Analysis Date: 2015-11-29 23:01:57
MD5: ec9a719026c30ac6196aebf88ba0559d
SHA1: 9df86168e8bedf8dcf5d50c63715389c1db34689

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1faf46134e916a23aef521d6fe9d6086 sha1: 0d2c03a21277ecbba70e698357b829925a4ed9cc size: 53248
Section .rdata md5: f25db7209d8c747ca2b5587e980bb01e sha1: b839f0e01695e263852ef81f87edb8749f187e3f size: 8192
Section .data md5: 508a7e04aa8763e1c50d07f8d88cff76 sha1: 894683ee7d1d123ced0dabf8971022ca50c5af7f size: 180224
Section .rsrc md5: fdbb9403e5f922e7837d206dc3e5e52b sha1: 1855cbac875302ab049ea89ee5e17835f6cc8b03 size: 12288
Timestamp: 2014-03-22 16:09:17
Pdb path: @
Version:
LegalCopyright: Copyright (c) 1998-2013 VMware, Inc. All rights reserved.
InternalName: bootstrapper.exe
FileVersion: 1.1.2 build-00000
CompanyName: VMware, Inc.
PrivateBuild:
LegalTrademarks:
Comments:
ProductName: <fill in installer name with buildInputs.h or -pn>
SpecialBuild:
ProductVersion: 1.1.2 build-00000
FileDescription: VMware Software Installer
OriginalFilename: bootstrapper.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 34842d1b9e116f3a65e0a9a63b56d58e97a8acc2
IMPhash: c6a2268cba024a120f1848b1359eeef7
AV: Mcafee ➝ GenericR-EUD!EC9A719026C3
AV: CA (E-Trust Ino) ➝ no_virus
AV: Microsoft Security Essentials ➝ Backdoor:Win32/Zegost!rfn
AV: MicroWorld (escan) ➝ Gen:Variant.Graftor.141004
AV: Arcabit (arcavir) ➝ Gen:Variant.Graftor.141004
AV: Padvish ➝ no_virus
AV: CAT (quickheal) ➝ no_virus
AV: Rising ➝ no_virus
AV: Sophos ➝ no_virus
AV: Ad-Aware ➝ Gen:Variant.Graftor.141004
AV: Symantec ➝ no_virus
AV: ClamAV ➝ Win.Trojan.11085343
AV: Trend Micro ➝ no_virus
AV: Twister ➝ Trojan.Staser.vez.mdxb
AV: Authentium ➝ W32/Trojan.GFLU-3910
AV: VirusBlokAda (vba32) ➝ no_virus
AV: Dr. Web ➝ BackDoor.Spy.2323
AV: Zillya! ➝ Trojan.Staser.Win32.526
AV: Emsisoft ➝ Gen:Variant.Graftor.141004
AV: Alwil (avast) ➝ Farfli-BZ [Trj]
AV: Eset (nod32) ➝ Win32/Farfli.ARC
AV: Avira (antivir) ➝ TR/Rogue.11085343
AV: Fortinet ➝ W32/Farfli.ARC!tr
AV: Frisk (f-prot) ➝ no_virus
AV: F-Secure ➝ Gen:Variant.Graftor.141004
AV: BitDefender ➝ Gen:Variant.Graftor.141004
AV: Grisoft (avg) ➝ BackDoor.Generic_r.GCH

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Yabcde Ghijklmn \Description ➝ Yabcdefg Ijklmnopq Stuvwxy Bcdefghi
Creates File: vir8.exe
Creates File: vir1.exe
Creates File: vir7.exe
Creates File: vir9.exe
Creates File: vir3.exe
Creates File: vir4.exe
Creates File: vir5.exe
Creates File: vir2.exe
Creates File: vir6.exe
Creates File: C:\WINDOWS\yygeym.exe
Creates File: vir0.exe
Creates Process: > nul
Creates Mutex: C:\malware.exe
Creates Service: Yabcde Ghijklmn Pqrstuvw - C:\WINDOWS\yygeym.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1860

Process
↳ Pid 1184

Process
↳ C:\WINDOWS\yygeym.exe

Creates File: vir8.exe
Creates File: vir1.exe
Creates File: vir7.exe
Creates File: pipe\net\NtControlPipe10
Creates File: vir9.exe
Creates File: vir3.exe
Creates File: \Device\Afd\Endpoint
Creates File: vir4.exe
Creates File: vir5.exe
Creates File: vir2.exe
Creates File: vir6.exe
Creates File: vir0.exe
Creates Mutex: lj1009777241.eicp.net:8076
Creates Mutex: C:\WINDOWS\yygeym.exe

Process
↳ > nul

Network Details:

DNS: lj1009777241.eicp.net
Type: A
174.128.255.231
Flows TCP: 192.168.1.1:1031 ➝ 174.128.255.231:8076
Flows TCP: 192.168.1.1:1032 ➝ 174.128.255.231:8076
Flows TCP: 192.168.1.1:1033 ➝ 174.128.255.231:8076
Flows TCP: 192.168.1.1:1034 ➝ 174.128.255.231:8076
Flows TCP: 192.168.1.1:1035 ➝ 174.128.255.231:8076

Strings