
Log analysis and evaluation: Detekt found five! Trojans, virus scanners with no findings so far. What to do?

Windows 7 If you have caught a trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and trojans, the infected system must first be examined: First steps to getting help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

21.11.2014, 23:36   #1
derdingens
 
Detekt found five! Trojans, virus scanners with no findings so far. What to do?



Hello,
Today I ran Detekt from the Electronic Frontier Foundation over my system, and it found five RATs. All RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far.

Detekt advises never going online with this PC again.

Are there alternatives to that? What to do?

Many thanks,

DerDingens


The logs:
1. Addition.txt
2. detekt.log
3. FRST.txt
4. gmer.log

22.11.2014, 08:46   #2
schrauber
/// the machine
/// TB trainer
 

Detekt found five! Trojans, virus scanners with no findings so far. What to do?



Hi,

Please always post logs directly in the thread. If necessary, split them up and use several posts.
I can't open attachments at work, thanks.

This is how it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
  • Select the entire log file (usually CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is fine ... click Reply.

22.11.2014, 11:41   #3
derdingens
 
What to do? Detekt found five! Trojans, virus scanners with no findings so far.



Hello,
Today I ran Detekt from the Electronic Frontier Foundation over my system, and it found five RATs. All RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far.

Detekt advises never going online with this PC again.

Are there alternatives to that? What to do?

Many thanks,

DerDingens


The logs:
1. Addition.txt
2. detekt.log
3. FRST.txt
4. gmer.log

22.11.2014, 12:05   #4
schrauber
/// the machine
/// TB trainer
 

Detekt found five! Trojans, virus scanners with no findings so far. What to do?



Hi,

Please always post logs directly in the thread. If necessary, split them up and use several posts.
I can't open attachments at work, thanks.

This is how it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
  • Select the entire log file (usually CTRL+A) and copy it to the clipboard with CTRL+C.
  • Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
  • Place the cursor between the CODE tags and press CTRL+V.
  • Click Advanced/Preview to check whether you did it correctly. If everything is fine ... click Reply.
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009

No help via PM!

22.11.2014, 13:52   #5
derdingens
 
What to do? Detekt found five! Trojans, virus scanners with no findings so far.



Hello,
Today I ran Detekt from the Electronic Frontier Foundation over my system, and it found five RATs. All RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far.

Detekt advises never going online with this PC again.

Are there alternatives to that? What to do?

Many thanks,

DerDingens

Addition.txt
Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20-11-2014
Ran by hcxxx at 2014-11-21 17:30:59
Running from G:\
Boot Mode: Normal
==========================================================


==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AAVUpdateManager (HKLM\...\{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}) (Version: 18.00.0000 - Wolters Kluwer Deutschland GmbH)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) - Deutsch (HKLM\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
AllDup 3.0.0 (HKLM\...\AllDup_is1) (Version: 3.0.0 - Michael Thummerer Software Design)
Amazon Kindle For PC v1.0 (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Amazon Kindle For PC) (Version:  - )
Amazon MP3-Downloader 1.0.9 (HKLM\...\Amazon MP3-Downloader) (Version:  - )
AMD Catalyst Install Manager (HKLM\...\{0BD03BF6-3A66-EC7F-5155-28A8D6C69409}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft TotalMedia 3 (HKLM\...\{268CF0B8-CA38-4E20-9E99-514A07F7C1F1}) (Version:  - ArcSoft)
ASUSUpdate (HKLM\...\{587178E7-B1DF-494E-9838-FA4DD36E873C}) (Version:  - )
ATI AVIVO Codecs (Version: 10.0.0.40103 - ATI Technologies Inc.) Hidden
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version:  - )
Avira (HKLM\...\{9480d4af-12b9-4e56-8034-4031ef6ab39d}) (Version: 1.1.25.25607 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.25.25607 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM\...\Avira AntiVir Desktop) (Version: 14.0.7.342 - Avira)
AviSynth 2.5 (HKLM\...\AviSynth) (Version:  - )
AVStoDVD 2.1.4 (HKLM\...\AVStoDVD) (Version: 2.1.4 - MrC)
bcTester 4.8 (de) (HKLM\...\{DCA0A35D-30F1-4ED0-971F-5FFD2F60BB08}) (Version: 1.0.0 - QS QualitySoft GmbH)
bcWebCam (HKLM\...\{2C2943D2-61CB-4F91-A3DA-A50FA1E93F54}) (Version: 1.0.0 - QS QualitySoft GmbH)
Belkin 54Mbps Wireless Network Adapter (HKLM\...\{F3759A9F-7AFA-4FB4-8DF1-53F26B979DEE}) (Version: 1.00.01 - Belkin)
Benutzerhandbuch anzeigen (HKLM\...\View User Guide) (Version: 3.60.02.0 - )
Biet-O-Matic v2.12.6 (HKLM\...\Biet-O-Matic v2.12.6) (Version: Biet-O-Matic v2.12.6 - BOM Development Team)
Bing Maps 3D (HKLM\...\{2D87E961-577B-492B-AD54-1368680FB9A7}) (Version: 4.0.903.16005 - Microsoft Corporation)
BlackBerry Link (HKLM\...\BlackBerry_10_Desktop) (Version: 1.2.3.48 - BlackBerry Ltd.)
BlackBerry Link (Version: 1.2.3.48 - BlackBerry Ltd.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
BP MANAGER 6.0 (HKLM\...\{360A4222-B9D2-4B7B-B240-F967289F65D9}) (Version: 1.0.0 - Physio logic)
BufferChm (Version: 130.0.331.000 - Hewlett-Packard) Hidden
calibre (HKLM\...\{0C1A656B-4449-49CB-A1B3-6A8C0986B342}) (Version: 0.6.30 - Kovid Goyal)
Cardiris (Version: 3.01.001 - Ihr Firmenname) Hidden
Cardiris 3.0 LE (HKLM\...\InstallShield_{0143D544-04A4-11D8-944E-000475727249}) (Version: 3.01.001 - Ihr Firmenname)
CCleaner (HKLM\...\CCleaner) (Version: 3.02 - Piriform)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.4852 - CDBurnerXP)
Chipcard master 5.65 (HKLM\...\Chipcard master_is1) (Version:  - Dr. Olaf Jacobsen)
Chipcardmaster 7.05 (HKLM\...\Chipcardmaster_is1) (Version:  - Dr. Olaf Jacobsen)
Citavi (HKLM\...\{E12C6653-1FF0-4686-ADB8-589C13AE761F}) (Version: 3.2.0.0 - Swiss Academic Software)
Cold Turkey version 0.7 (HKLM\...\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1) (Version: 0.7 - Felix Belzile)
Common Desktop Agent (Version: 1.62.0 - OEM) Hidden
Cool & Quiet (HKLM\...\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}) (Version:  - )
CPUID CPU-Z 1.69.2 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (Version: 140.0.77.000 - Hewlett-Packard) Hidden
Deutsche Post E-Porto (HKLM\...\{5CCF8330-F742-411A-8A04-719806D168B5}) (Version: 2.3.0 - Deutsche Post AG)
DeviceManagementQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DHTML Editing Component (HKLM\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
DocProc (Version: 13.0.0.0 - Hewlett-Packard) Hidden
DocProcQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Dropbox (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Dropbox) (Version: 2.10.30 - Dropbox, Inc.)
Drv (HKLM\...\{DA71A94B-3617-4935-8BBE-1566B2174C95}) (Version: 1.00.0000 - My Company Name)
DVDFab 6.2.1.8 (31/12/2009) (HKLM\...\DVDFab 6_is1) (Version:  - Fengtao Software Inc.)
DVR-MS Converter (HKLM\...\DVR-MS Converter) (Version: 2.6.1 - Dvrsoft)
DVRMSToolbox (HKLM\...\{E7ECD072-02DF-4F24-B5C9-7928A2867B14}) (Version: 1.2.1 - babgvant.com)
Easy ShutDown 3.4 (HKLM\...\Easy ShutDown_is1) (Version:  - EasyShutDown.com)
Easy2Sync für Outlook 3.xx (HKLM\...\{EF702322-B623-4B6A-B41D-411725582043}_is1) (Version:  - ITSTH)
eSupportQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Felix zweite wundersame Reise (HKLM\...\Felix zweite wundersame Reise) (Version:  - )
Flickroom (HKLM\...\Flickroom.7A385545159204287F941528E627F38AD4ECB7C0.1) (Version: v0.60 - Ashu Mittal)
Flickroom (Version: 0.60 - Ashu Mittal) Hidden
Foxit PDF IFilter (HKLM\...\{74E78471-E122-4101-8744-CEB6C5C027A0}) (Version: 2.0.0.519 - Foxit Software)
Foxit Reader (HKLM\...\Foxit Reader) (Version:  - )
Free Countdown Timer 2.7.1 (HKLM\...\{404245D0-E836-4737-9C12-D4D0034540F5}_is1) (Version: 2.7 - Comfort Software Group)
Free FLV Converter V 7.1.0 (HKLM\...\Free FLV Converter_is1) (Version: 7.1.0.0 - Koyote Soft)
Free Stopwatch 2.5.0 (HKLM\...\{A1FAC1AF-5615-47FE-B5C8-5E981EC8522B}_is1) (Version: 2.5 - Comfort Software Group)
Free YouTube Download version 2.10.31 (HKLM\...\Free YouTube Download_is1) (Version:  - DVDVideoSoft Limited.)
FreeMind (HKLM\...\B991B020-2968-11D8-AF23-444553540000_is1) (Version: 0.8.1 - )
FreeOCR 3.0 (HKLM\...\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}) (Version: 3.0 - Free OCR)
GemPC430 (HKLM\...\{DFD0B53C-7948-4091-82C2-3270A39EE2AC}) (Version: 1.0.0 - Gemplus)
GemPcCCID (HKLM\...\{8BD3AFAF-636E-4516-A7E8-D57CCDBE28B8}) (Version: 2.0.1 - Gemalto)
GIMP 2.6.11 (HKLM\...\WinGimp-2.0_is1) (Version: 2.6.11 - The GIMP Team)
GnuWin32: Bzip2-1.0.5 (HKLM\...\Bzip2-1.0.5_is1) (Version: 1.0.5 - GnuWin32)
GnuWin32: Wget-1.11.4-1 (HKLM\...\Wget-1.11.4-1_is1) (Version: 1.11.4-1 - GnuWin32)
Google Chrome (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Drive (HKLM\...\{C60F3836-333A-4AE2-B526-CFDBA143A9BA}) (Version: 1.18.7821.2489 - Google, Inc.)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Talk Plugin (HKLM\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
GPBaseService2 (Version: 130.0.371.000 - Hewlett-Packard) Hidden
Gpg4win (2.1.1-34299-beta) (HKLM\...\GPG4Win) (Version: 2.1.1-34299-beta - The Gpg4win Project)
GPL Ghostscript (HKLM\...\GPL Ghostscript 9.04) (Version: 9.04 - Artifex Software Inc.)
HP Imaging Device Functions 13.0 (HKLM\...\HP Imaging Device Functions) (Version: 13.0 - HP)
HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP)
HP Photosmart Essential 3.5 (HKLM\...\HP Photosmart Essential) (Version: 3.5 - HP)
HP Scanjet G3010 (HKLM\...\{E2A59F15-F731-4062-9BB7-3C99D8F15756}) (Version: 13.0 - HP)
HP Scanjet G3010 and 4370 9.0 (HKLM\...\{696A666D-7CB6-40f6-B394-BD3EEDAA2B99}) (Version: 9.0 - HP)
HP Solution Center 13.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 13.0 - HP)
HP Update (HKLM\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
hpg3010 (Version: 13.0.0.0 - Ihr Firmenname) Hidden
hpg3010QFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
HPPhotosmartEssential (Version: 2.04.0000 - Hewlett-Packard) Hidden
HPProductAssistant (Version: 130.0.371.000 - Hewlett-Packard) Hidden
HydraVision (Version: 4.2.92.0 - ATI Technologies Inc.) Hidden
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.0.0 - LIGHTNING UK!)
Inkscape 0.47 (HKLM\...\Inkscape) (Version: 0.47 - )
inSSIDer (HKLM\...\{C7DEE429-4C9B-4126-894F-50B4F54FF196}) (Version: 1.2.8 - MetaGeek, LLC)
iPhone-Konfigurationsprogramm (HKLM\...\{B90FCEB7-2B0C-4D27-95B5-54238DF059ED}) (Version: 3.6.2.300 - Apple Inc.)
IPWizard (HKLM\...\{6C71E42B-7D26-4638-8EC4-364E9E881747}) (Version: 2.0.2.0 - A-MTK)
iTunes (HKLM\...\{F32DC846-4457-40A8-BECA-BCC0E960BC53}) (Version: 11.4.0.18 - Apple Inc.)
JDownloader (HKLM\...\JDownloader) (Version: 0.89 - AppWork UG (haftungsbeschränkt))
Juniper Networks Network Connect 7.1.0 (HKLM\...\Juniper Network Connect 7.1.0) (Version: 7.1.0.19243 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Juniper_Setup_Client) (Version: 7.1.4.13103 - Juniper Networks, Inc.)
Juniper Networks, Inc. Setup Client Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
KeyboardTest V3.0 (HKLM\...\KeyboardTest_is1) (Version:  - PassMark Software)
Kindle Auto eBook Converter 0.4.50 (HKLM\...\Kindle Auto eBook Converter) (Version: 0.4.50 - The Messenger)
LG United Mobile Driver (HKLM\...\{2A3A4BD6-6CE0-4e2a-80D2-1D0FF6ACBFBA}) (Version: 3.10.1.0 - LG Electronics)
Logitech Media Server 7.7.4 (HKLM\...\Logitech Media Server_is1) (Version: 7.7.4 - Logitech)
Luka (HKLM\...\Luka) (Version:  - )
Magical Jelly Bean KeyFinder (HKLM\...\KeyFinder_is1) (Version: 2.0.10.9 - Magical Jelly Bean)
maxdome - Online Videothek Version 3.0.0 (HKLM\...\maxdome - Online Videothek_is1) (Version:  - maxdome)
MB-Ruler (HKLM\...\{7363206E-C7BD-45CD-89A0-792B28409811}_is1) (Version: 5.1 - Markus Bader)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
MD 86097 W-LAN USB Remote Hub (HKLM\...\{C4F43749-7088-40E2-83BE-039E68FE1BBC}) (Version: 1.02.0000 - Medion)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Compact Framework 3.5 (HKLM\...\{72CCBEA1-8D57-4981-A337-81019F28C5BA}) (Version: 3.5.7283 - Microsoft Corporation)
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU (HKLM\...\Microsoft .NET Framework 3.5 Language Pack SP1 - deu) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Baseline Security Analyzer 2.2 (HKLM\...\{13CD417D-F1F1-4AC4-945D-FDDEB884756F}) (Version: 2.2.2170 - Microsoft Corporation)
Microsoft Flight Simulator X (HKLM\...\InstallShield_{F535B2CF-C9BB-4162-B03A-02D6971F32CC}) (Version: 10.0.60905 - Microsoft Game Studios)
Microsoft IntelliPoint 7.0 (HKLM\...\{EF71A531-5B6C-4B20-8D1E-E6379C7FB6D3}) (Version: 7.0.260.0 - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM\...\{95140000-0081-0407-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Ultimate 2007 (HKLM\...\ULTIMATER) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\OneDriveSetup.exe) (Version: 17.3.1229.0918 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 ENU (HKLM\...\{3A9FC03D-C685-4831-94CF-4EDFD3749497}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x86) ENU  (HKLM\...\{FF63121D-91C6-42CC-B341-F1AA729728E7}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x86) ENU  (HKLM\...\{D3A80508-CD83-4CA3-8671-914A1BC78B61}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}) (Version: 8.0.58299 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Mobile Partner (HKLM\...\Mobile Partner) (Version: 11.302.09.01.528 - Huawei Technologies Co.,Ltd)
Mozilla Firefox 33.1 (x86 de) (HKLM\...\Mozilla Firefox 33.1 (x86 de)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 32.0 - Mozilla)
Mpeg2Decoder 1.3 (HKLM\...\Mpeg2Decoder_is1) (Version:  - DeskShare)
mpowerplayer (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\mpowerplayer) (Version:  - mpowerplayer inc.)
MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MyFreeCodec (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\MyFreeCodec) (Version:  - )
MyPhoneExplorer (HKLM\...\MPE) (Version: 1.8.6 - F.J. Wechselberger)
NEC Electronics USB 3.0 Host Controller Driver (HKLM\...\InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}) (Version: 1.0.18.0 - NEC Electronics Corporation)
NEC Electronics USB 3.0 Host Controller Driver (Version: 1.0.18.0 - NEC Electronics Corporation) Hidden
NEF Codec (HKLM\...\{A89768CF-CD21-44FD-A723-16D5A8557415}) (Version: 1.00.0000 - Nikon)
NETGEAR XAV101 Configuration Utility (Version: 2.0.0.7 - NETGEAR Inc.) Hidden
NETGEAR XAV101-Konfigurationsprogramm (HKLM\...\InstallShield_{BB3194A0-B33D-45DB-B386-94C458292FC6}) (Version: 2.0.0.7 - NETGEAR Inc.)
Nikon Message Center (HKLM\...\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}) (Version: 0.92.000 - Nikon)
Nikon View 6 (HKLM\...\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}) (Version:  - )
NirSoft BlueScreenView (HKLM\...\NirSoft BlueScreenView) (Version:  - )
OCR Software by I.R.I.S. 13.0 (HKLM\...\HPOCR) (Version: 13.0 - HP)
Office-Bibliothek (HKLM\...\{5C81B189-5456-40C4-9313-7FE6FA6DD64C}) (Version: 5.00.4 - Bibliographisches Institut & F.A. Brockhaus AG)
OpenOffice.org 3.4.1 (HKLM\...\{2303AEEA-0FA8-4AFD-80A9-8F86BA4B44D2}) (Version: 3.41.9593 - Apache Software Foundation)
OpenSSL 1.0.1e Light (32-bit) (HKLM\...\OpenSSL Light (32-bit)_is1) (Version:  - OpenSSL Win32 Installer Team)
Oracle VM VirtualBox 4.1.8 (HKLM\...\{611E3800-CE31-4953-8AD4-5657B6EE7ACF}) (Version: 4.1.8 - Oracle Corporation)
Outlook Tools (HKLM\...\{A3D5974C-59EC-486C-8654-20339CBDE698}) (Version: 3.15.0001 - Andreas Schultz Software)
Paint.NET v3.5.8 (HKLM\...\{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}) (Version: 3.58.0 - dotPDN LLC)
PanoStandAlone (Version: 90.0.146.000 - Hewlett-Packard) Hidden
Parrot Audio Suite (HKLM\...\Parrot Audio Suite) (Version:  - )
Parrot Software Update Tool (HKLM\...\Parrot Flash Update Wizard) (Version:  - )
PC Inspector File Recovery (HKLM\...\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}) (Version: 4.0 - )
PDF Blender (HKLM\...\PDF Blender) (Version:  - )
Pdf Editor (HKLM\...\{729E66B3-1B80-4F3F-8D29-342A89631E0A}_is1) (Version:  - )
PDF24 Creator 6.1.0 (HKLM\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version:  - PDF24.org)
PhonerLite 1.95 (HKLM\...\PhonerLite_is1) (Version: 1.95 - sipgate GmbH)
Photo Scanner (HKLM\...\{FD0CE525-C8BA-4DF4-927F-C7F8ED66E35F}) (Version: 2.2.2 - Trundicho)
PHOTOfunSTUDIO 5.0 HD Edition (HKLM\...\{959282E3-55A9-49D8-B885-D27CF8A2FD82}) (Version: 5.00.319 - Panasonic Corporation)
Physio Logic BP Manager (HKLM\...\Physio Logic BP Manager) (Version:  - )
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Picture Control Utility (HKLM\...\{87441A59-5E64-4096-A170-14EFE67200C3}) (Version: 1.1.5 - Nikon)
Picture2avi uninstaller (HKLM\...\Picture2avi_is1) (Version: 3.3.0.0 - picture2avi.com)
Planet CamViewer Lite 1.0.3 (HKLM\...\{894E8982-4032-4FAD-8A4A-AD4E4089B22A}) (Version: 1.0.3 - Planet)
PLANET IP Wizard II 3.0.0.6043 (HKLM\...\{45E990DB-ECDC-4D27-B1C3-21DD124F7DF3}_is1) (Version:  - PLANET Technology Corporation.)
Python 2.6 (HKLM\...\{110EB5C4-E995-4CFB-AB80-A5F315BEA9E8}) (Version: 2.6.150 - Python Software Foundation)
QRCode (HKLM\...\{4D13D187-BA0B-4319-B8FE-7C3613E73278}) (Version: 2.10.0 - TouchUpSoft)
QuickMark (HKLM\...\{53B0213C-CC0C-4340-90BF-BFC7D3FE5BB4}) (Version: 3.8.0 - SimpleAct)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Readiris Pro 11 (HKLM\...\{E9E9734C-2EE2-4381-ACCA-AC9B8D372DCC}) (Version: 11.00.5295 - I.R.I.S.)
RealDownloader (Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM\...\RealPlayer 16.0) (Version: 16.0.3 - RealNetworks)
REALTEK DTV USB DEVICE (HKLM\...\{DDBB7C89-1A09-441E-AA0F-6AA465755C17}) (Version: 1.00.0000 - Realtek)
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
RssBandit (HKLM\...\{3CBE6C15-21D4-4F88-AB52-72446A6C6429}) (Version: 1.9.1003 - rssbandit.org)
Samsung CLP-300 Series (HKLM\...\Samsung CLP-300 Series) (Version:  - Samsung Electronics CO.,LTD)
Samsung CLP-360 Series (HKLM\...\Samsung CLP-360 Series) (Version: 1.12 (05.12.2013) - Samsung Electronics Co., Ltd.)
Samsung Easy Printer Manager (HKLM\...\Samsung Easy Printer Manager) (Version: 1.03.17.00(12.04.2013) - Samsung Electronics Co., Ltd.)
Samsung Kies (HKLM\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.0.2.11071_128 - Samsung Electronics Co., Ltd.)
Samsung Kies (Version: 2.0.2.11071_128 - Samsung Electronics Co., Ltd.) Hidden
Samsung Printer Live Update (HKLM\...\Samsung Printer Live Update) (Version: 1.01.00:04(2013-04-22) - Samsung Electronics Co., Ltd.)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.18.0 - SAMSUNG Electronics Co., Ltd.)
Scan (Version: 140.0.80.000 - Hewlett-Packard) Hidden
ScannerCopy (Version: 9.0.0.0 - Hewlett-Packard) Hidden
SDFormatter (HKLM\...\{A5355F15-F98B-4704-9BAE-E53B9FE48F48}) (Version: 3.1.0 - SD Association)
SecureW2 EAP Suite 1.1.3 for Windows (HKLM\...\SecureW2 EAP Suite) (Version:  - )
Segoe UI (Version: 15.4.2271.0615 - Microsoft Corp) Hidden
SILKYPIX Developer Studio 3.1 SE (HKLM\...\InstallShield_{0A04086B-0B71-43C3-95EF-FDFC4C18D161}) (Version: 3 - Ichikawa Soft Laboratory)
SILKYPIX Developer Studio 3.1 SE (Version: 3 - Ichikawa Soft Laboratory) Hidden
sipgate Faxdrucker (HKLM\...\{3C4AFFF7-968F-4912-BF73-46774C8E4D15}) (Version: 1.0.3 - sipgate GmbH)
SIZCHIP 2.0.0.4 NPAPI (HKLM\...\SIZCHIP-Plugin-Mozilla-20) (Version: 2.0.0.4 - SIZ GmbH)
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 5.11.9874 - Skype Technologies S.A.)
SkypeMate (HKLM\...\SkypeMate) (Version:  - SkypeMate)
Skype™ 6.21 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SMPlayer 0.6.8 (HKLM\...\SMPlayer) (Version: 0.6.8 - RVM)
Softsqueeze 3.9b2 (HKLM\...\Softsqueeze 3.9b2) (Version:  - Ralph Irving)
SolutionCenter (Version: 130.0.373.000 - Hewlett-Packard) Hidden
SpeedFan (remove only) (HKLM\...\SpeedFan) (Version:  - )
SqueezePlay 7.6.2 (HKLM\...\{09B790E3-21E3-4D1A-8130-AAA9227C9785}_is1) (Version:  - Logitech)
Steuer-Spar-Erklärung 2010 (HKLM\...\{D8E1DFEE-622B-46BA-AEFF-AB7E541C0B21}) (Version: 15.13 - Akademische Arbeitsgemeinschaft Verlag)
Steuer-Spar-Erklärung 2011 (HKLM\...\{9F5FD796-86F0-4360-85F8-D54C0F5411EB}) (Version: 16.16 - Akademische Arbeitsgemeinschaft Verlag)
Steuer-Spar-Erklärung 2012 (HKLM\...\{CCD2BAD2-0919-40CB-80CC-E9538B0E4C2E}) (Version: 17.11 - Wolters Kluwer Deutschland GmbH)
Steuer-Spar-Erklärung 2013 (HKLM\...\{AEB61F7A-4BBA-4292-A096-7893E09034A4}) (Version: 18.09 - Wolters Kluwer Deutschland GmbH)
SteuerSparErklärung 2014 (HKLM\...\{A463EB06-22A6-47F5-9593-E52B291EF13E}) (Version: 19.12.92 - Akademische Arbeitsgemeinschaft)
Streamripper (Remove only) (HKLM\...\Streamripper) (Version:  - )
StreamTransport version: 1.0.2.2171 (HKLM\...\{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1) (Version:  - )
SupervisionCam (HKLM\...\SupervisionCam) (Version:  - )
Sweet Home 3D version 4.4 (HKLM\...\Sweet Home 3D_is1) (Version:  - eTeks)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
SyncToy 2.1 (x86) (HKLM\...\{A066194B-DC8F-449A-8E0F-B57BDD3A2072}) (Version: 2.1.0 - Microsoft)
TCPMP (HKLM\...\TCPMP) (Version:  - )
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
The Lord of the Rings FREE Trial  (Version: 1.00.0000 - ATI Technologies Inc.) Hidden
TM PowerPoint Timer (HKLM\...\TM PowerPoint Timer_is1) (Version:  - tushar-mehta.com)
Total Commander (Remove or Repair) (HKLM\...\Totalcmd) (Version: 7.50a - Ghisler Software GmbH)
Tradesignal Web Edition (HKLM\...\{BF8C49DF-64D5-459A-8790-69479C60F49B}) (Version: 5.6.409 - Tradesignal GmbH)
TrayStatus 1.2.3 (HKLM\...\d6b74f60-2e9d-4c60-a8b7-b7d737c44ad4_is1) (Version: 1.2.3.0 - Binary Fortress Software)
TuneUp Companion 2.2.3 (HKLM\...\TuneUpMedia) (Version: 2.2.3 - TuneUp Media, Inc.)
Turbo Lister 2 (HKLM\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.)
TweetDeck (HKLM\...\{FA6381E9-96D2-4F6F-866C-4D16E5986FF6}) (Version: 2.7.1 - Twitter, Inc.)
Ultimate Extras sounds from Microsoft® Tinker™ (HKLM\...\UltSounds2) (Version:  - Microsoft Corporation)
Uninstall 1.0.0.1 (HKLM\...\Uninstall_is1) (Version:  - )
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM\...\{90120000-0016-0407-0000-0000000FF1CE}_ULTIMATER_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version:  - Microsoft)
Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM\...\{90120000-001A-0407-0000-0000000FF1CE}_ULTIMATER_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version:  - Microsoft)
Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM\...\{90120000-0018-0407-0000-0000000FF1CE}_ULTIMATER_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version:  - Microsoft)
Update für Microsoft Office Word 2007 Help (KB963665) (HKLM\...\{90120000-001B-0407-0000-0000000FF1CE}_ULTIMATER_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version:  - Microsoft)
Utilities and SDK for UNIX-based Applications (HKLM\...\{DB88A98A-792B-4441-8E60-05A6D3E2B2C0}) (Version: 10.0.6030.0 - Microsoft Corporation)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
VLC Streamer 1.21 (HKLM\...\VLC Streamer_is1) (Version:  - )
Voxware Audio decoder 1.6 (HKLM\...\voxware_is1) (Version: 1.6.0 - )
WebReg (Version: 130.0.132.017 - Hewlett-Packard) Hidden
WebSite-Watcher 2011 (11.0) (HKLM\...\aigneswebsitewatcher_is1) (Version: 2011 (11.0) - www.aignes.com)
Windows 7 Upgrade Advisor Beta (HKLM\...\{4394DC3A-5DAC-4C80-A86E-FF462D0AD653}) (Version: 2.0.1125.0 - Microsoft Corporation)
Windows 7 USB/DVD Download Tool (HKLM\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Mesh ActiveX control for remote connections (HKLM\...\{C5398A89-516C-4DAF-BA07-EE7949090E56}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{586509F0-350D-48B5-B763-9CC2F8D96C4C}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Mobile-Gerätecenter (HKLM\...\{904CCF62-818D-4675-BC76-D37EB399F917}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows Mobile-Gerätecenter: Treiberupdate (HKLM\...\{E7044E25-3038-4A76-9064-344AC038043E}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows-Soundschemas (HKLM\...\UltSounds) (Version:  - Microsoft Corporation)
WinHTTrack Website Copier 3.43-9C (HKLM\...\WinHTTrack Website Copier_is1) (Version: 3.43.9 - HTTrack)
WinSCP 4.3.4 (HKLM\...\winscp3_is1) (Version: 4.3.4 - Martin Prikryl)
Xaldon WebSpider2 (HKLM\...\WebSpider2) (Version:  - )
XMedia Recode Version 3.1.2.5 (HKLM\...\{DDA3C325-47B2-4730-9672-BF3771C08799}_is1) (Version: 3.1.2.5 - XMedia Recode)
Xvid 1.2.2 final uninstall (HKLM\...\Xvid_is1) (Version: 1.2 - Xvid team (Koepi))
XviD4PSP 5.0 (HKLM\...\XviD4PSP5) (Version: 5.037 - Winnydows)
ZDFmediathek Version 2.1.6 (HKLM\...\ZDFmediathek_is1) (Version:  - ZDF)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\ProgramData\EasyBits GO\ezGameXN.dll (EasyBits Media)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.99\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.69\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.79\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Google Talk Plugin\googletalkax.dll (Google)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\ProgramData\EasyBits GO\ezGameXN.dll (EasyBits Media)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Chrome\Application\38.0.2125.111\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}\localserver32 -> C:\Users\hcxxx\AppData\Local\Temp\{d5641912-e47a-429c-879e-cfe13eac7a13}\IDriver.NonElevated.exe (Macrovision Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\localserver32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.165\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\localserver32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Google Talk Plugin\o1dax.dll (Google)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.65\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\psuser.dll (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\FileSyncApi.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File

==================== Restore Points  =========================

01-11-2014 13:10:21 Geplanter Prüfpunkt
02-11-2014 09:52:09 Geplanter Prüfpunkt
03-11-2014 13:36:30 Windows Update
04-11-2014 13:31:34 Geplanter Prüfpunkt
06-11-2014 14:59:48 Geplanter Prüfpunkt
06-11-2014 21:11:13 Windows Update
07-11-2014 14:02:55 Geplanter Prüfpunkt
08-11-2014 17:04:24 Geplanter Prüfpunkt
09-11-2014 12:08:52 Geplanter Prüfpunkt
10-11-2014 07:37:19 Windows Update
12-11-2014 08:35:13 Geplanter Prüfpunkt
12-11-2014 13:35:46 Windows Update
16-11-2014 10:49:12 Windows Update
18-11-2014 14:43:27 Geplanter Prüfpunkt
19-11-2014 08:54:16 Windows Update
21-11-2014 13:32:51 Geplanter Prüfpunkt

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 11:23 - 2006-09-18 22:41 - 00000761 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

==================== Scheduled Tasks (whitelisted) =============

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {02DCC829-85C6-4BAA-9E9C-043C5CBC851E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {08D52DD5-6C27-4AE6-9CED-D0FD374C2FF9} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {1139090C-EBC0-4AA9-BF53-A49AA81E0EDF} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {201DA040-F03B-4AFA-AEDF-BFCE44AF35EC} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14] (RealNetworks, Inc.)
Task: {2C0AA312-7EDA-477A-9208-C08FA901F855} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000Core => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.)
Task: {2FD76A5C-B6A6-4427-AA91-E9758E4B12B8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.)
Task: {33B36DA1-BFAB-47A2-ABF7-F3E689DAB4ED} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {47FEAD1F-2D66-4839-BA8A-6A3E80F9A940} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {4A242C24-5D17-4EC7-BD63-17B5E5B6799F} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000UA => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.)
Task: {4C7FC6FB-94B2-4285-87F3-0F17BFD3A410} - System32\Tasks\{5A65B82E-701D-4437-BF1E-827A0FB59262} => C:\Program Files\Skype\Phone\Skype.exe [2014-10-01] (Skype Technologies S.A.)
Task: {5DC911FF-9916-42F4-A00C-5BB92BBC36C9} - System32\Tasks\Speedfan => C:\Program Files\SpeedFan\speedfan.exe [2013-03-15] (Almico Software (www.almico.com))
Task: {62233372-8613-4E55-975A-FB964A71633A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.)
Task: {938DB33E-790E-44BE-848E-F81D61940580} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {9D0B106D-39BC-4E6A-B2F7-D310FAE7FE9B} - System32\Tasks\{A747F6B7-1362-4573-BBCD-2BF0ABAF512E} => C:\Program Files\Skype\\Phone\Skype.exe [2014-10-01] (Skype Technologies S.A.)
Task: {9FDC235A-FA74-45A5-BD1C-8C0EA7EB13C5} - System32\Tasks\Hibernate Computer Daily At 22 Hour(s) and 45 Minute(s) => C:\Program Files\Easy ShutDown\EasyShutDown.exe [2011-03-26] ()
Task: {D5EBFA6D-A57E-4B10-B41E-123D28450B01} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-11] (Adobe Systems Incorporated)
Task: {DD2C4867-CB11-4B95-9C9A-57EFB744FD35} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.)
Task: {FBBD46A1-72BF-4507-965A-F2EDF6D3B2FB} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => C:\Program Files\Microsoft IntelliPoint\IPoint.exe [2009-05-28] (Microsoft Corporation)

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000Core.job => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000UA.job => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe
Task: C:\Windows\Tasks\Hibernate Computer Daily At 22 Hour(s) and 45 Minute(s).job => C:\Program Files\Easy ShutDown\EasyShutDown.exe

==================== Loaded Modules (whitelisted) =============

2009-11-04 13:24 - 2007-07-12 22:33 - 00087552 _____ () C:\Windows\System32\cpwmon2k.dll
2014-08-29 10:53 - 2013-05-15 07:32 - 00024064 _____ () C:\Windows\System32\sst6clm.dll
2014-08-29 10:53 - 2012-01-09 14:31 - 00024064 _____ () C:\Windows\System32\sst6ylm.dll
2009-05-18 13:55 - 2007-03-14 13:33 - 00022723 _____ () C:\Windows\System32\sugg1l3.dll
2008-10-24 15:35 - 2008-10-24 15:35 - 00128296 _____ () C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2012-05-02 16:08 - 2012-05-02 16:08 - 00221696 _____ () C:\Program Files\GNU\GnuPG\dirmngr.exe
2012-05-02 16:06 - 2012-05-02 16:06 - 00209408 _____ () C:\Program Files\GNU\GnuPG\libksba-8.dll
2012-05-02 16:03 - 2012-05-02 16:03 - 00047616 _____ () C:\Program Files\GNU\GnuPG\libgpg-error-0.dll
2012-05-02 16:02 - 2012-05-02 16:02 - 00039936 _____ () C:\Program Files\GNU\GnuPG\libw32pth-0.dll
2012-05-02 16:06 - 2012-05-02 16:06 - 00075264 _____ () C:\Program Files\GNU\GnuPG\libassuan-0.dll
2012-05-02 16:06 - 2012-05-02 16:06 - 00641536 _____ () C:\Program Files\GNU\GnuPG\libgcrypt-11.dll
2011-03-03 19:27 - 2011-03-03 19:27 - 00009728 _____ () C:\Program Files\DVRMSToolbox\DTBFWService.exe
2013-08-14 14:19 - 2013-08-14 14:19 - 00039056 _____ () C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe
2009-06-24 08:28 - 2005-01-14 14:32 - 00053248 _____ () C:\Windows\System32\PAStiSvc.exe
2014-08-29 10:52 - 2013-05-15 07:32 - 01015296 _____ () C:\Windows\system32\spool\DRIVERS\W32X86\3\sst6cdu.dll
2010-04-07 02:22 - 2013-04-30 03:46 - 00037376 _____ () C:\Windows\system32\atitmpxx.dll
2014-11-21 08:37 - 2014-11-21 15:52 - 00158720 _____ () C:\Users\hcxxx\AppData\Local\Temp\sfareca00001.dll
2009-05-21 20:18 - 2014-11-21 15:52 - 00192512 _____ () C:\Users\hcxxx\AppData\Local\Temp\sfamcc00001.dll
2014-09-25 11:16 - 2014-09-25 11:16 - 00081056 _____ () C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.DLL
2012-05-02 16:07 - 2012-05-02 16:07 - 00624640 _____ () C:\Program Files\GNU\GnuPG\gpgex.dll
2013-04-12 09:25 - 2013-04-12 09:25 - 00699952 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe
2006-09-19 09:07 - 2006-09-19 09:07 - 00827392 _____ () C:\Windows\vsnpstd3.exe
2012-03-09 08:58 - 2012-03-09 08:58 - 00350072 _____ () C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
2012-03-09 08:58 - 2012-03-09 08:58 - 00056696 _____ () C:\Program Files\Common Files\Common Desktop Agent\CDASrvPS.dll
2012-05-30 23:17 - 2011-03-26 20:22 - 00164864 _____ () C:\Program Files\Easy ShutDown\EasyShutDown.exe
2014-09-25 11:16 - 2014-09-25 11:16 - 00081056 _____ () C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.dll
2014-10-16 09:41 - 2014-10-16 09:41 - 00184320 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.Commonc65c5a95#\086a6d7a1b67ee702557defcde5f85b5\Kies.Common.DeviceServiceLib.Interface.ni.dll
2014-10-16 11:30 - 2014-10-16 11:30 - 17553920 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.Theme\b863b058df2bc3ba024231c9ff597138\Kies.Theme.ni.dll
2014-10-16 09:41 - 2014-10-16 09:41 - 01792000 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.UI\b07928f0c453603bea895b4ce2ee168d\Kies.UI.ni.dll
2014-10-16 09:41 - 2014-10-16 09:41 - 00081920 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.MVVM\f1de49400c4567d381ba7e17b1b9c52a\Kies.MVVM.ni.dll
2014-10-16 09:42 - 2014-10-16 09:42 - 00236032 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\ASF_cSharpAPI\6815ff93472d008087880a6462931188\ASF_cSharpAPI.ni.dll
2012-12-20 10:12 - 2012-12-20 10:12 - 00582144 _____ () C:\Program Files\SkypeMate\SkypeMate.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00028774 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00032878 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00028779 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00020601 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\4461f48e31bde5c56b31b973b773de09\List.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00118918 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00082048 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00020576 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00036964 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\f233f63b6654362865c7577442edb9e3\Win32.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00082033 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024676 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00061540 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\e56c61f7248672819579325af3387035\POSIX.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00094334 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\eb138ef0e4282611dbf485a302784646\LibYAML.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00053340 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00184414 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\bd5179a413bc0c4b82eedc22c6cab101\re.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\93e7e3d6030f426844228042348210cf\Service.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00043008 _____ () c:\users\hcxxx\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7gj1zp.dll
2013-08-23 20:01 - 2013-08-23 20:01 - 25100288 _____ () C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\libcef.dll
2013-06-18 14:49 - 2013-06-18 14:49 - 00016384 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
2013-04-29 22:08 - 2013-04-29 22:08 - 00369152 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2014-01-10 10:27 - 2014-01-10 10:27 - 00663056 _____ () C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe
2014-11-21 15:50 - 2014-11-21 15:50 - 00020576 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00036964 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\f233f63b6654362865c7577442edb9e3\Win32.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024676 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00061540 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e56c61f7248672819579325af3387035\POSIX.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00082033 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00118918 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00082048 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00028779 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020601 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\4461f48e31bde5c56b31b973b773de09\List.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024681 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c199d3c1960e7aeeecb599487952bed2\HiRes.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00090213 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\961b0d62fa52b1dd29c795a822fbf1cf\DBI.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00077824 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7f177c338672436e01c4f0bdbcf94491\EV.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00138752 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\44727051c604ef6b79894b64d4c63832\Expat.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00041080 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\2b1fc61b36a6711ea149b18bf3b41500\Parser.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00030720 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\dacfd0ab9b5fd029ed8d29e4482b0775\XS.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\fa9e3c814aa32db2ad5f17bdfbc22746\attributes.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024694 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c344fd5536724b2af2e6453833b60203\SHA1.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00094334 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\eb138ef0e4282611dbf485a302784646\LibYAML.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00053340 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00184414 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\bd5179a413bc0c4b82eedc22c6cab101\re.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020592 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\b979ace6da01e63d651cce9ee2474fdc\Name.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00028774 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00182272 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d0bf009923f29116535c26d228271d6d\Scan.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024672 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\17d0b152e63e6bfe81b4b19588538896\mro.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020596 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3b7106dd14676048b10bbb09a990f74c\XS.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00032878 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024695 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\cf5fe81e2f5dcbfecfd0495e1648c991\Unicode.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024670 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3a8764e0d7c5d453e01d9ad08cf7fb58\IO.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00361472 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\aff7ee779ea184f884ed432c30a58f5d\Scale.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00061546 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\4f2c03383aab0133b8dc0a3fa2dd92fa\Storable.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00110705 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7f2598c08178217a0e2c754f3d568f28\Byte.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c19d5e3dc664d9f4ce700001e2621cee\MD5.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00608256 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e2e81dd6b3e5a36f0bdae076393cc11d\SQLite.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00001024 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e2e81dd6b3e5a36f0bdae076393cc11d\icudt46.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020596 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d1c77e404b5c4b954fa537ed63c8fb7b\File.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00030208 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\0665c25e931c1ac0151b062449e91028\XSAccessor.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020587 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c668a322917d32a5ea22894518aa9897\Base64.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 04547584 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\38a10ee333cf1a9afec3f0acdf1bbebc\Scan.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00017920 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\8fedeb86a4a984edfc1fb255d4ea965c\XS.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00061547 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\bc147d83c7c868eeee67082dcf55430c\File.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00032881 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\b6bd87c968599725b8ab2e5c25d3046a\API.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00098415 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\19febd96672ffdb7ea244cef36aaa062\Zlib.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00098816 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32api.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00110080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pywintypes27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00364544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pythoncom27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00045568 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_socket.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01160704 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_ssl.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00320512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32com.shell.shell.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00713216 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_hashlib.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01175040 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._core_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00805888 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._gdi_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00811008 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._windows_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01062400 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._controls_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00735232 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._misc_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00128512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_elementtree.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00127488 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pyexpat.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00557056 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pysqlite2._sqlite.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00087552 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_ctypes.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00119808 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32file.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00108544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32security.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00007168 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\hashobjs_ext.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00167936 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32gui.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00018432 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32event.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00038912 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32inet.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00011264 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32crypt.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00070656 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._html2.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00027136 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_multiprocessing.pyd
2014-11-21 15:49 - 2014-11-21 15:49 - 00035840 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32process.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00686080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\unicodedata.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00122368 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._wizard.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00024064 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32pipe.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00025600 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32pdh.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00525640 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\windows._lib_cacheinvalidation.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00010240 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\select.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00017408 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32profile.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00022528 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32ts.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00078336 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._animate.pyd
2014-11-21 13:10 - 2014-11-21 13:10 - 27810236 _____ () C:\Users\hcxxx\Documents\Temp\detekt.exe
2014-11-21 15:50 - 2014-11-21 15:50 - 01689088 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtCore.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00077824 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\sip.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00324608 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PIL._imaging.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00715264 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_hashlib.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00098816 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32api.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00110080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pywintypes27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00364544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pythoncom27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 05940224 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtGui.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00325120 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtWebKit.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00502784 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtNetwork.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00046080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_socket.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01160704 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_ssl.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00686080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\unicodedata.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00087552 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_ctypes.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00152576 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\yara.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00096256 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\distorm3.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00320512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32com.shell.shell.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00042496 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32service.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00010240 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\select.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00119808 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32file.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00128512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_elementtree.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00127488 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pyexpat.pyd
2014-07-23 00:29 - 2014-07-23 00:29 - 00113171 _____ () C:\Program Files\VideoLAN\VLC\libvlc.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 02396691 _____ () C:\Program Files\VideoLAN\VLC\libvlccore.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00268307 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00027667 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00031251 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 11148307 _____ () C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01248787 _____ () C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00066579 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 02043411 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00100371 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00244243 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00076307 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00045587 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00060947 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00531475 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00708627 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00114195 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00040467 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00133139 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01512467 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00296979 _____ () C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00054291 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00038419 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00189971 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00091667 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00067603 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00077331 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00074259 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00016403 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00023059 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021523 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00929299 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00118803 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00144403 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01194003 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00707603 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015891 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00417811 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00023059 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00525331 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00127507 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00036371 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00116755 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_http_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00072211 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00383507 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021011 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00292371 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017939 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01280019 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libdts_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00336403 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00344595 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00198675 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00027155 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015891 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01393171 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00146451 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00022035 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00733203 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libmpeg_audio_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00026131 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00171027 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019475 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 10447379 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00016403 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021523 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00030739 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021011 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00063507 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00036883 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00024595 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00064531 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00013843 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00130579 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmpgatofixed32_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00168979 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdtstofloat32_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00058899 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\liba52tofloat32_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01496083 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019475 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00013331 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\liba52tospdif_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdtstospdif_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00746515 _____ () C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00026643 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi420_yuy2_sse2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi420_yuy2_mmx_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00587283 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libswscale_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00113683 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi420_rgb_sse2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00027667 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi422_yuy2_sse2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi422_yuy2_mmx_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00053779 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi420_rgb_mmx_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00016915 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00032275 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00020499 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00013843 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libyuvp_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00068115 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d_plugin.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:BC359956
AlternateDataStreams: C:\Users\hcxxx\Documents\bye.bat:SummaryInformation
AlternateDataStreams: C:\Users\hcxxx\Documents\bye.bat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\hcxxx\Documents\forwarded message.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)


==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)


==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)


========================= Accounts: ==========================

Administrator (S-1-5-21-2717335284-3986619703-2298539805-500 - Administrator - Disabled) => C:\Users\Administrator
Gast (S-1-5-21-2717335284-3986619703-2298539805-501 - Limited - Enabled)
hcxxx (S-1-5-21-2717335284-3986619703-2298539805-1000 - Administrator - Enabled) => C:\Users\hcxxx

==================== Faulty Device Manager Devices =============

Name: VirtualBox Host-Only Ethernet Adapter
Description: VirtualBox Host-Only Ethernet Adapter
Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Oracle Corporation
Service: VBoxNetAdp
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.


==================== Event log errors: =========================

Application errors:
==================
Error: (11/21/2014 03:51:47 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: WmiApRplC:\Windows\system32\wbem\wmiaprpl.dll4

Error: (11/21/2014 03:51:40 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Die abhängige Assemblierung "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (11/21/2014 03:51:19 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (11/21/2014 03:50:56 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (11/21/2014 03:50:51 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: MSDTCC:\Windows\system32\msdtcuiu.DLL4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: LsaC:\Windows\system32\Secur32.dll4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: ESENTC:\Windows\system32\esentprf.dll4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\system32\bitsperf.dll4

Error: (11/21/2014 02:05:04 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".


System errors:
=============
Error: (11/21/2014 03:59:33 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Beim Aktualisieren der Signaturen wurde von %NT-AUTORITÄT60 ein Fehler festgestellt.

	Neue Signaturversion: 

	Vorherige Signaturversion: 1.189.318.0

	Aktualisierungsquelle: %NT-AUTORITÄT59

	Aktualisierungsphase: 4.6.0305.00

	Quellpfad: 4.6.0305.01

	Signaturtyp: %NT-AUTORITÄT602

	Aktualisierungstyp: %NT-AUTORITÄT604

	Benutzer: NT-AUTORITÄT\SYSTEM

	Aktuelle Modulversion: %NT-AUTORITÄT605

	Vorherige Modulversion: %NT-AUTORITÄT606

	Fehlercode: %NT-AUTORITÄT607

	Fehlerbeschreibung: %NT-AUTORITÄT608

Error: (11/21/2014 03:46:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: ShowAnalyzerMaster%%3

Error: (11/21/2014 03:46:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: DgiVecp%%20

Error: (11/21/2014 03:45:48 PM) (Source: Print) (EventID: 19) (User: NT-AUTORITÄT)
Description: Der Druckspooler konnte den Drucker Samsung CLP-360 Series nicht unter dem Namen Samsung CLP-360 Series freigeben. Fehler: 2114. Der Drucker kann nicht von anderen Benutzern im Netzwerk verwendet werden.

Error: (11/21/2014 08:36:42 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: Windows Update

Error: (11/21/2014 08:35:01 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F4396DC6-E851-4D3A-8D01-34E6949F3500}

Error: (11/21/2014 08:35:00 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {7F6316B4-4D69-4765-B0A3-B2598F2FA80A}

Error: (11/21/2014 08:32:12 AM) (Source: iaStorV) (EventID: 9) (User: )
Description: Das Gerät \Device\Ide\iaStor0 hat innerhalb der Fehlerwartezeit nicht geantwortet.

Error: (11/21/2014 08:32:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: ShowAnalyzerMaster%%3

Error: (11/21/2014 08:32:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: DgiVecp%%20


Microsoft Office Sessions:
=========================
Error: (10/11/2014 10:45:46 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 999 seconds with 120 seconds of active time.  This session ended with a crash.

Error: (09/17/2014 10:36:33 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 19211 seconds with 60 seconds of active time.  This session ended with a crash.

Error: (01/24/2014 01:16:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 71199 seconds with 1920 seconds of active time.  This session ended with a crash.

Error: (12/13/2013 02:29:02 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 15578 seconds with 720 seconds of active time.  This session ended with a crash.

Error: (11/01/2013 00:21:14 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 5949 seconds with 240 seconds of active time.  This session ended with a crash.

Error: (09/26/2013 08:29:10 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 276 seconds with 60 seconds of active time.  This session ended with a crash.

Error: (09/11/2013 09:33:49 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 115581 seconds with 1200 seconds of active time.  This session ended with a crash.

Error: (09/02/2013 06:00:09 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 100923 seconds with 4500 seconds of active time.  This session ended with a crash.

Error: (07/25/2013 03:50:05 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 190060 seconds with 1320 seconds of active time.  This session ended with a crash.

Error: (02/24/2013 02:48:46 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 185782 seconds with 480 seconds of active time.  This session ended with a crash.


CodeIntegrity Errors:
===================================
  Date: 2013-10-14 12:16:56.618
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:16:56.356
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:16:56.064
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:16:55.773
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:15:36.664
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:15:36.404
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:15:36.138
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:15:35.886
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:15:35.312
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

  Date: 2013-10-14 12:15:35.069
  Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.


==================== Memory info =========================== 

Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz
Percentage of memory in use: 69%
Total physical RAM: 3062.17 MB
Available physical RAM: 922.32 MB
Total Pagefile: 6339.3 MB
Available Pagefile: 3512.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1891.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.52 GB) (Free:220.94 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: () (Fixed) (Total:465.66 GB) (Free:41.02 GB) NTFS
Drive g: (SD) (Removable) (Total:29.84 GB) (Free:29.84 GB) FAT32
Drive h: (HDDRIVE2GO) (Fixed) (Total:931.28 GB) (Free:27.77 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 11E8DE91)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: DEDD9B10)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 931.5 GB) (Disk ID: C2AC2C31)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=0C)

========================================================
Disk: 3 (Size: 29.9 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================
         


Alt 22.11.2014, 14:02   #6
derdingens
 

What to do? Detekt found five! trojans, antivirus scanners with no findings so far. Detekt.Log



Part 1 / 3 Detekt.log

Code:
2014-11-21 13:19:20,345 - detector - INFO - Starting with process ID 12268
2014-11-21 13:19:20,348 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 13:19:20,349 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI132202\drivers\winpmem32.sys
2014-11-21 13:19:20,349 - detector.service - INFO - Launching service destroyer...
2014-11-21 13:19:20,351 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-21 13:19:20,351 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 13:19:20,351 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 13:19:20,351 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-21 13:19:21,035 - detector.service - INFO - Trying to start the winpmem service...
2014-11-21 13:19:21,223 - detector - INFO - Service started
2014-11-21 13:19:21,223 - detector - INFO - Selected Yara signature file at C:\Users\hcxxx\AppData\Local\Temp\_MEI132202\rules\signatures.yar
2014-11-21 13:19:21,223 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-21 13:19:25,924 - detector - INFO - Address space: <volatility.plugins.addrspaces.intel.IA32PagedMemoryPae object at 0x09367230>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x08818110>
2014-11-21 13:19:25,924 - detector - INFO - Profile: <volatility.plugins.overlays.windows.vista.VistaSP2x86 object at 0x08818350>, DTB: 0x122000
2014-11-21 13:19:25,926 - detector - INFO - Starting yara scanner...
2014-11-21 14:05:21,569 - detector - INFO - Starting with process ID 14976
2014-11-21 14:05:21,575 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 14:05:21,575 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI152562\drivers\winpmem32.sys
2014-11-21 14:05:21,575 - detector.service - INFO - Launching service destroyer...
2014-11-21 14:05:21,575 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 14:05:21,609 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 14:05:21,698 - detector - CRITICAL - Unable to start winpmem service: Unable to create service: (1072, 'CreateService', 'Der angegebene Dienst wurde zum L\xf6schen markiert.')
2014-11-21 15:51:53,463 - detector - INFO - Starting with process ID 7020
2014-11-21 15:51:53,467 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 15:51:53,467 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\drivers\winpmem32.sys
2014-11-21 15:51:53,467 - detector.service - INFO - Launching service destroyer...
2014-11-21 15:51:53,467 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-21 15:51:53,469 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 15:51:53,469 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 15:51:53,469 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-21 15:51:53,499 - detector.service - INFO - Trying to start the winpmem service...
2014-11-21 15:51:53,572 - detector - INFO - Service started
2014-11-21 15:51:53,572 - detector - INFO - Selected Yara signature file at C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\rules\signatures.yar
2014-11-21 15:51:53,572 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-21 15:51:55,230 - detector - INFO - Address space: <volatility.plugins.addrspaces.intel.IA32PagedMemoryPae object at 0x095961F0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x08978510>
2014-11-21 15:51:55,232 - detector - INFO - Profile: <volatility.plugins.overlays.windows.vista.VistaSP2x86 object at 0x089782D0>, DTB: 0x122000
2014-11-21 15:51:55,233 - detector - INFO - Starting yara scanner...
2014-11-21 16:51:41,969 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE46B, Value:

6d 6f 64 41 50 49 24 6d 6f 64 32 00 6d 6f 64 41 modAPI$mod2.modA
75 64 69 6f 24 6d 6f 64 33 00 6d 6f 64 42 74 4b udio$mod3.modBtK
69 6c 6c 65 72 24 6d 6f 64 34 00 6d 6f 64 43 72 iller$mod4.modCr
79 70 74 24 6d 6f 64 35 00 6d 6f 64 46 75 63 74 ypt$mod5.modFuct
69 6f 6e 73 24 6d 6f 64 36 00 6d 6f 64 48 69 6a ions$mod6.modHij
61 63 6b 24 6d 6f 64 37 00 6d 6f 64 49 43 61 6c ack$mod7.modICal
6c 42 61 63 6b 24 6d 6f 64 38 00 6d 6f 64 49 49 lBack$mod8.modII
6e 65 74 24 6d 6f 64 39 00 6d 6f 64 49 6e 66 65 net$mod9.modInfe
63 74 24 6d 6f 64 31 30 00 6d 6f 64 49 6e 6a 50 ct$mod10.modInjP
45 24 6d 6f 64 31 31 00 6d 6f 64 4c 61 75 6e 63 E$mod11.modLaunc
68 57 65 62 24 6d 6f 64 31 32 00 6d 6f 64 4f 53 hWeb$mod12.modOS
24 6d 6f 64 31 33 00 6d 6f 64 50 57 73 24 6d 6f $mod13.modPWs$mo
64 31 34 00 6d 6f 64 52 65 67 69 73 74 72 79 24 d14.modRegistry$
6d 6f 64 31 35 00 6d 6f 64 53 63 72 65 65 6e 63 mod15.modScreenc
61 70 24 6d 6f 64 31 36 00 6d 6f 64 53 6e 69 66 ap$mod16.modSnif
66 24 6d 6f 64 31 37 00 6d 6f 64 53 6f 63 6b 65 f$mod17.modSocke

2014-11-21 16:51:41,970 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE477, Value:

6d 6f 64 41 75 64 69 6f 24 6d 6f 64 33 00 6d 6f modAudio$mod3.mo
64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 00 6d dBtKiller$mod4.m
6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f 64 odCrypt$mod5.mod
46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d 6f Fuctions$mod6.mo
64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f 64 dHijack$mod7.mod
49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 6d ICallBack$mod8.m
6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f 64 odIInet$mod9.mod
49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f 64 Infect$mod10.mod
49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 4c InjPE$mod11.modL
61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 6d aunchWeb$mod12.m
6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 57 odOS$mod13.modPW
73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 73 s$mod14.modRegis
74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 72 try$mod15.modScr
65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f 64 eencap$mod16.mod
53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 53 Sniff$mod17.modS
6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 31 ocketMaster$mod1

2014-11-21 16:51:41,971 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE485, Value:

6d 6f 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 modBtKiller$mod4
00 6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d .modCrypt$mod5.m
6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 odFuctions$mod6.
6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m
6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8
00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m
6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m
6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo
64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12
00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod
50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg
69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS
63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m
6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo
64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo
64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo

2014-11-21 16:51:41,973 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE496, Value:

6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f modCrypt$mod5.mo
64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d dFuctions$mod6.m
6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f odHijack$mod7.mo
64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 dICallBack$mod8.
6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo
64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo
64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod
4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m

2014-11-21 16:51:41,974 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4A4, Value:

6d 6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 modFuctions$mod6
00 6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 .modHijack$mod7.
6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod
38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.
6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod

2014-11-21 16:51:41,976 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4B5, Value:

6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m
6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8
00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m
6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m
6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo
64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12
00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod
50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg
69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS
63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m
6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo
64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo
64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo
64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 d19.modSqueezer$
6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 mod20.modSS$mod2
31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 1.modTorrentSeed

2014-11-21 16:51:41,977 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4C4, Value:

6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod
38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.
6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms

2014-11-21 16:51:41,980 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4D6, Value:

6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo
64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo
64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod
4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21
00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$
74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t
6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr

2014-11-21 16:51:41,980 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4E4, Value:

6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm

2014-11-21 16:51:41,982 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4F4, Value:

6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5

2014-11-21 16:51:41,983 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE503, Value:

6d 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 modLaunchWeb$mod
31 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 12.modOS$mod13.m
6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 odPWs$mod14.modR
65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f egistry$mod15.mo
64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 dScreencap$mod16
00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 .modSniff$mod17.
6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$
6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$
6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze
72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo
64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe
65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm
73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$
74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t
6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr
35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.

2014-11-21 16:51:41,984 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE516, Value:

6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21
00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$
74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t
6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr
33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 3.tmrAnslut$tmr4
00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 .tmrAudio$tmr5.t
6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 mrBlink$tmr6.tmr
43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f Check$tmr7.tmrCo

2014-11-21 16:51:41,986 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE522, Value:

6d 6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 modPWs$mod14.mod
52 65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d Registry$mod15.m
6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 odScreencap$mod1
36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 6.modSniff$mod17
00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 .modSocketMaster
24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 $mod18.modSpread
24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a $mod19.modSqueez
65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d er$mod20.modSS$m
6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 od21.modTorrentS
65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 eed$tmr1.tmrAlar
6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 ms$tmr2.tmrAlive
24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 $tmr3.tmrAnslut$
74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d tmr4.tmrAudio$tm
72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 r5.tmrBlink$tmr6
00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 .tmrCheck$tmr7.t
6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 mrCountdown$tmr8

2014-11-21 16:51:41,987 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE52F, Value:

6d 6f 64 52 65 67 69 73 74 72 79 24 6d 6f 64 31 modRegistry$mod1
35 00 6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 5.modScreencap$m
6f 64 31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f od16.modSniff$mo
64 31 37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 d17.modSocketMas
74 65 72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 ter$mod18.modSpr
65 61 64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 ead$mod19.modSqu
65 65 7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 eezer$mod20.modS
53 24 6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 S$mod21.modTorre
6e 74 53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 ntSeed$tmr1.tmrA
6c 61 72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c larms$tmr2.tmrAl
69 76 65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c ive$tmr3.tmrAnsl
75 74 24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f ut$tmr4.tmrAudio
24 74 6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 $tmr5.tmrBlink$t
6d 72 36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 mr6.tmrCheck$tmr
37 00 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 7.tmrCountdown$t
6d 72 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 mr8.tmrCrazy$tmr

2014-11-21 16:51:41,989 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE541, Value:

6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 modScreencap$mod
31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 16.modSniff$mod1
37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 7.modSocketMaste
72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 r$mod18.modSprea
64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 d$mod19.modSquee
7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 zer$mod20.modSS$
6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 mod21.modTorrent
53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 Seed$tmr1.tmrAla
72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 rms$tmr2.tmrAliv
65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 e$tmr3.tmrAnslut
24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 $tmr4.tmrAudio$t
6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 mr5.tmrBlink$tmr
36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 6.tmrCheck$tmr7.
74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr
38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9.
74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr

2014-11-21 16:51:41,990 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE554, Value:

6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5
00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 .tmrBlink$tmr6.t
6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 mrCheck$tmr7.tmr
43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 Countdown$tmr8.t
6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 mrCrazy$tmr9.tmr
44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 DOS$tmr10.tmrDoW
6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 ork$tmr11.tmrFoc

2014-11-21 16:51:41,992 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE563, Value:

6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$
6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$
6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze
72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo
64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe
65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm
73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$
74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t
6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr
35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.
74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm
72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8.
74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm
72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo
57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo
63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra

2014-11-21 16:51:41,993 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE579, Value:

6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 31 39 00 modSpread$mod19.
6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2
30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo
64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr
31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2
00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t
6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm
72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB
6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe
63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount
64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra
7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t
6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t
6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm
72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t
6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi

2014-11-21 16:51:41,994 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE589, Value:

6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2
30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo
64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr
31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2
00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t
6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm
72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB
6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe
63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount
64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra
7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t
6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t
6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm
72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t
6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi
74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 tet$tmr14.tmrInf

2014-11-21 16:51:41,996 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE59B, Value:

6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 64 54 modSS$mod21.modT
6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 31 00 orrentSeed$tmr1.
74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t
6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr
41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA
75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli
6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck
24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo
77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy
24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr
31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr
31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1
32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr
31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite
74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT
4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter

2014-11-21 16:51:41,997 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5A7, Value:

6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 modTorrentSeed$t
6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d mr1.tmrAlarms$tm
72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 r2.tmrAlive$tmr3
00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 .tmrAnslut$tmr4.
74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm
72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC
68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou
6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC
72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS
24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork
24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$
74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber
24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti
76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI
6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI
6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm

2014-11-21 16:51:41,999 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5BB, Value:

74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t
6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr
41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA
75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli
6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck
24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo
77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy
24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr
31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr
31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1
32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr
31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite
74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT
4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter
76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 valUpdate$tmr16.
74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm

2014-11-21 16:51:42,000 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5CA, Value:

74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d tmrAlive$tmr3.tm
72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 rAnslut$tmr4.tmr
41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c Audio$tmr5.tmrBl
69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 ink$tmr6.tmrChec
6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 k$tmr7.tmrCountd
6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a own$tmr8.tmrCraz
79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d y$tmr9.tmrDOS$tm
72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d r10.tmrDoWork$tm
72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 r11.tmrFocus$tmr
31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 12.tmrGrabber$tm
72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 r13.tmrInaktivit
65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f et$tmr14.tmrInfo
54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 TO$tmr15.tmrInte
72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 rvalUpdate$tmr16
00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 .tmrLiveLogger$t
6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 mr17.tmrPersista

2014-11-21 16:51:42,003 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5D8, Value:

74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 tmrAnslut$tmr4.t
6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 mrAudio$tmr5.tmr
42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 Blink$tmr6.tmrCh
65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e eck$tmr7.tmrCoun
74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 tdown$tmr8.tmrCr
61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 azy$tmr9.tmrDOS$
74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 tmr10.tmrDoWork$
74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 tmr11.tmrFocus$t
6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 mr12.tmrGrabber$
74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 tmr13.tmrInaktiv
69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e itet$tmr14.tmrIn
66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e foTO$tmr15.tmrIn
74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 tervalUpdate$tmr
31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 16.tmrLiveLogger
24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 $tmr17.tmrPersis
74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 63 tant$tmr18.tmrSc

2014-11-21 16:51:42,003 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5E7, Value:

74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm
72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC
68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou
6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC
72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS
24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork
24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$
74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber
24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti
76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI
6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI
6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm
72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 r16.tmrLiveLogge
72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 r$tmr17.tmrPersi
73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 stant$tmr18.tmrS
63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 39 00 creenshot$tmr19.

2014-11-21 16:51:42,006 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5F5, Value:

74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d tmrBlink$tmr6.tm
72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 rCheck$tmr7.tmrC
6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d ountdown$tmr8.tm
72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 rCrazy$tmr9.tmrD
4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f OS$tmr10.tmrDoWo
72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 rk$tmr11.tmrFocu
73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 s$tmr12.tmrGrabb
65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b er$tmr13.tmrInak
74 69 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d tivitet$tmr14.tm
72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d rInfoTO$tmr15.tm
72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 rIntervalUpdate$
74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 tmr16.tmrLiveLog
67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 ger$tmr17.tmrPer
73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d sistant$tmr18.tm
72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 rScreenshot$tmr1
39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 9.tmrSpara$tmr20

2014-11-21 16:51:42,006 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE603, Value:

74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm
72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8.
74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm
72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo
57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo
63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra
62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn
61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14.
74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL
6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2

2014-11-21 16:51:42,009 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE611, Value:

74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr
38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9.
74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr
44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr
46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG
72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr
49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1
34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1
35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd
61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv
65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm
72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1
38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$
74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t
6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm
72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22
         

Old 22.11.2014, 14:05   #7
derdingens
 
Detekt found five! Trojans, virus scanners with no findings so far. What to do? - Standard

What to do? Detekt found five! Trojans, virus scanners with no findings so far. Detekt.Log part 2/3



Detekt.log part 2/3
Code:
2014-11-21 16:51:42,009 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE623, Value:

74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm
72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo
57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo
63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra
62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn
61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14.
74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL
6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t
6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW

2014-11-21 16:51:42,010 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE631, Value:

74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr
44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr
46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG
72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr
49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1
34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1
35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd
61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv
65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm
72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1
38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$
74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t
6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm
72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22
00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d .tmrUDP$tmr23.tm
72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 rWebHideBlackSha

2014-11-21 16:51:42,013 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE63E, Value:

74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 tmrDoWork$tmr11.
74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t
6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13.
74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t
6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t
6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval
55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr
4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17
00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t
6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh
6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar
61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid
24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm
72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23
00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack
53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection

2014-11-21 16:51:42,013 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE64E, Value:

74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t
6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13.
74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t
6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t
6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval
55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr
4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17
00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t
6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh
6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar
61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid
24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm
72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23
00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack
53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection
00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$

2014-11-21 16:51:42,016 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE65D, Value:

74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 tmrGrabber$tmr13
00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 .tmrInaktivitet$
74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 tmr14.tmrInfoTO$
74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 tmr15.tmrInterva
6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d lUpdate$tmr16.tm
72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 rLiveLogger$tmr1
37 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 7.tmrPersistant$
74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 tmr18.tmrScreens
68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 hot$tmr19.tmrSpa
72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 ra$tmr20.tmrSpri
64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 d$tmr21.tmrTCP$t
6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 mr22.tmrUDP$tmr2
33 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 3.tmrWebHideBlac
6b 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f kShades.detectio
6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 n.DarkComet.RAT.
24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 $bot1.#BOT#OpenU

2014-11-21 16:51:42,016 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE66E, Value:

74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t
6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t
6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval
55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr
4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17
00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t
6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh
6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar
61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid
24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm
72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23
00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack
53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection
00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$
62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 bot1.#BOT#OpenUr
6c 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 l$bot2.#BOT#Ping

2014-11-21 16:51:42,019 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE683, Value:

74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL
6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t
6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW
65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade
73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark
43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1.
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot
32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3
00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$

2014-11-21 16:51:42,019 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE693, Value:

74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL
6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t
6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW
65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade
73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark
43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1.
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot
32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3
00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$
62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni

2014-11-21 16:51:42,020 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6AB, Value:

74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm
72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 6e r17.tmrPersistan
74 24 74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 t$tmr18.tmrScree
6e 73 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 nshot$tmr19.tmrS
70 61 72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 para$tmr20.tmrSp
72 69 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 rid$tmr21.tmrTCP
24 74 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d $tmr22.tmrUDP$tm
72 32 33 00 74 6d 72 57 65 62 48 69 64 65 42 6c r23.tmrWebHideBl
61 63 6b 53 68 61 64 65 73 00 64 65 74 65 63 74 ackShades.detect
69 6f 6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 ion.DarkComet.RA
54 00 24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 T.$bot1.#BOT#Ope
6e 55 72 6c 24 62 6f 74 32 00 23 42 4f 54 23 50 nUrl$bot2.#BOT#P
69 6e 67 24 62 6f 74 33 00 23 42 4f 54 23 52 75 ing$bot3.#BOT#Ru
6e 50 72 6f 6d 70 74 24 62 6f 74 34 00 23 42 4f nPrompt$bot4.#BO
54 23 53 76 72 55 6e 69 6e 73 74 61 6c 6c 24 62 T#SvrUninstall$b
6f 74 35 00 23 42 4f 54 23 55 52 4c 44 6f 77 6e ot5.#BOT#URLDown

2014-11-21 16:51:42,023 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6BF, Value:

74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d tmrPersistant$tm
72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f r18.tmrScreensho
74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 t$tmr19.tmrSpara
24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 $tmr20.tmrSprid$
74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 tmr21.tmrTCP$tmr
32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 22.tmrUDP$tmr23.
74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS
68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection.
44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b
6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl
24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$
62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro
6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv
72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5.
23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload
24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp

2014-11-21 16:51:42,023 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6D3, Value:

74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t
6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW
65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade
73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark
43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1.
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot
32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3
00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$
62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni
6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT
23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot
36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate
24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit

2014-11-21 16:51:42,026 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6E7, Value:

74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 00 74 tmrSpara$tmr20.t
6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 6d mrSprid$tmr21.tm
72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 44 rTCP$tmr22.tmrUD
50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 69 P$tmr23.tmrWebHi
64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 65 deBlackShades.de
74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 tection.DarkCome
74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f 54 t.RAT.$bot1.#BOT
23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 42 #OpenUrl$bot2.#B
4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 4f OT#Ping$bot3.#BO
54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 34 T#RunPrompt$bot4
00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 .#BOT#SvrUninsta
6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c ll$bot5.#BOT#URL
44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 Download$bot6.#B
4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 OT#URLUpdate$bot
37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 7.#BOT#VisitUrl$
62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 bot8.#BOT#CloseS

2014-11-21 16:51:42,026 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6F6, Value:

74 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 tmrSprid$tmr21.t
6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 mrTCP$tmr22.tmrU
44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 DP$tmr23.tmrWebH
69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 ideBlackShades.d
65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d etection.DarkCom
65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f et.RAT.$bot1.#BO
54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 T#OpenUrl$bot2.#
42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 BOT#Ping$bot3.#B
4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 OT#RunPrompt$bot
34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 4.#BOT#SvrUninst
61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 all$bot5.#BOT#UR
4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 LDownload$bot6.#
42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f BOT#URLUpdate$bo
74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c t7.#BOT#VisitUrl
24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 $bot8.#BOT#Close
53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 4f Server$ddos1.DDO

2014-11-21 16:51:42,029 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE705, Value:

74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 tmrTCP$tmr22.tmr
55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 UDP$tmr23.tmrWeb
48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 HideBlackShades.
64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f detection.DarkCo
6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 met.RAT.$bot1.#B
4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 OT#OpenUrl$bot2.
23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.#
42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo
74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins
74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U
52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6.
23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b
6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr
6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos
65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD
4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos

2014-11-21 16:51:42,029 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE712, Value:

74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 tmrUDP$tmr23.tmr
57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 WebHideBlackShad
65 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 es.detection.Dar
6b 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 kComet.RAT.$bot1
00 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f .#BOT#OpenUrl$bo
74 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 t2.#BOT#Ping$bot
33 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 3.#BOT#RunPrompt
24 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e $bot4.#BOT#SvrUn
69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f install$bot5.#BO
54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f T#URLDownload$bo
74 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 t6.#BOT#URLUpdat
65 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 e$bot7.#BOT#Visi
74 55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 tUrl$bot8.#BOT#C
6c 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 loseServer$ddos1
00 44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 .DDOSHTTPFLOOD$d
64 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f dos2.DDOSSYNFLOO

2014-11-21 16:51:42,032 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE71F, Value:

74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS
68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection.
44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b
6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl
24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$
62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro
6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv
72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5.
23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload
24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp
64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V
69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO
54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd
6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO
44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF
4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU

2014-11-21 16:51:42,032 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE753, Value:

23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot
32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3
00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$
62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni
6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT
23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot
36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate
24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit
55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c Url$bot8.#BOT#Cl
6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 oseServer$ddos1.
44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd
6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD
24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL
4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A
63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo
67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2.

2014-11-21 16:51:42,035 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE765, Value:

23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.#
42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo
74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins
74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U
52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6.
23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b
6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr
6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos
65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD
4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos
32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d
64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO
44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act
69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg
65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un
41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl

2014-11-21 16:51:42,036 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE774, Value:

23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 #BOT#RunPrompt$b
6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e ot4.#BOT#SvrUnin
73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 stall$bot5.#BOT#
55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 URLDownload$bot6
00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 .#BOT#URLUpdate$
62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 bot7.#BOT#VisitU
72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f rl$bot8.#BOT#Clo
73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 seServer$ddos1.D
44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f DOSHTTPFLOOD$ddo
73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 s2.DDOSSYNFLOOD$
64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f ddos3.DDOSUDPFLO
4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 OD$keylogger1.Ac
74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog
67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 ger$keylogger2.U
6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 nActiveOnlineKey
6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger

2014-11-21 16:51:42,038 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE788, Value:

23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 6c #BOT#SvrUninstal
6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c 44 l$bot5.#BOT#URLD
6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 4f ownload$bot6.#BO
54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 37 T#URLUpdate$bot7
00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 .#BOT#VisitUrl$b
6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 ot8.#BOT#CloseSe
72 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 rver$ddos1.DDOSH
54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 TTPFLOOD$ddos2.D
44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 DOSSYNFLOOD$ddos
33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 3.DDOSUDPFLOOD$k
65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 eylogger1.Active
4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 OnlineKeylogger$
6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 keylogger2.UnAct
69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg
65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 er$keylogger3.Ac
74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo

2014-11-21 16:51:42,039 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE79F, Value:

23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload
24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp
64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V
69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO
54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd
6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO
44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF
4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU
44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 DPFLOOD$keylogge
72 31 00 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b r1.ActiveOnlineK
65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg
65 72 32 00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 er2.UnActiveOnli
6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl
6f 67 67 65 72 33 00 41 63 74 69 76 65 4f 66 66 ogger3.ActiveOff
6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke
79 6c 6f 67 67 65 72 34 00 55 6e 41 63 74 69 76 ylogger4.UnActiv

2014-11-21 16:51:42,039 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7B5, Value:

23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b
6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr
6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos
65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD
4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos
32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d
64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO
44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act
69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg
65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un
41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl
6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3
00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe
79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge
72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli
6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel

2014-11-21 16:51:42,042 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7C9, Value:

23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 6f #BOT#VisitUrl$bo
74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 t8.#BOT#CloseSer
76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 54 ver$ddos1.DDOSHT
54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 TPFLOOD$ddos2.DD
4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 OSSYNFLOOD$ddos3
00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 .DDOSUDPFLOOD$ke
79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f ylogger1.ActiveO
6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k
65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 eylogger2.UnActi
76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 veOnlineKeylogge
72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 r$keylogger3.Act
69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 iveOfflineKeylog
67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 ger$keylogger4.U
6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 nActiveOfflineKe
79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 ylogger$shell1.A
43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c CTIVEREMOTESHELL

2014-11-21 16:51:42,042 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7DC, Value:

23 42 4f 54 23 43 6c 6f 73 65 53 65 72 76 65 72 #BOT#CloseServer
24 64 64 6f 73 31 00 44 44 4f 53 48 54 54 50 46 $ddos1.DDOSHTTPF
4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 4f 53 53 LOOD$ddos2.DDOSS
59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 YNFLOOD$ddos3.DD
4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f OSUDPFLOOD$keylo
67 67 65 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 gger1.ActiveOnli
6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl
6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 65 4f ogger2.UnActiveO
6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k
65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 76 65 eylogger3.Active
4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 OfflineKeylogger
24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e 41 63 $keylogger4.UnAc
74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo
67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 54 49 gger$shell1.ACTI
56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 VEREMOTESHELL$sh
65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 45 53 ell2.SUBMREMOTES

2014-11-21 16:51:42,045 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7F3, Value:

44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd
6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD
24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL
4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A
63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo
67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2.
55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe
79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge
72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline
4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog
67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff
6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh
65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT
45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU
42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh
65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES

2014-11-21 16:51:42,046 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE807, Value:

44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f DDOSSYNFLOOD$ddo
73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 s3.DDOSUDPFLOOD$
6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 keylogger1.Activ
65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger
24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 $keylogger2.UnAc
74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog
67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 ger$keylogger3.A
63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c ctiveOfflineKeyl
6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 ogger$keylogger4
00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 .UnActiveOffline
4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 Keylogger$shell1
00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 .ACTIVEREMOTESHE
4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 LL$shell2.SUBMRE
4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 MOTESHELL$shell3
00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c .KILLREMOTESHELL
44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 DarkComet.detect

2014-11-21 16:51:42,048 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE81A, Value:

44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 DDOSUDPFLOOD$key
6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e logger1.ActiveOn
6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke
79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 ylogger2.UnActiv
65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger
24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 $keylogger3.Acti
76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 veOfflineKeylogg
65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e er$keylogger4.Un
41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey
6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC
54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$
73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT
45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI
4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar
6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection
00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str

2014-11-21 16:51:42,049 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE832, Value:

41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl
6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 ogger$keylogger2
00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b .UnActiveOnlineK
65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg
65 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e er3.ActiveOfflin
65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f eKeylogger$keylo
67 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 gger4.UnActiveOf
66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 flineKeylogger$s
68 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f hell1.ACTIVEREMO
54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 TESHELL$shell2.S
55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 UBMREMOTESHELL$s
68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 hell3.KILLREMOTE
53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 SHELLDarkComet.d
65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 etection.Xtreme.
52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 RAT.$string1.Xtr
65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 emeKeylogger$str

2014-11-21 16:51:42,049 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE855, Value:

41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl
6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3
00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe
79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge
72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli
6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel
6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 l1.ACTIVEREMOTES
48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d HELL$shell2.SUBM
52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c REMOTESHELL$shel
6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 l3.KILLREMOTESHE
4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 LLDarkComet.dete
63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 ction.Xtreme.RAT
00 24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 .$string1.Xtreme
4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 Keylogger$string
32 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 2.XtremeRAT$stri
6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 ng3.XTREMEUPDATE

2014-11-21 16:51:42,052 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE853, Value:

55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe
79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge
72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline
4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog
67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff
6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh
65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT
45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU
42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh
65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES
48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 HELLDarkComet.de
74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 tection.Xtreme.R
41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 65 AT.$string1.Xtre
6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 meKeylogger$stri
6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 73 74 ng2.XtremeRAT$st
72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 ring3.XTREMEUPDA

2014-11-21 16:51:42,052 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE876, Value:

41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey
6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger
34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 4.UnActiveOfflin
65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c eKeylogger$shell
31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 1.ACTIVEREMOTESH
45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 ELL$shell2.SUBMR
45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c EMOTESHELL$shell
33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 3.KILLREMOTESHEL
4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 LDarkComet.detec
74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 tion.Xtreme.RAT.
24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b $string1.XtremeK
65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 eylogger$string2
00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e .XtremeRAT$strin
67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 g3.XTREMEUPDATE$
73 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 string4.STUBXTRE
4d 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 MEINJECTED$unit1

2014-11-21 16:51:42,055 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE89A, Value:

41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey
6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC
54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$
73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT
45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI
4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar
6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection
00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str
69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 6c 6f ing1.XtremeKeylo
67 67 65 72 24 73 74 72 69 6e 67 32 00 58 74 72 gger$string2.Xtr
65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 00 58 emeRAT$string3.X
54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 69 TREMEUPDATE$stri
6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 4e ng4.STUBXTREMEIN
4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e 69 JECTED$unit1.Uni
74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 00 55 tConfigs$unit2.U
6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e 69 nitGetServer$uni

2014-11-21 16:51:42,055 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE898, Value:

55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b UnActiveOfflineK
65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 eylogger$shell1.
41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL
4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM
4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3.
4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD
61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti
6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s
74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey
6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X
74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3
00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st
72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME
49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U
6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2
00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u

2014-11-21 16:51:42,058 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8B8, Value:

41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL
4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM
4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3.
4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD
61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti
6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s
74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey
6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X
74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3
00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st
72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME
49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U
6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2
00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u
6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 nit3.UnitKeylogg
65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 er$unit4.UnitCry

2014-11-21 16:51:42,059 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8D1, Value:

53 55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 SUBMREMOTESHELL$
73 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 shell3.KILLREMOT
45 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 ESHELLDarkComet.
64 65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 detection.Xtreme
20 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 .RAT.$string1.Xt
72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 remeKeylogger$st
72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 ring2.XtremeRAT$
73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 string3.XTREMEUP
44 41 54 45 24 73 74 72 69 6e 67 34 00 53 54 55 DATE$string4.STU
42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 44 24 BXTREMEINJECTED$
75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 69 67 unit1.UnitConfig
73 24 75 6e 69 74 32 00 55 6e 69 74 47 65 74 53 s$unit2.UnitGetS
65 72 76 65 72 24 75 6e 69 74 33 00 55 6e 69 74 erver$unit3.Unit
4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 74 34 00 Keylogger$unit4.
55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 67 24 UnitCryptString$
75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 61 6c unit5.UnitInstal

2014-11-21 16:51:42,061 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8E8, Value:

4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD
61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti
6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s
74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey
6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X
74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3
00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st
72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME
49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U
6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2
00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u
6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 nit3.UnitKeylogg
65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 er$unit4.UnitCry
70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 ptString$unit5.U
6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 nitInstallServer
24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 $unit6.UnitInjec

2014-11-21 16:51:42,062 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE91F, Value:

58 74 72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 XtremeKeylogger$
73 74 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 string2.XtremeRA
54 24 73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 T$string3.XTREME
55 50 44 41 54 45 24 73 74 72 69 6e 67 34 00 53 UPDATE$string4.S
54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 TUBXTREMEINJECTE
44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 D$unit1.UnitConf
69 67 73 24 75 6e 69 74 32 00 55 6e 69 74 47 65 igs$unit2.UnitGe
74 53 65 72 76 65 72 24 75 6e 69 74 33 00 55 6e tServer$unit3.Un
69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 74 itKeylogger$unit
34 00 55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 4.UnitCryptStrin
67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 g$unit5.UnitInst
61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 36 00 allServer$unit6.
55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 UnitInjectServer
24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65 $unit7.UnitBinde
72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 r$unit8.UnitInje
63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 ctProcessXtreme.

2014-11-21 16:51:42,063 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE937, Value:

58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 XtremeRAT$string
33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 3.XTREMEUPDATE$s
74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d tring4.STUBXTREM
45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 EINJECTED$unit1.
55 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 UnitConfigs$unit
32 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 2.UnitGetServer$
75 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 unit3.UnitKeylog
67 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 ger$unit4.UnitCr
79 70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 yptString$unit5.
55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe
72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje
63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U
6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8.
55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces
73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio
6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R

2014-11-21 16:51:42,065 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE949, Value:

58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 XTREMEUPDATE$str
69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 ing4.STUBXTREMEI
4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e NJECTED$unit1.Un
69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 00 itConfigs$unit2.
55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e UnitGetServer$un
69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 65 it3.UnitKeylogge
72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 70 r$unit4.UnitCryp
74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 6e tString$unit5.Un
69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 24 itInstallServer$
75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 74 unit6.UnitInject
53 65 72 76 65 72 24 75 6e 69 74 37 00 55 6e 69 Server$unit7.Uni
74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 55 6e tBinder$unit8.Un
69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 73 58 itInjectProcessX
74 72 65 6d 65 00 64 65 74 65 63 74 69 6f 6e 00 treme.detection.
48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 43 53 Hacking.Team.RCS
20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 31 00 .Scout.$engine1.

2014-11-21 16:51:42,065 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE95E, Value:

53 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 STUBXTREMEINJECT
45 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e ED$unit1.UnitCon
66 69 67 73 24 75 6e 69 74 32 00 55 6e 69 74 47 figs$unit2.UnitG
65 74 53 65 72 76 65 72 24 75 6e 69 74 33 00 55 etServer$unit3.U
6e 69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 nitKeylogger$uni
74 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 69 t4.UnitCryptStri
6e 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 ng$unit5.UnitIns
74 61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 36 tallServer$unit6
00 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 .UnitInjectServe
72 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 r$unit7.UnitBind
65 72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a er$unit8.UnitInj
65 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 ectProcessXtreme
00 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 .detection.Hacki
6e 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f 75 ng.Team.RCS.Scou
74 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 6e t.$engine1.Engin
65 20 73 74 61 72 74 65 64 24 65 6e 67 69 6e 65 e.started$engine

2014-11-21 16:51:42,068 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE977, Value:

55 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 UnitConfigs$unit
32 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 2.UnitGetServer$
75 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 unit3.UnitKeylog
67 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 ger$unit4.UnitCr
79 70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 yptString$unit5.
55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe
72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje
63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U
6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8.
55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces
73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio
6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R
43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine
31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started
24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 $engine2.Running
20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e

2014-11-21 16:51:42,069 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE989, Value:

55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e UnitGetServer$un
69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 65 it3.UnitKeylogge
72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 70 r$unit4.UnitCryp
74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 6e tString$unit5.Un
69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 24 itInstallServer$
75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 74 unit6.UnitInject
53 65 72 76 65 72 24 75 6e 69 74 37 00 55 6e 69 Server$unit7.Uni
74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 55 6e tBinder$unit8.Un
69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 73 58 itInjectProcessX
74 72 65 6d 65 00 64 65 74 65 63 74 69 6f 6e 00 treme.detection.
48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 43 53 Hacking.Team.RCS
20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 31 00 .Scout.$engine1.
45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 24 65 Engine.started$e
6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 20 69 ngine2.Running.i
6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 6e 67 n.background$eng
69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 6f 6f ine3.Locking.doo

2014-11-21 16:51:42,071 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE99D, Value:

55 6e 69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e UnitKeylogger$un
69 74 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 it4.UnitCryptStr
69 6e 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e ing$unit5.UnitIn
73 74 61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 stallServer$unit
36 00 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 6.UnitInjectServ
65 72 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e er$unit7.UnitBin
64 65 72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e der$unit8.UnitIn
6a 65 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d jectProcessXtrem
65 00 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b e.detection.Hack
69 6e 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f ing.Team.RCS.Sco
75 74 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 ut.$engine1.Engi
6e 65 20 73 74 61 72 74 65 64 24 65 6e 67 69 6e ne.started$engin
65 32 00 52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 e2.Running.in.ba
63 6b 67 72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 ckground$engine3
00 4c 6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 .Locking.doors$e
6e 67 69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e ngine4.Rotors.en

2014-11-21 16:51:42,072 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9B1, Value:

55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 67 24 UnitCryptString$
75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 61 6c unit5.UnitInstal
6c 53 65 72 76 65 72 24 75 6e 69 74 36 00 55 6e lServer$unit6.Un
69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 24 75 itInjectServer$u
6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65 72 24 nit7.UnitBinder$
75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 63 74 unit8.UnitInject
50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 64 65 ProcessXtreme.de
74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e 67 20 tection.Hacking.
54 65 61 6d 20 52 43 53 20 53 63 6f 75 74 00 24 Team.RCS.Scout.$
65 6e 67 69 6e 65 31 00 45 6e 67 69 6e 65 20 73 engine1.Engine.s
74 61 72 74 65 64 24 65 6e 67 69 6e 65 32 00 52 tarted$engine2.R
75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b 67 72 unning.in.backgr
6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c 6f 63 ound$engine3.Loc
6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 69 6e king.doors$engin
65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 67 65 e4.Rotors.engage
64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 67 6f d$engine5.I'm.go

2014-11-21 16:51:42,073 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9C7, Value:

55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe
72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje
63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U
6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8.
55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces
73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio
6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R
43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine
31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started
24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 $engine2.Running
20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e
6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 ngine3.Locking.d
6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f 74 oors$engine4.Rot
6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 69 ors.engaged$engi
6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f ne5.I'm.going.to
20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 31 .start.it$start1

2014-11-21 16:51:42,075 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9DF, Value:

55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 UnitInjectServer
24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65 $unit7.UnitBinde
72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 r$unit8.UnitInje
63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 ctProcessXtreme.
64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e detection.Hackin
67 20 54 65 61 6d 20 52 43 53 20 53 63 6f 75 74 g.Team.RCS.Scout
00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 6e 65 .$engine1.Engine
20 73 74 61 72 74 65 64 24 65 6e 67 69 6e 65 32 .started$engine2
00 52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b .Running.in.back
67 72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c ground$engine3.L
6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 ocking.doors$eng
69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 ine4.Rotors.enga
67 65 64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 ged$engine5.I'm.
67 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 69 going.to.start.i
74 24 73 74 61 72 74 31 00 53 74 61 72 74 69 6e t$start1.Startin
67 20 75 70 67 72 61 64 65 21 24 73 74 61 72 74 g.upgrade!$start

2014-11-21 16:51:42,075 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9F6, Value:

55 6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 UnitBinder$unit8
00 55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 .UnitInjectProce
73 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 ssXtreme.detecti
6f 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 on.Hacking.Team.
52 43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e RCS.Scout.$engin
65 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 e1.Engine.starte
64 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e d$engine2.Runnin
67 20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 g.in.background$
65 6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 engine3.Locking.
64 6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f doors$engine4.Ro
74 6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 tors.engaged$eng
69 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 ine5.I'm.going.t
6f 20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 o.start.it$start
31 00 53 74 61 72 74 69 6e 67 20 75 70 67 72 61 1.Starting.upgra
64 65 21 24 73 74 61 72 74 32 00 49 27 6d 20 67 de!$start2.I'm.g
6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 74 68 oing.to.start.th

2014-11-21 16:51:42,078 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CEA07, Value:

2014-11-21 16:51:42,078 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA49, Value:

2014-11-21 16:51:42,081 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA60, Value:

2014-11-21 16:51:42,082 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA7E, Value:

2014-11-21 16:51:42,084 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA94, Value:

2014-11-21 16:51:42,085 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAAB, Value:

2014-11-21 16:51:42,085 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAC8, Value:

2014-11-21 16:51:42,088 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAE1, Value:

2014-11-21 16:51:42,088 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB07, Value:

2014-11-21 16:51:42,091 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB18, Value:

2014-11-21 16:51:42,092 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB38, Value:

2014-11-21 16:51:42,094 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB44, Value:

2014-11-21 16:51:42,095 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC3F, Value:

2014-11-21 16:51:42,096 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC5C, Value:

2014-11-21 16:51:42,098 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC7E, Value:

2014-11-21 16:51:42,099 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC95, Value:

2014-11-21 16:51:42,101 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECB2, Value:

2014-11-21 16:51:42,101 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECD1, Value:

2014-11-21 16:51:42,104 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECEB, Value:

2014-11-21 16:51:42,105 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CED3F, Value:


Alt 22.11.2014, 14:08   #8
derdingens
 
Detekt found five! Trojans, virus scanner so far without findings. What to do? - Standard

What to do? Detekt found five! Trojans, virus scanner so far without findings. Detekt.Log part 3/3



Detekt.log 3/3

Code:
2014-11-21 16:51:42,107 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CED5C, Value:

2014-11-21 16:51:42,108 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEDB8, Value:

2014-11-21 16:51:42,108 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEDD9, Value:

2014-11-21 16:51:42,111 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE0A, Value:

2014-11-21 16:51:42,111 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE2B, Value:

2014-11-21 16:51:42,114 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE49, Value:

2014-11-21 16:51:42,115 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE68, Value:

2014-11-21 16:51:42,117 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEEB6, Value:

2014-11-21 16:51:42,118 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEED6, Value:

4f 52 49 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f ORIGIN.URL,ACTIO
4e 20 55 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 N.URL,USERNAME.F
49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI
45 4c 44 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 ELD,USERNAME,PAS
53 57 4f 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 SWORD,TIMESTAMP$
70 61 73 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d password11./scom
6d 61 20 6f 66 66 69 63 65 32 30 30 37 2e 63 61 ma.office2007.ca
62 24 70 61 73 73 77 6f 72 64 31 32 00 55 52 4c b$password12.URL
2c 50 41 53 53 57 4f 52 44 20 54 59 50 45 2c 55 ,PASSWORD.TYPE,U
53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD
2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 2c ,USERNAME.FIELD,
50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 24 70 PASSWORD.FIELD$p
61 73 73 77 6f 72 64 31 33 00 2f 73 63 6f 6d 6d assword13./scomm
61 20 6f 75 74 6c 6f 6f 6b 32 30 30 37 2e 64 6c a.outlook2007.dl
6c 24 70 61 73 73 77 6f 72 64 31 34 00 46 49 4c l$password14.FIL
45 4e 41 4d 45 2c 45 4e 43 52 59 50 54 49 4f 4e ENAME,ENCRYPTION

2014-11-21 16:51:42,119 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEF31, Value:

2f 73 63 6f 6d 6d 61 20 6f 66 66 69 63 65 32 30 /scomma.office20
30 37 2e 63 61 62 24 70 61 73 73 77 6f 72 64 31 07.cab$password1
32 00 55 52 4c 2c 50 41 53 53 57 4f 52 44 20 54 2.URL,PASSWORD.T
59 50 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 YPE,USERNAME,PAS
53 57 4f 52 44 2c 55 53 45 52 4e 41 4d 45 20 46 SWORD,USERNAME.F
49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI
45 4c 44 24 70 61 73 73 77 6f 72 64 31 33 00 2f ELD$password13./
73 63 6f 6d 6d 61 20 6f 75 74 6c 6f 6f 6b 32 30 scomma.outlook20
30 37 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 31 07.dll$password1
34 00 46 49 4c 45 4e 41 4d 45 2c 45 4e 43 52 59 4.FILENAME,ENCRY
50 54 49 4f 4e 2c 56 45 52 53 49 4f 4e 2c 43 52 PTION,VERSION,CR
43 2c 50 41 53 53 57 4f 52 44 20 31 2c 50 41 53 C,PASSWORD.1,PAS
53 57 4f 52 44 20 32 2c 50 41 53 53 57 4f 52 f1 SWORD.2,PASSWOR.
8d 37 5f 6d 76 60 00 43 0e 01 00 00 00 00 00 00 .7_mv`.C........
00 00 00 00 30 68 07 0d 80 65 07 00 00 00 00 0c ....0h...e......
10 65 07 45 71 0e 0a 07 37 07 41 0e 9f 0e 91 0e .e.Eq...7.A.....

2014-11-21 16:51:42,121 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEF53, Value:

55 52 4c 2c 50 41 53 53 57 4f 52 44 20 54 59 50 URL,PASSWORD.TYP
45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 E,USERNAME,PASSW
4f 52 44 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 ORD,USERNAME.FIE
4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c LD,PASSWORD.FIEL
44 24 70 61 73 73 77 6f 72 64 31 33 00 2f 73 63 D$password13./sc
6f 6d 6d 61 20 6f 75 74 6c 6f 6f 6b 32 30 30 37 omma.outlook2007
2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 31 34 00 .dll$password14.
46 49 4c 45 4e 41 4d 45 2c 45 4e 43 52 59 50 54 FILENAME,ENCRYPT
49 4f 4e 2c 56 45 52 53 49 4f 4e 2c 43 52 43 2c ION,VERSION,CRC,
50 41 53 53 57 4f 52 44 20 31 2c 50 41 53 53 57 PASSWORD.1,PASSW
4f 52 44 20 32 2c 50 41 53 53 57 4f 52 f1 8d 37 ORD.2,PASSWOR..7
5f 6d 76 60 00 43 0e 01 00 00 00 00 00 00 00 00 _mv`.C..........
00 00 30 68 07 0d 80 65 07 00 00 00 00 0c 10 65 ..0h...e.......e
07 45 71 0e 0a 07 37 07 41 0e 9f 0e 91 0e 21 0e .Eq...7.A.....!.
8a 0e 91 07 41 0e 2c 0e 0a 0e 48 0e 7c 0e 2c 0e ....A.,...H.|.,.
8a 07 41 0e 1a 0e 7c 0e 0a 0e 9f 0e 51 0e 21 0e ..A...|.....Q.!.

2014-11-21 16:51:42,121 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEFA0, Value:

2f 73 63 6f 6d 6d 61 20 6f 75 74 6c 6f 6f 6b 32 /scomma.outlook2
30 30 37 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 007.dll$password
31 34 00 46 49 4c 45 4e 41 4d 45 2c 45 4e 43 52 14.FILENAME,ENCR
59 50 54 49 4f 4e 2c 56 45 52 53 49 4f 4e 2c 43 YPTION,VERSION,C
52 43 2c 50 41 53 53 57 4f 52 44 20 31 2c 50 41 RC,PASSWORD.1,PA
53 53 57 4f 52 44 20 32 2c 50 41 53 53 57 4f 52 SSWORD.2,PASSWOR
f1 8d 37 5f 6d 76 60 00 43 0e 01 00 00 00 00 00 ..7_mv`.C.......
00 00 00 00 00 30 68 07 0d 80 65 07 00 00 00 00 .....0h...e.....
0c 10 65 07 45 71 0e 0a 07 37 07 41 0e 9f 0e 91 ..e.Eq...7.A....
0e 21 0e 8a 0e 91 07 41 0e 2c 0e 0a 0e 48 0e 7c .!.....A.,...H.|
0e 2c 0e 8a 07 41 0e 1a 0e 7c 0e 0a 0e 9f 0e 51 .,...A...|.....Q
0e 21 0e 70 0e 99 0e 91 07 41 0e 91 0e 9f 0e 7e .!.p.....A.....~
0e 21 0e 8a 0e a2 0e 32 0e 91 0e 32 0e 7c 0e 70 .!.....2...2.|.p
0e 0a 0e 02 0e 51 07 41 0e 32 0e 51 0e 02 0e 25 .....Q.A.2.Q...%
0e 21 0e 91 07 41 0d 19 0d 1a 0d 17 0d 21 0d 1a .!...A.......!..
0d 21 07 44 0d 19 0d 1b 07 41 0e 91 0e a2 07 44 .!.D.....A.....D

2014-11-21 17:01:39,334 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x475ABE, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.

2014-11-21 17:01:39,335 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x476382, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.

2014-11-21 17:01:39,336 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47748E, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 0d 00 0a 00 32 00 34 00 n.U.r.l.....2.4.
20 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 4...3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 24 00 62 00 6.7...2.4...$.b.
6f 00 74 00 32 00 2e 00 23 00 42 00 4f 00 54 00 o.t.2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 0d 00 0a 00 #.P.i.n.g.$.....
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 33 00 20 00 30 00 30 00 20 00 32 00 ..3.3...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...

2014-11-21 17:01:39,338 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477D4A, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.

2014-11-21 17:01:39,339 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A05C, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 0d 00 n.U.r.l.$.b.o...
0a 00 37 00 34 00 20 00 33 00 32 00 20 00 30 00 ..7.4...3.2...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.
20 00 35 00 30 00 20 00 36 00 39 00 20 00 36 00 ..5.0...6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 34 00 20 00 e...6.7...2.4...
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 74 00 32 00 2e 00 23 00 42 00 4f 00 54 00 ..t.2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 0d 00 0a 00 33 00 33 00 20 00 30 00 30 00 t.....3.3...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 32 00 20 00 37 00 35 00 20 00 36 00 65 00 5.2...7.5...6.e.
20 00 35 00 30 00 20 00 37 00 32 00 20 00 36 00 ..5.0...7.2...6.
66 00 20 00 36 00 64 00 20 00 37 00 30 00 20 00 f...6.d...7.0...

2014-11-21 17:01:39,341 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A926, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 0d 00 0a 00 32 00 34 00 n.U.r.l.....2.4.
20 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 4...3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 24 00 62 00 6.7...2.4...$.b.
6f 00 74 00 32 00 2e 00 23 00 42 00 4f 00 54 00 o.t.2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 0d 00 0a 00 #.P.i.n.g.$.....
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 33 00 20 00 30 00 30 00 20 00 32 00 ..3.3...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...

2014-11-21 17:01:39,342 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B0D6, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.

2014-11-21 17:01:39,344 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47528C, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 g.........2.0.1.
34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1...
31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2.
2c 00 30 00 31 00 39 00 20 00 2d 00 20 00 64 00 ,.0.1.9...-...d.
65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r...
2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N.
47 00 20 00 2d 00 20 00 50 00 72 00 6f 00 63 00 G...-...P.r.o.c.
65 00 73 00 73 00 20 00 43 00 43 00 43 00 2e 00 e.s.s...C.C.C...
65 00 78 00 65 00 20 00 28 00 70 00 69 00 64 00 e.x.e...(.p.i.d.
3a 00 20 00 37 00 36 00 32 00 34 00 29 00 20 00 :...7.6.2.4.)...
6d 00 61 00 74 00 63 00 68 00 65 00 64 00 3a 00 m.a.t.c.h.e.d.:.
20 00 42 00 6c 00 61 00 63 00 6b 00 53 00 68 00 ..B.l.a.c.k.S.h.
61 00 64 00 65 00 73 00 20 00 61 00 74 00 20 00 a.d.e.s...a.t...
61 00 64 00 64 00 72 00 65 00 73 00 73 00 3a 00 a.d.d.r.e.s.s.:.
20 00 30 00 78 00 35 00 34 00 32 00 43 00 45 00 ..0.x.5.4.2.C.E.

2014-11-21 17:01:39,345 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x475B46, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3.....
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7.
30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4...
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4.
2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1.
36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,.
30 00 31 00 39 00 20 00 2d 00 20 00 64 00 65 00 0.1.9...-...d.e.
74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-.
20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G.

2014-11-21 17:01:39,346 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47640A, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3.....
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7.
30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4...
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
0d 00 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 ....6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 37 00 32 00 5.3...7.6...7.2.
20 00 35 00 35 00 20 00 36 00 65 00 20 00 36 00 ..5.5...6.e...6.

2014-11-21 17:01:39,348 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477516, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 0d 00 0a 00 36 00 32 00 20 00 36 00 g.$.....6.2...6.
66 00 20 00 37 00 34 00 20 00 33 00 33 00 20 00 f...7.4...3.3...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 62 00 6f 00 74 00 33 00 ..6.f...b.o.t.3.
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 0d 00 0a 00 36 00 64 00 n.P.r.o.....6.d.
20 00 37 00 30 00 20 00 37 00 34 00 20 00 32 00 ..7.0...7.4...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 6d 00 70 00 5.3...7.6...m.p.

2014-11-21 17:01:39,351 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477DD2, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3.....
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7.
30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4...
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
0d 00 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 ....6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 37 00 32 00 5.3...7.6...7.2.
20 00 35 00 35 00 20 00 36 00 65 00 20 00 36 00 ..5.5...6.e...6.

2014-11-21 17:01:39,351 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47981A, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 2e 00 23 00 g.$.b.o.t.3...#.
0d 00 0a 00 34 00 32 00 20 00 34 00 66 00 20 00 ....4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.
20 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6.
66 00 20 00 42 00 4f 00 54 00 23 00 52 00 75 00 f...B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
62 00 6f 00 0d 00 0a 00 37 00 34 00 20 00 33 00 b.o.....7.4...3.
34 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 4...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 35 00 33 00 20 00 37 00 ..2.3...5.3...7.
36 00 20 00 37 00 32 00 20 00 35 00 35 00 20 00 6...7.2...5.5...
36 00 65 00 20 00 36 00 39 00 20 00 36 00 65 00 6.e...6.9...6.e.

2014-11-21 17:01:39,354 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A0E4, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 0d 00 0a 00 33 00 g.$.b.o.t.....3.
33 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 3...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 35 00 32 00 20 00 37 00 ..2.3...5.2...7.
35 00 20 00 36 00 65 00 20 00 35 00 30 00 20 00 5...6.e...5.0...
37 00 32 00 20 00 36 00 66 00 20 00 36 00 64 00 7.2...6.f...6.d.
20 00 37 00 30 00 20 00 37 00 34 00 20 00 33 00 ..7.0...7.4...3.
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 0d 00 n.P.r.o.m.p.t...
0a 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6.
66 00 20 00 37 00 34 00 20 00 33 00 34 00 20 00 f...7.4...3.4...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 33 00 20 00 37 00 36 00 20 00 3...5.3...7.6...
37 00 32 00 20 00 35 00 35 00 20 00 36 00 65 00 7.2...5.5...6.e.

2014-11-21 17:01:39,355 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A9AE, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 0d 00 0a 00 36 00 32 00 20 00 36 00 g.$.....6.2...6.
66 00 20 00 37 00 34 00 20 00 33 00 33 00 20 00 f...7.4...3.3...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 62 00 6f 00 74 00 33 00 ..6.f...b.o.t.3.
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 0d 00 0a 00 36 00 64 00 n.P.r.o.....6.d.
20 00 37 00 30 00 20 00 37 00 34 00 20 00 32 00 ..7.0...7.4...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 6d 00 70 00 5.3...7.6...m.p.

2014-11-21 17:01:39,357 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B15E, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3.....
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7.
30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4...
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
0d 00 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 ....6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 37 00 32 00 5.3...7.6...7.2.
20 00 35 00 35 00 20 00 36 00 65 00 20 00 36 00 ..5.5...6.e...6.

2014-11-21 17:01:39,358 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47BA1A, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 2e 00 23 00 g.$.b.o.t.3...#.
0d 00 0a 00 34 00 32 00 20 00 34 00 66 00 20 00 ....4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.
20 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6.
66 00 20 00 42 00 4f 00 54 00 23 00 52 00 75 00 f...B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
62 00 6f 00 0d 00 0a 00 37 00 34 00 20 00 33 00 b.o.....7.4...3.
34 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 4...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 35 00 33 00 20 00 37 00 ..2.3...5.3...7.
36 00 20 00 37 00 32 00 20 00 35 00 35 00 20 00 6...7.2...5.5...
36 00 65 00 20 00 36 00 39 00 20 00 36 00 65 00 6.e...6.9...6.e.

2014-11-21 17:01:39,358 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x475BC8, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$...
0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 ......2.0.1.4.-.
31 00 31 00 2d 00 32 00 31 00 20 00 31 00 36 00 1.1.-.2.1...1.6.
3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 :.5.1.:.4.2.,.0.
31 00 39 00 20 00 2d 00 20 00 64 00 65 00 74 00 1.9...-...d.e.t.
65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 e.c.t.o.r...-...
57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 W.A.R.N.I.N.G...
2d 00 20 00 50 00 72 00 6f 00 63 00 65 00 73 00 -...P.r.o.c.e.s.
73 00 20 00 43 00 43 00 43 00 2e 00 65 00 78 00 s...C.C.C...e.x.
65 00 20 00 28 00 70 00 69 00 64 00 3a 00 20 00 e...(.p.i.d.:...
37 00 36 00 32 00 34 00 29 00 20 00 6d 00 61 00 7.6.2.4.)...m.a.
74 00 63 00 68 00 65 00 64 00 3a 00 20 00 42 00 t.c.h.e.d.:...B.
6c 00 61 00 63 00 6b 00 53 00 68 00 61 00 64 00 l.a.c.k.S.h.a.d.
65 00 73 00 20 00 61 00 74 00 20 00 61 00 64 00 e.s...a.t...a.d.
64 00 72 00 65 00 73 00 73 00 3a 00 20 00 30 00 d.r.e.s.s.:...0.

2014-11-21 17:01:39,361 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47648C, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$...
0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
33 00 20 00 37 00 36 00 20 00 37 00 32 00 20 00 3...7.6...7.2...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00 ..b.o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
69 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 i.........2.0.1.
34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1...
31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2.
2c 00 30 00 32 00 30 00 20 00 2d 00 20 00 64 00 ,.0.2.0...-...d.
65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r...
2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N.

2014-11-21 17:01:39,361 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477E54, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$...
0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
33 00 20 00 37 00 36 00 20 00 37 00 32 00 20 00 3...7.6...7.2...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00 ..b.o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
69 00 0d 00 0a 00 36 00 65 00 20 00 37 00 33 00 i.....6.e...7.3.
20 00 37 00 34 00 20 00 36 00 31 00 20 00 36 00 ..7.4...6.1...6.
63 00 20 00 36 00 63 00 20 00 32 00 34 00 20 00 c...6.c...2.4...
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 35 00 20 00 30 00 30 00 20 00 32 00 ..3.5...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...

2014-11-21 17:01:39,364 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A166, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 0d 00 0a 00 P.r.o.m.p.t.....
32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f.
20 00 37 00 34 00 20 00 33 00 34 00 20 00 30 00 ..7.4...3.4...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.
20 00 35 00 33 00 20 00 37 00 36 00 20 00 37 00 ..5.3...7.6...7.
32 00 20 00 35 00 35 00 20 00 36 00 65 00 20 00 2...5.5...6.e...
24 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00 $.b.o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
0d 00 0a 00 36 00 39 00 20 00 36 00 65 00 20 00 ....6.9...6.e...
37 00 33 00 20 00 37 00 34 00 20 00 36 00 31 00 7.3...7.4...6.1.
20 00 36 00 63 00 20 00 36 00 63 00 20 00 32 00 ..6.c...6.c...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 35 00 20 00 30 00 30 00 7.4...3.5...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.

2014-11-21 17:01:39,365 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B1E0, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$...
0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
33 00 20 00 37 00 36 00 20 00 37 00 32 00 20 00 3...7.6...7.2...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00 ..b.o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
69 00 0d 00 0a 00 36 00 65 00 20 00 37 00 33 00 i.....6.e...7.3.
20 00 37 00 34 00 20 00 36 00 31 00 20 00 36 00 ..7.4...6.1...6.
63 00 20 00 36 00 63 00 20 00 32 00 34 00 20 00 c...6.c...2.4...
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 35 00 20 00 30 00 30 00 20 00 32 00 ..3.5...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...

2014-11-21 17:01:39,365 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47C35E, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 62 00 P.r.o.m.p.t.$.b.
0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4...
33 00 34 00 20 00 30 00 30 00 20 00 32 00 33 00 3.4...0.0...2.3.
20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5.
34 00 20 00 32 00 33 00 20 00 35 00 33 00 20 00 4...2.3...5.3...
37 00 36 00 20 00 37 00 32 00 20 00 35 00 35 00 7.6...7.2...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6.
65 00 20 00 6f 00 74 00 34 00 2e 00 23 00 42 00 e...o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
69 00 6e 00 0d 00 0a 00 37 00 33 00 20 00 37 00 i.n.....7.3...7.
34 00 20 00 36 00 31 00 20 00 36 00 63 00 20 00 4...6.1...6.c...
36 00 63 00 20 00 32 00 34 00 20 00 36 00 32 00 6.c...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
35 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 5...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.

2014-11-21 17:01:39,368 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47771A, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 D.o.w.n.l.o.a.d.
0d 00 0a 00 32 00 34 00 20 00 36 00 32 00 20 00 ....2.4...6.2...
36 00 66 00 20 00 37 00 34 00 20 00 33 00 36 00 6.f...7.4...3.6.
20 00 30 00 30 00 20 00 32 00 33 00 20 00 34 00 ..0.0...2.3...4.
32 00 20 00 34 00 66 00 20 00 35 00 34 00 20 00 2...4.f...5.4...
32 00 33 00 20 00 35 00 35 00 20 00 35 00 32 00 2.3...5.5...5.2.
20 00 34 00 63 00 20 00 35 00 35 00 20 00 37 00 ..4.c...5.5...7.
30 00 20 00 24 00 62 00 6f 00 74 00 36 00 2e 00 0...$.b.o.t.6...
23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 U.p.........2.0.
31 00 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 1.4.-.1.1.-.2.1.
20 00 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 ..1.6.:.5.1.:.4.
32 00 2c 00 30 00 32 00 33 00 20 00 2d 00 20 00 2.,.0.2.3...-...
64 00 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 d.e.t.e.c.t.o.r.
20 00 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 ..-...W.A.R.N.I.

2014-11-21 17:01:39,368 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47ABB2, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 D.o.w.n.l.o.a.d.
0d 00 0a 00 32 00 34 00 20 00 36 00 32 00 20 00 ....2.4...6.2...
36 00 66 00 20 00 37 00 34 00 20 00 33 00 36 00 6.f...7.4...3.6.
20 00 30 00 30 00 20 00 32 00 33 00 20 00 34 00 ..0.0...2.3...4.
32 00 20 00 34 00 66 00 20 00 35 00 34 00 20 00 2...4.f...5.4...
32 00 33 00 20 00 35 00 35 00 20 00 35 00 32 00 2.3...5.5...5.2.
20 00 34 00 63 00 20 00 35 00 35 00 20 00 37 00 ..4.c...5.5...7.
30 00 20 00 24 00 62 00 6f 00 74 00 36 00 2e 00 0...$.b.o.t.6...
23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 0d 00 0a 00 36 00 34 00 20 00 36 00 U.p.....6.4...6.
31 00 20 00 37 00 34 00 20 00 36 00 35 00 20 00 1...7.4...6.5...
32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f.
20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.

2014-11-21 17:01:39,371 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47D5E6, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 D.o.w.n.l.o.a.d.
0d 00 0a 00 32 00 34 00 20 00 36 00 32 00 20 00 ....2.4...6.2...
36 00 66 00 20 00 37 00 34 00 20 00 33 00 36 00 6.f...7.4...3.6.
20 00 30 00 30 00 20 00 32 00 33 00 20 00 34 00 ..0.0...2.3...4.
32 00 20 00 34 00 66 00 20 00 35 00 34 00 20 00 2...4.f...5.4...
32 00 33 00 20 00 35 00 35 00 20 00 35 00 32 00 2.3...5.5...5.2.
20 00 34 00 63 00 20 00 35 00 35 00 20 00 37 00 ..4.c...5.5...7.
30 00 20 00 24 00 62 00 6f 00 74 00 36 00 2e 00 0...$.b.o.t.6...
23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 0d 00 0a 00 36 00 34 00 20 00 36 00 U.p.....6.4...6.
31 00 20 00 37 00 34 00 20 00 36 00 35 00 20 00 1...7.4...6.5...
32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f.
20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.

2014-11-21 17:01:39,372 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x478066, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 0d 00 0a 00 U.p.d.a.t.e.....
32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f.
20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.
20 00 35 00 36 00 20 00 36 00 39 00 20 00 37 00 ..5.6...6.9...7.
33 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 3...6.9...7.4...
24 00 62 00 6f 00 74 00 37 00 2e 00 23 00 42 00 $.b.o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4.
2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1.
36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,.
30 00 32 00 36 00 20 00 2d 00 20 00 64 00 65 00 0.2.6...-...d.e.
74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-.
20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G.

2014-11-21 17:01:39,374 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x479AAE, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 24 00 62 00 U.p.d.a.t.e.$.b.
0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4...
33 00 37 00 20 00 30 00 30 00 20 00 32 00 33 00 3.7...0.0...2.3.
20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5.
34 00 20 00 32 00 33 00 20 00 35 00 36 00 20 00 4...2.3...5.6...
36 00 39 00 20 00 37 00 33 00 20 00 36 00 39 00 6.9...7.3...6.9.
20 00 37 00 34 00 20 00 35 00 35 00 20 00 37 00 ..7.4...5.5...7.
32 00 20 00 6f 00 74 00 37 00 2e 00 23 00 42 00 2...o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
55 00 72 00 0d 00 0a 00 36 00 63 00 20 00 32 00 U.r.....6.c...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f.

2014-11-21 17:01:39,375 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B3F2, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 0d 00 0a 00 U.p.d.a.t.e.....
32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f.
20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.
20 00 35 00 36 00 20 00 36 00 39 00 20 00 37 00 ..5.6...6.9...7.
33 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 3...6.9...7.4...
24 00 62 00 6f 00 74 00 37 00 2e 00 23 00 42 00 $.b.o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
0d 00 0a 00 35 00 35 00 20 00 37 00 32 00 20 00 ....5.5...7.2...
36 00 63 00 20 00 32 00 34 00 20 00 36 00 32 00 6.c...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
38 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 8...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 34 00 33 00 20 00 36 00 ..2.3...4.3...6.

2014-11-21 17:01:39,377 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47BCAE, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 24 00 62 00 U.p.d.a.t.e.$.b.
0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4...
33 00 37 00 20 00 30 00 30 00 20 00 32 00 33 00 3.7...0.0...2.3.
20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5.
34 00 20 00 32 00 33 00 20 00 35 00 36 00 20 00 4...2.3...5.6...
36 00 39 00 20 00 37 00 33 00 20 00 36 00 39 00 6.9...7.3...6.9.
20 00 37 00 34 00 20 00 35 00 35 00 20 00 37 00 ..7.4...5.5...7.
32 00 20 00 6f 00 74 00 37 00 2e 00 23 00 42 00 2...o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
55 00 72 00 0d 00 0a 00 36 00 63 00 20 00 32 00 U.r.....6.c...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f.

2014-11-21 17:01:39,378 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47C570, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 24 00 0d 00 U.p.d.a.t.e.$...
0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 37 00 20 00 30 00 30 00 20 00 4...3.7...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
36 00 20 00 36 00 39 00 20 00 37 00 33 00 20 00 6...6.9...7.3...
36 00 39 00 20 00 37 00 34 00 20 00 35 00 35 00 6.9...7.4...5.5.
20 00 62 00 6f 00 74 00 37 00 2e 00 23 00 42 00 ..b.o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
55 00 0d 00 0a 00 37 00 32 00 20 00 36 00 63 00 U.....7.2...6.c.
20 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6.
66 00 20 00 37 00 34 00 20 00 33 00 38 00 20 00 f...7.4...3.8...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 34 00 33 00 20 00 36 00 63 00 20 00 3...4.3...6.c...

2014-11-21 17:01:39,380 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47DF2A, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 24 00 62 00 U.p.d.a.t.e.$.b.
0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4...
33 00 37 00 20 00 30 00 30 00 20 00 32 00 33 00 3.7...0.0...2.3.
20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5.
34 00 20 00 32 00 33 00 20 00 35 00 36 00 20 00 4...2.3...5.6...
36 00 39 00 20 00 37 00 33 00 20 00 36 00 39 00 6.9...7.3...6.9.
20 00 37 00 34 00 20 00 35 00 35 00 20 00 37 00 ..7.4...5.5...7.
32 00 20 00 6f 00 74 00 37 00 2e 00 23 00 42 00 2...o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
55 00 72 00 0d 00 0a 00 36 00 63 00 20 00 32 00 U.r.....6.c...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f.

2014-11-21 17:01:39,381 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4789AE, Value:

23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s.
69 00 74 00 55 00 72 00 6c 00 24 00 0d 00 0a 00 i.t.U.r.l.$.....
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 38 00 20 00 30 00 30 00 20 00 32 00 ..3.8...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 34 00 33 00 5.4...2.3...4.3.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 37 00 ..6.c...6.f...7.
33 00 20 00 36 00 35 00 20 00 35 00 33 00 20 00 3...6.5...5.3...
62 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 b.o.t.8...#.B.O.
54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S.
0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4.
2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1.
36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,.
30 00 32 00 36 00 20 00 2d 00 20 00 64 00 65 00 0.2.6...-...d.e.
74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-.
20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G.

2014-11-21 17:01:39,382 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x479274, Value:

23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s.
69 00 74 00 55 00 72 00 6c 00 0d 00 0a 00 32 00 i.t.U.r.l.....2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f.
20 00 37 00 33 00 20 00 36 00 35 00 20 00 24 00 ..7.3...6.5...$.
62 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 b.o.t.8...#.B.O.
54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 0d 00 T.#.C.l.o.s.e...
0a 00 35 00 33 00 20 00 36 00 35 00 20 00 37 00 ..5.3...6.5...7.
32 00 20 00 37 00 36 00 20 00 36 00 35 00 20 00 2...7.6...6.5...
37 00 32 00 20 00 32 00 34 00 20 00 36 00 34 00 7.2...2.4...6.4.
20 00 36 00 34 00 20 00 36 00 66 00 20 00 37 00 ..6.4...6.f...7.
33 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 3...3.1...0.0...
34 00 34 00 20 00 34 00 34 00 20 00 34 00 66 00 4.4...4.4...4.f.

2014-11-21 17:01:39,384 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47CEB4, Value:

23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s.
69 00 74 00 55 00 72 00 6c 00 24 00 62 00 0d 00 i.t.U.r.l.$.b...
0a 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
38 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 8...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 34 00 33 00 20 00 36 00 ..2.3...4.3...6.
63 00 20 00 36 00 66 00 20 00 37 00 33 00 20 00 c...6.f...7.3...
36 00 35 00 20 00 35 00 33 00 20 00 36 00 35 00 6.5...5.3...6.5.
20 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 ..o.t.8...#.B.O.
54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S.
65 00 0d 00 0a 00 37 00 32 00 20 00 37 00 36 00 e.....7.2...7.6.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2.
34 00 20 00 36 00 34 00 20 00 36 00 34 00 20 00 4...6.4...6.4...
36 00 66 00 20 00 37 00 33 00 20 00 33 00 31 00 6.f...7.3...3.1.
20 00 30 00 30 00 20 00 34 00 34 00 20 00 34 00 ..0.0...4.4...4.
34 00 20 00 34 00 66 00 20 00 35 00 33 00 20 00 4...4.f...5.3...

2014-11-21 17:01:39,385 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47E86E, Value:

23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s.
69 00 74 00 55 00 72 00 6c 00 24 00 62 00 6f 00 i.t.U.r.l.$.b.o.
0d 00 0a 00 37 00 34 00 20 00 33 00 38 00 20 00 ....7.4...3.8...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 34 00 33 00 20 00 36 00 63 00 20 00 3...4.3...6.c...
36 00 66 00 20 00 37 00 33 00 20 00 36 00 35 00 6.f...7.3...6.5.
20 00 35 00 33 00 20 00 36 00 35 00 20 00 37 00 ..5.3...6.5...7.
32 00 20 00 74 00 38 00 2e 00 23 00 42 00 4f 00 2...t.8...#.B.O.
54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S.
65 00 72 00 0d 00 0a 00 37 00 36 00 20 00 36 00 e.r.....7.6...6.
35 00 20 00 37 00 32 00 20 00 32 00 34 00 20 00 5...7.2...2.4...
36 00 34 00 20 00 36 00 34 00 20 00 36 00 66 00 6.4...6.4...6.f.
20 00 37 00 33 00 20 00 33 00 31 00 20 00 30 00 ..7.3...3.1...0.
30 00 20 00 34 00 34 00 20 00 34 00 34 00 20 00 0...4.4...4.4...
34 00 66 00 20 00 35 00 33 00 20 00 34 00 38 00 4.f...5.3...4.8.

2014-11-21 17:01:39,387 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47F1B2, Value:

23 00 42 00 4f 00 54 00 23 00 43 00 6c 00 6f 00 #.B.O.T.#.C.l.o.
73 00 65 00 53 00 65 00 72 00 76 00 65 00 72 00 s.e.S.e.r.v.e.r.
0d 00 0a 00 32 00 34 00 20 00 36 00 34 00 20 00 ....2.4...6.4...
36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3.
20 00 33 00 31 00 20 00 30 00 30 00 20 00 34 00 ..3.1...0.0...4.
34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f...
35 00 33 00 20 00 34 00 38 00 20 00 35 00 34 00 5.3...4.8...5.4.
20 00 35 00 34 00 20 00 35 00 30 00 20 00 34 00 ..5.4...5.0...4.
36 00 20 00 24 00 64 00 64 00 6f 00 73 00 31 00 6...$.d.d.o.s.1.
2e 00 44 00 44 00 4f 00 53 00 48 00 54 00 54 00 ..D.D.O.S.H.T.T.
50 00 46 00 0d 00 0a 00 34 00 63 00 20 00 34 00 P.F.....4.c...4.
66 00 20 00 34 00 66 00 20 00 34 00 34 00 20 00 f...4.f...4.4...
32 00 34 00 20 00 36 00 34 00 20 00 36 00 34 00 2.4...6.4...6.4.
20 00 36 00 66 00 20 00 37 00 33 00 20 00 33 00 ..6.f...7.3...3.
32 00 20 00 30 00 30 00 20 00 34 00 34 00 20 00 2...0.0...4.4...
34 00 34 00 20 00 34 00 66 00 20 00 35 00 33 00 4.4...4.f...5.3.

2014-11-21 17:01:39,388 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A584, Value:

44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P.
46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 F.L.O.O.D.$.d...
0a 00 36 00 34 00 20 00 36 00 66 00 20 00 37 00 ..6.4...6.f...7.
33 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 3...3.2...0.0...
34 00 34 00 20 00 34 00 34 00 20 00 34 00 66 00 4.4...4.4...4.f.
20 00 35 00 33 00 20 00 35 00 33 00 20 00 35 00 ..5.3...5.3...5.
39 00 20 00 34 00 65 00 20 00 34 00 36 00 20 00 9...4.e...4.6...
34 00 63 00 20 00 34 00 66 00 20 00 34 00 66 00 4.c...4.f...4.f.
20 00 64 00 6f 00 73 00 32 00 2e 00 44 00 44 00 ..d.o.s.2...D.D.
4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O.
4f 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 O.........2.0.1.
34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1...
31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2.
2c 00 30 00 33 00 32 00 20 00 2d 00 20 00 64 00 ,.0.3.2...-...d.
65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r...
2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N.

2014-11-21 17:01:39,390 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B5FE, Value:

44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P.
46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 F.L.O.O.D.$.d.d.
0d 00 0a 00 36 00 66 00 20 00 37 00 33 00 20 00 ....6.f...7.3...
33 00 32 00 20 00 30 00 30 00 20 00 34 00 34 00 3.2...0.0...4.4.
20 00 34 00 34 00 20 00 34 00 66 00 20 00 35 00 ..4.4...4.f...5.
33 00 20 00 35 00 33 00 20 00 35 00 39 00 20 00 3...5.3...5.9...
34 00 65 00 20 00 34 00 36 00 20 00 34 00 63 00 4.e...4.6...4.c.
20 00 34 00 66 00 20 00 34 00 66 00 20 00 34 00 ..4.f...4.f...4.
34 00 20 00 6f 00 73 00 32 00 2e 00 44 00 44 00 4...o.s.2...D.D.
4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O.
4f 00 44 00 0d 00 0a 00 32 00 34 00 20 00 36 00 O.D.....2.4...6.
34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f...
37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0.
20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4.
66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5...
34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6.

2014-11-21 17:01:39,391 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47FAF6, Value:

44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P.
46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 F.L.O.O.D.$.d.d.
0d 00 0a 00 36 00 66 00 20 00 37 00 33 00 20 00 ....6.f...7.3...
33 00 32 00 20 00 30 00 30 00 20 00 34 00 34 00 3.2...0.0...4.4.
20 00 34 00 34 00 20 00 34 00 66 00 20 00 35 00 ..4.4...4.f...5.
33 00 20 00 35 00 33 00 20 00 35 00 39 00 20 00 3...5.3...5.9...
34 00 65 00 20 00 34 00 36 00 20 00 34 00 63 00 4.e...4.6...4.c.
20 00 34 00 66 00 20 00 34 00 66 00 20 00 34 00 ..4.f...4.f...4.
34 00 20 00 6f 00 73 00 32 00 2e 00 44 00 44 00 4...o.s.2...D.D.
4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O.
4f 00 44 00 0d 00 0a 00 32 00 34 00 20 00 36 00 O.D.....2.4...6.
34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f...
37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0.
20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4.
66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5...
34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6.

2014-11-21 17:01:39,392 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B68A, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 0d 00 0a 00 32 00 34 00 L.O.O.D.....2.4.
20 00 36 00 34 00 20 00 36 00 34 00 20 00 36 00 ..6.4...6.4...6.
66 00 20 00 37 00 33 00 20 00 33 00 33 00 20 00 f...7.3...3.3...
30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4.
20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5.
35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0...
34 00 36 00 20 00 34 00 63 00 20 00 24 00 64 00 4.6...4.c...$.d.
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 0d 00 0a 00 S.U.D.P.F.L.....
34 00 66 00 20 00 34 00 66 00 20 00 34 00 34 00 4.f...4.f...4.4.
20 00 32 00 34 00 20 00 36 00 62 00 20 00 36 00 ..2.4...6.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3.
31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1...

2014-11-21 17:01:39,394 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47BF46, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 0a 00 L.O.O.D.$.d.....
36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3.
20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4.
34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f...
35 00 33 00 20 00 35 00 35 00 20 00 34 00 34 00 5.3...5.5...4.4.
20 00 35 00 30 00 20 00 34 00 36 00 20 00 34 00 ..5.0...4.6...4.
63 00 20 00 34 00 66 00 20 00 34 00 66 00 20 00 c...4.f...4.f...
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O.
0d 00 0a 00 34 00 34 00 20 00 32 00 34 00 20 00 ....4.4...2.4...
36 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 6.b...6.5...7.9.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5...
37 00 32 00 20 00 33 00 31 00 20 00 30 00 30 00 7.2...3.1...0.0.
20 00 34 00 31 00 20 00 36 00 33 00 20 00 37 00 ..4.1...6.3...7.

2014-11-21 17:01:39,395 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47C808, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 24 00 0d 00 0a 00 36 00 L.O.O.D.$.....6.
34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f...
37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0.
20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4.
66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5...
34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6.
20 00 34 00 63 00 20 00 34 00 66 00 20 00 64 00 ..4.c...4.f...d.
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 0d 00 S.U.D.P.F.L.O...
0a 00 34 00 66 00 20 00 34 00 34 00 20 00 32 00 ..4.f...4.4...2.
34 00 20 00 36 00 62 00 20 00 36 00 35 00 20 00 4...6.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.
20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6.
35 00 20 00 37 00 32 00 20 00 33 00 31 00 20 00 5...7.2...3.1...
30 00 30 00 20 00 34 00 31 00 20 00 36 00 33 00 0.0...4.1...6.3.

2014-11-21 17:01:39,397 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47E1C2, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 0a 00 L.O.O.D.$.d.....
36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3.
20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4.
34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f...
35 00 33 00 20 00 35 00 35 00 20 00 34 00 34 00 5.3...5.5...4.4.
20 00 35 00 30 00 20 00 34 00 36 00 20 00 34 00 ..5.0...4.6...4.
63 00 20 00 34 00 66 00 20 00 34 00 66 00 20 00 c...4.f...4.f...
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O.
0d 00 0a 00 34 00 34 00 20 00 32 00 34 00 20 00 ....4.4...2.4...
36 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 6.b...6.5...7.9.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5...
37 00 32 00 20 00 33 00 31 00 20 00 30 00 30 00 7.2...3.1...0.0.
20 00 34 00 31 00 20 00 36 00 33 00 20 00 37 00 ..4.1...6.3...7.

2014-11-21 17:01:39,398 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47FB82, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 0d 00 0a 00 32 00 34 00 L.O.O.D.....2.4.
20 00 36 00 34 00 20 00 36 00 34 00 20 00 36 00 ..6.4...6.4...6.
66 00 20 00 37 00 33 00 20 00 33 00 33 00 20 00 f...7.3...3.3...
30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4.
20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5.
35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0...
34 00 36 00 20 00 34 00 63 00 20 00 24 00 64 00 4.6...4.c...$.d.
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 0d 00 0a 00 S.U.D.P.F.L.....
34 00 66 00 20 00 34 00 66 00 20 00 34 00 34 00 4.f...4.f...4.4.
20 00 32 00 34 00 20 00 36 00 62 00 20 00 36 00 ..2.4...6.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3.
31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1...

2014-11-21 17:01:39,400 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x48043A, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 6f 00 L.O.O.D.$.d.d.o.
0d 00 0a 00 37 00 33 00 20 00 33 00 33 00 20 00 ....7.3...3.3...
30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4.
20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5.
35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0...
34 00 36 00 20 00 34 00 63 00 20 00 34 00 66 00 4.6...4.c...4.f.
20 00 34 00 66 00 20 00 34 00 34 00 20 00 32 00 ..4.f...4.4...2.
34 00 20 00 73 00 33 00 2e 00 44 00 44 00 4f 00 4...s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O.
44 00 24 00 0d 00 0a 00 36 00 62 00 20 00 36 00 D.$.....6.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3.
31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1...
36 00 33 00 20 00 37 00 34 00 20 00 36 00 39 00 6.3...7.4...6.9.

2014-11-21 17:01:39,401 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47D14A, Value:

44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F.
4c 00 4f 00 4f 00 44 00 24 00 6b 00 0d 00 0a 00 L.O.O.D.$.k.....
36 00 35 00 20 00 37 00 39 00 20 00 36 00 63 00 6.5...7.9...6.c.
20 00 36 00 66 00 20 00 36 00 37 00 20 00 36 00 ..6.f...6.7...6.
37 00 20 00 36 00 35 00 20 00 37 00 32 00 20 00 7...6.5...7.2...
33 00 31 00 20 00 30 00 30 00 20 00 34 00 31 00 3.1...0.0...4.1.
20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6.
39 00 20 00 37 00 36 00 20 00 36 00 35 00 20 00 9...7.6...6.5...
65 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e.y.l.o.g.g.e.r.
31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e.
0d 00 0a 00 34 00 66 00 20 00 36 00 65 00 20 00 ....4.f...6.e...
36 00 63 00 20 00 36 00 39 00 20 00 36 00 65 00 6.c...6.9...6.e.
20 00 36 00 35 00 20 00 34 00 62 00 20 00 36 00 ..6.5...4.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2.

2014-11-21 17:01:39,403 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47EB04, Value:

44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F.
4c 00 4f 00 4f 00 44 00 24 00 6b 00 65 00 0d 00 L.O.O.D.$.k.e...
0a 00 37 00 39 00 20 00 36 00 63 00 20 00 36 00 ..7.9...6.c...6.
66 00 20 00 36 00 37 00 20 00 36 00 37 00 20 00 f...6.7...6.7...
36 00 35 00 20 00 37 00 32 00 20 00 33 00 31 00 6.5...7.2...3.1.
20 00 30 00 30 00 20 00 34 00 31 00 20 00 36 00 ..0.0...4.1...6.
33 00 20 00 37 00 34 00 20 00 36 00 39 00 20 00 3...7.4...6.9...
37 00 36 00 20 00 36 00 35 00 20 00 34 00 66 00 7.6...6.5...4.f.
20 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 ..y.l.o.g.g.e.r.
31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e.
4f 00 0d 00 0a 00 36 00 65 00 20 00 36 00 63 00 O.....6.e...6.c.
20 00 36 00 39 00 20 00 36 00 65 00 20 00 36 00 ..6.9...6.e...6.
35 00 20 00 34 00 62 00 20 00 36 00 35 00 20 00 5...4.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.
20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6.
35 00 20 00 37 00 32 00 20 00 32 00 34 00 20 00 5...7.2...2.4...

2014-11-21 17:01:39,404 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4804C4, Value:

44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F.
4c 00 4f 00 4f 00 44 00 24 00 0d 00 0a 00 36 00 L.O.O.D.$.....6.
62 00 20 00 36 00 35 00 20 00 37 00 39 00 20 00 b...6.5...7.9...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 37 00 6.c...6.f...6.7.
20 00 36 00 37 00 20 00 36 00 35 00 20 00 37 00 ..6.7...6.5...7.
32 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 2...3.1...0.0...
34 00 31 00 20 00 36 00 33 00 20 00 37 00 34 00 4.1...6.3...7.4.
20 00 36 00 39 00 20 00 37 00 36 00 20 00 6b 00 ..6.9...7.6...k.
65 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e.y.l.o.g.g.e.r.
31 00 2e 00 41 00 63 00 74 00 69 00 76 00 0d 00 1...A.c.t.i.v...
0a 00 36 00 35 00 20 00 34 00 66 00 20 00 36 00 ..6.5...4.f...6.
65 00 20 00 36 00 63 00 20 00 36 00 39 00 20 00 e...6.c...6.9...
36 00 65 00 20 00 36 00 35 00 20 00 34 00 62 00 6.e...6.5...4.b.
20 00 36 00 35 00 20 00 37 00 39 00 20 00 36 00 ..6.5...7.9...6.
63 00 20 00 36 00 66 00 20 00 36 00 37 00 20 00 c...6.f...6.7...
36 00 37 00 20 00 36 00 35 00 20 00 37 00 32 00 6.7...6.5...7.2.

2014-11-21 17:01:39,405 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x480D7E, Value:

44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F.
4c 00 4f 00 4f 00 44 00 24 00 6b 00 65 00 79 00 L.O.O.D.$.k.e.y.
0d 00 0a 00 36 00 63 00 20 00 36 00 66 00 20 00 ....6.c...6.f...
36 00 37 00 20 00 36 00 37 00 20 00 36 00 35 00 6.7...6.7...6.5.
20 00 37 00 32 00 20 00 33 00 31 00 20 00 30 00 ..7.2...3.1...0.
30 00 20 00 34 00 31 00 20 00 36 00 33 00 20 00 0...4.1...6.3...
37 00 34 00 20 00 36 00 39 00 20 00 37 00 36 00 7.4...6.9...7.6.
20 00 36 00 35 00 20 00 34 00 66 00 20 00 36 00 ..6.5...4.f...6.
65 00 20 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e...l.o.g.g.e.r.
31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e.
4f 00 6e 00 0d 00 0a 00 36 00 63 00 20 00 36 00 O.n.....6.c...6.
39 00 20 00 36 00 65 00 20 00 36 00 35 00 20 00 9...6.e...6.5...
34 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 4.b...6.5...7.9.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5...
37 00 32 00 20 00 32 00 34 00 20 00 36 00 62 00 7.2...2.4...6.b.

2014-11-21 17:01:39,407 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x48579E, Value:

53 00 55 00 42 00 4d 00 52 00 45 00 4d 00 4f 00 S.U.B.M.R.E.M.O.
54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 24 00 T.E.S.H.E.L.L.$.
0d 00 0a 00 37 00 33 00 20 00 36 00 38 00 20 00 ....7.3...6.8...
36 00 35 00 20 00 36 00 63 00 20 00 36 00 63 00 6.5...6.c...6.c.
20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4.
62 00 20 00 34 00 39 00 20 00 34 00 63 00 20 00 b...4.9...4.c...
34 00 63 00 20 00 35 00 32 00 20 00 34 00 35 00 4.c...5.2...4.5.
20 00 34 00 64 00 20 00 34 00 66 00 20 00 35 00 ..4.d...4.f...5.
34 00 20 00 73 00 68 00 65 00 6c 00 6c 00 33 00 4...s.h.e.l.l.3.
2e 00 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 ..K.I.L.L.R.E.M.
4f 00 54 00 0d 00 0a 00 34 00 35 00 20 00 35 00 O.T.....4.5...5.
33 00 20 00 34 00 38 00 20 00 34 00 35 00 20 00 3...4.8...4.5...
34 00 63 00 20 00 34 00 63 00 20 00 34 00 34 00 4.c...4.c...4.4.
20 00 36 00 31 00 20 00 37 00 32 00 20 00 36 00 ..6.1...7.2...6.
62 00 20 00 34 00 33 00 20 00 36 00 66 00 20 00 b...4.3...6.f...
36 00 64 00 20 00 36 00 35 00 20 00 37 00 34 00 6.d...6.5...7.4.

2014-11-21 17:01:39,410 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x480B74, Value:

4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O.
54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 0d 00 T.E.S.H.E.L.L...
0a 00 34 00 34 00 20 00 36 00 31 00 20 00 37 00 ..4.4...6.1...7.
32 00 20 00 36 00 62 00 20 00 34 00 33 00 20 00 2...6.b...4.3...
36 00 66 00 20 00 36 00 64 00 20 00 36 00 35 00 6.f...6.d...6.5.
20 00 37 00 34 00 20 00 30 00 30 00 20 00 36 00 ..7.4...0.0...6.
34 00 20 00 36 00 35 00 20 00 37 00 34 00 20 00 4...6.5...7.4...
36 00 35 00 20 00 36 00 33 00 20 00 37 00 34 00 6.5...6.3...7.4.
20 00 44 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 ..D.a.r.k.C.o.m.
65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c.
74 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 t.........2.0.1.
34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1...
31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2.
2c 00 30 00 34 00 38 00 20 00 2d 00 20 00 64 00 ,.0.4.8...-...d.
65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r...
2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N.

2014-11-21 17:01:39,411 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4847AA, Value:

4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O.
54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D.
0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2...
36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f.
20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7.
34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4...
36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5.
20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6.
39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m.
65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c.
74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6.
65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8...
37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5.
20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2.
30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1...
35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4.

2014-11-21 17:01:39,413 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x484FE6, Value:

4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O.
54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D.
0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2...
36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f.
20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7.
34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4...
36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5.
20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6.
39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m.
65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c.
74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6.
65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8...
37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5.
20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2.
30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1...
35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4.

2014-11-21 17:01:39,414 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4860E2, Value:

4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O.
54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D.
0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2...
36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f.
20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7.
34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4...
36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5.
20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6.
39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m.
65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c.
74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6.
65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8...
37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5.
20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2.
30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1...
35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4.

2014-11-21 17:01:39,415 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x486A20, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 4b 00 65 00 X.t.r.e.m.e.K.e.
79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 24 00 y.l.o.g.g.e.r.$.
0d 00 0a 00 37 00 33 00 20 00 37 00 34 00 20 00 ....7.3...7.4...
37 00 32 00 20 00 36 00 39 00 20 00 36 00 65 00 7.2...6.9...6.e.
20 00 36 00 37 00 20 00 33 00 32 00 20 00 30 00 ..6.7...3.2...0.
30 00 20 00 35 00 38 00 20 00 37 00 34 00 20 00 0...5.8...7.4...
37 00 32 00 20 00 36 00 35 00 20 00 36 00 64 00 7.2...6.5...6.d.
20 00 36 00 35 00 20 00 35 00 32 00 20 00 34 00 ..6.5...5.2...4.
31 00 20 00 73 00 74 00 72 00 69 00 6e 00 67 00 1...s.t.r.i.n.g.
32 00 2e 00 58 00 74 00 72 00 65 00 6d 00 65 00 2...X.t.r.e.m.e.
52 00 41 00 0d 00 0a 00 35 00 34 00 20 00 32 00 R.A.....5.4...2.
34 00 20 00 37 00 33 00 20 00 37 00 34 00 20 00 4...7.3...7.4...
37 00 32 00 20 00 36 00 39 00 20 00 36 00 65 00 7.2...6.9...6.e.
20 00 36 00 37 00 20 00 33 00 33 00 20 00 30 00 ..6.7...3.3...0.
30 00 20 00 35 00 38 00 20 00 35 00 34 00 20 00 0...5.8...5.4...
35 00 32 00 20 00 34 00 35 00 20 00 34 00 64 00 5.2...4.5...4.d.

2014-11-21 17:01:39,417 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x482742, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A.
54 00 24 00 73 00 74 00 72 00 69 00 0d 00 0a 00 T.$.s.t.r.i.....
36 00 65 00 20 00 36 00 37 00 20 00 33 00 33 00 6.e...6.7...3.3.
20 00 30 00 30 00 20 00 35 00 38 00 20 00 35 00 ..0.0...5.8...5.
34 00 20 00 35 00 32 00 20 00 34 00 35 00 20 00 4...5.2...4.5...
34 00 64 00 20 00 34 00 35 00 20 00 35 00 35 00 4.d...4.5...5.5.
20 00 35 00 30 00 20 00 34 00 34 00 20 00 34 00 ..5.0...4.4...4.
31 00 20 00 35 00 34 00 20 00 34 00 35 00 20 00 1...5.4...4.5...
6e 00 67 00 33 00 2e 00 58 00 54 00 52 00 45 00 n.g.3...X.T.R.E.
4d 00 45 00 55 00 50 00 44 00 41 00 54 00 45 00 M.E.U.P.D.A.T.E.
0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4.
2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1.
36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,.
30 00 35 00 32 00 20 00 2d 00 20 00 64 00 65 00 0.5.2...-...d.e.
74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-.
20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G.

2014-11-21 17:01:39,418 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48308A, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A.
54 00 24 00 73 00 74 00 0d 00 0a 00 37 00 32 00 T.$.s.t.....7.2.
20 00 36 00 39 00 20 00 36 00 65 00 20 00 36 00 ..6.9...6.e...6.
37 00 20 00 33 00 33 00 20 00 30 00 30 00 20 00 7...3.3...0.0...
35 00 38 00 20 00 35 00 34 00 20 00 35 00 32 00 5.8...5.4...5.2.
20 00 34 00 35 00 20 00 34 00 64 00 20 00 34 00 ..4.5...4.d...4.
35 00 20 00 35 00 35 00 20 00 35 00 30 00 20 00 5...5.5...5.0...
34 00 34 00 20 00 34 00 31 00 20 00 72 00 69 00 4.4...4.1...r.i.
6e 00 67 00 33 00 2e 00 58 00 54 00 52 00 45 00 n.g.3...X.T.R.E.
4d 00 45 00 55 00 50 00 44 00 41 00 0d 00 0a 00 M.E.U.P.D.A.....
0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 31 00 ....2.0.1.4.-.1.
31 00 2d 00 32 00 31 00 20 00 31 00 36 00 3a 00 1.-.2.1...1.6.:.
35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 35 00 5.1.:.4.2.,.0.5.
32 00 20 00 2d 00 20 00 64 00 65 00 74 00 65 00 2...-...d.e.t.e.
63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 57 00 c.t.o.r...-...W.
41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 2d 00 A.R.N.I.N.G...-.

2014-11-21 17:01:39,420 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4838C0, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A.
54 00 24 00 73 00 74 00 72 00 69 00 6e 00 0d 00 T.$.s.t.r.i.n...
0a 00 36 00 37 00 20 00 33 00 33 00 20 00 30 00 ..6.7...3.3...0.
30 00 20 00 35 00 38 00 20 00 35 00 34 00 20 00 0...5.8...5.4...
35 00 32 00 20 00 34 00 35 00 20 00 34 00 64 00 5.2...4.5...4.d.
20 00 34 00 35 00 20 00 35 00 35 00 20 00 35 00 ..4.5...5.5...5.
30 00 20 00 34 00 34 00 20 00 34 00 31 00 20 00 0...4.4...4.1...
35 00 34 00 20 00 34 00 35 00 20 00 32 00 34 00 5.4...4.5...2.4.
20 00 67 00 33 00 2e 00 58 00 54 00 52 00 45 00 ..g.3...X.T.R.E.
4d 00 45 00 55 00 50 00 44 00 41 00 54 00 45 00 M.E.U.P.D.A.T.E.
24 00 0d 00 0a 00 37 00 33 00 20 00 37 00 34 00 $.....7.3...7.4.
20 00 37 00 32 00 20 00 36 00 39 00 20 00 36 00 ..7.2...6.9...6.
65 00 20 00 36 00 37 00 20 00 33 00 34 00 20 00 e...6.7...3.4...
30 00 30 00 20 00 35 00 33 00 20 00 35 00 34 00 0.0...5.3...5.4.
20 00 35 00 35 00 20 00 34 00 32 00 20 00 35 00 ..5.5...4.2...5.
38 00 20 00 35 00 34 00 20 00 35 00 32 00 20 00 8...5.4...5.2...

2014-11-21 17:01:39,421 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485AC2, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A.
54 00 24 00 0d 00 0a 00 37 00 33 00 20 00 37 00 T.$.....7.3...7.
34 00 20 00 37 00 32 00 20 00 36 00 39 00 20 00 4...7.2...6.9...
36 00 65 00 20 00 36 00 37 00 20 00 33 00 33 00 6.e...6.7...3.3.
20 00 30 00 30 00 20 00 35 00 38 00 20 00 35 00 ..0.0...5.8...5.
34 00 20 00 35 00 32 00 20 00 34 00 35 00 20 00 4...5.2...4.5...
34 00 64 00 20 00 34 00 35 00 20 00 35 00 35 00 4.d...4.5...5.5.
20 00 35 00 30 00 20 00 73 00 74 00 72 00 69 00 ..5.0...s.t.r.i.
6e 00 67 00 33 00 2e 00 58 00 54 00 52 00 45 00 n.g.3...X.T.R.E.
4d 00 45 00 55 00 50 00 0d 00 0a 00 34 00 34 00 M.E.U.P.....4.4.
20 00 34 00 31 00 20 00 35 00 34 00 20 00 34 00 ..4.1...5.4...4.
35 00 20 00 32 00 34 00 20 00 37 00 33 00 20 00 5...2.4...7.3...
37 00 34 00 20 00 37 00 32 00 20 00 36 00 39 00 7.4...7.2...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 33 00 ..6.e...6.7...3.
34 00 20 00 30 00 30 00 20 00 35 00 33 00 20 00 4...0.0...5.3...
35 00 34 00 20 00 35 00 35 00 20 00 44 00 41 00 5.4...5.5...D.A.

2014-11-21 17:01:39,423 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48735E, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A.
54 00 24 00 73 00 74 00 72 00 69 00 6e 00 67 00 T.$.s.t.r.i.n.g.
0d 00 0a 00 33 00 33 00 20 00 30 00 30 00 20 00 ....3.3...0.0...
35 00 38 00 20 00 35 00 34 00 20 00 35 00 32 00 5.8...5.4...5.2.
20 00 34 00 35 00 20 00 34 00 64 00 20 00 34 00 ..4.5...4.d...4.
35 00 20 00 35 00 35 00 20 00 35 00 30 00 20 00 5...5.5...5.0...
34 00 34 00 20 00 34 00 31 00 20 00 35 00 34 00 4.4...4.1...5.4.
20 00 34 00 35 00 20 00 32 00 34 00 20 00 37 00 ..4.5...2.4...7.
33 00 20 00 33 00 2e 00 58 00 54 00 52 00 45 00 3...3...X.T.R.E.
4d 00 45 00 55 00 50 00 44 00 41 00 54 00 45 00 M.E.U.P.D.A.T.E.
24 00 73 00 0d 00 0a 00 37 00 34 00 20 00 37 00 $.s.....7.4...7.
32 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 2...6.9...6.e...
36 00 37 00 20 00 33 00 34 00 20 00 30 00 30 00 6.7...3.4...0.0.
20 00 35 00 33 00 20 00 35 00 34 00 20 00 35 00 ..5.3...5.4...5.
35 00 20 00 34 00 32 00 20 00 35 00 38 00 20 00 5...4.2...5.8...
35 00 34 00 20 00 35 00 32 00 20 00 34 00 35 00 5.4...5.2...4.5.

2014-11-21 17:01:39,424 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4827CA, Value:

58 00 54 00 52 00 45 00 4d 00 45 00 55 00 50 00 X.T.R.E.M.E.U.P.
44 00 41 00 54 00 45 00 0d 00 0a 00 0d 00 0a 00 D.A.T.E.........
32 00 30 00 31 00 34 00 2d 00 31 00 31 00 2d 00 2.0.1.4.-.1.1.-.
32 00 31 00 20 00 31 00 36 00 3a 00 35 00 31 00 2.1...1.6.:.5.1.
3a 00 34 00 32 00 2c 00 30 00 35 00 32 00 20 00 :.4.2.,.0.5.2...
2d 00 20 00 64 00 65 00 74 00 65 00 63 00 74 00 -...d.e.t.e.c.t.
6f 00 72 00 20 00 2d 00 20 00 57 00 41 00 52 00 o.r...-...W.A.R.
4e 00 49 00 4e 00 47 00 20 00 2d 00 20 00 50 00 N.I.N.G...-...P.
72 00 6f 00 63 00 65 00 73 00 73 00 20 00 43 00 r.o.c.e.s.s...C.
43 00 43 00 2e 00 65 00 78 00 65 00 20 00 28 00 C.C...e.x.e...(.
70 00 69 00 64 00 3a 00 20 00 37 00 36 00 32 00 p.i.d.:...7.6.2.
34 00 29 00 20 00 6d 00 61 00 74 00 63 00 68 00 4.)...m.a.t.c.h.
65 00 64 00 3a 00 20 00 44 00 61 00 72 00 6b 00 e.d.:...D.a.r.k.
43 00 6f 00 6d 00 65 00 74 00 20 00 61 00 74 00 C.o.m.e.t...a.t.
20 00 61 00 64 00 64 00 72 00 65 00 73 00 73 00 ..a.d.d.r.e.s.s.
3a 00 20 00 30 00 78 00 35 00 34 00 32 00 43 00 :...0.x.5.4.2.C.

2014-11-21 17:01:39,426 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x483948, Value:

58 00 54 00 52 00 45 00 4d 00 45 00 55 00 50 00 X.T.R.E.M.E.U.P.
44 00 41 00 54 00 45 00 24 00 0d 00 0a 00 37 00 D.A.T.E.$.....7.
33 00 20 00 37 00 34 00 20 00 37 00 32 00 20 00 3...7.4...7.2...
36 00 39 00 20 00 36 00 65 00 20 00 36 00 37 00 6.9...6.e...6.7.
20 00 33 00 34 00 20 00 30 00 30 00 20 00 35 00 ..3.4...0.0...5.
33 00 20 00 35 00 34 00 20 00 35 00 35 00 20 00 3...5.4...5.5...
34 00 32 00 20 00 35 00 38 00 20 00 35 00 34 00 4.2...5.8...5.4.
20 00 35 00 32 00 20 00 34 00 35 00 20 00 73 00 ..5.2...4.5...s.
74 00 72 00 69 00 6e 00 67 00 34 00 2e 00 53 00 t.r.i.n.g.4...S.
54 00 55 00 42 00 58 00 54 00 52 00 45 00 0d 00 T.U.B.X.T.R.E...
0a 00 34 00 64 00 20 00 34 00 35 00 20 00 34 00 ..4.d...4.5...4.
39 00 20 00 34 00 65 00 20 00 34 00 61 00 20 00 9...4.e...4.a...
34 00 35 00 20 00 34 00 33 00 20 00 35 00 34 00 4.5...4.3...5.4.
20 00 34 00 35 00 20 00 34 00 34 00 20 00 32 00 ..4.5...4.4...2.
34 00 20 00 37 00 35 00 20 00 36 00 65 00 20 00 4...7.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 33 00 31 00 6.9...7.4...3.1.

2014-11-21 17:01:39,427 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x484AC4, Value:

58 00 54 00 52 00 45 00 4d 00 45 00 55 00 50 00 X.T.R.E.M.E.U.P.
44 00 41 00 54 00 45 00 24 00 73 00 74 00 0d 00 D.A.T.E.$.s.t...
0a 00 37 00 32 00 20 00 36 00 39 00 20 00 36 00 ..7.2...6.9...6.
65 00 20 00 36 00 37 00 20 00 33 00 34 00 20 00 e...6.7...3.4...
30 00 30 00 20 00 35 00 33 00 20 00 35 00 34 00 0.0...5.3...5.4.
20 00 35 00 35 00 20 00 34 00 32 00 20 00 35 00 ..5.5...4.2...5.
38 00 20 00 35 00 34 00 20 00 35 00 32 00 20 00 8...5.4...5.2...
34 00 35 00 20 00 34 00 64 00 20 00 34 00 35 00 4.5...4.d...4.5.
20 00 72 00 69 00 6e 00 67 00 34 00 2e 00 53 00 ..r.i.n.g.4...S.
54 00 55 00 42 00 58 00 54 00 52 00 45 00 4d 00 T.U.B.X.T.R.E.M.
45 00 0d 00 0a 00 34 00 39 00 20 00 34 00 65 00 E.....4.9...4.e.
20 00 34 00 61 00 20 00 34 00 35 00 20 00 34 00 ..4.a...4.5...4.
33 00 20 00 35 00 34 00 20 00 34 00 35 00 20 00 3...5.4...4.5...
34 00 34 00 20 00 32 00 34 00 20 00 37 00 35 00 4.4...2.4...7.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 4...3.1...0.0...
         

Old 22.11.2014, 14:10   #9
derdingens

Detekt found five! Trojans, virus scanners so far with no findings. What to do? - Standard

What to do? Detekt found five! Trojans, virus scanners so far with no findings. Detekt.Log, fourth part



Code:
2014-11-21 17:01:39,428 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485300, Value:

58 00 54 00 52 00 45 00 4d 00 45 00 55 00 50 00 X.T.R.E.M.E.U.P.
44 00 41 00 54 00 45 00 24 00 73 00 74 00 0d 00 D.A.T.E.$.s.t...
0a 00 37 00 32 00 20 00 36 00 39 00 20 00 36 00 ..7.2...6.9...6.
65 00 20 00 36 00 37 00 20 00 33 00 34 00 20 00 e...6.7...3.4...
30 00 30 00 20 00 35 00 33 00 20 00 35 00 34 00 0.0...5.3...5.4.
20 00 35 00 35 00 20 00 34 00 32 00 20 00 35 00 ..5.5...4.2...5.
38 00 20 00 35 00 34 00 20 00 35 00 32 00 20 00 8...5.4...5.2...
34 00 35 00 20 00 34 00 64 00 20 00 34 00 35 00 4.5...4.d...4.5.
20 00 72 00 69 00 6e 00 67 00 34 00 2e 00 53 00 ..r.i.n.g.4...S.
54 00 55 00 42 00 58 00 54 00 52 00 45 00 4d 00 T.U.B.X.T.R.E.M.
45 00 0d 00 0a 00 34 00 39 00 20 00 34 00 65 00 E.....4.9...4.e.
20 00 34 00 61 00 20 00 34 00 35 00 20 00 34 00 ..4.a...4.5...4.
33 00 20 00 35 00 34 00 20 00 34 00 35 00 20 00 3...5.4...4.5...
34 00 34 00 20 00 32 00 34 00 20 00 37 00 35 00 4.4...2.4...7.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 4...3.1...0.0...

2014-11-21 17:01:39,430 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4863FC, Value:

58 00 54 00 52 00 45 00 4d 00 45 00 55 00 50 00 X.T.R.E.M.E.U.P.
44 00 41 00 54 00 45 00 24 00 73 00 74 00 0d 00 D.A.T.E.$.s.t...
0a 00 37 00 32 00 20 00 36 00 39 00 20 00 36 00 ..7.2...6.9...6.
65 00 20 00 36 00 37 00 20 00 33 00 34 00 20 00 e...6.7...3.4...
30 00 30 00 20 00 35 00 33 00 20 00 35 00 34 00 0.0...5.3...5.4.
20 00 35 00 35 00 20 00 34 00 32 00 20 00 35 00 ..5.5...4.2...5.
38 00 20 00 35 00 34 00 20 00 35 00 32 00 20 00 8...5.4...5.2...
34 00 35 00 20 00 34 00 64 00 20 00 34 00 35 00 4.5...4.d...4.5.
20 00 72 00 69 00 6e 00 67 00 34 00 2e 00 53 00 ..r.i.n.g.4...S.
54 00 55 00 42 00 58 00 54 00 52 00 45 00 4d 00 T.U.B.X.T.R.E.M.
45 00 0d 00 0a 00 34 00 39 00 20 00 34 00 65 00 E.....4.9...4.e.
20 00 34 00 61 00 20 00 34 00 35 00 20 00 34 00 ..4.a...4.5...4.
33 00 20 00 35 00 34 00 20 00 34 00 35 00 20 00 3...5.4...4.5...
34 00 34 00 20 00 32 00 34 00 20 00 37 00 35 00 4.4...2.4...7.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 4...3.1...0.0...

2014-11-21 17:01:39,430 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4873E6, Value:

58 00 54 00 52 00 45 00 4d 00 45 00 55 00 50 00 X.T.R.E.M.E.U.P.
44 00 41 00 54 00 45 00 24 00 73 00 0d 00 0a 00 D.A.T.E.$.s.....
37 00 34 00 20 00 37 00 32 00 20 00 36 00 39 00 7.4...7.2...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 33 00 ..6.e...6.7...3.
34 00 20 00 30 00 30 00 20 00 35 00 33 00 20 00 4...0.0...5.3...
35 00 34 00 20 00 35 00 35 00 20 00 34 00 32 00 5.4...5.5...4.2.
20 00 35 00 38 00 20 00 35 00 34 00 20 00 35 00 ..5.8...5.4...5.
32 00 20 00 34 00 35 00 20 00 34 00 64 00 20 00 2...4.5...4.d...
74 00 72 00 69 00 6e 00 67 00 34 00 2e 00 53 00 t.r.i.n.g.4...S.
54 00 55 00 42 00 58 00 54 00 52 00 45 00 4d 00 T.U.B.X.T.R.E.M.
0d 00 0a 00 34 00 35 00 20 00 34 00 39 00 20 00 ....4.5...4.9...
34 00 65 00 20 00 34 00 61 00 20 00 34 00 35 00 4.e...4.a...4.5.
20 00 34 00 33 00 20 00 35 00 34 00 20 00 34 00 ..4.3...5.4...4.
35 00 20 00 34 00 34 00 20 00 32 00 34 00 20 00 5...4.4...2.4...
37 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 7.5...6.e...6.9.
20 00 37 00 34 00 20 00 33 00 31 00 20 00 30 00 ..7.4...3.1...0.

2014-11-21 17:01:39,433 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x487C9C, Value:

58 00 54 00 52 00 45 00 4d 00 45 00 55 00 50 00 X.T.R.E.M.E.U.P.
44 00 41 00 54 00 45 00 24 00 73 00 74 00 72 00 D.A.T.E.$.s.t.r.
0d 00 0a 00 36 00 39 00 20 00 36 00 65 00 20 00 ....6.9...6.e...
36 00 37 00 20 00 33 00 34 00 20 00 30 00 30 00 6.7...3.4...0.0.
20 00 35 00 33 00 20 00 35 00 34 00 20 00 35 00 ..5.3...5.4...5.
35 00 20 00 34 00 32 00 20 00 35 00 38 00 20 00 5...4.2...5.8...
35 00 34 00 20 00 35 00 32 00 20 00 34 00 35 00 5.4...5.2...4.5.
20 00 34 00 64 00 20 00 34 00 35 00 20 00 34 00 ..4.d...4.5...4.
39 00 20 00 69 00 6e 00 67 00 34 00 2e 00 53 00 9...i.n.g.4...S.
54 00 55 00 42 00 58 00 54 00 52 00 45 00 4d 00 T.U.B.X.T.R.E.M.
45 00 49 00 0d 00 0a 00 34 00 65 00 20 00 34 00 E.I.....4.e...4.
61 00 20 00 34 00 35 00 20 00 34 00 33 00 20 00 a...4.5...4.3...
35 00 34 00 20 00 34 00 35 00 20 00 34 00 34 00 5.4...4.5...4.4.
20 00 32 00 34 00 20 00 37 00 35 00 20 00 36 00 ..2.4...7.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
33 00 31 00 20 00 30 00 30 00 20 00 35 00 35 00 3.1...0.0...5.5.

2014-11-21 17:01:39,434 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48756E, Value:

55 00 6e 00 69 00 74 00 43 00 6f 00 6e 00 66 00 U.n.i.t.C.o.n.f.
69 00 67 00 73 00 24 00 75 00 6e 00 69 00 74 00 i.g.s.$.u.n.i.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 37 00 34 00 20 00 34 00 37 00 20 00 36 00 ..7.4...4.7...6.
35 00 20 00 37 00 34 00 20 00 35 00 33 00 20 00 5...7.4...5.3...
36 00 35 00 20 00 37 00 32 00 20 00 37 00 36 00 6.5...7.2...7.6.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2.
34 00 20 00 32 00 2e 00 55 00 6e 00 69 00 74 00 4...2...U.n.i.t.
47 00 65 00 74 00 53 00 65 00 72 00 76 00 65 00 G.e.t.S.e.r.v.e.
72 00 24 00 0d 00 0a 00 37 00 35 00 20 00 36 00 r.$.....7.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
33 00 33 00 20 00 30 00 30 00 20 00 35 00 35 00 3.3...0.0...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 34 00 62 00 20 00 36 00 35 00 20 00 4...4.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.

2014-11-21 17:01:39,436 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x488F18, Value:

55 00 6e 00 69 00 74 00 43 00 6f 00 6e 00 66 00 U.n.i.t.C.o.n.f.
69 00 67 00 73 00 24 00 75 00 6e 00 69 00 74 00 i.g.s.$.u.n.i.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 37 00 34 00 20 00 34 00 37 00 20 00 36 00 ..7.4...4.7...6.
35 00 20 00 37 00 34 00 20 00 35 00 33 00 20 00 5...7.4...5.3...
36 00 35 00 20 00 37 00 32 00 20 00 37 00 36 00 6.5...7.2...7.6.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2.
34 00 20 00 32 00 2e 00 55 00 6e 00 69 00 74 00 4...2...U.n.i.t.
47 00 65 00 74 00 53 00 65 00 72 00 76 00 65 00 G.e.t.S.e.r.v.e.
72 00 24 00 0d 00 0a 00 37 00 35 00 20 00 36 00 r.$.....7.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
33 00 33 00 20 00 30 00 30 00 20 00 35 00 35 00 3.3...0.0...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 34 00 62 00 20 00 36 00 35 00 20 00 4...4.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.

2014-11-21 17:01:39,437 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x484CD4, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 75 00 0d 00 e.r.v.e.r.$.u...
0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 ......2.0.1.4.-.
31 00 31 00 2d 00 32 00 31 00 20 00 31 00 36 00 1.1.-.2.1...1.6.
3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 :.5.1.:.4.2.,.0.
35 00 38 00 20 00 2d 00 20 00 64 00 65 00 74 00 5.8...-...d.e.t.
65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 e.c.t.o.r...-...
57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 W.A.R.N.I.N.G...
2d 00 20 00 50 00 72 00 6f 00 63 00 65 00 73 00 -...P.r.o.c.e.s.
73 00 20 00 43 00 43 00 43 00 2e 00 65 00 78 00 s...C.C.C...e.x.
65 00 20 00 28 00 70 00 69 00 64 00 3a 00 20 00 e...(.p.i.d.:...
37 00 36 00 32 00 34 00 29 00 20 00 6d 00 61 00 7.6.2.4.)...m.a.
74 00 63 00 68 00 65 00 64 00 3a 00 20 00 44 00 t.c.h.e.d.:...D.
61 00 72 00 6b 00 43 00 6f 00 6d 00 65 00 74 00 a.r.k.C.o.m.e.t.
20 00 61 00 74 00 20 00 61 00 64 00 64 00 72 00 ..a.t...a.d.d.r.
65 00 73 00 73 00 3a 00 20 00 30 00 78 00 35 00 e.s.s.:...0.x.5.

2014-11-21 17:01:39,438 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485510, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 75 00 0d 00 e.r.v.e.r.$.u...
0a 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 33 00 33 00 20 00 30 00 30 00 20 00 4...3.3...0.0...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 37 00 34 00 20 00 34 00 62 00 20 00 36 00 ..7.4...4.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 6e 00 69 00 74 00 33 00 2e 00 55 00 6e 00 ..n.i.t.3...U.n.
69 00 74 00 4b 00 65 00 79 00 6c 00 6f 00 67 00 i.t.K.e.y.l.o.g.
67 00 0d 00 0a 00 36 00 35 00 20 00 37 00 32 00 g.....6.5...7.2.
20 00 32 00 34 00 20 00 37 00 35 00 20 00 36 00 ..2.4...7.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
33 00 34 00 20 00 30 00 30 00 20 00 35 00 35 00 3.4...0.0...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 34 00 33 00 20 00 37 00 32 00 20 00 4...4.3...7.2...

2014-11-21 17:01:39,440 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48660C, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 75 00 0d 00 e.r.v.e.r.$.u...
0a 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 33 00 33 00 20 00 30 00 30 00 20 00 4...3.3...0.0...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 37 00 34 00 20 00 34 00 62 00 20 00 36 00 ..7.4...4.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 6e 00 69 00 74 00 33 00 2e 00 55 00 6e 00 ..n.i.t.3...U.n.
69 00 74 00 4b 00 65 00 79 00 6c 00 6f 00 67 00 i.t.K.e.y.l.o.g.
67 00 0d 00 0a 00 36 00 35 00 20 00 37 00 32 00 g.....6.5...7.2.
20 00 32 00 34 00 20 00 37 00 35 00 20 00 36 00 ..2.4...7.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
33 00 34 00 20 00 30 00 30 00 20 00 35 00 35 00 3.4...0.0...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 34 00 33 00 20 00 37 00 32 00 20 00 4...4.3...7.2...

2014-11-21 17:01:39,441 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4875F6, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 0d 00 0a 00 e.r.v.e.r.$.....
37 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 7.5...6.e...6.9.
20 00 37 00 34 00 20 00 33 00 33 00 20 00 30 00 ..7.4...3.3...0.
30 00 20 00 35 00 35 00 20 00 36 00 65 00 20 00 0...5.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 34 00 62 00 6.9...7.4...4.b.
20 00 36 00 35 00 20 00 37 00 39 00 20 00 36 00 ..6.5...7.9...6.
63 00 20 00 36 00 66 00 20 00 36 00 37 00 20 00 c...6.f...6.7...
75 00 6e 00 69 00 74 00 33 00 2e 00 55 00 6e 00 u.n.i.t.3...U.n.
69 00 74 00 4b 00 65 00 79 00 6c 00 6f 00 67 00 i.t.K.e.y.l.o.g.
0d 00 0a 00 36 00 37 00 20 00 36 00 35 00 20 00 ....6.7...6.5...
37 00 32 00 20 00 32 00 34 00 20 00 37 00 35 00 7.2...2.4...7.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 37 00 34 00 20 00 34 00 33 00 20 00 37 00 ..7.4...4.3...7.

2014-11-21 17:01:39,444 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x487EAC, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 75 00 6e 00 e.r.v.e.r.$.u.n.
0d 00 0a 00 36 00 39 00 20 00 37 00 34 00 20 00 ....6.9...7.4...
33 00 33 00 20 00 30 00 30 00 20 00 35 00 35 00 3.3...0.0...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 34 00 62 00 20 00 36 00 35 00 20 00 4...4.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.
20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6.
35 00 20 00 69 00 74 00 33 00 2e 00 55 00 6e 00 5...i.t.3...U.n.
69 00 74 00 4b 00 65 00 79 00 6c 00 6f 00 67 00 i.t.K.e.y.l.o.g.
67 00 65 00 0d 00 0a 00 37 00 32 00 20 00 32 00 g.e.....7.2...2.
34 00 20 00 37 00 35 00 20 00 36 00 65 00 20 00 4...7.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 33 00 34 00 6.9...7.4...3.4.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 36 00 ..0.0...5.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
34 00 33 00 20 00 37 00 32 00 20 00 37 00 39 00 4.3...7.2...7.9.

2014-11-21 17:01:39,444 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x488FA0, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 0d 00 0a 00 e.r.v.e.r.$.....
37 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 7.5...6.e...6.9.
20 00 37 00 34 00 20 00 33 00 33 00 20 00 30 00 ..7.4...3.3...0.
30 00 20 00 35 00 35 00 20 00 36 00 65 00 20 00 0...5.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 34 00 62 00 6.9...7.4...4.b.
20 00 36 00 35 00 20 00 37 00 39 00 20 00 36 00 ..6.5...7.9...6.
63 00 20 00 36 00 66 00 20 00 36 00 37 00 20 00 c...6.f...6.7...
75 00 6e 00 69 00 74 00 33 00 2e 00 55 00 6e 00 u.n.i.t.3...U.n.
69 00 74 00 4b 00 65 00 79 00 6c 00 6f 00 67 00 i.t.K.e.y.l.o.g.
0d 00 0a 00 36 00 37 00 20 00 36 00 35 00 20 00 ....6.7...6.5...
37 00 32 00 20 00 32 00 34 00 20 00 37 00 35 00 7.2...2.4...7.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 37 00 34 00 20 00 34 00 33 00 20 00 37 00 ..7.4...4.3...7.

2014-11-21 17:01:39,447 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x489856, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 75 00 6e 00 e.r.v.e.r.$.u.n.
0d 00 0a 00 36 00 39 00 20 00 37 00 34 00 20 00 ....6.9...7.4...
33 00 33 00 20 00 30 00 30 00 20 00 35 00 35 00 3.3...0.0...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 34 00 62 00 20 00 36 00 35 00 20 00 4...4.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.
20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6.
35 00 20 00 69 00 74 00 33 00 2e 00 55 00 6e 00 5...i.t.3...U.n.
69 00 74 00 4b 00 65 00 79 00 6c 00 6f 00 67 00 i.t.K.e.y.l.o.g.
67 00 65 00 0d 00 0a 00 37 00 32 00 20 00 32 00 g.e.....7.2...2.
34 00 20 00 37 00 35 00 20 00 36 00 65 00 20 00 4...7.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 33 00 34 00 6.9...7.4...3.4.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 36 00 ..0.0...5.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
34 00 33 00 20 00 37 00 32 00 20 00 37 00 39 00 4.3...7.2...7.9.

2014-11-21 17:01:39,447 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48A194, Value:

55 00 6e 00 69 00 74 00 4b 00 65 00 79 00 6c 00 U.n.i.t.K.e.y.l.
6f 00 67 00 67 00 65 00 72 00 24 00 75 00 6e 00 o.g.g.e.r.$.u.n.
0d 00 0a 00 36 00 39 00 20 00 37 00 34 00 20 00 ....6.9...7.4...
33 00 34 00 20 00 30 00 30 00 20 00 35 00 35 00 3.4...0.0...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 37 00 ..6.e...6.9...7.
34 00 20 00 34 00 33 00 20 00 37 00 32 00 20 00 4...4.3...7.2...
37 00 39 00 20 00 37 00 30 00 20 00 37 00 34 00 7.9...7.0...7.4.
20 00 35 00 33 00 20 00 37 00 34 00 20 00 37 00 ..5.3...7.4...7.
32 00 20 00 69 00 74 00 34 00 2e 00 55 00 6e 00 2...i.t.4...U.n.
69 00 74 00 43 00 72 00 79 00 70 00 74 00 53 00 i.t.C.r.y.p.t.S.
74 00 72 00 0d 00 0a 00 36 00 39 00 20 00 36 00 t.r.....6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 34 00 20 00 e...6.7...2.4...
37 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 7.5...6.e...6.9.
20 00 37 00 34 00 20 00 33 00 35 00 20 00 30 00 ..7.4...3.5...0.
30 00 20 00 35 00 35 00 20 00 36 00 65 00 20 00 0...5.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 34 00 39 00 6.9...7.4...4.9.

2014-11-21 17:01:39,448 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485ED6, Value:

55 00 6e 00 69 00 74 00 43 00 72 00 79 00 70 00 U.n.i.t.C.r.y.p.
74 00 53 00 74 00 72 00 69 00 6e 00 67 00 24 00 t.S.t.r.i.n.g.$.
0d 00 0a 00 37 00 35 00 20 00 36 00 65 00 20 00 ....7.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 33 00 35 00 6.9...7.4...3.5.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 36 00 ..0.0...5.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
34 00 39 00 20 00 36 00 65 00 20 00 37 00 33 00 4.9...6.e...7.3.
20 00 37 00 34 00 20 00 36 00 31 00 20 00 36 00 ..7.4...6.1...6.
63 00 20 00 75 00 6e 00 69 00 74 00 35 00 2e 00 c...u.n.i.t.5...
55 00 6e 00 69 00 74 00 49 00 6e 00 73 00 74 00 U.n.i.t.I.n.s.t.
61 00 6c 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 a.l.........2.0.
31 00 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 1.4.-.1.1.-.2.1.
20 00 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 ..1.6.:.5.1.:.4.
32 00 2c 00 30 00 36 00 31 00 20 00 2d 00 20 00 2.,.0.6.1...-...
64 00 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 d.e.t.e.c.t.o.r.
20 00 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 ..-...W.A.R.N.I.

2014-11-21 17:01:39,450 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48AAD2, Value:

55 00 6e 00 69 00 74 00 43 00 72 00 79 00 70 00 U.n.i.t.C.r.y.p.
74 00 53 00 74 00 72 00 69 00 6e 00 67 00 24 00 t.S.t.r.i.n.g.$.
0d 00 0a 00 37 00 35 00 20 00 36 00 65 00 20 00 ....7.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 33 00 35 00 6.9...7.4...3.5.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 36 00 ..0.0...5.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
34 00 39 00 20 00 36 00 65 00 20 00 37 00 33 00 4.9...6.e...7.3.
20 00 37 00 34 00 20 00 36 00 31 00 20 00 36 00 ..7.4...6.1...6.
63 00 20 00 75 00 6e 00 69 00 74 00 35 00 2e 00 c...u.n.i.t.5...
55 00 6e 00 69 00 74 00 49 00 6e 00 73 00 74 00 U.n.i.t.I.n.s.t.
61 00 6c 00 0d 00 0a 00 36 00 63 00 20 00 35 00 a.l.....6.c...5.
33 00 20 00 36 00 35 00 20 00 37 00 32 00 20 00 3...6.5...7.2...
37 00 36 00 20 00 36 00 35 00 20 00 37 00 32 00 7.6...6.5...7.2.
20 00 32 00 34 00 20 00 37 00 35 00 20 00 36 00 ..2.4...7.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
33 00 36 00 20 00 30 00 30 00 20 00 35 00 35 00 3.6...0.0...5.5.

2014-11-21 17:01:39,451 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x487050, Value:

55 00 6e 00 69 00 74 00 49 00 6e 00 6a 00 65 00 U.n.i.t.I.n.j.e.
63 00 74 00 53 00 65 00 72 00 76 00 65 00 72 00 c.t.S.e.r.v.e.r.
0d 00 0a 00 32 00 34 00 20 00 37 00 35 00 20 00 ....2.4...7.5...
36 00 65 00 20 00 36 00 39 00 20 00 37 00 34 00 6.e...6.9...7.4.
20 00 33 00 37 00 20 00 30 00 30 00 20 00 35 00 ..3.7...0.0...5.
35 00 20 00 36 00 65 00 20 00 36 00 39 00 20 00 5...6.e...6.9...
37 00 34 00 20 00 34 00 32 00 20 00 36 00 39 00 7.4...4.2...6.9.
20 00 36 00 65 00 20 00 36 00 34 00 20 00 36 00 ..6.e...6.4...6.
35 00 20 00 24 00 75 00 6e 00 69 00 74 00 37 00 5...$.u.n.i.t.7.
2e 00 55 00 6e 00 69 00 74 00 42 00 69 00 6e 00 ..U.n.i.t.B.i.n.
64 00 65 00 0d 00 0a 00 37 00 32 00 20 00 32 00 d.e.....7.2...2.
34 00 20 00 37 00 35 00 20 00 36 00 65 00 20 00 4...7.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 33 00 38 00 6.9...7.4...3.8.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 36 00 ..0.0...5.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
34 00 39 00 20 00 36 00 65 00 20 00 36 00 61 00 4.9...6.e...6.a.

2014-11-21 17:01:39,453 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48BD4E, Value:

55 00 6e 00 69 00 74 00 49 00 6e 00 6a 00 65 00 U.n.i.t.I.n.j.e.
63 00 74 00 53 00 65 00 72 00 76 00 65 00 72 00 c.t.S.e.r.v.e.r.
0d 00 0a 00 32 00 34 00 20 00 37 00 35 00 20 00 ....2.4...7.5...
36 00 65 00 20 00 36 00 39 00 20 00 37 00 34 00 6.e...6.9...7.4.
20 00 33 00 37 00 20 00 30 00 30 00 20 00 35 00 ..3.7...0.0...5.
35 00 20 00 36 00 65 00 20 00 36 00 39 00 20 00 5...6.e...6.9...
37 00 34 00 20 00 34 00 32 00 20 00 36 00 39 00 7.4...4.2...6.9.
20 00 36 00 65 00 20 00 36 00 34 00 20 00 36 00 ..6.e...6.4...6.
35 00 20 00 24 00 75 00 6e 00 69 00 74 00 37 00 5...$.u.n.i.t.7.
2e 00 55 00 6e 00 69 00 74 00 42 00 69 00 6e 00 ..U.n.i.t.B.i.n.
64 00 65 00 0d 00 0a 00 37 00 32 00 20 00 32 00 d.e.....7.2...2.
34 00 20 00 37 00 35 00 20 00 36 00 65 00 20 00 4...7.5...6.e...
36 00 39 00 20 00 37 00 34 00 20 00 33 00 38 00 6.9...7.4...3.8.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 36 00 ..0.0...5.5...6.
65 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 e...6.9...7.4...
34 00 39 00 20 00 36 00 65 00 20 00 36 00 61 00 4.9...6.e...6.a.

2014-11-21 17:01:39,454 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48ACEC, Value:

55 00 6e 00 69 00 74 00 42 00 69 00 6e 00 64 00 U.n.i.t.B.i.n.d.
65 00 72 00 24 00 0d 00 0a 00 37 00 35 00 20 00 e.r.$.....7.5...
36 00 65 00 20 00 36 00 39 00 20 00 37 00 34 00 6.e...6.9...7.4.
20 00 33 00 38 00 20 00 30 00 30 00 20 00 35 00 ..3.8...0.0...5.
35 00 20 00 36 00 65 00 20 00 36 00 39 00 20 00 5...6.e...6.9...
37 00 34 00 20 00 34 00 39 00 20 00 36 00 65 00 7.4...4.9...6.e.
20 00 36 00 61 00 20 00 36 00 35 00 20 00 36 00 ..6.a...6.5...6.
33 00 20 00 37 00 34 00 20 00 75 00 6e 00 69 00 3...7.4...u.n.i.
74 00 38 00 2e 00 55 00 6e 00 69 00 74 00 49 00 t.8...U.n.i.t.I.
6e 00 6a 00 65 00 63 00 74 00 0d 00 0a 00 35 00 n.j.e.c.t.....5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 33 00 20 00 36 00 35 00 20 00 37 00 33 00 6.3...6.5...7.3.
20 00 37 00 33 00 20 00 35 00 38 00 20 00 37 00 ..7.3...5.8...7.
34 00 20 00 37 00 32 00 20 00 36 00 35 00 20 00 4...7.2...6.5...
36 00 64 00 20 00 36 00 35 00 20 00 30 00 30 00 6.d...6.5...0.0.
20 00 36 00 34 00 20 00 36 00 35 00 20 00 50 00 ..6.4...6.5...P.

2014-11-21 17:01:39,457 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48C68C, Value:

55 00 6e 00 69 00 74 00 42 00 69 00 6e 00 64 00 U.n.i.t.B.i.n.d.
65 00 72 00 24 00 75 00 6e 00 69 00 74 00 38 00 e.r.$.u.n.i.t.8.
0d 00 0a 00 30 00 30 00 20 00 35 00 35 00 20 00 ....0.0...5.5...
36 00 65 00 20 00 36 00 39 00 20 00 37 00 34 00 6.e...6.9...7.4.
20 00 34 00 39 00 20 00 36 00 65 00 20 00 36 00 ..4.9...6.e...6.
61 00 20 00 36 00 35 00 20 00 36 00 33 00 20 00 a...6.5...6.3...
37 00 34 00 20 00 35 00 30 00 20 00 37 00 32 00 7.4...5.0...7.2.
20 00 36 00 66 00 20 00 36 00 33 00 20 00 36 00 ..6.f...6.3...6.
35 00 20 00 2e 00 55 00 6e 00 69 00 74 00 49 00 5.....U.n.i.t.I.
6e 00 6a 00 65 00 63 00 74 00 50 00 72 00 6f 00 n.j.e.c.t.P.r.o.
63 00 65 00 0d 00 0a 00 37 00 33 00 20 00 37 00 c.e.....7.3...7.
33 00 20 00 35 00 38 00 20 00 37 00 34 00 20 00 3...5.8...7.4...
37 00 32 00 20 00 36 00 35 00 20 00 36 00 64 00 7.2...6.5...6.d.
20 00 36 00 35 00 20 00 30 00 30 00 20 00 36 00 ..6.5...0.0...6.
34 00 20 00 36 00 35 00 20 00 37 00 34 00 20 00 4...6.5...7.4...
36 00 35 00 20 00 36 00 33 00 20 00 37 00 34 00 6.5...6.3...7.4.

2014-11-21 17:01:39,457 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48E916, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
0d 00 0a 00 37 00 30 00 20 00 36 00 34 00 20 00 ....7.0...6.4...
33 00 32 00 20 00 30 00 30 00 20 00 35 00 35 00 3.2...0.0...5.5.
20 00 37 00 30 00 20 00 36 00 34 00 20 00 35 00 ..7.0...6.4...5.
34 00 20 00 36 00 39 00 20 00 36 00 64 00 20 00 4...6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 70 00 64 00 32 00 2e 00 55 00 70 00 f...p.d.2...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l.
6f 00 6f 00 0d 00 0a 00 36 00 62 00 20 00 36 00 o.o.....6.b...6.
64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1...
30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 6b 00 6d 00 61 00 31 00 ..2.0...k.m.a.1.

2014-11-21 17:01:39,460 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48F156, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 0d 00 0a 00 U.p.d.J.o.b.....
32 00 34 00 20 00 37 00 35 00 20 00 37 00 30 00 2.4...7.5...7.0.
20 00 36 00 34 00 20 00 33 00 32 00 20 00 30 00 ..6.4...3.2...0.
30 00 20 00 35 00 35 00 20 00 37 00 30 00 20 00 0...5.5...7.0...
36 00 34 00 20 00 35 00 34 00 20 00 36 00 39 00 6.4...5.4...6.9.
20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7.
32 00 20 00 32 00 34 00 20 00 36 00 63 00 20 00 2...2.4...6.c...
24 00 75 00 70 00 64 00 32 00 2e 00 55 00 70 00 $.u.p.d.2...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l.
0d 00 0a 00 36 00 66 00 20 00 36 00 66 00 20 00 ....6.f...6.f...
36 00 62 00 20 00 36 00 64 00 20 00 36 00 31 00 6.b...6.d...6.1.
20 00 33 00 31 00 20 00 30 00 30 00 20 00 34 00 ..3.1...0.0...4.
66 00 20 00 37 00 37 00 20 00 36 00 65 00 20 00 f...7.7...6.e...
36 00 39 00 20 00 36 00 65 00 20 00 36 00 37 00 6.9...6.e...6.7.
20 00 32 00 30 00 20 00 35 00 30 00 20 00 34 00 ..2.0...5.0...4.
33 00 20 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 3...o.o.k.m.a.1.

2014-11-21 17:01:39,460 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48FA0A, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 0d 00 0a 00 35 00 35 00 p.d.2.......5.5.
20 00 37 00 30 00 20 00 36 00 34 00 20 00 35 00 ..7.0...6.4...5.
34 00 20 00 36 00 39 00 20 00 36 00 64 00 20 00 4...6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 55 00 70 00 6.1...3.1...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 0d 00 0a 00 o.o.k.m.a.1.....
30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...

2014-11-21 17:01:39,461 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x490AFE, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T.
0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.

2014-11-21 17:01:39,463 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x491348, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 0d 00 0a 00 36 00 34 00 20 00 33 00 32 00 p.....6.4...3.2.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 37 00 ..0.0...5.5...7.
30 00 20 00 36 00 34 00 20 00 35 00 34 00 20 00 0...6.4...5.4...
36 00 39 00 20 00 36 00 64 00 20 00 36 00 35 00 6.9...6.d...6.5.
20 00 37 00 32 00 20 00 32 00 34 00 20 00 36 00 ..7.2...2.4...6.
63 00 20 00 36 00 66 00 20 00 36 00 66 00 20 00 c...6.f...6.f...
36 00 62 00 20 00 64 00 32 00 2e 00 55 00 70 00 6.b...d.2...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l.
6f 00 6f 00 6b 00 0d 00 0a 00 36 00 64 00 20 00 o.o.k.....6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 e...6.9...6.e...
36 00 37 00 20 00 32 00 30 00 20 00 35 00 30 00 6.7...2.0...5.0.
20 00 34 00 33 00 20 00 34 00 39 00 20 00 32 00 ..4.3...4.9...2.
30 00 20 00 36 00 32 00 20 00 6d 00 61 00 31 00 0...6.2...m.a.1.

2014-11-21 17:01:39,464 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x491B78, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 0d 00 p.d.2...U.p.d...
0a 00 35 00 34 00 20 00 36 00 39 00 20 00 36 00 ..5.4...6.9...6.
64 00 20 00 36 00 35 00 20 00 37 00 32 00 20 00 d...6.5...7.2...
32 00 34 00 20 00 36 00 63 00 20 00 36 00 66 00 2.4...6.c...6.f.
20 00 36 00 66 00 20 00 36 00 62 00 20 00 36 00 ..6.f...6.b...6.
64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1...
30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7.
20 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 ..T.i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 0d 00 0a 00 36 00 65 00 20 00 36 00 39 00 w.....6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2.
20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 36 00 63 00 20 00 36 00 66 00 20 00 4...6.c...6.f...

2014-11-21 17:01:39,467 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x492436, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T.
0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.

2014-11-21 17:01:39,469 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x492C72, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T.
0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.

2014-11-21 17:01:39,470 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48E992, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 0d 00 0a 00 36 00 62 00 $.l.o.o.....6.b.
20 00 36 00 64 00 20 00 36 00 31 00 20 00 33 00 ..6.d...6.1...3.
31 00 20 00 30 00 30 00 20 00 34 00 66 00 20 00 1...0.0...4.f...
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 6b 00 6d 00 4.9...2.0...k.m.
61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 0d 00 0a 00 g...P.C.I.......
0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 31 00 ....2.0.1.4.-.1.
31 00 2d 00 32 00 31 00 20 00 31 00 36 00 3a 00 1.-.2.1...1.6.:.
35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 38 00 5.1.:.4.2.,.0.8.
32 00 20 00 2d 00 20 00 64 00 65 00 74 00 65 00 2...-...d.e.t.e.
63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 57 00 c.t.o.r...-...W.
41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 2d 00 A.R.N.I.N.G...-.

2014-11-21 17:01:39,471 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48F1D2, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 0d 00 0a 00 36 00 66 00 20 00 36 00 $.l.....6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 e...6.9...6.e...
36 00 37 00 20 00 32 00 30 00 20 00 35 00 30 00 6.7...2.0...5.0.
20 00 34 00 33 00 20 00 6f 00 6f 00 6b 00 6d 00 ..4.3...o.o.k.m.
61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n.
67 00 2e 00 50 00 43 00 0d 00 0a 00 34 00 39 00 g...P.C.....4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.
20 00 36 00 62 00 20 00 36 00 64 00 20 00 36 00 ..6.b...6.d...6.
31 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 1...3.2...0.0...
34 00 36 00 20 00 36 00 66 00 20 00 49 00 2e 00 4.6...6.f...I...

2014-11-21 17:01:39,473 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48FA86, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 $.l.o.o.k.m.a.1.
0d 00 0a 00 30 00 30 00 20 00 34 00 66 00 20 00 ....0.0...4.f...
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2.
20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 4.....O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 75 00 g...P.C.I...b.u.
73 00 24 00 0d 00 0a 00 36 00 63 00 20 00 36 00 s.$.....6.c...6.
66 00 20 00 36 00 66 00 20 00 36 00 62 00 20 00 f...6.f...6.b...
36 00 64 00 20 00 36 00 31 00 20 00 33 00 32 00 6.d...6.1...3.2.
20 00 30 00 30 00 20 00 34 00 36 00 20 00 36 00 ..0.0...4.6...6.
66 00 20 00 37 00 32 00 20 00 36 00 64 00 20 00 f...7.2...6.d...
36 00 31 00 20 00 37 00 34 00 20 00 37 00 34 00 6.1...7.4...7.4.

2014-11-21 17:01:39,474 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x4913C4, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 6b 00 0d 00 0a 00 36 00 $.l.o.o.k.....6.
64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1...
30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 6d 00 ..2.0...6.2...m.
61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 0d 00 g...P.C.I...b...
0a 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 36 00 63 00 20 00 36 00 66 00 20 00 4...6.c...6.f...
36 00 66 00 20 00 36 00 62 00 20 00 36 00 64 00 6.f...6.b...6.d.
20 00 36 00 31 00 20 00 33 00 32 00 20 00 30 00 ..6.1...3.2...0.
30 00 20 00 34 00 36 00 20 00 36 00 66 00 20 00 0...4.6...6.f...
37 00 32 00 20 00 36 00 64 00 20 00 36 00 31 00 7.2...6.d...6.1.

2014-11-21 17:01:39,476 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x4935B6, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 $.l.o.o.k.m.a.1.
0d 00 0a 00 30 00 30 00 20 00 34 00 66 00 20 00 ....0.0...4.f...
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2.
20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 4.....O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 75 00 g...P.C.I...b.u.
73 00 24 00 0d 00 0a 00 36 00 63 00 20 00 36 00 s.$.....6.c...6.
66 00 20 00 36 00 66 00 20 00 36 00 62 00 20 00 f...6.f...6.b...
36 00 64 00 20 00 36 00 31 00 20 00 33 00 32 00 6.d...6.1...3.2.
20 00 30 00 30 00 20 00 34 00 36 00 20 00 36 00 ..0.0...4.6...6.
66 00 20 00 37 00 32 00 20 00 36 00 64 00 20 00 f...7.2...6.d...
36 00 31 00 20 00 37 00 34 00 20 00 37 00 34 00 6.1...7.4...7.4.

2014-11-21 17:02:15,836 - detector - INFO - Scanning finished
2014-11-21 17:02:15,838 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 17:02:15,842 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 17:02:15,845 - detector - INFO - Service stopped
2014-11-21 17:02:15,845 - detector - INFO - Analysis finished
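A note on what the log above actually shows. Every "matched" entry is in notepad.exe (pid 8588), and the dumped bytes are UTF-16LE text. Besides the indicator strings the Xtreme and RCS_Scout rules look for (UnitKeylogger, UnitInjectServer, UnitBinder, UpdJob$upd2, UpdTimer$lookma1), the dump at 0x485ED6 decodes to "2014-11-21 16:51:42,061 - detector - WARNI", and the dumps are full of text such as "69 74 33 00 55", i.e. hex-dump lines. In other words, Notepad's memory held the text of a detekt log from an earlier run (16:51, while the scan shown here ran at 17:01), and the rules matched that text. The parser below, added here as an example and not part of detekt or of any post in this thread, decodes the dumps and flags matches whose content is detekt's own output. SAMPLE_LOG is an abridged copy of three dumps from above (most dump lines omitted); the "three or more hex groups" heuristic in HEXDUMP_TEXT_RE is my own assumption, not a detekt feature.

```python
"""Decode the memory dumps in a detekt.log.  Added example for this thread; not
part of detekt or of any post.  SAMPLE_LOG is an abridged copy of dumps above."""
from __future__ import annotations
import re
from dataclasses import dataclass

HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - [\w.]+ - \w+ - "
    r"Process (?P<proc>\S+) \(pid: (?P<pid>\d+)\) matched: (?P<rule>\S+) "
    r"at address: (?P<addr>0x[0-9A-Fa-f]+), Value:$"
)
HEXBYTE_RE = re.compile(r"^[0-9a-fA-F]{2}$")
# Text detekt writes itself.  A process whose memory holds it has a copy of a
# detekt log (e.g. the file open in an editor), and the rules match on that.
SELF_MARKERS = ("detector - WARNI", "detector - INFO")
# Assumed heuristic: three or more "xx " groups in the decoded text look like a
# hex-dump line copied from a log, not like a string inside a RAT binary.
HEXDUMP_TEXT_RE = re.compile(r"(?:[0-9a-f]{2} ){3,}")


@dataclass
class Match:
    timestamp: str
    process: str
    pid: int
    rule: str
    address: int
    raw: bytes = b""

    def decoded(self) -> str:
        # detekt's rules match "wide" strings, so the dump is UTF-16LE text.
        return self.raw.decode("utf-16-le", errors="replace")

    def is_detekt_output(self) -> bool:
        text = self.decoded()
        return any(m in text for m in SELF_MARKERS) or bool(HEXDUMP_TEXT_RE.search(text))


def parse_detekt_log(text: str) -> list[Match]:
    """Pair every 'matched ... Value:' header with the hex-dump lines below it."""
    matches: list[Match] = []
    current: Match | None = None
    for line in text.splitlines():
        head = HEADER_RE.match(line.strip())
        if head:
            current = Match(head["ts"], head["proc"], int(head["pid"]),
                            head["rule"], int(head["addr"], 16))
            matches.append(current)
            continue
        if current is None or not line.strip():
            continue
        hexpart = []
        for tok in line.split():      # leading "xx" tokens; the ASCII column ends them
            if not HEXBYTE_RE.match(tok):
                break
            hexpart.append(tok)
        if hexpart:
            current.raw += bytes.fromhex("".join(hexpart))
        else:
            current = None            # any other line (e.g. "Scanning finished") ends the dump
    return matches


def summarize(matches: list[Match]) -> dict[tuple[str, int, str], tuple[int, int]]:
    """(process, pid, rule) -> (matches, matches whose content is detekt's own text)."""
    out: dict[tuple[str, int, str], tuple[int, int]] = {}
    for m in matches:
        key = (m.process, m.pid, m.rule)
        total, own = out.get(key, (0, 0))
        out[key] = (total + 1, own + int(m.is_detekt_output()))
    return out


# Abridged from the log posted above (dump lines omitted between the kept ones).
SAMPLE_LOG = """\
2014-11-21 17:01:39,447 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x489856, Value:

55 00 6e 00 69 00 74 00 47 00 65 00 74 00 53 00 U.n.i.t.G.e.t.S.
65 00 72 00 76 00 65 00 72 00 24 00 75 00 6e 00 e.r.v.e.r.$.u.n.
0d 00 0a 00 36 00 39 00 20 00 37 00 34 00 20 00 ....6.9...7.4...
33 00 33 00 20 00 30 00 30 00 20 00 35 00 35 00 3.3...0.0...5.5.

2014-11-21 17:01:39,448 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485ED6, Value:

61 00 6c 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 a.l.........2.0.
31 00 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 1.4.-.1.1.-.2.1.
20 00 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 ..1.6.:.5.1.:.4.
32 00 2c 00 30 00 36 00 31 00 20 00 2d 00 20 00 2.,.0.6.1...-...
64 00 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 d.e.t.e.c.t.o.r.
20 00 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 ..-...W.A.R.N.I.

2014-11-21 17:01:39,470 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48E992, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 0d 00 0a 00 36 00 62 00 $.l.o.o.....6.b.
20 00 36 00 64 00 20 00 36 00 31 00 20 00 33 00 ..6.d...6.1...3.
31 00 20 00 30 00 30 00 20 00 34 00 66 00 20 00 1...0.0...4.f...

2014-11-21 17:02:15,836 - detector - INFO - Scanning finished
"""

if __name__ == "__main__":
    found = parse_detekt_log(SAMPLE_LOG)
    for m in found:
        print(f"{m.process}[{m.pid}] {m.rule} @ {m.address:#x}: {m.decoded()!r}"
              f"  detekt_own_text={m.is_detekt_output()}")
    print(summarize(found))
```

Run against a full detekt.log, the summary tells you at a glance whether the hits cluster in one process and whether that process's matched memory is just log text. A match whose decoded value is a RAT's own unit names with no surrounding log or hex-dump text would not be flagged and would deserve a closer look; that is a different picture from the one in this thread.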
         

Alt 23.11.2014, 08:07   #10
schrauber
/// the machine
/// TB-Ausbilder
 

Quote:
Detekt advises never going online with the PC again.
Utter nonsense. Throw Detekt off the disk. Don't believe everything straight away just because some sites are quick to praise some tool to the skies.

The machine has nothing at all.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009


Alt 23.11.2014, 13:48   #11
derdingens
 
Thank you very much for the quick reply.

Best regards,

DerDingens

Alt 24.11.2014, 09:47   #12
schrauber
/// the machine
/// TB-Ausbilder
 

You're welcome.
__________________
regards,
schrauber

