Analysis Date: 2014-09-04 23:38:02
MD5: 186b0f44f65e150c7adc9ce077fe434f
SHA1: 3b615ffd5c217a0576ccc5b691ddbf342fd77ab0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text:  md5 339d9d903c058705da46351abc65d912  sha1 f05d19d977e26374837c68cabd86e084805d8dec  size 1024
Section .rdata: md5 8013970f7c52c4cb5b3c11a726a2b2cb  sha1 40c0fd764dd27d6db6a647212efa7199534468cf  size 512
Section code2:  md5 a2828793777103275fc7aee40ab8fe54  sha1 f140b6098acd2ddda0d477885483ecbddf0ae64a  size 512
Section zdata:  md5 2447b871343f93a6f5b737ce06f13660  sha1 d8ef9cebcdf1446ca3d1fcffb1b87b6128e6edae  size 512
Section codej:  md5 72aab3599727f9b7622a9dfc918c6b55  sha1 92b58cb13201716372059595293b1caaaa9fc8a0  size 512
Section .rsrc:  md5 6531d882409acfbbb460c6fba0773636  sha1 f8080308ab6f485cef00229b6b1604960b09dba8  size 58880
Timestamp: 2014-04-11 14:23:11
Version info:
  LegalCopyright: Copyright (C) 2003
  InternalName: welled
  FileVersion: 4,1,4,24
  ProductName: welled Application
  ProductVersion: 2,3,2,5
  FileDescription: welled Application
  OriginalFilename: welled.exe
Packer: PE Diminisher v0.1
PEhash: 88851ac96a4161cfe7eeb1849af2b0c8f1c2767c
IMPhash: eaeaf27597bb0523389a72cda6281fd0

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\dirraguzotup ➝ C:\Documents and Settings\Administrator\dirraguzotup.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mastechn[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\solutioncorp[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\telenavis[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icigrain[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lexjuridica[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\shipeliteexpress[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\safetyconnection[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\berkshirebusiness[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mastechn[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\solutioncorp[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\telenavis[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\icigrain[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lexjuridica[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\shipeliteexpress[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\safetyconnection[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\berkshirebusiness[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: smtp.glbdns2.microsoft.com (Type: A) ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.138.105.21
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net (Type: A) ➝ 63.250.193.228
DNS: smtp.live.com (Type: A)
DNS: smtp.mail.yahoo.com (Type: A)
Flows: TCP 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows: TCP 192.168.1.1:1032 ➝ 98.138.105.21:25

Strings: