Analysis Date: 2015-10-27 15:19:48
MD5: 97604aeeb9450e2d93fb2381efd61592
SHA1: 5cb8e35942df104eb2ce54305fdd7fc623b55cc6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c62d82fe848317b9b2dbfb6554260acc sha1: e24f9573ecb1b9a0076f3d96ce6172ca3244d71a size: 28672
Section .rdata: md5: b879e0ee3afc8dfef239f039686046b3 sha1: 5c6af7641ca98b4b617c4b310fb2bcfe7da4f06c size: 8192
Section .data: md5: 7d6399ea800b499ed94618eb780fd840 sha1: b7992b99d56dbfbe4fb1b825ce92b3a4e41c810f size: 16384
Section .rsrc: md5: 5632fa0b6b6f0e4a5b3197e076983c88 sha1: 2c88936c0603079517e92bf3064dc2dfe7eeccb3 size: 16384
Timestamp: 1999-09-21 17:59:40
Version:
LegalCopyright: Copyright ? 2010
InternalName: Server
FileVersion: 1, 0, 0, 1
CompanyName: Microsoft
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: Microsoft Server
SpecialBuild:
ProductVersion: 1, 0, 0, 1
FileDescription: Server
OriginalFilename: Server.exe
Packer: Installer VISE Custom
PEhash: bc530bd53b351ce1322502cc1b4d01d6f312df88
IMPhash: fb3518abe2e2019f3af4d9acb91dda91
AV Rising: Backdoor.Overie!486D
AV Mcafee: no_virus
AV Avira (antivir): TR/ATRAPS.Gen
AV Twister: Virus.EC90@2FF50FF15@124.mg
AV Ad-Aware: Generic.ServStart.4A4E8FA8
AV Alwil (avast): Nitol-A [Trj]:ServStart-C [Trj]
AV Eset (nod32): Win32/ServStart.AD
AV Grisoft (avg): Generic34.ACWI
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/ServStart.AA!tr
AV BitDefender: Generic.ServStart.4A4E8FA8
AV K7: Trojan ( 0040f5c11 )
AV Microsoft Security Essentials: DDoS:Win32/Nitol.A
AV MicroWorld (escan): Generic.ServStart.4A4E8FA8
AV MalwareBytes: no_virus
AV Authentium: W32/QQhelper.C.gen!Eldorado
AV Frisk (f-prot): W32/QQhelper.C.gen!Eldorado
AV Ikarus: Trojan.Win32.ServStart
AV Emsisoft: Generic.ServStart.4A4E8FA8
AV Zillya!: Trojan.ServStart.Win32.3794
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: WORM_NITOL.SMB
AV CAT (quickheal): Trojan.ServStart.A4
AV VirusBlokAda (vba32): SScope.Trojan.Unigo
AV Padvish: no_virus
AV BullGuard: Generic.ServStart.4A4E8FA8
AV Arcabit (arcavir): Generic.ServStart.4A4E8FA8:Gen:Variant.Graftor.17698
AV ClamAV: WIN.Dropper.Inject-6
AV Dr. Web: Trojan.DownLoader5.3601
AV F-Secure: Generic.ServStart.4A4E8FA8
AV CA (E-Trust Ino): Win32/Nitol.AF

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauservyab\Description ➝ 启用下载和安装 Windows 更新。如果此服务被禁用，这台计算机将无法使用“自动更新”功能和 Windows Update 网站。 nbq (the report recorded this value as escaped GBK bytes; decoded here)
Creates File: C:\WINDOWS\system32\mmqcmg.exe
Creates Process: calc.exe
Creates Service: 自动更新vvm - C:\WINDOWS\system32\mmqcmg.exe (service name recorded as escaped GBK bytes; decoded here)

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1108

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1840

Process
↳ Pid 1120

Process
↳ C:\WINDOWS\system32\mmqcmg.exe

Creates File: C:\Program Files\Windows Media Player\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\lpk.dll
Creates File: C:\Program Files\Messenger\lpk.dll
Creates File: C:\Program Files\MSN Gaming Zone\Windows\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
Creates File: C:\Program Files\Windows NT\Accessories\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\Speech\lpk.dll
Creates File: C:\Program Files\Outlook Express\lpk.dll
Creates File: C:\temp\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\lpk.dll
Creates File: C:\Program Files\Internet Explorer\lpk.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\lpk.dll
Creates File: C:\RCX1.tmp
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\Windows NT\lpk.dll
Creates File: C:\lpk.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\lpk.dll
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\lpk.dll
Creates File: C:\Program Files\Internet Explorer\Connection Wizard\lpk.dll
Creates File: C:\Program Files\Movie Maker\lpk.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\MSInfo\lpk.dll
Creates File: C:\WINDOWS\assembly\NativeImages_v2.0.50727_32\dfsvc\d35c221f74db5d48b3aa3ad663400c85\lpk.dll
Creates File: C:\Program Files\Windows NT\Pinball\lpk.dll
Creates File: pipe\net\NtControlPipe10
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\lpk.dll
Creates File: hra33.dll
Creates File: C:\Program Files\Common Files\Microsoft Shared\DW\lpk.dll
Creates File: C:\Program Files\NetMeeting\lpk.dll
Deletes File: hra33.dll
Creates Mutex: wuauservyab

Process
↳ calc.exe

Network Details:

DNS: dnspod-free.mydnspod.net
Type: A
119.28.48.229
DNS: www.wg.gd
Type: A
Flow TCP: 192.168.1.1:1031 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1032 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1033 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1034 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1035 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1036 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1037 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1038 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1039 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1040 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1041 ➝ 119.28.48.229:8888
Flow TCP: 192.168.1.1:1042 ➝ 119.28.48.229:8888
