Gen.Variant.Symmi.62967_a02fab24ed – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

dwwin.exe:208
%original file name%.exe:852

The Trojan injects its code into the following process(es):

%original file name%.exe:1264
_xx_svchosst.exe:868
_xx_svchosst.exe:684

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process dwwin.exe:208 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25469A.dmp (113840 bytes)

The process %original file name%.exe:852 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_xx_svchosst.exe (1281 bytes)

The process %original file name%.exe:1264 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ratata\logs.html (1016 bytes)

The process _xx_svchosst.exe:868 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3c12_appcompat.txt (1895 bytes)

The process _xx_svchosst.exe:684 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\ratata\logs.html (1190 bytes)

Registry activity

The process dwwin.exe:208 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "26 A9 78 F2 42 B5 57 60 52 08 A2 63 86 24 04 A3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:852 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"_xx_svchosst.exe" = "_xx_svchosst"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 69 39 7F 52 3F EE ED 7D D6 15 0F 5B 03 93 4F"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process %original file name%.exe:1264 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB D9 04 D7 C1 F5 50 56 D1 90 88 F9 1D 0E 3E 26"

The process _xx_svchosst.exe:868 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 8D 20 5A D1 9A BE 4A D7 F9 71 9E 8F AF 89 9F"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"Guid" = "0c5a3172-2248-44fd-b9a6-8389cb1dc56a"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"BitNames" = " DOT11_ASSOCIATE DOT11_ROAMING DOT11_1X DOT11_PNP DOT11_SCAN DOT11_RECEIVE DOT11_SEND DOT11_IOCTL DOT11_OID DOT11_MISC DOT11_UPCALL DOT11_KEYMGR DOT11_PEER DOT11_SOFTAP DOT11_PAM DOT11_REPEATER DOT11_APROUTER DOT11_WME DOT11_CONFIG DOT11_MSM DOT11_MSM_ADAPT DOT11_MSM_SCAN DOT11_MSM_CONNECT DOT11_MSM_SECURITY_PKT DOT11_NOTIFY_OBJECT"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"Guid" = "2e8d9ec5-a712-48c4-8ce0-631eb0c1cd65"

[HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{0A2E9326-4C7A-4A3D-B362-B3F1B1F96429}]
"StubPath" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_xx_svchosst.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"BitNames" = " WD_LOG_FLAG_INIT WD_LOG_FLAG_RPC WD_LOG_FLAG_EVENT WD_LOG_FLAG_INTERFACE WD_LOG_FLAG_CONNECTION WD_LOG_FLAG_CONTROL WD_LOG_FLAG_LOCKS WD_LOG_FLAG_MEMORY WD_LOG_FLAG_REFERENCES WD_LOG_FLAG_FUNCTION_TRACE WD_LOG_FLAG_ASSERT"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WDiagCoreCtlGuid]
"Guid" = "637a0f36-dff5-4b2f-83dd-b106c1c725e2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\ServiceCtlGuid]
"BitNames" = " DOT11_AUTOCONF DOT11_AUTOCONF_CLIENT DOT11_AUTOCONF_UI DOT11_FATMSM DOT11_COMMON DOT11_WLANGPA DOT11_CLASS_COINSTALLER"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\WLanDiagCtlGuid]
"BitNames" = " WLANHC_AUTOCONFIG WLANHC_RNWFMSM WLANHC_FATMSM WLANHC_DLLMAIN WLANHC_TEST"
"Guid" = "6da4ddca-0901-4bae-9ad4-7e6030bab531"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\CtlGuid]
"Guid" = "d905ac1c-65e7-4242-99ea-fe66a8355df8"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\DiagL2SecCtlGuid]
"BitNames" = " SECHC_LOG_FLAG_ASSERT SECHC_LOG_FLAG_INIT SECHC_LOG_FLAG_DIAG SECHC_LOG_FLAG_ONEX_DIAG SECHC_LOG_FLAG_REPAIR SECHC_LOG_FLAG_STATE SECHC_LOG_FLAG_EXT SECHC_LOG_FLAG_EVENT_LOG SECHC_LOG_FLAG_FUNCTION SECHC_LOG_FLAG_MEMORY SECHC_LOG_FLAG_LOCKS"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_xx_svchosst.exe"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

The process _xx_svchosst.exe:684 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A6 78 E4 D0 CD 9E DA 15 F7 43 DF 73 70 A8 B8 4E"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:208
%original file name%.exe:852
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\25469A.dmp (113840 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_xx_svchosst.exe (1281 bytes)
%Documents and Settings%\%current user%\ratata\logs.html (1016 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3c12_appcompat.txt (1895 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"Windows Defender" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_xx_svchosst.exe"
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	339968	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	344064	241664	238592	5.492	ae8b5d2cb8deab9e7eada6197e41b321
.rsrc	585728	4096	3072	2.16563	f739df926071f2bd5a2e8fa3bd78878a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 2
a4bb62ee5dd2151de8b593b88e1db105
9fb335be4c7989c8ae8de26e2ebc6a1f

Network Activity

URLs

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1264:

.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

logs.html

KWindows

GetCPInfo

RegOpenKeyExA

RegCloseKey

GetKeyState

GetAsyncKeyState

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

KERNEL32.DLL

advapi32.dll

oleaut32.dll

user32.dll

Invalid variant operation

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

%original file name%.exe_1264_rwx_00400000_00014000:

.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

logs.html

KWindows

GetCPInfo

RegOpenKeyExA

RegCloseKey

GetKeyState

GetAsyncKeyState

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

KERNEL32.DLL

advapi32.dll

oleaut32.dll

user32.dll

Invalid variant operation

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

_xx_svchosst.exe_868:

`.rsrc

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

PSAPI.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword,=

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

AutoHotkeysd

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowStateH

OnKeyDown

OnKeyPress

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

avicap32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

76487-644-3177037-23510

55274-640-2673064-23950

sbiedll.dll

dbghelp.dll

Software\Microsoft\Windows\CurrentVersion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\MUTSS

HKEY_CURRENT_USER\Software\Microsoft\PATHSS

m.bat

m.bat"

Windows Vista

Windows 7

advapi32.dll

taskmgr.exe

explorer.exe

TWindows

User32.DLL

password

2.0.0

_xx_mydll.dll

80211_SHARED_KEY

Profile: %s

NetworkName: %s

Signal Quality: %d

Auth Algorithm: %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

\update.exe

Used Memory: %d %%

33|Keylogger is deactivated!

.html

/logs.html

software\microsoft\windows\currentversion\uninstall\

127.0.0.1****

.rsrc

/w)f%F

.xZTUWVSA

Pk.Dg

KERNEL32.DLL

user32.dll

RegCloseKey

blakdave.ddns.net****##90##123##Temp##_xx_svchosst.exe##Windows Defender##{0A2E9326-4C7A-4A3D-B362-B3F1B1F96429}##1##1##1##1##BKOL9OVGBM7HT8UBAMLI8=5 U##0##0##1##Remote-PC##1##0##0##0##PAD&=O8

KWindows

UrlMon

untCMDList

uWindows

HuntHTTPDownload

%uWebcam

SetNamedPipeHandleState

GetWindowsDirectoryA

GetCPInfo

CreatePipe

RegOpenKeyExA

RegOpenKeyA

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyA

SetViewportOrgEx

ShellExecuteA

keybd_event

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

GetKeyboardType

InternetOpenUrlA

.idata

.rdata

P.reloc

P.rsrc

4.IBJ/

gdi32.dll

msacm32.dll

ole32.dll

shell32.dll

shfolder.dll

version.dll

wininet.dll

winmm.dll

wlanapi.dll

wsock32.dll

No help keyword specified.

JPEG error #%d

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

'%s' is not a valid GUID value

I/O error %d

Integer overflow Invalid floating point operation

_xx_svchosst.exe_868_rwx_10001000_0008D000:

kernel32.dll

Windows

MSWHEEL_ROLLMSG

MSH_WHEELSUPPORT_MSG

MSH_SCROLL_LINES_MSG

PSAPI.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

oleaut32.dll

EVariantBadIndexError

ssShift

htKeyword

EInvalidOperation

u%CNu

%s_%d

EInvalidGraphicOperation

USER32.DLL

comctl32.dll

uxtheme.dll

IE(AL("%s",4),"AL(\"%0:s\",3)","JK(\"%1:s\",\"%0:s\")")

JumpID("","%s")

TKeyEvent

TKeyPressEvent

HelpKeyword,=

crSQLWait

%s (%s)

imm32.dll

AutoHotkeys

AutoHotkeysd

ssHotTrack

TWindowState

poProportional

TWMKey

KeyPreview

WindowStateH

OnKeyDown

OnKeyPress

OnKeyUp

System\CurrentControlSet\Control\Keyboard Layouts\%.8x

vcltest3.dll

User32.dll

avicap32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_CONFIG

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

76487-644-3177037-23510

55274-640-2673064-23950

sbiedll.dll

dbghelp.dll

Software\Microsoft\Windows\CurrentVersion

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\

HKEY_CURRENT_USER\Software\Microsoft\MUTSS

HKEY_CURRENT_USER\Software\Microsoft\PATHSS

m.bat

m.bat"

Windows Vista

Windows 7

advapi32.dll

taskmgr.exe

explorer.exe

TWindows

User32.DLL

password

2.0.0

_xx_mydll.dll

80211_SHARED_KEY

Profile: %s

NetworkName: %s

Signal Quality: %d

Auth Algorithm: %s

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

\update.exe

Used Memory: %d %%

33|Keylogger is deactivated!

.html

/logs.html

software\microsoft\windows\currentversion\uninstall\

127.0.0.1****

.rsrc

/w)f%F

.xZTUWVSA

Pk.Dg

KERNEL32.DLL

user32.dll

RegCloseKey

blakdave.ddns.net****##90##123##Temp##_xx_svchosst.exe##Windows Defender##{0A2E9326-4C7A-4A3D-B362-B3F1B1F96429}##1##1##1##1##BKOL9OVGBM7HT8UBAMLI8=5 U##0##0##1##Remote-PC##1##0##0##0##PAD&=O8

KWindows

UrlMon

untCMDList

uWindows

HuntHTTPDownload

%uWebcam

SetNamedPipeHandleState

GetWindowsDirectoryA

GetCPInfo

CreatePipe

RegOpenKeyExA

RegOpenKeyA

RegEnumKeyExA

RegDeleteKeyA

RegCreateKeyA

SetViewportOrgEx

ShellExecuteA

keybd_event

UnhookWindowsHookEx

SetWindowsHookExA

MapVirtualKeyA

LoadKeyboardLayoutA

GetKeyboardState

GetKeyboardLayoutList

GetKeyboardLayout

GetKeyState

GetKeyNameTextA

EnumWindows

EnumThreadWindows

ActivateKeyboardLayout

GetKeyboardType

InternetOpenUrlA

.idata

.rdata

P.reloc

P.rsrc

No help keyword specified.

JPEG error #%d

No help found for %s#No context-sensitive help installed$No topic-based help system installed

Alt Clipboard does not support Icons/Menu '%s' is already being used by another form

Unsupported clipboard format

Error creating window class Cannot focus a disabled or invisible window!Control '%s' has no parent window

Error reading %s%s%s: %s

Resource %s not found

%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group

Property %s does not exist

*Can't write to a read-only resource streamECheckSynchronize called from thread $%x, which is NOT the main thread

Class %s not found

A class named %s already exists%List does not allow duplicates ($0%x)#A component named %s already exists%String list does not allow duplicates

Cannot create file "%s". %s

Cannot open file "%s". %s

Invalid stream format$''%s'' is not a valid component name

Invalid property value List capacity out of bounds (%d)

List count out of bounds (%d)

List index out of bounds (%d)

Ancestor for '%s' not found

Cannot assign a %s to a %s

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

System Error. Code: %d.

Invalid variant operation%Invalid variant operation (%s%.8x)

%s5Could not convert variant of type (%s) into type (%s)=Overflow while converting variant of type (%s) into type (%s)

Operation not supported

External exception %x

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

'%s' is not a valid GUID value

I/O error %d

Integer overflow Invalid floating point operation

_xx_svchosst.exe_684:

.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

logs.html

KWindows

GetCPInfo

RegOpenKeyExA

RegCloseKey

GetKeyState

GetAsyncKeyState

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

KERNEL32.DLL

advapi32.dll

oleaut32.dll

user32.dll

Invalid variant operation

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

_xx_svchosst.exe_684_rwx_00400000_00014000:

.rsrc

kernel32.dll

$*@@@*$@@@$ *@@* $@@($*)@-$*@@$-*@@$*-@@(*$)@-*$@@*-$@@*$-@@-* $@-$ *@* $-@$ *-@$ -*@*- $@($ *)(* $)

logs.html

KWindows

GetCPInfo

RegOpenKeyExA

RegCloseKey

GetKeyState

GetAsyncKeyState

GetKeyboardType

.idata

.rdata

P.reloc

P.rsrc

KERNEL32.DLL

advapi32.dll

oleaut32.dll

user32.dll

Invalid variant operation

External exception %x

Interface not supported

%s (%s, line %d)

Abstract Error?Access violation at address %p in module '%s'. %s of address %p

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Privileged instruction(Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'"Variant method calls not supported

!'%s' is not a valid integer value

I/O error %d

Integer overflow Invalid floating point operation

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps