Analysis Date: 2018-06-05 07:38:25
MD5: f367f4ea1721e8a651b53d369d5c140f
SHA1: 78aba7f99b7c01d6fceae61cd0e8c33aed871c8b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386
Section .text: md5: ebbee5f3c897bc4deeba21090bc6df92 sha1: 235a547238818892e69dbb81b0a790c6e0ab90ba size: 24576
Section rdat: md5: 28c2361010a3923c679a68d13839bfdd sha1: 3fe9a22065f057a44a87aa3b7c2a849ddef75604 size: 8447
Section dat: md5: bbe619bba273b859d6cdc1e2173e4666 sha1: b82d6f5f0df702998a2721507e965474cc6dde73 size: 2560
Section .rsrcB: md5: 22a94a74ae687f6a74375cb5e0d5c79b sha1: 6961d9d6b10be5a28537f2f7ae13b73d80c7dc85 size: 67072
Timestamp: 2014-09-26 19:23:23
PEhash: 9c5f06f2fa208ac770329117f89722fba14568c3
IMPhash: 8c97468a974d0a90afc0a6b7a9772935
AV 360 Safe: Trojan.GenericKD.1948350
AV Ad-Aware: Trojan.GenericKD.1948350
AV Alwil (avast): Agent-AUMM [Trj]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.103486
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1948350
AV Eset (nod32): Win32/Injector.BOIR
AV Fortinet: W32/BOIR!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1948350
AV Grisoft (avg): Inject2.BCBU
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan-Spy.Win32.Zbot.umeu
AV MalwareBytes: Trojan.Agent.FF
AV Mcafee: RDN/Generic PWS.y!bbp
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Norman: Trojan.GenericKD.1948350
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: TROJ_IN.7C2726F9
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\78aba7f99b7c01d6fceae61cd0e8c33aed871c8b.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\78aba7f99b7c01d6fceae61cd0e8c33aed871c8b.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\78aba7f99b7c01d6fceae61cd0e8c33aed871c8b.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat

Process
↳ C:\Windows\System32\cmd.exe

Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\tmpce2583f8.bat

Network Details:


Raw Pcap (the only request in the capture is an HTTP POST with User-Agent "WSDAPI" to 192.168.100.142:5357 carrying a WS-Transfer Get SOAP envelope; this resembles local WS-Discovery background traffic and is not necessarily attributable to the sample — confirm against a baseline capture before treating it as an indicator)
0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 34323a35 3335370d 0a0d0a3c   00.142:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a393364 39393733 392d3962 36322d34   :93d99739-9b62-4
0x00000280 (00640)   3236642d 61616237 2d343161 36376437   26d-aab7-41a67d7
0x00000290 (00656)   30613631 323c2f77 73613a4d 65737361   0a612</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a6233 63393439   >urn:uuid:b3c949
0x00000340 (00832)   65302d36 3430382d 34316133 2d616234   e0-6408-41a3-ab4
0x00000350 (00848)   622d6636 36306361 62623136 66663c2f   b-f660cabb16ff</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


Strings
000004b0
20140506152807
29.0.1
- abort() has been called
ALSA4
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
BuildID
Comments
CompanyName
- CRT not initialized
dddd, MMMM dd, yyyy
December
DOMAIN error
February
FileDescription
FileVersion
Firefox
Firefox and Mozilla Developers; available under the MPL 2 license.
firefox.exe
Firefox is a Trademark of The Mozilla Foundation.
- floating point support not loaded
FM3ZX3
Friday
                                 H
         (((((                  H
         h((((                  H
HH:mm:ss
InternalName
January
July
June
LegalCopyright
LegalTrademarks
March
@Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
Mozilla Corporation
mscoree.dll
nKERNEL32.DLL
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
October
OriginalFilename
ProductName
ProductVersion
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
runtime error 
Runtime Error!
Saturday
September
SING error
StringFileInfo
Sunday
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Translation
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
VarFileInfo
VS_VERSION_
Wednesday
WUSER32.DLL
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
1)f^	#
)3/I([
<3mlked
,.4B1-
5<&e9MT#e
9.Yd$7y
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
ADVAPI32.dll
</assembly>PAPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
August
&^b(bC
b;FrWp
=bU,zU*
 \(}CF
CorExitProcess
dddd, MMMM dd, yyyy
December
DecodePointer
DeleteCriticalSection
EncodePointer
EnterCriticalSection
ExitProcess
February
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FreeEnvironmentStringsW
Friday
GetACP
GetActiveWindow
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
GetTickCount
GetUserNameW
GetUserObjectInformationW
GocGjH
 hb)j^
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
HH:mm:ss
HNkzW/
;i3OIv
I:9dG}
_.IB5kh
*ImGR{&-
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
I:pI<45
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
I~/VeZ
January
j@j ^V
jSXjeYjtf
jSZjcf
jWZjsf
j.Xjbf
j"Xj%f
j\XjIf
j"Zj%Yjs
KERNEL32.dll
Kl:7ifH
]Kt2kk9C
l3$aD2
	$:l~]9	
l93Ku)
LCMapStringW
LeaveCriticalSection
l_mk@^
LoadLibraryW
:=lQ(X
lstrlenA
{"\lxO
maPC=InGwOdJEz
MessageBoxW
mhZuPq|
	|mIlua
MM/dd/yy
Monday
MultiByteToWideChar
November
o9x, xK$dQ
October
odwxvd|
PPPPPPPP
PSSWSSSS
PVVj VVV
.;]q>,
]q7x~E
QQSVWh
QueryPerformanceCounter
*Q$zt%
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
Rich2>
R#+L82q/5
RtlUnwind
R*(v!-
Saturday
    </security>
    <security>
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
S<'H,+
shell32
shlwapi
^SSSSS
Sunday
tdQjHC
TerminateProcess
t&f9=`
!This program cannot be run in DOS mode.
Thursday
t	j\Yf
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t"SS9] u
Tuesday
;t$,v-
t#VVVW
uE!SW:
UnhandledExceptionFilter
UQ@Lqg0H
UQPXY]Y[
URPQQh
user32
uTVWhYM@
v	N+D$
w0tC#>
wAMv_NQ
Wednesday
WideCharToMultiByte
WriteFile
wwwwww
wwwwwwwwwwwwww
X3:R?6
X(?8f2
x!qu2?
Yvwg`]l
Yw&k)(
ZjlYj=f
z[kD4>
	zQ ft