Mon, 03/27/2017 - 04:52

Trojan.GenericKD.4586128_74c660426e

HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.GenericKD.4586128 (B) (Emsisoft), Trojan.GenericKD.4586128 (AdAware) Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 74c660426e6ad01904cf0c4321675097

SHA1: 8c559ec0e4bd4ae1d09c7f4d835d3251d9356168

SHA256: 9db86a5816ab429b4726cd64a8c394f369d77a6db62bb1518dc806d673ffc8ff

SSDeep: 24576:EaXNVojWEdAxIHJRyiKps0TErCgxjyAdSx/qSboroFNRJaYfi:Euzoj5JgjEr/dyqSbo0cY

Size: 1454080 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: appinstall d2

Created at: 2017-03-13 05:22:53

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1792
%original file name%.exe:2176

The Trojan injects its code into the following process(es):

SearchProtocolHost.exe:1900
SearchFilterHost.exe:1780
wininit.exe:360
winlogon.exe:416
services.exe:460
lsm.exe:476
svchost.exe:580
svchost.exe:648
svchost.exe:700
svchost.exe:820
svchost.exe:860
svchost.exe:1032
SearchIndexer.exe:1100
svchost.exe:1112
spoolsv.exe:1224
svchost.exe:1260
svchost.exe:1664
wmiprvse.exe:1816
taskhost.exe:1940
taskeng.exe:2000
Dwm.exe:2008
Explorer.EXE:2024
svchost.exe:2340
conhost.exe:3904
taskhost.exe:3572

Mutexes

The following mutexes were created/opened: No objects were found.

File activity

The process %original file name%.exe:1792 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\Documents\Delay.txt (32 bytes)

The process %original file name%.exe:2176 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Roaming\Monitor\Screenshots\03-26-2017\3.35 AM (47 bytes)

The directory layout (Monitor\Screenshots\<date>\<time>) points at a screen-capture feature, but the 47-byte file written during this run is far too small to be an image, so what it holds is not established by this report. The date and time folders are generated at run time, so the exact path will differ on another host; only the Monitor\Screenshots prefix is a stable indicator.

Registry activity

The process %original file name%.exe:2176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software]
"prc" = "2176"
"auKBM NbrgFiv3UGmZkr Q==" = "BYOZMbcHdwFtgYglTiC u9sOgGxp/ZCC9VBKAcbgz8s="
"pth" = "c:\%original file name%.exe"
"6pprwpp0CBdleLjPr/lihg==" = "gHz0ziJAt86V3 qIMpS9A=="
"MTX" = "59a9161a78a3483a2edcdc3fb582650a1c3d25a6"

The values are written directly under HKCU\Software rather than under a vendor subkey. "prc" holds the PID of the second sample process (2176, see Process activity) and "pth" the path of the original file, so both are run-specific and not usable as static indicators. "MTX" is a 40-character hex string, the length of a SHA-1, although no mutex was observed during the run (see Mutexes). The two remaining value names and their data look base64-encoded (note the "=" padding); the spaces inside them are most likely "+" characters lost when the page was rendered, and the report does not decode them.

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

The Trojan installs the following user-mode hook in ntdll.dll:

ZwQuerySystemInformation

ZwQuerySystemInformation is the system call behind process enumeration (the SystemProcessInformation class used by Task Manager and similar tools). A user-mode hook on it, combined with the injection into every listed process (the core session processes wininit.exe, winlogon.exe, services.exe and lsm.exe, every svchost.exe instance and the shell, i.e. effectively everything running at the time rather than a chosen target), is the usual way to hide a process from ordinary process listings; the dump names under Strings from Dumps (e.g. SearchProtocolHost.exe_1900_rwx_0077D000_00007000) show a 0x7000-byte read-write-execute region in each of them. This is why the manual removal steps start with an anti-rootkit scan: while the hook is active the two sample PIDs may not be visible in Task Manager.
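A worked example of the check that step 1 of the manual removal relies on, added here and not taken from the report or from Lavasoft's tooling: it classifies the first bytes of an ntdll export as a clean Windows 7 SP1 x86 system-call stub or as an inline hook (jmp rel32, push/ret, jmp [slot]), resolves the hook target, and tests whether that target falls inside one of the RWX regions listed in the dumps below (labels of the form <process>_<pid>_rwx_<base>_<size>). The ntdll base address, the address of ZwQuerySystemInformation, the kernel32 range and the hook target are assumed values constructed for the demonstration; the region label is the one the report gives for SearchProtocolHost.exe (PID 1900), and 0x105 is used as the Windows 7 x86 syscall index for NtQuerySystemInformation.

```python
"""Added example, not from the report or the sandbox vendor: tell a clean
Windows 7 SP1 x86 ntdll system-call stub from an inline hook by looking at
the function's first bytes, resolve where the hook jumps, and check whether
that target lies inside one of the RWX regions the sandbox dumped (labels of
the form <process>_<pid>_rwx_<base>_<size>). Addresses, the ntdll mapping
and the hook target below are constructed for the demonstration."""
import re
import struct

# Dump labels from "Strings from Dumps", e.g. SearchProtocolHost.exe_1900_rwx_0077D000_00007000
REGION_RE = re.compile(
    r"^(?P<proc>.+?)_(?P<pid>\d+)_rwx_(?P<base>[0-9A-Fa-f]{8})_(?P<size>[0-9A-Fa-f]{8}):?$")


def parse_region_label(label):
    """Turn a dump label into integers, or None when the label has another shape."""
    m = REGION_RE.match(label.strip())
    if not m:
        return None
    return {"process": m["proc"], "pid": int(m["pid"]),
            "base": int(m["base"], 16), "size": int(m["size"], 16)}


def classify_prologue(code, func_va):
    """Classify the first bytes of an export located at virtual address func_va."""
    if len(code) >= 5 and code[0] == 0xE9:                       # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return {"kind": "jmp_rel32", "target": (func_va + 5 + rel) & 0xFFFFFFFF}
    if len(code) >= 6 and code[:2] == b"\xff\x25":                # jmp dword ptr [slot]
        return {"kind": "jmp_indirect", "slot": struct.unpack_from("<I", code, 2)[0], "target": None}
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:   # push imm32 ; ret
        return {"kind": "push_ret", "target": struct.unpack_from("<I", code, 1)[0]}
    # Unhooked Win7 SP1 x86 stub: mov eax, <index> ; mov edx, 7FFE0300h ; call [edx] ; ret imm16
    if len(code) >= 10 and code[0] == 0xB8 and code[5:10] == b"\xba\x00\x03\xfe\x7f":
        return {"kind": "clean_syscall_stub", "syscall": struct.unpack_from("<I", code, 1)[0],
                "target": None}
    return {"kind": "unknown", "target": None}


def locate(addr, modules, regions):
    """Name the loaded module or dumped RWX region that contains addr."""
    for name, base, size in modules:
        if base <= addr < base + size:
            return "module " + name
    for r in regions:
        if r["base"] <= addr < r["base"] + r["size"]:
            return "private RWX region %s_%d @0x%08X" % (r["process"], r["pid"], r["base"])
    return "unmapped/unknown memory"


def audit(code, func_va, modules, regions):
    """One-line verdict for an export's prologue."""
    info = classify_prologue(code, func_va)
    if info["kind"] == "clean_syscall_stub":
        return "clean (syscall 0x%X)" % info["syscall"]
    if info.get("target") is None:
        return "suspicious prologue: " + info["kind"]
    return "hooked (%s) -> %s" % (info["kind"], locate(info["target"], modules, regions))


# --- Constructed sample data (assumed addresses; only the region label is from the report) ---
NTDLL_BASE, NTDLL_SIZE = 0x77A10000, 0x00180000
ZWQSI_VA = NTDLL_BASE + 0x1F0A0                  # assumed address of ZwQuerySystemInformation
MODULES = [("ntdll.dll", NTDLL_BASE, NTDLL_SIZE), ("kernel32.dll", 0x75E60000, 0x000D5000)]
REGIONS = [parse_region_label("SearchProtocolHost.exe_1900_rwx_0077D000_00007000:")]
# mov eax,105h ; mov edx,7FFE0300h ; call [edx] ; ret 10h  (0x105: Win7 x86 NtQuerySystemInformation)
CLEAN_STUB = b"\xb8\x05\x01\x00\x00\xba\x00\x03\xfe\x7f\xff\x12\xc2\x10\x00"
HOOK_TARGET = 0x0077D120                          # inside the dumped 0x7000-byte region
HOOKED_STUB = b"\xe9" + struct.pack("<i", HOOK_TARGET - (ZWQSI_VA + 5)) + CLEAN_STUB[5:]

if __name__ == "__main__":
    print(audit(CLEAN_STUB, ZWQSI_VA, MODULES, REGIONS))
    print(audit(HOOKED_STUB, ZWQSI_VA, MODULES, REGIONS))
```

On a live host the `code` bytes would come from ReadProcessMemory on ntdll!ZwQuerySystemInformation in each of the listed PIDs, compared against the same export in the on-disk ntdll.dll. The prologue check only catches inline hooks at the function entry, not IAT/EAT patching or a detour placed deeper in the function, so read "clean" as "no entry-point hook".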

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Scan the system with an anti-rootkit tool (the ZwQuerySystemInformation hook listed under Rootkit activity can hide the sample's processes from ordinary process listings, so a plain Task Manager view is not sufficient).
  2. Terminate the malicious process(es) (How to End a Process With the Task Manager). The PIDs below are from the sandbox run and will differ on another machine; identify the processes by image name and path instead:

    %original file name%.exe:1792
    %original file name%.exe:2176

  3. Delete the original Trojan file.
  4. Delete or disinfect the following files created/modified by the Trojan:

    C:\Users\"%CurrentUserName%"\Documents\Delay.txt (32 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Roaming\Monitor\Screenshots\03-26-2017\3.35 AM (47 bytes)

    Also remove the values the sample wrote directly under HKCU\Software (prc, pth, MTX and the two base64-named values listed under Registry activity).

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  6. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Pantaray Research Ltd.
Product Name: Diagnostic HUB
Product Version: 12.0.0.0
Legal Copyright: Copyright (C) 2002-2017
Legal Trademarks:
Original Filename: Project1.exe
Internal Name:
File Version: 12.0.0.5
File Description: Diagnostic HUB
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   8192             1451140       1451520   4.39925   8d7f1f1ed29fe6c9000fec4d8730ec68
.rsrc   1466368          1536          1536      2.75144   49849b48188e9f40acc0e6260275ca29
.reloc  1474560          12            512       0.070639  8607f77b215816cfa92bb1b9a31350e3

Addresses and sizes are decimal (8192 = 0x2000, 1466368 = 0x166000, 1474560 = 0x168000). The 0x2000 section alignment, the 12-byte .reloc section and the 4.4 bits/byte .text entropy are what a compiler-built .NET executable normally looks like, consistent with the NETexecutable PEID result and the "Not Packed" verdict above.
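How a PE Sections table like the one above is computed, as an added example rather than the analysis system's own code: the script parses the section headers of a PE32/PE32+ file, recomputes virtual address, virtual size, raw size, Shannon entropy and MD5 of each section's raw bytes, and reports whether data directory 14 (the CLR header) is populated, which is the check behind a NETexecutable verdict. The sample PE it runs on is constructed inline with invented layout values (two sections, a made-up CLR directory entry) so that it works offline; to check this sample, pass the real file's bytes to pe_sections().

```python
"""Added example, not the Lavasoft tool's own code: recompute the "PE Sections"
table (virtual address, virtual size, raw size, Shannon entropy, MD5 of the raw
section bytes) from a PE file, and check for a CLR header, the .NET marker that
PEiD reports as NETexecutable. Uses only the standard library. The sample PE is
constructed inline so the script runs offline; its layout values are invented."""
import hashlib
import math
import struct


def shannon_entropy(data):
    """Bits per byte: 0.0 for empty or constant data, up to 8.0 for uniform data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


def md5_hex(data):
    return hashlib.md5(data).hexdigest()


def pe_sections(image):
    """Parse the section table of a PE32/PE32+ image held in memory as bytes.

    Returns (rows, is_dotnet): one dict per section, and whether data
    directory 14 (the CLR/COM descriptor) is populated."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    nsect = struct.unpack_from("<H", image, coff + 2)[0]
    opt_size = struct.unpack_from("<H", image, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER
    magic = struct.unpack_from("<H", image, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # data directories: PE32 vs PE32+
    n_dirs = struct.unpack_from("<I", image, dirs - 4)[0]  # NumberOfRvaAndSizes
    clr_rva = struct.unpack_from("<I", image, dirs + 14 * 8)[0] if n_dirs > 14 else 0
    rows = []
    for i in range(nsect):
        hdr = opt + opt_size + i * 40                     # IMAGE_SECTION_HEADER
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, hdr)
        raw = image[rawptr:rawptr + rawsize]
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "va": va, "vsize": vsize, "rawsize": rawsize,
            "entropy": shannon_entropy(raw), "md5": md5_hex(raw),
        })
    return rows, clr_rva != 0


def format_table(rows):
    """Render rows in the same column order as the report's PE Sections table."""
    lines = ["Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5"]
    for r in rows:
        lines.append("%-7s %-16d %-13d %-9d %-9.6g %s" % (
            r["name"], r["va"], r["vsize"], r["rawsize"], r["entropy"], r["md5"]))
    return lines


def build_sample_pe():
    """Constructed two-section PE32 with a CLR data directory; all values are illustrative."""
    file_align, sect_align = 0x200, 0x1000
    text = bytes(range(256)) * 2                           # every byte value twice: entropy 8.0
    rsrc = b"\0" * 500 + b"RSRC"                           # almost all zeros: entropy near 0
    sections = [(b".text", text, 0x1000), (b".rsrc", rsrc, 0x2000)]
    opt = bytearray(224)                                   # PE32 optional header, 16 directories
    struct.pack_into("<H", opt, 0, 0x10B)                  # PE32 magic
    struct.pack_into("<I", opt, 32, sect_align)
    struct.pack_into("<I", opt, 36, file_align)
    struct.pack_into("<I", opt, 92, 16)                    # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 72)  # CLR header RVA/size (made up)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x0102)
    headers_size = 0x200
    sect_hdrs, body, raw_ptr = b"", b"", headers_size
    for name, data, va in sections:
        padded = data + b"\0" * (-len(data) % file_align)
        sect_hdrs += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), len(data), va,
                                 len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        raw_ptr += len(padded)
        body += padded
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                # e_lfanew
    headers = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + sect_hdrs
    return headers + b"\0" * (headers_size - len(headers)) + body


if __name__ == "__main__":
    rows, dotnet = pe_sections(build_sample_pe())
    print("\n".join(format_table(rows)))
    print("CLR header present:", dotnet)
```

Per-section hashes are useful for clustering: a rebuilt or repacked binary changes .text, while the .rsrc hash often survives across variants, and the section entropies show where packed or encrypted payloads sit.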

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
dns.msftncsi.com (no IP recorded)
time.windows.com (no IP recorded)

Both hosts are contacted by Windows itself (dns.msftncsi.com by the Network Connectivity Status Indicator, time.windows.com by the Windows Time service), so neither is an indicator for this sample; no sample-specific network traffic, IDS alert or server location was recorded in this run.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the following location(s):

Strings from Dumps

The first two dumps (SearchProtocolHost.exe_1900 and SearchFilterHost.exe_1780) are whole-process dumps; their strings (mssearch2 source paths, SearchProtocolHost.pdb, Windows Search registry keys, version 7.00.7601.17610) belong to the legitimate Windows Search host binaries, not to the injected code. The dumps named <process>_<pid>_rwx_<base>_<size> are the 0x7000-byte read-write-execute regions found in each injected process; their string content is the same in every process (mscoree.dll, kernel32.dll, USER32.DLL and the Microsoft Visual C runtime start-up messages, plus in some cases the host's own image path) and is the part worth comparing across hosts.

SearchProtocolHost.exe_1900:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
MSSHooks.dll
IMM32.dll
SHLWAPI.dll
SrchCollatorCatalogInfo
SrchDSSLogin
SrchDSSPortManager
SrchPHHttp
SrchIndexerQuery
SrchIndexerProperties
SrchIndexerPlugin
SrchIndexerClient
SrchIndexerSchema
Msidle.dll
Failed to get REGKEY_FLTRDMN_MS_TO_IDLE, using default
pfps->psProperty.ulKind is LPWSTR but psProperty.lpwstr is NULL or empty
d:\win7sp1_gdr\enduser\mssearch2\common\utils\crchash.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrdmn\fltrdaemon.cxx
d:\win7sp1_gdr\enduser\mssearch2\search\common\include\secutil.hxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracerhelpers.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
0xx=
%s(%d)
tid="0x%x"
pid="0x%x"
tagname="%s"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%s"
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
SHELL32.dll
PROPSYS.dll
ntdll.dll
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
MsgWaitForMultipleObjects
SearchProtocolHost.pdb
2 2(20282|2
4%5S5
Software\Microsoft\Windows Search
https
kernel32.dll
msTracer.dll
msfte.dll
lX-X-X-XX-XXXXXX
SOFTWARE\Microsoft\Windows Search
tquery.dll
%s\%s
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
0xx%p%S%d
advapi32.dll
WAPI-MS-Win-Core-LocalRegistry-L1-1-0.dll
winhttp.dll
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
%S(%d)
tagname="%S"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
Microsoft Windows Search Protocol Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchProtocolHost.exe
Windows
7.00.7601.17610

SearchProtocolHost.exe_1900_rwx_0077D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

SearchFilterHost.exe_1780:

.text
`.data
.rsrc
@.reloc
ADVAPI32.dll
ntdll.DLL
KERNEL32.dll
msvcrt.dll
USER32.dll
ole32.dll
OLEAUT32.dll
TQUERY.DLL
IMM32.dll
MSSHooks.dll
mscoree.dll
SHLWAPI.dll
d:\win7sp1_gdr\enduser\mssearch2\search\search\gather\fltrhost\bufstm.cxx
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\mutex.cpp
RegDeleteKeyW
RegDeleteKeyExW
8%uiP
d:\win7sp1_gdr\enduser\mssearch2\common\include\srchxcpt.hxx
Invalid parameter passed to C runtime function.
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracersecutil.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.cpp
-d-d-d-d-d-d-d-%d
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\tracmain.h
d:\win7sp1_gdr\enduser\mssearch2\common\tracer\sysimprs.cxx
RegCloseKey
RegCreateKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegEnumKeyExW
ReportEventW
_amsg_exit
SearchFilterHost.pdb
version="5.1.0.0"
name="Microsoft.Windows.Search.MSSFH"
3 3(30383|3
kernel32.dll
Software\Microsoft\Windows Search
SOFTWARE\Microsoft\Windows Search
HKEY_CLASSES_ROOT
HKEY_CURRENT_USER
HKEY_LOCAL_MACHINE
HKEY_USERS
HKEY_PERFORMANCE_DATA
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
Windows Search Service
tquery.dll
advapi32.dll
API-MS-Win-Core-LocalRegistry-L1-1-0.dll
0xx%p%S%d
Software\Microsoft\Windows Search\Tracing
Software\Microsoft\Windows Search\Tracing\EventThrottleLastReported
Software\Microsoft\Windows Search\Tracing\EventThrottleState
0xx=
%S(%d)
tid="0x%x"
pid="0x%x"
tagname="%S"
tagid="0x%x"
el="0x%x"
time="d/d/d d:d:d.d"
logname="%S"
Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11CF-8B85-00AA005B4383}
.\%s.mui
.\%s\%s.mui
%s\%s.mui
%s\%s\%s.mui
%s\%s
winhttp.dll
Microsoft Windows Search Filter Host
7.00.7601.17610 (win7sp1_gdr.110503-1502)
SearchFilterHost.exe
Windows
7.00.7601.17610

SearchFilterHost.exe_1780_rwx_0067D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

wininit.exe_360_rwx_0027D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

winlogon.exe_416_rwx_0053D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\winlogon.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

services.exe_460_rwx_0008D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

lsm.exe_476_rwx_0024D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_580_rwx_001CD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_648_rwx_0017D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_700_rwx_002ED000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
.ja-JP
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_820_rwx_0015D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_860_rwx_005BD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1032_rwx_0009D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

SearchIndexer.exe_1100_rwx_00E0D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1112_rwx_00DBD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

spoolsv.exe_1224_rwx_006CD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1260_rwx_003AD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_1664_rwx_001ED000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

wmiprvse.exe_1816_rwx_0021D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

taskhost.exe_1940_rwx_0037D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\taskhost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

taskeng.exe_2000_rwx_002DD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

Dwm.exe_2008_rwx_004CD000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\Dwm.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

Explorer.EXE_2024_rwx_02D6D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\Explorer.EXE
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

svchost.exe_2340_rwx_0014D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

conhost.exe_3904_rwx_0010D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
C:\Windows\system32\conhost.exe
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL

taskhost.exe_3572_rwx_0062D000_00007000:

Bv.SCv
GetProcessWindowStation
ADVAPI32.dll
RegOpenKeyExW
RegCloseKey
ntdll.dll
KERNEL32.dll
GetProcessHeap
GetCPInfo
zcÁ
mscoree.dll
kernel32.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL