Gen.Heur.MSIL.Androm.3_f2af690756 – Adaware

HEUR:Trojan.Win32.Generic (Kaspersky), Gen:Heur.MSIL.Androm.3 (B) (Emsisoft), Gen:Heur.MSIL.Androm.3 (AdAware), Backdoor.Win32.Xtrat.FD, GenericAutorunWorm.YR, GenericInjector.YR (Lavasoft MAS)Behaviour: Trojan, Backdoor, Worm, WormAutorun

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: f2af690756b98d258501df2f423d3818

SHA1: 659c77b6971f795555ffb23652c072303b4ad61e

SHA256: 7ee350d862ce7065d75475e1e2175a7ff87dcb46cc687f4110b33fffaa6ed755

SSDeep: 3072:Xkfn0z3uUvVht3QVc/YA2UUf1rm9p8tw/465AUVUVjNtGxhM/3q:0fMuULNU6YPfJXG/4CUVcQq

Size: 180616 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6

Company: no certificate found

Created at: 2017-02-05 18:13:14

Analyzed on: Windows7 SP1 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

Behaviour	Description
WormAutorun	A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Process activity

The Trojan creates the following process(es):

csc.exe:3568
cvtres.exe:1480

The Trojan injects its code into the following process(es):

%original file name%.exe:1796
applaunch.exe:1780
svchost.exe:2348

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1796 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PEYvTOrp.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.cmdline (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1B2E.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1B2F.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1B2D.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp31B0.tmp.txt (22516 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.out (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab318E.tmp (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar318F.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1B30.tmp (2712 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.cmdline (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.out (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1B2E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1B2F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1B2D.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp31B0.tmp.txt (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab318E.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar318F.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1B30.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.err (0 bytes)

The process applaunch.exe:1780 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Windows\System32\InstallDir\Server.exe (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\dWiQzXLm5.dat (308 bytes)

The process csc.exe:3568 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.dll (4658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC3284.tmp (652 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.out (396 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES3285.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC3284.tmp (0 bytes)

The process cvtres.exe:1480 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES3285.tmp (3666 bytes)

Registry activity

The process %original file name%.exe:1796 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Classes\Local Settings\MuiCache\2D\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD]
"Blob" = "0F 00 00 00 01 00 00 00 20 00 00 00 52 29 BA 15"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PEYvTOrp.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates]
"D69B561148F01C77C54578C10926DF5B856976AD"

The process applaunch.exe:1780 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\XtremeRAT]
"Mutex" = "dWiQzXLm5"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASMANCS]
"EnableFileTracing" = "0"
"MaxFileSize" = "1048576"
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\dWiQzXLm5]
"ServerStarted" = "12/02/2017 02:44:55"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\dWiQzXLm5]
"ServerName" = "C:\Windows\system32\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASAPI32]
"MaxFileSize" = "1048576"

"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{I03565D8-8S35-8CQ1-RIYN-U4R5N66V6L6C}]
"StubPath" = "C:\Windows\system32\InstallDir\Server.exe restart"

[HKLM\SOFTWARE\Microsoft\Tracing\AppLaunch_RASMANCS]
"EnableConsoleTracing" = "0"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "C:\Windows\system32\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "C:\Windows\system32\InstallDir\Server.exe"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
0f01571a3e4c71eb4313175aae86488e	c:\Windows\System32\InstallDir\Server.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

A worm can spread via removable drives. It writes its executable and creates "autorun.inf" scripts on all removable drives. The autorun script will execute the Trojan's file once a user opens a drive's folder in Windows Explorer.

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
csc.exe:3568
cvtres.exe:1480
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PEYvTOrp.exe (673 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.cmdline (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1B2E.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1B2F.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab1B2D.tmp (51 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\tmp31B0.tmp.txt (22516 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.out (259 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015 (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015 (1700 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab318E.tmp (50 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar318F.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar1B30.tmp (2712 bytes)
C:\Windows\System32\InstallDir\Server.exe (55 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\dWiQzXLm5.dat (308 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ysqyzphh.dll (4658 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\CSC3284.tmp (652 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\RES3285.tmp (3666 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\PEYvTOrp.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"HKCU" = "C:\Windows\system32\InstallDir\Server.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HKLM" = "C:\Windows\system32\InstallDir\Server.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Find and delete all copies of the worm's file together with "autorun.inf" scripts on removable drives.
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: Tomb Raider: Anniversary
Product Name: Tomb Raider: Anniversary
Product Version: 1.0.9
Legal Copyright: Copyright (C) 2007 Eidos Inc.
Legal Trademarks: Crystal Dynamics(R), the Crystal Dynamics(R) logo and the Eidos(R) logo are registered trademarks of the Eidos Group of Companies
Original Filename: hackerCFA.exe
Internal Name: hackerCFA.exe
File Version: 1.0.9
File Description: Tomb Raider: Anniversary
Comments: Tomb Raider: Anniversary
Language: English (United States)

Company Name: Tomb Raider: AnniversaryProduct Name: Tomb Raider: AnniversaryProduct Version: 1.0.9Legal Copyright: Copyright (C) 2007 Eidos Inc.Legal Trademarks: Crystal Dynamics(R), the Crystal Dynamics(R) logo and the Eidos(R) logo are registered trademarks of the Eidos Group of CompaniesOriginal Filename: hackerCFA.exeInternal Name: hackerCFA.exeFile Version: 1.0.9File Description: Tomb Raider: AnniversaryComments: Tomb Raider: AnniversaryLanguage: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	8192	174260	174592	5.51031	d7dc4b9cd572aa01fe765116a1e1f704
.rsrc	188416	4096	4096	1.57957	d249e93a08e35241fcea7469e55c3a5a
.reloc	196608	12	512	0.070639	01fdcb2cfc6b1540de79e57c93fdbeca

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://a767.dspw65.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab	80.231.122.160
equipeponder.duckdns.org	141.255.144.42
dns.msftncsi.com

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Cache-Control: max-age = 86402

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Fri, 16 Sep 2016 21:16:59 GMT

If-None-Match: "8017f9a85f10d21:0"

User-Agent: Microsoft-CryptoAPI/6.1

Host: VVV.download.windowsupdate.com

HTTP/1.1 200 OK

Cache-Control: max-age=604800

Content-Type: application/octet-stream

Last-Modified: Sat, 12 Nov 2016 01:34:12 GMT

Accept-Ranges: bytes

ETag: "02e4de843cd21:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 50939

Date: Sun, 12 Feb 2017 00:44:54 GMT

Connection: keep-alive

X-CCC: FR

X-CID: 2

MSCF............,...................I.................kI;. .authroot.stl.6....7..CK...<.[.........].y.Q..YKv..%k.....!..H!.Q.-..$tU$.)7k..R.=...n3......}?...3gf......h<.2...4.(q..f......&{.`....02.s...2@`.J.<#..q..0Xy%.4..egd.:M.B....in.([....W....(.|.....|....s!..Mo..@......|"(n;Z..'~DE.}(........Mz:T....x..{..n.`z..-.\.............q....ld2z..N/.b.J...........X.S.:UN.S.v."..'l........:yz.<."!.]O..6.:d.....C.P ....P($.Y.Q y..y..B....u.`...u.00.....|(..A.J.Cp.c...X..g.........}..'........D.QVFf0...D...a6.f.0.....k.*8...<.;..o...(.....f...L.0..C.......I.A!.H.....'._)....Qc.V.....5D..,..d../(..j.F.d.....`..f...$>:_%.W..(....@.r.9..Ob.e.$..m.~.]....g.......%`e_..&Qhp .......ey.c.....H`.%<9.......#.\S...R.5....v.......dWE.....:...../"3.._..l.XiH.J!..............{.5C_...i.U....7....;p....Q.`....L.j........u....b.`:Mk.L.......*..@M^m..Jv...g........<d:l..Kq.X...*y...x1.u....... .....z.....c.(<.b...l.#....,z~..M.Y.]..Z....F..N./..[.#....Ol...f.k........U.rF)D....3..sK...`..W.....5.=.@#a....!./....>...g.(. ..9..>!.K..e..j..{x.0.^,...U9..ru.C......,..q^1.G..A.e.F[...".1..*...^...L..#:,7...:.z.n...fI1.....l..E.q>......E...x n....H....t....5.....\...<.l....7}.`\..~_..#..Bz....i..[{.w.....a...c....E w?..6..l......x8..H....7.e.;.%.:.!.*Q....#..bT.......(....ka.......B..|.........1....t.r...fk....C.t`....@3.P..*t..nmD.....8$.bd..`D...5X.....H..L../1:..Ap...w.\...,..U..../"X......}X...a...G....N.X..<....MG....r..H....._@..Q2..T...Q.....].e.G./.v,.Z5ib..5........9 ............z..!...g

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

applaunch.exe_1780:

`.rsrc

ServerKeyloggerU

789:;

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

juXqhu2.iu

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

.LzraryAk

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

equipeponder.duckdns.org

Server.exe

%Explorer.exe%

{I03565D8-8S35-8CQ1-RIYN-U4R5N66V6L6C}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ftpuser

PTF.ftpserver.com

C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe

applaunch.exe_1780_rwx_10000000_0007E000:

`.rsrc

ServerKeyloggerU

789:;

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

juXqhu2.iu

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

.LzraryAk

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

equipeponder.duckdns.org

Server.exe

%Explorer.exe%

{I03565D8-8S35-8CQ1-RIYN-U4R5N66V6L6C}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ftpuser

PTF.ftpserver.com

C:\Windows\Microsoft.NET\Framework\v2.0.50727\applaunch.exe

svchost.exe_2348:

.text

`.data

.rsrc

@.reloc

msvcrt.dll

API-MS-Win-Core-ProcessThreads-L1-1-0.dll

KERNEL32.dll

NTDLL.DLL

API-MS-Win-Security-Base-L1-1-0.dll

API-MS-WIN-Service-Core-L1-1-0.dll

API-MS-WIN-Service-winsvc-L1-1-0.dll

RPCRT4.dll

ole32.dll

ntdll.dll

_amsg_exit

RegCloseKey

RegOpenKeyExW

GetProcessHeap

svchost.pdb

version="5.1.0.0"

name="Microsoft.Windows.Services.SvcHost"

Host Process for Windows Services

Software\Microsoft\Windows NT\CurrentVersion\Svchost

Software\Microsoft\Windows NT\CurrentVersion\MgdSvchost

\PIPE\

Host Process for Windows Services

6.1.7600.16385 (win7_rtm.090713-1255)

svchost.exe

Windows

Operating System

6.1.7600.16385

svchost.exe_2348_rwx_10000000_0007E000:

`.rsrc

ServerKeyloggerU

789:;

%SERVER%

URLMON.DLL

shell32.dll

hXXp://

advapi32.dll

kernel32.dll

mpr.dll

version.dll

comctl32.dll

gdi32.dll

opengl32.dll

user32.dll

wintrust.dll

msimg32.dll

juXqhu2.iu

KWindows

TServerKeylogger

GetWindowsDirectoryW

RegOpenKeyExW

RegCreateKeyW

RegCloseKey

RegOpenKeyExA

FindExecutableW

ShellExecuteW

SHDeleteKeyW

URLDownloadToCacheFileW

UnhookWindowsHookEx

SetWindowsHookExW

MapVirtualKeyW

GetKeyboardLayout

GetKeyState

GetKeyboardType

GetKeyboardState

FtpPutFileW

FtpSetCurrentDirectoryW

.idata

.rdata

P.reloc

P.rsrc

.LzraryAk

URLDb

KERNEL32.DLL

ntdll.dll

oleaut32.dll

shlwapi.dll

wininet.dll

x.html

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_CURRENT_CONFIG

[Execute]

KeyDelBackspace

.html

XtremeKeylogger

Software\Microsoft\Windows\CurrentVersion\Run

.functions

icon=shell32.dll,4

shellexecute=

autorun.inf

\Microsoft\Windows\

ÞFAULTBROWSER%

svchost.exe

equipeponder.duckdns.org

Server.exe

%Explorer.exe%

{I03565D8-8S35-8CQ1-RIYN-U4R5N66V6L6C}

HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ftpuser

PTF.ftpserver.com