Analysis Date: 2014-04-19 05:33:34
MD5: 6d5fa48ce46002b9ec937af9182a4d44
SHA1: 2e048513851540f5fa63121aabe4a276a7af49ee

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: eda30d1af3bcf5a64784a1edc1e97729 sha1: 5d874f031cb006b05c76d56739e8c1f2d3fdc8e8 size: 20480
Section .rdata: md5: 2e7df2a05b732caf8d0e787452867a19 sha1: 8927eed20d2a5682c8c14175f32921fbaf169f58 size: 4096
Section .data: md5: 68801ac9bc1fca39067e2b98c81b54d5 sha1: 32e737a0eca7953c3a55b0d73cb6f8c19f3f6a96 size: 4096
Section .rsrc: md5: a02ea10647bfaf77efd7af0769056d4e sha1: 2c0b07d868145b6c39111343c21dd71a23bec21a size: 81920
Timestamp: 1999-11-17 02:14:39
Version:
LegalCopyright: Copyright © 1991 - 1999 Seagate Software, Inc.
InternalName: accwzcr
FileVersion: 8, 0, 0, 8
CompanyName: Seagate Software, Inc.
PrivateBuild:
LegalTrademarks: Seagate Crystal Reports is a trademark of Seagate Software, Inc.
Comments: Seagate Crystal Reports for Access add-in
ProductName: Seagate Crystal Reports
SpecialBuild:
ProductVersion: 8, 0, 0, 0
FileDescription: accwzcr
OriginalFilename: accwzcr.exe
PEhash: 068f45aea6c064c35ea47c366bb44cf4bf8ee1d2
IMPhash: 58f0572a0974ab0fb9e2e78b27e9cb60
AV avg: Win32/Sality
AV avira: W32/Sality.AT
AV mcafee: W32/Sality.gen.z
AV msse: Virus:Win32/Sality.AT

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\A1_0 ➝ 1416059451
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\Svc\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden ➝ 2
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\malware.exe ➝ C:\malware.exe:*:Enabled:ipsec
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\AntiVirusOverride ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\GlobalUserOffline ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Aasppapmmxkvs\-993627007\1768776769 ➝ 216
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\SYSTEM.INI
Creates Mutex: alg.exeM_1884_
Creates Mutex: uxJLpe1m
Creates Mutex: services.exeM_616_
Creates Mutex: svchost.exeM_1232_
Creates Mutex: smss.exeM_492_
Creates Mutex: userinit.exeM_264_
Creates Mutex: spoolsv.exeM_1376_
Creates Mutex: csrss.exeM_548_
Creates Mutex: svchost.exeM_852_
Creates Mutex: lsass.exeM_628_
Creates Mutex: winlogon.exeM_572_
Creates Mutex: svchost.exeM_792_
Creates Mutex: svchost.exeM_1024_
Creates Mutex: explorer.exeM_352_
Creates Mutex: svchost.exeM_1128_

Process
↳ C:\WINDOWS\system32\userinit.exe

Creates Mutex: uxJLpe1m
Creates Mutex: userinit.exeM_264_

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ NULL

Network Details:

Flows TCP: 192.168.1.1:1061 ➝ 79.98.23.30:80
Flows TCP: 192.168.1.1:1062 ➝ 173.245.61.73:80
Flows TCP: 192.168.1.1:1060 ➝ 119.145.168.16:80

Strings
 
\
.
w'...
. 7

0Crystal Report 8 ActiveX Designer Run Time Error
100904b0
 1991 - 1999 Seagate Software, Inc.
8, 0, 0, 0
8.0.0.0
8, 0, 0, 8
accwzcr
accwzcr.exe
Comments
CompanyName
Copyright 
FileDescription
FileVersion
         (((((                  H
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
Seagate Crystal Reports
Seagate Crystal Reports for Access add-in
Seagate Crystal Reports is a trademark of Seagate Software, Inc.
Seagate Software, Inc.
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
0A#n":
0B=pr@
0evf>o#n
0WNulx
0z%)!m
};1,98<,Wu]
1ZzW%C
25nPgt
+(>4]&
4peKWO
&|4QM[
4rIM,m
5:)JG7T
5s]g2\
63=Qp <
65OyH8 
{6k<-o
72@REm
7bJ[|=
7d}G>!
7|P;@(i
#8mg@z~f
9 <C/X
9i3e5I
9K*dDg
_9=Pv@
'ab-<e	
abnormal program termination
accwzcr_res_
"acxl;
A\ia|!-
AM	N:b
)`\"A+-n#
.?AV_com_error@@
.?AVtype_info@@
!.^BGmEn2
^b[l}a
)B\m#%5
b^ncEfA
B`nphS
/$	bU@
:c+2{7
>cb;O~G?@
CharNextA
CharPrevA
[.c<j{
cL	;&Uq
CoCreateInstance
CoInitialize
CoUninitialize
CS~;bN
cSd[LLveM
c>YJ[W%E
dEoaEs
dHt$}V
dm/LOc6
DO9I=H
DOMAIN error
DSUVWh
E.#-JNQ
	ETR&.|
ExitProcess
f#fZ!tj8
- floating point not loaded
FreeEnvironmentStringsA
FreeEnvironmentStringsW
fYMUsb
g.<?=emw(
GetACP
GetActiveWindow
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetProfileStringA
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetVersion
GLr*k=@
GwGfS5K
!;H28E
h/Ct&QO
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
HHtYHHtF
HW/6_[
$IEvnC:
IjVNAiB
InterlockedDecrement
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
i~tv#&G
>?ItvI
j.2|LeJQ
j-@7Xqe
J8-D$h-
Jco,gM8
jFD$kb^
JGy	(Xk
jLLWy:z
?j\OoR\
JUXZ;!
_Kb;dU
>KDZnrT>
KERNEL32.dll
kIU\"^7!
&kI&+v1
l7(/?"
LCMapStringA
LCMapStringW
 '/LEs 
}<l.i{
LoadLibraryA
LoadStringA
LocalFree
lstrlenA
*lt3}fcelu
)M#DjQ
MessageBoxA
Microsoft Visual C++ Runtime Library
MultiByteToWideChar
 MyY @
mzI)P	
$N"3G%M
nA5Jp,C
.nAwO)
nD>*1X
N>D>;E
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
nQPF99
<(nQ:r@9`
NTL]xsX
o>4Gqe
ole32.dll
OLEAUT32.dll
OleRun
OM;Bf,5
o(V`9V
 <p$7!
P<K>Qf:
Program: 
<program name unknown>
- pure virtual function call
		P&W^
qBnK]vW
QI4d3hG
qisr~z
QQSVWd
qsqK6Q
"Q"t82:}
R8Z}DsT[
RaiseException
.rdata
RtlUnwind
runtime error 
Runtime Error!
'sA4a6D
SetHandleCount
SetUnhandledExceptionFilter
SING error
sLanguage
sO;>|C;~
SS@SSPVSS
/subloc
T4ie)i
TerminateProcess
!This program cannot be run in DOS mode.
TLOSS error
>=T,PwP
TQK2pCu
t#SSUP
t.;t$$t(
T>uDTeQi
t$$VSS
$}=tv!v
U4E)g1Fs
uca-.3
UiR3{E
"UMhqc
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
Un%N@6c
user32.dll
USER32.dll
*/uxb9
U{Y$R%
VC20XC00U
VirtualAlloc
VirtualFree
,vir`yss
?w	b.L
w&@D-5
@%W'HWp
WideCharToMultiByte
WriteFile
~\wZ{#
:X8-?|
/xb.(5A3j
\=xd&%
XdW`AFE$
xeAb*<7
Xe.XRhx
[$Xl&:
x/^t}F
Y0rzhM
$yj5#Z
ywud{T
_^][YY
YYh0p@
;z(\9x
Z]*OYn`
ZuQZM4K
z<\[vz
zwB8ac