Analysis Date: 2015-05-07 08:11:47
MD5: 0371392c0fd68d34552fa17aea1c6c6e
SHA1: 897576de4fbcc2c73878803ed4d67f4297227f46

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 269d59428a64edd72091080a9e3cfedf sha1: 7db88091435a13132fd9d33feae1a37a4c84667b size: 19968
Section .rdata: md5: d237ce606383ab3468c347f326cbad53 sha1: c414d884aa06235917163bbccfbffa6926ff604a size: 6144
Section .data: md5: bce0d8baefc1649ad2555846c6be3339 sha1: 41596b5c538dac610ebdd452e0dbb814a593256f size: 174080
Section .rsrc: md5: a56082fa3aefc825fe03f2f4e817c865 sha1: 884a9fae2f9aba837f5c31fccfdc1ea4dc574db6 size: 49152
Timestamp: 2012-06-14 06:21:37
Packer: Microsoft Visual C++ 7.0
PEhash: 08261b78909499f997a53778885c362af70fbae3
IMPhash: 9d0e9457de47c1db41d99ef1411163ea
AV Ad-Aware: Gen:Variant.Barys.7118
AV Alwil (avast): PlugX-E [Trj]
AV Arcabit (arcavir): Gen:Variant.Barys.7118
AV Authentium: W32/Trojan.TNDT-1153
AV Avira (antivir): TR/Crypt.ZPACK.Gen
AV BitDefender: Gen:Variant.Barys.7118
AV BullGuard: Gen:Variant.Barys.7118
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): TrojanAPT.PlugX.D4
AV ClamAV: Win.Trojan.PlugX-58
AV Dr. Web: Trojan.DownLoader6.21235
AV Emsisoft: Gen:Variant.Barys.7118
AV Eset (nod32): Win32/Korplug.A
AV Fortinet: W32/Generic.A!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Barys.7118
AV Grisoft (avg): Agent3.BRYB
AV Ikarus: Trojan-Dropper.Win32.Dycler
AV K7: Trojan ( 003c36381 )
AV Kaspersky: Trojan.Win32.Generic:Backdoor.Win32.Gulpix.az
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Gen:Variant.Barys.7118
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Troj/PlugX-D
AV Symantec: Backdoor.Korplug!gen1
AV Trend Micro: BKDR_PLUGX.SME
AV Twister: Trojan.C73B52BA42C39155
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\All Users\SxS\rc.exe
Creates File: C:\Documents and Settings\All Users\SxS\rc.hlp
Creates File: C:\Documents and Settings\All Users\SxS\rcdll.dll
Creates Process: "C:\Documents and Settings\All Users\SxS\rc.exe" 100 1400
Creates Mutex: DoInstPrepare

Process
↳ C:\Documents and Settings\All Users\SxS\rc.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ "C:\Documents and Settings\All Users\SxS\rc.exe" 100 1400

Creates File: C:\Documents and Settings\All Users\SxS\bug.log
Deletes File: C:\malware.exe
Creates Mutex: DBWinMutex
Creates Service: SxS - C:\Documents and Settings\All Users\SxS\rc.exe 200 0

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 1648
Creates Mutex: DBWinMutex
Winsock DNS: gtalk.freesharecenter.com

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 1648

Network Details:

DNS: gtalk.freesharecenter.com (Type: A) ➝ 123.1.189.96
HTTP POST: http://gtalk.freesharecenter.com:443/update?id=002d4cd0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP POST: http://gtalk.freesharecenter.com:443/update?id=002d4cd0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
HTTP POST: http://gtalk.freesharecenter.com:443/update?id=002d4cd0
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 2.0.50727; SV1)
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows TCP: 192.168.1.1:1031 ➝ 123.1.189.96:443
Flows TCP: 192.168.1.1:1032 ➝ 123.1.189.96:443
Flows TCP: 192.168.1.1:1033 ➝ 123.1.189.96:443

Raw Pcap
0x00000000 (00000)   504f5354 202f7570 64617465 3f69643d   POST /update?id=
0x00000010 (00016)   30303264 34636430 20485454 502f312e   002d4cd0 HTTP/1.
0x00000020 (00032)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000030 (00048)   582d5365 7373696f 6e3a2030 0d0a582d   X-Session: 0..X-
0x00000040 (00064)   53746174 75733a20 300d0a58 2d53697a   Status: 0..X-Siz
0x00000050 (00080)   653a2036 31343536 0d0a582d 536e3a20   e: 61456..X-Sn: 
0x00000060 (00096)   310d0a55 7365722d 4167656e 743a204d   1..User-Agent: M
0x00000070 (00112)   6f7a696c 6c612f34 2e302028 636f6d70   ozilla/4.0 (comp
0x00000080 (00128)   61746962 6c653b20 4d534945 20362e30   atible; MSIE 6.0
0x00000090 (00144)   3b205769 6e646f77 73204e54 20352e31   ; Windows NT 5.1
0x000000a0 (00160)   3b202e4e 45542043 4c522032 2e302e35   ; .NET CLR 2.0.5
0x000000b0 (00176)   30373237 3b205356 31290d0a 486f7374   0727; SV1)..Host
0x000000c0 (00192)   3a206774 616c6b2e 66726565 73686172   : gtalk.freeshar
0x000000d0 (00208)   6563656e 7465722e 636f6d0d 0a436f6e   ecenter.com..Con
0x000000e0 (00224)   74656e74 2d4c656e 6774683a 20300d0a   tent-Length: 0..
0x000000f0 (00240)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000100 (00256)   2d416c69 76650d0a 50726167 6d613a20   -Alive..Pragma: 
0x00000110 (00272)   6e6f2d63 61636865 0d0a0d0a            no-cache....


Strings