Trojan.GenericKD.2524648_0e94655120

by malwarelabrobot on August 7th, 2015 in Malware Descriptions.

Trojan-Downloader.Win32.Genome.syln (Kaspersky), Trojan.GenericKD.2524648 (B) (Emsisoft), Trojan.GenericKD.2524648 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Requires JavaScript enabled!

Summary
Dynamic Analysis
Static Analysis
Network Activity
Map
Strings from Dumps
Removals

MD5: 0e94655120a2b3dfb0853da68bd6a1ad
SHA1: 6aec0acf18e06c810e3a2ef790bd56adff83032f
SHA256: 1d01aca79be1c803e86f2c801eaaa307bc3cc2a093a5bee7866920db462d05c4
SSDeep: 6144:1eTeM/PFhvzILNooL87BruKkdJOM6fWNLQXSHRi BDsOBsQlGM0ePa053xPCqFG:5MPvgNooIBruK6wM6f5XSxi0DBC80ePw
Size: 388369 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-06-19 00:33:23
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

install1403380.exe:1036
RsMgrSvc.exe:1436
ravmond.exe:1272
ravmond.exe:1152
popwndexe.exe:220

The Trojan injects its code into the following process(es):

%original file name%.exe:368

Mutexes

The following mutexes were created/opened:

ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
RasPbFile
s554d

File activity

The process install1403380.exe:1036 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (1385 bytes)
%Program Files%\Rising\RAV\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\moncomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (278 bytes)
%Program Files%\Rising\RAV\setup.dat (601 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\ShortCut\Repair.url (155 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
%Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RAV\12345678.000 (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm (4 bytes)
%Program Files%\Rising\RAV\rav936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RAV\rscurl.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
%Program Files%\Rising\RAV\msvcr90.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (605 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
%Program Files%\Rising\RAV\cfgxml\adefmon.mond (2 bytes)
%Program Files%\Rising\RAV\desktop.ini (182 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9 (4 bytes)
%Program Files%\Rising\RAV\cloudqry.dll (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (1604 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
%Program Files%\Rising\RSD\updater.exe (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
%Program Files%\Rising\RAV\Label.dat (140 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsPcVer12.xml.rs (667 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\RsStub.exe (64 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (336 bytes)
%Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
%Program Files%\Rising\RAV\rscom.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
%Program Files%\Rising\RAV\RsTray.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
%Program Files%\Rising\RAV\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RAV\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
%Program Files%\Rising\RAV\cfgxml\mondcoms.xml (8 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RAV\cfgxml\mond.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\RsPcVer12[1].xml (663 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\rsuser.db1 (601 bytes)
%Program Files%\Rising\RAV\XMLS\RSDK.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
%Program Files%\Rising\RAV\Microsoft.VC90.CRT.manifest (496 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
%Program Files%\Rising\RAV\cnt08.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
%System%\drivers\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (435 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (1898 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (2613 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
%Program Files%\Rising\RAV\RavSetup.dll (7433 bytes)
%Program Files%\Rising\RAV\cfgxml\repairmanager.mond (207 bytes)
%Program Files%\Rising\RAV\CompsVer.inf (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
%Program Files%\Rising\RAV\RsMain.ico (27 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
%Program Files%\Rising\RAV\XMLS\MONBASEDUI.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
%Program Files%\Rising\RAV\procenv.dll (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RAV\mergexml.dll (601 bytes)
%Program Files%\Rising\RAV\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (2352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
%Program Files%\Rising\RAV\Rising.ico (3 bytes)
%Program Files%\Rising\RAV\url.ini (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
%Program Files%\Rising\RAV\rssrv.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
%Program Files%\Rising\RAV\XMLS\RAVDEFDB.xml (967 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\rslang.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
%Program Files%\Rising\RAV\cfgxml\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
%Program Files%\Rising\RAV\Cloudv3.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (106 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (935 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
%Program Files%\Rising\RSD\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
%Program Files%\Rising\RAV\LogDc.bmp (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (2550 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\rsmon.db (43 bytes)
%Program Files%\Rising\RAV\rscommx2.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
%Program Files%\Rising\RAV\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
%System%\drivers\protreg.sys (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (1248 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CompsVer.inf (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\c[1].aspx (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
%Program Files%\Rising\RAV\XMLS\RAVLOG.xml (545 bytes)
%Program Files%\Rising\RAV\cfgxml\userdata.rstray (293 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (4295 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
%Program Files%\Rising\RAV\ravmond.exe (1425 bytes)
%Program Files%\Rising\RAV\sysmon_if.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
%Program Files%\Rising\RAV\XMLS\RSMONDEF.xml (1 bytes)
%Program Files%\Rising\RAV\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
%Program Files%\Rising\RAV\moncom08.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
%Program Files%\Rising\RAV\rsmain.exe (601 bytes)
%Program Files%\Rising\RAV\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
%Program Files%\Rising\RAV\XMLS\LICENSE.xml (347 bytes)
%Program Files%\Rising\RSD\Backup\RAV\Label.dat (140 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
%Program Files%\Rising\RAV\rsdll.dll.dat (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (1076 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
%Program Files%\Rising\RAV\XMLS\RAVCONFIG.xml (518 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
%Program Files%\Rising\RAV\rsxml3w.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
%Program Files%\Rising\RAV\XMLS\MSCRT9.xml (961 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
%Program Files%\Rising\RAV\antipromotionmon.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
%Program Files%\Rising\RAV\rslog.dll (601 bytes)
%Program Files%\Rising\RAV\Proccom.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
%Program Files%\Rising\RAV\dfw.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (3891 bytes)
%Program Files%\Rising\RAV\rspalvd.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
%Program Files%\Rising\RAV\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (165 bytes)
%Program Files%\Rising\RAV\XMLS\RSCOMM.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (634 bytes)
%Program Files%\Rising\RAV\XMLS\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (248 bytes)
%Program Files%\Rising\RAV\bacore.dll (2321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
%Program Files%\Rising\RAV\XMLS\RAVMON.xml (574 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
%Program Files%\Rising\RAV\rscfg.dll (53 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
%Program Files%\Rising\RSD\syslay.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
%Program Files%\Rising\RAV\LogAc.bmp (24 bytes)
%Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
%Program Files%\Rising\RAV\dataups.dat (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (985 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (1153 bytes)
%Program Files%\Rising\RAV\XMLS\RAVMAINDUI.xml (1 bytes)
%Program Files%\Rising\RAV\XMLS\CLOUDQRY.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
%Program Files%\Rising\RAV\msvcp90.dll (3361 bytes)
%Documents and Settings%\All Users\Start Menu\Programs\Rising Software Deployment System\.lnk (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
%Program Files%\Rising\RAV\monrule.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
%Program Files%\Rising\RSD\update.xml (164 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\ShortCut\RAV.ico (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
%Program Files%\Rising\RAV\mondef.dll (3361 bytes)
%Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\urg[1].htm (224 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (7805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\rsmon.db1 (43 bytes)
%Program Files%\Rising\RAV\cnt09.dll (1281 bytes)
%Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (459 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
%Program Files%\Rising\RAV\localopt.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\language.ini (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (1803 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
%Program Files%\Rising\RAV\cloudnotifier.dll (1425 bytes)
%Program Files%\Rising\RAV\traywnd.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (6045 bytes)
%Program Files%\Rising\RSD\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
%Program Files%\Rising\RAV\kguard_if.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef (4 bytes)
%Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
%Program Files%\Rising\RSD\Setup.exe (5441 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (5724 bytes)
%Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
%Program Files%\Rising\RAV\rsxml3a.dll (673 bytes)
%System%\drivers\rsndisp.sys (10 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
%Program Files%\Rising\RAV\rstasku.xml (4 bytes)
%Program Files%\Rising\RAV\XMLS\_RAV.xml (368 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\RAV.ini (599 bytes)
%Program Files%\RsTest.ini (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
%Program Files%\Rising\RAV\syslay.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase (4 bytes)
%Program Files%\Rising\RAV\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\ravcfg.xml (601 bytes)
%Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
%Program Files%\Rising\RAV\rav936\chs.lag (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
%System%\drivers\kguard.sys (601 bytes)
%Program Files%\Rising\RAV\mondrv.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
%Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
%Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (1039 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
%Program Files%\Rising\RAV\cloudwork.dll (7726 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase (4 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\rsuser.db (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (1384 bytes)
%Program Files%\Rising\RAV\defmon.dll (3361 bytes)
%Program Files%\Rising\RAV\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
C:\rising.ini (215 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
%Program Files%\Rising\RAV\uprsmon.dat (45 bytes)
%Program Files%\Rising\RAV\cloudnet.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
%Program Files%\Rising\RAV\XMLS\CLOUDV3.xml (1 bytes)
%Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
%Program Files%\Rising\RAV\ravxp.exe (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
%Program Files%\Rising\RSD\Data\RAV\RAV.ini (57324 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
%Program Files%\Rising\RSD\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\XMLS\RAV936.xml (515 bytes)
%Program Files%\Rising\RAV\cfgxml\userdata.mond (485 bytes)
%Program Files%\Rising\RAV\pngdll.dll (1425 bytes)
%Program Files%\Rising\RAV\Proccomm.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
%Program Files%\Rising\RAV\comx3.dll (673 bytes)
%Program Files%\Rising\RAV\hookbase.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
%Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
%Program Files%\Rising\RAV\XMLS\RAVBASE.xml (4 bytes)
%Program Files%\Rising\RAV\rstask.xml (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
%Program Files%\Rising\RAV\cloudstore.dll (2321 bytes)
%Program Files%\Rising\RAV\atl90.dll (673 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3 (4 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (168 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
%Program Files%\Rising\RAV\XMLS\setup.xml (2 bytes)
%Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
%Program Files%\Rising\RAV\rsdll.dll (601 bytes)
%Program Files%\Rising\RAV\Microsoft.VC90.ATL.manifest (466 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db (19 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\install1403380.exe.log (317387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (2065 bytes)
%Program Files%\Rising\RAV\XMLS\RAVXP.xml (404 bytes)
%Program Files%\Rising\RAV\XMLS\RSCFG.xml (996 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (6605 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
%Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
%Program Files%\Rising\RAV\rscombas.dll (1281 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
%Program Files%\Rising\RAV\bawhite.dll (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
%Program Files%\Rising\RSD\setup.dat (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (608 bytes)
%Program Files%\Rising\RAV\bawhite.dat (22 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mond (207 bytes)
%Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
%Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
%Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (1000 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
%System%\drivers\sysmon.sys (673 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (1202 bytes)
%Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (741 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsPcVer12.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV_DL (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\irg[1].ashx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ForLogDeve[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\c[1].aspx (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\urg[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\CARYGJJT.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000.bak (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\RsPcVer12[1].xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (0 bytes)
%Program Files%\Rising\RAV (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (0 bytes)
%Program Files%\Rising (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (0 bytes)
%Program Files%\RsTest.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (0 bytes)

The process RsMgrSvc.exe:1436 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
%Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)

The process ravmond.exe:1152 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Program Files%\Rising\RAV\logfiles\ravmond.exe.cloudwork.log (6073 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\navigate_sign[1].xml (200 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db-journal (2338 bytes)
%Program Files%\Rising\RAV\logfiles\ravmond.exe.log (149 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db (15562 bytes)
%Program Files%\Rising\RAV\browserruncount.dat (944 bytes)
%Program Files%\Rising\RAV\prvcloudcfg.ini (26 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\navigate_up[1].xml (235 bytes)
%Program Files%\Rising\RAV\ravmond.exe_status.ini (80 bytes)
%Program Files%\Rising\RAV\CCenter.db-journal (18630 bytes)
%Program Files%\Rising\RAV\CCenter.db (623 bytes)

The Trojan deletes the following file(s):

%Program Files%\Rising\RAV\CCenter.db-journal (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\navigate_sign[1].xml (0 bytes)
%Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db-journal (0 bytes)
%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\navigate_up[1].xml (0 bytes)

The process %original file name%.exe:368 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\55.dll (19614 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\xID.dll (3 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1.tmp (0 bytes)

Registry activity

The process install1403380.exe:1036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\rdisk_exec_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\SmartScan]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AutoTreatInfected]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\state]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\pro_path]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\UseAI]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\exploit_scan_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\protect_registries]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PackageSizeLimit]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"DisplayVersion" = "24.00.43.08"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\func]
"(Default)" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\GlobalCache]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\homepageguard\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\DenferTime]
"(Default)" = "255"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"Path" = "%Program Files%\Rising\RAV\nprising.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\PollingInterval]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg]
"ver" = "24"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKLM\SOFTWARE\rising\lockie]
"url6" = "U40SF7l0GScVB3dcXjsAGGMBGCAIGSpdEj1OSC9OR98="
"url1" = "U40SF7l0GScVB3dcXjsAGGMBGCAIGSpdEj1OSC9OQNQ="

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\lockie]
"url2" = "U40SF7l0GScVB3dcXjsAGGMBGCAIGSpdEj1OSC9OQ9s="

[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\Enable]
"ver" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayVersion" = "23.00.01.03"

[HKLM\SOFTWARE\rising\lockie]
"url9" = "U40SF7l0GScVB3dcXjsAGGMBGCAIGSpdEj1OSC9OSNw="
"url8" = "U40SF7l0GScVB3dcXjsAGGMBGCAIGSpdEj1OSC9OSd0="

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\Mode]
"(Default)" = "Post"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\scriptmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\state]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"Publisher" = "Beijing Rising Information Technology, Inc."

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AutoTreatInfected]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\file_ext_filter]
"(Default)" = "VBS;VBE;JS;JSE;LSP;FAS;ASP;HTT;HTA;CSS;WSH;MHT;JSP;PHP;HTM;HTML;RB;LUA;PY;EXE;COM;SYS;VXD;DRV;DLL;BIN;OVL;386;FON;DOC;DOT;XLS;XLT;PPT;BAT;SCT;OCX;CPL;LNK;EML;NWS;PIF;SHS;MAI;SCR;ZIP;7Z;ARJ;BZ2;BZIP2;CAB;GZ;GZIP;HFS;ISO;LHA;LZH;LZMA;RAR;TAR;"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\InsufficientSpaceHandleMethod]
"ver" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"DisplayName" = "Rising Software Deployment System"

[HKLM\SOFTWARE\rising\rscommon]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\common"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\verdict_vir_found]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\autorun_disable_state]
"(Default)" = "1"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"Description" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\sites]
"(Default)" = "D8 6D 9D 5B 51 7F 00 00 2A 00 2E 00 74 00 61 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\Report]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}]
"ProcID" = "{0D565346-BF61-6648-3030-303030303030}"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\Default\ProtectConfig\ProtectType]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Type" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\verdict_vir_found]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\ProtectConfig\ProtectType]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\SmartScan]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowLogonIcon]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\Enable]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\app_filters]
"(Default)" = "00 00 00 00"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising]
"vender" = "Rising"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_filters]
"(Default)" = "2D 00 2D 00 74 00 79 00 70 00 65 00 3D 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\AutoEnterSilenceMode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\scan_timeout]
"(Default)" = "30000"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoTrayIcon]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"URLInfoAbout" = "http://help.ikaka.com/"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\sites]
"(Default)" = "D8 6D 9D 5B 51 7F 00 00 2A 00 2E 00 74 00 61 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\PackageSizeLimit]
"ver" = "3"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}]
"ProcKey" = "RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AlertSound]
"ver" = "1"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Group" = "Boot Bus Extender"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\PopupInterval]
"(Default)" = "600"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\func]
"(Default)" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\file_ext_filter]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\verdict_vir_found]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\bxfix]
"(Default)" = "http://rscloud.rising.net.cn/navigate_bwfix.xml"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\UseCloudDefence]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\SmartRelocate]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\homepageguard\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\whitemask]
"(Default)" = "25"

[HKLM\System\CurrentControlSet\Services\sysmon\Instances\sysmon]
"Altitude" = "370070"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\GlobalCache]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\zone]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\SmartScan]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rs_processes]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\func]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\FileNameFilter]
"(Default)" = ".exe|.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\REGO]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BackgroundScan\State]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\file_ext_filter]
"ver" = "1"

[HKCU\Software\MozillaPlugins\@rising.com.cn/nprising]
"Path" = "%Program Files%\Rising\RAV\nprising.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\mode]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowAgent]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\mode]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\Count]
"(Default)" = "592"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\Default\KeepDays]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\UninstallProtect]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoTrayIcon]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ScanResultCountPerPage]
"(Default)" = "268435455"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RSD"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\QQMgrInterval]
"(Default)" = "900"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"InstallLocation" = "%Program Files%\Rising\RSD"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV]
"InstallPath" = "%Program Files%\Rising\RAV"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\rdisk_exec_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\Baidu]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\writelog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PackageSizeLimit]
"ver" = "4"

[HKLM\SOFTWARE\rising\RAV]
"Type" = "17"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\whitemask]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\reg_path]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV]
"Version" = "24.00.43.08"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\UseAI]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\level]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising\MimeType]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowLogonIcon]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\sites]
"ver" = "16"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoBacore]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowScanAd]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"UninstallString" = "%Program Files%\Rising\RSD\Setup.exe /UNINSTALL /PRODUCT=RAV"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\MaxScanDeep]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\KeepDays]
"(Default)" = "60"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\mode]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\MaxScanDeep]
"(Default)" = "2"

[HKLM\System\CurrentControlSet\Services\sysmon\Instances]
"DefaultInstance" = "sysmon"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\conntest]
"(Default)" = "http://rscloud.rising.net.cn/cloud.html"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\Default\KeepDays]
"(Default)" = "60"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AutoTreatInfected]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PackageSizeLimit]
"ver" = "4"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\InsufficientSpaceHandleMethod]
"(Default)" = "0"

[HKLM\System\CurrentControlSet\Services\SysMon]
"DebugLevel" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\UseCloudEngine]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AutoTreatInfected]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\Enable]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PreciseFormat]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\port_list]
"(Default)" = "110=110|25=120"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\reg_path]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\AutoTreatInfected]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Description" = "Rising System Monitor Driver"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\whitemask]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\lockie]
"url3" = "U40SF7l0GScVB3dcXjsAGGMBGCAIGSpdEj1OSC9OQto="

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\UseAI]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV]
"DataPath" = "%Documents and Settings%\All Users\Application Data\Rising\Rav"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\zone]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\protect_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\oswhite]
"(Default)" = "http://rscloud.rising.net.cn/navigate_oswhite.xml"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\BRScan]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\NavigateXml\navig]
"(Default)" = "http://rscloud.rising.net.cn/navigate.xml"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\mode]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\protect_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\BaiduInterval]
"(Default)" = "900"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\System\CurrentControlSet\Services\SysMon]
"DLibPath" = "%Program Files%\Rising\RAV\rsdll.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\homepageguard\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\verdict_vir_found]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\InsufficientSpaceHandleMethod]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\notify_timeout]
"(Default)" = "131072"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\level]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\State]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\MaxScanDeep]
"ver" = "2"

[HKLM\System\CurrentControlSet\Services\SysMon]
"AppProtect" = "11c176b2, 920e004c, 70ffc5d4"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\JoinImprovementPlan]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\state]
"ver" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\InsufficientSpaceHandleMethod]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rs_processes]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\antipromotionmon\intercept]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\SmartScan]
"ver" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\rising\RAV\cfgUn\PreventUninstallSwitch]
"PreventUninstallSwitch" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\verdict_vir_found]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\DisableLog]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Features\UrlLogging]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\Default\ProtectConfig\Password]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\JoinImprovementPlan]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\Baidu]
"(Default)" = "14400"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\Default\LargeFileHandleMethod]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\UseCloudDefence]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_filters]
"(Default)" = "2D 00 2D 00 74 00 79 00 70 00 65 00 3D 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"Publisher" = "Beijing Rising Information Technology, Inc."

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\scan_timeout]
"(Default)" = "30000"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\filemon\file_ext_filter]
"(Default)" = "VBS;VBE;JS;JSE;LSP;FAS;ASP;HTT;HTA;CSS;WSH;MHT;JSP;PHP;HTM;HTML;RB;LUA;PY;EXE;COM;SYS;VXD;DRV;DLL;BIN;OVL;386;FON;DOC;DOT;XLS;XLT;PPT;BAT;SCT;OCX;CPL;LNK;EML;NWS;PIF;SHS;MAI;SCR;ZIP;7Z;ARJ;BZ2;BZIP2;CAB;GZ;GZIP;HFS;ISO;LHA;LZH;LZMA;RAR;TAR;"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\PollingPath]
"(Default)" = ";"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudSafe\Default\UseCloudEngine]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\notify_timeout]
"(Default)" = "131072"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AlertSound]
"(Default)" = "1"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcKind" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\func]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\eshopmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\FileMonRoutine\PackageSizeLimit]
"(Default)" = "0"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcInfo" = "1438869406"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Services]
"Rising" = "Admin Test"

[HKLM\SOFTWARE\rising\RAV]
"Name" = "Rising AntiVirus 2012"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\Default\AutoEnterSilenceMode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ScanResultCountPerPage]
"(Default)" = "268435455"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\AutoTreatInfected]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayName" = "Rising Software Deployment System"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\scriptmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\WhiteList\TrustedFiles]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BackgroundScan\State]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\HTTP\EngDelay]
"(Default)" = "256"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\notify_timeout]
"(Default)" = "131072"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\app_filters]
"ver" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\autorun_disable_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\lockie]
"URL" = "aqceZAduQEZGXRpFB1pTQg4YQUFbQ0dES1wdVQ=="

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\QQMgr]
"(Default)" = "14400"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\UseAI]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\instrmon_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\verdict_vir_found]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"URLInfoAbout" = "http://help.ikaka.com/"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\rising\lockie]
"LockTab" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\bamon\state]
"ver" = "2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\mailmon\port_list]
"(Default)" = "110=110|25=120"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\app_filters]
"(Default)" = "00 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\OnlyScanPopMalware]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsLog\KeepDays]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\Default\CurrentWorkMode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowAgent]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\bamon\verdict_vir_found]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\AutoTreatInfected]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\lockie]
"TabUrl" = "U40SF7l0GScVB3dcXjsAGGMBGCAIGSpdEj1OGSgEBTIDWSUHHD-9"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\vpatchmon\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BackgroundScan\State]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowScanAd]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\WorkMode\CurrentWorkMode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\REGO]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\kernelreinforce\writelog]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\silent_competitor]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\vpatchmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\PreciseFormat]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\BRScan\pro_path]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\IntegrityDetection\BaiduInterval]
"ver" = "2"

[HKLM\SOFTWARE\rising\lockie]
"Enable" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\BRScan]
"ver" = "2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Control Panel\Desktop]
"FontSmoothingType" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\SmartRelocate]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_filters]
"ver" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\UninstallProtect]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\mailmon\notify_timeout]
"(Default)" = "131072"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\selfdef\notify_user]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD]
"DisplayIcon" = "%Program Files%\Rising\RSD\Setup.exe"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\Default\ShowLogonIcon]
"(Default)" = "0"

[HKLM\System\CurrentControlSet\Services\SysMon]
"SrpProtect" = "11c176b2, 920e004c, 70ffc5d4"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 6E F9 60 4E 02 D9 A4 8D 08 93 8A 25 26 C8 AD"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\officemon\state]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Features\UrlLogging]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\selfdef\protect_registries]
"(Default)" = "00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\homepageguard\state]
"ver" = "2"

[HKLM\System\CurrentControlSet\Services\SysMon]
"Tag" = "4"

[HKLM\SOFTWARE\MozillaPlugins\@rising.com.cn/nprising\MimeType\application/x-rs-extension]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\TaskRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BackgroundScan\State]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\eshopmon\sites]
"ver" = "16"

[HKLM\System\CurrentControlSet\Services\sysmon\Instances\sysmon]
"Flags" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\webmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\kernelreinforce\whitemask]
"(Default)" = "25"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\FileMonRoutine\AlertSound]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\Features\NoBacore]
"ver" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\DisableLog]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV]
"InstallLocation" = "%Program Files%\Rising\RAV"

[HKCR\CLSID\{F1CF8F61-AB1D-11d4-ABBD-0050BACEC828}\RzNBMlVLLUswUDBORC1MMEVGU1UtRkg1MzAw]
"ProcDll" = "1470491806"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\filemon\verdict_vir_found]
"(Default)" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\BankProtRoutine\PackageSizeLimit]
"ver" = "3"

[HKLM\SOFTWARE\rising\RAV\cfg\SoftwareSafe\ProtectConfig\Password]
"(Default)" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\MailMonRoutine\OnlyScanPopMalware]
"ver" = "2"

[HKLM\System\CurrentControlSet\Services\SysMon]
"DependOnService" = ""

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\webmon\app_pathnames]
"(Default)" = "00 00"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\BankProtRoutine\PackageSizeLimit]
"(Default)" = "20"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanReportRoutine\DenferTime]
"(Default)" = "255"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\officemon\exploit_scan_state]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\TaskRoutine\PreciseFormat]
"ver" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RsStore\LargeFileHandleMethod]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanRemovableStorage\MaxScanDeep]
"(Default)" = "2"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\AlertSound]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV]
"(Default)" = "Rising Software Deployment System"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\MailMonRoutine\UseAI]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\ScanRemovableStorage\FileNameFilter]
"(Default)" = ".exe|.dll"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\KillTroy\DelayCloud]
"(Default)" = "1280"

[HKLM\SOFTWARE\rising\RAV\cfg\RssService\Default\ScanReportRoutine\Report]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\Default\rdskmon\attach_scan_mode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\attach_scan_mode]
"(Default)" = "1"

[HKLM\SOFTWARE\rising\RAV\cfg\RsmonService\rdskmon\state]
"(Default)" = "0"

[HKLM\SOFTWARE\rising\RAV\cfg\CloudQuery\KillTroy\Radio]
"(Default)" = "5"

[HKLM\SOFTWARE\rising\RAV\cfg\Personality\ShowLogonIcon]
"ver" = "2"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Program Files%\Rising\RAV]
"RavMonD.exe" = "%Program Files%\Rising\RAV\ravmond.exe:*:Enabled:RAV Service"

The following driver will be automatically launched by the OS Loader:

[HKLM\System\CurrentControlSet\Services\SysMon]
"Start" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\System\CurrentControlSet\Services]
"Rising"

The process RsMgrSvc.exe:1436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A1 FE 56 A9 86 77 81 72 63 CC 16 D6 83 79 4E 2A"

The process ravmond.exe:1272 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 2E 7F FA 72 14 64 0E AF 43 01 A6 89 DC 66 F6"

The process ravmond.exe:1152 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\rising\RAV\cfg\EnhancedSelfProtect\State]
"(Default)" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 4C 0C 2F F7 CD E2 BA 1E 08 77 C5 9E 7A FE B6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\System\CurrentControlSet\Services\kguard]
"stat" = "3"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process %original file name%.exe:368 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 2F 2B 8A EB 3F B8 33 9B 29 6A 44 65 82 44 E4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process popwndexe.exe:220 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "27 8F 3C D6 73 61 2C 72 53 44 18 1F 15 B0 5E 1F"

Dropped PE files

MD5 File path
90d4e96dbbcff68690f37736655fada3 c:\Documents and Settings\All Users\Application Data\Rising\Rav\ShortCut\RAV.ico
b19eaceaf35f2db4976db8da259a498d c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll
af1b1fca64556fab4ce9c09e1dac4b96 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RsdSfxTmp\rslang.dll
3fff3e7a22df1c549e8b054dd18477e6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\RsdSfxTmp\setup.dll
3ece8fdc0342ddd5aec082d168817112 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\55.dll
00a0194c20ee912257df53bfe258ee4a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\System.dll
76d2faad042161f24b6c9c78de3bd265 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2.tmp\xID.dll
d5a4de2ba24c733642355d25357fa4b6 c:\Program Files\Rising\RAV\Cloudv3.dll
fbc567d59b385341c53338ca58c3e248 c:\Program Files\Rising\RAV\Proccom.dll
7ae91c40093e829a971616b1e2f9113e c:\Program Files\Rising\RAV\Proccomm.dll
270f42646170f2545c25a43f732532fb c:\Program Files\Rising\RAV\RavSetup.dll
bd57bcbbed105791aba2b968354e466c c:\Program Files\Rising\RAV\RsBaseNetWrapper.dll
68d18a0915bbda36e573d5dbb9e6ea8e c:\Program Files\Rising\RAV\RsTray.ico
293a4453521432a09712b7ba715cb951 c:\Program Files\Rising\RAV\antipromotionmon.dll
78b62e4c13378f737603136975a07e1a c:\Program Files\Rising\RAV\atl90.dll
c50714810dcd88daee4dea6e098e4d6a c:\Program Files\Rising\RAV\bacore.dll
dad3c0290a40f4efdab971fc0d316e35 c:\Program Files\Rising\RAV\bawhite.dll
0f0aa3f8b1ceab59168724a6037c8a8b c:\Program Files\Rising\RAV\cloudnet.dll
063510e07cfb8b97cbbcaf3ed4aabb03 c:\Program Files\Rising\RAV\cloudnotifier.dll
6e80cfd8dc6d4dff870b8b4dfc796c7e c:\Program Files\Rising\RAV\cloudqry.dll
9941a9a12196696c1fa9bb6d6442d359 c:\Program Files\Rising\RAV\cloudsta.dll
d3caa6caedf1b4e183b26efd8c95f6ad c:\Program Files\Rising\RAV\cloudstore.dll
e4459e014cb9c8fc06ee0c3ccded66d3 c:\Program Files\Rising\RAV\cloudwork.dll
7a80c5c9e6955622d45ae9bdf86472ff c:\Program Files\Rising\RAV\cnt08.dll
4918a3e5256d45c5ca1dea6a2592ca88 c:\Program Files\Rising\RAV\cnt09.dll
904607ed3d2e8a29c13dcaf80cb311a9 c:\Program Files\Rising\RAV\comx3.dll
21e45757451e136934cd235b8bcfb27d c:\Program Files\Rising\RAV\defmon.dll
12d2d81f07d7557cb4fbe3af6a3ea9f6 c:\Program Files\Rising\RAV\dfw.dll
02342ba3a87b3974d612c15275c29446 c:\Program Files\Rising\RAV\hookbase.dll
a86b29a69472d5e5f624c6f6c2b2bbfa c:\Program Files\Rising\RAV\kguard_if.dll
78f5881af930e81a9ffb246402b6a6e2 c:\Program Files\Rising\RAV\localopt.dll
e28dd24338cae534a54a14d33020cbe9 c:\Program Files\Rising\RAV\mergexml.dll
82387571279847d2324297ea4722e14f c:\Program Files\Rising\RAV\moncom08.dll
0a44f63c07112bb325aac94321ae8ff6 c:\Program Files\Rising\RAV\moncomm.dll
62de362c75022744c5149e03d1191fff c:\Program Files\Rising\RAV\mondef.dll
ce1bd850367d321b3ee2f867db6623e1 c:\Program Files\Rising\RAV\mondrv.dll
4fd2a695c22336cf6f802d697d0f6f6c c:\Program Files\Rising\RAV\monrule.dll
874c8b1317c58ffe62d4d6aa591eabe2 c:\Program Files\Rising\RAV\msvcp90.dll
f1f9eeef647cfa62a7104c054ce0999b c:\Program Files\Rising\RAV\msvcr90.dll
7d6bc107cd29293b274577d755662d05 c:\Program Files\Rising\RAV\pngdll.dll
2349983d784ed407a64f274acb8d4b18 c:\Program Files\Rising\RAV\procenv.dll
28d944cae5632248d3a546aaf7601160 c:\Program Files\Rising\RAV\ravmond.exe
ef56ceeafa7b2464f44da3b3a46702f6 c:\Program Files\Rising\RAV\ravxp.exe
249a270469f151ec278c95d63a3fbf79 c:\Program Files\Rising\RAV\repairmanager.dll
e8c78de68ec8e77e27af803074b08ce5 c:\Program Files\Rising\RAV\rscfg.dll
5bb8c8a5a7abac3b8478b254956ab580 c:\Program Files\Rising\RAV\rscom.dll
ef1bc9d6a13e8ccaf50ac6ae9095f28e c:\Program Files\Rising\RAV\rscombas.dll
9e58445a57ead0fd320fcc58ec173c3c c:\Program Files\Rising\RAV\rscommx2.dll
67d42ba1ef54c485a5a879b0aee066db c:\Program Files\Rising\RAV\rscurl.dll
9ca6368d7bb34f15b542f9773e0acd18 c:\Program Files\Rising\RAV\rsdll.dll
9ca6368d7bb34f15b542f9773e0acd18 c:\Program Files\Rising\RAV\rsdll.dll.dat
08dcba43400dc71b8145a30c6f0b55da c:\Program Files\Rising\RAV\rslog.dll
4f4500ee19410043cc338668d28f95a3 c:\Program Files\Rising\RAV\rsmain.dll
f5857084201bd2f578b2c04c12cc2ac8 c:\Program Files\Rising\RAV\rsmain.exe
23d683209cef821f78ae2751d07455e4 c:\Program Files\Rising\RAV\rspalvd.dll
b4f78b19eed6248a10f3031baac0b517 c:\Program Files\Rising\RAV\rssqlite.dll
00a45353f419bc4891645f1ad0150617 c:\Program Files\Rising\RAV\rssrv.dll
1ac62583254fc92a143c4780489c3762 c:\Program Files\Rising\RAV\rsutils_if.dll
b19eaceaf35f2db4976db8da259a498d c:\Program Files\Rising\RAV\rsxml3a.dll
3cc9f8d9db63e973433637945232fff4 c:\Program Files\Rising\RAV\rsxml3w.dll
9ea2304fae8880ab11a3fc9df60be008 c:\Program Files\Rising\RAV\selfmon.dll
d3b9432cc4ccf146a47c36e4428ba2c0 c:\Program Files\Rising\RAV\setup.dat
6beba6b5b2e5e5ce840cf7c02f3fb657 c:\Program Files\Rising\RAV\syslay.dll
5a866622a428d8dd979751975ab881f5 c:\Program Files\Rising\RAV\sysmon_if.dll
412638fde23d2ba33aa194a67165866f c:\Program Files\Rising\RAV\traywnd.dll
0f0aa3f8b1ceab59168724a6037c8a8b c:\Program Files\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll
6e80cfd8dc6d4dff870b8b4dfc796c7e c:\Program Files\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll
9941a9a12196696c1fa9bb6d6442d359 c:\Program Files\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll
67d42ba1ef54c485a5a879b0aee066db c:\Program Files\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll
d5a4de2ba24c733642355d25357fa4b6 c:\Program Files\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll
063510e07cfb8b97cbbcaf3ed4aabb03 c:\Program Files\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll
d3caa6caedf1b4e183b26efd8c95f6ad c:\Program Files\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll
e4459e014cb9c8fc06ee0c3ccded66d3 c:\Program Files\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll
78f5881af930e81a9ffb246402b6a6e2 c:\Program Files\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll
2649f027aa2dae21a4d87419c7b98e46 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys
5ed47386e7b9fa59270555d8439325ab c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys
a2a329f69ecdc7dcc297454f1985064f c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys
02342ba3a87b3974d612c15275c29446 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll
c2c8f37702fcc84f10e70772f79081c7 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys
a86b29a69472d5e5f624c6f6c2b2bbfa c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll
ce1bd850367d321b3ee2f867db6623e1 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll
9ca6368d7bb34f15b542f9773e0acd18 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat
595587c6d7366726203885f14a1dfc32 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys
15111481a4eead86edeeb2c90a6070a3 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys
1ac62583254fc92a143c4780489c3762 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll
53389a0314cf0f7dcbb2a3b1ad0631e2 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys
5a866622a428d8dd979751975ab881f5 c:\Program Files\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll
0a44f63c07112bb325aac94321ae8ff6 c:\Program Files\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll
28d944cae5632248d3a546aaf7601160 c:\Program Files\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe
ef1bc9d6a13e8ccaf50ac6ae9095f28e c:\Program Files\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll
00a45353f419bc4891645f1ad0150617 c:\Program Files\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll
78b62e4c13378f737603136975a07e1a c:\Program Files\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll
874c8b1317c58ffe62d4d6aa591eabe2 c:\Program Files\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll
f1f9eeef647cfa62a7104c054ce0999b c:\Program Files\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll
90d4e96dbbcff68690f37736655fada3 c:\Program Files\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico
270f42646170f2545c25a43f732532fb c:\Program Files\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll
68d18a0915bbda36e573d5dbb9e6ea8e c:\Program Files\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico
7d6bc107cd29293b274577d755662d05 c:\Program Files\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll
249a270469f151ec278c95d63a3fbf79 c:\Program Files\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll
23d683209cef821f78ae2751d07455e4 c:\Program Files\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll
d3b9432cc4ccf146a47c36e4428ba2c0 c:\Program Files\Rising\RSD\Backup\RAV\RAVBASE\setup.dat
e28dd24338cae534a54a14d33020cbe9 c:\Program Files\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll
62de362c75022744c5149e03d1191fff c:\Program Files\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll
08dcba43400dc71b8145a30c6f0b55da c:\Program Files\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll
4f4500ee19410043cc338668d28f95a3 c:\Program Files\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll
f5857084201bd2f578b2c04c12cc2ac8 c:\Program Files\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe
ef56ceeafa7b2464f44da3b3a46702f6 c:\Program Files\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe
e8c78de68ec8e77e27af803074b08ce5 c:\Program Files\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll
fbc567d59b385341c53338ca58c3e248 c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll
7ae91c40093e829a971616b1e2f9113e c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll
bd57bcbbed105791aba2b968354e466c c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll
7a80c5c9e6955622d45ae9bdf86472ff c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll
4918a3e5256d45c5ca1dea6a2592ca88 c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll
82387571279847d2324297ea4722e14f c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll
9e58445a57ead0fd320fcc58ec173c3c c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll
b4f78b19eed6248a10f3031baac0b517 c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll
6beba6b5b2e5e5ce840cf7c02f3fb657 c:\Program Files\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll
904607ed3d2e8a29c13dcaf80cb311a9 c:\Program Files\Rising\RSD\Backup\RAV\RSDK\comx3.dll
12d2d81f07d7557cb4fbe3af6a3ea9f6 c:\Program Files\Rising\RSD\Backup\RAV\RSDK\dfw.dll
2349983d784ed407a64f274acb8d4b18 c:\Program Files\Rising\RSD\Backup\RAV\RSDK\procenv.dll
5bb8c8a5a7abac3b8478b254956ab580 c:\Program Files\Rising\RSD\Backup\RAV\RSDK\rscom.dll
b19eaceaf35f2db4976db8da259a498d c:\Program Files\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll
3cc9f8d9db63e973433637945232fff4 c:\Program Files\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll
412638fde23d2ba33aa194a67165866f c:\Program Files\Rising\RSD\Backup\RAV\RSDK\traywnd.dll
293a4453521432a09712b7ba715cb951 c:\Program Files\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll
c50714810dcd88daee4dea6e098e4d6a c:\Program Files\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll
dad3c0290a40f4efdab971fc0d316e35 c:\Program Files\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll
21e45757451e136934cd235b8bcfb27d c:\Program Files\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll
4fd2a695c22336cf6f802d697d0f6f6c c:\Program Files\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll
9ea2304fae8880ab11a3fc9df60be008 c:\Program Files\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll
4bf3b0c552a575f4a0d09bf74e4083dd c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll
1f35136daa23c794a9561b46db35d5a5 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll
787524b75ce2e55ed671a5cd596d2b36 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe
8b287372151ae026ae02cefece7f538e c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe
7a762be1d46bb1ed07eacec047cbd1cc c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe
8353f3fdd33da4187b4411a51122174d c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll
6e2517fd1ced9878e60075e1e696b408 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\Setup.exe
92aa0e6a0be8766a98a74f05d202d4c3 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\comx3.dll
7864be756f44fca55c58601b765d963f c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\localopt.dll
9fc8d62cd7e5c9db50b515c26b968e00 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe
1a16b46fae0e4443927fabc89432f708 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\protreg.sys
72aec55622cac794f6525a6f9411ed3f c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll
9dd8dfd3e7359021dcfa5e91537bafab c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll
af1b1fca64556fab4ce9c09e1dac4b96 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\rslang.dll
0353146a43705ff783ee2a6109f232df c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll
783749a918b23b8a581b48284d18a3a2 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\setup.dat
6a2ad6ba7dece95286bc5eef92c62b28 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\syslay.dll
66e3df00feb94c09d687a6d544c1e909 c:\Program Files\Rising\RSD\Backup\RSD\RSSetup\updater.exe
4bf3b0c552a575f4a0d09bf74e4083dd c:\Program Files\Rising\RSD\CfgDll.dll
1f35136daa23c794a9561b46db35d5a5 c:\Program Files\Rising\RSD\RsAppMgr.dll
787524b75ce2e55ed671a5cd596d2b36 c:\Program Files\Rising\RSD\RsBackup.exe
8b287372151ae026ae02cefece7f538e c:\Program Files\Rising\RSD\RsMgrSvc.exe
7a762be1d46bb1ed07eacec047cbd1cc c:\Program Files\Rising\RSD\RsStub.exe
8353f3fdd33da4187b4411a51122174d c:\Program Files\Rising\RSD\RstoreDll.dll
6e2517fd1ced9878e60075e1e696b408 c:\Program Files\Rising\RSD\Setup.exe
92aa0e6a0be8766a98a74f05d202d4c3 c:\Program Files\Rising\RSD\comx3.dll
7864be756f44fca55c58601b765d963f c:\Program Files\Rising\RSD\localopt.dll
9fc8d62cd7e5c9db50b515c26b968e00 c:\Program Files\Rising\RSD\popwndexe.exe
72aec55622cac794f6525a6f9411ed3f c:\Program Files\Rising\RSD\rsdinfo.dll
9dd8dfd3e7359021dcfa5e91537bafab c:\Program Files\Rising\RSD\rsdk.dll
af1b1fca64556fab4ce9c09e1dac4b96 c:\Program Files\Rising\RSD\rslang.dll
0353146a43705ff783ee2a6109f232df c:\Program Files\Rising\RSD\rsmginfo.dll
783749a918b23b8a581b48284d18a3a2 c:\Program Files\Rising\RSD\setup.dat
6a2ad6ba7dece95286bc5eef92c62b28 c:\Program Files\Rising\RSD\syslay.dll
66e3df00feb94c09d687a6d544c1e909 c:\Program Files\Rising\RSD\updater.exe
c2c8f37702fcc84f10e70772f79081c7 c:\WINDOWS\system32\drivers\kguard.sys
1a16b46fae0e4443927fabc89432f708 c:\WINDOWS\system32\drivers\protreg.sys
595587c6d7366726203885f14a1dfc32 c:\WINDOWS\system32\drivers\rsndisp.sys
15111481a4eead86edeeb2c90a6070a3 c:\WINDOWS\system32\drivers\rsutils.sys
53389a0314cf0f7dcbb2a3b1ad0631e2 c:\WINDOWS\system32\drivers\sysmon.sys
57a573e5823fe660e1a98a089cdd65b6 c:\install1403380.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

Using the driver "%System%\DRIVERS\rsndisp.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\kguard.sys" the Trojan controls creation and closing of processes by installing the process notifier.
Using the driver "%System%\DRIVERS\rsndisp.sys" the Trojan controls creation and closing of threads by installing the thread notifier.
Using the driver "%System%\DRIVERS\rsndisp.sys" the Trojan controls loading executable images into a memory by installing the Load image notifier.
Using the driver "%System%\DRIVERS\sysmon.sys" the Trojan controls operations with a system registry by installing the registry notifier.
The Trojan installs the following kernel-mode hooks:

KeUserModeCallback
ZwTerminateProcess
ZwAssignProcessToJobObject
ZwClose
ZwConnectPort
ZwCreateKey
ZwCreateMutant
ZwCreateProcess
ZwCreateProcessEx
ZwCreateSection
ZwCreateSymbolicLinkObject
ZwCreateThread
ZwDebugActiveProcess
ZwDuplicateObject
ZwEnumerateValueKey
ZwFreeVirtualMemory
ZwLoadDriver
ZwLockVirtualMemory
ZwOpenKey
ZwOpenProcess
ZwOpenSection
ZwProtectVirtualMemory
ZwQueryDirectoryFile
ZwQuerySystemInformation
ZwQueryValueKey
ZwQueueApcThread
ZwReadVirtualMemory
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSecureConnectPort
ZwSetContextThread
ZwSetInformationProcess
ZwSetSecurityObject
ZwSetSystemInformation
ZwSetSystemTime
ZwSuspendProcess
ZwSuspendThread
ZwSystemDebugControl
ZwTerminateProcess
ZwTerminateThread
ZwUnmapViewOfSection
ZwWriteVirtualMemory

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23096 23552 4.43854 092e164daa50385128d3c5b319373035
.rdata 28672 4496 4608 3.59023 4e7f519777030dd2f0ea0d2092babed3
.data 36864 110424 1024 3.20088 f6d93c048bf148a2daee8a6b0505e38b
.ndata 147456 57344 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 204800 27896 28160 3.99271 77ac1d3ac94ba92c03267cf8abb5fedb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://1st.dl.ourdvs.com/dl/qdtg/install1403380.exe
hxxp://z.rising.com.cn/urg.asp?v=ravbase&t=rav&a=
hxxp://z.rising.com.cn/register/minicenter/e/c.aspx
hxxp://z.rising.com.cn/LogCenter.asp?info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH
hxxp://z.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH
hxxp://data1.iruixing.com/irg.ashx?d= 101.254.23.28
hxxp://data1.iruixing.com/irg.ashx?d=UEhUFHp/FHMXDnt2V0JSZntxEnAQCAoAUkNXYHx5EnAQCAIBVUNXY3d5GnsRDBcAUV1QY2F5GXsTAwIFU0dVYn5wEHtxeW8= 101.254.23.28
hxxp://z.rising.com.cn/rs2012/RsPcVer12.xml
hxxp://cloud.rising.com.cn/productstat/productStat.aspx?info=SZi6GdlvS1wCDFMPCggZHEdXUkpQVBFGWklQJGFtaHouQ0RcBmleJAVncAMmVWcCdWpAKQd3fX04SHF6Dh1dVRFEXlxQVwMcCx5DUQQcCxZLE15ATUsfWAUGFR5cSwMDFRdeQ1hBBh5LDVhBTxNdIQIEDh1ZU3V0DR9bUwMKCB5eVQQCCB5eVQQCCB5eVRFTWFoECllbXxNcUQcBCBZdQ1tTVUlQVAUHCQgOCVNTT0tQQ0RGWloIWAcUUl5QQ0RcZF4fDEFbV0sKAAoDDAgeC2hCSUEDBFpXBh9dQ0RcZF4fCkNLS0tQVxFBVXEMF1JTBh5LFlltWEIEAFlGVVsAWAYUSEAyCV5fUlpQUBFQUkkYFVNTT0tQVfk= 211.103.159.105
hxxp://1st.ecoma.glb0.lxdns.com/cloud.html
hxxp://1st.ecoma.glb0.lxdns.com/navigate.xml
hxxp://1st.ecoma.glb0.lxdns.com/navigate_oswhite.xml
hxxp://1st.ecoma.glb0.lxdns.com/navigate_bwfix.xml
hxxp://1st.ecoma.glb0.lxdns.com/navigate_sign.xml
hxxp://1st.ecoma.glb0.lxdns.com/navigate_up.xml
hxxp://center.rising.com.cn/urg.asp?v=ravbase&t=rav&a= 1.122.192.19
hxxp://rsup10.rising.com.cn/register/minicenter/e/c.aspx 1.122.192.19
hxxp://rscloud.rising.net.cn/navigate_oswhite.xml 203.130.61.92
hxxp://dl.ikiki.cn/dl/qdtg/install1403380.exe 171.107.186.80
hxxp://rscloud.rising.net.cn/navigate.xml 203.130.61.92
hxxp://rscloud.rising.net.cn/navigate_up.xml 203.130.61.92
hxxp://rsup10.rising.com.cn/rs2012/RsPcVer12.xml 1.122.192.19
hxxp://center.rising.com.cn/LogCenter.asp?info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH 1.122.192.19
hxxp://rscloud.rising.net.cn/navigate_sign.xml 203.130.61.92
hxxp://rscloud.rising.net.cn/cloud.html 203.130.61.92
hxxp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH 1.122.192.19
hxxp://rscloud.rising.net.cn/navigate_bwfix.xml 203.130.61.92
down.llhan.com 222.186.129.20


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake Windows NT Version 5.0
ET POLICY HTTP Request on Unusual Port Possibly Hostile
ET MALWARE Suspicious Mozilla User-Agent - Likely Fake (Mozilla/4.0)
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /productstat/productStat.aspx?info=SZi6GdlvS1wCDFMPCggZHEdXUkpQVBFGWklQJGFtaHouQ0RcBmleJAVncAMmVWcCdWpAKQd3fX04SHF6Dh1dVRFEXlxQVwMcCx5DUQQcCxZLE15ATUsfWAUGFR5cSwMDFRdeQ1hBBh5LDVhBTxNdIQIEDh1ZU3V0DR9bUwMKCB5eVQQCCB5eVQQCCB5eVRFTWFoECllbXxNcUQcBCBZdQ1tTVUlQVAUHCQgOCVNTT0tQQ0RGWloIWAcUUl5QQ0RcZF4fDEFbV0sKAAoDDAgeC2hCSUEDBFpXBh9dQ0RcZF4fCkNLS0tQVxFBVXEMF1JTBh5LFlltWEIEAFlGVVsAWAYUSEAyCV5fUlpQUBFQUkkYFVNTT0tQVfk= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: cloud.rising.com.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:45 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Set-Cookie: ASP.NET_SessionId=e3dsxe45pfkbwe55tvqxt045; path=/; HttpOnly
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 2
okHTTP/1.1 200 OK..Date: Thu, 06 Aug 2015 13:56:45 GMT..Server: Micros
oft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Set-C
ookie: ASP.NET_SessionId=e3dsxe45pfkbwe55tvqxt045; path=/; HttpOnly..C
ache-Control: private..Content-Type: text/html; charset=utf-8..Content
-Length: 2..ok..



GET /navigate_up.xml HTTP/1.0
User-Agent: Mozilla/4.0
Host: rscloud.rising.net.cn
Pragma: no-cache


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:45:56 GMT
Content-Length: 235
Content-Type: text/xml
Last-Modified: Mon, 24 Dec 2012 10:11:33 GMT
Accept-Ranges: bytes
ETag: "d6991cdbfe1cd1:c6e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Via: 1.1 kf48:2 (Cdn Cache Server V2.0)
Connection: close
<?xml version="1.0" encoding="utf-8" ?>..<CONFIG>...<RE
PORT DEFAULTON="100"></REPORT>...<MD5SWITCH DEFAULTON="100
"></MD5SWITCH>...<URL>....<WITHFILE>hXXp://211.10
3.159.113/cloud11infoup/cloudinfopage.aspx</WITHFILE>...</URL
>..</CONFIG>..



GET /irg.ashx?d= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: data1.iruixing.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 06 Aug 2015 13:56:31 GMT
Content-Length: 0
....


GET /irg.ashx?d=UEhUFHp/FHMXDnt2V0JSZntxEnAQCAoAUkNXYHx5EnAQCAIBVUNXY3d5GnsRDBcAUV1QY2F5GXsTAwIFU0dVYn5wEHtxeW8= HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: data1.iruixing.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: private
Server: Microsoft-IIS/7.5
X-AspNet-Version: 2.0.50727
X-Powered-By: ASP.NET
Date: Thu, 06 Aug 2015 13:56:31 GMT
Content-Length: 0
HTTP/1.1 200 OK..Cache-Control: private..Server: Microsoft-IIS/7.5..X-
AspNet-Version: 2.0.50727..X-Powered-By: ASP.NET..Date: Thu, 06 Aug 20
15 13:56:31 GMT..Content-Length: 0..



GET /navigate_sign.xml HTTP/1.0
User-Agent: Mozilla/4.0
Host: rscloud.rising.net.cn
Pragma: no-cache


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:45:02 GMT
Content-Length: 200
Content-Type: text/xml
Last-Modified: Mon, 24 Dec 2012 10:11:33 GMT
Accept-Ranges: bytes
ETag: "b814b6cbfe1cd1:c6e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Via: 1.1 kf48:3 (Cdn Cache Server V2.0)
Connection: close
<?xml version="1.0" encoding="UTF-8"?>..<CONFIG>..    <
SWITCH DEFAULTON="100"></SWITCH>..    <KEY>hXXp://q.ris
ing.cn/cloud/signgk.php</KEY>..    <UP>hXXp://q.rising.cn/
cloud/signup.php</UP>..</CONFIG>..



GET /dl/qdtg/install1403380.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Accept: */*
Host: dl.ikiki.cn
Cache-Control: no-cache


HTTP/1.0 200 OK
Date: Wed, 05 Aug 2015 21:42:45 GMT
Content-Type: application/octet-stream
Last-Modified: Wed, 05 Aug 2015 07:13:48 GMT
Accept-Ranges: bytes
ETag: "56d15464ecfd01:0"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
Content-Length: 4787448
Age: 58395
Via: 1.0 jxjj35:80 (Cdn Cache Server V2.0), 1.0 nanning16:8101 (Cdn Cache Server V2.0)
Connection: close
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........c.........
......m.......d.....1.......<.R.....<.P.......P.....E...........
B...1.m.....1.R.#...S.S.....1.W.....Rich............PE..L....i.T......
...............0......`.............@........................... .....
..I.........................................D........'..........8.H...
..........................................P...H.......................
....................UPX0....................................UPX1......
[email protected].......*..................@...
......................................................................
......................................................................
......................................................................
......................................................................
......................................................................
.............3.07.UPX!.....uX..._.....Y...8`Q.&...e.>..<-.2..U.p
D.%H>U..=S.2-.!..t*.B(...R.w(G...............I]s...O...\...l?..CB..
>.....(.<...3T.x...nI..5i...[<........Z`&aE........\.%.!.*..o
...9...k. #..r5.J.....KI......&.L..-.2T.I.=...#...K.B.......D.R26.....
6.|^..M..H...".="d#.[.!j.gH....~S..cW....).^...z]^.,.M...z!.U.....L\?.
..V..Z]u.D. L..>x.....U.....J..t..][...Z.$.kPV......u...!X...J...&g
t;.[...9.....C.oa(...n....i.6b.....?...T.s>v#KFv.......j.......G..5
....-.....~..!...u.._...\...{.."-...[.K..VrX..7..T..=......"..?...
<<< skipped >>>


GET /navigate.xml HTTP/1.1
Host: rscloud.rising.net.cn
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 11:08:29 GMT
Content-Length: 251
Content-Type: text/xml
Last-Modified: Fri, 07 Jun 2013 04:32:16 GMT
Accept-Ranges: bytes
ETag: "fc468bfd3763ce1:c6e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Via: 1.1 kf50:0 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>..<CONFIG>..    <
SWITCH DEFAULTON="100" CACHELIFE="15" CACHEKN="360" CACHEUN="8"><
;/SWITCH>..    <SEARCH>hXXp://q.rising.cn/cloud/s.php</SEA
RCH>..    <SEARCHSUP>hXXp://q.rising.cn/cloud/m.php</SEARC
HSUP>..</CONFIG>..



GET /navigate_oswhite.xml HTTP/1.1
Host: rscloud.rising.net.cn
Accept: */*


HTTP/1.1 200 OK
Date: Wed, 05 Aug 2015 21:11:10 GMT
Content-Length: 159
Content-Type: text/xml
Last-Modified: Mon, 24 Dec 2012 10:11:34 GMT
Accept-Ranges: bytes
ETag: "622064dbfe1cd1:c6e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Via: 1.1 kf49:0 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>..<CONFIG>..    <
SWITCH DEFAULTON="100"></SWITCH>..    <UPGRADE>hXXp://q
.rising.cn/cloud/oswhite.php</UPGRADE>..</CONFIG>..



POST /register/minicenter/e/c.aspx HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Content-Length: 304
Connection: Keep-Alive
Cache-Control: no-cache

MrFBHs8QWG5PWRkWAXYZEA4OVS5YQRlND2wbVQkGR24DEl5fZ3kPB09bFQ5/BE1ZFXgBAUxcE38JAUxcE38JAUxcE24VEl4cRDlQVl5VA24bHlxNQi9NWxMBSigbCFxNAWAZEAgORG4DEl4dRj9mRR0bQCRmWxIcVy1VXl5DAT9NVwxNGWwbA15DKkUwO3VmA2wbQBkcViBNEEZPAThLRxlND2wbVw4dTD5aXRgKAXYZEF5DA25LVxEOUScbCFxNSiJKRh0DTy5cVRUBAWAZEAwOAXYZEF5DA25JUF5VA24bT98=
HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:39 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 1
0HTTP/1.1 200 OK..Date: Thu, 06 Aug 2015 13:56:39 GMT..Server: Microso
ft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Cache-
Control: private..Content-Type: text/plain; charset=utf-8..Content-Len
gth: 1..0....


POST /register/minicenter/e/c.aspx HTTP/1.1


Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Content-Length: 308
Connection: Keep-Alive
Cache-Control: no-cache

OanRHGS-NnEcSkgfb2lKA18HOzELUkhEYXNIRlgPKXFQAQ9WCWZcFB5SexEsFxxQe2dSEh1VfWBaEh1VfWBaEh1VfXFGAQ8VKiYDRQ9cbXFIDQ1ELDAeSEIIJDdIGw1Eb39KA1kHKnFQAQ8UKCA1VkwSLjs1SEMVOTIGTQ9KbyAeRF1Ed3NIFQ9KRFpjKCRvbXNIU0gVOD8eAxdGbycYVEhEYXNIRF8UIiEJTkkDb2lKAw9KbXEYREAHPzhIGw1ECCseU0wFOSAfQk4DPiBIDQ1EPTJIGw1Eb39KA10Eb2lKAw8bMw==
HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 1
0HTTP/1.1 200 OK..Date: Thu, 06 Aug 2015 13:56:40 GMT..Server: Microso
ft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Cache-
Control: private..Content-Type: text/plain; charset=utf-8..Content-Len
gth: 1..0....


GET /Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Connection: Keep-Alive
Host: rsup10.rising.com.cn


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:42 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/html; charset=utf-8
Content-Length: 645
rsd..<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
 "hXXp://VVV.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">..<ht
ml xmlns="hXXp://VVV.w3.org/1999/xhtml" >..<head><title>
;.................</title></head>..<body>..    <f
orm name="form1" method="post" action="ForLogDeve.aspx?Info=PKaZHK8Ud1
xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0T
DgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH" id="form1">..
<div>..<input type="hidden" name="__VIEWSTATE" id="__VIEWSTAT
E" value="/wEPDwUJNzgzNDMwNTMzZGT5qhiQSwh0e7azV4FNYKbU4eqACw==" />.
.</div>..    <div>..    ..    </div>..    </form&
gt;..</body>..</html>..HTTP/1.1 200 OK..Date: Thu, 06 Aug 
2015 13:56:42 GMT..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..X
-AspNet-Version: 2.0.50727..Cache-Control: private..Content-Type: text
/html; charset=utf-8..Content-Length: 645..rsd..<!DOCTYPE html PUBL
IC "-//W3C//DTD XHTML 1.0 Transitional//EN" "hXXp://VVV.w3.org/TR/xhtm
l1/DTD/xhtml1-transitional.dtd">..<html xmlns="hXXp://VVV.w3.org
/1999/xhtml" >..<head><title>.................</titl
e></head>..<body>..    <form name="form1" method="po
st" action="ForLogDeve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZ
X5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFh
DTXpRDAocGXtLWUFKBz1QAQkH" id="form1">..<div>..<input type
="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNzgzN
<<< skipped >>>

GET /rs2012/RsPcVer12.xml HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Length: 663
Content-Type: text/xml
Last-Modified: Thu, 06 Aug 2015 12:23:23 GMT
Accept-Ranges: bytes
ETag: W/"d41747b042d0d01:be4"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 06 Aug 2015 13:56:44 GMT
...<?xml version="1.0" encoding="utf-8"?>..<RISING>..  <
;PRODUCT NAME="Rav" VERSION="24.00.45.20" REBOOTVER="24.00.00.00">.
.  </PRODUCT>..  <URLLIST>..    <ITEM KEY="Validate">
;hXXp://rsup10.rising.com.cn/Register/Validate/PageInfo/RavRequest2012
.aspx</ITEM>..    <ITEM KEY="Download">hXXp://download.ris
ing.net.cn/rs2012/pcver/</ITEM>..    <ITEM KEY="Finish"> h
ttp://rsup10.rising.com.cn/Register/Validate/PageInfo/RequestFinished2
012.aspx</ITEM>..    <ITEM KEY="Overtime"> hXXp://rsup10.r
ising.com.cn/Register/Validate/PageInfo/SnGetOverTime.aspx</ITEM>
;..    <ITEM KEY="Stat">hXXp://cloud.rising.com.cn/productstat/p
roductStat.aspx</ITEM>..  </URLLIST>..</RISING>HTTP/
1.1 200 OK..Content-Length: 663..Content-Type: text/xml..Last-Modified
: Thu, 06 Aug 2015 12:23:23 GMT..Accept-Ranges: bytes..ETag: W/"d41747
b042d0d01:be4"..Server: Microsoft-IIS/6.0..X-Powered-By: ASP.NET..Date
: Thu, 06 Aug 2015 13:56:44 GMT.....<?xml version="1.0" encoding="u
tf-8"?>..<RISING>..  <PRODUCT NAME="Rav" VERSION="24.00.45
.20" REBOOTVER="24.00.00.00">..  </PRODUCT>..  <URLLIST>
;..    <ITEM KEY="Validate">hXXp://rsup10.rising.com.cn/Register
/Validate/PageInfo/RavRequest2012.aspx</ITEM>..    <ITEM KEY=
"Download">hXXp://download.rising.net.cn/rs2012/pcver/</ITEM>
..    <ITEM KEY="Finish"> hXXp://rsup10.rising.com.cn/Register/V
alidate/PageInfo/RequestFinished2012.aspx</ITEM>..    <IT
<<< skipped >>>

POST /register/minicenter/e/c.aspx HTTP/1.1


Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Content-Length: 280
Connection: Keep-Alive
Cache-Control: no-cache

TJSCGCTGEWNGB1AFSHsQTkcdHCNRH1BeRmESC0AVDmMKTBdMLnQGWQZIXAN2WgRKXHUIXwVPWnIAXwVPWnIAXwVPWmMcTBcPDTRZCBdGSmMSQBVeCyJEBVoSAyUSVhVeSG0QTkEdDWMKTBcOCzdvH0VeRmNDGFAMSHsQTgReRkg5ZTx1Y2EQTkcZGTRcGBdGSmMBThlcSCRCHloOCS5UCRdGSmMBThlcSDNVAVQOAWMKTBdNXnEDXw1MSG0QTkUdSHsQThdQSmNADhdGSmMSERQ=
HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 1
0HTTP/1.1 200 OK..Date: Thu, 06 Aug 2015 13:56:46 GMT..Server: Microso
ft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Cache-
Control: private..Content-Type: text/plain; charset=utf-8..Content-Len
gth: 1..0....


POST /register/minicenter/e/c.aspx HTTP/1.1


Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: rsup10.rising.com.cn
Content-Length: 280
Connection: Keep-Alive
Cache-Control: no-cache

bXBUEQ0pSUQaHgIIEFxMVxUQRAQNBgJTHkZOEhIYVkRWVUVBdlNaQFRFBCQqQ1ZHBFJURldCAlVcRldCAlVcRldCAkRAVUUCVRMFEUVLEkROWUdTUwUYHAgfWwJOT0dTEEpMVxMQVURWVUUDUxAzBhdTHkQfAQIBEFxMV1VTHm9lfG54O0ZMVxUUQRMAAUVLEkRdV0tREAMeBwgDUQkIEEVLEkRdV0tREBQJGAYDWURWVUVABlZfRl9BEEpMVxcQEFxMV0VdEkQcF0VLEkROCEU=
HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:56 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: text/plain; charset=utf-8
Content-Length: 1
0HTTP/1.1 200 OK..Date: Thu, 06 Aug 2015 13:56:56 GMT..Server: Microso
ft-IIS/6.0..X-Powered-By: ASP.NET..X-AspNet-Version: 2.0.50727..Cache-
Control: private..Content-Type: text/plain; charset=utf-8..Content-Len
gth: 1..0..



GET /cloud.html HTTP/1.1
Host: rscloud.rising.net.cn
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 09:11:50 GMT
Content-Length: 1
Content-Type: text/html
Last-Modified: Tue, 19 Jul 2011 09:16:39 GMT
Accept-Ranges: bytes
ETag: "b219991f445cc1:c6e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 17105
X-Via: 1.1 kf49:3 (Cdn Cache Server V2.0)
Connection: keep-alive
1..



GET /navigate_bwfix.xml HTTP/1.1
Host: rscloud.rising.net.cn
Accept: */*


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 07:14:13 GMT
Content-Length: 157
Content-Type: text/xml
Last-Modified: Mon, 24 Dec 2012 10:11:33 GMT
Accept-Ranges: bytes
ETag: "a475d7cbfe1cd1:c6e"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Age: 1
X-Via: 1.1 kf49:4 (Cdn Cache Server V2.0)
Connection: keep-alive
<?xml version="1.0" encoding="UTF-8"?>..<CONFIG>..    <
SWITCH DEFAULTON="100"></SWITCH>..    <UPGRADE>hXXp://q
.rising.cn/cloud/bwfix.php</UPGRADE>..</CONFIG>..



GET /urg.asp?v=ravbase&t=rav&a= HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:38 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 56
Content-Type: text/html
Set-Cookie: ASPSESSIONIDASBSTACQ=CJICCJGBEDNBGLMMLJBMBAND; path=/
Cache-control: private
hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspxHTTP/1.1 200 O
K..Date: Thu, 06 Aug 2015 13:56:38 GMT..Server: Microsoft-IIS/6.0..X-P
owered-By: ASP.NET..Content-Length: 56..Content-Type: text/html..Set-C
ookie: ASPSESSIONIDASBSTACQ=CJICCJGBEDNBGLMMLJBMBAND; path=/..Cache-co
ntrol: private..hXXp://rsup10.rising.com.cn/register/minicenter/e/c.as
px....


GET /urg.asp?v=ravbase&t=rav&a= HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDASBSTACQ=CJICCJGBEDNBGLMMLJBMBAND


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:40 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 56
Content-Type: text/html
Cache-control: private
hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspxHTTP/1.1 200 O
K..Date: Thu, 06 Aug 2015 13:56:40 GMT..Server: Microsoft-IIS/6.0..X-P
owered-By: ASP.NET..Content-Length: 56..Content-Type: text/html..Cache
-control: private..hXXp://rsup10.rising.com.cn/register/minicenter/e/c
.aspx....


GET /LogCenter.asp?info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDASBSTACQ=CJICCJGBEDNBGLMMLJBMBAND


HTTP/1.1 302 Object moved
Date: Thu, 06 Aug 2015 13:56:41 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Location: hXXp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLogDeve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH
Content-Length: 331
Content-Type: text/html
Cache-control: private
<head><title>Object moved</title></head>.<b
ody><h1>Object Moved</h1>This object may be found <a
 HREF="hXXp://rsup10.rising.com.cn/Register/OnlineHelper/ForLog/ForLog
Deve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZX5TCQobFwkjCggZF39
dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFhDTXpRDAocGXtLWUFKB
z1QAQkH">here</a>.</body>.HTTP/1.1 302 Object moved..Da
te: Thu, 06 Aug 2015 13:56:41 GMT..Server: Microsoft-IIS/6.0..X-Powere
d-By: ASP.NET..Location: hXXp://rsup10.rising.com.cn/Register/OnlineHe
lper/ForLog/ForLogDeve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhDTW0TDQQfZ
X5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXwNzSCUWSFh
DTXpRDAocGXtLWUFKBz1QAQkH..Content-Length: 331..Content-Type: text/htm
l..Cache-control: private..<head><title>Object moved</t
itle></head>.<body><h1>Object Moved</h1>Thi
s object may be found <a HREF="hXXp://rsup10.rising.com.cn/Register
/OnlineHelper/ForLog/ForLogDeve.aspx?Info=PKaZHK8Ud1xWHBk2eGxBSCUWSFhD
TW0TDQQfZX5TCQobFwkjCggZF39dDwkcEXhVDwkcEXhVDwkcEW0TDgQfBz1WAQkJV39YXw
NzSCUWSFhDTXpRDAocGXtLWUFKBz1QAQkH">here</a>.</body>.font>....
<<< skipped >>>

GET /urg.asp?v=ravbase&t=rav&a= HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDASBSTACQ=CJICCJGBEDNBGLMMLJBMBAND


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:46 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 56
Content-Type: text/html
Cache-control: private
hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspxHTTP/1.1 200 O
K..Date: Thu, 06 Aug 2015 13:56:46 GMT..Server: Microsoft-IIS/6.0..X-P
owered-By: ASP.NET..Content-Length: 56..Content-Type: text/html..Cache
-control: private..hXXp://rsup10.rising.com.cn/register/minicenter/e/c
.aspx....


GET /urg.asp?v=ravbase&t=rav&a= HTTP/1.1


Accept: */*
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; Rising)
Host: center.rising.com.cn
Connection: Keep-Alive
Cookie: ASPSESSIONIDASBSTACQ=CJICCJGBEDNBGLMMLJBMBAND


HTTP/1.1 200 OK
Date: Thu, 06 Aug 2015 13:56:55 GMT
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Content-Length: 56
Content-Type: text/html
Cache-control: private
hXXp://rsup10.rising.com.cn/register/minicenter/e/c.aspxHTTP/1.1 200 O
K..Date: Thu, 06 Aug 2015 13:56:55 GMT..Server: Microsoft-IIS/6.0..X-P
owered-By: ASP.NET..Content-Length: 56..Content-Type: text/html..Cache
-control: private..hXXp://rsup10.rising.com.cn/register/minicenter/e/c
.aspx..

The Trojan connects to the servers at the folowing location(s):

%original file name%.exe_368:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\55.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp\55.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2.tmp
~g.jk)C
D%u:5
`O.vtB
.%f=L "
nsh2.tmp
55120a2b3dfb0853da68bd6a1ad.exe
655120a2b3dfb0853da68bd6a1ad.exe
c:\%original file name%.exe
%Program Files%\54d
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsr1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
! !!565665@
! !!####0
;;;9551%%0
%xERRj3cqZQ
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

%original file name%.exe_368_rwx_10004000_00001000:

callback%d

RsMgrSvc.exe_1436:

.text
`.rdata
@.data
.rsrc
t%ShH;B
|$D.tD
CryptDecodeObject failed with %x
wintrust.dll
WTHelperGetProvCertFromChain
CryptCATCatalogInfoFromContext
crypt32.dll
CryptMsgGetParam
CryptSIPVerifyIndirectData failed with %x
1.3.6.1.4.1.311.2.1.4
CryptMsgGetParam(%d) failed with %x
CryptSIPRetrieveSubjectGuid failed with %x
CryptQueryObject failed with %x
\\.\PhysicalDrive%d
\\.\Scsi%d:
Iphlpapi.dll
Software\Microsoft\Windows\CurrentVersion
Advapi32.dll
\Rising\RSD\RsMgrSvc.exe"
Explorer.exe
XXXXXXXXXXX
{X-X-X-XX-XXXXXX}
CLSID\{CAA2D3B1-4BB5-4a45-A17A-122773379D99}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
[d-d-d][d:d:d:d]
SHFolder.dll
Shell32.dll
SOFTWARE\Rising\%s
2.log
[u]
[0xX]
RAV.INI
WinSessionThread GetPidByName dwPID = %d , name=%s!
NtDll.dll
Kernel32.dll
WTSQueryUserToken Failed! Err Code: %d
wtsapi32.DLL
OpenProcess Failed! Err Code: %d
GetProcAddress(OpenProcessToken) Failed! Err Code: %d
OpenProcessToken Failed! Err Code: %d
GetLogonUserToken(%d)
>`userinit.exe
CRsMgrSvc::WaitForLogonNT:LoadLibrary(_"psapi.dll");err=0x%x
psapi.dll
Fail to OpenProcessToken; 0x%x
Failed to call CreateProcessAsUser again: appname = %s cmd=%s;err=0x%x.
Failed to SetTokenInformation(0):err=0x%x
Failed to call CreateProcessAsUser:cmd=%s;err=0x%x.
Failed to DuplicateTokenEx:err=0x%x
Failed to SetTokenInformation:err=0x%x
SessionId = %d
Failed to LoadLibrary("Wtsapi32.dll"):err=0x
Failed to call WTSEnumerateSessions:err=0x%x
SessionInfo[%d]: SessionId=%d; WinStationName=%s; State=%d.
Wtsapi32.dll
Failed to CreateProcess:%s;err=0x%x
Failed to LoadLibrary("Wtsapi32.dll"):err=0x%x
Failed to WTSEnumerateSessions:err=0x%x
Session\%d\RSD_POP_MESSAGE_INFO
WinSessionThread CreateProcess ret = %d end !
WinSessionThread CreateProcess pid = %d, CreateProcessAsUser err = %d !
Userenv.DLL
WinSessionThread CreateProcess begin dwSessionID = %d!
Failed to LoadLibrary("Userenv.DLL"):err=0x%x
Failed to call CreateProcessAsUser: cmd=%s;err=0x%x.
New Failed to call WTSQueryUserToken, err= 0x%x
rsmsg
%s\rsmsginfo.ini
Failed to open the shell ready event: 0x%x
"%s" /shellrun
%s\RsStub.exe
Session\%d\ShellReadyEvent
LogonRun - session : %d
Failed to call RegOpenKeyEx, err = 0x%x
Failed to call RegSaveKey, err = 0x%x
Failed to call AdjustTokenPrivileges, err = 0x%x
Failed to call OpenPrcessToken, err = 0x%x
%s\RsMgrSvc.dat
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
BaiduAnSvc.exe
BaiduSdSvc.exe
liebao.exe
ksafe.exe
{849B7E2B-0551-429C-B317-14B7D374D6EC}_is1
kxescore.exe
QQPCRtp.exe
360sd.exe
360se.exe
{23F3F476-BE34-4f48-9C77-2806A8393EC4}
360Desktop.exe
ZhuDongFangYu.exe
safeboxTray.exe
Failed to Create LogonRunThread Thread, err = 0x%x
SessionChange:EventType=%d; sessionID = %d
\Backup\RSD\RSSetup\RSSetup.xml
rsup10.rising.com.cn
u.suxiazai.com
%s?t=0&info=%s
ver=%s&guid=%s&sguid=%s&state=%s
hXXp://u.suxiazai.com/menu/info.xml
hXXp://rsup10.rising.com.cn/menu/info.xml
%srsd\info.xml
/subkey
Failed to Verify the "%s".
Failed to call vf.Init.
%s\rsbackup.exe
"%s\rsbackup.exe"
/subkey
%s\RsMgrSvc.ini
%s\updater.exe
"%s\updater.exe"
DeleteFile: %s.
ITEM%d
\RsMgrSvc.ini
DeletePath: %s.
Clean WillReboot In %s
%s\%s\%s.ini
1971-01-01 00:00:00
%d-%d-%d %d:%d:%d
%s\Data
%s /subkey %s /RsMgrSvc
"%s\Updater.exe" /silence
%s\Updater.exe
\Reboot.ini
CRsMgrSvc::SVC:Failed to CreateEvent-Wait: err=0x%x
CRsMgrSvc::SVC:Failed to CreateEvent, err=0x%x
comx3.dll
KERNEL32.DLL
kernel32.dll
MSIE %d.%d
WININET.DLL
Windows
Windows Me
Windows 98
Windows 95
Windows NT %d.%d
%s:%d
Mozilla/4.0 (compatible; %s; %s; Rising)
HTTP/1.0
Range: bytes=%d-
RstoreDll.dll
@CRsUseRepairProduct::prstorestart %s Dllpath:%s
@CRsUseRepairProduct::prstorestart %s
Subkey: %s could not find dllPath ,so use rsd path:%s
Subkey: %s Path:%s
\RstoreDll.dll
02%d.d.d.d
CRsLoadCloud::DownLoadCldRsdDll... faild hre = %d ,lasterror = %d
CRsLoadCloud::LoadCldRsdDll... failed lasterror = %d
CRsLoadCloud::LoadCldRsdDll...%s
CRsLoadCloud::StartTask...success
CRsLoadCloud::InitData... CopyFile flag= %d.
hXXp://download.suxiazai.com/for_down/2013/new/dlls/CldRsd.dll
CldRsd.dll
mscoree.dll
internal state. The program cannot safely continue execution and must
continue execution and must now be terminated.
- This application cannot run using the active version of the Microsoft .NET Runtime
Please contact the application's support team for more information.
GetProcessWindowStation
user32.dll
C:\DistributedAutoLink\Temp\CompileOutputDir\RsMgrSvc.pdb
GetWindowsDirectoryA
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExA
RegEnumKeyExA
RegCreateKeyA
RegOpenKeyA
RegSaveKeyA
RegQueryInfoKeyA
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
CryptMsgClose
CertCloseStore
CertGetNameStringW
CertFindCertificateInStore
CRYPT32.dll
RPCRT4.dll
InternetCrackUrlA
HttpQueryInfoA
HttpSendRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
WININET.dll
VERSION.dll
GetProcessHeap
GetCPInfo
zcÁ
%Program Files%\Rising\RSD\RsMgrSvc.exe.log
%Program Files%\Rising\RSD\RsMgrSvc.exe
.Beijing Rising Information Technology Corporation Limited
1.0.0.50
RsMgrSvc.exe
20150423153938597

popwndexe.exe_220:

.text
`.rdata
@.data
.rsrc
@.reloc
Please contact the application's support team for more information.
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
operator
GetProcessWindowStation
USER32.DLL
C:\DistributedAutoLink\Temp\CompileOutputDir\popwndexe.pdb
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
cOXY/P.Z0.0.QR00/ZPP0000000/0PPZR.BI@/DE0,
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
>$>(>,>0>
5(565;5~7
mscoree.dll
KERNEL32.DLL
rsdk.dll
<plugin clsid='{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}' name='CLID_CRsPopWndUI' start='1'/>
<plugin clsid='{EBC23555-424F-45c3-BECE-206819CB276B}' name='ClSID_CTrayWnd' start='999' /> </plugins></process></rscom>
BUF:<?xml version='1.0' ?><rscom> <components> <component path='rsdk.dll'> <clsid progid='RscomEnv.1'>{E59BC62D-64AB-439D-BAF3-B2D1BA15E441}</clsid> <clsid progid='ObjectLoader.1'>{4F496E7F-D8FD-4DED-967D-C4F53BFB9452}</clsid> <clsid progid='Rot.1'>{216DFF2F-B2F0-4CE0-BA5B-72E0B7BFAC28}</clsid> <clsid progid='MainRun.1'>{C8CA7580-8E65-49E6-A66A-B087C7EF523D}</clsid> <clsid progid='RsSrv.1'>{5D37C04C-8F58-4D47-94C8-B94153399473}</clsid> <clsid progid='Property.1'>{ED20E0E5-2357-4825-B3FA-198AEC674E81}</clsid> <clsid progid='PropertyThread.1'>{AD4F3A47-0CD6-43DE-BC22-E8BE24FFD424}</clsid> <clsid progid='Property2.1'>{2100E98D-B13E-4306-8081-50F325B10586}</clsid> <clsid progid='Property2Thread.1'>{0AEF80FB-9BAF-4E66-96B3-784ED0FCECF1}</clsid> <clsid>{E8D494C-D598-4E2F-B796-809E74315E76}</clsid> <clsid>{95EAB9C4-A7F4-46A8-A69F-54911364F2F0}</clsid> <clsid progid='TrayWnd'>{EBC23555-424F-45C3-BECE-206819CB276B}</clsid> <clsid progid='TraySrv'>{4FCE6281-8849-4FC6-A764-95C793EB8A48}</clsid> <clsid progid='TrayMenuBase'>{FCA0E62A-5DD4-46FB-AFB2-BDC74EA7DB36}</clsid> <clsid>{35FD921E-B758-46D8-B0AA-FCD033B0E66D}</clsid> <clsid progid='DfwWindow'>{201409F6-22F8-48D3-A69F-7935BDDE6BFA}</clsid> <clsid progid='DfwComponentMgr'>{787683B8-D58D-4072-BA04-46284CEA5AF8}</clsid> <clsid progid='DfwDrawIcon'>{224E5B34-E98F-4033-8B6F-46B758E7587E}</clsid> <clsid progid='DfwLocalExternal'>{23BD3E3A-72ED-4AE4-A5A9-41B466BA8D25}</clsid> <clsid progid='SafeSecurity'>{B769D42A-2392-42B6-8C10-DB99AE23F75A}</clsid> </component> <component path = 'localopt.dll'> <clsid progid='localopt'>{1DDF6C09-67B3-4b05-B3A4-43D7D92D067C}</clsid> </component> <component path = 'rsmginfo.dll'> <clsid progid='rsmginfo'>{56CF1F5A-D59E-4fe7-BE35-066F4E788E2A}</clsid> </component> </components></rscom>
{{887FE1BB-7C1F-4d73-BD44-B726E1672DC7}}_%s
%Program Files%\Rising\RSD\popwndexe.exe
1.0.0.7
tray.exe
814210592210000


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Scan a system with an anti-rootkit tool.
  2. Terminate malicious process(es) (How to End a Process With the Task Manager):

    install1403380.exe:1036
    RsMgrSvc.exe:1436
    ravmond.exe:1272
    ravmond.exe:1152
    popwndexe.exe:220

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ui\snin.htm (527 bytes)
    %Program Files%\Rising\RSD\RsMgrsvc.ini (60 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\moncom08.dll (1385 bytes)
    %Program Files%\Rising\RAV\repairmanager.dll (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\label.dat (140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CfgDll.dll (701 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\comx3.dll (673 bytes)
    %Program Files%\Rising\RAV\moncomm.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.dll (278 bytes)
    %Program Files%\Rising\RAV\setup.dat (601 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\ShortCut\Repair.url (155 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\os.xml (685 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\Setup.exe (5441 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVMON\RAVMON.xml (574 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\popwndexe.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.xml (996 bytes)
    %Program Files%\Rising\RSD\RSD950\CHT.lag (28 bytes)
    %Program Files%\Rising\RAV\12345678.000 (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudnotifier.dll (2752 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\dfw.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils.sys (1660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogDc.bmp (24 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsndisp.sys (10 bytes)
    %Program Files%\Rising\RAV\rav936\lics936.txt (8 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bacore.dll (2321 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\rscom.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\comx3.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\CfgDll.dll (1425 bytes)
    %Program Files%\Rising\RAV\rscurl.dll (1425 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon_if.dll (64 bytes)
    %Program Files%\Rising\RSD\rsmginfo.dll (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.CRT.manifest (496 bytes)
    %Program Files%\Rising\RAV\msvcr90.dll (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\localopt.dll (605 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rscombas.dll (1281 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\url.ini (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.xml (404 bytes)
    %Program Files%\Rising\RAV\cfgxml\adefmon.mond (2 bytes)
    %Program Files%\Rising\RAV\desktop.ini (182 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.dll (3179 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAV936\chs.lag (7 bytes)
    %Program Files%\Rising\RAV\cloudqry.dll (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon.sys (1604 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\antipromotionmon.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscomm.xml (2 bytes)
    %Program Files%\Rising\RSD\updater.exe (3361 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVMON\mondcoms.xml (8 bytes)
    %Program Files%\Rising\RAV\Label.dat (140 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dat (22 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3w.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rscurl.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsPcVer12.xml.rs (667 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\RSDK.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD1252\Eng.lag (52 bytes)
    %Program Files%\Rising\RSD\RsStub.exe (64 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rspalvd.dll (336 bytes)
    %Program Files%\Rising\RSD\rsdinfo.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccom.dll (1281 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\Cloudv3.dll (3073 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\procenv.dll (29 bytes)
    %Program Files%\Rising\RAV\rscom.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mond.xml (2 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\moncomm.dll (673 bytes)
    %Program Files%\Rising\RAV\RsTray.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\LogAc.bmp (24 bytes)
    %Program Files%\Rising\RAV\RsSmall.bmp (576 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsAppMgr.dll (64 bytes)
    %Program Files%\Rising\RAV\uprsuser.dat (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudwork.dll (11830 bytes)
    %Program Files%\Rising\RAV\cfgxml\mondcoms.xml (8 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudstore.dll (2321 bytes)
    %Program Files%\Rising\RAV\cfgxml\mond.xml (2 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\mondrv.dll (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\RsPcVer12[1].xml (663 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\rsuser.db1 (601 bytes)
    %Program Files%\Rising\RAV\XMLS\RSDK.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsuser.db1 (71 bytes)
    %Program Files%\Rising\RAV\Microsoft.VC90.CRT.manifest (496 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsMain.ico (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rssrv.dll (114 bytes)
    %Program Files%\Rising\RAV\cnt08.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\RAVMAINDUI.xml (1 bytes)
    %Program Files%\Rising\RSD\RSD936\CHS.lag (28 bytes)
    %System%\drivers\rsutils.sys (601 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsBackup.exe (2105 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcr90.dll (4185 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\rscombas.dll (435 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.rstray (293 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\LICENSE\LICENSE.xml (347 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD1252\Eng.lag (52 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudnet.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVMON\mond.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\popwndexe.exe (126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3a.dll (1898 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\MONBASEDUI.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\mergexml.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard_if.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\comx3.dll (709 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\localopt.dll (2613 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsdk.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RstoreDll.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\mondcoms.xml (8 bytes)
    %Program Files%\Rising\RAV\RavSetup.dll (7433 bytes)
    %Program Files%\Rising\RAV\cfgxml\repairmanager.mond (207 bytes)
    %Program Files%\Rising\RAV\CompsVer.inf (2 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\kguard.sys (601 bytes)
    %Program Files%\Rising\RAV\RsMain.ico (27 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsmginfo.dll (2105 bytes)
    %Program Files%\Rising\RAV\XMLS\MONBASEDUI.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsmon.dat (45 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rstask.xml (4 bytes)
    %Program Files%\Rising\RAV\procenv.dll (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\rsmon.db1 (43 bytes)
    %Program Files%\Rising\RSD\RsMgrSvc.exe (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD932\Jpn.lag (37 bytes)
    %Program Files%\Rising\RAV\mergexml.dll (601 bytes)
    %Program Files%\Rising\RAV\rsutils_if.dll (58 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCFG\rscfg.dll (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsMgrSvc.exe (1855 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\monbasedui.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RstoreDll.dll (2352 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\url.ini (4 bytes)
    %Program Files%\Rising\RAV\Rising.ico (3 bytes)
    %Program Files%\Rising\RAV\url.ini (4 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\hookbase.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravconfig.xml (518 bytes)
    %Program Files%\Rising\RAV\rssrv.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\Microsoft.VC90.ATL.manifest (466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\CompsVer.inf (2 bytes)
    %Program Files%\Rising\RAV\XMLS\RAVDEFDB.xml (967 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogAc.bmp (24 bytes)
    %Program Files%\Rising\RSD\rslang.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rslang.dll (673 bytes)
    %Program Files%\Rising\RAV\cfgxml\repairmanager.mondcoms (232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\mscrt9.xml (961 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\chs.lag (7 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVXP\ravxp.exe (601 bytes)
    %Program Files%\Rising\RAV\Cloudv3.dll (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dat (22 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\mergexml.dll (117 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\rslog.dll (106 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rslang.dll (935 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\rspalvd.dll (1281 bytes)
    %Program Files%\Rising\RSD\os.xml (685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg (48 bytes)
    %Program Files%\Rising\RAV\LogDc.bmp (24 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\moncom08.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.mondcoms (232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rssqlite.dll (2550 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\rsmon.db (43 bytes)
    %Program Files%\Rising\RAV\rscommx2.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\atl90.dll (1254 bytes)
    %Program Files%\Rising\RAV\cloudsta.dll (63 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils_if.dll (58 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\setup.dat (601 bytes)
    %System%\drivers\protreg.sys (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mond (207 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSSetup.xml (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\syslay.dll (1248 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\updater.exe (7115 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\ravmaindui.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\msvcp90.dll (3361 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CompsVer.inf (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravlog\ravlog.xml (545 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsutils.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\c[1].aspx (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\protreg.sys (24 bytes)
    %Program Files%\Rising\RAV\XMLS\RAVLOG.xml (545 bytes)
    %Program Files%\Rising\RAV\cfgxml\userdata.rstray (293 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\Proccomm.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\defmon.dll (3361 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\pngdll.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\syslay.dll (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RavSetup.dll (4295 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdk.dll (3073 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\userdata.mond (485 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\rsxml3a.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\setup.dat (601 bytes)
    %Program Files%\Rising\RAV\ravmond.exe (1425 bytes)
    %Program Files%\Rising\RAV\sysmon_if.dll (64 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\_RAV\_RAV.xml (368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.mondcoms (232 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\x64\adefmon.mond (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsSmall.bmp (576 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\sysmon.sys (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\procenv.dll (29 bytes)
    %Program Files%\Rising\RAV\XMLS\RSMONDEF.xml (1 bytes)
    %Program Files%\Rising\RAV\rsnscfg.dat (2 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsndisp.sys (11 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCFG\RSCFG.xml (996 bytes)
    %Program Files%\Rising\RAV\moncom08.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RSCOMM.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudqry.xml (1 bytes)
    %Program Files%\Rising\RAV\rsmain.exe (601 bytes)
    %Program Files%\Rising\RAV\rssqlite.dll (2321 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudnotifier.dll (1425 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.dll (787 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\syslay.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\antipromotionmon.dll (432 bytes)
    %Program Files%\Rising\RAV\XMLS\LICENSE.xml (347 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\Label.dat (140 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravconfig\ravcfg.xml (126 bytes)
    %Program Files%\Rising\RAV\rsdll.dll.dat (601 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\ui\snin.htm (527 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsmon.db1 (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\sysmon.sys (1076 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsMgrSvc.exe (673 bytes)
    %Program Files%\Rising\RAV\XMLS\RAVCONFIG.xml (518 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\datastorage.db (19 bytes)
    %Program Files%\Rising\RAV\rsxml3w.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsSmall.bmp (576 bytes)
    %Program Files%\Rising\RAV\XMLS\MSCRT9.xml (961 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\dataups.dat (207 bytes)
    %Program Files%\Rising\RAV\antipromotionmon.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rssqlite.dll (2321 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAV.ico (601 bytes)
    %Program Files%\Rising\RAV\rslog.dll (601 bytes)
    %Program Files%\Rising\RAV\Proccom.dll (1281 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudqry.dll (2105 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\RAVCONFIG.xml (518 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\cloudsta.dll (63 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Rising.ico (3 bytes)
    %Program Files%\Rising\RAV\dfw.dll (1281 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\uprsuser.dat (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\defmon.dll (3386 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmginfo.dll (3891 bytes)
    %Program Files%\Rising\RAV\rspalvd.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.rstray (293 bytes)
    %Program Files%\Rising\RAV\selfmon.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\moncomm.dll (165 bytes)
    %Program Files%\Rising\RAV\XMLS\RSCOMM.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\rscommx2.dll (1411 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsuser.dat (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard.sys (634 bytes)
    %Program Files%\Rising\RAV\XMLS\HOOKBASE.xml (4 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD932\Jpn.lag (37 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rsxml3w.dll (248 bytes)
    %Program Files%\Rising\RAV\bacore.dll (2321 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\_rav.xml (368 bytes)
    %Program Files%\Rising\RAV\XMLS\RAVMON.xml (574 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RAVBASE.xml (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\userdata.mond (485 bytes)
    %Program Files%\Rising\RAV\rscfg.dll (53 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravxp\ravxp.exe (86 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\selfmon.dll (89 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\12345678.000 (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RAV.cfg.tmp (1960 bytes)
    %Program Files%\Rising\RSD\syslay.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dll (3859 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudv3.xml (1 bytes)
    %Program Files%\Rising\RAV\LogAc.bmp (24 bytes)
    %Program Files%\Rising\RSD\ui\snin.htm (527 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt09.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\Cloudv3.dll (4727 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\comx3.dll (693 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\repairmanager.dll (38 bytes)
    %Program Files%\Rising\RAV\dataups.dat (207 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsutils.sys (985 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\monrule.dll (1153 bytes)
    %Program Files%\Rising\RAV\XMLS\RAVMAINDUI.xml (1 bytes)
    %Program Files%\Rising\RAV\XMLS\CLOUDQRY.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rscurl.dll (3926 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudnet.dll (2054 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD936\CHS.lag (28 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\protreg.sys (24 bytes)
    %Program Files%\Rising\RAV\msvcp90.dll (3361 bytes)
    %Documents and Settings%\All Users\Start Menu\Programs\Rising Software Deployment System\.lnk (2 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\selfmon.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\rstask.xml (4 bytes)
    %Program Files%\Rising\RAV\monrule.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsStub.exe (1762 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSSETUP.xml (6 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\cloudwork.dll (7726 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\datastorage.db (19 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\_RAV\setup.xml (2 bytes)
    %Program Files%\Rising\RSD\update.xml (164 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\update.xml (164 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\ShortCut\RAV.ico (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RSD950\CHT.lag (28 bytes)
    %Program Files%\Rising\RAV\mondef.dll (3361 bytes)
    %Program Files%\Rising\RSD\RsAppMgr.dll (64 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD936\CHS.lag (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\urg[1].htm (224 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\rscommx2.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bacore.dll (5060 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcr90.dll (7805 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmaindui\rsmain.exe (817 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\RsBaseNetWrapper.dll (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\setup.dat (126 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\rsmon.db1 (43 bytes)
    %Program Files%\Rising\RAV\cnt09.dll (1281 bytes)
    %Program Files%\Rising\RSD\RsBackup.exe (2105 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RAV.ico (81 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\kguard_if.dll (459 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\syslay.dll (26 bytes)
    %Program Files%\Rising\RAV\localopt.dll (1281 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\MSCRT9.xml (961 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\language.ini (63 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\sysmon_if.dll (1803 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.ATL.manifest (466 bytes)
    %Program Files%\Rising\RAV\cloudnotifier.dll (1425 bytes)
    %Program Files%\Rising\RAV\traywnd.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk.dll (6045 bytes)
    %Program Files%\Rising\RSD\localopt.dll (1425 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\bawhite.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\setup.dat (118 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\cloudstore.dll (2897 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\x64\adefmon.mond (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsndisp.sys (10 bytes)
    %Program Files%\Rising\RAV\kguard_if.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudv3\dataups.dat (207 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RSD950\CHT.lag (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Auto.ini (36 bytes)
    %Program Files%\Rising\RSD\RSD1252\Eng.lag (52 bytes)
    %Program Files%\Rising\RSD\Setup.exe (5441 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\mscrt9\msvcp90.dll (5724 bytes)
    %Program Files%\Rising\RSD\CfgDll.dll (1425 bytes)
    %Program Files%\Rising\RAV\rsxml3a.dll (673 bytes)
    %System%\drivers\rsndisp.sys (10 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\64\rsutils.sys (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsMain.ico (27 bytes)
    %Program Files%\Rising\RAV\rstasku.xml (4 bytes)
    %Program Files%\Rising\RAV\XMLS\_RAV.xml (368 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\rsnscfg.dat (2 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\mondef.dll (3361 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\bawhite.dll (1069 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\RAV.ini (599 bytes)
    %Program Files%\RsTest.ini (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\dfw.dll (3888 bytes)
    %Program Files%\Rising\RAV\syslay.dll (26 bytes)
    %Program Files%\Rising\RAV\RsBaseNetWrapper.dll (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\monbasedui\ravmond.exe (1990 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVCONFIG\ravcfg.xml (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Repair.url (155 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\ravcfg.xml (601 bytes)
    %Program Files%\Rising\RSD\popwndexe.exe (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsutils_if.dll (58 bytes)
    %Program Files%\Rising\RAV\rav936\chs.lag (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\hookbase.xml (4 bytes)
    %System%\drivers\kguard.sys (601 bytes)
    %Program Files%\Rising\RAV\mondrv.dll (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\rsnscfg.dat (2 bytes)
    %Program Files%\Rising\RSD\RstoreDll.dll (1281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\rav936.xml (515 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\adefmon.mond (2 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\sysmon.sys (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVLOG\RAVLOG.xml (545 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rav936\lics936.txt (8 bytes)
    %Program Files%\Rising\RSD\XMLS\RSSetup.xml (6 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\CLOUDV3.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\atl90.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\os.xml (685 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccom.dll (1039 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Setup.exe (8063 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\ravbase.xml (4 bytes)
    %Program Files%\Rising\RAV\cloudwork.dll (7726 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSDK\traywnd.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\64\rsndisp.sys (11 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RavSetup.dll (7433 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsmondef\rsmondef.xml (1 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\LogDc.bmp (24 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravmon\ravmon.xml (574 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\rsdll.dll.dat (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Custom.xml (775 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAV936\lics936.txt (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\rscom.dll (1384 bytes)
    %Program Files%\Rising\RAV\defmon.dll (3361 bytes)
    %Program Files%\Rising\RAV\rsmain.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\localopt.dll (1425 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\RsStub.exe (64 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\rsdinfo.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\RAVDEFDB.xml (967 bytes)
    C:\rising.ini (215 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\Rising.ico (3 bytes)
    %Program Files%\Rising\RAV\uprsmon.dat (45 bytes)
    %Program Files%\Rising\RAV\cloudnet.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\license\license.xml (347 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSCOMM\cnt08.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\uprsmon.dat (45 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MSCRT9\Microsoft.VC90.CRT.manifest (496 bytes)
    %Program Files%\Rising\RAV\XMLS\CLOUDV3.xml (1 bytes)
    %Program Files%\Rising\RSD\RSD932\Jpn.lag (37 bytes)
    %Program Files%\Rising\RAV\ravxp.exe (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\HOOKBASE\HOOKBASE.xml (4 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDQRY\CLOUDQRY.xml (1 bytes)
    %Program Files%\Rising\RSD\Data\RAV\RAV.ini (57324 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\update.xml (164 bytes)
    %Program Files%\Rising\RSD\comx3.dll (673 bytes)
    %Program Files%\Rising\RAV\XMLS\RAV936.xml (515 bytes)
    %Program Files%\Rising\RAV\cfgxml\userdata.mond (485 bytes)
    %Program Files%\Rising\RAV\pngdll.dll (1425 bytes)
    %Program Files%\Rising\RAV\Proccomm.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\rsdll.dll.dat (101 bytes)
    %Program Files%\Rising\RAV\comx3.dll (673 bytes)
    %Program Files%\Rising\RAV\hookbase.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\RsTray.ico (68 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\LICENSE\12345678.000 (24 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\RsTray.ico (601 bytes)
    %Program Files%\Rising\RAV\XMLS\RAVBASE.xml (4 bytes)
    %Program Files%\Rising\RAV\rstask.xml (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsBackup.exe (1851 bytes)
    %Program Files%\Rising\RAV\cloudstore.dll (2321 bytes)
    %Program Files%\Rising\RAV\atl90.dll (673 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAV936\RAV936.xml (515 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\RSMONDEF.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\RsAppMgr.dll (168 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVBASE\Repair.url (155 bytes)
    %Program Files%\Rising\RAV\XMLS\setup.xml (2 bytes)
    %Program Files%\Rising\RSD\Backup\RSD\RSSetup\updater.exe (3361 bytes)
    %Program Files%\Rising\RAV\Microsoft.VC90.ATL.manifest (466 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db (19 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVDEFDB\rsuser.db1 (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\adefmon.mond (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\install1403380.exe.log (317387 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\Rav.7z (22865 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\mondef.dll (2065 bytes)
    %Program Files%\Rising\RAV\XMLS\RAVXP.xml (404 bytes)
    %Program Files%\Rising\RAV\XMLS\RSCFG.xml (996 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVXP\RAVXP.xml (404 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\rssrv.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\hookbase\mondrv.dll (6605 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVMAINDUI\rsmain.dll (601 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\CLOUDV3\localopt.dll (1281 bytes)
    %Program Files%\Rising\RAV\rscombas.dll (1281 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RSMONDEF\monrule.dll (601 bytes)
    %Program Files%\Rising\RAV\bawhite.dll (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt08.dll (1787 bytes)
    %Program Files%\Rising\RSD\setup.dat (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravdefdb\ravdefdb.xml (967 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\Proccomm.dll (608 bytes)
    %Program Files%\Rising\RAV\bawhite.dat (22 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\MONBASEDUI\ravmond.exe (1425 bytes)
    %Program Files%\Rising\RAV\NetConfig.ini (24 bytes)
    %Program Files%\Rising\RSD\rsdk.dll (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\RsBaseNetWrapper.dll (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdinfo.dll (1000 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\repairmanager.dll (38 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\_rav\setup.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\cloudqry\cloudsta.dll (63 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscomm\cnt09.dll (2293 bytes)
    %System%\drivers\sysmon.sys (673 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rscfg\rscfg.dll (1202 bytes)
    %Program Files%\Rising\RSD\Backup\RAV\RAVLOG\rslog.dll (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\rsdk\traywnd.dll (76 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\RsdSfxTmp\ravbase\pngdll.dll (741 bytes)
    %Program Files%\Rising\RSD\RsMgrSvc.exe.log (367 bytes)
    %Program Files%\Rising\RSD\RsMgrSvc.dat (708 bytes)
    %Program Files%\Rising\RAV\logfiles\ravmond.exe.cloudwork.log (6073 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\navigate_sign[1].xml (200 bytes)
    %Documents and Settings%\All Users\Application Data\Rising\Rav\datastorage.db-journal (2338 bytes)
    %Program Files%\Rising\RAV\logfiles\ravmond.exe.log (149 bytes)
    %Program Files%\Rising\RAV\browserruncount.dat (944 bytes)
    %Program Files%\Rising\RAV\prvcloudcfg.ini (26 bytes)
    %Documents and Settings%\LocalService\Local Settings\Temporary Internet Files\Content.IE5\QLSNQ10Z\navigate_up[1].xml (235 bytes)
    %Program Files%\Rising\RAV\ravmond.exe_status.ini (80 bytes)
    %Program Files%\Rising\RAV\CCenter.db-journal (18630 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\55.dll (19614 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh2.tmp\xID.dll (3 bytes)

  5. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "RSDTRAY" = "%Program Files%\Rising\RSD\popwndexe.exe"

  6. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  7. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

No votes yet


Lavasoft is the maker of Ad-Aware, the world's most popular anti-malware software with over 450 million downloads.
© 2026 Lavasoft. All rights reserved.
Terms Of Use |   Privacy Policy


x

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Enjoy unique new features, lightning fast scans and a simple yet beautiful new look in our best antivirus yet!

For a quicker, lighter and more secure experience, download the all new adaware antivirus 12 now!

Download adaware antivirus 12
No thanks, continue to lavasoft.com
close x

Discover the new adaware antivirus 12

Our best antivirus yet

Download Now