Analysis Date: 2016-11-15 00:55:51
MD5: 16888c1bf8324fa18a8f659bb20d6327
SHA1: 7010afde45bf6dac89d25d91d635bbb317c1e476

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

Section  size   md5                               sha1
.text    45056  6f9bf6885d26e2ba04a373cdc86a9a3f  d754a9627f7b356b50b3ac79bb0bed18e5c8fdbf
.data    20992  9aa7ddeaf362143eccab7cab42849cc9  e37685de9f2a64fc2fc63a4b2fb074dd8b145f7b
.xcpad   -      -                                 -
.idata   -      -                                 -
.reloc   -      -                                 -
.rsrc    512    31bc5ba38ed96d34676813a6c227f071  012ab527f0eab328e730bbb155504282eccdaaa2
(size and hashes are blank in the report for .xcpad, .idata and .reloc)
Timestamp:
Version resource: LegalCopyright, PackagerVersion, InternalName, FileVersion, CompanyName, Comments, ProductName, ProductVersion, FileDescription, Packager, OriginalFilename (all empty)
Packer signature: Microsoft Visual C++ ?.? (a compiler signature match, not a named packer)
PEhash:
IMPhash: 0c7c7eb1ac4729e480cc1db17f22f7e0
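The file and per-section hashes above come straight from the PE section table. The following added example (written for this edit, not code from the sandbox that produced the report) parses that table in pure Python and hashes each section's raw bytes the same way; `build_minimal_pe` constructs a synthetic PE32 so the parser can run offline, and the header layouts are from the PE/COFF specification. It does not compute the import hash, which needs the import directory as well.

```python
import hashlib
import struct

# Layouts from the PE/COFF spec. COFF header: Machine, NumberOfSections, TimeDateStamp,
# PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
COFF_HDR = struct.Struct("<HHIIIHH")
# Section header (40 bytes): Name, VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")
MACHINE_NAMES = {0x14C: "Intel 80386 32-bit", 0x8664: "x86-64"}
FILE_ALIGN = 0x200


def digests(raw):
    """MD5 and SHA1 hex digests of a byte string; empty strings when there is no data."""
    if not raw:
        return "", ""
    return hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()


def _align(n):
    return -(-n // FILE_ALIGN) * FILE_ALIGN


def build_minimal_pe(sections, timestamp=0):
    """Construct a synthetic PE32 file from (name, raw_bytes) pairs. Constructed test data
    for the parser below, not the analysed sample; it has no imports or entry point."""
    n = len(sections)
    opt_size = 0xE0  # size of a PE32 optional header
    raw_ptr = _align(0x40 + 4 + COFF_HDR.size + opt_size + n * SECTION_HDR.size)
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    dos[0x3C:0x40] = struct.pack("<I", 0x40)  # e_lfanew: PE signature follows the DOS header
    coff = COFF_HDR.pack(0x14C, n, timestamp, 0, 0, opt_size, 0x0102)  # i386, EXECUTABLE|32BIT
    opt = bytearray(opt_size)
    opt[0:2] = struct.pack("<H", 0x10B)  # PE32 magic (0x20B would be PE32+)
    hdrs, bodies, va = bytearray(), bytearray(), 0x1000
    for name, data in sections:
        padded = data.ljust(_align(len(data)), b"\0")
        hdrs += SECTION_HDR.pack(name.encode().ljust(8, b"\0"), len(data), va, len(padded),
                                 raw_ptr + len(bodies) if padded else 0, 0, 0, 0, 0, 0x60000020)
        bodies += padded
        va += 0x1000
    image = (dos + b"PE\0\0" + coff + opt + hdrs).ljust(raw_ptr, b"\0")
    return bytes(image + bodies)


def parse_pe(blob):
    """Walk DOS header -> PE signature -> COFF header -> section table and hash each
    section's raw bytes. Section pointers that run past the end of the file (common in
    malformed malware headers) are clamped by slicing instead of being trusted."""
    if blob[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    if blob[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found at e_lfanew")
    coff_off = e_lfanew + 4
    machine, nsect, tstamp, _, _, opt_size, _ = COFF_HDR.unpack_from(blob, coff_off)
    opt_off = coff_off + COFF_HDR.size
    magic = struct.unpack_from("<H", blob, opt_off)[0]
    sect_off = opt_off + opt_size
    sections = []
    for i in range(nsect):
        f = SECTION_HDR.unpack_from(blob, sect_off + i * SECTION_HDR.size)
        size, ptr = f[3], f[4]
        raw = blob[ptr:ptr + size] if size else b""
        md5, sha1 = digests(raw)
        sections.append({"name": f[0].rstrip(b"\0").decode("latin-1"), "size": size,
                         "in_file": len(raw), "md5": md5, "sha1": sha1})
    file_md5, file_sha1 = digests(blob)
    return {"file_type": {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "unknown(0x%x)" % magic),
            "machine": MACHINE_NAMES.get(machine, hex(machine)), "timestamp": tstamp,
            "md5": file_md5, "sha1": file_sha1, "sections": sections}


if __name__ == "__main__":
    # Print in the same layout as the report's Static Details.
    demo = [(".text", b"\x55\x8b\xec" * 100), (".data", b"hello"), (".reloc", b"")]
    info = parse_pe(build_minimal_pe(demo))
    print("File type: %s %s" % (info["file_type"], info["machine"]))
    for s in info["sections"]:
        print("Section %s md5: %s sha1: %s size: %d" % (s["name"], s["md5"], s["sha1"], s["size"]))
```

Sections whose SizeOfRawData is zero get empty hashes, matching the blank entries the report shows for .xcpad, .idata and .reloc. The raw-pointer clamp is the part worth keeping when adapting this: packed samples routinely carry section headers whose PointerToRawData or SizeOfRawData point outside the file, and a parser that trusts them either crashes or hashes the wrong bytes.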
AV detections (vendor: signature):
360 Safe: No Virus
Ad-Aware: Trojan.Gamarue.CF
Alwil (avast): ?
Arcabit (arcavir): Trojan.Gamarue.CF
Authentium: W32/Trojan.YWYF-8463
Avira (antivir): TR/Inject.anl.8
BitDefender: Trojan.Gamarue.CF
BullGuard: Trojan.Gamarue.CF
CA (E-Trust Ino): Trojan.Gamarue.CF
CAT (quickheal): Worm.Gamarue.5299
ClamAV: Win.Trojan.Gamarue-97
Dr. Web: BackDoor.Andromeda.178
Emsisoft: Trojan.Gamarue.CF
Eset (nod32): Win32/TrojanDownloader.Wauchos.L
F-Secure: Trojan.Gamarue.CF
Fortinet: W32/Zbot.PKJO!tr
Frisk (f-prot): W32/Trojan2.OBFM
Grisoft (avg): Generic32.BTGJ
Ikarus: Trojan.Inject
K7: Trojan-Downloader ( 0043f6bc1 )
Kaspersky: Trojan.Win32.Generic
MalwareBytes: Trojan.Injector.RRE
Mcafee: Obfuscated-FVR!hb
MicroWorld (escan): Trojan.Gamarue.CF
Microsoft Security Essentials: Worm:Win32/Gamarue.F
Rising: Worm.Win32.Gamarue.v
SUPERAntiSpyware: Trojan.Agent/Gen-Gamarue
Symantec: Packed.Dromedan!gen21
Trend Micro: No Virus
Twister: Trojan.9D9F2DC5AEFE6B57
VirusBlokAda (vba32): SScope.Trojan.CLR.2407
Windows Defender: Worm:Win32/Gamarue.F
Zillya!: Downloader.Andromeda.Win32.2852

Gamarue, Andromeda and Wauchos are different vendors' names for the same family, so the verdicts above are consistent apart from the generic names (Trojan.Win32.Generic, Generic32.BTGJ, Obfuscated-FVR!hb), the Fortinet Zbot outlier, and the two engines that reported no detection at the time of the scan.

Runtime Details:

Process
↳ C:\7010afde45bf6dac89d25d91d635bbb317c1e476.exe

Creates File: C:\WINDOWS\system32\wuauclt.exe

Process
↳ C:\WINDOWS\system32\wuauclt.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\EventMessageFile ➝ C:\WINDOWS\system32\ESENT.dll
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryMessageFile ➝ C:\WINDOWS\system32\ESENT.dll
Registry: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application\ESENT\CategoryCount ➝ 16
(the two REG_SZ values are NUL-terminated; the raw report renders the terminator as \x00)

wuauclt.exe is the Windows Update client that ships in system32, so the sample touching that path and a wuauclt.exe process then appearing with the sample as its parent is the behavioural indicator in this trace. The trace does not show whether the existing binary was replaced or only opened before launch, so on a live host compare the on-disk file's hash with a known-good copy and examine the running process's memory rather than trusting the path. The three ESENT values under Services\Eventlog\Application are the standard event-source registration for ESENT.dll (message file and category count), not a persistence mechanism.
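The runtime trace above reduces to three observable events: the sample writes to system32\wuauclt.exe, a wuauclt.exe process appears, and its parent is the sample rather than the update service. The following is an added example, not from the report or the sandbox: a small detector over constructed Sysmon-style events that flags the executable write into system32, the unexpected parent, and the drop-and-execute correlation between the two, while leaving a benign svchost.exe launch alone. The expectation that svchost.exe is the legitimate parent of wuauclt.exe is an assumption of this example, as are the event records themselves.

```python
import ntpath

SYSTEM_ROOT = r"C:\WINDOWS"
SYSTEM32 = SYSTEM_ROOT + r"\system32"
# Assumption, not stated in the report: the genuine wuauclt.exe (Windows Update client) is
# launched by the Automatic Updates service inside svchost.exe, so any other parent is suspect.
EXPECTED_PARENTS = {"wuauclt.exe": {"svchost.exe"}}

# Constructed Sysmon-style events modelled on the sandbox trace; these are not log lines
# from the report. "FileCreate" means a file was created or overwritten on disk.
SAMPLE = r"C:\7010afde45bf6dac89d25d91d635bbb317c1e476.exe"
EVENTS = [
    {"type": "ProcessCreate", "image": SAMPLE, "parent": r"C:\WINDOWS\explorer.exe"},
    {"type": "FileCreate", "process": SAMPLE, "target": r"C:\WINDOWS\system32\wuauclt.exe"},
    {"type": "ProcessCreate", "image": r"C:\WINDOWS\system32\wuauclt.exe", "parent": SAMPLE},
    # Benign comparison: the update service starting the real client.
    {"type": "ProcessCreate", "image": r"C:\WINDOWS\system32\wuauclt.exe",
     "parent": r"C:\WINDOWS\system32\svchost.exe"},
    # Benign comparison: a Windows component replacing the file (e.g. servicing).
    {"type": "FileCreate", "process": r"C:\WINDOWS\system32\svchost.exe",
     "target": r"C:\WINDOWS\system32\wuauclt.exe"},
]


def _norm(path):
    return path.lower()


def _under(path, directory):
    """True if `path` lies below `directory` (case-insensitive, Windows separators)."""
    return _norm(path).startswith(_norm(directory).rstrip("\\") + "\\")


def detect(events):
    """Return (rule, actor, object) findings for a drop-and-run of a Windows binary name."""
    findings = []
    last_writer = {}  # normalised path -> image of the last process that wrote it
    for ev in events:
        if ev["type"] == "FileCreate":
            target, writer = ev["target"], ev["process"]
            # Rule 1: an executable written into system32 by something that is not itself
            # a Windows binary. Legitimate servicing comes from under %SystemRoot%.
            if _under(target, SYSTEM32) and target.lower().endswith(".exe") \
                    and not _under(writer, SYSTEM_ROOT):
                findings.append(("system32_exe_write", writer, target))
            last_writer[_norm(target)] = writer
        elif ev["type"] == "ProcessCreate":
            image, parent = ev["image"], ev["parent"]
            expected = EXPECTED_PARENTS.get(ntpath.basename(image).lower())
            # Rule 2: a known Windows client started by an unexpected parent.
            if expected and ntpath.basename(parent).lower() not in expected:
                findings.append(("unexpected_parent", parent, image))
            # Rule 3: the parent is the process that most recently wrote the image it is
            # now launching, i.e. drop-and-execute.
            if last_writer.get(_norm(image)) is not None \
                    and _norm(last_writer[_norm(image)]) == _norm(parent):
                findings.append(("drop_and_execute", parent, image))
    return findings


if __name__ == "__main__":
    for rule, actor, obj in detect(EVENTS):
        print("%-20s %s -> %s" % (rule, actor, obj))
```

Rule 3 is the one that survives renaming: a parent launching a file it just wrote is suspicious whatever the file is called, whereas rules 1 and 2 depend on the system32 location and on the wuauclt.exe parent assumption. None of the three tells you whether the on-disk wuauclt.exe is still genuine; that still needs a hash comparison against a known-good copy.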

Network Details:


Strings
PSha
9p u
EEEEE$
$&$m
t 3t
3dM333
8zEv
bu$u
EEuu
uu33
3m3;%
EE%<%
)%-%L
a3i3
u333
33$$
V3>3
$_$EE
3333
uu$$
tE.E
uRE33
EUE(E
%E/.E
SSh:
u!fu*
$R$)
%7%$$
uE3EI
P$33
$O$$$
.EkE
h#jW
uEEEE
$IG$33
e3h3B
EdEy
,ytBt
$'v$
uu;u
ttE^
$R$33
[Euu
IGEo
{tFt
u$$$
L%P%EE
E+EEE
7E}E
$$uau
EEuSu
EEE7E
EEEttt1t
$<$i
2E%%E
Ew$y$5
3K3B
O3%%
uwu$$
33%p%
=3[3d
$($EE
$$$a$
tot#
$$$I$
>3$
35Eh
3u88ju
e$9f$
Iu0u)
3Y3EE
EEEEt
.E$E
$^$$
4Eb$h$
%uut>St
EE%:%
3(3&
33E.E$$
"EqEuu
EEER
%%EE
EuAu
nHEwE
D;;^
/$O$
3333
uu%y
$p$o
3s3$$
AExE
333$
$<$~
b$}$
$$33
uC!u$$
EEt1ty
0$s$
%%ETUEw
Lt4t
+WF+h
$tt33EJ5E
T$x;$
3n3>3
u<%J%
EOE@
E>E.
33EE
7U&M
u8u$$
trtEE
'ufu<
3L3IV
3S2$
33$$
$$33
3\>3
3D303
EE$$
GFKuj
uAuZ
EEEE
33EE
EEt:t
EJE"E
u~uJE
+3^3
($+$
FEPE
33333<3
ttEE
$<$$$
E2E_
%p%m
u$E'E
3j3o
,usu7
5t/A
5t/A
5t/A
5t/A
5t/A
5t/A
5t/A
QSVW3
=p/A
=p/A
5t/A
Yt"V
Yt.V
Yt"V
WWWWW
_^][
VVVVV
=hZA
MZu3
j`h`
YQPj
5h[A
=d[A
%X[A
-T[A
j@j ^V
[j@j
VVVVV
= $A
Y__^[
\$ UV
_^][
9csm
t!hL
T$(j
D$,9h
8csm
hvT@
5@$A
VVVVV
VVVVV
YYuTVWh
hbW@
VVVVV
u&h`
PPPPP
<Yv8V
VVVVV
VVVVV
VVVVV
]_^[Y
S99t
=|%A
=x%A
~du
t$<"u	3
5`ZA
5`ZA
>=Yt/j
tJVUP
SSSSS
5`ZA
Y]_^[
>"u&
< tK<	tG
SUVW
SSS+
@PVSS
t#SSUP
t$$VSS
_^][YY
QQSV3
v#Wh
YYt:V
teh2c@
YYt4V
VVVVV
VVVVV
Yu'9
YYu-9D$
5$bA
WWWWW
t!h
t	VP
~,WPV
98t^
tVPV
t/9U
URPQQhDn@
L$,3
UVWS
[_^]
SVWj
_^[]
9MZt
Y_^[
Y_^[
hKp@
QSUVW
YYt3
_^][Y
t+Ht
PPPPP
 SVW
SSSSS
u,hH
SSSSS
0SSSSS
_^[]
0SSSSS
0SSSSS
VVVVV
SUVW
_^][
0A@@Ju
t&:a
Wto=
t^9(uZ
tD9(u@
=(-A
Y_^][
_^][
Fpt"
ueSj
@_^[
 VW}
j?^;
WWWWW
uaVj
uL9=
wIVSP
FVSj
WWWWW
WWWWW
VVVVV
VVVVV
WWWWW
SSSSS
SVWUj
]_^[
;t$,v-
UQPXY]Y[
WWWWW
u8SS3
GWh
9]$SS
t)9]
t"9]
9] u
FVh
9] SS
oV f
o^0f
of@f
onPf
ov`f
o~pf
v$;5
PPPPPPPP
PPPPPPPP
WWWWW
950.A
=0.A
50.A
YYt}
~%9M
QVj
r 8^
VVVVV
VW|[;
VVVVV
WWWWV
t<Vj
t+WWVPV
WWWWW
<Xt
u,9u
v	N+D$
^_[3
CorExitProcess
mscoree.dll
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
.mixcrt
EncodePointer
KERNEL32.DLL
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
InitializeCriticalSectionAndSpinCount
kernel32.dll
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
CONOUT$
4.A?
3f3_
eFGB
eGpP#
Osii
>353
""U&U
aP.CA_
393D
2kD2
VATo4
DD""
o3#3
y"9"
I.td
.@.HAw
kUUU
"r"C
V?VA
"6"v
"L"*
$$BE
9VEv
%%[u
$$ttO33
<CB$
Sos#
  cP @
(\Gp
CSoF
gnlr
h*wG
Z"wD
BoB@
FsbS
	 nw
i tE
=PCt
co\"oP
=CBv<
r&dCr
No9dG
Brt|d
e2ln
t:=F
HlG[
toia@
CpBh
tBaeI
1 GD
rTFu
RSDS%
U\4K
c:\rail\lot\and\meat\name\For\port\villagestore.pdb
CoInitialize
OleCreate
CoUninitialize
OleInitialize
CoSuspendClassObjects
StgCreateDocfile
ole32.dll
CreateDirectoryA
VirtualAlloc
CopyFileA
ResetEvent
VirtualProtect
VirtualFree
SetSystemTimeAdjustment
GetCommandLineA
HeapFree
GetVersionExA
HeapAlloc
GetProcessHeap
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
EnterCriticalSection
LeaveCriticalSection
GetProcAddress
GetModuleHandleA
ExitProcess
WriteFile
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapDestroy
HeapCreate
QueryPerformanceCounter
GetTickCount
GetCurrentProcessId
GetSystemTimeAsFileTime
Sleep
InitializeCriticalSection
RtlUnwind
LoadLibraryA
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapReAlloc
GetConsoleCP
GetConsoleMode
FlushFileBuffers
HeapSize
MultiByteToWideChar
GetLocaleInfoA
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
CloseHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
SetFilePointer
SetStdHandle
CreateFileA
KERNEL32.dll

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
wildscale
oftendifficult
Jw^~
KH39;
}s%M|
6NMP
0X^s
 _VQ
B*7#
LHw-H
JI,ps
w/4]
|,dj
L|mT
f	)Z
2'8b
UD1y
:hc2
R'6">
e0J0
>E^I/
]{SvG
/X~e*
b*4<K
!Gw8
v3IOD
KHg3
_v?t
pz?+
|^ASs}
.?AVCTrafficView@@
.?AVCBitmap@@
ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrs
UPUF
%tVtno
tnIMW
O3DD
t@~No
DeHC@R
;@N@?
xlE@
f G@
i"f"
UeU(
2e@.
3k3\
Vd@Gf
3G3i
U\xU
iaA@C
aE@rHn
G?wiHd
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
</assembly>