Trojaner-Board

## Log Analysis and Evaluation: Detekt has found five! Trojans, virus scanners without findings so far. What to do?

Windows 7 If you have caught a Trojan or constantly get virus warnings, you can post the logs of our diagnostic tools here for evaluation by our experts. In order to remove viruses and Trojans, the infected system must first be examined: First steps to get help. Note that an infected system is not trustworthy and should not be used until the malware has been completely removed.

21.11.2014, 23:36   #1
derdingens

## Detekt has found five! Trojans, virus scanners without findings so far. What to do?

Hello,
I ran Detekt from the Electronic Frontier Foundation over my system today, and it found five RATs. All RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far.

Detekt advises never going online with this PC again.

Are there alternatives to this? What should I do?

Many thanks,

DerDingens

The logs:
2. detekt.log
3. FRST.txt
4. gmer.log

22.11.2014, 08:46   #2
schrauber
/// the machine
/// TB Instructor

## Detekt has found five! Trojans, virus scanners without findings so far. What to do?

Hi,

Please always post logs in the thread. If necessary, split them up and use several posts.
I can't open attachments at work, thanks.

How it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
• Select the entire log file (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
• Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
• Place the cursor between the CODE tags and press CTRL+V.
• Click Advanced/Preview to check whether you did it correctly. If everything is right ... click Reply.

22.11.2014, 11:41   #3
derdingens

## What to do? Detekt has found five! Trojans, virus scanners without findings so far.

Hello,
I ran Detekt from the Electronic Frontier Foundation over my system today, and it found five RATs. All RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far.

Detekt advises never going online with this PC again.

Are there alternatives to this? What should I do?

Many thanks,

DerDingens

The logs:
2. detekt.log
3. FRST.txt
4. gmer.log

22.11.2014, 12:05   #4
schrauber
/// the machine
/// TB Instructor

## Detekt has found five! Trojans, virus scanners without findings so far. What to do?

Hi,

Please always post logs in the thread. If necessary, split them up and use several posts.
I can't open attachments at work, thanks.

How it works:
Posting in CODE tags
Attaching the log files, or even packing them into a ZIP, RAR or 7Z archive beforehand, makes my work massively harder, unless of course the file would otherwise be too large for the forum. To put the log files into a CODE box, proceed as follows:
• Select the entire log file (usually works with CTRL+A) and copy it to the clipboard with CTRL+C.
• Click the # symbol in the editor. Two bracket expressions [CODE] [/CODE] appear.
• Place the cursor between the CODE tags and press CTRL+V.
• Click Advanced/Preview to check whether you did it correctly. If everything is right ... click Reply.
__________________
Regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help

No help via PM!

22.11.2014, 13:52   #5
derdingens

## What to do? Detekt has found five! Trojans, virus scanners without findings so far.

Hello,
I ran Detekt from the Electronic Frontier Foundation over my system today, and it found five RATs. All RATs are attached to ccc.exe (Catalyst Control Center from ATI). The virus scanners (Avira and Microsoft Security Essentials) have never found anything so far.

Detekt advises never going online with this PC again.

Are there alternatives to this? What should I do?

Many thanks,

DerDingens

Code:
Additional scan result of Farbar Recovery Scan Tool (x86) Version: 20-11-2014
Ran by hcxxx at 2014-11-21 17:30:59
Running from G:\
Boot Mode: Normal
==========================================================

==================== Security Center ========================

(If an entry is included in the fixlist, it will be removed.)

AV: Avira Desktop (Enabled - Up to date) {4D041356-F94D-285F-8768-AAE50FA36859}
AV: Microsoft Security Essentials (Enabled - Up to date) {4F35CFC4-45A3-FC37-EF17-759A02E39AB1}
AS: Microsoft Security Essentials (Enabled - Up to date) {F4542E20-6399-F3B9-D5A7-4EE87964D00C}
AS: Avira Desktop (Enabled - Up to date) {F665F2B2-DF77-27D1-BDD8-9197742422E4}
AS: Windows Defender (Disabled - Up to date) {D68DDC3A-831F-4fae-9E44-DA132C1ACF46}

==================== Installed Programs ======================

(Only the adware programs with "hidden" flag could be added to the fixlist to unhide them. The adware programs should be uninstalled manually.)

AAVUpdateManager (HKLM\...\{AFA42FE1-A5C3-485F-9180-BFCF5BF1F1C3}) (Version: 18.00.0000 - Wolters Kluwer Deutschland GmbH)
AllDup 3.0.0 (HKLM\...\AllDup_is1) (Version: 3.0.0 - Michael Thummerer Software Design)
Amazon Kindle For PC v1.0 (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Amazon Kindle For PC) (Version:  - )
AMD Catalyst Install Manager (HKLM\...\{0BD03BF6-3A66-EC7F-5155-28A8D6C69409}) (Version: 8.0.911.0 - Advanced Micro Devices, Inc.)
Apple Application Support (HKLM\...\{83CAF0DE-8D3B-4C37-A631-2B8F16EC3031}) (Version: 3.1 - Apple Inc.)
Apple Mobile Device Support (HKLM\...\{235EBB33-3DA1-46DF-AADE-9955123409CB}) (Version: 8.0.5.6 - Apple Inc.)
Apple Software Update (HKLM\...\{789A5B64-9DD9-4BA5-915A-F0FC0A1B7BFE}) (Version: 2.1.3.127 - Apple Inc.)
ArcSoft TotalMedia 3 (HKLM\...\{268CF0B8-CA38-4E20-9E99-514A07F7C1F1}) (Version:  - ArcSoft)
ASUSUpdate (HKLM\...\{587178E7-B1DF-494E-9838-FA4DD36E873C}) (Version:  - )
ATI AVIVO Codecs (Version: 10.0.0.40103 - ATI Technologies Inc.) Hidden
Audacity 1.2.6 (HKLM\...\Audacity_is1) (Version:  - )
Avira (HKLM\...\{9480d4af-12b9-4e56-8034-4031ef6ab39d}) (Version: 1.1.25.25607 - Avira Operations GmbH & Co. KG)
Avira (Version: 1.1.25.25607 - Avira Operations GmbH & Co. KG) Hidden
Avira Free Antivirus (HKLM\...\Avira AntiVir Desktop) (Version: 14.0.7.342 - Avira)
AviSynth 2.5 (HKLM\...\AviSynth) (Version:  - )
AVStoDVD 2.1.4 (HKLM\...\AVStoDVD) (Version: 2.1.4 - MrC)
bcTester 4.8 (de) (HKLM\...\{DCA0A35D-30F1-4ED0-971F-5FFD2F60BB08}) (Version: 1.0.0 - QS QualitySoft GmbH)
bcWebCam (HKLM\...\{2C2943D2-61CB-4F91-A3DA-A50FA1E93F54}) (Version: 1.0.0 - QS QualitySoft GmbH)
Belkin 54Mbps Wireless Network Adapter (HKLM\...\{F3759A9F-7AFA-4FB4-8DF1-53F26B979DEE}) (Version: 1.00.01 - Belkin)
Benutzerhandbuch anzeigen (HKLM\...\View User Guide) (Version: 3.60.02.0 - )
Biet-O-Matic v2.12.6 (HKLM\...\Biet-O-Matic v2.12.6) (Version: Biet-O-Matic v2.12.6 - BOM Development Team)
Bing Maps 3D (HKLM\...\{2D87E961-577B-492B-AD54-1368680FB9A7}) (Version: 4.0.903.16005 - Microsoft Corporation)
BlackBerry Link (HKLM\...\BlackBerry_10_Desktop) (Version: 1.2.3.48 - BlackBerry Ltd.)
BlackBerry Link (Version: 1.2.3.48 - BlackBerry Ltd.) Hidden
Bonjour (HKLM\...\{79155F2B-9895-49D7-8612-D92580E0DE5B}) (Version: 3.0.0.10 - Apple Inc.)
BP MANAGER 6.0 (HKLM\...\{360A4222-B9D2-4B7B-B240-F967289F65D9}) (Version: 1.0.0 - Physio logic)
BufferChm (Version: 130.0.331.000 - Hewlett-Packard) Hidden
calibre (HKLM\...\{0C1A656B-4449-49CB-A1B3-6A8C0986B342}) (Version: 0.6.30 - Kovid Goyal)
Cardiris (Version: 3.01.001 - Ihr Firmenname) Hidden
Cardiris 3.0 LE (HKLM\...\InstallShield_{0143D544-04A4-11D8-944E-000475727249}) (Version: 3.01.001 - Ihr Firmenname)
CCleaner (HKLM\...\CCleaner) (Version: 3.02 - Piriform)
CDBurnerXP (HKLM\...\{7E265513-8CDA-4631-B696-F40D983F3B07}_is1) (Version: 4.5.4.4852 - CDBurnerXP)
Chipcard master 5.65 (HKLM\...\Chipcard master_is1) (Version:  - Dr. Olaf Jacobsen)
Chipcardmaster 7.05 (HKLM\...\Chipcardmaster_is1) (Version:  - Dr. Olaf Jacobsen)
Cold Turkey version 0.7 (HKLM\...\{6498E673-B9C2-4544-A722-1E854B5B573E}_is1) (Version: 0.7 - Felix Belzile)
Common Desktop Agent (Version: 1.62.0 - OEM) Hidden
Cool & Quiet (HKLM\...\{1ADE1AA0-7F82-4BB1-B1BD-727DE438057B}) (Version:  - )
CPUID CPU-Z 1.69.2 (HKLM\...\CPUID CPU-Z_is1) (Version:  - )
CutePDF Writer 2.8 (HKLM\...\CutePDF Writer Installation) (Version:  - )
D3DX10 (Version: 15.4.2368.0902 - Microsoft) Hidden
Destinations (Version: 140.0.77.000 - Hewlett-Packard) Hidden
Deutsche Post E-Porto (HKLM\...\{5CCF8330-F742-411A-8A04-719806D168B5}) (Version: 2.3.0 - Deutsche Post AG)
DeviceManagementQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
DHTML Editing Component (HKLM\...\{2EA870FA-585F-4187-903D-CB9FFD21E2E0}) (Version: 6.02.0001 - Microsoft Corporation)
DocProc (Version: 13.0.0.0 - Hewlett-Packard) Hidden
DocProcQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Dropbox (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Dropbox) (Version: 2.10.30 - Dropbox, Inc.)
Drv (HKLM\...\{DA71A94B-3617-4935-8BBE-1566B2174C95}) (Version: 1.00.0000 - My Company Name)
DVDFab 6.2.1.8 (31/12/2009) (HKLM\...\DVDFab 6_is1) (Version:  - Fengtao Software Inc.)
DVR-MS Converter (HKLM\...\DVR-MS Converter) (Version: 2.6.1 - Dvrsoft)
DVRMSToolbox (HKLM\...\{E7ECD072-02DF-4F24-B5C9-7928A2867B14}) (Version: 1.2.1 - babgvant.com)
Easy ShutDown 3.4 (HKLM\...\Easy ShutDown_is1) (Version:  - EasyShutDown.com)
Easy2Sync für Outlook 3.xx (HKLM\...\{EF702322-B623-4B6A-B41D-411725582043}_is1) (Version:  - ITSTH)
eSupportQFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
Felix zweite wundersame Reise (HKLM\...\Felix zweite wundersame Reise) (Version:  - )
Flickroom (HKLM\...\Flickroom.7A385545159204287F941528E627F38AD4ECB7C0.1) (Version: v0.60 - Ashu Mittal)
Flickroom (Version: 0.60 - Ashu Mittal) Hidden
Foxit PDF IFilter (HKLM\...\{74E78471-E122-4101-8744-CEB6C5C027A0}) (Version: 2.0.0.519 - Foxit Software)
Free Countdown Timer 2.7.1 (HKLM\...\{404245D0-E836-4737-9C12-D4D0034540F5}_is1) (Version: 2.7 - Comfort Software Group)
Free FLV Converter V 7.1.0 (HKLM\...\Free FLV Converter_is1) (Version: 7.1.0.0 - Koyote Soft)
Free Stopwatch 2.5.0 (HKLM\...\{A1FAC1AF-5615-47FE-B5C8-5E981EC8522B}_is1) (Version: 2.5 - Comfort Software Group)
FreeMind (HKLM\...\B991B020-2968-11D8-AF23-444553540000_is1) (Version: 0.8.1 - )
FreeOCR 3.0 (HKLM\...\{108A39BF-4ED1-4293-B11A-06BD521FB8F7}) (Version: 3.0 - Free OCR)
GemPC430 (HKLM\...\{DFD0B53C-7948-4091-82C2-3270A39EE2AC}) (Version: 1.0.0 - Gemplus)
GemPcCCID (HKLM\...\{8BD3AFAF-636E-4516-A7E8-D57CCDBE28B8}) (Version: 2.0.1 - Gemalto)
GIMP 2.6.11 (HKLM\...\WinGimp-2.0_is1) (Version: 2.6.11 - The GIMP Team)
GnuWin32: Bzip2-1.0.5 (HKLM\...\Bzip2-1.0.5_is1) (Version: 1.0.5 - GnuWin32)
GnuWin32: Wget-1.11.4-1 (HKLM\...\Wget-1.11.4-1_is1) (Version: 1.11.4-1 - GnuWin32)
GPBaseService2 (Version: 130.0.371.000 - Hewlett-Packard) Hidden
Gpg4win (2.1.1-34299-beta) (HKLM\...\GPG4Win) (Version: 2.1.1-34299-beta - The Gpg4win Project)
GPL Ghostscript (HKLM\...\GPL Ghostscript 9.04) (Version: 9.04 - Artifex Software Inc.)
HP Imaging Device Functions 13.0 (HKLM\...\HP Imaging Device Functions) (Version: 13.0 - HP)
HP Photosmart Essential (HKLM\...\{EB21A812-671B-4D08-B974-2A347F0D8F70}) (Version: 1.12.0.46 - HP)
HP Photosmart Essential 3.5 (HKLM\...\HP Photosmart Essential) (Version: 3.5 - HP)
HP Scanjet G3010 (HKLM\...\{E2A59F15-F731-4062-9BB7-3C99D8F15756}) (Version: 13.0 - HP)
HP Scanjet G3010 and 4370 9.0 (HKLM\...\{696A666D-7CB6-40f6-B394-BD3EEDAA2B99}) (Version: 9.0 - HP)
HP Solution Center 13.0 (HKLM\...\HP Solution Center & Imaging Support Tools) (Version: 13.0 - HP)
HP Update (HKLM\...\{B0069CFA-5BB9-4C03-B1C6-89CE290E5AFE}) (Version: 5.002.006.003 - Hewlett-Packard)
hpg3010 (Version: 13.0.0.0 - Ihr Firmenname) Hidden
hpg3010QFolder (Version: 1.00.0000 - Hewlett-Packard) Hidden
HPPhotosmartEssential (Version: 2.04.0000 - Hewlett-Packard) Hidden
HPProductAssistant (Version: 130.0.371.000 - Hewlett-Packard) Hidden
HydraVision (Version: 4.2.92.0 - ATI Technologies Inc.) Hidden
ImgBurn (HKLM\...\ImgBurn) (Version: 2.5.0.0 - LIGHTNING UK!)
Inkscape 0.47 (HKLM\...\Inkscape) (Version: 0.47 - )
inSSIDer (HKLM\...\{C7DEE429-4C9B-4126-894F-50B4F54FF196}) (Version: 1.2.8 - MetaGeek, LLC)
iPhone-Konfigurationsprogramm (HKLM\...\{B90FCEB7-2B0C-4D27-95B5-54238DF059ED}) (Version: 3.6.2.300 - Apple Inc.)
IPWizard (HKLM\...\{6C71E42B-7D26-4638-8EC4-364E9E881747}) (Version: 2.0.2.0 - A-MTK)
iTunes (HKLM\...\{F32DC846-4457-40A8-BECA-BCC0E960BC53}) (Version: 11.4.0.18 - Apple Inc.)
Juniper Networks Network Connect 7.1.0 (HKLM\...\Juniper Network Connect 7.1.0) (Version: 7.1.0.19243 - Juniper Networks)
Juniper Networks, Inc. Setup Client (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\Juniper_Setup_Client) (Version: 7.1.4.13103 - Juniper Networks, Inc.)
Juniper Networks, Inc. Setup Client Activex Control (HKLM\...\Juniper_Setup_Client Activex Control) (Version: 2.1.1.1 - Juniper Networks, Inc.)
Junk Mail filter update (Version: 15.4.3502.0922 - Microsoft Corporation) Hidden
KeyboardTest V3.0 (HKLM\...\KeyboardTest_is1) (Version:  - PassMark Software)
Kindle Auto eBook Converter 0.4.50 (HKLM\...\Kindle Auto eBook Converter) (Version: 0.4.50 - The Messenger)
LG United Mobile Driver (HKLM\...\{2A3A4BD6-6CE0-4e2a-80D2-1D0FF6ACBFBA}) (Version: 3.10.1.0 - LG Electronics)
Logitech Media Server 7.7.4 (HKLM\...\Logitech Media Server_is1) (Version: 7.7.4 - Logitech)
Luka (HKLM\...\Luka) (Version:  - )
Magical Jelly Bean KeyFinder (HKLM\...\KeyFinder_is1) (Version: 2.0.10.9 - Magical Jelly Bean)
maxdome - Online Videothek Version 3.0.0 (HKLM\...\maxdome - Online Videothek_is1) (Version:  - maxdome)
MB-Ruler (HKLM\...\{7363206E-C7BD-45CD-89A0-792B28409811}_is1) (Version: 5.1 - Markus Bader)
McAfee Security Scan Plus (HKLM\...\McAfee Security Scan) (Version: 3.8.150.1 - McAfee, Inc.)
MD 86097 W-LAN USB Remote Hub (HKLM\...\{C4F43749-7088-40E2-83BE-039E68FE1BBC}) (Version: 1.02.0000 - Medion)
Mesh Runtime (Version: 15.4.5722.2 - Microsoft Corporation) Hidden
Microsoft .NET Compact Framework 3.5 (HKLM\...\{72CCBEA1-8D57-4981-A337-81019F28C5BA}) (Version: 3.5.7283 - Microsoft Corporation)
Microsoft .NET Framework 3.5 Language Pack SP1 - DEU (HKLM\...\Microsoft .NET Framework 3.5 Language Pack SP1 - deu) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 3.5 SP1 (HKLM\...\Microsoft .NET Framework 3.5 SP1) (Version:  - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (Deutsch) (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1031) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft .NET Framework 4.5.1 (HKLM\...\{92FB6C44-E685-45AD-9B20-CADF4CABA132} - 1033) (Version: 4.5.50938 - Microsoft Corporation)
Microsoft Baseline Security Analyzer 2.2 (HKLM\...\{13CD417D-F1F1-4AC4-945D-FDDEB884756F}) (Version: 2.2.2170 - Microsoft Corporation)
Microsoft Flight Simulator X (HKLM\...\InstallShield_{F535B2CF-C9BB-4162-B03A-02D6971F32CC}) (Version: 10.0.60905 - Microsoft Game Studios)
Microsoft IntelliPoint 7.0 (HKLM\...\{EF71A531-5B6C-4B20-8D1E-E6379C7FB6D3}) (Version: 7.0.260.0 - Microsoft)
Microsoft Office 2007 Service Pack 3 (SP3) (HKLM\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{6E107EB7-8B55-48BF-ACCB-199F86A2CD93}) (Version:  - Microsoft)
Microsoft Office File Validation Add-In (HKLM\...\{90140000-2005-0000-0000-0000000FF1CE}) (Version: 14.0.5130.5003 - Microsoft Corporation)
Microsoft Office Live Add-in 1.5 (HKLM\...\{F40BBEC7-C2A4-4A00-9B24-7A055A2C5262}) (Version: 2.0.4024.1 - Microsoft Corporation)
Microsoft Office Outlook Connector (HKLM\...\{95140000-0081-0407-0000-0000000FF1CE}) (Version: 14.0.6123.5001 - Microsoft Corporation)
Microsoft Office Ultimate 2007 (HKLM\...\ULTIMATER) (Version: 12.0.6612.1000 - Microsoft Corporation)
Microsoft OneDrive (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\OneDriveSetup.exe) (Version: 17.3.1229.0918 - Microsoft Corporation)
Microsoft Primary Interoperability Assemblies 2005 (HKLM\...\{D24DB8B9-BB6C-4334-9619-BA1C650E13D3}) (Version: 8.0.50727.42 - Microsoft Corporation)
Microsoft Security Essentials (HKLM\...\Microsoft Security Client) (Version: 4.6.305.0 - Microsoft Corporation)
Microsoft Silverlight (HKLM\...\{89F4137D-6C26-4A84-BDB8-2E5A4BB71E00}) (Version: 5.1.30514.0 - Microsoft Corporation)
Microsoft SQL Server 2005 Compact Edition [ENU] (HKLM\...\{F0B430D1-B6AA-473D-9B06-AA3DD01FD0B8}) (Version: 3.1.0000 - Microsoft Corporation)
Microsoft SQL Server Compact 3.5 SP2 ENU (HKLM\...\{3A9FC03D-C685-4831-94CF-4EDFD3749497}) (Version: 3.5.8080.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Core Components (x86) ENU  (HKLM\...\{FF63121D-91C6-42CC-B341-F1AA729728E7}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Sync Framework 2.0 Provider Services (x86) ENU  (HKLM\...\{D3A80508-CD83-4CA3-8671-914A1BC78B61}) (Version: 2.0.1578.0 - Microsoft Corporation)
Microsoft Visual C++ 2005 ATL Update kb973923 - x86 8.0.50727.4053 (HKLM\...\{770657D0-A123-3C07-8E44-1C83EC895118}) (Version: 8.0.50727.4053 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{052bac4a-6f79-46d4-a024-1ce1b4f73cd4}) (Version: 8.0.58299 - Microsoft Corporation)
Microsoft Visual C++ 2005 Redistributable (HKLM\...\{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}) (Version: 8.0.61001 - Microsoft Corporation)
Microsoft Visual C++ 2008 ATL Update kb973924 - x86 9.0.30729.4148 (HKLM\...\{002D9D5E-29BA-3E6D-9BC4-3D7D6DBC735C}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - KB2467174 - x86 9.0.30729.5570 (HKLM\...\{86CE85E6-DBAC-3FFD-B977-E4B79F83C909}) (Version: 9.0.30729.5570 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729 (HKLM\...\{6AFCA4E1-9B78-3640-8F72-A7BF33448200}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.17 (HKLM\...\{9A25302D-30C0-39D9-BD6F-21E6EC160475}) (Version: 9.0.30729 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.4148 (HKLM\...\{1F1C2DFC-2D24-3E06-BCB8-725134ADF989}) (Version: 9.0.30729.4148 - Microsoft Corporation)
Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161 (HKLM\...\{9BE518E6-ECC6-35A9-88E4-87755C07200F}) (Version: 9.0.30729.6161 - Microsoft Corporation)
Microsoft Visual C++ 2010  x86 Redistributable - 10.0.40219 (HKLM\...\{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}) (Version: 10.0.40219 - Microsoft Corporation)
Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.51106 (HKLM\...\{8e70e4e1-06d7-470b-9f74-a51bef21088e}) (Version: 11.0.51106.1 - Microsoft Corporation)
Mobile Partner (HKLM\...\Mobile Partner) (Version: 11.302.09.01.528 - Huawei Technologies Co.,Ltd)
Mozilla Firefox 33.1 (x86 de) (HKLM\...\Mozilla Firefox 33.1 (x86 de)) (Version: 33.1 - Mozilla)
Mozilla Maintenance Service (HKLM\...\MozillaMaintenanceService) (Version: 32.0 - Mozilla)
Mpeg2Decoder 1.3 (HKLM\...\Mpeg2Decoder_is1) (Version:  - DeskShare)
mpowerplayer (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\mpowerplayer) (Version:  - mpowerplayer inc.)
MSVCRT (Version: 15.4.2862.0708 - Microsoft) Hidden
MSXML 4.0 SP2 (KB954430) (HKLM\...\{86493ADD-824D-4B8E-BD72-8C5DCDC52A71}) (Version: 4.20.9870.0 - Microsoft Corporation)
MSXML 4.0 SP2 (KB973688) (HKLM\...\{F662A8E6-F4DC-41A2-901E-8C11F044BDEC}) (Version: 4.20.9876.0 - Microsoft Corporation)
MSXML 4.0 SP2 Parser and SDK (HKLM\...\{716E0306-8318-4364-8B8F-0CC4E9376BAC}) (Version: 4.20.9818.0 - Microsoft Corporation)
MyFreeCodec (HKU\S-1-5-21-2717335284-3986619703-2298539805-1000\...\MyFreeCodec) (Version:  - )
MyPhoneExplorer (HKLM\...\MPE) (Version: 1.8.6 - F.J. Wechselberger)
NEC Electronics USB 3.0 Host Controller Driver (HKLM\...\InstallShield_{D7BF9739-8A68-4335-BBEE-37752AD9E86B}) (Version: 1.0.18.0 - NEC Electronics Corporation)
NEC Electronics USB 3.0 Host Controller Driver (Version: 1.0.18.0 - NEC Electronics Corporation) Hidden
NEF Codec (HKLM\...\{A89768CF-CD21-44FD-A723-16D5A8557415}) (Version: 1.00.0000 - Nikon)
NETGEAR XAV101 Configuration Utility (Version: 2.0.0.7 - NETGEAR Inc.) Hidden
NETGEAR XAV101-Konfigurationsprogramm (HKLM\...\InstallShield_{BB3194A0-B33D-45DB-B386-94C458292FC6}) (Version: 2.0.0.7 - NETGEAR Inc.)
Nikon Message Center (HKLM\...\{D2FCC1AE-6311-47C5-8130-C6C66D77DD71}) (Version: 0.92.000 - Nikon)
Nikon View 6 (HKLM\...\{AAB84E83-C8DF-4752-9DFC-2E2A48EE5E9F}) (Version:  - )
NirSoft BlueScreenView (HKLM\...\NirSoft BlueScreenView) (Version:  - )
OCR Software by I.R.I.S. 13.0 (HKLM\...\HPOCR) (Version: 13.0 - HP)
Office-Bibliothek (HKLM\...\{5C81B189-5456-40C4-9313-7FE6FA6DD64C}) (Version: 5.00.4 - Bibliographisches Institut & F.A. Brockhaus AG)
OpenOffice.org 3.4.1 (HKLM\...\{2303AEEA-0FA8-4AFD-80A9-8F86BA4B44D2}) (Version: 3.41.9593 - Apache Software Foundation)
OpenSSL 1.0.1e Light (32-bit) (HKLM\...\OpenSSL Light (32-bit)_is1) (Version:  - OpenSSL Win32 Installer Team)
Oracle VM VirtualBox 4.1.8 (HKLM\...\{611E3800-CE31-4953-8AD4-5657B6EE7ACF}) (Version: 4.1.8 - Oracle Corporation)
Outlook Tools (HKLM\...\{A3D5974C-59EC-486C-8654-20339CBDE698}) (Version: 3.15.0001 - Andreas Schultz Software)
Paint.NET v3.5.8 (HKLM\...\{9CF4A37B-A8C4-44D7-8C53-13B9D9594BB2}) (Version: 3.58.0 - dotPDN LLC)
PanoStandAlone (Version: 90.0.146.000 - Hewlett-Packard) Hidden
Parrot Audio Suite (HKLM\...\Parrot Audio Suite) (Version:  - )
Parrot Software Update Tool (HKLM\...\Parrot Flash Update Wizard) (Version:  - )
PC Inspector File Recovery (HKLM\...\{0DD140D3-9563-481E-AA75-BA457CBDAEF2}) (Version: 4.0 - )
PDF Blender (HKLM\...\PDF Blender) (Version:  - )
Pdf Editor (HKLM\...\{729E66B3-1B80-4F3F-8D29-342A89631E0A}_is1) (Version:  - )
PDF24 Creator 6.1.0 (HKLM\...\{81A6F461-0DBA-4F12-B56F-0E977EC10576}_is1) (Version:  - PDF24.org)
PhonerLite 1.95 (HKLM\...\PhonerLite_is1) (Version: 1.95 - sipgate GmbH)
Photo Scanner (HKLM\...\{FD0CE525-C8BA-4DF4-927F-C7F8ED66E35F}) (Version: 2.2.2 - Trundicho)
PHOTOfunSTUDIO 5.0 HD Edition (HKLM\...\{959282E3-55A9-49D8-B885-D27CF8A2FD82}) (Version: 5.00.319 - Panasonic Corporation)
Physio Logic BP Manager (HKLM\...\Physio Logic BP Manager) (Version:  - )
Picasa 3 (HKLM\...\Picasa 3) (Version: 3.9 - Google, Inc.)
Picture Control Utility (HKLM\...\{87441A59-5E64-4096-A170-14EFE67200C3}) (Version: 1.1.5 - Nikon)
Picture2avi uninstaller (HKLM\...\Picture2avi_is1) (Version: 3.3.0.0 - picture2avi.com)
PLANET IP Wizard II 3.0.0.6043 (HKLM\...\{45E990DB-ECDC-4D27-B1C3-21DD124F7DF3}_is1) (Version:  - PLANET Technology Corporation.)
Python 2.6 (HKLM\...\{110EB5C4-E995-4CFB-AB80-A5F315BEA9E8}) (Version: 2.6.150 - Python Software Foundation)
QRCode (HKLM\...\{4D13D187-BA0B-4319-B8FE-7C3613E73278}) (Version: 2.10.0 - TouchUpSoft)
QuickMark (HKLM\...\{53B0213C-CC0C-4340-90BF-BFC7D3FE5BB4}) (Version: 3.8.0 - SimpleAct)
QuickTime 7 (HKLM\...\{3D2CBC2C-65D4-4463-87AB-BB2C859C1F3E}) (Version: 7.76.80.95 - Apple Inc.)
Readiris Pro 11 (HKLM\...\{E9E9734C-2EE2-4381-ACCA-AC9B8D372DCC}) (Version: 11.00.5295 - I.R.I.S.)
RealNetworks - Microsoft Visual C++ 2008 Runtime (Version: 9.0 - RealNetworks, Inc) Hidden
RealNetworks - Microsoft Visual C++ 2010 Runtime (Version: 10.0 - RealNetworks, Inc) Hidden
RealPlayer (HKLM\...\RealPlayer 16.0) (Version: 16.0.3 - RealNetworks)
REALTEK DTV USB DEVICE (HKLM\...\{DDBB7C89-1A09-441E-AA0F-6AA465755C17}) (Version: 1.00.0000 - Realtek)
RealUpgrade 1.1 (Version: 1.1.0 - RealNetworks, Inc.) Hidden
Samsung CLP-300 Series (HKLM\...\Samsung CLP-300 Series) (Version:  - Samsung Electronics CO.,LTD)
Samsung CLP-360 Series (HKLM\...\Samsung CLP-360 Series) (Version: 1.12 (05.12.2013) - Samsung Electronics Co., Ltd.)
Samsung Easy Printer Manager (HKLM\...\Samsung Easy Printer Manager) (Version: 1.03.17.00(12.04.2013) - Samsung Electronics Co., Ltd.)
Samsung Kies (HKLM\...\InstallShield_{758C8301-2696-4855-AF45-534B1200980A}) (Version: 2.0.2.11071_128 - Samsung Electronics Co., Ltd.)
Samsung Kies (Version: 2.0.2.11071_128 - Samsung Electronics Co., Ltd.) Hidden
Samsung Printer Live Update (HKLM\...\Samsung Printer Live Update) (Version: 1.01.00:04(2013-04-22) - Samsung Electronics Co., Ltd.)
SAMSUNG USB Driver for Mobile Phones (HKLM\...\{D0795B21-0CDA-4a92-AB9E-6E92D8111E44}) (Version: 1.5.18.0 - SAMSUNG Electronics Co., Ltd.)
Scan (Version: 140.0.80.000 - Hewlett-Packard) Hidden
ScannerCopy (Version: 9.0.0.0 - Hewlett-Packard) Hidden
SDFormatter (HKLM\...\{A5355F15-F98B-4704-9BAE-E53B9FE48F48}) (Version: 3.1.0 - SD Association)
SecureW2 EAP Suite 1.1.3 for Windows (HKLM\...\SecureW2 EAP Suite) (Version:  - )
Segoe UI (Version: 15.4.2271.0615 - Microsoft Corp) Hidden
SILKYPIX Developer Studio 3.1 SE (HKLM\...\InstallShield_{0A04086B-0B71-43C3-95EF-FDFC4C18D161}) (Version: 3 - Ichikawa Soft Laboratory)
SILKYPIX Developer Studio 3.1 SE (Version: 3 - Ichikawa Soft Laboratory) Hidden
sipgate Faxdrucker (HKLM\...\{3C4AFFF7-968F-4912-BF73-46774C8E4D15}) (Version: 1.0.3 - sipgate GmbH)
SIZCHIP 2.0.0.4 NPAPI (HKLM\...\SIZCHIP-Plugin-Mozilla-20) (Version: 2.0.0.4 - SIZ GmbH)
Skype Click to Call (HKLM\...\{B6CF2967-C81E-40C0-9815-C05774FEF120}) (Version: 5.11.9874 - Skype Technologies S.A.)
SkypeMate (HKLM\...\SkypeMate) (Version:  - SkypeMate)
Skype™ 6.21 (HKLM\...\{24991BA0-F0EE-44AD-9CC8-5EC50AECF6B7}) (Version: 6.21.104 - Skype Technologies S.A.)
SMPlayer 0.6.8 (HKLM\...\SMPlayer) (Version: 0.6.8 - RVM)
Softsqueeze 3.9b2 (HKLM\...\Softsqueeze 3.9b2) (Version:  - Ralph Irving)
SolutionCenter (Version: 130.0.373.000 - Hewlett-Packard) Hidden
SpeedFan (remove only) (HKLM\...\SpeedFan) (Version:  - )
SqueezePlay 7.6.2 (HKLM\...\{09B790E3-21E3-4D1A-8130-AAA9227C9785}_is1) (Version:  - Logitech)
Steuer-Spar-Erklärung 2010 (HKLM\...\{D8E1DFEE-622B-46BA-AEFF-AB7E541C0B21}) (Version: 15.13 - Akademische Arbeitsgemeinschaft Verlag)
Steuer-Spar-Erklärung 2011 (HKLM\...\{9F5FD796-86F0-4360-85F8-D54C0F5411EB}) (Version: 16.16 - Akademische Arbeitsgemeinschaft Verlag)
Steuer-Spar-Erklärung 2012 (HKLM\...\{CCD2BAD2-0919-40CB-80CC-E9538B0E4C2E}) (Version: 17.11 - Wolters Kluwer Deutschland GmbH)
Steuer-Spar-Erklärung 2013 (HKLM\...\{AEB61F7A-4BBA-4292-A096-7893E09034A4}) (Version: 18.09 - Wolters Kluwer Deutschland GmbH)
SteuerSparErklärung 2014 (HKLM\...\{A463EB06-22A6-47F5-9593-E52B291EF13E}) (Version: 19.12.92 - Akademische Arbeitsgemeinschaft)
Streamripper (Remove only) (HKLM\...\Streamripper) (Version:  - )
StreamTransport version: 1.0.2.2171 (HKLM\...\{FA0BBB87-91A1-4BFD-9005-EB058BBA0E14}_is1) (Version:  - )
SupervisionCam (HKLM\...\SupervisionCam) (Version:  - )
Sweet Home 3D version 4.4 (HKLM\...\Sweet Home 3D_is1) (Version:  - eTeks)
swMSM (Version: 12.0.0.1 - Adobe Systems, Inc) Hidden
SyncToy 2.1 (x86) (HKLM\...\{A066194B-DC8F-449A-8E0F-B57BDD3A2072}) (Version: 2.1.0 - Microsoft)
TCPMP (HKLM\...\TCPMP) (Version:  - )
TeamViewer 9 (HKLM\...\TeamViewer 9) (Version: 9.0.32494 - TeamViewer)
The Lord of the Rings FREE Trial  (Version: 1.00.0000 - ATI Technologies Inc.) Hidden
TM PowerPoint Timer (HKLM\...\TM PowerPoint Timer_is1) (Version:  - tushar-mehta.com)
Total Commander (Remove or Repair) (HKLM\...\Totalcmd) (Version: 7.50a - Ghisler Software GmbH)
TrayStatus 1.2.3 (HKLM\...\d6b74f60-2e9d-4c60-a8b7-b7d737c44ad4_is1) (Version: 1.2.3.0 - Binary Fortress Software)
TuneUp Companion 2.2.3 (HKLM\...\TuneUpMedia) (Version: 2.2.3 - TuneUp Media, Inc.)
Turbo Lister 2 (HKLM\...\{8927E07C-97F7-4A54-88FB-D976F50DD46E}) (Version: 2.00.0000 - eBay Inc.)
TweetDeck (HKLM\...\{FA6381E9-96D2-4F6F-866C-4D16E5986FF6}) (Version: 2.7.1 - Twitter, Inc.)
Ultimate Extras sounds from Microsoft® Tinker™ (HKLM\...\UltSounds2) (Version:  - Microsoft Corporation)
Uninstall 1.0.0.1 (HKLM\...\Uninstall_is1) (Version:  - )
Update for 2007 Microsoft Office System (KB967642) (HKLM\...\{91120000-002E-0000-0000-0000000FF1CE}_ULTIMATER_{C444285D-5E4F-48A4-91DD-47AAAA68E92D}) (Version:  - Microsoft)
Update für Microsoft Office Excel 2007 Help (KB963678) (HKLM\...\{90120000-0016-0407-0000-0000000FF1CE}_ULTIMATER_{BEC163EC-7A83-48A1-BFB6-3BF47CC2F8CF}) (Version:  - Microsoft)
Update für Microsoft Office Outlook 2007 Help (KB963677) (HKLM\...\{90120000-001A-0407-0000-0000000FF1CE}_ULTIMATER_{F6828576-6F79-470D-AB50-69D1BBADBD30}) (Version:  - Microsoft)
Update für Microsoft Office Powerpoint 2007 Help (KB963669) (HKLM\...\{90120000-0018-0407-0000-0000000FF1CE}_ULTIMATER_{EA160DA3-E9B5-4D03-A518-21D306665B96}) (Version:  - Microsoft)
Update für Microsoft Office Word 2007 Help (KB963665) (HKLM\...\{90120000-001B-0407-0000-0000000FF1CE}_ULTIMATER_{38472199-D7B6-4833-A949-10E4EE6365A1}) (Version:  - Microsoft)
Utilities and SDK for UNIX-based Applications (HKLM\...\{DB88A98A-792B-4441-8E60-05A6D3E2B2C0}) (Version: 10.0.6030.0 - Microsoft Corporation)
VLC media player (HKLM\...\VLC media player) (Version: 2.1.5 - VideoLAN)
VLC Streamer 1.21 (HKLM\...\VLC Streamer_is1) (Version:  - )
Voxware Audio decoder 1.6 (HKLM\...\voxware_is1) (Version: 1.6.0 - )
WebReg (Version: 130.0.132.017 - Hewlett-Packard) Hidden
WebSite-Watcher 2011 (11.0) (HKLM\...\aigneswebsitewatcher_is1) (Version: 2011 (11.0) - www.aignes.com)
Windows Live Essentials (HKLM\...\WinLiveSuite) (Version: 15.4.3555.0308 - Microsoft Corporation)
Windows Live Mesh ActiveX control for remote connections (HKLM\...\{C5398A89-516C-4DAF-BA07-EE7949090E56}) (Version: 15.4.5722.2 - Microsoft Corporation)
Windows Live Sync (HKLM\...\{586509F0-350D-48B5-B763-9CC2F8D96C4C}) (Version: 14.0.8117.416 - Microsoft Corporation)
Windows Mobile-Gerätecenter (HKLM\...\{904CCF62-818D-4675-BC76-D37EB399F917}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows Mobile-Gerätecenter: Treiberupdate (HKLM\...\{E7044E25-3038-4A76-9064-344AC038043E}) (Version: 6.1.6965.0 - Microsoft Corporation)
Windows-Soundschemas (HKLM\...\UltSounds) (Version:  - Microsoft Corporation)
WinHTTrack Website Copier 3.43-9C (HKLM\...\WinHTTrack Website Copier_is1) (Version: 3.43.9 - HTTrack)
WinSCP 4.3.4 (HKLM\...\winscp3_is1) (Version: 4.3.4 - Martin Prikryl)
Xaldon WebSpider2 (HKLM\...\WebSpider2) (Version:  - )
XMedia Recode Version 3.1.2.5 (HKLM\...\{DDA3C325-47B2-4730-9672-BF3771C08799}_is1) (Version: 3.1.2.5 - XMedia Recode)
Xvid 1.2.2 final uninstall (HKLM\...\Xvid_is1) (Version: 1.2 - Xvid team (Koepi))
XviD4PSP 5.0 (HKLM\...\XviD4PSP5) (Version: 5.037 - Winnydows)
ZDFmediathek Version 2.1.6 (HKLM\...\ZDFmediathek_is1) (Version:  - ZDF)

==================== Custom CLSID (selected items): ==========================

(If an entry is included in the fixlist, it will be removed from registry. Any eventual file will not be moved.)

CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{005A3A96-BAC4-4B0A-94EA-C0CE100EA736}\localserver32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\Dropbox.exe (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{035FBE31-3755-450A-A775-5E6BBD43D344}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.135\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{039B2CA5-3B41-4D93-AD77-47D3293FC5CB}\InprocServer32 -> C:\ProgramData\EasyBits GO\ezGameXN.dll (EasyBits Media)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{095A2EEC-F7FE-42E8-96FB-C20E53081908}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.99\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{0F22A205-CFB0-4679-8499-A6F44A80A208}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.25.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{218D2740-5A50-42A8-AB9F-62FF1B168782}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.69\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{320F0FDB-BE0A-4648-9D18-4A2C3448C007}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.79\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{355EC88A-02E2-4547-9DEE-F87426484BD1}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.23.9\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{42481700-CF3C-4D05-8EC6-F9A1C57E8DC0}\InprocServer32 -> C:\ProgramData\EasyBits GO\ezGameXN.dll (EasyBits Media)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{62A0D750-DED9-448C-B693-406B34BB0892}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.145\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{634059C0-D264-4B2C-AE80-F73E48D33E5B}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.123\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{693566bc-21f8-401e-8d42-e2c5ce50dacc}\localserver32 -> C:\Users\hcxxx\AppData\Local\Temp\{d5641912-e47a-429c-879e-cfe13eac7a13}\IDriver.NonElevated.exe (Macrovision Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{6D7374DE-63AA-473C-8C02-60D9CDCD84C5}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.153\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{7B37E4E2-C62F-4914-9620-8FB5062718CC}\localserver32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{90B3DFBF-AF6A-4EA0-8899-F332194690F8}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.24.15\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A0396A93-DC06-4AEF-BEE9-95FFCCAEF20E}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A45426FB-E444-42B2-AA56-419F8FBEEC61}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.22.3\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{A54D478D-4F70-4F72-9A74-17C9986E35AB}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.165\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{AB807329-7324-431B-8B36-DBD581F56E0B}\localserver32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\SkyDrive.exe (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{BBACC218-34EA-4666-9D7A-C78F2274A524}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{C5A2122B-A05B-4FD8-AE49-91990AE10998}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.115\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{CB3D0F55-BC2C-4C1A-85ED-23ED75B5106B}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{D0D38C6E-BF64-4C42-840D-3E0019D9F7A6}\InprocServer32 -> C:\Program Files\Skype\Plugin Manager\ezPMUtils.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{DB25D157-76D4-41C1-97B5-359E4A4CECEB}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.65\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{EB06378B-ABB6-4B3C-9B40-D488DD8A6E93}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.22.5\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{F241C880-6982-4CE5-8CF7-7085BA96DA5A}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\SkyDriveShell.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{F8071786-1FD0-4A66-81A1-3CBE29274458}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\FileSyncApi.dll (Microsoft Corporation)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314ED9-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDA-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDB-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDC-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDD-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDE-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EDF-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB314EE0-A251-47B7-93E1-CDD82E34AF8B}\InprocServer32 -> C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\DropboxExt.24.dll (Dropbox, Inc.)
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FB994D36-B312-46CE-A40B-CF63980641F9}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.21.111\psuser.dll No File
CustomCLSID: HKU\S-1-5-21-2717335284-3986619703-2298539805-1000_Classes\CLSID\{FE498BAB-CB4C-4F88-AC3F-3641AAAF5E9E}\InprocServer32 -> C:\Users\hcxxx\AppData\Local\Google\Update\1.3.24.7\psuser.dll No File

==================== Restore Points  =========================

01-11-2014 13:10:21 Geplanter Prüfpunkt
02-11-2014 09:52:09 Geplanter Prüfpunkt
03-11-2014 13:36:30 Windows Update
04-11-2014 13:31:34 Geplanter Prüfpunkt
06-11-2014 14:59:48 Geplanter Prüfpunkt
06-11-2014 21:11:13 Windows Update
07-11-2014 14:02:55 Geplanter Prüfpunkt
08-11-2014 17:04:24 Geplanter Prüfpunkt
09-11-2014 12:08:52 Geplanter Prüfpunkt
10-11-2014 07:37:19 Windows Update
12-11-2014 08:35:13 Geplanter Prüfpunkt
12-11-2014 13:35:46 Windows Update
16-11-2014 10:49:12 Windows Update
18-11-2014 14:43:27 Geplanter Prüfpunkt
19-11-2014 08:54:16 Windows Update
21-11-2014 13:32:51 Geplanter Prüfpunkt

==================== Hosts content: ==========================

(If needed Hosts: directive could be included in the fixlist to reset Hosts.)

2006-11-02 11:23 - 2006-09-18 22:41 - 00000761 ____N C:\Windows\system32\Drivers\etc\hosts
127.0.0.1       localhost
::1             localhost

(If an entry is included in the fixlist, it will be removed from registry. Any associated file could be listed separately to be moved.)

Task: {02DCC829-85C6-4BAA-9E9C-043C5CBC851E} - System32\Tasks\Apple\AppleSoftwareUpdate => C:\Program Files\Apple Software Update\SoftwareUpdate.exe [2011-06-01] (Apple Inc.)
Task: {9FDC235A-FA74-45A5-BD1C-8C0EA7EB13C5} - System32\Tasks\Hibernate Computer Daily At 22 Hour(s) and 45 Minute(s) => C:\Program Files\Easy ShutDown\EasyShutDown.exe [2011-03-26] ()

(If an entry is included in the fixlist, the task (.job) file will be moved. The file which is running by the task will not be moved.)

Task: C:\Windows\Tasks\Hibernate Computer Daily At 22 Hour(s) and 45 Minute(s).job => C:\Program Files\Easy ShutDown\EasyShutDown.exe

2009-11-04 13:24 - 2007-07-12 22:33 - 00087552 _____ () C:\Windows\System32\cpwmon2k.dll
2014-08-29 10:53 - 2013-05-15 07:32 - 00024064 _____ () C:\Windows\System32\sst6clm.dll
2014-08-29 10:53 - 2012-01-09 14:31 - 00024064 _____ () C:\Windows\System32\sst6ylm.dll
2009-05-18 13:55 - 2007-03-14 13:33 - 00022723 _____ () C:\Windows\System32\sugg1l3.dll
2008-10-24 15:35 - 2008-10-24 15:35 - 00128296 _____ () C:\Program Files\Akademische Arbeitsgemeinschaft\AAVUpdateManager\aavus.exe
2014-01-20 13:17 - 2014-01-20 13:17 - 00073544 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\zlib1.dll
2014-10-11 13:05 - 2014-10-11 13:05 - 01044776 _____ () C:\Program Files\Common Files\Apple\Apple Application Support\libxml2.dll
2012-05-02 16:08 - 2012-05-02 16:08 - 00221696 _____ () C:\Program Files\GNU\GnuPG\dirmngr.exe
2012-05-02 16:06 - 2012-05-02 16:06 - 00209408 _____ () C:\Program Files\GNU\GnuPG\libksba-8.dll
2012-05-02 16:03 - 2012-05-02 16:03 - 00047616 _____ () C:\Program Files\GNU\GnuPG\libgpg-error-0.dll
2012-05-02 16:02 - 2012-05-02 16:02 - 00039936 _____ () C:\Program Files\GNU\GnuPG\libw32pth-0.dll
2012-05-02 16:06 - 2012-05-02 16:06 - 00075264 _____ () C:\Program Files\GNU\GnuPG\libassuan-0.dll
2012-05-02 16:06 - 2012-05-02 16:06 - 00641536 _____ () C:\Program Files\GNU\GnuPG\libgcrypt-11.dll
2011-03-03 19:27 - 2011-03-03 19:27 - 00009728 _____ () C:\Program Files\DVRMSToolbox\DTBFWService.exe
2009-06-24 08:28 - 2005-01-14 14:32 - 00053248 _____ () C:\Windows\System32\PAStiSvc.exe
2014-08-29 10:52 - 2013-05-15 07:32 - 01015296 _____ () C:\Windows\system32\spool\DRIVERS\W32X86\3\sst6cdu.dll
2010-04-07 02:22 - 2013-04-30 03:46 - 00037376 _____ () C:\Windows\system32\atitmpxx.dll
2014-11-21 08:37 - 2014-11-21 15:52 - 00158720 _____ () C:\Users\hcxxx\AppData\Local\Temp\sfareca00001.dll
2009-05-21 20:18 - 2014-11-21 15:52 - 00192512 _____ () C:\Users\hcxxx\AppData\Local\Temp\sfamcc00001.dll
2014-09-25 11:16 - 2014-09-25 11:16 - 00081056 _____ () C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.DLL
2012-05-02 16:07 - 2012-05-02 16:07 - 00624640 _____ () C:\Program Files\GNU\GnuPG\gpgex.dll
2013-04-12 09:25 - 2013-04-12 09:25 - 00699952 _____ () C:\Windows\Samsung\PanelMgr\SSMMgr.exe
2006-09-19 09:07 - 2006-09-19 09:07 - 00827392 _____ () C:\Windows\vsnpstd3.exe
2012-03-09 08:58 - 2012-03-09 08:58 - 00350072 _____ () C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe
2012-03-09 08:58 - 2012-03-09 08:58 - 00056696 _____ () C:\Program Files\Common Files\Common Desktop Agent\CDASrvPS.dll
2012-05-30 23:17 - 2011-03-26 20:22 - 00164864 _____ () C:\Program Files\Easy ShutDown\EasyShutDown.exe
2014-09-25 11:16 - 2014-09-25 11:16 - 00081056 _____ () C:\Users\hcxxx\AppData\Local\Microsoft\SkyDrive\17.3.1229.0918\LoggingPlatform.dll
2014-10-16 09:41 - 2014-10-16 09:41 - 00184320 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.Commonc65c5a95#\086a6d7a1b67ee702557defcde5f85b5\Kies.Common.DeviceServiceLib.Interface.ni.dll
2014-10-16 11:30 - 2014-10-16 11:30 - 17553920 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.Theme\b863b058df2bc3ba024231c9ff597138\Kies.Theme.ni.dll
2014-10-16 09:41 - 2014-10-16 09:41 - 01792000 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.UI\b07928f0c453603bea895b4ce2ee168d\Kies.UI.ni.dll
2014-10-16 09:41 - 2014-10-16 09:41 - 00081920 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\Kies.MVVM\f1de49400c4567d381ba7e17b1b9c52a\Kies.MVVM.ni.dll
2014-10-16 09:42 - 2014-10-16 09:42 - 00236032 _____ () C:\Windows\assembly\NativeImages_v4.0.30319_32\ASF_cSharpAPI\6815ff93472d008087880a6462931188\ASF_cSharpAPI.ni.dll
2012-12-20 10:12 - 2012-12-20 10:12 - 00582144 _____ () C:\Program Files\SkypeMate\SkypeMate.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00028774 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00032878 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00028779 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00020601 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\4461f48e31bde5c56b31b973b773de09\List.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00118918 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00082048 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00020576 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00036964 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\f233f63b6654362865c7577442edb9e3\Win32.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00082033 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024676 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00061540 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\e56c61f7248672819579325af3387035\POSIX.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00094334 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\eb138ef0e4282611dbf485a302784646\LibYAML.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00053340 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00184414 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\bd5179a413bc0c4b82eedc22c6cab101\re.dll
2014-11-21 15:49 - 2014-11-21 15:49 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-1840\93e7e3d6030f426844228042348210cf\Service.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00043008 _____ () c:\users\hcxxx\appdata\local\temp\dropbox_sqlite_ext.{5f3e3153-5bce-5766-8f84-3e3e7ecf0d81}.tmp7gj1zp.dll
2013-08-23 20:01 - 2013-08-23 20:01 - 25100288 _____ () C:\Users\hcxxx\AppData\Roaming\Dropbox\bin\libcef.dll
2013-06-18 14:49 - 2013-06-18 14:49 - 00016384 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Branding\Branding.dll
2013-04-29 22:08 - 2013-04-29 22:08 - 00369152 _____ () C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.Aspect.CrossDisplay.Graphics.Dashboard.dll
2014-01-10 10:27 - 2014-01-10 10:27 - 00663056 _____ () C:\Program Files\Common Files\Research In Motion\nginx\nginx.exe
2014-11-21 15:50 - 2014-11-21 15:50 - 00020576 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\31638f63e39b38d3e250a9a57cb9d1c5\Cwd.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00036964 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\f233f63b6654362865c7577442edb9e3\Win32.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024676 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\32785c19dc6898fbbbf06f3b776edd08\Fcntl.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00061540 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e56c61f7248672819579325af3387035\POSIX.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\5ffd05b2cbd58528e56519784ca9c869\Hostname.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00082033 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\df1ba73f49c38cbbc7a11c779c3506d2\OLE.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00118918 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\eaeabd54205de2f10c00aea80bbf0d83\Registry.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00082048 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3a7ccbf8181ee5a145227a6dfce3594c\WinError.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00028779 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\60ff464e01c2cd5526dbdad5a125081d\Dumper.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020601 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\4461f48e31bde5c56b31b973b773de09\List.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024681 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c199d3c1960e7aeeecb599487952bed2\HiRes.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00090213 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\961b0d62fa52b1dd29c795a822fbf1cf\DBI.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c5cce8d16a1bd48692b421dcf46d3396\Util.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00077824 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7f177c338672436e01c4f0bdbcf94491\EV.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00138752 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\44727051c604ef6b79894b64d4c63832\Expat.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00041080 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\2b1fc61b36a6711ea149b18bf3b41500\Parser.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00030720 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\dacfd0ab9b5fd029ed8d29e4482b0775\XS.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020590 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\fa9e3c814aa32db2ad5f17bdfbc22746\attributes.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024694 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c344fd5536724b2af2e6453833b60203\SHA1.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00094334 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\eb138ef0e4282611dbf485a302784646\LibYAML.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00053340 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\de446fdd1ae335c7d2b9e62bb8cdf765\B.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00184414 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\bd5179a413bc0c4b82eedc22c6cab101\re.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020592 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\b979ace6da01e63d651cce9ee2474fdc\Name.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00028774 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d1e7c33431cd8713f2ce3582829a8b14\Socket.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00182272 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d0bf009923f29116535c26d228271d6d\Scan.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024672 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\17d0b152e63e6bfe81b4b19588538896\mro.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020596 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3b7106dd14676048b10bbb09a990f74c\XS.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00032878 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7ef0d901bf4203fbcf7a0fff0e82aa5f\Encode.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024695 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\cf5fe81e2f5dcbfecfd0495e1648c991\Unicode.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024670 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\3a8764e0d7c5d453e01d9ad08cf7fb58\IO.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00361472 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\aff7ee779ea184f884ed432c30a58f5d\Scale.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024701 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d10c2c06ba2044cccc247c4315f5c7d3\Process.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00061546 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\4f2c03383aab0133b8dc0a3fa2dd92fa\Storable.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00110705 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\7f2598c08178217a0e2c754f3d568f28\Byte.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00024679 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c19d5e3dc664d9f4ce700001e2621cee\MD5.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00608256 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e2e81dd6b3e5a36f0bdae076393cc11d\SQLite.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00001024 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\e2e81dd6b3e5a36f0bdae076393cc11d\icudt46.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020596 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\d1c77e404b5c4b954fa537ed63c8fb7b\File.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00030208 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\0665c25e931c1ac0151b062449e91028\XSAccessor.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00020587 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\c668a322917d32a5ea22894518aa9897\Base64.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 04547584 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\38a10ee333cf1a9afec3f0acdf1bbebc\Scan.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00017920 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\8fedeb86a4a984edfc1fb255d4ea965c\XS.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00061547 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\bc147d83c7c868eeee67082dcf55430c\File.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00032881 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\b6bd87c968599725b8ab2e5c25d3046a\API.dll
2014-11-21 15:51 - 2014-11-21 15:51 - 00098415 ____R () C:\Users\hcxxx\AppData\Local\Temp\pdk-hcxxx-7464\19febd96672ffdb7ea244cef36aaa062\Zlib.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00098816 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32api.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00110080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pywintypes27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00364544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pythoncom27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00045568 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_socket.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01160704 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_ssl.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00320512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32com.shell.shell.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00713216 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_hashlib.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01175040 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._core_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00805888 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._gdi_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00811008 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._windows_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01062400 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._controls_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00735232 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._misc_.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00128512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_elementtree.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00127488 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pyexpat.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00557056 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\pysqlite2._sqlite.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00087552 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_ctypes.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00119808 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32file.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00108544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32security.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00007168 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\hashobjs_ext.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00167936 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32gui.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00018432 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32event.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00038912 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32inet.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00011264 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32crypt.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00070656 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._html2.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00027136 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\_multiprocessing.pyd
2014-11-21 15:49 - 2014-11-21 15:49 - 00035840 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32process.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00686080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\unicodedata.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00122368 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._wizard.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00024064 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32pipe.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00025600 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32pdh.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00525640 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\windows._lib_cacheinvalidation.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00010240 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\select.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00017408 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32profile.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00022528 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\win32ts.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00078336 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI33362\wx._animate.pyd
2014-11-21 13:10 - 2014-11-21 13:10 - 27810236 _____ () C:\Users\hcxxx\Documents\Temp\detekt.exe
2014-11-21 15:50 - 2014-11-21 15:50 - 01689088 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtCore.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00077824 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\sip.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00324608 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PIL._imaging.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00715264 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_hashlib.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00098816 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32api.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00110080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pywintypes27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00364544 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pythoncom27.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 05940224 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtGui.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00325120 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtWebKit.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00502784 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\PyQt4.QtNetwork.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00046080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_socket.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 01160704 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_ssl.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00686080 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\unicodedata.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00087552 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_ctypes.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00152576 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\yara.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00096256 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\distorm3.dll
2014-11-21 15:50 - 2014-11-21 15:50 - 00320512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32com.shell.shell.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00042496 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32service.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00010240 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\select.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00119808 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\win32file.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00128512 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\_elementtree.pyd
2014-11-21 15:50 - 2014-11-21 15:50 - 00127488 _____ () C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\pyexpat.pyd
2014-07-23 00:29 - 2014-07-23 00:29 - 00113171 _____ () C:\Program Files\VideoLAN\VLC\libvlc.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 02396691 _____ () C:\Program Files\VideoLAN\VLC\libvlccore.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00268307 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdshow_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00027667 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libdirectsound_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00031251 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_output\libwaveout_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 11148307 _____ () C:\Program Files\VideoLAN\VLC\plugins\gui\libqt4_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01248787 _____ () C:\Program Files\VideoLAN\VLC\plugins\misc\libxml_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00066579 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirectdraw_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 02043411 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\liblibbluray_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00100371 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_bd_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00244243 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libdvdnav_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00076307 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_vdr_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00045587 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libfilesystem_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00060947 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libsmooth_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00531475 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libhttplive_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00708627 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\libdash_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00114195 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libzip_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00040467 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libstream_filter_rar_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\stream_filter\librecord_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00133139 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libplaylist_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01512467 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libtaglib_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00296979 _____ () C:\Program Files\VideoLAN\VLC\plugins\lua\liblua_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00054291 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libhotkeys_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00038419 _____ () C:\Program Files\VideoLAN\VLC\plugins\control\libglobalhotkeys_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00189971 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmp4_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00091667 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libavi_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00067603 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libasf_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00077331 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libflacsys_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libes_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00074259 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmpc_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00016403 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libtta_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00023059 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libnuv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021523 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libwav_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00929299 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00118803 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libsap_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00144403 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libogg_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01194003 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmkv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libdirac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00707603 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\liblive555_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libsmf_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libpva_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libxa_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libaiff_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libvoc_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015891 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libau_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00417811 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libgme_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\librawvid_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00023059 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libimage_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libnsv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00525331 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libmod_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00127507 _____ () C:\Program Files\VideoLAN\VLC\plugins\demux\libts_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00036371 _____ () C:\Program Files\VideoLAN\VLC\plugins\meta_engine\libfolder_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00116755 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_http_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00072211 _____ () C:\Program Files\VideoLAN\VLC\plugins\access\libaccess_mms_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00383507 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libupnp_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021011 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libpodcast_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libmediadirs_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\services_discovery\libwindrive_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00292371 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libpng_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017939 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libcdg_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01280019 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libschroedinger_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018451 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libdts_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00336403 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libtheora_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00344595 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libfaad_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00198675 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libflac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00027155 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libg711_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015891 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaes3_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01393171 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblibass_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00146451 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspeex_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00022035 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liblpcm_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00733203 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libvorbis_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libmpeg_audio_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00026131 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libaraw_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00171027 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libopus_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019475 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\liba52_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libspudec_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 10447379 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libavcodec_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00016403 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\librawvideo_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021523 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_flac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00030739 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_dirac_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00021011 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mlp_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00063507 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4audio_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00036883 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_vc1_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libsvcdsub_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpeg4video_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00024595 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_mpegvideo_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\codec\libcvdsub_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00064531 _____ () C:\Program Files\VideoLAN\VLC\plugins\packetizer\libpacketizer_h264_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00013843 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\libfloat_mixer_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libscaletempo_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00130579 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libmpgatofixed32_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00168979 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdtstofloat32_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00058899 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\liba52tofloat32_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 01496083 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsamplerate_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019475 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libsimple_channel_mixer_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00013331 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\liba52tospdif_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdtstospdif_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014867 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libdolby_surround_decoder_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00014355 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libugly_resampler_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libtrivial_channel_mixer_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00025619 _____ () C:\Program Files\VideoLAN\VLC\plugins\audio_filter\libaudio_format_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00746515 _____ () C:\Program Files\VideoLAN\VLC\plugins\text_renderer\libfreetype_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00026643 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi420_yuy2_sse2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi420_yuy2_mmx_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00587283 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libswscale_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00113683 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi420_rgb_sse2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00027667 _____ () C:\Program Files\VideoLAN\VLC\plugins\sse2\libi422_yuy2_sse2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00019987 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi422_yuy2_mmx_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00053779 _____ () C:\Program Files\VideoLAN\VLC\plugins\mmx\libi420_rgb_mmx_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00016915 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i422_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libgrey_yuv_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00032275 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00018963 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_yuy2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00020499 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libyuy2_i420_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00017427 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_yuy2_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi422_i420_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00015379 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libscale_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00013843 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_filter\libyuvp_plugin.dll
2014-07-23 00:29 - 2014-07-23 00:29 - 00068115 _____ () C:\Program Files\VideoLAN\VLC\plugins\video_output\libdirect3d_plugin.dll

==================== Alternate Data Streams (whitelisted) =========

(If an entry is included in the fixlist, only the Alternate Data Streams will be removed.)

AlternateDataStreams: C:\ProgramData\TEMP:BC359956
AlternateDataStreams: C:\Users\hcxxx\Documents\bye.bat:SummaryInformation
AlternateDataStreams: C:\Users\hcxxx\Documents\bye.bat:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
AlternateDataStreams: C:\Users\hcxxx\Documents\forwarded message.eml:OECustomProperty

==================== Safe Mode (whitelisted) ===================

(If an item is included in the fixlist, it will be removed from the registry. The "AlternateShell" will be restored.)

==================== EXE Association (whitelisted) =============

(If an entry is included in the fixlist, the default will be restored. None default entries will be removed.)

==================== MSCONFIG/TASK MANAGER disabled items =========

(Currently there is no automatic fix for this section.)

========================= Accounts: ==========================

Gast (S-1-5-21-2717335284-3986619703-2298539805-501 - Limited - Enabled)
hcxxx (S-1-5-21-2717335284-3986619703-2298539805-1000 - Administrator - Enabled) => C:\Users\hcxxx

==================== Faulty Device Manager Devices =============

Class Guid: {4d36e972-e325-11ce-bfc1-08002be10318}
Manufacturer: Oracle Corporation
Problem: : This device is disabled. (Code 22)
Resolution: In Device Manager, click "Action", and then click "Enable Device". This starts the Enable Device wizard. Follow the instructions.

==================== Event log errors: =========================

Application errors:
==================
Error: (11/21/2014 03:51:47 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: WmiApRplC:\Windows\system32\wbem\wmiaprpl.dll4

Error: (11/21/2014 03:51:40 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"1".
Die abhängige Assemblierung "rpshellextension.1.0,language="*",type="win32",version="1.0.0.0"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (11/21/2014 03:51:19 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

Error: (11/21/2014 03:50:56 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: PNRPsvcC:\Windows\system32\pnrpperf.dll4

Error: (11/21/2014 03:50:51 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: MSDTCC:\Windows\system32\msdtcuiu.DLL4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: LsaC:\Windows\system32\Secur32.dll4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: ESENTC:\Windows\system32\esentprf.dll4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1010) (User: )
Description: EmdCacheC:\Windows\system32\emdmgmt.dll4

Error: (11/21/2014 03:50:50 PM) (Source: Perflib) (EventID: 1008) (User: )
Description: BITSC:\Windows\system32\bitsperf.dll4

Error: (11/21/2014 02:05:04 PM) (Source: SideBySide) (EventID: 33) (User: )
Description: Fehler beim Generieren des Aktivierungskontextes für "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"1".
Die abhängige Assemblierung "Microsoft.VC90.DebugCRT,processorArchitecture="x86",publicKeyToken="1fc8b3b9a1e18e3b",type="win32",version="9.0.21022.8"" konnte nicht gefunden werden.
Verwenden Sie für eine detaillierte Diagnose das Programm "sxstrace.exe".

System errors:
=============
Error: (11/21/2014 03:59:33 PM) (Source: Microsoft Antimalware) (EventID: 2001) (User: )
Description: Beim Aktualisieren der Signaturen wurde von %NT-AUTORITÄT60 ein Fehler festgestellt.

Neue Signaturversion:

Vorherige Signaturversion: 1.189.318.0

Aktualisierungsquelle: %NT-AUTORITÄT59

Aktualisierungsphase: 4.6.0305.00

Signaturtyp: %NT-AUTORITÄT602

Aktualisierungstyp: %NT-AUTORITÄT604

Benutzer: NT-AUTORITÄT\SYSTEM

Aktuelle Modulversion: %NT-AUTORITÄT605

Vorherige Modulversion: %NT-AUTORITÄT606

Fehlercode: %NT-AUTORITÄT607

Fehlerbeschreibung: %NT-AUTORITÄT608

Error: (11/21/2014 03:46:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: ShowAnalyzerMaster%%3

Error: (11/21/2014 03:46:56 PM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: DgiVecp%%20

Error: (11/21/2014 03:45:48 PM) (Source: Print) (EventID: 19) (User: NT-AUTORITÄT)
Description: Der Druckspooler konnte den Drucker Samsung CLP-360 Series nicht unter dem Namen Samsung CLP-360 Series freigeben. Fehler: 2114. Der Drucker kann nicht von anderen Benutzern im Netzwerk verwendet werden.

Error: (11/21/2014 08:36:42 AM) (Source: Service Control Manager) (EventID: 7022) (User: )
Description: Windows Update

Error: (11/21/2014 08:35:01 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {F4396DC6-E851-4D3A-8D01-34E6949F3500}

Error: (11/21/2014 08:35:00 AM) (Source: DCOM) (EventID: 10010) (User: )
Description: {7F6316B4-4D69-4765-B0A3-B2598F2FA80A}

Error: (11/21/2014 08:32:12 AM) (Source: iaStorV) (EventID: 9) (User: )
Description: Das Gerät \Device\Ide\iaStor0 hat innerhalb der Fehlerwartezeit nicht geantwortet.

Error: (11/21/2014 08:32:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: ShowAnalyzerMaster%%3

Error: (11/21/2014 08:32:10 AM) (Source: Service Control Manager) (EventID: 7000) (User: )
Description: DgiVecp%%20

Microsoft Office Sessions:
=========================
Error: (10/11/2014 10:45:46 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6691.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 999 seconds with 120 seconds of active time.  This session ended with a crash.

Error: (09/17/2014 10:36:33 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 19211 seconds with 60 seconds of active time.  This session ended with a crash.

Error: (01/24/2014 01:16:35 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 71199 seconds with 1920 seconds of active time.  This session ended with a crash.

Error: (12/13/2013 02:29:02 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 15578 seconds with 720 seconds of active time.  This session ended with a crash.

Error: (11/01/2013 00:21:14 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6683.5002, Microsoft Office Version: 12.0.6612.1000. This session lasted 5949 seconds with 240 seconds of active time.  This session ended with a crash.

Error: (09/26/2013 08:29:10 AM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 276 seconds with 60 seconds of active time.  This session ended with a crash.

Error: (09/11/2013 09:33:49 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 0, Application Name: Microsoft Office Word, Application Version: 12.0.6668.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 115581 seconds with 1200 seconds of active time.  This session ended with a crash.

Error: (09/02/2013 06:00:09 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 6, Application Name: Microsoft Office Outlook, Application Version: 12.0.6680.5000, Microsoft Office Version: 12.0.6612.1000. This session lasted 100923 seconds with 4500 seconds of active time.  This session ended with a crash.

Error: (07/25/2013 03:50:05 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 190060 seconds with 1320 seconds of active time.  This session ended with a crash.

Error: (02/24/2013 02:48:46 PM) (Source: Microsoft Office 12 Sessions) (EventID: 7001) (User: )
Description: ID: 1, Application Name: Microsoft Office Excel, Application Version: 12.0.6665.5003, Microsoft Office Version: 12.0.6612.1000. This session lasted 185782 seconds with 480 seconds of active time.  This session ended with a crash.

CodeIntegrity Errors:
===================================
Date: 2013-10-14 12:16:56.618
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:16:56.356
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:16:56.064
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:16:55.773
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:15:36.664
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:15:36.404
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:15:36.138
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:15:35.886
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:15:35.312
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

Date: 2013-10-14 12:15:35.069
Description: Die Abbildintegrität der Datei "\Device\HarddiskVolume1\Program Files\Microsoft Security Client\Drivers\Backup\NisDrv\NisDrvWFP.sys" konnte nicht überprüft werden, da der Satz seitenbezogener Abbildhashes auf dem System nicht gefunden wurde.

==================== Memory info ===========================

Processor: Intel(R) Core(TM) i7 CPU 920 @ 2.67GHz
Percentage of memory in use: 69%
Total physical RAM: 3062.17 MB
Available physical RAM: 922.32 MB
Total Pagefile: 6339.3 MB
Available Pagefile: 3512.04 MB
Total Virtual: 2047.88 MB
Available Virtual: 1891.88 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:931.52 GB) (Free:220.94 GB) NTFS ==>[Drive with boot components (obtained from BCD)]
Drive e: (System-reserviert) (Fixed) (Total:0.1 GB) (Free:0.07 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: () (Fixed) (Total:465.66 GB) (Free:41.02 GB) NTFS
Drive g: (SD) (Removable) (Total:29.84 GB) (Free:29.84 GB) FAT32
Drive h: (HDDRIVE2GO) (Fixed) (Total:931.28 GB) (Free:27.77 GB) FAT32

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (MBR Code: Windows 7 or Vista) (Size: 931.5 GB) (Disk ID: 11E8DE91)
Partition 1: (Active) - (Size=931.5 GB) - (Type=07 NTFS)

========================================================
Disk: 1 (MBR Code: Windows 7 or 8) (Size: 465.8 GB) (Disk ID: DEDD9B10)
Partition 1: (Active) - (Size=100 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=465.7 GB) - (Type=07 NTFS)

========================================================
Disk: 2 (Size: 931.5 GB) (Disk ID: C2AC2C31)
Partition 1: (Not Active) - (Size=931.5 GB) - (Type=0C)

========================================================
Disk: 3 (Size: 29.9 GB) (Disk ID: 00000000)

Partition: GPT Partition Type.

==================== End Of Log ============================


22.11.2014, 14:02   #6
derdingens

## What to do? Detekt found five! trojans, virus scanners have found nothing so far. Detekt.Log

Part 1 / 3 Detekt.log

Code:
2014-11-21 13:19:20,345 - detector - INFO - Starting with process ID 12268
2014-11-21 13:19:20,348 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 13:19:20,349 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI132202\drivers\winpmem32.sys
2014-11-21 13:19:20,349 - detector.service - INFO - Launching service destroyer...
2014-11-21 13:19:20,351 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-21 13:19:20,351 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 13:19:20,351 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 13:19:20,351 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-21 13:19:21,035 - detector.service - INFO - Trying to start the winpmem service...
2014-11-21 13:19:21,223 - detector - INFO - Service started
2014-11-21 13:19:21,223 - detector - INFO - Selected Yara signature file at C:\Users\hcxxx\AppData\Local\Temp\_MEI132202\rules\signatures.yar
2014-11-21 13:19:21,223 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-21 13:19:25,924 - detector - INFO - Profile: <volatility.plugins.overlays.windows.vista.VistaSP2x86 object at 0x08818350>, DTB: 0x122000
2014-11-21 13:19:25,926 - detector - INFO - Starting yara scanner...
2014-11-21 14:05:21,569 - detector - INFO - Starting with process ID 14976
2014-11-21 14:05:21,575 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 14:05:21,575 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI152562\drivers\winpmem32.sys
2014-11-21 14:05:21,575 - detector.service - INFO - Launching service destroyer...
2014-11-21 14:05:21,575 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 14:05:21,609 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 14:05:21,698 - detector - CRITICAL - Unable to start winpmem service: Unable to create service: (1072, 'CreateService', 'Der angegebene Dienst wurde zum L\xf6schen markiert.')
2014-11-21 15:51:53,463 - detector - INFO - Starting with process ID 7020
2014-11-21 15:51:53,467 - detector - INFO - Selected Profile Name: VistaSP2x86
2014-11-21 15:51:53,467 - detector - INFO - Selected Driver: C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\drivers\winpmem32.sys
2014-11-21 15:51:53,467 - detector.service - INFO - Launching service destroyer...
2014-11-21 15:51:53,467 - detector.service - DEBUG - Unable to OpenService: (1060, 'OpenService', 'Der angegebene Dienst ist kein installierter Dienst.')
2014-11-21 15:51:53,469 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 15:51:53,469 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 15:51:53,469 - detector.service - DEBUG - Unable to delete the service: (6, 'DeleteService', 'Das Handle ist ung\xfcltig.')
2014-11-21 15:51:53,499 - detector.service - INFO - Trying to start the winpmem service...
2014-11-21 15:51:53,572 - detector - INFO - Service started
2014-11-21 15:51:53,572 - detector - INFO - Selected Yara signature file at C:\Users\hcxxx\AppData\Local\Temp\_MEI81562\rules\signatures.yar
2014-11-21 15:51:53,572 - detector - INFO - Obtaining address space and generating config for volatility
2014-11-21 15:51:55,232 - detector - INFO - Profile: <volatility.plugins.overlays.windows.vista.VistaSP2x86 object at 0x089782D0>, DTB: 0x122000
2014-11-21 15:51:55,233 - detector - INFO - Starting yara scanner...
2014-11-21 16:51:41,969 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE46B, Value:

6d 6f 64 41 50 49 24 6d 6f 64 32 00 6d 6f 64 41 modAPI$mod2.modA 75 64 69 6f 24 6d 6f 64 33 00 6d 6f 64 42 74 4b udio$mod3.modBtK
69 6c 6c 65 72 24 6d 6f 64 34 00 6d 6f 64 43 72 iller$mod4.modCr 79 70 74 24 6d 6f 64 35 00 6d 6f 64 46 75 63 74 ypt$mod5.modFuct
69 6f 6e 73 24 6d 6f 64 36 00 6d 6f 64 48 69 6a ions$mod6.modHij 61 63 6b 24 6d 6f 64 37 00 6d 6f 64 49 43 61 6c ack$mod7.modICal
6c 42 61 63 6b 24 6d 6f 64 38 00 6d 6f 64 49 49 lBack$mod8.modII 6e 65 74 24 6d 6f 64 39 00 6d 6f 64 49 6e 66 65 net$mod9.modInfe
63 74 24 6d 6f 64 31 30 00 6d 6f 64 49 6e 6a 50 ct$mod10.modInjP 45 24 6d 6f 64 31 31 00 6d 6f 64 4c 61 75 6e 63 E$mod11.modLaunc
68 57 65 62 24 6d 6f 64 31 32 00 6d 6f 64 4f 53 hWeb$mod12.modOS 24 6d 6f 64 31 33 00 6d 6f 64 50 57 73 24 6d 6f$mod13.modPWs$mo 64 31 34 00 6d 6f 64 52 65 67 69 73 74 72 79 24 d14.modRegistry$
6d 6f 64 31 35 00 6d 6f 64 53 63 72 65 65 6e 63 mod15.modScreenc
61 70 24 6d 6f 64 31 36 00 6d 6f 64 53 6e 69 66 ap$mod16.modSnif 66 24 6d 6f 64 31 37 00 6d 6f 64 53 6f 63 6b 65 f$mod17.modSocke

2014-11-21 16:51:41,970 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE477, Value:

6d 6f 64 41 75 64 69 6f 24 6d 6f 64 33 00 6d 6f modAudio$mod3.mo 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 00 6d dBtKiller$mod4.m
6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f 64 odCrypt$mod5.mod 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d 6f Fuctions$mod6.mo
64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f 64 dHijack$mod7.mod 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 6d ICallBack$mod8.m
6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f 64 odIInet$mod9.mod 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f 64 Infect$mod10.mod
49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 4c InjPE$mod11.modL 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 6d aunchWeb$mod12.m
6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 57 odOS$mod13.modPW 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 73 s$mod14.modRegis
74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 72 try$mod15.modScr 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f 64 eencap$mod16.mod
53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 53 Sniff$mod17.modS 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 31 ocketMaster$mod1

2014-11-21 16:51:41,971 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE485, Value:

6d 6f 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 modBtKiller$mod4
00 6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d .modCrypt$mod5.m
6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 odFuctions$mod6.
6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m
6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8
00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m
6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m
6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo
64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12
00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod
50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg
69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS
63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m
6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo
64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo
64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo

2014-11-21 16:51:41,973 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE496, Value:

6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f modCrypt$mod5.mo
64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d dFuctions$mod6.m
6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d 6f odHijack$mod7.mo
64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 00 dICallBack$mod8.
6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo
64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo
64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod
4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m

2014-11-21 16:51:41,974 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4A4, Value:

6d 6f 64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 modFuctions$mod6
00 6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 .modHijack$mod7.
6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod
38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.
6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod

2014-11-21 16:51:41,976 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4B5, Value:

6d 6f 64 48 69 6a 61 63 6b 24 6d 6f 64 37 00 6d modHijack$mod7.m
6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 38 odICallBack$mod8
00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d .modIInet$mod9.m
6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d odInfect$mod10.m
6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f odInjPE$mod11.mo
64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 dLaunchWeb$mod12
00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 .modOS$mod13.mod
50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 PWs$mod14.modReg
69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 istry$mod15.modS
63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d creencap$mod16.m
6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f odSniff$mod17.mo
64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f dSocketMaster$mo
64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f d18.modSpread$mo
64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 d19.modSqueezer$
6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 mod20.modSS$mod2
31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 1.modTorrentSeed

2014-11-21 16:51:41,977 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4C4, Value:

6d 6f 64 49 43 61 6c 6c 42 61 63 6b 24 6d 6f 64 modICallBack$mod
38 00 6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 8.modIInet$mod9.
6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms

2014-11-21 16:51:41,980 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4D6, Value:

6d 6f 64 49 49 6e 65 74 24 6d 6f 64 39 00 6d 6f modIInet$mod9.mo
64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 6d 6f dInfect$mod10.mo
64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d 6f 64 dInjPE$mod11.mod
4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 32 00 LaunchWeb$mod12.
6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21
00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$
74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t
6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr

2014-11-21 16:51:41,980 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4E4, Value:

6d 6f 64 49 6e 66 65 63 74 24 6d 6f 64 31 30 00 modInfect$mod10.
6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm

2014-11-21 16:51:41,982 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE4F4, Value:

6d 6f 64 49 6e 6a 50 45 24 6d 6f 64 31 31 00 6d modInjPE$mod11.m
6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 31 odLaunchWeb$mod1
32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 2.modOS$mod13.mo
64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 dPWs$mod14.modRe
67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 gistry$mod15.mod
53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 Screencap$mod16.
6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5

2014-11-21 16:51:41,983 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE503, Value:

6d 6f 64 4c 61 75 6e 63 68 57 65 62 24 6d 6f 64 modLaunchWeb$mod
31 32 00 6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 12.modOS$mod13.m
6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 odPWs$mod14.modR
65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d 6f egistry$mod15.mo
64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 36 dScreencap$mod16
00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 .modSniff$mod17.
6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$
6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$
6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze
72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo
64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe
65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm
73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$
74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t
6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr
35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.

2014-11-21 16:51:41,984 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE516, Value:

6d 6f 64 4f 53 24 6d 6f 64 31 33 00 6d 6f 64 50 modOS$mod13.modP
57 73 24 6d 6f 64 31 34 00 6d 6f 64 52 65 67 69 Ws$mod14.modRegi
73 74 72 79 24 6d 6f 64 31 35 00 6d 6f 64 53 63 stry$mod15.modSc
72 65 65 6e 63 61 70 24 6d 6f 64 31 36 00 6d 6f reencap$mod16.mo
64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d 6f 64 dSniff$mod17.mod
53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d 6f 64 SocketMaster$mod
31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 18.modSpread$mod
31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 19.modSqueezer$m
6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 od20.modSS$mod21
00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 .modTorrentSeed$
74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 tmr1.tmrAlarms$t
6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 mr2.tmrAlive$tmr
33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 3.tmrAnslut$tmr4
00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 .tmrAudio$tmr5.t
6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 mrBlink$tmr6.tmr
43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f Check$tmr7.tmrCo

2014-11-21 16:51:41,986 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE522, Value:

6d 6f 64 50 57 73 24 6d 6f 64 31 34 00 6d 6f 64 modPWs$mod14.mod
52 65 67 69 73 74 72 79 24 6d 6f 64 31 35 00 6d Registry$mod15.m
6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 31 odScreencap$mod1
36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 6.modSniff$mod17
00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 .modSocketMaster
24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 $mod18.modSpread
24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a $mod19.modSqueez
65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d er$mod20.modSS$m
6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 od21.modTorrentS
65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 eed$tmr1.tmrAlar
6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 ms$tmr2.tmrAlive
24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 $tmr3.tmrAnslut$
74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d tmr4.tmrAudio$tm
72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 r5.tmrBlink$tmr6
00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 .tmrCheck$tmr7.t
6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 mrCountdown$tmr8

2014-11-21 16:51:41,987 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE52F, Value:

6d 6f 64 52 65 67 69 73 74 72 79 24 6d 6f 64 31 modRegistry$mod1
35 00 6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 5.modScreencap$m
6f 64 31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f od16.modSniff$mo
64 31 37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 d17.modSocketMas
74 65 72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 ter$mod18.modSpr
65 61 64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 ead$mod19.modSqu
65 65 7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 eezer$mod20.modS
53 24 6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 S$mod21.modTorre
6e 74 53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 ntSeed$tmr1.tmrA
6c 61 72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c larms$tmr2.tmrAl
69 76 65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c ive$tmr3.tmrAnsl
75 74 24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f ut$tmr4.tmrAudio
24 74 6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 $tmr5.tmrBlink$t
6d 72 36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 mr6.tmrCheck$tmr
37 00 74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 7.tmrCountdown$t
6d 72 38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 mr8.tmrCrazy$tmr

2014-11-21 16:51:41,989 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE541, Value:

6d 6f 64 53 63 72 65 65 6e 63 61 70 24 6d 6f 64 modScreencap$mod
31 36 00 6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 16.modSniff$mod1
37 00 6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 7.modSocketMaste
72 24 6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 r$mod18.modSprea
64 24 6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 d$mod19.modSquee
7a 65 72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 zer$mod20.modSS$
6d 6f 64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 mod21.modTorrent
53 65 65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 Seed$tmr1.tmrAla
72 6d 73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 rms$tmr2.tmrAliv
65 24 74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 e$tmr3.tmrAnslut
24 74 6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 $tmr4.tmrAudio$t
6d 72 35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 mr5.tmrBlink$tmr
36 00 74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 6.tmrCheck$tmr7.
74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr
38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9.
74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr

2014-11-21 16:51:41,990 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE554, Value:

6d 6f 64 53 6e 69 66 66 24 6d 6f 64 31 37 00 6d modSniff$mod17.m
6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 6d odSocketMaster$m
6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 6d od18.modSpread$m
6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 72 od19.modSqueezer
24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f 64 $mod20.modSS$mod
32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 21.modTorrentSee
64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 d$tmr1.tmrAlarms
24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 74 $tmr2.tmrAlive$t
6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 6d mr3.tmrAnslut$tm
72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 35 r4.tmrAudio$tmr5
00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 .tmrBlink$tmr6.t
6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 mrCheck$tmr7.tmr
43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 Countdown$tmr8.t
6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 mrCrazy$tmr9.tmr
44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 DOS$tmr10.tmrDoW
6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 ork$tmr11.tmrFoc

2014-11-21 16:51:41,992 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE563, Value:

6d 6f 64 53 6f 63 6b 65 74 4d 61 73 74 65 72 24 modSocketMaster$
6d 6f 64 31 38 00 6d 6f 64 53 70 72 65 61 64 24 mod18.modSpread$
6d 6f 64 31 39 00 6d 6f 64 53 71 75 65 65 7a 65 mod19.modSqueeze
72 24 6d 6f 64 32 30 00 6d 6f 64 53 53 24 6d 6f r$mod20.modSS$mo
64 32 31 00 6d 6f 64 54 6f 72 72 65 6e 74 53 65 d21.modTorrentSe
65 64 24 74 6d 72 31 00 74 6d 72 41 6c 61 72 6d ed$tmr1.tmrAlarm
73 24 74 6d 72 32 00 74 6d 72 41 6c 69 76 65 24 s$tmr2.tmrAlive$
74 6d 72 33 00 74 6d 72 41 6e 73 6c 75 74 24 74 tmr3.tmrAnslut$t
6d 72 34 00 74 6d 72 41 75 64 69 6f 24 74 6d 72 mr4.tmrAudio$tmr
35 00 74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 5.tmrBlink$tmr6.
74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm
72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8.
74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm
72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo
57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo
63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra

2014-11-21 16:51:41,993 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE579, Value:

6d 6f 64 53 70 72 65 61 64 24 6d 6f 64 31 39 00 modSpread$mod19.
6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2
30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo
64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr
31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2
00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t
6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm
72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB
6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe
63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount
64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra
7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t
6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t
6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm
72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t
6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi

2014-11-21 16:51:41,994 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE589, Value:

6d 6f 64 53 71 75 65 65 7a 65 72 24 6d 6f 64 32 modSqueezer$mod2
30 00 6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 0.modSS$mod21.mo
64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 dTorrentSeed$tmr
31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 1.tmrAlarms$tmr2
00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 .tmrAlive$tmr3.t
6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d mrAnslut$tmr4.tm
72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 rAudio$tmr5.tmrB
6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 link$tmr6.tmrChe
63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 ck$tmr7.tmrCount
64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 down$tmr8.tmrCra
7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 zy$tmr9.tmrDOS$t
6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 mr10.tmrDoWork$t
6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d mr11.tmrFocus$tm
72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 r12.tmrGrabber$t
6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 mr13.tmrInaktivi
74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 tet$tmr14.tmrInf

2014-11-21 16:51:41,996 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE59B, Value:

6d 6f 64 53 53 24 6d 6f 64 32 31 00 6d 6f 64 54 modSS$mod21.modT
6f 72 72 65 6e 74 53 65 65 64 24 74 6d 72 31 00 orrentSeed$tmr1.
74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t
6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr
41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA
75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli
6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck
24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo
77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy
24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr
31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr
31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1
32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr
31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite
74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT
4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter

2014-11-21 16:51:41,997 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5A7, Value:

6d 6f 64 54 6f 72 72 65 6e 74 53 65 65 64 24 74 modTorrentSeed$t
6d 72 31 00 74 6d 72 41 6c 61 72 6d 73 24 74 6d mr1.tmrAlarms$tm
72 32 00 74 6d 72 41 6c 69 76 65 24 74 6d 72 33 r2.tmrAlive$tmr3
00 74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 .tmrAnslut$tmr4.
74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm
72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC
68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou
6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC
72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS
24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork
24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$
74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber
24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti
76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI
6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI
6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm

2014-11-21 16:51:41,999 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5BB, Value:

74 6d 72 41 6c 61 72 6d 73 24 74 6d 72 32 00 74 tmrAlarms$tmr2.t
6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d 72 mrAlive$tmr3.tmr
41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 41 Anslut$tmr4.tmrA
75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c 69 udio$tmr5.tmrBli
6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 6b nk$tmr6.tmrCheck
24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 6f $tmr7.tmrCountdo
77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a 79 wn$tmr8.tmrCrazy
24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d 72 $tmr9.tmrDOS$tmr
31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 10.tmrDoWork$tmr
31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 31 11.tmrFocus$tmr1
32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 2.tmrGrabber$tmr
31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 13.tmrInaktivite
74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 t$tmr14.tmrInfoT
4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 O$tmr15.tmrInter
76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 valUpdate$tmr16.
74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm

2014-11-21 16:51:42,000 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5CA, Value:

74 6d 72 41 6c 69 76 65 24 74 6d 72 33 00 74 6d tmrAlive$tmr3.tm
72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 6d 72 rAnslut$tmr4.tmr
41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 42 6c Audio$tmr5.tmrBl
69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 65 63 ink$tmr6.tmrChec
6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e 74 64 k$tmr7.tmrCountd
6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 61 7a own$tmr8.tmrCraz
79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 74 6d y$tmr9.tmrDOS$tm
72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 74 6d r10.tmrDoWork$tm
72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 6d 72 r11.tmrFocus$tmr
31 32 00 74 6d 72 47 72 61 62 62 65 72 24 74 6d 12.tmrGrabber$tm
72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 69 74 r13.tmrInaktivit
65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e 66 6f et$tmr14.tmrInfo
54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e 74 65 TO$tmr15.tmrInte
72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 31 36 rvalUpdate$tmr16
00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 .tmrLiveLogger$t
6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 mr17.tmrPersista

2014-11-21 16:51:42,003 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5D8, Value:

74 6d 72 41 6e 73 6c 75 74 24 74 6d 72 34 00 74 tmrAnslut$tmr4.t
6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d 72 mrAudio$tmr5.tmr
42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 68 Blink$tmr6.tmrCh
65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 6e eck$tmr7.tmrCoun
74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 72 tdown$tmr8.tmrCr
61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 24 azy$tmr9.tmrDOS$
74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b 24 tmr10.tmrDoWork$
74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 74 tmr11.tmrFocus$t
6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 24 mr12.tmrGrabber$
74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 76 tmr13.tmrInaktiv
69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 6e itet$tmr14.tmrIn
66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 6e foTO$tmr15.tmrIn
74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d 72 tervalUpdate$tmr
31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 16.tmrLiveLogger
24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 73 $tmr17.tmrPersis
74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 63 tant$tmr18.tmrSc

2014-11-21 16:51:42,003 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5E7, Value:

74 6d 72 41 75 64 69 6f 24 74 6d 72 35 00 74 6d tmrAudio$tmr5.tm
72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d 72 43 rBlink$tmr6.tmrC
68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 6f 75 heck$tmr7.tmrCou
6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d 72 43 ntdown$tmr8.tmrC
72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 4f 53 razy$tmr9.tmrDOS
24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f 72 6b $tmr10.tmrDoWork
24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 73 24 $tmr11.tmrFocus$
74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 65 72 tmr12.tmrGrabber
24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b 74 69 $tmr13.tmrInakti
76 69 74 65 74 24 74 6d 72 31 34 00 74 6d 72 49 vitet$tmr14.tmrI
6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d 72 49 nfoTO$tmr15.tmrI
6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 74 6d ntervalUpdate$tm
72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 67 65 r16.tmrLiveLogge
72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 73 69 r$tmr17.tmrPersi
73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d 72 53 stant$tmr18.tmrS
63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 39 00 creenshot$tmr19.

2014-11-21 16:51:42,006 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE5F5, Value:

74 6d 72 42 6c 69 6e 6b 24 74 6d 72 36 00 74 6d tmrBlink$tmr6.tm
72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d 72 43 rCheck$tmr7.tmrC
6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 74 6d ountdown$tmr8.tm
72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d 72 44 rCrazy$tmr9.tmrD
4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f 57 6f OS$tmr10.tmrDoWo
72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f 63 75 rk$tmr11.tmrFocu
73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 62 62 s$tmr12.tmrGrabb
65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e 61 6b er$tmr13.tmrInak
74 69 76 69 74 65 74 24 74 6d 72 31 34 00 74 6d tivitet$tmr14.tm
72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 74 6d rInfoTO$tmr15.tm
72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 65 24 rIntervalUpdate$
74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c 6f 67 tmr16.tmrLiveLog
67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 65 72 ger$tmr17.tmrPer
73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 74 6d sistant$tmr18.tm
72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d 72 31 rScreenshot$tmr1
39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 9.tmrSpara$tmr20

2014-11-21 16:51:42,006 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE603, Value:

74 6d 72 43 68 65 63 6b 24 74 6d 72 37 00 74 6d tmrCheck$tmr7.tm
72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 38 00 rCountdown$tmr8.
74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm
72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo
57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo
63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra
62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn
61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14.
74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL
6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2

2014-11-21 16:51:42,009 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE611, Value:

74 6d 72 43 6f 75 6e 74 64 6f 77 6e 24 74 6d 72 tmrCountdown$tmr
38 00 74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 8.tmrCrazy$tmr9.
74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr
44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr
46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG
72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr
49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1
34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1
35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd
61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv
65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm
72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1
38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$
74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t
6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm
72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22

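The run above logs one WARNING per matched window: the addresses inside CCC.exe are only a dozen to two dozen bytes apart and every dumped window overlaps the previous one. The script below, added here as an example and not part of Detekt or of the original post, parses that entry format, lays the dumped windows back over each other at their addresses, and prints one line per process and rule with the address span, the strides between matches and the NUL-separated names recovered from the stitched bytes. The only assumption is the entry shape visible in the paste (the "Process ... matched: ... at address: ..., Value:" header and 16-byte hexdump rows); the embedded sample log is constructed from the first three entries shown above, cut to two rows each.

```python
"""Collapse Detekt memory-match log entries into one region per process and rule.

Added example for this thread, not Detekt code and not part of the original post.
It assumes only the entry format visible in the log above (header line followed
by hexdump rows of up to 16 bytes plus a 16-character printable column).
"""
from __future__ import annotations
import re
from collections import defaultdict
from dataclasses import dataclass
from itertools import takewhile

HEADER_RE = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3} - detector - WARNING - "
    r"Process (?P<proc>\S+) \(pid: (?P<pid>\d+)\) matched: (?P<rule>\S+) "
    r"at address: 0x(?P<addr>[0-9A-Fa-f]+), Value:$")
HEX2 = re.compile(r"^[0-9A-Fa-f]{2}$")

# Constructed sample: the first three entries of the run above, cut to two
# hexdump rows each to keep the example short (real entries dump 16 rows).
SAMPLE_LOG = """\
2014-11-21 16:51:41,970 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE477, Value:

6d 6f 64 41 75 64 69 6f 24 6d 6f 64 33 00 6d 6f modAudio$mod3.mo
64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 00 6d dBtKiller$mod4.m
2014-11-21 16:51:41,971 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE485, Value:

6d 6f 64 42 74 4b 69 6c 6c 65 72 24 6d 6f 64 34 modBtKiller$mod4
00 6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d .modCrypt$mod5.m
2014-11-21 16:51:41,973 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE496, Value:

6d 6f 64 43 72 79 70 74 24 6d 6f 64 35 00 6d 6f modCrypt$mod5.mo
64 46 75 63 74 69 6f 6e 73 24 6d 6f 64 36 00 6d dFuctions$mod6.m
"""

@dataclass
class Match:
    proc: str
    pid: int
    rule: str
    addr: int
    data: bytes = b""

@dataclass
class Region:
    proc: str
    pid: int
    rule: str
    count: int          # log entries folded into this region
    first: int          # lowest matched address
    last: int           # highest matched address
    strides: set[int]   # distances between consecutive matched addresses
    names: list[str]    # NUL-separated printable chunks of the stitched bytes

def parse_row(line: str) -> bytes | None:
    """Bytes of a hexdump row, or None. Only the leading hex tokens (at most 16)
    are read, so '$' or '.' in the printable column cannot mislead the parser."""
    hexes = list(takewhile(HEX2.match, line.split()[:16]))
    return bytes.fromhex("".join(hexes)) if hexes else None

def parse_detekt_log(text: str) -> list[Match]:
    """Rows attach to the most recent header; blank lines and paste residue are skipped."""
    matches: list[Match] = []
    for raw in text.splitlines():
        line = raw.strip()
        if head := HEADER_RE.match(line):
            matches.append(Match(head["proc"], int(head["pid"]), head["rule"], int(head["addr"], 16)))
        elif (row := parse_row(line)) is not None and matches:
            matches[-1].data += row
    return matches

def nul_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Split on NUL and keep the chunks that are entirely printable ASCII."""
    return [c.decode("ascii") for c in data.split(b"\x00")
            if len(c) >= min_len and all(0x20 <= b < 0x7F for b in c)]

def summarize(matches: list[Match]) -> list[Region]:
    groups: dict[tuple[str, int, str], list[Match]] = defaultdict(list)
    for m in matches:
        groups[(m.proc, m.pid, m.rule)].append(m)
    regions = []
    for (proc, pid, rule), ms in groups.items():
        ms.sort(key=lambda m: m.addr)
        addrs = [m.addr for m in ms]
        # Lay each dumped window at its own address over one buffer, so overlapping
        # windows collapse back into the single region they were cut from.
        base = addrs[0]
        buf = bytearray(max(m.addr + len(m.data) for m in ms) - base)
        for m in ms:
            buf[m.addr - base:m.addr - base + len(m.data)] = m.data
        names = list(dict.fromkeys(nul_strings(bytes(buf))))  # dedupe, keep order
        regions.append(Region(proc, pid, rule, len(ms), addrs[0], addrs[-1],
                              {b - a for a, b in zip(addrs, addrs[1:])}, names))
    return regions

if __name__ == "__main__":
    for r in summarize(parse_detekt_log(SAMPLE_LOG)):
        print(f"{r.proc} (pid {r.pid}) {r.rule}: {r.count} entries at "
              f"0x{r.first:08X}..0x{r.last:08X}, strides {sorted(r.strides)}")
        for chunk in r.names:
            name, sep, tag = chunk.partition("$")  # e.g. modAudio / $mod3
            print(f"  {name:<24} {sep}{tag}")
```

Feed it the complete paste (one hexdump row per line; the parser takes at most 16 bytes from a line, so rows that the forum rendering ran together would lose their second half) and the whole run above collapses to a single region of CCC.exe, 0x542CE477 to 0x542CE63E, rather than thirty separate findings, with the recovered names being the same name$tag pairs that every window shows.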

22.11.2014, 14:05   #7
derdingens

## What to do? Detekt found five! Trojans, virus scanners with no findings so far. Detekt.Log part 2/3

Detekt.log part 2/3
Code:
2014-11-21 16:51:42,009 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE623, Value:

74 6d 72 43 72 61 7a 79 24 74 6d 72 39 00 74 6d tmrCrazy$tmr9.tm
72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 44 6f rDOS$tmr10.tmrDo
57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 46 6f Work$tmr11.tmrFo
63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 72 61 cus$tmr12.tmrGra
62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 49 6e bber$tmr13.tmrIn
61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 34 00 aktivitet$tmr14.
74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL
6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18.
74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t
6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW

2014-11-21 16:51:42,010 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE631, Value:

74 6d 72 44 4f 53 24 74 6d 72 31 30 00 74 6d 72 tmrDOS$tmr10.tmr
44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 74 6d 72 DoWork$tmr11.tmr
46 6f 63 75 73 24 74 6d 72 31 32 00 74 6d 72 47 Focus$tmr12.tmrG
72 61 62 62 65 72 24 74 6d 72 31 33 00 74 6d 72 rabber$tmr13.tmr
49 6e 61 6b 74 69 76 69 74 65 74 24 74 6d 72 31 Inaktivitet$tmr1
34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 4.tmrInfoTO$tmr1
35 00 74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 5.tmrIntervalUpd
61 74 65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 ate$tmr16.tmrLiv
65 4c 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d eLogger$tmr17.tm
72 50 65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 rPersistant$tmr1
38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 8.tmrScreenshot$
74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 tmr19.tmrSpara$t
6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d mr20.tmrSprid$tm
72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 r21.tmrTCP$tmr22
00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d .tmrUDP$tmr23.tm
72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 rWebHideBlackSha

2014-11-21 16:51:42,013 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE63E, Value:

74 6d 72 44 6f 57 6f 72 6b 24 74 6d 72 31 31 00 tmrDoWork$tmr11.
74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t
6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13.
74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t
6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t
6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval
55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr
4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17
00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t
6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh
6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar
61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid
24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm
72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23
00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack
53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection

2014-11-21 16:51:42,013 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE64E, Value:

74 6d 72 46 6f 63 75 73 24 74 6d 72 31 32 00 74 tmrFocus$tmr12.t 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 00 mrGrabber$tmr13.
74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t
6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval
55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17
00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar
61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d$tmr21.tmrTCP$tm 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23
00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack
53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection
00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$2014-11-21 16:51:42,016 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE65D, Value: 74 6d 72 47 72 61 62 62 65 72 24 74 6d 72 31 33 tmrGrabber$tmr13
00 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 .tmrInaktivitet$74 6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 tmr14.tmrInfoTO$
74 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 tmr15.tmrInterva
6c 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d lUpdate$tmr16.tm 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 rLiveLogger$tmr1
37 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 7.tmrPersistant$74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 tmr18.tmrScreens 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 hot$tmr19.tmrSpa
72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 ra$tmr20.tmrSpri 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 d$tmr21.tmrTCP$t 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 mr22.tmrUDP$tmr2
33 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 3.tmrWebHideBlac
6b 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f kShades.detectio
6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 n.DarkComet.RAT.
24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 $bot1.#BOT#OpenU 2014-11-21 16:51:42,016 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE66E, Value: 74 6d 72 49 6e 61 6b 74 69 76 69 74 65 74 24 74 tmrInaktivitet$t
6d 72 31 34 00 74 6d 72 49 6e 66 6f 54 4f 24 74 mr14.tmrInfoTO$t 6d 72 31 35 00 74 6d 72 49 6e 74 65 72 76 61 6c mr15.tmrInterval 55 70 64 61 74 65 24 74 6d 72 31 36 00 74 6d 72 Update$tmr16.tmr
4c 69 76 65 4c 6f 67 67 65 72 24 74 6d 72 31 37 LiveLogger$tmr17 00 74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 .tmrPersistant$t
6d 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 mr18.tmrScreensh
6f 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 ot$tmr19.tmrSpar 61 24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 a$tmr20.tmrSprid
24 74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d $tmr21.tmrTCP$tm
72 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 r22.tmrUDP$tmr23 00 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b .tmrWebHideBlack 53 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e Shades.detection 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 .DarkComet.RAT.$
62 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 bot1.#BOT#OpenUr
6c 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 l$bot2.#BOT#Ping 2014-11-21 16:51:42,019 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE683, Value: 74 6d 72 49 6e 66 6f 54 4f 24 74 6d 72 31 35 00 tmrInfoTO$tmr15.
74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW
65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade
73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark
43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot
32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$

2014-11-21 16:51:42,019 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE693, Value:

74 6d 72 49 6e 74 65 72 76 61 6c 55 70 64 61 74 tmrIntervalUpdat
65 24 74 6d 72 31 36 00 74 6d 72 4c 69 76 65 4c e$tmr16.tmrLiveL 6f 67 67 65 72 24 74 6d 72 31 37 00 74 6d 72 50 ogger$tmr17.tmrP
65 72 73 69 73 74 61 6e 74 24 74 6d 72 31 38 00 ersistant$tmr18. 74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm
72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr 32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2
31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW
65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade
73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark
43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1. 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot
32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$
62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni

2014-11-21 16:51:42,020 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6AB, Value:

74 6d 72 4c 69 76 65 4c 6f 67 67 65 72 24 74 6d tmrLiveLogger$tm 72 31 37 00 74 6d 72 50 65 72 73 69 73 74 61 6e r17.tmrPersistan 74 24 74 6d 72 31 38 00 74 6d 72 53 63 72 65 65 t$tmr18.tmrScree
6e 73 68 6f 74 24 74 6d 72 31 39 00 74 6d 72 53 nshot$tmr19.tmrS 70 61 72 61 24 74 6d 72 32 30 00 74 6d 72 53 70 para$tmr20.tmrSp
72 69 64 24 74 6d 72 32 31 00 74 6d 72 54 43 50 rid$tmr21.tmrTCP 24 74 6d 72 32 32 00 74 6d 72 55 44 50 24 74 6d$tmr22.tmrUDP$tm 72 32 33 00 74 6d 72 57 65 62 48 69 64 65 42 6c r23.tmrWebHideBl 61 63 6b 53 68 61 64 65 73 00 64 65 74 65 63 74 ackShades.detect 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 74 20 52 41 ion.DarkComet.RA 54 00 24 62 6f 74 31 00 23 42 4f 54 23 4f 70 65 T.$bot1.#BOT#Ope
6e 55 72 6c 24 62 6f 74 32 00 23 42 4f 54 23 50 nUrl$bot2.#BOT#P 69 6e 67 24 62 6f 74 33 00 23 42 4f 54 23 52 75 ing$bot3.#BOT#Ru
6e 50 72 6f 6d 70 74 24 62 6f 74 34 00 23 42 4f nPrompt$bot4.#BO 54 23 53 76 72 55 6e 69 6e 73 74 61 6c 6c 24 62 T#SvrUninstall$b
6f 74 35 00 23 42 4f 54 23 55 52 4c 44 6f 77 6e ot5.#BOT#URLDown

2014-11-21 16:51:42,023 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6BF, Value:

74 6d 72 50 65 72 73 69 73 74 61 6e 74 24 74 6d tmrPersistant$tm 72 31 38 00 74 6d 72 53 63 72 65 65 6e 73 68 6f r18.tmrScreensho 74 24 74 6d 72 31 39 00 74 6d 72 53 70 61 72 61 t$tmr19.tmrSpara
24 74 6d 72 32 30 00 74 6d 72 53 70 72 69 64 24 $tmr20.tmrSprid$
74 6d 72 32 31 00 74 6d 72 54 43 50 24 74 6d 72 tmr21.tmrTCP$tmr 32 32 00 74 6d 72 55 44 50 24 74 6d 72 32 33 00 22.tmrUDP$tmr23.
74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS
68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection.
44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b 6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl 24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24$bot2.#BOT#Ping$62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro 6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv
72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5. 23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload 24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70$bot6.#BOT#URLUp

2014-11-21 16:51:42,023 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6D3, Value:

74 6d 72 53 63 72 65 65 6e 73 68 6f 74 24 74 6d tmrScreenshot$tm 72 31 39 00 74 6d 72 53 70 61 72 61 24 74 6d 72 r19.tmrSpara$tmr
32 30 00 74 6d 72 53 70 72 69 64 24 74 6d 72 32 20.tmrSprid$tmr2 31 00 74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 1.tmrTCP$tmr22.t
6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 mrUDP$tmr23.tmrW 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 ebHideBlackShade 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b s.detection.Dark 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 Comet.RAT.$bot1.
23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3
00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT
23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74$bot7.#BOT#Visit

2014-11-21 16:51:42,026 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6E7, Value:

74 6d 72 53 70 61 72 61 24 74 6d 72 32 30 00 74 tmrSpara$tmr20.t 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 6d mrSprid$tmr21.tm
72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 44 rTCP$tmr22.tmrUD 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 69 P$tmr23.tmrWebHi
64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 65 deBlackShades.de
74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d 65 tection.DarkCome
74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f 54 t.RAT.$bot1.#BOT 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 42 #OpenUrl$bot2.#B
4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 4f OT#Ping$bot3.#BO 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 34 T#RunPrompt$bot4
00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 .#BOT#SvrUninsta
6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c ll$bot5.#BOT#URL 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 Download$bot6.#B
4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 OT#URLUpdate$bot 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 7.#BOT#VisitUrl$
62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 bot8.#BOT#CloseS

2014-11-21 16:51:42,026 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE6F6, Value:

74 6d 72 53 70 72 69 64 24 74 6d 72 32 31 00 74 tmrSprid$tmr21.t 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 55 mrTCP$tmr22.tmrU
44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 48 DP$tmr23.tmrWebH 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 64 ideBlackShades.d 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f 6d etection.DarkCom 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 4f et.RAT.$bot1.#BO
54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 23 T#OpenUrl$bot2.# 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 42 BOT#Ping$bot3.#B
4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f 74 OT#RunPrompt$bot 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 4.#BOT#SvrUninst 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 all$bot5.#BOT#UR
4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 LDownload$bot6.# 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 6f BOT#URLUpdate$bo
74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c t7.#BOT#VisitUrl
24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 $bot8.#BOT#Close 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 4f Server$ddos1.DDO

2014-11-21 16:51:42,029 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE705, Value:

74 6d 72 54 43 50 24 74 6d 72 32 32 00 74 6d 72 tmrTCP$tmr22.tmr 55 44 50 24 74 6d 72 32 33 00 74 6d 72 57 65 62 UDP$tmr23.tmrWeb
48 69 64 65 42 6c 61 63 6b 53 68 61 64 65 73 00 HideBlackShades.
64 65 74 65 63 74 69 6f 6e 00 44 61 72 6b 43 6f detection.DarkCo
6d 65 74 20 52 41 54 00 24 62 6f 74 31 00 23 42 met.RAT.$bot1.#B 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 32 00 OT#OpenUrl$bot2.
23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.# 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo
74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins
74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6.
23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos
65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos

2014-11-21 16:51:42,029 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE712, Value:

74 6d 72 55 44 50 24 74 6d 72 32 33 00 74 6d 72 tmrUDP$tmr23.tmr 57 65 62 48 69 64 65 42 6c 61 63 6b 53 68 61 64 WebHideBlackShad 65 73 00 64 65 74 65 63 74 69 6f 6e 00 44 61 72 es.detection.Dar 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 6f 74 31 kComet.RAT.$bot1
00 23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f .#BOT#OpenUrl$bo 74 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 t2.#BOT#Ping$bot
33 00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 3.#BOT#RunPrompt
24 62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e $bot4.#BOT#SvrUn 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f install$bot5.#BO
54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f T#URLDownload$bo 74 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 t6.#BOT#URLUpdat 65 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 e$bot7.#BOT#Visi
74 55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 tUrl$bot8.#BOT#C 6c 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 loseServer$ddos1
00 44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 .DDOSHTTPFLOOD$d 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f dos2.DDOSSYNFLOO 2014-11-21 16:51:42,032 - detector - WARNING - Process CCC.exe (pid: 7624) matched: BlackShades at address: 0x542CE71F, Value: 74 6d 72 57 65 62 48 69 64 65 42 6c 61 63 6b 53 tmrWebHideBlackS 68 61 64 65 73 00 64 65 74 65 63 74 69 6f 6e 00 hades.detection. 44 61 72 6b 43 6f 6d 65 74 20 52 41 54 00 24 62 DarkComet.RAT.$b
6f 74 31 00 23 42 4f 54 23 4f 70 65 6e 55 72 6c ot1.#BOT#OpenUrl
24 62 6f 74 32 00 23 42 4f 54 23 50 69 6e 67 24 $bot2.#BOT#Ping$
62 6f 74 33 00 23 42 4f 54 23 52 75 6e 50 72 6f bot3.#BOT#RunPro
6d 70 74 24 62 6f 74 34 00 23 42 4f 54 23 53 76 mpt$bot4.#BOT#Sv 72 55 6e 69 6e 73 74 61 6c 6c 24 62 6f 74 35 00 rUninstall$bot5.
23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload
24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V
69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO 54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd
6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO
44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU

2014-11-21 16:51:42,032 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE753, Value:

23 42 4f 54 23 4f 70 65 6e 55 72 6c 24 62 6f 74 #BOT#OpenUrl$bot 32 00 23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 2.#BOT#Ping$bot3
00 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 .#BOT#RunPrompt$62 6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 bot4.#BOT#SvrUni 6e 73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 nstall$bot5.#BOT
23 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 #URLDownload$bot 36 00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 6.#BOT#URLUpdate 24 62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74$bot7.#BOT#Visit
55 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c Url$bot8.#BOT#Cl 6f 73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 oseServer$ddos1.
44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD 24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c$ddos3.DDOSUDPFL
4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2.

2014-11-21 16:51:42,035 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE765, Value:

23 42 4f 54 23 50 69 6e 67 24 62 6f 74 33 00 23 #BOT#Ping$bot3.# 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 6f BOT#RunPrompt$bo
74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e 73 t4.#BOT#SvrUnins
74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 55 tall$bot5.#BOT#U 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 RLDownload$bot6.
23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos
65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos
32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act
69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg
65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 2014-11-21 16:51:42,036 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE774, Value: 23 42 4f 54 23 52 75 6e 50 72 6f 6d 70 74 24 62 #BOT#RunPrompt$b
6f 74 34 00 23 42 4f 54 23 53 76 72 55 6e 69 6e ot4.#BOT#SvrUnin
73 74 61 6c 6c 24 62 6f 74 35 00 23 42 4f 54 23 stall$bot5.#BOT# 55 52 4c 44 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 URLDownload$bot6
00 23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 .#BOT#URLUpdate$62 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 bot7.#BOT#VisitU 72 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f rl$bot8.#BOT#Clo
73 65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 seServer$ddos1.D 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f DOSHTTPFLOOD$ddo
73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 s2.DDOSSYNFLOOD$64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f ddos3.DDOSUDPFLO 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 OD$keylogger1.Ac
74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog
67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 ger$keylogger2.U 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 nActiveOnlineKey 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger

2014-11-21 16:51:42,038 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE788, Value:

23 42 4f 54 23 53 76 72 55 6e 69 6e 73 74 61 6c #BOT#SvrUninstal
6c 24 62 6f 74 35 00 23 42 4f 54 23 55 52 4c 44 l$bot5.#BOT#URLD 6f 77 6e 6c 6f 61 64 24 62 6f 74 36 00 23 42 4f ownload$bot6.#BO
54 23 55 52 4c 55 70 64 61 74 65 24 62 6f 74 37 T#URLUpdate$bot7 00 23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 .#BOT#VisitUrl$b
6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 ot8.#BOT#CloseSe
72 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 rver$ddos1.DDOSH 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 TTPFLOOD$ddos2.D
44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 DOSSYNFLOOD$ddos 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 3.DDOSUDPFLOOD$k
65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 eylogger1.Active
4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 OnlineKeylogger$6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 keylogger2.UnAct 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 er$keylogger3.Ac
74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo

2014-11-21 16:51:42,039 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE79F, Value:

23 42 4f 54 23 55 52 4c 44 6f 77 6e 6c 6f 61 64 #BOT#URLDownload
24 62 6f 74 36 00 23 42 4f 54 23 55 52 4c 55 70 $bot6.#BOT#URLUp 64 61 74 65 24 62 6f 74 37 00 23 42 4f 54 23 56 date$bot7.#BOT#V
69 73 69 74 55 72 6c 24 62 6f 74 38 00 23 42 4f isitUrl$bot8.#BO 54 23 43 6c 6f 73 65 53 65 72 76 65 72 24 64 64 T#CloseServer$dd
6f 73 31 00 44 44 4f 53 48 54 54 50 46 4c 4f 4f os1.DDOSHTTPFLOO
44 24 64 64 6f 73 32 00 44 44 4f 53 53 59 4e 46 D$ddos2.DDOSSYNF 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 4f 53 55 LOOD$ddos3.DDOSU
44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f 67 67 65 DPFLOOD$keylogge 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b r1.ActiveOnlineK 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg
65 72 32 00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 er2.UnActiveOnli
6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl 6f 67 67 65 72 33 00 41 63 74 69 76 65 4f 66 66 ogger3.ActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke
79 6c 6f 67 67 65 72 34 00 55 6e 41 63 74 69 76 ylogger4.UnActiv

2014-11-21 16:51:42,039 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7B5, Value:

23 42 4f 54 23 55 52 4c 55 70 64 61 74 65 24 62 #BOT#URLUpdate$b 6f 74 37 00 23 42 4f 54 23 56 69 73 69 74 55 72 ot7.#BOT#VisitUr 6c 24 62 6f 74 38 00 23 42 4f 54 23 43 6c 6f 73 l$bot8.#BOT#Clos
65 53 65 72 76 65 72 24 64 64 6f 73 31 00 44 44 eServer$ddos1.DD 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 6f 73 OSHTTPFLOOD$ddos
32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 2.DDOSSYNFLOOD$d 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f dos3.DDOSUDPFLOO 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 D$keylogger1.Act
69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 iveOnlineKeylogg
65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e er$keylogger2.Un 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3
00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe
79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel

2014-11-21 16:51:42,042 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7C9, Value:

23 42 4f 54 23 56 69 73 69 74 55 72 6c 24 62 6f #BOT#VisitUrl$bo 74 38 00 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 t8.#BOT#CloseSer 76 65 72 24 64 64 6f 73 31 00 44 44 4f 53 48 54 ver$ddos1.DDOSHT
54 50 46 4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 TPFLOOD$ddos2.DD 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 OSSYNFLOOD$ddos3
00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 .DDOSUDPFLOOD$ke 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f ylogger1.ActiveO 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k
65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 eylogger2.UnActi
76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 veOnlineKeylogge
72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 r$keylogger3.Act 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 iveOfflineKeylog 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 ger$keylogger4.U
6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 nActiveOfflineKe
79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 ylogger$shell1.A 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c CTIVEREMOTESHELL 2014-11-21 16:51:42,042 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7DC, Value: 23 42 4f 54 23 43 6c 6f 73 65 53 65 72 76 65 72 #BOT#CloseServer 24 64 64 6f 73 31 00 44 44 4f 53 48 54 54 50 46$ddos1.DDOSHTTPF
4c 4f 4f 44 24 64 64 6f 73 32 00 44 44 4f 53 53 LOOD$ddos2.DDOSS 59 4e 46 4c 4f 4f 44 24 64 64 6f 73 33 00 44 44 YNFLOOD$ddos3.DD
4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 6c 6f OSUDPFLOOD$keylo 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e 6c 69 gger1.ActiveOnli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c neKeylogger$keyl
6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 65 4f ogger2.UnActiveO
6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b nlineKeylogger$k 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69 76 65 eylogger3.Active 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 OfflineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e 41 63$keylogger4.UnAc
74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f tiveOfflineKeylo
67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 54 49 gger$shell1.ACTI 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 VEREMOTESHELL$sh
65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 45 53 ell2.SUBMREMOTES

2014-11-21 16:51:42,045 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE7F3, Value:

44 44 4f 53 48 54 54 50 46 4c 4f 4f 44 24 64 64 DDOSHTTPFLOOD$dd 6f 73 32 00 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 os2.DDOSSYNFLOOD 24 64 64 6f 73 33 00 44 44 4f 53 55 44 50 46 4c$ddos3.DDOSUDPFL
4f 4f 44 24 6b 65 79 6c 6f 67 67 65 72 31 00 41 OOD$keylogger1.A 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f ctiveOnlineKeylo 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 00 gger$keylogger2.
55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe
79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog
67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff
6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU
42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES 2014-11-21 16:51:42,046 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE807, Value: 44 44 4f 53 53 59 4e 46 4c 4f 4f 44 24 64 64 6f DDOSSYNFLOOD$ddo
73 33 00 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 s3.DDOSUDPFLOOD$6b 65 79 6c 6f 67 67 65 72 31 00 41 63 74 69 76 keylogger1.Activ 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 32 00 55 6e 41 63$keylogger2.UnAc
74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 tiveOnlineKeylog
67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 ger$keylogger3.A 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c ctiveOfflineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 34 ogger$keylogger4
00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 .UnActiveOffline
4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 Keylogger$shell1 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 .ACTIVEREMOTESHE 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 LL$shell2.SUBMRE
4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 MOTESHELL$shell3 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c .KILLREMOTESHELL 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 DarkComet.detect 2014-11-21 16:51:42,048 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE81A, Value: 44 44 4f 53 55 44 50 46 4c 4f 4f 44 24 6b 65 79 DDOSUDPFLOOD$key
6c 6f 67 67 65 72 31 00 41 63 74 69 76 65 4f 6e logger1.ActiveOn
6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 lineKeylogger$ke 79 6c 6f 67 67 65 72 32 00 55 6e 41 63 74 69 76 ylogger2.UnActiv 65 4f 6e 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 eOnlineKeylogger 24 6b 65 79 6c 6f 67 67 65 72 33 00 41 63 74 69$keylogger3.Acti
76 65 4f 66 66 6c 69 6e 65 4b 65 79 6c 6f 67 67 veOfflineKeylogg
65 72 24 6b 65 79 6c 6f 67 67 65 72 34 00 55 6e er$keylogger4.Un 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC
54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI
4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar
6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection
00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str 2014-11-21 16:51:42,049 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE832, Value: 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 32 ogger$keylogger2
00 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b .UnActiveOnlineK
65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 eylogger$keylogg 65 72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e er3.ActiveOfflin 65 4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f eKeylogger$keylo
67 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 gger4.UnActiveOf
66 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 flineKeylogger$s 68 65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f hell1.ACTIVEREMO 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 TESHELL$shell2.S
55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 UBMREMOTESHELL$s 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 hell3.KILLREMOTE 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 SHELLDarkComet.d 65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 etection.Xtreme. 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 RAT.$string1.Xtr
65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 emeKeylogger$str 2014-11-21 16:51:42,049 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE855, Value: 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 79 6c ActiveOnlineKeyl 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 33 ogger$keylogger3
00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 .ActiveOfflineKe
79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 r4.UnActiveOffli 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c neKeylogger$shel
6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 l1.ACTIVEREMOTES
48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d HELL$shell2.SUBM 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c REMOTESHELL$shel
6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 l3.KILLREMOTESHE
4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 LLDarkComet.dete
63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 ction.Xtreme.RAT
00 24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 .$string1.Xtreme 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 Keylogger$string
32 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 2.XtremeRAT$stri 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 ng3.XTREMEUPDATE 2014-11-21 16:51:42,052 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE853, Value: 55 6e 41 63 74 69 76 65 4f 6e 6c 69 6e 65 4b 65 UnActiveOnlineKe 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 ylogger$keylogge
72 33 00 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 r3.ActiveOffline
4b 65 79 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 Keylogger$keylog 67 65 72 34 00 55 6e 41 63 74 69 76 65 4f 66 66 ger4.UnActiveOff 6c 69 6e 65 4b 65 79 6c 6f 67 67 65 72 24 73 68 lineKeylogger$sh
65 6c 6c 31 00 41 43 54 49 56 45 52 45 4d 4f 54 ell1.ACTIVEREMOT
45 53 48 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 ESHELL$shell2.SU 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 BMREMOTESHELL$sh
65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 ell3.KILLREMOTES
48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 HELLDarkComet.de
74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 tection.Xtreme.R
41 54 00 24 73 74 72 69 6e 67 31 00 58 74 72 65 AT.$string1.Xtre 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 72 69 meKeylogger$stri
6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 73 74 ng2.XtremeRAT$st 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 44 41 ring3.XTREMEUPDA 2014-11-21 16:51:42,052 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE876, Value: 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey 6c 6f 67 67 65 72 24 6b 65 79 6c 6f 67 67 65 72 logger$keylogger
34 00 55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 4.UnActiveOfflin
65 4b 65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c eKeylogger$shell 31 00 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 1.ACTIVEREMOTESH 45 4c 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 ELL$shell2.SUBMR
45 4d 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c EMOTESHELL$shell 33 00 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 3.KILLREMOTESHEL 4c 44 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 LDarkComet.detec 74 69 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 tion.Xtreme.RAT. 24 73 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b$string1.XtremeK
65 79 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 eylogger$string2 00 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e .XtremeRAT$strin
67 33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 g3.XTREMEUPDATE$73 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 string4.STUBXTRE 4d 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 MEINJECTED$unit1

2014-11-21 16:51:42,055 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE89A, Value:

41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b 65 79 ActiveOfflineKey
6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 41 43 logger$shell1.AC 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c 4c 24 TIVEREMOTESHELL$
73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d 4f 54 shell2.SUBMREMOT
45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 4b 49 ESHELL$shell3.KI 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 61 72 LLREMOTESHELLDar 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 6f 6e kComet.detection 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 74 72 .Xtreme.RAT.$str
69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 6c 6f ing1.XtremeKeylo
67 67 65 72 24 73 74 72 69 6e 67 32 00 58 74 72 gger$string2.Xtr 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 00 58 emeRAT$string3.X
54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 69 TREMEUPDATE$stri 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 4e ng4.STUBXTREMEIN 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e 69 JECTED$unit1.Uni
74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 00 55 tConfigs$unit2.U 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e 69 nitGetServer$uni

2014-11-21 16:51:42,055 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE898, Value:

55 6e 41 63 74 69 76 65 4f 66 66 6c 69 6e 65 4b UnActiveOfflineK
65 79 6c 6f 67 67 65 72 24 73 68 65 6c 6c 31 00 eylogger$shell1. 41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL 4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM
4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3. 4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD 61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti 6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s
74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey
6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3
00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U
6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u

2014-11-21 16:51:42,058 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8B8, Value:

41 43 54 49 56 45 52 45 4d 4f 54 45 53 48 45 4c ACTIVEREMOTESHEL
4c 24 73 68 65 6c 6c 32 00 53 55 42 4d 52 45 4d L$shell2.SUBMREM 4f 54 45 53 48 45 4c 4c 24 73 68 65 6c 6c 33 00 OTESHELL$shell3.
4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD
61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti
6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X
74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st
72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME
49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2
00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 nit3.UnitKeylogg 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 er$unit4.UnitCry

2014-11-21 16:51:42,059 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8D1, Value:

53 55 42 4d 52 45 4d 4f 54 45 53 48 45 4c 4c 24 SUBMREMOTESHELL$73 68 65 6c 6c 33 00 4b 49 4c 4c 52 45 4d 4f 54 shell3.KILLREMOT 45 53 48 45 4c 4c 44 61 72 6b 43 6f 6d 65 74 00 ESHELLDarkComet. 64 65 74 65 63 74 69 6f 6e 00 58 74 72 65 6d 65 detection.Xtreme 20 52 41 54 00 24 73 74 72 69 6e 67 31 00 58 74 .RAT.$string1.Xt
72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 73 74 remeKeylogger$st 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 54 24 ring2.XtremeRAT$
73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 55 50 string3.XTREMEUP
44 41 54 45 24 73 74 72 69 6e 67 34 00 53 54 55 DATE$string4.STU 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 44 24 BXTREMEINJECTED$
75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 69 67 unit1.UnitConfig
73 24 75 6e 69 74 32 00 55 6e 69 74 47 65 74 53 s$unit2.UnitGetS 65 72 76 65 72 24 75 6e 69 74 33 00 55 6e 69 74 erver$unit3.Unit
4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 74 34 00 Keylogger$unit4. 55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 67 24 UnitCryptString$
75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 61 6c unit5.UnitInstal

2014-11-21 16:51:42,061 - detector - WARNING - Process CCC.exe (pid: 7624) matched: DarkComet at address: 0x542CE8E8, Value:

4b 49 4c 4c 52 45 4d 4f 54 45 53 48 45 4c 4c 44 KILLREMOTESHELLD
61 72 6b 43 6f 6d 65 74 00 64 65 74 65 63 74 69 arkComet.detecti
6f 6e 00 58 74 72 65 6d 65 20 52 41 54 00 24 73 on.Xtreme.RAT.$s 74 72 69 6e 67 31 00 58 74 72 65 6d 65 4b 65 79 tring1.XtremeKey 6c 6f 67 67 65 72 24 73 74 72 69 6e 67 32 00 58 logger$string2.X
74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 33 tremeRAT$string3 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 .XTREMEUPDATE$st
72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 ring4.STUBXTREME
49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 INJECTED$unit1.U 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 nitConfigs$unit2
00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 .UnitGetServer$u 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 nit3.UnitKeylogg 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 er$unit4.UnitCry
70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 ptString$unit5.U 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 nitInstallServer 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63$unit6.UnitInjec

2014-11-21 16:51:42,062 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE91F, Value:

58 74 72 65 6d 65 4b 65 79 6c 6f 67 67 65 72 24 XtremeKeylogger$73 74 72 69 6e 67 32 00 58 74 72 65 6d 65 52 41 string2.XtremeRA 54 24 73 74 72 69 6e 67 33 00 58 54 52 45 4d 45 T$string3.XTREME
55 50 44 41 54 45 24 73 74 72 69 6e 67 34 00 53 UPDATE$string4.S 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 45 TUBXTREMEINJECTE 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e 66 D$unit1.UnitConf
69 67 73 24 75 6e 69 74 32 00 55 6e 69 74 47 65 igs$unit2.UnitGe 74 53 65 72 76 65 72 24 75 6e 69 74 33 00 55 6e tServer$unit3.Un
69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 74 itKeylogger$unit 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 4.UnitCryptStrin 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 g$unit5.UnitInst
61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 36 00 allServer$unit6. 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 UnitInjectServer 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65$unit7.UnitBinde
72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 r$unit8.UnitInje 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 ctProcessXtreme. 2014-11-21 16:51:42,063 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE937, Value: 58 74 72 65 6d 65 52 41 54 24 73 74 72 69 6e 67 XtremeRAT$string
33 00 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 3.XTREMEUPDATE$s 74 72 69 6e 67 34 00 53 54 55 42 58 54 52 45 4d tring4.STUBXTREM 45 49 4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 EINJECTED$unit1.
55 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 UnitConfigs$unit 32 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 2.UnitGetServer$
75 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 unit3.UnitKeylog
67 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 ger$unit4.UnitCr 79 70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 yptString$unit5.
55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe
72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje 63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U
6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8. 55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R 2014-11-21 16:51:42,065 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE949, Value: 58 54 52 45 4d 45 55 50 44 41 54 45 24 73 74 72 XTREMEUPDATE$str
69 6e 67 34 00 53 54 55 42 58 54 52 45 4d 45 49 ing4.STUBXTREMEI
4e 4a 45 43 54 45 44 24 75 6e 69 74 31 00 55 6e NJECTED$unit1.Un 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 32 00 itConfigs$unit2.
55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e UnitGetServer$un 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 65 it3.UnitKeylogge 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 70 r$unit4.UnitCryp
74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 6e tString$unit5.Un 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 24 itInstallServer$
75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 74 unit6.UnitInject
53 65 72 76 65 72 24 75 6e 69 74 37 00 55 6e 69 Server$unit7.Uni 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 55 6e tBinder$unit8.Un
69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 73 58 itInjectProcessX
74 72 65 6d 65 00 64 65 74 65 63 74 69 6f 6e 00 treme.detection.
48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 43 53 Hacking.Team.RCS
20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 31 00 .Scout.$engine1. 2014-11-21 16:51:42,065 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE95E, Value: 53 54 55 42 58 54 52 45 4d 45 49 4e 4a 45 43 54 STUBXTREMEINJECT 45 44 24 75 6e 69 74 31 00 55 6e 69 74 43 6f 6e ED$unit1.UnitCon
66 69 67 73 24 75 6e 69 74 32 00 55 6e 69 74 47 figs$unit2.UnitG 65 74 53 65 72 76 65 72 24 75 6e 69 74 33 00 55 etServer$unit3.U
6e 69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e 69 nitKeylogger$uni 74 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 69 t4.UnitCryptStri 6e 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e 73 ng$unit5.UnitIns
74 61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 36 tallServer$unit6 00 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 .UnitInjectServe 72 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 r$unit7.UnitBind
65 72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a er$unit8.UnitInj 65 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 ectProcessXtreme 00 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 .detection.Hacki 6e 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f 75 ng.Team.RCS.Scou 74 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 6e t.$engine1.Engin
65 20 73 74 61 72 74 65 64 24 65 6e 67 69 6e 65 e.started$engine 2014-11-21 16:51:42,068 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE977, Value: 55 6e 69 74 43 6f 6e 66 69 67 73 24 75 6e 69 74 UnitConfigs$unit
32 00 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 2.UnitGetServer$75 6e 69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 unit3.UnitKeylog 67 65 72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 ger$unit4.UnitCr
79 70 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 yptString$unit5. 55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe 72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje
63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U 6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8.
55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces
73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio
6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R
43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67$engine2.Running
20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e 2014-11-21 16:51:42,069 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE989, Value: 55 6e 69 74 47 65 74 53 65 72 76 65 72 24 75 6e UnitGetServer$un
69 74 33 00 55 6e 69 74 4b 65 79 6c 6f 67 67 65 it3.UnitKeylogge
72 24 75 6e 69 74 34 00 55 6e 69 74 43 72 79 70 r$unit4.UnitCryp 74 53 74 72 69 6e 67 24 75 6e 69 74 35 00 55 6e tString$unit5.Un
69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 72 24 itInstallServer$75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 63 74 unit6.UnitInject 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 6e 69 Server$unit7.Uni
74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 55 6e tBinder$unit8.Un 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 73 58 itInjectProcessX 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f 6e 00 treme.detection. 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 43 53 Hacking.Team.RCS 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 31 00 .Scout.$engine1.
45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 24 65 Engine.started$e 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 20 69 ngine2.Running.i 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 6e 67 n.background$eng
69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 6f 6f ine3.Locking.doo

2014-11-21 16:51:42,071 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE99D, Value:

55 6e 69 74 4b 65 79 6c 6f 67 67 65 72 24 75 6e UnitKeylogger$un 69 74 34 00 55 6e 69 74 43 72 79 70 74 53 74 72 it4.UnitCryptStr 69 6e 67 24 75 6e 69 74 35 00 55 6e 69 74 49 6e ing$unit5.UnitIn
73 74 61 6c 6c 53 65 72 76 65 72 24 75 6e 69 74 stallServer$unit 36 00 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 6.UnitInjectServ 65 72 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e er$unit7.UnitBin
64 65 72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e der$unit8.UnitIn 6a 65 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d jectProcessXtrem 65 00 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b e.detection.Hack 69 6e 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f ing.Team.RCS.Sco 75 74 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 ut.$engine1.Engi
6e 65 20 73 74 61 72 74 65 64 24 65 6e 67 69 6e ne.started$engin 65 32 00 52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 e2.Running.in.ba 63 6b 67 72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 ckground$engine3
00 4c 6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 .Locking.doors$e 6e 67 69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e ngine4.Rotors.en 2014-11-21 16:51:42,072 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9B1, Value: 55 6e 69 74 43 72 79 70 74 53 74 72 69 6e 67 24 UnitCryptString$
75 6e 69 74 35 00 55 6e 69 74 49 6e 73 74 61 6c unit5.UnitInstal
6c 53 65 72 76 65 72 24 75 6e 69 74 36 00 55 6e lServer$unit6.Un 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 24 75 itInjectServer$u
6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65 72 24 nit7.UnitBinder$75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 63 74 unit8.UnitInject 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 64 65 ProcessXtreme.de 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e 67 20 tection.Hacking. 54 65 61 6d 20 52 43 53 20 53 63 6f 75 74 00 24 Team.RCS.Scout.$
65 6e 67 69 6e 65 31 00 45 6e 67 69 6e 65 20 73 engine1.Engine.s
74 61 72 74 65 64 24 65 6e 67 69 6e 65 32 00 52 tarted$engine2.R 75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b 67 72 unning.in.backgr 6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c 6f 63 ound$engine3.Loc
6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 69 6e king.doors$engin 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 67 65 e4.Rotors.engage 64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 67 6f d$engine5.I'm.go

2014-11-21 16:51:42,073 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9C7, Value:

55 6e 69 74 49 6e 73 74 61 6c 6c 53 65 72 76 65 UnitInstallServe
72 24 75 6e 69 74 36 00 55 6e 69 74 49 6e 6a 65 r$unit6.UnitInje 63 74 53 65 72 76 65 72 24 75 6e 69 74 37 00 55 ctServer$unit7.U
6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 00 nitBinder$unit8. 55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R 43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine
31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started
24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 $engine2.Running 20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e
6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 ngine3.Locking.d
6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f 74 oors$engine4.Rot 6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 69 ors.engaged$engi
6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f ne5.I'm.going.to
20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 31 .start.it$start1 2014-11-21 16:51:42,075 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9DF, Value: 55 6e 69 74 49 6e 6a 65 63 74 53 65 72 76 65 72 UnitInjectServer 24 75 6e 69 74 37 00 55 6e 69 74 42 69 6e 64 65$unit7.UnitBinde
72 24 75 6e 69 74 38 00 55 6e 69 74 49 6e 6a 65 r$unit8.UnitInje 63 74 50 72 6f 63 65 73 73 58 74 72 65 6d 65 00 ctProcessXtreme. 64 65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e detection.Hackin 67 20 54 65 61 6d 20 52 43 53 20 53 63 6f 75 74 g.Team.RCS.Scout 00 24 65 6e 67 69 6e 65 31 00 45 6e 67 69 6e 65 .$engine1.Engine
20 73 74 61 72 74 65 64 24 65 6e 67 69 6e 65 32 .started$engine2 00 52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b .Running.in.back 67 72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c ground$engine3.L
6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 ocking.doors$eng 69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 ine4.Rotors.enga 67 65 64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 ged$engine5.I'm.
67 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 69 going.to.start.i
74 24 73 74 61 72 74 31 00 53 74 61 72 74 69 6e t$start1.Startin 67 20 75 70 67 72 61 64 65 21 24 73 74 61 72 74 g.upgrade!$start

2014-11-21 16:51:42,075 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CE9F6, Value:

55 6e 69 74 42 69 6e 64 65 72 24 75 6e 69 74 38 UnitBinder$unit8 00 55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 .UnitInjectProce 73 73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 ssXtreme.detecti 6f 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 on.Hacking.Team. 52 43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e RCS.Scout.$engin
65 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 e1.Engine.starte
64 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e d$engine2.Runnin 67 20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 g.in.background$
65 6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 engine3.Locking.
64 6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f doors$engine4.Ro 74 6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 tors.engaged$eng
69 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 ine5.I'm.going.t
6f 20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 o.start.it$start 31 00 53 74 61 72 74 69 6e 67 20 75 70 67 72 61 1.Starting.upgra 64 65 21 24 73 74 61 72 74 32 00 49 27 6d 20 67 de!$start2.I'm.g
6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 74 68 oing.to.start.th

2014-11-21 16:51:42,078 - detector - WARNING - Process CCC.exe (pid: 7624) matched: Xtreme at address: 0x542CEA07, Value:

55 6e 69 74 49 6e 6a 65 63 74 50 72 6f 63 65 73 UnitInjectProces
73 58 74 72 65 6d 65 00 64 65 74 65 63 74 69 6f sXtreme.detectio
6e 00 48 61 63 6b 69 6e 67 20 54 65 61 6d 20 52 n.Hacking.Team.R
43 53 20 53 63 6f 75 74 00 24 65 6e 67 69 6e 65 CS.Scout.$engine 31 00 45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 1.Engine.started 24 65 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67$engine2.Running
20 69 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 .in.background$e 6e 67 69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 ngine3.Locking.d 6f 6f 72 73 24 65 6e 67 69 6e 65 34 00 52 6f 74 oors$engine4.Rot
6f 72 73 20 65 6e 67 61 67 65 64 24 65 6e 67 69 ors.engaged$engi 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f ne5.I'm.going.to 20 73 74 61 72 74 20 69 74 24 73 74 61 72 74 31 .start.it$start1
00 53 74 61 72 74 69 6e 67 20 75 70 67 72 61 64 .Starting.upgrad
65 21 24 73 74 61 72 74 32 00 49 27 6d 20 67 6f e!$start2.I'm.go 69 6e 67 20 74 6f 20 73 74 61 72 74 20 74 68 65 ing.to.start.the 20 70 72 6f 67 72 61 6d 24 73 74 61 72 74 33 00 .program$start3.

2014-11-21 16:51:42,078 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA49, Value:

45 6e 67 69 6e 65 20 73 74 61 72 74 65 64 24 65 Engine.started$e 6e 67 69 6e 65 32 00 52 75 6e 6e 69 6e 67 20 69 ngine2.Running.i 6e 20 62 61 63 6b 67 72 6f 75 6e 64 24 65 6e 67 n.background$eng
69 6e 65 33 00 4c 6f 63 6b 69 6e 67 20 64 6f 6f ine3.Locking.doo
72 73 24 65 6e 67 69 6e 65 34 00 52 6f 74 6f 72 rs$engine4.Rotor 73 20 65 6e 67 61 67 65 64 24 65 6e 67 69 6e 65 s.engaged$engine
35 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 5.I'm.going.to.s
74 61 72 74 20 69 74 24 73 74 61 72 74 31 00 53 tart.it$start1.S 74 61 72 74 69 6e 67 20 75 70 67 72 61 64 65 21 tarting.upgrade! 24 73 74 61 72 74 32 00 49 27 6d 20 67 6f 69 6e$start2.I'm.goin
67 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 70 g.to.start.the.p
72 6f 67 72 61 6d 24 73 74 61 72 74 33 00 69 73 rogram$start3.is 20 69 74 20 6f 6b 3f 24 73 74 61 72 74 34 00 43 .it.ok?$start4.C
6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 74 68 lick.to.start.th
65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 00 55 e.program$upd1.U 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 69 pdJob$upd2.UpdTi

2014-11-21 16:51:42,081 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA60, Value:

52 75 6e 6e 69 6e 67 20 69 6e 20 62 61 63 6b 67 Running.in.backg
72 6f 75 6e 64 24 65 6e 67 69 6e 65 33 00 4c 6f round$engine3.Lo 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e 67 69 cking.doors$engi
6e 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 61 67 ne4.Rotors.engag
65 64 24 65 6e 67 69 6e 65 35 00 49 27 6d 20 67 ed$engine5.I'm.g 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 69 74 oing.to.start.it 24 73 74 61 72 74 31 00 53 74 61 72 74 69 6e 67$start1.Starting
20 75 70 67 72 61 64 65 21 24 73 74 61 72 74 32 .upgrade!$start2 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 74 .I'm.going.to.st 61 72 74 20 74 68 65 20 70 72 6f 67 72 61 6d 24 art.the.program$
73 74 61 72 74 33 00 69 73 20 69 74 20 6f 6b 3f start3.is.it.ok?
24 73 74 61 72 74 34 00 43 6c 69 63 6b 20 74 6f $start4.Click.to 20 73 74 61 72 74 20 74 68 65 20 70 72 6f 67 72 .start.the.progr 61 6d 24 75 70 64 31 00 55 70 64 4a 6f 62 24 75 am$upd1.UpdJob$u 70 64 32 00 55 70 64 54 69 6d 65 72 24 6c 6f 6f pd2.UpdTimer$loo
6b 6d 61 31 00 4f 77 6e 69 6e 67 20 50 43 49 20 kma1.Owning.PCI.

2014-11-21 16:51:42,082 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA7E, Value:

4c 6f 63 6b 69 6e 67 20 64 6f 6f 72 73 24 65 6e Locking.doors$en 67 69 6e 65 34 00 52 6f 74 6f 72 73 20 65 6e 67 gine4.Rotors.eng 61 67 65 64 24 65 6e 67 69 6e 65 35 00 49 27 6d aged$engine5.I'm
20 67 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 .going.to.start.
69 74 24 73 74 61 72 74 31 00 53 74 61 72 74 69 it$start1.Starti 6e 67 20 75 70 67 72 61 64 65 21 24 73 74 61 72 ng.upgrade!$star
74 32 00 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 t2.I'm.going.to.
73 74 61 72 74 20 74 68 65 20 70 72 6f 67 72 61 start.the.progra
6d 24 73 74 61 72 74 33 00 69 73 20 69 74 20 6f m$start3.is.it.o 6b 3f 24 73 74 61 72 74 34 00 43 6c 69 63 6b 20 k?$start4.Click.
74 6f 20 73 74 61 72 74 20 74 68 65 20 70 72 6f to.start.the.pro
67 72 61 6d 24 75 70 64 31 00 55 70 64 4a 6f 62 gram$upd1.UpdJob 24 75 70 64 32 00 55 70 64 54 69 6d 65 72 24 6c$upd2.UpdTimer$l 6f 6f 6b 6d 61 31 00 4f 77 6e 69 6e 67 20 50 43 ookma1.Owning.PC 49 20 62 75 73 24 6c 6f 6f 6b 6d 61 32 00 46 6f I.bus$lookma2.Fo
72 6d 61 74 74 69 6e 67 20 62 69 6f 73 24 6c 6f rmatting.bios$lo 2014-11-21 16:51:42,084 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEA94, Value: 52 6f 74 6f 72 73 20 65 6e 67 61 67 65 64 24 65 Rotors.engaged$e
6e 67 69 6e 65 35 00 49 27 6d 20 67 6f 69 6e 67 ngine5.I'm.going
20 74 6f 20 73 74 61 72 74 20 69 74 24 73 74 61 .to.start.it$sta 72 74 31 00 53 74 61 72 74 69 6e 67 20 75 70 67 rt1.Starting.upg 72 61 64 65 21 24 73 74 61 72 74 32 00 49 27 6d rade!$start2.I'm
20 67 6f 69 6e 67 20 74 6f 20 73 74 61 72 74 20 .going.to.start.
74 68 65 20 70 72 6f 67 72 61 6d 24 73 74 61 72 the.program$star 74 33 00 69 73 20 69 74 20 6f 6b 3f 24 73 74 61 t3.is.it.ok?$sta
72 74 34 00 43 6c 69 63 6b 20 74 6f 20 73 74 61 rt4.Click.to.sta
72 74 20 74 68 65 20 70 72 6f 67 72 61 6d 24 75 rt.the.program$u 70 64 31 00 55 70 64 4a 6f 62 24 75 70 64 32 00 pd1.UpdJob$upd2.
55 70 64 54 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 UpdTimer$lookma1 00 4f 77 6e 69 6e 67 20 50 43 49 20 62 75 73 24 .Owning.PCI.bus$
6c 6f 6f 6b 6d 61 32 00 46 6f 72 6d 61 74 74 69 lookma2.Formatti
6e 67 20 62 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 ng.bios$lookma3. 50 6c 65 61 73 65 20 69 6e 73 65 72 74 20 61 20 Please.insert.a. 2014-11-21 16:51:42,085 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAAB, Value: 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 74 61 I'm.going.to.sta 72 74 20 69 74 24 73 74 61 72 74 31 00 53 74 61 rt.it$start1.Sta
72 74 69 6e 67 20 75 70 67 72 61 64 65 21 24 73 rting.upgrade!$s 74 61 72 74 32 00 49 27 6d 20 67 6f 69 6e 67 20 tart2.I'm.going. 74 6f 20 73 74 61 72 74 20 74 68 65 20 70 72 6f to.start.the.pro 67 72 61 6d 24 73 74 61 72 74 33 00 69 73 20 69 gram$start3.is.i
74 20 6f 6b 3f 24 73 74 61 72 74 34 00 43 6c 69 t.ok?$start4.Cli 63 6b 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 ck.to.start.the. 70 72 6f 67 72 61 6d 24 75 70 64 31 00 55 70 64 program$upd1.Upd
4a 6f 62 24 75 70 64 32 00 55 70 64 54 69 6d 65 Job$upd2.UpdTime 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e 69 6e 67 r$lookma1.Owning
20 50 43 49 20 62 75 73 24 6c 6f 6f 6b 6d 61 32 .PCI.bus$lookma2 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 69 6f 73 .Formatting.bios 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 73 65 20$lookma3.Please.
69 6e 73 65 72 74 20 61 20 64 69 73 6b 20 69 6e insert.a.disk.in
20 64 72 69 76 65 20 41 3a 24 6c 6f 6f 6b 6d 61 .drive.A:$lookma 2014-11-21 16:51:42,085 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAC8, Value: 53 74 61 72 74 69 6e 67 20 75 70 67 72 61 64 65 Starting.upgrade 21 24 73 74 61 72 74 32 00 49 27 6d 20 67 6f 69 !$start2.I'm.goi
6e 67 20 74 6f 20 73 74 61 72 74 20 74 68 65 20 ng.to.start.the.
70 72 6f 67 72 61 6d 24 73 74 61 72 74 33 00 69 program$start3.i 73 20 69 74 20 6f 6b 3f 24 73 74 61 72 74 34 00 s.it.ok?$start4.
43 6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 74 Click.to.start.t
68 65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 00 he.program$upd1. 55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 UpdJob$upd2.UpdT
69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e imer$lookma1.Own 69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f 6b ing.PCI.bus$look
6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 ma2.Formatting.b
69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 ios$lookma3.Plea 73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 6b se.insert.a.disk 20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f 6f .in.drive.A:$loo
6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 50 kma4.Updating.CP
55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f 6b U.microcode$look 2014-11-21 16:51:42,088 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEAE1, Value: 49 27 6d 20 67 6f 69 6e 67 20 74 6f 20 73 74 61 I'm.going.to.sta 72 74 20 74 68 65 20 70 72 6f 67 72 61 6d 24 73 rt.the.program$s
74 61 72 74 33 00 69 73 20 69 74 20 6f 6b 3f 24 tart3.is.it.ok?$73 74 61 72 74 34 00 43 6c 69 63 6b 20 74 6f 20 start4.Click.to. 73 74 61 72 74 20 74 68 65 20 70 72 6f 67 72 61 start.the.progra 6d 24 75 70 64 31 00 55 70 64 4a 6f 62 24 75 70 m$upd1.UpdJob$up 64 32 00 55 70 64 54 69 6d 65 72 24 6c 6f 6f 6b d2.UpdTimer$look
6d 61 31 00 4f 77 6e 69 6e 67 20 50 43 49 20 62 ma1.Owning.PCI.b
75 73 24 6c 6f 6f 6b 6d 61 32 00 46 6f 72 6d 61 us$lookma2.Forma 74 74 69 6e 67 20 62 69 6f 73 24 6c 6f 6f 6b 6d tting.bios$lookm
61 33 00 50 6c 65 61 73 65 20 69 6e 73 65 72 74 a3.Please.insert
20 61 20 64 69 73 6b 20 69 6e 20 64 72 69 76 65 .a.disk.in.drive
20 41 3a 24 6c 6f 6f 6b 6d 61 34 00 55 70 64 61 .A:$lookma4.Upda 74 69 6e 67 20 43 50 55 20 6d 69 63 72 6f 63 6f ting.CPU.microco 64 65 24 6c 6f 6f 6b 6d 61 35 00 4e 6f 74 20 73 de$lookma5.Not.s
75 72 65 20 77 68 61 74 27 73 20 68 61 70 70 65 ure.what's.happe

2014-11-21 16:51:42,088 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB07, Value:

69 73 20 69 74 20 6f 6b 3f 24 73 74 61 72 74 34 is.it.ok?$start4
00 43 6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 .Click.to.start.
74 68 65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 the.program$upd1
00 55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 .UpdJob$upd2.Upd
54 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 Timer$lookma1.Ow
6e 69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f ning.PCI.bus$loo
6b 6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 kma2.Formatting.
62 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 bios$lookma3.Ple
61 73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 ase.insert.a.dis
6b 20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f k.in.drive.A:$lo
6f 6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 okma4.Updating.C
50 55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f PU.microcode$loo
6b 6d 61 35 00 4e 6f 74 20 73 75 72 65 20 77 68 kma5.Not.sure.wh
61 74 27 73 20 68 61 70 70 65 6e 69 6e 67 24 6c at's.happening$l
6f 6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d 61 2c 20 ookma6.Look.ma,.
6e 6f 20 74 68 72 65 61 64 20 69 64 21 20 5c 5c no.thread.id!.\\

2014-11-21 16:51:42,091 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB18, Value:

43 6c 69 63 6b 20 74 6f 20 73 74 61 72 74 20 74 Click.to.start.t
68 65 20 70 72 6f 67 72 61 6d 24 75 70 64 31 00 he.program$upd1.
55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 UpdJob$upd2.UpdT
69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e imer$lookma1.Own
69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f 6b ing.PCI.bus$look
6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 ma2.Formatting.b
69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 ios$lookma3.Plea
73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 6b se.insert.a.disk
20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f 6f .in.drive.A:$loo
6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 50 kma4.Updating.CP
55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f 6b U.microcode$look
6d 61 35 00 4e 6f 74 20 73 75 72 65 20 77 68 61 ma5.Not.sure.wha
74 27 73 20 68 61 70 70 65 6e 69 6e 67 24 6c 6f t's.happening$lo
6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d 61 2c 20 6e okma6.Look.ma,.n
6f 20 74 68 72 65 61 64 20 69 64 21 20 5c 5c 6f o.thread.id!.\\o
2f 52 43 53 5f 53 63 6f 75 74 00 64 65 74 65 63 /RCS_Scout.detec

2014-11-21 16:51:42,092 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB38, Value:

55 70 64 4a 6f 62 24 75 70 64 32 00 55 70 64 54 UpdJob$upd2.UpdT
69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 00 4f 77 6e imer$lookma1.Own
69 6e 67 20 50 43 49 20 62 75 73 24 6c 6f 6f 6b ing.PCI.bus$look
6d 61 32 00 46 6f 72 6d 61 74 74 69 6e 67 20 62 ma2.Formatting.b
69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 50 6c 65 61 ios$lookma3.Plea
73 65 20 69 6e 73 65 72 74 20 61 20 64 69 73 6b se.insert.a.disk
20 69 6e 20 64 72 69 76 65 20 41 3a 24 6c 6f 6f .in.drive.A:$loo
6b 6d 61 34 00 55 70 64 61 74 69 6e 67 20 43 50 kma4.Updating.CP
55 20 6d 69 63 72 6f 63 6f 64 65 24 6c 6f 6f 6b U.microcode$look
6d 61 35 00 4e 6f 74 20 73 75 72 65 20 77 68 61 ma5.Not.sure.wha
74 27 73 20 68 61 70 70 65 6e 69 6e 67 24 6c 6f t's.happening$lo
6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d 61 2c 20 6e okma6.Look.ma,.n
6f 20 74 68 72 65 61 64 20 69 64 21 20 5c 5c 6f o.thread.id!.\\o
2f 52 43 53 5f 53 63 6f 75 74 00 64 65 74 65 63 /RCS_Scout.detec
74 69 6f 6e 00 48 61 63 6b 69 6e 67 20 54 65 61 tion.Hacking.Tea
6d 20 52 43 53 20 42 61 63 6b 64 6f 6f 72 00 24 m.RCS.Backdoor.$

2014-11-21 16:51:42,094 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Scout at address: 0x542CEB44, Value:

55 70 64 54 69 6d 65 72 24 6c 6f 6f 6b 6d 61 31 UpdTimer$lookma1
00 4f 77 6e 69 6e 67 20 50 43 49 20 62 75 73 24 .Owning.PCI.bus$
6c 6f 6f 6b 6d 61 32 00 46 6f 72 6d 61 74 74 69 lookma2.Formatti
6e 67 20 62 69 6f 73 24 6c 6f 6f 6b 6d 61 33 00 ng.bios$lookma3.
50 6c 65 61 73 65 20 69 6e 73 65 72 74 20 61 20 Please.insert.a.
64 69 73 6b 20 69 6e 20 64 72 69 76 65 20 41 3a disk.in.drive.A:
24 6c 6f 6f 6b 6d 61 34 00 55 70 64 61 74 69 6e $lookma4.Updatin
67 20 43 50 55 20 6d 69 63 72 6f 63 6f 64 65 24 g.CPU.microcode$
6c 6f 6f 6b 6d 61 35 00 4e 6f 74 20 73 75 72 65 lookma5.Not.sure
20 77 68 61 74 27 73 20 68 61 70 70 65 6e 69 6e .what's.happenin
67 24 6c 6f 6f 6b 6d 61 36 00 4c 6f 6f 6b 20 6d g$lookma6.Look.m
61 2c 20 6e 6f 20 74 68 72 65 61 64 20 69 64 21 a,.no.thread.id!
20 5c 5c 6f 2f 52 43 53 5f 53 63 6f 75 74 00 64 .\\o/RCS_Scout.d
65 74 65 63 74 69 6f 6e 00 48 61 63 6b 69 6e 67 etection.Hacking
20 54 65 61 6d 20 52 43 53 20 42 61 63 6b 64 6f .Team.RCS.Backdo
6f 72 00 24 64 65 62 75 67 31 00 2d 20 43 68 65 or.$debug1.-.Che

2014-11-21 16:51:42,095 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC3F, Value:

2d 20 43 68 65 63 6b 69 6e 67 20 63 6f 6d 70 6f -.Checking.compo
6e 65 6e 74 73 24 64 65 62 75 67 32 00 2d 20 41 nents$debug2.-.A
63 74 69 76 61 74 69 6e 67 20 68 69 64 69 6e 67 ctivating.hiding
20 73 79 73 74 65 6d 24 64 65 62 75 67 33 00 66 .system$debug3.f
75 6c 6c 79 20 6f 70 65 72 61 74 69 6f 6e 61 6c ully.operational
24 6c 6f 67 31 00 2d 20 42 72 6f 77 73 65 72 20 $log1.-.Browser.
61 63 74 69 76 69 74 79 20 28 46 46 29 24 6c 6f activity.(FF)$lo
67 32 00 2d 20 42 72 6f 77 73 65 72 20 61 63 74 g2.-.Browser.act
69 76 69 74 79 20 28 49 45 29 24 65 72 72 6f 72 ivity.(IE)$error
31 00 5b 55 6e 61 62 6c 65 20 74 6f 20 64 65 70 1.[Unable.to.dep
6c 6f 79 5d 24 65 72 72 6f 72 32 00 5b 54 68 65 loy]$error2.[The
20 73 79 73 74 65 6d 20 69 73 20 61 6c 72 65 61 .system.is.alrea
64 79 20 6d 6f 6e 69 74 6f 72 65 64 5d 52 43 53 dy.monitored]RCS
5f 42 61 63 6b 64 6f 6f 72 00 64 65 74 65 63 74 _Backdoor.detect
69 6f 6e 00 46 69 6e 46 69 73 68 65 72 20 46 69 ion.FinFisher.Fi
6e 53 70 79 00 24 70 61 73 73 77 6f 72 64 31 00 nSpy.$password1.

2014-11-21 16:51:42,096 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC5C, Value:

2d 20 41 63 74 69 76 61 74 69 6e 67 20 68 69 64 -.Activating.hid
69 6e 67 20 73 79 73 74 65 6d 24 64 65 62 75 67 ing.system$debug
33 00 66 75 6c 6c 79 20 6f 70 65 72 61 74 69 6f 3.fully.operatio
6e 61 6c 24 6c 6f 67 31 00 2d 20 42 72 6f 77 73 nal$log1.-.Brows
65 72 20 61 63 74 69 76 69 74 79 20 28 46 46 29 er.activity.(FF)
24 6c 6f 67 32 00 2d 20 42 72 6f 77 73 65 72 20 $log2.-.Browser.
61 63 74 69 76 69 74 79 20 28 49 45 29 24 65 72 activity.(IE)$er
72 6f 72 31 00 5b 55 6e 61 62 6c 65 20 74 6f 20 ror1.[Unable.to.
64 65 70 6c 6f 79 5d 24 65 72 72 6f 72 32 00 5b deploy]$error2.[
54 68 65 20 73 79 73 74 65 6d 20 69 73 20 61 6c The.system.is.al
72 65 61 64 79 20 6d 6f 6e 69 74 6f 72 65 64 5d ready.monitored]
52 43 53 5f 42 61 63 6b 64 6f 6f 72 00 64 65 74 RCS_Backdoor.det
65 63 74 69 6f 6e 00 46 69 6e 46 69 73 68 65 72 ection.FinFisher
20 46 69 6e 53 70 79 00 24 70 61 73 73 77 6f 72 .FinSpy.$passwor
64 31 00 2f 73 63 6f 6d 6d 61 20 6b 62 64 31 30 d1./scomma.kbd10
31 2e 73 79 73 24 70 61 73 73 77 6f 72 64 32 00 1.sys$password2.

2014-11-21 16:51:42,098 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC7E, Value:

66 75 6c 6c 79 20 6f 70 65 72 61 74 69 6f 6e 61 fully.operationa
6c 24 6c 6f 67 31 00 2d 20 42 72 6f 77 73 65 72 l$log1.-.Browser
20 61 63 74 69 76 69 74 79 20 28 46 46 29 24 6c .activity.(FF)$l
6f 67 32 00 2d 20 42 72 6f 77 73 65 72 20 61 63 og2.-.Browser.ac
74 69 76 69 74 79 20 28 49 45 29 24 65 72 72 6f tivity.(IE)$erro
72 31 00 5b 55 6e 61 62 6c 65 20 74 6f 20 64 65 r1.[Unable.to.de
70 6c 6f 79 5d 24 65 72 72 6f 72 32 00 5b 54 68 ploy]$error2.[Th
65 20 73 79 73 74 65 6d 20 69 73 20 61 6c 72 65 e.system.is.alre
61 64 79 20 6d 6f 6e 69 74 6f 72 65 64 5d 52 43 ady.monitored]RC
53 5f 42 61 63 6b 64 6f 6f 72 00 64 65 74 65 63 S_Backdoor.detec
74 69 6f 6e 00 46 69 6e 46 69 73 68 65 72 20 46 tion.FinFisher.F
69 6e 53 70 79 00 24 70 61 73 73 77 6f 72 64 31 inSpy.$password1
00 2f 73 63 6f 6d 6d 61 20 6b 62 64 31 30 31 2e ./scomma.kbd101.
73 79 73 24 70 61 73 73 77 6f 72 64 32 00 4e 41 sys$password2.NA
4d 45 2c 45 4d 41 49 4c 20 43 4c 49 45 4e 54 2c ME,EMAIL.CLIENT,
45 4d 41 49 4c 20 41 44 44 52 45 53 53 2c 53 45 EMAIL.ADDRESS,SE

2014-11-21 16:51:42,099 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CEC95, Value:

2d 20 42 72 6f 77 73 65 72 20 61 63 74 69 76 69 -.Browser.activi
74 79 20 28 46 46 29 24 6c 6f 67 32 00 2d 20 42 ty.(FF)$log2.-.B
72 6f 77 73 65 72 20 61 63 74 69 76 69 74 79 20 rowser.activity.
28 49 45 29 24 65 72 72 6f 72 31 00 5b 55 6e 61 (IE)$error1.[Una
62 6c 65 20 74 6f 20 64 65 70 6c 6f 79 5d 24 65 ble.to.deploy]$e
72 72 6f 72 32 00 5b 54 68 65 20 73 79 73 74 65 rror2.[The.syste
6d 20 69 73 20 61 6c 72 65 61 64 79 20 6d 6f 6e m.is.already.mon
69 74 6f 72 65 64 5d 52 43 53 5f 42 61 63 6b 64 itored]RCS_Backd
6f 6f 72 00 64 65 74 65 63 74 69 6f 6e 00 46 69 oor.detection.Fi
6e 46 69 73 68 65 72 20 46 69 6e 53 70 79 00 24 nFisher.FinSpy.$
70 61 73 73 77 6f 72 64 31 00 2f 73 63 6f 6d 6d password1./scomm
61 20 6b 62 64 31 30 31 2e 73 79 73 24 70 61 73 a.kbd101.sys$pas
73 77 6f 72 64 32 00 4e 41 4d 45 2c 45 4d 41 49 sword2.NAME,EMAI
4c 20 43 4c 49 45 4e 54 2c 45 4d 41 49 4c 20 41 L.CLIENT,EMAIL.A
44 44 52 45 53 53 2c 53 45 52 56 45 52 20 4e 41 DDRESS,SERVER.NA
4d 45 2c 53 45 52 56 45 52 20 54 59 50 45 2c 55 ME,SERVER.TYPE,U

2014-11-21 16:51:42,101 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECB2, Value:

2d 20 42 72 6f 77 73 65 72 20 61 63 74 69 76 69 -.Browser.activi
74 79 20 28 49 45 29 24 65 72 72 6f 72 31 00 5b ty.(IE)$error1.[
55 6e 61 62 6c 65 20 74 6f 20 64 65 70 6c 6f 79 Unable.to.deploy
5d 24 65 72 72 6f 72 32 00 5b 54 68 65 20 73 79 ]$error2.[The.sy
73 74 65 6d 20 69 73 20 61 6c 72 65 61 64 79 20 stem.is.already.
6d 6f 6e 69 74 6f 72 65 64 5d 52 43 53 5f 42 61 monitored]RCS_Ba
63 6b 64 6f 6f 72 00 64 65 74 65 63 74 69 6f 6e ckdoor.detection
00 46 69 6e 46 69 73 68 65 72 20 46 69 6e 53 70 .FinFisher.FinSp
79 00 24 70 61 73 73 77 6f 72 64 31 00 2f 73 63 y.$password1./sc
6f 6d 6d 61 20 6b 62 64 31 30 31 2e 73 79 73 24 omma.kbd101.sys$
70 61 73 73 77 6f 72 64 32 00 4e 41 4d 45 2c 45 password2.NAME,E
4d 41 49 4c 20 43 4c 49 45 4e 54 2c 45 4d 41 49 MAIL.CLIENT,EMAI
4c 20 41 44 44 52 45 53 53 2c 53 45 52 56 45 52 L.ADDRESS,SERVER
20 4e 41 4d 45 2c 53 45 52 56 45 52 20 54 59 50 .NAME,SERVER.TYP
45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 E,USERNAME,PASSW
4f 52 44 2c 50 52 4f 46 49 4c 45 24 70 61 73 73 ORD,PROFILE$pass

2014-11-21 16:51:42,101 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECD1, Value:

5b 55 6e 61 62 6c 65 20 74 6f 20 64 65 70 6c 6f [Unable.to.deplo
79 5d 24 65 72 72 6f 72 32 00 5b 54 68 65 20 73 y]$error2.[The.s
79 73 74 65 6d 20 69 73 20 61 6c 72 65 61 64 79 ystem.is.already
20 6d 6f 6e 69 74 6f 72 65 64 5d 52 43 53 5f 42 .monitored]RCS_B
61 63 6b 64 6f 6f 72 00 64 65 74 65 63 74 69 6f ackdoor.detectio
6e 00 46 69 6e 46 69 73 68 65 72 20 46 69 6e 53 n.FinFisher.FinS
70 79 00 24 70 61 73 73 77 6f 72 64 31 00 2f 73 py.$password1./s
63 6f 6d 6d 61 20 6b 62 64 31 30 31 2e 73 79 73 comma.kbd101.sys
24 70 61 73 73 77 6f 72 64 32 00 4e 41 4d 45 2c $password2.NAME,
45 4d 41 49 4c 20 43 4c 49 45 4e 54 2c 45 4d 41 EMAIL.CLIENT,EMA
49 4c 20 41 44 44 52 45 53 53 2c 53 45 52 56 45 IL.ADDRESS,SERVE
52 20 4e 41 4d 45 2c 53 45 52 56 45 52 20 54 59 R.NAME,SERVER.TY
50 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 PE,USERNAME,PASS
57 4f 52 44 2c 50 52 4f 46 49 4c 45 24 70 61 73 WORD,PROFILE$pas
73 77 6f 72 64 33 00 2f 73 63 6f 6d 6d 61 20 65 sword3./scomma.e
78 63 65 6c 32 30 31 30 2e 70 61 72 74 24 70 61 xcel2010.part$pa

2014-11-21 16:51:42,104 - detector - WARNING - Process CCC.exe (pid: 7624) matched: RCS_Backdoor at address: 0x542CECEB, Value:

5b 54 68 65 20 73 79 73 74 65 6d 20 69 73 20 61 [The.system.is.a
6c 72 65 61 64 79 20 6d 6f 6e 69 74 6f 72 65 64 lready.monitored
5d 52 43 53 5f 42 61 63 6b 64 6f 6f 72 00 64 65 ]RCS_Backdoor.de
74 65 63 74 69 6f 6e 00 46 69 6e 46 69 73 68 65 tection.FinFishe
72 20 46 69 6e 53 70 79 00 24 70 61 73 73 77 6f r.FinSpy.$passwo
72 64 31 00 2f 73 63 6f 6d 6d 61 20 6b 62 64 31 rd1./scomma.kbd1
30 31 2e 73 79 73 24 70 61 73 73 77 6f 72 64 32 01.sys$password2
00 4e 41 4d 45 2c 45 4d 41 49 4c 20 43 4c 49 45 .NAME,EMAIL.CLIE
4e 54 2c 45 4d 41 49 4c 20 41 44 44 52 45 53 53 NT,EMAIL.ADDRESS
2c 53 45 52 56 45 52 20 4e 41 4d 45 2c 53 45 52 ,SERVER.NAME,SER
56 45 52 20 54 59 50 45 2c 55 53 45 52 4e 41 4d VER.TYPE,USERNAM
45 2c 50 41 53 53 57 4f 52 44 2c 50 52 4f 46 49 E,PASSWORD,PROFI
4c 45 24 70 61 73 73 77 6f 72 64 33 00 2f 73 63 LE$password3./sc
6f 6d 6d 61 20 65 78 63 65 6c 32 30 31 30 2e 70 omma.excel2010.p
61 72 74 24 70 61 73 73 77 6f 72 64 34 00 41 50 art$password4.AP
50 4c 49 43 41 54 49 4f 4e 2c 50 52 4f 54 4f 43 PLICATION,PROTOC

2014-11-21 16:51:42,105 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CED3F, Value:

2f 73 63 6f 6d 6d 61 20 6b 62 64 31 30 31 2e 73 /scomma.kbd101.s
79 73 24 70 61 73 73 77 6f 72 64 32 00 4e 41 4d ys$password2.NAM
45 2c 45 4d 41 49 4c 20 43 4c 49 45 4e 54 2c 45 E,EMAIL.CLIENT,E
4d 41 49 4c 20 41 44 44 52 45 53 53 2c 53 45 52 MAIL.ADDRESS,SER
56 45 52 20 4e 41 4d 45 2c 53 45 52 56 45 52 20 VER.NAME,SERVER.
54 59 50 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 TYPE,USERNAME,PA
53 53 57 4f 52 44 2c 50 52 4f 46 49 4c 45 24 70 SSWORD,PROFILE$p
61 73 73 77 6f 72 64 33 00 2f 73 63 6f 6d 6d 61 assword3./scomma
20 65 78 63 65 6c 32 30 31 30 2e 70 61 72 74 24 .excel2010.part$
70 61 73 73 77 6f 72 64 34 00 41 50 50 4c 49 43 password4.APPLIC
41 54 49 4f 4e 2c 50 52 4f 54 4f 43 4f 4c 2c 55 ATION,PROTOCOL,U
53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD
24 70 61 73 73 77 6f 72 64 35 00 2f 73 74 61 62 $password5./stab
20 4d 53 56 43 52 33 32 2e 6d 61 6e 69 66 65 73 .MSVCR32.manifes
74 24 70 61 73 73 77 6f 72 64 36 00 2f 73 63 6f t$password6./sco
6d 6d 61 20 4d 53 4e 32 30 31 30 2e 64 6c 6c 24 mma.MSN2010.dll$

22.11.2014, 14:08   #8
derdingens

## What to do? Detekt found five! trojans, virus scanners with no findings so far. Detekt.Log part 3/3

Detekt.log 3/3
Code:
2014-11-21 16:51:42,107 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CED5C, Value:

4e 41 4d 45 2c 45 4d 41 49 4c 20 43 4c 49 45 4e NAME,EMAIL.CLIEN
54 2c 45 4d 41 49 4c 20 41 44 44 52 45 53 53 2c T,EMAIL.ADDRESS,
53 45 52 56 45 52 20 4e 41 4d 45 2c 53 45 52 56 SERVER.NAME,SERV
45 52 20 54 59 50 45 2c 55 53 45 52 4e 41 4d 45 ER.TYPE,USERNAME
2c 50 41 53 53 57 4f 52 44 2c 50 52 4f 46 49 4c ,PASSWORD,PROFIL
45 24 70 61 73 73 77 6f 72 64 33 00 2f 73 63 6f E$password3./sco
6d 6d 61 20 65 78 63 65 6c 32 30 31 30 2e 70 61 mma.excel2010.pa
72 74 24 70 61 73 73 77 6f 72 64 34 00 41 50 50 rt$password4.APP
4c 49 43 41 54 49 4f 4e 2c 50 52 4f 54 4f 43 4f LICATION,PROTOCO
4c 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 L,USERNAME,PASSW
4f 52 44 24 70 61 73 73 77 6f 72 64 35 00 2f 73 ORD$password5./s
74 61 62 20 4d 53 56 43 52 33 32 2e 6d 61 6e 69 tab.MSVCR32.mani
66 65 73 74 24 70 61 73 73 77 6f 72 64 36 00 2f fest$password6./
73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 30 2e 64 scomma.MSN2010.d
6c 6c 24 70 61 73 73 77 6f 72 64 37 00 2f 73 63 ll$password7./sc
6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e 62 61 73 omma.Firefox.bas

2014-11-21 16:51:42,108 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEDB8, Value:

2f 73 63 6f 6d 6d 61 20 65 78 63 65 6c 32 30 31 /scomma.excel201
30 2e 70 61 72 74 24 70 61 73 73 77 6f 72 64 34 0.part$password4
00 41 50 50 4c 49 43 41 54 49 4f 4e 2c 50 52 4f .APPLICATION,PRO
54 4f 43 4f 4c 2c 55 53 45 52 4e 41 4d 45 2c 50 TOCOL,USERNAME,P
41 53 53 57 4f 52 44 24 70 61 73 73 77 6f 72 64 ASSWORD$password
35 00 2f 73 74 61 62 20 4d 53 56 43 52 33 32 2e 5./stab.MSVCR32.
6d 61 6e 69 66 65 73 74 24 70 61 73 73 77 6f 72 manifest$passwor
64 36 00 2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 d6./scomma.MSN20
31 30 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 37 10.dll$password7
00 2f 73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 ./scomma.Firefox
2e 62 61 73 65 24 70 61 73 73 77 6f 72 64 38 00 .base$password8.
49 4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 INDEX,URL,USERNA
4d 45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 ME,PASSWORD,USER
4e 41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 NAME.FIELD,PASSW
4f 52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 ORD.FIELD,FILE,H
54 54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 TTP$password9./s

2014-11-21 16:51:42,108 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEDD9, Value:

41 50 50 4c 49 43 41 54 49 4f 4e 2c 50 52 4f 54 APPLICATION,PROT
4f 43 4f 4c 2c 55 53 45 52 4e 41 4d 45 2c 50 41 OCOL,USERNAME,PA
53 53 57 4f 52 44 24 70 61 73 73 77 6f 72 64 35 SSWORD$password5
00 2f 73 74 61 62 20 4d 53 56 43 52 33 32 2e 6d ./stab.MSVCR32.m
61 6e 69 66 65 73 74 24 70 61 73 73 77 6f 72 64 anifest$password
36 00 2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 6./scomma.MSN201
30 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 37 00 0.dll$password7.
2f 73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e /scomma.Firefox.
62 61 73 65 24 70 61 73 73 77 6f 72 64 38 00 49 base$password8.I
4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d NDEX,URL,USERNAM
45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e E,PASSWORD,USERN
41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f AME.FIELD,PASSWO
52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 RD.FIELD,FILE,HT
54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 TP$password9./sc
6f 6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 omma.IE7setup.sy
73 24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 s$password10.ORI

2014-11-21 16:51:42,111 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE0A, Value:

2f 73 74 61 62 20 4d 53 56 43 52 33 32 2e 6d 61 /stab.MSVCR32.ma
6e 69 66 65 73 74 24 70 61 73 73 77 6f 72 64 36 nifest$password6
00 2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 30 ./scomma.MSN2010
2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 37 00 2f .dll$password7./
73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e 62 scomma.Firefox.b
61 73 65 24 70 61 73 73 77 6f 72 64 38 00 49 4e ase$password8.IN
44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d 45 DEX,URL,USERNAME
2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e 41 ,PASSWORD,USERNA
4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f 52 ME.FIELD,PASSWOR
44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 54 D.FIELD,FILE,HTT
50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 6f P$password9./sco
6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 73 mma.IE7setup.sys
24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 47 $password10.ORIG
49 4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 55 52 IN.URL,ACTION.UR
4c 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 L,USERNAME.FIELD
2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 2c ,PASSWORD.FIELD,

2014-11-21 16:51:42,111 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE2B, Value:

2f 73 63 6f 6d 6d 61 20 4d 53 4e 32 30 31 30 2e /scomma.MSN2010.
64 6c 6c 24 70 61 73 73 77 6f 72 64 37 00 2f 73 dll$password7./s
63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e 62 61 comma.Firefox.ba
73 65 24 70 61 73 73 77 6f 72 64 38 00 49 4e 44 se$password8.IND
45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d 45 2c EX,URL,USERNAME,
50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e 41 4d PASSWORD,USERNAM
45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f 52 44 E.FIELD,PASSWORD
20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 54 50 .FIELD,FILE,HTTP
24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 6f 6d $password9./scom
6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 73 24 ma.IE7setup.sys$
70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 47 49 password10.ORIGI
4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 55 52 4c N.URL,ACTION.URL
2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 2c ,USERNAME.FIELD,
50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 2c 55 PASSWORD.FIELD,U
53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD
2c 54 49 4d 45 53 54 41 4d 50 24 70 61 73 73 77 ,TIMESTAMP$passw

2014-11-21 16:51:42,114 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE49, Value:

2f 73 63 6f 6d 6d 61 20 46 69 72 65 66 6f 78 2e /scomma.Firefox.
62 61 73 65 24 70 61 73 73 77 6f 72 64 38 00 49 base$password8.I
4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 4d NDEX,URL,USERNAM
45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 4e E,PASSWORD,USERN
41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 4f AME.FIELD,PASSWO
52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 54 RD.FIELD,FILE,HT
54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 63 TP$password9./sc
6f 6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 79 omma.IE7setup.sy
73 24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 49 s$password10.ORI
47 49 4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 55 GIN.URL,ACTION.U
52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c RL,USERNAME.FIEL
44 2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 D,PASSWORD.FIELD
2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f ,USERNAME,PASSWO
52 44 2c 54 49 4d 45 53 54 41 4d 50 24 70 61 73 RD,TIMESTAMP$pas
73 77 6f 72 64 31 31 00 2f 73 63 6f 6d 6d 61 20 sword11./scomma.
6f 66 66 69 63 65 32 30 30 37 2e 63 61 62 24 70 office2007.cab$p

2014-11-21 16:51:42,115 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEE68, Value:

49 4e 44 45 58 2c 55 52 4c 2c 55 53 45 52 4e 41 INDEX,URL,USERNA
4d 45 2c 50 41 53 53 57 4f 52 44 2c 55 53 45 52 ME,PASSWORD,USER
4e 41 4d 45 20 46 49 45 4c 44 2c 50 41 53 53 57 NAME.FIELD,PASSW
4f 52 44 20 46 49 45 4c 44 2c 46 49 4c 45 2c 48 ORD.FIELD,FILE,H
54 54 50 24 70 61 73 73 77 6f 72 64 39 00 2f 73 TTP$password9./s
63 6f 6d 6d 61 20 49 45 37 73 65 74 75 70 2e 73 comma.IE7setup.s
79 73 24 70 61 73 73 77 6f 72 64 31 30 00 4f 52 ys$password10.OR
49 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f 4e 20 IGIN.URL,ACTION.
55 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 URL,USERNAME.FIE
4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c LD,PASSWORD.FIEL
44 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 D,USERNAME,PASSW
4f 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 70 61 ORD,TIMESTAMP$pa
73 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d 6d 61 ssword11./scomma
20 6f 66 66 69 63 65 32 30 30 37 2e 63 61 62 24 .office2007.cab$
70 61 73 73 77 6f 72 64 31 32 00 55 52 4c 2c 50 password12.URL,P
41 53 53 57 4f 52 44 20 54 59 50 45 2c 55 53 45 ASSWORD.TYPE,USE

2014-11-21 16:51:42,117 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEEB6, Value:

2f 73 63 6f 6d 6d 61 20 49 45 37 73 65 74 75 70 /scomma.IE7setup
2e 73 79 73 24 70 61 73 73 77 6f 72 64 31 30 00 .sys$password10.
4f 52 49 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f ORIGIN.URL,ACTIO
4e 20 55 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 N.URL,USERNAME.F
49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI
45 4c 44 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 ELD,USERNAME,PAS
53 57 4f 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 SWORD,TIMESTAMP$
70 61 73 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d password11./scom
6d 61 20 6f 66 66 69 63 65 32 30 30 37 2e 63 61 ma.office2007.ca
62 24 70 61 73 73 77 6f 72 64 31 32 00 55 52 4c b$password12.URL
2c 50 41 53 53 57 4f 52 44 20 54 59 50 45 2c 55 ,PASSWORD.TYPE,U
53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD
2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 2c ,USERNAME.FIELD,
50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 24 70 PASSWORD.FIELD$p
61 73 73 77 6f 72 64 31 33 00 2f 73 63 6f 6d 6d assword13./scomm
61 20 6f 75 74 6c 6f 6f 6b 32 30 30 37 2e 64 6c a.outlook2007.dl

2014-11-21 16:51:42,118 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEED6, Value:

4f 52 49 47 49 4e 20 55 52 4c 2c 41 43 54 49 4f ORIGIN.URL,ACTIO
4e 20 55 52 4c 2c 55 53 45 52 4e 41 4d 45 20 46 N.URL,USERNAME.F
49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI
45 4c 44 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 ELD,USERNAME,PAS
53 57 4f 52 44 2c 54 49 4d 45 53 54 41 4d 50 24 SWORD,TIMESTAMP$
70 61 73 73 77 6f 72 64 31 31 00 2f 73 63 6f 6d password11./scom
6d 61 20 6f 66 66 69 63 65 32 30 30 37 2e 63 61 ma.office2007.ca
62 24 70 61 73 73 77 6f 72 64 31 32 00 55 52 4c b$password12.URL
2c 50 41 53 53 57 4f 52 44 20 54 59 50 45 2c 55 ,PASSWORD.TYPE,U
53 45 52 4e 41 4d 45 2c 50 41 53 53 57 4f 52 44 SERNAME,PASSWORD
2c 55 53 45 52 4e 41 4d 45 20 46 49 45 4c 44 2c ,USERNAME.FIELD,
50 41 53 53 57 4f 52 44 20 46 49 45 4c 44 24 70 PASSWORD.FIELD$p
61 73 73 77 6f 72 64 31 33 00 2f 73 63 6f 6d 6d assword13./scomm
61 20 6f 75 74 6c 6f 6f 6b 32 30 30 37 2e 64 6c a.outlook2007.dl
6c 24 70 61 73 73 77 6f 72 64 31 34 00 46 49 4c l$password14.FIL
45 4e 41 4d 45 2c 45 4e 43 52 59 50 54 49 4f 4e ENAME,ENCRYPTION

2014-11-21 16:51:42,119 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEF31, Value:

2f 73 63 6f 6d 6d 61 20 6f 66 66 69 63 65 32 30 /scomma.office20
30 37 2e 63 61 62 24 70 61 73 73 77 6f 72 64 31 07.cab$password1
32 00 55 52 4c 2c 50 41 53 53 57 4f 52 44 20 54 2.URL,PASSWORD.T
59 50 45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 YPE,USERNAME,PAS
53 57 4f 52 44 2c 55 53 45 52 4e 41 4d 45 20 46 SWORD,USERNAME.F
49 45 4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 IELD,PASSWORD.FI
45 4c 44 24 70 61 73 73 77 6f 72 64 31 33 00 2f ELD$password13./
73 63 6f 6d 6d 61 20 6f 75 74 6c 6f 6f 6b 32 30 scomma.outlook20
30 37 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 31 07.dll$password1
34 00 46 49 4c 45 4e 41 4d 45 2c 45 4e 43 52 59 4.FILENAME,ENCRY
50 54 49 4f 4e 2c 56 45 52 53 49 4f 4e 2c 43 52 PTION,VERSION,CR
43 2c 50 41 53 53 57 4f 52 44 20 31 2c 50 41 53 C,PASSWORD.1,PAS
53 57 4f 52 44 20 32 2c 50 41 53 53 57 4f 52 f1 SWORD.2,PASSWOR.
8d 37 5f 6d 76 60 00 43 0e 01 00 00 00 00 00 00 .7_mv.C........
00 00 00 00 30 68 07 0d 80 65 07 00 00 00 00 0c ....0h...e......
10 65 07 45 71 0e 0a 07 37 07 41 0e 9f 0e 91 0e .e.Eq...7.A.....

2014-11-21 16:51:42,121 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEF53, Value:

55 52 4c 2c 50 41 53 53 57 4f 52 44 20 54 59 50 URL,PASSWORD.TYP
45 2c 55 53 45 52 4e 41 4d 45 2c 50 41 53 53 57 E,USERNAME,PASSW
4f 52 44 2c 55 53 45 52 4e 41 4d 45 20 46 49 45 ORD,USERNAME.FIE
4c 44 2c 50 41 53 53 57 4f 52 44 20 46 49 45 4c LD,PASSWORD.FIEL
44 24 70 61 73 73 77 6f 72 64 31 33 00 2f 73 63 D$password13./sc
6f 6d 6d 61 20 6f 75 74 6c 6f 6f 6b 32 30 30 37 omma.outlook2007
2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 31 34 00 .dll$password14.
46 49 4c 45 4e 41 4d 45 2c 45 4e 43 52 59 50 54 FILENAME,ENCRYPT
49 4f 4e 2c 56 45 52 53 49 4f 4e 2c 43 52 43 2c ION,VERSION,CRC,
50 41 53 53 57 4f 52 44 20 31 2c 50 41 53 53 57 PASSWORD.1,PASSW
4f 52 44 20 32 2c 50 41 53 53 57 4f 52 f1 8d 37 ORD.2,PASSWOR..7
5f 6d 76 60 00 43 0e 01 00 00 00 00 00 00 00 00 _mv.C..........
00 00 30 68 07 0d 80 65 07 00 00 00 00 0c 10 65 ..0h...e.......e
07 45 71 0e 0a 07 37 07 41 0e 9f 0e 91 0e 21 0e .Eq...7.A.....!.
8a 0e 91 07 41 0e 2c 0e 0a 0e 48 0e 7c 0e 2c 0e ....A.,...H.|.,.
8a 07 41 0e 1a 0e 7c 0e 0a 0e 9f 0e 51 0e 21 0e ..A...|.....Q.!.

2014-11-21 16:51:42,121 - detector - WARNING - Process CCC.exe (pid: 7624) matched: FinSpy at address: 0x542CEFA0, Value:

2f 73 63 6f 6d 6d 61 20 6f 75 74 6c 6f 6f 6b 32 /scomma.outlook2
30 30 37 2e 64 6c 6c 24 70 61 73 73 77 6f 72 64 007.dll$password
31 34 00 46 49 4c 45 4e 41 4d 45 2c 45 4e 43 52 14.FILENAME,ENCR
59 50 54 49 4f 4e 2c 56 45 52 53 49 4f 4e 2c 43 YPTION,VERSION,C
52 43 2c 50 41 53 53 57 4f 52 44 20 31 2c 50 41 RC,PASSWORD.1,PA
53 53 57 4f 52 44 20 32 2c 50 41 53 53 57 4f 52 SSWORD.2,PASSWOR
f1 8d 37 5f 6d 76 60 00 43 0e 01 00 00 00 00 00 ..7_mv.C.......
00 00 00 00 00 30 68 07 0d 80 65 07 00 00 00 00 .....0h...e.....
0c 10 65 07 45 71 0e 0a 07 37 07 41 0e 9f 0e 91 ..e.Eq...7.A....
0e 21 0e 8a 0e 91 07 41 0e 2c 0e 0a 0e 48 0e 7c .!.....A.,...H.|
0e 2c 0e 8a 07 41 0e 1a 0e 7c 0e 0a 0e 9f 0e 51 .,...A...|.....Q
0e 21 0e 70 0e 99 0e 91 07 41 0e 91 0e 9f 0e 7e .!.p.....A.....~
0e 21 0e 8a 0e a2 0e 32 0e 91 0e 32 0e 7c 0e 70 .!.....2...2.|.p
0e 0a 0e 02 0e 51 07 41 0e 32 0e 51 0e 02 0e 25 .....Q.A.2.Q...%
0e 21 0e 91 07 41 0d 19 0d 1a 0d 17 0d 21 0d 1a .!...A.......!..
0d 21 07 44 0d 19 0d 1b 07 41 0e 91 0e a2 07 44 .!.D.....A.....D

2014-11-21 17:01:39,334 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x475ABE, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.

2014-11-21 17:01:39,335 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x476382, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.

2014-11-21 17:01:39,336 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47748E, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 0d 00 0a 00 32 00 34 00 n.U.r.l.....2.4.
20 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 4...3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 24 00 62 00 6.7...2.4...$.b.
6f 00 74 00 32 00 2e 00 23 00 42 00 4f 00 54 00 o.t.2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 0d 00 0a 00 #.P.i.n.g.$.....
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 33 00 20 00 30 00 30 00 20 00 32 00 ..3.3...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...

2014-11-21 17:01:39,338 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477D4A, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...
36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4.

2014-11-21 17:01:39,339 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A05C, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 0d 00 n.U.r.l.$.b.o...
0a 00 37 00 34 00 20 00 33 00 32 00 20 00 30 00 ..7.4...3.2...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.
20 00 35 00 30 00 20 00 36 00 39 00 20 00 36 00 ..5.0...6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 34 00 20 00 e...6.7...2.4...
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 74 00 32 00 2e 00 23 00 42 00 4f 00 54 00 ..t.2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o.
74 00 0d 00 0a 00 33 00 33 00 20 00 30 00 30 00 t.....3.3...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 32 00 20 00 37 00 35 00 20 00 36 00 65 00 5.2...7.5...6.e.
20 00 35 00 30 00 20 00 37 00 32 00 20 00 36 00 ..5.0...7.2...6.
66 00 20 00 36 00 64 00 20 00 37 00 30 00 20 00 f...6.d...7.0...

2014-11-21 17:01:39,341 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A926, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 0d 00 0a 00 32 00 34 00 n.U.r.l.....2.4.
20 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 4...3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 24 00 62 00 6.7...2.4...$.b.
6f 00 74 00 32 00 2e 00 23 00 42 00 4f 00 54 00 o.t.2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 0d 00 0a 00 #.P.i.n.g.$.....
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 33 00 20 00 30 00 30 00 20 00 32 00 ..3.3...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2.
20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5.
30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f...

2014-11-21 17:01:39,342 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B0D6, Value:

23 00 42 00 4f 00 54 00 23 00 4f 00 70 00 65 00 #.B.O.T.#.O.p.e.
6e 00 55 00 72 00 6c 00 24 00 62 00 6f 00 74 00 n.U.r.l.$.b.o.t.
0d 00 0a 00 33 00 32 00 20 00 30 00 30 00 20 00 ....3.2...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
30 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 0...6.9...6.e...
36 00 37 00 20 00 32 00 34 00 20 00 36 00 32 00 6.7...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
33 00 20 00 32 00 2e 00 23 00 42 00 4f 00 54 00 3...2...#.B.O.T.
23 00 50 00 69 00 6e 00 67 00 24 00 62 00 6f 00 #.P.i.n.g.$.b.o. 74 00 33 00 0d 00 0a 00 30 00 30 00 20 00 32 00 t.3.....0.0...2. 33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f... 35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2. 20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5. 30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f... 36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4. 2014-11-21 17:01:39,344 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47528C, Value: 23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n. 67 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 g.........2.0.1. 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1... 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2. 2c 00 30 00 31 00 39 00 20 00 2d 00 20 00 64 00 ,.0.1.9...-...d. 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r... 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N. 47 00 20 00 2d 00 20 00 50 00 72 00 6f 00 63 00 G...-...P.r.o.c. 65 00 73 00 73 00 20 00 43 00 43 00 43 00 2e 00 e.s.s...C.C.C... 65 00 78 00 65 00 20 00 28 00 70 00 69 00 64 00 e.x.e...(.p.i.d. 3a 00 20 00 37 00 36 00 32 00 34 00 29 00 20 00 :...7.6.2.4.)... 6d 00 61 00 74 00 63 00 68 00 65 00 64 00 3a 00 m.a.t.c.h.e.d.:. 20 00 42 00 6c 00 61 00 63 00 6b 00 53 00 68 00 ..B.l.a.c.k.S.h. 61 00 64 00 65 00 73 00 20 00 61 00 74 00 20 00 a.d.e.s...a.t... 61 00 64 00 64 00 72 00 65 00 73 00 73 00 3a 00 a.d.d.r.e.s.s.:. 20 00 30 00 78 00 35 00 34 00 32 00 43 00 45 00 ..0.x.5.4.2.C.E. 2014-11-21 17:01:39,345 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x475B46, Value: 23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n. 67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3.....
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7.
30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4...
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$. 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4. 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1. 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,. 30 00 31 00 39 00 20 00 2d 00 20 00 64 00 65 00 0.1.9...-...d.e. 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-. 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G. 2014-11-21 17:01:39,346 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47640A, Value: 23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n. 67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3.....
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7.
30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4...
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$. 0d 00 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 ....6.2...6.f... 37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0. 20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4. 66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3... 35 00 33 00 20 00 37 00 36 00 20 00 37 00 32 00 5.3...7.6...7.2. 20 00 35 00 35 00 20 00 36 00 65 00 20 00 36 00 ..5.5...6.e...6. 2014-11-21 17:01:39,348 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477516, Value: 23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n. 67 00 24 00 0d 00 0a 00 36 00 32 00 20 00 36 00 g.$.....6.2...6.
66 00 20 00 37 00 34 00 20 00 33 00 33 00 20 00 f...7.4...3.3...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 62 00 6f 00 74 00 33 00 ..6.f...b.o.t.3.
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 0d 00 0a 00 36 00 64 00 n.P.r.o.....6.d.
20 00 37 00 30 00 20 00 37 00 34 00 20 00 32 00 ..7.0...7.4...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 6d 00 70 00 5.3...7.6...m.p.

2014-11-21 17:01:39,351 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477DD2, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3..... 30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2. 20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2. 33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5... 36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2. 20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7. 30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4... 2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u. 6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
0d 00 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 ....6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 37 00 32 00 5.3...7.6...7.2.
20 00 35 00 35 00 20 00 36 00 65 00 20 00 36 00 ..5.5...6.e...6.

2014-11-21 17:01:39,351 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47981A, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 2e 00 23 00 g.$.b.o.t.3...#. 0d 00 0a 00 34 00 32 00 20 00 34 00 66 00 20 00 ....4.2...4.f... 35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2. 20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5. 30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f... 36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4. 20 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6. 66 00 20 00 42 00 4f 00 54 00 23 00 52 00 75 00 f...B.O.T.#.R.u. 6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
62 00 6f 00 0d 00 0a 00 37 00 34 00 20 00 33 00 b.o.....7.4...3.
34 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 4...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 35 00 33 00 20 00 37 00 ..2.3...5.3...7.
36 00 20 00 37 00 32 00 20 00 35 00 35 00 20 00 6...7.2...5.5...
36 00 65 00 20 00 36 00 39 00 20 00 36 00 65 00 6.e...6.9...6.e.

2014-11-21 17:01:39,354 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A0E4, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 0d 00 0a 00 33 00 g.$.b.o.t.....3. 33 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 3...0.0...2.3... 34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4. 20 00 32 00 33 00 20 00 35 00 32 00 20 00 37 00 ..2.3...5.2...7. 35 00 20 00 36 00 65 00 20 00 35 00 30 00 20 00 5...6.e...5.0... 37 00 32 00 20 00 36 00 66 00 20 00 36 00 64 00 7.2...6.f...6.d. 20 00 37 00 30 00 20 00 37 00 34 00 20 00 33 00 ..7.0...7.4...3. 2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u. 6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 0d 00 n.P.r.o.m.p.t... 0a 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6. 66 00 20 00 37 00 34 00 20 00 33 00 34 00 20 00 f...7.4...3.4... 30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2. 20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2. 33 00 20 00 35 00 33 00 20 00 37 00 36 00 20 00 3...5.3...7.6... 37 00 32 00 20 00 35 00 35 00 20 00 36 00 65 00 7.2...5.5...6.e. 2014-11-21 17:01:39,355 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A9AE, Value: 23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n. 67 00 24 00 0d 00 0a 00 36 00 32 00 20 00 36 00 g.$.....6.2...6.
66 00 20 00 37 00 34 00 20 00 33 00 33 00 20 00 f...7.4...3.3...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5...
36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2.
20 00 36 00 66 00 20 00 62 00 6f 00 74 00 33 00 ..6.f...b.o.t.3.
2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u.
6e 00 50 00 72 00 6f 00 0d 00 0a 00 36 00 64 00 n.P.r.o.....6.d.
20 00 37 00 30 00 20 00 37 00 34 00 20 00 32 00 ..7.0...7.4...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 6d 00 70 00 5.3...7.6...m.p.

2014-11-21 17:01:39,357 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B15E, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 0d 00 0a 00 g.$.b.o.t.3..... 30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2. 20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2. 33 00 20 00 35 00 32 00 20 00 37 00 35 00 20 00 3...5.2...7.5... 36 00 65 00 20 00 35 00 30 00 20 00 37 00 32 00 6.e...5.0...7.2. 20 00 36 00 66 00 20 00 36 00 64 00 20 00 37 00 ..6.f...6.d...7. 30 00 20 00 37 00 34 00 20 00 32 00 34 00 20 00 0...7.4...2.4... 2e 00 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 ..#.B.O.T.#.R.u. 6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
0d 00 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 ....6.2...6.f...
37 00 34 00 20 00 33 00 34 00 20 00 30 00 30 00 7.4...3.4...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
35 00 33 00 20 00 37 00 36 00 20 00 37 00 32 00 5.3...7.6...7.2.
20 00 35 00 35 00 20 00 36 00 65 00 20 00 36 00 ..5.5...6.e...6.

2014-11-21 17:01:39,358 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47BA1A, Value:

23 00 42 00 4f 00 54 00 23 00 50 00 69 00 6e 00 #.B.O.T.#.P.i.n.
67 00 24 00 62 00 6f 00 74 00 33 00 2e 00 23 00 g.$.b.o.t.3...#. 0d 00 0a 00 34 00 32 00 20 00 34 00 66 00 20 00 ....4.2...4.f... 35 00 34 00 20 00 32 00 33 00 20 00 35 00 32 00 5.4...2.3...5.2. 20 00 37 00 35 00 20 00 36 00 65 00 20 00 35 00 ..7.5...6.e...5. 30 00 20 00 37 00 32 00 20 00 36 00 66 00 20 00 0...7.2...6.f... 36 00 64 00 20 00 37 00 30 00 20 00 37 00 34 00 6.d...7.0...7.4. 20 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6. 66 00 20 00 42 00 4f 00 54 00 23 00 52 00 75 00 f...B.O.T.#.R.u. 6e 00 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 n.P.r.o.m.p.t.$.
62 00 6f 00 0d 00 0a 00 37 00 34 00 20 00 33 00 b.o.....7.4...3.
34 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 4...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 35 00 33 00 20 00 37 00 ..2.3...5.3...7.
36 00 20 00 37 00 32 00 20 00 35 00 35 00 20 00 6...7.2...5.5...
36 00 65 00 20 00 36 00 39 00 20 00 36 00 65 00 6.e...6.9...6.e.

2014-11-21 17:01:39,358 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x475BC8, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$... 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 ......2.0.1.4.-. 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 36 00 1.1.-.2.1...1.6. 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 :.5.1.:.4.2.,.0. 31 00 39 00 20 00 2d 00 20 00 64 00 65 00 74 00 1.9...-...d.e.t. 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 e.c.t.o.r...-... 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 W.A.R.N.I.N.G... 2d 00 20 00 50 00 72 00 6f 00 63 00 65 00 73 00 -...P.r.o.c.e.s. 73 00 20 00 43 00 43 00 43 00 2e 00 65 00 78 00 s...C.C.C...e.x. 65 00 20 00 28 00 70 00 69 00 64 00 3a 00 20 00 e...(.p.i.d.:... 37 00 36 00 32 00 34 00 29 00 20 00 6d 00 61 00 7.6.2.4.)...m.a. 74 00 63 00 68 00 65 00 64 00 3a 00 20 00 42 00 t.c.h.e.d.:...B. 6c 00 61 00 63 00 6b 00 53 00 68 00 61 00 64 00 l.a.c.k.S.h.a.d. 65 00 73 00 20 00 61 00 74 00 20 00 61 00 64 00 e.s...a.t...a.d. 64 00 72 00 65 00 73 00 73 00 3a 00 20 00 30 00 d.r.e.s.s.:...0. 2014-11-21 17:01:39,361 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47648C, Value: 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n. 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$...
0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
33 00 20 00 37 00 36 00 20 00 37 00 32 00 20 00 3...7.6...7.2...
35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9.
20 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00 ..b.o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
69 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 i.........2.0.1.
34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1...
31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2.
2c 00 30 00 32 00 30 00 20 00 2d 00 20 00 64 00 ,.0.2.0...-...d.
65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r...
2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N.

2014-11-21 17:01:39,361 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x477E54, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$... 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7. 34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0... 32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f. 20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5. 33 00 20 00 37 00 36 00 20 00 37 00 32 00 20 00 3...7.6...7.2... 35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9. 20 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00 ..b.o.t.4...#.B. 4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n. 69 00 0d 00 0a 00 36 00 65 00 20 00 37 00 33 00 i.....6.e...7.3. 20 00 37 00 34 00 20 00 36 00 31 00 20 00 36 00 ..7.4...6.1...6. 63 00 20 00 36 00 63 00 20 00 32 00 34 00 20 00 c...6.c...2.4... 36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4. 20 00 33 00 35 00 20 00 30 00 30 00 20 00 32 00 ..3.5...0.0...2. 33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f... 2014-11-21 17:01:39,364 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A166, Value: 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n. 50 00 72 00 6f 00 6d 00 70 00 74 00 0d 00 0a 00 P.r.o.m.p.t..... 32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f. 20 00 37 00 34 00 20 00 33 00 34 00 20 00 30 00 ..7.4...3.4...0. 30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2... 34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3. 20 00 35 00 33 00 20 00 37 00 36 00 20 00 37 00 ..5.3...7.6...7. 32 00 20 00 35 00 35 00 20 00 36 00 65 00 20 00 2...5.5...6.e... 24 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00$.b.o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
0d 00 0a 00 36 00 39 00 20 00 36 00 65 00 20 00 ....6.9...6.e...
37 00 33 00 20 00 37 00 34 00 20 00 36 00 31 00 7.3...7.4...6.1.
20 00 36 00 63 00 20 00 36 00 63 00 20 00 32 00 ..6.c...6.c...2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 35 00 20 00 30 00 30 00 7.4...3.5...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.

2014-11-21 17:01:39,365 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B1E0, Value:

23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n.
50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 0d 00 P.r.o.m.p.t.$... 0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7. 34 00 20 00 33 00 34 00 20 00 30 00 30 00 20 00 4...3.4...0.0... 32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f. 20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5. 33 00 20 00 37 00 36 00 20 00 37 00 32 00 20 00 3...7.6...7.2... 35 00 35 00 20 00 36 00 65 00 20 00 36 00 39 00 5.5...6.e...6.9. 20 00 62 00 6f 00 74 00 34 00 2e 00 23 00 42 00 ..b.o.t.4...#.B. 4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n. 69 00 0d 00 0a 00 36 00 65 00 20 00 37 00 33 00 i.....6.e...7.3. 20 00 37 00 34 00 20 00 36 00 31 00 20 00 36 00 ..7.4...6.1...6. 63 00 20 00 36 00 63 00 20 00 32 00 34 00 20 00 c...6.c...2.4... 36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4. 20 00 33 00 35 00 20 00 30 00 30 00 20 00 32 00 ..3.5...0.0...2. 33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f... 2014-11-21 17:01:39,365 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47C35E, Value: 23 00 42 00 4f 00 54 00 23 00 52 00 75 00 6e 00 #.B.O.T.#.R.u.n. 50 00 72 00 6f 00 6d 00 70 00 74 00 24 00 62 00 P.r.o.m.p.t.$.b.
0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4...
33 00 34 00 20 00 30 00 30 00 20 00 32 00 33 00 3.4...0.0...2.3.
20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5.
34 00 20 00 32 00 33 00 20 00 35 00 33 00 20 00 4...2.3...5.3...
37 00 36 00 20 00 37 00 32 00 20 00 35 00 35 00 7.6...7.2...5.5.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6.
65 00 20 00 6f 00 74 00 34 00 2e 00 23 00 42 00 e...o.t.4...#.B.
4f 00 54 00 23 00 53 00 76 00 72 00 55 00 6e 00 O.T.#.S.v.r.U.n.
69 00 6e 00 0d 00 0a 00 37 00 33 00 20 00 37 00 i.n.....7.3...7.
34 00 20 00 36 00 31 00 20 00 36 00 63 00 20 00 4...6.1...6.c...
36 00 63 00 20 00 32 00 34 00 20 00 36 00 32 00 6.c...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
35 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 5...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.

2014-11-21 17:01:39,368 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47771A, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 D.o.w.n.l.o.a.d.
0d 00 0a 00 32 00 34 00 20 00 36 00 32 00 20 00 ....2.4...6.2...
36 00 66 00 20 00 37 00 34 00 20 00 33 00 36 00 6.f...7.4...3.6.
20 00 30 00 30 00 20 00 32 00 33 00 20 00 34 00 ..0.0...2.3...4.
32 00 20 00 34 00 66 00 20 00 35 00 34 00 20 00 2...4.f...5.4...
32 00 33 00 20 00 35 00 35 00 20 00 35 00 32 00 2.3...5.5...5.2.
20 00 34 00 63 00 20 00 35 00 35 00 20 00 37 00 ..4.c...5.5...7.
30 00 20 00 24 00 62 00 6f 00 74 00 36 00 2e 00 0...$.b.o.t.6... 23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L. 55 00 70 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 U.p.........2.0. 31 00 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 1.4.-.1.1.-.2.1. 20 00 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 ..1.6.:.5.1.:.4. 32 00 2c 00 30 00 32 00 33 00 20 00 2d 00 20 00 2.,.0.2.3...-... 64 00 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 d.e.t.e.c.t.o.r. 20 00 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 ..-...W.A.R.N.I. 2014-11-21 17:01:39,368 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47ABB2, Value: 23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L. 44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 D.o.w.n.l.o.a.d. 0d 00 0a 00 32 00 34 00 20 00 36 00 32 00 20 00 ....2.4...6.2... 36 00 66 00 20 00 37 00 34 00 20 00 33 00 36 00 6.f...7.4...3.6. 20 00 30 00 30 00 20 00 32 00 33 00 20 00 34 00 ..0.0...2.3...4. 32 00 20 00 34 00 66 00 20 00 35 00 34 00 20 00 2...4.f...5.4... 32 00 33 00 20 00 35 00 35 00 20 00 35 00 32 00 2.3...5.5...5.2. 20 00 34 00 63 00 20 00 35 00 35 00 20 00 37 00 ..4.c...5.5...7. 30 00 20 00 24 00 62 00 6f 00 74 00 36 00 2e 00 0...$.b.o.t.6...
23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 0d 00 0a 00 36 00 34 00 20 00 36 00 U.p.....6.4...6.
31 00 20 00 37 00 34 00 20 00 36 00 35 00 20 00 1...7.4...6.5...
32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f.
20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0.
30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2...
34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3.

2014-11-21 17:01:39,371 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47D5E6, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
44 00 6f 00 77 00 6e 00 6c 00 6f 00 61 00 64 00 D.o.w.n.l.o.a.d.
0d 00 0a 00 32 00 34 00 20 00 36 00 32 00 20 00 ....2.4...6.2...
36 00 66 00 20 00 37 00 34 00 20 00 33 00 36 00 6.f...7.4...3.6.
20 00 30 00 30 00 20 00 32 00 33 00 20 00 34 00 ..0.0...2.3...4.
32 00 20 00 34 00 66 00 20 00 35 00 34 00 20 00 2...4.f...5.4...
32 00 33 00 20 00 35 00 35 00 20 00 35 00 32 00 2.3...5.5...5.2.
20 00 34 00 63 00 20 00 35 00 35 00 20 00 37 00 ..4.c...5.5...7.
30 00 20 00 24 00 62 00 6f 00 74 00 36 00 2e 00 0...$.b.o.t.6... 23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L. 55 00 70 00 0d 00 0a 00 36 00 34 00 20 00 36 00 U.p.....6.4...6. 31 00 20 00 37 00 34 00 20 00 36 00 35 00 20 00 1...7.4...6.5... 32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f. 20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0. 30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2... 34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3. 2014-11-21 17:01:39,372 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x478066, Value: 23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L. 55 00 70 00 64 00 61 00 74 00 65 00 0d 00 0a 00 U.p.d.a.t.e..... 32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f. 20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0. 30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2... 34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3. 20 00 35 00 36 00 20 00 36 00 39 00 20 00 37 00 ..5.6...6.9...7. 33 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 3...6.9...7.4... 24 00 62 00 6f 00 74 00 37 00 2e 00 23 00 42 00$.b.o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4.
2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1.
36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,.
30 00 32 00 36 00 20 00 2d 00 20 00 64 00 65 00 0.2.6...-...d.e.
74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-.
20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G.

2014-11-21 17:01:39,374 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x479AAE, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 24 00 62 00 U.p.d.a.t.e.$.b. 0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4... 33 00 37 00 20 00 30 00 30 00 20 00 32 00 33 00 3.7...0.0...2.3. 20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5. 34 00 20 00 32 00 33 00 20 00 35 00 36 00 20 00 4...2.3...5.6... 36 00 39 00 20 00 37 00 33 00 20 00 36 00 39 00 6.9...7.3...6.9. 20 00 37 00 34 00 20 00 35 00 35 00 20 00 37 00 ..7.4...5.5...7. 32 00 20 00 6f 00 74 00 37 00 2e 00 23 00 42 00 2...o.t.7...#.B. 4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t. 55 00 72 00 0d 00 0a 00 36 00 63 00 20 00 32 00 U.r.....6.c...2. 34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f... 37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0. 20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4. 66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3... 34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f. 2014-11-21 17:01:39,375 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B3F2, Value: 23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L. 55 00 70 00 64 00 61 00 74 00 65 00 0d 00 0a 00 U.p.d.a.t.e..... 32 00 34 00 20 00 36 00 32 00 20 00 36 00 66 00 2.4...6.2...6.f. 20 00 37 00 34 00 20 00 33 00 37 00 20 00 30 00 ..7.4...3.7...0. 30 00 20 00 32 00 33 00 20 00 34 00 32 00 20 00 0...2.3...4.2... 34 00 66 00 20 00 35 00 34 00 20 00 32 00 33 00 4.f...5.4...2.3. 20 00 35 00 36 00 20 00 36 00 39 00 20 00 37 00 ..5.6...6.9...7. 33 00 20 00 36 00 39 00 20 00 37 00 34 00 20 00 3...6.9...7.4... 24 00 62 00 6f 00 74 00 37 00 2e 00 23 00 42 00$.b.o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
0d 00 0a 00 35 00 35 00 20 00 37 00 32 00 20 00 ....5.5...7.2...
36 00 63 00 20 00 32 00 34 00 20 00 36 00 32 00 6.c...2.4...6.2.
20 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
38 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 8...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 34 00 33 00 20 00 36 00 ..2.3...4.3...6.

2014-11-21 17:01:39,377 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47BCAE, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 24 00 62 00 U.p.d.a.t.e.$.b. 0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4... 33 00 37 00 20 00 30 00 30 00 20 00 32 00 33 00 3.7...0.0...2.3. 20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5. 34 00 20 00 32 00 33 00 20 00 35 00 36 00 20 00 4...2.3...5.6... 36 00 39 00 20 00 37 00 33 00 20 00 36 00 39 00 6.9...7.3...6.9. 20 00 37 00 34 00 20 00 35 00 35 00 20 00 37 00 ..7.4...5.5...7. 32 00 20 00 6f 00 74 00 37 00 2e 00 23 00 42 00 2...o.t.7...#.B. 4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t. 55 00 72 00 0d 00 0a 00 36 00 63 00 20 00 32 00 U.r.....6.c...2. 34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f... 37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0. 20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4. 66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3... 34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f. 2014-11-21 17:01:39,378 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47C570, Value: 23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L. 55 00 70 00 64 00 61 00 74 00 65 00 24 00 0d 00 U.p.d.a.t.e.$...
0a 00 36 00 32 00 20 00 36 00 66 00 20 00 37 00 ..6.2...6.f...7.
34 00 20 00 33 00 37 00 20 00 30 00 30 00 20 00 4...3.7...0.0...
32 00 33 00 20 00 34 00 32 00 20 00 34 00 66 00 2.3...4.2...4.f.
20 00 35 00 34 00 20 00 32 00 33 00 20 00 35 00 ..5.4...2.3...5.
36 00 20 00 36 00 39 00 20 00 37 00 33 00 20 00 6...6.9...7.3...
36 00 39 00 20 00 37 00 34 00 20 00 35 00 35 00 6.9...7.4...5.5.
20 00 62 00 6f 00 74 00 37 00 2e 00 23 00 42 00 ..b.o.t.7...#.B.
4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t.
55 00 0d 00 0a 00 37 00 32 00 20 00 36 00 63 00 U.....7.2...6.c.
20 00 32 00 34 00 20 00 36 00 32 00 20 00 36 00 ..2.4...6.2...6.
66 00 20 00 37 00 34 00 20 00 33 00 38 00 20 00 f...7.4...3.8...
30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2.
20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2.
33 00 20 00 34 00 33 00 20 00 36 00 63 00 20 00 3...4.3...6.c...

2014-11-21 17:01:39,380 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47DF2A, Value:

23 00 42 00 4f 00 54 00 23 00 55 00 52 00 4c 00 #.B.O.T.#.U.R.L.
55 00 70 00 64 00 61 00 74 00 65 00 24 00 62 00 U.p.d.a.t.e.$.b. 0d 00 0a 00 36 00 66 00 20 00 37 00 34 00 20 00 ....6.f...7.4... 33 00 37 00 20 00 30 00 30 00 20 00 32 00 33 00 3.7...0.0...2.3. 20 00 34 00 32 00 20 00 34 00 66 00 20 00 35 00 ..4.2...4.f...5. 34 00 20 00 32 00 33 00 20 00 35 00 36 00 20 00 4...2.3...5.6... 36 00 39 00 20 00 37 00 33 00 20 00 36 00 39 00 6.9...7.3...6.9. 20 00 37 00 34 00 20 00 35 00 35 00 20 00 37 00 ..7.4...5.5...7. 32 00 20 00 6f 00 74 00 37 00 2e 00 23 00 42 00 2...o.t.7...#.B. 4f 00 54 00 23 00 56 00 69 00 73 00 69 00 74 00 O.T.#.V.i.s.i.t. 55 00 72 00 0d 00 0a 00 36 00 63 00 20 00 32 00 U.r.....6.c...2. 34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f... 37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0. 20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4. 66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3... 34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f. 2014-11-21 17:01:39,381 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4789AE, Value: 23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s. 69 00 74 00 55 00 72 00 6c 00 24 00 0d 00 0a 00 i.t.U.r.l.$.....
36 00 32 00 20 00 36 00 66 00 20 00 37 00 34 00 6.2...6.f...7.4.
20 00 33 00 38 00 20 00 30 00 30 00 20 00 32 00 ..3.8...0.0...2.
33 00 20 00 34 00 32 00 20 00 34 00 66 00 20 00 3...4.2...4.f...
35 00 34 00 20 00 32 00 33 00 20 00 34 00 33 00 5.4...2.3...4.3.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 37 00 ..6.c...6.f...7.
33 00 20 00 36 00 35 00 20 00 35 00 33 00 20 00 3...6.5...5.3...
62 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 b.o.t.8...#.B.O.
54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S.
0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4.
2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1.
36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,.
30 00 32 00 36 00 20 00 2d 00 20 00 64 00 65 00 0.2.6...-...d.e.
74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-.
20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G.

2014-11-21 17:01:39,382 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x479274, Value:

23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s.
69 00 74 00 55 00 72 00 6c 00 0d 00 0a 00 32 00 i.t.U.r.l.....2.
34 00 20 00 36 00 32 00 20 00 36 00 66 00 20 00 4...6.2...6.f...
37 00 34 00 20 00 33 00 38 00 20 00 30 00 30 00 7.4...3.8...0.0.
20 00 32 00 33 00 20 00 34 00 32 00 20 00 34 00 ..2.3...4.2...4.
66 00 20 00 35 00 34 00 20 00 32 00 33 00 20 00 f...5.4...2.3...
34 00 33 00 20 00 36 00 63 00 20 00 36 00 66 00 4.3...6.c...6.f.
20 00 37 00 33 00 20 00 36 00 35 00 20 00 24 00 ..7.3...6.5...$. 62 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 b.o.t.8...#.B.O. 54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 0d 00 T.#.C.l.o.s.e... 0a 00 35 00 33 00 20 00 36 00 35 00 20 00 37 00 ..5.3...6.5...7. 32 00 20 00 37 00 36 00 20 00 36 00 35 00 20 00 2...7.6...6.5... 37 00 32 00 20 00 32 00 34 00 20 00 36 00 34 00 7.2...2.4...6.4. 20 00 36 00 34 00 20 00 36 00 66 00 20 00 37 00 ..6.4...6.f...7. 33 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 3...3.1...0.0... 34 00 34 00 20 00 34 00 34 00 20 00 34 00 66 00 4.4...4.4...4.f. 2014-11-21 17:01:39,384 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47CEB4, Value: 23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s. 69 00 74 00 55 00 72 00 6c 00 24 00 62 00 0d 00 i.t.U.r.l.$.b...
0a 00 36 00 66 00 20 00 37 00 34 00 20 00 33 00 ..6.f...7.4...3.
38 00 20 00 30 00 30 00 20 00 32 00 33 00 20 00 8...0.0...2.3...
34 00 32 00 20 00 34 00 66 00 20 00 35 00 34 00 4.2...4.f...5.4.
20 00 32 00 33 00 20 00 34 00 33 00 20 00 36 00 ..2.3...4.3...6.
63 00 20 00 36 00 66 00 20 00 37 00 33 00 20 00 c...6.f...7.3...
36 00 35 00 20 00 35 00 33 00 20 00 36 00 35 00 6.5...5.3...6.5.
20 00 6f 00 74 00 38 00 2e 00 23 00 42 00 4f 00 ..o.t.8...#.B.O.
54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S.
65 00 0d 00 0a 00 37 00 32 00 20 00 37 00 36 00 e.....7.2...7.6.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2.
34 00 20 00 36 00 34 00 20 00 36 00 34 00 20 00 4...6.4...6.4...
36 00 66 00 20 00 37 00 33 00 20 00 33 00 31 00 6.f...7.3...3.1.
20 00 30 00 30 00 20 00 34 00 34 00 20 00 34 00 ..0.0...4.4...4.
34 00 20 00 34 00 66 00 20 00 35 00 33 00 20 00 4...4.f...5.3...

2014-11-21 17:01:39,385 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47E86E, Value:

23 00 42 00 4f 00 54 00 23 00 56 00 69 00 73 00 #.B.O.T.#.V.i.s.
69 00 74 00 55 00 72 00 6c 00 24 00 62 00 6f 00 i.t.U.r.l.$.b.o. 0d 00 0a 00 37 00 34 00 20 00 33 00 38 00 20 00 ....7.4...3.8... 30 00 30 00 20 00 32 00 33 00 20 00 34 00 32 00 0.0...2.3...4.2. 20 00 34 00 66 00 20 00 35 00 34 00 20 00 32 00 ..4.f...5.4...2. 33 00 20 00 34 00 33 00 20 00 36 00 63 00 20 00 3...4.3...6.c... 36 00 66 00 20 00 37 00 33 00 20 00 36 00 35 00 6.f...7.3...6.5. 20 00 35 00 33 00 20 00 36 00 35 00 20 00 37 00 ..5.3...6.5...7. 32 00 20 00 74 00 38 00 2e 00 23 00 42 00 4f 00 2...t.8...#.B.O. 54 00 23 00 43 00 6c 00 6f 00 73 00 65 00 53 00 T.#.C.l.o.s.e.S. 65 00 72 00 0d 00 0a 00 37 00 36 00 20 00 36 00 e.r.....7.6...6. 35 00 20 00 37 00 32 00 20 00 32 00 34 00 20 00 5...7.2...2.4... 36 00 34 00 20 00 36 00 34 00 20 00 36 00 66 00 6.4...6.4...6.f. 20 00 37 00 33 00 20 00 33 00 31 00 20 00 30 00 ..7.3...3.1...0. 30 00 20 00 34 00 34 00 20 00 34 00 34 00 20 00 0...4.4...4.4... 34 00 66 00 20 00 35 00 33 00 20 00 34 00 38 00 4.f...5.3...4.8. 2014-11-21 17:01:39,387 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47F1B2, Value: 23 00 42 00 4f 00 54 00 23 00 43 00 6c 00 6f 00 #.B.O.T.#.C.l.o. 73 00 65 00 53 00 65 00 72 00 76 00 65 00 72 00 s.e.S.e.r.v.e.r. 0d 00 0a 00 32 00 34 00 20 00 36 00 34 00 20 00 ....2.4...6.4... 36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3. 20 00 33 00 31 00 20 00 30 00 30 00 20 00 34 00 ..3.1...0.0...4. 34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f... 35 00 33 00 20 00 34 00 38 00 20 00 35 00 34 00 5.3...4.8...5.4. 20 00 35 00 34 00 20 00 35 00 30 00 20 00 34 00 ..5.4...5.0...4. 36 00 20 00 24 00 64 00 64 00 6f 00 73 00 31 00 6...$.d.d.o.s.1.
2e 00 44 00 44 00 4f 00 53 00 48 00 54 00 54 00 ..D.D.O.S.H.T.T.
50 00 46 00 0d 00 0a 00 34 00 63 00 20 00 34 00 P.F.....4.c...4.
66 00 20 00 34 00 66 00 20 00 34 00 34 00 20 00 f...4.f...4.4...
32 00 34 00 20 00 36 00 34 00 20 00 36 00 34 00 2.4...6.4...6.4.
20 00 36 00 66 00 20 00 37 00 33 00 20 00 33 00 ..6.f...7.3...3.
32 00 20 00 30 00 30 00 20 00 34 00 34 00 20 00 2...0.0...4.4...
34 00 34 00 20 00 34 00 66 00 20 00 35 00 33 00 4.4...4.f...5.3.

2014-11-21 17:01:39,388 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47A584, Value:

44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P.
46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 F.L.O.O.D.$.d... 0a 00 36 00 34 00 20 00 36 00 66 00 20 00 37 00 ..6.4...6.f...7. 33 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 3...3.2...0.0... 34 00 34 00 20 00 34 00 34 00 20 00 34 00 66 00 4.4...4.4...4.f. 20 00 35 00 33 00 20 00 35 00 33 00 20 00 35 00 ..5.3...5.3...5. 39 00 20 00 34 00 65 00 20 00 34 00 36 00 20 00 9...4.e...4.6... 34 00 63 00 20 00 34 00 66 00 20 00 34 00 66 00 4.c...4.f...4.f. 20 00 64 00 6f 00 73 00 32 00 2e 00 44 00 44 00 ..d.o.s.2...D.D. 4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O. 4f 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 O.........2.0.1. 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1... 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2. 2c 00 30 00 33 00 32 00 20 00 2d 00 20 00 64 00 ,.0.3.2...-...d. 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r... 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N. 2014-11-21 17:01:39,390 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B5FE, Value: 44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P. 46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 F.L.O.O.D.$.d.d.
0d 00 0a 00 36 00 66 00 20 00 37 00 33 00 20 00 ....6.f...7.3...
33 00 32 00 20 00 30 00 30 00 20 00 34 00 34 00 3.2...0.0...4.4.
20 00 34 00 34 00 20 00 34 00 66 00 20 00 35 00 ..4.4...4.f...5.
33 00 20 00 35 00 33 00 20 00 35 00 39 00 20 00 3...5.3...5.9...
34 00 65 00 20 00 34 00 36 00 20 00 34 00 63 00 4.e...4.6...4.c.
20 00 34 00 66 00 20 00 34 00 66 00 20 00 34 00 ..4.f...4.f...4.
34 00 20 00 6f 00 73 00 32 00 2e 00 44 00 44 00 4...o.s.2...D.D.
4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O.
4f 00 44 00 0d 00 0a 00 32 00 34 00 20 00 36 00 O.D.....2.4...6.
34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f...
37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0.
20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4.
66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5...
34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6.

2014-11-21 17:01:39,391 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47FAF6, Value:

44 00 44 00 4f 00 53 00 48 00 54 00 54 00 50 00 D.D.O.S.H.T.T.P.
46 00 4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 F.L.O.O.D.$.d.d. 0d 00 0a 00 36 00 66 00 20 00 37 00 33 00 20 00 ....6.f...7.3... 33 00 32 00 20 00 30 00 30 00 20 00 34 00 34 00 3.2...0.0...4.4. 20 00 34 00 34 00 20 00 34 00 66 00 20 00 35 00 ..4.4...4.f...5. 33 00 20 00 35 00 33 00 20 00 35 00 39 00 20 00 3...5.3...5.9... 34 00 65 00 20 00 34 00 36 00 20 00 34 00 63 00 4.e...4.6...4.c. 20 00 34 00 66 00 20 00 34 00 66 00 20 00 34 00 ..4.f...4.f...4. 34 00 20 00 6f 00 73 00 32 00 2e 00 44 00 44 00 4...o.s.2...D.D. 4f 00 53 00 53 00 59 00 4e 00 46 00 4c 00 4f 00 O.S.S.Y.N.F.L.O. 4f 00 44 00 0d 00 0a 00 32 00 34 00 20 00 36 00 O.D.....2.4...6. 34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f... 37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0. 20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4. 66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5... 34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6. 2014-11-21 17:01:39,392 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47B68A, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 0d 00 0a 00 32 00 34 00 L.O.O.D.....2.4. 20 00 36 00 34 00 20 00 36 00 34 00 20 00 36 00 ..6.4...6.4...6. 66 00 20 00 37 00 33 00 20 00 33 00 33 00 20 00 f...7.3...3.3... 30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4. 20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5. 35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0... 34 00 36 00 20 00 34 00 63 00 20 00 24 00 64 00 4.6...4.c...$.d.
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 0d 00 0a 00 S.U.D.P.F.L.....
34 00 66 00 20 00 34 00 66 00 20 00 34 00 34 00 4.f...4.f...4.4.
20 00 32 00 34 00 20 00 36 00 62 00 20 00 36 00 ..2.4...6.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3.
31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1...

2014-11-21 17:01:39,394 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47BF46, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 0a 00 L.O.O.D.$.d..... 36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3. 20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4. 34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f... 35 00 33 00 20 00 35 00 35 00 20 00 34 00 34 00 5.3...5.5...4.4. 20 00 35 00 30 00 20 00 34 00 36 00 20 00 34 00 ..5.0...4.6...4. 63 00 20 00 34 00 66 00 20 00 34 00 66 00 20 00 c...4.f...4.f... 64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O. 0d 00 0a 00 34 00 34 00 20 00 32 00 34 00 20 00 ....4.4...2.4... 36 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 6.b...6.5...7.9. 20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6. 37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5... 37 00 32 00 20 00 33 00 31 00 20 00 30 00 30 00 7.2...3.1...0.0. 20 00 34 00 31 00 20 00 36 00 33 00 20 00 37 00 ..4.1...6.3...7. 2014-11-21 17:01:39,395 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47C808, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 24 00 0d 00 0a 00 36 00 L.O.O.D.$.....6.
34 00 20 00 36 00 34 00 20 00 36 00 66 00 20 00 4...6.4...6.f...
37 00 33 00 20 00 33 00 33 00 20 00 30 00 30 00 7.3...3.3...0.0.
20 00 34 00 34 00 20 00 34 00 34 00 20 00 34 00 ..4.4...4.4...4.
66 00 20 00 35 00 33 00 20 00 35 00 35 00 20 00 f...5.3...5.5...
34 00 34 00 20 00 35 00 30 00 20 00 34 00 36 00 4.4...5.0...4.6.
20 00 34 00 63 00 20 00 34 00 66 00 20 00 64 00 ..4.c...4.f...d.
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 0d 00 S.U.D.P.F.L.O...
0a 00 34 00 66 00 20 00 34 00 34 00 20 00 32 00 ..4.f...4.4...2.
34 00 20 00 36 00 62 00 20 00 36 00 35 00 20 00 4...6.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.
20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6.
35 00 20 00 37 00 32 00 20 00 33 00 31 00 20 00 5...7.2...3.1...
30 00 30 00 20 00 34 00 31 00 20 00 36 00 33 00 0.0...4.1...6.3.

2014-11-21 17:01:39,397 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47E1C2, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 24 00 64 00 0d 00 0a 00 L.O.O.D.$.d..... 36 00 34 00 20 00 36 00 66 00 20 00 37 00 33 00 6.4...6.f...7.3. 20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4. 34 00 20 00 34 00 34 00 20 00 34 00 66 00 20 00 4...4.4...4.f... 35 00 33 00 20 00 35 00 35 00 20 00 34 00 34 00 5.3...5.5...4.4. 20 00 35 00 30 00 20 00 34 00 36 00 20 00 34 00 ..5.0...4.6...4. 63 00 20 00 34 00 66 00 20 00 34 00 66 00 20 00 c...4.f...4.f... 64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O. 0d 00 0a 00 34 00 34 00 20 00 32 00 34 00 20 00 ....4.4...2.4... 36 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 6.b...6.5...7.9. 20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6. 37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5... 37 00 32 00 20 00 33 00 31 00 20 00 30 00 30 00 7.2...3.1...0.0. 20 00 34 00 31 00 20 00 36 00 33 00 20 00 37 00 ..4.1...6.3...7. 2014-11-21 17:01:39,398 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47FB82, Value: 44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F. 4c 00 4f 00 4f 00 44 00 0d 00 0a 00 32 00 34 00 L.O.O.D.....2.4. 20 00 36 00 34 00 20 00 36 00 34 00 20 00 36 00 ..6.4...6.4...6. 66 00 20 00 37 00 33 00 20 00 33 00 33 00 20 00 f...7.3...3.3... 30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4. 20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5. 35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0... 34 00 36 00 20 00 34 00 63 00 20 00 24 00 64 00 4.6...4.c...$.d.
64 00 6f 00 73 00 33 00 2e 00 44 00 44 00 4f 00 d.o.s.3...D.D.O.
53 00 55 00 44 00 50 00 46 00 4c 00 0d 00 0a 00 S.U.D.P.F.L.....
34 00 66 00 20 00 34 00 66 00 20 00 34 00 34 00 4.f...4.f...4.4.
20 00 32 00 34 00 20 00 36 00 62 00 20 00 36 00 ..2.4...6.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3.
31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1...

2014-11-21 17:01:39,400 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x48043A, Value:

44 00 44 00 4f 00 53 00 53 00 59 00 4e 00 46 00 D.D.O.S.S.Y.N.F.
4c 00 4f 00 4f 00 44 00 24 00 64 00 64 00 6f 00 L.O.O.D.$.d.d.o. 0d 00 0a 00 37 00 33 00 20 00 33 00 33 00 20 00 ....7.3...3.3... 30 00 30 00 20 00 34 00 34 00 20 00 34 00 34 00 0.0...4.4...4.4. 20 00 34 00 66 00 20 00 35 00 33 00 20 00 35 00 ..4.f...5.3...5. 35 00 20 00 34 00 34 00 20 00 35 00 30 00 20 00 5...4.4...5.0... 34 00 36 00 20 00 34 00 63 00 20 00 34 00 66 00 4.6...4.c...4.f. 20 00 34 00 66 00 20 00 34 00 34 00 20 00 32 00 ..4.f...4.4...2. 34 00 20 00 73 00 33 00 2e 00 44 00 44 00 4f 00 4...s.3...D.D.O. 53 00 55 00 44 00 50 00 46 00 4c 00 4f 00 4f 00 S.U.D.P.F.L.O.O. 44 00 24 00 0d 00 0a 00 36 00 62 00 20 00 36 00 D.$.....6.b...6.
35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c...
36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7.
20 00 36 00 35 00 20 00 37 00 32 00 20 00 33 00 ..6.5...7.2...3.
31 00 20 00 30 00 30 00 20 00 34 00 31 00 20 00 1...0.0...4.1...
36 00 33 00 20 00 37 00 34 00 20 00 36 00 39 00 6.3...7.4...6.9.

2014-11-21 17:01:39,401 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47D14A, Value:

44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F.
4c 00 4f 00 4f 00 44 00 24 00 6b 00 0d 00 0a 00 L.O.O.D.$.k..... 36 00 35 00 20 00 37 00 39 00 20 00 36 00 63 00 6.5...7.9...6.c. 20 00 36 00 66 00 20 00 36 00 37 00 20 00 36 00 ..6.f...6.7...6. 37 00 20 00 36 00 35 00 20 00 37 00 32 00 20 00 7...6.5...7.2... 33 00 31 00 20 00 30 00 30 00 20 00 34 00 31 00 3.1...0.0...4.1. 20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 37 00 36 00 20 00 36 00 35 00 20 00 9...7.6...6.5... 65 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e.y.l.o.g.g.e.r. 31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e. 0d 00 0a 00 34 00 66 00 20 00 36 00 65 00 20 00 ....4.f...6.e... 36 00 63 00 20 00 36 00 39 00 20 00 36 00 65 00 6.c...6.9...6.e. 20 00 36 00 35 00 20 00 34 00 62 00 20 00 36 00 ..6.5...4.b...6. 35 00 20 00 37 00 39 00 20 00 36 00 63 00 20 00 5...7.9...6.c... 36 00 66 00 20 00 36 00 37 00 20 00 36 00 37 00 6.f...6.7...6.7. 20 00 36 00 35 00 20 00 37 00 32 00 20 00 32 00 ..6.5...7.2...2. 2014-11-21 17:01:39,403 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x47EB04, Value: 44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F. 4c 00 4f 00 4f 00 44 00 24 00 6b 00 65 00 0d 00 L.O.O.D.$.k.e...
0a 00 37 00 39 00 20 00 36 00 63 00 20 00 36 00 ..7.9...6.c...6.
66 00 20 00 36 00 37 00 20 00 36 00 37 00 20 00 f...6.7...6.7...
36 00 35 00 20 00 37 00 32 00 20 00 33 00 31 00 6.5...7.2...3.1.
20 00 30 00 30 00 20 00 34 00 31 00 20 00 36 00 ..0.0...4.1...6.
33 00 20 00 37 00 34 00 20 00 36 00 39 00 20 00 3...7.4...6.9...
37 00 36 00 20 00 36 00 35 00 20 00 34 00 66 00 7.6...6.5...4.f.
20 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 ..y.l.o.g.g.e.r.
31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e.
4f 00 0d 00 0a 00 36 00 65 00 20 00 36 00 63 00 O.....6.e...6.c.
20 00 36 00 39 00 20 00 36 00 65 00 20 00 36 00 ..6.9...6.e...6.
35 00 20 00 34 00 62 00 20 00 36 00 35 00 20 00 5...4.b...6.5...
37 00 39 00 20 00 36 00 63 00 20 00 36 00 66 00 7.9...6.c...6.f.
20 00 36 00 37 00 20 00 36 00 37 00 20 00 36 00 ..6.7...6.7...6.
35 00 20 00 37 00 32 00 20 00 32 00 34 00 20 00 5...7.2...2.4...

2014-11-21 17:01:39,404 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4804C4, Value:

44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F.
4c 00 4f 00 4f 00 44 00 24 00 0d 00 0a 00 36 00 L.O.O.D.$.....6. 62 00 20 00 36 00 35 00 20 00 37 00 39 00 20 00 b...6.5...7.9... 36 00 63 00 20 00 36 00 66 00 20 00 36 00 37 00 6.c...6.f...6.7. 20 00 36 00 37 00 20 00 36 00 35 00 20 00 37 00 ..6.7...6.5...7. 32 00 20 00 33 00 31 00 20 00 30 00 30 00 20 00 2...3.1...0.0... 34 00 31 00 20 00 36 00 33 00 20 00 37 00 34 00 4.1...6.3...7.4. 20 00 36 00 39 00 20 00 37 00 36 00 20 00 6b 00 ..6.9...7.6...k. 65 00 79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e.y.l.o.g.g.e.r. 31 00 2e 00 41 00 63 00 74 00 69 00 76 00 0d 00 1...A.c.t.i.v... 0a 00 36 00 35 00 20 00 34 00 66 00 20 00 36 00 ..6.5...4.f...6. 65 00 20 00 36 00 63 00 20 00 36 00 39 00 20 00 e...6.c...6.9... 36 00 65 00 20 00 36 00 35 00 20 00 34 00 62 00 6.e...6.5...4.b. 20 00 36 00 35 00 20 00 37 00 39 00 20 00 36 00 ..6.5...7.9...6. 63 00 20 00 36 00 66 00 20 00 36 00 37 00 20 00 c...6.f...6.7... 36 00 37 00 20 00 36 00 35 00 20 00 37 00 32 00 6.7...6.5...7.2. 2014-11-21 17:01:39,405 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x480D7E, Value: 44 00 44 00 4f 00 53 00 55 00 44 00 50 00 46 00 D.D.O.S.U.D.P.F. 4c 00 4f 00 4f 00 44 00 24 00 6b 00 65 00 79 00 L.O.O.D.$.k.e.y.
0d 00 0a 00 36 00 63 00 20 00 36 00 66 00 20 00 ....6.c...6.f...
36 00 37 00 20 00 36 00 37 00 20 00 36 00 35 00 6.7...6.7...6.5.
20 00 37 00 32 00 20 00 33 00 31 00 20 00 30 00 ..7.2...3.1...0.
30 00 20 00 34 00 31 00 20 00 36 00 33 00 20 00 0...4.1...6.3...
37 00 34 00 20 00 36 00 39 00 20 00 37 00 36 00 7.4...6.9...7.6.
20 00 36 00 35 00 20 00 34 00 66 00 20 00 36 00 ..6.5...4.f...6.
65 00 20 00 6c 00 6f 00 67 00 67 00 65 00 72 00 e...l.o.g.g.e.r.
31 00 2e 00 41 00 63 00 74 00 69 00 76 00 65 00 1...A.c.t.i.v.e.
4f 00 6e 00 0d 00 0a 00 36 00 63 00 20 00 36 00 O.n.....6.c...6.
39 00 20 00 36 00 65 00 20 00 36 00 35 00 20 00 9...6.e...6.5...
34 00 62 00 20 00 36 00 35 00 20 00 37 00 39 00 4.b...6.5...7.9.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
37 00 20 00 36 00 37 00 20 00 36 00 35 00 20 00 7...6.7...6.5...
37 00 32 00 20 00 32 00 34 00 20 00 36 00 62 00 7.2...2.4...6.b.

2014-11-21 17:01:39,407 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x48579E, Value:

53 00 55 00 42 00 4d 00 52 00 45 00 4d 00 4f 00 S.U.B.M.R.E.M.O.
54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 24 00 T.E.S.H.E.L.L.$. 0d 00 0a 00 37 00 33 00 20 00 36 00 38 00 20 00 ....7.3...6.8... 36 00 35 00 20 00 36 00 63 00 20 00 36 00 63 00 6.5...6.c...6.c. 20 00 33 00 33 00 20 00 30 00 30 00 20 00 34 00 ..3.3...0.0...4. 62 00 20 00 34 00 39 00 20 00 34 00 63 00 20 00 b...4.9...4.c... 34 00 63 00 20 00 35 00 32 00 20 00 34 00 35 00 4.c...5.2...4.5. 20 00 34 00 64 00 20 00 34 00 66 00 20 00 35 00 ..4.d...4.f...5. 34 00 20 00 73 00 68 00 65 00 6c 00 6c 00 33 00 4...s.h.e.l.l.3. 2e 00 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 ..K.I.L.L.R.E.M. 4f 00 54 00 0d 00 0a 00 34 00 35 00 20 00 35 00 O.T.....4.5...5. 33 00 20 00 34 00 38 00 20 00 34 00 35 00 20 00 3...4.8...4.5... 34 00 63 00 20 00 34 00 63 00 20 00 34 00 34 00 4.c...4.c...4.4. 20 00 36 00 31 00 20 00 37 00 32 00 20 00 36 00 ..6.1...7.2...6. 62 00 20 00 34 00 33 00 20 00 36 00 66 00 20 00 b...4.3...6.f... 36 00 64 00 20 00 36 00 35 00 20 00 37 00 34 00 6.d...6.5...7.4. 2014-11-21 17:01:39,410 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x480B74, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 0d 00 T.E.S.H.E.L.L... 0a 00 34 00 34 00 20 00 36 00 31 00 20 00 37 00 ..4.4...6.1...7. 32 00 20 00 36 00 62 00 20 00 34 00 33 00 20 00 2...6.b...4.3... 36 00 66 00 20 00 36 00 64 00 20 00 36 00 35 00 6.f...6.d...6.5. 20 00 37 00 34 00 20 00 30 00 30 00 20 00 36 00 ..7.4...0.0...6. 34 00 20 00 36 00 35 00 20 00 37 00 34 00 20 00 4...6.5...7.4... 36 00 35 00 20 00 36 00 33 00 20 00 37 00 34 00 6.5...6.3...7.4. 20 00 44 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 ..D.a.r.k.C.o.m. 65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c. 74 00 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 t.........2.0.1. 34 00 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 4.-.1.1.-.2.1... 31 00 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 1.6.:.5.1.:.4.2. 
2c 00 30 00 34 00 38 00 20 00 2d 00 20 00 64 00 ,.0.4.8...-...d. 65 00 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 e.t.e.c.t.o.r... 2d 00 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 -...W.A.R.N.I.N. 2014-11-21 17:01:39,411 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4847AA, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D. 0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2... 36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7. 34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4... 36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5. 20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m. 65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c. 74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6. 65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8... 37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2. 30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1... 35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4. 2014-11-21 17:01:39,413 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x484FE6, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D. 0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2... 36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7. 34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4... 36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5. 
20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m. 65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c. 74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6. 65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8... 37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2. 30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1... 35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4. 2014-11-21 17:01:39,414 - detector - WARNING - Process notepad.exe (pid: 8588) matched: DarkComet at address: 0x4860E2, Value: 4b 00 49 00 4c 00 4c 00 52 00 45 00 4d 00 4f 00 K.I.L.L.R.E.M.O. 54 00 45 00 53 00 48 00 45 00 4c 00 4c 00 44 00 T.E.S.H.E.L.L.D. 0d 00 0a 00 36 00 31 00 20 00 37 00 32 00 20 00 ....6.1...7.2... 36 00 62 00 20 00 34 00 33 00 20 00 36 00 66 00 6.b...4.3...6.f. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7. 34 00 20 00 30 00 30 00 20 00 36 00 34 00 20 00 4...0.0...6.4... 36 00 35 00 20 00 37 00 34 00 20 00 36 00 35 00 6.5...7.4...6.5. 20 00 36 00 33 00 20 00 37 00 34 00 20 00 36 00 ..6.3...7.4...6. 39 00 20 00 61 00 72 00 6b 00 43 00 6f 00 6d 00 9...a.r.k.C.o.m. 65 00 74 00 2e 00 64 00 65 00 74 00 65 00 63 00 e.t...d.e.t.e.c. 74 00 69 00 0d 00 0a 00 36 00 66 00 20 00 36 00 t.i.....6.f...6. 65 00 20 00 30 00 30 00 20 00 35 00 38 00 20 00 e...0.0...5.8... 37 00 34 00 20 00 37 00 32 00 20 00 36 00 35 00 7.4...7.2...6.5. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 32 00 ..6.d...6.5...2. 30 00 20 00 35 00 32 00 20 00 34 00 31 00 20 00 0...5.2...4.1... 35 00 34 00 20 00 30 00 30 00 20 00 32 00 34 00 5.4...0.0...2.4. 2014-11-21 17:01:39,415 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x486A20, Value: 58 00 74 00 72 00 65 00 6d 00 65 00 4b 00 65 00 X.t.r.e.m.e.K.e. 
79 00 6c 00 6f 00 67 00 67 00 65 00 72 00 24 00 y.l.o.g.g.e.r.$.
0d 00 0a 00 37 00 33 00 20 00 37 00 34 00 20 00 ....7.3...7.4...
37 00 32 00 20 00 36 00 39 00 20 00 36 00 65 00 7.2...6.9...6.e.
20 00 36 00 37 00 20 00 33 00 32 00 20 00 30 00 ..6.7...3.2...0.
30 00 20 00 35 00 38 00 20 00 37 00 34 00 20 00 0...5.8...7.4...
37 00 32 00 20 00 36 00 35 00 20 00 36 00 64 00 7.2...6.5...6.d.
20 00 36 00 35 00 20 00 35 00 32 00 20 00 34 00 ..6.5...5.2...4.
31 00 20 00 73 00 74 00 72 00 69 00 6e 00 67 00 1...s.t.r.i.n.g.
32 00 2e 00 58 00 74 00 72 00 65 00 6d 00 65 00 2...X.t.r.e.m.e.
52 00 41 00 0d 00 0a 00 35 00 34 00 20 00 32 00 R.A.....5.4...2.
34 00 20 00 37 00 33 00 20 00 37 00 34 00 20 00 4...7.3...7.4...
37 00 32 00 20 00 36 00 39 00 20 00 36 00 65 00 7.2...6.9...6.e.
20 00 36 00 37 00 20 00 33 00 33 00 20 00 30 00 ..6.7...3.3...0.
30 00 20 00 35 00 38 00 20 00 35 00 34 00 20 00 0...5.8...5.4...
35 00 32 00 20 00 34 00 35 00 20 00 34 00 64 00 5.2...4.5...4.d.

2014-11-21 17:01:39,417 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x482742, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A.
54 00 24 00 73 00 74 00 72 00 69 00 0d 00 0a 00 T.$.s.t.r.i..... 36 00 65 00 20 00 36 00 37 00 20 00 33 00 33 00 6.e...6.7...3.3. 20 00 30 00 30 00 20 00 35 00 38 00 20 00 35 00 ..0.0...5.8...5. 34 00 20 00 35 00 32 00 20 00 34 00 35 00 20 00 4...5.2...4.5... 34 00 64 00 20 00 34 00 35 00 20 00 35 00 35 00 4.d...4.5...5.5. 20 00 35 00 30 00 20 00 34 00 34 00 20 00 34 00 ..5.0...4.4...4. 31 00 20 00 35 00 34 00 20 00 34 00 35 00 20 00 1...5.4...4.5... 6e 00 67 00 33 00 2e 00 58 00 54 00 52 00 45 00 n.g.3...X.T.R.E. 4d 00 45 00 55 00 50 00 44 00 41 00 54 00 45 00 M.E.U.P.D.A.T.E. 0d 00 0a 00 0d 00 0a 00 32 00 30 00 31 00 34 00 ........2.0.1.4. 2d 00 31 00 31 00 2d 00 32 00 31 00 20 00 31 00 -.1.1.-.2.1...1. 36 00 3a 00 35 00 31 00 3a 00 34 00 32 00 2c 00 6.:.5.1.:.4.2.,. 30 00 35 00 32 00 20 00 2d 00 20 00 64 00 65 00 0.5.2...-...d.e. 74 00 65 00 63 00 74 00 6f 00 72 00 20 00 2d 00 t.e.c.t.o.r...-. 20 00 57 00 41 00 52 00 4e 00 49 00 4e 00 47 00 ..W.A.R.N.I.N.G. 2014-11-21 17:01:39,418 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48308A, Value: 58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A. 54 00 24 00 73 00 74 00 0d 00 0a 00 37 00 32 00 T.$.s.t.....7.2.
20 00 36 00 39 00 20 00 36 00 65 00 20 00 36 00 ..6.9...6.e...6.
37 00 20 00 33 00 33 00 20 00 30 00 30 00 20 00 7...3.3...0.0...
35 00 38 00 20 00 35 00 34 00 20 00 35 00 32 00 5.8...5.4...5.2.
20 00 34 00 35 00 20 00 34 00 64 00 20 00 34 00 ..4.5...4.d...4.
35 00 20 00 35 00 35 00 20 00 35 00 30 00 20 00 5...5.5...5.0...
34 00 34 00 20 00 34 00 31 00 20 00 72 00 69 00 4.4...4.1...r.i.
6e 00 67 00 33 00 2e 00 58 00 54 00 52 00 45 00 n.g.3...X.T.R.E.
4d 00 45 00 55 00 50 00 44 00 41 00 0d 00 0a 00 M.E.U.P.D.A.....
0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 31 00 ....2.0.1.4.-.1.
31 00 2d 00 32 00 31 00 20 00 31 00 36 00 3a 00 1.-.2.1...1.6.:.
35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 35 00 5.1.:.4.2.,.0.5.
32 00 20 00 2d 00 20 00 64 00 65 00 74 00 65 00 2...-...d.e.t.e.
63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 57 00 c.t.o.r...-...W.
41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 2d 00 A.R.N.I.N.G...-.

2014-11-21 17:01:39,420 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4838C0, Value:

58 00 74 00 72 00 65 00 6d 00 65 00 52 00 41 00 X.t.r.e.m.e.R.A.
54 00 24 00 73 00 74 00 72 00 69 00 6e 00 0d 00 T.$.s.t.r.i.n... 0a 00 36 00 37 00 20 00 33 00 33 00 20 00 30 00 ..6.7...3.3...0. 30 00 20 00 35 00 38 00 20 00 35 00 34 00 20 00 0...5.8...5.4... 35 00 32 00 20 00 34 00 35 00 20 00 34 00 64 00 5.2...4.5...4.d. 20 00 34 00 35 00 20 00 35 00 35 00 20 00 35 00 ..4.5...5.5...5. 30 00 20 00 34 00 34 00 20 00 34 00 31 00 20 00 0...4.4...4.1... 35 00 34 00 20 00 34 00 35 00 20 00 32 00 34 00 5.4...4.5...2.4. 20 00 67 00 33 00 2e 00 58 00 54 00 52 00 45 00 ..g.3...X.T.R.E. 4d 00 45 00 55 00 50 00 44 00 41 00 54 00 45 00 M.E.U.P.D.A.T.E. 24 00 0d 00 0a 00 37 00 33 00 20 00 37 00 34 00$.....7.3...7.4.
20 00 37 00 32 00 20 00 36 00 39 00 20 00 36 00 ..7.2...6.9...6.
65 00 20 00 36 00 37 00 20 00 33 00 34 00 20 00 e...6.7...3.4...
30 00 30 00 20 00 35 00 33 00 20 00 35 00 34 00 0.0...5.3...5.4.
20 00 35 00 35 00 20 00 34 00 32 00 20 00 35 00 ..5.5...4.2...5.
38 00 20 00 35 00 34 00 20 00 35 00 32 00 20 00 8...5.4...5.2...

2014-11-21 17:01:39,421 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485AC2, Value:

2014-11-21 17:01:39,423 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48735E, Value:

2014-11-21 17:01:39,424 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4827CA, Value:

2014-11-21 17:01:39,426 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x483948, Value:

2014-11-21 17:01:39,427 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x484AC4, Value:

22.11.2014, 14:10   #9
derdingens

### What to do? Detekt found five (!) Trojans, virus scanners so far with no findings.

Detekt.Log, fourth part
Code: ATTFilter
2014-11-21 17:01:39,428 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485300, Value:

2014-11-21 17:01:39,430 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4863FC, Value:

2014-11-21 17:01:39,430 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4873E6, Value:

2014-11-21 17:01:39,433 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x487C9C, Value:

2014-11-21 17:01:39,434 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48756E, Value:

2014-11-21 17:01:39,436 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x488F18, Value:

2014-11-21 17:01:39,437 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x484CD4, Value:

2014-11-21 17:01:39,438 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485510, Value:

2014-11-21 17:01:39,440 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48660C, Value:

2014-11-21 17:01:39,441 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x4875F6, Value:

2014-11-21 17:01:39,444 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x487EAC, Value:

2014-11-21 17:01:39,444 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x488FA0, Value:

2014-11-21 17:01:39,447 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x489856, Value:

2014-11-21 17:01:39,447 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48A194, Value:

2014-11-21 17:01:39,448 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x485ED6, Value:

2014-11-21 17:01:39,450 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48AAD2, Value:

2014-11-21 17:01:39,451 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x487050, Value:

2014-11-21 17:01:39,453 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48BD4E, Value:

2014-11-21 17:01:39,454 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48ACEC, Value:

2014-11-21 17:01:39,457 - detector - WARNING - Process notepad.exe (pid: 8588) matched: Xtreme at address: 0x48C68C, Value:

55 00 6e 00 69 00 74 00 42 00 69 00 6e 00 64 00 U.n.i.t.B.i.n.d.
65 00 72 00 24 00 75 00 6e 00 69 00 74 00 38 00 e.r.$.u.n.i.t.8. 0d 00 0a 00 30 00 30 00 20 00 35 00 35 00 20 00 ....0.0...5.5... 36 00 65 00 20 00 36 00 39 00 20 00 37 00 34 00 6.e...6.9...7.4. 20 00 34 00 39 00 20 00 36 00 65 00 20 00 36 00 ..4.9...6.e...6. 61 00 20 00 36 00 35 00 20 00 36 00 33 00 20 00 a...6.5...6.3... 37 00 34 00 20 00 35 00 30 00 20 00 37 00 32 00 7.4...5.0...7.2. 20 00 36 00 66 00 20 00 36 00 33 00 20 00 36 00 ..6.f...6.3...6. 35 00 20 00 2e 00 55 00 6e 00 69 00 74 00 49 00 5.....U.n.i.t.I. 6e 00 6a 00 65 00 63 00 74 00 50 00 72 00 6f 00 n.j.e.c.t.P.r.o. 63 00 65 00 0d 00 0a 00 37 00 33 00 20 00 37 00 c.e.....7.3...7. 33 00 20 00 35 00 38 00 20 00 37 00 34 00 20 00 3...5.8...7.4... 37 00 32 00 20 00 36 00 35 00 20 00 36 00 64 00 7.2...6.5...6.d. 20 00 36 00 35 00 20 00 30 00 30 00 20 00 36 00 ..6.5...0.0...6. 34 00 20 00 36 00 35 00 20 00 37 00 34 00 20 00 4...6.5...7.4... 36 00 35 00 20 00 36 00 33 00 20 00 37 00 34 00 6.5...6.3...7.4. 2014-11-21 17:01:39,457 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48E916, Value: 55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
0d 00 0a 00 37 00 30 00 20 00 36 00 34 00 20 00 ....7.0...6.4...
33 00 32 00 20 00 30 00 30 00 20 00 35 00 35 00 3.2...0.0...5.5.
20 00 37 00 30 00 20 00 36 00 34 00 20 00 35 00 ..7.0...6.4...5.
34 00 20 00 36 00 39 00 20 00 36 00 64 00 20 00 4...6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 70 00 64 00 32 00 2e 00 55 00 70 00 f...p.d.2...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l. 6f 00 6f 00 0d 00 0a 00 36 00 62 00 20 00 36 00 o.o.....6.b...6. 64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1... 30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7. 20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6. 65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0... 35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9. 20 00 32 00 30 00 20 00 6b 00 6d 00 61 00 31 00 ..2.0...k.m.a.1. 2014-11-21 17:01:39,460 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48F156, Value: 55 00 70 00 64 00 4a 00 6f 00 62 00 0d 00 0a 00 U.p.d.J.o.b..... 32 00 34 00 20 00 37 00 35 00 20 00 37 00 30 00 2.4...7.5...7.0. 20 00 36 00 34 00 20 00 33 00 32 00 20 00 30 00 ..6.4...3.2...0. 30 00 20 00 35 00 35 00 20 00 37 00 30 00 20 00 0...5.5...7.0... 36 00 34 00 20 00 35 00 34 00 20 00 36 00 39 00 6.4...5.4...6.9. 20 00 36 00 64 00 20 00 36 00 35 00 20 00 37 00 ..6.d...6.5...7. 32 00 20 00 32 00 34 00 20 00 36 00 63 00 20 00 2...2.4...6.c... 24 00 75 00 70 00 64 00 32 00 2e 00 55 00 70 00$.u.p.d.2...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l. 0d 00 0a 00 36 00 66 00 20 00 36 00 66 00 20 00 ....6.f...6.f... 36 00 62 00 20 00 36 00 64 00 20 00 36 00 31 00 6.b...6.d...6.1. 20 00 33 00 31 00 20 00 30 00 30 00 20 00 34 00 ..3.1...0.0...4. 66 00 20 00 37 00 37 00 20 00 36 00 65 00 20 00 f...7.7...6.e... 36 00 39 00 20 00 36 00 65 00 20 00 36 00 37 00 6.9...6.e...6.7. 20 00 32 00 30 00 20 00 35 00 30 00 20 00 34 00 ..2.0...5.0...4. 33 00 20 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 3...o.o.k.m.a.1. 2014-11-21 17:01:39,460 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48FA0A, Value: 55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 0d 00 0a 00 35 00 35 00 p.d.2.......5.5.
20 00 37 00 30 00 20 00 36 00 34 00 20 00 35 00 ..7.0...6.4...5.
34 00 20 00 36 00 39 00 20 00 36 00 64 00 20 00 4...6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 55 00 70 00 6.1...3.1...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l. 6f 00 6f 00 6b 00 6d 00 61 00 31 00 0d 00 0a 00 o.o.k.m.a.1..... 30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7. 20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6. 65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0... 35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9. 20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7. 35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4... 2014-11-21 17:01:39,461 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x490AFE, Value: 55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T.
0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.

2014-11-21 17:01:39,463 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x491348, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 0d 00 0a 00 36 00 34 00 20 00 33 00 32 00 p.....6.4...3.2.
20 00 30 00 30 00 20 00 35 00 35 00 20 00 37 00 ..0.0...5.5...7.
30 00 20 00 36 00 34 00 20 00 35 00 34 00 20 00 0...6.4...5.4...
36 00 39 00 20 00 36 00 64 00 20 00 36 00 35 00 6.9...6.d...6.5.
20 00 37 00 32 00 20 00 32 00 34 00 20 00 36 00 ..7.2...2.4...6.
63 00 20 00 36 00 66 00 20 00 36 00 66 00 20 00 c...6.f...6.f...
36 00 62 00 20 00 64 00 32 00 2e 00 55 00 70 00 6.b...d.2...U.p.
64 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 d.T.i.m.e.r.$.l.
6f 00 6f 00 6b 00 0d 00 0a 00 36 00 64 00 20 00 o.o.k.....6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 e...6.9...6.e...
36 00 37 00 20 00 32 00 30 00 20 00 35 00 30 00 6.7...2.0...5.0.
20 00 34 00 33 00 20 00 34 00 39 00 20 00 32 00 ..4.3...4.9...2.
30 00 20 00 36 00 32 00 20 00 6d 00 61 00 31 00 0...6.2...m.a.1.

2014-11-21 17:01:39,464 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x491B78, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 0d 00 p.d.2...U.p.d...
0a 00 35 00 34 00 20 00 36 00 39 00 20 00 36 00 ..5.4...6.9...6.
64 00 20 00 36 00 35 00 20 00 37 00 32 00 20 00 d...6.5...7.2...
32 00 34 00 20 00 36 00 63 00 20 00 36 00 66 00 2.4...6.c...6.f.
20 00 36 00 66 00 20 00 36 00 62 00 20 00 36 00 ..6.f...6.b...6.
64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1...
30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7.
20 00 54 00 69 00 6d 00 65 00 72 00 24 00 6c 00 ..T.i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 0d 00 0a 00 36 00 65 00 20 00 36 00 39 00 w.....6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2.
20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 36 00 63 00 20 00 36 00 66 00 20 00 4...6.c...6.f...

2014-11-21 17:01:39,467 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x492436, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T.
0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.

2014-11-21 17:01:39,469 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x492C72, Value:

55 00 70 00 64 00 4a 00 6f 00 62 00 24 00 75 00 U.p.d.J.o.b.$.u.
70 00 64 00 32 00 2e 00 55 00 70 00 64 00 54 00 p.d.2...U.p.d.T.
0d 00 0a 00 36 00 39 00 20 00 36 00 64 00 20 00 ....6.9...6.d...
36 00 35 00 20 00 37 00 32 00 20 00 32 00 34 00 6.5...7.2...2.4.
20 00 36 00 63 00 20 00 36 00 66 00 20 00 36 00 ..6.c...6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 69 00 6d 00 65 00 72 00 24 00 6c 00 e...i.m.e.r.$.l.
6f 00 6f 00 6b 00 6d 00 61 00 31 00 2e 00 4f 00 o.o.k.m.a.1...O.
77 00 6e 00 0d 00 0a 00 36 00 39 00 20 00 36 00 w.n.....6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.

2014-11-21 17:01:39,470 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48E992, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 0d 00 0a 00 36 00 62 00 $.l.o.o.....6.b.
20 00 36 00 64 00 20 00 36 00 31 00 20 00 33 00 ..6.d...6.1...3.
31 00 20 00 30 00 30 00 20 00 34 00 66 00 20 00 1...0.0...4.f...
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 6b 00 6d 00 4.9...2.0...k.m.
61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 0d 00 0a 00 g...P.C.I.......
0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 31 00 ....2.0.1.4.-.1.
31 00 2d 00 32 00 31 00 20 00 31 00 36 00 3a 00 1.-.2.1...1.6.:.
35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 38 00 5.1.:.4.2.,.0.8.
32 00 20 00 2d 00 20 00 64 00 65 00 74 00 65 00 2...-...d.e.t.e.
63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 57 00 c.t.o.r...-...W.
41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 2d 00 A.R.N.I.N.G...-.

2014-11-21 17:01:39,471 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48F1D2, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 0d 00 0a 00 36 00 66 00 20 00 36 00 $.l.....6.f...6.
66 00 20 00 36 00 62 00 20 00 36 00 64 00 20 00 f...6.b...6.d...
36 00 31 00 20 00 33 00 31 00 20 00 30 00 30 00 6.1...3.1...0.0.
20 00 34 00 66 00 20 00 37 00 37 00 20 00 36 00 ..4.f...7.7...6.
65 00 20 00 36 00 39 00 20 00 36 00 65 00 20 00 e...6.9...6.e...
36 00 37 00 20 00 32 00 30 00 20 00 35 00 30 00 6.7...2.0...5.0.
20 00 34 00 33 00 20 00 6f 00 6f 00 6b 00 6d 00 ..4.3...o.o.k.m.
61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n.
67 00 2e 00 50 00 43 00 0d 00 0a 00 34 00 39 00 g...P.C.....4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 37 00 ..2.0...6.2...7.
35 00 20 00 37 00 33 00 20 00 32 00 34 00 20 00 5...7.3...2.4...
36 00 63 00 20 00 36 00 66 00 20 00 36 00 66 00 6.c...6.f...6.f.
20 00 36 00 62 00 20 00 36 00 64 00 20 00 36 00 ..6.b...6.d...6.
31 00 20 00 33 00 32 00 20 00 30 00 30 00 20 00 1...3.2...0.0...
34 00 36 00 20 00 36 00 66 00 20 00 49 00 2e 00 4.6...6.f...I...

2014-11-21 17:01:39,473 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48FA86, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 $.l.o.o.k.m.a.1.
0d 00 0a 00 30 00 30 00 20 00 34 00 66 00 20 00 ....0.0...4.f...
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2.
20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 4.....O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 75 00 g...P.C.I...b.u.
73 00 24 00 0d 00 0a 00 36 00 63 00 20 00 36 00 s.$.....6.c...6.
66 00 20 00 36 00 66 00 20 00 36 00 62 00 20 00 f...6.f...6.b...
36 00 64 00 20 00 36 00 31 00 20 00 33 00 32 00 6.d...6.1...3.2.
20 00 30 00 30 00 20 00 34 00 36 00 20 00 36 00 ..0.0...4.6...6.
66 00 20 00 37 00 32 00 20 00 36 00 64 00 20 00 f...7.2...6.d...
36 00 31 00 20 00 37 00 34 00 20 00 37 00 34 00 6.1...7.4...7.4.

2014-11-21 17:01:39,474 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x4913C4, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 6b 00 0d 00 0a 00 36 00 $.l.o.o.k.....6.
64 00 20 00 36 00 31 00 20 00 33 00 31 00 20 00 d...6.1...3.1...
30 00 30 00 20 00 34 00 66 00 20 00 37 00 37 00 0.0...4.f...7.7.
20 00 36 00 65 00 20 00 36 00 39 00 20 00 36 00 ..6.e...6.9...6.
65 00 20 00 36 00 37 00 20 00 32 00 30 00 20 00 e...6.7...2.0...
35 00 30 00 20 00 34 00 33 00 20 00 34 00 39 00 5.0...4.3...4.9.
20 00 32 00 30 00 20 00 36 00 32 00 20 00 6d 00 ..2.0...6.2...m.
61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 0d 00 g...P.C.I...b...
0a 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 36 00 63 00 20 00 36 00 66 00 20 00 4...6.c...6.f...
36 00 66 00 20 00 36 00 62 00 20 00 36 00 64 00 6.f...6.b...6.d.
20 00 36 00 31 00 20 00 33 00 32 00 20 00 30 00 ..6.1...3.2...0.
30 00 20 00 34 00 36 00 20 00 36 00 66 00 20 00 0...4.6...6.f...
37 00 32 00 20 00 36 00 64 00 20 00 36 00 31 00 7.2...6.d...6.1.

2014-11-21 17:01:39,476 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x4935B6, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 6b 00 6d 00 61 00 31 00 $.l.o.o.k.m.a.1.
0d 00 0a 00 30 00 30 00 20 00 34 00 66 00 20 00 ....0.0...4.f...
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 36 00 32 00 4.9...2.0...6.2.
20 00 37 00 35 00 20 00 37 00 33 00 20 00 32 00 ..7.5...7.3...2.
34 00 20 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 4.....O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 62 00 75 00 g...P.C.I...b.u.
73 00 24 00 0d 00 0a 00 36 00 63 00 20 00 36 00 s.$.....6.c...6.
66 00 20 00 36 00 66 00 20 00 36 00 62 00 20 00 f...6.f...6.b...
36 00 64 00 20 00 36 00 31 00 20 00 33 00 32 00 6.d...6.1...3.2.
20 00 30 00 30 00 20 00 34 00 36 00 20 00 36 00 ..0.0...4.6...6.
66 00 20 00 37 00 32 00 20 00 36 00 64 00 20 00 f...7.2...6.d...
36 00 31 00 20 00 37 00 34 00 20 00 37 00 34 00 6.1...7.4...7.4.

2014-11-21 17:02:15,836 - detector - INFO - Scanning finished
2014-11-21 17:02:15,838 - detector.service - INFO - Trying to stop the winpmem service...
2014-11-21 17:02:15,842 - detector.service - INFO - Trying to delete the winpmem service...
2014-11-21 17:02:15,845 - detector - INFO - Service stopped
2014-11-21 17:02:15,845 - detector - INFO - Analysis finished
`

23.11.2014, 08:07   #10
schrauber
/// the machine
/// TB-Ausbilder

## Detekt found five! Trojans, virus scanner so far with no findings. What to do?

Quote:
 Detekt advises never going online with this PC again.
Utter nonsense. Delete Detekt from your disk. Don't believe everything straight away just because some websites are quick to praise some tool.

The computer has nothing at all.
__________________
regards,
schrauber

Proud Member of UNITE and ASAP since 2009

Donations
Guides and help

No help via PM!
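One check worth running on a log like the one posted above before taking the "five RATs" at face value: decode the bytes detekt printed for each hit and look at what was actually matched. The following is an added example written for this edit, not code from Detekt, from Trojaner-Board or from anyone in the thread. It parses detekt's "Value:" hex-dump rows from a constructed sample (the 0x48E992 hit copied from the log above, re-broken into one row per line, plus the log's closing INFO line), decodes the bytes as UTF-16LE (the in-memory text encoding of Windows Notepad) and flags a hit when the decoded text contains detekt's own log-line prefix. For this hit the decoded text ends in "2014-11-21 16:51:42,082 - detector - WARNING -", a detekt log line stamped ten minutes before the scan, which is what one would expect if an earlier detekt.log was open in Notepad (pid 8588) while the scanner ran; that reading is an inference from the log, not something the thread states. The regular expressions are derived from the log lines above, and the assumption that every hex row carries 16 bytes is marked in the code.

```python
import re

# Constructed sample, not a new capture: the 0x48E992 hit copied from the
# detekt.log posted in this thread, one 16-byte hex-dump row per line as detekt
# prints it, followed by the log's closing INFO line.
SAMPLE_LOG = """\
2014-11-21 17:01:39,470 - detector - WARNING - Process notepad.exe (pid: 8588) matched: RCS_Scout at address: 0x48E992, Value:

55 00 70 00 64 00 54 00 69 00 6d 00 65 00 72 00 U.p.d.T.i.m.e.r.
24 00 6c 00 6f 00 6f 00 0d 00 0a 00 36 00 62 00 $.l.o.o.....6.b.
20 00 36 00 64 00 20 00 36 00 31 00 20 00 33 00 ..6.d...6.1...3.
31 00 20 00 30 00 30 00 20 00 34 00 66 00 20 00 1...0.0...4.f...
37 00 37 00 20 00 36 00 65 00 20 00 36 00 39 00 7.7...6.e...6.9.
20 00 36 00 65 00 20 00 36 00 37 00 20 00 32 00 ..6.e...6.7...2.
30 00 20 00 35 00 30 00 20 00 34 00 33 00 20 00 0...5.0...4.3...
34 00 39 00 20 00 32 00 30 00 20 00 6b 00 6d 00 4.9...2.0...k.m.
61 00 31 00 2e 00 4f 00 77 00 6e 00 69 00 6e 00 a.1...O.w.n.i.n.
67 00 2e 00 50 00 43 00 49 00 2e 00 0d 00 0a 00 g...P.C.I.......
0d 00 0a 00 32 00 30 00 31 00 34 00 2d 00 31 00 ....2.0.1.4.-.1.
31 00 2d 00 32 00 31 00 20 00 31 00 36 00 3a 00 1.-.2.1...1.6.:.
35 00 31 00 3a 00 34 00 32 00 2c 00 30 00 38 00 5.1.:.4.2.,.0.8.
32 00 20 00 2d 00 20 00 64 00 65 00 74 00 65 00 2...-...d.e.t.e.
63 00 74 00 6f 00 72 00 20 00 2d 00 20 00 57 00 c.t.o.r...-...W.
41 00 52 00 4e 00 49 00 4e 00 47 00 20 00 2d 00 A.R.N.I.N.G...-.

2014-11-21 17:02:15,836 - detector - INFO - Scanning finished
"""

# Header of one match record, format taken from the log lines in this thread.
HEADER_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+) - detector - WARNING - "
    r"Process (?P<proc>\S+) \(pid: (?P<pid>\d+)\) matched: (?P<rule>\S+) "
    r"at address: (?P<addr>0x[0-9A-Fa-f]+), Value:\s*(?P<dump>.*)$"
)
# One hex-dump row: 16 "xx " byte columns, then the 16-character ASCII column.
# Assumption: detekt always prints full 16-byte rows (every row above is one).
ROW_RE = re.compile(r"^((?:[0-9a-f]{2} ){16})")
# Detekt's own log-line prefix. Finding it inside matched memory means the
# scanner hit text from a detekt.log rather than an implant's strings.
DETEKT_PREFIX_RE = re.compile(r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d+ - detector - ")


def parse_detekt_log(text):
    """Group each WARNING header with its hex-dump rows; one dict per hit."""
    records, current = [], None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank separator lines carry nothing
        m = HEADER_RE.match(line)
        if m:
            current = {
                "ts": m["ts"], "process": m["proc"], "pid": int(m["pid"]),
                "rule": m["rule"], "address": int(m["addr"], 16), "raw": bytearray(),
            }
            records.append(current)
            line = m["dump"]              # a first row may sit on the header line
            if not line:
                continue
        elif current is None:
            continue                      # INFO lines etc. outside any record
        row = ROW_RE.match(line)
        if row:
            current["raw"] += bytes.fromhex(row.group(1).strip())
        else:
            current = None                # any other line ends the record
    return records


def decode_value(record):
    """Decode the matched bytes as UTF-16LE, the encoding Notepad keeps text in."""
    return bytes(record["raw"]).decode("utf-16-le", errors="replace")


def triage(record):
    """Decode one hit and flag it when the matched memory is detekt's own log text."""
    text = decode_value(record)
    return {
        "process": record["process"], "pid": record["pid"], "rule": record["rule"],
        "address": f"0x{record['address']:X}",
        "decoded": text,
        "is_detekt_log_text": DETEKT_PREFIX_RE.search(text) is not None,
    }


if __name__ == "__main__":
    for rec in parse_detekt_log(SAMPLE_LOG):
        t = triage(rec)
        print(f"{t['process']} pid {t['pid']} {t['rule']} @ {t['address']}: "
              f"self-match={t['is_detekt_log_text']}")
        print(repr(t["decoded"]))
```

Feed the complete detekt.log to parse_detekt_log to triage every hit the same way; a hit whose decoded value is a signature string sitting inside an editor's or a scanner's own text buffer says nothing about the process the string was found in, so the process name and what that process would plausibly hold in memory are the first things to check before a reinstall.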

23.11.2014, 13:48   #11
derdingens

## Detekt found five! Trojans, virus scanner so far with no findings. What to do?

Thanks a lot for the quick reply.

Kind regards,

DerDingens

24.11.2014, 09:47   #12
schrauber
/// the machine
/// TB-Ausbilder

## Detekt found five! Trojans, virus scanner so far with no findings. What to do?

You're welcome.
__________________
regards,
schrauber
