Analysis Date: 2015-02-12 00:43:08
MD5: c46b81205bfae25d478073cf28da015f
SHA1: 3f3b9607726e23dfb92f3bac39f6f465cc5ae555

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: da1094141d2c447e4fbd764af8c210fd sha1: 74baa697509cb26e294fd40cf6b88685631af6d5 size: 94208
Section .rdata: md5: 5a8e29ddcb7c798a2e6ac1fbbc35bfe0 sha1: 3f23eef2269558839192b56c1e25dcc8f083020e size: 20480
Section .data: md5: cb51c3bf2a1904a111b7ccfd402ad2ec sha1: 376ae8daab2068adee3b74f808c8aabd55edf7b6 size: 8192
Section .rsrc: md5: ba27cbbb4f4bbae9e1626807dff6f50a sha1: d3a41b0dbff541f68456851b251caeee421a3285 size: 4096
Timestamp: 2015-01-30 17:53:05
Packer: Microsoft Visual C++ v6.0
PEhash: 8c629287a03128482d66afa0e862a3ad890bbe27
IMPhash: 1f2996798e58439814a084c63c1315cf
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.2149077
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2149077
AV Authentium: W32/Trojan.FGBM-0906
AV Avira (antivir): TR/Agent.154733
AV BullGuard: Trojan.GenericKD.2149077
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.2149077
AV Eset (nod32): Win32/Kryptik.CWWH
AV Fortinet: W32/Kryptik.CWDU!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2149077
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.Win32.Crypt
AV K7: no_virus
AV Kaspersky: Trojan-Downloader.Win32.Goo.rhs
AV MalwareBytes: Trojan.Agent
AV Mcafee: RDN/Generic.tfr!eh
AV Microsoft Security Essentials: Trojan:Win32/Carberp.I
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\NVIDIA Corporation\Global\nvUpdSrv\value ➝ 15150124\\x00
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\MD7H82HHF7EH2D73

Network Details:

HTTP GET: http://72.172.88.151:24423/stat?uid=100&downlink=1111&uplink=1111&id=00016EF1&statpass=bpass&version=15150124&features=30&guid=3f392b9a-a181-4b1b-a2b7-ce58cda690af&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://62.212.154.220:53818/stat?uid=100&downlink=1111&uplink=1111&id=000182F6&statpass=bpass&version=15150124&features=30&guid=3f392b9a-a181-4b1b-a2b7-ce58cda690af&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://46.23.77.57:27571/stat?uid=100&downlink=1111&uplink=1111&id=000196DC&statpass=bpass&version=15150124&features=30&guid=3f392b9a-a181-4b1b-a2b7-ce58cda690af&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://54.247.67.39:24247/stat?uid=100&downlink=1111&uplink=1111&id=0001AA83&statpass=bpass&version=15150124&features=30&guid=3f392b9a-a181-4b1b-a2b7-ce58cda690af&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://62.210.217.195:49126/stat?uid=100&downlink=1111&uplink=1111&id=0001BE69&statpass=bpass&version=15150124&features=30&guid=3f392b9a-a181-4b1b-a2b7-ce58cda690af&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://159.253.129.110:48439/stat?uid=100&downlink=1111&uplink=1111&id=0001D200&statpass=bpass&version=15150124&features=30&guid=3f392b9a-a181-4b1b-a2b7-ce58cda690af&comment=15150124&p=0&s=
User-Agent:
HTTP GET: http://109.104.94.2:11754/stat?uid=100&downlink=1111&uplink=1111&id=0001E5C7&statpass=bpass&version=15150124&features=30&guid=3f392b9a-a181-4b1b-a2b7-ce58cda690af&comment=15150124&p=0&s=
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 72.172.88.151:24423
Flows TCP: 192.168.1.1:1032 ➝ 62.212.154.220:53818
Flows TCP: 192.168.1.1:1033 ➝ 46.23.77.57:27571
Flows TCP: 192.168.1.1:1034 ➝ 54.247.67.39:24247
Flows TCP: 192.168.1.1:1035 ➝ 62.210.217.195:49126
Flows TCP: 192.168.1.1:1036 ➝ 159.253.129.110:48439
Flows TCP: 192.168.1.1:1037 ➝ 109.104.94.2:11754

Raw Pcap
0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303136 45463126 73746174 70617373   0016EF1&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d336633 39326239   =30&guid=3f392b9
0x00000070 (00112)   612d6131 38312d34 6231622d 61326237   a-a181-4b1b-a2b7
0x00000080 (00128)   2d636535 38636461 36393061 6626636f   -ce58cda690af&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303138 32463626 73746174 70617373   00182F6&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d336633 39326239   =30&guid=3f392b9
0x00000070 (00112)   612d6131 38312d34 6231622d 61326237   a-a181-4b1b-a2b7
0x00000080 (00128)   2d636535 38636461 36393061 6626636f   -ce58cda690af&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303139 36444326 73746174 70617373   00196DC&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d336633 39326239   =30&guid=3f392b9
0x00000070 (00112)   612d6131 38312d34 6231622d 61326237   a-a181-4b1b-a2b7
0x00000080 (00128)   2d636535 38636461 36393061 6626636f   -ce58cda690af&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303141 41383326 73746174 70617373   001AA83&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d336633 39326239   =30&guid=3f392b9
0x00000070 (00112)   612d6131 38312d34 6231622d 61326237   a-a181-4b1b-a2b7
0x00000080 (00128)   2d636535 38636461 36393061 6626636f   -ce58cda690af&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303142 45363926 73746174 70617373   001BE69&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d336633 39326239   =30&guid=3f392b9
0x00000070 (00112)   612d6131 38312d34 6231622d 61326237   a-a181-4b1b-a2b7
0x00000080 (00128)   2d636535 38636461 36393061 6626636f   -ce58cda690af&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303144 32303026 73746174 70617373   001D200&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d336633 39326239   =30&guid=3f392b9
0x00000070 (00112)   612d6131 38312d34 6231622d 61326237   a-a181-4b1b-a2b7
0x00000080 (00128)   2d636535 38636461 36393061 6626636f   -ce58cda690af&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..

0x00000000 (00000)   47455420 2f737461 743f7569 643d3130   GET /stat?uid=10
0x00000010 (00016)   3026646f 776e6c69 6e6b3d31 31313126   0&downlink=1111&
0x00000020 (00032)   75706c69 6e6b3d31 31313126 69643d30   uplink=1111&id=0
0x00000030 (00048)   30303145 35433726 73746174 70617373   001E5C7&statpass
0x00000040 (00064)   3d627061 73732676 65727369 6f6e3d31   =bpass&version=1
0x00000050 (00080)   35313530 31323426 66656174 75726573   5150124&features
0x00000060 (00096)   3d333026 67756964 3d336633 39326239   =30&guid=3f392b9
0x00000070 (00112)   612d6131 38312d34 6231622d 61326237   a-a181-4b1b-a2b7
0x00000080 (00128)   2d636535 38636461 36393061 6626636f   -ce58cda690af&co
0x00000090 (00144)   6d6d656e 743d3135 31353031 32342670   mment=15150124&p
0x000000a0 (00160)   3d302673 3d204854 54502f31 2e300d0a   =0&s= HTTP/1.0..
0x000000b0 (00176)   0d0a                                  ..


Strings
.nh..

aU5pT1hN
CompanyName
El7 a60S
Fv864
grass
grown
hapless
headscarf
home
honesty
inattentive
inexact
interfaces
j7Y1n64P yI8vG D54Ou6 v8a
jets
john
juniors
kits
Komodo Laboratories LLC
lamentations
libertine
librate
mansized
members
metabolise
millimetre
millisecond
minors
mockers
molestations
mortification
MS Sans Serif
nkP2
O0p12M7 Mi9s805 Cn7G d5Y35o63
onions
opticians
outboard
overcooked
pate
perception
pitied
Q3q1 y5j2q
VS_VERSION_INFO
WnBd Dv9j9Q
Y58 yJrZ7NZA s15ma9 d07780P8
()+{# 
0<9>+,
0,|\h<
0![j>'l
;0|{Pp
?1$c;~
/1+;{\P
/$ 2/'
2:3$sJ?M,M
=243,k
25YNyT
.2+#s:?|Lx
2z#0b;&L3
:3>.$?
31+;kTOU)U[^
3a[V>~lX
3js'c%V
<44PQ3
4a\6^<
:+4cS>e
}4vyGy
4Z{>x$
5%#/} 
5>|48|, 
5]|6h\_
59,dkNw
5a<V<Vd
5%\cnv
5/F qRnd6 
?5\\^^N
5O$%N[
5t,?cT6
65|,`#V
6clN_5f
6IteW'f#oZ
6:<\l.
6-,s+J	e
6Xdf^'
7:$,2S;%
. 76+",$
7P|]p^'&
)7S4UOU
80<#l*'+
80T3u+
8 4b{;
>8$|c 
8~dhv?]'
8d<&T]Q
8;N	F!
91<34k{
91\3vsP/.$
	?+954+
9KTu=`
;9Ld}nP
9lowl!
9M\%^c^.~;`
9mtg?_l.
9:T4][
9tdPn}?0
?9t$SO-
9\\^^v>04;<
_acmdln
_adjust_fdiv
}aH.=kT
aj6WLV-
AreFileApisANSI
ArqQxovSo
BackupWrite
=bAX^hC
BuildCommDCBA
BuildCommDCBW
	by&x\
CallMsgFilterA
CallNamedPipeW
CallNextHookEx
CancelIo
:cdvVH^-
ChangeClipboardChain
CharLowerBuffW
CharNextExA
CharPrevW
CheckDlgButton
cI&mko_
ClientToScreen
;cL&u{p8
CommConfigDialogA
CompareFileTime
_controlfp
ConvertDefaultLocale
CopyFileA
CreateDesktopW
CreateEventA
CreateEventW
CreateFileMappingW
CreateMailslotW
CreateMDIWindowA
CreateMutexA
CreatePipe
CreateSemaphoreA
CreateWindowExW
CreateWindowStationW
cr>OTu&
@.data
DdeCreateDataHandle
DdeFreeDataHandle
DdeQueryNextServer
DdeUninitialize
DeferWindowPos
DefFrameProcW
DefineDosDeviceA
DefWindowProcW
DeleteAtom
DeleteFileA
DeleteMenu
DialogBoxIndirectParamA
DisableThreadLibraryCalls
DispatchMessageA
DkWs~k
D<#O.58
DosDateTimeToFileTime
DragObject
DrawFrameControl
DrawIcon
DrawTextA
D$Tfoox
dz>x\(>
EnableMenuItem
EndDeferWindowPos
EnumDesktopsA
EnumDisplaySettingsW
EnumResourceLanguagesA
EnumResourceLanguagesW
EnumSystemCodePagesA
EnumSystemLocalesA
EnumTimeFormatsA
EnumWindows
e`WVfc_
eX7ndo
_except_handler3
ExitWindowsEx
ExpandEnvironmentStringsW
FatalAppExitW
FileTimeToLocalFileTime
FillConsoleOutputCharacterW
FindAtomA
FindCloseChangeNotification
FindFirstChangeNotificationA
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceExA
FindResourceExW
FindResourceW
FindWindowExW
!FiU)Do
FlushConsoleInputBuffer
FlushFileBuffers
FlushInstructionCache
FoldStringA
FrameRect
GD^6dM
GDI32.dll
GetACP
GetClassInfoA
GetClientRect
GetClipboardFormatNameA
GetClipCursor
GetCommState
GetCommTimeouts
GetCompressedFileSizeA
GetConsoleCursorInfo
GetCPInfo
GetCurrentThread
GetDateFormatW
GetDesktopWindow
GetDiskFreeSpaceExW
GetEnvironmentStringsW
GetExitCodeProcess
GetExitCodeThread
GetExpandedNameW
GetForegroundWindow
GetGUIThreadInfo
GetHandleInformation
GetKeyboardLayoutNameA
GetKeyboardState
GetLargestConsoleWindowSize
GetLastActivePopup
GetLogicalDriveStringsA
GetLogicalDriveStringsW
__getmainargs
GetMenuStringA
GetMessageTime
GetModuleHandleA
GetModuleHandleW
GetNamedPipeInfo
GetPriorityClass
GetPriorityClipboardFormat
GetPrivateProfileSectionW
GetPrivateProfileStringW
GetPrivateProfileStructW
GetProcessHeaps
GetProcessPriorityBoost
GetProcessTimes
GetProcessVersion
GetProcessWorkingSetSize
GetProfileStringW
GetStartupInfoA
GetSystemTimeAdjustment
GetSystemTimeAsFileTime
GetTempFileNameW
GetThreadDesktop
GetThreadLocale
GetThreadPriority
GetThreadSelectorEntry
GetUserDefaultLCID
GetVolumeInformationA
GetVolumeInformationW
GetWindowDC
GetWindowModuleFileNameA
GetWindowPlacement
GetWindowTextLengthA
GetWindowTextW
GlobalCompact
GlobalDeleteAtom
GlobalFindAtomA
GlobalHandle
GlobalMemoryStatus
GlobalReAlloc
GlobalUnWire
H0p.WKV
H3-{sHgeW
H?-d#SJe}W`&V
HeapCompact
HeapLock
Hi%/k+Wkn_
{Hp-7c
?hT_&f+c
~}h`W&n[
I`->+|
i0WcVN.e
I	-acv
I]-fsow
IMM32.dll
ImmGetContext
InflateRect
_initterm
InvalidateRect
InvertRect
IsCharAlphaW
IsDlgButtonChecked
IsMenu
*Isuw(hsoW
IsWindowVisible
IU]>&\
I?-\{VxnH
i*W#.b
i}W Vj
IY%.K[en/_
IZMnuo o2
izWpno'o3
#|J0}1X
<,$#JJ%5{
Jjmww(0ss
jKZ>*n
J$~NX}V .
^j&Wbh
JY}{X`V~
%`[.^k
K8utX_
KERNEL32.dll
KillTimer
KJ%ucx
KlUWff/w{ (bc
:&,Ks%/3csv
k*/{SP
Kt%03{
K~uP0U#vK]=.
-%KU	Yt^w
K&][~^ vbb;.
k&_;VT
KZUN&]+v3
L]}~ 8rt??<
?	la_^
LamnW7^t
la_V)\c^
=Ll%_k
LM%-{#xz
LoadCursorA
LoadIconW
lQ/-{+
L&U3~#Hz] V0b2
LXU>^,
LZ32.dll
LZOpenFileW
LZStart
M^5V\~
M{e`'n
MenuItemFromPoint
MessageBoxA
MessageBoxIndirectA
miOo-os
Mm]?vlx
Mni.=i<	t,
Module32First
M(}s0OKue[X
MsM'ukp
MSVCRT.dll
;MTu]xv8
Mx5mZ/
mZO~ep
N %b+&
Nb"?Z\V
n!gzW n
;nH1J?
N'm+/+c
NOe%'3
NPu}p 7
Nt%/Z%
N	UyZ8^
nYO&e#_
Nz=`\&
>O4+R[
Oa}f8od
OemToCharBuffW
Of'g[W&fcgf7'\c
ole32.dll
OLEAUT32.dll
O-m[/~
O}M8%dS
o)oc_n
OO-US~m
OQU}n`_
O{&	[qV'
O=-<Slu
OV5~|p0
p!0;1<
;P4]sN
PackDDElParam
PaintDesktop
pBRM)1
__p__commode
__p__fmode
pH_%V3
pI'u+ c
P<%lk?/
P`]~N0-
PostMessageW
Process32First
Process32Next
:P\Uf>
PUU~n _
>q4ot/w*eK/
Q58dTVU>
q8/s#OJ
QI%-csnO
Qiu'XsvOp
Q:mto_
Q;mT'u
Qn:"T*
qr>]*=
QXurT_
qyZ|`#m
R7u$8"|R
`.rdata
ReleaseStgMedium
RemovePropA
ri_-6{
R/>kTW~&
RP%%k#
R\UnV7
S2US6e
S6elWO
SendMessageTimeoutW
__set_app_type
SetClipboardViewer
SetCursor
SetDebugErrorLevel
SetPixelFormat
SetPropA
SetScrollPos
SetTimer
__setusermatherr
SetWindowContextHelpId
SetWindowsHookExW
SetWindowTextW
SetWindowWord
SetWinEventHook
SHELL32.dll
ShowScrollBar
SHQueryRecycleBinA
Sie7wl
:-\sn'
SwitchDesktop
sYOn=WTV.
SystemParametersInfoW
szWH.}#X2&c
>>$t+ 
<:|T`-
!This program cannot be run in DOS mode.
Thread32First
TI-}3 
?"TjR|
ToAsciiEx
tU]aQs
:u4X+.s3
u" ::d
U;-Dx\
u/h+Wkf
uj`wvx  rJ'
U!Nbe~
UnhookWindowsHook
UnpackDDElParam
UnregisterClassW
UpdateWindow
USER32.dll
;UtvQ^enWw
u]`.VcV
U`vvxp
V9bt^O
v"b:nL7
V	cu^x
VerLanguageNameW
_"V"fb
vip''+{#p
Vq^5^$V
/-[[VvV
WaitMessage
Wh~/8{
WinHelpW
WINNLSEnableIME
Wj&'+{;(lcgv7
)wmM;m
Wp^'&{K(
W!>Rde
wRHUU^6&
wvsprintfW
_XcptFilter
)x#mH/
x	PT!xQ
XQ>-4+T+
x}RNa$@
Xs^_V.n+W
XXnm__
%YK&u{``.vc 6J
Y&P>~}
\Y^~v0x;0<
_yV ~b
}yx(H[U
y*xsHo5/l+Wk
yY8V\v
,zc8.43
=z<`dn
 Zjno/(
,Zk~o('{3x
+ZKVe~
?Zl6W\.
#Z^tN/
	zy(xc
zY`y0`#