Analysis Date: 2015-05-08 22:01:27
MD5: 26bbdec2f7056f6132dbafd7a9fc26e3
SHA1: 058106226f526a48c4e730daca55e04206fa680d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 3f6c98158530a63abddcd771d65d5ca2 sha1 3571d08f0058c7fa981b52f356f1cc3cce5e7cd6 size 66048
Section .rdata: md5 9f5955daf84943c065a99798da6b10f2 sha1 903cd69739105891699ba33155d0ca6f20d0c473 size 48128
Section .CRT: md5 4c78c449ef7ec2b15a27c94bd57fc604 sha1 5fe2d9f213cf269b504e3e9986b614b2860cc12e size 23040
Section .idata: md5 c57550fa8c4cbf9affa479c3728d76c2 sha1 b5690dd49048ce5a00aafaff81fe3a8b89a66577 size 54784
Section .pdata: md5 22db81dfb73187978c268004d06426d4 sha1 58d353c405b685e59e51a55a41acbdb0571b932d size 2560
Section .data: md5 283b46548f0e2b45f896af4cd962725a sha1 80b84734ba7078b81eb0a2a9cea3cc8a83de2ca2 size 23552
Section .rsrc: md5 a2e2dd39031b4307165f5f9c8d9362ca sha1 de3b117f6f7cf466c7b75fc5404c42a283601bca size 10752
Section .reloc: md5 7932114cc4a83ba8d0a94bb9320bb991 sha1 18eacc9e202bba01ab7872da690d5e7d8c4bc7cf size 8192
Timestamp: 2012-03-21 04:25:39
Version:
  LegalCopyright: Copyright © 1987-1998 Microsoft Corp.
  InternalName: MsAddnDr.Dll
  FileVersion: 6.00.8169
  CompanyName: Microsoft Corporation
  LegalTrademarks: Microsoft® is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
  Comments: June 18, 1998
  ProductName: AddInDesigner Object Library
  OLESelfRegister:
  ProductVersion: 6.00.8169
  FileDescription: AddInDesigner
Packer: Borland Delphi 3.0 (???)
PEhash: 43ec8da606d576f8ccd3d8dd56d2524770767b14
IMPhash: 0ea5773f823bf635e6ba17f020373bb1
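To check the section table above against the file, or to produce the same fields for another sample, the following added example (not part of the report's tooling) walks the PE headers and hashes each section's raw bytes. Two details matter when reading such a table: every size listed above is a multiple of 0x200 (66048 = 0x10200, 2560 = 0x500), so the digests cover SizeOfRawData bytes at PointerToRawData, file-alignment padding included, not VirtualSize; and the Timestamp is the COFF TimeDateStamp, a link-time value the author controls, which here (2012) contradicts the 1998 date in the version resource. The version resource (Microsoft Corporation, MsAddnDr.Dll, AddInDesigner) and the Microsoft certificate-chain strings further down (Code Signing PCA 2011, CRL and CPS URLs, UTCTime validity strings) can both be copied from a legitimate binary and prove nothing on their own; MalwareBytes's "Trojan.FakeMS" label points the same way. The mini PE below is constructed inside the script for demonstration; the timestamp value is the only thing taken from the report, and rendering it as UTC is an assumption about how the report displays it.

```python
"""Re-derive a report's 'Static Details' from a PE file: whole-file MD5/SHA1,
the COFF TimeDateStamp, and per-section MD5/SHA1/size.

Added example; the mini PE it builds is constructed here for demonstration
and is not the analysed sample."""
import hashlib
import struct
from datetime import datetime, timezone

SECTION_HEADER_SIZE = 40
FILE_ALIGNMENT = 0x200   # the report's section sizes are all multiples of 0x200


def hexdigests(raw):
    """MD5 and SHA1 of a byte string, the two digests the report lists."""
    return hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()


def build_mini_pe(sections, timestamp):
    """Construct a minimal PE32 image (headers only, not runnable): DOS header,
    PE signature, COFF header with SizeOfOptionalHeader = 0, and one section
    header plus file-aligned raw data per (name, bytes) pair."""
    headers_size = 0x40 + 4 + 20 + SECTION_HEADER_SIZE * len(sections)
    data_start = -(-headers_size // FILE_ALIGNMENT) * FILE_ALIGNMENT
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    # Machine=i386, NumberOfSections, TimeDateStamp, SymTab ptr, #symbols,
    # SizeOfOptionalHeader, Characteristics (EXECUTABLE_IMAGE | 32BIT_MACHINE)
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), timestamp, 0, 0, 0, 0x0102)
    table, body, raw_ptr, va = b"", b"", data_start, 0x1000
    for name, raw in sections:
        padded = raw + b"\0" * (-len(raw) % FILE_ALIGNMENT)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # reloc/linenumber pointers and counts, Characteristics (code|exec|read)
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii").ljust(8, b"\0"),
                             len(raw), va, len(padded), raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += padded
        raw_ptr += len(padded)
        va += 0x1000
    image = bytes(dos) + b"PE\0\0" + coff + table
    return image + b"\0" * (data_start - len(image)) + body


def parse_static_details(data):
    """Walk the headers and hash each section's raw bytes (SizeOfRawData bytes at
    PointerToRawData), which is what the report's per-section digests cover."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    sec_off = coff + 20 + opt_size
    sections = []
    for i in range(nsec):
        fields = struct.unpack_from("<8sIIIIIIHHI", data, sec_off + i * SECTION_HEADER_SIZE)
        name, raw_size, raw_ptr = fields[0], fields[3], fields[4]
        # Slice, never index: a header that points past EOF must neither raise
        # nor silently hash the wrong bytes, so record the shortfall instead.
        raw = data[raw_ptr:raw_ptr + raw_size]
        md5, sha1 = hexdigests(raw)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "size": raw_size, "truncated": len(raw) != raw_size,
                         "md5": md5, "sha1": sha1})
    file_md5, file_sha1 = hexdigests(data)
    return {"md5": file_md5, "sha1": file_sha1, "machine": machine,
            # TimeDateStamp is a Unix epoch value; rendered as UTC here (assumption).
            "timestamp": datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
            "sections": sections}


# Constructed sample input (not the analysed binary); only the timestamp is the
# report's, so the parser should render it as 2012-03-21 04:25:39.
SAMPLE_TEXT = b"\x55\x8b\xec\x83\xec\x10" + b"\x90" * 26
SAMPLE_RDATA = b"constructed .rdata contents\0"
SAMPLE_TIMESTAMP = 1332303939


def build_demo_image():
    return build_mini_pe([(".text", SAMPLE_TEXT), (".rdata", SAMPLE_RDATA)], SAMPLE_TIMESTAMP)


def demo():
    return parse_static_details(build_demo_image())


if __name__ == "__main__":
    r = demo()
    print("MD5:", r["md5"], "SHA1:", r["sha1"], "Timestamp:", r["timestamp"])
    for s in r["sections"]:
        print("Section %s: md5 %s sha1 %s size %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
```

Point `parse_static_details` at the bytes of a real file to reproduce the table; the `truncated` flag is the check to watch, since a section header whose PointerToRawData plus SizeOfRawData runs past end-of-file is a common sign of a corrupted or deliberately malformed header and yields a digest that no other tool will match.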
AV Ad-Aware: Gen:Variant.Kazy.598486
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): Gen:Variant.Kazy.598486
AV Authentium: W32/Trojan.PSYK-4304
AV Avira (antivir): TR/Dropper.A.37484
AV BitDefender: Gen:Variant.Kazy.598486
AV BullGuard: Gen:Variant.Kazy.598486
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.598486
AV Eset (nod32): Win32/Redyms.AM
AV Fortinet: W32/Ramdo.AM!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.598486
AV Grisoft (avg): Crypt4.OWM
AV Ikarus: Trojan.Win32.Redyms
AV K7: Trojan ( 004b6d551 )
AV Kaspersky: Trojan.Win32.Ramdo.wpk
AV MalwareBytes: Trojan.FakeMS
AV Mcafee: RDN/Generic.dx!dql
AV Microsoft Security Essentials: Trojan:Win32/Ramdo
AV MicroWorld (escan): Gen:Variant.Kazy.598486
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV Twister: Trojan.Ramdo.wnr.jtyg!
AV VirusBlokAda (vba32): no_virus
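Reading the AV table: 21 of 31 engines flag the file, but the labels disagree on the family, and seven of them return the byte-identical string "Gen:Variant.Kazy.598486" that BitDefender itself reports, which reflects a shared signature rather than seven independent verdicts. The following added example (not the report's own tooling) normalizes the table: it parses the verdicts, computes the detection ratio, and counts family names with identical labels collapsed to one vote, so the Ramdo/Redyms naming used by Eset, Fortinet, Ikarus, Kaspersky, Microsoft and Twister outweighs the generic Kazy heuristic. The family-token extraction and the dedupe rule are heuristics of this example, not a vendor convention; the vendor list is transcribed from the table above as "Vendor: result" lines.

```python
"""Normalize a sandbox report's AV verdicts: detection ratio, family votes and a
consensus family. Added example, not the report's own tooling; AV_TABLE is the
table above transcribed as 'Vendor: result' lines."""
import re
from collections import Counter

AV_TABLE = """\
Ad-Aware: Gen:Variant.Kazy.598486
Alwil (avast): Trojan-gen:Win32:Trojan-gen
Arcabit (arcavir): Gen:Variant.Kazy.598486
Authentium: W32/Trojan.PSYK-4304
Avira (antivir): TR/Dropper.A.37484
BitDefender: Gen:Variant.Kazy.598486
BullGuard: Gen:Variant.Kazy.598486
CA (E-Trust Ino): no_virus
CAT (quickheal): no_virus
ClamAV: no_virus
Dr. Web: no_virus
Emsisoft: Gen:Variant.Kazy.598486
Eset (nod32): Win32/Redyms.AM
Fortinet: W32/Ramdo.AM!tr
Frisk (f-prot): no_virus
F-Secure: Gen:Variant.Kazy.598486
Grisoft (avg): Crypt4.OWM
Ikarus: Trojan.Win32.Redyms
K7: Trojan ( 004b6d551 )
Kaspersky: Trojan.Win32.Ramdo.wpk
MalwareBytes: Trojan.FakeMS
Mcafee: RDN/Generic.dx!dql
Microsoft Security Essentials: Trojan:Win32/Ramdo
MicroWorld (escan): Gen:Variant.Kazy.598486
Padvish: no_virus
Rising: no_virus
Sophos: no_virus
Symantec: Trojan.Gen.2
Trend Micro: no_virus
Twister: Trojan.Ramdo.wnr.jtyg!
VirusBlokAda (vba32): no_virus
"""

# Tokens that name a class or platform rather than a family (heuristic list).
GENERIC_TOKENS = {"gen", "variant", "trojan", "win32", "generic", "dropper",
                  "heur", "malware", "virus", "riskware", "backdoor"}
CLEAN_LABELS = {"no_virus", "clean", ""}


def parse_av_table(text):
    """One 'Vendor: label' per line. Split on the last ': ' because vendor names
    may contain punctuation ('Dr. Web') while labels never contain ': '."""
    results = []
    for line in text.strip().splitlines():
        vendor, label = line.rsplit(": ", 1)
        results.append((vendor.strip(), label.strip()))
    return results


def is_detection(label):
    return label.lower() in CLEAN_LABELS and False or label.lower() not in CLEAN_LABELS


def detection_ratio(results):
    hits = sum(1 for _, label in results if is_detection(label))
    return hits, len(results)


def family_of(label):
    """First alphabetic token of at least 4 chars that is not a generic class word,
    so version suffixes such as 'AM', 'wpk' or 'dql' are skipped. Heuristic."""
    for tok in re.split(r"[^A-Za-z0-9]+", label):
        if tok.isalpha() and len(tok) >= 4 and tok.lower() not in GENERIC_TOKENS:
            return tok.lower()
    return None


def family_votes(results, dedupe=True):
    """Count family names across detections. With dedupe=True a label string
    seen on several vendors counts once: a byte-identical label on seven engines
    usually means one shared signature, not seven independent opinions."""
    labels = [label for _, label in results if is_detection(label)]
    if dedupe:
        labels = list(dict.fromkeys(labels))
    return Counter(f for f in map(family_of, labels) if f)


def consensus(results):
    votes = family_votes(results)
    return votes.most_common(1)[0][0] if votes else None


RESULTS = parse_av_table(AV_TABLE)

if __name__ == "__main__":
    hits, total = detection_ratio(RESULTS)
    print(f"{hits}/{total} engines flag the file")
    print("naive votes:  ", family_votes(RESULTS, dedupe=False).most_common(3))
    print("deduped votes:", family_votes(RESULTS).most_common(3))
    print("consensus family:", consensus(RESULTS))
```

Without the dedupe step the naive count puts Kazy first with seven votes; with it, Kazy collapses to one and Ramdo leads with four distinct labels, which is the name to search for when pivoting to other samples.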

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\a2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\a2.tmp

Network Details:


Raw Pcap

Strings
.
.
.
.
.
T
.

040904E4
 1987-1998 Microsoft Corp.
6.00.8169
Addin &Description
AddInDesigner
AddIn DesignerHThe "(Default)" value is a default registry value and cannot be removed.+Are you sure you wish to delete this value?
AddInDesigner Object Library
AddinDesigner Properties
Addin Display &Name
Addin is &command-line safe (Does not put up any UI)
Addin &Specific Data
A&pplication
Application &Version
Cancel
Comments
CompanyName
Copyright 
Data	&Advanced
Data Type
	(Default)
&Delete
&Delete Value
DWORD
&DWORD
&DWORD Value
DWORD Value
&Edit
&Edit Value
FileDescription
FileVersion
&General(The "(Default)" value cannot be removed.+Are you sure you wish to delete this value?BA value name can appear only once, please choose a different name.
Initial &Load Behavior
InternalName
 is a registered trademark of Microsoft Corporation. Windows(TM) is a trademark of Microsoft Corporation
June 18, 1998
LegalCopyright
Legal_policy_statement
LegalTrademarks
List3
Microsoft
Microsoft Corporation
MsAddnDr.Dll
msadnFA value name can appear only once, please choose a different key name.
MS Sans Serif
Name
&New
New Registry Key Data
Ne&w Value
OLESelfRegister
Please specify a value name.
ProductName
ProductVersion
$PUGAExperiment.dl
Registry &Key for Additional Addin Data
Satellite DLL &Name
String
&String
StringFileInfo
&String Value
String Value
SubC
SysListView32
Translation
TYPELIB
&Value Data
Value Data
Value Data (Decimal)
Value Name
Value &Name
(value not set)
VarFileInfo
VS_VERSION_INFO
0!0'0-03090@0G0N0U0\0c0j0r0z0
0 0%0+080?0Q0b0h0w0
0$0*0/0I0R0X0b0p0w0
0#0+020]0v0
0 0-040F0M0x0
0%0+0A0N0\0b0
0-0>0E0c0i0
0%0;0O0y0
0#0=0Y0
0$040B0P0X0e0w0}0
0'060@0L0R0k0w0
0*0B0H0[0a0n0
0/1:1@1F1g1q1
0$141;1K1j1{1
<)<0<6<<<E<N<W<}<
>0>6><>H>e>
?(?0?6?I?W?b?h?n?
:0:6:Q:\:i:
070403125309Z
0C0_0o0
?)?0?C?M?_?
>)>0>d>w>
0F0O0Z0c0
=)=0===H=u=
0S0`0i0
100701213655Z
100831221932Z
110708205909Z
1!1.1<1B1R1a1n1
1!1.1>1D1Q1a1g1l1{1
1&1,1B1\1
111I1Q1g1{1
1"1/1I1X1c1p1{1
1,1=1R1_1f1k1y1
1!1:1R1k1p1
1"151@1K1X1^1w1
1'161A1M1b1h1o1~1
1.1D1T1Z1
1>1E1L1R1n1
130124223339Z
130327200825Z
130327201313Z
130924174141Z
131005085247Z0#
140424223339Z0
140627200825Z0
140627201313Z0
141224174141Z0
151@1F1
@18u(^
?1?C?J?Q?X?r?
;*;1;<;c;o;
1http://www.microsoft.com/PKI/docs/CPS/default.htm0@
1Jv1=+r
>+>1>@>L>R>m>}>
1Y1e1k1r1~1
200831222932Z0y1
20131004233521Z
20131005085248.98Z0
20131005233521Z0t0:
210403130309Z0w1
2+212V2d2j2p2
2$2*22282R2^2t2
2$2*2=2H2Y2t2
2$2+262G2R2a2m2
2#2/272I2O2U2[2f2r2
2'23292K2V2m2
2.242@2F2S2\2
2)282=2L2q2}2
2'292E2K2R2_2j2p2
2!2e2y2
2-2I2[2c2k2q2y2
2*2P2Z2
232>2I2r2}2
2.393J3Z3g3
242:2g2s2
250701214655Z0|1
260708210909Z0~1
:':2:8:C:L:a:j:q:~:
>'>->2>8>D>I>`>n>
>2>8>G>P>[>a>r>w>
=)=2=8=H=_=e=l=r={=
>2>8>S>a>
:#:2:8:?:Z:a:g:q:~:
2A2G2N2]2j2q2
>2>B>a>n>
;2;B;S;Y;`;l;s;z;
>2>C>[>e>k>q>
:2:@:E:L:s:z:
;";2;E;S;Y;k;p;v;};
:&:2:G:N:\:b:h:m:s:z:
?,?2?G?U?Z?q?w?
:#:,:2:V:k:
$`2X`F
*31595+4faf0b71-ad37-4aa3-a671-76bc052344ad0
*31642+2860b52e-c4a3-454d-bc1e-32c5add17e900
323>3J3P3Y3g3u3z3
3*32383?3L3c3
3#3+33393n3
3!3-3;3D3`3y3
3$3.353Y3j3
3%3*3B3R3_3e3w3~3
3!3/3C3R3X3b3r3
333P3Y3k3q3
3<3_3r3~3
3$3=3V3b3z3
3!3@3W3c3i3v3
3)363<3J3R3o3
3 3D3J3Y3`3f3r3}3
3;3F3L3^3x3
3)4@4I4V4t4
3(454V4j4o4u4
3&474=4C4S4Y4a4j4
3!494B4K4P4Z4i4r4~4
: :3:A:H:l:w:
<-<3<C<N<b<x<
>3>>>H>N>V>l>u>}>
3http://www.microsoft.com/pkiops/docs/primarycps.htm0@
<3<><J<Y<z<
;";3;V;n;v;
=!=-=3=@=Y=h=r=x=
40454I4P4c4q4
424;4R4d4
4$414C4J4Q4X4r4x4~4
4&4-474>4R4Y4`4k4q4w4
4"4)4D4K4Q4x4
4!4+4K4^4|4
4 4<4X4]4e4p4w4
4$454>4Y4r4
4&464K4Y4`4
4)484E4`4o4
4,4M4[4e4k4s4
4A4V4b4
:':.:4:C:N:U:{:
?&?4?:?G?i?x?
< <%<-<4<J<X<l<x<
: :':.:4:N:V:\:b:g:
=!='=-=4=R=i=
535H5V5k5q5
545@5F5L5]5k5t5
5'505C5]5z5
5(525<5H5N5m5
5)555=5C5I5S5[5c5{5
5"5(5.5>5I5O5`5r5
5"5(5/565W5l5{5
5!5(565=5c5i5n5
5(5.575L5h5n5}5
5&5<5G5T5x5
5/585@5I5R5a5s5
5*585H5N5Z5`5m5t5
5!62686>6E6w6
5&626M6S6m6y6
585G5N5U5\5n5t5z5
:#:+:5:C:]:
=5=;=D=M=Y=
>(>.>5>F>L>R>X>
='=5=F=M=Y=y=
5N5T5c5r5x5
5R6\6s6
;5;;;R;h;|;
?'?5?<?y?
616G6b6q6~6
63F`JCH
6)60666=6D6b6n6w6}6
6&666[6q6
6!6-6@6c6
6$6+6?6J6d6z6
6$6*6:6o6z6
6!6.6?6R6c6j6|6
6?6[6i6
6,686?6F6M6`6f6x6
6"7.7B7N7S7i7r7
677C7[7y7
677R7_7
686O6v6
696c6q6z6
696Q6W6e6y6
="=6=<=B=R=g=x=~=
6F7e7y7
718?8J8a8
7!717<7R7]7n7
7-767S7n7
7	7)70767B7[7g7n7|7
7$7+737B7H7S7a7g7~7
7"7)7?7F7L7q7
7'7;7H7N7U7`7v7
7$7*7I7O7U7[7b7r7x7
7)7@7n7
7'797?7J7V7^7d7r7~7
7"7B7I7S7\7b7p7}7
= =&=,=7=<=C=[=a=f=}=
7customWW
=7=L=Z=q=
7tM	jP
828@8^8d8t8z8
878B8S8Y8l8w8
8%82888G8U8g8|8
8#858<8C8R8^8h8n8t8
8+868B8P8W8`8x8~8
8$8@8a8y8
8!8(8H8Q8g8m8s8
8+8:8R8b8n8u8
8#8+8S8c8t8
8.8?8S8f8r8{8
8!898A8W8b8q8{8
8'8A8H8N8[8w8
8:8F8L8X8]8j8q8
8C8Q8q8}8
=/=8=>=E=Q=]=m=
8_FIAddinDesignerWW,
8hrAddinDesignerWWW
?8?H?T?`?
8http://www.microsoft.com/pki/certs/MicrosoftRootCert.crt0
:':-:8:K:t:
8lTIDTExtensibility2WWWX
;-;8;P;V;e;x;
:	; ;8;P;w;
8r!ext_DisconnectModeWW
919;9J9P9b9s9y9
969C9H9P9V9b9i9p9
9)90979J9T9]9e9s9y9
9!909=9D9U9p9
9&92989D9Q9`9e9l9~9
9)929@9E9i9v9
9-939K9X9n9t9
9*949:9Y9f9k9
9.959K9u9
9!9&9,939=9E9P9X9g9o9
9'9.9G9Q9]9y9
9!9'9K9Q9`9m9
9$9B9w9
9&9M9^9e9s9y9
:*:9:?:F:X:_:
>%>9>G>R>g>w>
;9;O;d;w;
>	>">9>R>g>}>
9X9h9o9
adAddInInstWWW
Add-In Designer controlWWW
Add-In Designer ControlWWW
AddInDesignerObjects
Add-In Instance Object
>AddinInstanceWWW
aDXCpuRI_DTq
>#>A>[>f>
affriction
/A!juh
;);A;L;T;\;f;r;
amicability
aov_VW
*ApplicationW
aristate
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
associate
?A?`?u?{?
audita
balbriggan
Bhttp://www.microsoft.com/pki/certs/MicRooCerAut2011_2011_03_22.crt0
<"<,<<<B<O<b<g<t<
?.?B?S?g?m?s?x?
calocedrus
carnegie
carport
ceilinged
cforgive
cheesepairings
_chkstk
Chttp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl0X
Chttp://www.microsoft.com/pkiops/crl/MicCodSigPCA2011_2011-07-08.crl0a
circumstantial
CloseClipboard
:(:.:C:M:V:]:j:s:
cognition
ConnectModeW
CreateFileA
CreateSemaphoreA
<#<,<C<X<w<
cydonia
cyprian
D$07#GmP
D$0etl/
D$4bjm
@.data
D$DSUVW
declarative
deepness
DeleteFileA
denote
DestroyCursor
?(?.?D?e?t?
diffuse
; ;*;>;D;I;P;g;s;
disappointingly
DispatchMessageA
D$|kqz
</<D<K<w<
dosser
douvre
dowager
DragFinish
=##	du
=,=D=u=
D$,ujqv3
dumfounder
Ehttp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl0Z
Ehttp://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl0Z
Ehttp://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl0Z
Ehttp://www.microsoft.com/pkiops/certs/MicCodSigPCA2011_2011-07-08.crt0
elocutionist
Eo/>VW
equitation
=}%E<u
=E@'^u
<<<E<W<b<p<v<
ExitThread
'ext_cm_AfterStartupW
ext_cm_CommandLineWWd
ext_cm_ExternalW
ext_cm_StartupWW
[ext_ConnectModeWd
ext_dm_HostShutdownWd
ext_dm_UserClosedWWW
<;<F<~<
?'?=?F?
fjrjrQ
;-;=;F;M;i;
fOA?IR
fPjhhp
FreeEnvironmentStringsA
freestone
fUQGYWESHZKpfvkvjEqpuexlcojpu
`Ge`@N
GetCapture
GetClassInfoExA
GetCommandLineA
GetComputerNameA
GetCurrentProcess
GetCurrentThreadId
GetDesktopWindow
GetFileSize
GetFileVersionInfoA
GetLogicalDrives
GetMessageTime
GetOEMCP
GetSysColor
GetTempPathA
GetUserDefaultLCID
GetUserDefaultUILanguage
GetVersion
glossary
goldmine
;%<-<G<R<X<d<|<
="=.=G=X=g=m=
H~SUVW
?http://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl0T
http://microsoft.com0
>http://www.microsoft.com/pki/certs/MicCodSigPCA_08-31-2010.crt0
>http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt0
<http://www.microsoft.com/pki/certs/MicrosoftTimeStampPCA.crt0
>http://www.microsoft.com/pki/certs/MicTimStaPCA_2010-07-01.crt0
<]<h<v<
'HwJv+
hzYA#h
IAddinInstanceWW
@.idata
_IDTExtensibility2WW
Ihttp://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl0^
="=I=i=o=}=
insulse
IsDebuggerPresent
IsWindow
;I;T;r;};
jcjhhy
jcjth$&
:+:J:[:c:n:z:
jcPjch
@jcPjch
jcVjeh
jfjcja
jhjeh		
jhj(h+
<(<J<j<
]J%!M?j1
J[QTZUYTJGeF
jrjchR&
jrPPh$
=(=/=J=V=\={=
=(>>>J>z>
KERNEL32.dll
:::K:P:X:q:|:
<$<<<K<\<q<
*?*kXIc
L$$_^][3
lakefront
L&*H$_Z
LoadCursorA
LoadResource
LocalAlloc
\lSKu}
<$<?<L<W<i<t<
>L>X>a>n>
?%?L?X?]?l?r?w?
l\ZuFf
`M%a'acZ
madwoman
mangily
;';<;M;_;e;k;q;
MessageBoxA
mfAx~)
	microsoft1-0+
Microsoft Add-In DesignerW
Microsoft Code Signing PCA
Microsoft Code Signing PCA0
Microsoft Code Signing PCA 2011
Microsoft Code Signing PCA 20110
Microsoft Corporation0
Microsoft Corporation1
Microsoft Corporation1!0
Microsoft Corporation1(0&
Microsoft Corporation1&0$
Microsoft Corporation1#0!
Microsoft Corporation1200
$Microsoft Root Certificate Authority
$Microsoft Root Certificate Authority0
)Microsoft Root Certificate Authority 20100
)Microsoft Root Certificate Authority 20110
"Microsoft Time Source Master Clock0
Microsoft Time-Stamp PCA
Microsoft Time-Stamp PCA0
Microsoft Time-Stamp PCA 2010
Microsoft Time-Stamp PCA 20100
Microsoft Time-Stamp Service
Microsoft Time-Stamp Service0
misapprehend
MOPR1'0%
MOPR1301
nCipher DSE ESN:B8EC-30A4-71441%0#
nCipher DSE ESN:C0F4-3086-DEF81%0#
nCipher NTS ESN:B027-C6F8-1D881+0)
noncompetitive
ntdll.dll
Ntjhja
observance
oK0D$"<
ok}h.%
ok}hd#
ok}he%
ok}hm#
ok}jch
ok}jcjr
ok}Ph^%
OnAddInsUpdateWW
~OnBeginShutdownW
OnConnection
-OnDisconnectionW
,OnStartupCompleteWWW
OpenPrinterA
palatine
.pdata
p{dk}1Mx
perinatal
pharyngeal
PjchW"
Pjcjrhu
Pjhh?&
PostMessageA
prebendaryship
propension
^P! SUVW
pu	Qj@
|$,PVf
=Q6qEu
QEX82q'
?)?Q?\?s?
?"?)?Q?V?\?k?
r~akow
`.rdata
Redmond1
ReleaseCapture
ReleaseMutex
@.reloc
repatriation
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
RPCRT4.dll
R.x2SVWvm
=R.x2w
;R;Y;d;t;
R}Y\$@JlU
    </security>
    <security>
selling
seraskier
SetUnhandledExceptionFilter
SHELL32.dll
SHLWAPI.dll
showerhead
SHReleaseThreadRef
;%;+;<;S;k;{;
spontaneity
stdole2.tlbWWW
SUVW=hs
SVW=HO
%'SVWu
=#=,=<=S=Y=^=p=v=|=
=T:4Iu
TerminateProcess
thermohydrometer
!This program cannot be run in DOS mode.
tigress
TranslateMessage
tR}j~_W
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
uncropped
UnhandledExceptionFilter
USER32.dll
}u#SSj
UuidCreate
UuidFromStringA
veiled
verdine
VerQueryValueA
VERSION.dll
<+<><V<`<h<n<
vilely
VjcPh]
VRemoveModeWW
=V_[zv
@=V_[zw
WaitForSingleObject
Washington1
wcsncpy
wellness
< </<?<W<e<l<r<y<
whenever
WINSPOOL.DRV
>+>:>W>k>r>
WqVNHE
wZ\p~YDf
=z#6[u
zc]rB(Tn#a
ZZ_Ovb