Analysis Date: 2015-12-28 02:29:32
MD5: 3f5256f71de26cd5ad82f7d1ff235e5a
SHA1: 96191cfc99d4acf13276299976019f7666c72c7c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8e7006369659b91f4bfade1ab965e123 sha1: 3fff4e8a6911ebe7c89bebaf31a903bcaf120c43 size: 108544
Section .rdata md5: a5127657b5b16a8943c0d00357321b36 sha1: 201b560e78b6545e1fcd0a97149a34bafc90a0af size: 32256
Section .data md5: 7b0b172cc6d7e152291b63bcef8a299e sha1: 75b969580459229d11beba16e8a81b950acea9c1 size: 63488
Section .rsrc md5: cd706f9713a43263d5b50e32ae908391 sha1: 3adf51dc9f529db2abec669b57641bc312ae50cf size: 143360
Timestamp: 2015-10-09 13:09:35
Version LegalCopyright: Copyright © 2014 My microsoft production
InternalName: My microsoft production
FileVersion: 9.3.0.1
CompanyName: My microsoft production
ProductName: My microsoft production
ProductVersion: 9.3.0.1
FileDescription: This file may harm your PC
Packer: Microsoft Visual C++ ?.?
PEhash: 3cd3a87b27246304ea0130b2dc80ce9fa786e416
IMPhash: a4e11da3b51799e494df2cdf16d9cf30
AV Avira (antivir): TR/Crypt.Xpack.294727
AV VirusBlokAda (vba32): no_virus
AV CA (E-Trust Ino): no_virus
AV MicroWorld (escan): Trojan.GenericKD.2787213
AV Trend Micro: no_virus
AV Ad-Aware: Trojan.GenericKD.2787213
AV BullGuard: Trojan.GenericKD.2787213
AV Dr. Web: BackDoor.IRC.NgrBot.566
AV Emsisoft: Trojan.GenericKD.2787213
AV Rising: 0x596dceb2
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Grisoft (avg): Crypt5.BZX
AV F-Secure: Trojan.GenericKD.2787213
AV Microsoft Security Essentials: VirTool:Win32/CeeInject.LJ
AV Zillya!: no_virus
AV MalwareBytes: Worm.Gamarue
AV Mcafee: RDN/Sdbot.worm
AV ClamAV: no_virus
AV Kaspersky: Worm.Win32.Ngrbot.aubt
AV K7: Trojan ( 004d3bdc1 )
AV Eset (nod32): Win32/Kryptik.EADI
AV Fortinet: W32/Kryptik.EASA!tr
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Alwil (avast): Androp [Drp]
AV CAT (quickheal): Worm.Ngrbot.r4
AV BitDefender: Trojan.GenericKD.2787213
AV Twister: no_virus
AV Symantec: Trojan.Gen.2
AV Arcabit (arcavir): Trojan.GenericKD.2787213

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Process: C:\WINDOWS\system32\calc.exe
Creates Process: C:\WINDOWS\system32\svchost.exe
Creates Mutex: SSLOADasdasc000900

Process
↳ C:\malware.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Taskman ➝
C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe\\x00
Registry: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update Installer ➝
C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\Update\Explorer.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\c731200
Creates File: C:\Documents and Settings\Administrator\Application Data\Update\Update.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\desktop.ini
Deletes File: C:\cwjyipnvs\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\INFO2
Deletes File: C:\Documents and Settings\All users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
Deletes File: C:\cwjyipnvs\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\desktop.ini
Deletes File: C:\Documents and Settings\Administrator\Application Data\WindowsUpdate\Updater.exe
Creates Process: C:\WINDOWS\system32\mspaint.exe
Creates Mutex: SVCHOST_MUTEX_OBJECT_RELEASED_c0009X00GOAL

Process
↳ C:\WINDOWS\system32\calc.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\c731200
Creates Mutex: c731200

Process
↳ C:\WINDOWS\system32\mspaint.exe

Process
↳ Pid 308

Network Details:
