Win32.Ramnit_f5d9902ce9

by malwarelabrobot on May 11th, 2017 in Malware Descriptions.

Win32.Ramnit (BitDefender), Virus:Win32/Ramnit.A (Microsoft), Virus.Win32.Nimnul.a (Kaspersky), Virus.Win32.Ramnit.a (v) (VIPRE), Win32.Rmnet (DrWeb), Win32.Ramnit (B) (Emsisoft), W32/Ramnit.a (McAfee), W32.Ramnit!inf (Symantec), DDoS.Win32.Nitol (Ikarus), Win32.Ramnit (FSecure), Generic_r.EKO (AVG), Win32:RmnDrp (Avast), PE_RAMNIT.H (TrendMicro), Win32.Ramnit (AdAware), GenericInjector.YR, DDoSNitol.YR (Lavasoft MAS)
Behaviour: Virus

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: f5d9902ce9891dc74597527a6ca77104
SHA1: 7ebe9678ecca75c45aa6e87a66747b4533b9092f
SHA256: d1b815b4cf252d1aeeb4a5fc51be7fbe6f2addefda87a7ef2f84b8c6274724ca
SSDeep: 1536:rBvMbyHwxc3JzKmeQg59QZmV/rFzLqrXXhVPfIRhlX3oQz:rJXJwVrQCorh0Xz
Size: 78336 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-06-03 02:39:37
Analyzed on: Windows7 SP1 32-bit

Summary:

Virus. A program that recursively replicates a possibly evolved copy of itself.

Payload

No specific payload has been found.

Process activity

The Virus creates the following process(es):

%original file name%.exe:2984
yyamykSrv.exe:264
f5d9902ce9891dc74597527a6ca77104Srv.exe:1908

The Virus injects its code into the following process(es):

chrome.exe:2920
yyamyk.exe:684
iexplore.exe:2944

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process chrome.exe:2920 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)

The process yyamyk.exe:684 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\Windows\yyamykSrv.exe (113 bytes)
C:\RCX7944.tmp (22644 bytes)
C:\Windows\System32\hra33.dll (12 bytes)
C:\lpk.dll (601 bytes)
C:\Windows\Sys (90 bytes)
C:\Boot\lpk.dll (601 bytes)

The process %original file name%.exe:2984 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

C:\f5d9902ce9891dc74597527a6ca77104Srv.exe (113 bytes)
C:\Windows\yyamyk.exe (601 bytes)

The process yyamykSrv.exe:264 makes changes in the file system.
The Virus deletes the following file(s):

%Program Files%\Microsoft\px76D4.tmp (0 bytes)

The process f5d9902ce9891dc74597527a6ca77104Srv.exe:1908 makes changes in the file system.
The Virus creates and/or writes to the following file(s):

%Program Files%\Microsoft\DesktopLayer.exe (113 bytes)

The Virus deletes the following file(s):

%Program Files%\Microsoft\px76B5.tmp (0 bytes)

Registry activity

The process chrome.exe:2920 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKCU\Software\Google\Chrome\BLBeacon]
"State" = "2"
"failed_count" = "0"

The Virus adds the reference to itself to be executed when a user logs on:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "c:\windows\system32\userinit.exe,,c:\windows\yyamyksrv.exe,c:\program files\microsoft\desktoplayer.exe"

The process %original file name%.exe:2984 makes changes in the system registry.
The Virus creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Services\Vwxyab Defghijk Mno]
"Description" = "Vwxyabcd Fghijklmn Pqrstuv Xyabcdef Hij"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"

The Virus deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

MD5	File path
7b81dd2c569975f5fa9fd0e5a90e3abf	c:\Boot\lpk.dll
7b81dd2c569975f5fa9fd0e5a90e3abf	c:\Perl\bin\lpk.dll
7b81dd2c569975f5fa9fd0e5a90e3abf	c:\Windows\System32\hra33.dll
3b0e3f923f87e4a4a6afbb2dabab6a4f	c:\f5d9902ce9891dc74597527a6ca77104Srv.exe
7b81dd2c569975f5fa9fd0e5a90e3abf	c:\lpk.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
UPX0	4096	36864	0	0	d41d8cd98f00b204e9800998ecf8427e
UPX1	40960	20480	18432	5.4293	c44e395800015d12c514f7ffd93c4019
.rsrc	61440	4096	1024	1.70391	cb2c2957270c610b7b940ce34cc18caa
.rmnet	65536	61440	57856	5.52703	233575bde480410e2d925deaa8738bfb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
yy22815.com	115.238.236.87
google.com	216.58.214.238
czcxiansheng.f3322.net	61.147.103.233
fget-career.com	89.185.44.100

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN Win32/Ramnit Checkin

Traffic

The Virus connects to the servers at the folowing location(s):

yyamyk.exe_684:

`.rsrc

.rmnet

WS2_32.dll

sUnl=oOpenKey

)NULL#"%s"

.exe#

~d

GET(HTTP/1.1

.ms-q

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyA

RegCloseKey

czcxiansheng.f3322.net

mpr.dll

\\%s\ipc$

\\%s\admin$\g1fd.exe

\\%s\C$\NewArean.exe

C:\g1fd.exe

\\%s\D$\g1fd.exe

D:\g1fd.exe

\\%s\E$\g1fd.exe

E:\g1fd.exe

\\%s\F$\g1fd.exe

F:\g1fd.exe

at \\%s %d:%d %s

password

12345678

%d.%d.%d.%d

hra%u.dll

kernel32.dll

%c%c%c%cÌn.exe

yy22815.com

ddd

%c%c%c%c%c%c.exe

%s %s %s%d

%d*%u%s

%u MB

0.0.0.0

%u Gbps

%u Mbps

GET %s HTTP/1.1

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

%s %s%s

Host: %s:%d

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

.text

`.rdata

@.data

.rsrc

@.reloc

SHELL32.dll

SHLWAPI.dll

lpk.attack

lpk.dll

GetWindowsDirectoryA

WinExec

RegOpenKeyExA

_acmdln

ShellExecuteExA

ShellExecuteA

SHDeleteKeyA

.data

#EXE.

KERNEL32.DLL

iphlpapi.dll

MSVCRT.dll

USER32.dll

Srv.exe

C:\Windows\yyamykSrv.exe

O.Cp}l

OO.sJD

AM6d%X

4ml%F

.pkrd

.DBxA

Xvi%2x

8KeysX

<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>

SHELL32.DLL

USER32.DLL

106.42.73.61

2528-6142

nedwp.exe

yyamyk.exe_684_rwx_00401000_0000D000:

WS2_32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyA

RegCloseKey

czcxiansheng.f3322.net

mpr.dll

\\%s\ipc$

\\%s\admin$\g1fd.exe

\\%s\C$\NewArean.exe

C:\g1fd.exe

\\%s\D$\g1fd.exe

D:\g1fd.exe

\\%s\E$\g1fd.exe

E:\g1fd.exe

\\%s\F$\g1fd.exe

F:\g1fd.exe

at \\%s %d:%d %s

password

12345678

%d.%d.%d.%d

hra%u.dll

kernel32.dll

%c%c%c%cÌn.exe

yy22815.com

ddd

%c%c%c%c%c%c.exe

%s %s %s%d

%d*%u%s

%u MB

0.0.0.0

%u Gbps

%u Mbps

GET %s HTTP/1.1

Host: %s

User-Agent:Mozilla/5.0 (X11; U; Linux i686; en-US; re:1.4.0) Gecko/20080808 Firefox/%d.0

Referer: hXXp://%s:80/hXXp://%s

%s %s%s

Host: %s:%d

User-Agent:Mozilla/4.0 (compatible; MSIE %d.00; Windows NT %d.0; MyIE 3.01)

Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/vnd.ms-excel, application/vnd.ms-powerpoint, application/msword, */*

User-Agent:Mozilla/4.0 (compatible; MSIE %d.0; Windows NT %d.1; SV1)

User-Agent:Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

GET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htmGET ^&&%$%$^%$#^&**(*((&*^%$##$%^&*(*&^%$%^&*.htm

.text

`.rdata

@.data

.rsrc

@.reloc

SHELL32.dll

SHLWAPI.dll

lpk.attack

lpk.dll

GetWindowsDirectoryA

WinExec

RegOpenKeyExA

_acmdln

ShellExecuteExA

ShellExecuteA

SHDeleteKeyA

.data

#EXE.

yyamyk.exe_684_rwx_00410000_0000F000:

Srv.exe

C:\Windows\yyamykSrv.exe

kernel32.dll

.rsrc

O.Cp}l

OO.sJD

AM6d%X

4ml%F

.pkrd

.DBxA

Xvi%2x

8KeysX

<requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>

KERNEL32.DLL

SHELL32.DLL

USER32.DLL

106.42.73.61

2528-6142

nedwp.exe

iexplore.exe_2944:

.text

`.data

.rsrc

@.reloc

Bv.TBv

>.uzf

.us;}

IEFRAME.dll

MLANG.dll

iertutil.dll

urlmon.dll

ole32.dll

SHELL32.dll

SHLWAPI.dll

msvcrt.dll

USER32.dll

KERNEL32.dll

ADVAPI32.dll

RegOpenKeyExW

RegCloseKey

GetWindowsDirectoryW

_amsg_exit

_wcmdln

UrlApplySchemeW

PathIsURLW

UrlCanonicalizeW

UrlCreateFromPathW

iexplore.pdb

KEYW

KEYWh

KEYWD

.ENNNG.

a.ry.v

l.igM4

?1%SGf

xh.JW^

.97777"7" " " !

3.... ))

8888888888888

8888888888

.lPV)

úW1

.ApX/

H.ZAf

ð[U

%s!FK

1YYYY1YY9GEAA=77YRNNNW:.VT1

888777777

Y.hilkRROMLK=C,

..(((($$

3...((((%

3....(.''$

3.2...((((%

33.2....(,'

55323222...

(%&'00443445?

00.,,,4(

000.,,9(

0020..9(

003200;(

(#'( (''''!'!

Microsoft.InternetExplorer.Default

user32.dll

Kernel32.DLL

xfire.exe

wlmail.exe

winamp.exe

waol.exe

sidebar.exe

psocdesigner.exe

np.exe

netscape.exe

netcaptor.exe

neoplanet.exe

msn.exe

mshtmpad.exe

mshta.exe

loader42.exe

infopath.exe

iexplore.exe

iepreview.exe

groove.exe

explorer.exe

dreamweaver.exe

contribute.exe

aol.exe

{28fb17e0-d393-439d-9a21-9474a070473a}

Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings

DShell32.dll

Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iexplore.exe

Software\Microsoft\Active Setup\Installed Components\>{26923b43-4d38-484f-9b9e-de460746276c}

"%s" %s

Kernel32.dll

\AppPatch\sysmain.sdb

-extoff go.microsoft.com/fwlink/?LinkId=106323

-extoff go.microsoft.com/fwlink/?LinkId=106322

-extoff go.microsoft.com/fwlink/?LinkId=106320

kernel32.dll

{00000000-0000-0000-0000-000000000000}

\\?\Volume

shell:%s

Imaging_CreateWebPagePreview_Perftrack

Browseui_Tabs_Tearoff_BetweenWindows

Frame_URLEntered

Imaging_CreateWebPagePreview

WS_ExecuteQuery

Shdocvw_BaseBrowser_FireEvent_WindowStateChanged

IdleTask_Execution_Time

9.00.8112.16421 (WIN7_IE9_RTM.110308-0330)

IEXPLORE.EXE

Windows

9.00.8112.16421

chrome.exe_2920:

.text

`.rdata

@.data

.gfids

@.tls

.rsrc

@.reloc

D$,j.Xf

j.Yf;

_tcPVj@

.PjRW

Cv.SCv

ole32.dll

POWRPROF.dll

address family not supported

broken pipe

function not supported

inappropriate io control operation

not supported

operation canceled

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

InitOnceExecuteOnce

operator

operator ""

?#%X.y

%S#[k

?OLEAUT32.dll

user32.dll

c:\b\build\slave\win-pgo\build\src\chrome\app\chrome_exe_main_win.cc

c:\b\build\slave\win-pgo\build\src\chrome\app\main_dll_loader_win.cc

Failed to load Chrome DLL from

ChromeMain

RelaunchChromeBrowserWithNewCommandLineIfNeeded

Could not find exported function

%s: option `%s' is ambiguous (could be `--%s' or `--%s')

%s: invalid option -- `-%c'

%s: argument required for option `

--%s'

0.8.0

%ls (%s) %s

hXXps://crashpad.chromium.org/

hXXps://crashpad.chromium.org/bug/new

Report %ls bugs to

%s home page: <%s>

%ls: %s

(0x%X)

Error (0x%X) while retrieving error. (0x%X)

PlatformFile.UnknownErrors.Windows

c:\b\build\slave\win-pgo\build\src\base\threading\thread_local_win.cc

0123456789

Histogram: %s recorded %d samples

(flags = 0x%x)

.syzygy

.thunks

Windows NT

Histogram.InconsistentCountHigh

Histogram.InconsistentCountLow

c:\b\build\slave\win-pgo\build\src\base\metrics\persistent_memory_allocator.cc

(%d = %3.1f%%)

UMA.CreatePersistentHistogram.Result

Dictionary keys must be quoted.

Unsupported encoding. JSON must be UTF-8.

Line: %i, column: %i, %s

widevinecdmadapter.dll

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_update_settings.cc

Removed incremental installer failure key; switching to channel:

Failed to write to application's ClientState key

Removed multi-install failure key; switching to channel:

CHROME_PROBED_PROGRAM_FILES_PATH

chrome-sxs

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\google_chrome_distribution.cc

iexplore.exe

googlechrome

googlechromeframe

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\channel_info.cc

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\language_selector.cc

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\app_commands.cc

Cannot initialize AppCommands from an invalid key.

Skipping over key "

Failed to open key "

Cannot initialize an AppCommand from an invalid key.

c:\b\build\slave\win-pgo\build\src\chrome\installer\util\app_command.cc

CHROME_MAIN_TICKS

user_experience_metrics.reporting_enabled

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\settings.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\numeric\in_range_cast.h

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\crash_report_database_win.cc

x-x-x-xx-xxxxxx

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\misc\uuid.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_io.cc

--annotation=KEY=VALUE set a process annotation in each crash report

--database=PATH store the crash report database at PATH

create a new pipe and send its name via HANDLE

--pipe-name=PIPE communicate with the client over PIPE

--url=URL send crash reports to this Breakpad server URL,

pipe-name

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\handler_main.cc

duplicate key

--annotation requires KEY=VALUE

--handshake-handle and --pipe-name are incompatible

--handshake-handle or --pipe-name is required

SetProcessShutdownParameters

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\crash_report_upload_thread.cc

reserved key

FinishedWritingCrashReport failed

PrepareNewCrashReport failed

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\handler\win\crash_report_exception_handler.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_file_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writer_util.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_writable.cc

%s.%s,%s,%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\minidump\minidump_context_writer.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\process_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\crashpad_info_client_options.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_simple_string_dictionary_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\module_snapshot_minidump.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\exception_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\module_snapshot_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\system_snapshot_win.cc

%s %d.%d.%d.%s%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_reader_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\minidump\minidump_string_list_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\capture_memory.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\cpu_context_win.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_annotations_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\process_subrange_reader.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\snapshot\win\pe_image_resource_reader.cc

kernel32.dll

c:\b\build\slave\win-pgo\build\src\sandbox\win\src\sandbox_policy_base.cc

NtOpenKey

NtCreateKey

GetCertificateSize

GetCertificate

GetCertificateSizeByHandle

GetCertificateByHandle

SetOPMSigningKeyAndSequenceNumbers

CreateNamedPipeW

NtOpenKeyEx

PruneCrashReportDatabase: Failed to get pending reports

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\client\prune_crash_reports.cc

PruneCrashReportDatabase: Failed to get completed reports

Database Pruning: Failed to remove report

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\exception_handler_server.cc

::GetNamedPipeClientProcessId

\\.\pipe\crashpad_%d_

ImpersonateNamedPipeClient

ConnectNamedPipe

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_reader.cc

WinHttpSetTimeouts

WinHttpCrackUrl

WinHttpConnect

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_transport_win.cc

WinHttpCloseHandle

Crashpad/0.8.0

WinHttpOpen

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpQueryHeaders

HTTP status %d

WinHttpOpenRequest

WinHttpAddRequestHeaders

WinHttpReadData

%%x

--%s%sContent-Disposition: form-data; name="%s"

; filename="%s"%s

Content-Type: %s%s

multipart/form-data; boundary=%s

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_process_suspend.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\file\file_seeker.cc

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\process_info.cc

Reading x64 process from x86 process not supported

0x%llx   0x%llx (%s)

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\module_version.cc

(0xx)

<failed to retrieve error message (0x%x)>

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\scoped_local_alloc.cc

WaitNamedPipe

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\win\registration_protocol_win.cc

TransactNamedPipe

SetNamedPipeHandleState

TransactNamedPipe: expected

c:\b\build\slave\win-pgo\build\src\third_party\crashpad\crashpad\util\net\http_body.cc

InvokeMainViaCRT

ExitMainViaCRT

Microsoft.CRTProvider

C:\b\build\slave\win-pgo\build\src\out\Release\initialexe\chrome.exe.pdb

.text$di

.text$mn

.text$x

.text$yd

.idata$5

.CRT$XCA

.CRT$XCAA

.CRT$XCC

.CRT$XCL

.CRT$XCU

.CRT$XCZ

.CRT$XIA

.CRT$XIAA

.CRT$XIAC

.CRT$XIC

.CRT$XIZ

.CRT$XLA

.CRT$XLB

.CRT$XLZ

.CRT$XPA

.CRT$XPX

.CRT$XPXA

.CRT$XPZ

.CRT$XTA

.CRT$XTZ

.rdata

.rdata$T

.rdata$r

.rdata$sxdata

.rdata$zETW0

.rdata$zETW1

.rdata$zETW2

.rdata$zETW9

.rdata$zzzdbg

.rtc$IAA

.rtc$IZZ

.rtc$TAA

.rtc$TZZ

.xdata$x

.didat$2

.didat$3

.didat$4

.didat$6

.didat$7

.edata

.idata$2

.idata$3

.idata$4

.idata$6

.data

.data$r

.didat$5

.gfids$x

.gfids$y

.tls$ZZZ

.rsrc$01

.rsrc$02

chrome.exe

SignalChromeElf

SignalInitializeCrashReporting

chrome_elf.dll

RegOpenKeyExW

RegEnumKeyExW

RegCreateKeyExW

RegQueryInfoKeyW

RegCloseKey

ADVAPI32.dll

CreateIoCompletionPort

GetWindowsDirectoryW

GetProcessHandleCount

KERNEL32.dll

ShellExecuteExW

SHELL32.dll

CloseWindowStation

CreateWindowStationW

GetProcessWindowStation

SetProcessWindowStation

USER32.dll

VERSION.dll

WINMM.dll

WTSAPI32.dll

RPCRT4.dll

GetCPInfo

GetProcessHeap

PeekNamedPipe

DisconnectNamedPipe

WaitNamedPipeW

WINHTTP.dll

.?AU_Crt_new_delete@std@@

a.IDATx

%F?????????3

ÿFFFFFFFFFFFFFFF?B%

:1----16

Rhgf^rrrr(   ?NOCdhgfrrrr...DlEBScjhg^rr,001k>985Tnhherr-12

:BBBBBBBBBB>>-.jdddcccca

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><dependency><dependentAssembly><assemblyIdentity type="win32" name="54.0.2840.71" version="54.0.2840.71" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>

3 3*363@3

6#6(60676

0%1X1y1

4"4'4-44494p4K5Z9j9t9}9

; ;%;7;>;^;

< =0=4=8=<=

6 6$6(6,60646

8-8C8}8

? ?$?(?,?0?4?8?<?

= =$=(=,=0=4=8=

5 5$5(5,5054585

? ?$?(?,?0?

= =@=\=`=

KERNEL32.DLL

mscoree.dll

ext-ms-win-ntuser-windowstation-l1-1-0

portuguese-brazilian

Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers

nchrome_watcher.dll

PreReadChromeChildInBrowser

${windows}

Ndebug.log

\StringFileInfo\xx\%ls

ntdll.dll

shell32.dll

script.log

resources.pak

chrome

pepflashplayer.dll

Browse the web

Software\Microsoft\Windows\CurrentVersion\Uninstall\Chromium

{A2DF06F9-A21A-44A8-8A99-8B9C84F29160}

{7D2B3E1D-D096-4594-9D8F-A6667F12E0AC}

Chrome

chrome_child.dll

chrome.dll

Google Chrome Canary

Chrome Canary HTML Document

ChromeSSHTM

{1BEAC3E3-B852-44F4-B468-8906C062422E}

{4ea16ac7-fd5a-47c3-875b-dbf4a2008c20}

ChromeCanary

{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}

Google Chrome binaries

hXXps://support.google.com/chrome/contact/chromeuninstall3?hl=$1

Google Chrome

%d.%d.%d

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome

ChromeHTML

Chrome HTML Document

{8A69D345-D564-463c-AFF1-A69D9E530F96}

{5C65F4B0-3651-4514-B207-D10CB699B14B}

Google Chrome Frame

Chrome in a Frame.

Google\Chrome Frame

Software\Microsoft\Windows\CurrentVersion\Uninstall\Google Chrome Frame

{8BA986DA-5100-405E-AA35-86F34A02ACBF}

WebAccessible

-chromeframe

-chrome

lSOFTWARE\Policies\Google\Chrome

reports

settings.dat

ALPC Port

\Sessions\%d\AppContainerNamedObjects\%ls

sHKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_TEXT

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_PERFORMANCE_NLSTEXT

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

pipe\

tgdi32.dll

xntdll.dll

Chrome_MessageWindow

Failed to create directory %ls, last error is %d

Chrome SxS\Application

winhttp.dll

54.0.2840.71

chrome_exe

iexplore.exe_2944_rwx_00180000_00001000:

wC:\Windows\yyamykSrv.exe

iexplore.exe_2944_rwx_20010000_00009000:

.text

.rdata

@.data

.reloc

Srv.exe

kernel32.dll

chrome.exe_2920_rwx_00090000_00001000:

w%Program Files%\Microsoft\DesktopLayer.exe

chrome.exe_2920_rwx_20010000_00009000:

.text

.rdata

@.data

.reloc

Srv.exe

kernel32.dll

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:2984
yyamykSrv.exe:264
f5d9902ce9891dc74597527a6ca77104Srv.exe:1908
Delete the original Virus file.
Delete or disinfect the following files created/modified by the Virus:

%Program Files%\Google\Chrome\Application\dmlconf.dat (48 bytes)
C:\Windows\yyamykSrv.exe (113 bytes)
C:\RCX7944.tmp (22644 bytes)
C:\Windows\System32\hra33.dll (12 bytes)
C:\lpk.dll (601 bytes)
C:\Boot\lpk.dll (601 bytes)
C:\f5d9902ce9891dc74597527a6ca77104Srv.exe (113 bytes)
C:\Windows\yyamyk.exe (601 bytes)
%Program Files%\Microsoft\DesktopLayer.exe (113 bytes)
Remove the references to the Virus by modifying the following registry value(s) (How to Work with System Registry):

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit" = "c:\windows\system32\userinit.exe,,c:\windows\yyamyksrv.exe,c:\program files\microsoft\desktoplayer.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.