Log analysis and evaluation: Detekt found five! Trojans, virus scanners have found nothing so far. What to do? (Windows 7)

If you have caught a Trojan or keep getting virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. To be able to remove viruses and Trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been removed completely.
21.11.2014, 23:36 | #1
Detekt found five! Trojans, virus scanners have found nothing so far. What to do?

Hello,

I ran Detekt from the Electronic Frontier Foundation over my system today, and it found five RATs. All of the RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far. Detekt advises never going online with the PC again. Are there alternatives to this? What should I do?

Many thanks,
DerDingens

The logs:
1. Addition.txt
2. detekt.log
3. FRST.txt
4. gmer.log
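Editor's added example (not part of the thread, and not Detekt's or Trojaner-Board's code): Detekt works by matching YARA rules against the memory of running processes, so a hit "on ccc.exe" means the rule matched somewhere inside that process's address space, not that the file on disk is malicious. Before either following the "never go online again" advice or dismissing the result, the practical next step is to look at what is actually running in that process: the on-disk image and every DLL mapped into it, with Authenticode status, signer and SHA-256. The script below does that in Windows PowerShell 2.0 (what a stock Windows 7 ships with, hence no Get-FileHash). It assumes the flagged process is still called ccc (adjust -ProcessName otherwise) and should be run from an elevated prompt. Reading the result: an image signed by the vendor named in the installed-programs list (Advanced Micro Devices / ATI Technologies) together with an unsigned or hash-mismatching module loaded from a user-writable path (AppData, Temp, ProgramData) is the shape of injected code and belongs in the thread; everything valid and living under Program Files or System32 means the YARA match needs a second opinion rather than a reinstall. A valid signature is not a clean bill of health, since injection into signed processes is exactly what RATs do; the FRST and GMER logs the helper asks for remain the authoritative route.

```powershell
# Added triage script (not from the thread). For the process Detekt flagged
# (assumed here: ccc.exe, AMD Catalyst Control Center) it reports the main
# image and every module loaded into it: Authenticode status, signer and
# SHA-256, so the hashes can be compared against a vendor hash or looked up
# on a clean machine. Written for Windows PowerShell 2.0 (Windows 7 default);
# run from an elevated prompt.

param(
    [string]$ProcessName = 'ccc'   # assumption: Detekt's hit was the ccc.exe process
)

function Get-Sha256Hex {
    param([string]$Path)
    # Get-FileHash does not exist before PowerShell 4.0, so hash via .NET.
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Path)
    try {
        $bytes = $sha.ComputeHash($stream)
    } finally {
        $stream.Close()
    }
    return ([System.BitConverter]::ToString($bytes)).Replace('-', '').ToLower()
}

function Test-ModuleTrust {
    param([string]$Path)
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = ''
    if ($sig.SignerCertificate) { $subject = $sig.SignerCertificate.Subject }
    New-Object PSObject -Property @{
        Path   = $Path
        Status = $sig.Status     # Valid, NotSigned, HashMismatch, NotTrusted, ...
        Signer = $subject
        Sha256 = Get-Sha256Hex -Path $Path
    }
}

$procs = Get-Process | Where-Object { $_.ProcessName -eq $ProcessName }
if (-not $procs) {
    Write-Warning "No running process named $ProcessName.exe; start it or adjust -ProcessName."
    return
}

foreach ($p in $procs) {
    Write-Host "=== $($p.ProcessName) PID $($p.Id) image: $($p.Path)"

    # Main image first, then every module mapped into the process.
    $paths  = @($p.Path) + @($p.Modules | ForEach-Object { $_.FileName })
    $report = $paths | Sort-Object -Unique | ForEach-Object { Test-ModuleTrust -Path $_ }

    # Review first: anything without a valid signature, or anything loaded from
    # a user-writable directory. A signed image plus an unsigned DLL from
    # AppData/Temp/ProgramData is the classic shape of injected code.
    $suspect = $report | Where-Object {
        $_.Status -ne 'Valid' -or $_.Path -match '\\(AppData|Temp|ProgramData)\\'
    }

    $report | Sort-Object Status | Format-Table Status, Signer, Path -AutoSize | Out-Host
    Write-Host "Modules to review manually: $(@($suspect).Count)"
    $suspect | Format-Table Status, Sha256, Path -AutoSize | Out-Host
}
```

Save as Check-FlaggedProcess.ps1 and run it while Catalyst Control Center is running (it is a per-user tray process, so it must be started in the same session). Module enumeration fails for processes of another user or bitness, which is why the script should be run elevated on this 32-bit installation. Hashes of anything in the "review manually" list are what to post or look up; the signer subject of the image itself should name the vendor that the FRST installed-programs list shows for the Catalyst package.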
22.11.2014, 08:46 | #2
/// the machine /// TB-Ausbilder
Detekt found five! Trojans, virus scanners have found nothing so far. What to do?

Hi,

Please always post logs directly in the thread. If need be, split them up and use several posts. I cannot open attachments at work, thanks. This is how it works: posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
22.11.2014, 11:41 | #3
What to do? Detekt found five! Trojans, virus scanners have found nothing so far.

Hello,

I ran Detekt from the Electronic Frontier Foundation over my system today, and it found five RATs. All of the RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far. Detekt advises never going online with the PC again. Are there alternatives to this? What should I do?

Many thanks,
DerDingens

The logs:
1. Addition.txt
2. detekt.log
3. FRST.txt
4. gmer.log
22.11.2014, 12:05 | #4
/// the machine /// TB-Ausbilder
Detekt found five! Trojans, virus scanners have found nothing so far. What to do?

Hi,

Please always post logs directly in the thread. If need be, split them up and use several posts. I cannot open attachments at work, thanks. This is how it works: posting in CODE tags. Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive first, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:

Regards, schrauber
Proud Member of UNITE and ASAP since 2009
No help via PM!
22.11.2014, 13:52 | #5
What to do? Detekt found five! Trojans, virus scanners have found nothing so far.

Hello,

I ran Detekt from the Electronic Frontier Foundation over my system today, and it found five RATs. All of the RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far. Detekt advises never going online with the PC again. Are there alternatives to this? What should I do?

Many thanks,
DerDingens

Addition.txt
Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20-11-2014
Ran by hcxxx at 2014-11-21 17:30:59
Running from G:\
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AAVUpdateManager (HKLM\...\{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}) (Version: 18.00.0000 - Wolters Kluwer Deutschland GmbH)
Adobe AIR (HKLM\...\Adobe AIR) (Version: 1.5.3.9130 - Adobe Systems Inc.)
Adobe Flash Player 15 ActiveX (HKLM\...\Adobe Flash Player ActiveX) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Flash Player 15 Plugin (HKLM\...\Adobe Flash Player Plugin) (Version: 15.0.0.223 - Adobe Systems Incorporated)
Adobe Reader X (10.1.12) - Deutsch (HKLM\...\{AC76BA86-7AD7-1031-7B44-AA1000000001}) (Version: 10.1.12 - Adobe Systems Incorporated)
Adobe Shockwave Player 12.1 (HKLM\...\Adobe Shockwave Player) (Version: 12.1.3.153 - Adobe Systems, Inc.)
AllDup 3.0.0 (HKLM\...\AllDup_is1) (Version: 3.0.0 - Michael Thummerer Software Design)
Amazon Kindle For PC v1.0 (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Amazon Kindle For PC) (Version: - )
Amazon MP3-Downloader 1.0.9 (HKLM\...\Amazon MP3-Downloader) (Version: - )
AMD Catalyst Install Manager (HKLM\...\{0BD03BF6-3A66-EC7F-5155-28A8D6C69409}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft TotalMedia 3 (HKLM\...\{268CF0B8-CA38-4E20-9E99-514A07F7C1F1}) (Version: - ArcSoft)
ASUSUpdate (HKLM\...\{587178E7-B1DF-494E-9838-FA4DD36E873C}) (Version: - )
ATI AVIVO Codecs (Version: 10.0.0.40103 - ATI Technologies Inc.) Hidden
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version: - )
Avira (HKLM\...\{9480d4af-12b9-4e56-8034-4031ef6ab39d}) (Version: 1.1.25.25607 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.25.25607 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM\...\Avira AntiVir Desktop) (Version: 14.0.7.342 - Avira)
AviSynth 2.5 (HKLM\...\AviSynth) (Version: - )
AVStoDVD 2.1.4 (HKLM\...\AVStoDVD) (Version: 2.1.4 - MrC)
bcTester 4.8 (de) (HKLM\...\{DCA0A35D-30F1-4ED0-971F-5FFD2F60BB08}) (Version: 1.0.0 - QS QualitySoft GmbH)
bcWebCam (HKLM\...\{2C2943D2-61CB-4F91-A3DA-A50FA1E93F54}) (Version: 1.0.0 - QS QualitySoft GmbH)
Belkin 54Mbps Wireless Network Adapter (HKLM\...\{F3759A9F-7AFA-4FB4-8DF1-53F26B979DEE}) (Version: 1.00.01 - Belkin)
Benutzerhandbuch anzeigen (HKLM\...\View User Guide) (Version: 3.60.02.0 - )
Biet-O-Matic v2.12.6 (HKLM\...\Biet-O-Matic v2.12.6) (Version: Biet-O-Matic v2.12.6 - BOM Development Team)
Bing Maps 3D (HKLM\...\{2D87E961-577B-492B-AD54-1368680FB9A7}) (Version: 4.0.903.16005 - Microsoft Corporation)
BlackBerry Link (HKLM\...\BlackBerry_10_Desktop) (Version: 1.2.3.48 - BlackBerry Ltd.)
BlackBerry Link (Version: 1.2.3.48 - BlackBerry Ltd.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
BP MANAGER 6.0 (HKLM\...\{360A4222-B9D2-4B7B-B240-F967289F65D9}) (Version: 1.0.0 - Physio logic)
BufferChm (Version: 130.0.331.000 - Hewlett-Packard) Hidden
calibre (HKLM\...\{0C1A656B-4449-49CB-A1B3-6A8C0986B342}) (Version: 0.6.30 - Kovid Goyal)
Cardiris (Version: 3.01.001 - Ihr Firmenname) Hidden
Cardiris 3.0 LE (HKLM\...\InstallShield_{0143D544-04A4-11D8-944E-000475727249}) (Version: 3.01.001 - Ihr Firmenname)
CCleaner (HKLM\...\CCleaner) (Version: 3.02 - Piriform)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.4852 - CDBurnerXP)
Chipcard master 5.65 (HKLM\...\Chipcard master_is1) (Version: - Dr. Olaf Jacobsen)
Chipcardmaster 7.05 (HKLM\...\Chipcardmaster_is1) (Version: - Dr. Olaf Jacobsen)
Citavi (HKLM\...\{E12C6653-1FF0-4686-ADB8-589C13AE761F}) (Version: 3.2.0.0 - Swiss Academic Software)
Cold Turkey version 0.7 (HKLM\...\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1) (Version: 0.7 - Felix Belzile)
Common Desktop Agent (Version: 1.62.0 - OEM) Hidden
Cool & Quiet (HKLM\...\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}) (Version: - )
CPUID CPU-Z 1.69.2 (HKLM\...\CPUID CPU-Z_is1) (Version: - )
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version: - )
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (Version: 140.0.77.000 - Hewlett-Packard) Hidden
Deutsche Post E-Porto (HKLM\...\{5CCF8330-F742-411A-8A04-719806D168B5}) (Version: 2.3.0 - Deutsche Post AG)
DeviceManagementQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DHTML Editing Component (HKLM\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
DocProc (Version: 13.0.0.0 - Hewlett-Packard) Hidden
DocProcQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Dropbox (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Dropbox) (Version: 2.10.30 - Dropbox, Inc.)
Drv (HKLM\...\{DA71A94B-3617-4935-8BBE-1566B2174C95}) (Version: 1.00.0000 - My Company Name)
DVDFab 6.2.1.8 (31/12/2009) (HKLM\...\DVDFab 6_is1) (Version: - Fengtao Software Inc.)
DVR-MS Converter (HKLM\...\DVR-MS Converter) (Version: 2.6.1 - Dvrsoft)
DVRMSToolbox (HKLM\...\{E7ECD072-02DF-4F24-B5C9-7928A2867B14}) (Version: 1.2.1 - babgvant.com)
Easy ShutDown 3.4 (HKLM\...\Easy ShutDown_is1) (Version: - EasyShutDown.com)
Easy2Sync für Outlook 3.xx (HKLM\...\{EF702322-B623-4B6A-B41D-411725582043}_is1) (Version: - ITSTH)
eSupportQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Felix zweite wundersame Reise (HKLM\...\Felix zweite wundersame Reise) (Version: - )
Flickroom (HKLM\...\Flickroom.7A385545159204287F941528E627F38AD4ECB7C0.1) (Version: v0.60 - Ashu Mittal)
Flickroom (Version: 0.60 - Ashu Mittal) Hidden
Foxit PDF IFilter (HKLM\...\{74E78471-E122-4101-8744-CEB6C5C027A0}) (Version: 2.0.0.519 - Foxit Software)
Foxit Reader (HKLM\...\Foxit Reader) (Version: - )
Free Countdown Timer 2.7.1 (HKLM\...\{404245D0-E836-4737-9C12-D4D0034540F5}_is1) (Version: 2.7 - Comfort Software Group)
Free FLV Converter V 7.1.0 (HKLM\...\Free FLV Converter_is1) (Version: 7.1.0.0 - Koyote Soft)
Free Stopwatch 2.5.0 (HKLM\...\{A1FAC1AF-5615-47FE-B5C8-5E981EC8522B}_is1) (Version: 2.5 - Comfort Software Group)
Free YouTube Download version 2.10.31 (HKLM\...\Free YouTube Download_is1) (Version: - DVDVideoSoft Limited.)
FreeMind (HKLM\...\B991B020-2968-11D8-AF23-444553540000_is1) (Version: 0.8.1 - )
FreeOCR 3.0 (HKLM\...\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}) (Version: 3.0 - Free OCR)
GemPC430 (HKLM\...\{DFD0B53C-7948-4091-82C2-3270A39EE2AC}) (Version: 1.0.0 - Gemplus)
GemPcCCID (HKLM\...\{8BD3AFAF-636E-4516-A7E8-D57CCDBE28B8}) (Version: 2.0.1 - Gemalto)
GIMP 2.6.11 (HKLM\...\WinGimp-2.0_is1) (Version: 2.6.11 - The GIMP Team)
GnuWin32: Bzip2-1.0.5 (HKLM\...\Bzip2-1.0.5_is1) (Version: 1.0.5 - GnuWin32)
GnuWin32: Wget-1.11.4-1 (HKLM\...\Wget-1.11.4-1_is1) (Version: 1.11.4-1 - GnuWin32)
Google Chrome (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Google Chrome) (Version: 38.0.2125.111 - Google Inc.)
Google Drive (HKLM\...\{C60F3836-333A-4AE2-B526-CFDBA143A9BA}) (Version: 1.18.7821.2489 - Google, Inc.)
Google Earth (HKLM\...\{4D2A6330-2F8B-11E3-9C40-B8AC6F97B88E}) (Version: 7.1.2.2041 - Google)
Google Talk Plugin (HKLM\...\{0C5C1177-94C5-3EFB-A8BE-3F6AF1AF887F}) (Version: 5.38.6.0 - Google)
Google Update Helper (Version: 1.3.25.11 - Google Inc.) Hidden
GPBaseService2 (Version: 130.0.371.000 - Hewlett-Packard) Hidden
Gpg4win (2.1.1-34299-beta) (HKLM\...\GPG4Win) (Version: 2.1.1-34299-beta - The Gpg4win Project)
GPL Ghostscript (HKLM\...\GPL Ghostscript 9.04) (Version: 9.04 - Artifex Software Inc.)
HP Imaging Device Functions 13.0 (HKLM\...\HP Imaging Device Functions) (Version: 13.0 - HP)
HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP)
HP Photosmart Essential 3.5 (HKLM\...\HP Photosmart Essential) (Version: 3.5 - HP)
HP Scanjet G3010 (HKLM\...\{E2A59F15-F731-4062-9BB7-3C99D8F15756}) (Version: 13.0 - HP)
HP Scanjet G3010 and 4370 9.0 (HKLM\...\{696A666D-7CB6-40f6-B394-BD3EEDAA2B99}) (Version: 9.0 - HP)
HP Solution Center 13.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 13.0 - HP)
HP Update (HKLM\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
hpg3010 (Version: 13.0.0.0 - Ihr Firmenname) Hidden
hpg3010QFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
HPPhotosmartEssential (Version: 2.04.0000 - Hewlett-Packard) Hidden
HPProductAssistant (Version: 130.0.371.000 - Hewlett-Packard) Hidden
HydraVision (Version: 4.2.92.0 - ATI Technologies Inc.) Hidden
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.0.0 - LIGHTNING UK!)
Inkscape 0.47 (HKLM\...\Inkscape) (Version: 0.47 - )
inSSIDer (HKLM\...\{C7DEE429-4C9B-4126-894F-50B4F54FF196}) (Version: 1.2.8 - MetaGeek, LLC)
iPhone-Konfigurationsprogramm (HKLM\...\{B90FCEB7-2B0C-4D27-95B5-54238DF059ED}) (Version: 3.6.2.300 - Apple Inc.)
IPWizard (HKLM\...\{6C71E42B-7D26-4638-8EC4-364E9E881747}) (Version: 2.0.2.0 - A-MTK)
iTunes (HKLM\...\{F32DC846-4457-40A8-BECA-BCC0E960BC53}) (Version: 11.4.0.18 - Apple Inc.)
JDownloader (HKLM\...\JDownloader) (Version: 0.89 - AppWork UG (haftungsbeschränkt))
Juniper Networks Network Connect 7.1.0 (HKLM\...\Juniper Network Connect 7.1.0) (Version: 7.1.0.19243 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Juniper_Setup_Client) (Version: 7.1.4.13103 - Juniper Networks, Inc.)
Juniper Networks, Inc. Setup Client Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
KeyboardTest V3.0 (HKLM\...\KeyboardTest_is1) (Version: - PassMark Software)
Kindle Auto eBook Converter 0.4.50 (HKLM\...\Kindle Auto eBook Converter) (Version: 0.4.50 - The Messenger)
LG United Mobile Driver (HKLM\...\{2A3A4BD6-6CE0-4e2a-80D2-1D0FF6ACBFBA}) (Version: 3.10.1.0 - LG Electronics)
Logitech Media Server 7.7.4 (HKLM\...\Logitech Media Server_is1) (Version: 7.7.4 - Logitech)
Luka (HKLM\...\Luka) (Version: - )
Magical Jelly Bean KeyFinder (HKLM\...\KeyFinder_is1) (Version: 2.0.10.9 - Magical Jelly Bean)
maxdome - Online Videothek Version 3.0.0 (HKLM\...\maxdome - Online Videothek_is1) (Version: - maxdome)
MB-Ruler (HKLM\...\{7363206E-C7BD-45CD-89A0-792B28409811}_is1) (Version: 5.1 - Markus Bader)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
MD 86097 W-LAN USB Remote Hub (HKLM\...\{C4F43749-7088-40E2-83BE-039E68FE1BBC}) (Version: 1.02.0000 - Medion)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Compact Framework 3.5 (HKLM\...\{72CCBEA1-8D57-4981-A337-81019F28C5BA}) (Version: 3.5.7283 - Microsoft Corporation)
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU (HKLM\...\Microsoft .NET Framework 3.5 Language Pack SP1 - deu) (Version: - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version: - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Baseline Security Analyzer 2.2 (HKLM\...\{13CD417D-F1F1-4AC4-945D-FDDEB884756F}) (Version: 2.2.2170 - Microsoft Corporation)
Microsoft Flight Simulator X (HKLM\...\InstallShield_{F535B2CF-C9BB-4162-B03A-02D6971F32CC}) (Version: 10.0.60905 - Microsoft Game Studios)
Microsoft IntelliPoint 7.0 (HKLM\...\{EF71A531-5B6C-4B20-8D1E-E6379C7FB6D3}) (Version: 7.0.260.0 - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version: - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM\...\{95140000-0081-0407-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Ultimate 2007 (HKLM\...\ULTIMATER) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\OneDriveSetup.exe) (Version: 17.3.1229.0918 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 ENU (HKLM\...\{3A9FC03D-C685-4831-94CF-4EDFD3749497}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x86) ENU (HKLM\...\{FF63121D-91C6-42CC-B341-F1AA729728E7}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x86) ENU (HKLM\...\{D3A80508-CD83-4CA3-8671-914A1BC78B61}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}) (Version: 8.0.58299 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Mobile Partner (HKLM\...\Mobile Partner) (Version: 11.302.09.01.528 - Huawei Technologies Co.,Ltd)
Mozilla Firefox 33.1 (x86 de) (HKLM\...\Mozilla Firefox 33.1 (x86 de)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 32.0 - Mozilla)
Mpeg2Decoder 1.3 (HKLM\...\Mpeg2Decoder_is1) (Version: - DeskShare)
mpowerplayer (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\mpowerplayer) (Version: - mpowerplayer inc.)
MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MyFreeCodec (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\MyFreeCodec) (Version: - )
MyPhoneExplorer (HKLM\...\MPE) (Version: 1.8.6 - F.J. Wechselberger)
NEC Electronics USB 3.0 Host Controller Driver (HKLM\...\InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}) (Version: 1.0.18.0 - NEC Electronics Corporation)
NEC Electronics USB 3.0 Host Controller Driver (Version: 1.0.18.0 - NEC Electronics Corporation) Hidden
NEF Codec (HKLM\...\{A89768CF-CD21-44FD-A723-16D5A8557415}) (Version: 1.00.0000 - Nikon)
NETGEAR XAV101 Configuration Utility (Version: 2.0.0.7 - NETGEAR Inc.) Hidden
NETGEAR XAV101-Konfigurationsprogramm (HKLM\...\InstallShield_{BB3194A0-B33D-45DB-B386-94C458292FC6}) (Version: 2.0.0.7 - NETGEAR Inc.)
Nikon Message Center (HKLM\...\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}) (Version: 0.92.000 - Nikon)
Nikon View 6 (HKLM\...\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}) (Version: - )
NirSoft BlueScreenView (HKLM\...\NirSoft BlueScreenView) (Version: - )
OCR Software by I.R.I.S. 13.0 (HKLM\...\HPOCR) (Version: 13.0 - HP)
Office-Bibliothek (HKLM\...\{5C81B189-5456-40C4-9313-7FE6FA6DD64C}) (Version: 5.00.4 - Bibliographisches Institut & F.A. Brockhaus AG)
OpenOffice.org 3.4.1 (HKLM\...\{2303AEEA-0FA8-4AFD-80A9-8F86BA4B44D2}) (Version: 3.41.9593 - Apache Software Foundation)
OpenSSL 1.0.1e Light (32-bit) (HKLM\...\OpenSSL Light (32-bit)_is1) (Version: - OpenSSL Win32 Installer Team)
Oracle VM VirtualBox 4.1.8 (HKLM\...\{611E3800-CE31-4953-8AD4-5657B6EE7ACF}) (Version: 4.1.8 - Oracle Corporation)
Outlook Tools (HKLM\...\{A3D5974C-59EC-486C-8654-20339CBDE698}) (Version: 3.15.0001 - Andreas Schultz Software)
Paint.NET v3.5.8 (HKLM\...\{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}) (Version: 3.58.0 - dotPDN LLC)
PanoStandAlone (Version: 90.0.146.000 - Hewlett-Packard) Hidden
Parrot Audio Suite (HKLM\...\Parrot Audio Suite) (Version: - )
Parrot Software Update Tool (HKLM\...\Parrot Flash Update Wizard) (Version: - )
PC Inspector File Recovery (HKLM\...\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}) (Version: 4.0 - )
PDF Blender (HKLM\...\PDF Blender) (Version: - )
Pdf Editor (HKLM\...\{729E66B3-1B80-4F3F-8D29-342A89631E0A}_is1) (Version: - )
PDF24 Creator 6.1.0 (HKLM\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version: - PDF24.org)
PhonerLite 1.95 (HKLM\...\PhonerLite_is1) (Version: 1.95 - sipgate GmbH)
Photo Scanner (HKLM\...\{FD0CE525-C8BA-4DF4-927F-C7F8ED66E35F}) (Version: 2.2.2 - Trundicho)
PHOTOfunSTUDIO 5.0 HD Edition (HKLM\...\{959282E3-55A9-49D8-B885-D27CF8A2FD82}) (Version: 5.00.319 - Panasonic Corporation)
Physio Logic BP Manager (HKLM\...\Physio Logic BP Manager) (Version: - )
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Picture Control Utility (HKLM\...\{87441A59-5E64-4096-A170-14EFE67200C3}) (Version: 1.1.5 - Nikon)
Picture2avi uninstaller (HKLM\...\Picture2avi_is1) (Version: 3.3.0.0 - picture2avi.com)
Planet CamViewer Lite 1.0.3 (HKLM\...\{894E8982-4032-4FAD-8A4A-AD4E4089B22A}) (Version: 1.0.3 - Planet)
PLANET IP Wizard II 3.0.0.6043 (HKLM\...\{45E990DB-ECDC-4D27-B1C3-21DD124F7DF3}_is1) (Version: - PLANET Technology Corporation.)
Python 2.6 (HKLM\...\{110EB5C4-E995-4CFB-AB80-A5F315BEA9E8}) (Version: 2.6.150 - Python Software Foundation)
QRCode (HKLM\...\{4D13D187-BA0B-4319-B8FE-7C3613E73278}) (Version: 2.10.0 - TouchUpSoft)
QuickMark (HKLM\...\{53B0213C-CC0C-4340-90BF-BFC7D3FE5BB4}) (Version: 3.8.0 - SimpleAct)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Readiris Pro 11 (HKLM\...\{E9E9734C-2EE2-4381-ACCA-AC9B8D372DCC}) (Version: 11.00.5295 - I.R.I.S.)
RealDownloader (Version: 1.3.3 - RealNetworks, Inc.) Hidden
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM\...\RealPlayer 16.0) (Version: 16.0.3 - RealNetworks)
REALTEK DTV USB DEVICE (HKLM\...\{DDBB7C89-1A09-441E-AA0F-6AA465755C17}) (Version: 1.00.0000 - Realtek)
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
RssBandit (HKLM\...\{3CBE6C15-21D4-4F88-AB52-72446A6C6429}) (Version: 1.9.1003 - rssbandit.org)
Samsung CLP-300 Series (HKLM\...\Samsung CLP-300 Series) (Version: - Samsung Electronics CO.,LTD)
Samsung CLP-360 Series (HKLM\...\Samsung CLP-360 Series) (Version: 1.12 (05.12.2013) - Samsung Electronics Co., Ltd.)
Samsung Easy Printer Manager (HKLM\...\Samsung Easy Printer Manager) (Version: 1.03.17.00(12.04.2013) - Samsung Electronics Co., Ltd.)
Samsung Kies (HKLM\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.0.2.11071_128 - Samsung Electronics Co., Ltd.)
Samsung Kies (Version: 2.0.2.11071_128 - Samsung Electronics Co., Ltd.) Hidden
Samsung Printer Live Update (HKLM\...\Samsung Printer Live Update) (Version: 1.01.00:04(2013-04-22) - Samsung Electronics Co., Ltd.)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.18.0 - SAMSUNG Electronics Co., Ltd.)
Scan (Version: 140.0.80.000 - Hewlett-Packard) Hidden
ScannerCopy (Version: 9.0.0.0 - Hewlett-Packard) Hidden
SDFormatter (HKLM\...\{A5355F15-F98B-4704-9BAE-E53B9FE48F48}) (Version: 3.1.0 - SD Association)
SecureW2 EAP Suite 1.1.3 for Windows (HKLM\...\SecureW2 EAP Suite) (Version: - )
Segoe UI (Version: 15.4.2271.0615 - Microsoft Corp) Hidden
SILKYPIX Developer Studio 3.1 SE (HKLM\...\InstallShield_{0A04086B-0B71-43C3-95EF-FDFC4C18D161}) (Version: 3 - Ichikawa Soft Laboratory)
SILKYPIX Developer Studio 3.1 SE (Version: 3 - Ichikawa Soft Laboratory) Hidden
sipgate Faxdrucker (HKLM\...\{3C4AFFF7-968F-4912-BF73-46774C8E4D15}) (Version: 1.0.3 - sipgate GmbH)
SIZCHIP 2.0.0.4 NPAPI (HKLM\...\SIZCHIP-Plugin-Mozilla-20) (Version: 2.0.0.4 - SIZ GmbH)
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 5.11.9874 - Skype Technologies S.A.)
SkypeMate (HKLM\...\SkypeMate) (Version: - SkypeMate)
Skype™ 6.21 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SMPlayer 0.6.8 (HKLM\...\SMPlayer) (Version: 0.6.8 - RVM)
Softsqueeze 3.9b2 (HKLM\...\Softsqueeze 3.9b2) (Version: - Ralph Irving)
SolutionCenter (Version: 130.0.373.000 - Hewlett-Packard) Hidden
SpeedFan (remove only) (HKLM\...\SpeedFan) (Version: - )
SqueezePlay 7.6.2 (HKLM\...\{09B790E3-21E3-4D1A-8130-AAA9227C9785}_is1) (Version: - Logitech)
Steuer-Spar-Erklärung 2010 (HKLM\...\{D8E1DFEE-622B-46BA-AEFF-AB7E541C0B21}) (Version: 15.13 - Akademische Arbeitsgemeinschaft Verlag)
Steuer-Spar-Erklärung 2011 (HKLM\...\{9F5FD796-86F0-4360-85F8-D54C0F5411EB}) (Version: 16.16 - Akademische Arbeitsgemeinschaft Verlag)
Steuer-Spar-Erklärung 2012 (HKLM\...\{CCD2BAD2-0919-40CB-80CC-E9538B0E4C2E}) (Version: 17.11 - Wolters Kluwer Deutschland GmbH)
Steuer-Spar-Erklärung 2013 (HKLM\...\{AEB61F7A-4BBA-4292-A096-7893E09034A4}) (Version: 18.09 - Wolters Kluwer Deutschland GmbH)
SteuerSparErklärung 2014 (HKLM\...\{A463EB06-22A6-47F5-9593-E52B291EF13E}) (Version: 19.12.92 - Akademische Arbeitsgemeinschaft)
Streamripper (Remove only) (HKLM\...\Streamripper) (Version: - )
StreamTransport version: 1.0.2.2171 (HKLM\...\{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1) (Version: - )
SupervisionCam (HKLM\...\SupervisionCam) (Version: - )
Sweet Home 3D version 4.4 (HKLM\...\Sweet Home 3D_is1) (Version: - eTeks)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
SyncToy 2.1 (x86) (HKLM\...\{A066194B-DC8F-449A-8E0F-B57BDD3A2072}) (Version: 2.1.0 - Microsoft)
TCPMP (HKLM\...\TCPMP) (Version: - )
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
The Lord of the Rings FREE Trial (Version: 1.00.0000 - ATI Technologies Inc.) Hidden
TM PowerPoint Timer (HKLM\...\TM PowerPoint Timer_is1) (Version: - tushar-mehta.com)
Total Commander (Remove or Repair) (HKLM\...\Totalcmd) (Version: 7.50a - Ghisler Software GmbH)
Tradesignal Web Edition (HKLM\...\{BF8C49DF-64D5-459A-8790-69479C60F49B}) (Version: 5.6.409 - Tradesignal GmbH)
TrayStatus 1.2.3 (HKLM\...\d6b74f60-2e9d-4c60-a8b7-b7d737c44ad4_is1) (Version: 1.2.3.0 - Binary Fortress Software)
TuneUp Companion 2.2.3 (HKLM\...\TuneUpMedia) (Version: 2.2.3 - TuneUp Media, Inc.)
Turbo Lister 2 (HKLM\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.)
TweetDeck (HKLM\...\{FA6381E9-96D2-4F6F-866C-4D16E5986FF6}) (Version: 2.7.1 - Twitter, Inc.)
Ultimate Extras sounds from Microsoft® Tinker™ (HKLM\...\UltSounds2) (Version: - Microsoft Corporation)
Uninstall 1.0.0.1 (HKLM\...\Uninstall_is1) (Version: - )
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version: - Microsoft)
Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM\...\{90120000-0016-0407-0000-0000000FF1CE}_ULTIMATER_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version: - Microsoft)
Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM\...\{90120000-001A-0407-0000-0000000FF1CE}_ULTIMATER_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version: - Microsoft)
Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM\...\{90120000-0018-0407-0000-0000000FF1CE}_ULTIMATER_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version: - Microsoft)
Update für Microsoft Office Word 2007 Help (KB963665) (HKLM\...\{90120000-001B-0407-0000-0000000FF1CE}_ULTIMATER_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version: - Microsoft)
Utilities and SDK for UNIX-based Applications (HKLM\...\{DB88A98A-792B-4441-8E60-05A6D3E2B2C0}) (Version: 10.0.6030.0 - Microsoft Corporation)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
VLC Streamer 1.21 (HKLM\...\VLC Streamer_is1) (Version: - )
Voxware Audio decoder 1.6 (HKLM\...\voxware_is1) (Version: 1.6.0 - )
WebReg (Version: 130.0.132.017 - Hewlett-Packard) Hidden
WebSite-Watcher 2011 (11.0) (HKLM\...\aigneswebsitewatcher_is1) (Version: 2011 (11.0) - www.aignes.com)
Windows 7 Upgrade Advisor Beta (HKLM\...\{4394DC3A-5DAC-4C80-A86E-FF462D0AD653}) (Version: 2.0.1125.0 - Microsoft Corporation)
Windows 7 USB/DVD Download Tool (HKLM\...\{CCF298AF-9CE1-4B26-B251-486E98A34789}) (Version: 1.0.30 - Microsoft Corporation)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Mesh ActiveX control for remote connections (HKLM\...\{C5398A89-516C-4DAF-BA07-EE7949090E56}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{586509F0-350D-48B5-B763-9CC2F8D96C4C}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Mobile-Gerätecenter (HKLM\...\{904CCF62-818D-4675-BC76-D37EB399F917}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows Mobile-Gerätecenter: Treiberupdate (HKLM\...\{E7044E25-3038-4A76-9064-344AC038043E}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows-Soundschemas (HKLM\...\UltSounds) (Version: - Microsoft Corporation)
WinHTTrack Website Copier 3.43-9C (HKLM\...\WinHTTrack Website Copier_is1) (Version: 3.43.9 - HTTrack)
WinSCP 4.3.4 (HKLM\...\winscp3_is1) (Version: 4.3.4 - Martin Prikryl)
Xaldon WebSpider2 (HKLM\...\WebSpider2) (Version: - )
XMedia Recode Version 3.1.2.5 (HKLM\...\{DDA3C325-47B2-4730-9672-BF3771C08799}_is1) (Version: 3.1.2.5 - XMedia Recode)
Xvid 1.2.2 final uninstall (HKLM\...\Xvid_is1) (Version: 1.2 - Xvid team (Koepi))
XviD4PSP 5.0 (HKLM\...\XviD4PSP5) (Version: 5.037 - Winnydows)
ZDFmediathek Version 2.1.6 (HKLM\...\ZDFmediathek_is1) (Version: - ZDF)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{022105BD-948A-40C9-AB42-A3300DDF097F}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\ProgramData\EasyBits GO\ezGameXN.dll (EasyBits Media)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.99\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.69\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{22181302-A8A6-4F84-A541-E5CBFC70CC43}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{2F0E2680-9FF5-43C0-B76E-114A56E93598}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.79\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{39125640-8D80-11DC-A2FE-C5C455D89593}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Google Talk Plugin\googletalkax.dll (Google)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\ProgramData\EasyBits GO\ezGameXN.dll (EasyBits Media)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{51F9E8EF-59D7-475B-A106-C7EA6F30C119}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Chrome\Application\38.0.2125.111\delegate_execute.exe (Google Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}\localserver32 -> C:\Users\hcxxx\AppData\Local\Temp\{d5641912-e47a-429c-879e-cfe13eac7a13}\IDriver.NonElevated.exe (Macrovision Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\localserver32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.165\psuser.dll No File CustomCLSID: 
HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\localserver32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{AB9F4455-E591-4132-A386-0B91EAEDB96C}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Google Talk Plugin\o1dax.dll (Google) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{C3101A8B-0EE1-4612-BFE9-41FFC1A3C19D}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{C442AC41-9200-4770-8CC0-7CDB4F245C55}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\npGoogleUpdate3.dll (Google Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{D0336C0B-7919-4C04-8CCE-2EBAE2ECE8C9}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\psuser.dll (Google Inc.) 
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.65\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{E67BE843-BBBE-4484-95FB-05271AE86750}\localserver32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\GoogleUpdateOnDemand.exe (Google Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{E8CF3E55-F919-49D9-ABC0-948E6CB34B9F}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.11\psuser.dll (Google Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\FileSyncApi.dll (Microsoft Corporation) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.) 
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File ==================== Restore Points ========================= 01-11-2014 13:10:21 Geplanter Prüfpunkt 02-11-2014 09:52:09 Geplanter Prüfpunkt 03-11-2014 13:36:30 Windows Update 04-11-2014 13:31:34 Geplanter Prüfpunkt 06-11-2014 14:59:48 Geplanter Prüfpunkt 06-11-2014 21:11:13 Windows Update 07-11-2014 14:02:55 Geplanter Prüfpunkt 08-11-2014 17:04:24 Geplanter Prüfpunkt 09-11-2014 12:08:52 Geplanter Prüfpunkt 10-11-2014 07:37:19 Windows Update 12-11-2014 08:35:13 Geplanter Prüfpunkt 12-11-2014 13:35:46 Windows Update 16-11-2014 10:49:12 Windows Update 18-11-2014 14:43:27 Geplanter Prüfpunkt 19-11-2014 08:54:16 Windows Update 21-11-2014 13:32:51 Geplanter Prüfpunkt ==================== Hosts content: ========================== (If needed Hosts: directive could be included in the fixlist to reset Hosts.) 2006-11-02 11:23 - 2006-09-18 22:41 - 00000761 ____N C:\Windows\system32\Drivers\etc\hosts 127.0.0.1 localhost ::1 localhost ==================== Scheduled Tasks (whitelisted) ============= (If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.) Task: {02DCC829-85C6-4BAA-9E9C-043C5CBC851E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.) Task: {08D52DD5-6C27-4AE6-9CED-D0FD374C2FF9} - System32\Tasks\RealUpgradeLogonTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.) 
Task: {1139090C-EBC0-4AA9-BF53-A49AA81E0EDF} - System32\Tasks\RealDownloaderRealUpgradeLogonTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.) Task: {201DA040-F03B-4AFA-AEDF-BFCE44AF35EC} - System32\Tasks\RealDownloaderDownloaderScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\RealNetworks\RealDownloader\recordingmanager.exe [2013-08-14] (RealNetworks, Inc.) Task: {2C0AA312-7EDA-477A-9208-C08FA901F855} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000Core => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.) Task: {2FD76A5C-B6A6-4427-AA91-E9758E4B12B8} - System32\Tasks\GoogleUpdateTaskMachineCore => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.) Task: {33B36DA1-BFAB-47A2-ABF7-F3E689DAB4ED} - System32\Tasks\RealPlayerRealUpgradeLogonTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.) Task: {47FEAD1F-2D66-4839-BA8A-6A3E80F9A940} - System32\Tasks\RealUpgradeScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.) Task: {4A242C24-5D17-4EC7-BD63-17B5E5B6799F} - System32\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000UA => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.) Task: {4C7FC6FB-94B2-4285-87F3-0F17BFD3A410} - System32\Tasks\{5A65B82E-701D-4437-BF1E-827A0FB59262} => C:\Program Files\Skype\Phone\Skype.exe [2014-10-01] (Skype Technologies S.A.) 
Task: {5DC911FF-9916-42F4-A00C-5BB92BBC36C9} - System32\Tasks\Speedfan => C:\Program Files\SpeedFan\speedfan.exe [2013-03-15] (Almico Software (www.almico.com)) Task: {62233372-8613-4E55-975A-FB964A71633A} - System32\Tasks\GoogleUpdateTaskMachineUA => C:\Program Files\Google\Update\GoogleUpdate.exe [2014-10-30] (Google Inc.) Task: {938DB33E-790E-44BE-848E-F81D61940580} - System32\Tasks\RealDownloaderRealUpgradeScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\RealNetworks\RealDownloader\realupgrade.exe [2013-08-14] (RealNetworks, Inc.) Task: {9D0B106D-39BC-4E6A-B2F7-D310FAE7FE9B} - System32\Tasks\{A747F6B7-1362-4573-BBCD-2BF0ABAF512E} => C:\Program Files\Skype\\Phone\Skype.exe [2014-10-01] (Skype Technologies S.A.) Task: {9FDC235A-FA74-45A5-BD1C-8C0EA7EB13C5} - System32\Tasks\Hibernate Computer Daily At 22 Hour(s) and 45 Minute(s) => C:\Program Files\Easy ShutDown\EasyShutDown.exe [2011-03-26] () Task: {D5EBFA6D-A57E-4B10-B41E-123D28450B01} - System32\Tasks\Adobe Flash Player Updater => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe [2014-11-11] (Adobe Systems Incorporated) Task: {DD2C4867-CB11-4B95-9C9A-57EFB744FD35} - System32\Tasks\RealPlayerRealUpgradeScheduledTaskS-1-5-21-2717335284-3986619703-2298539805-1000 => C:\Program Files\Real\RealUpgrade\RealUpgrade.exe [2013-08-14] (RealNetworks, Inc.) Task: {FBBD46A1-72BF-4507-965A-F2EDF6D3B2FB} - System32\Tasks\Microsoft_Hardware_Launch_IPoint_exe => C:\Program Files\Microsoft IntelliPoint\IPoint.exe [2009-05-28] (Microsoft Corporation) (If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.) 
Task: C:\Windows\Tasks\Adobe Flash Player Updater.job => C:\Windows\system32\Macromed\Flash\FlashPlayerUpdateService.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job => C:\Program Files\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job => C:\Program Files\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000Core.job => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\GoogleUpdateTaskUserS-1-5-21-2717335284-3986619703-2298539805-1000UA.job => C:\Users\hcxxx\AppData\Local\Google\Update\GoogleUpdate.exe Task: C:\Windows\Tasks\Hibernate Computer Daily At 22 Hour(s) and 45 Minute(s).job => C:\Program Files\Easy ShutDown\EasyShutDown.exe ==================== Loaded Modules (whitelisted) ============= 2009-11-04 13:24 - 2007-07-12 22:33 - 00087552 _____ () C:\Windows\System32\cpwmon2k.dll 2014-08-29 10:53 - 2013-05-15 07:32 - 00024064 _____ () C:\Windows\System32\sst6clm.dll 2014-08-29 10:53 - 2012-01-09 14:31 - 00024064 _____ () C:\Windows\System32\sst6ylm.dll 2009-05-18 13:55 - 2007-03-14 13:33 - 00022723 _____ () C:\Windows\System32\sugg1l3.dll 2008-10-24 15:35 - 2008-10-24 15:35 - 00128296 _____ () C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe 2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll 2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll 2012-05-02 16:08 - 2012-05-02 16:08 - 00221696 _____ () C:\Program Files\GNU\GnuPG\dirmngr.exe 2012-05-02 16:06 - 2012-05-02 16:06 - 00209408 _____ () C:\Program Files\GNU\GnuPG\libksba-8.dll 2012-05-02 16:03 - 2012-05-02 16:03 - 00047616 _____ () C:\Program Files\GNU\GnuPG\libgpg-error-0.dll 2012-05-02 16:02 - 2012-05-02 16:02 - 00039936 _____ () C:\Program Files\GNU\GnuPG\libw32pth-0.dll 2012-05-02 
16:06 - 2012-05-02 16:06 - 00075264 _____ () C:\Program Files\GNU\GnuPG\libassuan-0.dll 2012-05-02 16:06 - 2012-05-02 16:06 - 00641536 _____ () C:\Program Files\GNU\GnuPG\libgcrypt-11.dll 2011-03-03 19:27 - 2011-03-03 19:27 - 00009728 _____ () C:\Program Files\DVRMSToolbox\DTBFWService.exe 2013-08-14 14:19 - 2013-08-14 14:19 - 00039056 _____ () C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe 2009-06-24 08:28 - 2005-01-14 14:32 - 00053248 _____ () C:\Windows\System32\PAStiSvc.exe 2014-08-29 10:52 - 2013-05-15 07:32 - 01015296 _____ () C:\Windows\system32\spool\DRIVERS\W32X86\3\sst6cdu.dll 2010-04-07 02:22 - 2013-04-30 03:46 - 00037376 _____ () C:\Windows\system32\atitmpxx.dll 2014-11-21 08:37 - 2014-11-21 15:52 - 00158720 _____ () C:\Users\hcxxx\AppData\Local\Temp\sfareca00001.dll 2009-05-21 20:18 - 2014-11-21 15:52 - 00192512 _____ () C:\Users\hcxxx\AppData\Local\Temp\sfamcc00001.dll 2014-09-25 11:16 - 2014-09-25 11:16 - 00081056 _____ () C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.DLL 2012-05-02 16:07 - 2012-05-02 16:07 - 00624640 _____ () C:\Program Files\GNU\GnuPG\gpgex.dll 2013-04-12 09:25 - 2013-04-12 09:25 - 00699952 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe 2006-09-19 09:07 - 2006-09-19 09:07 - 00827392 _____ () C:\Windows\vsnpstd3.exe 2012-03-09 08:58 - 2012-03-09 08:58 - 00350072 _____ () C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe 2012-03-09 08:58 - 2012-03-09 08:58 - 00056696 _____ () C:\Program Files\Common Files\Common Desktop Agent\CDASrvPS.dll 2012-05-30 23:17 - 2011-03-26 20:22 - 00164864 _____ () C:\Program Files\Easy ShutDown\EasyShutDown.exe 2014-09-25 11:16 - 2014-09-25 11:16 - 00081056 _____ () C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.dll 2014-10-16 09:41 - 2014-10-16 09:41 - 00184320 _____ () 
C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.Commonc65c5a95#\086a6d7a1b67ee702557defcde5f85b5\Kies.Common.DeviceServiceLib.Interface.ni.dll 2014-10-16 11:30 - 2014-10-16 11:30 - 17553920 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.Theme\b863b058df2bc3ba024231c9ff597138\Kies.Theme.ni.dll 2014-10-16 09:41 - 2014-10-16 09:41 - 01792000 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.UI\b07928f0c453603bea895b4ce2ee168d\Kies.UI.ni.dll 2014-10-16 09:41 - 2014-10-16 09:41 - 00081920 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.MVVM\f1de49400c4567d381ba7e17b1b9c52a\Kies.MVVM.ni.dll 2014-10-16 09:42 - 2014-10-16 09:42 - 00236032 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\ASF_cSharpAPI\6815ff93472d008087880a6462931188\ASF_cSharpAPI.ni.dll 2012-12-20 10:12 - 2012-12-20 10:12 - 00582144 _____ () C:\Program Files\SkypeMate\SkypeMate.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00028774 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\c5cce8d16a1bd48692b421dcf46d3396\Util.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00032878 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00028779 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00020601 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\4461f48e31bde5c56b31b973b773de09\List.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00118918 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00082048 ____R () 
C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00020576 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00036964 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\f233f63b6654362865c7577442edb9e3\Win32.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00082033 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00024676 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00061540 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\e56c61f7248672819579325af3387035\POSIX.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00094334 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\eb138ef0e4282611dbf485a302784646\LibYAML.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00053340 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00184414 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\bd5179a413bc0c4b82eedc22c6cab101\re.dll 2014-11-21 15:49 - 2014-11-21 15:49 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\93e7e3d6030f426844228042348210cf\Service.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00043008 _____ () c:\users\hcxxx\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7gj1zp.dll 2013-08-23 20:01 - 2013-08-23 20:01 - 25100288 _____ () C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\libcef.dll 2013-06-18 14:49 - 2013-06-18 14:49 - 00016384 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll 2013-04-29 22:08 - 2013-04-29 22:08 
- 00369152 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll 2014-01-10 10:27 - 2014-01-10 10:27 - 00663056 _____ () C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe 2014-11-21 15:50 - 2014-11-21 15:50 - 00020576 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00036964 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\f233f63b6654362865c7577442edb9e3\Win32.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024676 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00061540 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e56c61f7248672819579325af3387035\POSIX.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00082033 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00118918 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00082048 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00028779 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00020601 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\4461f48e31bde5c56b31b973b773de09\List.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024681 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c199d3c1960e7aeeecb599487952bed2\HiRes.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00090213 ____R () 
C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\961b0d62fa52b1dd29c795a822fbf1cf\DBI.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c5cce8d16a1bd48692b421dcf46d3396\Util.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00077824 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7f177c338672436e01c4f0bdbcf94491\EV.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00138752 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\44727051c604ef6b79894b64d4c63832\Expat.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00041080 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\2b1fc61b36a6711ea149b18bf3b41500\Parser.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00030720 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\dacfd0ab9b5fd029ed8d29e4482b0775\XS.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\fa9e3c814aa32db2ad5f17bdfbc22746\attributes.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024694 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c344fd5536724b2af2e6453833b60203\SHA1.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00094334 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\eb138ef0e4282611dbf485a302784646\LibYAML.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00053340 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00184414 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\bd5179a413bc0c4b82eedc22c6cab101\re.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00020592 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\b979ace6da01e63d651cce9ee2474fdc\Name.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00028774 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00182272 ____R () 
C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d0bf009923f29116535c26d228271d6d\Scan.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024672 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\17d0b152e63e6bfe81b4b19588538896\mro.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00020596 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3b7106dd14676048b10bbb09a990f74c\XS.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00032878 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024695 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\cf5fe81e2f5dcbfecfd0495e1648c991\Unicode.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024670 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3a8764e0d7c5d453e01d9ad08cf7fb58\IO.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00361472 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\aff7ee779ea184f884ed432c30a58f5d\Scale.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00061546 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\4f2c03383aab0133b8dc0a3fa2dd92fa\Storable.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00110705 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7f2598c08178217a0e2c754f3d568f28\Byte.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c19d5e3dc664d9f4ce700001e2621cee\MD5.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00608256 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e2e81dd6b3e5a36f0bdae076393cc11d\SQLite.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00001024 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e2e81dd6b3e5a36f0bdae076393cc11d\icudt46.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00020596 ____R () 
C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d1c77e404b5c4b954fa537ed63c8fb7b\File.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00030208 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\0665c25e931c1ac0151b062449e91028\XSAccessor.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00020587 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c668a322917d32a5ea22894518aa9897\Base64.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 04547584 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\38a10ee333cf1a9afec3f0acdf1bbebc\Scan.dll 2014-11-21 15:51 - 2014-11-21 15:51 - 00017920 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\8fedeb86a4a984edfc1fb255d4ea965c\XS.dll 2014-11-21 15:51 - 2014-11-21 15:51 - 00061547 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\bc147d83c7c868eeee67082dcf55430c\File.dll 2014-11-21 15:51 - 2014-11-21 15:51 - 00032881 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\b6bd87c968599725b8ab2e5c25d3046a\API.dll 2014-11-21 15:51 - 2014-11-21 15:51 - 00098415 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\19febd96672ffdb7ea244cef36aaa062\Zlib.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00098816 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32api.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00110080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pywintypes27.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00364544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pythoncom27.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00045568 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_socket.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 01160704 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_ssl.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00320512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32com.shell.shell.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00713216 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_hashlib.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 01175040 _____ () 
C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._core_.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00805888 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._gdi_.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00811008 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._windows_.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 01062400 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._controls_.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00735232 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._misc_.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00128512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_elementtree.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00127488 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pyexpat.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00557056 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pysqlite2._sqlite.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00087552 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_ctypes.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00119808 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32file.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00108544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32security.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00007168 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\hashobjs_ext.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00167936 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32gui.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00018432 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32event.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00038912 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32inet.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00011264 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32crypt.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00070656 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._html2.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00027136 _____ () 
C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_multiprocessing.pyd 2014-11-21 15:49 - 2014-11-21 15:49 - 00035840 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32process.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00686080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\unicodedata.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00122368 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._wizard.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00024064 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32pipe.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00025600 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32pdh.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00525640 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\windows._lib_cacheinvalidation.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00010240 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\select.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00017408 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32profile.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00022528 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32ts.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00078336 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._animate.pyd 2014-11-21 13:10 - 2014-11-21 13:10 - 27810236 _____ () C:\Users\hcxxx\Documents\Temp\detekt.exe 2014-11-21 15:50 - 2014-11-21 15:50 - 01689088 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtCore.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00077824 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\sip.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00324608 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PIL._imaging.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00715264 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_hashlib.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00098816 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32api.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00110080 _____ () 
C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pywintypes27.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00364544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pythoncom27.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 05940224 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtGui.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00325120 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtWebKit.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00502784 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtNetwork.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00046080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_socket.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 01160704 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_ssl.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00686080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\unicodedata.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00087552 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_ctypes.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00152576 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\yara.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00096256 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\distorm3.dll 2014-11-21 15:50 - 2014-11-21 15:50 - 00320512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32com.shell.shell.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00042496 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32service.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00010240 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\select.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00119808 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32file.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00128512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_elementtree.pyd 2014-11-21 15:50 - 2014-11-21 15:50 - 00127488 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pyexpat.pyd 2014-07-23 00:29 - 2014-07-23 00:29 - 00113171 _____ () C:\Program Files\VideoLAN\VLC\libvlc.dll 
2014-07-23 00:29 - 2014-07-23 00:29 - 02396691 _____ () C:\Program Files\VideoLAN\VLC\libvlccore.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00268307 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00027667 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00031251 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 11148307 _____ () C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 01248787 _____ () C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00066579 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 02043411 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00100371 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00244243 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00076307 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00045587 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00060947 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00531475 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00708627 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00114195 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll 2014-07-23 00:29 - 
2014-07-23 00:29 - 00040467 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00133139 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 01512467 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00296979 _____ () C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00054291 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00038419 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00189971 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00091667 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00067603 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00077331 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00074259 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00016403 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00023059 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00021523 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00929299 _____ () C:\Program 
Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00118803 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00144403 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 01194003 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00707603 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00015891 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00417811 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00023059 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00525331 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 
- 00127507 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00036371 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00116755 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_http_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00072211 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00383507 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00021011 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00292371 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00017939 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 01280019 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libdts_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00336403 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00344595 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00198675 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00027155 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 
00015891 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 01393171 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00146451 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00022035 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00733203 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libmpeg_audio_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00026131 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00171027 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00019475 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 10447379 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00016403 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00021523 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00030739 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00021011 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00063507 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 
00036883 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00024595 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00064531 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00013843 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00130579 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmpgatofixed32_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00168979 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdtstofloat32_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00058899 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\liba52tofloat32_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 01496083 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00019475 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00013331 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\liba52tospdif_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdtstospdif_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 
00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00746515 _____ () C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00026643 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi420_yuy2_sse2_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi420_yuy2_mmx_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00587283 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libswscale_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00113683 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi420_rgb_sse2_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00027667 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi422_yuy2_sse2_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi422_yuy2_mmx_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00053779 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi420_rgb_mmx_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00016915 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00032275 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program 
Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00020499 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00013843 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libyuvp_plugin.dll 2014-07-23 00:29 - 2014-07-23 00:29 - 00068115 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d_plugin.dll ==================== Alternate Data Streams (whitelisted) ========= (If an entry is included in the fixlist, only the Alternate Data Streams will be removed.) AlternateDataStreams: C:\ProgramData\TEMP:BC359956 AlternateDataStreams: C:\Users\hcxxx\Documents\bye.bat:SummaryInformation AlternateDataStreams: C:\Users\hcxxx\Documents\bye.bat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d} AlternateDataStreams: C:\Users\hcxxx\Documents\forwarded message.eml:OECustomProperty ==================== Safe Mode (whitelisted) =================== (If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.) ==================== EXE Association (whitelisted) ============= (If an entry is included in the fixlist, the default will be restored. None default entries will be removed.) ==================== MSCONFIG/TASK MANAGER disabled items ========= (Currently there is no automatic fix for this section.) 
========================= Accounts: ========================== Administrator (S-1-5-21-2717335284-3986619703-2298539805-500 - Administrator - Disabled) => C:\Users\Administrator Gast (S-1-5-21-2717335284-3986619703-2298539805-501 - Limited - Enabled) hcxxx (S-1-5-21-2717335284-3986619703-2298539805-1000 - Administrator - Enabled) => C:\Users\hcxxx ==================== Faulty Device Manager Devices ============= Name: VirtualBox Host-Only Ethernet Adapter Description: VirtualBox Host-Only Ethernet Adapter Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318} Manufacturer: Oracle Corporation Service: VBoxNetAdp Problem: : This device is disabled. (Code 22) Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions. ==================== Event log errors: ========================= Application errors: ================== Error: (11/21/2014 03:51:47 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: WmiApRplC:\Windows\system32\wbem\wmiaprpl.dll4 Error: (11/21/2014 03:51:40 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1". Die abhängige Assemblierung "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". Error: (11/21/2014 03:51:19 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". 
Error: (11/21/2014 03:50:56 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4 Error: (11/21/2014 03:50:51 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: MSDTCC:\Windows\system32\msdtcuiu.DLL4 Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: LsaC:\Windows\system32\Secur32.dll4 Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: ESENTC:\Windows\system32\esentprf.dll4 Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1010) (User: ) Description: EmdCacheC:\Windows\system32\emdmgmt.dll4 Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: ) Description: BITSC:\Windows\system32\bitsperf.dll4 Error: (11/21/2014 02:05:04 PM) (Source: SideBySide) (EventID: 33) (User: ) Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1". Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden. Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe". System errors: ============= Error: (11/21/2014 03:59:33 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: ) Description: Beim Aktualisieren der Signaturen wurde von %NT-AUTORITÄT60 ein Fehler festgestellt. 
Neue Signaturversion: Vorherige Signaturversion: 1.189.318.0 Aktualisierungsquelle: %NT-AUTORITÄT59 Aktualisierungsphase: 4.6.0305.00 Quellpfad: 4.6.0305.01 Signaturtyp: %NT-AUTORITÄT602 Aktualisierungstyp: %NT-AUTORITÄT604 Benutzer: NT-AUTORITÄT\SYSTEM Aktuelle Modulversion: %NT-AUTORITÄT605 Vorherige Modulversion: %NT-AUTORITÄT606 Fehlercode: %NT-AUTORITÄT607 Fehlerbeschreibung: %NT-AUTORITÄT608 Error: (11/21/2014 03:46:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: ShowAnalyzerMaster%%3 Error: (11/21/2014 03:46:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: DgiVecp%%20 Error: (11/21/2014 03:45:48 PM) (Source: Print) (EventID: 19) (User: NT-AUTORITÄT) Description: Der Druckspooler konnte den Drucker Samsung CLP-360 Series nicht unter dem Namen Samsung CLP-360 Series freigeben. Fehler: 2114. Der Drucker kann nicht von anderen Benutzern im Netzwerk verwendet werden. Error: (11/21/2014 08:36:42 AM) (Source: Service Control Manager) (EventID: 7022) (User: ) Description: Windows Update Error: (11/21/2014 08:35:01 AM) (Source: DCOM) (EventID: 10010) (User: ) Description: {F4396DC6-E851-4D3A-8D01-34E6949F3500} Error: (11/21/2014 08:35:00 AM) (Source: DCOM) (EventID: 10010) (User: ) Description: {7F6316B4-4D69-4765-B0A3-B2598F2FA80A} Error: (11/21/2014 08:32:12 AM) (Source: iaStorV) (EventID: 9) (User: ) Description: Das Gerät \Device\Ide\iaStor0 hat innerhalb der Fehlerwartezeit nicht geantwortet. 
Error: (11/21/2014 08:32:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: ShowAnalyzerMaster%%3 Error: (11/21/2014 08:32:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: ) Description: DgiVecp%%20 Microsoft Office Sessions: ========================= Error: (10/11/2014 10:45:46 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 999 seconds with 120 seconds of active time. This session ended with a crash. Error: (09/17/2014 10:36:33 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 19211 seconds with 60 seconds of active time. This session ended with a crash. Error: (01/24/2014 01:16:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 71199 seconds with 1920 seconds of active time. This session ended with a crash. Error: (12/13/2013 02:29:02 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 15578 seconds with 720 seconds of active time. This session ended with a crash. Error: (11/01/2013 00:21:14 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 5949 seconds with 240 seconds of active time. This session ended with a crash. 
Error: (09/26/2013 08:29:10 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 276 seconds with 60 seconds of active time. This session ended with a crash. Error: (09/11/2013 09:33:49 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 115581 seconds with 1200 seconds of active time. This session ended with a crash. Error: (09/02/2013 06:00:09 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 100923 seconds with 4500 seconds of active time. This session ended with a crash. Error: (07/25/2013 03:50:05 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 190060 seconds with 1320 seconds of active time. This session ended with a crash. Error: (02/24/2013 02:48:46 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: ) Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 185782 seconds with 480 seconds of active time. This session ended with a crash. 
CodeIntegrity Errors: =================================== Date: 2013-10-14 12:16:56.618 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:16:56.356 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:16:56.064 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:16:55.773 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:15:36.664 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:15:36.404 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. 
Date: 2013-10-14 12:15:36.138 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:15:35.886 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:15:35.312 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. Date: 2013-10-14 12:15:35.069 Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde. 
==================== Memory info =========================== Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz Percentage of memory in use: 69% Total physical RAM: 3062.17 MB Available physical RAM: 922.32 MB Total Pagefile: 6339.3 MB Available Pagefile: 3512.04 MB Total Virtual: 2047.88 MB Available Virtual: 1891.88 MB ==================== Drives ================================ Drive c: () (Fixed) (Total:931.52 GB) (Free:220.94 GB) NTFS ==>[Drive with boot components (obtained from BCD)] Drive e: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)] Drive f: () (Fixed) (Total:465.66 GB) (Free:41.02 GB) NTFS Drive g: (SD) (Removable) (Total:29.84 GB) (Free:29.84 GB) FAT32 Drive h: (HDDRIVE2GO) (Fixed) (Total:931.28 GB) (Free:27.77 GB) FAT32 ==================== MBR & Partition Table ================== ======================================================== Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 11E8DE91) Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS) ======================================================== Disk: 1 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: DEDD9B10) Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS) Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS) ======================================================== Disk: 2 (Size: 931.5 GB) (Disk ID: C2AC2C31) Partition 1: (Not Active) - (Size=931.5 GB) - (Type=0C) ======================================================== Disk: 3 (Size: 29.9 GB) (Disk ID: 00000000) Partition: GPT Partition Type. ==================== End Of Log ============================ |
22.11.2014, 14:02 | #6 |
| What to do? Detekt found five! Trojans, virus scanners so far without findings. Detekt.log part 1 / 3
Detekt.log
Code:
2014-11-21 13:19:20,345 - detector - INFO - Starting with process ID 12268
2014-11-21 13:19:20,348 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 13:19:20,349 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI132202\drivers\winpmem32.sys
2014-11-21 13:19:20,349 - detector.service - INFO - Launching service destroyer...
2014-11-21 13:19:20,351 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-21 13:19:20,351 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 13:19:20,351 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 13:19:20,351 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-21 13:19:21,035 - detector.service - INFO - Trying to start the winpmem service...
2014-11-21 13:19:21,223 - detector - INFO - Service started
2014-11-21 13:19:21,223 - detector - INFO - Selected Yara signature file at C:\Users\hcxxx\AppData\Local\Temp\_MEI132202\rules\signatures.yar
2014-11-21 13:19:21,223 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-21 13:19:25,924 - detector - INFO - Address space: <volatility.plugins.addrspaces.intel.IA32PagedMemoryPae object at 0x09367230>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x08818110>
2014-11-21 13:19:25,924 - detector - INFO - Profile: <volatility.plugins.overlays.windows.vista.VistaSP2x86 object at 0x08818350>, DTB: 0x122000
2014-11-21 13:19:25,926 - detector - INFO - Starting yara scanner...
2014-11-21 14:05:21,569 - detector - INFO - Starting with process ID 14976
2014-11-21 14:05:21,575 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 14:05:21,575 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI152562\drivers\winpmem32.sys
2014-11-21 14:05:21,575 - detector.service - INFO - Launching service destroyer...
2014-11-21 14:05:21,575 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 14:05:21,609 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 14:05:21,698 - detector - CRITICAL - Unable to start winpmem service: Unable to create service: (1072, 'CreateService', 'Der angegebene Dienst wurde zum L\xf6schen markiert.')
2014-11-21 15:51:53,463 - detector - INFO - Starting with process ID 7020
2014-11-21 15:51:53,467 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 15:51:53,467 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\drivers\winpmem32.sys
2014-11-21 15:51:53,467 - detector.service - INFO - Launching service destroyer...
2014-11-21 15:51:53,467 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-21 15:51:53,469 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 15:51:53,469 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 15:51:53,469 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-21 15:51:53,499 - detector.service - INFO - Trying to start the winpmem service...
2014-11-21 15:51:53,572 - detector - INFO - Service started 2014-11-21 15:51:53,572 - detector - INFO - Selected Yara signature file at C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\rules\signatures.yar 2014-11-21 15:51:53,572 - detector - INFO - Obtaining address space and generating config for volatility 2014-11-21 15:51:55,230 - detector - INFO - Address space: <volatility.plugins.addrspaces.intel.IA32PagedMemoryPae object at 0x095961F0>, Base: <volatility.plugins.addrspaces.win32pmem.Win32FileAddressSpace object at 0x08978510> 2014-11-21 15:51:55,232 - detector - INFO - Profile: <volatility.plugins.overlays.windows.vista.VistaSP2x86 object at 0x089782D0>, DTB: 0x122000 2014-11-21 15:51:55,233 - detector - INFO - Starting yara scanner... 2014-11-21 16:51:41,969 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE46B, Value: 6d 6f 64 41 50 49 24 6d 6f 64 32 00 6d 6f 64 41 modAPI$mod2.modA 75 64 69 6f 24 6d 6f 64 33 00 6d 6f 64 42 74 4b udio$mod3.modBtK 69 6c 6c 65 72 24 6d 6f 64 34 00 6d 6f 64 43 72 iller$mod4.modCr 79 70 74 24 6d 6f 64 35 00 6d 6f 64 46 75 63 74 ypt$mod5.modFuct 69 6f 6e 73 24 6d 6f 64 36 00 6d 6f 64 48 69 6a ions$mod6.modHij 61 63 6b 24 6d 6f 64 37 00 6d 6f 64 49 43 61 6c ack$mod7.modICal 6c 42 61 63 6b 24 6d 6f 64 38 00 6d 6f 64 49 49 lBack$mod8.modII 6e 65 74 24 6d 6f 64 39 00 6d 6f 64 49 6e 66 65 net$mod9.modInfe 63 74 24 6d 6f 64 31 30 00 6d 6f 64 49 6e 6a 50 ct$mod10.modInjP 45 24 6d 6f 64 31 31 00 6d 6f 64 4c 61 75 6e 63 E$mod11.modLaunc 68 57 65 62 24 6d 6f 64 31 32 00 6d 6f 64 4f 53 hWeb$mod12.modOS 24 6d 6f 64 31 33 00 6d 6f 64 50 57 73 24 6d 6f $mod13.modPWs$mo 64 31 34 00 6d 6f 64 52 65 67 69 73 74 72 79 24 d14.modRegistry$ 6d 6f 64 31 35 00 6d 6f 64 53 63 72 65 65 6e 63 mod15.modScreenc 61 70 24 6d 6f 64 31 36 00 6d 6f 64 53 6e 69 66 ap$mod16.modSnif 66 24 6d 6f 64 31 37 00 6d 6f 64 53 6f 63 6b 65 f$mod17.modSocke 2014-11-21 16:51:41,970 - detector - WARNING - Process CCC.exe (pid: 7624) matched: 
BlackShades at address: 0x542CE477, Value: 6d 6f 64 41 75 64 69 6f 24 6d 6f 64 33 00 6d 6f modAudio$mod3.mo 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 00 6d dBtKiller$mod4.m 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f 64 odCrypt$mod5.mod 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d 6f Fuctions$mod6.mo 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f 64 dHijack$mod7.mod 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 6d ICallBack$mod8.m 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f 64 odIInet$mod9.mod 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f 64 Infect$mod10.mod 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 4c InjPE$mod11.modL 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 6d aunchWeb$mod12.m 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 57 odOS$mod13.modPW 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 73 s$mod14.modRegis 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 72 try$mod15.modScr 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f 64 eencap$mod16.mod 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 53 Sniff$mod17.modS 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 31 ocketMaster$mod1 2014-11-21 16:51:41,971 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE485, Value: 6d 6f 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 modBtKiller$mod4 00 6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d .modCrypt$mod5.m 6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 odFuctions$mod6. 
6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo 2014-11-21 16:51:41,973 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE496, Value: 6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f modCrypt$mod5.mo 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d dFuctions$mod6.m 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f odHijack$mod7.mo 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 dICallBack$mod8. 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12. 
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m 2014-11-21 16:51:41,974 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4A4, Value: 6d 6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 modFuctions$mod6 00 6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 .modHijack$mod7. 6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod 38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9. 6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10. 6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16. 
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod 2014-11-21 16:51:41,976 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4B5, Value: 6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 d19.modSqueezer$ 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 mod20.modSS$mod2 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 1.modTorrentSeed 2014-11-21 16:51:41,977 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4C4, Value: 6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod 38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9. 6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10. 
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16. 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms 2014-11-21 16:51:41,980 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4D6, Value: 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12. 
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$ 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr 2014-11-21 16:51:41,980 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4E4, Value: 6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10. 6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16. 
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm 2014-11-21 16:51:41,982 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4F4, Value: 6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16. 
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5 2014-11-21 16:51:41,983 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE503, Value: 6d 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 modLaunchWeb$mod 31 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 12.modOS$mod13.m 6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 odPWs$mod14.modR 65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f egistry$mod15.mo 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 dScreencap$mod16 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 .modSniff$mod17. 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$ 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$ 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$ 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6. 
2014-11-21 16:51:41,984 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE516, Value: 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$ 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 3.tmrAnslut$tmr4 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 .tmrAudio$tmr5.t 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 mrBlink$tmr6.tmr 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f Check$tmr7.tmrCo 2014-11-21 16:51:41,986 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE522, Value: 6d 6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 modPWs$mod14.mod 52 65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d Registry$mod15.m 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 odScreencap$mod1 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 6.modSniff$mod17 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 .modSocketMaster 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 $mod18.modSpread 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a $mod19.modSqueez 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d er$mod20.modSS$m 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 od21.modTorrentS 65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 eed$tmr1.tmrAlar 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 
ms$tmr2.tmrAlive 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 $tmr3.tmrAnslut$ 74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d tmr4.tmrAudio$tm 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 r5.tmrBlink$tmr6 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 .tmrCheck$tmr7.t 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 mrCountdown$tmr8 2014-11-21 16:51:41,987 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE52F, Value: 6d 6f 64 52 65 67 69 73 74 72 79 24 6d 6f 64 31 modRegistry$mod1 35 00 6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 5.modScreencap$m 6f 64 31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f od16.modSniff$mo 64 31 37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 d17.modSocketMas 74 65 72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 ter$mod18.modSpr 65 61 64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 ead$mod19.modSqu 65 65 7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 eezer$mod20.modS 53 24 6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 S$mod21.modTorre 6e 74 53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 ntSeed$tmr1.tmrA 6c 61 72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c larms$tmr2.tmrAl 69 76 65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c ive$tmr3.tmrAnsl 75 74 24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f ut$tmr4.tmrAudio 24 74 6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 $tmr5.tmrBlink$t 6d 72 36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 mr6.tmrCheck$tmr 37 00 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 7.tmrCountdown$t 6d 72 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 mr8.tmrCrazy$tmr 2014-11-21 16:51:41,989 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE541, Value: 6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 modScreencap$mod 31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 16.modSniff$mod1 37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 7.modSocketMaste 72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 r$mod18.modSprea 64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 d$mod19.modSquee 7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 
53 53 24 zer$mod20.modSS$ 6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 mod21.modTorrent 53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 Seed$tmr1.tmrAla 72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 rms$tmr2.tmrAliv 65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 e$tmr3.tmrAnslut 24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 $tmr4.tmrAudio$t 6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 mr5.tmrBlink$tmr 36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 6.tmrCheck$tmr7. 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9. 74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr 2014-11-21 16:51:41,990 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE554, Value: 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 .tmrBlink$tmr6.t 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 mrCheck$tmr7.tmr 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 Countdown$tmr8.t 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 mrCrazy$tmr9.tmr 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 DOS$tmr10.tmrDoW 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 ork$tmr11.tmrFoc 2014-11-21 16:51:41,992 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE563, Value: 6d 6f 64 53 6f 63 6b 65 74 4d 
61 73 74 65 72 24 modSocketMaster$ 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$ 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$ 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6. 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8. 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra 2014-11-21 16:51:41,993 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE579, Value: 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 31 39 00 modSpread$mod19. 
6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo 64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi 2014-11-21 16:51:41,994 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE589, Value: 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo 64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 
r12.tmrGrabber$t 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 tet$tmr14.tmrInf 2014-11-21 16:51:41,996 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE59B, Value: 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 64 54 modSS$mod21.modT 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 31 00 orrentSeed$tmr1. 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter 2014-11-21 16:51:41,997 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5A7, Value: 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 modTorrentSeed$t 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d mr1.tmrAlarms$tm 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 r2.tmrAlive$tmr3 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 .tmrAnslut$tmr4. 
74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$ 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm 2014-11-21 16:51:41,999 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5BB, Value: 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter 76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 valUpdate$tmr16. 
74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm 2014-11-21 16:51:42,000 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5CA, Value: 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d tmrAlive$tmr3.tm 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 rAnslut$tmr4.tmr 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c Audio$tmr5.tmrBl 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 ink$tmr6.tmrChec 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 k$tmr7.tmrCountd 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a own$tmr8.tmrCraz 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d y$tmr9.tmrDOS$tm 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d r10.tmrDoWork$tm 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 r11.tmrFocus$tmr 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 12.tmrGrabber$tm 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 r13.tmrInaktivit 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f et$tmr14.tmrInfo 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 TO$tmr15.tmrInte 72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 rvalUpdate$tmr16 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 .tmrLiveLogger$t 6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 mr17.tmrPersista 2014-11-21 16:51:42,003 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5D8, Value: 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 tmrAnslut$tmr4.t 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 mrAudio$tmr5.tmr 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 Blink$tmr6.tmrCh 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e eck$tmr7.tmrCoun 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 tdown$tmr8.tmrCr 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 azy$tmr9.tmrDOS$ 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 tmr10.tmrDoWork$ 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 tmr11.tmrFocus$t 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 mr12.tmrGrabber$ 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 
tmr13.tmrInaktiv 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e itet$tmr14.tmrIn 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e foTO$tmr15.tmrIn 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 tervalUpdate$tmr 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 16.tmrLiveLogger 24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 $tmr17.tmrPersis 74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 63 tant$tmr18.tmrSc 2014-11-21 16:51:42,003 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5E7, Value: 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$ 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm 72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 r16.tmrLiveLogge 72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 r$tmr17.tmrPersi 73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 stant$tmr18.tmrS 63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 39 00 creenshot$tmr19. 
2014-11-21 16:51:42,006 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5F5, Value: 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d tmrBlink$tmr6.tm 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 rCheck$tmr7.tmrC 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d ountdown$tmr8.tm 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 rCrazy$tmr9.tmrD 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f OS$tmr10.tmrDoWo 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 rk$tmr11.tmrFocu 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 s$tmr12.tmrGrabb 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b er$tmr13.tmrInak 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d tivitet$tmr14.tm 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d rInfoTO$tmr15.tm 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 rIntervalUpdate$ 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 tmr16.tmrLiveLog 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 ger$tmr17.tmrPer 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d sistant$tmr18.tm 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 rScreenshot$tmr1 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 9.tmrSpara$tmr20 2014-11-21 16:51:42,006 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE603, Value: 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8. 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14. 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15. 
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 2014-11-21 16:51:42,009 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE611, Value: 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9. 74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr 46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG 72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr 49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1 35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd 61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$ 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22 |
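An added aside for whoever is working this thread, not part of DerDingens' post and not code from Detekt itself: the entries above can be parsed instead of read by eye. The Python below (example code written for this thread) splits a detekt.log into its "matched:" entries, recovers the raw bytes from the hex/ASCII rows, groups the hits per process and signature, and applies one heuristic: Detekt scans memory with YARA rules, and if the matched bytes are NUL-separated strings each ending in a YARA-style identifier such as $tmr3 or $bot1, with rule names like "DarkComet RAT" in between, then the scanner has hit signature text rather than a RAT's own code. The sample log inside the block is constructed: the two CCC.exe entries reuse hex rows visible in the log above, and the "example.exe" entry is invented as a contrasting hit. Why such bytes sit in CCC.exe's memory is not something the log alone shows; that remains for the helper to judge.

```python
import re
from collections import defaultdict

# One Detekt "matched:" entry.  The Value field is a hex dump: rows of up to
# 16 two-digit hex bytes, each row followed by its ASCII rendering.
ENTRY_RE = re.compile(
    r"(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3}) - detector - WARNING - "
    r"Process (?P<proc>\S+) \(pid: (?P<pid>\d+)\) matched: (?P<sig>\S+) "
    r"at address: (?P<addr>0x[0-9A-Fa-f]+), Value: (?P<dump>.*)",
    re.S,
)
# Entries may be run together on one line (as in the forum paste), so split on
# the timestamp that starts each entry rather than on newlines.
ENTRY_START = re.compile(r"(?=\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - detector - )")
HEX_BYTE = re.compile(r"[0-9A-Fa-f]{2}")
# A chunk that ends in a YARA-style string identifier, e.g. "tmrAlive$tmr3".
YARA_IDENT = re.compile(rb"\$[A-Za-z_][A-Za-z0-9_]*$")


def dump_to_bytes(dump: str) -> bytes:
    """Recover raw bytes from Detekt's 'hex ... ascii' rows.

    Tokens are read left to right: up to 16 two-digit hex tokens form a row,
    the next token is that row's ASCII column and is skipped.  (A final row of
    exactly two bytes whose ASCII column happens to look like a hex pair would
    be misread; that does not occur in dumps of the kind posted here.)
    """
    out = bytearray()
    in_row = 0
    for tok in dump.split():
        if in_row < 16 and HEX_BYTE.fullmatch(tok):
            out.append(int(tok, 16))
            in_row += 1
        else:
            in_row = 0  # ASCII column: the row is complete
    return bytes(out)


def parse_log(text: str):
    """Yield one dict per 'matched:' entry, with the dump decoded to bytes."""
    for chunk in ENTRY_START.split(text):
        m = ENTRY_RE.match(chunk.strip())
        if not m:
            continue
        yield {
            "time": m["ts"], "process": m["proc"], "pid": int(m["pid"]),
            "signature": m["sig"], "address": int(m["addr"], 16),
            "data": dump_to_bytes(m["dump"]),
        }


def looks_like_rule_table(data: bytes) -> bool:
    """Heuristic: at least half of the NUL-separated chunks end in a YARA
    string identifier ($tmr3, $bot1, ...), i.e. the hit is on signature
    text, not on code.  Partial chunks at either end are counted as-is."""
    chunks = [c for c in data.split(b"\x00") if c]
    if len(chunks) < 3:
        return False
    tagged = sum(1 for c in chunks if YARA_IDENT.search(c))
    return tagged / len(chunks) >= 0.5


def triage(text: str) -> dict:
    """Group hits by (process, pid, signature) and summarise each group."""
    groups = defaultdict(list)
    for hit in parse_log(text):
        groups[(hit["process"], hit["pid"], hit["signature"])].append(hit)
    report = {}
    for key, hits in groups.items():
        addrs = [h["address"] for h in hits]
        names = sorted({c.decode("ascii", "replace") for h in hits
                        for c in h["data"].split(b"\x00") if YARA_IDENT.search(c)})
        report[key] = {
            "hits": len(hits),
            "span": (min(addrs), max(addrs)),
            "all_rule_text": all(looks_like_rule_table(h["data"]) for h in hits),
            "identifiers": names,
        }
    return report


# Constructed sample: the CCC.exe entries reuse hex rows visible in the log
# above; the example.exe entry is invented to show a hit that is NOT rule text.
SAMPLE_LOG = """\
2014-11-21 16:51:42,000 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5CA, Value: 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d tmrAlive$tmr3.tm 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 rAnslut$tmr4.tmr 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c Audio$tmr5.tmrBl 2014-11-21 16:51:42,032 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE753, Value: 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot
32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3
00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$
2014-11-21 16:52:01,100 - detector - WARNING - Process example.exe (pid: 4242) matched: BlackShades at address: 0x00401000, Value: 74 6d 72 41 6c 69 76 65 00 8b 45 08 50 e8 00 00 tmrAlive........
00 00 83 c4 04 c3 90 90 55 8b ec 6a ff 68 00 00 ........U..j.h..
"""

if __name__ == "__main__":
    for (proc, pid, sig), info in triage(SAMPLE_LOG).items():
        print(f"{proc} (pid {pid}) {sig}: {info['hits']} hit(s), "
              f"0x{info['span'][0]:08X}-0x{info['span'][1]:08X}, "
              f"rule text only: {info['all_rule_text']}, ids: {info['identifiers']}")
```

Run against the real detekt.log, the "rule text only" column per (process, pid, signature) is the thing to look at: a group where every hit decodes to $tmrN/$botN/$ddosN tables is a different animal from a group where the bytes are code, and the identifiers list shows at a glance which rule strings were actually matched.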
22.11.2014, 14:05 | #7 |
| What to do? Detekt found five! trojans, virus scanners with no findings so far. Detekt.log part 2/3 Code:
ATTFilter 2014-11-21 16:51:42,009 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE623, Value: 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14. 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15. 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 2014-11-21 16:51:42,010 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE631, Value: 74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr 46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG 72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr 49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1 35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd 61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 
24 8.tmrScreenshot$ 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22 00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d .tmrUDP$tmr23.tm 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 rWebHideBlackSha 2014-11-21 16:51:42,013 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE63E, Value: 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 tmrDoWork$tmr11. 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13. 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection 2014-11-21 16:51:42,013 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE64E, Value: 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13. 
74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$ 2014-11-21 16:51:42,016 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE65D, Value: 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 tmrGrabber$tmr13 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 .tmrInaktivitet$ 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 tmr14.tmrInfoTO$ 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 tmr15.tmrInterva 6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d lUpdate$tmr16.tm 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 rLiveLogger$tmr1 37 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 7.tmrPersistant$ 74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 tmr18.tmrScreens 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 hot$tmr19.tmrSpa 72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 ra$tmr20.tmrSpri 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 d$tmr21.tmrTCP$t 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 mr22.tmrUDP$tmr2 33 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 3.tmrWebHideBlac 6b 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f kShades.detectio 6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 
n.DarkComet.RAT. 24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 $bot1.#BOT#OpenU 2014-11-21 16:51:42,016 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE66E, Value: 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$ 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 bot1.#BOT#OpenUr 6c 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 l$bot2.#BOT#Ping 2014-11-21 16:51:42,019 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE683, Value: 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15. 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 2014-11-21 16:51:42,019 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE693, Value: 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 2014-11-21 16:51:42,020 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6AB, Value: 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 6e r17.tmrPersistan 74 24 74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 t$tmr18.tmrScree 6e 73 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 nshot$tmr19.tmrS 70 61 72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 para$tmr20.tmrSp 72 69 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 rid$tmr21.tmrTCP 24 74 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d $tmr22.tmrUDP$tm 72 32 33 00 74 6d 72 57 65 62 48 69 64 65 42 6c r23.tmrWebHideBl 61 63 6b 53 68 61 64 65 73 00 64 65 74 65 63 74 ackShades.detect 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 ion.DarkComet.RA 54 00 24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 T.$bot1.#BOT#Ope 6e 55 72 6c 24 62 6f 74 32 00 23 42 4f 54 23 50 nUrl$bot2.#BOT#P 69 6e 67 24 62 6f 74 33 00 23 42 4f 54 23 52 75 ing$bot3.#BOT#Ru 6e 50 72 6f 6d 70 74 24 62 6f 74 34 00 23 42 4f nPrompt$bot4.#BO 54 23 53 76 72 55 6e 69 6e 73 74 61 6c 6c 24 62 T#SvrUninstall$b 6f 74 35 00 23 42 4f 54 23 55 52 4c 44 6f 77 6e ot5.#BOT#URLDown 2014-11-21 16:51:42,023 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6BF, Value: 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d tmrPersistant$tm 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f r18.tmrScreensho 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 t$tmr19.tmrSpara 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 $tmr20.tmrSprid$ 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 tmr21.tmrTCP$tmr 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 22.tmrUDP$tmr23. 
74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection. 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$ 62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro 6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv 72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5. 23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload 24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 2014-11-21 16:51:42,023 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6D3, Value: 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit 2014-11-21 16:51:42,026 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6E7, Value: 74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 00 74 tmrSpara$tmr20.t 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 6d mrSprid$tmr21.tm 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 44 rTCP$tmr22.tmrUD 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 69 P$tmr23.tmrWebHi 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 65 deBlackShades.de 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 tection.DarkCome 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f 54 t.RAT.$bot1.#BOT 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 42 #OpenUrl$bot2.#B 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 4f OT#Ping$bot3.#BO 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 34 T#RunPrompt$bot4 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 .#BOT#SvrUninsta 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c ll$bot5.#BOT#URL 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 Download$bot6.#B 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 OT#URLUpdate$bot 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 7.#BOT#VisitUrl$ 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 bot8.#BOT#CloseS 2014-11-21 16:51:42,026 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6F6, Value: 74 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 tmrSprid$tmr21.t 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 mrTCP$tmr22.tmrU 44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 
DP$tmr23.tmrWebH 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 ideBlackShades.d 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d etection.DarkCom 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f et.RAT.$bot1.#BO 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 T#OpenUrl$bot2.# 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 BOT#Ping$bot3.#B 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 OT#RunPrompt$bot 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 4.#BOT#SvrUninst 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 all$bot5.#BOT#UR 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 LDownload$bot6.# 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f BOT#URLUpdate$bo 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c t7.#BOT#VisitUrl 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 $bot8.#BOT#Close 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 4f Server$ddos1.DDO 2014-11-21 16:51:42,029 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE705, Value: 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 tmrTCP$tmr22.tmr 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 UDP$tmr23.tmrWeb 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 HideBlackShades. 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f detection.DarkCo 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 met.RAT.$bot1.#B 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 OT#OpenUrl$bot2. 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.# 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6. 
23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos 2014-11-21 16:51:42,029 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE712, Value: 74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 tmrUDP$tmr23.tmr 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 WebHideBlackShad 65 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 es.detection.Dar 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 kComet.RAT.$bot1 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f .#BOT#OpenUrl$bo 74 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 t2.#BOT#Ping$bot 33 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 3.#BOT#RunPrompt 24 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e $bot4.#BOT#SvrUn 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f install$bot5.#BO 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f T#URLDownload$bo 74 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 t6.#BOT#URLUpdat 65 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 e$bot7.#BOT#Visi 74 55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 tUrl$bot8.#BOT#C 6c 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 loseServer$ddos1 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 .DDOSHTTPFLOOD$d 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f dos2.DDOSSYNFLOO 2014-11-21 16:51:42,032 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE71F, Value: 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection. 
44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$ 62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro 6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv 72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5. 23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload 24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V 69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO 54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd 6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO 44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU 2014-11-21 16:51:42,032 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE753, Value: 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$ 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 $bot7.#BOT#Visit 55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c Url$bot8.#BOT#Cl 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 oseServer$ddos1. 
44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD 24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2. 2014-11-21 16:51:42,035 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE765, Value: 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.# 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6. 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 2014-11-21 16:51:42,036 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE774, Value: 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 #BOT#RunPrompt$b 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e ot4.#BOT#SvrUnin 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 stall$bot5.#BOT# 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 URLDownload$bot6 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 
.#BOT#URLUpdate$ 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 bot7.#BOT#VisitU 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f rl$bot8.#BOT#Clo 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 seServer$ddos1.D 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f DOSHTTPFLOOD$ddo 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 s2.DDOSSYNFLOOD$ 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f ddos3.DDOSUDPFLO 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 OD$keylogger1.Ac 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 ger$keylogger2.U 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 nActiveOnlineKey 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger 2014-11-21 16:51:42,038 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE788, Value: 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 6c #BOT#SvrUninstal 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c 44 l$bot5.#BOT#URLD 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 4f ownload$bot6.#BO 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 37 T#URLUpdate$bot7 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 .#BOT#VisitUrl$b 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 ot8.#BOT#CloseSe 72 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 rver$ddos1.DDOSH 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 TTPFLOOD$ddos2.D 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 DOSSYNFLOOD$ddos 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 3.DDOSUDPFLOOD$k 65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 eylogger1.Active 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 OnlineKeylogger$ 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 keylogger2.UnAct 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 er$keylogger3.Ac 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo 2014-11-21 16:51:42,039 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at 
address: 0x542CE79F, Value: 23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload 24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V 69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO 54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd 6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO 44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU 44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 DPFLOOD$keylogge 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b r1.ActiveOnlineK 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg 65 72 32 00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 er2.UnActiveOnli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl 6f 67 67 65 72 33 00 41 63 74 69 76 65 4f 66 66 ogger3.ActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke 79 6c 6f 67 67 65 72 34 00 55 6e 41 63 74 69 76 ylogger4.UnActiv 2014-11-21 16:51:42,039 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7B5, Value: 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3 00 41 63 74 69 76 65 4f 66 
66 6c 69 6e 65 4b 65 .ActiveOfflineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel 2014-11-21 16:51:42,042 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7C9, Value: 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 6f #BOT#VisitUrl$bo 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 t8.#BOT#CloseSer 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 54 ver$ddos1.DDOSHT 54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 TPFLOOD$ddos2.DD 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 OSSYNFLOOD$ddos3 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 .DDOSUDPFLOOD$ke 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f ylogger1.ActiveO 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 eylogger2.UnActi 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 veOnlineKeylogge 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 r$keylogger3.Act 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 iveOfflineKeylog 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 ger$keylogger4.U 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 nActiveOfflineKe 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 ylogger$shell1.A 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c CTIVEREMOTESHELL 2014-11-21 16:51:42,042 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7DC, Value: 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 76 65 72 #BOT#CloseServer 24 64 64 6f 73 31 00 44 44 4f 53 48 54 54 50 46 $ddos1.DDOSHTTPF 4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 4f 53 53 LOOD$ddos2.DDOSS 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 YNFLOOD$ddos3.DD 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f OSUDPFLOOD$keylo 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 gger1.ActiveOnli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl 6f 67 67 65 72 32 00 
55 6e 41 63 74 69 76 65 4f ogger2.UnActiveO 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 76 65 eylogger3.Active 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 OfflineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e 41 63 $keylogger4.UnAc 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 54 49 gger$shell1.ACTI 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 VEREMOTESHELL$sh 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 45 53 ell2.SUBMREMOTES 2014-11-21 16:51:42,045 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7F3, Value: 44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD 24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c $ddos3.DDOSUDPFL 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2. 
55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES 2014-11-21 16:51:42,046 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE807, Value: 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f DDOSSYNFLOOD$ddo 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 s3.DDOSUDPFLOOD$ 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 keylogger1.Activ 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 $keylogger2.UnAc 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 ger$keylogger3.A 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c ctiveOfflineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 ogger$keylogger4 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 .UnActiveOffline 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 Keylogger$shell1 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 .ACTIVEREMOTESHE 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 LL$shell2.SUBMRE 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 MOTESHELL$shell3 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c .KILLREMOTESHELL 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 DarkComet.detect 2014-11-21 16:51:42,048 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE81A, Value: 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 
DDOSUDPFLOOD$key 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e logger1.ActiveOn 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 ylogger2.UnActiv 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 $keylogger3.Acti 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 veOfflineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e er$keylogger4.Un 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$ 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str 2014-11-21 16:51:42,049 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE832, Value: 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 ogger$keylogger2 00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b .UnActiveOnlineK 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg 65 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e er3.ActiveOfflin 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f eKeylogger$keylo 67 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 gger4.UnActiveOf 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 flineKeylogger$s 68 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f hell1.ACTIVEREMO 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 TESHELL$shell2.S 55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 UBMREMOTESHELL$s 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 hell3.KILLREMOTE 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 SHELLDarkComet.d 65 74 65 63 74 69 6f 6e 00 58 74 72 
65 6d 65 20 etection.Xtreme. 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 RAT.$string1.Xtr 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 emeKeylogger$str 2014-11-21 16:51:42,049 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE855, Value: 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 l1.ACTIVEREMOTES 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d HELL$shell2.SUBM 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c REMOTESHELL$shel 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 l3.KILLREMOTESHE 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 LLDarkComet.dete 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 ction.Xtreme.RAT 00 24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 .$string1.Xtreme 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 Keylogger$string 32 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 2.XtremeRAT$stri 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 ng3.XTREMEUPDATE 2014-11-21 16:51:42,052 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE853, Value: 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU 42 4d 52 45 4d 4f 54 45 53 48 
45 4c 4c 24 73 68 BMREMOTESHELL$sh 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 HELLDarkComet.de 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 tection.Xtreme.R 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 65 AT.$string1.Xtre 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 meKeylogger$stri 6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 73 74 ng2.XtremeRAT$st 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 ring3.XTREMEUPDA 2014-11-21 16:51:42,052 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE876, Value: 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 4.UnActiveOfflin 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c eKeylogger$shell 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 1.ACTIVEREMOTESH 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 ELL$shell2.SUBMR 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c EMOTESHELL$shell 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 3.KILLREMOTESHEL 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 LDarkComet.detec 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 tion.Xtreme.RAT. 
24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b $string1.XtremeK 65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 eylogger$string2 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e .XtremeRAT$strin 67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 g3.XTREMEUPDATE$ 73 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 string4.STUBXTRE 4d 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 MEINJECTED$unit1 2014-11-21 16:51:42,055 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE89A, Value: 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$ 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 6c 6f ing1.XtremeKeylo 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 74 72 gger$string2.Xtr 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 00 58 emeRAT$string3.X 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 69 TREMEUPDATE$stri 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 4e ng4.STUBXTREMEIN 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e 69 JECTED$unit1.Uni 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 00 55 tConfigs$unit2.U 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e 69 nitGetServer$uni 2014-11-21 16:51:42,055 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE898, Value: 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b UnActiveOfflineK 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 eylogger$shell1. 
41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3. 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u 2014-11-21 16:51:42,058 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8B8, Value: 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3. 
4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 nit3.UnitKeylogg 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 er$unit4.UnitCry 2014-11-21 16:51:42,059 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8D1, Value: 53 55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 SUBMREMOTESHELL$ 73 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 shell3.KILLREMOT 45 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 ESHELLDarkComet. 64 65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 detection.Xtreme 20 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 .RAT.$string1.Xt 72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 remeKeylogger$st 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 ring2.XtremeRAT$ 73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 string3.XTREMEUP 44 41 54 45 24 73 74 72 69 6e 67 34 00 53 54 55 DATE$string4.STU 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 44 24 BXTREMEINJECTED$ 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 69 67 unit1.UnitConfig 73 24 75 6e 69 74 32 00 55 6e 69 74 47 65 74 53 s$unit2.UnitGetS 65 72 76 65 72 24 75 6e 69 74 33 00 55 6e 69 74 erver$unit3.Unit 4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 74 34 00 Keylogger$unit4. 
55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 67 24 UnitCryptString$ 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 61 6c unit5.UnitInstal 2014-11-21 16:51:42,061 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8E8, Value: 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 nit3.UnitKeylogg 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 er$unit4.UnitCry 70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 ptString$unit5.U 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 nitInstallServer 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 $unit6.UnitInjec 2014-11-21 16:51:42,062 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE91F, Value: 58 74 72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 XtremeKeylogger$ 73 74 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 string2.XtremeRA 54 24 73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 T$string3.XTREME 55 50 44 41 54 45 24 73 74 72 69 6e 67 34 00 53 UPDATE$string4.S 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 TUBXTREMEINJECTE 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 D$unit1.UnitConf 69 67 73 24 75 6e 69 74 32 00 55 6e 69 74 47 65 igs$unit2.UnitGe 74 53 65 72 76 65 72 24 75 6e 69 74 33 00 55 6e tServer$unit3.Un 69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 74 
itKeylogger$unit 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 4.UnitCryptStrin 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 g$unit5.UnitInst 61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 36 00 allServer$unit6. 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 UnitInjectServer 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65 $unit7.UnitBinde 72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 r$unit8.UnitInje 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 ctProcessXtreme. 2014-11-21 16:51:42,063 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE937, Value: 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 XtremeRAT$string 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 3.XTREMEUPDATE$s 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d tring4.STUBXTREM 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 EINJECTED$unit1. 55 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 UnitConfigs$unit 32 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 2.UnitGetServer$ 75 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 unit3.UnitKeylog 67 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 ger$unit4.UnitCr 79 70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 yptString$unit5. 55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe 72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje 63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U 6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8. 
55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R 2014-11-21 16:51:42,065 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE949, Value: 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 XTREMEUPDATE$str 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 ing4.STUBXTREMEI 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e NJECTED$unit1.Un 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 00 itConfigs$unit2. 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e UnitGetServer$un 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 65 it3.UnitKeylogge 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 70 r$unit4.UnitCryp 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 6e tString$unit5.Un 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 24 itInstallServer$ 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 74 unit6.UnitInject 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 6e 69 Server$unit7.Uni 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 55 6e tBinder$unit8.Un 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 73 58 itInjectProcessX 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f 6e 00 treme.detection. 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 43 53 Hacking.Team.RCS 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 31 00 .Scout.$engine1. 
2014-11-21 16:51:42,065 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE95E, Value: 53 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 STUBXTREMEINJECT 45 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e ED$unit1.UnitCon 66 69 67 73 24 75 6e 69 74 32 00 55 6e 69 74 47 figs$unit2.UnitG 65 74 53 65 72 76 65 72 24 75 6e 69 74 33 00 55 etServer$unit3.U 6e 69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 nitKeylogger$uni 74 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 69 t4.UnitCryptStri 6e 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 ng$unit5.UnitIns 74 61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 36 tallServer$unit6 00 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 .UnitInjectServe 72 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 r$unit7.UnitBind 65 72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a er$unit8.UnitInj 65 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 ectProcessXtreme 00 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 .detection.Hacki 6e 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f 75 ng.Team.RCS.Scou 74 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 6e t.$engine1.Engin 65 20 73 74 61 72 74 65 64 24 65 6e 67 69 6e 65 e.started$engine 2014-11-21 16:51:42,068 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE977, Value: 55 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 UnitConfigs$unit 32 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 2.UnitGetServer$ 75 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 unit3.UnitKeylog 67 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 ger$unit4.UnitCr 79 70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 yptString$unit5. 55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe 72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje 63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U 6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8. 
55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R 43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 $engine2.Running 20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e 2014-11-21 16:51:42,069 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE989, Value: 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e UnitGetServer$un 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 65 it3.UnitKeylogge 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 70 r$unit4.UnitCryp 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 6e tString$unit5.Un 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 24 itInstallServer$ 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 74 unit6.UnitInject 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 6e 69 Server$unit7.Uni 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 55 6e tBinder$unit8.Un 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 73 58 itInjectProcessX 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f 6e 00 treme.detection. 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 43 53 Hacking.Team.RCS 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 31 00 .Scout.$engine1. 
45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 24 65 Engine.started$e 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 20 69 ngine2.Running.i 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 6e 67 n.background$eng 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 6f 6f ine3.Locking.doo 2014-11-21 16:51:42,071 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE99D, Value: 55 6e 69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e UnitKeylogger$un 69 74 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 it4.UnitCryptStr 69 6e 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e ing$unit5.UnitIn 73 74 61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 stallServer$unit 36 00 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 6.UnitInjectServ 65 72 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e er$unit7.UnitBin 64 65 72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e der$unit8.UnitIn 6a 65 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d jectProcessXtrem 65 00 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b e.detection.Hack 69 6e 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f ing.Team.RCS.Sco 75 74 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 ut.$engine1.Engi 6e 65 20 73 74 61 72 74 65 64 24 65 6e 67 69 6e ne.started$engin 65 32 00 52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 e2.Running.in.ba 63 6b 67 72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 ckground$engine3 00 4c 6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 .Locking.doors$e 6e 67 69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e ngine4.Rotors.en 2014-11-21 16:51:42,072 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9B1, Value: 55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 67 24 UnitCryptString$ 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 61 6c unit5.UnitInstal 6c 53 65 72 76 65 72 24 75 6e 69 74 36 00 55 6e lServer$unit6.Un 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 24 75 itInjectServer$u 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65 72 24 nit7.UnitBinder$ 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 63 74 unit8.UnitInject 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 64 65 ProcessXtreme.de 
74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e 67 20 tection.Hacking. 54 65 61 6d 20 52 43 53 20 53 63 6f 75 74 00 24 Team.RCS.Scout.$ 65 6e 67 69 6e 65 31 00 45 6e 67 69 6e 65 20 73 engine1.Engine.s 74 61 72 74 65 64 24 65 6e 67 69 6e 65 32 00 52 tarted$engine2.R 75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b 67 72 unning.in.backgr 6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c 6f 63 ound$engine3.Loc 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 69 6e king.doors$engin 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 67 65 e4.Rotors.engage 64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 67 6f d$engine5.I'm.go 2014-11-21 16:51:42,073 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9C7, Value: 55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe 72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje 63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U 6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8. 55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R 43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 $engine2.Running 20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e 6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 ngine3.Locking.d 6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f 74 oors$engine4.Rot 6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 69 ors.engaged$engi 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f ne5.I'm.going.to 20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 31 .start.it$start1 2014-11-21 16:51:42,075 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9DF, Value: 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 UnitInjectServer 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65 $unit7.UnitBinde 
72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 r$unit8.UnitInje 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 ctProcessXtreme. 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e detection.Hackin 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f 75 74 g.Team.RCS.Scout 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 6e 65 .$engine1.Engine 20 73 74 61 72 74 65 64 24 65 6e 67 69 6e 65 32 .started$engine2 00 52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b .Running.in.back 67 72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c ground$engine3.L 6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 ocking.doors$eng 69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 ine4.Rotors.enga 67 65 64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 ged$engine5.I'm. 67 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 69 going.to.start.i 74 24 73 74 61 72 74 31 00 53 74 61 72 74 69 6e t$start1.Startin 67 20 75 70 67 72 61 64 65 21 24 73 74 61 72 74 g.upgrade!$start 2014-11-21 16:51:42,075 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9F6, Value: 55 6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 UnitBinder$unit8 00 55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 .UnitInjectProce 73 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 ssXtreme.detecti 6f 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 on.Hacking.Team. 52 43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e RCS.Scout.$engin 65 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 e1.Engine.starte 64 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e d$engine2.Runnin 67 20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 g.in.background$ 65 6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 engine3.Locking. 
64 6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f doors$engine4.Ro 74 6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 tors.engaged$eng 69 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 ine5.I'm.going.t 6f 20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 o.start.it$start 31 00 53 74 61 72 74 69 6e 67 20 75 70 67 72 61 1.Starting.upgra 64 65 21 24 73 74 61 72 74 32 00 49 27 6d 20 67 de!$start2.I'm.g 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 74 68 oing.to.start.th 2014-11-21 16:51:42,078 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CEA07, Value: 55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R 43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 $engine2.Running 20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e 6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 ngine3.Locking.d 6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f 74 oors$engine4.Rot 6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 69 ors.engaged$engi 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f ne5.I'm.going.to 20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 31 .start.it$start1 00 53 74 61 72 74 69 6e 67 20 75 70 67 72 61 64 .Starting.upgrad 65 21 24 73 74 61 72 74 32 00 49 27 6d 20 67 6f e!$start2.I'm.go 69 6e 67 20 74 6f 20 73 74 61 72 74 20 74 68 65 ing.to.start.the 20 70 72 6f 67 72 61 6d 24 73 74 61 72 74 33 00 .program$start3. 
2014-11-21 16:51:42,078 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA49, Value: 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 24 65 Engine.started$e 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 20 69 ngine2.Running.i 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 6e 67 n.background$eng 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 6f 6f ine3.Locking.doo 72 73 24 65 6e 67 69 6e 65 34 00 52 6f 74 6f 72 rs$engine4.Rotor 73 20 65 6e 67 61 67 65 64 24 65 6e 67 69 6e 65 s.engaged$engine 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 5.I'm.going.to.s 74 61 72 74 20 69 74 24 73 74 61 72 74 31 00 53 tart.it$start1.S 74 61 72 74 69 6e 67 20 75 70 67 72 61 64 65 21 tarting.upgrade! 24 73 74 61 72 74 32 00 49 27 6d 20 67 6f 69 6e $start2.I'm.goin 67 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 70 g.to.start.the.p 72 6f 67 72 61 6d 24 73 74 61 72 74 33 00 69 73 rogram$start3.is 20 69 74 20 6f 6b 3f 24 73 74 61 72 74 34 00 43 .it.ok?$start4.C 6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 74 68 lick.to.start.th 65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 00 55 e.program$upd1.U 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 69 pdJob$upd2.UpdTi 2014-11-21 16:51:42,081 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA60, Value: 52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b 67 Running.in.backg 72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c 6f round$engine3.Lo 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 69 cking.doors$engi 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 67 ne4.Rotors.engag 65 64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 67 ed$engine5.I'm.g 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 69 74 oing.to.start.it 24 73 74 61 72 74 31 00 53 74 61 72 74 69 6e 67 $start1.Starting 20 75 70 67 72 61 64 65 21 24 73 74 61 72 74 32 .upgrade!$start2 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 74 .I'm.going.to.st 61 72 74 20 74 68 65 20 70 72 6f 67 72 61 6d 24 art.the.program$ 73 74 61 72 74 33 00 69 73 20 69 74 20 6f 6b 3f 
start3.is.it.ok? 24 73 74 61 72 74 34 00 43 6c 69 63 6b 20 74 6f $start4.Click.to 20 73 74 61 72 74 20 74 68 65 20 70 72 6f 67 72 .start.the.progr 61 6d 24 75 70 64 31 00 55 70 64 4a 6f 62 24 75 am$upd1.UpdJob$u 70 64 32 00 55 70 64 54 69 6d 65 72 24 6c 6f 6f pd2.UpdTimer$loo 6b 6d 61 31 00 4f 77 6e 69 6e 67 20 50 43 49 20 kma1.Owning.PCI. 2014-11-21 16:51:42,082 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA7E, Value: 4c 6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e Locking.doors$en 67 69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 gine4.Rotors.eng 61 67 65 64 24 65 6e 67 69 6e 65 35 00 49 27 6d aged$engine5.I'm 20 67 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 .going.to.start. 69 74 24 73 74 61 72 74 31 00 53 74 61 72 74 69 it$start1.Starti 6e 67 20 75 70 67 72 61 64 65 21 24 73 74 61 72 ng.upgrade!$star 74 32 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 t2.I'm.going.to. 73 74 61 72 74 20 74 68 65 20 70 72 6f 67 72 61 start.the.progra 6d 24 73 74 61 72 74 33 00 69 73 20 69 74 20 6f m$start3.is.it.o 6b 3f 24 73 74 61 72 74 34 00 43 6c 69 63 6b 20 k?$start4.Click. 
74 6f 20 73 74 61 72 74 20 74 68 65 20 70 72 6f to.start.the.pro 67 72 61 6d 24 75 70 64 31 00 55 70 64 4a 6f 62 gram$upd1.UpdJob 24 75 70 64 32 00 55 70 64 54 69 6d 65 72 24 6c $upd2.UpdTimer$l 6f 6f 6b 6d 61 31 00 4f 77 6e 69 6e 67 20 50 43 ookma1.Owning.PC 49 20 62 75 73 24 6c 6f 6f 6b 6d 61 32 00 46 6f I.bus$lookma2.Fo 72 6d 61 74 74 69 6e 67 20 62 69 6f 73 24 6c 6f rmatting.bios$lo 2014-11-21 16:51:42,084 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA94, Value: 52 6f 74 6f 72 73 20 65 6e 67 61 67 65 64 24 65 Rotors.engaged$e 6e 67 69 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 ngine5.I'm.going 20 74 6f 20 73 74 61 72 74 20 69 74 24 73 74 61 .to.start.it$sta 72 74 31 00 53 74 61 72 74 69 6e 67 20 75 70 67 rt1.Starting.upg 72 61 64 65 21 24 73 74 61 72 74 32 00 49 27 6d rade!$start2.I'm 20 67 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 .going.to.start. 74 68 65 20 70 72 6f 67 72 61 6d 24 73 74 61 72 the.program$star 74 33 00 69 73 20 69 74 20 6f 6b 3f 24 73 74 61 t3.is.it.ok?$sta 72 74 34 00 43 6c 69 63 6b 20 74 6f 20 73 74 61 rt4.Click.to.sta 72 74 20 74 68 65 20 70 72 6f 67 72 61 6d 24 75 rt.the.program$u 70 64 31 00 55 70 64 4a 6f 62 24 75 70 64 32 00 pd1.UpdJob$upd2. 55 70 64 54 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 UpdTimer$lookma1 00 4f 77 6e 69 6e 67 20 50 43 49 20 62 75 73 24 .Owning.PCI.bus$ 6c 6f 6f 6b 6d 61 32 00 46 6f 72 6d 61 74 74 69 lookma2.Formatti 6e 67 20 62 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 ng.bios$lookma3. 50 6c 65 61 73 65 20 69 6e 73 65 72 74 20 61 20 Please.insert.a. 2014-11-21 16:51:42,085 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAAB, Value: 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 74 61 I'm.going.to.sta 72 74 20 69 74 24 73 74 61 72 74 31 00 53 74 61 rt.it$start1.Sta 72 74 69 6e 67 20 75 70 67 72 61 64 65 21 24 73 rting.upgrade!$s 74 61 72 74 32 00 49 27 6d 20 67 6f 69 6e 67 20 tart2.I'm.going. 
74 6f 20 73 74 61 72 74 20 74 68 65 20 70 72 6f to.start.the.pro 67 72 61 6d 24 73 74 61 72 74 33 00 69 73 20 69 gram$start3.is.i 74 20 6f 6b 3f 24 73 74 61 72 74 34 00 43 6c 69 t.ok?$start4.Cli 63 6b 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 ck.to.start.the. 70 72 6f 67 72 61 6d 24 75 70 64 31 00 55 70 64 program$upd1.Upd 4a 6f 62 24 75 70 64 32 00 55 70 64 54 69 6d 65 Job$upd2.UpdTime 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e 69 6e 67 r$lookma1.Owning 20 50 43 49 20 62 75 73 24 6c 6f 6f 6b 6d 61 32 .PCI.bus$lookma2 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 69 6f 73 .Formatting.bios 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 73 65 20 $lookma3.Please. 69 6e 73 65 72 74 20 61 20 64 69 73 6b 20 69 6e insert.a.disk.in 20 64 72 69 76 65 20 41 3a 24 6c 6f 6f 6b 6d 61 .drive.A:$lookma 2014-11-21 16:51:42,085 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAC8, Value: 53 74 61 72 74 69 6e 67 20 75 70 67 72 61 64 65 Starting.upgrade 21 24 73 74 61 72 74 32 00 49 27 6d 20 67 6f 69 !$start2.I'm.goi 6e 67 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 ng.to.start.the. 70 72 6f 67 72 61 6d 24 73 74 61 72 74 33 00 69 program$start3.i 73 20 69 74 20 6f 6b 3f 24 73 74 61 72 74 34 00 s.it.ok?$start4. 43 6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 74 Click.to.start.t 68 65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 00 he.program$upd1. 
55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 UpdJob$upd2.UpdT 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e imer$lookma1.Own 69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f 6b ing.PCI.bus$look 6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 ma2.Formatting.b 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 ios$lookma3.Plea 73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 6b se.insert.a.disk 20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f 6f .in.drive.A:$loo 6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 50 kma4.Updating.CP 55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f 6b U.microcode$look 2014-11-21 16:51:42,088 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAE1, Value: 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 74 61 I'm.going.to.sta 72 74 20 74 68 65 20 70 72 6f 67 72 61 6d 24 73 rt.the.program$s 74 61 72 74 33 00 69 73 20 69 74 20 6f 6b 3f 24 tart3.is.it.ok?$ 73 74 61 72 74 34 00 43 6c 69 63 6b 20 74 6f 20 start4.Click.to. 73 74 61 72 74 20 74 68 65 20 70 72 6f 67 72 61 start.the.progra 6d 24 75 70 64 31 00 55 70 64 4a 6f 62 24 75 70 m$upd1.UpdJob$up 64 32 00 55 70 64 54 69 6d 65 72 24 6c 6f 6f 6b d2.UpdTimer$look 6d 61 31 00 4f 77 6e 69 6e 67 20 50 43 49 20 62 ma1.Owning.PCI.b 75 73 24 6c 6f 6f 6b 6d 61 32 00 46 6f 72 6d 61 us$lookma2.Forma 74 74 69 6e 67 20 62 69 6f 73 24 6c 6f 6f 6b 6d tting.bios$lookm 61 33 00 50 6c 65 61 73 65 20 69 6e 73 65 72 74 a3.Please.insert 20 61 20 64 69 73 6b 20 69 6e 20 64 72 69 76 65 .a.disk.in.drive 20 41 3a 24 6c 6f 6f 6b 6d 61 34 00 55 70 64 61 .A:$lookma4.Upda 74 69 6e 67 20 43 50 55 20 6d 69 63 72 6f 63 6f ting.CPU.microco 64 65 24 6c 6f 6f 6b 6d 61 35 00 4e 6f 74 20 73 de$lookma5.Not.s 75 72 65 20 77 68 61 74 27 73 20 68 61 70 70 65 ure.what's.happe 2014-11-21 16:51:42,088 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB07, Value: 69 73 20 69 74 20 6f 6b 3f 24 73 74 61 72 74 34 is.it.ok?$start4 00 43 6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 
.Click.to.start. 74 68 65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 the.program$upd1 00 55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 .UpdJob$upd2.Upd 54 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 Timer$lookma1.Ow 6e 69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f ning.PCI.bus$loo 6b 6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 kma2.Formatting. 62 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 bios$lookma3.Ple 61 73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 ase.insert.a.dis 6b 20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f k.in.drive.A:$lo 6f 6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 okma4.Updating.C 50 55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f PU.microcode$loo 6b 6d 61 35 00 4e 6f 74 20 73 75 72 65 20 77 68 kma5.Not.sure.wh 61 74 27 73 20 68 61 70 70 65 6e 69 6e 67 24 6c at's.happening$l 6f 6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d 61 2c 20 ookma6.Look.ma,. 6e 6f 20 74 68 72 65 61 64 20 69 64 21 20 5c 5c no.thread.id!.\\ 2014-11-21 16:51:42,091 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB18, Value: 43 6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 74 Click.to.start.t 68 65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 00 he.program$upd1. 
55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 UpdJob$upd2.UpdT 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e imer$lookma1.Own 69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f 6b ing.PCI.bus$look 6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 ma2.Formatting.b 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 ios$lookma3.Plea 73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 6b se.insert.a.disk 20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f 6f .in.drive.A:$loo 6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 50 kma4.Updating.CP 55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f 6b U.microcode$look 6d 61 35 00 4e 6f 74 20 73 75 72 65 20 77 68 61 ma5.Not.sure.wha 74 27 73 20 68 61 70 70 65 6e 69 6e 67 24 6c 6f t's.happening$lo 6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d 61 2c 20 6e okma6.Look.ma,.n 6f 20 74 68 72 65 61 64 20 69 64 21 20 5c 5c 6f o.thread.id!.\\o 2f 52 43 53 5f 53 63 6f 75 74 00 64 65 74 65 63 /RCS_Scout.detec 2014-11-21 16:51:42,092 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB38, Value: 55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 UpdJob$upd2.UpdT 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e imer$lookma1.Own 69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f 6b ing.PCI.bus$look 6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 ma2.Formatting.b 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 ios$lookma3.Plea 73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 6b se.insert.a.disk 20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f 6f .in.drive.A:$loo 6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 50 kma4.Updating.CP 55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f 6b U.microcode$look 6d 61 35 00 4e 6f 74 20 73 75 72 65 20 77 68 61 ma5.Not.sure.wha 74 27 73 20 68 61 70 70 65 6e 69 6e 67 24 6c 6f t's.happening$lo 6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d 61 2c 20 6e okma6.Look.ma,.n 6f 20 74 68 72 65 61 64 20 69 64 21 20 5c 5c 6f o.thread.id!.\\o 2f 52 43 53 5f 53 63 6f 75 74 00 64 65 74 65 63 /RCS_Scout.detec 74 69 6f 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 
tion.Hacking.Tea 6d 20 52 43 53 20 42 61 63 6b 64 6f 6f 72 00 24 m.RCS.Backdoor.$ 2014-11-21 16:51:42,094 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB44, Value: 55 70 64 54 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 UpdTimer$lookma1 00 4f 77 6e 69 6e 67 20 50 43 49 20 62 75 73 24 .Owning.PCI.bus$ 6c 6f 6f 6b 6d 61 32 00 46 6f 72 6d 61 74 74 69 lookma2.Formatti 6e 67 20 62 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 ng.bios$lookma3. 50 6c 65 61 73 65 20 69 6e 73 65 72 74 20 61 20 Please.insert.a. 64 69 73 6b 20 69 6e 20 64 72 69 76 65 20 41 3a disk.in.drive.A: 24 6c 6f 6f 6b 6d 61 34 00 55 70 64 61 74 69 6e $lookma4.Updatin 67 20 43 50 55 20 6d 69 63 72 6f 63 6f 64 65 24 g.CPU.microcode$ 6c 6f 6f 6b 6d 61 35 00 4e 6f 74 20 73 75 72 65 lookma5.Not.sure 20 77 68 61 74 27 73 20 68 61 70 70 65 6e 69 6e .what's.happenin 67 24 6c 6f 6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d g$lookma6.Look.m 61 2c 20 6e 6f 20 74 68 72 65 61 64 20 69 64 21 a,.no.thread.id! 20 5c 5c 6f 2f 52 43 53 5f 53 63 6f 75 74 00 64 .\\o/RCS_Scout.d 65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e 67 etection.Hacking 20 54 65 61 6d 20 52 43 53 20 42 61 63 6b 64 6f .Team.RCS.Backdo 6f 72 00 24 64 65 62 75 67 31 00 2d 20 43 68 65 or.$debug1.-.Che 2014-11-21 16:51:42,095 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC3F, Value: 2d 20 43 68 65 63 6b 69 6e 67 20 63 6f 6d 70 6f -.Checking.compo 6e 65 6e 74 73 24 64 65 62 75 67 32 00 2d 20 41 nents$debug2.-.A 63 74 69 76 61 74 69 6e 67 20 68 69 64 69 6e 67 ctivating.hiding 20 73 79 73 74 65 6d 24 64 65 62 75 67 33 00 66 .system$debug3.f 75 6c 6c 79 20 6f 70 65 72 61 74 69 6f 6e 61 6c ully.operational 24 6c 6f 67 31 00 2d 20 42 72 6f 77 73 65 72 20 $log1.-.Browser. 
61 63 74 69 76 69 74 79 20 28 46 46 29 24 6c 6f activity.(FF)$lo 67 32 00 2d 20 42 72 6f 77 73 65 72 20 61 63 74 g2.-.Browser.act 69 76 69 74 79 20 28 49 45 29 24 65 72 72 6f 72 ivity.(IE)$error 31 00 5b 55 6e 61 62 6c 65 20 74 6f 20 64 65 70 1.[Unable.to.dep 6c 6f 79 5d 24 65 72 72 6f 72 32 00 5b 54 68 65 loy]$error2.[The 20 73 79 73 74 65 6d 20 69 73 20 61 6c 72 65 61 .system.is.alrea 64 79 20 6d 6f 6e 69 74 6f 72 65 64 5d 52 43 53 dy.monitored]RCS 5f 42 61 63 6b 64 6f 6f 72 00 64 65 74 65 63 74 _Backdoor.detect 69 6f 6e 00 46 69 6e 46 69 73 68 65 72 20 46 69 ion.FinFisher.Fi 6e 53 70 79 00 24 70 61 73 73 77 6f 72 64 31 00 nSpy.$password1. 2014-11-21 16:51:42,096 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC5C, Value: 2d 20 41 63 74 69 76 61 74 69 6e 67 20 68 69 64 -.Activating.hid 69 6e 67 20 73 79 73 74 65 6d 24 64 65 62 75 67 ing.system$debug 33 00 66 75 6c 6c 79 20 6f 70 65 72 61 74 69 6f 3.fully.operatio 6e 61 6c 24 6c 6f 67 31 00 2d 20 42 72 6f 77 73 nal$log1.-.Brows 65 72 20 61 63 74 69 76 69 74 79 20 28 46 46 29 er.activity.(FF) 24 6c 6f 67 32 00 2d 20 42 72 6f 77 73 65 72 20 $log2.-.Browser. 61 63 74 69 76 69 74 79 20 28 49 45 29 24 65 72 activity.(IE)$er 72 6f 72 31 00 5b 55 6e 61 62 6c 65 20 74 6f 20 ror1.[Unable.to. 64 65 70 6c 6f 79 5d 24 65 72 72 6f 72 32 00 5b deploy]$error2.[ 54 68 65 20 73 79 73 74 65 6d 20 69 73 20 61 6c The.system.is.al 72 65 61 64 79 20 6d 6f 6e 69 74 6f 72 65 64 5d ready.monitored] 52 43 53 5f 42 61 63 6b 64 6f 6f 72 00 64 65 74 RCS_Backdoor.det 65 63 74 69 6f 6e 00 46 69 6e 46 69 73 68 65 72 ection.FinFisher 20 46 69 6e 53 70 79 00 24 70 61 73 73 77 6f 72 .FinSpy.$passwor 64 31 00 2f 73 63 6f 6d 6d 61 20 6b 62 64 31 30 d1./scomma.kbd10 31 2e 73 79 73 24 70 61 73 73 77 6f 72 64 32 00 1.sys$password2. 
2014-11-21 16:51:42,098 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC7E, Value: 66 75 6c 6c 79 20 6f 70 65 72 61 74 69 6f 6e 61 fully.operationa 6c 24 6c 6f 67 31 00 2d 20 42 72 6f 77 73 65 72 l$log1.-.Browser 20 61 63 74 69 76 69 74 79 20 28 46 46 29 24 6c .activity.(FF)$l 6f 67 32 00 2d 20 42 72 6f 77 73 65 72 20 61 63 og2.-.Browser.ac 74 69 76 69 74 79 20 28 49 45 29 24 65 72 72 6f tivity.(IE)$erro 72 31 00 5b 55 6e 61 62 6c 65 20 74 6f 20 64 65 r1.[Unable.to.de 70 6c 6f 79 5d 24 65 72 72 6f 72 32 00 5b 54 68 ploy]$error2.[Th 65 20 73 79 73 74 65 6d 20 69 73 20 61 6c 72 65 e.system.is.alre 61 64 79 20 6d 6f 6e 69 74 6f 72 65 64 5d 52 43 ady.monitored]RC 53 5f 42 61 63 6b 64 6f 6f 72 00 64 65 74 65 63 S_Backdoor.detec 74 69 6f 6e 00 46 69 6e 46 69 73 68 65 72 20 46 tion.FinFisher.F 69 6e 53 70 79 00 24 70 61 73 73 77 6f 72 64 31 inSpy.$password1 00 2f 73 63 6f 6d 6d 61 20 6b 62 64 31 30 31 2e ./scomma.kbd101. 73 79 73 24 70 61 73 73 77 6f 72 64 32 00 4e 41 sys$password2.NA 4d 45 2c 45 4d 41 49 4c 20 43 4c 49 45 4e 54 2c ME,EMAIL.CLIENT, 45 4d 41 49 4c 20 41 44 44 52 45 53 53 2c 53 45 EMAIL.ADDRESS,SE 2014-11-21 16:51:42,099 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC95, Value: 2d 20 42 72 6f 77 73 65 72 20 61 63 74 69 76 69 -.Browser.activi 74 79 20 28 46 46 29 24 6c 6f 67 32 00 2d 20 42 ty.(FF)$log2.-.B 72 6f 77 73 65 72 20 61 63 74 69 76 69 74 79 20 rowser.activity. 
28 49 45 29 24 65 72 72 6f 72 31 00 5b 55 6e 61 (IE)$error1.[Una 62 6c 65 20 74 6f 20 64 65 70 6c 6f 79 5d 24 65 ble.to.deploy]$e 72 72 6f 72 32 00 5b 54 68 65 20 73 79 73 74 65 rror2.[The.syste 6d 20 69 73 20 61 6c 72 65 61 64 79 20 6d 6f 6e m.is.already.mon 69 74 6f 72 65 64 5d 52 43 53 5f 42 61 63 6b 64 itored]RCS_Backd 6f 6f 72 00 64 65 74 65 63 74 69 6f 6e 00 46 69 oor.detection.Fi 6e 46 69 73 68 65 72 20 46 69 6e 53 70 79 00 24 nFisher.FinSpy.$ 70 61 73 73 77 6f 72 64 31 00 2f 73 63 6f 6d 6d password1./scomm 61 20 6b 62 64 31 30 31 2e 73 79 73 24 70 61 73 a.kbd101.sys$pas 73 77 6f 72 64 32 00 4e 41 4d 45 2c 45 4d 41 49 sword2.NAME,EMAI 4c 20 43 4c 49 45 4e 54 2c 45 4d 41 49 4c 20 41 L.CLIENT,EMAIL.A 44 44 52 45 53 53 2c 53 45 52 56 45 52 20 4e 41 DDRESS,SERVER.NA 4d 45 2c 53 45 52 56 45 52 20 54 59 50 45 2c 55 ME,SERVER.TYPE,U 2014-11-21 16:51:42,101 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECB2, Value: 2d 20 42 72 6f 77 73 65 72 20 61 63 74 69 76 69 -.Browser.activi 74 79 20 28 49 45 29 24 65 72 72 6f 72 31 00 5b ty.(IE)$error1.[ 55 6e 61 62 6c 65 20 74 6f 20 64 65 70 6c 6f 79 Unable.to.deploy 5d 24 65 72 72 6f 72 32 00 5b 54 68 65 20 73 79 ]$error2.[The.sy 73 74 65 6d 20 69 73 20 61 6c 72 65 61 64 79 20 stem.is.already. 
6d 6f 6e 69 74 6f 72 65 64 5d 52 43 53 5f 42 61 monitored]RCS_Ba 63 6b 64 6f 6f 72 00 64 65 74 65 63 74 69 6f 6e ckdoor.detection 00 46 69 6e 46 69 73 68 65 72 20 46 69 6e 53 70 .FinFisher.FinSp 79 00 24 70 61 73 73 77 6f 72 64 31 00 2f 73 63 y.$password1./sc 6f 6d 6d 61 20 6b 62 64 31 30 31 2e 73 79 73 24 omma.kbd101.sys$ 70 61 73 73 77 6f 72 64 32 00 4e 41 4d 45 2c 45 password2.NAME,E 4d 41 49 4c 20 43 4c 49 45 4e 54 2c 45 4d 41 49 MAIL.CLIENT,EMAI 4c 20 41 44 44 52 45 53 53 2c 53 45 52 56 45 52 L.ADDRESS,SERVER 20 4e 41 4d 45 2c 53 45 52 56 45 52 20 54 59 50 .NAME,SERVER.TYP 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 E,USERNAME,PASSW 4f 52 44 2c 50 52 4f 46 49 4c 45 24 70 61 73 73 ORD,PROFILE$pass 2014-11-21 16:51:42,101 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECD1, Value: 5b 55 6e 61 62 6c 65 20 74 6f 20 64 65 70 6c 6f [Unable.to.deplo 79 5d 24 65 72 72 6f 72 32 00 5b 54 68 65 20 73 y]$error2.[The.s 79 73 74 65 6d 20 69 73 20 61 6c 72 65 61 64 79 ystem.is.already 20 6d 6f 6e 69 74 6f 72 65 64 5d 52 43 53 5f 42 .monitored]RCS_B 61 63 6b 64 6f 6f 72 00 64 65 74 65 63 74 69 6f ackdoor.detectio 6e 00 46 69 6e 46 69 73 68 65 72 20 46 69 6e 53 n.FinFisher.FinS 70 79 00 24 70 61 73 73 77 6f 72 64 31 00 2f 73 py.$password1./s 63 6f 6d 6d 61 20 6b 62 64 31 30 31 2e 73 79 73 comma.kbd101.sys 24 70 61 73 73 77 6f 72 64 32 00 4e 41 4d 45 2c $password2.NAME, 45 4d 41 49 4c 20 43 4c 49 45 4e 54 2c 45 4d 41 EMAIL.CLIENT,EMA 49 4c 20 41 44 44 52 45 53 53 2c 53 45 52 56 45 IL.ADDRESS,SERVE 52 20 4e 41 4d 45 2c 53 45 52 56 45 52 20 54 59 R.NAME,SERVER.TY 50 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 PE,USERNAME,PASS 57 4f 52 44 2c 50 52 4f 46 49 4c 45 24 70 61 73 WORD,PROFILE$pas 73 77 6f 72 64 33 00 2f 73 63 6f 6d 6d 61 20 65 sword3./scomma.e 78 63 65 6c 32 30 31 30 2e 70 61 72 74 24 70 61 xcel2010.part$pa 2014-11-21 16:51:42,104 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 
0x542CECEB, Value: 5b 54 68 65 20 73 79 73 74 65 6d 20 69 73 20 61 [The.system.is.a 6c 72 65 61 64 79 20 6d 6f 6e 69 74 6f 72 65 64 lready.monitored 5d 52 43 53 5f 42 61 63 6b 64 6f 6f 72 00 64 65 ]RCS_Backdoor.de 74 65 63 74 69 6f 6e 00 46 69 6e 46 69 73 68 65 tection.FinFishe 72 20 46 69 6e 53 70 79 00 24 70 61 73 73 77 6f r.FinSpy.$passwo 72 64 31 00 2f 73 63 6f 6d 6d 61 20 6b 62 64 31 rd1./scomma.kbd1 30 31 2e 73 79 73 24 70 61 73 73 77 6f 72 64 32 01.sys$password2 00 4e 41 4d 45 2c 45 4d 41 49 4c 20 43 4c 49 45 .NAME,EMAIL.CLIE 4e 54 2c 45 4d 41 49 4c 20 41 44 44 52 45 53 53 NT,EMAIL.ADDRESS 2c 53 45 52 56 45 52 20 4e 41 4d 45 2c 53 45 52 ,SERVER.NAME,SER 56 45 52 20 54 59 50 45 2c 55 53 45 52 4e 41 4d VER.TYPE,USERNAM 45 2c 50 41 53 53 57 4f 52 44 2c 50 52 4f 46 49 E,PASSWORD,PROFI 4c 45 24 70 61 73 73 77 6f 72 64 33 00 2f 73 63 LE$password3./sc 6f 6d 6d 61 20 65 78 63 65 6c 32 30 31 30 2e 70 omma.excel2010.p 61 72 74 24 70 61 73 73 77 6f 72 64 34 00 41 50 art$password4.AP 50 4c 49 43 41 54 49 4f 4e 2c 50 52 4f 54 4f 43 PLICATION,PROTOC 2014-11-21 16:51:42,105 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CED3F, Value: 2f 73 63 6f 6d 6d 61 20 6b 62 64 31 30 31 2e 73 /scomma.kbd101.s 79 73 24 70 61 73 73 77 6f 72 64 32 00 4e 41 4d ys$password2.NAM 45 2c 45 4d 41 49 4c 20 43 4c 49 45 4e 54 2c 45 E,EMAIL.CLIENT,E 4d 41 49 4c 20 41 44 44 52 45 53 53 2c 53 45 52 MAIL.ADDRESS,SER 56 45 52 20 4e 41 4d 45 2c 53 45 52 56 45 52 20 VER.NAME,SERVER. 
54 59 50 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 TYPE,USERNAME,PA 53 53 57 4f 52 44 2c 50 52 4f 46 49 4c 45 24 70 SSWORD,PROFILE$p 61 73 73 77 6f 72 64 33 00 2f 73 63 6f 6d 6d 61 assword3./scomma 20 65 78 63 65 6c 32 30 31 30 2e 70 61 72 74 24 .excel2010.part$ 70 61 73 73 77 6f 72 64 34 00 41 50 50 4c 49 43 password4.APPLIC 41 54 49 4f 4e 2c 50 52 4f 54 4f 43 4f 4c 2c 55 ATION,PROTOCOL,U 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD 24 70 61 73 73 77 6f 72 64 35 00 2f 73 74 61 62 $password5./stab 20 4d 53 56 43 52 33 32 2e 6d 61 6e 69 66 65 73 .MSVCR32.manifes 74 24 70 61 73 73 77 6f 72 64 36 00 2f 73 63 6f t$password6./sco 6d 6d 61 20 4d 53 4e 32 30 31 30 2e 64 6c 6c 24 mma.MSN2010.dll$ |
22.11.2014, 14:08 | #8 |
| What to do? Detekt found five! trojans, virus scanners have found nothing so far. Detekt.Log part 3/3 Detekt.log 3/3 Code:
ATTFilter 2014-11-21 16:51:42,107 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CED5C, Value: 4e 41 4d 45 2c 45 4d 41 49 4c 20 43 4c 49 45 4e NAME,EMAIL.CLIEN 54 2c 45 4d 41 49 4c 20 41 44 44 52 45 53 53 2c T,EMAIL.ADDRESS, 53 45 52 56 45 52 20 4e 41 4d 45 2c 53 45 52 56 SERVER.NAME,SERV 45 52 20 54 59 50 45 2c 55 53 45 52 4e 41 4d 45 ER.TYPE,USERNAME 2c 50 41 53 53 57 4f 52 44 2c 50 52 4f 46 49 4c ,PASSWORD,PROFIL 45 24 70 61 73 73 77 6f 72 64 33 00 2f 73 63 6f E$password3./sco 6d 6d 61 20 65 78 63 65 6c 32 30 31 30 2e 70 61 mma.excel2010.pa 72 74 24 70 61 73 73 77 6f 72 64 34 00 41 50 50 rt$password4.APP 4c 49 43 41 54 49 4f 4e 2c 50 52 4f 54 4f 43 4f LICATION,PROTOCO 4c 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 L,USERNAME,PASSW 4f 52 44 24 70 61 73 73 77 6f 72 64 35 00 2f 73 ORD$password5./s 74 61 62 20 4d 53 56 43 52 33 32 2e 6d 61 6e 69 tab.MSVCR32.mani 66 65 73 74 24 70 61 73 73 77 6f 72 64 36 00 2f fest$password6./ 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 30 2e 64 scomma.MSN2010.d 6c 6c 24 70 61 73 73 77 6f 72 64 37 00 2f 73 63 ll$password7./sc 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e 62 61 73 omma.Firefox.bas 2014-11-21 16:51:42,108 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEDB8, Value: 2f 73 63 6f 6d 6d 61 20 65 78 63 65 6c 32 30 31 /scomma.excel201 30 2e 70 61 72 74 24 70 61 73 73 77 6f 72 64 34 0.part$password4 00 41 50 50 4c 49 43 41 54 49 4f 4e 2c 50 52 4f .APPLICATION,PRO 54 4f 43 4f 4c 2c 55 53 45 52 4e 41 4d 45 2c 50 TOCOL,USERNAME,P 41 53 53 57 4f 52 44 24 70 61 73 73 77 6f 72 64 ASSWORD$password 35 00 2f 73 74 61 62 20 4d 53 56 43 52 33 32 2e 5./stab.MSVCR32. 
6d 61 6e 69 66 65 73 74 24 70 61 73 73 77 6f 72 manifest$passwor 64 36 00 2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 d6./scomma.MSN20 31 30 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 37 10.dll$password7 00 2f 73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 ./scomma.Firefox 2e 62 61 73 65 24 70 61 73 73 77 6f 72 64 38 00 .base$password8. 49 4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 INDEX,URL,USERNA 4d 45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 ME,PASSWORD,USER 4e 41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 NAME.FIELD,PASSW 4f 52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 ORD.FIELD,FILE,H 54 54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 TTP$password9./s 2014-11-21 16:51:42,108 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEDD9, Value: 41 50 50 4c 49 43 41 54 49 4f 4e 2c 50 52 4f 54 APPLICATION,PROT 4f 43 4f 4c 2c 55 53 45 52 4e 41 4d 45 2c 50 41 OCOL,USERNAME,PA 53 53 57 4f 52 44 24 70 61 73 73 77 6f 72 64 35 SSWORD$password5 00 2f 73 74 61 62 20 4d 53 56 43 52 33 32 2e 6d ./stab.MSVCR32.m 61 6e 69 66 65 73 74 24 70 61 73 73 77 6f 72 64 anifest$password 36 00 2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 6./scomma.MSN201 30 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 37 00 0.dll$password7. 2f 73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e /scomma.Firefox. 
62 61 73 65 24 70 61 73 73 77 6f 72 64 38 00 49 base$password8.I 4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d NDEX,URL,USERNAM 45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e E,PASSWORD,USERN 41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f AME.FIELD,PASSWO 52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 RD.FIELD,FILE,HT 54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 TP$password9./sc 6f 6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 omma.IE7setup.sy 73 24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 s$password10.ORI 2014-11-21 16:51:42,111 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE0A, Value: 2f 73 74 61 62 20 4d 53 56 43 52 33 32 2e 6d 61 /stab.MSVCR32.ma 6e 69 66 65 73 74 24 70 61 73 73 77 6f 72 64 36 nifest$password6 00 2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 30 ./scomma.MSN2010 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 37 00 2f .dll$password7./ 73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e 62 scomma.Firefox.b 61 73 65 24 70 61 73 73 77 6f 72 64 38 00 49 4e ase$password8.IN 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d 45 DEX,URL,USERNAME 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e 41 ,PASSWORD,USERNA 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f 52 ME.FIELD,PASSWOR 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 54 D.FIELD,FILE,HTT 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 6f P$password9./sco 6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 73 mma.IE7setup.sys 24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 47 $password10.ORIG 49 4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 55 52 IN.URL,ACTION.UR 4c 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 L,USERNAME.FIELD 2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 2c ,PASSWORD.FIELD, 2014-11-21 16:51:42,111 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE2B, Value: 2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 30 2e /scomma.MSN2010. 
64 6c 6c 24 70 61 73 73 77 6f 72 64 37 00 2f 73 dll$password7./s 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e 62 61 comma.Firefox.ba 73 65 24 70 61 73 73 77 6f 72 64 38 00 49 4e 44 se$password8.IND 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d 45 2c EX,URL,USERNAME, 50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e 41 4d PASSWORD,USERNAM 45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f 52 44 E.FIELD,PASSWORD 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 54 50 .FIELD,FILE,HTTP 24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 6f 6d $password9./scom 6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 73 24 ma.IE7setup.sys$ 70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 47 49 password10.ORIGI 4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 55 52 4c N.URL,ACTION.URL 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 2c ,USERNAME.FIELD, 50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 2c 55 PASSWORD.FIELD,U 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD 2c 54 49 4d 45 53 54 41 4d 50 24 70 61 73 73 77 ,TIMESTAMP$passw 2014-11-21 16:51:42,114 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE49, Value: 2f 73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e /scomma.Firefox. 
62 61 73 65 24 70 61 73 73 77 6f 72 64 38 00 49 base$password8.I 4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d NDEX,URL,USERNAM 45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e E,PASSWORD,USERN 41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f AME.FIELD,PASSWO 52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 RD.FIELD,FILE,HT 54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 TP$password9./sc 6f 6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 omma.IE7setup.sy 73 24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 s$password10.ORI 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 55 GIN.URL,ACTION.U 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c RL,USERNAME.FIEL 44 2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 D,PASSWORD.FIELD 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f ,USERNAME,PASSWO 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 70 61 73 RD,TIMESTAMP$pas 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d 6d 61 20 sword11./scomma. 6f 66 66 69 63 65 32 30 30 37 2e 63 61 62 24 70 office2007.cab$p 2014-11-21 16:51:42,115 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE68, Value: 49 4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 INDEX,URL,USERNA 4d 45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 ME,PASSWORD,USER 4e 41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 NAME.FIELD,PASSW 4f 52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 ORD.FIELD,FILE,H 54 54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 TTP$password9./s 63 6f 6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 comma.IE7setup.s 79 73 24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 ys$password10.OR 49 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 IGIN.URL,ACTION. 
55 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 URL,USERNAME.FIE 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c LD,PASSWORD.FIEL 44 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 D,USERNAME,PASSW 4f 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 70 61 ORD,TIMESTAMP$pa 73 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d 6d 61 ssword11./scomma 20 6f 66 66 69 63 65 32 30 30 37 2e 63 61 62 24 .office2007.cab$ 70 61 73 73 77 6f 72 64 31 32 00 55 52 4c 2c 50 password12.URL,P 41 53 53 57 4f 52 44 20 54 59 50 45 2c 55 53 45 ASSWORD.TYPE,USE 2014-11-21 16:51:42,117 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEEB6, Value: 2f 73 63 6f 6d 6d 61 20 49 45 37 73 65 74 75 70 /scomma.IE7setup 2e 73 79 73 24 70 61 73 73 77 6f 72 64 31 30 00 .sys$password10. 4f 52 49 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f ORIGIN.URL,ACTIO 4e 20 55 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 N.URL,USERNAME.F 49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI 45 4c 44 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 ELD,USERNAME,PAS 53 57 4f 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 SWORD,TIMESTAMP$ 70 61 73 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d password11./scom 6d 61 20 6f 66 66 69 63 65 32 30 30 37 2e 63 61 ma.office2007.ca 62 24 70 61 73 73 77 6f 72 64 31 32 00 55 52 4c b$password12.URL 2c 50 41 53 53 57 4f 52 44 20 54 59 50 45 2c 55 ,PASSWORD.TYPE,U 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 2c ,USERNAME.FIELD, 50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 24 70 PASSWORD.FIELD$p 61 73 73 77 6f 72 64 31 33 00 2f 73 63 6f 6d 6d assword13./scomm 61 20 6f 75 74 6c 6f 6f 6b 32 30 30 37 2e 64 6c a.outlook2007.dl 2014-11-21 16:51:42,118 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEED6, Value: 4f 52 49 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f ORIGIN.URL,ACTIO 4e 20 55 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 N.URL,USERNAME.F 49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI 
45 4c 44 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 ELD,USERNAME,PAS 53 57 4f 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 SWORD,TIMESTAMP$ 70 61 73 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d password11./scom 6d 61 20 6f 66 66 69 63 65 32 30 30 37 2e 63 61 ma.office2007.ca 62 24 70 61 73 73 77 6f 72 64 31 32 00 55 52 4c b$password12.URL 2c 50 41 53 53 57 4f 52 44 20 54 59 50 45 2c 55 ,PASSWORD.TYPE,U 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 2c ,USERNAME.FIELD, 50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 24 70 PASSWORD.FIELD$p 61 73 73 77 6f 72 64 31 33 00 2f 73 63 6f 6d 6d assword13./scomm 61 20 6f 75 74 6c 6f 6f 6b 32 30 30 37 2e 64 6c a.outlook2007.dl 6c 24 70 61 73 73 77 6f 72 64 31 34 00 46 49 4c l$password14.FIL 45 4e 41 4d 45 2c 45 4e 43 52 59 50 54 49 4f 4e ENAME,ENCRYPTION 2014-11-21 16:51:42,119 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEF31, Value: 2f 73 63 6f 6d 6d 61 20 6f 66 66 69 63 65 32 30 /scomma.office20 30 37 2e 63 61 62 24 70 61 73 73 77 6f 72 64 31 07.cab$password1 32 00 55 52 4c 2c 50 41 53 53 57 4f 52 44 20 54 2.URL,PASSWORD.T 59 50 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 YPE,USERNAME,PAS 53 57 4f 52 44 2c 55 53 45 52 4e 41 4d 45 20 46 SWORD,USERNAME.F 49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI 45 4c 44 24 70 61 73 73 77 6f 72 64 31 33 00 2f ELD$password13./ 73 63 6f 6d 6d 61 20 6f 75 74 6c 6f 6f 6b 32 30 scomma.outlook20 30 37 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 31 07.dll$password1 34 00 46 49 4c 45 4e 41 4d 45 2c 45 4e 43 52 59 4.FILENAME,ENCRY 50 54 49 4f 4e 2c 56 45 52 53 49 4f 4e 2c 43 52 PTION,VERSION,CR 43 2c 50 41 53 53 57 4f 52 44 20 31 2c 50 41 53 C,PASSWORD.1,PAS 53 57 4f 52 44 20 32 2c 50 41 53 53 57 4f 52 f1 SWORD.2,PASSWOR. 8d 37 5f 6d 76 60 00 43 0e 01 00 00 00 00 00 00 .7_mv`.C........ 00 00 00 00 30 68 07 0d 80 65 07 00 00 00 00 0c ....0h...e...... 
20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G. 2014-11-21 17:01:39,382 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x479274, Value: 23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s. 69 00 74 00 55 00 72 00 6c 00 0d 00 0a 00 32 00 i.t.U.r.l.....2. 34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f... 37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0. 20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4. 66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3... 34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f. 20 00 37 00 33 00 20 00 36 00 35 00 20 00 24 00 ..7.3...6.5...$. 62 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 b.o.t.8...#.B.O. 54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 0d 00 T.#.C.l.o.s.e... 0a 00 35 00 33 00 20 00 36 00 35 00 20 00 37 00 ..5.3...6.5...7. 32 00 20 00 37 00 36 00 20 00 36 00 35 00 20 00 2...7.6...6.5... 37 00 32 00 20 00 32 00 34 00 20 00 36 00 34 00 7.2...2.4...6.4. 20 00 36 00 34 00 20 00 36 00 66 00 20 00 37 00 ..6.4...6.f...7. 33 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 3...3.1...0.0... 34 00 34 00 20 00 34 00 34 00 20 00 34 00 66 00 4.4...4.4...4.f. 2014-11-21 17:01:39,384 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47CEB4, Value: 23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s. 69 00 74 00 55 00 72 00 6c 00 24 00 62 00 0d 00 i.t.U.r.l.$.b... 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3. 38 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 8...0.0...2.3... 34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4. 20 00 32 00 33 00 20 00 34 00 33 00 20 00 36 00 ..2.3...4.3...6. 63 00 20 00 36 00 66 00 20 00 37 00 33 00 20 00 c...6.f...7.3... 36 00 35 00 20 00 35 00 33 00 20 00 36 00 35 00 6.5...5.3...6.5. 20 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 ..o.t.8...#.B.O. 
54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S. 65 00 0d 00 0a 00 37 00 32 00 20 00 37 00 36 00 e.....7.2...7.6. 20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2. 34 00 20 00 36 00 34 00 20 00 36 00 34 00 20 00 4...6.4...6.4... 36 00 66 00 20 00 37 00 33 00 20 00 33 00 31 00 6.f...7.3...3.1. 20 00 30 00 30 00 20 00 34 00 34 00 20 00 34 00 ..0.0...4.4...4. 34 00 20 00 34 00 66 00 20 00 35 00 33 00 20 00 4...4.f...5.3... 2014-11-21 17:01:39,385 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47E86E, Value: 23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s. 69 00 74 00 55 00 72 00 6c 00 24 00 62 00 6f 00 i.t.U.r.l.$.b.o. 0d 00 0a 00 37 00 34 00 20 00 33 00 38 00 20 00 ....7.4...3.8... 30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2. 20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2. 33 00 20 00 34 00 33 00 20 00 36 00 63 00 20 00 3...4.3...6.c... 36 00 66 00 20 00 37 00 33 00 20 00 36 00 35 00 6.f...7.3...6.5. 20 00 35 00 33 00 20 00 36 00 35 00 20 00 37 00 ..5.3...6.5...7. 32 00 20 00 74 00 38 00 2e 00 23 00 42 00 4f 00 2...t.8...#.B.O. 54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S. 65 00 72 00 0d 00 0a 00 37 00 36 00 20 00 36 00 e.r.....7.6...6. 35 00 20 00 37 00 32 00 20 00 32 00 34 00 20 00 5...7.2...2.4... 36 00 34 00 20 00 36 00 34 00 20 00 36 00 66 00 6.4...6.4...6.f. 20 00 37 00 33 00 20 00 33 00 31 00 20 00 30 00 ..7.3...3.1...0. 30 00 20 00 34 00 34 00 20 00 34 00 34 00 20 00 0...4.4...4.4... 34 00 66 00 20 00 35 00 33 00 20 00 34 00 38 00 4.f...5.3...4.8. 2014-11-21 17:01:39,387 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47F1B2, Value: 23 00 42 00 4f 00 54 00 23 00 43 00 6c 00 6f 00 #.B.O.T.#.C.l.o. 73 00 65 00 53 00 65 00 72 00 76 00 65 00 72 00 s.e.S.e.r.v.e.r. 0d 00 0a 00 32 00 34 00 20 00 36 00 34 00 20 00 ....2.4...6.4... 
36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3. 20 00 33 00 31 00 20 00 30 00 30 00 20 00 34 00 ..3.1...0.0...4. 34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f... 35 00 33 00 20 00 34 00 38 00 20 00 35 00 34 00 5.3...4.8...5.4. 20 00 35 00 34 00 20 00 35 00 30 00 20 00 34 00 ..5.4...5.0...4. 36 00 20 00 24 00 64 00 64 00 6f 00 73 00 31 00 6...$.d.d.o.s.1. 2e 00 44 00 44 00 4f 00 53 00 48 00 54 00 54 00 ..D.D.O.S.H.T.T. 50 00 46 00 0d 00 0a 00 34 00 63 00 20 00 34 00 P.F.....4.c...4. 66 00 20 00 34 00 66 00 20 00 34 00 34 00 20 00 f...4.f...4.4... 32 00 34 00 20 00 36 00 34 00 20 00 36 00 34 00 2.4...6.4...6.4. 20 00 36 00 66 00 20 00 37 00 33 00 20 00 33 00 ..6.f...7.3...3. 32 00 20 00 30 00 30 00 20 00 34 00 34 00 20 00 2...0.0...4.4... 34 00 34 00 20 00 34 00 66 00 20 00 35 00 33 00 4.4...4.f...5.3. 2014-11-21 17:01:39,388 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A584, Value: 44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P. 46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 F.L.O.O.D.$.d... 0a 00 36 00 34 00 20 00 36 00 66 00 20 00 37 00 ..6.4...6.f...7. 33 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 3...3.2...0.0... 34 00 34 00 20 00 34 00 34 00 20 00 34 00 66 00 4.4...4.4...4.f. 20 00 35 00 33 00 20 00 35 00 33 00 20 00 35 00 ..5.3...5.3...5. 39 00 20 00 34 00 65 00 20 00 34 00 36 00 20 00 9...4.e...4.6... 34 00 63 00 20 00 34 00 66 00 20 00 34 00 66 00 4.c...4.f...4.f. 20 00 64 00 6f 00 73 00 32 00 2e 00 44 00 44 00 ..d.o.s.2...D.D. 4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O. 4f 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 O.........2.0.1. 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1... 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2. 2c 00 30 00 33 00 32 00 20 00 2d 00 20 00 64 00 ,.0.3.2...-...d. 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r... 
2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N. 2014-11-21 17:01:39,390 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B5FE, Value: 44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P. 46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 F.L.O.O.D.$.d.d. 0d 00 0a 00 36 00 66 00 20 00 37 00 33 00 20 00 ....6.f...7.3... 33 00 32 00 20 00 30 00 30 00 20 00 34 00 34 00 3.2...0.0...4.4. 20 00 34 00 34 00 20 00 34 00 66 00 20 00 35 00 ..4.4...4.f...5. 33 00 20 00 35 00 33 00 20 00 35 00 39 00 20 00 3...5.3...5.9... 34 00 65 00 20 00 34 00 36 00 20 00 34 00 63 00 4.e...4.6...4.c. 20 00 34 00 66 00 20 00 34 00 66 00 20 00 34 00 ..4.f...4.f...4. 34 00 20 00 6f 00 73 00 32 00 2e 00 44 00 44 00 4...o.s.2...D.D. 4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O. 4f 00 44 00 0d 00 0a 00 32 00 34 00 20 00 36 00 O.D.....2.4...6. 34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f... 37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0. 20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4. 66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5... 34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6. 2014-11-21 17:01:39,391 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47FAF6, Value: 44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P. 46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 F.L.O.O.D.$.d.d. 0d 00 0a 00 36 00 66 00 20 00 37 00 33 00 20 00 ....6.f...7.3... 33 00 32 00 20 00 30 00 30 00 20 00 34 00 34 00 3.2...0.0...4.4. 20 00 34 00 34 00 20 00 34 00 66 00 20 00 35 00 ..4.4...4.f...5. 33 00 20 00 35 00 33 00 20 00 35 00 39 00 20 00 3...5.3...5.9... 34 00 65 00 20 00 34 00 36 00 20 00 34 00 63 00 4.e...4.6...4.c. 20 00 34 00 66 00 20 00 34 00 66 00 20 00 34 00 ..4.f...4.f...4. 34 00 20 00 6f 00 73 00 32 00 2e 00 44 00 44 00 4...o.s.2...D.D. 
4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O. 4f 00 44 00 0d 00 0a 00 32 00 34 00 20 00 36 00 O.D.....2.4...6. 34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f... 37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0. 20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4. 66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5... 34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6. 2014-11-21 17:01:39,392 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B68A, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 0d 00 0a 00 32 00 34 00 L.O.O.D.....2.4. 20 00 36 00 34 00 20 00 36 00 34 00 20 00 36 00 ..6.4...6.4...6. 66 00 20 00 37 00 33 00 20 00 33 00 33 00 20 00 f...7.3...3.3... 30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4. 20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5. 35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0... 34 00 36 00 20 00 34 00 63 00 20 00 24 00 64 00 4.6...4.c...$.d. 64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 0d 00 0a 00 S.U.D.P.F.L..... 34 00 66 00 20 00 34 00 66 00 20 00 34 00 34 00 4.f...4.f...4.4. 20 00 32 00 34 00 20 00 36 00 62 00 20 00 36 00 ..2.4...6.b...6. 35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c... 36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7. 20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3. 31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1... 2014-11-21 17:01:39,394 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47BF46, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 0a 00 L.O.O.D.$.d..... 36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3. 
20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4. 34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f... 35 00 33 00 20 00 35 00 35 00 20 00 34 00 34 00 5.3...5.5...4.4. 20 00 35 00 30 00 20 00 34 00 36 00 20 00 34 00 ..5.0...4.6...4. 63 00 20 00 34 00 66 00 20 00 34 00 66 00 20 00 c...4.f...4.f... 64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O. 0d 00 0a 00 34 00 34 00 20 00 32 00 34 00 20 00 ....4.4...2.4... 36 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 6.b...6.5...7.9. 20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6. 37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5... 37 00 32 00 20 00 33 00 31 00 20 00 30 00 30 00 7.2...3.1...0.0. 20 00 34 00 31 00 20 00 36 00 33 00 20 00 37 00 ..4.1...6.3...7. 2014-11-21 17:01:39,395 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47C808, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 24 00 0d 00 0a 00 36 00 L.O.O.D.$.....6. 34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f... 37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0. 20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4. 66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5... 34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6. 20 00 34 00 63 00 20 00 34 00 66 00 20 00 64 00 ..4.c...4.f...d. 64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 0d 00 S.U.D.P.F.L.O... 0a 00 34 00 66 00 20 00 34 00 34 00 20 00 32 00 ..4.f...4.4...2. 34 00 20 00 36 00 62 00 20 00 36 00 35 00 20 00 4...6.b...6.5... 37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f. 20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6. 35 00 20 00 37 00 32 00 20 00 33 00 31 00 20 00 5...7.2...3.1... 
30 00 30 00 20 00 34 00 31 00 20 00 36 00 33 00 0.0...4.1...6.3. 2014-11-21 17:01:39,397 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47E1C2, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 0a 00 L.O.O.D.$.d..... 36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3. 20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4. 34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f... 35 00 33 00 20 00 35 00 35 00 20 00 34 00 34 00 5.3...5.5...4.4. 20 00 35 00 30 00 20 00 34 00 36 00 20 00 34 00 ..5.0...4.6...4. 63 00 20 00 34 00 66 00 20 00 34 00 66 00 20 00 c...4.f...4.f... 64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O. 0d 00 0a 00 34 00 34 00 20 00 32 00 34 00 20 00 ....4.4...2.4... 36 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 6.b...6.5...7.9. 20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6. 37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5... 37 00 32 00 20 00 33 00 31 00 20 00 30 00 30 00 7.2...3.1...0.0. 20 00 34 00 31 00 20 00 36 00 33 00 20 00 37 00 ..4.1...6.3...7. 2014-11-21 17:01:39,398 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47FB82, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 0d 00 0a 00 32 00 34 00 L.O.O.D.....2.4. 20 00 36 00 34 00 20 00 36 00 34 00 20 00 36 00 ..6.4...6.4...6. 66 00 20 00 37 00 33 00 20 00 33 00 33 00 20 00 f...7.3...3.3... 30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4. 20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5. 35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0... 34 00 36 00 20 00 34 00 63 00 20 00 24 00 64 00 4.6...4.c...$.d. 64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O. 
53 00 55 00 44 00 50 00 46 00 4c 00 0d 00 0a 00 S.U.D.P.F.L..... 34 00 66 00 20 00 34 00 66 00 20 00 34 00 34 00 4.f...4.f...4.4. 20 00 32 00 34 00 20 00 36 00 62 00 20 00 36 00 ..2.4...6.b...6. 35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c... 36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7. 20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3. 31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1... 2014-11-21 17:01:39,400 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x48043A, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 6f 00 L.O.O.D.$.d.d.o. 0d 00 0a 00 37 00 33 00 20 00 33 00 33 00 20 00 ....7.3...3.3... 30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4. 20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5. 35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0... 34 00 36 00 20 00 34 00 63 00 20 00 34 00 66 00 4.6...4.c...4.f. 20 00 34 00 66 00 20 00 34 00 34 00 20 00 32 00 ..4.f...4.4...2. 34 00 20 00 73 00 33 00 2e 00 44 00 44 00 4f 00 4...s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O. 44 00 24 00 0d 00 0a 00 36 00 62 00 20 00 36 00 D.$.....6.b...6. 35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c... 36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7. 20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3. 31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1... 36 00 33 00 20 00 37 00 34 00 20 00 36 00 39 00 6.3...7.4...6.9. 2014-11-21 17:01:39,401 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47D14A, Value: 44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F. 4c 00 4f 00 4f 00 44 00 24 00 6b 00 0d 00 0a 00 L.O.O.D.$.k..... 36 00 35 00 20 00 37 00 39 00 20 00 36 00 63 00 6.5...7.9...6.c. 
20 00 36 00 66 00 20 00 36 00 37 00 20 00 36 00 ..6.f...6.7...6. 37 00 20 00 36 00 35 00 20 00 37 00 32 00 20 00 7...6.5...7.2... 33 00 31 00 20 00 30 00 30 00 20 00 34 00 31 00 3.1...0.0...4.1. 20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 37 00 36 00 20 00 36 00 35 00 20 00 9...7.6...6.5... 65 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e.y.l.o.g.g.e.r. 31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e. 0d 00 0a 00 34 00 66 00 20 00 36 00 65 00 20 00 ....4.f...6.e... 36 00 63 00 20 00 36 00 39 00 20 00 36 00 65 00 6.c...6.9...6.e. 20 00 36 00 35 00 20 00 34 00 62 00 20 00 36 00 ..6.5...4.b...6. 35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c... 36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7. 20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2. 2014-11-21 17:01:39,403 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47EB04, Value: 44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F. 4c 00 4f 00 4f 00 44 00 24 00 6b 00 65 00 0d 00 L.O.O.D.$.k.e... 0a 00 37 00 39 00 20 00 36 00 63 00 20 00 36 00 ..7.9...6.c...6. 66 00 20 00 36 00 37 00 20 00 36 00 37 00 20 00 f...6.7...6.7... 36 00 35 00 20 00 37 00 32 00 20 00 33 00 31 00 6.5...7.2...3.1. 20 00 30 00 30 00 20 00 34 00 31 00 20 00 36 00 ..0.0...4.1...6. 33 00 20 00 37 00 34 00 20 00 36 00 39 00 20 00 3...7.4...6.9... 37 00 36 00 20 00 36 00 35 00 20 00 34 00 66 00 7.6...6.5...4.f. 20 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 ..y.l.o.g.g.e.r. 31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e. 4f 00 0d 00 0a 00 36 00 65 00 20 00 36 00 63 00 O.....6.e...6.c. 20 00 36 00 39 00 20 00 36 00 65 00 20 00 36 00 ..6.9...6.e...6. 35 00 20 00 34 00 62 00 20 00 36 00 35 00 20 00 5...4.b...6.5... 37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f. 20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6. 
35 00 20 00 37 00 32 00 20 00 32 00 34 00 20 00 5...7.2...2.4... 2014-11-21 17:01:39,404 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4804C4, Value: 44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F. 4c 00 4f 00 4f 00 44 00 24 00 0d 00 0a 00 36 00 L.O.O.D.$.....6. 62 00 20 00 36 00 35 00 20 00 37 00 39 00 20 00 b...6.5...7.9... 36 00 63 00 20 00 36 00 66 00 20 00 36 00 37 00 6.c...6.f...6.7. 20 00 36 00 37 00 20 00 36 00 35 00 20 00 37 00 ..6.7...6.5...7. 32 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 2...3.1...0.0... 34 00 31 00 20 00 36 00 33 00 20 00 37 00 34 00 4.1...6.3...7.4. 20 00 36 00 39 00 20 00 37 00 36 00 20 00 6b 00 ..6.9...7.6...k. 65 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e.y.l.o.g.g.e.r. 31 00 2e 00 41 00 63 00 74 00 69 00 76 00 0d 00 1...A.c.t.i.v... 0a 00 36 00 35 00 20 00 34 00 66 00 20 00 36 00 ..6.5...4.f...6. 65 00 20 00 36 00 63 00 20 00 36 00 39 00 20 00 e...6.c...6.9... 36 00 65 00 20 00 36 00 35 00 20 00 34 00 62 00 6.e...6.5...4.b. 20 00 36 00 35 00 20 00 37 00 39 00 20 00 36 00 ..6.5...7.9...6. 63 00 20 00 36 00 66 00 20 00 36 00 37 00 20 00 c...6.f...6.7... 36 00 37 00 20 00 36 00 35 00 20 00 37 00 32 00 6.7...6.5...7.2. 2014-11-21 17:01:39,405 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x480D7E, Value: 44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F. 4c 00 4f 00 4f 00 44 00 24 00 6b 00 65 00 79 00 L.O.O.D.$.k.e.y. 0d 00 0a 00 36 00 63 00 20 00 36 00 66 00 20 00 ....6.c...6.f... 36 00 37 00 20 00 36 00 37 00 20 00 36 00 35 00 6.7...6.7...6.5. 20 00 37 00 32 00 20 00 33 00 31 00 20 00 30 00 ..7.2...3.1...0. 30 00 20 00 34 00 31 00 20 00 36 00 33 00 20 00 0...4.1...6.3... 37 00 34 00 20 00 36 00 39 00 20 00 37 00 36 00 7.4...6.9...7.6. 20 00 36 00 35 00 20 00 34 00 66 00 20 00 36 00 ..6.5...4.f...6. 65 00 20 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e...l.o.g.g.e.r. 
31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e. 4f 00 6e 00 0d 00 0a 00 36 00 63 00 20 00 36 00 O.n.....6.c...6. 39 00 20 00 36 00 65 00 20 00 36 00 35 00 20 00 9...6.e...6.5... 34 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 4.b...6.5...7.9. 20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6. 37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5... 37 00 32 00 20 00 32 00 34 00 20 00 36 00 62 00 7.2...2.4...6.b. 2014-11-21 17:01:39,407 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x48579E, Value: 53 00 55 00 42 00 4d 00 52 00 45 00 4d 00 4f 00 S.U.B.M.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 24 00 T.E.S.H.E.L.L.$. 0d 00 0a 00 37 00 33 00 20 00 36 00 38 00 20 00 ....7.3...6.8... 36 00 35 00 20 00 36 00 63 00 20 00 36 00 63 00 6.5...6.c...6.c. 20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4. 62 00 20 00 34 00 39 00 20 00 34 00 63 00 20 00 b...4.9...4.c... 34 00 63 00 20 00 35 00 32 00 20 00 34 00 35 00 4.c...5.2...4.5. 20 00 34 00 64 00 20 00 34 00 66 00 20 00 35 00 ..4.d...4.f...5. 34 00 20 00 73 00 68 00 65 00 6c 00 6c 00 33 00 4...s.h.e.l.l.3. 2e 00 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 ..K.I.L.L.R.E.M. 4f 00 54 00 0d 00 0a 00 34 00 35 00 20 00 35 00 O.T.....4.5...5. 33 00 20 00 34 00 38 00 20 00 34 00 35 00 20 00 3...4.8...4.5... 34 00 63 00 20 00 34 00 63 00 20 00 34 00 34 00 4.c...4.c...4.4. 20 00 36 00 31 00 20 00 37 00 32 00 20 00 36 00 ..6.1...7.2...6. 62 00 20 00 34 00 33 00 20 00 36 00 66 00 20 00 b...4.3...6.f... 36 00 64 00 20 00 36 00 35 00 20 00 37 00 34 00 6.d...6.5...7.4. 2014-11-21 17:01:39,410 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x480B74, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 0d 00 T.E.S.H.E.L.L... 0a 00 34 00 34 00 20 00 36 00 31 00 20 00 37 00 ..4.4...6.1...7. 
32 00 20 00 36 00 62 00 20 00 34 00 33 00 20 00 2...6.b...4.3... 36 00 66 00 20 00 36 00 64 00 20 00 36 00 35 00 6.f...6.d...6.5. 20 00 37 00 34 00 20 00 30 00 30 00 20 00 36 00 ..7.4...0.0...6. 34 00 20 00 36 00 35 00 20 00 37 00 34 00 20 00 4...6.5...7.4... 36 00 35 00 20 00 36 00 33 00 20 00 37 00 34 00 6.5...6.3...7.4. 20 00 44 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 ..D.a.r.k.C.o.m. 65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c. 74 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 t.........2.0.1. 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1... 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2. 2c 00 30 00 34 00 38 00 20 00 2d 00 20 00 64 00 ,.0.4.8...-...d. 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r... 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N. 2014-11-21 17:01:39,411 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4847AA, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D. 0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2... 36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7. 34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4... 36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5. 20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m. 65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c. 74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6. 65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8... 37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2. 30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1... 
35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4. 2014-11-21 17:01:39,413 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x484FE6, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D. 0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2... 36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7. 34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4... 36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5. 20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m. 65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c. 74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6. 65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8... 37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2. 30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1... 35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4. 2014-11-21 17:01:39,414 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4860E2, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D. 0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2... 36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7. 34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4... 36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5. 20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m. 
|
22.11.2014, 14:10 | #9 |
| What to do? Detekt found five! trojans, virus scanners so far without findings. Detekt.log, fourth part Code:
2014-11-21 17:01:39,464 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x491B78, Value: 55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u. 70 00 64 00 32 00 2e 00 55 00 70 00 64 00 0d 00 p.d.2...U.p.d... 0a 00 35 00 34 00 20 00 36 00 39 00 20 00 36 00 ..5.4...6.9...6. 64 00 20 00 36 00 35 00 20 00 37 00 32 00 20 00 d...6.5...7.2... 32 00 34 00 20 00 36 00 63 00 20 00 36 00 66 00 2.4...6.c...6.f. 20 00 36 00 66 00 20 00 36 00 62 00 20 00 36 00 ..6.f...6.b...6. 64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1... 30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7. 20 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 ..T.i.m.e.r.$.l. 6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O. 77 00 0d 00 0a 00 36 00 65 00 20 00 36 00 39 00 w.....6.e...6.9. 20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2. 30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3... 34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2. 20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2. 34 00 20 00 36 00 63 00 20 00 36 00 66 00 20 00 4...6.c...6.f... 2014-11-21 17:01:39,467 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x492436, Value: 55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u. 70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T. 0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d... 36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4. 20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6. 66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d... 36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0. 20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6. 65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l. 6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O. 
77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6. 65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0... 35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9. 20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7. 35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4... 36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f. 2014-11-21 17:01:39,469 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x492C72, Value: 55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u. 70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T. 0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d... 36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4. 20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6. 66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d... 36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0. 20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6. 65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l. 6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O. 77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6. 65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0... 35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9. 20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7. 35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4... 36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f. 2014-11-21 17:01:39,470 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48E992, Value: 55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r. 24 00 6c 00 6f 00 6f 00 0d 00 0a 00 36 00 62 00 $.l.o.o.....6.b. 20 00 36 00 64 00 20 00 36 00 31 00 20 00 33 00 ..6.d...6.1...3. 31 00 20 00 30 00 30 00 20 00 34 00 66 00 20 00 1...0.0...4.f... 
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9. 20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2. 30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3... 34 00 39 00 20 00 32 00 30 00 20 00 6b 00 6d 00 4.9...2.0...k.m. 61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n. 67 00 2e 00 50 00 43 00 49 00 2e 00 0d 00 0a 00 g...P.C.I....... 0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 31 00 ....2.0.1.4.-.1. 31 00 2d 00 32 00 31 00 20 00 31 00 36 00 3a 00 1.-.2.1...1.6.:. 35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 38 00 5.1.:.4.2.,.0.8. 32 00 20 00 2d 00 20 00 64 00 65 00 74 00 65 00 2...-...d.e.t.e. 63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 57 00 c.t.o.r...-...W. 41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 2d 00 A.R.N.I.N.G...-. 2014-11-21 17:01:39,471 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48F1D2, Value: 55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r. 24 00 6c 00 0d 00 0a 00 36 00 66 00 20 00 36 00 $.l.....6.f...6. 66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d... 36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0. 20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6. 65 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 e...6.9...6.e... 36 00 37 00 20 00 32 00 30 00 20 00 35 00 30 00 6.7...2.0...5.0. 20 00 34 00 33 00 20 00 6f 00 6f 00 6b 00 6d 00 ..4.3...o.o.k.m. 61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n. 67 00 2e 00 50 00 43 00 0d 00 0a 00 34 00 39 00 g...P.C.....4.9. 20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7. 35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4... 36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f. 20 00 36 00 62 00 20 00 36 00 64 00 20 00 36 00 ..6.b...6.d...6. 31 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 1...3.2...0.0... 34 00 36 00 20 00 36 00 66 00 20 00 49 00 2e 00 4.6...6.f...I... 
2014-11-21 17:01:39,473 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48FA86, Value: 55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r. 24 00 6c 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 $.l.o.o.k.m.a.1. 0d 00 0a 00 30 00 30 00 20 00 34 00 66 00 20 00 ....0.0...4.f... 37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9. 20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2. 30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3... 34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2. 20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2. 34 00 20 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 4.....O.w.n.i.n. 67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 75 00 g...P.C.I...b.u. 73 00 24 00 0d 00 0a 00 36 00 63 00 20 00 36 00 s.$.....6.c...6. 66 00 20 00 36 00 66 00 20 00 36 00 62 00 20 00 f...6.f...6.b... 36 00 64 00 20 00 36 00 31 00 20 00 33 00 32 00 6.d...6.1...3.2. 20 00 30 00 30 00 20 00 34 00 36 00 20 00 36 00 ..0.0...4.6...6. 66 00 20 00 37 00 32 00 20 00 36 00 64 00 20 00 f...7.2...6.d... 36 00 31 00 20 00 37 00 34 00 20 00 37 00 34 00 6.1...7.4...7.4. 2014-11-21 17:01:39,474 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x4913C4, Value: 55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r. 24 00 6c 00 6f 00 6f 00 6b 00 0d 00 0a 00 36 00 $.l.o.o.k.....6. 64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1... 30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7. 20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6. 65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0... 35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9. 20 00 32 00 30 00 20 00 36 00 32 00 20 00 6d 00 ..2.0...6.2...m. 61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n. 67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 0d 00 g...P.C.I...b... 
0a 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2. 34 00 20 00 36 00 63 00 20 00 36 00 66 00 20 00 4...6.c...6.f... 36 00 66 00 20 00 36 00 62 00 20 00 36 00 64 00 6.f...6.b...6.d. 20 00 36 00 31 00 20 00 33 00 32 00 20 00 30 00 ..6.1...3.2...0. 30 00 20 00 34 00 36 00 20 00 36 00 66 00 20 00 0...4.6...6.f... 37 00 32 00 20 00 36 00 64 00 20 00 36 00 31 00 7.2...6.d...6.1. 2014-11-21 17:01:39,476 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x4935B6, Value: 55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r. 24 00 6c 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 $.l.o.o.k.m.a.1. 0d 00 0a 00 30 00 30 00 20 00 34 00 66 00 20 00 ....0.0...4.f... 37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9. 20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2. 30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3... 34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2. 20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2. 34 00 20 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 4.....O.w.n.i.n. 67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 75 00 g...P.C.I...b.u. 73 00 24 00 0d 00 0a 00 36 00 63 00 20 00 36 00 s.$.....6.c...6. 66 00 20 00 36 00 66 00 20 00 36 00 62 00 20 00 f...6.f...6.b... 36 00 64 00 20 00 36 00 31 00 20 00 33 00 32 00 6.d...6.1...3.2. 20 00 30 00 30 00 20 00 34 00 36 00 20 00 36 00 ..0.0...4.6...6. 66 00 20 00 37 00 32 00 20 00 36 00 64 00 20 00 f...7.2...6.d... 36 00 31 00 20 00 37 00 34 00 20 00 37 00 34 00 6.1...7.4...7.4. 2014-11-21 17:02:15,836 - detector - INFO - Scanning finished 2014-11-21 17:02:15,838 - detector.service - INFO - Trying to stop the winpmem service... 2014-11-21 17:02:15,842 - detector.service - INFO - Trying to delete the winpmem service... 2014-11-21 17:02:15,845 - detector - INFO - Service stopped 2014-11-21 17:02:15,845 - detector - INFO - Analysis finished |
23.11.2014, 08:07 | #10 |
/// the machine /// TB-Ausbilder | Quote:
The computer has nothing at all.
__________________ regards, schrauber Proud Member of UNITE and ASAP since 2009 No help via PM! |
23.11.2014, 13:48 | #11 |
| Many thanks for the quick reply. Kind regards, DerDingens |
24.11.2014, 09:47 | #12 |
/// the machine /// TB-Ausbilder | You're welcome. |