Analysis Date: 2014-01-15 23:30:14
MD5: e1adacbad93f88dced1dbda23469210f
SHA1: 4127b96b5d15027eafcc027fd713abb71b34f804

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: dd4ff1acf66dece6dd621b0c2b5faff8  sha1: 1afb1aabc4444cf1725ad66cb331cbcfff59bb7d  size: 30720
Section .data  md5: 3fd82fcc3cf0c0692e0e466248ee3fbf  sha1: 73304225b866a642e29cc3b5c57e3c0161e35680  size: 2048
Section .rsrc  md5: 20fff3e8404250168b131c368bb7960e  sha1: b656ddbd8fd8f30cda813830842647680441d1ec  size: 35328
Timestamp: 2008-04-13 13:11:02 (PE header compile time; consistent with the xpsp.080413-2105 build tag in the version resource below)
Pdb path: notepad.pdb
Version info:
LegalCopyright: © Корпорация Майкрософт. Все права защищены.
InternalName: Notepad
FileVersion: 5.1.2600.5512 (xpsp.080413-2105)
CompanyName: Корпорация Майкрософт
ProductName: Операционная система Microsoft® Windows®
ProductVersion: 5.1.2600.5512
FileDescription: Блокнот
OriginalFilename: NOTEPAD.EXE
PEhash: bcef5e385bee2aa5f59b8490b2f8a4566922ace0
AV (Avira): W32/Luder.A
AV (ClamAV): W32.Luder.B
AV (MSSE): Virus:Win32/Luder.A
Note: all three engines agree on the Luder family while disagreeing on the variant letter (A vs. B), so the family name is the reliable signal, not the variant. The static details above (version resource, PDB path, OriginalFilename) describe a stock Russian-language Windows XP SP3 Notepad (5.1.2600.5512), which suggests the malicious content has been grafted onto a legitimate host binary; comparing the section sizes and hashes against a clean notepad.exe of the same build is the quickest way to isolate the added code.

Runtime Details:
Caveat: the only runtime artefacts recorded are a *_appcompat.txt file in %TEMP% and the spawning of dwwin.exe -x -s <event>, which is the Windows XP Dr. Watson / error-reporting path for a faulting process. The sample therefore appears to have crashed shortly after launch in this sandbox, so the absence of file drops, registry changes or network traffic below should not be read as the sample's full behaviour; re-run on a different OS build or with the crash analysed before drawing conclusions.

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\362e_appcompat.txt
Creates File: PIPE\lsarpc (LSA RPC named pipe; opened by many ordinary processes and not by itself indicative of malicious activity)
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 184 (Windows XP Dr. Watson crash reporter, launched by the system for a faulting process)

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 184

Network Details: no network activity was captured during this run. Because the process appears to have crashed almost immediately (dwwin.exe was spawned), the empty capture is not evidence that the sample lacks network capability.


Raw Pcap

Strings
 %% 
 %%.
 %%. 
041904B0
 (0x%04x)
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-2105)
ANSI
 ANSI. 
 Big Endian
commdlg_FindReplace
commdlg_help
CompanyName
	Ctrl+A
	Ctrl+C
...	Ctrl+F
...	Ctrl+G
...	Ctrl+H
	Ctrl+N
...	Ctrl+O
...	Ctrl+P
	Ctrl+S
	Ctrl+V
	Ctrl+X
	Ctrl+Z
 %d  
 %d, 
	Del
DEV Error!
Edit
fFpPtTdDcCrRlL
FileDescription
FileVersion
fMLE_is_broken
fSaveWindowPositions
fWrap
 "%%"h
.i%%
iMarginBottom
iMarginLeft
iMarginRight
iMarginTop
InternalName
iPointSize
iWindowPosDX
iWindowPosX
iWindowPosY
LegalCopyright
lfCharSet
lfClipPrecision
lfEscapement
lfFaceName
lfItalic
lfOrientation
lfOutPrecision
lfPitchAndFamily
lfQuality
lfStrikeOut
lfUnderline
lfWeight
Lucida Console
MainAcc
MAINACC	SLIPUPACC
 Microsoft
miWindowPosDY
MS Shell Dlg
Notepad
NOTEPAD.EXE
notepad.hlp
NpEncodingDialog
NPENCODINGDIALOG
OriginalFilename
Out of RC string space!!
ProductName
ProductVersion
/.SETUP
SlipUpAcc
Software\Microsoft\Notepad
StatusBar
StringFileInfo
szHeader
szTrailer
Translation
 (*.txt)
.txt
*.txt
UTF-8
VarFileInfo
VS_VERSION_INFO
 Windows
 Windows 
        />
! ,$&&'
&*$#$$#$*
.111,,,@Tf
2~hbrq_^P3-.
4bbbUTK
~||{4ncTK
4TTTTTAWK-
6~nC7~
6~$t7~
78;4O`
7~ls7~
8~4e;~
8877666.,,,&&&1TU
999877766mv.,0A@UTTTU
9v+|9v
AABFF3
AA@@Nu
AbortDoc
_acmdln
_adjust_fdiv
ADVAPI32.dll
AH[qzz
AIH$+#
</assembly>
<assemblyIdentity
        <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
C7~NJ7~
_cexit
_c_exit
CharLowerW
CharNextW
CharUpperW
CheckMenuItem
ChildWindowFromPoint
ChooseFontW
CloseClipboard
CloseHandle
ClosePrinter
CLSID\{ADB880A6-D8FF-11CF-9377-00AA003B7A11}\InprocServer32
CMGGPc
COMCTL32.dll
comdlg32.dll
CommDlgExtendedError
CompareStringW
_controlfp
CreateDCW
CreateDialogParamW
CreateFileMappingW
CreateFileW
CreateFontIndirectW
CreateStatusWindowW
CreateWindowExW
`.data
DDD.;;;11ATW
DefWindowProcW
DeleteDC
DeleteFileW
DeleteObject
</dependency>
<dependency>
    </dependentAssembly>
    <dependentAssembly>
<description>Windows Shell</description>
DestroyWindow
D]h@MMM)MMM
DialogBoxParamW
DispatchMessageW
DragAcceptFiles
DragFinish
DragQueryFileW
DrawTextExW
eC8>=Pb
EnableMenuItem
EnableWindow
EndDialog
EndDoc
EndPage
EnumFontsW
_except_handler3
ezst^(a6@@j
FFEEEDD
ffffffff
ffffffffffff`
FindClose
FindFirstFileW
FindTextW
FoldStringW
FormatMessageW
G7~"x7~
GDI32.dll
GetACP
GetClientRect
GetCommandLineW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetCursorPos
GetDateFormatW
GetDesktopWindow
GetDeviceCaps
GetDlgCtrlID
GetDlgItem
GetDlgItemTextW
GetFileAttributesW
GetFileInformationByHandle
GetFileTitleW
GetFocus
GetForegroundWindow
GetKeyboardLayout
GetLastError
GetLocaleInfoW
GetLocalTime
__getmainargs
GetMenu
GetMenuState
GetMessageW
GetModuleHandleA
GetObjectW
GetOpenFileNameW
GetParent
GetPrinterDriverW
GetProcAddress
GetSaveFileNameW
GetStartupInfoA
GetStockObject
GetSubMenu
GetSystemMenu
GetSystemMetrics
GetSystemTimeAsFileTime
GetTextExtentPoint32W
GetTextFaceW
GetTextMetricsW
GetTickCount
GetTimeFormatW
GetUserDefaultLCID
GetUserDefaultUILanguage
GetWindowLongW
GetWindowPlacement
GetWindowTextW
/GGGHITf
GlobalFree
GlobalLock
GlobalUnlock
gQccUN
gRa``]]z
gwwwwwwwwwwww`wwww
hhctrl.ocx
_initterm
InvalidateRect
irajjrzij.bzi
IsClipboardFormatAvailable
IsDialogMessageW
IsIconic
IsTextUnicode
iswctype
.:;;;;ITf
k7/4/;PT
KERNEL32.dll
L5'?)"""#
L5'%""#"$
            language="*"
lllkkkjj/bbQQTV
LoadAcceleratorsW
LoadCursorW
LoadIconW
LoadImageW
LoadLibraryA
LoadStringW
LocalAlloc
LocalFree
LocalLock
LocalReAlloc
LocalSize
localtime
LocalUnlock
LPtoDP
LRI?9\
lstrcatW
lstrcmpiW
lstrcmpW
lstrcpynW
lstrcpyW
lstrlenW
m\.1,,,,,2TW
MapViewOfFile
MessageBeep
MessageBoxW
mmdBEO]_
MMM3MMM
MMM7MMM
MMM9MMMxMMM
MMMAMMMNMMMKMMMFMMM@MMM7MMM,MMM!MMM
MMMBMMM
MMMdMMM"MMM
MMMdMMM(MMM
MMMFMMM
MMMJMMM
MMMjMMM>MMM*MMM
MMMjMMMXMMMLMMMAMMM4MMM%MMM
MMMkMMMXMMMLMMMBMMM2MMM
MMMlMMM'MMM
MMM^MMM
MMM=MMM
MMM:MMM
MMM?MMM
MMM	MMM
MMM|MMM4MMM
MMMmMMM'MMM
MMMnMMM(MMM
MMMQMMM
MMMrMMMaMMMQMMMDMMM9MMM,MMM
MMMrMMMKMMM
MMMrMMM`MMMRMMMFMMM:MMM.MMM"MMM
MMMSMMM
MMMsMMM+MMM	MMM
MMMtMMM+MMM	MMM
MMMWMMM
MMMYMMM
MMMyMMMfMMMVMMMKMMM@MMM2MMM%MMM
MMMyMMM/MMM
MMMzMMMKMMM
MoveWindow
msvcrt.dll
MulDiv
MultiByteToWideChar
            name="Microsoft.Windows.Common-Controls"
    name="Microsoft.Windows.Shell.notepad"
nLLLLZk7/5--Pb
notepad.chm
notepad.pdb
NTDLL.DLL
nuk{safe4.
n~~~~~~~~v
n~~~~~~~~~~~~v
n~~~~~~~~~~~~w`
n~~~~~~~~~~~~w`w
nwwwwwwww`ww
n~~~~~~~~~~~~w`x
oaaaa_ep
OFFEEEDDDD.111111RU
OpenClipboard
OpenPrinterW
PageSetupDlgW
PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADD
__p__commode
PeekMessageW
__p__fmode
pn~~~~
PostMessageW
PostQuitMessage
~~~p~p
PrintDlgExW
            processorArchitecture="x86"
    processorArchitecture="x86"
            publicKeyToken="6595b64144ccf1df"
/QGGGRT
QueryPerformanceCounter
ReadFile
RegCloseKey
RegCreateKeyW
RegisterClassExW
RegisterPenApp
RegisterWindowMessageW
RegOpenKeyExA
RegQueryValueExA
RegQueryValueExW
RegSetValueExW
ReleaseDC
ReplaceTextW
Ro```]]
rX+%"/
rZ8oWFFWwwvvC:QQQRa'
ScreenToClient
SelectObject
SendDlgItemMessageW
SendMessageW
SetAbortProc
SetActiveWindow
__set_app_type
SetBkMode
SetCursor
SetDlgItemTextW
SetEndOfFile
SetFocus
SetLastError
SetMapMode
SetScrollPos
SetUnhandledExceptionFilter
__setusermatherr
SetViewportExtEx
SetWindowExtEx
SetWindowLongW
SetWindowPlacement
SetWindowTextW
SetWinEventHook
SHELL32.dll
ShellAboutW
ShowWindow
_snwprintf
StartDocW
StartPage
sYR|nyywwx
t9VSSj
TerminateProcess
TextOutW
!This program cannot be run in DOS mode.
tnnTTi
toobRTi
TranslateAcceleratorW
TranslateMessage
^}}|tt
|tyg,1
            type="win32"
    type="win32"/>
UnhandledExceptionFilter
UnhookWinEvent
UnmapViewOfFile
UpdateWindow
USER32.dll
UTlZMSK
uuu4nncTK
u/VVWQ
~~~~~~~~~~~~v
    version="5.1.0.0"
            version="6.0.0.0"
~vfffffff~~~v
V`mdRQJ"& 
~~~~~~~w`
wcsncmp
wcsncpy
WFFFFW,)---<^
WideCharToMultiByte
WinExec
WinHelpW
WINSPOOL.DRV
w,)-**>R
WriteFile
wsprintfW
~~~~~~~w`w
wwwwwwwww
wwwwwwwwww
_XcptFilter
XL\[FGE
xlllkkkjj
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XRG???
Y3+)"""#
YRIPPPF
~~||{yy4naTV
||{yywuuuuu4oooTV
{yywwu
z>]N?@5
z_____/VK<-
ZZZNN/HHHHJTW
][[[ZZZNNOO/HH::;UU