Analysis Date: 2014-04-21 14:26:50
MD5: d23597314b01c27446ad67650c0635f3
SHA1: 37a989cf3216de5c3a5797ebefc6502780bb70cc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f269f426b1b8f5d3e3e07287ac93f823 sha1: c47151d1a52682abf5424878bd6e1fd5fcb10a90 size: 21504
Section .rdata md5: f0364f549a2099be80d33d5ae03e4a55 sha1: 8f36f6743053fa07fe92801ab3fb0537c892d2af size: 4608
Section .data md5: d856143f5d02d0579d8504e0d8f4d87d sha1: 697061a3022b68ffce1ce80a677610709279dd3f size: 11776
Section .rsrc md5: 4a418767e6a58422d259a5fede50787a sha1: 5fc028b9b8573e5eb483154b727fac933dca81c4 size: 148992
Section UPX0 md5: d760df8f3bf8d0ecc117a43bd8342666 sha1: 3301ecc9e07ecfbdbf2cd5512e8202a243f910da size: 3072
Section UPX1 md5: 0ba19683d4c9dd1beffce79575477e82 sha1: 22890a319f06c1bb145a52097a502e7f80b89f94 size: 34304
Section .reloc md5: ca6b127ad61a23bb0ea05b7c44249c57 sha1: 7ac8f757a9ad1aa965b415590a9ec562582e9bae size: 3072
Section .aspack md5: 0d0a51a3371f08b9b739f6a8d0af2742 sha1: a378edbd74c72479b6e9f6a0c408b1a554e12db3 size: 15360
Section .adata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section > md5: 92d82e779f421cdaa68ae05afe9fbadb sha1: 9bf7b474314689d66ae4a05fb9d644ae27110f4c size: 244736
Timestamp: 2010-08-26 07:43:27
Version info:
LegalCopyright: Copyright(C) 2006-2009 QVOD
InternalName: QvodInstall.exe
FileVersion: 3, 0, 0, 0
CompanyName: Shenzhen QVOD Technology Co.,Ltd
ProductName: QvodInstall Module
ProductVersion: 3, 0, 0, 0
FileDescription: QvodInstall Module
OriginalFilename: QvodInstall.exe
PEhash: 287276436fe7fdf65cce7122724026adc95eeb79
IMPhash: 67d3144b8219775fb6c6a40a643e0dc5
AV avg: Win32/Wapomi.C
AV avira: TR/Patched.Ren.Gen
AV mcafee: W32/Fujacks.be
AV clamav: WIN.Virus.Wapomi
AV msse: Virus:Win32/Jadtre.L

Runtime Details:

Process
↳ C:\malware.exe

Creates File: PIPE\SfcApi
Creates File: C:\Documents and Settings\Infotmp.txt
Creates File: C:\WINDOWS\system32\upnphost.dll
Creates File: C:\WINDOWS\system32\xmlprov.dll
Creates File: C:\WINDOWS\system32\qmgr.dll
Creates File: C:\381b3edb.exe
Creates File: C:\WINDOWS\system32\mspmsnsv.dll
Creates Process: C:\381b3edb.exe
Starts Service: AppMgmt
Starts Service: BITS

Process
↳ C:\381b3edb.exe

Creates File: C:\WINDOWS\system32\appmgmts.dll
Creates File: PIPE\SfcApi
Creates File: C:\Documents and Settings\Infotmp.txt
Starts Service: AppMgmt

Process
↳ C:\381b3edb.exe

Creates File: C:\WINDOWS\system32\ntmssvc.dll
Creates File: PIPE\SfcApi
Creates File: C:\Documents and Settings\Infotmp.txt
Creates File: C:\WINDOWS\system32\tapisrv.dll
Creates File: C:\WINDOWS\system32\qmgr.dll
Starts Service: AppMgmt
Starts Service: BITS

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1148

Network Details:


Strings
...
040904b0
3, 0, 0, 0
CompanyName
Copyright(C) 2006-2009 QVOD
FILE
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFilename
ProductName
ProductVersion
QvodInstall.exe
QvodInstall Module
Shenzhen QVOD Technology Co.,Ltd
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
.adata
advapi32.dll
.aspack
DeleteService
ExitProcess
GetAdaptersInfo
GetModuleHandleA
GetProcAddress
iphlpapi.dll
kernel32.dll
LOADER ERROR
LoadLibraryA
MessageBoxA
mpr.dll
msvcrt.dll
OpenWindowStationA
.rdata
.reloc
rpcrt4.dll
SHDeleteKeyA
shell32.dll
SHGetSpecialFolderPathA
shlwapi.dll
The ordinal %u could not be located in the dynamic link library %s
The procedure entry point %s could not be located in the dynamic link library %s
!This program cannot be run in DOS mode.
user32.dll
UuidFromStringA
VirtualAlloc
VirtualFree
VirtualProtect
wintrust.dll
WinVerifyTrust
WNetOpenEnumA
ws2_32.dll
WSAEventSelect
wsprintfA