Analysis Date: 2015-01-31 12:58:27
MD5: 025483178db0df030ebc9b30e212ee31
SHA1: 58c4614b5f9ff5ff176950861d40a6b42059c2e6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0 md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1 md5: 06473d6a3e1efeacd83cafbb427a3c59 sha1: 9d5f6058b6f81ac5e84be5a524e887b8cd9038ae size: 117248
Section .rsrc md5: 880f98ca736e4857a88d523e6da320c4 sha1: d5670a6a30534073a9582868da1878d76524f42b size: 13312
Timestamp: 2007-09-06 07:28:05
Version:
LegalCopyright: Copyright (C) 2003
InternalName: freegate
FileVersion: 1, 0, 0, 1
CompanyName:
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: freegate Application
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription: freegate MFC Application
OriginalFilename: freegate.EXE
Packer: UPX -> www.upx.sourceforge.net
PEhash: 4e59048367e3aaa51740ebb1a9b509efa7e9a8b7
IMPhash: f6bf5e676428275cc880efb98e86620e
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Proxy.2989
AV Emsisoft: no_virus
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: Virus.Win32.Agent
AV K7: no_virus
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Error Scanning File
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Dgdebdtf ➝ 54272
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: \Device\Netbios
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: w64.ziyoulonglive.com Type: A
DNS: w65.ziyoulonglive.com Type: A
DNS: w61.ziyoulonglive.com Type: A
DNS: w62.ziyoulonglive.com Type: A
DNS: w63.ziyoulonglive.com Type: A
Flows UDP 192.168.1.1:1031 ➝ 203.162.163.61:53
Flows UDP 192.168.1.1:1032 ➝ 203.143.49.230:53
Flows UDP 192.168.1.1:1032 ➝ 203.233.125.58:53
Flows UDP 192.168.1.1:1031 ➝ 198.189.5.3:53
Flows UDP 192.168.1.1:1032 ➝ 203.199.165.131:53
Flows UDP 192.168.1.1:1032 ➝ 203.172.54.250:53
Flows UDP 192.168.1.1:1031 ➝ 202.235.79.227:53
Flows UDP 192.168.1.1:1032 ➝ 203.113.42.57:53
Flows UDP 192.168.1.1:1032 ➝ 203.162.85.71:53
Flows UDP 192.168.1.1:1031 ➝ 64.235.32.206:53
Flows UDP 192.168.1.1:1032 ➝ 203.125.194.186:53
Flows UDP 192.168.1.1:1032 ➝ 203.124.6.74:53
Flows UDP 192.168.1.1:1031 ➝ 204.183.80.2:53
Flows UDP 192.168.1.1:1032 ➝ 203.102.161.121:53
Flows UDP 192.168.1.1:1032 ➝ 203.127.3.159:53
Flows UDP 192.168.1.1:1031 ➝ 66.118.80.4:53
Flows UDP 192.168.1.1:1032 ➝ 203.115.228.212:53
Flows UDP 192.168.1.1:1032 ➝ 203.0.119.200:53
Flows UDP 192.168.1.1:1031 ➝ 211.13.223.133:53
Flows UDP 192.168.1.1:1032 ➝ 203.176.121.65:53
Flows UDP 192.168.1.1:1032 ➝ 203.92.69.211:53
Flows UDP 192.168.1.1:1031 ➝ 143.246.0.1:53
Flows UDP 192.168.1.1:1032 ➝ 203.112.16.242:53
Flows UDP 192.168.1.1:1032 ➝ 203.245.210.85:53
Flows UDP 192.168.1.1:1031 ➝ 203.162.163.61:53
Flows UDP 192.168.1.1:1032 ➝ 203.203.156.55:53
Flows UDP 192.168.1.1:1032 ➝ 203.99.149.191:53
Flows UDP 192.168.1.1:1032 ➝ 203.106.164.87:53
Flows UDP 192.168.1.1:1032 ➝ 203.40.238.77:53
Flows UDP 192.168.1.1:1032 ➝ 203.79.100.18:53
Flows UDP 192.168.1.1:1032 ➝ 203.224.208.105:53
Flows UDP 192.168.1.1:1032 ➝ 203.108.251.82:53
Flows UDP 192.168.1.1:1032 ➝ 203.56.58.134:53
Flows UDP 192.168.1.1:1032 ➝ 203.48.241.183:53
Flows UDP 192.168.1.1:1032 ➝ 203.188.121.177:53
Flows UDP 192.168.1.1:1032 ➝ 203.189.119.196:53
Flows UDP 192.168.1.1:1032 ➝ 203.131.25.220:53
Flows UDP 192.168.1.1:1032 ➝ 203.89.84.146:53
Flows UDP 192.168.1.1:1032 ➝ 203.165.149.221:53
Flows UDP 192.168.1.1:1032 ➝ 203.38.15.18:53
Flows UDP 192.168.1.1:1032 ➝ 203.71.106.53:53
Flows UDP 192.168.1.1:1032 ➝ 203.69.245.237:53
Flows UDP 192.168.1.1:1032 ➝ 203.10.57.151:53
Flows UDP 192.168.1.1:1032 ➝ 203.60.100.204:53
Flows UDP 192.168.1.1:1032 ➝ 203.228.49.94:53
Flows UDP 192.168.1.1:1032 ➝ 203.145.8.64:53
Flows UDP 192.168.1.1:1032 ➝ 203.85.97.63:53
Flows UDP 192.168.1.1:1032 ➝ 203.173.173.181:53

Strings
e^f'
w$U
.
.+.
040904b0
1, 0, 0, 1
Comments
CompanyName
Copyright (C) 2003
FileDescription
FileVersion
freegate
freegate Application
freegate.EXE
freegate MFC Application
icro
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
PrivateBuild
ProductName
ProductVersion
SpecialBuild
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
`];,$?
)@@*(,(
01234H
& 0}#c:
,,0ddd
,0@@@F
0[H}& 8Ri*S
#0;Il=
0$kL<;
0V7Ka$
0)XwYS
~188881~
1HXA^U
1mD*,|
@2+0H 
20T?V@
 2222$(,0222248<@2222DHLPddd6T
~,?2Ay
2@D@C 
2hlh[2
2i	a(i
~2mS2r
2\<(-MUUVVVV
.#\2r	
&~2r"}USPUw
2V1'gh
313H3m3
]38eHu
<3f	48)
3m)alZ
-<3mw`
3R/U6:
/3SYSTEM\C
:443\libssl32.dll
,4460KL
48##yH*
4aksBf
4!G"GS
4joRs 
4MVPJD>84M
|4<va|tk
 _:56]
56789abcdef
?5~8S8F
5pr=4u
,5VSk4V5
61.ziyou!ng
66kH"q_\
<+6_9d
6 <(Td
6zb_{60;
7%7*747>7H71j
7Bn$:2
7Failed
7ktopF
[7ni#G
}7|T5]
7x-F3N?
>!(?8 ,
:8081o
~8880000/01
8dwebR
8TGPL!
@8Z->!	{W
940>YN
97o8+9d
&9^,=C
@&9( H
#9]_qkU
$-(_{A
%acmon
/ACrea8
<adFin4
ADVAPI32.dll
A=`H=n,@
A jo" o
)@&Ak/+%%
AQLwH'
aQS`G`
A$`&Rp
^ASerK2
Ask if c
aSk$Si
ASOFTW
.aspx??tC
A!x@s}
ba^bc?&@
b'Fk=	
B[NB9h
b+#/!T-
BU3ONO
*BWzA7
-BYPHPR@
'c= = 
(C)2002-
~C/| 4
C/\ 7[[
CConnecti
C,<F"6
;(CFu7
C>K\Pj@B
?CN&u=
CoInitialize
Cookieq: umm
~CQ@_c
CTjAR!A
.Ctrl-Alt-Z
curitIA9
%cuswa
CUV Wj?
Cwtqxb
C:z2Vl@G
d@0@@9
D$0XRU\
DEFGHIJKLMNOVT
dHHLC0
d"$^KY3
Dlg stm
#]dM8P
dPy`6"
d<qi&7
d.Remov
DRV_E@
Drv\obj5+i386\
DRy1'gn
d\t_001@ya<
dtld4@
D<uv,"
dyoBluff6
$e$4"iU	-o
>E>6Eq
E6{nh' 
e7!.>5f[
)E8t,u
eDdk _#
eInieizeE;
-equiv="
es\Tcp
ExitProcess
expFh)
Explor
@F0DDdBF
%;f3hV
F@3QWJ=
FAGAd%b
f)Cmd/!bug
fEXPLp
fgtxgHuaBao!laGhb'^Fu;	
FilNM?2
)F'N$W
&FreeGseSh
 FSu6cvh
f/U[p&L
F_Y?H#
g1T%c"'J
G3j@hh
#(+%G%7
G''+9T
GDI32.dll
	Gecp-Q
GetNetworkParams
GetPixel
GetProcAddress
~gGET2
`G HE!
ghijklm^
 ,ghosL
]GL23$
GL'87V
GlobalUn
gMx$8j
goskrn\
Gs9\PbA
G\SS9X
>%g.txt
,h$8DG
H8dL*vs
hdWTZis
)hfIQfq
@h]JTB
?hl=en&
 Hlhyn
hlp32L
H:%MSX4:)
h` OBF
h.rdata
Ht?Hu1
http://
H~t$(W27
HW&Shq
h@/	!y
H,\(YJ
I&0XqQ
?I@ 9y
'.iByIToWid
ID_HAND
i=EMU]i
IEW~)B
'ijKh@
INITjw8
InternetOpenA
i@@@,-P
iphlpapi.dll
ISKWScUE:
i@;ZYd
J_\6.f]
(j?9TU
Jb?sL=<
!j/D5j
jdRSD52
J	EQED
JFDt\t
j h.hH3 
`JHPDT
;*jI7H
`J||Ip
}J PE0	
jpX @W
j@QJL.y
$JQUWVR
jR>+ai: 
j[t&%U
j\u2<k 
JWETAn
@JZ$W	E
k0@-P!
<kAbjB&
 [k%e_
Keep/A
KERNEL32.DLL
KeWaitOS
K ex;t
kFE~tF
^"?KFO
k#gnbdi1I"
/'KHf=
Ki`r?+
_Kp	pf
	kqQ5Zp
#KSymb
k;XP\F`W
_=l)-(0x%08x1MAC:
LCID+LaH
lfC=_ p
lM	ypx
LoadLibraryA
L<QD\1Z
lr$GryxnGr$Gtws<
lt\)aLM1
LTQhdR
'Lv:,3
L[xV_AZ
M-5S(ofRs
M:\923
\maui\
$MC%U$h4
md5_mR
media3.minghui.org/dl/getl#ks
mEt-t^
MFC42.DLL
M\ FPy
'MHJue4g.j
Micgsof
MLKDc: 
MSVCRT.dll
mtf!qB{w
$^|MXz<
n2/bR_
N34;2#
n6B 5r8h,
Na0ERa73P
N\absrc\
_ncpymeDv
NETAPI32.dll
Netbios
n^H]p[
nkiQ~lr 
Nl?6PfO
 nLen ghJ
=NOTCONNECTED/Tw
N^@Pfy
!nPMoz
	<np|`r
>nsRwolv_
NV=fW^
O#7/-|!
~=$^Oa
O|_ALR
ObfDerp
o`bpha
OD$H\PE
OK/FwH
oKmKc_
ole32.dll
	o!Lzd
/O&NZX
?OO#%'GPP
OR%lFS
<!OrmbDJYd
#o"[u:
|Outpul
P3@,RV
]P6EF/:
P^cQ0O
pdfdoc
,p <GK
/phome.php?v=6.5/
P}~hxS
P?k/\G
Pk@ON Op
=PL@/bb
;pl,+R
PM$WPk,
p o(1_
p	Oturned off
`Pp	G>
PqXh0d
P $#tJ
pt{=Ke%
P-@U@VAVX
PWh,]T
PwrF)P
?Pwtus
P?xFNz
[Py*5w<
{QifkdPuunk
Qk~X9(x
QR0WB2I
qrstuvwxyz
q%),tf7'0
QX]kfmgzC
/Q__Z/1u
r3#?t}
R73UFO
r@b	g{
@rCpciU$*;
RcqgTi
rdrct.html@
RegCloseKey
rfDs_4
RH!%fCo
Rh~#kP
>RichN
-`\RL 
rLPN}F
rRcspVp
RROR_S
RyaXlf1
{RZ_^+
;s&B) Pvs
SHELL32.dll
ShellExecuteA
	sicK,!>E
S"<@.Km>
snKbip?
S;-+P5**
Sr:@_{
 StVc"
subscribe
s-"Xo 
t1Volu
TARTINGtw
!This program cannot be run in DOS mode.
tIY~6t 
-TM8-8
TRhtSYK~h@
t	<RrPU
TRYHTTPS
\ts?D[
T>TUW$
Tu-mCu
tu]tp* 
TV(K]S
ty_Bru
`]U2N`+
_UFAIL./Ah
Uh"PVqo7
umxxmu
univjty6F+gN
up IE pro
UR"^C4
Us)>aLXFgE
USER32.dll
UVVVWX
Uwd@>.]x
V)6=+?8x
vCv07<_8<^
vjBI\B
'VP'F=T
/,VPWQS
<,:VrqNi
[\?VS6
_]VSG?
VUu!G2
v,vKh%,
w\/_`3
(W6eO8
 w b \
>)~wH*
W;hTaX
WININET.dll
&WL8 *
,WQVU0^ij
Wrb=u:
WRG(X]<;6
WS2_32.dll
ww3L02y/viewf'umB?f=1
;/#(X]
 X0P6wkfb[
	\X+dB
X\`dddddhlp#
	xn9tX
Xo!Fi[
xr@Pl,
x^tE>fD
x,wQf[
XX]G4!
x>xrHs
xy %s:%d OK
 @Y()"
Y2 M{>d
@@YAXXZHWXcS
-ykzgnMB7
<Yo @p=S
Y_RUNN
Ys[n@+
_>Ytwo
yvIP0x
Z2W4J;
-Z66''=
z.m):c%
(#zO}Q
~zZJZQuKa