Resolved: [aaa1adasadasda444.net] to [217.11.251.173]
Traffic – by DNS
4 domains found
Country  Domain                  IP
CZ       aaa1adasadasda444.net   217.11.251.173
CZ       aaa1kjsadhasiodo.com    217.11.251.173
CZ       aaa1lilililili.com      217.11.251.173
CZ       aaa1skjadsdaskld.net    217.11.251.173
Traffic – by URL
4 outbound URL connections found
URL
aaa1adasadasda444.net/admin/image.php
aaa1kjsadhasiodo.com/admin/image.php
aaa1lilililili.com/admin/image.php
aaa1skjadsdaskld.net/admin/image.php
Strings from executable:
Processes:
PID   ParentPID  User          Path
3324  3144       xxxx-xxx:xxx  C:\WINDOWS\system32\wuauclt.exe

Ports:
Port  PID   Type  Path
1244  3324  TCP   C:\WINDOWS\system32\wuauclt.exe

Explorer Dlls:
DLL Path  Company Name  File Description
No changes Found

IE Dlls:
DLL Path  Company Name  File Description
No changes Found

Loaded Drivers:
Driver File  Company Name  Description

Monitored RegKeys:
Registry Key  Value

Kernel31 Api Log:
***** Installing Hooks *****
719f74df RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\WinSock2\Parameters)
719f80c4 RegOpenKeyExA (Protocol_Catalog9)
719f777e RegOpenKeyExA (000000B1)
719f764d RegOpenKeyExA (Catalog_Entries)
719f7cea RegOpenKeyExA (000000000001)
719f7cea RegOpenKeyExA (000000000002)
719f7cea RegOpenKeyExA (000000000003)
719f7cea RegOpenKeyExA (000000000004)
719f7cea RegOpenKeyExA (000000000005)
719f7cea RegOpenKeyExA (000000000006)
719f7cea RegOpenKeyExA (000000000007)
719f7cea RegOpenKeyExA (000000000008)
719f7cea RegOpenKeyExA (000000000009)
719f7cea RegOpenKeyExA (000000000010)
719f7cea RegOpenKeyExA (000000000011)
719f7cea RegOpenKeyExA (000000000012)
719f7cea RegOpenKeyExA (000000000013)
719f7cea RegOpenKeyExA (000000000014)
719f7cea RegOpenKeyExA (000000000015)
719f7cea RegOpenKeyExA (000000000016)
719f7cea RegOpenKeyExA (000000000017)
719f7cea RegOpenKeyExA (000000000018)
719f7cea RegOpenKeyExA (000000000019)
719f2623 WaitForSingleObject(790,0)
719f87c6 RegOpenKeyExA (NameSpace_Catalog5)
719f777e RegOpenKeyExA (00000039)
719f835b RegOpenKeyExA (Catalog_Entries)
719f84ef RegOpenKeyExA (000000000001)
719f84ef RegOpenKeyExA (000000000002)
719f84ef RegOpenKeyExA (000000000003)
719f84ef RegOpenKeyExA (000000000004)
719f2623 WaitForSingleObject(788,0)
719e1af2 RegOpenKeyExA (HKLM\System\CurrentControlSet\Services\Winsock2\Parameters)
719e198e GlobalAlloc()
7c80b72f ExitThread()
7d2454bb LoadLibraryA(kernel32.dll)=7c800000
7d2454bb LoadLibraryA(user32.dll)=7e390000
5cea9ca0 GetCurrentProcessId()=3144
7d23eab5 WaitForSingleObject(794,7530)
77b54cdb LoadLibraryA(VERSION.dll)=77bd0000
7c8191f8 LoadLibraryA(advapi32.dll)=77da0000

DirwatchData:
WatchDir Initilized OK
Watching C:\DOCUME~1\xxx\LOCALS~1\Temp
Watching C:\WINDOWS
Watching C:\Program Files
Created: C:\DOCUME~1\xxx\LOCALS~1\Temp\JETA4BA.tmp
Created: C:\DOCUME~1\xxx\LOCALS~1\Temp\JET53.tmp
Deteled: C:\DOCUME~1\xxx\LOCALS~1\Temp\JET53.tmp
Deteled: C:\DOCUME~1\xxx\LOCALS~1\Temp\JETA4BA.tmp

File: wuauclt.exe
Size: 53472 Bytes
MD5: 62BB79160F86CD962F312C68C6239BFD
Packer: File not found C:\iDEFENSE\SysAnalyzer\peid.exe

File Properties:
CompanyName       Microsoft Corporation
FileDescription   Windows Update
FileVersion       7.4.7600.226 (winmain_wtr_wsus3sp2(wmbla).090806-1834)
InternalName      wuauclt.exe
LegalCopyright    © Microsoft Corporation. All rights reserved.
OriginalFilename  wuauclt.exe
ProductName       Microsoft® Windows® Operating System
ProductVersion

Exploit Signatures:
Scanning for 19 signatures
Scan Complete: 56Kb in 0 seconds

Urls:
<dpiAware xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">true</dpiAware>

RegKeys:
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Trace
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\Setup\ServiceStartup
Software\Microsoft\Windows\CurrentVersion\WindowsUpdate\VolatileData
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequiredMandatory
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\PostRebootReporting
SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Services\Pending

ExeRefs:
File: wuauclt_dmp.exe_
wuauclt.exe failed to get proc address for UI export object with error %#lx
wuauclt.exe is exiting with code 0x%08X
wuauclt.exe launched with command line %s
wupdmgr.exe
wuauclt.exe
wuauclt.exe

Raw Strings:
File: wuauclt_dmp.exe_
MD5: 8140d9906a703f95da05f350a1030cc5
Size: 57346

Ascii Strings:
!This program cannot be run in DOS mode.
Hosting info:
http://whois.domaintools.com/217.11.251.173