Analysis Date: 2014-10-13 22:30:38
MD5: 8c91ecfb2f3c4ab97fc1368b1dff2b66
SHA1: 6d07ece4f778fc4ff1b9c5e7caec5ccf81e58723

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 554ea6e3fb8adc2cef391a2a73c4b832 sha1: f56e8e1850238b3ed228b99be0e2cadbbdfdc0a4 size: 78336
Section .rdata md5: d358f23dfa77de0f3f6bf7fdd48e835b sha1: e307c3167156ae350bd0483049f3366431989c8a size: 8192
Section .data md5: 2124d03cdfa14a7a1b34f8a6ddb47f2a sha1: 1fb153d8c6694388d2938bc542ec72b21d65a017 size: 5120
Section .rsrc md5: cd8f78b354b2281fba88c76f74706d3a sha1: b6d442a96bcace04446e7353ed6aa0d7b5ed5b4b size: 9728
Timestamp: 2012-08-27 13:42:03
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: xpnetdiag.exe
FileVersion: 5.1.2600.5512 (xpsp.080413-0852)
CompanyName: Microsoft Corporation
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: Network Diagnostic for Windows XP
OriginalFilename: xpnetdiag.exe
Packer: Microsoft Visual C++ ?.?
PEhash: b6209fb8fc4dcd354f4caec76e2c785606ec09ae
IMPhash: 6d1e787e5525cde3b08e7e75a631e922
AV 360 Safe: Gen:Variant.Symmi.2767
AV Ad-Aware: Gen:Variant.Symmi.2767
AV Alwil (avast): Trojan-gen:Win32:Trojan-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Zusy.17217
AV BullGuard: Gen:Variant.Symmi.2767
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: no_virus
AV Dr. Web: Trojan.Mayachok.1
AV Emsisoft: Gen:Variant.Symmi.2767
AV Eset (nod32): Win32/Agent.SFM
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.2767
AV Grisoft (avg): Agent3.BZCD
AV Ikarus: Trojan-Downloader.Win32.Vundo
AV K7: Backdoor ( 04c4c2651 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: Vundo.gen.hk
AV Microsoft Security Essentials: Trojan:Win32/Vundo.OD
AV MicroWorld (escan): Gen:Variant.Symmi.2767
AV Norman: winpe/Kryptik.RKIT
AV Rising: Trojan.Win32.Generic.132D3F55
AV Sophos: Mal/Vundo-K
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_VUNDO.SMKK
AV VirusBlokAda (vba32): Trojan.Lampa
AV Yara APT: no_virus
AV Zillya!: no_virus
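The static details above carry an internal contradiction worth checking mechanically: the version resource claims to be the Windows XP SP3 build of xpnetdiag.exe (the FileVersion build tag "xpsp.080413-0852" encodes a build date of 2008-04-13), yet the PE link timestamp is 2012-08-27, and the strings section contains WinDbg menu text and a DOS device path (\\.\mustafa.sys) that a network-diagnostic tool has no reason to carry. The following script is an added example, not part of the sandbox report; it takes the values from this report as inline input, and the 30-day tolerance and the product-marker list are this example's own heuristics.

```python
"""Cross-check a PE's version-info claims against its other static artifacts.

Added example, not part of the sandbox report. The input values are copied
from the report's Static Details and Strings sections; the checks, the
30-day tolerance and the product-marker list are this example's own.
"""
import re
from datetime import date, datetime, timedelta

# Version resource and link timestamp as reported above.
VERSION_INFO = {
    "CompanyName": "Microsoft Corporation",
    "InternalName": "xpnetdiag.exe",
    "OriginalFilename": "xpnetdiag.exe",
    "FileDescription": "Network Diagnostic for Windows XP",
    "FileVersion": "5.1.2600.5512 (xpsp.080413-0852)",
}
PE_TIMESTAMP = datetime(2012, 8, 27, 13, 42, 3)

# Hand-picked subset of the report's printable strings.
STRINGS = [
    "About WinDbg",
    "View WinDbg's command line",
    "Network Diagnostic for Windows XP",
    r"\\.\mustafa.sys",
    "IsDebuggerPresent",
]

# Microsoft build tags look like 'xpsp.080413-0852': branch, yymmdd, hhmm.
_BUILD_TAG = re.compile(r"\(([A-Za-z0-9_]+)\.(\d{2})(\d{2})(\d{2})-\d{4}\)")
# Product names whose UI strings should not appear in a binary that claims
# to be a different product (constructed list for this example).
_PRODUCT_MARKERS = ("WinDbg",)
# A \\.\name string is a DOS device path, i.e. a handle to a driver object.
_DEVICE_PATH = re.compile(r"^\\\\\.\\[\w.]+$")


def build_date_from_file_version(file_version):
    """Return the build date encoded in a Microsoft FileVersion tag, or None."""
    m = _BUILD_TAG.search(file_version)
    if not m:
        return None
    yy, mm, dd = (int(x) for x in m.group(2, 3, 4))
    return date(2000 + yy, mm, dd)


def version_info_findings(version_info, pe_timestamp, strings, tolerance_days=30):
    """Return (code, detail) pairs, one per inconsistency found."""
    findings = []
    build = build_date_from_file_version(version_info.get("FileVersion", ""))
    if build is not None:
        delta = pe_timestamp.date() - build
        if abs(delta) > timedelta(days=tolerance_days):
            findings.append((
                "timestamp_mismatch",
                f"linked {pe_timestamp.date()}, claimed build {build}, "
                f"{abs(delta.days)} days apart",
            ))
    description = version_info.get("FileDescription", "")
    for s in strings:
        for marker in _PRODUCT_MARKERS:
            if marker in s and marker not in description:
                findings.append(("foreign_product_string", s))
        if _DEVICE_PATH.match(s):
            findings.append(("device_path", s))
    return findings


if __name__ == "__main__":
    for code, detail in version_info_findings(VERSION_INFO, PE_TIMESTAMP, STRINGS):
        print(f"{code}: {detail}")
```

A genuine Microsoft build rarely links more than a few days from the date in its build tag, so a four-year gap is a strong masquerade signal on its own; the device path is worth a separate note because the import table also lists CreateFileW and DeviceIoControl, which is how user-mode code would talk to a driver behind that name.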

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\vphsisf.dll
Creates File: C:\WINDOWS\system32\vphsisf.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\BSDHA97U\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\IIQ3LGTM\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\D4Z32ED8\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Cookies\index.dat
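The persistence mechanism above is the AppInit_DLLs value: a DLL listed there is loaded by every process that maps user32.dll, which on the Windows XP sandbox host happens unconditionally (the LoadAppInit_DLLs gate only exists from Vista onward). The script below is an added example, not part of the sandbox report; it parses the text of a `reg export` (.reg) file, the sample export is constructed for this example and reuses the value observed being written above, and the allowlist is the analyst's own (empty here).

```python
"""Detect AppInit_DLLs persistence in a registry export.

Added example, not part of the sandbox report. It parses 'reg export'
(.reg) text; the sample below is constructed and reuses the value the
report observed being written to the Windows key.
"""
import re

# Constructed sample of what 'reg export' of the affected key would give
# after the run described in the report.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"="C:\\WINDOWS\\system32\\vphsisf.dll"
"DeviceNotSelectedTimeout"="15"
"Spooler"="yes"
'''

# Both views of the key on a 64-bit host; only the first exists on 32-bit XP.
APPINIT_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows",
)
# Lower-cased DLL paths an analyst has vetted (constructed; empty on most hosts).
ALLOWLIST = set()

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]\s*$")
_STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"\s*$')
_DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\s*$')


def parse_reg_export(text):
    """Return {key: {value_name: value}} for REG_SZ and REG_DWORD values."""
    keys, current = {}, None
    for line in text.splitlines():
        m = _KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group("key"), {})
            continue
        if current is None:
            continue
        m = _STR_RE.match(line)
        if m:
            # .reg escapes backslash and double quote with a backslash.
            current[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("val"))
            continue
        m = _DWORD_RE.match(line)
        if m:
            current[m.group("name")] = int(m.group("val"), 16)
    return keys


def appinit_findings(keys, allowlist=ALLOWLIST):
    """Return (key, dll, gated) for every AppInit_DLLs entry not allowlisted.

    'gated' is the LoadAppInit_DLLs value (None when absent, as on XP,
    where the DLL list is honoured unconditionally)."""
    findings = []
    for key in APPINIT_KEYS:
        values = keys.get(key, {})
        raw = values.get("AppInit_DLLs", "")
        if not isinstance(raw, str) or not raw.strip():
            continue
        gated = values.get("LoadAppInit_DLLs")
        # The value is a space- or comma-separated list of DLL paths.
        for dll in re.split(r"[,\s]+", raw.strip()):
            if dll and dll.lower() not in allowlist:
                findings.append((key, dll, gated))
    return findings


if __name__ == "__main__":
    for key, dll, gated in appinit_findings(parse_reg_export(SAMPLE_REG)):
        print(f"AppInit_DLLs entry under {key}: {dll} (LoadAppInit_DLLs={gated})")
```

On a live host the same parser can be pointed at the output of `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows" out.reg`; any non-empty AppInit_DLLs value deserves a look, since legitimate software almost never uses it and the report shows the sample writing it with RegSetValueExW straight after dropping the DLL into system32.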

Network Details:


Strings
P
.8
.

040904B0
1Cycle through the possible initial break settings9Request that the debugger resynchronize with the debuggee
1Display debugger and debuggee version information
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-0852)
7Set the initial command for new command browser windows!Toggle the verbose output setting2Display the debugger time for every debuggee event1Display debugger and debuggee version information
8Configure mapping from file extension to source language
About WinDbg
Activate window
ButtonAlternateFace
ButtonDkA
ButtonLight
Cascade all floating windows&Horizontally tile all floating windows$Vertically tile all floating windows
Close all source windows-Close all windows that are error placeholders"Open a new docked window container
CompanyName
Control Panel\Desktop\WindowMetrics
CWindowClass
Debug operations
Detach the current program
Display source when possibleGPerform symbol resolution for symbol strings without a module qualifier
Dock all undocked windows
FileDescription
FileVersion
GradientActiveTitle
GradientInactiveTitle
                                 H
         (((((                  H
Halt the current program
Help contents and searches
         h((((                  H
HotTracking
InfoText
InfoWindow
InternalName
kernel32.dll
KERNEL32.DLL
Kernel debugging control.Cycle through the available baud rate settings
LegalCopyright
Manage event filters
Manage open windows
:Manage windows using the Multiple Document Interface styleDAutomatically open a disassembly window when source is not available
MenuBar
MenuHighlighted
Microsoft
Microsoft Corporation
 Microsoft Corporation. All rights reserved.
mscoree.dll
\\.\mustafa.sys
Network Diagnostic for Windows XP
ntdll.dll
Open a command browser window
Open the command window
Open the disassembly window
Open the help index
Open the help search dialog
Open the help table of contents)Open the help for the current window type)Open help for the currently selected text
"Open the process and thread window
Open the registers window
Open the scratch pad window"Open the process and thread window
 Operating System
OriginalFilename
ProductName
ProductVersion
Restart the Program"Stop debugging the current program
RPC4D.dll
Run the Program)Handle the exception and continue running1Do not handle the exception, but continue running
Shell Icon Size
Shell Small Icon Size
Step over the next statement Step out of the current function1Run the program to the line containing the cursor
StringFileInfo
Toggle the status bar on or off
Toggle the status bar on or off,View or edit the font for the current window
Toggle the toolbar on or off
Trace into the next statement
Translation
Undock all docked windows
VarFileInfo
View program options
View the module list
View WinDbg's command line
VS_VERSION_INFO
 Window arrangement and selection
 Windows
xpnetdiag.exe
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0A@@Ju
0SSSSS
"1%Me{=1M
,1m<:Q
1&UIBg
2d_4ja
2Trkkt
{{{{{{{3
{{{{{{{33
{{{{{{{330
3333333
33333330
33333333
3tFtAtEl
{3Xk J9O
5LUk^.-
6~mDM]x
'7*(r7
7Wp{Yly
[8E3ai
8YK5*5N
>:---9
&&}9D*
A 9cK2
aa%ioe3
aAtEBerTorl
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
a\hE{)wP};C
Akdl^k9
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
[b%58l
b63cMb:XI
'b8;8T
B!C5JV
BeginPaint
[b`P[^t
CeeiGFeT
#ch_}skWriTt\,n
CloseHandle
CorExitProcess
CoTaskMemAlloc
CreateBitmap
CreateFileW
CreateWindowExA
- CRT not initialized
d:84ly
D*]anzw
@.data
D)b#L8s]
DDDDDD@
DDDDDDDDDDD
DDDDDDGpw
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcA
DeleteCriticalSection
DestroyWindow
DeviceIoControl
DFnFnou
DialogBoxParamA
DispatchMessageA
dLs3%'
DOMAIN error
DrawTextA
eacTiW nosps
eC	?`p
&eeKns
e`gyPoLiaAGlVlGaPSc
eiAdeia
eitisl
eL/DLp
EncodePointer
EndPaint
EnterCriticalSection
er9ut?!5a
ExitProcess
F\=8XA
February
)f*egB
FindWindowA
FkEeteironxiAeaMEeA
fkkvedP
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
Foak<0
Fo\uinw_L
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FR===H
Friday
Fsl2Zd
GcrPeeleleHlc
GDI32.dll
Gdoetei
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageA
GetModuleFileNameA
GetModuleHandleW
GetOEMCP
GetPixelFormat
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSysColor
GetSysColorBrush
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
GetVersion
{;*g/*M
hAcnNV
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
hhx/Z6
hI6T[}
hp7:yK
I6o1N|Z
IlSlhheH
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
i UVDC
ixdRKmy
JanFebMarAprMayJunJulAugSepOctNovDec
January
)JGX(m
j hXeA
j@j ^V
jkj3I_U
jThhdA
/jWphWN[Z
k1KmvM
KERNEL32.dll
KNEtE2rtgF}e
{$kR;Ol
]kXDN&5
'@KXZ}{
#latr/SM<
lB.)J$
LCMapStringA
LCMapStringW
LDPj~s+
LeaveCriticalSection
leVllsoeouuAnr
liuTeA
"LJ>tp
#L$[>L
LoadCursorA
LoadIconA
LoadIconW
LoadLibraryA
LoadResource
LoadStringA
LockResource
:l;P:.C
lstrcmpiA
MessageBoxA
|(mhJ%
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
msI;ux
'Ms_uB2
MultiByteToWideChar
,n<k'&
nK)|;>
n_"	!no
NOq4Uz@
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
+N/UXG`
October
oedttCLemytN_e
O?|	G"
ole32.dll
@oo\rW
OstCriotLap
o su'Z
"o&`t~
ovD.HcrE
palAiPnanimnyt
pH - YHY]
Please contact the application's support team for more information.
Please wait...
!pneOe
PPPPPPPP
Program: 
<program name unknown>
- pure virtual function call
|pxq	u
qf865Vjl
,QK)R&%
QueryPerformanceCounter
&.R/"c
`.rdata
 R\dwes
Rectangle
RegConnectRegistryA
RegisterClassExA
RegOpenKeyExA
RegSetValueExW
R"f!Ca4x[
rFeFee
Ri%|y!EI
Rq$N3N
RtlUnwind
runtime error 
Runtime Error!
(rz=tk
!sa  o$E#
Saturday
September
SetFilePointer
SetHandleCount
SetLastError
SetParent
SetUnhandledExceptionFilter
ShowWindow
SING error
	/S$O9	
SOBOJkc
SoelxL2
strcat
Sunday
SunMonTueWedThuFriSat
TerminateProcess
TextOutA
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
< tK<	tG
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
T/ntSm
TP%!;)TJv
TranslateAcceleratorA
TranslateMessage
t"SS9]
t$<"u	3
Tuesday
;t$,v-
t+WWVPV
uERu0eOsZ
UE|w~I
uHx^[7h
UlgeRV
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UpdateWindow
UQPXY]Y[
URPQQhp A
USER32.dll
USER32.DLL
V0)JKV
\=vcZQ
VInelAmAi
VirtualAlloc
VirtualFree
v	N+D$
/vQ[qR*4
vs)>+0i
VVVVVV
VVVVVVh
vXW_4#
*W2{!%
Wednesday
WideCharToMultiByte
Wiea.los
WriteFile
wsprintfA
wwwwwwwwwww
X/]M~ D
XRliE3
YcUloem
y"KZ?r
yo*k]3$
>=Yt1j
ZgWgh^
zL5!A2
Z%SJ0`