Analysis Date2013-11-02 19:59:58
MD54bd84f3f00b7c7ae4b1580817f2553b8
SHA190b1d3436a9598704a201c6c6f899b8f9649c418

Static Details:

File typePE32 executable for MS Windows (GUI) Intel 80386 32-bit
SectionCODE md5: 2e294640ac9db2ce243e49088a1782c8 sha1: 680ecd792f4015bde066268b1a2b7c44b3463365 size: 118784
SectionDATA md5: cb1d9da1fb1357dda90cbb27c135a401 sha1: a51ad4d22ee7c0f57c3f04c27ad4927d6b6d57c4 size: 26624
SectionBSS md5: ef4f0a24a7eae6210cb1495c799bd0eb sha1: 0309fe5586637e2d6565f7fa09e31dd4632fd439 size: 19968
Section.idata md5: 0ecff55ec87ecc1a64f3a5bacaf73190 sha1: 5d8ef4ada2087344ecd27bd9a050037921ef37ef size: 20992
Section.reloc md5: 9a59388e344b4a9ddb0f86fdf0d24ef5 sha1: 4dc44072da3ca529ff7d52bb09ef69cc9e0a7339 size: 24064
Section.rsrc md5: 1ae0c8e49ac63a749bcd14b7442c8298 sha1: 2eb0bb38348b757b111fe91079ab7194fa07f5bd size: 11776
Timestamp1992-06-19 22:22:17 (note: this is the fixed timestamp the Borland Delphi linker writes into every binary, consistent with the CODE/DATA/BSS section names above; it is not the real build date, which the version resource's "Copyright 2013" and the 2013 dates in the embedded certificate strings suggest is around October 2013)
VersionLegalCopyright: Copyright 2013
InternalName: Downloader
FileVersion: 1, 0, 0, 0
ProductName: Downloader
ProductVersion: 1, 0, 0, 0
FileDescription: Downloader
OriginalFilename: Downloader.exe
PEhash4c2d0cd718c868e3840b5acaa26de46be926b9e0
AVavgWin32/Cryptor (a generic packer/crypter verdict rather than a malware-family name; the high-entropy junk strings in the Strings section are consistent with an obfuscated sample, so the "Downloader" version-info fields should be treated as attacker-chosen, not as classification)

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process?

Process
↳ ?

Network Details:


Raw Pcap

Strings
041904e3
0e5538l
1, 0, 0, 0
 3dcelpf5-usqv2kyf6b
3frxvhpmbsxcud_
4cgln-r4d
4xn7lq6_oyihapg4
65da948
6qcof_9mzz+
8nfbv_5tlr3d
a-a8c0vmg3krjfyj 84x
b0mz960-x#t
Copyright 2013
d6p0
Downloader
Downloader.exe
ejtg2 imn7_9dlw0
FileDescription
FileVersion
fqxttbes+9q
fxu6cq-
h7 _zt7
hejoq7ya9
InternalName
k_#fc
LegalCopyright
m2 u8e-tt3c
<<<Obsolete>>
ogx72_4krdfn
OriginalFilename
ProductName
ProductVersion
 pzo6arfimvlt8v7plndz
#p_zp80#md34
StringFileInfo
_t4 l8
torren
Translation
VarFileInfo
vbkoxalcipq3kt
vkxqbw0nv3+
vk-yy38gtt42wkbj9camx
VS_VERSION_INFO
w4ycwxl
xnhxz829v+n827gmva
z80obz
zwkxe9+8gzge79##
) '(")
0$0*00060:0>0B0F0J0N0R0V0Z0^0b0f0j0n0r0v0z0~0
0#0+00070K0U0[0a0~0
0&0-070=0Q0W0]0h0r0|0
<)<0<6<H<N<T<z<
?&?,?0?7?@?J?W?]?k?q?w?}?
090_0k0q0w0}0
/	0A&-
0http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
0http://crt.comodoca.com/COMODOCodeSigningCA2.crt0$
>!>0>:>@>V>i>o>u>{>
1%10161<1B1H1U1`1f1l1
110824000000Z
1!1+181A1I1N1U1[1a1g1z1
1.141B1N1^1q1w1}1
1255991
131010000000Z
131020105425Z0
141010235959Z0
190709184036Z0
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
1http://crl.usertrust.com/UTN-USERFirst-Object.crl0t
1http://crt.usertrust.com/UTNAddTrustObject_CA.crt0%
200530104838Z0{1
2"2)20282?2T2
2"2(222<2F2P2V2\2f2m2{2
2'24292A2K2
272<2F2N2X2
< <&<,<2<8<><O<U<[<`<k<w<}<
2C2Y2_2f2n2
2i+$0o
?!?'?-?2?N?[?h?m?u?
<3 	.%
3$3*30363A3I3U3_3i3o3z3
3%3,343:3@3J3U3{3
3#343:3C3I3O3U3d3|3
>%>3>9>?>E>L>[>a>g>q>z>
>'>->3>=>G>M>U>[>h>}>
}*3I; 
_+3T8#
4 4&41494K4Q4[4a4l4r4x4~4
4 4%4-434;4A4G4N4T4Z4l4
4 4&4,4J4]4c4i4o4y4
4/4B4U4h4{4
4*4V4`4f4q4w4~4
;%;.;4;:;f;l;r;
:%:4:::@:F:L:R:W:]:i:s:y:
<4<:<G<N<U<b<h<n<y<
;);4;:;@;H;M;Y;_;e;n;t;
4q!jlV
5(51595C5}5
5(5.53595C5I5S5^5d5j5r5x5
5 5*555;5A5I5N5U5[5a5h5n5}5
5"5(5:5B5H5O5V5^5d5n5t5
5'575[5e5o5u5}5
;%;/;5;;;B;I;N;T;];c;j;z;
="=(=.=5===C=L=Q=V=\=o=u={=
!@5hp?
>'>->5>;>H>S>X>^>d>o>w>}>
5z_?H}?
6$6*60686>6F6P6]6c6r6x6~6
6%6+616:6D6Q6i6s6{6
6"6,626:6@6M6U6[6a6g6m6
6"6(636Q6d6j6p6v6
6"6(6.646>6I6]6i6r6|6
=&=.=6=>=F=N=V=^=f=n=v=~=
6yTw:vU!
7!7*70767
7 7&747I7O7U7a7g7q7w7}7
7"7(777=7D7M7T7Y7_7h7n7u7
7)7/797I7S7^7g7q7~7
7 7-7C7L7V7c7
7am+0B
7AO2MK
7qp<<%
7Y<_<j<r<x<
8 878=8C8R8\8b8l8w8}8
8 8$8084888<8@8D8H8L8P8T8X8\8`8d8h8l8p8t8x8|8
8"8,828:8@8M8U8[8a8k8u8{8
8$8/858;8A8H8R8X8^8{8
8	jBX/
8Y8_8t8z8
990709183120Z
9!9+91999?9L9T9Z9`9j9t9z9
9*9/94999?9C9J9P9Z9c9i9o9u9{9
9"9*989>9I9O9_9m9u9
?#?)?/?9???E?O?U?^?j?p?v?
:$:):9:H:N:X:l:
:!:):/:9:K:b:h:t:
='=-=9=L=V=`=f=n=t=
="=(=.=9=?=Q=W=]=c=
adslhhGB
?$?,?:?A?N?
AND LLC0
AND LLC1
</assembly>
<assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
aYaJMR#nL,
b'gyt9
;#;:;B;N;U;o;z;
CF8%~I
c<Frxp
ch$tHB
>]?c?i?
comdlg32.dll
COMODO CA Limited1!0
COMODO Code Signing CA 2
COMODO Code Signing CA 20
ConvertDefaultLocale
CopyFileExW
CQ4C'n
CreateEventA
CreateMemoryResourceNotification
CreateProcessA
CreateProcessInternalA
CreateSemaphoreW
d0=!(1
(DBQo<HB
</dependency>
<dependency>
</dependentAssembly>
<dependentAssembly>
<dl[F3
D{[!*{M
dpw`,&x
dwLBSubclass
 =@E;!
e^i__0_
?$?*?@?E?M?S?Y?i?r?|?
EnumCalendarInfoExA
e~-T%ab
ET;C2=
f2e4Z~;
FindNextVolumeMountPointW
: :+:@:F:\:i:q:x:
fkYG4)
FLC<h$
FlushInstructionCache
f#@Q'i
F``*,U
)fuaYW>io
FYv;Dr 
$>G6n$
GbX LG
>G>_>e>k>q>
GetACP
GetDiskFreeSpaceExW
GetDriveTypeW
GetLocaleInfoA
GetTempPathW
GetThreadContext
GlobalGetAtomNameA
Greater Manchester1
HeapFree
HeapLock
HjZz;(
Hns_I&5
http://ocsp.comodoca.com0
http://ocsp.usertrust.com0
https://secure.comodo.net/CPS0A
http://www.usertrust.com1
i8|3t(
.idata
[)i*g"|9
info@andcompany.ru0
>">(>.>I>R>\>f>q>
i`y]8]f
izURs-.
J.H%#ng
&JOc1M
j[Vu~J
	J-&w*c.
kA{D.G
kernel32.dll
KERNEL32.DLL
KoGXG]#%
kq9$xj4
KukS,I
LoadLibraryA
LocalAlloc
lstrcpyn
LZStart
Marshala Fedorenko street, 71
MBq]&~
mi 3Z(
Moscow1
Moscow1%0#
N0T0_0g0A1M1
n$ce]N
nWnJZ|
o G"0[
oO8i;E
OpenWaitableTimerA
oWdu(~0
P.rsrc
-q|)1cy
Qvx,GiH
]>R0%,Y
 rC@"/
.reloc
ReplaceFileA
<requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
</requestedPrivileges>
<requestedPrivileges>
)r\T0B
\r,Ul0LM
Ru'nwi
Salford1
Salt Lake City1
</security>
<security>
SetCalendarInfoA
SetEndOfFile
(shMfs
swF;;/
The USERTRUST Network1!0
This program must be run under Win32
tK:7|~]n
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
UnlockFileEx
uO\R@!+
UTN-USERFirst-Object0
}(v}K"*vc
vVAGD'5
>vV&+yM
Wa]NZY
Wo>Rv=
WriteTapemark
ws2_32.dll
WSACreateEvent
wtsapi32.dll
WTSAPI32.DLL
WTSOpenServerA
WTSSendMessageW
XAvG#7Zz
$x	k@vq&/
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
-YcEmL
ysn e'
z]9hS#
zdzwk5
zH,vgd
Z_+'IB
z\XK ]