Analysis Date: 2014-01-25 16:00:56
MD5: e50e752bcaac72aec5fb21ed0f1c2322
SHA1: 37a9c8ee5b838d610f05d9890763981b6ab7c139

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: d796e4ff5c4d9c5ca2d1b90272d6d6b8  sha1: 0755e4acb128a57a55d97d2e967825b0a5393d30  size: 65536
Section .data  md5: 789f8dbcfc8423c0c1058375d02239bf  sha1: f0b25955806641c0017dfcc1eaafd33c8c24a187  size: 4096
Section .rsrc  md5: 95c3a4840354bf62ec32d7ce9f5c6cb2  sha1: 2b3cddb7b110e371697ebf99e4de9d01e8674e77  size: 4096
Section X?5K   md5: 46b79e7e19dd2375e5fa482cca331b6d  sha1: 935b9c6693c5d1d6f24960609cbb88a5a6b1cf58  size: 233472
Timestamp: 2001-07-19 19:30:07
Pdb path: pdb
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: copymar
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: copymar
OriginalFilename: copymar.exe
PEhash: 2dce5c3f727d4cd205c57b62afba3a99aeb09893
AV avira: W32/Etap
AV avg: Win32/Wapomi
AV msse: Virus:Win32/Mikcer.A
AV clamav: W32.Virus.Wapomi-1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\36c95706.exe
Creates Process: C:\36c95706.exe

Process
↳ C:\36c95706.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Keyboard Layouts\E0010409\Layout File ➝ KBDUS.DLL\\x00
Creates File: C:\Documents and Settings\Infotmp.txt
Creates File: C:\WINDOWS\system32\562A015C.tmp

Network Details:


Strings

000004E4
040904B0
%1 is an unimplemented method
6.10.0016.1624
about
accessimage
activeborder
activecaption
Adc#
ANSI(00)
application/x-javascript
application/x-shockwave-flash
application/x-unknown
application/x-vbscript
appworkspace
.asa
.asp
audio/wav
autoupdate
background
.BAK.{FEC69D39-ADBA-4928-98F0-3571AA97ABDF}
{BB7E11D6-5E67-4005-A530-ED1831D6A427}
.bmp
bold
bolder
border
bottom
Built by
buttonface
buttonhighlight
buttonshadow
buttontext
ByteCount
captiontext
@CBitmapSurface::EnableDefaultMappings
CBitmapSurface::SetMapping
CMarsProtStreamWrapper::Clone
CMarsProtStreamWrapper::Commit
CMarsProtStreamWrapper::CopyTo
CMarsProtStreamWrapper::LockRegion
CMarsProtStreamWrapper::Revert
@CMarsProtStreamWrapper::SetSize
CMarsProtStreamWrapper::UnlockRegion
CompanyName
content
Control Panel\Appearance
copymar
COPYMAR
copymar.exe
Copyright (C) Microsoft Corp. 1981-2000
.css
Current
Daily
.dat
default
desc
disabled
dkshadow
@donotdither
{E8055863-4956-4cbf-9CA5-46FF053A904C}
emars.ini
exceeded maximum command-line args %d
face
facetext
file
FileDescription
FileVersion
ForceReadOnlyMarchive
foreground
generaldialogs
.gif
gopher
graytext
Hardware\Description\System\CentralProcessor\0
hasfocus
High Contrast
highlight
highlighttext
hilight
hovered
hoverpressed
.htc
.htm
http
http://207.46.176.247/guidgen/guidgen.dll
@http://207.46.176.247/msndata-bvt/mdserver.dll
http://207.46.176.247/msndata/mdserver.dll
https
http://sqm.msn.com/guidgen/guidgen.dll
http://sqm.msn.com/msndata/mdserver.dll
image
image/bmp
image/gif
imageinfo.mii
@imageinfo.xml
image/jpeg
imagelist
image/pjpeg
image/png
image/x-png
inactiveborder
inactivecaption
inactivecaptiontext
infobackground
infotext
instantmsgr
instantmsgr_tabs
InternalName
italic
javascript
.jpg
left
LegalCopyright
light
lighter
local
logon
MachineInstID
mailto
manifest.xml
.MAR
MarsDataTest
marslib module %s started
MARS_ONLOAD
marsperf.log
MarsPerf shutdown
measure
mediaplayer
menu
menu_background
menubold
menutext
menu_text
~MHz
Microsoft Corporation
Microsoft(R) MSN (R) Communications System
.mii
Mode
#MSHTML#PERF#
msn://
MSN6
MSN6\
MSN6.INI
MSN Archive: Checksum Mismatch in file %s: %s
@MSN Archive Stability
msnbld
msndata
MSN is uploading non-personal data to improve our quality of service.  To disable this monitoring, go to My Settings.
msn://@ui.mar@/chanbar.htm
msnupdate!@#@.exe
.mti
name
 NavigateURL Complete
nccaption
ncmenu
ncsmcaption
ncstatus
.NEW.{9D6EAA4F-27B2-4407-AC72-4BBD2FCB6ED1}
news
nntp
normal
numimages
@OLPerf.dat
OriginalFilename
other
places
.png
popup
pressed
ProductName
ProductVersion
progress
rect
res://
right
RunCount
%s%08lX
scrollbar
searchbar
SelfHost
semibold
%s : fatal error -: 
shadow
shell
ShipFlags
sidebar
.skn
snews
Software\Microsoft\Mars\Performance
%s: %s
statusbar
StreamHandle
StreamName
strikeout
StringFileInfo
.swf
 %s%x
system
System\CurrentControlSet\Control\FontAssoc\Associated Charset
System\CurrentControlSet\Control\Terminal Server
telnet
text
text/css
text/html
text/plain
text/x-component
text/xml
threeddarkshadow
threedface
threedhighlight
threedshadow
tinycrt
titlebar
titlebar_text
toolbar
Translation
TSAppCompat
.txt
underline
update.exe
UseSysColors
ValidateMarchiveChecksums
VarFileInfo
.vbs
vbscript
VS_VERSION_INFO
wais
.wav
window
windowframe
windowtext
X-Description
.xml
@.xsl