Trojan.Win32.FlyStudio_4b75768a5a

by malwarelabrobot on April 21st, 2017 in Malware Descriptions.

Gen:Variant.Graftor.361115 (BitDefender), HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Variant.Graftor.361115 (B) (Emsisoft), ML.Attribute.HighConfidence (Symantec), PUA.NoobyProtect (Ikarus), Gen:Variant.Graftor.361115 (FSecure), Win32:Evo-gen [Susp] (Avast), Trojan-PSW.Win32.Bzub.2.FD, Trojan.Win32.FlyStudio.FD, GenericEmailWorm.YR, GenericInjector.YR, TrojanFlyStudio.YR (Lavasoft MAS)
Behaviour: Trojan-PSW, Trojan, Worm, EmailWorm


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: 4b75768a5a2a6bc710e2bd2bc0c75ff7
SHA1: cf2f79a9abf67fe7cd64869e3025ecd94ed1e2a6
SHA256: f89dcb1d4d51dcdc197b72055621cd340d901d26f69a62761d25b50ff2c9e7f8
SSDeep: 49152:Hzlvp4QBeeMcWQ1oXJbmRlgZsX78ObOgxgfH:HpeuScraJbmH4sPOgxY
Size: 1699840 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6, ACProtect141
Company: Software Assistant
Created at: 2017-03-20 15:41:10
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

Behaviour    Description
EmailWorm    Worm can send e-mails.


Process activity

The Trojan creates the following process(es), listed as image name:PID. Note that "ipseccmd.dll" is a running process here, not a loaded library: it corresponds to the file C:\ipseccmd.dll that the sample drops (see File activity), an executable saved under a .dll extension, which Windows will happily start regardless of the extension. The name matches the legacy ipseccmd IPsec command-line tool, and the companion drops C:\polstore.dll and C:\winipsec.dll carry the names of the IPsec policy-store and IPsec client libraries that tool uses. The local IPsec policy writes attributed to these processes in the Registry activity section are consistent with that tool being run repeatedly, each run adding a rule; this is an inference from the observed artifacts, not something the sandbox report states.

ipseccmd.dll:2816
ipseccmd.dll:3668
ipseccmd.dll:2968
ipseccmd.dll:1848
ipseccmd.dll:2496
ipseccmd.dll:3704
rundll32.exe:2904

The Trojan injects its code into the following process(es):

%original file name%.exe:1900

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process rundll32.exe:2904 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6SADY2Z\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8OVP1RL\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3B5D8S8L\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RJZ2ALJ8\desktop.ini (67 bytes)

The process %original file name%.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\History\History.IE5\index.dat (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\V2ZA86OM\desktop.ini (67 bytes)
C:\polstore.dll (103 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\History\History.IE5\desktop.ini (254 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\8VIKTY0F\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\26430000220167882842196[1].htm (34284 bytes)
C:\Windows\System32\setie.bat (24 bytes)
C:\winipsec.dll (32 bytes)
C:\regset.ini (243 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\5MZ9RQ8A\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
C:\注意事项总览.txt (1 bytes)  [GBK file name, rendered on the original page as the mis-encoded "×¢ÒâÊÂÏî×ÜÀÀ.txt"; roughly "overview of notes"]
C:\ipseccmd.dll (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\41WGRA9S\desktop.ini (67 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\26430000220167882842196[1].htm (49133 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cookies\index.dat (16 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\26430000220167882842196[1].htm (0 bytes)

Registry activity

The process ipseccmd.dll:2816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"ipsecID" = "{a3045153-5a8e-4075-be9e-3cc1348efd57}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecName" = "D107.151.95.83"
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"ipsecDataType" = "256"
"ClassName" = "ipsecNegotiationPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}]
"ipsecID" = "{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"whenChanged" = "1492711170"
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"ClassName" = "ipsecFilter"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"ipsecName" = "D107.151.95.83 filter action"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecID" = "{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"
"Name" = "ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecName" = "HFUT_SECU"
"ClassName" = "ipsecPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecID" = "{f66273e7-04b0-4d83-a72e-8edbbfcc7514}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"Name" = "ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"ipsecID" = "{c7050e49-d79f-4d74-bc24-3c28605fe2c5}"
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}]
"ClassName" = "ipsecISAKMPPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ClassName" = "ipsecNFA"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"ipsecName" = "D107.151.95.83 filter list"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}]
"Name" = "ipsecISAKMPPolicy{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}"
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"Name" = "ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"Name" = "ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{912fc896-7ee2-4c0d-8c6c-29544ee8b51b}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"
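The registry writes above are the local IPsec policy store under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local. Its objects are linked only by reference strings: the ipsecPolicy names its rules in ipsecNFAReference, each ipsecNFA points at a filter list (ipsecFilterReference) and a filter action (ipsecNegotiationPolicyReference), and the ActivePolicy value at the root names the policy that is actually assigned. Reading the flat dump tells you little until those references are followed. The script below is an added example, not part of the Lavasoft report or the sample's own code: it parses a dump in the report's "[key]" / "name" = "value" format (the embedded SAMPLE_DUMP is a constructed subset of the values reported for ipseccmd.dll:2816), merges repeated key blocks, resolves the assigned policy to its rules, and names each rule's filter list and action. Three things are assumptions rather than facts taken from the page: the mapping of ipsecNegotiationPolicyAction GUIDs to BLOCK/PERMIT/NEGOTIATE is the author's reading of the IPsec policy-store documentation and should be confirmed before it is relied on; the decoding of the first 16 bytes of ipsecData as a GUID is based on their mixed-endian layout; and the IPs extracted from filter-list names are a heuristic, since the real filter addresses live inside the ipsecData blob, which this script does not decode.

```python
import re
import uuid
from collections import defaultdict
from datetime import datetime, timezone

# Constructed excerpt of the registry writes this report attributes to
# ipseccmd.dll:2816 (values copied from the report; only a subset of keys).
SAMPLE_DUMP = r'''
[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecName" = "HFUT_SECU"
"whenChanged" = "1492711170"
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecName" = "D107.151.95.83"
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{f66273e7-04b0-4d83-a72e-8edbbfcc7514}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{c7050e49-d79f-4d74-bc24-3c28605fe2c5}]
"ipsecName" = "D107.151.95.83 filter list"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{a3045153-5a8e-4075-be9e-3cc1348efd57}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"
'''

# Filter-action GUIDs as the author reads the IPsec policy-store documentation
# (ASSUMPTION: confirm against MS-GPIPSEC before relying on these labels).
ACTION_GUIDS = {'{3f91a819-7647-11d1-864d-d46a00000000}': 'BLOCK',
                '{8a171dd2-77e3-11d1-8659-a04f00000000}': 'PERMIT',
                '{8a171dd3-77e3-11d1-8659-a04f00000000}': 'NEGOTIATE'}
KEY_RE = re.compile(r'^\[(.+)\]$')
VAL_RE = re.compile(r'^"([^"]+)"\s*=\s*"(.*)"$')
IP_RE = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')


def parse_reg_dump(text):
    """'[key]' / '"name" = "value"' lines -> {key: {name: value}}; repeated
    blocks for one key (as in the report) are merged."""
    keys, current = defaultdict(dict), None
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if m := KEY_RE.match(line):
            current = m.group(1)
            keys[current]                       # record keys with no values too
        elif (m := VAL_RE.match(line)) and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return dict(keys)


def _norm(path):
    """Reference values omit the hive; compare case-insensitively."""
    return path[5:].lower() if path.upper().startswith('HKLM\\') else path.lower()


def when_changed_utc(value):
    """whenChanged is a Unix epoch stored as a decimal string."""
    return datetime.fromtimestamp(int(value), tz=timezone.utc).strftime('%Y-%m-%dT%H:%M:%SZ')


def ipsec_data_guid(hex_bytes):
    """The first 16 bytes of ipsecData decode as a GUID in Windows mixed-endian layout (assumption)."""
    return '{%s}' % uuid.UUID(bytes_le=bytes.fromhex(hex_bytes.replace(' ', ''))[:16])


def resolve_active_policy(keys):
    """Follow ActivePolicy -> ipsecPolicy -> each ipsecNFA -> filter list + action."""
    store = {_norm(k): v for k, v in keys.items()}
    root = next((k for k in store if k.endswith('\\ipsec\\policy\\local')), None)
    if root is None or 'ActivePolicy' not in store[root]:
        return None                             # nothing assigned, nothing enforced
    policy = store.get(_norm(store[root]['ActivePolicy']), {})
    result = {'policy_name': policy.get('ipsecName'), 'rules': [], 'unresolved': [],
              'when_changed': when_changed_utc(policy['whenChanged']) if 'whenChanged' in policy else None}
    for ref in filter(None, (r.strip() for r in policy.get('ipsecNFAReference', '').split(','))):
        nfa = store.get(_norm(ref))
        if nfa is None:                         # referenced but absent from this dump
            result['unresolved'].append(ref.rsplit('\\', 1)[-1])
            continue
        flt = store.get(_norm(nfa.get('ipsecFilterReference', '')), {})
        neg = store.get(_norm(nfa.get('ipsecNegotiationPolicyReference', '')), {})
        guid = neg.get('ipsecNegotiationPolicyAction', '').lower()
        result['rules'].append({'rule': nfa.get('ipsecName'), 'filter_list': flt.get('ipsecName'),
                                'action': ACTION_GUIDS.get(guid, guid or 'UNKNOWN')})
    return result


def ip_hints(result):
    """Heuristic: addresses embedded in filter-list names. The authoritative
    addresses are inside the binary ipsecData blob, which is not decoded here."""
    found = []
    for rule in result['rules']:
        found += [ip for ip in IP_RE.findall(rule['filter_list'] or '') if ip not in found]
    return found
```

Run against the sample, resolve_active_policy reports the assigned policy "HFUT_SECU", changed at 2017-04-20T17:59:30Z (the whenChanged epoch 1492711170), with one resolvable rule whose filter list is named for 107.151.95.83 and whose action GUID is the one assumed to mean BLOCK. The second referenced NFA comes back as unresolved, which mirrors the report: of the seven NFAs the policy references, ipseccmd.dll:2816 defines only {f66273e7...}; the others are written by the sibling processes (for example {2f26f5c7...} by :3668 and {4610001f...} by :2968), so a triage of the real policy store must merge the writes of all of them before the rule set is complete. On a live host the same walk applies to the registry itself rather than a text dump, and the ActivePolicy value is the single fastest check for whether a foreign IPsec policy has been assigned at all.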

The process ipseccmd.dll:3668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecDataType" = "256"
"ClassName" = "ipsecNegotiationPolicy"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"ipsecName" = "D115.230.127.243 filter list"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"Name" = "ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}"
"ipsecID" = "{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecID" = "{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"
"Name" = "ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"ipsecID" = "{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"ipsecName" = "D115.230.127.243"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecName" = "HFUT_SECU"
"ClassName" = "ipsecPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"Name" = "ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ipsecID" = "{ce76b0db-b816-41fa-a091-f5a8228c4741}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"ipsecID" = "{d4dc5178-db87-4600-8bee-d187dcd3e2ef}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"Name" = "ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"Name" = "ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"ClassName" = "ipsecFilter"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ClassName" = "ipsecISAKMPPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"ClassName" = "ipsecNFA"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"ipsecName" = "D115.230.127.243 filter action"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{d4dc5178-db87-4600-8bee-d187dcd3e2ef}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{3107c3d7-0c21-48e8-b4f0-29dec4f06a67}]
"description"

The process ipseccmd.dll:2968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"ipsecName" = "D43.226.120.167 filter list"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"ipsecID" = "{f6027bfa-c001-48d0-8e95-0eb6123d8085}"
"ClassName" = "ipsecISAKMPPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"ClassName" = "ipsecFilter"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"ClassName" = "ipsecNFA"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"ipsecID" = "{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"Name" = "ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"Name" = "ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"Name" = "ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ClassName" = "ipsecNegotiationPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ipsecID" = "{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecName" = "HFUT_SECU"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ClassName" = "ipsecPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"Name" = "ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecID" = "{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"ipsecName" = "D43.226.120.167"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ipsecName" = "D43.226.120.167 filter action"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"Name" = "ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"ipsecDataType" = "256"
"ipsecID" = "{6c11879b-b457-46e6-9dd3-08b0ff41300d}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{6c11879b-b457-46e6-9dd3-08b0ff41300d}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{bce2da0a-9bf6-4ee1-a5d7-9ec8e5163e8f}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"

The process ipseccmd.dll:1848 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"ClassName" = "ipsecNFA"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"Name" = "ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}"
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}"
"ipsecID" = "{318293b8-c224-4686-8cc6-e3e953f9048f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"whenChanged" = "1492711168"
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}"
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"Name" = "ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"whenChanged" = "1492711168"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"ipsecID" = "{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"whenChanged" = "1492711168"
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"ipsecName" = "D120.27.176.57 filter action"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"whenChanged" = "1492711168"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"whenChanged" = "1492711168"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"ClassName" = "ipsecNFA"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecID" = "{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"ipsecNegotiationPolicyAction" = "{8a171dd3-77e3-11d1-8659-a04f00000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"Name" = "ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"Name" = "ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecName" = "HFUT_SECU"
"ClassName" = "ipsecPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"ipsecName" = "D120.27.176.57 filter list"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"Name" = "ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"ipsecID" = "{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ClassName" = "ipsecISAKMPPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"ipsecID" = "{7eb3946c-b8fa-4d67-ade5-7e4457371a13}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"ipsecID" = "{a3c18004-7081-4a44-b01e-78597b652e89}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"ipsecName" = "D120.27.176.57"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"Name" = "ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}"
"whenChanged" = "1492711168"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"ipsecNegotiationPolicyType" = "{62f49e13-6c37-11d1-864c-14a300000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"ClassName" = "ipsecFilter"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"ipsecID" = "{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"whenChanged" = "1492711168"
"Name" = "ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"ClassName" = "ipsecNegotiationPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"ClassName" = "ipsecNegotiationPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{318293b8-c224-4686-8cc6-e3e953f9048f}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2f9fa847-4ffc-46ab-b298-e541c10f1a2d}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{7eb3946c-b8fa-4d67-ade5-7e4457371a13}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{95d8f5a1-735e-4298-84ca-e1b1b62b03c5}]
"ipsecOwnersReference"

The process ipseccmd.dll:2496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7d63045a-cc3c-44bb-8d65-62072770153a}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}"
"ClassName" = "ipsecFilter"
"Name" = "ipsecFilter{7d63045a-cc3c-44bb-8d65-62072770153a}"
"ipsecDataType" = "256"
"ipsecName" = "D60.169.75.39 filter list"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}]
"Name" = "ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]
"Name" = "ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7d63045a-cc3c-44bb-8d65-62072770153a}]
"ipsecID" = "{7d63045a-cc3c-44bb-8d65-62072770153a}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"Name" = "ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}"
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7d63045a-cc3c-44bb-8d65-62072770153a}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}]
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"ipsecDataType" = "256"
"ClassName" = "ipsecNegotiationPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7d63045a-cc3c-44bb-8d65-62072770153a}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"ipsecID" = "{3619b159-7cee-4799-9793-a92bfe2f75b2}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"Name" = "ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"ipsecName" = "D60.169.75.39"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecName" = "HFUT_SECU"
"ClassName" = "ipsecPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}"
"ClassName" = "ipsecNFA"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7d63045a-cc3c-44bb-8d65-62072770153a}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}]
"ipsecName" = "D60.169.75.39 filter action"
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]
"ipsecDataType" = "256"
"whenChanged" = "1492711169"
"ipsecID" = "{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}"
"ClassName" = "ipsecISAKMPPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}]
"ipsecID" = "{ef2c713d-11d3-42c9-8800-0f5d8896e48d}"
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}"
"ipsecID" = "{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"whenChanged" = "1492711169"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{ef2c713d-11d3-42c9-8800-0f5d8896e48d}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{f6027bfa-c001-48d0-8e95-0eb6123d8085}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{7dce7cda-ddfc-42cc-85b2-e88aa1f1f5f3}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{7d63045a-cc3c-44bb-8d65-62072770153a}]
"description"

The process ipseccmd.dll:3704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}]
"ipsecID" = "{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}"
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"ipsecData" = "00 AC BB 11 8D 49 D1 11 86 39 00 A0 24 8D 30 21"
"Name" = "ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}"
"ipsecNegotiationPolicyReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"ipsecID" = "{0a51f3dc-8067-489d-898b-e5d4382616f9}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}]
"Name" = "ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"ipsecName" = "D23.234.7.6"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"Name" = "ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}]
"ipsecData" = "B5 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"ipsecOwnersReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}"
"ipsecNegotiationPolicyType" = "{62f49e10-6c37-11d1-864c-14a300000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecID" = "{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"
"ipsecNFAReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{2f26f5c7-cf7f-4dd9-8eec-e0e55c1fd452}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{3619b159-7cee-4799-9793-a92bfe2f75b2}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{4610001f-dee5-4e5f-8a09-bd9ef8adf41f}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3cd8c67-a9b6-4ed2-b0ad-6f9f9bae6144}, SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{a3c18004-7081-4a44-b01e-78597b652e89}"
"Name" = "ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecData" = "63 21 20 22 4C 4F D1 11 86 3B 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}]
"ipsecDataType" = "256"
"ipsecName" = "D23.234.7.6 filter list"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecName" = "HFUT_SECU"
"ClassName" = "ipsecPolicy"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ipsecData" = "B8 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"
"Name" = "ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"ClassName" = "ipsecNegotiationPolicy"
"ipsecData" = "B9 20 DC 80 C8 2E D1 11 A8 9E 00 A0 24 8D 30 21"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ipsecID" = "{b370df04-968f-4dc6-8b74-65ca1f378905}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"ipsecNegotiationPolicyAction" = "{3f91a819-7647-11d1-864d-d46a00000000}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"ClassName" = "ipsecNFA"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"whenChanged" = "1492711170"
"ipsecFilterReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"ipsecName" = "D23.234.7.6 filter action"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"ipsecDataType" = "256"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"ipsecISAKMPReference" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy" = "SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"whenChanged" = "1492711170"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"ipsecID" = "{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}]
"ClassName" = "ipsecFilter"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ClassName" = "ipsecISAKMPPolicy"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{b370df04-968f-4dc6-8b74-65ca1f378905}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNegotiationPolicy{b0a4e620-2156-4eed-b39b-8ddd8ac30e2f}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecPolicy{1edd3dd2-dc24-4e5b-bf0a-cc71cbd7b969}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecISAKMPPolicy{ce76b0db-b816-41fa-a091-f5a8228c4741}]
"ipsecOwnersReference"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecFilter{2c8fd61d-30f2-4c29-8f2d-616f970bdee8}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local\ipsecNFA{0a51f3dc-8067-489d-898b-e5d4382616f9}]
"description"

[HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local]
"ActivePolicy"

The process %original file name%.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 05 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL" = "http://13147758521.888pojie.com:8080/rules.pac"

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASAPI32]
"EnableConsoleTracing" = "0"
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 0C 00 00 00 0D 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\4b75768a5a2a6bc710e2bd2bc0c75ff7_RASAPI32]
"MaxFileSize" = "1048576"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
11e5a276a93c4604c175ca3ebce6d77a c:\ipseccmd.dll
4e50a8a52dc5aac3c9d3e70d792e9e0c c:\polstore.dll
24b0db7e532076d5fc17c56cc50140b4 c:\winipsec.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: 1.3.8
Product Version: 1.0.0.0
Legal Copyright: ?????? ????????
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description: 4t
Comments: ??????????(http://www.eyuyan.com)
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 1515520 589824 5.54358 33a06e27fe9cd20825277a3cec056523
.sedata 1519616 1015808 1015808 5.19071 9266eee5f97282c0b8328598fea575a4
.idata 2535424 4096 4096 1.18189 6ead33253b684ccf75b28ac859937958
.rsrc 2539520 73728 73728 3.81876 11bb118563e615c57a6693f451fbf416
.sedata 2613248 4096 4096 5.53359 0123a03fe0eb497655c37552a018dbeb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://blog.163.com/blog/static/26430000220167882842196/#
hxxp://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/# 115.238.126.133


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /blog/static/26430000220167882842196/# HTTP/1.1
Accept: */*
Referer: hXXp://qqbaiduxiake.blog.163.com/blog/static/26430000220167882842196/#
Accept-Language: zh-cn
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
Host: qqbaiduxiake.blog.163.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 20 Apr 2017 17:59:31 GMT
Content-Type: text/html;charset=GBK
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Set-Cookie: NTESBLOGSI=E05834A1E279DDD09D5A8115AC9ADC2C.yqblog18-8010; Domain=.blog.163.com; Path=/
Set-Cookie: usertrack=c 5 hVj49wOEa3x2BwD7Ag==; expires=Fri, 20-Apr-18 17:59:31 GMT; domain=.163.com; path=/
P3P: policyref="/w3c/p3p.xml", CP="CUR ADM OUR NOR STA NID"

The Trojan connects to the servers at the following location(s):

%original file name%.exe_1900:

.text
`.sedata
h.idata
H.rsrc
@.sedata
gdi32.dll
user32.dll
advapi32.dll
Advapi32.dll
shlwapi.dll
wininet.dll
rasapi32.dll
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteA
wincok.dll
CCProxy.exe
CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings
\CCProxy.exe
\wincok.dll
\winipsec.dll
\ipseccmd.dll
`.data
.rsrc
msvcrt.dll
msvcirt.dll
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
WS2_32.dll
RPCRT4.dll
ole32.dll
CRYPT32.dll
WLDAP32.dll
USERENV.dll
WINIPSEC.DLL
POLSTORE.DLL
INPASS
Fatal error occured processing cmd line at line %d
Unexpected flag: %s. Check usage.
You must specify rule name: %s. Check usage.
You must specify policy name: %s. Check usage.
You must specify storage info: %s. Check usage.
Unknown flag: %s
Polstore operation returned 0x%x!
CERT
export
import
%s could not be opened for read! GetLastError = 0x%x
ipseccmd
AscAddUint(X,X, X) ERROR - bad parameters
AscMultUint(X,X, X) ERROR - bad parameters
4294967296
Encapsulation Type : %s
To %s
From %s
Transport Bytes Received %s
Transport Bytes Sent %s
Bytes Received In Tunnels %s
Bytes Sent In Tunnels %s
Offloaded Bytes Received %s
Offloaded Bytes Sent %s
Authenticated Bytes Received %s
Authenticated Bytes Sent %s
Confidential Bytes Received %s
Confidential Bytes Sent %s
ConnListSize %d
IsadbListSize %d
KeyUpdateFail %d
KeyAddFail %d
GetSpiFail %d
TotalKeyUpdate %d
TotalKeyAdd %d
TotalGetSpi %d
Total Acquire %d
Invalid Cookies Rcvd %d
Negotiation Failures %d
Receive Heap size %d
Acquire Heap size %d
Send fail %d
Receive fail %d
Acquire fail %d
Active Receive %d
Active Acquire %d
Authentication Failures %d
Soft SAs %d
Quick Modes %d
Main Modes %d
.ipsec
Couldn't get GUID for mirror filter - UuidCreate failed with status: %ul
Couldn't get GUID for MM filter - UuidCreate failed with status: %ul
ipseccmd.pdb
t.IIt
RegCloseKey
RegOpenKeyExW
CertStrToNameW
CertNameToStrW
IPSecImportPolicies
IPSecExportPolicies
\polstore.dll
@.reloc
NETAPI32.dll
PSSh,
PSShT
RegDeleteKeyW
RegSaveKeyW
RegRestoreKeyW
RegOpenKeyW
RegCreateKeyExW
RegEnumKeyExW
GetProcessHeap
polstore.pdb
winipsec.pdb
AddTransportFilter
CloseTransportFilterHandle
DeleteTransportFilter
EnumTransportFilters
GetTransportFilter
MatchTransportFilter
OpenTransportFilterHandle
SetTransportFilter
https
Mozilla/4.0 (compatible; MSIE 9.0; Windows NT 6.1)
http=
HTTP/1.1
Content-Type: application/x-www-form-urlencoded
hXXps://
hXXp://
Software\Microsoft\Windows\CurrentVersion\Internet Settings\AutoConfigURL
Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\
TMainForm.UnicodeClass
VVV.meitu.com
te.Jt
%d&&'
123456789
00003333
deflate 1.1.3 Copyright 1995-1998 Jean-loup Gailly
inflate 1.1.3 Copyright 1995-1998 Mark Adler
1.2.18
%*.*f
CNotSupportedException
commctrl_DragListMsg
Afx:%x:%x:%x:%x:%x
Afx:%x:%x
COMCTL32.DLL
CCmdTarget
MSWHEEL_ROLLMSG
__MSVCRT_HEAP_SELECT
Broken pipe
Inappropriate I/O control operation
Operation not permitted
iphlpapi.dll
SHLWAPI.dll
MPR.dll
VERSION.dll
.PAVCException@@
Shell32.dll
Mpr.dll
User32.dll
Gdi32.dll
Kernel32.dll
(&07-034/)7 '
?? / %d]
%d / %d]
.PAVCFileException@@
: %d]
(*.*)|*.*||
(*.WAV;*.MID)|*.WAV;*.MID|WAV
(*.WAV)|*.WAV|MIDI
(*.MID)|*.MID|
(*.txt)|*.txt|
(*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR)|*.JPG;*.PNG;*.BMP;*.GIF;*.ICO;*.CUR|JPG
(*.JPG)|*.JPG|PNG
(*.PNG)|*.PNG|BMP
(*.BMP)|*.BMP|GIF
(*.GIF)|*.GIF|
(*.ICO)|*.ICO|
(*.CUR)|*.CUR|
%s:%d
windows
.PAVCNotSupportedException@@
out.prn
(*.prn)|*.prn|
%d.%d
%d/%d
1.6.9
unsupported zlib version
png_read_image: unsupported transformation
%d / %d
Bogus message code %d
libpng error: %s
libpng warning: %s
1.1.3
bad keyword
libpng does not support gamma background rgb_to_gray
Palette is NULL in indexed image
(%d-%d):
%ld%c
%s <%s>
Reply-To: %s
From: %s
To: %s
Subject: %s
Date: %s
Cc: %s
%a, %d %b %Y %H:%M:%S
SMTP
(*.avi)|*.avi
WPFT532.CNV
WPFT632.CNV
EXCEL32.CNV
write32.wpc
Windows Write
mswrd632.wpc
Word for Windows 6.0
wword5.cnv
Word for Windows 5.0
mswrd832.cnv
mswrd632.cnv
Word 6.0/95 for Windows & Macintosh
html32.cnv
.PAVCObject@@
.PAVCSimpleException@@
.PAVCMemoryException@@
.?AVCNotSupportedException@@
.PAVCResourceException@@
.PAVCUserException@@
.?AVCCmdTarget@@
.?AVCCmdUI@@
.?AVCTestCmdUI@@
.PAVCArchiveException@@
zcÁ
c:\%original file name%.exe
#include "l.chs\afxres.rc" // Standard components
ntdll.dll
kernel32.dll
hid.dll
mscoree.dll
mscorwks.dll
mscorsvr.dll
KernelBase.dll
mscoreei.dll
clr.dll
diasymreader.dll
SEGetNumExecUsed
SEGetNumExecLeft
SESetNumExecUsed
SEGetExecTimeUsed
SEGetExecTimeLeft
SESetExecTime
SEGetTotalExecTimeUsed
SEGetTotalExecTimeLeft
SESetTotalExecTime
SECheckExecTime
SECheckTotalExecTime
MSVCRT.dll
IPHLPAPI.DLL
PSAPI.DLL
USER32.dll
RegOpenKeyExA
RegCreateKeyExA
RegDeleteKeyA
SHELL32.dll
GDI32.dll
%Ui_*MP
OLEAUT32.dll
WINMM.dll
WINSPOOL.DRV
%Ui_*
.rm|O
RASAPI32.dll
WININET.dll
AVIFIL32.dll
MSVFW32.dll
COMCTL32.dll
comdlg32.dll
<WINMM.dll
?AVIFIL32.dll
)WinExec
GetCPInfo
wUSER32.dll
SetWindowsHookExA
%CloseHandle
UnhookWindowsHookEx
CreateDialogIndirectParamA
GetKeyState
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
2-<GetViewportExtEx
.9comdlg32.dll
RegCreateKeyA
Safengine Shielden v2.3.8.0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity name="E.App" processorArchitecture="x86" version="5.2.0.0" type="win32"/><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"> <security> <requestedPrivileges> <requestedExecutionLevel level="requireAdministrator" uiAccess="false"/> </requestedPrivileges> </security></trustInfo></assembly>
%s%sFlags : %lu
%s%sPFS : %s
%s%sAlgo #%d :
%sOffer #%d
%sFlags : %lu %s %s %s
%sPolicy Id : %s
%sName : %s
%s%sQuickmode limit : %lu, Lifetime %luKbytes/%luseconds
%s%s%s
IP Addr %S
interface id %s
mask %S
subnet %S
Interface Type : %s
Mirrored : %s
Direction : %s, Weight : %lu
Outbound Passthru
Inbound Passthru
Protocol : %lu Src Port : %u Des Port : %u
Policy Id : %s
Filter Id : %s
Name : %s
AM #%d :
%sAuth Methods Id: %s
%sSoft SA expiration time : %lu
%sFlags : %lu %s %s
Auth Methods Id: %s
Filter %d
MM Filter %d
%s filter action
%s filter list
Example: ipseccmd export PERS persistent.ipsec
specify the .ipsec file extension, this extension will be appended.
Name of file to import/export from/to. If an export file name does not
Ipseccmd imports or exports a .ipsec file.
Import/Export MODE
Example: ipseccmd set logike
Ipseccmd sets configuration parameters for IPSec.
Example: ipseccmd show filters policies
stats - shows Internet Key Exchange(IKE) and IPSec statistics
Ipseccmd displays requested data from the IPSec Security Policies Database
INPASS will set any inbound filters in the FilterList as Pass filters while
will make all of the filters in the FilterList Pass filters.
PASS will ignore any methods in NegotiationMethodList and
values you can pass in the NegotiationMethodList that have special meaning:
made to signify filters as Pass (or permit) and Block. In Static mode, these
originally created with ipseccmd. Policies can be set as either Assigned or
Example: 10Q/3600S will rekey after 10 quick modes or every hour.
The number of Quick Modes and/or seconds after which IKE should rekey a
-1k MMRekeyTime
The strings provided as the preshared key or CA info are case sensitive
PRESHARE:"<preshared key>"
CERT:"<CA info>", e.g. CERT:"CN=CA1,OU=O,O=MEME,C=DE,E=ME@here"
DEFAULT: Omission of tunnel address assumes transport mode.
ipseccmd twice-- once for the outbound filters and outgoing tunnel
NOTE: If you need to set up a tunnel policy, you will need to execute
Example: ESP[DES,SHA]5120k/3600s will rekey after 5MB or 1 hour
after which IKE should rekey a Quick Mode security association.
Rekey: Optional setting to specify the number of KBytes and/or seconds
NOTE: ESP[NONE,NONE] is not a supported configuration.
AH[HashAlg] ESP[ConfAlg,AuthAlg]RekeyPFS<Group>
AH[HashAlg]RekeyPFS<Group>
ESP[ConfAlg,AuthAlg]RekeyPFS<Group>
Example: (0 128.2.1.1) will create 2 filters that will be exempted
the filter will be a Pass (or Permit) filter. If you surround the
PASS and BLOCK filters: By surrounding a filter specification with (),
all TCP traffic from the first subnet and the second subnet on port 80.
172.31.0.0/255.255.0.0:80 157.0.0.0/255.0.0.0:80:TCP will filter
M1 M2::6 will filter TCP traffic between addresses M1 and M2 on any port
You can use also use these protocol symbols: ICMP TCP UDP RAW
If you indicate a protocol, a port value or '::' must precede it.
Port and Protocol are optional. If omitted, the values are set to ANY
128.*.* is the same as above
128.*.*.* is same as 128.0.0.0/255.0.0.0
144.92.*.* is the same as 144.92.0.0/255.255.0.0
Mask: Optional subnet mask. If omitted, 255.255.255.255 will be used.
Optionally, you can specify the keyword DEFAULT to set the
A.B.C.D/mask:port=A.B.C.D/mask:port:protocol
Each execution of ipseccmd sets an IPSec rule, an IKE policy, or both.
Import and export mode will import or export a .ipsec policy file to/from the
To delete all dynamic policies, execute "ipseccmd -u"
import, and export. The default mode is dynamic.
Ipseccmd has multiple mutually exclusive modes: dynamic, static, show, set
For extended usage, run: ipseccmd -?
Executes a file containing regular static or dynamic ipseccmd commands.
ipseccmd -file FileName
Imports or exports a static policy file.
ipseccmd \\machinename [import OR export] Location FileName
ipseccmd \\machinename set [logike OR dontlogike]
ipseccmd \\machinename show gpo filters policies auth stats sas all
{-w Location -p PolicyName:PollInterval -r RuleName [-x OR -y] -o}
-a AuthMethodList -1s SecurityMethodList -1k MMRekeyTime
ipseccmd \\machinename -f FilterList -n NegotiationMethodList -t TunnelAddr
Failed to add policy, error 0x%x
PA RPC not ready. Sleeping for %d seconds...
Couldn't check status of Policy Agent service, error 0x%x, Exiting.
Couldn't start Policy Agent service, error 0x%x, Exiting.
Error converting policy: 0x%x
Error 0x%x occurred:
text2pol.dll
Error: the argument is too long (>%d symbols)
EnumQMSAs failed with error %d
Source UDP Encap port : %u Dest UDP Encap port: %u
Direction : %s
Protocol : %lu Src Port : %u Des Port : %u
%s Filter
IPSecEnumMMSAs failed with error %d
Transport
Quick Mode SA #%d:
Source UDP Encap port : %u Dest UDP Encap port: %u
Auth Used : %s
Main Mode SA #%d:
ReKeys %lu
Key Deletes %lu
Key Adds %lu
Pending Key %lu
QueryIPSecStatistics failed with error %d
EnumMMAuthMethods failed with error %d
EnumQMPolicies failed with error %d
IPSecQueryIKEStatistics failed with error %d
Main Mode Authentication Methods #%d:
Quick Mode Policy #%d:
EnumMMPolicies failed with error %d
Main Mode Policy #%d:
EnumTunnelFilters failed with error %d
Specific Tunnel Filter #%d:
Generic Tunnel Filter #%d:
EnumTransportFilters failed with error %d
Specific Transport Filter #%d:
Specific Transport Filters
Generic Transport Filter #%d:
Generic Transport Filters
EnumMMFilters failed with error %d
Specific MM Filter #%d:
Generic MM Filter #%d:
Policy Path: %s
Directory Policy Name: %s
Policy Path: HKLM\%s
Description: %s
Local Policy Name: %s
A failure occured getting policy information: error %d
An error occurred importing data.
An error occurred exporting data.
{e437bc1c-aa7d-11d2-a382-00c04f991e27}
Software\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions
MainMode Key Exchange
MainMode Key Authorizated
Preshared Key
RSA (Cert) Signature
RSA (Cert) Encryption
ipseccmd
SOFTWARE\Policies\Microsoft\Windows\IPSEC\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSEC\Policy\Cache
The operation was successful.
pass-thru filter indicated but not closed properly
A string was used to designate protocol and it was not supported.
The unit for phase 2 rekey time is invalid.
Designated hash algorithm for AH is either invalid or not supported.
An undefined parse error occured due to unsupported/invalid syntax.
ESP with NULL encryption and NULL authentication is not currently supported.
Preshared key indicated, but not supplied.
The authentication method specified is invalid or unsupported.
Invalid or unsupported DH group specified.
The unit for phase 1 rekey time is invalid.
The TYPE of storage is not supported.
Storage mode indicated but no storage info passed- internal error.
The minimum rekey for Phase 2 is 20480 KB and 300 seconds.
Windows IPSec Command Utility
5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ipseccmd.exe
Windows
Operating System
5.1.2600.2180
SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Save
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Persistent
OperationMode
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Cache
polstore.dll
TypesSupported
%SystemRoot%\System32\oakley.dll
SOFTWARE\Policies\Microsoft\Windows\IPSec\Policy\Local
SOFTWARE\Policies\Microsoft\Windows\IPSec
dddddd
!"#$%&'()* ,-./0123456789:;<=
5.1.2600.5512 (xpsp.080413-0852)
Microsoft(R) Windows(R) Operating System
5.1.2600.5512
/024 &#(;%
Windows IPSec SPD Client DLL
winipsec.dll
(*.*)
1.0.0.0
1.3.8
(hXXp://VVV.eyuyan.com)

%original file name%.exe_1900_rwx_00588000_00002000:

MSVCRT.dll
IPHLPAPI.DLL
PSAPI.DLL
KERNEL32.dll
USER32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
ADVAPI32.dll
SHELL32.dll

NOTEPAD.EXE_1796:

.text
.data
.rsrc
.reloc
ADVAPI32.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
msvcrt.dll
COMDLG32.dll
SHELL32.dll
WINSPOOL.DRV
ole32.dll
SHLWAPI.dll
COMCTL32.dll
OLEAUT32.dll
VERSION.dll
ntdll.dll
RegCloseKey
RegCreateKeyW
RegOpenKeyExW
GetProcessHeap
SetViewportExtEx
GetKeyboardLayout
_amsg_exit
_acmdln
ShellExecuteExW
notepad.pdb
name="Microsoft.Windows.Shell.notepad"
version="5.1.0.0"
<description>Windows Shell</description>
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
<requestedExecutionLevel level="asInvoker" uiAccess="false"/>
<windowsSettings>
<dpiAware xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>
</windowsSettings>
/.SETUP
%s%c*.txt%c%s%c*.*%c
*.txt
mshelp://windows/?id=5d18d5fb-e737-4a73-b6cc-dccc63720231
\StringFileInfo\xx\OriginalFilename
\sppsvc.exe
\slui.exe
\sppuinotify.dll
Text Documents (*.txt)
6.1.7600.16385 (win7_rtm.090713-1255)
NOTEPAD.EXE
Windows
Operating System
6.1.7600.16385

%original file name%.exe_1900_rwx_00592000_00003000:

MSVCRT.dll
IPHLPAPI.DLL
PSAPI.DLL
KERNEL32.dll
USER32.dll

%original file name%.exe_1900_rwx_00626000_0003F000:

KERNEL32.dll
USER32.dll
ADVAPI32.dll
GDI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
WS2_32.dll
WINMM.dll
WINSPOOL.DRV
RASAPI32.dll
WININET.dll
AVIFIL32.dll
MSVFW32.dll
COMCTL32.dll
comdlg32.dll

%original file name%.exe_1900_rwx_00667000_00002000:

GDI32.dll
SetViewportOrgEx
OffsetViewportOrgEx
SetViewportExtEx
ScaleViewportExtEx
GetViewportOrgEx
GetViewportExtEx
WINSPOOL.DRV
RegCloseKey
ole32.dll
ADVAPI32.dll
comdlg32.dll
RegCreateKeyA
RegOpenKeyExA
ShellExecuteA
SHELL32.dll
RegCreateKeyExA
COMCTL32.dll
OLEAUT32.dll
PSAPI.DLL
WININET.dll
IPHLPAPI.DLL
MSVCRT.dll
Safengine Shielden v2.3.8.0

%original file name%.exe_1900_rwx_01450000_0004C000:

KERNELBASE.dll
BaseGetProcessExePath
BaseReleaseProcessExePath
ConnectNamedPipe
CreateIoCompletionPort
CreateMutexExA
CreateMutexExW
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
EnumCalendarInfoExEx
EnumDateFormatsExEx
GetCPFileNameFromRegistry
GetCPHashNode
GetCPInfo
GetCPInfoExW
GetNamedPipeAttribute
GetNamedPipeClientComputerNameW
GetProcessHeap
GetProcessHeaps
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetWindowsAccountDomainSid
GetWindowsDirectoryA
GetWindowsDirectoryW
ImpersonateNamedPipeClient
NeedCurrentDirectoryForExePathA
NeedCurrentDirectoryForExePathW
OpenRegKey
PeekNamedPipe
SetNamedPipeHandleState
SetProcessShutdownParameters
TransactNamedPipe
WaitNamedPipeW
NTDLL.RtlAcquireSRWLockExclusive
NTDLL.RtlAcquireSRWLockShared
NTDLL.TpCancelAsyncIoOperation
NTDLL.TpReleasePool
NTDLL.TpReleaseCleanupGroup
NTDLL.TpReleaseCleanupGroupMembers
NTDLL.TpReleaseIoCompletion
NTDLL.TpReleaseTimer
NTDLL.TpReleaseWait
NTDLL.TpReleaseWork
NTDLL.RtlDecodePointer
NTDLL.RtlDecodeSystemPointer
NTDLL.RtlDeleteCriticalSection
NTDLL.TpDisassociateCallback
NTDLL.RtlEncodePointer
NTDLL.RtlEncodeSystemPointer
NTDLL.RtlEnterCriticalSection
NTDLL.RtlExitUserThread
NTDLL.NtFlushProcessWriteBuffers
NTDLL.TpCallbackUnloadDllOnCompletion
NTDLL.RtlAllocateHeap
NTDLL.RtlFreeHeap
NTDLL.RtlReAllocateHeap
NTDLL.RtlSizeHeap
NTDLL.RtlInitializeCriticalSection
NTDLL.RtlInitializeSListHead
NTDLL.RtlInitializeSRWLock
NTDLL.RtlInterlockedCompareExchange64
NTDLL.RtlInterlockedFlushSList
NTDLL.RtlInterlockedPopEntrySList
NTDLL.RtlInterlockedPushEntrySList
NTDLL.RtlInterlockedPushListSList
NTDLL.TpIsTimerSet
NTDLL.RtlLeaveCriticalSection
NTDLL.TpCallbackLeaveCriticalSectionOnCompletion
NTDLL.RtlQueryDepthSList
NTDLL.RtlQueryPerformanceCounter
NTDLL.RtlQueryPerformanceFrequency
NTDLL.TpCallbackReleaseMutexOnCompletion
NTDLL.RtlReleaseSRWLockExclusive
NTDLL.RtlReleaseSRWLockShared
NTDLL.TpCallbackReleaseSemaphoreOnCompletion
NTDLL.RtlSetCriticalSectionSpinCount
NTDLL.TpCallbackSetEventOnCompletion
NTDLL.RtlSetLastWin32Error
NTDLL.TpSetPoolMaxThreads
NTDLL.TpSetTimer
NTDLL.TpSetWait
NTDLL.TpStartAsyncIoOperation
NTDLL.TpPostWork
NTDLL.RtlTryAcquireSRWLockExclusive
NTDLL.RtlTryAcquireSRWLockShared
NTDLL.RtlTryEnterCriticalSection
NTDLL.TpWaitForIoCompletion
NTDLL.TpWaitForTimer
NTDLL.TpWaitForWait
NTDLL.TpWaitForWork
SXS: %s failing because RtlQueryInformationActivationContext() returned status lx
SXS: %s - Failing thread create because RtlActivateActivationContextEx() failed with status lx
SXS: %s - Failing thread create because RtlQueryInformationActivationContext() failed with status lx
%s - Failing thread create because RtlAllocateActivationContextStack() failed with status lx
SXS: %s - Failure getting active activation context; ntstatus lx
ntdll.dll
NtCreateNamedPipeFile
NtDelayExecution
NtQueryValueKey
NtOpenKey
RtlReportSilentProcessExit
NtYieldExecution
RtlGetProcessHeaps
NtSetValueKey
NtEnumerateValueKey
NtCreateKey
NtDeleteKey
NtEnumerateKey
NtNotifyChangeKey
NtDeleteValueKey
NtQueryMultipleValueKey
kernelbase.pdb
Allow flag to be passed with CreateFile call that indicates to perform downgrade if applicable.
kernel32.dll
\Windows
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
NoDefaultCurrentDirectoryInExePath
%s\%x\%s
netmsg.dll
sShortTime
sShortDate
\\.\MountPointManager
\Device\NamedPipe\
\DosDevices\pipe\
\\.\pipe\
pipe\
\\?\UNC
USER32.DLL
\\?\UNC\
\\?\GLOBALROOT
0123456789
%s%s%s
Windows NT BASE API Client DLL
6.1.7601.17651 (win7sp1_gdr.110715-1504)
Windows
Operating System
6.1.7601.17651

%original file name%.exe_1900_rwx_01560000_000A1000:

mpr.dll
ldap_msgfree
1.2.840.113556.1.4.529
wldap32.dll
ADVAPI32.dll
CryptDeriveKey
CryptDestroyKey
CryptDuplicateKey
CryptExportKey
CryptGenKey
CryptGetKeyParam
CryptGetUserKey
CryptHashSessionKey
CryptImportKey
CryptSetKeyParam
ElfReportEventA
ElfReportEventAndSourceW
ElfReportEventW
EncryptedFileKeyInfo
FreeEncryptedFileKeyInfo
FreeEncryptionCertificateHashList
GetEventLogInformation
GetMultipleTrusteeOperationA
GetMultipleTrusteeOperationW
GetServiceKeyNameA
GetServiceKeyNameW
GetWindowsAccountDomainSid
ImpersonateNamedPipeClient
LogonUserExExW
MSChapSrvChangePassword
MSChapSrvChangePassword2
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExW
RegCreateKeyTransactedA
RegCreateKeyTransactedW
RegCreateKeyW
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteKeyExW
RegDeleteKeyTransactedA
RegDeleteKeyTransactedW
RegDeleteKeyValueA
RegDeleteKeyValueW
RegDeleteKeyW
RegDisableReflectionKey
RegEnableReflectionKey
RegEnumKeyA
RegEnumKeyExA
RegEnumKeyExW
RegEnumKeyW
RegFlushKey
RegGetKeySecurity
RegLoadAppKeyA
RegLoadAppKeyW
RegLoadKeyA
RegLoadKeyW
RegNotifyChangeKeyValue
RegOpenKeyA
RegOpenKeyExA
RegOpenKeyExW
RegOpenKeyTransactedA
RegOpenKeyTransactedW
RegOpenKeyW
RegOverridePredefKey
RegQueryInfoKeyA
RegQueryInfoKeyW
RegQueryReflectionKey
RegRenameKey
RegReplaceKeyA
RegReplaceKeyW
RegRestoreKeyA
RegRestoreKeyW
RegSaveKeyA
RegSaveKeyExA
RegSaveKeyExW
RegSaveKeyW
RegSetKeySecurity
RegSetKeyValueA
RegSetKeyValueW
RegUnLoadKeyA
RegUnLoadKeyW
ReportEventA
ReportEventW
SaferiIsExecutableFileType
SetUserFileEncryptionKey
SetUserFileEncryptionKeyEx
WmiExecuteMethodA
WmiExecuteMethodW
KERNELBASE.AddMandatoryAce
ntdll.EtwCreateTraceInstanceId
ntdll.EtwEventActivityIdControl
ntdll.EtwEventEnabled
ntdll.EtwEventProviderEnabled
ntdll.EtwEventRegister
ntdll.EtwEventUnregister
ntdll.EtwEventWrite
ntdll.EtwEventWriteEndScenario
ntdll.EtwEventWriteStartScenario
ntdll.EtwEventWriteString
ntdll.EtwEventWriteTransfer
ntdll.EtwGetTraceEnableFlags
ntdll.EtwGetTraceEnableLevel
ntdll.EtwGetTraceLoggerHandle
KERNELBASE.IsValidRelativeSecurityDescriptor
NTDLL.MD4Final
NTDLL.MD4Init
NTDLL.MD4Update
NTDLL.MD5Final
NTDLL.MD5Init
NTDLL.MD5Update
pcwum.PerfCreateInstance
pcwum.PerfDecrementULongCounterValue
pcwum.PerfDecrementULongLongCounterValue
pcwum.PerfDeleteInstance
pcwum.PerfIncrementULongCounterValue
pcwum.PerfIncrementULongLongCounterValue
pcwum.PerfQueryInstance
pcwum.PerfSetCounterRefValue
pcwum.PerfSetCounterSetInfo
pcwum.PerfSetULongCounterValue
pcwum.PerfSetULongLongCounterValue
pcwum.PerfStartProvider
pcwum.PerfStartProviderEx
pcwum.PerfStopProvider
ntdll.EtwRegisterTraceGuidsA
ntdll.EtwRegisterTraceGuidsW
CRYPTSP.CheckSignatureInFile
ntdll.EtwLogTraceEvent
ntdll.EtwTraceEventInstance
ntdll.EtwTraceMessage
ntdll.EtwTraceMessageVa
ntdll.EtwUnregisterTraceGuids
d:\w7rtm\minkernel\screg\winreg\perflib\manifest.c
CloseWindowStation
GetProcessWindowStation
MsgWaitForMultipleObjects
d:\w7rtm\minkernel\screg\winreg\perflib\extinit.c
d:\w7rtm\minkernel\screg\winreg\perflib\utils.c
d:\w7rtm\minkernel\screg\winreg\perflib\perflib.c
d:\w7rtm\minkernel\screg\winreg\perflib\extquery.c
d:\w7rtm\minkernel\screg\winreg\perflib\perfname.c
d:\w7rtm\minkernel\screg\winreg\perflib\migrate.c
TermsrvSetKeySecurity
TermsrvRestoreKey
TermsrvDeleteKey
TermsrvSetValueKey
tsappcmp.dll
d:\w7rtm\minkernel\screg\winreg\regbase\perflibc.c
d:\w7rtm\minkernel\screg\winreg\perflib\perflibc.c
d:\w7rtm\minkernel\screg\winreg\perflib\pcwconsumer.c
Unable to locate init routine, error = %d
Unable to load client dll, error = %d
SamiChangePasswordUser2
SamiChangePasswordUser
ShellExecuteExW
AccProvGetOperationResults
AccProvCancelOperation
SetupDiOpenDevRegKey
CRYPTSP.dll
WINTRUST.dll
SspiCli.dll
USER32.dll
bcrypt.dll
API-MS-Win-Security-LSALookup-L1-1-0.dll
pcwum.dll
SetProcessWindowStation
RPCRT4.dll
KERNEL32.dll
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-NamedPipe-L1-1-0.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-WIN-Service-Management-L2-1-0.dll
API-MS-WIN-Service-Management-L1-1-0.dll
API-MS-WIN-Service-winsvc-L1-1-0.dll
API-MS-WIN-Service-Core-L1-1-0.dll
KERNELBASE.dll
ntdll.dll
msvcrt.dll
RtlRunOnceExecuteOnce
NtOpenKey
NtQueryValueKey
NtQueryKey
NtCreateKey
NtSetValueKey
NtDeleteKey
NtEnumerateKey
RtlFormatCurrentUserKeyPath
NtDelayExecution
EtwpGetCpuSpeed
NtRenameKey
NtLoadKeyEx
NtCreateKeyTransacted
NtOpenKeyTransacted
NtQueryMultipleValueKey
NtOpenKeyEx
NtOpenKeyTransactedEx
NtReplaceKey
NtSaveKey
NtSaveMergedKeys
GetSystemWindowsDirectoryW
GetProcessHeap
advapi32.pdb
%s\u
x-x-x-xx-xxxxxx
\PIPE\
cryptbase.dll
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%
%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%
Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Windows NT Network Provider
\\.\WMIDataDevice
lX-X-X-XX-XXXXXX
Software\Microsoft\Windows NT\CurrentVersion\Diagnostics
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
%HKEY_LOCAL_MACHINE
%HKEY_CURRENT_USER
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer
\Software\Policies\Microsoft\Windows\Safer
\UrlZones
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
ncacn_ip_tcp
rpcrt4.dll
%SystemRoot%\
%SystemRoot%\System32\Drivers\
user32.dll
msiltcfg.dll
Software\Microsoft\Windows\CurrentVersion\Group Policy\Appmgmt
Export
SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\SystemRoot\system32\perf0000.dat
%SystemRoot%\Debug\UserMode\appmgmt.bak
APPMGMT (%x.%x) d:d:d:d
%s%s%d%s%s%s%s%s%s%s{lx-x-x-xx-xxxxxx}
certificate
PerfDbg.Etl
C:\perfdbg.etl
$winnt$.inf
\SystemRoot\system32\prf00000.dat
127.0.0.1
{lx-x-x-xx-xxxxxx}
UrlZones
DisallowExecution
setupapi.dll
advapi32.dll
iphlpapi.dll
\PIPE\winreg
perfh016.dat
perfc016.dat
perfh004.dat
perfc004.dat
feclient.dll
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
samlib.dll
LsarpcClientAllowRemotedSecretOperations
SupportUrl
shell32.dll
CEvents::Report called with more params then expected!
8c7daf44-b6dc-11d1-9a4c-0020af6e7c57
%SystemRoot%\Debug\UserMode\appmgmt.log
{x-x-x-xx-xxxxxx}
\Device\Video%d
HardwareInformation.BiosString
HardwareInformation.AdapterString
HardwareInformation.DacType
HardwareInformation.ChipType
HardwareInformation.MemorySize
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
\Device\Harddisk%u\Partition0
\\.\%s
Target%d
WindowsShutdown
765294BA-60BC-48B8-92E9-89FD77769D91
ws2_32.dll
NOT_TCPIP
%ws\%ws.tmp
ncacn_nb_tcp
\PIPE\InitShutdown
Advanced Windows 32 Base API
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows
Operating System
6.1.7601.17514
Microsoft-Windows-Kernel-WDI/Analytic
Microsoft-Windows-Kernel-WDI/Debug
Microsoft-Windows-Kernel-WDI/Operational
Keyword
KERNEL_GENERAL_KEYWORD_TIME
Microsoft-Windows-Kernel-Process/Analytic
ReadOperationCount
WriteOperationCount
WINEVENT_KEYWORD_PROCESS
WINEVENT_KEYWORD_THREAD
WINEVENT_KEYWORD_IMAGE
WINEVENT_KEYWORD_CPU_PRIORITY
WINEVENT_KEYWORD_OTHER_PRIORITY
Microsoft-Windows-Kernel-Registry/Analytic
KeyObject
KeyName
CreateKey
OpenKey
DeleteKey
QueryKey
SetValueKey
DeleteValueKey
QueryValueKey
EnumerateKey
EnumerateValueKey
QueryMultipleValueKey
SetInformationKey
FlushKey
CloseKey
QuerySecurityKey
SetSecurityKey
Microsoft-Windows-Kernel-PnP/Diagnostic
Pnp:DpReplace.ExtendedStatusMap
SqmWindowsSessionId
Microsoft-Windows-Kernel-Acpi/Diagnostic
Microsoft-Windows-International/Operational
RegistryKey
Operation
Microsoft-Windows-User-Loader/Analytic
USER_LOADER_KEYWORD_DEPRECATED_DLL
Microsoft-Windows-Kernel-BootDiagnostics/Diagnostic
Microsoft-Windows-Kernel-Prefetch/Diagnostic
Microsoft-Windows-UAC/Operational
Microsoft-Windows-COM/Analytic
hXXp://schemas.microsoft.com/win/2004/08/events
hXXp://schemas.microsoft.com/schemas/event/Microsoft.Windows/1.0.0.0
Microsoft-Windows-MUI/Operational
Microsoft-Windows-MUI/Admin
Microsoft-Windows-MUI/Analytic
Microsoft-Windows-MUI/Debug
Microsoft-Windows-Kernel-Network/Analytic
dport
sport
KERNEL_NETWORK_OPCODE_TCPCOPY
KERNEL_NETWORK_OPCODE_SENDUDP
KERNEL_NETWORK_OPCODE_RECVUDP
KERNEL_NETWORK_OPCODE_FAILUDP
KERNEL_NETWORK_TASK_TCPIP
KERNEL_NETWORK_TASK_UDPIP
KERNEL_NETWORK_KEYWORD_IPV4
KERNEL_NETWORK_KEYWORD_IPV6
Microsoft-Windows-Kernel-Disk/Analytic
Microsoft-Windows-Kernel-EventTracing/Admin
Microsoft-Windows-Kernel-EventTracing/Analytic
ETW_KEYWORD_SESSION
ETW_KEYWORD_PROVIDER
Microsoft-Windows-Kernel-Boot/Analytic
Microsoft-Windows-Kernel-File/Analytic
FileKey
OperationEnd
KERNEL_FILE_KEYWORD_FILENAME
KERNEL_FILE_KEYWORD_FILEIO
KERNEL_FILE_KEYWORD_OP_END
KERNEL_FILE_KEYWORD_CREATE
KERNEL_FILE_KEYWORD_READ
KERNEL_FILE_KEYWORD_WRITE
KERNEL_FILE_KEYWORD_DELETE_PATH
KERNEL_FILE_KEYWORD_RENAME_SETLINK_PATH
KERNEL_FILE_KEYWORD_CREATE_NEW_FILE
Microsoft-Windows-PCI/Diagnostic
Microsoft-Windows-Kernel-StoreMgr/Analytic
Microsoft-Windows-Kernel-StoreMgr/Operational
CacheTerminationMsgMap
StoreMgrCorruptPageMsgMap
DataKey
StoreKey
StoreFileKey
Microsoft-Windows-Kernel-Memory/Analytic
KERNEL_MEM_KEYWORD_MEMINFO

%original file name%.exe_1900_rwx_01640000_000D5000:

CM_Open_DevNode_Key
CryptCATCatalogInfoFromContext
WSDCreateUdpTransport
WSDCreateUdpMessageParameters
WSDCreateUdpAddress
WSDCreateHttpTransport
WSDCreateHttpMessageParameters
WSDCreateHttpAddress
WSASendMsg
WlanGetProfileKeyInfo
WlanHostedNetworkSetSecondaryKey
WlanHostedNetworkQuerySecondaryKey
_WinStationNotifyDisconnectPipe
WinStationUserLoginAccessCheck
WinStationSetAutologonPassword
WinStationReportUIResult
WinStationIsHelpAssistantSession
WinStationGetUserCertificates
WinStationFreeUserCertificates
WinStationEnumerate_IndexedW
WinStationEnumerate_IndexedA
midiOutShortMsg
_GetFileExtensionFromUrl
UrlZonesDetach
UpdateUrlCacheContentPath
UnlockUrlCacheEntryStream
UnlockUrlCacheEntryFileW
UnlockUrlCacheEntryFileA
ShowX509EncodedCertificate
ShowClientAuthCerts
ShowCertificate
SetUrlCacheHeaderData
SetUrlCacheGroupAttributeW
SetUrlCacheGroupAttributeA
SetUrlCacheEntryInfoW
SetUrlCacheEntryInfoA
SetUrlCacheEntryGroupW
SetUrlCacheEntryGroupA
SetUrlCacheConfigInfoW
SetUrlCacheConfigInfoA
RunOnceUrlCache
RetrieveUrlCacheEntryStreamW
RetrieveUrlCacheEntryStreamA
RetrieveUrlCacheEntryFileW
RetrieveUrlCacheEntryFileA
RegisterUrlCacheNotification
ReadUrlCacheEntryStream
ParseX509EncodedCertificateForListBoxEntry
LoadUrlCacheContent
IsUrlCacheEntryExpiredW
IsUrlCacheEntryExpiredA
IsHostInProxyBypassList
InternetShowSecurityInfoByURLW
InternetShowSecurityInfoByURLA
InternetOpenUrlW
InternetOpenUrlA
InternetGetSecurityInfoByURLW
InternetGetSecurityInfoByURLA
InternetGetCertByURLA
InternetGetCertByURL
InternetCreateUrlW
InternetCreateUrlA
InternetCrackUrlW
InternetCrackUrlA
InternetCombineUrlW
InternetCombineUrlA
InternetCanonicalizeUrlW
InternetCanonicalizeUrlA
IncrementUrlCacheHeaderData
HttpSendRequestW
HttpSendRequestExW
HttpSendRequestExA
HttpSendRequestA
HttpQueryInfoW
HttpQueryInfoA
HttpOpenRequestW
HttpOpenRequestA
HttpEndRequestW
HttpEndRequestA
HttpAddRequestHeadersW
HttpAddRequestHeadersA
GetUrlCacheHeaderData
GetUrlCacheGroupAttributeW
GetUrlCacheGroupAttributeA
GetUrlCacheEntryInfoW
GetUrlCacheEntryInfoExW
GetUrlCacheEntryInfoExA
GetUrlCacheEntryInfoA
GetUrlCacheConfigInfoW
GetUrlCacheConfigInfoA
FtpSetCurrentDirectoryW
FtpSetCurrentDirectoryA
FtpRenameFileW
FtpRenameFileA
FtpRemoveDirectoryW
FtpRemoveDirectoryA
FtpPutFileW
FtpPutFileEx
FtpPutFileA
FtpOpenFileW
FtpOpenFileA
FtpGetFileW
FtpGetFileSize
FtpGetFileEx
FtpGetFileA
FtpGetCurrentDirectoryW
FtpGetCurrentDirectoryA
FtpFindFirstFileW
FtpFindFirstFileA
FtpDeleteFileW
FtpDeleteFileA
FtpCreateDirectoryW
FtpCreateDirectoryA
FtpCommandW
FtpCommandA
FreeUrlCacheSpaceW
FreeUrlCacheSpaceA
FindNextUrlCacheGroup
FindNextUrlCacheEntryW
FindNextUrlCacheEntryExW
FindNextUrlCacheEntryExA
FindNextUrlCacheEntryA
FindNextUrlCacheContainerW
FindNextUrlCacheContainerA
FindFirstUrlCacheGroup
FindFirstUrlCacheEntryW
FindFirstUrlCacheEntryExW
FindFirstUrlCacheEntryExA
FindFirstUrlCacheEntryA
FindFirstUrlCacheContainerW
FindFirstUrlCacheContainerA
FindCloseUrlCache
DetectAutoProxyUrl
DeleteUrlCacheGroup
DeleteUrlCacheEntryW
DeleteUrlCacheEntryA
DeleteUrlCacheContainerW
DeleteUrlCacheContainerA
CreateUrlCacheGroup
CreateUrlCacheEntryW
CreateUrlCacheEntryA
CreateUrlCacheContainerW
CreateUrlCacheContainerA
CommitUrlCacheEntryW
CommitUrlCacheEntryA
WinHttpWriteData
WinHttpTimeToSystemTime
WinHttpTimeFromSystemTime
WinHttpSetTimeouts
WinHttpSetStatusCallback
WinHttpSetOption
WinHttpSetCredentials
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReadData
WinHttpQueryOption
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpQueryAuthSchemes
WinHttpOpenRequest
WinHttpOpen
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetDefaultProxyConfiguration
WinHttpCreateUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpCloseHandle
WinHttpAddRequestHeaders
WerpSubmitReportFromStore
WerpSetReportFlags
WerpSetIntegratorReportId
WerpGetReportFlags
WerpGetIntegratorReportId
WerpCreateIntegratorReportId
WerpAddRegisteredDataToReport
WerReportSubmit
WerReportSetUIOption
WerReportSetParameter
WerReportCreate
WerReportCloseHandle
WerReportAddFile
WerReportAddDump
WsShutdownSessionChannel
WsRegisterOperationForCancel
WsGetOperationContextProperty
WsEncodeUrl
WsDecodeUrl
WsCombineUrl
WsAsyncExecute
ToplScheduleImport
ToplScheduleExportReadonly
LogonUserExExW
ChangeAccountPasswordW
ChangeAccountPasswordA
NetServerTransportEnum
NetServerTransportDel
NetServerTransportAddEx
SqmIsWindowsOptedIn
SLSetCurrentProductKey
SLGetPKeyInformation
SLGetPKeyId
SLGetInstalledProductKeyIds
SpInfGetLineTextWithKey
SLGetPackageProductKey
GetScheduledDiagnosticsExecutionLevel
SceSetupUpdateSecurityKey
SamiSyncDSRMPasswordFromAccount
SamiOemChangePasswordUser2WithTransport
SamiChangePasswordUser3
SamiChangePasswordUser
SamiChangeKeys
SamValidatePassword
SamChangePasswordUser2
SamChangePasswordUser
NetValidatePasswordPolicyFree
NetValidatePasswordPolicy
NetUserChangePassword
RmJoinSession
WinHttpCallbackAvrf
I_RpcBindingInqTransportType
PowerOpenUserPowerKey
PowerOpenSystemPowerKey
PowerInternalImportPowerScheme
CertAutoRemove
CertAutoEnrollment
PeerGraphImportDatabase
PeerGraphExportDatabase
OneXUpdatePortProfile
OneXDestroySupplicantPort
OneXCreateSupplicantPort
KccExecuteTask
UpdateBackupExclusionKey
NetpIsShareNameValid
NetRemoteComputerSupports
NetpGetJoinInformation
NetpDomainJoinLicensingCheck
NetpDoDomainJoin
NetpCompleteOfflineDomainJoin
NetRequestOfflineDomainJoin
NdfExecuteDiagnosis
NdfCreateWebIncidentEx
NdfCreateWebIncident
BCryptImportKeyPair
BCryptImportKey
BCryptGenerateSymmetricKey
BCryptGenerateKeyPair
BCryptFinalizeKeyPair
BCryptExportKey
BCryptDuplicateKey
BCryptDestroyKey
BCryptDeriveKeyPBKDF2
BCryptDeriveKeyCapi
BCryptDeriveKey
WasDTCInstalledBySQL
SpcGetCertFromKey
GetCryptProvFromCertEx
GetCryptProvFromCert
FreeCryptProvFromCertEx
FreeCryptProvFromCert
ShowModelessHTMLDialog
MprConfigTransportSetInfo
MprConfigTransportGetInfo
MprConfigTransportGetHandle
MprConfigTransportDelete
MprConfigTransportCreate
MprConfigInterfaceTransportRemove
MprConfigInterfaceTransportGetInfo
MprConfigInterfaceTransportGetHandle
MprConfigInterfaceTransportEnum
MprConfigInterfaceTransportAdd
MprAdminTransportSetInfo
MprAdminTransportGetInfo
MprAdminTransportCreate
MprAdminPortGetInfo
MprAdminPortEnum
MprAdminInterfaceTransportRemove
MprAdminInterfaceTransportAdd
WNetPasswordChangeNotify
MFCreateSourceReaderFromURL
MFCreateSinkWriterFromURL
MFGetSupportedSchemes
MFGetSupportedMimeTypes
MFCreateASFMultiplexer
MFCreateASFIndexerByteStream
MFCreateASFIndexer
LsaINotifyPasswordChanged
LsaICallPackagePassthrough
PRShowSaveFromMsginaW
PRShowRestoreFromMsginaW
KRShowKeyMgr
MimeOleParseMhtmlUrl
ImmGetVirtualKey
ImageRemoveCertificate
ImageGetCertificateHeader
ImageGetCertificateData
ImageEnumerateCertificates
ImageAddCertificate
FindExecutableImage
AddUrlToFavorites
TestURL
ShowInetcpl
NewUrl
ImportZones
ImportSearchProviders
ImportRatings
ImportRSSFeeds
ImportQuickLinks
ImportPrograms
ImportHomePage
ImportFavoritesCmd
ImportFavorites
ImportConnectSet
ImportADMFile
GetURLLinkType
GetFavoriteUrl
ExportRSSFeeds
ExportQuickLinks
ExportFavorites
CheckForDupKeys
IcfGetOperationalMode
GdiplusShutdown
GdipSetImageAttributesColorKeys
SetViewportOrgEx
SetViewportExtEx
FaxSetPortW
FaxSetPortExW
FaxSetPortExA
FaxSetPortA
FaxOpenPort
FaxGetReportedServerAPIVersion
FaxGetPortW
FaxGetPortExW
FaxGetPortExA
FaxGetPortA
FaxEnumPortsW
FaxEnumPortsExW
FaxEnumPortsExA
FaxEnumPortsA
FwpmFilterGetByKey0
FwpmFilterDeleteByKey0
FmsGetGdiLogicalFont
FmsGetGDILogFont
FmsGetFontProperty
FmsGetFontAutoActivationMode
FmsGetFilteredPropertyList
FmsGetFilteredFontList
FmsGetDirectWriteLogFont
FmsGetCurrentFilter
FmsGetBestMatchInFamily
FWResetIndicatedPortInUse
FWIndicatePortInUse
JetMakeKey
DwmGetTransportAttributes
gHvpServerImportDriverPackage
DriverStoreImportW
DrtDeleteIpv6UdpTransport
DrtCreateIpv6UdpTransport
DrtDeleteDerivedKeySecurityProvider
DrtCreateDerivedKeySecurityProvider
DrtCreateDerivedKey
DrtUpdateKey
DrtUnregisterKey
DrtRegisterKey
NetDfsGetSupportedNamespaceVersion
DevObjOpenDeviceInterfaceRegKey
DevObjOpenDevRegKey
DevObjOpenClassRegKey
DevObjGetDevicePropertyKeys
DevObjGetDeviceInterfacePropertyKeys
DevObjGetClassPropertyKeys
DevObjDeleteDeviceInterfaceRegKey
DevObjDeleteDevRegKey
DevObjCreateDeviceInterfaceRegKey
DevObjCreateDevRegKey
DavGetUNCFromHTTPPath
DavGetHTTPFromUNCPath
DavCheckAndConvertHttpUrlToUncName
CryptXmlImportPublicKey
CryptUIWizCertRequest
CryptUIDlgViewCertificateW
CryptUIDlgSelectCertificateW
CryptUIDlgSelectCertificateFromStore
CryptUIDlgCertMgr
CertSelectionGetSerializedBlob
CryptSetKeyParam
CryptImportKey
CryptGetUserKey
CryptGetKeyParam
CryptGenKey
CryptExportKey
CryptDestroyKey
CryptDeriveKey
CryptRetrieveObjectByUrlW
CryptRetrieveObjectByUrlA
GetFriendlyNameOfCertW
GetFriendlyNameOfCertA
CertViewPropertiesW
CertViewPropertiesA
CertSelectCertificateW
CertSelectCertificateA
CredUIPromptForWindowsCredentialsWorker
CredUIPromptForWindowsCredentialsW
CredUICmdLinePromptForCredentialsW
TaskDialogIndirect
PstMapCertificate
PstGetUserNameForCertificate
PstGetCertificates
PstAcquirePrivateKey
CAGetCertTypePropertyEx
CAGetCertTypeProperty
CAGetCertTypeKeySpec
CAGetCertTypeFlagsEx
CAGetCertTypeFlags
CAGetCertTypeExtensionsEx
CAGetCertTypeExtensions
CAGetCertTypeExpiration
CAGetCACertificate
CAFreeCertTypeProperty
CAFreeCertTypeExtensions
CAFindCertTypeByName
CAEnumNextCertType
CAEnumCertTypesForCAEx
CAEnumCertTypesForCA
CAEnumCertTypes
CACountCertTypes
CACloseCertType
CACertTypeAccessCheckEx
CACertTypeAccessCheck
GetAppImport
PeerIdentityImport
PeerIdentityGetCryptKey
PeerIdentityExport
PeerGroupResumePasswordAuthentication
PeerGroupPasswordJoin
PeerGroupJoin
PeerGroupImportDatabase
PeerGroupImportConfig
PeerGroupExportDatabase
PeerGroupExportConfig
PeerGroupCreatePasswordInvitation
PeerCollabExportContact
GetUdpStatisticsEx
GetUdpStatistics
GetTcpStatisticsEx
GetTcpStatistics
DsaopExecuteScript
DsMakePasswordCredentialsW
DsMakePasswordCredentialsA
DsFreePasswordCredentials
EfsUtilGetCurrentKey
PSStringFromPropertyKey
PSPropertyKeyFromString
PSPropertyBag_WritePropertyKey
PSPropertyBag_ReadPropertyKey
PSGetPropertyKeyFromName
PSGetNameFromPropertyKey
__AddMachineCertToLicenseStore
RasIsSharedConnection
MprmsgGetErrorString
SslOpenPrivateKey
SslImportMasterKey
SslImportKey
SslGetKeyProperty
SslGenerateSessionKeys
SslGenerateMasterKey
SslExportKey
SslCreateEphemeralKey
SslComputeEapKeyBlock
NCryptOpenKey
NCryptNotifyChangeKey
NCryptIsKeyHandle
NCryptIsAlgSupported
NCryptImportKey
NCryptFinalizeKey
NCryptExportKey
NCryptEnumKeys
NCryptDeriveKey
NCryptDeleteKey
NCryptCreatePersistedKey
HttpWaitForDisconnectEx
HttpWaitForDisconnect
HttpWaitForDemandStart
HttpTerminate
HttpShutdownRequestQueue
HttpSetUrlGroupProperty
HttpSetServiceConfiguration
HttpSetServerSessionProperty
HttpSetRequestQueueProperty
HttpSendResponseEntityBody
HttpSendHttpResponse
HttpRemoveUrlFromUrlGroup
HttpRemoveUrl
HttpReceiveRequestEntityBody
HttpReceiveHttpRequest
HttpReceiveClientCertificate
HttpReadFragmentFromCache
HttpQueryUrlGroupProperty
HttpQueryServiceConfiguration
HttpQueryServerSessionProperty
HttpQueryRequestQueueProperty
HttpInitialize
HttpGetCounters
HttpFlushResponseCache
HttpDeleteServiceConfiguration
HttpCreateUrlGroup
HttpCreateServerSession
HttpCreateRequestQueue
HttpCreateHttpHandle
HttpCloseUrlGroup
HttpCloseServerSession
HttpCloseRequestQueue
HttpCancelHttpRequest
HttpAddUrlToUrlGroup
HttpAddUrl
HttpAddFragmentToCache
UrlMkSetSessionOption
UrlMkGetSessionOption
URLOpenBlockingStreamW
URLOpenBlockingStreamA
URLDownloadToFileW
URLDownloadToFileA
URLDownloadToCacheFileW
URLDownloadToCacheFileA
ResetUrlmonLanguageData
IsValidURL
GetUrlmonThreadNotificationHwnd
GetPortFromUrlScheme
GetMarkOfTheWeb
GetAddSitesFileUrl
CreateURLMonikerEx2
CreateURLMonikerEx
CreateURLMoniker
CoInternetParseUrl
CoInternetIsFeatureEnabledForUrl
CoInternetGetSecurityUrlEx
CoInternetGetSecurityUrl
CoInternetCompareUrl
CoInternetCombineUrlEx
CoInternetCombineUrl
CoGetClassObjectFromURL
acmDriverRemove
acmDriverOpen
acmDriverClose
acmDriverAddW
xpsrasterservice.dll
xolehlp.dll
xmllite.dll
wtsapi32.dll
wsdapi.dll
ws2_32.dll
wmvcore.dll
wmpmde.dll
wmi.dll
wmdrmsdk.dll
wldap32.dll
wlanutil.dll
wlanhlp.dll
wlanapi.dll
wkscli.dll
wintrust.dll
winsta.dll
winspool.drv
winscard.dll
winnsi.dll
winmm.dll
wininet.dll
winhttp.dll
windowscodecs.dll
winbrand.dll
werui.dll
wer.dll
webservices.dll
webio.dll
wdi.dll
w32topl.dll
vssapi.dll
vpnikeapi.dll
virtdisk.dll
version.dll
vaultcli.dll
uxtheme.dll
uxinit.dll
utildll.dll
usp10.dll
userenv.dll
user32.dll
urlmon.dll
uiautomationcore.dll
ubpm.dll
tdh.dll
tapi32.dll
syssetup.dll
synceng.dll
sti.dll
sspicli.dll
srvcli.dll
srclient.dll
sqmapi.dll
sppc.dll
spinf.dll
spfileq.dll
sndvolsso.dll
slcext.dll
slc.dll
shlwapi.dll
shfolder.dll
shell32.dll
shdocvw.dll
sfmapi.dll
sfc.dll
setupapi.dll
sensapi.dll
secur32.dll
sdiagschd.dll
scecli.dll
scarddlg.dll
samsrv.dll
samlib.dll
samcli.dll
rtutils.dll
rstrtmgr.dll
rpcshim.dll
rpcrt4.dll
rpchttp.dll
regapi.dll
rasman.dll
rasdlg.dll
rasapi32.dll
qwave.dll
query.dll
pstorec.dll
psapi.dll
propsys.dll
profapi.dll
printui.dll
powrprof.dll
pidgenx.dll
pidgen.dll
pcwum.dll
pautoenr.dll
p2pgraph.dll
p2p.dll
opengl32.dll
onexui.dll
onex.dll
oledlg.dll
oleaut32.dll
oleacc.dll
ole32.dll
odbc32.dll
occache.dll
ntshrui.dll
ntmarta.dll
ntlanman.dll
ntdskcc.dll
ntdsetup.dll
ntdsbsrv.dll
ntdsapi.dll
ntdsa.dll
nsi.dll
normaliz.dll
netutils.dll
netshell.dll
netplwiz.dll
netman.dll
netlogon.dll
netjoin.dll
netcfgx.dll
netbios.dll
netapi32.dll
ndfapi.dll
ncrypt.dll
nci.dll
mtxclu.dll
mswsock.dll
mssign32.dll
msrating.dll
msoobeui.dll
msjava.dll
msimg32.dll
msiltcfg.dll
msi.dll
mshtml.dll
msgina.dll
msfeeds.dll
msdrm.dll
msctf.dll
mscat32.dll
msacm32.dll
mqrt.dll
mprmsg.dll
mprapi.dll
mpr.dll
mmdevapi.dll
mlang.dll
mfreadwrite.dll
mfplat.dll
mf.dll
mdedrmstublib.dll
lsasrv.dll
logoncli.dll
loadperf.dll
linkinfo.dll
ktmw32.dll
keymgr.dll
kdcsvc.dll
iphlpapi.dll
inseng.dll
inetcomm.dll
imm32.dll
imgutil.dll
imagehlp.dll
ieui.dll
ieshims.dll
ieframe.dll
ieakeng.dll
iashlpr.dll
httpapi.dll
hnetcfg.dll
hlink.dll
hid.dll
gpsvc.dll
gpapi.dll
gdiplus.dll
gdi32.dll
fxsapi.dll
fwpuclnt.dll
fveapi.dll
fms.dll
firewallapi.dll
explorerframe.dll
evr.dll
esent.dll
elscore.dll
ehtrace.dll
efsutil.dll
efsadu.dll
eappcfg.dll
dxgi.dll
dwmapi.dll
duser.dll
dui70.dll
dsrole.dll
dsound.dll
drvstore.dll
drttransport.dll
drtprov.dll
drt.dll
dnsapi.dll
dhcpcsvc6.dll
dhcpcsvc.dll
dfscli.dll
devrtl.dll
devobj.dll
devmgr.dll
ddraw.dll
dbghelp.dll
dbgeng.dll
davhlpr.dll
d3d9.dll
d3d8.dll
d2d1.dll
cscdll.dll
cscapi.dll
cryptxml.dll
cryptui.dll
cryptsp.dll
cryptnet.dll
cryptdll.dll
cryptdlg.dll
cryptbase.dll
crypt32.dll
credui.dll
comsvcs.dll
comdlg32.dll
comctl32.dll
colbact.dll
clusapi.dll
clbcatq.dll
cfgmgr32.dll
certpoleng.dll
certenroll.dll
certcli.dll
catsrvut.dll
catsrv.dll
cabinet.dll
browcli.dll
bcrypt.dll
avrt.dll
authz.dll
appmgmts.dll
apphelp.dll
api-ms-win-service-winsvc-l1-1-0.dll
api-ms-win-service-management-l2-1-0.dll
api-ms-win-service-management-l1-1-0.dll
api-ms-win-service-core-l1-1-0.dll
api-ms-win-security-sddl-l1-1-0.dll
api-ms-win-security-lsalookup-l1-1-0.dll
advpack.dll
advapi32.dll
activeds.dll
actionqueue.dll
aclui.dll
SetProcessWindowStation
OpenWindowStationW
OpenWindowStationA
MsgWaitForMultipleObjectsEx
MsgWaitForMultipleObjects
GetProcessWindowStation
GetKeyState
EnumDesktopWindows
CloseWindowStation
CM_Open_Class_Key_ExW
CM_MapCrToWin32Err
CM_MapCrToSpErr
PFXImportCertStore
PFXExportCertStoreEx
PFXExportCertStore
CryptVerifyCertificateSignatureEx
CryptVerifyCertificateSignature
CryptSignCertificate
CryptSignAndEncodeCertificate
CryptMsgUpdate
CryptMsgOpenToEncode
CryptMsgOpenToDecode
CryptMsgGetParam
CryptMsgGetAndVerifySigner
CryptMsgControl
CryptMsgClose
CryptMsgCalculateEncodedLength
CryptImportPublicKeyInfoEx2
CryptImportPublicKeyInfoEx
CryptImportPublicKeyInfo
CryptHashPublicKeyInfo
CryptHashCertificate
CryptGetMessageCertificates
CryptExportPublicKeyInfo
CryptAcquireCertificatePrivateKey
CertVerifyValidityNesting
CertVerifyTimeValidity
CertVerifySubjectCertificateContext
CertStrToNameW
CertStrToNameA
CertSetEnhancedKeyUsage
CertSetCertificateContextProperty
CertSerializeCertificateStoreElement
CertSelectCertificateChains
CertSaveStore
CertRemoveEnhancedKeyUsageIdentifier
CertRegisterPhysicalStore
CertRDNValueToStrW
CertRDNValueToStrA
CertOpenSystemStoreW
CertOpenSystemStoreA
CertOpenStore
CertOIDToAlgId
CertNameToStrW
CertNameToStrA
CertIsRDNAttrsInCertificateName
CertGetSubjectCertificateFromStore
CertGetPublicKeyLength
CertGetNameStringW
CertGetIssuerCertificateFromStore
CertGetIntendedKeyUsage
CertGetEnhancedKeyUsage
CertGetCertificateContextProperty
CertGetCertificateChain
CertGetCTLContextProperty
CertFreeCertificateContext
CertFreeCertificateChainList
CertFreeCertificateChainEngine
CertFreeCertificateChain
CertFreeCTLContext
CertFreeCRLContext
CertFindSubjectInCTL
CertFindRDNAttr
CertFindExtension
CertFindChainInStore
CertFindCertificateInStore
CertFindCTLInStore
CertEnumCertificatesInStore
CertEnumCertificateContextProperties
CertEnumCRLsInStore
CertDuplicateStore
CertDuplicateCertificateContext
CertDuplicateCertificateChain
CertDuplicateCTLContext
CertDeleteCertificateFromStore
CertCreateSelfSignCertificate
CertCreateContext
CertCreateCertificateContext
CertCreateCTLContext
CertCreateCRLContext
CertControlStore
CertComparePublicKeyInfo
CertCompareIntegerBlob
CertCompareCertificateName
CertCompareCertificate
CertCloseStore
CertAddStoreToCollection
CertAddSerializedElementToStore
CertAddEnhancedKeyUsageIdentifier
CertAddEncodedCertificateToStore
CertAddEncodedCRLToStore
CertAddCertificateContextToStore
CertAddCRLContextToStore
CertVerifyCertificateChainPolicy
CryptHashSessionKey
CryptDuplicateKey
TF_RunInputCPL
TF_PostAllThreadMsg
SetupDiReportDeviceInstallError
SetupDiOpenDeviceInterfaceRegKey
SetupDiOpenDevRegKey
SetupDiOpenClassRegKeyExW
SetupDiOpenClassRegKeyExA
SetupDiOpenClassRegKey
SetupDiGetDevicePropertyKeys
SetupDiGetDeviceInterfacePropertyKeys
SetupDiGetClassPropertyKeysExW
SetupDiGetClassPropertyKeys
SetupDiCreateDeviceInterfaceRegKeyW
SetupDiCreateDevRegKeyW
ShellExecuteW
ShellExecuteExW
ShellExecuteExA
ShellExecuteA
SHFileOperationW
SHFileOperationA
FindExecutableW
FindExecutableA
AssocGetDetailsOfPropKey
xHvSLUnregisterWindowsEvent
SLRegisterWindowsEvent
SLReArmWindows
SLIsWindowsGenuineLocal
SLGetWindowsInformationDWORD
SLGetWindowsInformation
SLConsumeWindowsRight
SetPortW
EnumPrinterKeyW
EnumPortsW
DeletePrinterKeyW
DeletePortW
ConfigurePortW
AddPortW
WTHelperGetProvCertFromChain
TrustIsCertificateSelfSigned
NetUnjoinDomain
NetJoinDomain
NetGetJoinInformation
LOAD: GETMODULEFILENAME failed PID=%ld | stringID=%ld | str=%S | flags=%d | hr = %X
j%Xjp3
SXS: %s() BasepSxsCreateStreams() failed
t.HH;
j.Yf;
PSSSSSSh
Invalid args passed
LOAD: INIT failed PID=%ld | stringID=%ld | str=%S | flags=%d | hr = %X
WTSShutdownSystem
twain_32.dll
SdbReleaseMatchingExe
SdbGetMatchingExe
SdbFindFirstGUIDIndexedTag
ApphelpCheckExe
j.Xf;
.data
UrlUnescapeW
UrlUnescapeA
UrlGetPartW
UrlEscapeW
UrlEscapeA
UrlCombineW
UrlCombineA
UrlCanonicalizeW
UrlCanonicalizeA
UrlApplySchemeW
UrlApplySchemeA
SHEnumKeyExW
SHDeleteKeyW
SHDeleteKeyA
PathIsURLW
PathCreateFromUrlW
CvWS_HTTP2_INITIAL_CONNECTION__new
WS_HTTP2_CONNECTION__Initialize
I_RpcTransGetHttpCredentials
I_RpcTransFreeHttpCredentials
HttpSendIdentifyResponse
HTTP_TurnOnOffKeepAlives
HTTP_SyncSend
HTTP_SyncRecv
HTTP_SetLastBufferToFree
HTTP_ServerListen
HTTP_Send
HTTP_Recv
HTTP_QueryLocalAddress
HTTP_QueryClientIpAddress
HTTP_QueryClientId
HTTP_QueryClientAddress
HTTP_Open
HTTP_Initialize
HTTP_FreeResolverHint
HTTP_CopyResolverHint
HTTP_Close
HTTP_Abort
HTTP2WinHttpDirectSend
HTTP2WinHttpDirectReceive
HTTP2WinHttpDelayedReceive
HTTP2TimerReschedule
HTTP2TestHook
HTTP2SocketTransportChannel__SendComplete
HTTP2SocketTransportChannel__ReceiveComplete
HTTP2RecycleChannel
HTTP2ProcessRuntimePostedEvent
HTTP2ProcessComplexTSend
HTTP2ProcessComplexTReceive
HTTP2PlugChannelDirectSend
HTTP2IISSenderDirectSend
HTTP2IISDirectReceive
HTTP2GetRpcConnectionTransport
HTTP2FlowControlChannelDirectSend
HTTP2EpRecvFailed
HTTP2DirectReceive
HTTP2ContinueDrainChannel
HTTP2ChannelDataOriginatorDirectSend
HTTP2AbortConnection
FreeHttpTransportCredentials
DuplicateHttpTransportCredentials
ConvertToUnicodeHttpTransportCredentials
CompareHttpTransportCredentials
TransportAddrFromMtxAddr
MtxAddrFromTransportAddr
DsaExeStartRoutine
DirOperationControl
DSStrToHashKeyExternal
DSNAMEToHashKeyExternal
AttrTypeToKey
SaferiIsExecutableFileType
ReportEventW
ReportEventA
RegUnLoadKeyW
RegSetKeyValueW
RegSetKeySecurity
RegSaveKeyW
RegSaveKeyExW
RegSaveKeyA
RegRestoreKeyW
RegReplaceKeyW
RegRenameKey
RegQueryReflectionKey
RegQueryInfoKeyW
RegQueryInfoKeyA
RegOpenKeyW
RegOpenKeyTransactedW
RegOpenKeyExW
RegOpenKeyExA
RegOpenKeyA
RegNotifyChangeKeyValue
RegLoadKeyW
RegGetKeySecurity
RegFlushKey
RegEnumKeyW
RegEnumKeyExW
RegEnumKeyA
RegEnableReflectionKey
RegDisableReflectionKey
RegDeleteKeyW
RegDeleteKeyValueW
RegDeleteKeyTransactedW
RegDeleteKeyExW
RegDeleteKeyExA
RegDeleteKeyA
RegCreateKeyW
RegCreateKeyTransactedW
RegCreateKeyExW
RegCreateKeyA
RegCloseKey
GetServiceKeyNameW
GetEventLogInformation
FreeEncryptionCertificateHashList
FreeEncryptedFileKeyInfo
EncryptedFileKeyInfo
ElfReportEventW
Gentee.Installer
RR.Raphael.Install.Builder
ThraexSoftware.AstrumInstallWizard
Roshal.WinRAR.WinRAR
Illustrate.Spoon.Installer
InstallShield.Setup
Nullsoft.NSIS
JR.Inno.Setup
uOSSh
\twain_32.dll
TermsrvSetKeySecurity
TermsrvRestoreKey
TermsrvDeleteKey
TermsrvSetValueKey
tsappcmp.dll
SXS: %s() empty lpSource %ls
SXS: %s() Calling csrss server failed. Status = 0x%x
SXS: %s() NtCreateSection() failed. Status = 0x%x.
SXS: %s() NtMapViewOfSection failed
SXS: %s() NtOpenFile(%wZ) failed
SXS: %s() AssemblyDirectory is not null terminated
SXS: %s() BaseDllMapResourceIdW failed
SXS: %s() ACTCTX_FLAG_RESOURCE_NAME_VALID set but lpResourceName == 0
SXS: %s() Bad lpAssemblyDirectory %ls
SXS: %s() Bad lpApplication name '%ls'
SXS: %s() Bad lpSource PathType %ls, 0x%lx
SXS: %s() bad wProcessorArchitecture 0x%x
SXS: %s() BaseDllMapResourceIdA failed
SXS: Invalid parameter(s) passed to FindActCtxSection*()
->cbSize = %u
SXS: %s() CsrCaptureMessageMultiUnicodeStringsInPlace failed
Kernel32: No mapping for ImageInformation.Machine == x
ConnectConsoleInternal failed with Status 0x%x
NtConnectPort %ws failed with Status 0x%x
SXS: %s() NtQueryInformationFile failed. Status = 0x%x
WaitForMultipleObjects returned with %d
RtlWerpReportException failed with status code :%d. Will try to launch the process directly
WerpReportFault Invalid params passed
WerpHeapFree failed with 0x%x
Too long restart command line passed
t5SSh
StringCchCopy failed with 0x%x
Invalid arg in %s
Invalid block passed
INIT: PID %ld is %S
LOAD: INS failed PID=%ld | stringID=%ld | str=%S | flags=%d | hr = %X
TermsrvLogInstallIniFile
TermsrvGetWindowsDirectoryW
TermsrvGetWindowsDirectoryA
SXS: %s() NtCreateSection() failed. Status = 0x%x
SXS: %s() Null %p or size 0x%lx too small
SXS: %s() Bad flags/size 0x%lx/0x%lx
.debug
.reloc
.rsrc1
.rsrc
SXS: %s() NtOpenFile(%wZ) failed. Status = 0x%x
Invalid args in %s
WerpGetRecoveryInfoForSelf failed with 0x%x
SSSSh
WPSSh
mem16.dll
ImpersonateNamedPipeClient
PSSh?
PWVSSh
{u.j-Yf9H&uùH0u
u%SPd
t SSh
PSSh<
SXS: %s - Failure getting active activation context; ntstatus lx
PVWSSh
VSSHP
GetSystemWindowsDirectory failed or the size was not adequate
StringCchPrintf failed with 0x%x
NtQueryInformationProcess failed with 0x%x
Failed to create the process %S
Failed to get the paths for the crash vertical. Error was 0x%x
NtQueryInformationProcess failed with status: 0x%x
#FvRtlInitUnicodeStringEx returned 0x%x
NtQueryInformationProcess failed 0x%x
"FvStringcchcopy failed while copying the debugger path 0x%x
StringCchPrintf failed while printng the debugger commandline with 0x%x
StringCchPrintf failed while printing the debugger path with 0x%x
NtWow64QueryInformationProcess64 failed with 0x%x
NtWow64ReadVirtualMemory64 failed with 0x%x
NtQueryInformationProcess failed with status 0x%x
WerpNtWow64QueryInformationProcess64 failed with status 0x%x
Invalid handle passed
hp.Iv
hL.Ivj
USE: GETMODSTAMP failed PID=%ld | MODNAME=%S | STRID=%ld | hr = %X
USE: GETMODULEVERSION failed PID=%ld | MODNAME=%S | STRID=%ld | hr = %X
USE: Lookup failed PID=%ld | STR=%S | HashModBuckets=%ld
CACHE: Purging node from the cache MOD=%s | STRID=%ld | Flags=%X | HashModBuckets=%ld
KERNEL32.dll
BaseCleanupAppcompatCacheSupport
BaseInitAppcompatCacheSupport
CallNamedPipeA
CallNamedPipeW
CmdBatNotification
ConnectNamedPipe
CreateIoCompletionPort
CreateMutexExA
CreateMutexExW
CreateNamedPipeA
CreateNamedPipeW
CreatePipe
DisconnectNamedPipe
EnumCalendarInfoExEx
EnumDateFormatsExEx
GetCPInfo
GetCPInfoExA
GetCPInfoExW
GetCalendarSupportedDateRange
GetConsoleAliasExesA
GetConsoleAliasExesLengthA
GetConsoleAliasExesLengthW
GetConsoleAliasExesW
GetConsoleInputExeNameA
GetConsoleInputExeNameW
GetConsoleKeyboardLayoutNameA
GetConsoleKeyboardLayoutNameW
GetConsoleOutputCP
GetLargestConsoleWindowSize
GetNamedPipeAttribute
GetNamedPipeClientComputerNameA
GetNamedPipeClientComputerNameW
GetNamedPipeClientProcessId
GetNamedPipeClientSessionId
GetNamedPipeHandleStateA
GetNamedPipeHandleStateW
GetNamedPipeInfo
GetNamedPipeServerProcessId
GetNamedPipeServerSessionId
GetProcessHandleCount
GetProcessHeap
GetProcessHeaps
GetProcessShutdownParameters
GetSystemWindowsDirectoryA
GetSystemWindowsDirectoryW
GetWindowsDirectoryA
GetWindowsDirectoryW
InitOnceExecuteOnce
NeedCurrentDirectoryForExePathA
NeedCurrentDirectoryForExePathW
PeekNamedPipe
RegCreateKeyExA
RegEnumKeyExA
RegLoadKeyA
RegRestoreKeyA
RegSaveKeyExA
RegUnLoadKeyA
RegisterWowExec
SetConsoleInputExeNameA
SetConsoleInputExeNameW
SetConsoleKeyShortcuts
SetConsoleMaximumWindowSize
SetConsoleOutputCP
SetNamedPipeAttribute
SetNamedPipeHandleState
SetProcessShutdownParameters
SetThreadExecutionState
TransactNamedPipe
VDMConsoleOperation
VDMOperationStarted
WaitNamedPipeA
WaitNamedPipeW
WinExec
NTDLL.RtlAcquireSRWLockExclusive
NTDLL.RtlAcquireSRWLockShared
api-ms-win-core-libraryloader-l1-1-0.AddDllDirectory
NTDLL.RtlAddVectoredContinueHandler
NTDLL.RtlAddVectoredExceptionHandler
NTDLL.TpCancelAsyncIoOperation
NTDLL.TpReleasePool
NTDLL.TpReleaseCleanupGroup
NTDLL.TpReleaseCleanupGroupMembers
NTDLL.TpReleaseIoCompletion
NTDLL.TpReleaseTimer
NTDLL.TpReleaseWait
NTDLL.TpReleaseWork
api-ms-win-core-processthreads-l1-1-0.CreateRemoteThreadEx
NTDLL.RtlDecodePointer
NTDLL.RtlDecodeSystemPointer
NTDLL.RtlDeleteBoundaryDescriptor
NTDLL.RtlDeleteCriticalSection
api-ms-win-core-processthreads-l1-1-0.DeleteProcThreadAttributeList
NTDLL.TpDisassociateCallback
NTDLL.RtlEncodePointer
NTDLL.RtlEncodeSystemPointer
NTDLL.RtlEnterCriticalSection
NTDLL.RtlExitUserThread
NTDLL.NtFlushProcessWriteBuffers
NTDLL.TpCallbackUnloadDllOnCompletion
NTDLL.RtlGetCurrentProcessorNumber
NTDLL.RtlGetCurrentProcessorNumberEx
api-ms-win-core-sysinfo-l1-1-0.GetLogicalProcessorInformationEx
NTDLL.RtlAllocateHeap
NTDLL.RtlReAllocateHeap
NTDLL.RtlSizeHeap
NTDLL.RtlRunOnceInitialize
NTDLL.RtlInitializeConditionVariable
NTDLL.RtlInitializeCriticalSection
api-ms-win-core-processthreads-l1-1-0.InitializeProcThreadAttributeList
NTDLL.RtlInitializeSListHead
NTDLL.RtlInitializeSRWLock
NTDLL.RtlInterlockedCompareExchange64
NTDLL.RtlInterlockedFlushSList
NTDLL.RtlInterlockedPopEntrySList
NTDLL.RtlInterlockedPushEntrySList
NTDLL.RtlInterlockedPushListSList
NTDLL.TpIsTimerSet
NTDLL.RtlLeaveCriticalSection
NTDLL.TpCallbackLeaveCriticalSectionOnCompletion
api-ms-win-core-processthreads-l1-1-0.OpenProcessToken
api-ms-win-core-processthreads-l1-1-0.OpenThreadToken
NTDLL.RtlQueryDepthSList
NTDLL.TpCallbackReleaseMutexOnCompletion
NTDLL.RtlReleaseSRWLockExclusive
NTDLL.RtlReleaseSRWLockShared
NTDLL.TpCallbackReleaseSemaphoreOnCompletion
api-ms-win-core-libraryloader-l1-1-0.RemoveDllDirectory
NTDLL.RtlRemoveVectoredContinueHandler
NTDLL.RtlRemoveVectoredExceptionHandler
NTDLL.RtlRestoreLastWin32Error
NTDLL.RtlMoveMemory
NTDLL.RtlZeroMemory
NTDLL.RtlSetCriticalSectionSpinCount
api-ms-win-core-libraryloader-l1-1-0.SetDefaultDllDirectories
NTDLL.TpCallbackSetEventOnCompletion
api-ms-win-core-processthreads-l1-1-0.SetThreadToken
NTDLL.TpSetPoolMaxThreads
NTDLL.TpSetTimer
NTDLL.TpSetWait
api-ms-win-core-threadpool-l1-1-0.SetWaitableTimerEx
NTDLL.TpStartAsyncIoOperation
NTDLL.TpPostWork
NTDLL.RtlTryAcquireSRWLockExclusive
NTDLL.RtlTryAcquireSRWLockShared
NTDLL.RtlTryEnterCriticalSection
api-ms-win-core-processthreads-l1-1-0.UpdateProcThreadAttribute
NTDLL.VerSetConditionMask
NTDLL.TpWaitForIoCompletion
NTDLL.TpWaitForTimer
NTDLL.TpWaitForWait
NTDLL.TpWaitForWork
NTDLL.RtlWakeAllConditionVariable
NTDLL.RtlWakeConditionVariable
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-Util-L1-1-0.dll
API-MS-Win-Core-Fibers-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
API-MS-Win-Core-Debug-L1-1-0.dll
API-MS-Win-Core-String-L1-1-0.dll
API-MS-Win-Core-ProcessEnvironment-L1-1-0.dll
API-MS-Win-Core-Localization-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-NamedPipe-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-ThreadPool-L1-1-0.dll
API-MS-Win-Core-IO-L1-1-0.dll
API-MS-Win-Core-File-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-Memory-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
KERNELBASE.dll
ntdll.dll
API-MS-Win-Core-RtlSupport-L1-1-0.dll
NtNotifyChangeKey
RtlComputeImportTableHash
RtlRunOnceExecuteOnce
NtSetThreadExecutionState
LdrQueryImageFileExecutionOptions
NtCreateKeyTransacted
NtDeleteValueKey
NtEnumerateKey
RtlFormatCurrentUserKeyPath
NtEnumerateValueKey
NtCreateKey
NtSetValueKey
NtFlushKey
NtOpenKey
NtQueryValueKey
LdrQueryImageFileKeyOption
NtYieldExecution
NtRequestWaitReplyPort
NtConnectPort
NtOpenKeyTransacted
NtQueryKey
NtOpenKeyEx
NtOpenKeyTransactedEx
NtDeleteKey
NtLoadKey
NtUnloadKey
NtNotifyChangeMultipleKeys
NtRestoreKey
NtSaveKeyEx
RtlWerpReportException
WerReportSQMEvent
BaseGetProcessExePath
OpenRegKey
GetCPHashNode
BaseReleaseProcessExePath
kernel32.pdb
; ;$;(;,;0;4;
> >$>(>,>
4 4$4(4,4044484
6 6$6(6,60646
0 0$0(0,00040
8 8$8(8,8
? ?$?(?,?0?4?8?
< <$<(<,<0<4<
094989<9
; ;$;(;,;0;4;8;<;
7 7$7(7,70747
=,>0><>|>
<,>0>8><>
121c1/2`2
:":\:&;>;};
6 7$7(7,7074787<7@7
01
2$2*2/2?2
cmd /c
\Registry\Machine\Software\Policies\Microsoft\Windows\System
win.ini
.Manifest
.Config
\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\WMR
\Windows
hotkey.
Software\Microsoft\Windows NT\CurrentVersion\Windows
sortdefault.nls
\Registry\MACHINE\Software\Microsoft\Windows\CurrentVersion\SideBySide
windows seven
windows vista
\Software\Microsoft\Windows NT\CurrentVersion
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags
\Registry\MACHINE\System\CurrentControlSet\Control\Session Manager\AppCertDlls
\Registry\MACHINE\Software\Policies\Microsoft\Windows\AppCompat
\system32\apphelp.dll
InstallShield Self-extracting EXE
Autoextractor EXE de InstallShield
hrbares Programm EXE
PackageForTheWeb
PackageForTheWeb Fehler
PackageForTheWeb Error
Setup cannot start the program _Setup.exe
Setup couldn't decompress the file '%s'.
\\.\MountPointManager
\\?\UNC\
ADVAPI32.DLL
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
pNullsoft.NSIS
.Local
~RF%4x.TMP
hotkey.%u %s
wowexec.pif
EmbdTrst.DLL
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
csrstub.exe %d -P %ws
WINDOWS
hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings
Application.Manifest
\\?\GLOBALROOT
\Registry\Machine\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib
\wmrtrace.dmp
DNSAPI.DLL
"/\[]:|<> =;,?
\Registry\Machine\System\CurrentControlSet\Services\Tcpip\Parameters
\REGISTRY\USER\.DEFAULT
AppCertDlls
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug\AutoExclusionList
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebugProtected
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AeDebug
pwinmail.exe
wmplayer.exe
outlook.exe
explorer.exe
iexplore.exe
ntsd.exe
cdb.exe
windbg.exe
PendingFileRenameOperations%d
PendingFileRenameOperations
%ws%u\DosDevices\%ws
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server\Compatibility\Applications\
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Terminal Server
serialui.dll
"%s\ntvdm.exe" %s%c
"%s\ntvdm.exe" -i%lx %s%c
\KernelObjects\SystemErrorPortReady
%systemroot%\system32\ntdll.dll
\\.\PhysicalDrive%lu
%s -u -p %d -s %I64d
%s\%s
WerFault.exe
WerFaultSecure.exe
%s\system32\%s
sntdll.dll
\Software\Microsoft\Windows\Windows Error Reporting\WMR
!"#$%&'()* ,
Windows NT BASE API Client DLL
6.1.7601.17651 (win7sp1_gdr.110715-1504)
Windows
Operating System
6.1.7601.17651

%original file name%.exe_1900_rwx_01750000_0001E000:

IPHLPAPI.DLL
CreatePersistentTcpPortReservation
CreatePersistentUdpPortReservation
DeletePersistentTcpPortReservation
DeletePersistentUdpPortReservation
GetExtendedTcpTable
GetExtendedUdpTable
GetOwnerModuleFromTcp6Entry
GetOwnerModuleFromTcpEntry
GetOwnerModuleFromUdp6Entry
GetOwnerModuleFromUdpEntry
GetPerTcp6ConnectionEStats
GetPerTcp6ConnectionStats
GetPerTcpConnectionEStats
GetPerTcpConnectionStats
GetTcp6Table
GetTcp6Table2
GetTcpStatistics
GetTcpStatisticsEx
GetTcpTable
GetTcpTable2
GetTeredoPort
GetUdp6Table
GetUdpStatistics
GetUdpStatisticsEx
GetUdpTable
InternalGetTcp6Table2
InternalGetTcp6TableWithOwnerModule
InternalGetTcp6TableWithOwnerPid
InternalGetTcpTable
InternalGetTcpTable2
InternalGetTcpTableEx
InternalGetTcpTableWithOwnerModule
InternalGetTcpTableWithOwnerPid
InternalGetUdp6TableWithOwnerModule
InternalGetUdp6TableWithOwnerPid
InternalGetUdpTable
InternalGetUdpTableEx
InternalGetUdpTableWithOwnerModule
InternalGetUdpTableWithOwnerPid
InternalSetTcpEntry
InternalSetTeredoPort
LookupPersistentTcpPortReservation
LookupPersistentUdpPortReservation
NotifyTeredoPortChange
SetPerTcp6ConnectionEStats
SetPerTcp6ConnectionStats
SetPerTcpConnectionEStats
SetPerTcpConnectionStats
SetTcpEntry
{lX-X-X-XX-XXXXXX}
SYSTEM\CurrentControlSet\Services\Tcpip\Linkage
SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\
Ht.HHt
%SSSSj
dhcpcsvc.DLL
dhcpcsvc6.DLL
DNSAPI.dll
WS2_32.dll
API-MS-Win-Core-DelayLoad-L1-1-0.dll
API-MS-Win-Security-Base-L1-1-0.dll
API-MS-Win-Core-SysInfo-L1-1-0.dll
API-MS-Win-Core-Synch-L1-1-0.dll
API-MS-Win-Core-String-L1-1-0.dll
API-MS-Win-Core-Profile-L1-1-0.dll
API-MS-Win-Core-ProcessThreads-L1-1-0.dll
API-MS-Win-Core-Misc-L1-1-0.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
API-MS-Win-Core-LibraryLoader-L1-1-0.dll
API-MS-Win-Core-Interlocked-L1-1-0.dll
API-MS-Win-Core-Heap-L1-1-0.dll
API-MS-Win-Core-Handle-L1-1-0.dll
API-MS-Win-Core-ErrorHandling-L1-1-0.dll
RPCRT4.dll
WINNSI.DLL
NSI.dll
ntdll.dll
msvcrt.dll
_amsg_exit
GetProcessHeap
RegOpenKeyExA
RegCloseKey
iphlpapi.pdb
2#3)3/343<3
7 7$7(7,707
:&;5;&<8<
4&4-44484C4N4S4c4h4x4}4
0 0(0,00080<0@0
\DEVICE\TCPIP_
%s_%u
\DEVICE\NETBT_TCPIP_
iftype%u
\advapi32.dll
6.1.7601.17514 (win7sp1_rtm.101119-1850)
iphlpapi.dll
Windows
Operating System
6.1.7601.17514

%original file name%.exe_1900_rwx_01790000_0013D000:

8SsHd
d:\win7sp1_gdr\minkernel\threadpool\ntdll\cgrp.c
<P.tmB;
TppWorkpExecuteCallback
TppSimplepExecuteCallback
d:\win7sp1_gdr\minkernel\threadpool\ntdll\simple.c
d:\win7sp1_gdr\minkernel\threadpool\ntdll\io.c
SsHd;
_CorExeMain
tùp
d:\win7sp1_gdr\minkernel\threadpool\ntdll\waiter.c
TppWaitpExecuteCallback
TppTimerpExecuteCallback
d:\win7sp1_gdr\minkernel\threadpool\ntdll\cgrpmem.c
d:\win7sp1_gdr\minkernel\threadpool\ntdll\lpc.c
TppAlpcpExecuteCallback
d:\win7sp1_gdr\minkernel\threadpool\ntdll\callback.c
ntdll.dll
EtwpGetCpuSpeed
EvtIntReportAuthzEventAndSourceAsync
EvtIntReportEventAndSourceAsync
LdrOpenImageFileOptionsKey
LdrQueryImageFileExecutionOptions
LdrQueryImageFileExecutionOptionsEx
LdrQueryImageFileKeyOption
NtAcceptConnectPort
NtAlpcAcceptConnectPort
NtAlpcConnectPort
NtAlpcCreatePort
NtAlpcCreatePortSection
NtAlpcDeletePortSection
NtAlpcDisconnectPort
NtAlpcImpersonateClientOfPort
NtAlpcSendWaitReceivePort
NtCompactKeys
NtCompleteConnectPort
NtCompressKey
NtConnectPort
NtCreateKey
NtCreateKeyTransacted
NtCreateKeyedEvent
NtCreateNamedPipeFile
NtCreatePort
NtCreateWaitablePort
NtDelayExecution
NtDeleteKey
NtDeleteValueKey
NtEnumerateKey
NtEnumerateValueKey
NtFlushKey
NtImpersonateClientOfPort
NtListenPort
NtLoadKey
NtLoadKey2
NtLoadKeyEx
NtLockProductActivationKeys
NtLockRegistryKey
NtNotifyChangeKey
NtNotifyChangeMultipleKeys
NtOpenKey
NtOpenKeyEx
NtOpenKeyTransacted
NtOpenKeyTransactedEx
NtOpenKeyedEvent
NtQueryInformationPort
NtQueryKey
NtQueryMultipleValueKey
NtQueryOpenSubKeys
NtQueryOpenSubKeysEx
NtQueryPortInformationProcess
NtQueryValueKey
NtRegisterThreadTerminatePort
NtReleaseKeyedEvent
NtRenameKey
NtReplaceKey
NtReplyPort
NtReplyWaitReceivePort
NtReplyWaitReceivePortEx
NtReplyWaitReplyPort
NtRequestPort
NtRequestWaitReplyPort
NtRestoreKey
NtSaveKey
NtSaveKeyEx
NtSaveMergedKeys
NtSecureConnectPort
NtSetDefaultHardErrorPort
NtSetInformationKey
NtSetThreadExecutionState
NtSetValueKey
NtUnloadKey
NtUnloadKey2
NtUnloadKeyEx
NtWaitForKeyedEvent
NtYieldExecution
RtlCheckRegistryKey
RtlCmDecodeMemIoResource
RtlComputeImportTableHash
RtlCreateRegistryKey
RtlEnumProcessHeaps
RtlFormatCurrentUserKeyPath
RtlGetProcessHeaps
RtlIsCurrentThreadAttachExempt
RtlQueryProcessHeapInformation
RtlReportException
RtlReportSilentProcessExit
RtlReportSqmEscalation
RtlRunOnceExecuteOnce
RtlSendMsgToSm
RtlValidateProcessHeaps
RtlWerpReportException
RtlpCleanupRegistryKeys
RtlpNtCreateKey
RtlpNtEnumerateSubKey
RtlpNtMakeTemporaryKey
RtlpNtOpenKey
RtlpNtQueryValueKey
RtlpNtSetValueKey
SbExecuteProcedure
ShipAssert
ShipAssertGetBufferInfo
ShipAssertMsgA
ShipAssertMsgW
TpCancelAsyncIoOperation
TpStartAsyncIoOperation
WerReportSQMEvent
ZwAcceptConnectPort
ZwAlpcAcceptConnectPort
ZwAlpcConnectPort
ZwAlpcCreatePort
ZwAlpcCreatePortSection
ZwAlpcDeletePortSection
ZwAlpcDisconnectPort
ZwAlpcImpersonateClientOfPort
ZwAlpcSendWaitReceivePort
ZwCompactKeys
ZwCompleteConnectPort
ZwCompressKey
ZwConnectPort
ZwCreateKey
ZwCreateKeyTransacted
ZwCreateKeyedEvent
ZwCreateNamedPipeFile
ZwCreatePort
ZwCreateWaitablePort
ZwDelayExecution
ZwDeleteKey
ZwDeleteValueKey
ZwEnumerateKey
ZwEnumerateValueKey
ZwFlushKey
ZwImpersonateClientOfPort
ZwListenPort
ZwLoadKey
ZwLoadKey2
ZwLoadKeyEx
ZwLockProductActivationKeys
ZwLockRegistryKey
ZwNotifyChangeKey
ZwNotifyChangeMultipleKeys
ZwOpenKey
ZwOpenKeyEx
ZwOpenKeyTransacted
ZwOpenKeyTransactedEx
ZwOpenKeyedEvent
ZwQueryInformationPort
ZwQueryKey
ZwQueryMultipleValueKey
ZwQueryOpenSubKeys
ZwQueryOpenSubKeysEx
ZwQueryPortInformationProcess
ZwQueryValueKey
ZwRegisterThreadTerminatePort
ZwReleaseKeyedEvent
ZwRenameKey
ZwReplaceKey
ZwReplyPort
ZwReplyWaitReceivePort
ZwReplyWaitReceivePortEx
ZwReplyWaitReplyPort
ZwRequestPort
ZwRequestWaitReplyPort
ZwRestoreKey
ZwSaveKey
ZwSaveKeyEx
ZwSaveMergedKeys
ZwSecureConnectPort
ZwSetDefaultHardErrorPort
ZwSetInformationKey
ZwSetThreadExecutionState
ZwSetValueKey
ZwUnloadKey
ZwUnloadKey2
ZwUnloadKeyEx
ZwWaitForKeyedEvent
ZwYieldExecution
.txt2
secserv.dll
.sforce
.pcle
.aspack
Set 0x%X protection for %p section for %d bytes, old protection 0x%X
CLIENT(ntdll): Tyring to fix protection for %ws section in %wZ module to 0x%X
CLIENT(ntdll): Found Execute=1, turning off execution protection for the process because of %wZ
CLIENT(ntdll): Found ExecuteOptions = %ws for %wZ in application compatibility database
CLIENT(ntdll): Found CheckAppHelp = %d for %wZ in ImageFileExecutionOptions
x:x @ d - %s - %s:
d:\win7sp1_gdr\minkernel\ntdll\ldrapi.c
d:\win7sp1_gdr\minkernel\ntdll\ldrfind.c
Changing the protection of the executable at %p failed with status 0xlx
d:\win7sp1_gdr\minkernel\ntdll\ldrinit.c
Exception record: .exr %p
Context record: .cxr %p
Process 0x%x (%wZ) exiting
Could not locate procedure "%s" in the shim engine DLL
LdrpInitializeExecutionOptions
Running the init routines of the executable's static imports failed with status 0xlx
Loading Windows subsystem DLL "%wZ" failed with status 0xlx
Walking the import tables of the executable and its static imports failed with status 0xlx
Locating procedure "%Z" in Windows subsystem DLL "%wZ" failed with status 0xlx
Beginning execution of %wZ (%wZ)
Allocating a data table entry for the executable failed
Initializing the execution options for the process %lx failed with status 0xlx
Delaying execution failed with status 0xlx
d:\win7sp1_gdr\minkernel\ntdll\ldrsnap.c
LdrpLoadImportModule
DLL name: %s DLL path: %wZ
Calling the Windows subsystem post-import routine %p failed with status 0xlx
Procedure "%s" could not be located in DLL "%s"
Ordinal 0x%lx could not be located in DLL "%s"
Hint index 0x%lx for procedure "%s" in DLL "%s" is invalid
%s loaded DLL "%wZ" (new reference count: 0x%lx)
LdrpFixupIATForRelocatedImport
DLL "%wZ" does not contain an export table
DLL "%wZ" is bound via forwarders to "%s"
Loading "%ws" from the bound import table of DLL "%wZ" failed with status 0xlx
DLL "%wZ" is bound to "%s"
LdrpHandleOneNewFormatImportDescriptor
Snapping the imports from DLL "%wZ" to DLL "%wZ" failed with status 0xlx
Loading "%ws" from the import table of DLL "%wZ" failed with status 0xlx
DLL "%wZ" imports "%s"
LdrpHandleOneOldFormatImportDescriptor
LdrpProcessStaticImports
d:\win7sp1_gdr\minkernel\ntdll\ldrtls.c
TlsVector %p Index %d : %d bytes copied from %p to %p
Execute '.cxr %p' to dump context
d:\win7sp1_gdr\minkernel\ntdll\ldrutil.c
Function %s raised exception 0xlx
RTL: Acquire Shared Sem Timeout %d(%I64u secs)
RTL: Acquire Exclusive Sem Timeout %d (%I64u secs)
NTDLL: Calling thread (%X) not owner of CritSect: %p Owner ThreadId: %X
RTL: Pid.Tid %x.%x, owner tid %x Critical Section %p - ContentionCount == %lu
RTL: Enter Critical Section Timeout (%I64u secs) %d
AVRF: Found duplicate for (%ws: %s) in %ws
AVRF: chain: thunk: %s == %s ?
AVRF: Chaining (%ws: %s) to %ws
AVRF: Checking %ws for duplicate (%ws: %s)
AVRF: Snapped (%ws: %s) with (%ws: %p).
AVRF: internal error: New thunk for %s is null.
AVRF: Unable to unprotect IAT to modify thunks (status X).
AVRF: (%ws) %s export found.
AVRF: warning: did not find `%s' export in %ws .
AVRF: failed to enable handle checking (status %X)
AVRF: Failed to find `VerifierStopMessage()' export in verifier.dll!
AVRF: Failed to find verifier.dll among loaded providers!
VERIFIER STOP %p: pid 0x%X: %s
%p : %s
AVRF: provider %ws passed an invalid descriptor @ %p
AVRF: %ws: failed to load provider `%ws' (status X) from %ws
AVRF: pid 0x%X: found dll descriptor for `%ws' with verified exports
AVRF: %ws: pid 0x%X: application verifier will be disabled due to an initialization error.
AVRF: %ws: pid 0x%X: flags 0x%X: application verifier enabled
rUS.Length <= This->PrivatePreallocatedString->MaximumLength
d:\win7sp1_gdr\minkernel\ntdll\sxsisol.cpp
!(askd.Flags & ACTIVATION_CONTEXT_SECTION_KEYED_DATA_FLAG_FOUND_IN_SYSTEM_DEFAULT)
[%x.%x] SXS: %s - Relative redirection plus env var expansion.
SXS: %s() passed the empty activation context data
SXS: %s() called with invalid cookie tid 0xI64x - should be lx
SXS: %s() called with invalid cookie type 0xI64x
SXS: %s() called with invalid flags 0xlx
SXS: %s() Active frame is not the frame being deactivated %p != %p
SXS: %s() flags contains return_assembly_metadata but they don't fit in size, return invalid_parameter 0xlx.
SXS: %s() flags contains return_flags but they don't fit in size, return invalid_parameter 0xlx.
SXS: String hash table entry at %p has invalid key offset (= %ld)
RtlpFindUnicodeStringInSection: Unsupported hash algorithm %lu found in string section.
SXS/RTL: TOC entry array (offset: %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS/RTL: Extended TOC section TOC %d (offset: %ld, size: %u) is outside activation context data bounds (%lu bytes)
SXS/RTL: Extended TOC entry array (starting at offset %ld; count = %lu; entry size = %u) is outside bounds of activation context data (%lu bytes)
SXS: %s() found assembly information section with user data extending beyond section data
SXS: %s() found assembly information section with user data too small
SXS: %s() found assembly information section with user data overlapping section header
SXS: %s() found assembly information section with search structure overlapping section header
SXS: %s() found assembly information section with element list overlapping section header
SXS: %s() passed string section at %p with too small of a header
SXS: %s() passed string section at %p claims %lu byte header size; that doesn't even include the HeaderSize member!
SXS: %s() found assembly information section with wrong magic value
SXS: %s() passed string section at %p only %lu bytes long; that's not even enough for the 4-byte magic and 4-byte header length!
SXS: %s() received invalid non-zero sub-instance index %lu
SXS: %s() found activation context data at %p with assembly roster that has no root
SXS: %s() received invalid sub-instance index %lu out of %lu Assemblies in the Acitvation Context
SXS: %s() received invalid file index (%d) in Assembly (%d)
SXS: %s() found activation context data at %p with wrong format
SXS: %s() - internal coding error; missing switch statement branch for InfoClass == %lu
SXS: %s() - caller asked to use active activation context but passed %p
SXS: %s() - Caller passed invalid hmodule (%p)
SXS: %s() - Caller asked to use activation context from hmodule but passed NULL
SXS: %s() - Caller passed invalid address, not in any .dll (%p)
SXS: %s() - Caller asked to use activation context from address in .dll but passed NULL
SXS: %s() - caller supplied no buffer to populate and no place to return required byte count
SXS: %s() - caller passed nonzero buffer length but NULL buffer pointer
SXS: %s() - caller asked for unknown information class %lu
SXS: %s() - Caller passed meaningless flags/class combination (0xlx/0xlx)
SXS: %s() - Caller passed invalid flags (0xlx)
SXS: Unabel to query location from storage root subkey %wZ; Status = 0xlx
SXS: Unable to open storage root subkey %wZ; Status = 0xlx
SXS: Unable to open registry key %wZ Status = 0xlx
SXS: Attempt to get storage location from subkey %wZ failed; Status = 0xlx
SXS: Unable to enumerate assembly storage subkey #%lu Status = 0xlx
SXS: %s() bad parameters:
SXS: %s() bad parameters
SXS: StorageLocation->Length: 0x%x
SXS: Unable to open assembly directory under storage root "%S"; Status = 0xlx
SXS: Attempt to translate DOS path name "%S" to NT format failed
SXS: Assembly storage resolution failing probe because attempt to allocate %u bytes failed.
SXS: %s() passed the empty activation context
SXS: %s() bad parameters AssemblyRosterIndex 0x%lx >= AssemblyRosterHeader->EntryCount: 0x%lx
'LDR: %s(), invalid image format of MUI file
RtlpHeapFreeVirtualMemory failed %lx for heap %p (base %p, size %x)
*** Assertion failed: %s%s
*** Source File: %s, line %ld
RtlQueryRegistryValues: Miscomputed buffer size at line %d
VirtualProtect Failed 0xx %x
VirtualQuery Failed 0xx %x
, passed to %s
Invalid heap signature for heap at %x
Unable to release memory at %p for %p bytes - Status == %x
Entry User Heap Size Req.Size Flags
:%u.%u.%u.%u
::ffff:0:%u.%u.%u.%u
::%hs%u.%u.%u.%u
%u.%u.%u.%u
X-X-X-X-X-X
Leaked Block 0x%p size 0x%p (stack %p depth %u)
*** Restarting wait on critsec or resource at %p (in %ws:%s)
*** enter .cxr %p for the context
*** enter .exr %p for the exception record
The instruction at %p tried to %s
*** An Access Violation occurred in %ws:%s
This means that the I/O device reported an I/O error. Check your hardware.
This failed because of error %x.
*** Inpage error in %ws:%s
The critical section is owned by thread %x.
*** Critical Section Timeout (%p) in %ws:%s
The resource is owned shared by %d threads
The resource is owned exclusively by thread %x
*** Resource timeout (%p) in %ws:%s
The stack trace should show the guilty function (the function directly above __report_gsfailure).
*** A stack buffer overrun occurred in %ws:%s
*** Unhandled exception 0xlx, hit in %ws:%s
Trace database: failing attempt to save biiiiig trace (size %u)
*** RtlpMuiRegLoadLicInformation failed with status %x
.hotp1
None%s
I64X: VA32 X -> X %s
I64X: PC32 X -> X (target %p) %s
I64X: VA64 6I64X -> 6I64X %s
Validation failure. Source = %p, Target = %p, Size = %x
Validation failed for global range %u of %u
I64X: jmp X (PC X) {
Unsupported template type
Inserting %u hooks into target image
Header too large (%u>%u) for copy/normalize/validate
Error code: %d - %s
heap_failure_cross_heap_operation
This is located in the %s field of the heap header.
Heap Segment at %p contains invalid NumberOfUnCommittedRanges (%x != %x)
Heap Segment at %p contains invalid NumberOfUnCommittedPages (%x != %x)
Heap block at %p has incorrect segment offset (%x)
Heap entry %p has incorrect PreviousSize field (x instead of x)
Invalid CommitSize parameter - %x
Invalid ReserveSize parameter - %x
Invalid address specified to %s( %p, %p )
Tag x (%ws) size incorrect (%x != %x) %p
Pseudo Tag x size incorrect (%x != %x) %p
dedicated (x) free list element %p is marked busy
Invalid allocation size - %x (exceeded %x)
Just allocated block at %p for 0x%x bytes with tag %ws
Just allocated block at %p for %x bytes
Just reallocated block at %p to 0x%x bytes with tag %ws
Just reallocated block at %p to %x bytes
About to rellocate block at %p to 0x%x bytes with tag %ws
About to reallocate block at %p to %x bytes
d:\win7sp1_gdr\minkernel\threadpool\ntdll\timer.c
d:\win7sp1_gdr\minkernel\threadpool\ntdll\pool.c
d:\win7sp1_gdr\minkernel\threadpool\ntdll\work.c
AlpcReturn = %p, AlpcPort = %p, Callback = %p, Context = %p, CallbackEnviron = %p
TppIopExecuteCallback
Pool = %p, MinThreads = %d
Pool = %p, MaxThreads = %d
File = %x, Direct = %p, Pool = %p
AlpcPort = %x, Direct = %p, Pool = %p
TimerQueueQueue = %p, Timer = %p, DueTime = 0x%I64x, Window = %d
Setting KTimer to 0x6I64x (%s)
KTimer already set for due time = 0x6x
TimerQueue = %p, DoAbsoluteQueue = %s
CapturedPeriod = %d
CapturedWindow = %d
Callback = %p, Context = %p, CallbackEnviron = %p, Flags = 0xx
Wait = %p, WaitStatus = 0xx
Executing Wait callback %p(%p, %p, %p, 0xx)
Count = %d
Work = %p, Context = %p, CallbackEnviron = %p, Flags = 0xx, CleanupGroupVFuncs = %p, TaskVFuncs = %p
CleanupGroupMember = %p, CancelledCallbackCount = %d
CleanupGroupMember = %p, CallbackCount = %d
CleanupGroupMember = %p, Context = %p, CallbackEnviron = %p, Flags = 0xx, VFuncs = %p
d:\win7sp1_gdr\minkernel\threadpool\ntdll\worker.c
Tcb = %p, Wait = %p, CapturedHandle = %x
Tcb = %p, Index = %d, Wait = %p, Status = x
CapturedHasDueTime = %s
CapturedHasDueType = %s
CapturedHandle = 0x%x
Waiter wait completed with status x
Waiter is waiting: Tcb->ActiveWaits = %d, TimeoutPtr = %p, Timeout = 6I64x
*** RESCACHE: Segment %u is no longer valid. It may have been unmapped already!!! ***
*** RESCACHE: Segment %u magic field is corrupt!!! ***
ProcessHeapsListIndex
Status: x
Timer = %p, DueTime = 0x6I64x, Period = %d, WindowLength = %d
Invalid parameter passed to C runtime function.
Unhandled Exception: .exr %p - .cxr %p - Status 0xx - dt nt!_TP_CALLBACK_INSTANCE %p
Exception: .exr %p - .cxr %p - Status 0xx - dt nt!_TP_CALLBACK_INSTANCE %p
d:\win7sp1_gdr\minkernel\threadpool\ntdll\tp.c
x @ u: %s: %s:
.sb_data
ntdll.pdb
%s\%sd
\\?\UNC
\\?\UNC\
csrsrv.dll
\Registry\Machine\Software\Microsoft\Windows nt\currentversion\appcompatflags\AIT
\Registry\Machine\Software\Policies\Microsoft\Windows\Appcompat\
\Registry\User\.Default
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion
%ws\%u
MSCOREE.DLL
ApiPort
CSRPORT!
\Sessions\%ld\Windows\SharedSection
PCATESTDEPRECATION.DLL
MSVBVM50.DLL
MSVCP50.DLL
D3DRM.DLL
kernelbase.dll
kernel32.dll
SPPsvc.exe
DebugProcessHeapOnly
ADVAPI32.DLL
\Registry\Machine\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
.Local
"/\[]:|<> =;,?*
Objects=%4u
Objects>%4u
\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
verifier.dll
\KernelObjects\SystemErrorPortReady
\WindowsErrorReportingServicePort
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\
\Registry\Machine\Software\Microsoft\SQMClient\Windows\WMR
\Registry\Machine\Software\Microsoft\Windows\Windows Error Reporting\Escalation
%d.%d.%d.%d
WindowsMessageReportingB1
WinShipAssert
\Software\Microsoft\Windows
svchost.exe
\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledProcesses\
\Registry\Machine\Software\Microsoft\SQMClient\Windows\CommonDatapoints\
\Registry\Machine\Software\Microsoft\SQMClient\Windows\DisabledSessions\
\Registry\Machine\Software\Microsoft\SQMClient\Windows
\Registry\Machine\Software\Policies\Microsoft\SQMClient\Windows
ASqmManifest_%x
\Registry\Machine\Software\Microsoft\SQMClient\Windows\AdaptiveSqm\Throttling
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options
\SmApiPort
\SystemRoot\bootstat.dat
X:%u.%u.%u.%u
%%%u!%s!
WindowsExcludedProcs
KERNEL32.DLL
%SystemRoot%
windows seven
windows vista
\\.\CON
{lx-x-x-xx-xxxxxx}
.Local\
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\SideBySide\AssemblyStorageRoots
%s\%s%d%s
%s%s%d
%s%s%d%s
%s\%sd\%s*%s
Global\%s/%sd%s
%sd-%s%s
%s\%sd%s
%s\%sd\%s
%sd-%s
TimeZoneKeyName
.owner
.init
ResCache.hit
ResCache.dir
%s\%s
%s_%d
ResCache.usg
ResCache.mni
ResCache.ccm
%s\%s\%s
Global\%s%s%s
%s\%s*%s
%s\*\%s
%s\%s*
Global\%s/base%s
%sd-%s%d
%sd-%s%d%s
%s\%sd\%s%d%s
6.1.7601.17725 (win7sp1_gdr.111116-1503)
Windows
Operating System
6.1.7601.17725
The operation that was requested is pending completion.
An open/create operation completed while an oplock break is underway.
{Connect Failure on Primary Transport}
An attempt was made to connect to the remote server %hs on the primary transport, but the connection failed.
The computer WAS able to connect on a secondary transport.
Cached page was locked during operation.
A file system or file system filter driver has successfully completed an FsFilter operation.
An operation is blocked waiting for an oplock.
{Local Session Key}
A user session key was requested for a local RPC connection. The session key returned is a constant value and not unique to this connection.
A serial I/O operation was completed by another write to a serial port.
A serial I/O operation completed because the time-out period expired. (The IOCTL_SERIAL_XOFF_COUNTER had not reached zero.)
{Password Too Complex}
The Windows password is too complex to be converted to a LAN Manager password. The LAN Manager password returned is a NULL string.
The network transport returned partial data to its client. The remaining data will be sent later.
The network transport returned data to its client that was marked as expedited by the remote system.
The network transport returned partial data to its client and this data was marked as expedited by the remote system. The remaining data will be sent later.
The specified registry key is referenced by a predefined handle.
A yield execution was performed and no thread was available to run.
The operating system will currently accept only 16-bit (R2) pc-cards on this controller.
The CPUs in this multiprocessor system are not all the same revision level. To use all processors the operating system restricts itself to the features of the least capable processor in the system. Should problems occur with this system, contact the CPU manufacturer to see if this mix of processors is supported.
Windows has detected that the system firmware (BIOS) was updated [previous firmware date = %2, current firmware date %3].
The receive operation was successful. Check the ALPC completion list for the received message.
The attempt to commit the Transaction completed, but it is possible that some portion of the transaction tree did not commit successfully due to heuristics. Therefore it is possible that some data modified in the transaction may not have committed, resulting in transactional inconsistency. If possible, check the consistency of the associated data.
The %hs display driver has detected and recovered from a failure. Some graphical operations may have failed. The next time you reboot the machine a dialog will be displayed giving you a chance to upload data about this failure to Microsoft.
A single step or trace operation has just been completed.
Handles to objects have been automatically closed as a result of the requested operation.
During the translation of a global identifier (GUID) to a Windows security ID (SID), no administratively-defined GUID prefix was found. A substitute prefix was used, which will not compromise system security. However, this may provide a more restrictive access than intended.
The media has changed and a verify operation is in progress so no reads or writes may be performed to the device, except those used in the verify operation.
No more entries are available from an enumeration operation.
A long jump has been executed.
The Plug and Play query operation was not successful.
A frame consolidation has been executed.
The application is attempting to run executable code from the module %hs. This may be insecure. An alternative, %hs, is available. Should the application use the secure module %hs?
The application is loading executable code from the module %hs. This is secure, but may be incompatible with previous releases of the operating system. An alternative, %hs, is available. Should the application use the secure module %hs?
The create operation stopped after reaching a symbolic link.
The device has indicated that it's door is open. Further operations require it closed and secured.
Windows discovered a corruption in the file "%hs".
BitLocker encryption keys were ignored because the volume was in a transient state.
A virtual machine is running with its memory allocated across multiple NUMA nodes. This does not indicate a problem unless the performance of your virtual machine is unusually slow. If you are experiencing performance problems, you may need to modify the NUMA configuration. For detailed information, see hXXp://go.microsoft.com/fwlink/?LinkId=92362.
The regeneration operation was not able to copy all data from the active plexes due to bad sectors.
One or more disks were not fully migrated to the target pack. They may or may not require reimport after fixing the hardware problems.
Some BCD entries were not imported correctly from the BCD store.
{Operation Failed}
The requested operation was unsuccessful.
The requested operation is not implemented.
The instruction at 0xlx referenced memory at 0xlx. The memory could not be %s.
The instruction at 0x%p referenced memory at 0x%p. The required data was not placed into memory because of an I/O error status of 0x%x.
An invalid parameter was passed to a service or function.
The specified request is not a valid operation for the target device.
The specified I/O request packet (IRP) cannot be disposed of because the I/O operation is not complete.
Not enough virtual memory or paging file quota is available to complete the specified operation.
An attempt was made to execute an illegal instruction.
An attempt was made to execute an invalid lock sequence.
There is a mismatch between the type of object required by the requested operation and the type of object that is specified in the request.
Windows cannot continue from this exception.
An invalid or unaligned stack was encountered during an unwind operation.
An invalid unwind target was encountered during an unwind operation.
Device parity error on I/O operation.
Invalid Object Attributes specified to NtCreatePort or invalid Port Attributes specified to NtConnectPort
Length of message passed to NtRequestPort or NtRequestWaitReplyPort was longer than the maximum message allowed by the port.
Attempt to send a message to a disconnected communication port.
The NtConnectPort request is refused.
The type of port handle is invalid for the operation requested.
Insufficient quota exists to complete the operation
An attempt to set a process's DebugPort or ExceptionPort was made, but a port already exists in the process or an attempt to set a file's CompletionPort made, but a port was already set in the file or an attempt to set an ALPC port's associated completion port was made, but it is already set.
An operation involving EAs failed because the file system does not support EAs.
An EA operation failed because EA set is too large.
An EA operation failed because the name or EA index is invalid.
A non close operation has been requested of a file object with a delete pending.
An attempt was made to set the control attribute on a file. This attribute is not supported in the target file system.
An attempt has been made to operate on an impersonation token by a thread that is not currently impersonating a client.
Indicates the requested operation would disable or delete the last remaining administration account.
When trying to update a password, this return status indicates that the value provided as the current password is not correct.
When trying to update a password, this return status indicates that the value provided for the new password contains values that are not allowed in passwords.
When trying to update a password, this status indicates that some password update rule has been violated. For example, the password may not meet length criteria.
The user account's password has expired.
%hs is either not designed to run on Windows or it contains an error. Try installing the program again using the original installation media or contact your system administrator or the software vendor for support.
An operation failed because the disk was full.
Floating-point denormal operand.
Floating-point invalid operation.
An attempt was made to install more paging files than the system supports.
An attempt was made to execute an instruction at an unaligned address and the host system does not support unaligned instruction references.
The maximum named pipe instance count has been reached.
An instance of a named pipe cannot be found in the listening state.
The named pipe is not in the connected or closing state.
The specified pipe is set to complete operations and there are current I/O operations queued so it cannot be changed to queue operations.
The specified handle is not open to the server end of the named pipe.
The specified named pipe is in the disconnected state.
The specified named pipe is in the closing state.
The specified named pipe is in the connected state.
The specified named pipe is in the listening state.
The specified named pipe is not in message mode.
The specified I/O operation on %hs was not completed before the time-out period expired.
The passed ACL did not contain the minimum required information.
The request is not supported.
Indicates an attempt was made to operate on the security of an object that does not have security associated with it.
Used to indicate that an operation cannot continue without blocking for I/O.
Used to indicate that a read operation was done on an empty pipe.
Indicates the Sam Server was in the wrong state to perform the desired operation.
Indicates the Domain was in the wrong state to perform the desired operation.
This operation is only allowed for the Primary Domain Controller of the domain.
This error indicates that the requested operation cannot be completed due to a catastrophic media failure or on-disk data structure corruption.
An invalid parameter was passed to a service or function as the first argument.
An invalid parameter was passed to a service or function as the second argument.
An invalid parameter was passed to a service or function as the third argument.
An invalid parameter was passed to a service or function as the fourth argument.
An invalid parameter was passed to a service or function as the fifth argument.
An invalid parameter was passed to a service or function as the sixth argument.
An invalid parameter was passed to a service or function as the seventh argument.
An invalid parameter was passed to a service or function as the eighth argument.
An invalid parameter was passed to a service or function as the ninth argument.
An invalid parameter was passed to a service or function as the tenth argument.
An invalid parameter was passed to a service or function as the eleventh argument.
An invalid parameter was passed to a service or function as the twelfth argument.
A malformed function table was encountered during an unwind operation.
The logon session is not in a state that is consistent with the requested operation.
Indicates that an attempt has been made to impersonate via a named pipe that has not yet been read from.
Indicates that the transaction state of a registry sub-tree is incompatible with the requested operation. For example, a request has been made to start a new transaction with one already in progress, or a request has been made to apply a transaction when one is not currently in progress.
This error should only be returned by the Windows redirector on a remote drive.
Indicates an operation has been attempted on a built-in (special) SAM account which is incompatible with built-in accounts. For example, built-in accounts cannot be deleted.
The operation requested may not be performed on the specified group because it is a built-in special group.
The operation requested may not be performed on the specified user because it is a built-in special user.
An I/O request other than close and several other special case operations was attempted using a file object that had already been closed.
An attempt was made to operate on a thread within a specific process, but the thread specified is not in the process specified.
Your system is low on virtual memory. To ensure that Windows runs properly, increase the size of your virtual memory paging file. For more information, see Help.
The specified image file did not have the correct format, it appears to be a 16-bit Windows image.
The SAM database on a Windows Server is significantly out of synchronization with the copy on the Domain Controller. A complete synchronization is required.
The NtCreateFile API failed. This error should never be returned to an application, it is a place holder for the Windows Lan Manager Redirector to use in its internal error mapping routines.
The network transport on your computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on a remote computer has closed a network connection. There may or may not be I/O requests outstanding.
The network transport on your computer has closed a network connection because it had to wait too long for a response from the remote computer.
The connection handle given to the transport was invalid.
The address handle given to the transport was invalid.
The exception %s (0xlx) occurred in the application at location 0xlx.
An invalid level was passed into the specified system call.
{Incorrect Password to LAN Manager Server}
You specified an incorrect password to a LAN Manager 2.x or MS-NET server.
The pipe operation has failed because the other end of the pipe has been closed.
An I/O operation initiated by the Registry failed unrecoverably. The Registry could not read in, or write out, or flush, one of the files that contain the system's image of the Registry.
An event pair synchronization operation was performed using the thread specific client/server event pair object, but no event pair object was associated with the thread.
The maximum number of secrets that may be stored in a single system has been exceeded. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The length of a secret exceeds the maximum length allowed. The length and number of secrets is limited to satisfy United States State Department export restrictions.
The requested operation cannot be performed in fullscreen mode.
An attempt was made to change a user password in the security account manager without providing the necessary Windows cross-encrypted password.
A Windows Server has an incorrect configuration.
The floppy disk controller reported an error that is not recognized by the floppy disk driver.
While accessing the hard disk, a recalibrate operation failed, even after retries.
While accessing the hard disk, a disk operation failed even after retries.
Two concurrent opens of devices that share an IRQ and only work via interrupts is not supported for the particular bus type that the devices use.
Illegal operation attempted on a registry key which has been marked for deletion.
An attempt was made to change a user password in the security account manager without providing the necessary LM cross-encrypted password.
An attempt was made to create a symbolic link in a registry key that already has subkeys or values.
An attempt was made to create a Stable subkey under a Volatile parent key.
The I/O device reported an I/O error.
Log file space is insufficient to support this operation.
A write operation was attempted to a volume after it was dismounted.
The SAM database on the Windows Server does not have a computer account for this workstation trust relationship.
A requested file lock operation cannot be processed due to an invalid byte range.
The subsystem needed to support the image type is not present.
There is no user session key for the specified logon session.
The size of the buffer is invalid for the specified operation.
The transport rejected the network address specified as invalid.
The transport rejected the network address specified due to an invalid use of a wildcard.
The transport address could not be opened because all the available addresses are in use.
The transport address could not be opened because it already exists.
The transport address is now closed.
The transport connection is now disconnected.
The transport connection has been reset.
The transport cannot dynamically acquire any more nodes.
The transport aborted a pending transaction.
The transport timed out a request waiting for a response.
The transport did not receive a release for a pending response.
The transport did not find a transaction matching the specific token.
The transport had previously responded to a transaction request.
The transport does not recognized the transaction request identifier specified.
The transport does not recognize the transaction request type specified.
The transport can only process the specified request on the server side of a session.
The transport can only process the specified request on the client side of a session.
The %hs system process terminated unexpectedly with a status of 0xx (0xx 0xx).
Windows was unable to save all the data for the file %hs. The data has been lost. This error may be caused by a failure of your computer hardware or network connection. Please try to save this file elsewhere.
The parameter(s) passed to the server in the client/server shared memory window were invalid. Too much data may have been put in the shared memory window.
The user's password must be changed before logging on the first time.
Internal OFS status codes indicating how an allocation operation is handled. Either it is retried after the containing onode is moved or the extent stream is converted to a large stream.
The attempt to find the object found an object matching by ID on the volume but it is out of the scope of the handle used for the operation.
The user account has been automatically locked because too many invalid logon attempts or password change attempts have been requested.
The transport connection attempt was refused by the remote system.
The transport connection was gracefully closed.
The transport endpoint already has an address associated with it.
An address has not yet been associated with the transport endpoint.
An operation was attempted on a nonexistent transport connection.
An invalid operation was attempted on an active transport connection.
The remote network is not reachable by the transport.
The remote system is not reachable by the transport.
The remote system does not support the transport protocol.
No service is operating at the destination port of the transport on the remote system.
The transport connection was aborted by the local system.
The requested operation cannot be performed on a file with a user mapped section open.
Attempting to login during an unauthorized time of day for this account.
The account is not authorized to login from this station.
The dynamic link library %hs is not written correctly. The stack pointer has been left in an inconsistent state. The entrypoint should be declared as WINAPI or STDCALL. Select YES to fail the DLL load. Select NO to continue execution. Selecting NO may cause the application to operate incorrectly.
The %hs service is not written correctly. The stack pointer has been left in an inconsistent state. The callback entrypoint should be declared as WINAPI or STDCALL. Selecting OK will cause the service to continue operation. However, the service process may operate incorrectly.
The contacted server does not support the indicated part of the DFS namespace.
A callback return system service cannot be executed when no callback is active.
The password provided is too short to meet the policy of your user account. Please choose a longer password.
The policy of your user account does not allow you to change passwords too frequently. This is done to prevent users from changing back to a familiar, but potentially discovered, password. If you feel your password has been compromised then please contact your administrator immediately to have a new one assigned.
You have attempted to change your password to one that you have used in the past. The policy of your user account does not allow this. Please select a password that you have not previously used.
The specified compression format is unsupported.
An attempt was made to create more links on a file than the file system supports.
{Windows Evaluation Notification}
The evaluation period for this installation of Windows has expired. This system will shutdown in 1 hour. To restore access to this installation of Windows, please upgrade this installation using a licensed distribution of this product.
The system DLL %hs was relocated in memory. The application will not run properly. The relocation occurred because the DLL %hs occupied an address range reserved for Windows system DLLs. The vendor supplying the DLL should be contacted for a new DLL.
Error Status was 0x%x
An operation was attempted to a volume after it was dismounted.
There was no match for the specified key in the index.
The Windows I/O reparse tag passed for the NTFS reparse point is invalid.
The Windows I/O reparse tag does not match the one present in the NTFS reparse point.
The user data passed for the NTFS reparse point is invalid.
There are no EFS keys defined for the user.
The specified file is not in the defined EFS export format.
The guid passed was not recognized as valid by a WMI data provider.
The instance name passed was not recognized as valid by a WMI data provider.
The data item id passed was not recognized as valid by a WMI data provider.
The remote storage service is not operational at this time.
The requested operation could not be performed because the directory service is not the master for that type of operation.
The requested operation did not satisfy one or more constraints associated with the class of the object.
The directory service can perform the requested operation only on a leaf object.
The directory service cannot perform the requested operation on the Relatively Defined Name (RDN) attribute of an object.
An error occurred while performing a cross domain move operation.
The requested operation requires a directory service, and none was available.
The requested interface is not supported.
The driver %hs does not support standby mode. Updating this driver may allow the system to go to standby mode.
Mutual Authentication failed. The server's password is out of date at the domain controller.
Your system is low on virtual memory. Windows is increasing the size of your virtual memory paging file. During this process, memory requests for some applications may be denied. For more information, see Help.
The medium changer's transport element contains media, which is causing the operation to fail.
Error Status: 0x%x.
This operation is supported only when you are connected to the server.
The system image %s is not properly signed. The file has been replaced with the signed file. The system has been shut down.
Current device power state cannot support this request.
The WMI operation is not supported by the data block or method.
There is not enough power to complete the requested operation.
Security Account Manager needs to get the boot password.
Security Account Manager needs to get the boot key from floppy disk.
The requested operation can be performed only on a global catalog server.
Your computer could not be joined to the domain. You have exceeded the maximum number of computer accounts you are allowed to create in this domain. Contact your system administrator to have this limit reset or increased.
This operation cannot be performed on the current domain.
The other end of the security negotiation is requires strong crypto but it is not supported on the local machine.
The client certificate does not contain a valid UPN, or does not match the client name in the logon request. Please contact your administrator.
The encryption type requested is not supported by the KDC.
This operation is not supported on a computer running Windows Server 2003 for Small Business Server
The Master File Table on the volume is too fragmented to complete this operation.
Copy protection error - The given sector does not contain a valid key.
Copy protection error - DVD session key not established.
The Kerberos protocol encountered an error while validating the KDC certificate during smartcard Logon. There is more information in the system event log.
The transport determined that the remote system is down.
An unsupported preauthentication mechanism was presented to the Kerberos package.
The encryption algorithm used on the source file needs a bigger key buffer than the one used on the destination file.
An attempt to remove a process's DebugPort was made, but a port was not already associated with the process.
Debugger Inactive: Windows may have been started without kernel debugging enabled.
This version of Windows is not compatible with the behavior version of directory forest, domain or domain controller.
The specified image file did not have the correct format, it appears to be a 32-bit Windows image.
The specified image file did not have the correct format, it appears to be a 64-bit Windows image.
The SID filtering operation removed all SIDs.
The create operation failed because the name contained at least one mount point which resolves to a volume to which the specified device object is not attached.
A dynamic link library (DLL) referenced a module that was neither a DLL nor the process's executable image.
The requested key container does not exist on the smart card
The requested certificate does not exist on the smart card
The requested keyset does not exist
The smartcard certificate used for authentication has been revoked. Please contact your system administrator. There may be additional information in the event log.
An untrusted certificate authority was detected While processing the smartcard certificate used for authentication. Please contact your system administrator.
The revocation status of the smartcard certificate used for authentication could not be determined. Please contact your system administrator.
The smartcard certificate used for authentication was not trusted. Please contact your system administrator.
The smartcard certificate used for authentication has expired. Please
The Kerberos subsystem encountered an error. A service for user protocol request was made against a domain controller which does not support service for user.
An attempt was made by this server to make a Kerberos constrained delegation request for a target outside of the server's realm. This is not supported, and indicates a misconfiguration on this server's allowed to delegate to list. Please contact your administrator.
The revocation status of the domain controller certificate used for smartcard authentication could not be determined. There is additional information in the system event log. Please contact your system administrator.
An untrusted certificate authority was detected while processing the domain controller certificate used for authentication. There is additional information in the system event log. Please contact your system administrator.
The domain controller certificate used for smartcard logon has expired. Please contact your system administrator with the contents of your system event log.
The domain controller certificate used for smartcard logon has been revoked. Please contact your system administrator with the contents of your system event log.
Data present in one of the parameters is more than the function can operate on.
An attempt to delay-load a .dll or get a function address in a delay-loaded .dll failed.
%hs is a 16-bit application. You do not have permissions to execute 16-bit applications. Check your permissions with your system administrator.
The %hs display driver has stopped working normally. Save your work and reboot the system to restore full display functionality. The next time you reboot the machine a dialog will be displayed giving you a chance to report this failure to Microsoft.
An invalid parameter was passed to a C runtime function.
Illegal operation attempted on a registry key which has already been unloaded.
The requested operation could not be completed due to a file system limitation
Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.
The requested operation is out of order with respect to other operations.
An operation attempted to exceed an implementation-defined limit.
The requested operation requires elevation.
The PKU2U protocol encountered an error while attempting to utilize the associated certificates.
The operation was attempted beyond the valid data length of the file.
The attempted write operation encountered a write already in progress for some portion of the range.
The page fault mappings changed in the middle of processing a fault so the operation must be retried.
Client Side Encryption is not supported by the remote server even though it claims to support it.
The specified thread is already joining a task.
A callback has requested to bypass native code.
Windows cannot verify the digital signature for this file. The signing certificate for this file has been revoked.
The ALPC port is closed.
The connection port is used in an invalid context.
The ALPC port does not accept new request messages.
The hardware has reported an uncorrectable memory error.
Status 0xx was returned, waiting on handle 0x%x for wait 0x%p, in waiter 0x%p.
After a callback to 0x%p(0x%p), a completion call to SetEvent(0x%p) failed with status 0xx.
After a callback to 0x%p(0x%p), a completion call to ReleaseSemaphore(0x%p, %d) failed with status 0xx.
After a callback to 0x%p(0x%p), a completion call to ReleaseMutex(%p) failed with status 0xx.
After a callback to 0x%p(0x%p), an completion call to FreeLibrary(%p) failed with status 0xx.
A threadpool worker thread is impersonating a client, after executing an APC.
The client certificate account mapping is not unique.
The specified port already has a completion list.
A threadpool worker thread enter a callback at thread base priority 0x%x and exited at priority 0x%x.
An invalid thread, handle %p, is specified for this operation. Possibly, a threadpool worker thread was specified.
The attempted operation required self healing to be enabled.
The Directory Service cannot perform the requested operation because a domain rename operation is in progress.
The requested file operation failed because the storage quota was exceeded.
The requested file operation failed because the storage policy blocks that type of file. For more information, contact your system administrator.
The operation could not be completed due to bad clusters on disk.
The operation could not be completed because the volume is dirty. Please run chkdsk and try again.
Access Denied. Before opening files in this location, you must first browse to the web site and select the option to login automatically.
Operation did not complete successfully because the file contains a virus.
The operation did not complete successfully because it would cause an oplock to be broken. The caller has requested that existing oplocks not be broken.
The cryptographic provider does not support HMAC.
An operation or data has been rejected while on the network fast path.
Windows was unable to save all the data for the file %hs; the data has been lost.
Windows was unable to parse the requested XML data.
The RPC protocol sequence is not supported.
Not enough resources are available to complete this operation.
The RPC server is too busy to complete this operation.
The remote procedure call failed and did not execute.
The transfer syntax is not supported by the RPC server.
The type UUID is not supported.
The name syntax is not supported.
The operation cannot be performed.
No interfaces have been exported.
There is nothing to unexport.
The requested operation is not supported.
A floating point operation at the RPC server caused a divide by zero.
The requested authentication level is not supported.
The error specified is not a valid Windows RPC error code.
Invalid asynchronous RPC call handle for this operation.
Access to the HTTP proxy is denied.
HTTP proxy server rejected the connection because the cookie authentication failed.
A null context handle is passed as an [in] parameter.
The binding handles passed to a remote procedure call do not match.
A null reference pointer was passed to the stub.
Invalid operation on the encoding/decoding handle.
The RPC pipe object is invalid or corrupted.
An invalid operation was attempted on an RPC pipe object.
Unsupported RPC pipe version.
The RPC pipe object has already been closed.
The RPC call completed before all pipes were processed.
No more data is available from the RPC pipe.
Reissue the given operation as a cached IO operation
A close operation is pending on the Terminal Connection.
The MODEM.INF file was not found.
The modem (%1) was not found in MODEM.INF.
Transport driver error
An attempt has been made to connect to a session whose video mode is not supported by the current client.
DOS graphics mode is not supported.
The requested operation can be performed only on the system console.
Disconnecting the console session is not supported.
Reconnecting a disconnected session to the console is not supported.
The remote control of the console was terminated because the display mode was changed. Changing the display mode in a remote control session is not supported.
Windows can't connect to your session because a problem occurred in the Windows video subsystem. Try connecting again later, or contact the server administrator for assistance.
The resource loader failed to load MUI file because the file fail to pass validation.
The RC Manifest is corrupted with garbage data or unsupported version or missing required item.
A node is in the process of joining the cluster.
A cluster join operation is not in progress.
Windows was not able to process the application binding information.
The requested lookup key was not found in any active activation context.
Lack of system resources has required isolated activation to be disabled for the current thread of execution.
The activation context being deactivated is not active for the current thread of execution.
The activation context activation stack for the running thread of execution is corrupt.
A generic command executable returned a result that indicates failure.
The transaction handle associated with this operation is not valid.
The requested operation was made in the context of a transaction that is no longer active.
The Transaction Manager was unable to be successfully initialized. Transacted operations are not supported.
Transaction support within the specified resource manager is not started or was shut down due to an error.
The resource manager has attempted to prepare a transaction that it has not successfully joined.
The remote server or share does not support transacted file operations.
The Transaction object already has a superior enlistment, and the caller attempted an operation that would have created a new superior. Only a single superior enlistment is allowed.
The requested operation is not valid on the Transaction object in its current state.
It is too late to perform the requested operation, since the Transaction has already been aborted.
It is too late to perform the requested operation, since the Transaction has already been committed.
The buffer passed in to NtPushTransaction or NtPullTransaction is not in a valid format.
The operation cannot be performed because another transaction is depending on the fact that this property will not change.
The operation would involve a single file with two transactional resource managers and is therefore not allowed.
The $Txf directory must be empty for this operation to succeed.
The operation would leave a transactional resource manager in an inconsistent state and is therefore not allowed.
The operation could not be completed because the transaction manager does not have a log.
A rollback could not be scheduled because a previously scheduled rollback has already executed or been queued for execution.
The encryption operation could not be completed because a transaction is active.
Memory mapping (creating a mapped section) a remote file under a transaction is not supported.
This file is open for modification in an unresolved transaction and may be opened for execute only by a transacted reader.
The target volume is not a snapshot volume. This operation is only valid on a volume mounted as a snapshot.
The savepoint operation failed because files are open on the transaction. This is not permitted.
The sparse operation could not be completed because a transaction is active on the file.
The call to create a TransactionManager object failed because the Tm Identity stored in the logfile does not match the Tm Identity that was passed in as an argument.
The compression operation could not be completed because a transaction is active on the file.
The specified operation could not be performed on this Superior enlistment, because the enlistment was not created with the corresponding completion response in the NotificationMask.
The specified operation could not be performed, because the record that would be logged was too long. This can occur because of two conditions: either there are too many Enlistments on this Transaction, or the combined RecoveryInformation being logged on behalf of those Enlistments is too long.
The link tracking operation could not be completed because a transaction is active.
This operation cannot be performed in a transaction.
This snapshot operation cannot continue because a transactional resource manager cannot be frozen in its current state. Please try again.
The specified operation could not be performed because the resource manager is not enlisted in the transaction.
A policy on the log in question prevented the operation from completing.
Log is multiplexed, no direct writes to the physical log is allowed.
The operation failed because the log is a dedicated log.
The operation requires an archive context.
The operation requires a non-ephemeral log, but the log is ephemeral.
A handler was not defined by the filter for this operation.
Asynchronous requests are not valid for this operation.
Internal error code used by the filter manager to determine if a fastio operation should be forced down the IRP path. Mini-filters should never return this value.
Posting this operation to a worker thread for further processing is not safe at this time because it could lead to a system deadlock.
The filter must cleanup any operation specific context at this time because it is being removed from the system before the operation is completed by the lower drivers.
The Filter Manager had an internal error from which it cannot recover, therefore the operation has been failed. This is usually the result of a filter returning an invalid value from a pre-operation callback.
A duplicate handler definition has been provided for an operation.
Format of the obtained monitor descriptor is not supported by this release.
The driver needs more DMA buffer space in order to complete the requested operation.
Not enough video memory available to complete the operation.
The allocation can't be used from it's current segment location for the specified operation.
Specified VidPN topology is valid but is not supported by this model of the display adapter.
Specified VidPN topology is valid but is not supported by the display adapter at this time, due to current allocation of its resources.
Specified VidPN modality is not supported (e.g. at least two of the pinned modes are not cofunctional).
Miniport has no recommendation for augmentation of the specified VidPN's topology.
Miniport does not have any recommendation regarding the request to provide a functional VidPN given the current display adapter configuration.
System failed to determine a mode that is supported by both the display adapter and the monitor connected to it.
Specified VidPN present path importance ordinal is invalid.
Specified content geometry transformation is not supported on the respective VidPN present path.
Specified gamma ramp is not supported on the respective VidPN present path.
Multi-sampling is not supported on the respective VidPN present path.
All available importance ordinals are already used in specified topology.
Maximum supported number of present paths has been reached.
Miniport requested that augmentation be cancelled for the specified source of the specified VidPN's topology.
Specified display adapter child device does not support descriptor exposure.
An operation is being attempted that requires the display adapter to be in a quiescent state.
The driver does not support OPM.
The driver does not support COPP.
The driver does not support UAB.
The GDI display device passed to this function does not have any active protected outputs.
An internal error caused an operation to fail.
The function failed because the caller passed in an invalid OPM user mode handle.
A certificate could not be returned because the certificate buffer passed to the function was too small.
The HDCP System Renewability Message passed to this function did not comply with section 5 of the HDCP 1.1 specification.
The protected output cannot enable the High-bandwidth Digital Content Protection (HDCP) System because it does not support HDCP.
The protected output cannot enable Analogue Copy Protection (ACP) because it does not support ACP.
The protected output cannot enable the Content Generation Management System Analogue (CGMS-A) protection technology because it does not support CGMS-A.
The DxgkDdiOPMGetInformation function cannot return the version of the SRM being used because the application never successfully passed an SRM to the protected output.
The operating system asynchronously destroyed this OPM protected output because the operating system's state changed. This error typically occurs because the monitor PDO associated with this protected output was removed, the monitor PDO associated with this protected output was stopped, or the protected output's session became a non-console session.
The DxgkDdiOPMGetInformation and DxgkDdiOPMGetCOPPCompatibleInformation functions return this error code if the passed in sequence number is not the expected sequence number or the passed in OMAC value is invalid.
The DxgkDdiOPMGetCOPPCompatibleInformation and DxgkDdiOPMConfigureProtectedOutput functions return this error if the display driver does not support the DXGKMDT_OPM_GET_ACP_AND_CGMSA_SIGNALING and DXGKMDT_OPM_SET_ACP_AND_CGMSA_SIGNALING GUIDs.
The DxgkDdiOPMConfigureProtectedOutput function returns this error code if the passed in sequence number is not the expected sequence number or the passed in OMAC value is invalid.
The monitor does not support the specified VCP code.
The function failed because a monitor returned an invalid Timing Status byte when the operating system used the DDC/CI Get Timing Report & Timing Message command to get a timing report from a monitor.
A monitor returned a DDC/CI capabilities string which did not comply with the ACCESS.bus 3.0, DDC/CI 1.1, or MCCS 2 Revision 1 specification.
An operation failed because a DDC/CI message had an invalid value in its command field.
This function failed because an invalid monitor handle was passed to it.
The operating system asynchronously destroyed the monitor which corresponds to this handle because the operating system's state changed. This error typically occurs because the monitor PDO associated with this handle was removed, the monitor PDO associated with this handle was stopped, or a display mode change occurred. A display mode change occurs when windows sends a WM_DISPLAYCHANGE windows message to applications.
The function failed because the specified GDI display device was not attached to the Windows desktop.
This function does not support GDI mirroring display devices because GDI mirroring display devices do not have any physical monitors associated with them.
The function failed because an invalid pointer parameter was passed to it. A pointer parameter is invalid if it is NULL, it points to an invalid address, it points to a kernel mode address or it is not correctly aligned.
This function failed because the GDI device passed to it did not have any monitors associated with it.
An array passed to the function cannot hold all of the data that the function must copy into the array.
The volume is not encrypted, no key is available.
The volume cannot be encrypted because the file system is not supported.
This operation cannot be performed while a file system is mounted on the volume.
BitLocker Drive Encryption is not included with this version of Windows.
A read operation failed while converting the volume.
A write operation failed while converting the volume.
The encryption algorithm does not support the sector size of that volume.
The BitLocker startup key or recovery password could not be read from external media.
The BitLocker startup key or recovery password file is corrupt or invalid.
The BitLocker encryption key could not be obtained from the startup key or recovery password.
The authorization data for the Storage Root Key (SRK) of the Trusted Platform Module (TPM) is not zero.
The system boot information changed or the Trusted Platform Module (TPM) locked out access to BitLocker encryption keys until the computer is restarted.
The BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM).
The BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM) and PIN.
The Boot Configuration Data (BCD) settings are not supported or have changed since BitLocker was enabled.
The BitLocker encryption key could not be obtained.
The auto-unlock master key was not available from the operating system volume. Retry the operation using the BitLocker WMI interface.
This feature of BitLocker Drive Encryption is not included with this version of Windows.
The management information stored on the drive contained an unknown type. If you are using an old version of Windows, try accessing the drive from the latest version.
The BitLocker encryption key could not be obtained from the Trusted Platform Module (TPM) and enhanced PIN. Try using a PIN containing only numerals.
The operation is not supported by the specified layer.
The displayData.name field cannot be null.
A filter condition contains a match type that is not compatible with the operands.
A filter cannot contain multiple conditions operating on a single field.
A policy cannot contain the same keying module more than once.
The TCP/IP stack is not ready.
Network interface is not ready to complete this operation.
The length of the buffer submitted for this operation is not valid.
The data used for this operation is not valid.
The length of buffer submitted for this operation is too small.
Network interface does not support this OID (Object Identifier)
Network interface does not support this media type.
The I/O operation failed because network media is disconnected or wireless access point is out of range.
The offload operation on the network interface has been paused.
The revision number specified in the structure is not supported.
The specified port does not exist on this network interface.
The current state of the specified port on this network interface does not support the requested operation.
The miniport adapter is in lower power state.
Netword interface does not support this request.
The TCP connection is not offloadable because of a local policy setting.
The TCP connection is not offloadable by the Chimney offload target.
The wireless local area network interface is in auto configuration mode and doesn't support the requested parameter change operation.
The wireless local area network interface is busy and can not perform the requested operation.
The wireless local area network interface is power down and doesn't support the requested operation.
The hypervisor does not support the operation because the specified hypercall code is not supported.
The hypervisor does not support the operation because the encoding for the hypercall input register is not supported.
The hypervisor could not perform the operation beacuse a parameter has an invalid alignment.
The hypervisor could not perform the operation beacuse an invalid parameter was specified.
The hypervisor could not perform the operation because the partition is entering or in an invalid state.
The operation is not allowed in the current state.
There is not enough memory in the hypervisor pool to complete the operation.
The hypervisor could not perform the operation because the specified VP index is invalid.
The hypervisor could not perform the operation because the specified port identifier is invalid.
The hypervisor could not perform the operation because the specified connection identifier is invalid.
The hypervisor could not complete the operation because a required feature of the synthetic interrupt controller (SynIC) was disabled.
The hypervisor could not perform the operation because the object or value was either already in use or being used for a purpose that would not permit completing the operation.
The physical connection being used for debuggging has not recorded any receive activity since the last operation.
There are not enough resources to complete the operation.
IPsec DoS Protection received an IPsec negotiation packet for a keying module which is not allowed by policy.
Cannot unlock the page array for the guest operating system memory address because it does not match a previous lock request. Restarting the virtual machine may fix the problem. If the problem persists, try restarting the physical computer.
The non-uniform memory access (NUMA) node settings do not match the system NUMA topology. In order to start the virtual machine, you will need to modify the NUMA configuration. For detailed information, see hXXp://go.microsoft.com/fwlink/?LinkId=92362.
The lock or unlock request uses an invalid guest operating system memory address. Restarting the virtual machine may fix the problem. If the problem persists, try restarting the physical computer.
The specified disk is an invalid disk. Operation cannot complete on an invalid disk.
The disk layout contains more than the maximum number of supported partitions.
The specified disk is missing. The operation cannot complete on a missing disk.
There is not enough usable space for this operation.
Dynamic disks are not supported on this system.
The system does not support fault tolerant volumes.
The specified number of plexes is invalid.
The specified pack is the invalid pack. The operation cannot complete with the invalid pack.
The specified disk has an unsupported partition style. Only MBR and GPT partition styles are supported.
The specified plex is already in-sync with the other active plexes. It does not need to be regenerated.
The specified plex index is greater or equal than the number of plexes in the volume.
The operation is only supported on RAID-5 plexes.
The operation is only supported on simple plexes.
The operation is only supported on mirrored volumes.
The operation is not supported on mirrored volumes.
The operation is only supported on simple and spanned plexes.
The system does not support mirrored volumes.
The system does not support RAID-5 volumes.
The version does not support this version of the file format.
The system does not support this version of the virtual hard disk.This version of the sparse header is not supported.
The system does not support this version of the virtual hard disk. The block size is invalid.
A virtual disk support provider for the specified file was not found.
The requested operation could not be completed due to a virtual disk system limitation. Virtual disks are only supported on NTFS volumes and must be both uncompressed and unencrypted.
The requested operation cannot be performed on a virtual disk of this type.
The requested operation cannot be performed on the virtual disk in its current state.
The sector size of the physical disk on which the virtual disk resides is not supported.
The Derived Indexed Store is not present (or currently loaded) on this system.

%original file name%.exe_1900_rwx_018D0000_000CA000:

=.cmd
=.pif
=.lnk
=.com
=.bat
USER32.dll
ActivateKeyboardLayout
ArrangeIconicWindows
CallMsgFilter
CallMsgFilterA
CallMsgFilterW
CascadeChildWindows
CascadeWindows
CliImmSetHotKey
CloseWindowStation
CreateDialogIndirectParamA
CreateDialogIndirectParamAorW
CreateDialogIndirectParamW
CreateWindowStationA
CreateWindowStationW
DisableProcessWindowsGhosting
DisplayExitWindowsWarnings
EnumChildWindows
EnumDesktopWindows
EnumThreadWindows
EnumWindowStationsA
EnumWindowStationsW
EnumWindows
ExitWindowsEx
GetAsyncKeyState
GetKeyNameTextA
GetKeyNameTextW
GetKeyState
GetKeyboardLayout
GetKeyboardLayoutList
GetKeyboardLayoutNameA
GetKeyboardLayoutNameW
GetKeyboardState
GetKeyboardType
GetProcessWindowStation
LoadKeyboardLayoutA
LoadKeyboardLayoutEx
LoadKeyboardLayoutW
LockWindowStation
MapVirtualKeyA
MapVirtualKeyExA
MapVirtualKeyExW
MapVirtualKeyW
MsgWaitForMultipleObjects
MsgWaitForMultipleObjectsEx
OemKeyScan
OpenWindowStationA
OpenWindowStationW
RegisterErrorReportingDialog
RegisterHotKey
RegisterSessionPort
SetKeyboardState
SetProcessWindowStation
SetWindowStationUser
SetWindowsHookA
SetWindowsHookExA
SetWindowsHookExW
SetWindowsHookW
SfmDxReportPendingBindingsToDwm
TileChildWindows
TileWindows
UnhookWindowsHook
UnhookWindowsHookEx
UnloadKeyboardLayout
UnlockWindowStation
UnregisterHotKey
UnregisterSessionPort
VkKeyScanA
VkKeyScanExA
VkKeyScanExW
VkKeyScanW
WINNLSGetIMEHotkey
keybd_event
CtfImmGetCompatibleKeyboardLayout
CtfImmSetDefaultRemoteKeyboardLayout
ImmProcessKey
ADVAPI32.dll
CFGMGR32.dll
MSIMG32.dll
POWRPROF.dll
WINSTA.dll
ReportEventW
CM_MapCrToWin32Err
KERNEL32.dll
GDI32.dll
ntdll.dll
RtlCheckRegistryKey
NtYieldExecution
NtCreateKey
NtSetValueKey
NtDeleteValueKey
NtEnumerateKey
NtOpenKey
NtQueryValueKey
GetViewportOrgEx
SetViewportOrgEx
GetViewportExtEx
GetCPInfo
GetSystemWindowsDirectoryW
RegOpenKeyExW
RegQueryInfoKeyW
RegCloseKey
RegCreateKeyExW
RegDeleteKeyExW
user32.pdb
windows.hlp
csrsrv.dll
\Registry\Machine\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3
\Registry\Machine\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3
kbdus.dll
Keyboard Layout\Preload
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layouts\
Control Panel\Input Method\Hot Keys
Virtual Key
Key Modifiers
keyboardlayout.ini
imm32.dll
Software\Policies\Microsoft\Windows NT\Reliability
\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Windows
\Registry\Machine\Software\Microsoft\Windows\CurrentVersion\Media Center\
\Registry\Machine\Software\Microsoft\Windows\Tablet PC\
POWRPROF.DLL
\Windows\WindowStations
\Windows
IMM32.DLL
&%d %ws
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout\
IgnoreRemoteKeyboardLayout
Keyboard Layout
kbdkor.dll
kbdjpn.dll
\Registry\Machine\System\CurrentControlSet\Control\Keyboard Layout
\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates\2BD63D28D7BCD0E251195AEB519243C13142EBC3
Hot Keys
00000409
\winhlp32.exe
x:\...\
OLE32.DLL
%SystemRoot%\System32\user32.dll
%s\%d
Software\Microsoft\Windows\CurrentVersion\Reliability
hh.exe
indicdll.dll
Multi-User Windows USER API Client DLL
6.1.7601.17514 (win7sp1_rtm.101119-1850)
Windows
Operating System
6.1.7601.17514


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    ipseccmd.dll:2816
    ipseccmd.dll:3668
    ipseccmd.dll:2968
    ipseccmd.dll:1848
    ipseccmd.dll:2496
    ipseccmd.dll:3704
    rundll32.exe:2904

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\I6SADY2Z\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\V8OVP1RL\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3B5D8S8L\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\RJZ2ALJ8\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\History\History.IE5\index.dat (16 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\V2ZA86OM\desktop.ini (67 bytes)
    C:\polstore.dll (103 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\History\History.IE5\desktop.ini (254 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\8VIKTY0F\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\26430000220167882842196[1].htm (34284 bytes)
    C:\Windows\System32\setie.bat (24 bytes)
    C:\winipsec.dll (32 bytes)
    C:\regset.ini (243 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\5MZ9RQ8A\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    C:\注意事项总览.txt (1 bytes)
    C:\ipseccmd.dll (106 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Temporary Internet Files\Content.IE5\41WGRA9S\desktop.ini (67 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\26430000220167882842196[1].htm (49133 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cookies\index.dat (16 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.