Analysis Date: 2015-05-19 12:42:46
MD5: 6748f146638a3404092dab02f2b9c447
SHA1: 18584d1243ed97c7e94c61d047382eee9da209f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ec67b79f5f315a9e8cbec18311eb9c3a sha1: 6cb473b30e8db82415e2a5810309df1744fcee72 size: 49152
Section .rdata md5: b125ec673a3f5301e98eb3834b1b97d1 sha1: b3ce5299594f6ba9984fbee0dec059a5c8591862 size: 8192
Section .dataS5 md5: 00e57c6756c8396cd50ffe4b944949e8 sha1: d9ec8a47ba99cd7f894cc827f016eac08c256b13 size: 4096
Section .rsrc+ md5: 978fd2e6b451e86e1ecba687305f5fb5 sha1: 2fbf957c68a8e4f12a8d28513280f0ff2a638883 size: 4096
Timestamp: 1995-10-21 08:38:54
Version:
LegalCopyright: pals (C) logical
InternalName: redeposited laches literalistic
FileVersion: 93, 62, 233, 192
CompanyName: QSound Labs, Inc.
PrivateBuild: recomputable perspectives interferer
LegalTrademarks: mirage
Comments: negations
ProductName: pun
SpecialBuild:
ProductVersion: 243, 119, 86, 52
FileDescription: mobilities nonessentials lampposts
OriginalFilename: law.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 9129ec0c0ef4c2aea544bc8efa7b90e1dbffb5d1
IMPhash: d90e0aa0c8f8ecc78470f300276877cd

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 14141208\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://65.254.56.90:10703/stat?uid=100&downlink=1111&uplink=1111&id=00015F70&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
HTTP GET: http://213.192.92.3:53109/stat?uid=100&downlink=1111&uplink=1111&id=00017337&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
HTTP GET: http://212.175.86.17:42737/stat?uid=100&downlink=1111&uplink=1111&id=000186CE&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
HTTP GET: http://74.113.233.180:29380/stat?uid=100&downlink=1111&uplink=1111&id=00019A66&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
HTTP GET: http://108.163.219.2:49891/stat?uid=100&downlink=1111&uplink=1111&id=0001ADFE&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
HTTP GET: http://69.64.87.23:51447/stat?uid=100&downlink=1111&uplink=1111&id=0001C195&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
HTTP GET: http://213.192.92.3:53109/stat?uid=100&downlink=1111&uplink=1111&id=0001D53D&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
HTTP GET: http://133.242.1.99:27501/stat?uid=100&downlink=1111&uplink=1111&id=0001E8D4&statpass=bpass&version=14141208&features=30&guid=82e5d1d0-2c0f-458f-b864-88ac2ec9446d&comment=14141208&p=0&s=
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 65.254.56.90:10703
Flows TCP: 192.168.1.1:1031 ➝ 65.254.56.90:10703
Flows TCP: 192.168.1.1:1032 ➝ 213.192.92.3:53109
Flows TCP: 192.168.1.1:1033 ➝ 212.175.86.17:42737
Flows TCP: 192.168.1.1:1034 ➝ 74.113.233.180:29380
Flows TCP: 192.168.1.1:1035 ➝ 108.163.219.2:49891
Flows TCP: 192.168.1.1:1036 ➝ 69.64.87.23:51447
Flows TCP: 192.168.1.1:1037 ➝ 213.192.92.3:53109
Flows TCP: 192.168.1.1:1038 ➝ 133.242.1.99:27501

Raw Pcap
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303135 46373026 73746174 70617373   0015F70&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303137 33333726 73746174 70617373   0017337&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303138 36434526 73746174 70617373   00186CE&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303139 41363626 73746174 70617373   0019A66&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303141 44464526 73746174 70617373   001ADFE&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303143 31393526 73746174 70617373   001C195&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303144 35334426 73746174 70617373   001D53D&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303145 38443426 73746174 70617373   001E8D4&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   34313431 32303826 66656174 75726573   4141208&features
0x00000060 (00096)   3d333026 67756964 3d383265 35643164   =30&guid=82e5d1d
0x00000070 (00112)   302d3263 30662d34 3538662d 62383634   0-2c0f-458f-b864
0x00000080 (00128)   2d383861 63326563 39343436 6426636f   -88ac2ec9446d&co
0x00000090 (00144)   6d6d656e 743d3134 31343132 30382670   mment=14141208&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..


Strings
.
040904b0
243, 119, 86, 52
93, 62, 233, 192
Comments
CompanyName
FileDescription
FileVersion
H1yu
InternalName
law.exe
LegalCopyright
LegalTrademarks
mirage
mobilities nonessentials lampposts
negations
OriginalFilename
pals (C) logical
PrivateBuild
ProductName
ProductVersion
QSound Labs, Inc.
recomputable perspectives interferer
redeposited laches literalistic
SpecialBuild
StringFileInfo
VS_VERSION_INFO
6r+ g:
_acmdln
_adjust_fdiv
ADVAPI32.dll
(aje^"
aK.vSs(m
,B}~+1
bXbmGT
CharToOemBuffA
CLUSAPI.dll
ClusterNetworkCloseEnum
ClusterNetworkOpenEnum
ClusterNodeControl
ClusterRegDeleteValue
ClusterRegQueryInfoKey
ClusterRegQueryValue
CoFreeUnusedLibraries
CoLoadLibrary
comdlg32.dll
_controlfp
CreateClusterResource
CreateClusterResourceType
CreatePolyPolygonRgn
CreateWindowExA
@.data
DeleteClusterResource
EVUeNnM
_except_handler3
FindMediaType
FindMediaTypeClass
GDI32.dll
GetClusterGroupKey
GetFileVersionInfoW
__getmainargs
GetModuleHandleA
GetSaveFileNameA
GetStartupInfoA
GetTrusteeFormA
htBHt,
_initterm
JEK)z\	|
JJo{|	
J.vKFT
KERNEL32.dll
KQ&X6gq <
(]ky4:
LHm-^#
]$|M<Fr
midiInOpen
midiInReset
midiOutCacheDrumPatches
midiOutGetErrorTextA
midiOutOpen
{m)i`P
mixerGetID
mixerGetLineControlsW
mmioRenameW
Msi.dll
MSVCRT.dll
NDdeApi.dll
ole32.dll
OLEAUT32.dll
OleCreateMenuDescriptor
PathAddBackslashW
PathBuildRootA
PathCombineA
PathCompactPathExA
PathFindFileNameA
PathIsUNCServerShareA
PathIsUNCServerShareW
PathMakeSystemFolderW
PathParseIconLocationW
PathSetDlgItemPathA
PathStripToRootA
PathStripToRootW
__p__commode
PdhCloseLog
pdh.dll
PdhEnumObjectItemsA
PdhSelectDataSourceW
__p__fmode
pounding
probing
QJov7x
QrKk4o
`.rdata
RegisterClassExA
RemoveClusterResourceNode
ResUtilEnumPrivateProperties
ResUtilEnumResources
RESUTILS.dll
ResUtilStopResourceService
r|+S\R
__set_app_type
SetClusterGroupName
SetClusterNetworkPriorityOrder
SetICMProfileW
SETUPAPI.dll
SetupDiBuildClassInfoListExW
SetupDiDrawMiniIcon
SetupDiGetClassDevPropertySheetsA
SetupDiGetClassImageListExW
SetupDiGetDeviceInfoListDetailW
SetupDiGetDeviceInstallParamsA
SetupDiGetHwProfileListExW
SetupDiInstallClassA
SetupDiInstallClassExA
SetupDiOpenClassRegKey
SetupDiSelectDevice
SetupDiSelectOEMDrv
SetupGetLineTextA
SetupGetTargetPathA
SetupInitDefaultQueueCallbackEx
SetupInstallFileW
SetupLogErrorA
SetupOpenMasterInf
SetupQueryFileLogW
SetupQueueRenameSectionW
SetupScanFileQueueA
SetupSetDirectoryIdExA
SetupSetPlatformPathOverrideW
__setusermatherr
SHDeleteEmptyKeyW
SHELL32.dll
ShellExecuteW
SHEnumKeyExA
SHLWAPI.dll
SHQueryValueExA
SHRegDeleteEmptyUSKeyA
SHRegDeleteUSValueA
SHRegEnumUSKeyA
SHRegGetBoolUSValueW
SHRegQueryInfoUSKeyA
STGMEDIUM_UserFree
StrCatW
StrCmpIW
StrCSpnIA
StrCSpnIW
StrFormatByteSizeA
StrFromTimeIntervalA
StrIsIntlEqualA
StrPBrkA
TabbedTextOutW
!This program cannot be run in DOS mode.
=(u89aK
urlmon.dll
URLOpenStreamW
USER32.dll
UX[+QC
v6yBrj
VerInstallFileW
VERSION.dll
waveInClose
waveInUnprepareHeader
waveOutBreakLoop
WINMM.dll
X	$BmT
_XcptFilter
yg@QC3u<Jo
Zg}t1L