Analysis Date: 2014-11-02 20:44:08
MD5: fa90af949ca37aa7e4a0a658462ad0d4
SHA1: 191ed98a10af63434eb8857751e504df1db5d7d4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: 530eb5a48fcb5b81442f1c826b867e7e sha1: 2c8711b647a53472214102a8a85dd37086cf5a56 size: 83968
Section .rsrc: md5: fef6e43413df9e42634d521495dbb5a3 sha1: d6d8c821bb85ba128a35aa9a4be7af0888157092 size: 28672
Timestamp: 2012-04-25 10:21:53
Version:
  LegalCopyright: Microsoft Corporation
  InternalName: pic_new1450
  FileVersion: 1.00
  CompanyName: Microsoft Corporation
  LegalTrademarks: Microsoft Corporation
  Comments: Microsoft Corporation
  ProductName: Microsoft Corporation
  ProductVersion: 1.00
  FileDescription: Microsoft Corporation
  OriginalFilename: pic_new1450.exe
Packer: UPX -> www.upx.sourceforge.net
PEhash: 2ebb1f85b24a44f3dd1dde4d8644f6ed03b7fa46
IMPhash: e029f98a2da83608852f59fa44f95f0e
AV 360 Safe: Generic.Malware.SL!!.06847536
AV Ad-Aware: Generic.Malware.SL!!.06847536
AV Alwil (avast): Spyware-gen [Spy]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.ULPM.Gen
AV BullGuard: Generic.Malware.SL!!.06847536
AV CA (E-Trust Ino): Win32/FakeFLDR_i
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader6.16455
AV Emsisoft: Generic.Malware.SL!!.06847536
AV Eset (nod32): Win32/Spy.VB.NOQ
AV Fortinet: W32/VB.NOQ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Generic.Malware.SL!!.06847536
AV Grisoft (avg): Luhe.Fiha.A
AV Ikarus: Virus.Win32.Xorala
AV K7: Trojan ( 0027cf851 )
AV Kaspersky: Worm.Win32.Autorun.ejgm
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: PWS-FBTI!A9B00BD52675
AV Microsoft Security Essentials: PWS:Win32/VB.DX
AV MicroWorld (escan): Generic.Malware.SL!!.06847536
AV Norman: Generic.Malware.SL!!.06847536
AV Rising: no_virus
AV Sophos: Mal/VB-A
AV Symantec: W32.Harakit
AV Trend Micro: Mal_OtorunP
AV VirusBlokAda (vba32): Worm.AutoRun

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\SunJava ➝ C:\Documents and Settings\Administrator\Application Data\Sunjava\SunJava.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~DFB809.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: explorer.exe C:\191ed98a10af63434eb8857751e504df1db5d7d4\
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ explorer.exe C:\191ed98a10af63434eb8857751e504df1db5d7d4\

Network Details:

Strings
040904B0
1.00
Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
Microsoft Corporation
OriginalFilename
pic_new1450
pic_new1450.exe
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
ExitProcess
GetProcAddress
KERNEL32.DLL
LoadLibraryA
MicrosoftWindowsExplorer#
MSVBVM60.DLL
!This program cannot be run in DOS mode.
__vbaEx