Generic.Malware.SBdldprng.C021D3F7_80cb6d8cb6
Generic.Malware.SBdldprng.C021D3F7 (BitDefender), TrojanDropper:Win32/Dowque.A (Microsoft), Trojan-Dropper.Win32.Agent.athb (Kaspersky), Trojan.Win32.Dowque.ls (v) (VIPRE), BackDoor.Graybird.75 (DrWeb), Generic.Malware.SBdldprng.C021D3F7 (B) (Emsisoft), BackDoor-AWQ.b.gen.w (McAfee), Trojan.Gen.2 (Symantec), Backdoor.Win32.HacDef (Ikarus), Win32:Evo-gen [Susp] (AVG), Win32:Evo-gen [Susp] (Avast), TROJ_DOWQUE.NY (TrendMicro), Generic.Malware.SBdldprng.C021D3F7 (AdAware), Trojan.Win32.Ceatrg.FD, GenericInjector.YR, TrojanDropperPolymorph1.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Backdoor, Malware
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: 80cb6d8cb63133017abaaf649cc41dbf
SHA1: 4e538a75f67f2456eb5b88c307716e48f5233eae
SHA256: 111455360eb2abdd6df5294840ced3f718201895a6bc782b0c2789f5cdaca02d
SSDeep: 6144:8ZOiUbn8Wyd9mxoWIxgpUR070XAcDh2y9vm6S:7b8Fd9ax8o70X1Drz
Size: 449133 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealth installation of other malware on the user's system.
Payload
No specific payload has been found.
Process activity
The Generic creates the following process(es):
MIck.exe:1880
888.exe:2896
FUCK.exe:2856
6543.exe:3820
netsh.exe:1628
netsh.exe:2472
netsh.exe:1780
netsh.exe:3800
netsh.exe:3732
netsh.exe:1836
netsh.exe:2340
netsh.exe:3692
netsh.exe:952
netsh.exe:3436
netsh.exe:1716
netsh.exe:2016
netsh.exe:2240
netsh.exe:2876
netsh.exe:2180
netsh.exe:1592
netsh.exe:2836
netsh.exe:3228
netsh.exe:4052
netsh.exe:3784
netsh.exe:2992
netsh.exe:3680
netsh.exe:1972
netsh.exe:1688
DrvInst.exe:892
8881.exe:3320
%original file name%.exe:2668
The Generic injects its code into the following process(es):
WerFault.exe:1464
calc.exe:2128
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process MIck.exe:1880 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\TraceLog.txt (462 bytes)
The process 888.exe:2896 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\828000.dll (108 bytes)
C:\NT_Path.jpg (67 bytes)
C:\ProgramData\Aebblnroq.psd (3912007 bytes)
C:\Net-Temp.ini (3824 bytes)
The Generic deletes the following file(s):
C:\ProgramData\Aebblnroq.psd (0 bytes)
C:\Net-Temp.ini (0 bytes)
The process FUCK.exe:2856 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\Windows\Temp\FUCK.bat (14 bytes)
The Generic deletes the following file(s):
C:\Windows\Temp\__tmp_rar_sfx_access_check_5069236 (0 bytes)
The process 6543.exe:3820 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe (72 bytes)
The process DrvInst.exe:892 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\Windows\inf\setupapi.dev.log (414 bytes)
The process 8881.exe:3320 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5069190.dll (55 bytes)
C:\5069767.vbs (500 bytes)
The process %original file name%.exe:2668 makes changes in the file system.
The Generic creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DeL!.bAt (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6543.exe (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\888.exe (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MIck.exe (180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FUCK.exe (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8881.exe (98 bytes)
Registry activity
The process WerFault.exe:1464 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug]
"ExceptionRecord" = "1D 00 00 C0 00 00 00 00 00 00 00 00 20 FE 12 00"
[HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
[HKCU\Software\Microsoft\Windows\Windows Error Reporting\Debug\UIHandles]
"FirstLevelConsentDialog" = "Type: REG_QWORD, Length: 8"
The process MIck.exe:1880 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
To automatically run itself each time Windows is booted, the Generic adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M.s_2.0" = "%Program Files%\svchost.exe"
The process 888.exe:2896 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Services\RemoteAccess\RouterManagers\Ip]
"DLLPath" = "C:\828000.dll"
[HKLM\SOFTWARE\329730036\Parameters]
"ServiceDll" = "C:\ProgramData\Aebblnroq.psd"
[HKLM\SOFTWARE\163676141]
"imgsvc" = "StiSvc, Tomcat9"
The process calc.exe:2128 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process FUCK.exe:2856 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\WinRAR SFX]
"c%%windows%temp" = "C:\Windows/temp"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process 6543.exe:3820 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
The process netsh.exe:1628 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}"
"whenChanged" = "1523628702"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"ipsecID" = "{3552f2ac-8191-47a4-ab05-f88db67dba3f}"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{4d09e12d-1ae2-4f55-8442-4a0693653753}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4d09e12d-1ae2-4f55-8442-4a0693653753}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}, SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}, SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}"
"ClassName" = "ipsecPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"ipsecName" = "yunxu"
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"whenChanged" = "1523628701"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecID" = "{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
"Name" = "ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecName" = "445celue"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"Name" = "ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3552f2ac-8191-47a4-ab05-f88db67dba3f}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"description"
The process netsh.exe:2472 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "jujue"
"Name" = "ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ClassName" = "ipsecFilter"
"ipsecID" = "{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecDataType" = "256"
"whenChanged" = "1523628694"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"description"
The process netsh.exe:1780 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "jujue"
"Name" = "ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ClassName" = "ipsecFilter"
"ipsecID" = "{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecDataType" = "256"
"whenChanged" = "1523628698"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"description"
The process netsh.exe:3800 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "jujue"
"Name" = "ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ClassName" = "ipsecFilter"
"ipsecID" = "{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecDataType" = "256"
"whenChanged" = "1523628697"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"description"
The process netsh.exe:3732 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628698"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:1836 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}]
"ipsecName" = "jujue"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}]
"whenChanged" = "1523628700"
"Name" = "ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}"
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
"ipsecID" = "{4349000f-9f02-4e23-9217-194c636cf27b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}, SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}"
"ClassName" = "ipsecPolicy"
"ipsecDataType" = "256"
"ipsecID" = "{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
"Name" = "ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
"whenChanged" = "1523628701"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56d50349-4c29-4a48-bff6-60d101eb7dfa}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{56d50349-4c29-4a48-bff6-60d101eb7dfa}"
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecName" = "445celue"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4349000f-9f02-4e23-9217-194c636cf27b}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"description"
The process netsh.exe:2340 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4d09e12d-1ae2-4f55-8442-4a0693653753}]
"Name" = "ipsecNegotiationPolicy{4d09e12d-1ae2-4f55-8442-4a0693653753}"
"ipsecName" = "yunxu"
"ipsecDataType" = "256"
"whenChanged" = "1523628700"
"ClassName" = "ipsecNegotiationPolicy"
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecNegotiationPolicyAction" = "{8a171dd2-77e3-11d1-8659-a04f00000000}"
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4d09e12d-1ae2-4f55-8442-4a0693653753}]
"ipsecID" = "{4d09e12d-1ae2-4f55-8442-4a0693653753}"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{4d09e12d-1ae2-4f55-8442-4a0693653753}]
"description"
The process netsh.exe:3692 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "jujue"
"Name" = "ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ClassName" = "ipsecFilter"
"ipsecID" = "{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecDataType" = "256"
"whenChanged" = "1523628696"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"description"
The process netsh.exe:952 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628699"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:3436 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "jujue"
"Name" = "ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ClassName" = "ipsecFilter"
"ipsecID" = "{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecDataType" = "256"
"whenChanged" = "1523628696"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"description"
The process netsh.exe:1716 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628699"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:2016 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628698"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:2240 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628700"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:2876 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628701"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:2180 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"ipsecID" = "{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"whenChanged" = "1523628693"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"whenChanged" = "1523628693"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"Name" = "ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecID" = "{ed643a7b-998c-4cd1-8c26-58303e829644}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}]
"ClassName" = "ipsecNFA"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ClassName" = "ipsecISAKMPPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}]
"ipsecID" = "{e6b10787-7965-4c95-86e4-fe0f9167f88a}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"ipsecNegotiationPolicyAction" = "{8a171dd3-77e3-11d1-8659-a04f00000000}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"Name" = "ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ClassName" = "ipsecPolicy"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"whenChanged" = "1523628694"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecID" = "{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}]
"whenChanged" = "1523628694"
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"Name" = "ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"ipsecDataType" = "256"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}]
"Name" = "ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"ClassName" = "ipsecNegotiationPolicy"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecName" = "445celue"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"ipsecNegotiationPolicyType" = "{62f49e13-6c37-11d1-864c-14a300000000}"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{9dd298e3-e672-4f17-8dcc-a3a1c4742fd6}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"description"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{e6b10787-7965-4c95-86e4-fe0f9167f88a}]
"description"
The process netsh.exe:1592 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}"
"whenChanged" = "1523628701"
"Name" = "ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"
"ClassName" = "ipsecPolicy"
"ipsecDataType" = "256"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecName" = "445celue"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ipsecID" = "{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\System\CurrentControlSet\services\IPSec]
"OperationMode" = "3"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ed643a7b-998c-4cd1-8c26-58303e829644}]
"ipsecOwnersReference"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"description"
The process netsh.exe:2836 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "jujue"
"Name" = "ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ClassName" = "ipsecFilter"
"ipsecID" = "{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecDataType" = "256"
"whenChanged" = "1523628697"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"description"
The process netsh.exe:3228 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process netsh.exe:4052 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628699"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:3784 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56d50349-4c29-4a48-bff6-60d101eb7dfa}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecNegotiationPolicy"
"ipsecID" = "{56d50349-4c29-4a48-bff6-60d101eb7dfa}"
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
"whenChanged" = "1523628700"
"Name" = "ipsecNegotiationPolicy{56d50349-4c29-4a48-bff6-60d101eb7dfa}"
"ipsecName" = "jujue"
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"
"ipsecDataType" = "256"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56d50349-4c29-4a48-bff6-60d101eb7dfa}]
"description"
The process netsh.exe:2992 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecName" = "jujue"
"Name" = "ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ClassName" = "ipsecFilter"
"ipsecID" = "{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}"
"ipsecDataType" = "256"
"whenChanged" = "1523628695"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"description"
The process netsh.exe:3680 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628700"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:1972 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"Name" = "ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ClassName" = "ipsecFilter"
"ipsecID" = "{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}"
"ipsecDataType" = "256"
"ipsecName" = "yunxu"
"whenChanged" = "1523628697"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"description"
The process netsh.exe:1688 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E\@%SystemRoot%\system32]
"eapqec.dll,-102" = "1.0"
"eapqec.dll,-103" = "Microsoft Corporation"
"eapqec.dll,-100" = "EAP Quarantine Enforcement Client"
"eapqec.dll,-101" = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."
"dhcpqec.dll,-102" = "Microsoft Corporation"
"dhcpqec.dll,-103" = "1.0"
"dhcpqec.dll,-100" = "DHCP Quarantine Enforcement Client"
"dhcpqec.dll,-101" = "Provides DHCP based enforcement for NAP"
"tsgqec.dll,-102" = "1.0"
"tsgqec.dll,-103" = "Microsoft Corporation"
"tsgqec.dll,-100" = "RD Gateway Quarantine Enforcement Client"
"tsgqec.dll,-101" = "Provides RD Gateway enforcement for NAP"
"napipsec.dll,-1" = "IPsec Relying Party"
"napipsec.dll,-3" = "Microsoft Corporation"
"napipsec.dll,-2" = "Provides IPsec based enforcement for Network Access Protection"
"napipsec.dll,-4" = "1.0"
[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
The process DrvInst.exe:892 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"Service" = "umbus"
[HKLM\System\CurrentControlSet\Enum\UMB\UMB\1&841921d&0&TSBUS\Device Parameters]
"InterfaceGUIDs" = "{65A9A6CF-64CD-480b-843E-32C86E1BA19F}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\PnpLockdownFiles\%SystemPath%\system32\DRIVERS]
"umbus.sys" = "1"
[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"ClassGUID" = "{4d36e97d-e325-11ce-bfc1-08002be10318}"
"DeviceCharacteristics" = "256"
[HKU\.DEFAULT\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"
[HKLM\System\CurrentControlSet\Enum\UMB\UMB\1&841921d&0&TSBUS\Device Parameters]
"RootBus" = "0"
[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"Security" = "01 00 04 90 00 00 00 00 00 00 00 00 00 00 00 00"
[HKLM\System\CurrentControlSet\Control\GroupOrderList]
"Extended Base" = "14 00 00 00 01 00 00 00 02 00 00 00 04 00 00 00"
The Generic deletes the following value(s) in system registry:
[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"UpperFilters"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\PnPSysprep\ServiceStartTypeBackup]
"umbus"
[HKLM\System\CurrentControlSet\Control\CriticalDeviceDatabase\UMB#umbus]
"DeviceType"
"LowerFilters"
"Exclusive"
The process 8881.exe:3320 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\services\w3wp\Parameters]
"ServiceDll" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5069190.dll"
[HKLM\System\CurrentControlSet\services\w3wp]
"Group" = "Default"
"Description" = "IIS Worker Process"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"w3wp" = "w3wp"
The process %original file name%.exe:2668 makes changes in the system registry.
The Generic creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Generic deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
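Two things in the registry activity above deserve a closer look than the raw key dump gives. First, the run of netsh.exe processes builds a local IPsec policy: a policy object named "445celue" (pinyin for "445 policy") is made the ActivePolicy, two filters named "jujue" ("refuse") and "yunxu" ("allow") are created, the negotiation rule named "jujue" carries a Block action, and the IPSec service's OperationMode is set to 3. That pattern is consistent with a dropper closing SMB port 445 on the host once it is in, so that other malware (or the same worm) cannot reinfect it. Second, 8881.exe registers a service named "w3wp" (the name of the IIS worker process, with the description "IIS Worker Process") as an svchost group whose ServiceDll lives in the user's Temp directory. The following triage script is an added example written for this page, not part of the Lavasoft report: it parses registry lines in exactly the format the report uses, reconstructs the IPsec policy objects, and flags svchost-hosted services whose DLL sits outside the Windows directory. The sample is a constructed subset of the keys listed above; the action GUID table is an assumption taken from the Windows IPsec policy store constants and should be confirmed against an export from a known-good host.

```python
import re
from collections import defaultdict

# Constructed sample in this report's own format (a subset of the keys the
# netsh.exe instances and 8881.exe write above); not a full registry export.
SAMPLE = r'''
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{71d0b6a9-f20c-47eb-b848-855c93cc7a7b}]
"ClassName" = "ipsecPolicy"
"ipsecName" = "445celue"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{448bccfc-f0e7-4db5-bdc5-2ec111920c4a}]
"ClassName" = "ipsecFilter"
"ipsecName" = "jujue"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{fa6b20f4-2ae2-4d7f-af57-6393492c76ac}]
"ClassName" = "ipsecFilter"
"ipsecName" = "yunxu"
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{56d50349-4c29-4a48-bff6-60d101eb7dfa}]
"ClassName" = "ipsecNegotiationPolicy"
"ipsecName" = "jujue"
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
[HKLM\System\CurrentControlSet\services\IPSec]
"OperationMode" = "3"
[HKLM\System\CurrentControlSet\services\w3wp\Parameters]
"ServiceDll" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5069190.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"w3wp" = "w3wp"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')   # greedy: the data may itself contain quotes

def parse_dump(text):
    """Return {key path (lower-cased): {value name: data}} from report-style lines."""
    keys = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()   # registry paths are case-insensitive
            keys[current]                  # create the key even when it carries no values
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return dict(keys)

IPSEC_LOCAL = 'hklm\\software\\policies\\microsoft\\windows\\ipsec\\policy\\local'
SERVICES = 'hklm\\system\\currentcontrolset\\services\\'
SVCHOST_GROUPS = 'hklm\\software\\microsoft\\windows nt\\currentversion\\svchost'

# Assumption: negotiation-action GUIDs as used by the Windows IPsec policy
# store; confirm against an export from a known-good host before relying on them.
ACTION_NAMES = {
    '{3f91a819-7647-11d1-864d-d46a00000000}': 'Block',
    '{8a171dd2-77e3-11d1-8659-a04f00000000}': 'Permit',
    '{3f91a81a-7647-11d1-864d-d46a00000000}': 'Negotiate',
}

def ipsec_findings(keys):
    """List the local IPsec policy objects: active policy, filters, rules and service mode."""
    out = []
    active = keys.get(IPSEC_LOCAL, {}).get('ActivePolicy')
    if active:
        policy = keys.get('hklm\\' + active.lower(), {})
        out.append(('active_policy', policy.get('ipsecName', '?'), active))
    for path, vals in keys.items():
        if not path.startswith(IPSEC_LOCAL + '\\'):
            continue
        cls, name = vals.get('ClassName', ''), vals.get('ipsecName', '')
        if cls == 'ipsecFilter':
            out.append(('filter', name, path))
        elif cls == 'ipsecNegotiationPolicy':
            guid = vals.get('ipsecNegotiationPolicyAction', '').lower()
            out.append(('rule', name, ACTION_NAMES.get(guid, guid)))
    mode = keys.get(SERVICES + 'ipsec', {}).get('OperationMode')
    if mode is not None:
        out.append(('ipsec_operation_mode', mode, ''))
    return out

def svchost_findings(keys):
    """Flag svchost-hosted services whose ServiceDll lives outside the Windows directory."""
    groups = {g.lower() for g in keys.get(SVCHOST_GROUPS, {})}
    out = []
    for path, vals in keys.items():
        if not (path.startswith(SERVICES) and path.endswith('\\parameters') and 'ServiceDll' in vals):
            continue
        svc = path[len(SERVICES):-len('\\parameters')]
        dll = vals['ServiceDll'].lower().replace('/', '\\')
        in_windows = dll.startswith(('%systemroot%\\', 'c:\\windows\\'))
        out.append(('service_dll', svc, vals['ServiceDll'], not in_windows, svc in groups))
    return out

if __name__ == '__main__':
    keys = parse_dump(SAMPLE)
    for finding in ipsec_findings(keys) + svchost_findings(keys):
        print(finding)
```

On a live host the same logic applies to a `reg export HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec /y ipsec.reg` dump after the value syntax is adjusted; the thing to look for is any ActivePolicy under the Local store on a machine that is not domain-managed for IPsec, together with a Block rule, and any svchost group whose ServiceDll is not under %SystemRoot%.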
Dropped PE files
MD5 | File path |
---|---|
e47f4546614d9de2bc12bffcca23b336 | c:\828000.dll |
a22ce23d47f96aa0ced8e66bc960c758 | c:\Program Files\svchost.exe |
2bf10749ea178577e7cdee390269e326 | c:\ProgramData\Aebblnroq.psd |
2bf10749ea178577e7cdee390269e326 | c:\Users\All Users\Aebblnroq.psd |
6b6aeebbbb0ce5229c54210f08e1b206 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\5069190.dll |
86e95e05072a50f505a7fb616ca8b16d | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\6543.exe |
9e9c845d073b43e0765b367faac20329 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\888.exe |
168848cd6fed0999ade2670a24f22435 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\8881.exe |
9566fa38cd99596c044058cde19fd26a | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\FUCK.exe |
86e95e05072a50f505a7fb616ca8b16d | c:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe |
51138beea3e2c21ec44d0932c71762a8 | c:\Windows\System32\w3wp.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
CODE | 4096 | 24184 | 24576 | 4.47386 | 0a2778fb88a5e3a9bf171ff738fefbd6 |
DATA | 28672 | 3324 | 3584 | 3.51769 | 890bde7ec1abe5cd89b01ca248b0f6ef |
BSS | 32768 | 3753 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.idata | 36864 | 2394 | 2560 | 3.02591 | cd7f6cb3c8547839ac78fbe8f7fb4fbe |
.tls | 40960 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rdata | 45056 | 24 | 512 | 0.14174 | a59d5deeda3151a72e3841f3a8a37fbd |
.reloc | 49152 | 1524 | 1536 | 4.58871 | 36547dfbaa5395c6cf4986b948531ee7 |
.rsrc | 53248 | 512 | 512 | 2.09861 | 4a525b74f181df0095eec64b54c92784 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 9
386cca1f9647164647ee8c1c684819c2
3a79e5aaaf04a5e146bd631cef708d6f
fdde11fd183779c68d50e0e57fe9c3b7
f4f9b22fd7213792e8eb0a923aef0b0b
32f78bc7142e0ac5ef5368c4b7198ce2
82180b3dc79c71c15d10ce7f52c05db0
1861951dd4e1319ef0c383fc4b3af177
47ce88fef250540a84ef18457657484f
a71bfaed67c921be6888e5872ba16533
URLs
URL | IP |
---|---|
rj.6c1.me | (no IP recorded) |
pf.6c1.me | (no IP recorded) |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
The Generic connects to the servers at the following location(s):
.text
`.data
.rsrc
`.rdata
@.data
@.reloc
WinExec
GetProcessHeap
KERNEL32.dll
ADVAPI32.dll
MSVCRT.dll
MainDll.dll
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
SYSTEM\CurrentControlSet\Services\%s\Parameters
%%SystemRoot%%\System32\svchost.exe -k "%s"
userenv.dll
%s\%d.bak
SYSTEM\CurrentControlSet\Services\%s
Rundll32 "%s",Uninstall
Rundll32 "%s",DllUpdate %s
%s\shell\open\command
%s %s
Applications\iexplore.exe\shell\open\command
rj.6c1.me
2018-04-13 17:11
%s:%d:%s
GUpdate%s
%s "%s",MainThread
\Rundll32.exe
%s\%s.exe
%d*%sMHz
kernel32.dll
Windows Server 2016
Windows 10
Windows 8.1
Windows 8
Windows Server 2012
Windows 7
Windows Vista
Windows Server 2008
Windows Server 2003
Windows XP
Windows Server 2000
Windows NT
Oleaut32.dll
Ole32.dll
wininet.dll
RegDeleteKeyA
RegCreateKeyExA
RegCloseKey
RegEnumKeyExA
RegOpenKeyExA
ws2_32.dll
EnumWindows
ExitWindowsEx
User32.dll
user32.dll
InternetOpenUrlA
M-%.2d-%.2d %.2d:%.2d
ShellExecuteA
shell32.dll
rundll32.exe "%s",MainThread
rundll32.exe
"%s",MainThread
%s%d.dll
MFC42.DLL
_acmdln
USER32.dll
ntdll.dll
1, 0, 0, 1
Load.EXE
MIck.exe_1880:
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
WinExec
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegCreateKeyExA
RegOpenKeyA
ADVAPI32.dll
WS2_32.dll
PSAPI.DLL
iphlpapi.dll
NETAPI32.dll
GetCPInfo
pf.6c1.me
C:\TraceLog.txt
[u:u:u: u:u:u] %s
GetUrlCacheEntryInfoA
URLDownloadToCacheFileA
wininet.dll
urlmon.dll
winlogon.exe
kernel32.dll
The process pid is %d
svchost.exe
0.0.0.0
CPU(%d) %d.GHZ @%d.Mb
%u Mbps
%u Gbps
%d.%d.%d.%d
windows
1314520
5201314
123456789
password
Password1
at \\%s %d:%d %s
F:\hackshen.exe
\\%s\F$\hackshen.exe
E:\hackshen.exe
\\%s\E$\hackshen.exe
D:\hackshen.exe
\\%s\D$\hackshen.exe
C:\hackshen.exe
\\%s\C$\hackshen.exe
\\%s\admin$\hackshen.exe
\\%s\ipc$
mpr.dll
WSASocket() failed: %d
WSAStartup failed: %d
GET %s HTTP/1.1
Host: %s:%d
User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)
Host: %s
%s %s%s
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*
User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)
.DEFAULT\Keyboard Layout\Toggle
Hotkey
SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
SYSTEM\CurrentControlSet\Control\Terminal Server\RDPTcp
PortNumber
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
SOFTWARE\Policies\Microsoft\Windows\Installer
SOFTWARE\Microsoft\Windows\CurrentVersion\netcache
%.f|%d%%
%Program Files%\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MIck.exe
1, 0, 0, 1
Install.exe
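The MIck.exe strings above describe a network worm rather than a plain downloader: a short dictionary of credentials (1314520, 5201314, 123456789, password, Password1), a connection to \\host\ipc$, a copy of hackshen.exe to \\host\admin$ (falling back to C$ through F$), and an `at \\host HH:MM command` invocation that schedules the copied file on the victim. On the receiving host that sequence leaves a recognisable trail in the Security log: a burst of failed network logons (4625, logon type 3) from one peer, a successful one (4624), a share-access check (5145) on ADMIN$ or a drive share with an executable as the relative target, and a scheduled-task creation (4698). The correlation below is an added example written for this page, not Lavasoft's output; the events are constructed, and the rule that ties the 4698 (which carries no client address) to the logon by account name and time is an assumption of this sample.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    event_id: int        # Windows Security event ID
    src: str             # IpAddress / workstation of the remote peer ('' when the event has none)
    user: str = ''
    logon_type: int = 0  # 4624/4625: 3 = network (SMB)
    share: str = ''      # 5145: ShareName, e.g. \\*\ADMIN$
    target: str = ''     # 5145: RelativeTargetName; 4698: task command

def _t(seconds):
    return datetime(2018, 4, 13, 17, 11, 0) + timedelta(seconds=seconds)

# Constructed sample, not taken from the report: 10.0.0.5 guesses the local
# administrator password three times, gets in, writes hackshen.exe to ADMIN$
# and registers a scheduled task; 10.0.0.9 is a legitimate admin copying a log.
SAMPLE = [
    Event(_t(0), 4625, '10.0.0.5', 'administrator', logon_type=3),
    Event(_t(1), 4625, '10.0.0.5', 'administrator', logon_type=3),
    Event(_t(2), 4625, '10.0.0.5', 'administrator', logon_type=3),
    Event(_t(3), 4624, '10.0.0.5', 'administrator', logon_type=3),
    Event(_t(4), 5145, '10.0.0.5', 'administrator', share=r'\\*\IPC$', target='srvsvc'),
    Event(_t(5), 5145, '10.0.0.5', 'administrator', share=r'\\*\ADMIN$', target='hackshen.exe'),
    # 4698 carries no client address; it is tied to the session by account and time (assumption).
    Event(_t(7), 4698, '', 'administrator', target=r'C:\Windows\hackshen.exe'),
    Event(_t(60), 4624, '10.0.0.9', 'ops-admin', logon_type=3),
    Event(_t(61), 5145, '10.0.0.9', 'ops-admin', share=r'\\*\ADMIN$', target=r'Temp\patchlog.txt'),
]

ADMIN_SHARES = ('ADMIN$', 'C$', 'D$', 'E$', 'F$')   # the shares named in MIck.exe's strings

def detect_spread(events, spray_threshold=3, window=timedelta(seconds=300)):
    """Return (rule, source, detail) tuples for logon sprays and copy-then-schedule chains."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_src[e.src].append(e)
    tasks = [e for e in events if e.event_id == 4698]
    out = []
    for src, evs in by_src.items():
        if not src:
            continue
        failures = [e for e in evs if e.event_id == 4625 and e.logon_type == 3]
        # sliding window: enough network-logon failures within `window` of one another
        if any(sum(1 for f in failures if timedelta(0) <= f.ts - a.ts <= window) >= spray_threshold
               for a in failures):
            out.append(('network_logon_spray', src, len(failures)))
        for logon in (e for e in evs if e.event_id == 4624 and e.logon_type == 3):
            drops = [e for e in evs
                     if e.event_id == 5145
                     and e.share.upper().endswith(ADMIN_SHARES)
                     and e.target.lower().endswith('.exe')
                     and timedelta(0) <= e.ts - logon.ts <= window]
            if not drops:
                continue
            scheduled = [t for t in tasks
                         if t.user == logon.user and timedelta(0) <= t.ts - logon.ts <= window]
            if scheduled:
                out.append(('admin_share_drop_then_task', src, drops[0].target))
    return out

if __name__ == '__main__':
    for finding in detect_spread(SAMPLE):
        print(finding)
```

The executable-on-admin-share check is deliberately narrow; widening it to any write on ADMIN$ will catch software deployment tools, so keep the scheduled-task (or, on the source side, a 4688 for at.exe with a `\\` argument) as the second leg of the chain.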
svchost.exe_1968:
.idata
.rdata
P.reloc
P.rsrc
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)
Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.25 (jaunty) Firefox/3.8
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.56.5 (KHTML, like Gecko) Version/5.1.6 Safari/534.56.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
co.uk
POST / HTTP/1.
HEAD / HTTP/1.
/ HTTP/1.
Content-Type: application/x-www-form-urlencoded
Microsoft\WinNT.tmp
calc.exe
127.0.0.1
encpassword
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\WinNT.tmp
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
wsock32.dll
shfolder.dll
shell32.dll
ShellExecuteA
urlmon.dll
URLDownloadToFileA
MPHTTP
KWindows
MPUDP
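The svchost.exe dropped into %AppData%\Roaming (and registered under the Run key listed above) carries a table of roughly forty browser User-Agents, bare "POST / HTTP/1." and "HEAD / HTTP/1." request templates and the tokens MPHTTP and MPUDP, which together read as an HTTP/UDP flood component that rotates its User-Agent per request. MIck.exe, by contrast, beacons with a single hard-coded format, "Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)"; the two-digit minor version that "%d.00" produces is not something Internet Explorer ever sent, and the header is emitted as "User-Agent:" with no space after the colon, which a parser normalises away but a raw capture still shows. The script below is an added example for this page, not part of the report: it reads Combined Log Format lines, flags the beacon User-Agent by regex, and flags any client that issues a burst of requests under several different User-Agents. The log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# Derived from the MIck.exe format string above: "MSIE %d.00" yields a two-digit
# minor version real Internet Explorer never sent, and "MyIE 3.01" is a fixed token.
BEACON_UA = re.compile(r'MSIE \d+\.00; Windows NT \d+\.\d+; MyIE 3\.01')

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['ts'] = datetime.strptime(rec['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return rec

def analyse(lines, window=timedelta(seconds=10), min_requests=5, min_uas=3):
    """Flag beacon UAs and clients that rotate User-Agents inside a burst of requests."""
    by_ip = defaultdict(list)
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if BEACON_UA.search(rec['ua']):
            out.append(('beacon_ua', rec['ip'], rec['ua']))
        by_ip[rec['ip']].append(rec)
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r['ts'])
        for i, start in enumerate(recs):
            burst = [r for r in recs[i:] if r['ts'] - start['ts'] <= window]
            uas = {r['ua'] for r in burst}
            if len(burst) >= min_requests and len(uas) >= min_uas:
                out.append(('ua_rotation_flood', ip, len(burst), len(uas)))
                break
    return out

# Constructed sample log (Combined Log Format), not captured traffic.
_BASE = datetime(2018, 4, 13, 17, 11, 0)

def _line(ip, seconds, req, ua):
    ts = (_BASE + timedelta(seconds=seconds)).strftime('%d/%b/%Y:%H:%M:%S')
    return f'{ip} - - [{ts} +0000] "{req}" 200 512 "-" "{ua}"'

ROTATED = [  # eight of the User-Agents embedded in the dropped svchost.exe
    'Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5',
    'Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0',
    'Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0',
    'Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)',
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5',
    'Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)',
    'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0',
    'Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3',
]
SAMPLE = (
    [_line('10.1.1.7', i // 2, 'POST / HTTP/1.1', ua) for i, ua in enumerate(ROTATED)]
    + [_line('192.0.2.10', 20 * i, 'GET /index.html HTTP/1.1', ROTATED[0]) for i in range(3)]
    + [_line('198.51.100.4', 5, 'GET /cfg.txt HTTP/1.1',
             'Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.0; MyIE 3.01)')]
)

if __name__ == '__main__':
    for finding in analyse(SAMPLE):
        print(finding)
```

The rotation check is keyed on distinct User-Agent strings from one address within a short window, which ordinary browsers do not produce; behind a large NAT the thresholds need raising, and the 2012-era Chrome 19 and Firefox 12 strings in the table are themselves a usable indicator on today's traffic.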
svchost.exe_3140:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
calc.exe_2128:
.text
`.data
.rsrc
@.reloc
SHELL32.dll
SHLWAPI.dll
gdiplus.dll
ADVAPI32.dll
ntdll.DLL
OLEAUT32.dll
UxTheme.dll
ole32.dll
COMCTL32.dll
KERNEL32.dll
USER32.dll
RPCRT4.dll
WINMM.dll
VERSION.dll
GDI32.dll
msvcrt.dll
Invalid parameter passed to C runtime function.
WindowsCodecs.dll
ntdll.dll
ShellExecuteExW
GdiplusShutdown
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegDeleteKeyW
RegCreateKeyExW
RegCloseKey
GetProcessHeap
EnumChildWindows
EnumDesktopWindows
GetKeyState
__crtGetStringTypeW
__crtLCMapStringW
_acmdln
_amsg_exit
calc.pdb
name="Microsoft.Windows.Shell.calc"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
^[\ \-]?{\d*}\%c?{\d*}(e[\ \-]?{\d*})?\b*$
USER32.DLL
hXXp://VVV.microsoft.com/applets/calc/templates/v1
xmlns:calcTemplate='hXXp://VVV.microsoft.com/applets/calc/templates/v1'
\StringFileInfo\xx\OriginalFilename
\sppsvc.exe
\slui.exe
\sppuinotify.dll
imageres.dll
datetime_operation
Software\Microsoft\Windows\CurrentVersion\Applets\
mshelp://windows/?id=f15f7d3e-ee9c-465a-a7e8-4e6af5cfee5d
ErrorCode: %d, Line: %d Column: %d; Error: %s
^{[\ \-]?}{\d*\%c?\d*}({e}[\ \-]?{\d*})?$
kernel32.dll
Microsoft-Windows-Calculator/Diagnostic
Microsoft-Windows-Calculator/Debug
Windows Calculator
6.1.7601.17514 (win7sp1_rtm.101119-1850)
CALC.EXE
Windows
Operating System
6.1.7601.17514
calc.exe_2128_rwx_00400000_00011000:
.idata
.rdata
P.reloc
P.rsrc
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Windows 2000
Windows XP
Windows Server 2003
Windows Server 2003 R2
Windows Vista
Windows Server 2008
Windows Server 2008 R2
Windows 7
Windows 8
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 5.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.0.14) Gecko/2009082707 Firefox/3.0.14 (.NET CLR 3.5.30729)
Mozilla/5.0 (X11; U; Linux i686; it-IT; rv:1.9.0.2) Gecko/2008092313 Ubuntu/9.25 (jaunty) Firefox/3.8
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 (KHTML, like Gecko) Version/5.1.5 Safari/534.55.3
Mozilla/5.0 (Windows NT 5.1) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-GB; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; Media Center PC 6.0; InfoPath.2; MS-RTC LM 8)
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)
Mozilla/5.0 (Windows; U; Windows NT 5.1; pl; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 GTB5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_6_8) AppleWebKit/534.57.2 (KHTML, like Gecko) Version/5.1.7 Safari/534.57.2
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/534.56.5 (KHTML, like Gecko) Version/5.1.6 Safari/534.56.5
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_4) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.52 Safari/536.5
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.2 (KHTML, like Gecko) Chrome/4.0.221.7 Safari/532.2
Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/536.5 (KHTML, like Gecko) Chrome/19.0.1084.46 Safari/536.5
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; U; Linux i686; pl; rv:1.8.0.3) Gecko/20060426 Firefox/1.5.0.3
Mozilla/4.0 (compatible; MSIE 6.0; Windows 98; Win 9x 4.90)
Mozilla/5.0 (iPhone; CPU iPhone OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20100101 Firefox/12.0
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
co.uk
POST / HTTP/1.
HEAD / HTTP/1.
/ HTTP/1.
Content-Type: application/x-www-form-urlencoded
Microsoft\WinNT.tmp
calc.exe
127.0.0.1
encpassword
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\WinNT.tmp
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
wsock32.dll
shfolder.dll
shell32.dll
ShellExecuteA
urlmon.dll
URLDownloadToFileA
MPHTTP
KWindows
MPUDP
svchost.exe_2904:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
WerFault.exe_1464:
.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
USER32.dll
msvcrt.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
IMM32.dll
wer.dll
COMCTL32.dll
faultrep.dll
Starting kernel vertical - %S
rundll32.exe
NtQueryInformationProcess failed with status: 0x%x
Reporting never started for process id %u
StringCchPrintf failed with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
StringCchCopy failed with 0x%x
Invalid arg in %s
wdi.dll
dbgeng.dll
dbghelp.dll
SETUPAPI.dll
SHELL32.dll
VERSION.dll
WTSAPI32.dll
WerFault.pdb
_amsg_exit
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegEnumKeyExW
RegQueryInfoKeyW
GetProcessHeap
GetWindowsDirectoryW
RegDeleteKeyW
ReportEventW
RegOpenKeyW
RegSetKeyValueW
GetProcessWindowStation
EnumWindows
NtAlpcSendWaitReceivePort
NtAlpcConnectPort
ShipAssert
ntdll.dll
RegisterErrorReportingDialog
WerReportSubmit
WerReportAddFile
WerReportCreate
WerReportCloseHandle
WerReportSetUIOption
WerpGetReportConsent
WerpSetIntegratorReportId
WerpReportCancel
WerpAddRegisteredDataToReport
WerReportAddDump
WerpCreateIntegratorReportId
WerpSetReportFlags
WerpGetReportFlags
WerpIsTransportAvailable
WerReportSetParameter
WerpInitiateCrashReporting
version="1.0.0.0"
name="Microsoft.Windows.Feedback.Watson"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<asmv3:windowsSettings xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">
</asmv3:windowsSettings>
<requestedExecutionLevel
Microsoft\Windows\WindowsErrorReporting\WerFault
%s %s
Global\WerKernelVerticalReporting
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl
CrashDumpEnabled.Old
CrashDumpEnabled.New
%SystemRoot%\MEMORY.DMP
LiveKernelReports
Software\Microsoft\Windows\Windows Error Reporting\LiveKernelReports
LiveKernelReportsPath
BCCode=%x&BCP1=%p&BCP2=%p&BCP3=%p&BCP4=%p&OS Version=%u_%u_%u&Service Pack=%u_%u&Product=%u_%u
*WerKernelReporting
%SYSTEMROOT%\SYSTEM32\WerFault.exe -k -rq
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
SOFTWARE\Microsoft\Windows\Windows Error Reporting\KernelFaults\Queue
sysdata.xml
%s -k -q
SOFTWARE\Microsoft\Windows NT\CurrentVersion
<OSVER>%u.%u.%u %u.%u</OSVER>
<OSLANGUAGE>%u</OSLANGUAGE>
<ARCHITECTURE>%u</ARCHITECTURE>
<PRODUCTTYPE>%u</PRODUCTTYPE>
<FILESIZE>%u</FILESIZE>
<CREATIONDATE>d-d-d d:d:d</CREATIONDATE>
<NAME>%s</NAME>
<DATA>%s</DATA>
<ERROR>Failed at Step: %s with error 0x%x</ERROR>
%sDrivers\%s.sys
</%s>
<%s>%s</%s>
%u.%u.%u.%u
*.mrk
WER-%u-%u.sysdata.xml
Software\Microsoft\Windows\CurrentVersion\CEIPRole\RolesInWER
SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability\MemoryDiagnostic
Web Server
Software\Microsoft\Windows\Windows Error Reporting\Debug
%SystemRoot%\Minidump
0xx (0xx, 0xx, 0xx, 0xx)
%s\%2.2d%2.2d%2.2d-%u-%2.2d.dmp
*.dmp
Software\Microsoft\Windows\Windows Error Reporting
Software\Policies\Microsoft\Windows\Windows Error Reporting
\KernelObjects\SystemErrorPortReady
%s\%s
Microsoft.Windows.Setup
\WindowsErrorReportingServicePort
(0x%x): %s
%u %s
WindowsNTVersion
%u.%u
ErrorPort
\StringFileInfo\xx\%s
HKEY_USERS\
HKEY_CURRENT_CONFIG\
HKEY_CLASSES_ROOT\
HKEY_LOCAL_MACHINE\
HKEY_CURRENT_USER\
%s="%s"
%s.%s
%s %d
Software\Microsoft\Windows\Windows Error Reporting\Hangs
_NT_EXECUTABLE_IMAGE_PATH
wxmu.dmp
wxhu.dmp
axmu.dmp
axhu.dmp
hu.kdmp
mu.kdmp
hu.dmp
mu.dmp
Software\Microsoft\.NETFramework
NOT_TCPIP
sos.dll
version.xml
.version.xml
%s.xml
memory.hdmp
minidump.mdmp
Local\WERReportingForProcess%d
atk.kdmp
Software\Microsoft\Windows\Windows Error Reporting\Hangs\NHRTimes
%i|%d|%d
xxxxxxxxxxxxxxxx
xx
%d.%d.%d.%d
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)
D:P(A;;GA;;;BA)(A;;GA;;;SY)(A;;GA;;;%s)S:(ML;;NR;;;HI)
dc.noreflect
dc.xpmemdump
dc.xpdata
dc.CustomDump
dc.expmodmem
dc.expmoddata
dc.OnDemandKdmp
dc.xpmodmem
dc.xpmoddata
default=%s
memory=%s
module=%s
.dbgcfg.ini
ElevatedDataCollectionStatus.txt
Open process failed unexpectedly: 0X%X
Attempting to cross-proc reporting process!
Elevation:Administrator!new:%s
Reflection attempt failed: 0X%X
Attempting to reflect reporting process!
Could not collect dump for reflection cross process: 0x%x
Could not collect xproc for reflection: 0x%x
CollectFile for reflection failed: 0x%x
Could not collect dump for cross process: 0x%x
CollectReflectionDump failed with: 0x%x
0 processes found for xproc module: %s
Could not collect cross dump from module: 0x%x
CollectCrossProcessModuleDumps failed: 0x%x
CollectCrossProcessDumps failed: 0x%x
KernelDump failed: 0x%x
ProcessHandle
%s|%s
rpcrt4
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
sntdll.dll
WerDiagController.dll
Software\Microsoft\Windows\Windows Error Reporting\Plugins
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
Software\Microsoft\Windows\Windows Error Reporting\Plugins\FDR\CurrentSession
%s\%s\%u-%u.etl
%s\%s\%u-%u.etl_%d
Microsoft\Windows\FDR
%s-%d
Software\Microsoft\Windows\Windows Error Reporting\Plugins\DriverVerifier
Software\Microsoft\Windows\Windows Error Reporting\Plugins\AppRecorder
%d-AppRecorderEnabled
%s /stop
psr.exe
Software\Microsoft\Windows\Windows Error Reporting\RuntimeExceptionHelperModules
verifier.dll
nVerifier.dll
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\%s
Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
lsvchost.exe
"%s" "%s" "%s"
%s\system32\cofire.exe
psapi.dll
sfc_os.dll
werfault.exe
%s\%s-(PID-%u)-%u
%s\%s-(PID-%u).dmp
%s\*-(PID-*)-*
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit\%s
SOFTWARE\Microsoft\Windows NT\CurrentVersion\SilentProcessExit
kernel32.dll
kernelbase.dll
ReportingMode
WinShipAssert
WindowsMessageReportingB1
Windows
ws2_32.dll
Software\Microsoft\SQMClient\%s\AdaptiveSqm\ManifestInfo
%s\Sqm%d.bin
CorporateWerPortNumber
BypassDataThrottling
Software\Microsoft\Windows\Windows Error Reporting\Consent
Windows Problem Reporting
6.1.7600.16385 (win7_rtm.090713-1255)
WerFault.exe
Windows
Operating System
6.1.7600.16385
Microsoft-Windows-WER-Diag/Operational
svchost.exe_3224:
.text
`.data
.rsrc
@.reloc
msvcrt.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNEL32.dll
NTDLL.DLL
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
RPCRT4.dll
ole32.dll
ntdll.dll
_amsg_exit
RegCloseKey
RegOpenKeyExW
GetProcessHeap
svchost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Services.SvcHost"
<description>Host Process for Windows Services</description>
<requestedExecutionLevel
Software\Microsoft\Windows NT\CurrentVersion\Svchost
Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost
\PIPE\
Host Process for Windows Services
6.1.7600.16385 (win7_rtm.090713-1255)
svchost.exe
Windows
Operating System
6.1.7600.16385
w3wp.exe_1304:
.text
`.data
.rsrc
@.reloc
KERNEL32.dll
USER32.dll
msvcrt.dll
imagehlp.dll
ntdll.dll
ole32.dll
_amsg_exit
_wcmdln
rundll32.pdb
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
.manifest
{00000000-0000-0000-0000-000000000000}
\\?\Volume
\\?\UNC\
rundll32.exe
Windows host process (Rundll32)
6.1.7600.16385 (win7_rtm.090713-1255)
RUNDLL32.EXE
Windows
Operating System
6.1.7600.16385
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
MIck.exe:1880
888.exe:2896
FUCK.exe:2856
6543.exe:3820
netsh.exe:1628
netsh.exe:2472
netsh.exe:1780
netsh.exe:3800
netsh.exe:3732
netsh.exe:1836
netsh.exe:2340
netsh.exe:3692
netsh.exe:952
netsh.exe:3436
netsh.exe:1716
netsh.exe:2016
netsh.exe:2240
netsh.exe:2876
netsh.exe:2180
netsh.exe:1592
netsh.exe:2836
netsh.exe:3228
netsh.exe:4052
netsh.exe:3784
netsh.exe:2992
netsh.exe:3680
netsh.exe:1972
netsh.exe:1688
DrvInst.exe:892
8881.exe:3320
%original file name%.exe:2668
- Delete the original Generic file.
- Delete or disinfect the following files created/modified by the Generic:
C:\TraceLog.txt (462 bytes)
C:\828000.dll (108 bytes)
C:\NT_Path.jpg (67 bytes)
C:\ProgramData\Aebblnroq.psd (3912007 bytes)
C:\Net-Temp.ini (3824 bytes)
C:\Windows\Temp\FUCK.bat (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\svchost.exe (72 bytes)
C:\Windows\inf\setupapi.dev.log (414 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\5069190.dll (55 bytes)
C:\5069767.vbs (500 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\~DeL!.bAt (132 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\6543.exe (72 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\888.exe (284 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\MIck.exe (180 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\FUCK.exe (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\8881.exe (98 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"M.s_2.0" = "%Program Files%\svchost.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.