MD5: c0db3b87d7b895dbfd879b0b0ce82159
SHA1: 2620bf3728db34f99ee58189da8eed0af5a81b9c
SHA256: becb56fd1c7e8c4fbab8df73191b1eaf2add926cc0686ec76f959acd4ecf370e
SSDeep: 98304:SqoT4ILbGt1oF/Kd Lvc44IJF96BvMUIiU5440qdeUed9mULabTyfbb:SqobG4oGRivMUIXU6Ty
Size: 3276288 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6, ACProtect141
Company: no certificate found
Created at: 2017-09-30 20:41:22
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1900

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Windows\Temp\splwow64.exe (1717 bytes)

Registry activity

The process %original file name%.exe:1900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

"UNCAsIntranet" = "0"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"nahvay" = "c:\%original file name%.exe"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

Dropped PE files

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: TODO:
Product Name: TODO:
Product Version: 1.0.0.1
Legal Copyright: TODO: (C) ????????
Legal Trademarks:
Original Filename: Test.exe
Internal Name: Test.exe
File Version: 1.0.0.1
File Description: Test
Comments:
Language: Chinese (Simplified, PRC)

PE Sections

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL	IP
xmr.crypto-pool.fr	163.172.226.128

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

The Trojan connects to the servers at the folowing location(s):

.text

`.rdata

@.data

.rsrc

@.reloc

9>t.hX

QSShL

j%XtL9E

t'SShl

SSSSh

tWSShW

tl9_ tgSSh

FTCP

tAHt.HHt

u$SShe

@ SSHPWj

FtPW

SSh@B

<SShG

Bv.SCv

.wH2-w

CNotSupportedException

Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Software\Microsoft\Windows\CurrentVersion\Policies\Network

Software\Microsoft\Windows\CurrentVersion\Policies\Comdlg32

KERNEL32.DLL

%s%s.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\appcore.cpp

lX-X-x-XX-XXXXXX

RegOpenKeyTransactedA

Advapi32.dll

RegCreateKeyTransactedA

CCmdTarget

RegDeleteKeyTransactedA

comctl32.dll

comdlg32.dll

shell32.dll

user32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\include\afxwin2.inl

Afx:%p:%x:%p:%p:%p

Afx:%p:%x

commctrl_DragListMsg

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\auxdata.cpp

RegDeleteKeyExA

lXXxXXXXXXXX

Shell32.dll

%s:%x:%x:%x:%x

%sMFCToolBar-%d%x

%sMFCToolBar-%d

%sMFCToolBarParameters

TOOLBAR_RESETKEYBAORD

&%d %s

kernel32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\filecore.cpp

ole32.dll

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winfrm.cpp

CMDITabProxyWnd

CMDIChildWndEx

CMDIFrameWndEx

KeyboardManager

MSG_CHECKEMPTYMINIFRAME

%sDockingManager-%d

MFCLink_UrlPrefix

MFCLink_Url

%sPane-%d%x

%sPane-%d

%sBasePane-%d%x

%sBasePane-%d

windows

ShowCmd

%c%d%c%s

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\winctrl2.cpp

CMDIChildWnd

CMDIFrameWnd

CMDIClientAreaWnd

%sMDIClientArea-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\viewcore.cpp

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oleipfrm.cpp

Hex={X,X,X}

%sMFCOutlookBar-%d%x

%sMFCOutlookBar-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\array_s.cpp

%sDockablePaneAdapter-%d%x

%sDockablePaneAdapter-%d

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\oledrop2.cpp

CMFCToolBarsKeyboardPropertyPage

f:\dd\vctools\vc7libs\ship\atlmfc\src\mfc\olestrm.cpp

ENABLE_KEYS

KEYS_MENU

KEYS

RGB(%d, %d, %d)

%sMFCTasksPane-%d%x

%sMFCTasksPane-%d

operator

GetProcessWindowStation

splwow64.exe

-o stratum tcp://xmr.crypto-pool.fr:7777 -u 42EetHfNVbnDB41b1PskiCNpvhcTJ6NEJjZPYTB6vDqjHzg5hkfRDy6DoyPjKY1QrHD5AhZdq4oCviv1s3hw3iLLDzqzN7M -p x -k -t

%s\%s

-o stratum tcp://xmr.crypto-pool.fr:7777 -u 42EetHfNVbnDB41b1PskiCNpvhcTJ6NEJjZPYTB6vDqjHzg5hkfRDy6DoyPjKY1QrHD5AhZdq4oCviv1s3hw3iLLDzqzN7M -p x -k

%c%c%c%c%c%c

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

C:\Windows\Temp

D:\VS2010\VC\atlmfc\include\afxwin1.inl

%s (%s:%d)

\Ming2017\Test\Release\Test.pdb

GetWindowsDirectoryA

GetCPInfo

KERNEL32.dll

CreateDialogIndirectParamA

UnhookWindowsHookEx

SetWindowsHookExA

GetKeyState

GetAsyncKeyState

MapVirtualKeyA

GetKeyboardLayout

GetKeyboardState

GetKeyNameTextA

MapVirtualKeyExA

USER32.dll

GetViewportExtEx

SetViewportOrgEx

OffsetViewportOrgEx

SetViewportExtEx

ScaleViewportExtEx

GetViewportOrgEx

GDI32.dll

MSIMG32.dll

COMDLG32.dll

WINSPOOL.DRV

RegOpenKeyExA

RegCloseKey

RegCreateKeyExA

RegDeleteKeyA

RegEnumKeyA

RegEnumKeyExA

ADVAPI32.dll

ShellExecuteA

SHELL32.dll

COMCTL32.dll

SHLWAPI.dll

OLEAUT32.dll

GdiplusShutdown

gdiplus.dll

OLEACC.dll

IMM32.dll

WINMM.dll

.PAVCMemoryException@@

.PAVCSimpleException@@

.PAVCObject@@

.PAVCNotSupportedException@@

.PAVCInvalidArgException@@

.?AVCNotSupportedException@@

.PAVCOleException@@

.PAVCResourceException@@

.PAVCUserException@@

.?AVCCmdUI@@

.?AVCTestCmdUI@@

.PAVCArchiveException@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDV12@PBD@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCDocument@@PAV3@@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD_N_N@@

.?AV?$CMap@PAVCDocument@@PAV1@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AVCMFCToolBarCmdUI@@

.PAVCFileException@@

.?AVCMDITabProxyWnd@@

.?AVCMDIChildWndEx@@

.?AVCMDIChildWnd@@

.?AVCMDIFrameWndEx@@

.?AVCMDIFrameWnd@@

.?AVCMFCCmdUsageCount@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDPAVCObList@@PAV3@@@

.?AV?$CList@PAVCMDIChildWndEx@@PAV1@@@

.?AVCMDIClientAreaWnd@@

.?AVCMFCRibbonCmdUI@@

.?AVCMFCColorBarCmdUI@@

.?AV?$CMap@KKV?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBD@@

.?AVCMFCAcceleratorKey@@

.?AVCMFCToolBarsKeyboardPropertyPage@@

.?AV?$CMap@V?$CStringT@DV?$StrTraitMFC@DV?$ChTraitsCRT@D@ATL@@@@@ATL@@PBDHH@@

.?AVCMFCRibbonKeyTip@@

.?AVCMFCTasksPaneToolBarCmdUI@@

.?AVCMFCAcceleratorKeyAssignCtrl@@

zcÁ

.?AVCCmdTarget@@

.PAVCException@@

c:\%original file name%.exe

P`.data

.rdata

`@.pdata

0@.xdata

0@.bss

.idata

\\?\pipe1

"%s" hash self-test failed.

[%d-d-d d:d:d]%s %s%s

[%d-d-d d:d:d]

[%s:%u] duplicate job received, ignore

{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}

[%s:%u] getaddrinfo error: "%s"

{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}

[%s:%u] error: "%s", code: %lld

[%s:%u] unsupported method: "%s"

[%s:%u] login error code: %d

[%s:%u] JSON decode failed: "%s"

[%s:%u] read error: "%s"

login

[%s:%u] connect error: "%s"

[%s:%u] DNS error: "%s"

[%s:%u] DNS error: "No IPv4 records found"

[01;36m%s:%d

[01;30m%s

use pool %s:%d %s

[01;37m%u

[31m"%s"

rejected (%lld/%lld) diff %u "%s" (%llu ms)

accepted (%lld/%lld) diff %u (%llu ms)

[01;37m%s:%d

[01;37m%d

new job from %s:%d diff %d

stratum tcp://

.nicehash.com

fee.xmrig.com

XMRig 2.1.0

%d.%d.%d

libuv/%s

libjansson/%s

%s: unsupported non-option argument '%s'

No pool URL supplied. Exiting.

userpass

-o, --url=URL URL of mining server

-O, --userpass=U:P username:password pair for mining server

-p, --pass=PASSWORD password for mining server

-k, --keepalive send keepalived for prevent timeout (need pool support)

--nicehash enable nicehash support

--print-time=N print hashrate report every N seconds

[01;36m%d

[01;37m, %s, av=%d, %sdonate=%d%%%s

* THREADS: %d, %s, av=%d, %sdonate=%d%%%s

gcc/%d.%d.%d

2.1.0

[01;36mXMRig/%s

[01;37m libuv/%s%s

* VERSIONS: XMRig/%s libuv/%s%s

[01;37mHUGE PAGES: %s, %s

* HUGE PAGES: %s, %s

[01;37mCPU: %s (%d) %sx64 %sAES-NI

* CPU: %s (%d) %sx64 %sAES-NI

* POOL #%d: %s:%d

[01;37mPOOL #%d:

[01;36m%s:%d

[01;36m%s

[22;36m%s %s

[01;36m%s H/s

speed 2.5s/60s/15m %s %s %s H/s max: %s H/s

0123456789;

%s/%s (Windows NT %lu.%lu

; Win64; x64) libuv/%s

tX4Fr.rh.46Aw-wl-6

.eK9K\9.

\uX

\uX\uX

%s near '%s'

%s near end of file

unable to decode byte 0x%x

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

NUL byte in object key not supported

duplicate object key

unable to open %s: %s

pipe

[%c%c%c] %-8s %p

Unknown system error %d

EAFNOSUPPORT

EMSGSIZE

EPIPE

EPROTONOSUPPORT

ESPIPE

address family not supported

ai_family not supported

socket type not supported

operation canceled

illegal operation on a directory

socket operation on non-socket

operation not supported on socket

operation not permitted

broken pipe

protocol not supported

cannot send after transport endpoint shutdown

1.13.1

!loop->wq_async.async_sent

((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE

%s: (%d) %s

(%d) %s

src/win/pipe.c

pipe->flags & UV_HANDLE_CONNECTION

pipe->u.fd == -1 || pipe->u.fd > 2

req->pipeHandle == INVALID_HANDLE_VALUE

req->pipeHandle != INVALID_HANDLE_VALUE

handle->type == UV_NAMED_PIPE

hThread == handle->pipe.conn.readfile_thread

req->write_buffer.base

!(handle->flags & UV_HANDLE_PIPESERVER)

pipe->type == UV_NAMED_PIPE

pipe->flags & UV_HANDLE_READ_PENDING

!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)

\\?\pipe\uv\%p-%lu

handle->pipe.serv.accept_reqs

handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE

avail >= sizeof(ipc_frame.header)

bytes == sizeof(ipc_frame.header)

ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)

avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)

bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)

handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes

handle->write_queue_size >= req->u.io.queued_bytes

handle->stream.conn.write_reqs_pending > 0

pipe->pipe.conn.eof_timer == NULL

!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)

pipe->pipe.conn.ipc_pid != -1

rfds.fd_count == 1

rfds.fd_array[0] == handle->socket

wfds.fd_count == 1

wfds.fd_array[0] == handle->socket

efds.fd_count == 1

efds.fd_array[0] == handle->socket

!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))

src/win/tcp.c

server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT

handle->type == UV_TCP

(tcp)->activecnt >= 0

!((tcp)->flags & UV__HANDLE_CLOSING)

.Asrc/win/timer.c

handle->tty.rd.read_line_buffer.base != NULL

handle->tty.rd.read_line_buffer.len > 0

handle->u.fd == -1 || handle->u.fd > 2

!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL

src/win/udp.c

handle->type == UV_UDP

handle->send_queue_size >= req->u.io.queued_bytes

len > 0 && len < ARRAY_SIZE(key_name)

ntdll.dll

powrprof.dll

0.0.0.0

0123456789

%u.%u.%u.%u

fdopt.data.stream->type == UV_NAMED_PIPE

!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)

!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)

mode == (PIPE_READMODE_BYTE | PIPE_WAIT)

0.4.0

operator

global constructors keyed to

global destructors keyed to

operator""

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

.pdata

unknown option -- %s

unknown option -- %c

option requires an argument -- %s

option requires an argument -- %c

Error cleaning up spin_keys for thread

once %p is %d

T%p %d %s

T%p %d V=%0X H=%p %s

Assertion failed: (%s), file %s, line %d

RWL%p %d %s

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s

C%p %d %s

C%p %d V=%0X w=%ld %s

GCC: (Rev2, Built by MSYS2 project) 6.3.0

GCC: (Rev2, Built by MSYS2 project) 7.1.0

RegOpenKeyExW

ConnectNamedPipe

CreateIoCompletionPort

CreateNamedPipeA

CreateNamedPipeW

GetNamedPipeHandleStateA

PeekNamedPipe

SetNamedPipeHandleState

WaitNamedPipeW

_acmdln

_amsg_exit

MapVirtualKeyW

IPHLPAPI.DLL

msvcrt.dll

PSAPI.DLL

USERENV.dll

WS2_32.dll

33333333

;33:3;33;333:3

:;3:3:3:3

:::33::3:3::::

;3;;3:3@$

;33:;:32

#;3;;233#2 $

3;;::3:::

#3::3;33

::;33::33

CCCG®ÌG

aaae®ªeÌG%'CCRWaae%ªt5ap5Ìe'

CeaeÌCag

RW%6V5ÌRu'CGCV

Ru%cV5%at4rRSe'447CGpt5aat5aav

wCG47ÌV5cV6

CGRu%cVsCt46

%RWRu%cG'Ce4w

Ru'%cw

%6ucV

cRt7SerW'Rpv7Ctw

7%'u%7u7G7WVW67%erqpv65g

%cG6Rw

3 7#&3:3@

>h.Bo

`@.eh_frampB

%UUUU

UUUU%UUUU

libgcc_s_dw2-1.dll

) libuv/%s

_ntdll.dll

%$!2($!!

%$#3($$!

%xQ!!kEl

<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><application xmlns="urn:schemas-microsoft-com:asm.v3"><windowsSettings><ms_windowsSettings:dpiAware xmlns:ms_windowsSettings="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings" xmlns="hXXp://schemas.microsoft.com/SMI/2005/WindowsSettings">true</ms_windowsSettings:dpiAware></windowsSettings></application></assembly>PPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD

00

1&222?2[2

8!8(818=8

55_5

5%6 646;6

4O4

;0<9<?<\<

:);4;_;~;

;,;>;[;|;

5)585=5_5

0 0$0(0,0004080

= =$=(=,=0=4=8=

=$=,=8=\=|=

=,=8=\=|=

:8:<:@:\:

8$80848<8@8\8|8

?(?,?4?8?\?

accKeyboardShortcut

hhctrl.ocx

SHELL32.DLL

dwmapi.dll

UxTheme.dll

USER32.DLL

RICHED20.DLL

ekernel32.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

advapi32.dll

%s\%.*s

\\?\UNC\

eHARDWARE\DESCRIPTION\System\CentralProcessor\%d

File: %ws, Line %u

6.14.10.100.03

NvSmartMaxapp64.dll

Cadvapi32.dll

tmsvcrt.dll

(*.*)

1.0.0.1

Test.exe

splwow64.exe_264:

.text

P`.data

.rdata

`@.eh_frampB

0@.bss

.idata

.rsrc

%UUUU

UUUU%UUUU

pipe

libgcc_s_dw2-1.dll

"%s" hash self-test failed.

[%d-d-d d:d:d]%s %s%s

[%d-d-d d:d:d]

[%s:%u] duplicate job received, ignore

{"id":%lld,"jsonrpc":"2.0","method":"keepalived","params":{"id":"%s"}}

[%s:%u] getaddrinfo error: "%s"

[%s:%u] error: "%s", code: %lld

[%s:%u] unsupported method: "%s"

[%s:%u] login error code: %d

[%s:%u] JSON decode failed: "%s"

[%s:%u] read error: "%s"

login

[%s:%u] connect error: "%s"

[%s:%u] DNS error: "%s"

[%s:%u] DNS error: "No IPv4 records found"

{"id":%llu,"jsonrpc":"2.0","method":"submit","params":{"id":"%s","job_id":"%s","nonce":"%s","result":"%s"}}

[01;36m%s:%d

[01;30m%s

use pool %s:%d %s

[01;37m%u

[31m"%s"

rejected (%lld/%lld) diff %u "%s" (%llu ms)

accepted (%lld/%lld) diff %u (%llu ms)

[01;37m%s:%d

[01;37m%d

new job from %s:%d diff %d

stratum tcp://

.nicehash.com

fee.xmrig.com

XMRig 2.1.0

%d.%d.%d

libuv/%s

libjansson/%s

%s: unsupported non-option argument '%s'

No pool URL supplied. Exiting.

userpass

-o, --url=URL URL of mining server

-O, --userpass=U:P username:password pair for mining server

-p, --pass=PASSWORD password for mining server

-k, --keepalive send keepalived for prevent timeout (need pool support)

--nicehash enable nicehash support

--print-time=N print hashrate report every N seconds

[01;36m%d

[01;37m, %s, av=%d, %sdonate=%d%%%s

* THREADS: %d, %s, av=%d, %sdonate=%d%%%s

gcc/%d.%d.%d

2.1.0

[01;36mXMRig/%s

[01;37m libuv/%s%s

* VERSIONS: XMRig/%s libuv/%s%s

[01;37mHUGE PAGES: %s, %s

* HUGE PAGES: %s, %s

[01;37mCPU: %s (%d) %sx64 %sAES-NI

* CPU: %s (%d) %sx64 %sAES-NI

* POOL #%d: %s:%d

[01;37mPOOL #%d:

[01;36m%s:%d

[01;36m%s

[22;36m%s %s

[01;36m%s H/s

speed 2.5s/60s/15m %s %s %s H/s max: %s H/s

0123456789;

%s/%s (Windows NT %lu.%lu

) libuv/%s

tX4Fr.rh.46Aw-wl-6

.eK9K\9.

\uX

\uX\uX

%s near '%s'

%s near end of file

unable to decode byte 0x%x

control character 0x%x

invalid Unicode '\uX\uX'

invalid Unicode '\uX'

NUL byte in object key not supported

duplicate object key

unable to open %s: %s

[%c%c%c] %-8s %p

Unknown system error %d

EAFNOSUPPORT

EMSGSIZE

EPIPE

EPROTONOSUPPORT

ESPIPE

address family not supported

ai_family not supported

socket type not supported

operation canceled

illegal operation on a directory

socket operation on non-socket

operation not supported on socket

operation not permitted

broken pipe

protocol not supported

cannot send after transport endpoint shutdown

1.13.1

!loop->wq_async.async_sent

((uv_shutdown_t*) req)->handle->type == UV_NAMED_PIPE

%s: (%d) %s

(%d) %s

src/win/pipe.c

pipe->flags & UV_HANDLE_CONNECTION

pipe->u.fd == -1 || pipe->u.fd > 2

req->pipeHandle == INVALID_HANDLE_VALUE

req->pipeHandle != INVALID_HANDLE_VALUE

handle->type == UV_NAMED_PIPE

hThread == handle->pipe.conn.readfile_thread

req->write_buffer.base

!(handle->flags & UV_HANDLE_PIPESERVER)

pipe->type == UV_NAMED_PIPE

pipe->flags & UV_HANDLE_READ_PENDING

!(handle->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)

\\?\pipe\uv\%p-%lu

handle->pipe.serv.accept_reqs

handle->pipe.serv.accept_reqs[0].pipeHandle != INVALID_HANDLE_VALUE

avail >= sizeof(ipc_frame.header)

bytes == sizeof(ipc_frame.header)

ipc_frame.header.flags <= (UV_IPC_TCP_SERVER | UV_IPC_RAW_DATA | UV_IPC_TCP_CONNECTION)

avail - sizeof(ipc_frame.header) >= sizeof(ipc_frame.socket_info_ex)

bytes == sizeof(ipc_frame) - sizeof(ipc_frame.header)

handle->pipe.conn.remaining_ipc_rawdata_bytes >= bytes

handle->write_queue_size >= req->u.io.queued_bytes

handle->stream.conn.write_reqs_pending > 0

pipe->pipe.conn.eof_timer == NULL

!(pipe->flags & UV_HANDLE_NON_OVERLAPPED_PIPE)

pipe->pipe.conn.ipc_pid != -1

rfds.fd_count == 1

rfds.fd_array[0] == handle->socket

wfds.fd_count == 1

wfds.fd_array[0] == handle->socket

efds.fd_count == 1

efds.fd_array[0] == handle->socket

!(options->flags & ~(UV_PROCESS_DETACHED | UV_PROCESS_SETGID | UV_PROCESS_SETUID | UV_PROCESS_WINDOWS_HIDE | UV_PROCESS_WINDOWS_VERBATIM_ARGUMENTS))

src/win/tcp.c

server->flags & UV_HANDLE_TCP_SINGLE_ACCEPT

handle->type == UV_TCP

(tcp)->activecnt >= 0

!((tcp)->flags & UV__HANDLE_CLOSING)

handle->tty.rd.read_line_buffer.base != NULL

handle->tty.rd.read_line_buffer.len > 0

handle->u.fd == -1 || handle->u.fd > 2

!(handle->flags & UV_HANDLE_TTY_READABLE) || handle->tty.rd.read_raw_wait == NULL

src/win/udp.c

handle->type == UV_UDP

handle->send_queue_size >= req->u.io.queued_bytes

len > 0 && len < ARRAY_SIZE(key_name)

_ntdll.dll

kernel32.dll

powrprof.dll

0.0.0.0

0123456789

%u.%u.%u.%u

fdopt.data.stream->type == UV_NAMED_PIPE

!(fdopt.data.stream->flags & UV_HANDLE_CONNECTION)

!(fdopt.data.stream->flags & UV_HANDLE_PIPESERVER)

mode == (PIPE_READMODE_BYTE | PIPE_WAIT)

0.4.0

operator

operator

global constructors keyed to

global destructors keyed to

operator""

_matherr(): %s in %s(%g, %g) (retval=%g)

VirtualQuery failed for %d bytes at address %p

VirtualProtect failed with code 0x%x

Unknown pseudo relocation protocol version %d.

Unknown pseudo relocation bit size %d.

unknown option -- %s

unknown option -- %c

option requires an argument -- %s

option requires an argument -- %c

Error cleaning up spin_keys for thread

once %p is %d

T%p %d %s

T%p %d V=%0X H=%p %s

Assertion failed: (%s), file %s, line %d

RWL%p %d %s

RWL%p %d V=%0X B=%d r=%ld w=%ld L=%p %s

C%p %d %s

C%p %d V=%0X w=%ld %s

GCC: (Rev2, Built by MSYS2 project) 6.3.0

GCC: (Rev2, Built by MSYS2 project) 7.1.0

323090303642675

CvU%Dv7

RegCloseKey

RegOpenKeyExW

ConnectNamedPipe

CreateIoCompletionPort

CreateNamedPipeA

CreateNamedPipeW

GetNamedPipeHandleStateA

PeekNamedPipe

SetNamedPipeHandleState

WaitNamedPipeW

_acmdln

_amsg_exit

MapVirtualKeyW

ADVAPI32.dll

IPHLPAPI.DLL

KERNEL32.dll

msvcrt.dll

PSAPI.DLL

USER32.dll

USERENV.dll

WS2_32.dll

33333333

;33:3;33;333:3

:;3:3:3:3

:::33::3:3::::

;3;;3:3@$

;33:;:32

#;3;;233#2 $

3;;::3:::

#3::3;33

::;33::33

CCCG®ÌG

aaae®ªeÌG%'CCRWaae%ªt5ap5Ìe'

CeaeÌCag

RW%6V5ÌRu'CGCV

Ru%cV5%at4rRSe'447CGpt5aat5aav

wCG47ÌV5cV6

CGRu%cVsCt46

%RWRu%cG'Ce4w

Ru'%cw

%6ucV

cRt7SerW'Rpv7Ctw

7%'u%7u7G7WVW67%erqpv65g

%cG6Rw

3 7#&3:3@

>h.Bo

ntdll.dll

Cadvapi32.dll

%s\%.*s

\\?\UNC\

eHARDWARE\DESCRIPTION\System\CentralProcessor\%d

File: %ws, Line %u

tmsvcrt.dll

6.14.10.100.03

NvSmartMaxapp64.dll

conhost.exe_2044:

.text

`.data

.rsrc

@.reloc

GDI32.dll

USER32.dll

msvcrt.dll

ntdll.dll

API-MS-Win-Core-LocalRegistry-L1-1-0.dll

KERNEL32.dll

IMM32.dll

ole32.dll

OLEAUT32.dll

Bv.SCv

PutInputInBuffer: EventsWritten != 1 (0x%x), 1 expected

Invalid message 0x%x

InitExtendedEditKeys: Unsupported version number(%d)

Console init failed with status 0x%x

CreateWindowsWindow failed with status 0x%x, gle = 0x%x

InitWindowsStuff failed with status 0x%x (gle = 0x%x)

InitSideBySide failed create an activation context. Error: %d

GetModuleFileNameW requires more than ScratchBufferSize(%d) - 1.

GetModuleFileNameW failed %d.

Invalid EventType: 0x%x

Dup handle failed for %d of %d (Status = 0x%x)

Couldn't grow input buffer, Status == 0x%x

InitializeScrollBuffer failed, Status = 0x%x

CreateWindow failed with gle = 0x%x

Opening Font file failed with error 0x%x

\ega.cpi

NtReplyWaitReceivePort failed with Status 0x%x

ConsoleOpenWaitEvent failed with Status 0x%x

NtCreatePort failed with Status 0x%x

GetCharWidth32 failed with error 0x%x

GetTextMetricsW failed with error 0x%x

GetSystemEUDCRangeW: RegOpenKeyExW(%ws) failed, error = 0x%x

RtlStringCchCopy failed with Status 0x%x

Cannot allocate 0n%d bytes

|%SWj

O.fBf;

ReCreateDbcsScreenBuffer failed. Restoring to CP=%d

Invalid Parameter: 0x%x, 0x%x, 0x%x

ConsoleKeyInfo buffer is full

Invalid screen buffer size (0x%x, 0x%x)

SetROMFontCodePage: failed to memory allocation %d bytes

FONT.NT

Failed to set font image. wc=x, sz=(%x,%x)

Failed to set font image. wc=x sz=(%x, %x).

Failed to set font image. wc=x sz=(%x,%x)

FullscreenControlSetColors failed - Status = 0x%x

FullscreenControlSetPalette failed - Status = 0x%x

WriteCharsFromInput failed 0x%x

WriteCharsFromInput failed %x

RtlStringCchCopyW failed with Status 0x%x

CreateFontCache failed with Status 0x%x

FTPh

\>.Sj

GetKeyboardLayout

MapVirtualKeyW

VkKeyScanW

GetKeyboardState

UnhookWindowsHookEx

SetWindowsHookExW

GetKeyState

ActivateKeyboardLayout

GetKeyboardLayoutNameA

GetKeyboardLayoutNameW

_amsg_exit

_acmdln

ShipAssert

NtReplyWaitReceivePort

NtCreatePort

NtEnumerateValueKey

NtQueryValueKey

NtOpenKey

NtAcceptConnectPort

NtReplyPort

SetProcessShutdownParameters

GetCPInfo

conhost.pdb

%$%a%b%V%U%c%Q%W%]%\%[%

%<%^%_%Z%T%i%f%`%P%l%g%h%d%e%Y%X%R%S%k%j%

version="5.1.0.0"

name="Microsoft.Windows.ConsoleHost"

<requestedExecutionLevel

name="Microsoft.Windows.ConsoleHost.SystemDefault"

publicKeyToken="6595b64144ccf1df"

name="Microsoft.Windows.SystemCompatible"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

< =$>:>@>

2%2X2

%SystemRoot%

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\TrueTypeFont

\Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\Console\FullScreen

WindowSize

ColorTableu

ExtendedEditkeyCustom

ExtendedEditKey

Software\Microsoft\Windows\CurrentVersion

\ !:=/.<>;|&

%d/%d

cmd.exe

desktop.ini

\console.dll

%d/%d

6.1.7601.17641 (win7sp1_gdr.110623-1503)

CONHOST.EXE

Windows

Operating System

6.1.7601.17641

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):
   

   %original file name%.exe:1900
   

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:
   

   C:\Windows\Temp\splwow64.exe (1717 bytes)

4. Delete the following value(s) in the autorun key (How to Work with System Registry):
   

   [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
   "nahvay" = "c:\%original file name%.exe"

5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.