Analysis Date: 2015-07-24 07:12:05
MD5: fb6c25d27c50a091773fbf0c2cf7a77f
SHA1: 48e2ce3ce822107023352a1e8862153770ef0988

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: c9d8ead0daebbf25f59a8d6df0ac58c5 sha1: d12720c0b6be6ad948cbd872c37f07e0b04b4384 size: 90112
Section UPX1: md5: 981255501ec9fb603f263fe0f73c1593 sha1: f814afdb28598d993a29556eb0fad2a16e835eba size: 115200
Section .rsrc: md5: d69f476347d338cdebf891321e309948 sha1: c74572e5015e56dfefeceedab7d3f496f27a684b size: 5120
Timestamp: 2010-07-14 21:49:33
Version:
LegalCopyright: (C) Microsoft Corporation. All rights reserved.
InternalName: VSSVC.EXE
FileVersion: 5.2.3790.4021 (srv03_sp2_qfe.070211-2318)
ProductName: 360杀毒 主程序
ProductVersion: 5.2.3790.4021
FileDescription: 360杀毒 主程序
ConpanyName: Microsoft Corporation
OriginalFilename: VSSVC.EXE
Packer: Microsoft Visual C++ v6.0
PEhash: 6c96dd0947184a52568eafe4b99bf6ca5dda64d5
IMPhash: 8175c64c8fc743f8bf36097b64640918
AV Rising: no_virus
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Graftor.28034
AV Dr. Web: Trojan.Ludo.27
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Graftor.28034
AV BullGuard: Gen:Variant.Graftor.28034
AV Padvish: no_virus
AV VirusBlokAda (vba32): TrojanPSW.Bjlog
AV CAT (quickheal): no_virus
AV Trend Micro: TROJ_ZEGOST.SME
AV Kaspersky: Trojan-PSW.Win32.Bjlog.dtfz
AV Zillya!: Trojan.Redosdru.Win32.2857
AV Emsisoft: Gen:Variant.Graftor.28034
AV Ikarus: Trojan-PWS.Win32.Bjlog
AV Frisk (f-prot): W32/Zegost.F.gen!Eldorado
AV Authentium: W32/Zegost.F.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Graftor.28034
AV Microsoft Security Essentials: TrojanDropper:Win32/Zegost.B
AV K7: Trojan ( 00386dc51 )
AV BitDefender: Gen:Variant.Graftor.28034
AV Fortinet: W32/Bjlog.LBY!tr.pws
AV Symantec: no_virus
AV Grisoft (avg): PSW.Generic8.UEH
AV Eset (nod32): Win32/Redosdru.GL
AV Alwil (avast): Zegost-D [Drp]:Zegost-E [Drp]
AV Ad-Aware: Gen:Variant.Graftor.28034
AV Twister: Trojan.FA1519F2CEED3743
AV Avira (antivir): TR/Hijacker.Gen
AV Mcafee: RDN/Generic Dropper

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\ovgnvsjyvq\DependOnService ➝ NULL
Registry: HKEY_LOCAL_MACHINE\sOFtwaRe\ovgnvsjyv\seRVicemAIN ➝ SetupSave\\x00
Creates File: c:\obhqktomvd
Creates File: ovgnvsjyv
Creates File: C:\WINDOWS\system32\f5859b27.rdb
Creates File: c:\Documents and Settings\Administrator\Local Settings\temp\wxfribbxpe.dat
Creates Process
Starts Service: HidServ

Process
↳ Pid 1600

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 828

Process
↳ Pid 872

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1228

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1868

Process
↳ Pid 1192

Network Details:

