| Analysis Date | 2014-08-30 04:51:49 |
|---|---|
| MD5 | 62f7c79e6f2fd55cf7511a40177200d6 |
| SHA1 | 0cf91c1228ec8b09bf39b5e7d0f04c1201c093cd |
Static Details:
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit | |
|---|---|---|
| Section | .text md5: a312e996c34e8cd6aff598c9bfce1d71 sha1: d1b8ca327182e02ea5377bff57ecd1225c495dcf size: 12288 | |
| Section | .rdata md5: 35667106ef1871713541b72070f67d77 sha1: a92d81359bba1197313718ae5bcbcedd1cd3effe size: 4096 | |
| Section | .data md5: 1f8df12252c54144b72ac097ad6262d0 sha1: 0fe443952f55ec294986e71937696388a2dbbc32 size: 151552 | |
| Section | .rsrc md5: 5cff4d786f2c19819708f8b05398365a sha1: 42c29a07e90fa0ac263d0eb6e447ca3d5913536e size: 4096 | |
| Timestamp | 2014-08-25 06:30:25 | |
| Packer | Microsoft Visual C++ v6.0 | |
| PEhash | ceb97676ccf48916b9e1f4ced0d88cd4afcb01c0 | |
| IMPhash | 877e930d6e2f308501ad9de053bdefe5 | |
Runtime Details:
| Screenshot |  |
|---|
Process
↳ C:\malware.exe
| Registry | HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL |
|---|---|
| Registry | HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL |
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1 |
| Creates File | C:\Documents and Settings\All Users\SxS\NvSmart.exe |
| Creates File | C:\Documents and Settings\All Users\SxS\NvSmartMax.dll |
| Creates File | C:\Documents and Settings\All Users\SxS\xxx.xxx |
| Creates File | PIPE\lsarpc |
| Creates File | \Device\Afd\Endpoint |
| Creates File | C:\Documents and Settings\All Users\k.kkk |
| Creates Process | C:\WINDOWS\system32\msiexec.exe 209 1228 |
| Creates Mutex | DBWinMutex |
| Creates Mutex | ZA-MUTEX |
| Winsock DNS | 127.0.0.1 |
Process
↳ C:\Documents and Settings\All Users\SxS\NvSmart.exe
Process
↳ C:\WINDOWS\system32\msiexec.exe 209 1228
Network Details:
| Flows UDP | 192.168.1.1:53 ➝ 192.168.1.1:53 |
|---|---|
| Flows UDP | 192.168.1.1:53 ➝ 192.168.1.1:53 |
Raw Pcap
Strings
\
.
&.
t
.
.+.
m.t
].O
.
^
B.
About
Copyright (C) 2012
&File
((((( H
h&About ...
Hello World!
&Help
iE&xit
Shell7
SHELL7
Shell7 Version 1.0
System
`(^$&~
1=3|ZqB
:!:+1Fr
1X0-2?
& %2\\
2/4}1,3
2=JeHT
#-2`z$
'37k{)
3^8\ix(
3fBk]k
3r@pJ}
*3vC#6
4;^et2
=4IcVI
4vr|-O
5k#pM\J
5WB_]E
6}0Q.B
6>mEk \h}
6n]vag
6Pv:5R
7~:4kr
74X1c)
:}7g9Cn
7O]61!
@7??w5-
7YPr} }
#84|$#
8DFrPw`
8#~y>`)
8y{>Xa?
^9`0If
@9hpy}
!9={O
.,9rj>kS|
9w-};nO
9$xQ{X
A@*b:-
abnormal program termination
}AGXuwT
_aiCMx
#Am)}Yj
ArcCwO
<aX=_,
b\/2J
BeginPaint
_B?HhC+
B}iBxy
BmIlNC{G%
%)B^mT
b:QG|ae
Bt24+
Bt8]ml
bU\{E|
C80^0k
.+c=G^
cg5n/)ww
cGLjh:
'{clj%
c#!p:8d
cp[U~J
CreateWindowExA
'C_y c
c\yC0c
d4w4p=
@.data
DefWindowProcA
DestroyWindow
dHi#u>
D[!,}i
DialogBoxParamA
DispatchMessageA
D,>Iwm1MHq
DOMAIN error
D$PjdPjjQ
DrawTextA
\dR'Qr
DSUVWh
Du6NC o5GW 2ZI!
D`_XMb:
]e3g|E
EaV(JVX
e(~ja2
EndDialog
EndPaint
~E"U)&
)\E!vuM
?e>#W<
ExitProcess
EXR"K9
Ff;M |
fg4B|>
FiyK][
- floating point not loaded
<=(F=R
FreeEnvironmentStringsA
FreeEnvironmentStringsW
f=vaW:ZR
.(<fW%
FwneO' s,
[# G+~
G>*2pYC
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetVersion
GH:jFf@
gR8kx_
g(RDd]2
g^uaRV|
GV?8tK.JX
GW@N F
h2[?+K
H# &a:
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HEc(iI
[hg;@[
HJ6 %S
hL+Lj&
H n}9o
hnYFh5
H}rD)'T
hSLB9H&
htAHt%
i_dapnt
i*I\Dg
iKz-di
IUupz*
~I")W:
j2#tSQr
J^2W3z=7j
J(6J?hCk
;J'@8c
*Jff=1*
@^JJ"3%
/)JKTL
J*'LX0
JrwS8,
jtM@ q7
JYKdVx
JZ-w ;
K0lJh2
k99JpV
k_#bw*
KERNEL32.dll
?KI>|d
["Kzhp2B
l"?-`-@
l1vxZ4
`l2@Q
LbDAD~
LCMapStringA
LCMapStringW
LeBV'TG
L=,H/4
|LiQwe
LoadAcceleratorsA
LoadCursorA
LoadIconA
LoadLibraryA
LoadStringA
l{:y)w
MBQVQx
M?Ck|h#
MessageBoxA
%MhEBt
Microsoft Visual C++ Runtime Library
mKK02L
mkR+tmW
'Mme!r
m! Ms}
mP4;9(
MS;c(vU
]MT(w7Z
MultiByteToWideChar
/mwjaa
MxH-Fv
mz>0t-1'
N0knse
?NfA7&F
+nfZpa
n<\h c
Ni*y=_
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
nO'TH}
nTzt(|
nxFKcef
^@%o|6=
O)c(VRe{
oGakeJ
![O;l@
/-ouMP
oVC7;GQ
{Oz{ +
$P c+e9
PostQuitMessage
Program:
<program name unknown>
*`ps)U
- pure virtual function call
P@us%P4
PVh0D@
]pXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pz+Xz@
->qD6i
qehuzB
"=qf=~K5
,Q$g9o
+QIQ5>4
ql['EX7O-
Qr,@@Nl
qsgehb
Q_s"hu
?qXT~y
Qy?LVp
R5C 4_
RbUKK2z}
*]rbx7
rcYUMe
`.rdata
RegisterClassExA
RJWZf:
RksaW*
rnm"bH{
)<_R(Q
RrfP0N+
*r*TGj'
RtlUnwind
runtime error
Runtime Error!
)Rz>l,
s 1&)Xm
.SaTf-
>sbcH78
Sc\PCE
Sec5B7
SetHandleCount
[Sh4D@
shH-pN
ShowWindow
~:.shT
SING error
s?p9im
SS@SSPVSS
sv@*'.
,sXhsoJS
Sy:#j=
szF>nh
!T3G+mK.
T$5TA,
t{<;9"
T-ARo
Tb\@Uo
TerminateProcess
!This program cannot be run in DOS mode.
@t];-]I
tJQK]"
)tJQlK
TLOSS error
!(tNg@<
TranslateAcceleratorA
TranslateMessage
t#SSUP
+{T( t/b
t.;t$$t(
*|<tU&j
t$$VSS
T WQz#|
T!y }^
t{<>Y]x(G
*U-)8e
=+$/uN
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UpdateWindow
user32.dll
USER32.dll
v$#40x
v7k_+}
`vC"1^4
VC20XC00U
v^>Fgz
^Vh4D@
VirtualAlloc
VirtualFree
V[j6O$
Vo9i<l
V+Wn'O
VWuBh$D@
v~x$?1
vX%.Rz
W7qzU%
W9 qu5
waM[Pms
WDuep>
wfD"Z\
WideCharToMultiByte
).;W>J%Y
{W#oZk
=wpuI/
W|QyX:q
WriteFile
&w%UBa)
"W%/w>[
"WWSh0D@
x|#dq7
!xi0qP^
XjWkKq
X$MA;wS
~X$N[
xO^$2uJ
XOF|s"
XxJq(HP
Y9)d_&
)Yd{Hc
^yM#j'
>Yn&Ud
%(YwjD3
YWM8VUj#
_^][YY
YYh P@
y(y\u5t*kY
Z"4a4v
Z4BJ+B
z8; ~"
?<z8s'
\z-AY{
--zdVdN
=%z{hA1(+
|"Z+)i
zqh*g&
)]\zrd*
;Z; S$(e
|_zty=
zu.w~%
'ZZh`zw