BD EF 39 02 29 FC 85 EF 05 A4 2C A5"

The process %original file name%.exe:1236 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5C DB 78 8B 5B 18 FA 12 FD A8 B4 CE 1E 2D 1F 7B"

The process %original file name%.exe:3584 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A 49 BE 1F C5 25 59 18 54 75 4B 87 49 25 2E 70"

The process %original file name%.exe:2444 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 75 23 F4 F9 48 09 C9 F3 CE 97 8B 90 12 2A 4D"

The process %original file name%.exe:2524 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 8A A6 44 71 2C 3A 59 55 2E 58 73 28 31 40 4E"

The process %original file name%.exe:300 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 16 14 3D EE 29 0A B3 6A 2C B3 56 ED 08 4A A8"

The process %original file name%.exe:2284 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "67 E9 0D 0A 16 B0 62 E7 15 A0 98 97 3A 99 95 A9"

The process %original file name%.exe:2448 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 17 DE A0 FA D4 25 82 4B 78 03 34 27 EF 56 55"

The process %original file name%.exe:2608 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D2 E6 C4 84 18 74 44 22 A1 BC 74 BF 5F 95 AA AC"

The process %original file name%.exe:3668 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "14 4E FD F8 F3 9B 1C E2 00 AF 2E 0A 6A AF 07 1C"

The process %original file name%.exe:3156 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 E5 FF B2 1A 56 B9 5D F9 02 79 94 48 35 2F 4B"

The process %original file name%.exe:3456 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C 2A C2 4F BA CA E6 0F 49 05 2C 68 E5 CB 86 DB"

The process %original file name%.exe:3312 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4E DD 2D A9 B5 F9 F0 B5 5E 1A 53 18 70 42 6E F7"

The process %original file name%.exe:3012 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "65 C2 B2 59 65 25 C5 81 17 FA 75 EF 7F F2 D7 CC"

The process %original file name%.exe:908 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9E 86 DE C0 7F 40 2F 81 99 FD 65 D8 91 EA 7A AA"

The process %original file name%.exe:1648 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 2D 53 00 9D 71 0F 57 CF B0 82 82 C6 63 D3 57"

The process %original file name%.exe:3096 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E F5 4E C6 6E A0 17 31 24 CC 69 64 45 36 F9 1E"

The process %original file name%.exe:2596 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A5 79 96 69 89 51 F6 68 08 59 F3 72 9B 35 52 A6"

The process %original file name%.exe:2612 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 6D 7C 83 91 FF AB 52 79 64 0A 75 DA 3F 1B 40"

The process %original file name%.exe:624 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 7D AA DD 4C 2B 06 66 B8 FE 00 1D 13 83 12 BB"

The process %original file name%.exe:2296 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 DA 8D CE 09 0A 58 D9 AB AC 79 22 BB 8F 00 9A"

The process %original file name%.exe:3056 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 DD E8 56 44 D6 BB 21 82 24 71 5A 1A 5B 09 B5"

The process %original file name%.exe:1584 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 2E E2 8A 2C C1 B9 50 3A D8 D7 8C 56 83 88 B1"

The process %original file name%.exe:3168 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E A0 24 48 BB 15 25 4A 12 6D E9 1C 7D 94 5A D7"

The process %original file name%.exe:252 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 26 92 48 15 C7 75 EB 02 D9 1D 6E 78 0B 1D 47"

The process %original file name%.exe:3452 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D D2 70 F9 C2 10 06 2F 41 FA 1D 48 12 31 CD EE"

The process %original file name%.exe:2568 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2D 7F E7 5D 68 77 3C 41 E5 C5 BE BA 0C F7 23 72"

The process %original file name%.exe:1984 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A8 C4 6B C4 62 B8 DF 2D 08 1B 1F 3F 17 3A 9C C4"

The process %original file name%.exe:1624 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 C2 83 2B E7 FF FC C5 E5 5A AB DC A6 0F 70 5B"

The process %original file name%.exe:3368 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 0A 79 01 AB E6 2B 2A 92 41 C2 60 4A A0 FA 40"

The process %original file name%.exe:2056 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 80 1F D4 5D F3 FF FF E0 07 B7 50 B2 C6 6D 59"

The process %original file name%.exe:3512 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 6B 6D DE D9 BC 97 68 16 CC 33 24 4D EE 5F D4"

The process %original file name%.exe:3360 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 36 BE 2E 12 60 A0 9B C0 06 0B B9 FE 2F 56 97"

The process %original file name%.exe:3696 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C1 EA 0B 74 78 4D AD CD 86 AD 6A D9 11 5E 4B BE"

The process %original file name%.exe:656 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 EE 23 29 F9 75 C3 3B B3 62 15 60 7A C1 BB 97"

The process %original file name%.exe:2688 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7D 7C 1B 70 29 81 1D 0A 7C C7 5C 7E 04 B6 98 5D"

The process %original file name%.exe:2684 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA A0 28 F1 A1 3A 2F 2C DE 80 A3 3D 86 02 12 5C"

The process %original file name%.exe:3084 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 59 A3 A0 2B 1A AB D2 6C C9 33 9E 62 62 60 D7"

The process %original file name%.exe:2112 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 6F A3 43 10 58 D7 14 B6 57 82 57 AA 42 7E 4E"

The process %original file name%.exe:2680 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "25 4A 73 63 20 97 FE BC 47 8A 0E 56 7D 35 34 13"

The process %original file name%.exe:3080 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DB 1D 92 0F 89 AE 2A 45 7A 56 62 CA 78 42 42 82"

The process %original file name%.exe:2116 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C D1 DE 99 4A 37 6D 1D 49 A8 F6 AE 8E 94 76 B3"

The process %original file name%.exe:2360 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "10 DD 13 7C D1 47 E2 A4 3B 0C DA 56 9B F1 A7 97"

The process %original file name%.exe:2584 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 60 7D B6 16 9A 57 C0 31 6A 09 6B 7E 03 88 49"

The process %original file name%.exe:560 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB BC DE 22 D4 5A 4B 6F C2 8D DE 3C 8C BD 36 92"

The process %original file name%.exe:3876 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D7 E3 5F DC E3 A0 96 44 AA AF E4 EF 38 18 E2 F5"

The process %original file name%.exe:3072 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 34 34 65 92 A8 C7 0E 0C 7A 9E E1 02 04 81 13"

The process %original file name%.exe:2180 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D9 CE AE C1 64 36 A6 F3 0E 93 BA 40 A7 23 CA 35"

The process %original file name%.exe:3520 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CB 9B E7 83 7C 23 44 D4 FD E5 13 B9 47 D9 9D 0D"

The process %original file name%.exe:3288 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 C7 7E F6 05 99 FE DF C4 BD C0 28 DC 0E 76 EF"

The process %original file name%.exe:2956 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 78 9A 08 D7 5A CD 16 7A 29 CA 40 25 4B A1 47"

The process %original file name%.exe:3284 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 50 24 60 A6 5F 13 6B BA 12 DE 14 4A 56 38 2E"

The process %original file name%.exe:2952 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D F3 CC 41 4F 3A AD 73 4C 49 F6 60 69 9A 6B 0B"

The process %original file name%.exe:3140 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "13 3A 96 8A D7 AD 71 64 A7 C5 F3 0A 86 FE 05 72"

The process %original file name%.exe:3448 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 F3 2B E6 58 C5 87 C4 8A 15 56 52 6C 7F 98 C8"

The process %original file name%.exe:2204 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E B3 A8 30 B9 E2 F4 A1 73 0C 8C 55 4E 61 79 C4"

The process %original file name%.exe:4076 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B9 F9 83 F0 52 89 ED 23 33 BC 03 E7 C6 C9 48 0A"

The process %original file name%.exe:3532 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F D6 B8 10 C4 B1 20 E0 04 63 5A D0 1F A1 3C 03"

The process %original file name%.exe:4072 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "34 C8 E2 91 CD 6E C6 0E 2B F1 BD D6 FD B8 19 71"

The process %original file name%.exe:3060 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 B2 6C 14 70 AC 68 15 FB 50 EB F6 E4 AA 60 33"

The process %original file name%.exe:2100 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 7B EC B2 98 95 E0 69 9C 02 B1 A9 D4 41 9C C3"

The process %original file name%.exe:4080 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC AE 5E 44 7D E1 44 0A A6 08 B6 A7 34 66 34 FF"

The process %original file name%.exe:2464 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "49 A9 C4 F9 C4 1A 8C B2 98 90 B6 96 5C 7F F8 B7"

The process %original file name%.exe:2736 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1A 46 CC C6 F1 97 70 BA CA CE 61 FB E6 D0 B8 6D"

The process %original file name%.exe:2864 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA A9 38 21 43 BE 55 8C BC C9 B0 A4 69 C5 10 71"

The process %original file name%.exe:1208 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AF 24 7B 13 73 F0 5B 6C 20 CD 09 89 76 D6 77 3F"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

The process %original file name%.exe:2732 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 51 02 BB 73 BC B8 2C 98 30 7B 8C D2 2F 24 A2"

The process %original file name%.exe:2636 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1B AF CB 60 AC D8 19 78 1E 24 D6 F9 0B 8A 31 0C"

The process %original file name%.exe:3864 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 6D 24 EB D6 94 10 73 DA 63 B2 EB 49 38 D8 E1"

The process %original file name%.exe:3600 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D AA 51 EA 06 6A DB 1E 9B F2 E2 4A 83 E9 B2 31"

The process %original file name%.exe:2940 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 72 C3 DE F0 84 9A B7 92 F5 09 31 B1 BB 06 2E"

The process %original file name%.exe:2344 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "29 A1 32 4F 61 C8 26 01 E5 2F D7 28 24 28 F9 DF"

The process %original file name%.exe:1968 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 91 49 C1 C2 5C 98 16 8F 77 13 CE 9D 0A 68 12"

The process %original file name%.exe:3852 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B4 12 49 7F B5 EF 84 D2 9D DF 81 FA 88 10 22 F7"

The process %original file name%.exe:3432 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE 06 4C 54 06 6C 44 26 18 0B 71 69 F0 85 78 F9"

The process %original file name%.exe:1612 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 1D F2 67 92 C7 A3 5F 2C 51 8E A9 D5 8E 3F 48"

The process %original file name%.exe:3344 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 BA 30 A7 78 E0 1C E2 3E D4 39 BA 79 5C C1 1A"

The process %original file name%.exe:3180 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D5 EB 35 0D 8E 10 40 D1 AD 46 6F AB 45 4C 49 BF"

The process %original file name%.exe:2508 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E E2 53 48 7D 40 29 DA 2B B3 D3 87 FA A7 98 3A"

The process %original file name%.exe:2748 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 1C 95 C2 9F 21 3D D1 C0 FD 33 34 C2 4A EF 67"

The process %original file name%.exe:1564 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "03 C4 2F 70 68 08 54 07 44 44 13 15 C4 83 CE 1D"

The process %original file name%.exe:2648 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A FE 18 E1 44 76 9C 24 DF 1E 22 1B 36 71 EC 26"

The process %original file name%.exe:2724 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1D 1C B3 42 32 70 2E AF ED FC E4 17 13 7C 30 43"

The process %original file name%.exe:3912 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "D0 02 06 12 1B 66 21 3D 2F 96 C1 8F B6 98 68 8E"

The process %original file name%.exe:612 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 D1 17 1D 59 44 C9 DA 97 0C C4 9E 0B 59 C2 F4"

The process %original file name%.exe:2644 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "88 05 0F 0D 02 FE 31 3B AB 6B A7 3D E6 60 23 F2"

The process %original file name%.exe:3624 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E EE A6 5F 9A 8C 7A FC 47 41 64 8A E8 EC 84 E9"

The process %original file name%.exe:3356 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 D5 97 D1 CD 62 48 0D AA 79 1A 89 AD 96 82 AD"

The process %original file name%.exe:3352 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 92 B0 FD 51 01 1A 05 5D 28 96 43 F0 B7 E1 36"

The process %original file name%.exe:2972 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 0A AF 2A F4 7E B1 22 D1 74 20 42 07 5A 89 F6"

The process %original file name%.exe:3700 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE 02 BF 7C 44 29 A0 55 44 B9 6C 04 09 7F 51 99"

The process %original file name%.exe:2976 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "58 55 55 81 FD 2F 00 F6 E5 E7 87 06 4E 94 25 34"

The process %original file name%.exe:1804 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CF 45 31 C9 72 CB 79 5D 88 C0 81 C3 05 28 7E C5"

The process %original file name%.exe:3544 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 40 9E 32 DE 4E E9 BB 43 36 CC B5 07 1E FB ED"

The process %original file name%.exe:3428 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB 42 65 C9 91 DC FE D0 07 60 C8 F5 69 16 5E FF"

The process %original file name%.exe:3540 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 9D 31 1A 71 8A 98 2C 6A 10 A6 70 72 A2 68 63"

The process %original file name%.exe:2336 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 9C 19 96 79 99 B6 F4 DE D5 E5 EB 02 2F 7C A9"

The process %original file name%.exe:1800 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "48 B7 EA C8 40 78 75 49 60 42 FA 9D C2 C8 B4 17"

The process %original file name%.exe:3116 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C2 61 88 A5 F8 03 6C 57 41 F9 5E 58 BD 13 BF CD"

The process %original file name%.exe:3220 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B2 CB 17 51 BA 01 0D 47 D8 96 6B D9 F3 3C 18 A8"

The process %original file name%.exe:476 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "76 F0 31 C9 71 8A A3 D6 98 C1 F5 E8 11 7D C2 DE"

The process %original file name%.exe:1572 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 C6 E9 44 A2 5E A7 58 A3 A8 67 ED 8C D5 56 B6"

The process %original file name%.exe:2008 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4A 76 27 CA C4 0C 88 5F B9 24 A6 11 3A 99 A2 AE"

The process NesIMIQs.exe:944 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5E D5 1E AD 4C 7B A1 8F 82 1C 64 81 E3 93 A4 45"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

To automatically run itself each time Windows is booted, the Malware adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

Dropped PE files

MD5 File path
deb026fbbaf882ccf31f35552402a559 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe
9dfa096aaf8a88c52fc41246a418f3fa c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe
7fab9998b62ad8d227bef90b1fada3d9 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe
ed4a76c6cdf3efd15a17d3947e06382e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe
ed5d29fa6cefd14378ed82dc3416d7e2 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe
e3bddfeaa7d9a059abdb2789ea998aa1 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe
78fb2181bb0d8b8c25f335e0e0376f05 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe
25a81953b90c374d967c5c1c0b7ec975 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe
c893316cda4c3c1a3c766316fd88ee53 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe
8bae00d5a6a2157dfebfe3d4b731357e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe
d60753dd6d3c1bad29dd48017703556b c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe
ba3a8b929e3ac8fb0feb1b4d5860c1ac c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe
92ed5226b0fb3c35bd81e300d797d31d c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe
20140ac8d136526dba37c54a81262777 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe
098643a5f7994f723131b25375f9b799 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe
dc6262bb34beef0e4b62d23bf1583c8e c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe
2f7b2fb06ebbb89844a46211015d18be c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe
4a28a387675f8e37bf9d36c93635b515 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe
ace1a823cd0d898070fbad6c3cf7cb2f c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe
7b1efc954968b194e40946910992e617 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe
8e9ab9a36bcc5e194b56d422f5fb9fea c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe
cf04200c0fd72e1e2bafbe1459828c8b c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe
8c0aac849cf937fa3a2f2208f2603f77 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe
c4629c5531d346a6d6ddfbe728474a43 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe
46489e2a679776af099ba0bc9d350363 c:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe
c3661516e8b94243a141698988c62536 c:\Documents and Settings\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe
f9a8fcebacb169ba792828945a8df0ed c:\Documents and Settings\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe
ff1ae2a6f90e4eb9a3e590ea9340a243 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe
9ce8ef0c3db650a3025ac89f5b3f8cdb c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe
25b56ff7db224f6c963b8a97c081adf4 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe
911ecdab3043e1c23d79702b907b67c5 c:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe
9982a069f9806aa3f2382da8b3f96f84 c:\Documents and Settings\All Users\JuwEIgUE\reIEcoQI.exe
48560ba776fcf2e970e37ecb81048262 c:\Documents and Settings\All Users\hcYYccwo\NesIMIQs.exe
8ef5d3d2c19c0290103bb3a1d5bef8db c:\Documents and Settings\"%CurrentUserName%"\dUskcAww\fGAwoYMM.exe
78c79094404047e9eb23b9aa4deac6ca c:\Perl\eg\IEExamples\ie_animated.gif.exe
215dadae08756e013dbf83a18cf9cf0f c:\Perl\eg\IEExamples\psbwlogo.gif.exe
d570667c6faf31ed6cb506b254ba80a6 c:\Perl\eg\aspSamples\ASbanner.gif.exe
3a6f69b57ea3472ac980f86c0195618b c:\Perl\eg\aspSamples\Main_Banner.gif.exe
20ba7df2cae0ea1c329df4c949c7f929 c:\Perl\eg\aspSamples\psbwlogo.gif.exe
3c1301912f4340eba7ea028699dad684 c:\Perl\html\images\AS_logo.gif.exe
c2beb0f17a553de8a36c50b610740206 c:\Perl\html\images\PerlCritic_run.png.exe
3a94e74821af6b3e2e1ab80046e4f9c4 c:\Perl\html\images\aslogo.gif.exe
5231f2d8bc20ecd0cc935efb956126ec c:\Perl\html\images\ppm_gui.png.exe
c31c93ed813712a5b55f6fe6f00b6312 c:\Perl\lib\ActivePerl\PPM\images\gecko.png.exe
cb1a020880daa5229457e7e99297c933 c:\Perl\lib\ActivePerl\PPM\images\perl_48x48.png.exe
da39961064a83be64058517ac4985250 c:\Perl\lib\Devel\NYTProf\js\asc.png.exe
7f4c8396727e7463a19a431b70a936ac c:\Perl\lib\Devel\NYTProf\js\bg.png.exe
6844bdc493605916804b04f0b333b23c c:\Perl\lib\Devel\NYTProf\js\desc.png.exe
aa0b4131e64af2c48b4ad05abaf0db41 c:\Perl\lib\Devel\NYTProf\js\jit\gradient.png.exe
504a9487d7826ebc62f258dfd6d81151 c:\Perl\lib\Devel\NYTProf\js\jit\gradient20.png.exe
8479071689f182e4f13722d27e7c8121 c:\Perl\lib\Devel\NYTProf\js\jit\gradient30.png.exe
5daeaaad0d39d7d98676df81f19d3e51 c:\Perl\lib\Devel\NYTProf\js\jit\gradient40.png.exe
00034435c193869826e1fed49b183816 c:\Perl\lib\Devel\NYTProf\js\jit\gradient50.png.exe
ae235fcebef4dcf97a4fa02a67859849 c:\Perl\lib\Mozilla\CA\cacert.pem.exe
6cb09c486234eb7e0681c36592d4c2a1 c:\totalcmd\TCMADMIN.EXE.exe
274f64c67bf1b17a2226f971cd122eca c:\totalcmd\TCMDX32.EXE.exe
06f8d279c8c690877938ce84b9f08b42 c:\totalcmd\TCUNINST.EXE.exe
cd2879176568fb0dfd33a12a3af7a650 c:\totalcmd\TOTALCMD.EXE.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 647168 645120 5.52622 eae46ce96a01fdf2e61760479273ba50
.rdata 651264 4096 512 1.46778 50ba15386f0da310236bb9027176005b
.data 655360 321 512 3.86956 e9bce2a5396f1d70ede4512dc49b6a6d
.rsrc 659456 4444 4608 3.15061 051d1ef7c80c47c0502fd5089cc4b59b

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://google.com/ 216.58.209.174


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET / HTTP/1.1
Host: google.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=PcW8VOzbMqat8wfHloHQAw
Content-Length: 262
Date: Mon, 19 Jan 2015 08:50:05 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.02
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=PcW8VOzbMqat
8wfHloHQAw">here</A>...</BODY></HTML>..HTTP/1.1 3
02 Found..Cache-Control: private..Content-Type: text/html; charset=UTF
-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=PcW8VOzbMqat8wfHl
oHQAw..Content-Length: 262..Date: Mon, 19 Jan 2015 08:50:05 GMT..Serve
r: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD&g
t;<meta http-equiv="content-type" content="text/html;charset=utf-8"
>.<TITLE>302 Moved</TITLE></HEAD><BODY>.<
;H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://
VVV.google.com.ua/?gfe_rd=cr&ei=PcW8VOzbMqat8wfHloHQAw">here<
;/A>...</BODY></HTML>....



GET / HTTP/1.1
Host: google.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=2cS8VNSGI6it8wef_oLADA
Content-Length: 262
Date: Mon, 19 Jan 2015 08:48:25 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.02
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=2cS8VNSGI6it
8wef_oLADA">here</A>...</BODY></HTML>..HTTP/1.1 3
02 Found..Cache-Control: private..Content-Type: text/html; charset=UTF
-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=2cS8VNSGI6it8wef_
oLADA..Content-Length: 262..Date: Mon, 19 Jan 2015 08:48:25 GMT..Serve
r: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD&g
t;<meta http-equiv="content-type" content="text/html;charset=utf-8"
>.<TITLE>302 Moved</TITLE></HEAD><BODY>.<
;H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://
VVV.google.com.ua/?gfe_rd=cr&ei=2cS8VNSGI6it8wef_oLADA">here<
;/A>...</BODY></HTML>....



GET / HTTP/1.1
Host: google.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=RMW8VN_yBqat8wfHloHQAw
Content-Length: 262
Date: Mon, 19 Jan 2015 08:50:12 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.02
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=RMW8VN_yBqat
8wfHloHQAw">here</A>...</BODY></HTML>..HTTP/1.1 3
02 Found..Cache-Control: private..Content-Type: text/html; charset=UTF
-8..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=RMW8VN_yBqat8wfHl
oHQAw..Content-Length: 262..Date: Mon, 19 Jan 2015 08:50:12 GMT..Serve
r: GFE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD&g
t;<meta http-equiv="content-type" content="text/html;charset=utf-8"
>.<TITLE>302 Moved</TITLE></HEAD><BODY>.<
;H1>302 Moved</H1>.The document has moved.<A HREF="hXXp://
VVV.google.com.ua/?gfe_rd=cr&ei=RMW8VN_yBqat8wfHloHQAw">here<
;/A>...</BODY></HTML>....



GET / HTTP/1.1
Host: google.com


HTTP/1.1 302 Found
Cache-Control: private
Content-Type: text/html; charset=UTF-8
Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=2cS8VOmUIqWt8wfywYBw
Content-Length: 260
Date: Mon, 19 Jan 2015 08:48:25 GMT
Server: GFE/2.0
Alternate-Protocol: 80:quic,p=0.02
<HTML><HEAD><meta http-equiv="content-type" content="te
xt/html;charset=utf-8">.<TITLE>302 Moved</TITLE></HE
AD><BODY>.<H1>302 Moved</H1>.The document has mov
ed.<A HREF="hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=2cS8VOmUIqWt
8wfywYBw">here</A>...</BODY></HTML>..HTTP/1.1 302
 Found..Cache-Control: private..Content-Type: text/html; charset=UTF-8
..Location: hXXp://VVV.google.com.ua/?gfe_rd=cr&ei=2cS8VOmUIqWt8wfywYB
w..Content-Length: 260..Date: Mon, 19 Jan 2015 08:48:25 GMT..Server: G
FE/2.0..Alternate-Protocol: 80:quic,p=0.02..<HTML><HEAD>&l
t;meta http-equiv="content-type" content="text/html;charset=utf-8">
.<TITLE>302 Moved</TITLE></HEAD><BODY>.<H1&
gt;302 Moved</H1>.The document has moved.<A HREF="hXXp://VVV.
google.com.ua/?gfe_rd=cr&ei=2cS8VOmUIqWt8wfywYBw">here</A>
;...</BODY></HTML>....

The Malware connects to the servers at the folowing location(s):

fGAwoYMM.exe_1216:

.text
`.rdata
@.data
3E.Pcq:P!V^
#%Xkq.
.JF{<
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
Microsoft Windows
V.Gwcx#
P.yrBX.
PB]%C
%FoS(
F<.cS
user32.dll
GetProcessHeap
kernel32.dll

fGAwoYMM.exe_1216_rwx_00401000_00069000:

3E.Pcq:P!V^
#%Xkq.
.JF{<
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
Microsoft Windows
am_.rm_.rw#$q9
P.yrBX.
PB]%C
%FoS(
F<.cS

fGAwoYMM.exe_1216_rwx_00900000_00068000:

3E.Pcq:P!V^
#%Xkq.
.JF{<
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
$g.Gd
P.yrBX.
PB]%C
%FoS(
F<.cS

fGAwoYMM.exe_1216_rwx_00980000_00001000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

NesIMIQs.exe_944:

.text
`.rdata
@.data
3E.Pcq:P!V^
#%Xkq.
9b.ufQ
nEc.zi
H.kyu
~ \%F
O?GI
8L.bJ
(U .UP6
A%X.K
%8%x[
dC@&%U
Cw%fi
]Vei..MZ
'.USW
q.Kps&
&%Sbm(
9E.li
%C?tcX
/p,
Windows Internet Explorer
Windows Task Manager
taskmgr.exetaskkill /F /IM taskmgr.exe /T
reIEcoQI.exe
ec.exe
!W%uK
>.Qlx #6
Microsoft Windows
|=k%s
{1.zJ
user32.dll
ntdll.dll
kernel32.dll

fGAwoYMM.exe_1216_rwx_00BC0000_00001000:

%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM

fGAwoYMM.exe_1216_rwx_00BD0000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs

fGAwoYMM.exe_1216_rwx_00BE0000_00001000:

%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.inf

fGAwoYMM.exe_1216_rwx_00BF0000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.inf

fGAwoYMM.exe_1216_rwx_00C00000_00001000:

%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe

reIEcoQI.exe_348:

.text
`.rdata
@.data
3E.Pcq:P!V^
#%Xkq.
.JF{<
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
Y.aL9\
;.StH 
>.Qlx #6
2software\microsoft\windows\currentversion\run
P.yrBX.
PB]%C
%FoS(
F<.cS
ole32.dll
ws2_32.dll
user32.dll
kernel32.dll

fGAwoYMM.exe_1216_rwx_00C10000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe

fGAwoYMM.exe_1216_rwx_00C40000_00001000:

fGAwoYMM.exe

fGAwoYMM.exe_1216_rwx_00C50000_00001000:

NesIMIQs.exe

fGAwoYMM.exe_1216_rwx_00C60000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM fGAwoYMM.exe

fGAwoYMM.exe_1216_rwx_00C70000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM NesIMIQs.exe

fGAwoYMM.exe_1216_rwx_00C80000_00001000:

%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe

fGAwoYMM.exe_1216_rwx_00C90000_00001000:

%Documents and Settings%\All Users\KAAo.txt

fGAwoYMM.exe_1216_rwx_00CA0000_00001000:

notepad.exe "%Documents and Settings%\All Users\KAAo.txt"

fGAwoYMM.exe_1216_rwx_00CB0000_00001000:

%Documents and Settings%\All Users\JuwEIgUE

NesIMIQs.exe_944_rwx_00401000_00069000:

3E.Pcq:P!V^
#%Xkq.
9b.ufQ
nEc.zi
H.kyu
~ \%F
O?GI
8L.bJ
(U .UP6
A%X.K
%8%x[
dC@&%U
Cw%fi
]Vei..MZ
'.USW
q.Kps&
&%Sbm(
9E.li
%C?tcX
/p,
Windows Internet Explorer
Windows Task Manager
taskmgr.exetaskkill /F /IM taskmgr.exe /T
reIEcoQI.exe
ec.exe
!W%uK
>.Qlx #6
Microsoft Windows
|=k%s
{1.zJ

NesIMIQs.exe_944_rwx_00900000_00068000:

3E.Pcq:P!V^
#%Xkq.
.JF{<
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
$g.Gd
P.yrBX.
PB]%C
%FoS(
F<.cS

NesIMIQs.exe_944_rwx_00980000_00001000:

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp

NesIMIQs.exe_944_rwx_00BC0000_00001000:

%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM

NesIMIQs.exe_944_rwx_00BD0000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs

NesIMIQs.exe_944_rwx_00BE0000_00001000:

%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.inf

NesIMIQs.exe_944_rwx_00BF0000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.inf

NesIMIQs.exe_944_rwx_00C00000_00001000:

%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe

NesIMIQs.exe_944_rwx_00C10000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe

NesIMIQs.exe_944_rwx_00C40000_00001000:

fGAwoYMM.exe

NesIMIQs.exe_944_rwx_00C50000_00001000:

NesIMIQs.exe

NesIMIQs.exe_944_rwx_00C60000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM fGAwoYMM.exe

NesIMIQs.exe_944_rwx_00C70000_00001000:

taskkill /FI "USERNAME eq adm" /F /IM NesIMIQs.exe

NesIMIQs.exe_944_rwx_00C80000_00001000:

%Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe

NesIMIQs.exe_944_rwx_00C90000_00001000:

%Documents and Settings%\All Users\KAAo.txt

NesIMIQs.exe_944_rwx_00CA0000_00001000:

notepad.exe "%Documents and Settings%\All Users\KAAo.txt"

NesIMIQs.exe_944_rwx_00CB0000_00001000:

%Documents and Settings%\All Users\JuwEIgUE

NesIMIQs.exe_944_rwx_01100000_02300000:

ntdll.dll
kernel32.dll
user32.dll
5b.iL
5 .ku
1.ObFd
1.PoW
3eXEC'
CRTQ
].em9
m]xL.CB
%c%?E
'n"%Sv
c%?Î
;b.Qm%
!B,MüUl
Î?EB
;%UG#e
.Nf#$
ce_Î
!-.Tu
Fj2%Xi
uvi%D
%f,Bb
Î?E
.Mr~>
Î?%
E4~7|\%x
9'%d=
.sS'NI
%fj*J
,.OH@no
&%SBN
%.pbp
.PBNY
LPy8@!.xBp
y8@}.XBE>
09.pH5
Pj%dr/
1.POgW
.ViaP
>.pb,*
q?/%F
c.um0$
.un0d
.Dj0d
%D}g0d
.Po~0D
Î0$
zM.Dt0$
%dgb0
.DdrF
.HnrF
.HlRF
.HmrF
.DerF
.DfrF
ß3[
.DgrF
.HirF
.HjrF
.IrRF
.DxrF
.DzrF
.HiRF
.DjrF
.DkrF
.HorF
.HkrF
.RFT7
.Df2F
.EU]F3S
%D}@P7
.uys@
v%u3r
g#I.rF
wf.lh
.RMGsE
.IkRF\
.IkRF
.StPf
,l.HL]
.RF\K
H.SFT
nFTpE
.eH1vVT
.CH1fV
.RL.&
&Rb%F
.VL!vV
6Mo
ZMo
AM.VF
.FqvV
.Dq&V
^Mo
Mo<
.NHq6
.IQ]V
.YMYR
.IG]08
.Lg}F
%D_}*
Lÿ|
.HQ]VD
:[%dX 
%U-Jd
.tg;(fT

NesIMIQs.exe_944_rwx_03900000_01E00000:

.text
`.rdata
@.data
.rsrc
@.reloc
u%Uh`
QSSSh
QVSSh
t.PSh
T$lRSSh| "
UDPQRh
L$ QSSh
L$,QSSh
QSSShlVU
RVSShlVU
t.Ph\
tGHt.Ht&
operand of unlimited repeat could match the empty string
POSIX named classes are supported only within a class
erroffset passed as NULL
POSIX collating elements are not supported
this version of PCRE is not compiled with PCRE_UTF8 support
PCRE does not support \L, \l, \N{name}, \U, or \u
support for \P, \p, and \X has not been compiled
this version of PCRE is not compiled with PCRE_UCP support
\N is not supported in a class
inflate 1.2.5 Copyright 1995-2010 Mark Adler
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
RtlRunOnceExecuteOnce
advapi32_hack::try_hack: bad PE passed
advapi32_hack::try_hack: cannot read import table
advapi32_hack::try_hack: cannot find section .text
.data
advapi32_hack::try_hack: cannot find section .data
advapi32_hack::try_hack: cannot read section .text
Cannot read module %s, error %d
Cannot read exports of %s, error %d
advapi32_hack::try_hack: cannot read exports, error %d
.apiset
Bad .apiset catalog - don`t fit in section
String in cat item %d not in section
Value in cat item %d not in section
Bad referred in cat item %d
Double mapped value in cat item %d not in section
Bad double referred in cat item %d
BaseSrvRegisterWowExec
BaseSrvGetProcessShutdownParam
BaseSrvSetProcessShutdownParam
basesrv.dll
Unknown size of BaseServerApiDispatchTable: %d
ServerDll[%d] %p
csrsrv.dll
CsrExecServerThread
ServerDll[%d]:
ApiDispatchTable: %p %s
ConnectRoutine: %p %s
DisconnectRoutine: %p %s
HardErrorRoutine: %p %s
AddProcessRoutine: %p %s
ShutdownProcessRoutine: %p %s
Cannot open dir %S, error %d
clean_old_drvs: error %d on deleting file %S
Cannot find resource %X
Cannot load resource %X
Resource %d has zero length
Cannot lock resource %X
Cannot unpack resource %X
Cannot create file %S, error %d
1.2.5
Decompress buffer %d bytes too small
DxDvpWaitForVideoPortSync
DxDvpUpdateVideoPort
DxDvpGetVideoPortConnectInfo
DxDvpGetVideoPortOutputFormats
DxDvpGetVideoPortLine
DxDvpGetVideoPortInputFormats
DxDvpGetVideoPortFlipStatus
DxDvpGetVideoPortField
DxDvpGetVideoPortBandwidth
DxDvpFlipVideoPort
DxDvpDestroyVideoPort
DxDvpCreateVideoPort
DxDvpCanCreateVideoPort
DxDdSetColorKey
Cannot read gaDxgFuncs handlers, readed %X bytes
.rdata
Cannot read DxgCoreInterface handlers, readed %X bytes
Unknown acpi table version: %X
SBP2PORT_Mask
STORMINIPORT_Mask
STORPORT_Mask
TCPIP6_Mask
WSOCKTRANSPORT_Mask
FCPORT_Mask
SOFTPCI_Mask
TCPIP_Mask
SCSIMINIPORT_Mask
SCSIPORT_Mask
Unknown KdComponentTableSize size %X
dump_kd_masks return %X bytes, error %d, ntstatus %X
dump_kd_masks return %X bytes, error %d
dump_kd_masks(%s) return %X bytes, error %d, ntstatus %X
dump_kd_masks(%s) return %X bytes, error %d
%-*s: %X
read_kopts_length(%s) return %X bytes, error %d, ntstatus %X
read_kopts_length(%s) return %X bytes, error %d
Cannot alloc %X bytes
Cannot realloc %X bytes for %s
read_kopts(%s) return %X bytes, error %d, ntstatus %X
read_kopts(%s) return %X bytes, error %d
%S (%s): %X
%S (%s):
dump_kopts(%s) return %X bytes, error %d, ntstatus %X
dump_kopts(%s) return %X bytes, error %d
MmSupportWriteWatch
KiPassiveWatchdogTimeout
ViImageExecutionOptions
DbgkErrorPortStartTimeout
DbgkErrorPortCommTimeout
MmDisablePagingExecutive
CmDefaultLanguageId
DbgkpMaxModuleMsgs
IoCountOperations
KeDelayExecutionThread
resolve_IoFreeIrp: bad addr of %s
get_interrupt_dispatch: cannot alloc %d bytes
Unknown kernel options: %S
PsGetProcessWin32WindowStation
KeIsExecutingDpc
bad addr of KeIsExecutingDpc
Bad pnp handler item %d (%d)
Cannot find %s
ks.sys: cannot get KoCreateInstance
ImportContext
ExportContext
SpChangeAccountPasswordFn
CallPackagePassthrough
%SystemRoot%\System32\
GetServiceAccountPassword
DPAPIPasswordChangeForGMSA
GetCredentialKey
INotifyPasswordChanged
%s PolicyChangeNotificationCallbacks
PolicyChangeNotificationCallback[%d]: %d items
[%d] %p %p %p %p %s
lsasrv_hack::try_hack: bad PE passed
lsasrv_hack::try_hack: cannot find section .data
lsasrv_hack::try_hack: cannot read section .data
lsasrv_hack::try_hack: bad section passed
lsasrv_hack::try_hack: cannot read exports, error %d
LsaICallPackagePassthrough
lsasrv.dll
VaultLogonSessionNotification: %p %s
Start of driver %S failed !
WSPJoinLeaf
MSAFD_WSPSendMsg
MSAFD_WSPRecvMsg
mswsock.dll
CheckProc: cannot open process PID %d, error %d, ntstatus %X
CheckProc: cannot open process PID %d, error %d
threaded_processes_checker exception occured, error %X
MyWindowsChecker: len %d, kernel name %s
Cannot get kernel name, error %d
Kill process %d
Check processes in %d threads
Cannot find process %d
Usage: %S [options]
-wmi - report about WMI entries
-uem - check for Unknown Executable Memory
-npo - dump RPC Named Pipes Owner
-rdata - check .rdata sections too
-rpc - report about RPC interfaces
DeriveKey
NotifyChangeKey
EnumKeys
IsAlgSupported
FreeKey
DeleteKey
FinalizeKey
SetKeyProperty
CreatePersistedKey
OpenKey
OpenPrivateKey
ImportKey
ImportMasterKey
GetKeyProperty
GenerateSessionKeys
GenerateMasterKey
ExportKey
CreateEphemeralKey
ComputeEapKeyBlock
ncrypt_hack::check_in_proc: cannot alloc %d bytes
GetKeyStorageInterface
Cannot load %s (copy of %s), error %d
Cannot load module %s, error %d
Cannot read module %s import table
NdisMRegisterMiniportDriver
resolve_minidrivers_list: bad addr of NdisMRegisterMiniportDriver
NdisMRegisterMiniport
resolve_minidrivers_list: cannot find NdisMRegisterMiniport
resolve_minidrivers_list: bad addr of NdisMRegisterMiniport
resolve_miniports_list: cannot find NdisIMInitializeDeviceInstanceEx
resolve_miniports_list: bad addr of NdisIMInitializeDeviceInstanceEx
OID_CO_TAPI_DONT_REPORT_DIGITS
OID_CO_TAPI_REPORT_DIGITS
OID_QOS_OPERATIONAL_PARAMETERS
OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA_EX
OID_TCP_TASK_IPSEC_OFFLOAD_V2_UPDATE_SA
OID_TCP_TASK_IPSEC_OFFLOAD_V2_DELETE_SA
OID_TCP_TASK_IPSEC_OFFLOAD_V2_ADD_SA
OID_TCP_CONNECTION_OFFLOAD_PARAMETERS
OID_FFP_SUPPORT
OID_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
OID_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
OID_TCP_OFFLOAD_HARDWARE_CAPABILITIES
OID_TCP_OFFLOAD_PARAMETERS
OID_TCP_OFFLOAD_CURRENT_CONFIG
OID_TCP6_OFFLOAD_STATS
OID_TCP4_OFFLOAD_STATS
OID_TCP_TASK_IPSEC_DELETE_UDPESP_SA
OID_TCP_TASK_IPSEC_ADD_UDPESP_SA
OID_TCP_SAN_SUPPORT
OID_TCP_TASK_IPSEC_DELETE_SA
OID_TCP_TASK_IPSEC_ADD_SA
OID_TCP_TASK_OFFLOAD
OID_DOT11_SUPPORTED_DSSS_CHANNEL_LIST
OID_DOT11_SUPPORTED_OFDM_FREQUENCY_LIST
OID_DOT11_QOS_TX_QUEUES_SUPPORTED
OID_DOT11_AP_JOIN_REQUEST
OID_DOT11_HR_CCA_MODE_SUPPORTED
OID_DOT11_FREQUENCY_BANDS_SUPPORTED
OID_DOT11_SUPPORTED_DATA_RATES_VALUE
OID_DOT11_SUPPORTED_RX_ANTENNA
OID_DOT11_SUPPORTED_TX_ANTENNA
OID_DOT11_REG_DOMAINS_SUPPORT_VALUE
OID_DOT11_CCA_MODE_SUPPORTED
OID_DOT11_SUPPORTED_POWER_LEVELS
OID_DOT11_DIVERSITY_SUPPORT
OID_DOT11_SUPPORTED_PHY_TYPES
OID_DOT11_OPERATIONAL_RATE_SET
OID_DOT11_JOIN_REQUEST
OID_DOT11_CURRENT_OPERATION_MODE
OID_DOT11_OPERATION_MODE_CAPABILITY
OID_802_11_SUPPORTED_RATES
OID_802_11_NETWORK_TYPES_SUPPORTED
OID_802_11_REMOVE_KEY
OID_802_11_ADD_KEY
OID_IRDA_SUPPORTED_SPEEDS
OID_ATM_SUPPORTED_AAL_TYPES
OID_ATM_SUPPORTED_SERVICE_CATEGORY
OID_ATM_SUPPORTED_VC_RATES
OID_FDDI_PORT_ACTION
OID_FDDI_PORT_HARDWARE_PRESENT
OID_FDDI_PORT_LER_FLAG
OID_FDDI_PORT_PC_WITHHOLD
OID_FDDI_PORT_PCM_STATE
OID_FDDI_PORT_CONNNECT_STATE
OID_FDDI_PORT_LER_ALARM
OID_FDDI_PORT_LER_CUTOFF
OID_FDDI_PORT_LEM_CT
OID_FDDI_PORT_LEM_REJECT_CT
OID_FDDI_PORT_LER_ESTIMATE
OID_FDDI_PORT_LCT_FAIL_CT
OID_FDDI_PORT_EB_ERROR_CT
OID_FDDI_PORT_PC_LS
OID_FDDI_PORT_BS_FLAG
OID_FDDI_PORT_MAINT_LS
OID_FDDI_PORT_INDEX
OID_FDDI_PORT_CONNECTION_CAPABILITIES
OID_FDDI_PORT_PMD_CLASS
OID_FDDI_PORT_MAC_LOOP_TIME
OID_FDDI_PORT_AVAILABLE_PATHS
OID_FDDI_PORT_MAC_PLACEMENT
OID_FDDI_PORT_REQUESTED_PATHS
OID_FDDI_PORT_CURRENT_PATH
OID_FDDI_PORT_MAC_INDICATED
OID_FDDI_PORT_CONNECTION_POLICIES
OID_FDDI_PORT_NEIGHBOR_TYPE
OID_FDDI_PORT_MY_TYPE
OID_FDDI_MAC_DOWNSTREAM_PORT_TYPE
OID_FDDI_SMT_MSG_TIME_STAMP
OID_FDDI_SMT_BYPASS_PRESENT
OID_FDDI_SMT_MAC_INDEXES
OID_FDDI_SMT_PORT_INDEXES
OID_TCP_RSC_STATISTICS
OID_SWITCH_PORT_UPDATED
OID_GEN_OPERATIONAL_STATUS
OID_SWITCH_PORT_TEARDOWN
OID_SWITCH_PORT_FEATURE_STATUS_QUERY
OID_SWITCH_PORT_DELETE
OID_SWITCH_PORT_CREATE
OID_SWITCH_PORT_ARRAY
OID_SWITCH_PORT_PROPERTY_ENUM
OID_SWITCH_PORT_PROPERTY_DELETE
OID_SWITCH_PORT_PROPERTY_UPDATE
OID_SWITCH_PORT_PROPERTY_ADD
OID_NIC_SWITCH_DELETE_VPORT
OID_NIC_SWITCH_ENUM_VPORTS
OID_NIC_SWITCH_VPORT_PARAMETERS
OID_NIC_SWITCH_CREATE_VPORT
OID_GEN_MINIPORT_RESTART_ATTRIBUTES
OID_GEN_PORT_AUTHENTICATION_PARAMETERS
OID_GEN_PORT_STATE
OID_GEN_ENUMERATE_PORTS
OID_GEN_TRANSPORT_HEADER_OFFSET
OID_GEN_SUPPORTED_GUIDS
OID_GEN_MEDIA_SUPPORTED
OID_GEN_SUPPORTED_LIST
Cannot read gWfpGlobal, readed %X bytes
Cannot read Wfp callout count, readed %X bytes
Cannot read Wfp callouts, readed %X bytes
Cannot read WFP index functions, readed %X bytes
iphlpapi.dll
%SystemRoot%\System32\iphlpapi.dll
AllocateAndGetTcpExTableFromStack
AllocateAndGetUdpExTableFromStack
GetExtendedTcpTable
GetExtendedUdpTable
Failed to snapshot TCP endpoints, error %d
Failed to snapshot UDP endpoints, error %d
Cannot alloc %d bytes for UDP extended table
Cannot alloc %d bytes for TCP extended table
ntdll_hack::try_hack: bad PE passed
ntdll_hack::try_hack: cannot find section .text
ntdll_hack::try_hack: cannot read section .text
ntdll_hack::try_hack: bad section passed
ntdll_hack::try_hack: cannot read exports, error %d
%s channel hooks:
ChannelHook[%d]: %p (%p - %s) %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
ChannelHook[%d]: %p (%p) %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
MallocSpy: %p vtbl %p - %s
webclient
msiexec32
msiexec
tftp
ftp32
cmd32
ccmexec32
ccmexec
chrome
opera
firefox
Process PID %d raise dwwin PID %d
Cannot alloc new process PID %d %S
Cannot open svchost process PID %d, error %d
proc_list::read: CreateToolhelp32Snapshot failed with error %d
PID %d Parent PID %d service {%S} %S
PID %d Parent PID %d %S
PID %d Parent PID %d kind {%S} %S
read_service_exe_name(%S): cannot expand string %S
ExWindowStationOpenProcedureCallout
ExWindowStationParseProcedureCallout
ExWindowStationDeleteProcedureCallout
ExWindowStationCloseProcedureCallout
ExWindowStationOkToCloseProcedureCallout
read_w8_callout failed, len %d, returned %d bytes, error %d, ntstatus %X
read_w8_callout failed, len %d, returned %d bytes, error %d
PsWin32CallBack: %p %p %s
check_callouts: cannot alloc %X bytes (size %d)
check_callouts failed, error %d, status %X
check_callouts failed, error %d
Callouts (%d):
%s: %p %s
ark_check_callbacks: cannot read size of callbacks list, error %d, ntstatus %X
ark_check_callbacks: cannot read size of callbacks list, error %d
ark_check_callbacks: cannot read %d bytes (readed %d), error %d, ntstatus %X
ark_check_callbacks: cannot read %d bytes (readed %d), error %d
CB: %S, total %X:
%p (%s)
check_shutdown_callbacks: cannot read size of callbacks list, error %d, ntstatus %X
check_shutdown_callbacks: cannot read size of callbacks list, error %d
check_shutdown_callbacks: cannot read callbacks list of %s, error %d, ntstatus %X
check_shutdown_callbacks: cannot read callbacks list of %s, error %d
%s - %d:
FastIoUnlockAllByKey
MJ_CREATE_NAMED_PIPE
%s!%s.%s patched by %s, addr %p
%s!%s[%d] patched by %s, addr %p
Cannot open driver dumpfile %s, error %d
Cannot open kernel dumpfile %s, error %d
Cannot read driver %s, error %d
hal.dll
Shadow SDT: %p, limit %X
win32k.sys
Cannot relocate section %s.%s
Cannot alloc %X bytes for reading driver section %s.%s
Driver %s!%s has %X patched bytes !
.orig
.kmem
Cannot read driver section %s.%s (flags %X) at %p size %X readed %X, error %d, ntstatus %X
Cannot read driver section %s.%s (flags %X) at %p size %X readed %X, error %d
Cannot read kernel %s, error %d
ntoskrnl.exe
Cannot alloc %X bytes for reading kernel sections
Cannot relocate section %s
KernelSection %s rva %X, size %X, 0x%X relocs has 0x%X patched bytes !
Cannot read (whole) section %s (flags %X) at %p size %X (readed %X), error %d
\SystemRoot\system32\hal.dll
\SystemRoot\system32\halapic.dll
\SystemRoot\system32\halmps.dll
\SystemRoot\system32\halacpi.dll
\SystemRoot\system32\halaacpi.dll
\SystemRoot\system32\halmacpi.dll
%SystemRoot%\System32\hal.dll
halapic.dll
halmps.dll
halacpi.dll
halaacpi.dll
halmacpi.dll
Driver %S DrvObj %p:
DriverUnload patched by %s, addr %p
DriverStartIo patched by %s, addr %p
AddDevice patched by %s, addr %p
Handler %s patched by %s, addr %p
Handler %s patched, addr %p
Handler %d patched by %s, addr %p
Handler %d patched, addr %p
FastIOHandler %s patched by %s, addr %p
FastIOHandler %s patched, addr %p
FastIOHandler %d patched by %s, addr %p
FastIOHandler %d patched, addr %p
FS_FILTER_CALLBACKS %s patched by %s, addr %p
FS_FILTER_CALLBACKS %s patched, addr %p
FS_FILTER_CALLBACKS %d patched by %s, addr %p
FS_FILTER_CALLBACKS %d patched, addr %p
StartIo patched by %s, addr %p
read_fsmjxxx(%S): cannot make full driver name
read_fsmjxxx(%S) failed, error %d, ntstatus %X
read_fsmjxxx(%S) failed, error %d
read_mjxxx(%s): cannot make full driver name
read_mjxxx(%S) failed, error %d, ntstatus %X
read_mjxxx(%S) failed, error %d
Cannot alloc %X bytes for driver %s EAT checking
read_driver_eat %s failed, error %d, status %X
read_driver_eat %s failed, error %d
Export addr %s.%s patched by %s !
Export addr %s.%s patched !
Export addr %s.%d patched by %s !
Export addr %s.%d patched!
\hal.dll
\SystemRoot\system32\drivers\ndis.sys
ndis.sys
drivers\ndis.sys
\SystemRoot\system32\DRIVERS\tdi.sys
tdi.sys
drivers\tdi.sys
\SystemRoot\system32\DRIVERS\tcpip.sys
tcpip.sys
drivers\tcpip.sys
\SystemRoot\system32\DRIVERS\netio.sys
netio.sys
drivers\netio.sys
\SystemRoot\system32\DRIVERS\fltmgr.sys
fltmgr.sys
drivers\fltmgr.sys
\SystemRoot\system32\DRIVERS\ks.sys
ks.sys
drivers\ks.sys
\SystemRoot\system32\DRIVERS\dxg.sys
drivers\dxg.sys
\SystemRoot\system32\DRIVERS\dxgkrnl.sys
drivers\dxgkrnl.sys
\SystemRoot\system32\DRIVERS\watchdog.sys
drivers\watchdog.sys
\SystemRoot\system32\DRIVERS\ksecdd.sys
ksecdd.sys
drivers\ksecdd.sys
\SystemRoot\System32\Drivers\Ntfs.sys
ntfs.sys
\SystemRoot\system32\CLFS.SYS
CLFS.SYS
\SystemRoot\system32\drivers\ataport.sys
ataport.sys
\SystemRoot\system32\drivers\atapi.sys
atapi.sys
\SystemRoot\system32\drivers\peauth.sys
peauth.sys
\SystemRoot\system32\drivers\WDFLDR.sys
WDFLDR.sys
\SystemRoot\system32\drivers\usbstor.sys
usbstor.sys
\SystemRoot\system32\drivers\usbd.sys
usbd.sys
\SystemRoot\system32\drivers\USBPORT.sys
USBPORT.sys
\SystemRoot\system32\drivers\usbohci.sys
usbohci.sys
\SystemRoot\system32\drivers\usbehci.sys
usbehci.sys
\SystemRoot\system32\drivers\usbhub.sys
usbhub.sys
\SystemRoot\system32\drivers\usbccgp.sys
usbccgp.sys
\SystemRoot\system32\drivers\discache.sys
discache.sys
\SystemRoot\system32\drivers\termdd.sys
termdd.sys
\SystemRoot\system32\drivers\rdppr.sys
rdppr.sys
\SystemRoot\system32\drivers\mssmbios.sys
mssmbios.sys
\SystemRoot\system32\drivers\1394BUS.SYS
1394BUS.SYS
\SystemRoot\system32\drivers\BATTC.SYS
BATTC.SYS
\SystemRoot\system32\drivers\bthport.sys
bthport.sys
\SystemRoot\system32\drivers\drmk.sys
drmk.sys
\SystemRoot\system32\drivers\HIDPARSE.SYS
HIDPARSE.SYS
\SystemRoot\system32\drivers\HIDCLASS.SYS
HIDCLASS.SYS
\SystemRoot\system32\drivers\msiscsi.sys
msiscsi.sys
\SystemRoot\system32\drivers\PCIIDEX.SYS
PCIIDEX.SYS
\SystemRoot\system32\drivers\portcls.sys
portcls.sys
\SystemRoot\system32\drivers\smsmdm.sys
smsmdm.sys
\SystemRoot\system32\drivers\STREAM.SYS
STREAM.SYS
\SystemRoot\system32\drivers\vga.sys
vga.sys
\SystemRoot\system32\drivers\VIDEOPRT.SYS
VIDEOPRT.SYS
\SystemRoot\system32\drivers\vmstorfl.sys
vmstorfl.sys
\SystemRoot\system32\drivers\Dxapi.sys
Dxapi.sys
\SystemRoot\system32\drivers\dxgthk.sys
dxgthk.sys
\SystemRoot\system32\drivers\dxgmms1.sys
dxgmms1.sys
\SystemRoot\system32\drivers\spsys.sys
spsys.sys
\SystemRoot\system32\drivers\winhv.sys
winhv.sys
\SystemRoot\system32\drivers\HdAudio.sys
HdAudio.sys
\SystemRoot\System32\cdd.dll
cdd.dll
\SystemRoot\System32\ATMFD.DLL
ATMFD.DLL
\SystemRoot\System32\RDPDD.dll
RDPDD.dll
\SystemRoot\system32\drivers\vwifibus.sys
vwifibus.sys
\SystemRoot\system32\drivers\nwifi.sys
nwifi.sys
\SystemRoot\system32\drivers\vwififlt.sys
vwififlt.sys
\SystemRoot\system32\drivers\wfplwf.sys
wfplwf.sys
\SystemRoot\system32\drivers\wfplwfs.sys
wfplwfs.sys
\SystemRoot\system32\drivers\tmtdi.sys
tmtdi.sys
\SystemRoot\system32\drivers\netvsc60.sys
netvsc60.sys
\SystemRoot\system32\drivers\mslldp.sys
mslldp.sys
\SystemRoot\system32\drivers\netvsc63.sys
netvsc63.sys
\SystemRoot\system32\drivers\ndiscap.sys
ndiscap.sys
\SystemRoot\system32\drivers\agilevpn.sys
agilevpn.sys
\SystemRoot\system32\drivers\asyncmac.sys
asyncmac.sys
\SystemRoot\system32\drivers\mpsdrv.sys
mpsdrv.sys
\SystemRoot\system32\drivers\rspndr.sys
rspndr.sys
\SystemRoot\system32\drivers\ndisuio.sys
ndisuio.sys
\SystemRoot\system32\drivers\lltdio.sys
lltdio.sys
\SystemRoot\system32\drivers\NDProxy.sys
NDProxy.sys
\SystemRoot\system32\drivers\raspppoe.sys
raspppoe.sys
\SystemRoot\system32\drivers\ndiswan.sys
ndiswan.sys
\SystemRoot\system32\drivers\wanarp.sys
wanarp.sys
\SystemRoot\system32\drivers\bthpan.sys
bthpan.sys
\SystemRoot\system32\drivers\rassstp.sys
rassstp.sys
\SystemRoot\system32\drivers\raspptp.sys
raspptp.sys
\SystemRoot\system32\drivers\rasl2tp.sys
rasl2tp.sys
\SystemRoot\system32\drivers\rasacd.sys
rasacd.sys
\SystemRoot\system32\drivers\tunnel.sys
tunnel.sys
\SystemRoot\system32\drivers\tunmp.sys
tunmp.sys
\SystemRoot\system32\drivers\pacer.sys
pacer.sys
\SystemRoot\system32\drivers\NDISTAPI.SYS
NDISTAPI.SYS
\SystemRoot\system32\drivers\msgpc.sys
msgpc.sys
\SystemRoot\system32\drivers\partmgr.sys
partmgr.sys
\SystemRoot\system32\drivers\volmgr.sys
volmgr.sys
\SystemRoot\system32\drivers\volmgrx.sys
volmgrx.sys
\SystemRoot\system32\drivers\mountmgr.sys
mountmgr.sys
\SystemRoot\system32\drivers\iaStor.sys
iaStor.sys
\SystemRoot\system32\drivers\volsnap.sys
volsnap.sys
\SystemRoot\system32\drivers\ACPI.sys
acpi.sys
\SystemRoot\System32\Drivers\WppRecorder.sys
WppRecorder.sys
\SystemRoot\System32\Drivers\Mouclass.sys
Mouclass.sys
\SystemRoot\System32\Drivers\kbdclass.sys
kbdclass.sys
\SystemRoot\System32\Drivers\Fastfat.SYS
Fastfat.sys
\SystemRoot\System32\Drivers\bowser.sys
bowser.sys
\SystemRoot\System32\Drivers\rdbss.sys
rdbss.sys
\SystemRoot\System32\Drivers\msfs.sys
msfs.sys
\SystemRoot\System32\Drivers\NetBIOS.sys
NetBIOS.sys
\SystemRoot\System32\Drivers\mup.sys
mup.sys
\SystemRoot\System32\Drivers\dfs.sys
dfs.sys
\SystemRoot\System32\Drivers\dfsc.sys
dfsc.sys
\SystemRoot\System32\Drivers\npfs.SYS
npfs.sys
\SystemRoot\System32\Drivers\luafv.SYS
luafv.sys
\SystemRoot\System32\Drivers\MRxSmb.SYS
MRxSmb.sys
\SystemRoot\System32\Drivers\MRxSmb10.SYS
MRxSmb10.sys
\SystemRoot\System32\Drivers\MRxSmb20.SYS
MRxSmb20.sys
\SystemRoot\System32\Drivers\MRxDAV.SYS
MRxDAV.sys
\SystemRoot\system32\Drivers\fltmgr.sys
\SystemRoot\system32\Drivers\TDI.SYS
\SystemRoot\system32\Drivers\tdx.sys
\SystemRoot\system32\Drivers\ipfltdrv.sys
\SystemRoot\system32\Drivers\tcpip.sys
\SystemRoot\System32\drivers\afd.sys
afd.sys
\SystemRoot\System32\drivers\netbt.sys
\SystemRoot\System32\drivers\NETIO.sys
\SystemRoot\System32\drivers\srv.sys
srv.sys
\SystemRoot\System32\drivers\srv2.sys
srv2.sys
\SystemRoot\System32\drivers\srvnet.sys
\SystemRoot\System32\drivers\sr.sys
sr.sys
\SystemRoot\System32\win32k.sys
\SystemRoot\System32\drivers\http.sys
http.sys
\SystemRoot\System32\drivers\fwpkclnt.sys
\SystemRoot\system32\DRIVERS\msrpc.sys
msrpc.sys
\SystemRoot\system32\DRIVERS\disk.sys
disk.sys
\SystemRoot\system32\DRIVERS\ftdisk.sys
ftdisk.sys
\SystemRoot\system32\DRIVERS\Storport.SYS
Storport.SYS
\SystemRoot\system32\DRIVERS\CLASSPNP.SYS
CLASSPNP.SYS
\SystemRoot\system32\Drivers\ks.sys
\SystemRoot\System32\Drivers\ksecdd.sys
ksecdd.SYS
\SystemRoot\system32\kdcom.dll
kdcom.dll
\SystemRoot\System32\Drivers\cng.sys
cng.sys
\SystemRoot\system32\PSHED.dll
PSHED.dll
\SystemRoot\system32\CI.dll
CI.dll
\SystemRoot\system32\DRIVERS\WMILIB.SYS
wmilib.sys
Cannot find %s for IAT resolving of %s
Cannot alloc %X bytes for drivers IAT checking
Cannot find %s import %s.%s
Cannot find %s import %s.%d
IAT %s %s.%s patched, addr %p
IAT %s %s.%d patched, addr %p
IAT %s %s.%s patched by %s, addr %p
IAT %s %s.%d patched by %s, addr %p
%s has %d patched IAT entries (total %d)
reading of IAT %s failed, readed %X, actual IAT size %X, error %d
check_exts count failed, error %d, ntstatus %X
check_exts count failed, error %d
check_exts: cannot alloc %X bytes
check_exts failed, error %d, ntstatus %X
check_exts failed, error %d
Ext[%X]:
Handler1: %p %s
Handler2: %p %s
Handler3: %p %s
Table: %X items %p %s
Item[%X]: %p %s
IRP_MJ_CREATE_NAMED_PIPE
Unknown fltmgr: FrameList %X FilterSize %X cbn %X
Unknown fltmgr: FrameList %X FilterSize %X
FltMgr: index %d
FRAME[%d] %p
%s: %p
NormalizeNameComponent: %p %s
NormalizeContextCleanup: %p %s
PreOperation: %p %s
PostOperation: %p %s
check_ks: cannot read size of ks list, error %d, ntstatus %X
check_ks: cannot read size of ks list, error %d
ks count: %X
check_ks: cannot alloc %X bytes
check_ks: cannot read ks list, error %d, ntstatus %X
check_ks: cannot read ks list, error %d
ks[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
ChangeAccountPassword
ImportSecurityContext
ExportSecurityContext
gKsecpBCryptExtension: %p %s
gKsecpSslExtension: %p %s
SecTable.%s patched %p %s
dxg.sys
dxgkrnl.sys
Win32kCallout: %p %s
SessionStartCallout: %p %s
KTIMER %p DPC %p DefRoutine %p %s
Cannot find KPRCB.DpcRoutineActive
Unknown KPRCB: DpcRoutineActive %X WorkerRoutine %X
Unknown KPRCB: DpcRoutineActive %X
Processor %d:
KTIMERS[%d]: %X
Patched %s   %X by %s
Patched ord.%d   %X by %s
Patched %s   %X
Patched ord.%d   %X
Patched %s by %s
Patched ord.%d by %s
Patched %s
Patched ord.%d
Exception %X occured during EAT checking of %s
check_module_iat(%s) - cannot find exports for %s
check_module_iat(%s): zeroed ImportLookUp, cannot check import
Cannot find ordinal %X in module %s (%s) in import table of %s
Cannot find symbol %s in module %s (%s) in import table of %s
(%s) %s.%s hooked in %s: my IAT %p, must be %p
(%s) %s.%d hooked in %s: my IAT %p, must be %p
apfn %s patched by %s, addr %p
apfn[%d] patched by %s, addr %p
apfn %s patched, addr %p
apfn[%d] patched, addr %p
%s%s!%s patched by %s, addr %p
%s%s![%d] patched by %s, addr %p
%s%s!%s patched, addr %p
%s%s![%d] patched, addr %p
LSA SP %s has %d patched functions in SECPKG_FUNCTION_TABLE:
PID %d: LSA SP %s has %d patched functions in SECPKG_USER_FUNCTION_TABLE:
PID %d: LSA SP %s has %d patched functions in CallPackageDispatch:
ole32 hooked by %s
Cannot relocate section %s!%s
Exception %X occured on checking %s!%s
Module %s!%s has %X patched bytes !
Exception %X occured on check_module_iat(%s)
MyModule: %p %s
%SystemRoot%\System32\ncrypt.dll
%SystemRoot%\System32\ntdsa.dll
%SystemRoot%\System32\kernelbase.dll
%SystemRoot%\System32\kernel32.dll
%SystemRoot%\System32\user32.dll
%SystemRoot%\System32\umpnpmgr.dll
%SystemRoot%\System32\combase.dll
%SystemRoot%\System32\ole32.dll
%SystemRoot%\System32\imm32.dll
%SystemRoot%\System32\rpcrt4.dll
%SystemRoot%\System32\mswsock.dll
%SystemRoot%\System32\advapi32.dll
%SystemRoot%\System32\cryptbase.dll
%SystemRoot%\System32\apisetschema.dll
read_ndis_oid_handlers failed, returned %d bytes, error %d, ntstatus %X
read_ndis_oid_handlers failed, returned %d bytes, error %d
[%X] %s: post %p %s
[%X] %s: pre %p %s
[%X] %s: pre %p (%s) post %p (%s)
[%X] %X: post %p %s
[%X] %X: pre %p %s
[%X] %X: pre %p (%s) post %p (%s)
read_tcp_off_handlers failed, returned %d bytes, error %d, ntstatus %X
read_tcp_off_handlers failed, returned %d bytes, error %d
TcpOfflineHandlers:
TcpOffloadEventIndicate: %p %s
TcpOffloadReceiveIndicate: %p %s
TcpOffloadSendComplete: %p %s
TcpOffloadReceiveComplete: %p %s
TcpOffloadDisconnectComplete: %p %s
TcpOffloadForwardComplete: %p %s
Cannot alloc %X bytes from reading filter block
read_ndis_filter_block: len %d, returned %d bytes, error %d, ntstatus %X
read_ndis_filter_block: len %d, returned %d bytes, error %d
check_ndis - reading of TDI callback failed, error %d, ntstatus %X
check_ndis - reading of TDI callback failed, error %d
check_ndis - reading of TDI PnP handler failed, error %d, ntstatus %X
check_ndis - reading of TDI PnP handler failed, error %d
TDI callback %p patched by %s
TDI PnP handler %p patched by %s
check_ndis - reading of providers count failed, error %d, ntstatus %X
check_ndis - reading of providers count failed, error %d
check_ndis: %d providers
check_ndis: cannot alloc %X bytes
Cannot store provider_block %p (%d)
check_ndis: stored %d provider_blocks
check_ndis - reading of interfaces count failed, error %d, ntstatus %X
check_ndis - reading of interfaces count failed, error %d
check_ndis: %d interfaces, size of miniport %X
Interface[%d]:
check_ndis - reading of protocols count failed, error %d, ntstatus %X
check_ndis - reading of protocols count failed, error %d
check_ndis: %d protocols, size of protocol %X
check_ndis: stored %d protocols
check_ndis - reading of minidrivers count failed, error %d, ntstatus %X
check_ndis - reading of minidrivers count failed, error %d
check_ndis: %d minidrivers, size of minidriver %X, sizeof(ndis50) %X, sizeof(ndis52) %X
Cannot store minidriver %d (%p)
Stored %d mini-drivers
check_ndis - reading of miniports count failed, error %d, ntstatus %X
check_ndis - reading of miniports count failed, error %d
check_ndis: %d miniports, size of miniport %X
check_ndis: read %d miniports, total %X
Miniport[%d] %p:
check_ndis: stored %d miniports, sizeof(miniport_block_w7) %X
check_ndis - reading of open_blocks count failed, error %d, ntstatus %X
check_ndis - reading of open_blocks count failed, error %d
check_ndis: %d open_blocks, size of open_block %X
check_ndis: read %d open_blocks, total %X
Open_Block[%d]:
Cannot store open_block %p (%d)
check_ndis: stored %d open_blocks
check_ndis - reading of filter_drivers count failed, error %d, ntstatus %X
check_ndis - reading of filter_drivers count failed, error %d
check_ndis: %d filter_drivers, size of open_block %X
check_ndis: read %d filter_drivers, total %X
FilterDriver[%d]:
check_ndis: stored %d filter_drivers, %d filter_blocks
Passive
read_punicode_string failed, len %d, returned %d bytes, error %d, ntstatus %X
read_punicode_string failed, len %d, returned %d bytes, error %d
Cannot read NDIS_MINIPORT_INTERRUPT %p
NDIS_MINIPORT_INTERRUPT:
MiniportIsr: %p %s
MiniportDpc: %p %s
Cannot read NDIS_MINIPORT_INTERRUPT_CHARACTERISTICS %p
NDIS_MINIPORT_INTERRUPT_CHARACTERISTICS:
InterruptHandler: %p %s
InterruptDpcHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
MessageInterruptHandler: %p %s
MessageInterruptDpcHandler: %p %s
DisableMessageInterruptHandler: %p %s
EnableMessageInterruptHandler: %p %s
MiniportIsr: %p %s
MiniportDpc: %p %s
MiniportMessageIsr: %p %s
MiniportMessageInterruptDpc: %p %s
MiniportIsr: %p %s
MiniportDpc: %p %s
MiniportEnableInterrupt: %p %s
MiniportDisableInterrupt: %p %s
MiniportMessageIsr: %p %s
MiniportMessageInterruptDpc: %p %s
MiniportDisableMessageInterrupt: %p %s
MiniportEnableMessageInterrupt: %p %s
NDIS Protocol[%d]: %S
MajorNdisVersion %d
MinorNdisVersion %d
Flags %X
OpenAdapterCompleteHandler: %p %s
CloseAdapterCompleteHandler: %p %s
SendCompleteHandler: %p %s
TransferDataCompleteHandler: %p %s
ResetCompleteHandler: %p %s
RequestCompleteHandler: %p %s
ReceiveHandler: %p %s
ReceiveCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
ReceivePacketHandler: %p %s
BindAdapterHandler: %p %s
UnbindAdapterHandler: %p %s
PnPEventHandler: %p %s
UnloadHandler: %p %s
CoSendCompleteHandler: %p %s
CoStatusHandler: %p %s
CoReceivePacketHandler: %p %s
CoAfRegisterNotifyHandler: %p %s
MajorNdisVersion %d
MinorNdisVersion %d
MajorDriverVersion %d
MinorDriverVersion %d
Flags %X
IsIPv4 %d
IsIPv6 %d
IsNdisTest6 %d
BindAdapterHandlerEx: %p %s
UnbindAdapterHandlerEx: %p %s
OpenAdapterCompleteHandlerEx: %p %s
CloseAdapterCompleteHandlerEx: %p %s
PnPEventHandler: %p %s
UnloadHandler: %p %s
UninstallHandler: %p %s
RequestCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
ReceiveNetBufferListsHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
CoStatusHandler: %p %s
CoAfRegisterNotifyHandler: %p %s
CoReceiveNetBufferListsHandler: %p %s
CoSendNetBufferListsCompleteHandler: %p %s
OpenAdapterCompleteHandler: %p %s
CloseAdapterCompleteHandler: %p %s
SendCompleteHandler: %p %s
TransferDataCompleteHandler: %p %s
ResetCompleteHandler: %p %s
ReceiveHandler: %p %s
ReceiveCompleteHandler: %p %s
ReceivePacketHandler: %p %s
BindAdapterHandler: %p %s
UnbindAdapterHandler: %p %s
CoSendCompleteHandler: %p %s
CoReceivePacketHandler: %p %s
OidRequestCompleteHandler: %p %s
InitiateOffloadCompleteHandler: %p %s
TerminateOffloadCompleteHandler: %p %s
UpdateOffloadCompleteHandler: %p %s
InvalidateOffloadCompleteHandler: %p %s
QueryOffloadCompleteHandler: %p %s
IndicateOffloadEventHandler: %p %s
TcpOffloadSendCompleteHandler: %p %s
TcpOffloadReceiveCompleteHandler: %p %s
TcpOffloadDisconnectCompleteHandler: %p %s
TcpOffloadForwardCompleteHandler: %p %s
TcpOffloadEventHandler: %p %s
TcpOffloadReceiveIndicateHandler: %p %s
Unknown NDIS Type %X and Size %X
DirectOidRequestCompleteHandler: %p %s
AllocateSharedMemoryHandler: %p %s
FreeSharedMemoryHandler: %p %s
Unknown ndis protocol size: %X
NDIS MiniDriver[%d] %p
MajorNdisVersion: %d
MinorNdisVersion: %d
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CancelSendPacketsHandler: %p %s
PnPEventNotifyHandler: %p %s
AdapterShutdownHandler: %p %s
CheckForHangHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
HaltHandler %p %s
HandleInterruptHandler: %p %s
InitializeHandler: %p %s
ISRHandler: %p %s
QueryInformationHandler: %p %s
ReconfigureHandler: %p %s
ResetHandler: %p %s
SendHandler: %p %s
SetInformationHandler: %p %s
TransferDataHandler: %p %s
ReturnPacketHandler: %p %s
SendPacketsHandler: %p %s
AllocateCompleteHandler: %p %s
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendPacketsHandler: %p %s
CoRequestHandler: %p %s
CancelSendPacketsHandler: %p %s
PnPEventNotifyHandler: %p %s
AdapterShutdownHandler: %p %s
ISRHandlerEx: %p %s
HandleInterruptHandlerEx: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
ReturnPacketsHandlerEx: %p %s
RequestTimeoutDpcHandler: %p %s
MajorNdisVersion: %d
MinorNdisVersion: %d
MajorDriverVersion: %d
MinorDriverVersion: %d
Flags: %X
SetOptionsHandler: %p %s
InitializeHandlerEx: %p %s
HaltHandlerEx: %p %s
UnloadHandler: %p %s
PauseHandler: %p %s
RestartHandler: %p %s
OidRequestHandler: %p %s
SendNetBufferListsHandler: %p %s
ReturnNetBufferListsHandler: %p %s
CancelSendHandler: %p %s
CheckForHangHandlerEx: %p %s
ResetHandlerEx: %p %s
DevicePnPEventNotifyHandler: %p %s
ShutdownHandlerEx: %p %s
CancelOidRequestHandler: %p %s
DirectOidRequestHandler: %p %s
CancelDirectOidRequestHandler: %p %s
NDIS MiniPort[%d] %p
State: %s
MediaType: %s
AdapterType: %s
DefaultSendAuthorizationState: %s
DefaultRcvAuthorizationState: %s
DefaultPortSendAuthorizationState: %s
DefaultPortRcvAuthorizationState: %s
NextCancelSendNetBufferListsHandler: %p %s
PacketIndicateHandler: %p %s
SendCompleteHandler: %p %s
SendResourcesHandler: %p %s
ResetCompleteHandler: %p %s
DisableInterruptHandler: %p %s
EnableInterruptHandler: %p %s
SendPacketsHandler: %p %s
DeferredSendHandler: %p %s
EthRxIndicateHandler: %p %s
NextSendNetBufferListsHandler: %p %s
EthRxCompleteHandler: %p %s
SavedNextSendNetBufferListsHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
TDCompleteHandler: %p %s
QueryCompleteHandler: %p %s
SetCompleteHandler: %p %s
WanSendCompleteHandler: %p %s
WanRcvHandler: %p %s
WanRcvCompleteHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
WSendPacketsHandler: %p %s
NextSendPacketsHandler: %p %s
FinalSendPacketsHandler: %p %s
TopIndicateNetBufferListsHandler: %p %s
TopIndicateLoopbackNetBufferListsHandler: %p %s
Ndis5PacketIndicateHandler: %p %s
MiniportReturnPacketHandler: %p %s
SynchronousReturnPacketHandler: %p %s
TopNdis5PacketIndicateHandler: %p %s
AllocateSharedMemoryHandler: %p %s
FreeSharedMemoryHandler: %p %s
SetBusData: %p %s
GetBusData: %p %s
NoFilter.CancelSendHandler %p %s
NoFilter.SendNetBufferListsCompleteHandler %p %s
NoFilter.IndicateNetBufferListsHandler %p %s
NoFilter.SaveIndicateNetBufferListsHandler %p %s
NoFilter.ReturnNetBufferListsHandler %p %s
NoFilter.SendNetBufferListsHandler %p %s
Next.CancelSendHandler %p %s
Next.SendNetBufferListsCompleteHandler %p %s
Next.IndicateNetBufferListsHandler %p %s
Next.SaveIndicateNetBufferListsHandler %p %s
Next.ReturnNetBufferListsHandler %p %s
Next.SendNetBufferListsHandler %p %s
Name: %S
BaseName: %S
SymbolicLinkName: %S
NextCancelSendNetBufferListsHandler %p %s
TrRxIndicateHandler: %p %s
TrRxCompleteHandler: %p %s
IndicateNetBufferListsHandler: %p %s
NextReturnNetBufferLists: %p %s
SavedIndicateNetBufferListsHandler: %p %s
SavedPacketIndicateHandler: %p %s
ShutdownHandler: %p %s
NDIS MiniPort[%d] %S
BusType: %s
PacketIndicateHandler: %p %s
SendCompleteHandler: %p %s
SendResourcesHandler: %p %s
ResetCompleteHandler: %p %s
DeferredSendHandler: %p %s
EthRxIndicateHandler: %p %s
TrRxIndicateHandler: %p %s
FddiRxIndicateHandler: %p %s
EthRxCompleteHandler: %p %s
TrRxCompleteHandler: %p %s
FddiRxCompleteHandler: %p %s
StatusHandler: %p %s
StatusCompleteHandler: %p %s
TDCompleteHandler: %p %s
QueryCompleteHandler: %p %s
SetCompleteHandler: %p %s
WanSendCompleteHandler: %p %s
WanRcvHandler: %p %s
WanRcvCompleteHandler: %p %s
AdapterInstanceName: %S
OpenBlock [%d] %p
RootName: %S
BindName: %S
ProtocolMajorVersion: %X
NextSendHandler: %p %s
NextReturnNetBufferListsHandler: %p %s
SendHandler: %p %s
TransferDataHandler: %p %s
WanReceiveHandler: %p %s
SendPacketsHandler: %p %s
ResetHandler: %p %s
RequestHandler: %p %s
OidRequestHandler: %p %s
WSendHandler: %p %s
WTransferDataHandler: %p %s
WSendPacketsHandler: %p %s
CancelSendPacketsHandler: %p %s
ProtSendNetBufferListsComplete: %p %s
NextSendNetBufferListsComplete: %p %s
ReceiveNetBufferLists: %p %s
SavedSendNBLHandler: %p %s
SavedSendPacketsHandler: %p %s
SavedCancelSendPacketsHandler: %p %s
SavedSendHandler: %p %s
Ndis5WanSendHandler: %p %s
ProtSendCompleteHandler: %p %s
OidRequestCompleteHandler %p %s
OpenFlags: %X
DirectOidRequestHandler: %p %s
RootName: %S
BindName: %S
Flags: %X
SendHandler: %p %s
WanSendHandler: %p %s
TransferDataHandler: %p %s
WanReceiveHandler: %p %s
SendPacketsHandler: %p %s
ResetHandler: %p %s
RequestHandler: %p %s
WSendHandler: %p %s
WTransferDataHandler: %p %s
WSendPacketsHandler: %p %s
CancelSendPacketsHandler: %p %s
Flags %X
Mtu %X
PromiscuousMode %d
AccessType %s
DirectionType %s
ConnectionType %s
MediaType %s
MediaConnectState %s
AdminStatus %s
OperStatus %s
InterfaceGuid %s
NetworkGuid %s
ifIndex %X
ifDescr %S
ifAlias %S
FilterDriverCharacteristics[%d]:
FriendlyName: %S
UniqueName: %S
ServiceName: %S
SetOptionsHandler: %p %s
SetFilterModuleOptionsHandler: %p %s
AttachHandler: %p %s
DetachHandler: %p %s
RestartHandler: %p %s
PauseHandler: %p %s
SendNetBufferListsHandler: %p %s
SendNetBufferListsCompleteHandler: %p %s
CancelSendNetBufferListsHandler: %p %s
ReceiveNetBufferListsHandler: %p %s
ReturnNetBufferListsHandler: %p %s
OidRequestHandler: %p %s
OidRequestCompleteHandler: %p %s
CancelOidRequestHandler: %p %s
DevicePnPEventNotifyHandler: %p %s
NetPnPEventHandler: %p %s
StatusHandler: %p %s
DirectOidRequestHandler: %p %s
DirectOidRequestCompleteHandler: %p %s
CancelDirectOidRequestHandler: %p %s
InterfaceGuid: %s
FilterState: %s
NextSendNetBufferListsHandler: %p %s
NextSendNetBufferListsCompleteHandler: %p %s
NextIndicateReceiveNetBufferListsHandler: %p %s
NextReturnNetBufferListsHandler: %p %s
NextCancelSendNetBufferListsHandler: %p %s
SetFilterModuleOptionalHandlers: %p %s
OidRequestHandler: %p %s
OidRequestCompleteHandler: %p %s
CancelRequestHandler: %p %s
DevicePnPEventNotifyHandler: %p %s
NetPnPEventHandler: %p %s
StatusHandler: %p %s
FilterSendNetBufferListsHandler: %p %s
FilterIndicateReceiveNetBufferListsHandler: %p %s
FilterCancelSendNetBufferListsHandler: %p %s
InitiateOffloadCompleteHandler: %p %s
TerminateOffloadCompleteHandler: %p %s
UpdateOffloadCompleteHandler: %p %s
InvalidateOffloadCompleteHandler: %p %s
QueryOffloadCompleteHandler: %p %s
IndicateOffloadEventHandler: %p %s
TcpOffloadSendCompleteHandler: %p %s
TcpOffloadReceiveCompleteHandler: %p %s
TcpOffloadDisconnectCompleteHandler: %p %s
TcpOffloadForwardCompleteHandler: %p %s
TcpOffloadEventHandler: %p %s
TcpOffloadReceiveIndicateHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
DirectOidRequestHandler: %p %s
DirectOidRequestCompleteHandler: %p %s
CancelDirectOidRequestHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
Provider[%d]: %p
QueryObjectHandler: %p %s
SetObjectHandler: %p %s
FilterDriverBlock[%d]
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
ClCreateVcHandler: %p %s
ClDeleteVcHandler: %p %s
ClOidRequestHandler: %p %s
ClOidRequestCompleteHandler: %p %s
ClOpenAfCompleteHandlerEx: %p %s
ClCloseAfCompleteHandler: %p %s
ClRegisterSapCompleteHandler: %p %s
ClDeregisterSapCompleteHandler: %p %s
ClMakeCallCompleteHandler: %p %s
ClModifyCallQoSCompleteHandler: %p %s
ClCloseCallCompleteHandler: %p %s
ClAddPartyCompleteHandler: %p %s
ClDropPartyCompleteHandler: %p %s
ClIncomingCallHandler: %p %s
ClIncomingCallQoSChangeHandler: %p %s
ClIncomingCloseCallHandler: %p %s
ClIncomingDropPartyHandler: %p %s
ClCallConnectedHandler: %p %s
ClNotifyCloseAfHandler: %p %s
CmCreateVcHandler: %p %s
CmDeleteVcHandler: %p %s
CmOpenAfHandler: %p %s
CmCloseAfHandler: %p %s
CmRegisterSapHandler: %p %s
CmDeregisterSapHandler: %p %s
CmMakeCallHandler: %p %s
CmCloseCallHandler: %p %s
CmIncomingCallCompleteHandler: %p %s
CmAddPartyHandler: %p %s
CmDropPartyHandler: %p %s
CmActivateVcCompleteHandler: %p %s
CmDeactivateVcCompleteHandler: %p %s
CmModifyCallQoSHandler: %p %s
CmOidRequestHandler: %p %s
CmOidRequestCompleteHandler: %p %s
CmNotifyCloseAfCompleteHandler: %p %s
DriverVersion: %X
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendNetBufferListsHandler: %p %s
CoRequestHandler: %p %s
CoOidRequestHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
AddDeviceHandler: %p %s
RemoveDeviceHandler: %p %s
FilterResourceRequirementsHandler: %p %s
StartDeviceHandler: %p %s
ServiceName: %S
CoCreateVcHandler: %p %s
CoDeleteVcHandler: %p %s
CoActivateVcHandler: %p %s
CoDeactivateVcHandler: %p %s
CoSendNetBufferListsHandler: %p %s
CoRequestHandler: %p %s
CoOidRequestHandler: %p %s
InitiateOffloadHandler: %p %s
TerminateOffloadHandler: %p %s
UpdateOffloadHandler: %p %s
InvalidateOffloadHandler: %p %s
QueryOffloadHandler: %p %s
TcpOffloadSendHandler: %p %s
TcpOffloadReceiveHandler: %p %s
TcpOffloadDisconnectHandler: %p %s
TcpOffloadForwardHandler: %p %s
TcpOffloadReceiveReturnHandler: %p %s
AddDeviceHandler: %p %s
RemoveDeviceHandler: %p %s
FilterResourceRequirementsHandler: %p %s
StartDeviceHandler: %p %s
OpenNDKAdapterHandler: %p %s
CloseNDKAdapterHandler: %p %s
IdleNotificationHandler: %p %s
CancelIdleNotificationHandler: %p %s
AllocateNetBufferListForwardingContextHandler: %p %s
FreeNetBufferListForwardingContextHandler: %p %s
AddNetBufferListDestinationHandler: %p %s
SetNetBufferListSourceHandler: %p %s
GrowNetBufferListDestinationsHandler: %p %s
GetNetBufferListDestinationsHandler: %p %s
UpdateNetBufferListDestinationsHandler: %p %s
CopyNetBufferListInfoHandler: %p %s
ReferenceSwitchNicHandler: %p %s
DereferenceSwitchNicHandler: %p %s
ReferenceSwitchPortHandler: %p %s
DereferenceSwitchPortHandler: %p %s
ReportFilteredNetBufferListsHandler: %p %s
ImageName: %S
SetNetBufferListSwitchContextHandler: %p %s
GetNetBufferListSwitchContextHandler: %p %s
netio legacy handler %p %s
read netio legacy handler failed, error %d, status %X
read netio legacy handler failed, error %d
%p %s
read netio WfpNblInfoDispTable failed, error %d, status %X
read netio WfpNblInfoDispTable failed, error %d
netio MacShim %p %s
WfpShim[%d] %p %s
Unknown WFP callout size %d
WFP callout[%d]:
ClassifyCallback: %p %s
NotifyCallback: %p %s
uFlowDeleteFunction: %p %s
Exception %X on sysptr seed reading at %p
Decode system scheme - %s
Decode scheme - %s
Cannot read my process cookie, error %X
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X (%p) %s
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X %p
SystemFunction%3.3d (%p) %s
PFNCLIENT.%s patched by %s (%p)
PFNCLIENT.%s patched %p
check_user32_pfnclient: exception %X occured
PFNCLIENTWORKER.%s patched by %s (%p)
PFNCLIENTWORKER.%s patched %p
ConsoleCtrlHandler[%d]: %s (%p)
ConsoleCtrlHandler[%d]: %p UNKNOWN
ConsoleCtrlHandler: %s (%p)
UnhandledExceptionFilter: %s (%p)
ShimModule: %s (%p)
RtlpStartThreadFunc: %s (%p)
RtlpExitThreadFunc: %s (%p)
RtlpUnhandledExceptionFilter: %s (%p)
RtlSecureMemoryCacheCallback: %s (%p)
TppLogpRoutine: %s (%p)
CsrServerApiRoutine: %s (%p)
LdrpManifestProberRoutine: %s (%p)
LdrpCreateActCtxLanguage: %s (%p)
LdrpReleaseActCtx: %s (%p)
LdrpAppCompatDllRedirectionCallbackFunction: %s (%p)
%s%s!%s patched by %s (addr %p)
%s%s.%d patched by %s (addr %p)
%s%s.%d patched, addr %p
PID %d trace callbacks: %d
Trace[%d] %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X %p %s
Process PID %d has the same token as system process: %p !!!
Process PID %d token: %p
%p %s %8X
%p %s %8X
CheckProc: cannot get modules list for PID %d (%S), error %d, ntstatus %X
CheckProc: cannot get modules list for PID %d (%S), error %d
CheckProcess PID %d (%S):
PEB.PostProcessInitRoutine: %p %s
PEB.PostProcessInitRoutine: %p UNKNOWN
PEB.pShimData: %p
PEB.AppCompat: %p
PEB.FastPebLockRoutine: %p %s
PEB.FastPebLockRoutine: %p UNKNOWN
PEB.FastPebUnlockRoutine: %p %s
PEB.FastPebUnlockRoutine: %p UNKNOWN
Module: %s at %p
Cannot read %s, PID %d, error %d
PID %d: LSA SP %s has %d patched functions in SECPKG_FUNCTION_TABLE:
PID %d: ncrypt has %d patched functions
PID %d: mswsock has %d patched functions in SockProcTable
PID %d: mswsock has %d patched functions in NspVector
PID %d: mswsock has %d patched MSAFD functions
SHAREDINFO.aheList: %p
PID %d: ntdsa has %d patched functions
PID %d - ole32 hooked by %s
PID %d - ole32 hooked by unknown module, addr %p
PID %d: rpcrt4 has %d patched functions
PID %d: basesrv has %d patched user functions
PID %d: winsrv has %d patched user functions
PID %d: winsrv has %d patched cons functions
PID %d: lsasrv has %d patched functions
PID %d: lsasrv has %d patched functions in LsapSspiExtension
PID %d: lsasrv has %d patched functions in LsapLookupExtension
PID %d: lsasrv has %d patched functions in LsapLsasrvIfTable
Cannot alloc %X bytes for EAT checking of %s, PID %d
Cannot read EAT of %s, PID %d
Cannot alloc %X bytes for checking section %s of %s, PID %d
Cannot read section %s content %X bytes of %s, PID %d
Cannot make section %s of %s, PID %d
Module %s section %s has %X patched bytes, PID %d
PID %d: user32 has %d patched imm32 functions
PID %d: advapi32 has %d patched functions
PID %d: kernel32 has %d patched functions
ShimHandler[%d]: %p %s
ShimHandler[%d]: %p UNKNOWN, located at %p
ApplicationRecoveryCallback: %s (%p)
%s, PID %d:
Cannot alloc %X bytes for IAT checking of %s, PID %d
Cannot read IAT (size %X at %p) of %s, PID %d
Cannot find function %s.%s for module %s process %d
Cannot find function %s.%d for module %s process %d
IAT Patched %s.%s in module %s process %d by %s
IAT Patched %s.%s in module %s process %d, addr %p
IAT Patched %s.%d in module %s process %d by %s
IAT Patched %s.%d in module %s process %d
Cannot alloc %X bytes for delayed IAT checking of %s, PID %d
Cannot read delayed IAT (size %X at %p) of %s, PID %d
Cannot find delayed function %s.%s for module %s process %d
Cannot find delayed function %s.%d for module %s process %d
LdrpDllNotificationList: %d
%p %s
Read %d QueuedWorkerItems:
[%d] %p %s
check_drivers_reinit: cannot read size of list, error %d, status %X
check_drivers_reinit: cannot read size of list, error %d
check_drivers_reinit: cannot alloc %X bytes
check_drivers_reinit: cannot read list, error %d, ntstatus %X
check_drivers_reinit: cannot read list, error %d
[%d] Drv %p %s routine %p %s
read_shutdown_notificators: cannot read size of %s, error %d, status %X
read_shutdown_notificators: cannot read size of %s, error %d
read_shutdown_notificators: cannot alloc %X bytes
read_shutdown_notificators: cannot read %s, error %d, ntstatus %X
read_shutdown_notificators: cannot read %s, error %d
[%d] DevObj %p Drv %p (addr %p) %s
[%d] DevObj %p Drv %p %s
MailSlot: %S, server %d (%S)
MailSlot: %S, server %d
NamedPipe: %S, server %d (%S)
NamedPipe: %S, server %d
Flags: %X, server %d (%S)
Flags: %X, creator %d, server %d
Flags: %X, server %d
Endpoints: %d
Endpoint %S PID %d (%S):
Endpoint %S:
RPC controls: %d
%S: %S
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d
Cannot load kernel %s
Unknown scheduler: ReadySummary %X DispatcherReadyListHead %X
Unknown scheduler: ReadySummary %X DeferredReadyListHead %X
Unknown scheduler: ReadySummary %X
Readed %d threads, total %d
Thread %p ProcID %X ThreadID %X Win32Thread %p %s
Thread %p ProcID %X ThreadID %X Priority %d Win32Thread %p
Thread %p ProcID %X ThreadID %X %s
Thread %p ProcID %X ThreadID %X Priority %d
reading count of threads on processor %d failed, error %X
%d threads
reading of threads on processor %d failed, error %X
Scheduler index %d
reading count of threads failed, error %X
reading of threads failed, error %X
Cannot find ETHREAD.ServiceTable
Unknown version of ETHREAD, offset %X
Cannot alloc %X bytes for ProcessesAndThreadsInformation
Cannot realloc %X bytes for ProcessesAndThreadsInformation
ProcessesAndThreadsInformation failed, error %X
read_sdt for threadID %X failed, error %d, status %X
read_sdt for threadID %X failed, error %d
ProcessID %X (%S) ThreadID %X SDT %p %s
ProcessID %X ThreadID %X SDT %p %s
read_thread_token for threadID %X failed, error %d, status %X
read_thread_token for threadID %X failed, error %d
ProcessID %X (%S) ThreadID %X token %p ImpersonationLevel %d
ProcessID %X ThreadID %X token %p ImpersonationLevel %d
Cannot detect ETHREAD.StartAddress
Unknown kernel %s, StartAddress %X, IrpList %X, StackLimit %X, StackBase %X
Unknown kernel %s, StartAddress %X, StackLimit %X, StackBase %X
Unknown kernel %s, StartAddress %X, IrpList %X
Unknown kernel %s, StartAddress %X
Cannot read count of system threads, ntstatus %X
Cannot alloc %d bytes
Cannot read system threads, ntstatus %X
%d System Threads
Thread %p Start %p %c stack %p limit %p %s
read IPSec status failed, error %d, status %X
read IPSec status failed, error %d
IPSec status %X
IPSecHandler: %p %s
IPSecQueryStatus: %p %s
IPSecSendCmplt: %p %s
IPSecNdisStatus: %p %s
IPSecRcvFWPacket: %p %s
check_tdi_pnp_clnts: cannot read size of clnts list, error %d, ntstatus %X
check_tdi_pnp_clnts: cannot read size of clnts list, error %d
check_tdi_pnp_clnts: cannot alloc %X bytes
check_tdi_pnp_clnts: cannot read clnts list, error %d, ntstatus %X
check_tdi_pnp_clnts: cannot read clnts list, error %d
TDI PnP clients: %d (readed %d)
[%d]: version %X %S
PnPPowerHandler: %p %s
BindHandler: %p %s
UnBindHandler: %p %s
AddAddressHandler: %p %s
DelAddressHandler: %p %s
Microsoft-Windows-Windows Firewall With Advanced Security
Microsoft-Windows-Kernel-Boot
Microsoft-Windows-EQoS
Microsoft-Windows-XWizards
ASP.NET Events
Microsoft-Windows-UIRibbon
Microsoft-Windows-WPD-CompositeClassDriver
Microsoft-Windows-Wired-AutoConfig
Microsoft-Windows-PrintService
Microsoft-Windows-ApplicationExperience-LookupServiceTrigger
Microsoft-Windows-IDCRL
Microsoft-Windows-MPS-DRV
Microsoft-Windows-P2P-Mesh
Microsoft-Windows-TabletPC-MathRecognizer
Microsoft-Windows-Spell-Checking
Microsoft-Windows-Fax
Microsoft-Windows-GroupPolicy
Microsoft-Windows-Crashdump
Microsoft-Windows-PrintSpooler
Microsoft-Windows-LanguagePackSetup
Microsoft-Windows-OneX
Microsoft-Windows-OfflineFiles-CscApi
Microsoft-Windows-ADSI
Microsoft-Windows-Dhcp-Client
Microsoft-Windows-CertificateServicesClient-AutoEnrollment
Microsoft-Windows-NlaSvc
Microsoft-Windows-Diagnosis-MSDE
Microsoft-Windows-SpoolerWin32SPL
Microsoft-Windows-SPB-ClassExtension
Microsoft-Windows-Kernel-Memory
Microsoft-Windows-Application Server-Applications
Microsoft-Windows-MUI
Microsoft-Windows-P2P-Collab
Microsoft-Windows-Security-Netlogon
Microsoft-Windows-SQM-Events
Microsoft-Windows-USB-USBPORT
Microsoft-Windows-SendTo
Microsoft-Windows-AIT
Microsoft-Windows-P2P-CRP
PrintFilterPipelineSvc_ObjectsGuid
Microsoft-Windows-IME-JPPRED
Microsoft-Windows-WMP
Microsoft-Windows-Eqos-SQM-Provider
MSDADIAG.ETW
Microsoft-Windows-Processor-Aggregator
Microsoft-Windows-ErrorReportingConsole
Microsoft-Windows-SmartCard-TPM-VCard-Module
Microsoft-Windows-User Profiles Service
Microsoft-Windows-Crypto-CNG
Microsoft-Windows-LinkLayerDiscoveryProtocol
Microsoft-Windows-TaskbarCPL
Microsoft-Windows-Networking-Correlation
Microsoft-Windows-RestartManager
Microsoft-Windows-WMPDMCCore
Microsoft-Windows-TCPIP
Microsoft-Windows-MSDTC
Microsoft-Windows-Resources-MrmBc
Microsoft-Windows-Time-Service
Microsoft-Windows-HomeGroup-ProviderService
Microsoft-Windows-DriverFrameworks-UserMode
Microsoft-Windows-Runtime-Networking
Microsoft-Windows-Network-Connection-Broker
Microsoft-Windows-Shell-AppWizCpl
Microsoft-Windows-PDC
Microsoft-Windows-Biometrics
Microsoft-Windows-IME-SCDICCOMPILER
Microsoft-Windows-Wininit
Microsoft-Windows-Dwm-Dwm
Microsoft-Windows-Photo-Image-Codec
Microsoft-Windows-TaskScheduler
Microsoft-Windows-osk
Microsoft-Windows-Kernel-PowerTrigger
Microsoft-Windows-EventLog-WMIProvider
Microsoft-Windows-IME-OEDCompiler
Microsoft-Windows-WER-SystemErrorReporting
Microsoft-Windows-Deplorch
Microsoft-Windows-SPB-HIDI2C
Microsoft-Windows-UxTheme
Microsoft-Windows-BfeTriggerProvider
Microsoft-Windows-Media-Streaming
Microsoft-Windows-Remotefs-UTProvider
Microsoft-Windows-Ntfs-SQM
Microsoft-Windows-User-PnP
Microsoft-Windows-AltTab
Microsoft-Windows-Kernel-StoreMgr
Microsoft-Windows-WindowsColorSystem
Microsoft-Windows-RemoteDesktopServices-RemoteFX-VM-User-Mode-Transport
Microsoft-Windows-MSMPEG2ADEC
Microsoft-Windows-TerminalServices-PnPDevices
Microsoft-Windows-GettingStarted
Microsoft-Windows-Narrator
Windows Wininit Trace
Microsoft-Windows-FileHistory-UI
Microsoft-Windows-MediaFoundation-PlayAPI
Microsoft-Windows-CertificateServicesClient-Lifecycle-System
Microsoft-Windows-BitLocker-Driver-Performance
Microsoft-Windows-PerfProc
Microsoft-Windows-Resource-Leak-Diagnostic
Microsoft-Windows-WebServices
Microsoft-Windows-FileHistory-Service
Microsoft-Windows-MediaEngine
Microsoft-Windows-StartupRepair
Microsoft-Windows-Security-IdentityStore
Microsoft-Windows-IME-SCSetting
Microsoft-Windows-FileHistory-EventListener
Microsoft-Windows-Program-Compatibility-Assistant
Microsoft-Windows-DesktopActivityModerator
Microsoft-Windows-MemoryDiagnostics-Schedule
Microsoft-Windows-FileHistory-Engine
Microsoft-Windows-PerfDisk
Microsoft-Windows-OOBE-Machine-Core
Microsoft-Windows-WLAN-AutoConfig
Microsoft-Windows-FileHistory-ConfigManager
Microsoft-Windows-Search-ProfileNotify
Microsoft-Windows-PerfCtrs
UMPass Driver Trace
Microsoft-Windows-FileHistory-Catalog
Microsoft-Windows-WlanDlg
Microsoft-Windows-CDROM
Microsoft-Windows-Crypto-NCrypt
Certificate Services Client CredentialRoaming Trace
Microsoft-Windows-CredUI
Windows Firewall Service
Microsoft-Windows-FileHistory-Core
Microsoft-Windows-Direct3D11
Microsoft-Windows-DirectoryServices-Deployment
Microsoft-Windows-All-User-Install-Agent
Microsoft-Windows-Kernel-Licensing-StartServiceTrigger
Microsoft-Windows-ServerManager-ManagementProvider
Microsoft-Windows-Diagnosis-ScriptedDiagnosticsProvider
Microsoft-Windows-IIS-W3SVC-WP
Microsoft-Windows-TerminalServices-MediaRedirection-DShow
Microsoft-Windows-Rdms-UI
Microsoft-Windows-Feedback-Service-TriggerProvider
Microsoft-Windows-Eventlog
Microsoft-Windows-CodeIntegrity
Microsoft-Windows-WPDClassInstaller
Microsoft-Windows-NetworkAccessProtection
Microsoft-Windows-UIAutomationCore
Microsoft-Windows-StartLmhosts
Microsoft-Windows-IME-Broker
Microsoft-Windows-Kernel-Process
Microsoft-Windows-CertificateServicesClient
Microsoft-Windows-AppXDeployment
Microsoft-Windows-Shell-Core
Microsoft-Windows-Anytime-Upgrade
Microsoft-Windows-PCI
Microsoft-Windows-WPD-MTPBT
Microsoft-Windows-CertificationAuthorityClient-CertCli
Microsoft-Windows-Srv2
Microsoft-Windows-TunnelDriver-SQM-Provider
Microsoft-Windows-Security-Licensing-SLC
Microsoft-Windows-ATAPort
Microsoft-Windows-Recovery
Microsoft-Windows-GenericRoaming
Microsoft-Windows-Sdbus-SQM
Microsoft-Windows-DirectComposition
Microsoft-Windows-P2PIMSvc
Microsoft-Windows-WCN-Config-Registrar
Microsoft-Windows-WPD-API
Microsoft-Windows-P2P-PNRP
Microsoft-Windows-DeviceUx
Windows Mobile Performance Hooks
Microsoft-Windows-ProcessStateManager
Windows Connect Now
Microsoft-Windows-Networking-RealTimeCommunication
Microsoft-Windows-EventSystem
Microsoft-Windows-Spaceport
Windows Mobile Remote API
Microsoft-Windows-Dhcp-Nap-Enforcement-Client
Microsoft-Windows-WinNat
Windows Mobile AirSync Engine 2
Microsoft-Windows-WCN-Config-Registrar-Secure
Windows Mobile AirSync Engine 1
Microsoft-Windows-Security-Kerberos
Windows Mobile ActiveSync Engine
Microsoft-Windows-WSC-SRV
Microsoft-Windows-Eventlog-ForwardPlugin
Windows Mobile Serial Connectivity
Microsoft-Windows-TerminalServices-SessionBroker-Client
Microsoft-Windows-WMPNSS-PublicAPI
Windows Mobile Desktop Passthrough
Microsoft-Windows-RPC-Events
Microsoft-Windows-LanguageProfile
Microsoft-Windows-Anytime-Upgrade-Events
Microsoft-Windows-Management-UI
Microsoft-Windows-SMBClient
Microsoft-Windows-TerminalServices-RdpSoundDriver
Microsoft-Windows-Dwm-Api
Microsoft-Windows-QoS-qWAVE
Microsoft-Windows-Kernel-Tm-Trigger
Microsoft-Windows-IPNAT
Microsoft-Windows-NetworkBridge
Microsoft-Windows-MPS-CLNT
Microsoft-Windows-Diagnosis-Scheduled
Microsoft-Windows-WMPNSS-Service
Microsoft-Windows-DxpTaskRingtone
Microsoft-Windows-Kernel-AppCompat
Microsoft-Windows-TimeBroker
Microsoft-Windows-DeviceConfidence
Microsoft-Windows-Shell-Shwebsvc
Microsoft-Windows-Diagnostics-Performance
Windows NetworkMap Trace
Microsoft-Windows-TerminalServices-Printers
Microsoft-Windows-AppLocker
Microsoft-Windows-Audio
Microsoft-Windows-LLTD-MapperIO
Microsoft-Windows-HotspotAuth
Microsoft-Windows-Firewall-CPL
Microsoft-Windows-Kernel-IoTrace
Microsoft-Windows-Perflib
Microsoft-Windows-BootUX
Microsoft-Windows-WMPDMCUI
Microsoft-Windows-Disk
Microsoft-Windows-IME-JPLMP
Microsoft-Windows-Security-SPP-UX-Notifications
Microsoft-Windows-TerminalServices-ClientActiveXCore
Microsoft-Windows-IIS-IISReset
Microsoft-Windows-WindowsUIImmersive
Windows Firewall Control Panel
Microsoft-Windows-DeviceSetupManager
Microsoft-Windows-EnrollmentPolicyWebService
Microsoft-Windows-IME-Roaming
Microsoft-Windows-SetupQueue
Microsoft-Windows-SmartCard-Audit
Microsoft-Windows-Servicing
Microsoft-Windows-ACL-UI
Microsoft-Windows-WWAN-CFE
Microsoft-Windows-FCRegSvc
Microsoft-Windows-IIS-IisMetabaseAudit
Microsoft-Windows-Kernel-WDI
Microsoft-Windows-TabletPC-MathInput
Microsoft-Windows-Kernel-General
Windows Media Player Trace
Microsoft-Windows-DxpTaskDLNA
Microsoft-Windows-User Profiles General
Microsoft-Windows-Kernel-WSService-StartServiceTrigger
Microsoft-Windows-WebAuth
Microsoft-Windows-API-Tracing
Microsoft-Windows-FunctionDiscovery
Microsoft-Windows-StickyNotes
Microsoft-Windows-WCN-WscEapPeer-Trace
Microsoft-Windows-QoS-WMI-Diag
Microsoft-Windows-NetworkProvisioning
Microsoft-Windows-Network-DataUsage
Microsoft-Windows-AppSruProv
Microsoft-Windows-WebcamExperience
Microsoft-Windows-EaseOfAccess
Microsoft-Windows-Spellchecking-Host
Microsoft-Windows-IME-CandidateUI
Microsoft-Windows-TPM-WMI
Microsoft-Windows-Security-SPP
Microsoft-Windows-DirectShow-KernelSupport
Microsoft-Windows-Diagnosis-AdvancedTaskManager
Microsoft-Windows-ThemeCPL
Windows Mobile Co-installer
Microsoft-Windows-MPRMSG
Microsoft-Windows-EnhancedStorage-EhStorCertDrv
Microsoft-Windows-NdisImPlatformEventProvider
Microsoft-Windows-FunctionDiscoveryHost
Microsoft-Windows-MediaFoundation-MSVideoDSP
Microsoft-Windows-IME-JPTIP
Windows Kernel Trace
Microsoft-SQLServerDataTools
Microsoft-Windows-ASN1
Microsoft-Windows-Crypto-BCrypt
Microsoft-Windows-HealthCenterCPL
Microsoft-Windows-XAML
Microsoft-Windows-PDFReader
Microsoft-Windows-TerminalServices-ServerUSBDevices
Microsoft-Windows-WWAN-SVC-EVENTS
Microsoft-Windows-Search-ProtocolHandlers
Microsoft-Windows-IdCtrls
Microsoft-Windows-User-ControlPanel
Microsoft-Windows-Runtime-Media
Microsoft-Windows-CAPI2
Windows Mobile Sync Handlers
Microsoft-Windows-PowerCfg
Microsoft-Windows-SrumTelemetry
Microsoft-Windows-Base-Filtering-Engine-Connections
Microsoft-Windows-Sidebar
Microsoft-Windows-NDF-HelperClassDiscovery
Microsoft-Windows-PerfNet
Microsoft-Windows-PortableDeviceStatusProvider
Microsoft-Windows-TabletPC-Platform-Manipulations
Microsoft-Windows-Subsys-SMSS
Microsoft-Windows-LDAP-Client
Microsoft-Windows-Security-SPP-UX-GC
Microsoft-Windows-Media Center Extender
Microsoft-Windows-DiskDiagnostic
Microsoft-Windows-TSF-msutb
Microsoft-Windows-Reliability-Analysis-Agent
{B6501BA0-C61A-C4E6-6FA2-A4E7F8C8E7A0}
Microsoft-Windows-Kernel-Processor-Power
Microsoft-Windows-NCSI
Microsoft-Windows-NetworkConnectivityStatus
Microsoft-Windows-wmvdecod
Microsoft-Windows-ServiceTriggerPerfEventProvider
Microsoft-Windows-Service Pack Installer
Microsoft-Windows-Bluetooth-HidGatt
Microsoft-Windows-TabletPC-Platform-Input-Ninput
Microsoft-Windows-Tcpip-SQM-Provider
Microsoft-Windows-MPS-SRV
Microsoft-Windows-KnownFolders
Microsoft-Windows-NAPIPSecEnf
Microsoft-Windows-EnrollmentWebService
Microsoft-Windows-Deduplication-Change
Microsoft-Windows-OfflineFiles-CscFastSync
Microsoft-Windows-UxInit
Microsoft-Windows-BranchCacheClientEventProvider
Microsoft-Windows-Forwarding
Microsoft-Windows-RPC-Proxy-LBS
Microsoft-Windows-Kernel-Disk
Microsoft-Windows-TriggerEmulatorProvider
Microsoft-Windows-SystemHealthAgent
Microsoft-Windows-Memory-Diagnostic-Task-Handler
Microsoft-Windows-Winsock-WS2HELP
Microsoft-Windows-ThemeUI
Microsoft-Windows-TerminalServices-MediaRedirection
Microsoft-Windows-TerminalServices-ClientUSBDevices
Microsoft-Windows-TabletPC-CoreInkRecognition
Microsoft-Windows-COM
Microsoft-Windows-PnPMgrTriggerProvider
Microsoft-Windows-LoadPerf
Microsoft-Windows-System-Restore
Microsoft-Windows-UserAccountControl
Microsoft-Windows-Services-Svchost
Microsoft-Windows-PushNotifications-Developer
Microsoft-Windows-LiveId
Microsoft-Windows-Security-SPP-UX
Microsoft-Windows-VAN
Microsoft-Windows-FirstUX-PerfInstrumentation
Microsoft-Windows-Kernel-Tm
Microsoft-Windows-Kernel-ShimEngine
Microsoft-Windows-EapHost
Microsoft-Windows-CertPolEng
Microsoft-Windows-MsLbfoEventProvider
Microsoft-Windows-Complus
Microsoft-Windows-EFS
Microsoft-Windows-WwaHost
Microsoft-Windows-ServerManager
Microsoft-Windows-ComDlg32
Microsoft-Windows-MP4SDECD
Microsoft-Windows-PeopleNearMe
Microsoft-Windows-SmartCard-Bluetooth-Profile
Microsoft-Windows-TZUtil
Microsoft-Windows-ApplicationExperience-SwitchBack
Microsoft-Windows-UI-Input-Inking
Microsoft-Windows-VDRVROOT
Windows Firewall NetShell Plugin
Windows Firewall API
Microsoft-Windows-Kernel-Acpi
Microsoft-Windows-WinRM
Microsoft-Windows-Direct3D10_1
Microsoft-Windows-Kernel-LicensingSqm
Microsoft-Windows-SpoolerSpoolss
Microsoft-Windows-FilterManager
Microsoft-Windows-ActionQueue
Microsoft-Windows-IME-KRAPI
Microsoft-Windows-Resource-Exhaustion-Detector
Microsoft-Windows-ApplicationExperienceInfrastructure
Microsoft-Windows-StorSqm
Microsoft-Windows-Search
Microsoft-Windows-HttpEvent
Microsoft-Windows-AxInstallService
Microsoft-Windows-Diagnosis-PerfHost
Microsoft-Windows-International
Microsoft-Windows-CertificateServicesClient-CredentialRoaming
Microsoft-Windows-SoftwareRestrictionPolicies
Microsoft-Windows-Windows Defender
Microsoft-Windows-ShareMedia-ControlPanel
Microsoft-Windows-CertificateServicesClient-Lifecycle-User
Microsoft-Windows-WPD-MTPUS
Microsoft-Windows-DirectWrite
Microsoft-Windows-RPCSS
Microsoft-Windows-DeviceSync
Microsoft-Windows-NcdAutoSetup
Microsoft-Windows-Diagnosis-PCW
Microsoft-Windows-DistributedCOM
ATA Port Driver Tracing Provider
Microsoft-Windows-WebdavClient-LookupServiceTrigger
Microsoft-Windows-USB-USBXHCI
Microsoft-Windows-Diagnosis-PLA
Microsoft-Windows-WlanConn
Microsoft-Windows-Winlogon
Microsoft-Windows-stobject
Microsoft-Windows-Mobile-Broadband-Experience-SmsRouter
Microsoft-Windows-D3D10Level9
Microsoft-Windows-WAS-ListenerAdapter
Microsoft-Windows-ServerManager-MultiMachine
Microsoft-Windows-AppxPackagingOM
Microsoft-Windows-PushNotifications-Platform
Microsoft-Windows-OOBE-Machine-Plugins-Wireless
Microsoft-Windows-IME-JPAPI
SBP2 Port Driver Tracing Provider
Microsoft-Windows-BranchCacheEventProvider
Microsoft-Windows-Immersive-Shell-API
Microsoft-Windows-ntshrui
Microsoft-Windows-KPSSVC
Microsoft-Windows-BitLocker-DrivePreparationTool
Microsoft-Windows-EapMethods-Sim
Microsoft-Windows-Shell-ZipFolder
Microsoft-Windows-Search-Core
Microsoft-Windows-OfflineFiles-CscNetApi
Microsoft-Windows-Diagnosis-WDI
Microsoft-Windows-PortableDeviceSyncProvider
Microsoft-Windows-Diagnostics-PerfTrack-Counters
Microsoft-Windows-Speech-TTS
Microsoft-Windows-Component-Resources-MrmCore-Events
Microsoft-Windows-BranchCache
Microsoft-Windows-SystemEventsBroker
Microsoft-Windows-VolumeControl
Microsoft-Windows-Win32k
Microsoft-Windows-Kernel-WHEA
Microsoft-Windows-P2P-Meetings
Microsoft-Windows-Diagnosis-WDC
Microsoft-Windows-Serial-ClassExtension
Microsoft-Windows-KPSSVC-WPP
Microsoft-Windows-CertificateServices-Deployment
Microsoft-Windows-PerfOS
Microsoft-Windows-ResetEng
Microsoft-Windows-Runtime-Graphics
Microsoft-Windows-IPSEC-SRV
Microsoft-Windows-CorruptedFileRecovery-Server
Windows Mobile Bluetooth Connectivity
Microsoft-Windows-DLNA-Namespace
Microsoft-Windows-WLAN-MediaManager
Certificate Services Client Trace
Microsoft-Windows-BranchCacheSMB
Microsoft-Windows-PrintService-USBMon
Microsoft-Windows-OOBE-Machine
Microsoft-Windows-DXP
Microsoft-Windows-Immersive-Shell
Microsoft-Windows-OOBE-Machine-Plugins
Microsoft-Windows-Reliability-Analysis-Engine
Microsoft-Windows-Application-Experience
Microsoft-Windows-KdsSvc
Microsoft-Windows-MediaFoundation-Platform
Microsoft-Windows-Security-Configuration-Wizard
Microsoft-Windows-DisplayColorCalibration
Windows Mobile Device Center Base
Microsoft-Windows-WPD-MTPClassDriver
Microsoft-Windows-DNS-Client
Microsoft-Windows-MSDTC Client
Microsoft-Windows-NDIS-PacketCapture
Windows Remote Management Trace
Microsoft-Windows-MSPaint
Microsoft-Windows-HomeGroup-ListenerService
Microsoft-Windows-Sensor-Service-Trigger
Microsoft-Windows-EapMethods-Ttls
Microsoft-Windows-Remotefs-Smb
Microsoft-Windows-SMBWitnessClient
Microsoft-Windows-USB-USBHUB
Microsoft-Windows-DirectWrite-FontCache
Microsoft-Windows-WindowsBackup
Microsoft-Windows-NWiFi
Microsoft-Windows-WER-Diag
Microsoft-Windows-UAC
Microsoft-Windows-LUA
Microsoft-Windows-AppID
Microsoft-Windows-IIS-WMSVC
Microsoft-Windows-Shell-OpenWith
Microsoft-Windows-MediaFoundation-MFReadWrite
Microsoft-Windows-BrokerInfrastructure
Microsoft-Windows-Fault-Tolerant-Heap
Microsoft-Windows-Shell-DefaultPrograms
Microsoft-Windows-Dism-Cli
Microsoft-Windows-SMBDirect
Microsoft-Windows-IME-SCTIP
Microsoft-Windows-EnergyEfficiencyWizard
Microsoft-Windows-ParentalControls
Microsoft-Windows-Smartcard-Server
Microsoft-Windows-FMS
Microsoft-Windows-Devices-Location
Microsoft-Windows-LLTD-Responder
Microsoft-Windows-MsLbfoSysEvtProvider
sqlos
Microsoft-Windows-TerminalServices-RemoteConnectionManager
Microsoft-Windows-SCPNP
Microsoft-Windows-Wordpad
WMI_Tracing_Client_Operations
Microsoft-Windows-Security-Audit-Configuration-Client
Microsoft-Windows-EFSADU
Windows Notification Facility Provider
Microsoft-Windows-DiagCpl
Windows NetworkItemFactory Trace
Microsoft-Windows-ApplicationExperience-Cache
Microsoft-Windows-ResourcePublication
Microsoft-Windows-FailoverClustering-Client
Microsoft-Windows-Runtime-Networking-BackgroundTransfer
Microsoft-Windows-AppHost
Microsoft-Windows-NetAdapterCim-Diag
Microsoft-Windows-IIS-FTP
Microsoft-Windows-Iphlpsvc
Microsoft-Windows-WinINet
Microsoft-Windows-TabletPC-InputPersonalization
Microsoft-Windows-SpoolerFilterPipelineSVC
Microsoft-Windows-Globalization
Microsoft-Windows-Bits-Client
Microsoft-Windows-WFP
Microsoft-Windows-Services
Microsoft-Windows-IdleTriggerProvider
Microsoft-Windows-DxgKrnl
Microsoft-Windows-HealthCenter
Microsoft-Windows-OtpCredentialProviderEvt
Microsoft-Windows-MemoryDiagnostics-Results
Microsoft-Windows-Ncasvc
Microsoft-Windows-SystemSettings
Microsoft-Windows-PDH
Microsoft-Windows-WMPNSSUI
Microsoft-Windows-BdeTriggerProvider
Microsoft-Windows-Diagnostics-PerfTrack
Microsoft-Windows-IIS-APPHOSTSVC
Microsoft-Windows-CoreWindow
Microsoft-Windows-Help
Microsoft-Windows-WindowsUpdateClient
Microsoft-Windows-IIS-W3SVC-PerfCounters
Microsoft-Windows-WMI
Microsoft-Windows-TabletPC-Platform-Input-Wisp
Microsoft-Windows-ProcessExitMonitor
Microsoft-Windows-IME-JPSetting
Microsoft-Windows-Diagnosis-Scripted
Microsoft-Windows-GroupPolicyTriggerProvider
File Kernel Trace; Operation Set 2
Microsoft-Windows-IIS-Configuration
Microsoft-Windows-Diagnosis-TaskManager
Microsoft-Windows-Diagnosis-DPS
Microsoft-Windows-UserPnp
Microsoft-Windows-Security-SPP-UX-GenuineCenter-Logging
Microsoft-Windows-Schannel-Events
NetJoin
Microsoft-Windows-TabletPC-InputPanel
Microsoft-Windows-FileServices-ServerManager-EventProvider
Microsoft-Windows-MediaFoundation-Performance
Microsoft-Windows-EndpointTriggerProvider
Microsoft-Windows-IME-KRTIP
Microsoft-Windows-Mobile-Broadband-Experience-SmsApi
Microsoft-Windows-Hyper-V-Netvsc
Microsoft-Windows-DirectSound
Microsoft-Windows-TabletPC-Platform-Input-Core
Microsoft-Windows-PushNotifications-InProc
Microsoft-Windows-Kernel-Network
Microsoft-Windows-DiskDiagnosticResolver
Microsoft-Windows-NdisImPlatformSysEvtProvider
Microsoft-Windows-MeetingSpace
Microsoft-Windows-Base-Filtering-Engine-Resource-Flows
Microsoft-Windows-RasServer
Microsoft-Windows-VHDMP
Microsoft-Windows-WindowsSystemAssessmentTool
Microsoft-Windows-DCLocator
Microsoft-Windows-Diagnosis-MSDT
Microsoft-Windows-WLGPA
SQLSRV32.1
Microsoft-Windows-CertificateServicesClient-CertEnroll
Microsoft-Windows-IME-TCCORE
Microsoft-Windows-SmartCard-Bluetooth-Transport
Microsoft-Windows-WMVENCOD
Microsoft-Windows-mobsync
Microsoft-Windows-EFSTriggerProvider
Microsoft-Windows-DUSER
Microsoft-Windows-DiskDiagnosticDataCollector
Microsoft-Windows-DirectAccess-MediaManager
Microsoft-Windows-DisplaySwitch
Microsoft-Windows-PackageStateRoaming
Microsoft-Windows-Crypto-DPAPI
Microsoft-Windows-IME-CustomerFeedbackManagerUI
sqlserver
Microsoft-Windows-User-Loader
Microsoft-Windows-NetworkProfileTriggerProvider
Microsoft-Windows-NetworkProfile
Windows Firewall API - GP
Microsoft-Windows-CmiSetup
Microsoft-Windows-Sysprep
Microsoft-Windows-Windeploy
Microsoft-Windows-Setup
Microsoft-Windows-OobeLdr
Microsoft-Windows-SetupUGC
Microsoft-Windows-Audit
Microsoft-Windows-SetupCl
Microsoft-Windows-Winsrv
Microsoft-Windows-WinHttp
Microsoft-Windows-RadioManager
Microsoft-Windows-Websocket-Protocol-Component
Microsoft-Windows-WebIO
Microsoft-Windows-Dwm-Core
Microsoft-Windows-Registry-SQM-Provider
Microsoft-Windows-WHEA-Logger
Microsoft-Windows-PeerToPeerDrtEventProvider
Microsoft-Windows-BitLocker-Driver
Microsoft-Windows-SettingSync
Microsoft-Windows-Mobile-Broadband-Experience-Api-Internal
Microsoft-Windows-EnhancedStorage-EhStorTcgDrv
Microsoft-Windows-PowerShell
Microsoft-Windows-DirectShow-Core
Microsoft-Windows-Kernel-Power
Microsoft-Windows-msmpeg2venc
Microsoft-Windows-MPEG2_DLNA-Encoder
Microsoft-Windows-Remote-FileSystem-Log
Microsoft-Windows-Kernel-PnP
Microsoft-Windows-AppXDeployment-Server
Microsoft-Windows-Folder Redirection
Microsoft-Windows-OfflineFiles-CscUM
Microsoft-Windows-ServerManager-DeploymentProvider
Microsoft-Windows-ServiceReportingApi
Microsoft-Windows-StorDiag
Microsoft-Windows-IME-CustomerFeedbackManager
Microsoft-Windows-Kernel-EventTracing
Microsoft-Windows-Kernel-BootDiagnostics
Microsoft-Windows-DXGI
Microsoft-Windows-Build-RegDll
Microsoft-Windows-PNRPSvc
Microsoft-Windows-Ndu
Microsoft-Windows-Firewall
Microsoft-Windows-Wcmsvc
Microsoft-Windows-OLEACC
Microsoft-Windows-MSDTC Client 2
Microsoft-Windows-InputSwitch
Microsoft-Windows-Runtime-WebAPI
Microsoft-Windows-HAL
Microsoft-Windows-International-RegionalOptionsControlPanel
Microsoft-Windows-RPC
Microsoft-Windows-MFH264Enc
Microsoft-Windows-SharedAccess_NAT
Microsoft-Windows-DeviceAssociationService
Microsoft-Windows-Bluetooth-MTPEnum
Microsoft-Windows-BitLocker-API
{C5BFFE2E-9D87-D568-A09E-08FC83D0C7C2}
Microsoft-Windows-IPMIProvider
Microsoft-Windows-IME-TIP
Microsoft-Windows-WindowsToGo-StartupOptions
Microsoft-Windows-Backup
Microsoft-Windows-WMP-MediaDeliveryEngine
Microsoft-Windows-PrintBRM
Microsoft-Windows-ServerManager-ConfigureSMRemoting
Microsoft-Windows-Video-For-Windows
Microsoft-Windows-ClearTypeTextTuner
Microsoft-Windows-Subsys-Csr
Microsoft-Windows-USB-UCX
Microsoft-Windows-RemoteApp and Desktop Connections
Windows Winlogon Trace
Microsoft-Windows-RasSstp
Microsoft-Windows-UAC-FileVirtualization
Microsoft-Windows-ClassicSruMon
Microsoft-Windows-Security-IdentityListener
Microsoft-Windows-WWAN-MM-EVENTS
Microsoft-Windows-MsiServer
Microsoft-Windows-PhotoAcq
Microsoft-Windows-Power-Troubleshooter
Microsoft-Windows-DxpTaskSyncProvider
Microsoft-Windows-Remotefs-Rdbss
Microsoft-Windows-AppIDServiceTrigger
Microsoft-Windows-Kernel-File
Microsoft-Windows-TSF-msctf
Microsoft-Windows-PowerCpl
Microsoft-Windows-LanGPA
Microsoft-Windows-WWAN-MediaManager
Microsoft-Windows-PrimaryNetworkIcon
Microsoft-Windows-OfflineFiles
Microsoft-Windows-UIAnimation
Microsoft-Windows-Security-Auditing
Microsoft-Windows-WCN-Config-Registrar-Wizard-Trace
Microsoft-Windows-WWAN-NDISUIO-EVENTS
Microsoft-Windows-NetworkManagerTriggerProvider
Microsoft-Windows-Winsock-AFD
Microsoft-Windows-Remote-FileSystem-Monitor
Microsoft-Windows-WABSyncProvider
.NET Common Language Runtime
Microsoft-Windows-MSMPEG2VDEC
Microsoft-Windows-DateTimeControlPanel
Windows Firewall Driver
Microsoft-Windows-IIS-W3SVC
Microsoft-Windows-WWAN-UI-EVENTS
Microsoft-Windows-Speech-UserExperience
Microsoft-Windows-Dism-Api
Microsoft-Windows-Store-Client-UI
Microsoft-Windows-Calculator
Microsoft-Windows-Shell-ConnectedAccountState
Microsoft-Windows-PrintDialogs
Microsoft-Windows-Network-and-Sharing-Center
Microsoft-Windows-Crypto-RNG
Microsoft-Windows-MSDTC 2
Microsoft-Windows-SpellChecker
Microsoft-Windows-propsys
Microsoft-Windows-WPD-MTPIP
Microsoft-Windows-Documents
Microsoft-Windows-StorPort
Microsoft-Windows-Magnification
Microsoft-Windows-Shell-AuthUI
Microsoft-Windows-Dwm-Redir
Microsoft-Windows-BTH-BTHUSB
Microsoft-Windows-Ntfs
Microsoft-Windows-Sens
Microsoft-Windows-UserAccessLogging
Microsoft-Windows-RemoteDesktopServices-RdpCoreTS
Microsoft-Windows-COM-Perf
Microsoft-Windows-StorageSpaces-BackgroundAgent
Microsoft-Windows-Kernel-Prefetch
Portable Device Connectivity API Trace
Microsoft-Windows-RemoteAssistance
Microsoft-Windows-MF
Microsoft-Windows-MediaFoundation-MSVProc
Microsoft-Windows-TBS
Microsoft-Windows-FeedbackTool
Microsoft-Windows-WlanPref
Microsoft-Windows-OfflineFiles-CscDclUser
Microsoft-Windows-Http-SQM-Provider
Microsoft-Windows-Wireless-Network-Setup-Wizard-Trace
Microsoft-Windows-MCT
Microsoft-Windows-HotStart
Microsoft-Windows-Diagnostics-Networking
Microsoft-Windows-Sensors
Microsoft-Windows-SmbServer
Microsoft-Windows-USB-USBHUB3
Microsoft-Windows-Dot3MM
Microsoft-Windows-KernelStreaming
Microsoft-Windows-Mobile-Broadband-Experience-Api
Microsoft-Windows-VolumeSnapshot-Driver
Microsoft-Windows-MobilityCenter
Microsoft-Windows-OfflineFiles-CscService
Microsoft-Windows-Superfetch
Microsoft-Windows-IPBusEnum
Microsoft-Windows-Mprddm
Microsoft-Windows-Dwm-Udwm
Microsoft-Windows-AppModel-State
Microsoft-Windows-WCN-FD-Provider-Trace
Microsoft-Windows-Resource-Exhaustion-Resolver
Microsoft-Windows-Iphlpsvc-Trace
Microsoft-Windows-WUSA
Microsoft-Windows-TerminalServices-LocalSessionManager
Microsoft-Windows-RPC-FirewallManager
Microsoft-Windows-WCN-Common-Trace
Microsoft-Windows-MediaFoundation-MFCaptureEngine
Microsoft-Windows-ReadyBoostDriver
Microsoft-Windows-DUI
Microsoft-Windows-WMP-Setup_WM
Microsoft-Windows-Direct3D10
Microsoft-Windows-DfsSvc
Microsoft-Windows-IME-SCCORE
Microsoft-Windows-NTLM
Microsoft-Windows-VWiFi
Microsoft-Windows-Kernel-PnPConfig
Microsoft-Windows-Winsock-SQM
Microsoft-Windows-SpoolerSpoolSV
Microsoft-Windows-Netshell
Microsoft-Windows-UserModePowerService
Microsoft-Windows-HttpService
HTTP Service Trace
Microsoft-Windows-D3D9
Microsoft-Windows-AppModel-Runtime
Microsoft-Windows-CEIP
Microsoft-Windows-Directory-Services-SAM
Microsoft-Windows-SpoolerTCPMon
Microsoft-Windows-ReadyBoost
Microsoft-Windows-L2NACP
Microsoft-Windows-LLTD-Mapper
Microsoft-Windows-Deduplication
Microsoft-Windows-HomeGroup-ControlPanel
Microsoft-Windows-Mobile-Broadband-Experience-Parser-Task
Microsoft-Windows-DomainJoinManagerTriggerProvider
Microsoft-Windows-SruMon
Microsoft-Windows-ELS-Hyphenation
TCPIP Service Trace
Microsoft-Windows-DriverFrameworks-KernelMode
Microsoft-Windows-CorruptedFileRecovery-Client
Microsoft-Windows-WMI-Activity
Microsoft-Windows-COMRuntime
Microsoft-Windows-WAS
Microsoft-Windows-Wnv
Microsoft-Windows-Shsvcs
Microsoft-Windows-NDIS
Microsoft-Windows-WinMDE
File Kernel Trace; Operation Set 1
Microsoft-Windows-Proximity-Common
Microsoft-Windows-Ntfs-UBPM
Microsoft-Windows-Kernel-Registry
Microsoft-Windows-RemoteDesktopServices-RemoteDesktopSessionManager
Microsoft-Windows-TunnelDriver
Microsoft-Windows-QoS-Pacer
Microsoft-Windows-EventCollector
Microsoft-Windows-OOBE-Machine-DUI
Microsoft-Windows-IME-TCTIP
Microsoft-Windows-WCNWiz
Microsoft-Windows-Display
Microsoft-Windows-OcSetup
Microsoft-Windows-DesktopWindowManager-Diag
Microsoft-Windows-FileInfoMinifilter
Microsoft-Windows-TextPredictionEngine
Microsoft-Windows-NetworkGCW
Microsoft-Windows-DHCPv6-Client
Microsoft-Windows-PlayToManager
NDIS_STATUS_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
NDIS_STATUS_PORT_STATE
MS_Windows_AeLookupServiceTrigger_Provider
Microsoft_Windows_SQM_Provider
MS_Windows_AIT_Provider
NDIS_TCP_CONNECTION_OFFLOAD_CURRENT_CONFIG
NDIS_TCP_OFFLOAD_CURRENT_CONFIG
PARPORT_WMI_ALLOCATE_FREE_COUNTS_GUID
NDIS_GEN_ENUMERATE_PORTS
GUID_QOS_TC_SUPPORTED
MS1394_PortVendorRegisterAccessGuid
iSCSI_PersistentLoginsGuid
iSCSI_PortalInfoClassGuid
SerailPortPerfGuid
PortClsEvent
UdpIpGuid
TcpIpGuid
iSCSI_OperationsGuid
CTLGUID_usbport
NDIS_STATUS_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
iSCSI_DiscoveryOperationsGuid
SerialPortNameGuid
CTLGUID_WebClntTrace
POINTER_PORT_WMI_STD_DATA_GUID
KEYBOARD_PORT_WMI_STD_DATA_GUID
MSKeyboard_ClassInformationGuid
NDIS_GEN_CO_MEDIA_SUPPORTED
MS_Windows_AeSwitchBack_Provider
SerialPortHWGuid
MS_SM_PortInformationMethods
ataport_CtlGuid
storport_CtlGuid
MS1394_PortDriverInformationGuid
BTHPORT_WMI_HCI_PACKET_INFO
SerialPortCommGuid
iScsiLBOperationsGuid
MS_Windows_AeCache_Provider
NDIS_GEN_PORT_STATE
WindowsBackup TracingControlGuid
WmiMonitorListedSupportedSourceModes_GUID
NDIS_GEN_MEDIA_SUPPORTED
CTLGUID_certprop
BTHPORT_WMI_SDP_SERVER_LOG_INFO
KEYBOARD_PORT_WMI_EXTENDED_ID
iSCSIRedirectPortalGuid
NDIS_GEN_PORT_AUTHENTICATION_PARAMETERS
BTHPORT_WMI_SDP_DATABASE_EVENT
NDIS_TCP_CONNECTION_OFFLOAD_HARDWARE_CAPABILITIES
iSCSI_TCPIPConfigGuid
SerialPortPropertiesGuid
PortCls_IrpProcessing
iSCSI_SecurityConfigOperationsGuid
NDIS_TCP_OFFLOAD_PARAMETERS
PortCls_PowerState
Microsoft_Windows_GameUx
iSCSI_InitiatorLoginStatisticsGuid
MS1394_PortErrorInformationGuid
PortCls_PinState
CTLGUID_PortCls
NDIS_TCP_OFFLOAD_HARDWARE_CAPABILITIES
CTRLGUID_MF_PIPELINE
.PX`i`
`.HBS
&{%UD(_
dump_wmi_guidentries failed, error %d, status %X
dump_wmi_guidentries failed, error %d
dump_wmi_guidentries: cannot alloc %X bytes (total %d)
dump_wmi_guidentries: read failed, error %d, status %X
dump_wmi_guidentries: read failed, error %d
WMI guidentries: total %X readed %X:
[%X] %X flag %X refcnt %X - %s
[%X] %X flag %X refcnt %X %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
dump_wmi_regentries failed, error %d, status %X
dump_wmi_regentries failed, error %d
dump_wmi_regentries: cannot alloc %X bytes (total %d)
dump_wmi_regentries: read failed, error %d, status %X
dump_wmi_regentries: read failed, error %d
WMI regentries: total %X readed %X:
[%X] flags %X refcnt %X dev %p prov %X DS %p %s
[%X] flags %X refcnt %X cb %p prov %X DS %p %s
Etw[%d]:
Type %X Index %X InternalCB %p (%s) %s
Type %X Index %X InternalCB %p %s
Type %X Index %X InternalCB %p (%s) ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Type %X Index %X InternalCB %p ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
dump_Etw: exception occured, code %X
dump_Etws: exception occured, code %X
KPRCB.EtwSupport %p:
KPRCB[%d].EtwSupport %p:
read_kernel_etws count failed, error %d, ntstatus %X
read_kernel_etws count failed, error %d
read_kernel_etws: cannot alloc %X bytes
read_kernel_etws failed, error %d, ntstatus %X
read_kernel_etws failed, error %d
KEtw[%X]:
KEtw[%X]: RefCount %d, KProvider - %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
KEtw[%X]: RefCount %d %s
[%X] %p %s
Type %X InUse %d Index %X InternalCB %p (%s) %s
Type %X InUse %d Index %X InternalCB %p %s
Type %X InUse %d Index %X InternalCB %p (%s) ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Type %X InUse %d Index %X InternalCB %p ProviderId: %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
EtwCallback[%d] %p %s:
EtwCallback[%d]:
EtwTrace[%d] %p Ctx %p %s:
EtwTrace[%d] %p Ctx %p %s - %8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X
Unknown type %d for Etw[%d]
DEVINTERFACE_MT_TRANSPORT
DEVINTERFACE_KEYBOARD
DEVINTERFACE_COMPORT
DEVINTERFACE_VIAMINIPORT
DEVINTERFACE_STORAGEPORT
DEVINTERFACE_IRPORT
check_pnp_notifiers failed, error %d, status %X
check_pnp_notifiers failed, error %d
check_pnp_notifiers: cannot alloc %X bytes (total %d)
check_pnp_notifiers: read failed, error %d, status %X
check_pnp_notifiers: read failed, error %d
Pnp Notifiers: total %d, readed %d
Pnp[%d] %p %s %s addr %p
Pnp[%d] %s %s addr %p %s
check_pnp_handlers failed, error %d, status %X
check_pnp_handlers failed, error %d
PlugPlayHandlerTable: %d items
PlugPlayHandlerTable[%d] %p %s
PlugPlayHandlerTable[%d] %p
check_sess_notify, error %d, status %X
check_sess_notify, error %d
check_sess_notify: cannot alloc %X bytes (total %d)
check_sess_notify: read failed, error %d, status %X
check_sess_notify: read failed, error %d
IopSessionNotifications: %d
SessionNotifier[%d]: class %d len %X session %p cb %p %s
check_sess_term_ntfs failed, error %d, status %X
check_sess_term_ntfs failed, error %d
check_sess_term_ntfs: cannot alloc %X bytes (total %d)
check_sess_term_ntfs: read failed, error %d, status %X
check_sess_term_ntfs: read failed, error %d
LogonSessionTerminatedRoutines: %d
[%d] %p %s
check_fs_changes failed, error %d, status %X
check_fs_changes failed, error %d
check_fs_changes: cannot alloc %X bytes (total %d)
check_fs_changes: read failed, error %d, status %X
check_fs_changes: read failed, error %d
FS Change notifiers: %d (actual %d)
DriverObj %p addr %p %s
Cannot read count for %s, error %d
Count of %s is too big - %X
Cannot read %s table, error %d
Cannot read entry %d from table of %s, error %d
check_vista_cmp_list get count failed, error %d, status %X
check_vista_cmp_list get count failed, error %d
check_vista_cmp_list failed, error %d, status %X
check_vista_cmp_list failed, error %d
check_ai_cbs: cannot read ExpDisQueryAttributeInformation, error %d, ntstatus %X
check_ai_cbs: cannot read ExpDisQueryAttributeInformation, error %d
ExpDisQueryAttributeInformation %p %s
check_ai_cbs: cannot read ExpDisSetAttributeInformation, error %d, ntstatus %X
check_ai_cbs: cannot read ExpDisSetAttributeInformation, error %d
ExpDisSetAttributeInformation %p %s
check_dbgk_lkmd: cannot read DbgkLkmd_cblist, error %d, ntstatus %X
check_dbgk_lkmd: cannot read DbgkLkmd_cblist, error %d
DbgkLkmd[%d] callback %p %s
check_fsrtl: cannot read FltMgrCallbacks, error %d, ntstatus %X
check_fsrtl: cannot read FltMgrCallbacks, error %d
FltMgrCallbacks: %p %s
check_fsrtl: cannot read FsRtlpMupCalls, error %d, ntstatus %X
check_fsrtl: cannot read FsRtlpMupCalls, error %d
FsRtlpMupCalls: %p %s
check_Iof: cannot read pIofCallDriver, error %d, ntstatus %X
check_Iof: cannot read pIofCallDriver, error %d
pIofCallDriver %p patched by %s
check_Iof: cannot read pIofCompleteRequest, error %d, ntstatus %X
check_Iof: cannot read pIofCompleteRequest, error %d
pIofCompleteRequest %p patched by %s
check_Iof: cannot read pIoAllocateIrp, error %d, ntstatus %X
check_Iof: cannot read pIoAllocateIrp, error %d
pIoAllocateIrp %p patched by %s
check_Iof: cannot read pIoFreeIrp, error %d, ntstatus %X
check_Iof: cannot read pIoFreeIrp, error %d
pIoFreeIrp %p patched by %s
check_Iof: cannot read HvlpHypercallCodeVa, error %d, ntstatus %X
check_Iof: cannot read HvlpHypercallCodeVa, error %d
HvlpHypercallCodeVa %p patched by %s
%SystemRoot%\System32\sxssrv.dll
%SystemRoot%\System32\csrsrv.dll
%SystemRoot%\System32\basesrv.dll
%SystemRoot%\System32\winsrv.dll
%SystemRoot%\System32\lsasrv.dll
%SystemRoot%\System32\ntdll.dll
KiDebugRoutine %p hooked by %s
PspLegoNotifyRoutine %p hooked by %s
KiTimeUpdateNotifyRoutine %p hooked by %s
KiSwapContextNotifyRoutine %p hooked by %s
KiThreadSelectNotifyRoutine %p hooked by %s
Sysenter patched, addr %p not in %s !!!
Mailslot: %S
NamedPipe: %S
DEVCLASS_MULTIPORTSERIAL
DEVCLASS_PORTS
DEVCLASS_KEYBOARD
DEVCLASS_APMSUPPORT
read_dev_chrs(%S) failed, ntstatus %X
DrvObj %p name %S %s
DrvObj %p nameLen %X %s
dev_props failed, status %X
ClassGUID: %S
ClassGUID: %S - %s
Cannot open directory %S, error %X
Cannot realloc %d bytes
Cannot open device directory, error %X
Cannot open driver directory, error %X
Cannot open FileSystem directory, error %X
Unknown HAL private dispatch table version %X
HalAcpiTimerInit: %p %s
HalAcpiTimerCarry: %p %s
HalAcpiMachineStateInit: %p %s
HalAcpiQueryFlags: %p %s
HalAcpiPicStateIntact: %p %s
HalRestoreInterruptControllerState: %p %s
HalPciInterfaceReadConfig: %p %s
HalPciInterfaceWriteConfig: %p %s
HalSetVectorState: %p %s
HalGetApicVersion: %p %s
HalSetMaxLegacyPciBusNumber: %p %s
HalIsVectorValid: %p %s
HalAcpiGetTableDispatch: %p %s
HalAcpiGetRsdpDispatch: %p %s
HalAcpiGetFacsMappingDispatch: %p %s
HalAcpiGetAllTablesDispatch: %p %s
HalAcpiPmRegisterAvailable: %p %s
HalAcpiPmRegisterRead: %p %s
HalAcpiPmRegisterWrite: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
HalMmMemoryUsage: %p %s
HalAllocateMapRegisters: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalAllocateMapRegisters: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalTscSynchronization: %p %s
HalWheaInitProcessorGenericSection: %p %s
HalStopLegacyUsbInterrupts: %p %s
HalReadWheaPhysicalMemory: %p %s
HalWriteWheaPhysicalMemory: %p %s
HalDpMaskLevelTriggeredInterrupts: %p %s
HalDpUnmaskLevelTriggeredInterrupts: %p %s
HalDpGetInterruptReplayState: %p %s
HalDpReplayInterrupts: %p %s
HalQueryIoPortAccessSupported: %p %s
HalHandlerForBus: %p %s
HalHandlerForConfigSpace: %p %s
HalLocateHiberRanges: %p %s
HalRegisterBusHandler: %p %s
HalSetWakeEnable: %p %s
HalSetWakeAlarm: %p %s
HalPciTranslateBusAddress: %p %s
HalPciAssignSlotResources: %p %s
HalHaltSystem: %p %s
HalFindBusAddressTranslation: %p %s
HalResetDisplay: %p %s
HalAllocateMapRegisters: %p %s
KdSetupPciDeviceForDebugging: %p %s
KdReleasePciDeviceforDebugging: %p %s
KdGetAcpiTablePhase0: %p %s
KdCheckPowerButton: %p %s
HalVectorToIDTEntry: %p %s
KdMapPhysicalMemory64: %p %s
KdUnmapVirtualAddress: %p %s
KdGetPciDataByOffset: %p %s
KdSetPciDataByOffset: %p %s
HalGetInterruptVector: %p %s
HalGetVectorInput: %p %s
HalLoadMicrocode: %p %s
HalUnloadMicrocode: %p %s
HalMcUpdatePostUpdate: %p %s
HalAllocateMessageTarget: %p %s
HalFreeMessageTarget: %p %s
HalDpReplaceBegin: %p %s
HalDpReplaceTarget: %p %s
HalDpReplaceControl: %p %s
HalDpReplaceEnd: %p %s
HalPrepareForBugcheck: %p %s
HalQueryWakeTime: %p %s
HalReportIdleStateUsage: %p %s
HalTscSynchronization: %p %s
HalWheaInitProcessorGenericSection: %p %s
HalStopLegacyUsbInterrupts: %p %s
HalReadWheaPhysicalMemory: %p %s
HalWriteWheaPhysicalMemory: %p %s
HalInterruptMaskLevelTriggeredLines: %p %s
HalInterruptUnmaskLevelTriggeredLines: %p %s
HalDpGetInterruptReplayState: %p %s
HalDpReplayInterrupts: %p %s
HalQueryIoPortAccessSupported: %p %s
KdSetupIntegratedDeviceForDebugging: %p %s
KdReleaseIntegratedDeviceForDebugging: %p %s
HalEnlightenmentInitialize: %p %s
HalAllocateEarlyPages: %p %s
HalMapEarlyPages: %p %s
HalTimerGetClockOwner: %p %s
HalTimerGetClockConfiguration: %p %s
HalTimerNotifyProcessorFreeze: %p %s
HalTimerPrepareProcessorForIdle: %p %s
HalDiagRegisterLogRoutine: %p %s
HalTimerResumeProcessorFromIdle: %p %s
HalTimerResetLastClockTick: %p %s
HalVectorToIDTEntryEx: %p %s
HalSecondaryInterruptQueryPrimaryInformation: %p %s
HalMaskInterrupt: %p %s
HalUnmaskInterrupt: %p %s
HalIsInterruptTypeSecondary: %p %s
HalAllocateGsivForSecondaryInterrupt: %p %s
HalAddInterruptRemapping: %p %s
HalRemoveInterruptRemapping: %p %s
HalSaveAndDisableEnlightenment: %p %s
HalRestoreHvEnlightenment: %p %s
HalPciEarlyRestore: %p %s
HalInterruptGetLocalIdentifier: %p %s
HalAllocatePmcCounterSet: %p %s
HalCollectPmcCounters: %p %s
HalFreePmcCounterSet: %p %s
HalTimerQueryCycleCounter: %p %s
HalTimerGetNextTickDuration: %p %s
HalPciMarkHiberPhase: %p %s
HalInterruptQueryProcessorRestartEntryPoint: %p %s
HalInterruptRequestSecondaryInterrupt: %p %s
HalInterruptEnumerateUnmaskedInterrupts: %p %s
HalBiosDisplayReset: %p %s
HalGetDmaAdapter: %p %s
HalCheckPowerButton: %p %s
HalMapPhysicalMemoryWriteThrough64: %p %s
HalUnmapVirtualAddress: %p %s
HalKdReadPCIConfig: %p %s
HalKdWritePCIConfig: %p %s
HalTimerQueryWakeTime: %p %s
HalTimerReportIdleStateUsage: %p %s
HalKdEnumerateDebuggingDevices: %p %s
HalFlushIoRectangleExternalCache: %p %s
HalPowerEarlyRestore: %p %s
HalQueryCapsuleCapabilities: %p %s
HalUpdateCapsule: %p %s
HalPciMultiStageResumeCapable: %p %s
check_hal_private_disp_table: cannot read table, error %d, ntstatus %X
check_hal_private_disp_table: cannot read table, error %d
check_hal_disp_table: cannot read table, error %d, ntstatus %X
check_hal_disp_table: cannot read table, error %d
HalQuerySystemInformation: %p %s
HalSetSystemInformation: %p %s
HalQueryBusSlots: %p %s
HalExamineMBR: %p %s
HalIoReadPartitionTable: %p %s
HalIoSetPartitionInformation: %p %s
HalIoWritePartitionTable: %p %s
HalReferenceHandlerForBus %p %s
HalReferenceBusHandler %p %s
HalDereferenceBusHandler %p %s
HalInitPnpDriver %p %s
HalInitPowerManagement %p %s
HalGetDmaAdapter %p %s
HalGetInterruptTranslator %p %s
HalStartMirroring %p %s
HalEndMirroring %p %s
HalMirrorPhysicalMemory %p %s
HalEndOfBoot %p %s
HalMirrorVerify %p %s
HalGetCachedAcpiTable %p %s
HalSetPciErrorHandlerCallback %p %s
read_hal_apci_disp_table return %X bytes, error %d, ntstatus %X
read_hal_apci_disp_table return %X bytes, error %d
Bad HalAcpiDispatchTable version: %X
read_gdt_size failed, error %d, ntstatus %X
read_gdt_size failed, error %d
Cannot alloc %d bytes for GDT entries
read_gdt failed, error %d, ntstatus %X
read_gdt failed, error %d
Descriptor[%d] %s S %d DPL %d type %X base %X limit %X
WinChecker::dump_ldt failed, error %X, ntstatus %X
WinChecker::dump_ldt failed, error %X
WinChecker::dump_ldt: cannot alloc ldt array, size %X
Ldt[%d]:
Base: X
Limit: X
AVL: %d
D/B: %d
DPL: %d
G: %d
P: %d
S: %d
Type: %d
Cannot read code for kinterrupt(%X) thunk, error %d
IDT patched: unknown type %X selector %X addr %p for int%X
IDT patched: unknown selector %X for int%X
IDT patched: int%X has unknown selector %X base %X limit %X addr %p
IDT patched: int%X addr %p by module %s
IDT int%X addr %p KINTERRUPT %p
IDT patched: int%X addr %p
Int%X: selector %X type TASK DPL %X base %X limit %X
Int%X: selector %X type %X DPL %X addr %p base %X limit %X
Int%X: selector %X type %X DPL %X addr %p
read_idt_size failed, error %d, ntstatus %X
read_idt_size failed, error %d
read_idt: cannot alloc %d bytes for IDT storage
read_idt failed, error %d, ntstatus %X
read_idt failed, error %d
Cannot read kinterrupt (%X), error %d
KInterrupt %X (%p):
Size %X type %X
ServiceRoutine %p %s
DispatchAddress %p %s
check_ob_types: cannot read size of ObTypes list, error %d, ntstatus %X
check_ob_types: cannot read size of ObTypes list, error %d
check_ob_types: cannot read %d bytes (readed %d), error %d, ntstatus %X
check_ob_types: cannot read %d bytes (readed %d), error %d
fill_ob_type: cannot read ObType %S (%X), error %d
Cannot read ObType %S (%X), error %d
ObType %S:
DumpProcedure: %p %s
OpenProcedure: %p %s
CloseProcedure: %p %s
DeleteProcedure: %p %s
ParseProcedure: %p %s
SecurityProcedure: %p %s
QueryNameProcedure: %p %s
OkayToCloseProcedure: %p %s
ZwAlpcConnectPortEx
ZwOpenKeyTransactedEx
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwCreateKeyTransacted
ZwAlpcSendWaitReceivePort
ZwAlpcImpersonateClientOfPort
ZwAlpcDisconnectPort
ZwAlpcDeletePortSection
ZwAlpcCreatePortSection
ZwAlpcCreatePort
ZwAlpcConnectPort
ZwAlpcAcceptConnectPort
ZwUnloadKey2
ZwQueryOpenSubKeysEx
ZwLoadKeyEx
ZwQueryPortInformationProcess
ZwWaitForKeyedEvent
ZwReleaseKeyedEvent
ZwOpenKeyedEvent
ZwCreateKeyedEvent
ZwUnloadKeyEx
ZwSaveKeyEx
ZwRenameKey
ZwLockRegistryKey
ZwLockProductActivationKeys
ZwCompressKey
ZwCompactKeys
ZwYieldExecution
ZwUnloadKey
ZwSetValueKey
ZwSetThreadExecutionState
ZwSetInformationKey
ZwSetDefaultHardErrorPort
ZwSecureConnectPort
ZwSaveMergedKeys
ZwSaveKey
ZwRestoreKey
ZwRequestWaitReplyPort
ZwRequestPort
ZwReplyWaitReplyPort
ZwReplyWaitReceivePortEx
ZwReplyWaitReceivePort
ZwReplyPort
ZwReplaceKey
ZwRegisterThreadTerminatePort
ZwQueryValueKey
ZwQueryOpenSubKeys
ZwQueryMultipleValueKey
ZwQueryKey
ZwQueryInformationPort
ZwOpenKey
ZwNotifyChangeMultipleKeys
ZwNotifyChangeKey
ZwLoadKey2
ZwLoadKey
ZwListenPort
ZwImpersonateClientOfPort
ZwFlushKey
ZwEnumerateValueKey
ZwEnumerateKey
ZwDeleteValueKey
ZwDeleteKey
ZwDelayExecution
ZwCreateWaitablePort
ZwCreatePort
ZwCreateNamedPipeFile
ZwCreateKey
ZwConnectPort
ZwCompleteConnectPort
ZwAcceptConnectPort
FindKiServiceTable: relocation type %d found at X
Cannot read body of %s !
Cannot extract index of %s, error %d
kernel %s don`t contains KeServiceDescriptorTable function !
Cannot find SDT in %s
Cannot read ntdll.dll
Cannot read body of %s!
Cannot read body of ZwYieldExecution!
Cannot extract index of ZwYieldExecution, error %d
Cannot extract index of ZwPlugPlayControl , error %d
%s: %p
SDT entry %X (%s) hooked %p %s!
SDT entry %X hooked %p %s!
Need unhook %d items in SSDT
UNHOOK_ITEM: Index %X Offset %X
Unhook SSDT failed, lasterror %d
Unhooked %d SSDT items
NtUserSetProcessRestrictionExemption
NtUserAcquireIAMKey
NtGdiDdDDICreateKeyedMutex2
NtGdiDdDDIOpenKeyedMutex2
NtGdiDdDDIAcquireKeyedMutex2
NtGdiDdDDIReleaseKeyedMutex2
NtUserSetTHQAPublicKey
NtGdiDdDDIReleaseKeyedMutex
NtGdiDdDDIAcquireKeyedMutex
NtGdiDdDDIDestroyKeyedMutex
NtGdiDdDDIOpenKeyedMutex
NtGdiDdDDICreateKeyedMutex
NtUserEndTouchOperation
NtUserSfmDxReportPendingBindingsToDwm
NtGdiDDCCIGetTimingReport
NtUserUnregisterSessionPort
NtUserRegisterSessionPort
NtUserRegisterErrorReportingDialog
NtGdiSetOPMSigningKeyAndSequenceNumbers
NtGdiGetCertificateSize
NtGdiGetCertificate
NtUserWaitForMsgAndEvent
NtUserVkKeyScanEx
NtUserUnregisterHotKey
NtUserUnlockWindowStation
NtUserUnloadKeyboardLayout
NtUserUnhookWindowsHookEx
NtUserSetWindowStationUser
NtUserSetWindowsHookEx
NtUserSetWindowsHookAW
NtUserSetProcessWindowStation
NtUserSetKeyboardState
NtUserSetImeHotKey
NtUserSetConsoleReserveKeys
NtUserRegisterHotKey
NtUserOpenWindowStation
NtUserMapVirtualKeyEx
NtUserLockWindowStation
NtUserLoadKeyboardLayoutEx
NtUserGetProcessWindowStation
NtUserGetKeyState
NtUserGetKeyNameText
NtUserGetKeyboardState
NtUserGetKeyboardLayoutName
NtUserGetKeyboardLayoutList
NtUserGetImeHotKey
NtUserGetCPD
NtUserGetAsyncKeyState
NtUserCreateWindowStation
NtUserCloseWindowStation
NtUserCheckImeHotKey
NtUserCallMsgFilter
NtUserAlterWindowStyle
NtUserActivateKeyboardLayout
NtGdiScaleViewportExtEx
NtGdiDvpWaitForVideoPortSync
NtGdiDvpUpdateVideoPort
NtGdiDvpGetVideoPortConnectInfo
NtGdiDvpGetVideoPortOutputFormats
NtGdiDvpGetVideoPortLine
NtGdiDvpGetVideoPortInputFormats
NtGdiDvpGetVideoPortFlipStatus
NtGdiDvpGetVideoPortField
NtGdiDvpGetVideoPortBandwidth
NtGdiDvpFlipVideoPort
NtGdiDvpDestroyVideoPort
NtGdiDvpCreateVideoPort
NtGdiDvpCanCreateVideoPort
NtGdiDdSetColorKey
read_shadow_sdt failed, error %d
check_win32k_sdt: cannot alloc %d bytes
Cannot read win32k_sdt at %p size %X, error %d
win32k_sdt[%d] (%s) hooked, addr %p %s
win32k_sdt[%d] hooked, addr %p %s
GetNamedPipeServerProcessId
read_kddb read %X bytes, error %d
cannot read MmNonPagedPoolStart (%p), error %d
cannot read MmNonPagedPoolEnd (%p), error %d
cannot read MmPagedPoolStart (%p), error %d
cannot read MmPagedPoolEnd (%p), error %d
cannot read KernelVerifier (%p), error %d
WindowsType: %S
ETHREAD.StartAddress %X
KiProcessorBlock: %p (%X)
KernelVerifier: %X
KeBugCheckCallbackList: %p (%X)
WorkerRoutine: %p %s
IdleFunction: %p %s
IdleFunction: %p %s
KPRCB[%d].WorkerRoutine: %p %s
KPRCB[%d].IdleFunction: %p %s
KPRCB[%d].IdleFunction: %p %s
read_kpcr return %X bytes, error %d, ntstatus %X
read_kpcr return %X bytes, error %d
KPCR[%d] %p major %X minor %X
KPCR[%d] %p
get_os_info return %X bytes, error %d, ntstatus %X
get_os_info return %X bytes, error %d
NtMajorVersion: %d
NtMinorVersion: %d
BuildNumber: %d
GlobalFlag: %X
Processors: %d
MmVerifierFlags %d
MmSystemSize %d %s
DebuggerEnabled %d
DebuggerNotPresent %d
SafeBootMode %d
NXSupportPolicy %X
CR0 %8.8X %s
CR4 %8.8X %s
Cannot open mailslot %S, error %d
get_mail_slot_owner(%S): returned %d bytes, error %d, ntstatus %X
get_mail_slot_owner(%S): returned %d bytes, error %d
Cannot open named pipe %S, error %d
GetNamedPipeServerProcessId(%S) failed, error %d
get_named_pipe_owner(%S): returned %d bytes, error %d, ntstatus %X
get_named_pipe_owner(%S): returned %d bytes, error %d
read_lpc_port_chars: len %d, returned %d bytes, error %d, ntstatus %X
read_lpc_port_chars: len %d, returned %d bytes, error %d
read_unicode_string: len %d, returned %d bytes, error %d, ntstatus %X
read_unicode_string: len %d, returned %d bytes, error %d
read_drivers_list: cannot get size of drivers list, returned %d bytes, error %d, ntstatus %X
read_drivers_list: cannot get size of drivers list, returned %d bytes, error %d
read_drivers_list: cannot alloc %X bytes for driver list
read_drivers_list: cannot read drivers list, error %d, ntstatus %X
read_drivers_list: cannot read drivers list, error %d
%p:%X flags %X LoadCount %d %s
read_KiThreadSelectNotifyRoutine failed, error %d
read_KiSwapContextNotifyRoutine failed, error %d
read_KiTimeUpdateNotifyRoutine failed, error %d
read_PspLegoNotifyRoutine failed, error %d
read_KiDebugRoutine failed, error %d
read_msrs failed, error %d, ntstatus %X
read_msrs failed, error %d
IManageProcess: Cannot OpenProcess %d
IManageProcess: Cannot open process %d
read_win32_process for PID %X failed, error %d, status %X
read_win32_process for PID %X failed, error %d
read_dword(%p, PID %d) failed, error %d, ntstatus %X
read_dword(%p, PID %d) failed, error %d
read_ptr(%p, PID %d) failed, error %d, ntstatus %X
read_ptr(%p, PID %d) failed, error %d
rp_ReadProcessMemory(%p size %X) from %p error %d
read_token for PID %X failed, error %d, status %X
read_token for PID %X failed, error %d
open_proc(%d, access %X) failed, error %d, ntstatus %X
open_proc(%d, access %X) failed, error %d
rp_OpenProcess(%d, access %X) dwRet %d, error %d
rp_TerminateProcess(%p, %X) dwRet %d, error %d
Major %d Minor %d BuildNumber %d PlatformId %d ServicePackMajor %d ServicePackMinor %d SuiteMask %d ProductType %d CSDVersion %S
ProductType: %X
Cannot open RPC control, error %X
msgsvcsend
_ILocalObjectExporter
IVsShell
IWbemLoginClientID
ICertProtect
_IBTFTPApiEvents
_s_PasswordRecovery
wininet_UrlCache
_IObjectExporter
WMsgAPIs
WMsgKAPIs
INCryptKeyIso
HttpProxyMgrProvider
IKeySvcR
WcnTransportRpc
IPortResolve
IWbemLoginHelper
LRpcSIDKey
ISmartCardRootCerts
IDebugPortSupplier2
IAsyncOperation
IPipelineElement
OnlineProviderCertInterface
IBackgroundCopyJobHttpOptions
HttpProxyMgrClient
IStaticPortMappingCollection
IKeySvc
s_WindowsShutdown
IWebBrowser2
IDebugPortSupplierLocale2
IUPnPHttpHeaderControl
WINHTTP_AUTOPROXY_SERVICE
IErcLuaSupport
IDebugPortSupplier3
IKeySvc2
BackupKey
IWerReport
ICertPassage
IStaticPortMapping
IDebugPortSupplierEx2
IWbemLevel1Login
IWebBrowserApp
msgsvc
IShellWindows
RpcBindingFromStringBinding(%S) failed: %d
RpcMgmtInqIfIds(%S) failed: %d
RpcStringBindingCompose failed: %d
RpcBindingFromStringBinding failed: %d
RpcMgmtInqIfIds failed: %d
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d : %s
%8.8X-%4.4X-%4.4X-%2.2X%2.2X-%2.2X%2.2X%2.2X%2.2X%2.2X%2.2X version %d.%d : (%s)
RpcMgmtEpEltInqBegin failed: %d
Cannot read npc table, readed %X bytes
rpcrt4
%s.AddressChangeFn: %p %s
rpcrt4_hack::check_myself: exception %d occured
rpcrt4_hack::try_hack: cannot find RpcServerRegisterIfEx
I_RpcInitNdrImports
load_driver(%S) returned %X
Loaded kernel driver: %S
Error loading kernel driver: %ls - 0xx
Error loading kernel driver: %S - 0xx
Error loading kernel driver: %S - OpenSCManager 0xx
tcpip
ClientImmProcessKey
fnHkOPTINLPEVENTMSG
fnHkINLPMSG
fnSENTDDEMSG
fnDWORDOPTINLPMSG
RealMsgWaitForMultipleObjectsEx
PEB.KernelCallbackTable patched, %p
user32_hack::try_hack: bad PE passed
user32_hack::try_hack: cannot read import table
pfnWowMsgBoxIndirectCallback
Unknown apfnDispatch size: %d
%s_hack::try_hack: bad PE passed
%s_hack::try_hack: cannot read exports, error %d
%s_hack::try_hack: cannot find section .data
%s_hack::try_hack: cannot read section .data
%s_hack::try_hack: cannot read section .rdata
%s_hack::try_hack: cannot find section .text
%s_hack::try_hack: cannot read section .text
DxgkReleaseKeyedMutex2
DxgkAcquireKeyedMutex2
DxgkOpenKeyedMutex2
DxgkCreateKeyedMutex2
DxgkReleaseKeyedMutex
DxgkAcquireKeyedMutex
DxgkDestroyKeyedMutex
DxgkOpenKeyedMutex
DxgkCreateKeyedMutex
Cannot read gDxgkInterface, readed %X bytes
WindowHasShadow
DisableProcessWindowsGhosting
zzzUnhookWindowsHook
xxxUpdateWindows
xxxArrangeIconicWindows
SetWindowState
ClearWindowState
SetMsgBox
GetKeyboardType
GetKeyboardLayout
RemotePassthruDisable
xxxRemotePassthruEnable
Cannot read gpsi, readed %X bytes
Cannot read gpsi handlers, readed %X bytes
Cannot read apfnSimpleCall, readed %X bytes
Cannot read gapfnMessageCall, readed %X bytes
Cannot read gapfnScSendMessage, readed %X bytes
Cannot read gaNewProcAddresses, readed %X bytes
Cannot open logfile %S
Cannot create stop event, error %d
Driver %S loaded from %S
SrvGetConsoleKeyboardLayoutName
SrvSetConsoleKeyShortcuts
SrvGetConsoleAliasExes
SrvGetConsoleAliasExesLength
SrvVDMConsoleOperation
SrvGetLargestConsoleWindowSize
SrvExitWindowsEx
winsrv.dll
Unknown size of ConsoleServerApiDispatchTable: %d
Unknown size of UserServerApiDispatchTable: %d
CallUserpExitWindowsEx
GetConsoleAliasExesInternal
GetConsoleAliasExesLengthInternal
SetConsoleKeyShortcuts
GetConsoleKeyboardLayoutNameWorker
SetConsoleOutputCPInternal
GetConsoleOutputCP
GetLargestConsoleWindowSize
reg_ccs_services::read failed - error %d
Cannot open key %S, error %d
SafeSecondaryLog(%d) failed, error %d
SafeSecondaryLog failed, error %d
SafeSendLog(%d) failed, error %d
SafeSendLog failed, error %d
Bad memory %p len %X in dump_hex_buffer
Cannot alloc %d bytes for delayed imports
Cannot alloc %d bytes for imports
read_import_safe(%s) failed %X
Cannot realloc %d bytes for iat
read_delayed_safe(%s) failed %X
store2md_cache: cannot alloc %d bytes
store2md_cache: cannot realloc, alloced %d bytes
wdigest.dll
tspkg.dll
schannel.dll
pku2u.dll
negoexts.dll
msv1_0.dll
livessp.dll
kerberos.dll
umpnpmgr.dll
combase.dll
ntdsa.dll
ntdll.dll
cryptbase.dll
ncrypt.dll
rpcrt4.dll
imm32.dll
user32.dll
kernelbase.dll
kernel32.dll
advapi32.dll
ole32.dll
Cannot alloc %X bytes for relocs
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
WS2_32.dll
RPCRT4.dll
GetProcessHeap
GetWindowsDirectoryA
KERNEL32.dll
RegCloseKey
RegOpenKeyExW
RegOpenKeyExA
RegCreateKeyExW
ADVAPI32.dll
GetWindowsDirectoryW
GetCPInfo
RegQueryInfoKeyW
RegEnumKeyW
zcÁ
.?AVMyWindowsChecker@@
.?AV?$rpcrt4_hack@U_IMAGE_NT_HEADERS@@@@
.?AVtcpip_hack@@
.?AV?$import_holder@U_IMAGE_NT_HEADERS@@@CMN@@
.?AVinmem_import_holder@CMN@@
.?AVimport_holder_intf@CMN@@
.?AVmodule_import@CMN@@
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
aR.Rn
X.UJ^A
w%xyW
f.Gkf
%0X0m0
>$?(?,?0?
3&4;456?90:
77g7
7>7[7`7|7
6#8*878^8~8
<#<0<^<@=
11_1
0#101#202
0 11h1J3
< <$<(<,<0<
6%7S7
7*717>7[8
=!>&>9>>>
7&7@7l78N8V8z8
:);4;>;\;
0%0X0
= >$>(>,>0>
?,?4?<?\?|?
.----/01/01/01
KERNEL32.DLL
mscoree.dll
U%SystemRoot%\system32\svchost.exe
%SystemRoot%\system32\svchost
WSOCKTRANSPORT
TCPIP6
TCPIP
STORPORT
STORMINIPORT
SOFTPCI
SCSIPORT
SCSIMINIPORT
SBP2PORT
FCPORT
PassiveWatchdogTimeout
sImageExecutionOptions
ErrorPortStartTimeout
ErrorPortCommTimeout
DisablePagingExecutive
DebuggerMaxModuleMsgs
CountOperations
B\\.\
Psapi.dll
sWindows PowerShell
tHost Process for Windows Tasks
Windows Problem Reporting 32 bit
Windows Problem Reporting
Windows Modules Installer
mWindows Start-Up Application
tWindows Search Indexer
sWindows Server Initial Configuration Tasks
Windows Media Player
Dump Reporting Tool
Error Reporter
rWindows Control Panel 32 bit
Windows Control Panel
Windows Connect Now - Config Registrar Service
Windows Media Player Network Sharing Service
Windows firewall
Windows Error Reporting Service
tWindows Defender
vError reporting service
eWindows update service
Windows Image Acquisition
WebClient
tWindows Security Center Notification App
yWindows Based Script Host
Windows installer 32 bit
Windows installer
Windows 16-bit Virtual Machine
Windows Management Instrumentation
Windows User Mode Driver Manager
MS tftp
MS ftp 32 bit
MS ftp
Microsoft Help and Support Center
Cmd.exe 32 bit
Cmd.exe
Windows Logon User Interface Host
Windows update
tGoogle Chrome
rOpera Internet Browser
Mozilla Thunderbird Mail and News Client
dFirefox browser
Services.exe
%SystemRoot%\msagent\agentsvr.exe
%SystemRoot%\System32\dfrgfat.exe
%SystemRoot%\System32\dfrgntfs.exe
%SystemRoot%\System32\services.exe
%SystemRoot%\System32\svchost.exe
%SystemRoot%\System32\alg.exe
%SystemRoot%\System32\spoolsv.exe
%SystemRoot%\System32\net.exe
%SystemRoot%\System32\net1.exe
%SystemRoot%\System32\cmd.exe
%SystemRoot%\System32\notepad.exe
%SystemRoot%\System32\calc.exe
%SystemRoot%\System32\PTF.exe
%SystemRoot%\System32\tPTF.exe
%SystemRoot%\System32\telnet.exe
%SystemRoot%\System32\taskkill.exe
%SystemRoot%\System32\ctfmon.exe
%SystemRoot%\System32\wdfmgr.exe
%SystemRoot%\System32\mmc.exe
%SystemRoot%\System32\userinit.exe
%SystemRoot%\System32\wbem\wmiprvse.exe
%SystemRoot%\System32\wbem\wmiadap.exe
%SystemRoot%\explorer.exe
%SystemRoot%\System32\lsass.exe
%SystemRoot%\System32\winlogon.exe
%SystemRoot%\System32\LogonUI.exe
%SystemRoot%\System32\wuauclt.exe
%SystemRoot%\System32\wuauclt1.exe
%SystemRoot%\System32\CCM\CcmExec.exe
%SystemRoot%\System32\csrss.exe
%SystemRoot%\System32\smss.exe
\SystemRoot\System32\smss.exe
%SystemRoot%\System32\inetsrv\w3wp.exe
%SystemRoot%\System32\schtasks.exe
%SystemRoot%\System32\tstheme.exe
%SystemRoot%\System32\control.exe
%SystemRoot%\System32\taskmgr.exe
%SystemRoot%\System32\dwwin.exe
%SystemRoot%\System32\drwtsn32.exe
%SystemRoot%\System32\dumprep.exe
%SystemRoot%\System32\dfssvc.exe
%SystemRoot%\System32\dllhost.exe
%SystemRoot%\System32\ntvdm.exe
%SystemRoot%\System32\rundll32.exe
%SystemRoot%\System32\msiexec.exe
%SystemRoot%\System32\mshta.exe
%SystemRoot%\System32\regsvr32.exe
%SystemRoot%\System32\cscript.exe
%SystemRoot%\System32\wscript.exe
%SystemRoot%\System32\wscntfy.exe
%SystemRoot%\System32\mstsc.exe
%SystemRoot%\System32\dashost.exe
far.exe
Far.exe
CLSID\{FC7D9E02-3F9E-11d3-93C0-00C04F72DAF7}\InprocServer32
CLSID\{73FDDC80-AEA9-101A-98A7-00AA00374959}\LocalServer32
CLSID\{0002DF01-0000-0000-C000-000000000046}\LocalServer32
iedw.exe
%SystemRoot%\System32\oobechk.exe
%SystemRoot%\System32\oobe.exe
%SystemRoot%\System32\psxss.exe
%SystemRoot%\System32\internat.exe
AcroRd32.exe
excel.exe
outlook.exe
winword.exe
powerpnt.exe
wmplayer.exe
firefox.exe
thunderbird.exe
Opera.exe
WinRAR.exe
%SystemRoot%\System32\wininit.exe
%SystemRoot%\System32\lsm.exe
%SystemRoot%\System32\dwm.exe
%SystemRoot%\System32\werfault.exe
%SystemRoot%\System32\taskeng.exe
%SystemRoot%\System32\conime.exe
%SystemRoot%\System32\wudfhost.exe
%SystemRoot%\System32\taskhost.exe
%SystemRoot%\System32\conhost.exe
%SystemRoot%\System32\rdpclip.exe
%SystemRoot%\System32\SearchFilterHost.exe
%SystemRoot%\System32\SearchProtocolHost.exe
csrss.exe
svchost.exe
alg.exe
sPptpMiniport
Tcpip
psapi.dll
127.0.0.1
\\.\pipe\
\\.\mailslot\
SOFTWARE\Microsoft\Windows NT\CurrentVersion
\\.\Pipe\
\\.\Mailslot\
ncacn_ip_tcp:
ncadg_ip_udp:
\\pipe\\
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\
SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell
RemediationExe
SOFTWARE\Classes\SCCM.VAppLauncher\shell\Open\command
SOFTWARE\Classes\CLSID\{00AAB372-0D6D-4976-B5F5-9BC7605E30BB}\LocalServer32
SOFTWARE\Classes\CLSID\{3C296D07-90AE-4FAC-86F9-65EAA8B82D22}\LocalServer32
SOFTWARE\Classes\CLSID\{D63B10C5-BB46-4990-A94F-E40B9D520160}\LocalServer32
SOFTWARE\Classes\CLSID\{03e64e17-b220-4052-9b9b-155f9cb8e016}\LocalServer32
SOFTWARE\Classes\CLSID\{1F69F884-285E-418E-9715-B9EEE402DD5F}\LocalServer32
Software\Microsoft\Windows\CurrentVersion\WINEVT\publishers
Windows checker
1.0.0.3432
wincheck.exe
0, 0, 8, 16

NesIMIQs.exe_944_rwx_05740000_00001000:

.text
`.rdata
@.data

NesIMIQs.exe_944_rwx_05750000_00001000:

.text
`.rdata
@.data

NesIMIQs.exe_944_rwx_06010000_00001000:

notepad.exe "%Documents and Settings%\%current user%\myfile"

NesIMIQs.exe_944_rwx_06020000_00001000:

%Documents and Settings%\%current user%\myfile

reIEcoQI.exe_348_rwx_00401000_00069000:

3E.Pcq:P!V^
#%Xkq.
.JF{<
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
Y.aL9\
;.StH 
>.Qlx #6
2software\microsoft\windows\currentversion\run
P.yrBX.
PB]%C
%FoS(
F<.cS

reIEcoQI.exe_348_rwx_00680000_00068000:

3E.Pcq:P!V^
#%Xkq.
.JF{<
U%Sa@
('%D^q-*
?|Q%f
SE?.rn~M*
.Dhe4
E.IdJWH
%k%cn>x_
?%uRc!
%3.UGiO0
]w.LQ
I 4keyy
L%C['
7.BLP
;.StH 
>.Qlx #6
$g.Gd
P.yrBX.
PB]%C
%FoS(
F<.cS

reIEcoQI.exe_348_rwx_00700000_00001000:

%WinDir%\TEMP

reIEcoQI.exe_348_rwx_00940000_00001000:

%Documents and Settings%\LocalService\dUskcAww\fGAwoYMM

reIEcoQI.exe_348_rwx_00950000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs

reIEcoQI.exe_348_rwx_00960000_00001000:

%Documents and Settings%\LocalService\dUskcAww\fGAwoYMM.inf

reIEcoQI.exe_348_rwx_00970000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.inf

reIEcoQI.exe_348_rwx_00980000_00001000:

%Documents and Settings%\LocalService\dUskcAww\fGAwoYMM.exe

reIEcoQI.exe_348_rwx_00990000_00001000:

%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe

reIEcoQI.exe_348_rwx_009C0000_00001000:

fGAwoYMM.exe

reIEcoQI.exe_348_rwx_009D0000_00001000:

NesIMIQs.exe

reIEcoQI.exe_348_rwx_009E0000_00001000:

taskkill /FI "USERNAME eq SYSTEM" /F /IM fGAwoYMM.exe

reIEcoQI.exe_348_rwx_009F0000_00001000:

taskkill /FI "USERNAME eq SYSTEM" /F /IM NesIMIQs.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    cscript.exe:3920
    cscript.exe:2848
    cscript.exe:1148
    cscript.exe:3288
    cscript.exe:1308
    cscript.exe:3048
    cscript.exe:1224
    cscript.exe:3324
    cscript.exe:4020
    cscript.exe:2092
    cscript.exe:3044
    cscript.exe:3652
    cscript.exe:3556
    cscript.exe:1948
    cscript.exe:3284
    cscript.exe:2488
    cscript.exe:2324
    cscript.exe:1940
    cscript.exe:2328
    cscript.exe:2528
    cscript.exe:1944
    cscript.exe:3856
    cscript.exe:2248
    cscript.exe:2292
    cscript.exe:2244
    cscript.exe:3180
    cscript.exe:2844
    cscript.exe:2464
    cscript.exe:3488
    cscript.exe:1096
    cscript.exe:3764
    cscript.exe:3568
    cscript.exe:3768
    cscript.exe:3480
    cscript.exe:3936
    cscript.exe:2856
    cscript.exe:3400
    cscript.exe:3204
    cscript.exe:264
    cscript.exe:3408
    cscript.exe:3644
    cscript.exe:1556
    cscript.exe:1060
    cscript.exe:3036
    cscript.exe:3240
    cscript.exe:2496
    cscript.exe:536
    cscript.exe:2096
    cscript.exe:412
    cscript.exe:2416
    cscript.exe:2792
    cscript.exe:2252
    cscript.exe:2148
    cscript.exe:2288
    cscript.exe:4076
    cscript.exe:2872
    cscript.exe:3940
    cscript.exe:1328
    cscript.exe:1236
    cscript.exe:1088
    cscript.exe:2104
    cscript.exe:2828
    cscript.exe:3148
    cscript.exe:2784
    cscript.exe:3384
    cscript.exe:3380
    cscript.exe:3932
    cscript.exe:2788
    cscript.exe:3388
    cscript.exe:2664
    cscript.exe:2144
    cscript.exe:2260
    cscript.exe:2668
    cscript.exe:3580
    cscript.exe:3664
    cscript.exe:3956
    cscript.exe:2768
    cscript.exe:3816
    cscript.exe:2444
    cscript.exe:2524
    cscript.exe:3588
    cscript.exe:2932
    cscript.exe:4060
    cscript.exe:3668
    cscript.exe:3156
    cscript.exe:3456
    cscript.exe:3312
    cscript.exe:2832
    cscript.exe:4056
    cscript.exe:2044
    cscript.exe:2276
    cscript.exe:4052
    cscript.exe:3016
    cscript.exe:1648
    cscript.exe:3468
    cscript.exe:3968
    cscript.exe:2164
    cscript.exe:1984
    cscript.exe:432
    cscript.exe:3120
    cscript.exe:2372
    cscript.exe:2928
    cscript.exe:620
    cscript.exe:3808
    cscript.exe:2592
    cscript.exe:572
    cscript.exe:2920
    cscript.exe:2808
    cscript.exe:3124
    cscript.exe:252
    cscript.exe:3452
    cscript.exe:2568
    cscript.exe:1632
    cscript.exe:3368
    cscript.exe:1980
    cscript.exe:2056
    cscript.exe:4068
    cscript.exe:2904
    cscript.exe:4064
    cscript.exe:2688
    cscript.exe:2368
    cscript.exe:2364
    cscript.exe:3080
    cscript.exe:2812
    cscript.exe:560
    cscript.exe:3872
    cscript.exe:2588
    cscript.exe:3072
    cscript.exe:228
    cscript.exe:3172
    cscript.exe:2952
    cscript.exe:1916
    cscript.exe:3884
    cscript.exe:3904
    cscript.exe:3688
    cscript.exe:2216
    cscript.exe:1624
    cscript.exe:2896
    cscript.exe:1748
    cscript.exe:2696
    cscript.exe:2516
    cscript.exe:2080
    cscript.exe:2512
    cscript.exe:3188
    cscript.exe:2860
    cscript.exe:4084
    cscript.exe:3636
    cscript.exe:2432
    cscript.exe:3864
    cscript.exe:3532
    cscript.exe:1896
    cscript.exe:3228
    cscript.exe:2992
    cscript.exe:2228
    cscript.exe:3340
    cscript.exe:1612
    cscript.exe:2220
    cscript.exe:2420
    cscript.exe:320
    cscript.exe:1692
    cscript.exe:2492
    cscript.exe:2504
    cscript.exe:3524
    cscript.exe:4092
    cscript.exe:204
    cscript.exe:2720
    cscript.exe:2728
    cscript.exe:3700
    cscript.exe:484
    cscript.exe:2340
    cscript.exe:1280
    cscript.exe:4012
    cscript.exe:3788
    cscript.exe:3420
    cscript.exe:4016
    cscript.exe:2084
    cscript.exe:3988
    cscript.exe:3980
    cscript.exe:2224
    %original file name%.exe:216
    %original file name%.exe:3920
    %original file name%.exe:2980
    %original file name%.exe:2960
    %original file name%.exe:4004
    %original file name%.exe:3928
    %original file name%.exe:1260
    %original file name%.exe:3492
    %original file name%.exe:2840
    %original file name%.exe:3416
    %original file name%.exe:4028
    %original file name%.exe:3556
    %original file name%.exe:3552
    %original file name%.exe:1940
    %original file name%.exe:2528
    %original file name%.exe:2404
    %original file name%.exe:3816
    %original file name%.exe:1468
    %original file name%.exe:2152
    %original file name%.exe:2652
    %original file name%.exe:2240
    %original file name%.exe:3760
    %original file name%.exe:2708
    %original file name%.exe:3832
    %original file name%.exe:3768
    %original file name%.exe:2704
    %original file name%.exe:2468
    %original file name%.exe:2924
    %original file name%.exe:3336
    %original file name%.exe:1496
    %original file name%.exe:2260
    %original file name%.exe:3640
    %original file name%.exe:3248
    %original file name%.exe:3036
    %original file name%.exe:3200
    %original file name%.exe:2312
    %original file name%.exe:3840
    %original file name%.exe:2144
    %original file name%.exe:2392
    %original file name%.exe:532
    %original file name%.exe:2252
    %original file name%.exe:2288
    %original file name%.exe:3680
    %original file name%.exe:2196
    %original file name%.exe:1080
    %original file name%.exe:3276
    %original file name%.exe:3144
    %original file name%.exe:3308
    %original file name%.exe:3148
    %original file name%.exe:2600
    %original file name%.exe:2784
    %original file name%.exe:304
    %original file name%.exe:3380
    %original file name%.exe:3576
    %original file name%.exe:2788
    %original file name%.exe:2380
    %original file name%.exe:2268
    %original file name%.exe:2660
    %original file name%.exe:1652
    %original file name%.exe:2072
    %original file name%.exe:364
    %original file name%.exe:4060
    %original file name%.exe:2076
    %original file name%.exe:3844
    %original file name%.exe:308
    %original file name%.exe:1236
    %original file name%.exe:3584
    %original file name%.exe:2444
    %original file name%.exe:2524
    %original file name%.exe:300
    %original file name%.exe:2284
    %original file name%.exe:2448
    %original file name%.exe:2608
    %original file name%.exe:3668
    %original file name%.exe:3156
    %original file name%.exe:3456
    %original file name%.exe:3312
    %original file name%.exe:3012
    %original file name%.exe:908
    %original file name%.exe:1648
    %original file name%.exe:3096
    %original file name%.exe:2596
    %original file name%.exe:2612
    %original file name%.exe:624
    %original file name%.exe:2296
    %original file name%.exe:3056
    %original file name%.exe:1584
    %original file name%.exe:3168
    %original file name%.exe:252
    %original file name%.exe:3452
    %original file name%.exe:2568
    %original file name%.exe:1984
    %original file name%.exe:1624
    %original file name%.exe:3368
    %original file name%.exe:2056
    %original file name%.exe:3512
    %original file name%.exe:3360
    %original file name%.exe:3696
    %original file name%.exe:656
    %original file name%.exe:2688
    %original file name%.exe:2684
    %original file name%.exe:3084
    %original file name%.exe:2112
    %original file name%.exe:2680
    %original file name%.exe:3080
    %original file name%.exe:2116
    %original file name%.exe:2360
    %original file name%.exe:2584
    %original file name%.exe:560
    %original file name%.exe:3876
    %original file name%.exe:3072
    %original file name%.exe:2180
    %original file name%.exe:3520
    %original file name%.exe:3288
    %original file name%.exe:2956
    %original file name%.exe:3284
    %original file name%.exe:2952
    %original file name%.exe:3140
    %original file name%.exe:3448
    %original file name%.exe:2204
    %original file name%.exe:4076
    %original file name%.exe:3532
    %original file name%.exe:4072
    %original file name%.exe:3060
    %original file name%.exe:2100
    %original file name%.exe:4080
    %original file name%.exe:2464
    %original file name%.exe:2736
    %original file name%.exe:2864
    %original file name%.exe:1208
    %original file name%.exe:2732
    %original file name%.exe:2636
    %original file name%.exe:3864
    %original file name%.exe:3600
    %original file name%.exe:2940
    %original file name%.exe:2344
    %original file name%.exe:1968
    %original file name%.exe:3852
    %original file name%.exe:3432
    %original file name%.exe:1612
    %original file name%.exe:3344
    %original file name%.exe:3180
    %original file name%.exe:2508
    %original file name%.exe:2748
    %original file name%.exe:1564
    %original file name%.exe:2648
    %original file name%.exe:2724
    %original file name%.exe:3912
    %original file name%.exe:612
    %original file name%.exe:2644
    %original file name%.exe:3624
    %original file name%.exe:3356
    %original file name%.exe:3352
    %original file name%.exe:2972
    %original file name%.exe:3700
    %original file name%.exe:2976
    %original file name%.exe:1804
    %original file name%.exe:3544
    %original file name%.exe:3428
    %original file name%.exe:3540
    %original file name%.exe:2336
    %original file name%.exe:1800
    %original file name%.exe:3116
    %original file name%.exe:3220
    %original file name%.exe:476
    %original file name%.exe:1572
    %original file name%.exe:2008

  2. Delete the original Malware file.
  3. Delete or disinfect the following files created/modified by the Malware:

    %Documents and Settings%\%current user%\Local Settings\Temp\liYsAowU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cYEgkgsA.bat (112 bytes)
    C:\3570882d35aae624e691509f5da41ae9 (205 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BIMogocE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NgsYkkkg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wWgwoUwE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aUwUgEAI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GQskgQEQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UIsAAcAc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jyIoEEgU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yagEkkQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gwMwcYcM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mccMQwUY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GgEAMYQc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NYksQock.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TiEQQgck.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JmwgYgYM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JsgsMYgU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MccQggUw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\isAYsEEo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OWkwckoc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QqwAEgIA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KOQokkww.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SisMsUsU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gGkkkAwQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qaQYkQog.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZosQEAQs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rcgkoUYE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wGEQcccU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oOMAQUwk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wiAsEIQY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\baUEcQQU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ccksoMUw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ryEsokIw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aEwUQMoM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gKMkcoYY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jSQQcIoA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hqQcgsws.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MwgUMMEU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IQEscYkE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lUoAEkcQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UygsIEQU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ngQUEMEc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fessQcIc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UYgMgMEo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iKwoIoIs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ewoIwcIs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RwEMkkcc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kYwIUYcs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\emAQUEkc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qEQIkcAg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KossIMsw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VwIkUkck.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MgoUscsg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LekQQUwE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AcsYsEgI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vqQkMkQw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ySsEMEIM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bcogEccY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FGsosYUs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RAUAQokk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kkIoUsMo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TCowEYgE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CoYgMEII.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jyQwUIso.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qKIkcckQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zeIUcMcQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ySMAwwoQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OgYwwwEM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qUQAkAAc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CukcoooE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xwkkUYkg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AUwMcAcg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RAMooEEs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eGsQAIoE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NecMEckU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\daEckQMY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ywgkgUMM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JOAcUwIo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tksYssEo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KykswgAA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oYgwwcwM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KqIsQwgM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\acoIMkQg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KSQwQAow.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QSIksksE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mmoMMoMk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DiUkUYYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qkcUMAoE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vEAowsQA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RCwUEIIk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IKkMgsIA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NqwQIsYI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IoosYkwg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eMMAQwos.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QiQgsEcM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qacQIgYk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zGEwcgAM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lcIkAgok.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SyMIAsII.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tKAcEwoY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tYEgMMMM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LAwgcYEg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CikcYUco.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FoAsoUEI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uEscUwwQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xokYkIks.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GuMMkMAQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jcMQQUQM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uOEoUcgo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CwkUkIYQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nSUokoQI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IoUIQIcs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tWYMckUc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fWoQsoAM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CUwAQYUU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XIAMkYYY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NEgQcgAQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BkoocwAc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oUcEYAcM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XgAgEUsg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TcwAIEIk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VKoEMEQQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xyYsMssw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GQkwQoks.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RoAEMcIc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xEQAYUYA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JkQAwgcI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qCowIsQE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YikUcMoQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BuYIcoIo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AUAswwAw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oKIsksAw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\beAswEMg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fSocYIMU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kSYQQssY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LKAMgggk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ywccMYog.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZEcAgwow.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SIoUsYgY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zmokUMIU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MsYUwUAg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hYMoQgAE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aAksMYsw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oqIkAAwU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xUscAwEE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vgoIoooU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DQUowMQA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fsMwEcoY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lMUMEMMY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oAkccgIM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FockEoIM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pWgoQwYU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VaIIQUgU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uSgMAkwg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TacMAsUc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vywYkkwA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xWkAkcwM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JWcscQwg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gIYUQMoA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YEosskQQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dEYMgYEY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mWgQIIsQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GIwIwQIc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sOAcgIsk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LIAQAwYU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iCggoEAc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oKQkIIoM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jasEQEwU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AKEIUksM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JygQQcUg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gcYcQcUc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AEUgoYUw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hCgEwUEI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XkAMQMoM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JywQssoY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FGkUAwcI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UsMMwIsY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hwQIYkcI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aSIooUAY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZKowcMgQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UqwMcQgw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mMkgYwQE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\osgUYosg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hGsMMsQY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uwIoIQkI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jogwMUsg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gEgYIsgg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EWUQYEMU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EgwwMIQU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xUUYEIIs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vmUYwkwA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yGgkQMks.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tewYAYgQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cQAQEAgI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vIYUwIAg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QKgwoQIA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gsYsAUUs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zecwYcco.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qOowEsYE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aecIgkMQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LOsMMQkY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ewUEQEwE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zQcoYAIo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ruIsUAoQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jckMYAYc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NWUwQQYM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XqAQYgco.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tCUAEoQc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dGcccAws.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KWcoogIA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pukQEAkc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uwIQQsUw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OcIcwYEs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QeIoAMMc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZUQgIcIs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RgIgAcsM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\eqcIIMws.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HkwgkkUk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LeoAQMgM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gCgsQIoY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zWEQUQEE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iEkUUwMw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FwIUIMYg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KugkUkAo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SEMoIkgQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YIEgYwUA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\raEkcYgU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KgEIEAYU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UwQowcYc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UKIwgkII.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hqEccoUk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\FeYswIwM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bGcEIMEw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SqsgIkcE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AkEkQQoE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aacQcooA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iOAsAgYI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\aWoMccUI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EYUQwogI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gAkQwcYc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gwIgkQoY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BeQMYUQw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PQUkIYAI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kuEEoUoc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dYQYMcIY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RyIwscgw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fWQoQcQo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kokQocIU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yAgkAckI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uucoEAIQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QeUIAgwc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NkggUEwA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sEsgkIwU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kiYoAIss.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vCEEUokA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ycQswsIY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uegQEUUc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\DuoUAEsk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HakwwIEE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CMAUAUcc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cUwsgkYA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZmAswwUE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rcIMIQII.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BQAAcEwI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cEYsUggk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YgQYwIUM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rgccAEok.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\bWQMYcYc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IeUkIsoI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dQAggYAU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zUkgIwIA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nOkEgYsE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MaQosQMM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xkAsUAMk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\uKAswgAs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oikokEMU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZIMwooMg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ACIMEMog.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vCYsoYsw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XmMgMgcQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zCIsMgQw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UqgAggQo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VyoYwMME.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jQMgEgMc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pwsIEIIE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OykYYoMg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sWgUwgMI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AWgQEwYs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gsYUAYAo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\KAYUQcMI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IsEkEQMs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xicYUsMY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\JcYYgIAg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BQEYoYQU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CQscUAMo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sqUoYYko.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AMUwUIck.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EqAgYgwY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZaQIMYUA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YuggAgkg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zekYQMYI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VQkwIIQo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rwIsoIgk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tsgYMgos.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\yuwQEQMA.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TYAAQYYw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AYEAoEwE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OcwcgwwI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lKgksMso.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sqQAMwsg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vwkMcMkE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BQoMEkQM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UkcAsQUA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\fEQwwcYI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BAwEIYII.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jUMggAUM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ymMQoUcw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ucUQYows.bat (4 bytes)
    %Documents and Settings%\All Users\JuwEIgUE\reIEcoQI.exe (3897 bytes)
    %Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe (4089 bytes)
    %Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe (3801 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wqwoAAkM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pqwAsEMY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tmcQEsAw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zwEQQAEw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LQoEcQME.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oQAIIQMU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\xOEYoUgk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\UEQIkEYg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\suEIAcwA.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iUUkUwow.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\zAgcwMgk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ksYwAwQM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZskQEYUI.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ecgAYgMw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\pCkMMcYM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\iWAMYYUQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wesIsIYg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qksQQEIw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dWcMUscU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XsksgQQs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YEcUYEww.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RmAckkYs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EQAgEUgk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\kAcAMwQw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hosoggYQ.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qEsAMsAk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dMsEEAUk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XqwowQUY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\jgMUAskk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CGwIMkkM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nwooAggo.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\QWsMYIYc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nKAgkoAg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\hGcwYQYM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ecwMUYMg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ciQIcAws.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nSQcMAks.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VeUsAooY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\giQYokMM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RygIYQUg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OKoAwoog.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IyogAYQc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lMwYAsIc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LggQUMQY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tYkggEsk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\ZegowMwY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YgAUMEwg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XqYEIkUU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GyocsEAY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lgoIEogs.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\oqwIUMog.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\gKQkwQog.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HWMkccMo.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\dUAcUIsM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\doIEwksg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wIYEowYc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\SckwYYgg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\HEYYkogk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\EEEwYsUg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VQMgwkIY.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\VugcEkQU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TiUAEwks.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IkUMUQIU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\cGcQUQwI.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\LmUIcccg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qosQQkoY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OEMAcUcQ.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\lCYUIIwU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tUkwgUUk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\GUsIwMUU.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YOogwcwk.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\wGYgcYcU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\mUooMAoc.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\TeAAwgok.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\vuAMAkoM.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\OgQIcUgM.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\esIwQUYg.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\AKskUAsg.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\sMYsUQEk.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MGwwcEMc.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\qmYQYsQY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MKsMkgko.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\NQMYQEYU.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\PgQQcAkE.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\YwowMIgw.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\XEYUYEwY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RCwsEEIE.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\veMcQIIs.bat (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tSkUUYcY.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\moMcockw.bat (112 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\WGIwUsco.bat (4 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dog.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\New Stories (Highway Blues).wma.exe (7726 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\adm.bmp.exe (2321 bytes)
    C:\totalcmd\TCUNINST.EXE.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\guitar.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\lift-off.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Sunset.jpg.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\kick.bmp.exe (2321 bytes)
    C:\totalcmd\TOTALCMD.EXE.exe (30812 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\butterfly.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\palm tree.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\guest.bmp.exe (2321 bytes)
    C:\totalcmd\TcUsbRun.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\duck.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\red flower.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\dirt bike.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\horses.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\KAAo.txt (55978 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\pink flower.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\astronaut.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\cat.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\chess.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\ball.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\skater.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Blue hills.jpg.exe (3073 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\beach.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Water lilies.jpg.exe (3361 bytes)
    C:\totalcmd\TCMDX32.EXE.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\frog.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\fish.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\airplane.bmp.exe (2321 bytes)
    C:\totalcmd\TCMADMIN.EXE.exe (3073 bytes)
    %Documents and Settings%\All Users\Documents\My Pictures\Sample Pictures\Winter.jpg.exe (3361 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\car.bmp.exe (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe (5441 bytes)
    %Documents and Settings%\All Users\Documents\My Music\Sample Music\Beethoven's Symphony No. 9 (Scherzo).wma.exe (7433 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\snowflake.bmp.exe (2321 bytes)
    %Documents and Settings%\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\drip.bmp.exe (2321 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "fGAwoYMM.exe" = "%Documents and Settings%\%current user%\dUskcAww\fGAwoYMM.exe"

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NesIMIQs.exe" = "%Documents and Settings%\All Users\hcYYccwo\NesIMIQs.exe"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now