Analysis Date: 2014-12-05 21:56:05
MD5: bb1acff1716613ec2b3c3a55b69ed834
SHA1: 0b7022f1ad96962be56f71188b070753ff80eeb3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 655e7645109a926e1d3c852919293b20 sha1: 36b4eb7328db3c2da9947ab11cd19b403bc6127d size: 32256
Section .rdata md5: edd6364a87f23006f1d7dd7b6462b719 sha1: fc8cf424e83ba3782f336d4b934726de6b14ceef size: 24576
Section .data  md5: e85845a3d596c51423b3db1f741c24fc sha1: 5ee7185610120b114e13201fef608f074e1d8428 size: 11776
Section .rsrc  md5: 902df700c59e7bda9d0008b7a3ffa9d2 sha1: 584f8737329d9b0f7ca66ecd82d1ce26e5f81570 size: 8192
Timestamp: 2012-03-12 18:29:36
Version:
  LegalCopyright: Copyright (C) 2014 DevSpread Ltd.
  InternalName: dbe invertdb tool
  FileVersion: 3.3.2.3
  CompanyName: DevSpread Ltd.
  ProductName: DPE Invert Database Tool
  ProductVersion: 3.3.2.3
  FileDescription: DPE Invert Database Tool
  OriginalFilename: dpeinvertdbtool
Packer: Microsoft Visual C++ ?.?
PEhash: 9fccc9ac07a46dc339183d9b0c4991680d14d349
IMPhash: bbd13a00cb2eb0ecc0b9045101097d04
AV 360 Safe: Gen:Variant.Symmi.43232
AV Ad-Aware: Gen:Variant.Symmi.43232
AV Alwil (avast): Crypt-QUY [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/A-261909fd!Eldorado
AV Avira (antivir): TR/Crypt.ZPACK.67935
AV BullGuard: Gen:Variant.Symmi.43232
AV CA (E-Trust Ino): Win32/Upatre.OCcFGPC
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Symmi.43232
AV Eset (nod32): Win32/TrojanDownloader.Tiny.NKK
AV Fortinet: W32/Tiny.WMQ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.43232
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Dropper.WMQ
AV K7: Trojan-Downloader ( 004993d51 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Zbot.VXGen
AV Mcafee: PWSZbot-FBPG!BB1ACFF17166
AV Microsoft Security Essentials: TrojanDownloader:Win32/Dalexis.A
AV MicroWorld (escan): Gen:Variant.Symmi.43232
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Downloader.Ponik
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Trojan.Yakes

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\0b7022f1ad96962be56f71188b070753ff80eeb3.doc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\temp_cab_75156.cab
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Creates Mutex: 4718295
Winsock DNS: windowsupdate.microsoft.com

Network Details:

DNS: www.update.microsoft.com.nsatc.net
Type: A
134.170.0.157
DNS: www.update.microsoft.com.nsatc.net
Type: A
65.55.50.157
DNS: windowsupdate.microsoft.com
Type: A
HTTP GET: http://windowsupdate.microsoft.com/
User-Agent: Opera/9.25 (Windows NT 6.0; U; en)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.0.157:80

Raw Pcap
0x00000000 (00000)   47455420 2f204854 54502f31 2e310d0a   GET / HTTP/1.1..
0x00000010 (00016)   55736572 2d416765 6e743a20 4f706572   User-Agent: Oper
0x00000020 (00032)   612f392e 32352028 57696e64 6f777320   a/9.25 (Windows 
0x00000030 (00048)   4e542036 2e303b20 553b2065 6e290d0a   NT 6.0; U; en)..
0x00000040 (00064)   486f7374 3a207769 6e646f77 73757064   Host: windowsupd
0x00000050 (00080)   6174652e 6d696372 6f736f66 742e636f   ate.microsoft.co
0x00000060 (00096)   6d0d0a43 6f6e6e65 6374696f 6e3a2043   m..Connection: C
0x00000070 (00112)   6c6f7365 0d0a0d0a                     lose....


Strings
CC
0
\
. 
.
`s
.
    
040904b0
3.3.2.3
- abort() has been called
AKERNEL32.DLL
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
binary search
CoInitializeEx() failed, 0x%x.
CompanyName
CONIN$
CONOUT$
Copyright (C) 2014 DevSpread Ltd.
- CRT not initialized
dbe invertdb tool
dddd, MMMM dd, yyyy
December
DevSpread Ltd.
DOMAIN error
DPE Invert Database Tool
dpeinvertdbtool
February
FileDescription
FileVersion
- floating point support not loaded
Friday
                                 H
         (((((                  H
         h((((                  H
HH:mm:ss
InternalName
invalidate
January
July
June
,/KPip
LegalCopyright
March
@Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
n(null)
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
October
OriginalFilename
/ P6pL
/-P?pR
ProductName
ProductVersion
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
runtime error 
Runtime Error!
Saturday
September
SING error
StringFileInfo
Sunday
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Translation
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
VarFileInfo
VS_VERSION_INFO
Wednesday
WUSER32.DLL
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
!"%&'().0O+IF
 !"#(),-121l
1f-#4(#*UTH
1ff=d!
/1ffff1
1ffff5
$%&'*+./3455n
468>H5
|$49=H)A
5>D!5!
5>D!54
5>D!56<
5ffffffff
*:69766
>6CC?>::776
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AppendMenuW
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
August
AVIBuildFilterA
AVIFIL32.dll
b(&98=
 Base Class Array'
 Base Class Descriptor at (
__based(
bbff01
BeginPaint
bO%<!b
b^vP:,>
C3W?	4
cannot be used
]C;;!C
__cdecl
 Class Hierarchy Descriptor'
CloseClipboard
CloseHandle
__clrcall
CoInitializeEx
 Complete Object Locator'
`copy constructor closure'
CorExitProcess
CoUninitialize
C{QPONJNP
CreateBitmapIndirect
CreateCompatibleDC
CreateDialogParamW
CreateFileW
CreatePopupMenu
CRTUVWWWV7
C_WWUUTRQC
?D!5ffffffff6#ff*gdf
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
DefWindowProcA
 delete
 delete[]
DeleteCriticalSection
DeleteDC
DeleteObject
dff??]
DJEEBD
D>&P~s-
DQPNNLD||O
dv4{ff%bSUffj#V
D|wQPOKNO
D$,y>I
`dynamic atexit destructor for '
`dynamic initializer for '
D~yrQQKOQ
DzPONNFOO
__eabi
effVff
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
EncodePointer
EndPaint
EnterCriticalSection
ExitProcess
ExitThread
+&({F.
'f35#4UTH
__fastcall
fdffbf
February
fegmgoffhfffjffffff6rfffvfffFffff&ffvfffdffcfffffffcffffffffVfffdffffffdff
'ffae*	
'ff%f%
fff0000
fff0000001
fff"'2'ffffCf
fff5.*1'6/H"**f5#236'6/H"**ffff5.#**UTH"**f1/(.226H"**f
fFf(f2fFfPfHfVf]fFf3f]fFf
ffFf50
{ffffff
{ffffffbg#
fffffffff
ff&fffffff&fffffff
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffjzffffffffff
ffffffffffffffffffffffffffffffffffffffffffffffffffffffgfff>ff
fffffffffffffffffffffffffffH
ffffffffffffffgf
ffffffffffffffgfobff.fff
`ff=fffgfes
fffffIfffffff)f
fff>mfffFfffjfffvffffffffffffff&ff&ffffffffffffffffffffffffffffffffffffffffffffffff
fff{%Of?D!5?D!5?D!5
fffRQW^T_Sf
{fffvff
+<ffgfffdfff
f	fHf	f
?FFKKNOPQ7
fFUf#Tff
{ff>vffffffffffffffffffffff
ffvffvffffvffvffffffvfffffffffff
Ff(VVWQ^KWVK"KS^Q^K6VVVVR9VTH
}ffZffffFff>mfffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffvff
fIfffff#
fIf_fHfTfSfFfNf1f
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
fOfffff!f#f2fffCf
fPfUfHf
FreeEnvironmentStringsW
Friday
fTfRfIf
FUVVWWW__6
FVUUTRRQP@
g$-,.0
GDI32.dll
GetACP
GetActiveWindow
GetClientRect
GetClipboardData
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDCEx
GetDeviceCaps
GetDlgItem
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetMenuItemInfoW
GetMenuStringA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetObjectA
GetOEMCP
GetParent
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSubMenu
GetSystemMenu
GetSystemTimeAsFileTime
GetTextExtentPoint32W
GetTickCount
GetUpdateRect
GetUserObjectInformationW
Gffffffff
Gffffffffffffffffffffffff
`h````
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
`h`hhh
HH:mm:ss
InitializeCriticalSectionAndSpinCount
InsertMenuA
InterlockedDecrement
InterlockedIncrement
InvalidateRect
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
January
JB@DBCCDCDCDDDEDEEEEE?DOxQJ
j@j ^V
 #$/J,-P
KERNEL32.dll
kfffvfffhfffdffffffffffffffFff
?KKKKKFFF
lB,8AQJ0p
LCMapStringW
LeaveCriticalSection
lffffffffffbf"f'f2f'fffffffffffffff+5% ffff
lffffffJfffffffeggfgfff
LoadCursorA
LoadLibraryW
LoadMenuA
LoadStringA
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxA
MessageBoxW
MM/dd/yy
Monday
MoveToEx
MQQQK>
MultiByteToWideChar
Nbff501
(*,nD9
 new[]
Nnff501
November
NPCEFB
(null)
:NXZ\yR
obff??5
October
ole32.dll
OLEAUT32.dll
`omni callsig'
ONONNNONOP
OpenClipboard
OPENGL32.dll
operator
OPPPJ>
__pascal
`placement delete closure'
`placement delete[] closure'
PPPPPPPP
@PQQQRRRT7
__ptr64
QQOKFC@?7>697
QQwQQL?
QueryPerformanceCounter
r+68G5
`.rdata
ReadConsoleInputA
ReleaseDC
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
__restrict
rH/CwA^
}rOxywzrPMPOPE>
RRQONFC@:9:7766
RtlUnwind
RWVUTRRQQQPPOOOO@
ryyQx|OONOD
rzyzyyyyyyyzzxyyxyzy{|
,S02F?
s6v&f98
Saturday
`scalar deleting destructor'
    </security>
    <security>
SelectObject
September
SetConsoleCursorPosition
SetConsoleMode
SetFilePointer
SetHandleCount
SetLastError
SetMenuDefaultItem
SetMenuItemBitmaps
SetStdHandle
SetStretchBltMode
SetTextAlign
SetUnhandledExceptionFilter
SetWindowTextA
SetWindowTextW
sFv&f]
sfv&f98=
sjv&f6
SL<<<=AAABHHNDQ:
srv&f0
^SSSSS
__stdcall
`string'
Sunday
s*v&f_
s*v&f]
s&v&f15
s"v&f6
sVv&f[
svv&fU
SZv&f1
t$$9|$
TerminateProcess
.t&f55
__thiscall
!This program cannot be run in DOS mode.
Thursday
< tK<	tG
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t"SS9] u
TTRQPNFC7>>>>9:
t$<"u	3
Tuesday
TUTRQPNKC?C@CC@6
;t$,v-
TVUTRQQP>FFCFFN?6
two elements
 Type Descriptor'
`typeof'
`udt returning'
__unaligned
UnhandledExceptionFilter
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
`virtual displacement map'
v	N+D$
v=us=q
[vv&f??]
WaitForMultipleObjects
Wednesday
wglDeleteContext
wglMakeCurrent
WideCharToMultiByte
 W=LhB,
wNMNPrrxzzyywwQQQPOMLEA>
WriteConsoleW
WriteFile
}|||w|z|QP}zrPx|rNMMJ
xppwpp
xpxxxx
yKDKNLKJJJFFECCA@??@EMN@
YRUUVVXXZ[\]^_``jkklml
|ywrLOP
ywrQM?
}yww|rQzyNNNNND
}|yxMOO
~||{yyxrrQQPPOOONLE?
z('$$]
}"/z1&f
Z5:D!5?D 5)D!56<
zffd{ffh{ffx{ffH{ff&{ff6{ff
zffffffffff
~}|zNOO
~~~~}|||||{{z{O
zTX^0s
zyQO|xQPPz
~zyywx|
}||zzyxrQQPPOONNNNNK?
||{zzyzrQQQPONOOMNMF
}|zzzyQPPPJ>