MemScan.Joke.FakeFormat.105_9c712d50b2

by malwarelabrobot on September 15th, 2017 in Malware Descriptions.

Trojan.Win32.Agent.hzu (Kaspersky), MemScan:Joke.FakeFormat.105 (B) (Emsisoft), MemScan:Joke.FakeFormat.105 (AdAware), Trojan.MSIL.Bladabindi.2.FD, Trojan.Win32.Delphi.FD, Trojan.Win32.Iconomon.FD, Trojan.Win32.Sasfis.FD, VirTool.Win32.DelfInject.FD, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan, VirTool


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 9c712d50b2c1e2e2f35c50b11a03b214
SHA1: e56cdd1876bb51c465b412a03d65e35588c32fa8
SHA256: 89c0d8ef3c10b079acdefd6f4b70cad1c1e8565bc924b082413e81535fc025fe
SSDeep: 24576:H/orwSpIlNNFNHriYS60lrRzGfB1yKEEak6zQ0kONN:H9SalNn09RzYPz0p
Size: 836567 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, BorlandDelphiv30, UPolyXv05_v6
Company: Tocesocela
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The MemScan creates the following process(es):

chrome.exe:2764
file3Srv.exe:3104
file2.exe:2372

The MemScan injects its code into the following process(es):

chrome.exe:1948
%original file name%.exe:3676
file3.exe:572

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process chrome.exe:1948 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (80 bytes)

The process %original file name%.exe:3676 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hdr.tmp (571756 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3.exe (2001 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file5.empty (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp.dat (14600 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file4.empty (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Header.dat (96 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file2.exe (1047 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file6.empty (15 bytes)

The MemScan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Header.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp.dat (0 bytes)

The process file3.exe:572 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3Srv.exe (113 bytes)

The process file3Srv.exe:3104 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

%Program Files%\Microsoft\DesktopLayer.exe (113 bytes)

The MemScan deletes the following file(s):

%Program Files%\Microsoft\pxF42D.tmp (0 bytes)

The process file2.exe:2372 makes changes in the file system.
The MemScan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xyz.vbs (10 bytes)

The MemScan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xyz.vbs (0 bytes)

Registry activity

The process chrome.exe:1948 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"
"failed_count" = "0"

The MemScan adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

The process %original file name%.exe:3676 makes changes in the system registry.
The MemScan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The MemScan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5 File path
3e1c595c2a91992d09701ad1e2fdfaba c:\Users\"%CurrentUserName%"\AppData\Local\Temp\file2.exe
ef4a4fead423fdeeaf62a48e7e8f67bf c:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3.exe
ff5e1f27193ce51eec318714ef038bef c:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3Srv.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: ?????????? ??????????
Product Name: HD Player
Product Version: 2.3.3.1
Legal Copyright: (c) ?????????? ??????????. ??? ????? ????????.
Legal Trademarks: (c) ?????????? ??????????. ??? ????? ????????.
Original Filename:
Internal Name:
File Version: 2.3.3.1
File Description: ???? ?????????? Windows
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 456860 457216 4.53982 578b99c7c1d5bf5d598f8f334c5f35b4
.itext 462848 1944 2048 4.21305 51b22683ba2c32291df17c4774ffe0c9
.data 466944 22540 23040 4.33592 5a458c2fb1b9a25eadfb8f388ba78750
.bss 491520 19144 0 0 d41d8cd98f00b204e9800998ecf8427e
.idata 512000 11450 11776 3.55714 8037b211dc916d222befeb114faa9819
.tls 524288 52 0 0 d41d8cd98f00b204e9800998ecf8427e
.rdata 528384 24 512 0.117936 e92a87b0668c60c7d9eb59dc756191c5
.reloc 532480 28200 28672 4.62323 8dcfdbcf9b673afaf4d567de8eb3407b
.rsrc 561152 24780 25088 3.27249 38ad3386eda2775d10e2a0f49bade29c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The MemScan connects to the servers at the folowing location(s):

%original file name%.exe_3676:

.text
`.itext
`.data
.idata
.rdata
@.reloc
B.rsrc
kernel32.dll
Windows
MSWHEEL_ROLLMSG
MSH_WHEELSUPPORT_MSG
MSH_SCROLL_LINES_MSG
$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)
oleaut32.dll
EVariantBadIndexError
ssShift
htKeyword
EInvalidOperation
%s_%d
USER32.DLL
EInvalidGraphicOperation
Uh.kB
SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
uxtheme.dll
PasswordChar
OnKeyDown
OnKeyPressp
OnKeyUp
clWebSnow
clWebFloralWhite
clWebLavenderBlush
clWebOldLace
clWebIvory
clWebCornSilk
clWebBeige
clWebAntiqueWhite
clWebWheat
clWebAliceBlue
clWebGhostWhite
clWebLavender
clWebSeashell
clWebLightYellow
clWebPapayaWhip
clWebNavajoWhite
clWebMoccasin
clWebBurlywood
clWebAzure
clWebMintcream
clWebHoneydew
clWebLinen
clWebLemonChiffon
clWebBlanchedAlmond
clWebBisque
clWebPeachPuff
clWebTan
clWebYellow
clWebDarkOrange
clWebRed
clWebDarkRed
clWebMaroon
clWebIndianRed
clWebSalmon
clWebCoral
clWebGold
clWebTomato
clWebCrimson
clWebBrown
clWebChocolate
clWebSandyBrown
clWebLightSalmon
clWebLightCoral
clWebOrange
clWebOrangeRed
clWebFirebrick
clWebSaddleBrown
clWebSienna
clWebPeru
clWebDarkSalmon
clWebRosyBrown
clWebPaleGoldenrod
clWebLightGoldenrodYellow
clWebOlive
clWebForestGreen
clWebGreenYellow
clWebChartreuse
clWebLightGreen
clWebAquamarine
clWebSeaGreen
clWebGoldenRod
clWebKhaki
clWebOliveDrab
clWebGreen
clWebYellowGreen
clWebLawnGreen
clWebPaleGreen
clWebMediumAquamarine
clWebMediumSeaGreen
clWebDarkGoldenRod
clWebDarkKhaki
clWebDarkOliveGreen
clWebDarkgreen
clWebLimeGreen
clWebLime
clWebSpringGreen
clWebMediumSpringGreen
clWebDarkSeaGreen
clWebLightSeaGreen
clWebPaleTurquoise
clWebLightCyan
clWebLightBlue
clWebLightSkyBlue
clWebCornFlowerBlue
clWebDarkBlue
clWebIndigo
clWebMediumTurquoise
clWebTurquoise
clWebCyan
clWebPowderBlue
clWebSkyBlue
clWebRoyalBlue
clWebMediumBlue
clWebMidnightBlue
clWebDarkTurquoise
clWebCadetBlue
clWebDarkCyan
clWebTeal
clWebDeepskyBlue
clWebDodgerBlue
clWebBlue
clWebNavy
clWebDarkViolet
clWebDarkOrchid
clWebMagenta
clWebDarkMagenta
clWebMediumVioletRed
clWebPaleVioletRed
clWebBlueViolet
clWebMediumOrchid
clWebMediumPurple
clWebPurple
clWebDeepPink
clWebLightPink
clWebViolet
clWebOrchid
clWebPlum
clWebThistle
clWebHotPink
clWebPink
clWebLightSteelBlue
clWebMediumSlateBlue
clWebLightSlateGray
clWebWhite
clWebLightgrey
clWebGray
clWebSteelBlue
clWebSlateBlue
clWebSlateGray
clWebWhiteSmoke
clWebSilver
clWebDimGray
clWebMistyRose
clWebDarkSlateBlue
clWebDarkSlategray
clWebGainsboro
clWebDarkGray
clWebBlack
comctl32.dll
AutoHotkeys
AutoHotkeys`
\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\
TKeyEvent
TKeyPressEvent
HelpKeyword
crSQLWait
%s (%s)
imm32.dll
ssHotTrack
TWindowState
poProportional
TWMKey
KeyPreview8
WindowStateD
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
User32.dll
%s, ClassID: %s
ole32.dll
rasapi32.dll
Error opening rasapi32.dll
rnaph.dll
Error opening rnaph.dll
127.0.0.1
1.0.4
RAPTOR@PASS
4;#$11|/
inflate 1.0.4 Copyright 1995-1996 Mark Adler
!#<@3;@"
0"!<$5\0
P%S4$;
E D[A#%D
advapi32.dll
RegOpenKeyExA
RegCloseKey
user32.dll
GetKeyboardType
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
LoadKeyboardLayoutA
GetKeyboardState
GetKeyboardLayoutNameA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
ExitWindowsEx
EnumWindows
EnumThreadWindows
EnumChildWindows
ActivateKeyboardLayout
gdi32.dll
SetViewportOrgEx
version.dll
WinExec
GetWindowsDirectoryA
GetCPInfo
RegQueryInfoKeyA
RegOpenKeyA
RegFlushKey
RegEnumKeyExA
RegDeleteKeyA
RegCreateKeyExA
URLMON.DLL
URLDownloadToFileA
shell32.dll
ShellExecuteA
LZ32.DLL
netapi32.dll
wsock32.dll
winmm.dll
? ?$?(?,?0?4?8?
7 89c:i:y:
4!4%4)404
4 4$4(4,4044484
1 2!2D2I2V2
9,999@9_9
3 3$3(3,3034383<315
7&838>8`8
PP@95.PP
PPP=:..PPPPP
PPPPP3..PPP
7777777777777777755
77777777777777755
777777777777775
77777777777777
7777777777777
777777777777
77777777777
7777777777
777777777777777
7777777777777777
3777777777777777
377777777777777
37777777777777
3777777777777
377777777777
777777777
77777777777777772
777777777777777777
KWindows
UrlMon
#RASReport
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Clipboard does not support Icons/Menu '%s' is already being used by another form
- Dock zone has no controlLError loading dock zone from the stream. Expecting version %d, but found %d.
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters
Invalid stream operation
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
No help found for %s#No context-sensitive help installed
Unsupported clipboard format
Invalid ImageList Index)Failed to read ImageList data from stream(Failed to write ImageList data to stream List capacity out of bounds (%d)
List count out of bounds (%d)
List index out of bounds (%d) Out of memory while expanding memory stream
Error reading %s%s%s: %s
Failed to create key %s
Failed to get data for '%s'
Failed to set data for '%s'
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Property %s does not exist
Cannot assign a %s to a %s
Bits index out of range*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread
Class %s not found
A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates
Cannot create file "%s". %s
Cannot open file "%s". %s
Invalid stream format$''%s'' is not a valid component name
Invalid data type for '%s'
Ancestor for '%s' not found
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
System Error. Code: %d.
"Variant method calls not supported
Invalid variant operation%Invalid variant operation (%s%.8x)
%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)
Operation not supported
Integer overflow Invalid floating point operation
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction(Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
!'%s' is not a valid integer value
'%s' is not a valid date!'%s' is not a valid date and time!'%s' is not a valid boolean value
I/O error %d
Windows
2.3.3.1

file2.exe_2372:

.text
`.rdata
@.data
.rsrc
powershell.exe
\ShellIds\Microsoft.PowerShell
usage: %s
%s\%s%s
%s\%s
\Everstrike\ExeScript Pro\key.txt
#es.include
%s\%d%s
<!-- ----- ExeScript Options Begin -----
----- ExeScript Options End ----- -->
wscript.exe /B
wscript.exe
cscript.exe /B
cscript.exe
mshta.exe
%s "%s"
%s "%s"
SHELL32.dll
SHLWAPI.dll
PeekNamedPipe
CreatePipe
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegEnumKeyExA
RegOpenKeyExA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file2.exe
<assemblyIdentity version="1.0.0.0"
processorArchitecture="X86" name="exescript" type="win32"/>
<description>ExeScript</description>
<ms_asmv2:requestedExecutionLevel
</assembly>ExeScriptPAD:2
g-pass
The script is encrypted. Please enter the password:
5The script is encrypted. Please enter your password:
That password is invalid.
]ExeScript is not installed. You can't use %s on this computer (Personal License limitations).

file3.exe_572:

.idata
.rdata
.reloc
.rsrc
.aspack
.data
.rmnet
Portions Copyright (c) 1983,97 Borland
EInvalidOperation
%s_%d
EInvalidGraphicOperation
comctl32.dll
TKeyEvent
TKeyPressEvent
crSQLWait
Ht.Ht
t.HtR
IMM32.DLL
:].tJ
TWindowState
poProportional
KeyPreview
WindowState
OnKeyDown
OnKeyPress
OnKeyUp
CTL3D32.DLL
System\CurrentControlSet\Control\Keyboard Layouts\%.8x
vcltest3.dll
PasswordChar
ssHorizontal
OnKeyUp,
Uh5%C
KERNEL32.DLL
lblWebsite
lblWebsiteClick
hXXp://VVV.rjlsoftware.com/redir/fakefmt.htm
hXXp://VVV.rjlsoftware.com/redir/fakefmt_ad.htm
Visit our website and get yourself a program to get them back.
:\$RJ$.DAT
msdx32.dll
FTPF0|
kernel32.dll
user32.dll
GetKeyboardType
advapi32.dll
RegOpenKeyExA
RegCloseKey
oleaut32.dll
GetWindowsDirectoryA
GetCPInfo
gdi32.dll
SetViewportOrgEx
UnhookWindowsHookEx
SetWindowsHookExA
MapVirtualKeyA
GetKeyboardLayoutList
GetKeyboardLayout
GetKeyState
GetKeyNameTextA
EnumWindows
EnumThreadWindows
ActivateKeyboardLayout
shell32.dll
ShellExecuteA
KWindows
Font.Charset
Font.Color
Font.Height
Font.Name
Font.Style
Lines.Strings
Dor accessing RJL Software, Inc.'s website, you agree to be bound by
.express written consent of RJL Software, Inc.
Items.Strings
Picture.Data
%Copyright 1999-00, RJL Software, Inc.
Company website
VVV.rjlsoftware.com
RJL Software creates many useful and fun software programs for Windows. Visit our website to view what other free software we have to offer.
Visit company website
hXXp://VVV.rjlsoftware.com
If you would like more free fun software, visit our website. RJL Software has tons of free utilities, screen savers, desktop, security, internet software.
0000000
ukernel32.dll
The procedure entry point %s could not be located in the dynamic link library %s
The ordinal %u could not be located in the dynamic link library %s
Srv.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3Srv.exe
O.Cp}l
OO.sJD
AM6d%X
4ml%F
.pkrd
.DBxA
Xvi%2x
8KeysX
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>
SHELL32.DLL
USER32.DLL
Value must be between %d and %d
Unable to insert a line Clipboard does not support Icons
Bits index out of range/Menu '%s' is already being used by another form
Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window
%s property out of range
 Operation not allowed on sorted string list%String list does not allow duplicates#A component named %s already exists$''%s'' is not a valid component name
A class named %s already exists
Error reading %s.%s: %s
Ancestor for '%s' not found
Unsupported clipboard format
Cannot assign a %s to a %s
Cannot create file %s
Cannot open file %s
Class %s not found
Resource %s not found
List index out of bounds (%d) List capacity out of bounds (%d)
List count out of bounds (%d)
External exception %x
Interface not supported
%s (%s, line %d)
Abstract Error?Access violation at address %p in module '%s'. %s of address %p
Win32 Error. Code: %d.
Invalid pointer operation
Invalid class typecast0Access violation at address %p. %s of address %p
Privileged instruction%Exception %s in module %s at %p.
Application Error1Format '%s' invalid or incompatible with argument
No argument for format '%s'
Invalid variant operation"Variant method calls not supported
!'%s' is not a valid integer value
I/O error %d
Integer overflow Invalid floating point operation
RJL Software - VVV.rjlsoftware.com
1.0.5.0
fakefmt.exe
1.0.0.0
Support issues should be emailed to support@rjlsoftware.com
Web Site
106.42.73.61
2528-6142
nedwp.exe

file3.exe_572_rwx_00450000_0000F000:

Srv.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3Srv.exe
kernel32.dll
.rsrc
O.Cp}l
OO.sJD
AM6d%X
4ml%F
.pkrd
.DBxA
Xvi%2x
8KeysX
<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>
KERNEL32.DLL
SHELL32.DLL
USER32.DLL
106.42.73.61
2528-6142
nedwp.exe

wscript.exe_1692:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
msvcrt.dll
OLEAUT32.dll
ole32.dll
VERSION.dll
advapi32.dll
wscript.exe
kernel32.dll
%s%s.DLL
wintrust.dll
%d.%d
Invalid parameter passed to C runtime function.
SOFTWARE\Classes\%s\%s
0x%8X
CreateURLMonikerEx
urlmon.dll
@@8X%u
RegCreateKeyA
RegCloseKey
RegOpenKeyA
RegDeleteKeyA
RegCreateKeyExW
RegCreateKeyExA
RegOpenKeyExW
ReportEventW
RegEnumKeyExA
RegOpenKeyExA
GetProcessHeap
GetCPInfo
MsgWaitForMultipleObjects
EnumThreadWindows
wscript.pdb
stdole2.tlbWWW
.ObjectWW
KeyW
WindowsFolderWWW4
%CopyFolderWWL
Windows Script Host (Ver 5.6)W)
Windows Script Host Application InterfaceW%
Windows Script Host Object
ebstrCmdLineW
1.191>1[1
: :$:(:,:0:4:8:<:
Software\Microsoft\Windows Script Host\Settings
Windows Script Host
WScript.CreateObject
WSHRemote.Execute
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
Windows Based Script Host
5.8.7600.16385
Windows Script Host
(Windows Script Host (debugging disabled)
Windows Script Host Error
Windows Script Host Input Error
This Unicode version of Windows Script Host will only execute under Windows NT.
Please use the ANSI version of Windows Script Host."
WScript execution time was exceeded on script "%1!ls!".
Script execution was terminated.1Could not locate automation class named "%1!ls!".
Could not connect object.'Could not create object named "%1!ls!".1Initialization of the Windows Script Host failed.6Can't find script engine "%2!ls!" for script "%1!ls!".!Can't change default script host.=An attempt at saving your settings via the //S option failed.(Loading script "%1!ls!" failed (%2!ls!).
Loading your settings failed.,Execution of the Windows Script Host failed.,Unexpected error of the Windows Script Host._Windows Script Host access is disabled on this machine. Contact your administrator for details.<Attempt to execute Windows Script Host while it is disabled.SAttempt to execute Windows Script Host remotely while remote execution is disabled.
Missing job name.*Unicode is not supported on this platform.
<The Windows Script Host settings have been reset to default.
Command line options are saved.4The default script host is now set to "wscript.exe".4The default script host is now set to "cscript.exe".,Successful execution of Windows Script Host.3Successful remote execution of Windows Script Host.
Win32 Error 0x%X
Windows Script Host(Windows Script Host (debugging disabled)
Usage: WScript scriptname.extension [option...] [arguments...]
Use engine for executing script
Changes the default script host to CScript.exe
Changes the default script host to WScript.exe (default)
Prevent logo display: No banner will be shown at execution time
#WScript Error - Windows Script Host!Input Error - Windows Script HostlThis Unicode version of WScript will only execute under Windows NT.
%6!ls! WScript - Script Execution Error!Windows Script Host Remote Script/Remote script object can only be executed once. Unable to execute remote script.

chrome.exe_1948:

.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
D$,j.Xf
j.Yf;
_tcPVj@
.PjRW
ole32.dll
POWRPROF.dll
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
operator
operator ""
?#%X.y
%S#[k
?OLEAUT32.dll
user32.dll
c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc
c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
%s: option `%s' is ambiguous (could be `--%s' or `--%s')
%s: invalid option -- `-%c'
%s: argument required for option `
--%s'
0.8.0
%ls (%s) %s
hXXps://crashpad.chromium.org/
hXXps://crashpad.chromium.org/bug/new
Report %ls bugs to
%s home page: <%s>
%ls: %s
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
PlatformFile.UnknownErrors.Windows
c:\b\build\slave\win-pgo\build\src\base\threading\thread_local_win.cc
0123456789
(flags = 0x%x)
Histogram: %s recorded %d samples
.syzygy
.thunks
Windows NT
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
c:\b\build\slave\win-pgo\build\src\base\metrics\persistent_memory_allocator.cc
(%d = %3.1f%%)
UMA.CreatePersistentHistogram.Result
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
widevinecdmadapter.dll
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
chrome-sxs
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_chrome_distribution.cc
iexplore.exe
googlechrome
googlechromeframe
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\channel_info.cc
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\language_selector.cc
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\app_commands.cc
Cannot initialize AppCommands from an invalid key.
Skipping over key "
Failed to open key "
Cannot initialize an AppCommand from an invalid key.
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\app_command.cc
CHROME_MAIN_TICKS
user_experience_metrics.reporting_enabled
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\settings.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc
x-x-x-xx-xxxxxx
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\misc\uuid.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io.cc
--annotation=KEY=VALUE set a process annotation in each crash report
--database=PATH store the crash report database at PATH
create a new pipe and send its name via HANDLE
--pipe-name=PIPE communicate with the client over PIPE
--url=URL send crash reports to this Breakpad server URL,
pipe-name
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\handler_main.cc
duplicate key
--annotation requires KEY=VALUE
--handshake-handle and --pipe-name are incompatible
--handshake-handle or --pipe-name is required
SetProcessShutdownParameters
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc
reserved key
FinishedWritingCrashReport failed
PrepareNewCrashReport failed
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc
%s.%s,%s,%s
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc
%s %d.%d.%d.%s%s
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc
kernel32.dll
c:\b\build\slave\win-pgo\build\src\sandbox\win\src\sandbox_policy_base.cc
NtOpenKey
NtCreateKey
GetCertificateSize
GetCertificate
GetCertificateSizeByHandle
GetCertificateByHandle
SetOPMSigningKeyAndSequenceNumbers
CreateNamedPipeW
NtOpenKeyEx
PruneCrashReportDatabase: Failed to get pending reports
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc
PruneCrashReportDatabase: Failed to get completed reports
Database Pruning: Failed to remove report
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc
::GetNamedPipeClientProcessId
\\.\pipe\crashpad_%d_
ImpersonateNamedPipeClient
ConnectNamedPipe
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpCloseHandle
Crashpad/0.8.0
WinHttpOpen
WinHttpSetTimeouts
WinHttpReceiveResponse
WinHttpQueryHeaders
HTTP status %d
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpSendRequest
%%x
--%s%sContent-Disposition: form-data; name="%s"
; filename="%s"%s
Content-Type: %s%s
multipart/form-data; boundary=%s
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_seeker.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\process_info.cc
Reading x64 process from x86 process not supported
0x%llx   0x%llx (%s)
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\module_version.cc
<failed to retrieve error message (0x%x)>
(0xx)
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_local_alloc.cc
SetNamedPipeHandleState
WaitNamedPipe
TransactNamedPipe: expected
TransactNamedPipe
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body.cc
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
C:\b\build\slave\win-pgo\build\src\out\Release\initialexe\chrome.exe.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLB
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.gfids$x
.gfids$y
.tls$ZZZ
.rsrc$01
.rsrc$02
chrome.exe
SignalChromeElf
chrome_elf.dll
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegCloseKey
ADVAPI32.dll
CreateIoCompletionPort
GetWindowsDirectoryW
GetProcessHandleCount
KERNEL32.dll
ShellExecuteExW
SHELL32.dll
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
SetProcessWindowStation
USER32.dll
VERSION.dll
WINMM.dll
WTSAPI32.dll
RPCRT4.dll
GetCPInfo
GetProcessHeap
PeekNamedPipe
DisconnectNamedPipe
WaitNamedPipeW
WINHTTP.dll
.?AU_Crt_new_delete@std@@
a.IDATx
%F?????????3 
ÿFFFFFFFFFFFFFFF?B%
:1----16
Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12
:BBBBBBBBBB>>-.jdddcccca
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="54.0.2840.59" version="54.0.2840.59" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
3 3*363@3
6 6%6-646
-0F3K4U4g4m4r4}4
1$3 303{3
081?1_1?3
4!4%4)4{4
9—9d9
; <0<6<;<
<&=.=6=>=~=
? ?$?(?,?
5 5$5(5,5
5 5$5(5,5054585
9,9094989
< <$<(<,<0<4<
4 4<4@4\4`4|4
5 5<5@5\5`5|5
KERNEL32.DLL
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
nchrome_watcher.dll
PreReadChromeChildInBrowser
${windows}
Ndebug.log
\StringFileInfo\xx\%ls
ntdll.dll
shell32.dll
resources.pak
script.log
chrome
pepflashplayer.dll
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium
{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Chrome
chrome_child.dll
chrome.dll
Google Chrome Canary
{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}
ChromeCanary
Chrome Canary HTML Document
ChromeSSHTM
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}
Google Chrome binaries
hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1
Google Chrome
%d.%d.%d
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
ChromeHTML
Chrome HTML Document
{8A69D345-D564-463c-AFF1-A69D9E530F96}
{5C65F4B0-3651-4514-B207-D10CB699B14B}
Google Chrome Frame
Chrome in a Frame.
Google\Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{8BA986DA-5100-405E-AA35-86F34A02ACBF}
WebAccessible
-chromeframe
-chrome
lSOFTWARE\Policies\Google\Chrome
reports
settings.dat
ALPC Port
\Sessions\%d\AppContainerNamedObjects\%ls
sHKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
pipe\
egdi32.dll
tntdll.dll
xntdll.dll
Chrome_MessageWindow
Failed to create directory %ls, last error is %d
Chrome SxS\Application
winhttp.dll
54.0.2840.59
chrome_exe

chrome.exe_2764:

.text
`.rdata
@.data
.gfids
@.tls
.rsrc
@.reloc
D$,j.Xf
j.Yf;
_tcPVj@
.PjRW
ole32.dll
POWRPROF.dll
address family not supported
broken pipe
function not supported
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
InitOnceExecuteOnce
operator
operator ""
?#%X.y
%S#[k
?OLEAUT32.dll
user32.dll
c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc
c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc
Failed to load Chrome DLL from
ChromeMain
RelaunchChromeBrowserWithNewCommandLineIfNeeded
Could not find exported function
%s: option `%s' is ambiguous (could be `--%s' or `--%s')
%s: invalid option -- `-%c'
%s: argument required for option `
--%s'
0.8.0
%ls (%s) %s
hXXps://crashpad.chromium.org/
hXXps://crashpad.chromium.org/bug/new
Report %ls bugs to
%s home page: <%s>
%ls: %s
(0x%X)
Error (0x%X) while retrieving error. (0x%X)
PlatformFile.UnknownErrors.Windows
c:\b\build\slave\win-pgo\build\src\base\threading\thread_local_win.cc
0123456789
(flags = 0x%x)
Histogram: %s recorded %d samples
.syzygy
.thunks
Windows NT
Histogram.InconsistentCountHigh
Histogram.InconsistentCountLow
c:\b\build\slave\win-pgo\build\src\base\metrics\persistent_memory_allocator.cc
(%d = %3.1f%%)
UMA.CreatePersistentHistogram.Result
Dictionary keys must be quoted.
Unsupported encoding. JSON must be UTF-8.
Line: %i, column: %i, %s
widevinecdmadapter.dll
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_update_settings.cc
Failed to write to application's ClientState key
Removed incremental installer failure key; switching to channel:
Removed multi-install failure key; switching to channel:
CHROME_PROBED_PROGRAM_FILES_PATH
chrome-sxs
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_chrome_distribution.cc
iexplore.exe
googlechrome
googlechromeframe
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\channel_info.cc
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\language_selector.cc
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\app_commands.cc
Cannot initialize AppCommands from an invalid key.
Skipping over key "
Failed to open key "
Cannot initialize an AppCommand from an invalid key.
c:\b\build\slave\win-pgo\build\src\chrome\installer\util\app_command.cc
CHROME_MAIN_TICKS
user_experience_metrics.reporting_enabled
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\settings.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc
x-x-x-xx-xxxxxx
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\misc\uuid.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io.cc
--annotation=KEY=VALUE set a process annotation in each crash report
--database=PATH store the crash report database at PATH
create a new pipe and send its name via HANDLE
--pipe-name=PIPE communicate with the client over PIPE
--url=URL send crash reports to this Breakpad server URL,
pipe-name
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\handler_main.cc
duplicate key
--annotation requires KEY=VALUE
--handshake-handle and --pipe-name are incompatible
--handshake-handle or --pipe-name is required
SetProcessShutdownParameters
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc
reserved key
FinishedWritingCrashReport failed
PrepareNewCrashReport failed
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc
%s.%s,%s,%s
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc
%s %d.%d.%d.%s%s
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc
kernel32.dll
c:\b\build\slave\win-pgo\build\src\sandbox\win\src\sandbox_policy_base.cc
NtOpenKey
NtCreateKey
GetCertificateSize
GetCertificate
GetCertificateSizeByHandle
GetCertificateByHandle
SetOPMSigningKeyAndSequenceNumbers
CreateNamedPipeW
NtOpenKeyEx
PruneCrashReportDatabase: Failed to get pending reports
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc
PruneCrashReportDatabase: Failed to get completed reports
Database Pruning: Failed to remove report
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc
::GetNamedPipeClientProcessId
\\.\pipe\crashpad_%d_
ImpersonateNamedPipeClient
ConnectNamedPipe
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_reader.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpCloseHandle
Crashpad/0.8.0
WinHttpOpen
WinHttpSetTimeouts
WinHttpReceiveResponse
WinHttpQueryHeaders
HTTP status %d
WinHttpReadData
WinHttpAddRequestHeaders
WinHttpSendRequest
%%x
--%s%sContent-Disposition: form-data; name="%s"
; filename="%s"%s
Content-Type: %s%s
multipart/form-data; boundary=%s
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_seeker.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\process_info.cc
Reading x64 process from x86 process not supported
0x%llx   0x%llx (%s)
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\module_version.cc
<failed to retrieve error message (0x%x)>
(0xx)
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_local_alloc.cc
SetNamedPipeHandleState
WaitNamedPipe
TransactNamedPipe: expected
TransactNamedPipe
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc
c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body.cc
InvokeMainViaCRT
ExitMainViaCRT
Microsoft.CRTProvider
C:\b\build\slave\win-pgo\build\src\out\Release\initialexe\chrome.exe.pdb
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLB
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zETW0
.rdata$zETW1
.rdata$zETW2
.rdata$zETW9
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.didat$2
.didat$3
.didat$4
.didat$6
.didat$7
.edata
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.didat$5
.gfids$x
.gfids$y
.tls$ZZZ
.rsrc$01
.rsrc$02
chrome.exe
SignalChromeElf
chrome_elf.dll
RegOpenKeyExW
RegEnumKeyExW
RegCreateKeyExW
RegQueryInfoKeyW
RegCloseKey
ADVAPI32.dll
CreateIoCompletionPort
GetWindowsDirectoryW
GetProcessHandleCount
KERNEL32.dll
ShellExecuteExW
SHELL32.dll
CloseWindowStation
CreateWindowStationW
GetProcessWindowStation
SetProcessWindowStation
USER32.dll
VERSION.dll
WINMM.dll
WTSAPI32.dll
RPCRT4.dll
GetCPInfo
GetProcessHeap
PeekNamedPipe
DisconnectNamedPipe
WaitNamedPipeW
WINHTTP.dll
.?AU_Crt_new_delete@std@@
a.IDATx
%F?????????3 
ÿFFFFFFFFFFFFFFF?B%
:1----16
Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12
:BBBBBBBBBB>>-.jdddcccca
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="54.0.2840.59" version="54.0.2840.59" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
3 3*363@3
6 6%6-646
-0F3K4U4g4m4r4}4
1$3 303{3
081?1_1?3
4!4%4)4{4
9—9d9
; <0<6<;<
<&=.=6=>=~=
? ?$?(?,?
5 5$5(5,5
5 5$5(5,5054585
9,9094989
< <$<(<,<0<4<
4 4<4@4\4`4|4
5 5<5@5\5`5|5
KERNEL32.DLL
mscoree.dll
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers
nchrome_watcher.dll
PreReadChromeChildInBrowser
${windows}
Ndebug.log
\StringFileInfo\xx\%ls
ntdll.dll
shell32.dll
resources.pak
script.log
chrome
pepflashplayer.dll
Browse the web
Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium
{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}
{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}
Chrome
chrome_child.dll
chrome.dll
Google Chrome Canary
{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}
ChromeCanary
Chrome Canary HTML Document
ChromeSSHTM
{1BEAC3E3-B852-44F4-B468-8906C062422E}
{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}
Google Chrome binaries
hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1
Google Chrome
%d.%d.%d
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome
ChromeHTML
Chrome HTML Document
{8A69D345-D564-463c-AFF1-A69D9E530F96}
{5C65F4B0-3651-4514-B207-D10CB699B14B}
Google Chrome Frame
Chrome in a Frame.
Google\Chrome Frame
Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame
{8BA986DA-5100-405E-AA35-86F34A02ACBF}
WebAccessible
-chromeframe
-chrome
lSOFTWARE\Policies\Google\Chrome
reports
settings.dat
ALPC Port
\Sessions\%d\AppContainerNamedObjects\%ls
sHKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_PERFORMANCE_TEXT
HKEY_PERFORMANCE_NLSTEXT
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
pipe\
egdi32.dll
tntdll.dll
xntdll.dll
Chrome_MessageWindow
Failed to create directory %ls, last error is %d
Chrome SxS\Application
winhttp.dll
%Program Files%\Google\Chrome\Application\chrome.exe
54.0.2840.59
chrome_exe

chrome.exe_1948_rwx_00190000_00001000:

WYw%Program Files%\Microsoft\DesktopLayer.exe

chrome.exe_1948_rwx_20010000_00009000:

.text
.rdata
@.data
.reloc
Srv.exe
kernel32.dll


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    chrome.exe:2764
    file3Srv.exe:3104
    file2.exe:2372

  2. Delete the original MemScan file.
  3. Delete or disinfect the following files created/modified by the MemScan:

    %Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat (80 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\hdr.tmp (571756 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3.exe (2001 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file5.empty (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\temp.dat (14600 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file4.empty (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Header.dat (96 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file2.exe (1047 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file6.empty (15 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\file3Srv.exe (113 bytes)
    %Program Files%\Microsoft\DesktopLayer.exe (113 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\xyz.vbs (10 bytes)

  4. Remove the references to the MemScan by modifying the following registry value(s) (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "c:\windows\system32\userinit.exe,,c:\program files\microsoft\desktoplayer.exe"

  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2025 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now