Analysis Date: 2014-12-20 01:46:29
MD5: c376a10454baf28f119e07ae74c40516
SHA1: 45d967318e6d60bb9c018681cb2fbdb8f9444e41

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 7f8c4f787d902e25a401364f745b17b6, sha1 699021a0aeafa04326f9144cc16b1ccd682f0732, size 77824
Section .data: md5 f44eb19f2170d27d794f515d0b02d2fc, sha1 d13366a09d35bc543ebbaaf7e15a13b44b4a13cc, size 18944
Section .rsrc: md5 fd71bbe0af4003327fdba5191b85d0fe, sha1 388eb57c11295412bc30c5d9940e900373aa8887, size 28160
Timestamp: 2012-08-05 14:58:34
Version info:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: xpnetdiag.exe
FileVersion: 5.1.2600.5512 (xpsp.080413-0852)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: Network Diagnostic for Windows XP
OriginalFilename: xpnetdiag.exe
The version resource claims to be Microsoft's xpnetdiag.exe from the XP SP3 build xpsp.080413-0852 (built 2008-04-13), yet the PE compile timestamp is 2012-08-05 and the Strings section below carries WinDbg 6.11.0001.404 user-interface resources; the version info is copied and not trustworthy, which is what MalwareBytes' Trojan.FakeMS.ED name refers to. Compile timestamps can be forged in either direction, so treat the mismatch as a red flag rather than proof on its own.
Packer: Microsoft Visual C++ ?.?
PEhash: e1448de0389003a1e4374b33baedb9872ccd5119
IMPhash: 40833af74e5a6e857af19b3c276b8453
AV results (23 of 29 engines detect the sample; 6 report no_virus):
AV 360 Safe: Gen:Variant.Zusy.15645
AV Ad-Aware: Gen:Variant.Zusy.15645
AV Alwil (avast): Buterat-OM [Trj]
AV Arcabit (arcavir): Gen:Variant.Zusy.15645
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen7
AV BullGuard: Gen:Variant.Zusy.15645
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.Mayachok.1
AV Emsisoft: Gen:Variant.Zusy.15645
AV Eset (nod32): Win32/Kryptik.AJLX
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.15645
AV Grisoft (avg): Agent_r.BLQ
AV Ikarus: Trojan.Win32.Lampa
AV K7: Backdoor ( 04c4cebd1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: Vundo.gen.hk
AV Microsoft Security Essentials: Trojan:Win32/Vundo.OD
AV MicroWorld (escan): Gen:Variant.Zusy.15645
AV Rising: 0x559ab097
AV Sophos: Troj/Agent-XQE
AV Symantec: Trojan.Gen
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\vphsisf.dll
Creates File: C:\WINDOWS\system32\vphsisf.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat
Persistence and injection both come from the AppInit_DLLs write: on Windows XP every subsequently started process that loads user32.dll maps the listed DLL at startup, so the dropped vphsisf.dll ends up inside most GUI processes with no further action by malware.exe (MITRE ATT&CK T1546.010). The deletions remove the Internet Explorer cache and cookie index files (index.dat) and the folder desktop.ini files under the sandbox user's profile.
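As an added example (not part of this sandbox report and not code from the sample), the detection a SOC would write for the AppInit_DLLs persistence above: Python that runs over constructed Sysmon-style events (EventID 13 = registry value set, EventID 11 = file create), flags every write to AppInit_DLLs whose DLL path is not on an allowlist, and records whether the writing process also dropped that DLL. The event records, the allowlist entry and the setup.exe path are constructed for the example; the registry key and vphsisf.dll path come from the report.

```python
import re
from collections import defaultdict

# Registry path of the AppInit_DLLs value in the "HKLM\..." form Sysmon uses,
# including the Wow6432Node copy consulted by 32-bit processes on 64-bit hosts.
APPINIT_VALUE_RE = re.compile(
    r"^HKLM\\SOFTWARE\\(?:Wow6432Node\\)?Microsoft\\Windows NT\\CurrentVersion"
    r"\\Windows\\AppInit_DLLs$",
    re.IGNORECASE,
)

# DLL paths an organisation has vetted. The entry is hypothetical; on almost
# every host this set should be empty. AppInit_DLLs paths are written in 8.3
# short form because the value's delimiters (space or comma) make paths with
# spaces ambiguous.
ALLOWLIST = frozenset({r"c:\progra~1\vendor\hook.dll"})

# Constructed Sysmon-style events (not from the sandbox run itself). The first
# two mirror the Runtime Details above; the rest are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\malware.exe",
     "TargetFilename": r"C:\WINDOWS\system32\vphsisf.dll"},
    {"EventID": 13, "Image": r"C:\malware.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\WINDOWS\system32\vphsisf.dll"},
    {"EventID": 13, "Image": r"C:\malware.exe",
     "TargetObject": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\DeviceNotSelectedTimeout",
     "Details": "15"},
    {"EventID": 13, "Image": r"C:\PROGRA~1\Vendor\setup.exe",
     "TargetObject": r"HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs",
     "Details": r"C:\PROGRA~1\Vendor\hook.dll"},
]


def split_appinit_dlls(value):
    """AppInit_DLLs holds a comma- or space-separated list of DLL paths
    (Microsoft documents both delimiters). Entries are returned lower-cased so
    they compare cleanly against paths taken from other events."""
    return [p.lower() for p in re.split(r"[,\s]+", value.strip()) if p]


def appinit_findings(events, allowlist=ALLOWLIST):
    """Return one finding per non-allowlisted DLL written to AppInit_DLLs.
    dropped_by_writer is True when the same process created that DLL in the
    event stream, i.e. the drop-then-persist pattern seen in the sandbox."""
    created = defaultdict(set)  # writer image (lower-cased) -> files it created
    for e in events:
        if e["EventID"] == 11:
            created[e["Image"].lower()].add(e["TargetFilename"].lower())

    findings = []
    for e in events:
        if e["EventID"] != 13 or not APPINIT_VALUE_RE.match(e["TargetObject"]):
            continue
        writer = e["Image"]
        for dll in split_appinit_dlls(e["Details"]):
            if dll in allowlist:
                continue
            findings.append({
                "writer": writer,
                "key": e["TargetObject"],
                "dll": dll,
                "dropped_by_writer": dll in created[writer.lower()],
            })
    return findings


if __name__ == "__main__":
    for f in appinit_findings(SAMPLE_EVENTS):
        tag = "drop+persist" if f["dropped_by_writer"] else "persist"
        print(f"[{tag}] {f['writer']} set {f['key']} -> {f['dll']}")
```

On the XP sandbox used here the value is honoured unconditionally. On Windows 7 the listed DLLs load only if LoadAppInit_DLLs in the same key is 1, and on Windows 8 and later with Secure Boot enabled the mechanism is disabled entirely, so on a modern host the same write is still worth alerting on but does not by itself prove the DLL ever ran. For a manual host check, `reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" /v AppInit_DLLs` shows the current value.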

Network Details:


Raw Pcap

Strings:
P.F
......
uriVttcetorla
\
.CC
 

040904B0
1Cycle through the possible initial break settings9Request that the debugger resynchronize with the debuggee
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-0852)
7Set the initial command for new command browser windows!Toggle the verbose output setting2Display the debugger time for every debuggee event1Display debugger and debuggee version information
8Configure mapping from file extension to source language
8User interface suspended, use .suspend_ui 0 to re-enable;Tiling would produce windows below the minimum allowed sizesToggling MDI emulation mode requires that all current windows be closed and all window settings be reset.  Proceed?
About WinDbg
ACannot query debuggee as it is running or has exited or shut down"Unable to create file '%s', %s
Activate window
&Add a line to the command history text
Add Image Path Directory
Add Source Path Directory
Add Symbol Path Directory
A deferred breakpoint has been set Unable to open workspace, %s
	ASM
Assembly Include Files
Assembly Source Files
Assertion Failed
Associate File with Scratch Pad
Attached processes can only be restarted by shutting down the existing process and creating a new one. This may lose specific characteristics of the current process as the debugger cannot perfectly recreate the environment that existed when the current process was created.
Attach to a running process
A window could not be updated, so the operation is only partially complete.
\\.\beep
Break (Ctrl+Break)
Browse For DLL 
Browse For File 
Browse For Log File
Calls
Call stack (Alt+6)
Cancel exits the operation.]The debugger is still working and cannot stop.  Answer Yes to continue to wait or No to exit.
Can't find '%s'
	CAPS
Cascade all floating windows&Horizontally tile all floating windows$Vertically tile all floating windows
C/C++ Include Files
*.C;*.CPP;*.CXX
C/C++ Source Files
cExiting without using 'q' or Stop Debugging may leave the debuggee in an unusable state.  Continue?
Clear the command history text5Evaluate current selection text in the command window9Display the currently selected type in the command window
Close active window
Close all source windows-Close all windows that are error placeholders"Open a new docked window container
Command
Command (Alt+1)
Command Browser
Command Browser (Ctrl+N)
Commands
CompanyName
Complex sessions that have multiple debuggees, multiple types of debugging or extremely long command lines cannot be restarted.
Connect to a remote sessionHRedirect debugging activity through a remote stub server (like -premote)
Copy (Ctrl+C)
Crash Dump Files	DLL Files	All Files
*.CS
C# Source Files
Cut (Ctrl+X)
<Debuggee must be stopped before breakpoints can be modified.
debugger.chm
Debug operations
*.DEF
Definition Files
Detach the current program
Dialog Files
Disassembly
Disassembly (Alt+7)
Display source when possibleGPerform symbol resolution for symbol strings without a module qualifier
*.DLG
*.DLL
Dock all undocked windows
Do you want the debugger to load and search the remaining symbols?
Do you want to open this file as a source file?1Unable to retrieve drag-and-drop filename, %s
Do you want to reload the file?  NOTE: This will not update breakpoint locations%Process %d is not a sleeping debugger
Edit operations'Move the selected text to the clipboard5Copy the selected text to the clipboard as plain text6Copy the selection and any formatting to the clipboard/Paste the clipboard text at the insertion point+Select all of the text in the active window?Write a textual representation of the window contents to a file%Copy all window text to the clipboard
Edit program breakpoints
Example Test
*.EXE
Executable Files	Log Files
Exit WinDbg
figaro32.dll
FileDescription
$File navigation, status and toolbars
File.Open Executable and File.Open Crash Dump should be used to open such files.
File operations
FileVersion
Find some text
Font
Generate report
GhostClass
Go (F5)
                                 H
         (((((                  H
Halt the current program
Help contents and searches
         h((((                  H
*.H;*.HPP;*.HXX	*.ASM;*.S
*.INC
InternalName
Invalid
Invalid process ID %ld7The command line arguments passed to WinDbg are invalid-The remote debugger connection to (%s) failed1The debugger could not connect using '%s', %s
Invalid Process Name %s
It may be corrupt or in a format not understood by the debugger.
KERNEL32.DLL
Kernel debugging control.Cycle through the available baud rate settings
LegalCopyright
Local kernel debugging is disabled by default in Windows Vista, you must run 'bcdedit -debug on' and reboot to enable it.(Unable to debug the local kernel, %s
Local kernel debugging requires Windows XP, Administrative
Locals (Alt+3)
Locals	Registers
*.LOG&*.DMP;*.HDMP;*.MDMP;*.KDMP;*.CAB;*.RUN
*.MAK
Manage event filters
Manage open windows
:Manage windows using the Multiple Document Interface styleDAutomatically open a disassembly window when source is not available
Map a remote drive Disconnect a mapped remote drive
Memory
MEMORY.DMP
Memory window (Alt+5)
Microsoft
Microsoft Corporation
 Microsoft Corporation. All rights reserved.
Move to a specified line number$Move to the currently executing code.Set instruction pointer to current source line
Move to the specified address
mscoree.dll
Network Diagnostic for Windows XP
No returns to the UI while the search proceeds.
	NUM
ObsoleteQuickWatch
of the instance you are interested in and use -p <pid>.
Only a single local kernel debugging session can run at a time.
Open a command browser window
Open a crash dump to debug
Open a memory window
Open an executable to debug
Open a saved workspace
Open a source file
Open Crash Dump
Open Executable
Open or close a log file
Open Source File
Open source file (Ctrl+O)
Open Symbol File For 
Open the call stack window
Open the command window
Open the disassembly window
Open the help index
Open the help search dialog
Open the help table of contents)Open the help for the current window type)Open help for the currently selected text
Open the locals window
Open the registers window
Open the scratch pad window"Open the process and thread window
Open the watch window
Open Workspace in File
 Operating System
Options
OriginalFilename
Out of memoryDDebugger did not start - please check your initialization parameters
	OVR
Paste (Ctrl+V)
*.PDB;*.DBG;*.SYM
Please stop the current debugging session first.NThe client cannot communicate with the server.  The session will be shut down.yThere is more than one '%s' process running.  Find the process ID
 Please truncate the following path:
Please wait until the engine finishes, or use Ctrl+Break to interrupt the engine.RThe command line arguments cannot specify more than one kind of debugging to start
Prefixing local variables with $! and global variables with <module>! will avoid any unnecessary lookup time.
privileges, and is not supported by WOW64.
	Proc
Processes and Threads
Processes and Threads (Alt+9)
ProductName
ProductVersion
Project Files
*.RC
Registers (Alt+4)
Registers are not yet known
Repeat the last find
Resource Files
Restart (Ctrl+Shift+F5)
Restart the Program"Stop debugging the current program
Retrieving information...
rpc4call32.dll
Run the Program)Handle the exception and continue running1Do not handle the exception, but continue running
Run to cursor (Ctrl+F10 or F7) Insert or remove breakpoint (F9)
'%s'
%s0Unable to write window text to file '%s', %s
Save the current workspace*Save the current workspace with a new name)Remove entries from the current workspace!Delete workspaces from the system Open a workspace saved in a file$Save the current workspace to a file
Save Workspace to File
%s&Could not attach to process %d, %s
%s'Could not find the %s Dump File, %s
%s<Could not start kernel debugging using %s parameters, %s
Scratch Pad
Scratch Pad (Alt+8)
Set the image search path
Set the source search path
Set the symbol search path
%s failed, %s
%s has changed since it was opened.  This may result in invalid breakpoints or other incorrect behavior.
'%s' is too long for a filenamelAn internal debugger error (%s) occurred in component '%s'.  Please contact Microsoft Technical Support.
%skThe selected workspace will start a new debugging session.
%slFailure when opening dump file '%s', %s
Sort mode utilites
Source
Source mode off
Source mode on
%s!Please enter a value for the path
Start kernel debugging
Step into (F11 or F8)
Step out (Shift+F11)
Step over (F10)
Step over the next statement Step out of the current function1Run the program to the line containing the cursor
%s)The remoting connection is already in use0Unable to connect to process server '%s', %s
Stop debugging (Shift+F5)
StringFileInfo
%s#Unable to find process '%s', %s
%s`WinDbg could not register file associations.  This operation requires administrative privileges.WWinDbg successfully registered file assocations for .DMP, .HDMP, .MDMP, .KDMP and .WEW.HThe file '%s' cannot be opened.  Cancel to prevent further file opening.
%s Workspace not found.  Create it?)Too many dump files specified, %s ignored
%s(Workspace %s already exists.  Overwrite? Unable to save workspace, %s
Symbol Files
Symbol information for the current line could not be located in the currently loaded symbols.
	Sys
TBorlandClass
Text Files
The command line that will be used for creation is
>The debugger could not contact the remote server given in '%s'OThe client is not using the same version of the remoting protocol as the server
>The debugger doesn't support additional dump information files
The file '%s' cannot be openedXThe maximum length for a path is %d characters.
The file you selected has an executable file or crash dump file extension.
The 'remote' command was not given the correct parameters.  Please consult the documentation for a description of the 'remote' command parameters
The 'server' command was not given the correct parameters.  Please consult the documentation for a description of the 'server' command parameters
*The system does not support detach on exit"Code not found, breakpoint not setSNo symbolic information was found for this file.
The system does not support local kernel debugging.
	Thrd
Toggle the status bar on or off,View or edit the font for the current window
Toggle the toolbar on or off
Trace into the next statement
Translation
*.TXT
Unable to get information, the engine is busy.
Unable to secure operation
Unable to use '%s', %s
Undock all docked windows
VarFileInfo
View program options
View the module list
View WinDbg's command line
VS_VERSION_INFO
Watch
Watch (Alt+2)
Watch window update took %.2g seconds.  This can be caused by slow symbol loading or by stale variables in the watch window.  If you don't need the watch window close it, or review its contents for validity.
*.WEW
WinBaseClass
WinDbg:6.11.0001.404 X86 
WinDbg cannot be initialized
WinDbgFrameClass	DockClass
~WinDbg was not successfully installed as the default postmortem debugger.   This operation requires administrative privileges.EWinDbg was successfully installed as the default postmortem debugger.%Could not create process '%s', %s
 Window arrangement and selection
Window placement information in this workspace is corrupt.  Windows may not be displayed as expected.  Window placement information will not be saved.
 Windows
Workspace could not be created&Unable to retrieve information, %s: %s
Workspace Files
Write Window Text to File
xpnetdiag.exe
Yes performs the search immediately.
You can choose to proceed with shutdown and recreation, change nothing and retry the existing attach or cancel the retry attempt.\WinDbg could not register URL protocols.  This operation requires administrative privileges.;WinDbg successfully registered URL protocols for remdbgeng.
You can manually move windows that are not in the desired state.
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0SSSSS
_1UzEE
1yL'f5
246OEAu
2'bqY8
+2G",-Y
3c!>r1
3tDtAtEl
7~*67~#
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
An application has made an attempt to load the C runtime library incorrectly.
AonuVn
AP tpdw
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
bC[	0G
BeginPaint
CAeeypNvet
CloseHandle
)C)/MC
c=M$ll:
CorExitProcess
CreateFileW
CreateWindowExA
- CRT not initialized
cs_.shWciNt@]I
D5.!~o
`.data
DDDDDDD
DDDDDDDDDDDDDDD
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcA
DeleteCriticalSection
DFnFnouA
dFtaLsm
DispatchMessageA
DOMAIN error
DrawTextA
dUO,bp
e4!\nq{lT
eayTsWCnistsaI
Ectlieog	DATa
eeoioF
elKLEiEdrKgy}
{E_M/8
EncodePointer
EndPaint
EnterCriticalSection
,\@ER2
ErAPae%Fol3
evqZ\yo
ExitProcess
##_exn
February
f,h]!pX
FindWindowA
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
Fo\\GWw`Lop
F\=pZA
FreeEnvironmentStringsA
FreeEnvironmentStringsW
Friday
=FUlOl
FVhH\A
GDI32.dll
Gdoetei
;G(d;OP
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileSize
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSysColor
GetSystemMetrics
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersion
GNePke
;G(`;_P
;G(q;RP
GWhH\A
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
H^eHdd
HFre!E.
HH:mm:ss
]HT[E&
!H;}Yzt?
I!CPf]
\!IHC!
I^`]j=
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IoeiAeAF
ioelM?eiZsaoi
IsDebuggerPresent
IsValidCodePage
iVjogD
JanFebMarAprMayJunJulAugSepOctNovDec
January
:jgeo!
j@j ^V
j(o},Js
j xfCt_
jXh0fA
Jznjvs
KEabG(
kernel32.dll
KERNEL32.dll
,`#KVK|
<KxTN>
l %5GN5
#latr/SM
LCMapStringA
LCMapStringW
lcY2^j
LeaveCriticalSection
leVllsoeouuAnr
	Lgcu4
liNiCle
{L)M_ 
LoadIconA
LoadIconW
LoadLibraryA
LoadStringA
LockResource
=`LSV5
ltD}RliE3
MbKa`v
MessageBoxA
&_;m#g
Microsoft Visual C++ Runtime Library
MlbpV$
MM/dd/yy
Monday
MultiByteToWideChar
N_k&WG
nM$}<~p#
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
;NPb;OP
NpS"VS
NQ!*QG
nsurU@7
*#O9UJ
October
palAiPnanimnyt2Ge
%ph(,S
{pJP5d
Please contact the application's support team for more information.
PPPPPPPP
Program: 
<program name unknown>
- pure virtual function call
PvI.Sch
+,#qMX
QueryPerformanceCounter
 R\dwes
RegCloseKey
RegisterClassExA
RegOpenKeyExA
;RichNP
rmeolaloHpclC
+RNJ_q
rnollueeAueoaluL
rrtexeo
RtlUnwind
runtime error 
Runtime Error!
RW'rw}
Rxmu[aeoK
!sa  o$E#
Saturday
!S@BgSl!#
sE2xdRl
September
SetHandleCount
SetLastError
SetParent
SetUnhandledExceptionFilter
sG?tMe
ShowWindow
SING error
strcat
Sunday
SunMonTueWedThuFriSat
T=-_+~
TerminateProcess
=  th2}
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
t#h\TA
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
T-ntSm
TranslateAcceleratorA
TranslateMessage
t"SS9]
tU2gtR
t$<"u	3
Tuesday
;t$,v-
Tv8OA?jK
tw,'fP
t+WWVPV
u2h4TA
UENQEB
uERu0eOs
u&h8ZA
ukOrtTr\onLLp
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
v9f5I*
VAeEgePTLra.6iVdGiP
vGdTlAlSlehxH2
v=I	Qk
VirtualAlloc
VirtualFree
v	N+D$
VVVVVVh
wbQ_u$
W*.Ceer
Wednesday
WideCharToMultiByte
Wiea.los 8E
WriteFile
wsprintfA
X$jN%m
};<xlr
XX(XH,1
ySN<wF
>=Yt1j
Z8+A]V
z"bo<9.