Analysis Date: 2015-01-14 16:07:18
MD5: b124bde81c4a3d8434b76ace0e5d9e9e
SHA1: 9a5d3401481ea31c01777cbe80da4ecfb06aae6d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: b0e97b2266d1214aa8b5d7bca4345ad4  sha1: b7040d0f032e76f71cc3f2e08c83a279f63d5c1f  size: 50688
Section .rdata  md5: 187cf136969cf1a6779ac96369fa16a4  sha1: 20835d3486c25701a7d13654c8c5b82d427a7054  size: 14336
Section .data   md5: 78abf74055b47561852ab4d4d4e926eb  sha1: 71ea98a5de541f3f04a03fb857d40daf04acf8bb  size: 4096
Section .rsrc   md5: 6d3d2acce70d79b3ff7a29f596888e1b  sha1: 1339f79ea4617675658d641f6ff260257e7b3c12  size: 512
Section .reloc  md5: ca7f3730061de5370555a45911871303  sha1: 5f5275ed9d6182aa27a0cfa371b163664c6790d1  size: 5632
Timestamp: 2014-12-11 13:23:19
Packer: Microsoft Visual C++ ?.?
PEhash: 9e3e0c4fcbb7f1efd42013a4888b621cc8a052c6
IMPhash: 25e7bbf9c01c0a28fea1dfc37ffc3cd5
AV vendor                        Detection
360 Safe                         no_virus
Ad-Aware                         Gen:Trojan.Heur.quZ@H5a@zqei
Alwil (avast)                    Malware-gen:Win32:Malware-gen
Arcabit (arcavir)                Gen:Trojan.Heur.quZ@H5a@zqei
Authentium                       W32/S-9761f5a8!Eldorado
Avira (antivir)                  TR/Spy.Gen
BullGuard                        Gen:Trojan.Heur.quZ@H5a@zqei
CA (E-Trust Ino)                 no_virus
CAT (quickheal)                  no_virus
ClamAV                           no_virus
Dr. Web                          no_virus
Emsisoft                         Gen:Trojan.Heur.quZ@H5a@zqei
Eset (nod32)                     Win32/Agent.WMT
Fortinet                         W32/Agent.WOV!tr
Frisk (f-prot)                   no_virus
F-Secure                         Gen:Trojan.Heur.quZ@H5a@zqei
Grisoft (avg)                    Agent5.DWC
Ikarus                           Trojan.Win32.Agent
K7                               Trojan ( 004af5c61 )
Kaspersky                        Trojan.Win32.Agent.amjnu
MalwareBytes                     no_virus
Mcafee                           no_virus
Microsoft Security Essentials    no_virus
MicroWorld (escan)               Gen:Trojan.Heur.quZ@H5a@zqei
Rising                           no_virus
Sophos                           no_virus
Symantec                         Trojan.Gen
Trend Micro                      no_virus
VirusBlokAda (vba32)             Trojan.Agent.amjnu

Runtime Details:

Process
↳ C:\malware.exe

Winsock URL: https://www.google-analytics.com/collect?v=1&tid=UA-54655926-1&cid=0CE620CD0A00&t=event&ec=plugin&ea=unknown_p&el=C:%5cWINDOWS%5csystem32%5cmonitor.exe&z=41&de=UTF-8&cd1=Ss00&cd2=2.0.1&cd3=

Network Details:

DNS  www-google-analytics.l.google.com  Type: A  173.194.125.69
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.70
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.71
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.72
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.73
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.78
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.64
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.65
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.66
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.67
DNS  www-google-analytics.l.google.com  Type: A  173.194.125.68
DNS  www.google-analytics.com           Type: A

Flows  TCP  192.168.1.1:1031 ➝ 173.194.125.69:443
Flows  TCP  192.168.1.1:1032 ➝ 173.194.125.69:443

Raw Pcap
0x00000000 (00000)   804c0103                              .L..
0x00000000 (00000)   802b01                                .+.

Strings
3456fyqmpsfs/fyf
]3456Fyqmpsfs]Vtfst]Efgbvmu]Tfuujoh/dgh
- abort() has been called
AHH:mm:ss
April
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
August
.bak
\Care
Carefree
CONOUT$
- CRT not initialized
dddd, MMMM dd, yyyy
December
DOMAIN error
error code = %x
Eruntime error 
Failed to open file.
Failed to release file.
February
- floating point support not loaded
free
Friday
fyqmpsfs/fyf
inst
iuuq;00xxx/3456/dpn0@37893
January
July
June
kernel32
lock
March
@Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
mscoree.dll
nKERNEL32.DLL
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
(null)
October
open
+PrivateBuild
Program: 
<program name unknown>
- pure virtual function call
R6002
R6008
R6009
R6010
R6016
R6017
R6018
R6019
R6024
R6025
R6026
R6027
R6028
R6030
R6031
R6032
R6033
reg exit code failed
reg_fail
reg_ok
regsvr32
release
Runtime Error!
%s\*.*
Saturday
%s\CarefreePlugin.dll
%s\CarefreePluginX.dll
%sdeleted.tmp
September
SING error
\SogouPinyin.local
%s\plugin.dat
/s "%s"
%s\%s
Sunday
%s\Uninstall.exe
%sUninstall.exe
/s /u "%s"
\temp
test
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
Thursday
TLOSS error
Tuesday
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Uninstall successfully!
unknown
unknown_p
unreg_fail
unreg_ok
Wednesday
WUSER32.DLL
                          
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
%02X%02X%02X%02X%02X%02X
12341234
]3456Fyqmpsfs]Vojotubmm/fyf
443819
64.dat
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
</assembly>PADPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDING
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
August
.?AVbad_alloc@std@@
.?AVCAtlException@ATL@@
.?AVexception@std@@
.?AVtype_info@@
bad allocation
 Base Class Array'
 Base Class Descriptor at (
__based(
Carefree/1.0
__cdecl
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
 Complete Object Locator'
`copy constructor closure'
CopyFileW
CorExitProcess
CreateDirectoryW
CreateFileA
CreateFileW
CreateThread
CreateToolhelp32Snapshot
@.data
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
 delete
 delete[]
DeleteCriticalSection
DeleteFileW
`dynamic atexit destructor for '
`dynamic initializer for '
__eabi
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
EncodePointer
EnterCriticalSection
EnumProcessModules
ExitProcess
Failed to write file.
__fastcall
February
FindClose
FindFirstFileW
FindNextFileW
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
FreeEnvironmentStringsW
Friday
GetACP
GetActiveWindow
GetAdaptersInfo
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetExitCodeProcess
GetFileType
GetLastActivePopup
GetLastError
GetModuleFileNameA
GetModuleFileNameExW
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoW
GetStdHandle
GetStringTypeW
GetSystemTimeAsFileTime
GetTempPathW
GetTickCount
GetUserObjectInformationW
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSetInformation
HeapSize
HH:mm:ss
HttpQueryInfoA
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
InternetCloseHandle
InternetOpenA
InternetOpenUrlA
IPHLPAPI.DLL
IsDebuggerPresent
IsProcessorFeaturePresent
IsValidCodePage
IsWow64Process
iuuqt;00xxx/hpphmf.bobmzujdt/dpn0dpmmfdu
January
KERNEL32.dll
LCMapStringW
LeaveCriticalSection
LoadLibraryW
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
MessageBoxA
MessageBoxW
MM/dd/yy
Monday
MoveFileW
MultiByteToWideChar
 new[]
November
(null)
October
`omni callsig'
OpenProcess
operator
__pascal
PathFileExistsA
PathFileExistsW
PathFindFileNameW
`placement delete closure'
`placement delete[] closure'
plugin
  plugin64.dat
  plugin.dat
Process32FirstW
Process32NextW
PSAPI.DLL
__ptr64
QueryPerformanceCounter
RaiseException
`.rdata
ReadFile
@.reloc
RemoveDirectoryW
        <requestedExecutionLevel level="requireAdministrator" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
      <requestedPrivileges>
__restrict
RtlUnwind
Saturday
`scalar deleting destructor'
    </security>
    <security>
September
SetEndOfFile
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SHELL32.dll
ShellExecuteExW
ShellExecuteW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
__stdcall
`string'
Sunday
%s?v=1&tid=%s&cid=%s&t=event&ec=%s&ea=%s&el=%s&z=%d&de=UTF-8&cd1=%s&cd2=%s&cd3=%s
TerminateProcess
__thiscall
!This program cannot be run in DOS mode.
Thread32First
Thread32Next
Thursday
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
Tuesday
 Type Descriptor'
`typeof'
UA-54655926-1
`udt returning'
__unaligned
UnhandledExceptionFilter
UNICODE
Unknown exception
USER32.dll
UTF-16LE
`vbase destructor'
`vbtable'
`vcall'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
`virtual displacement map'
WaitForSingleObject
Wednesday
WideCharToMultiByte
WININET.dll
WriteConsoleW
WriteFile
WritePrivateProfileStringW
wsprintfW