Analysis Date: 2015-04-22 20:51:34
MD5: 5d3a1d335d0efb532ed2001ff1143c7b
SHA1: a3e20c8b82c4837da8b6494b4251d5ddc9d0e371

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 1aa4ce28e08c61cc6535bd61ad589102 sha1: de78b5e364249e20a33f140f42d230021b618ce0 size: 81920
Section .data md5: 620f0b67a91f7f74151bc5be745b7110 sha1: 1ceaf73df40e531df3bfb26b4fb7cd95fb7bff1d size: 4096
Section .rsrc md5: babd4aec484b77fb70fc155ad2e1fcef sha1: 02afb3afa609f89cdc83cfe994d0dcb9ba044014 size: 4096
Timestamp: 2015-03-13 23:35:08
Version: LegalCopyright: Copyright (C) 2012
InternalName: Origin
FileVersion: 9,5,3,636
CompanyName: Electronic Arts
LegalTrademarks: (c) Electronic Arts 2012. All rights reserved.
ProductName: Origin
ProductVersion: 9,5,3,636
FileDescription: Origin
OriginalFilename: Origin.exe
Packer: Microsoft Visual Basic v5.0
PEhash: 80fc62e96de156c008242b5de700bc95891bb7c7
IMPhash: b66b7d453ac07497522d13c5518936a8
AV Ad-Aware: Gen:Variant.Zusy.133535
AV Alwil (avast): Evo-gen [Susp]
AV Arcabit (arcavir): Gen:Variant.Zusy.133535
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.VB.30279
AV BullGuard: Gen:Variant.Zusy.133535
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Zusy.133535
AV Eset (nod32): Win32/Injector.BWJM
AV Fortinet: W32/Injector.BXKK!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Zusy.133535
AV Grisoft (avg): Dropper.Generic9.AAYW
AV Ikarus: no_virus
AV K7: Riskware ( 0040eff71 )
AV Kaspersky 2015: no_virus
AV MalwareBytes: no_virus
AV Mcafee: Suspect-BQ!5D3A1D335D0E
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Zusy.133535
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: Possible_Otorun8
AV Twister: Backdoor.DarkKomet.eygc.zgcs
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\2595_appcompat.txt
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196
Creates Process: C:\WINDOWS\system32\drwtsn32 -p 1396 -e 152 -g
(dwwin.exe and drwtsn32 are the Windows error-reporting / Dr. Watson components; their launch together with the appcompat.txt file suggests the sample crashed during analysis, so this runtime trace is likely incomplete and the static strings above are the more reliable indicator of intended behavior.)

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\drwtsn32 -p 1396 -e 152 -g

Network Details:


Raw Pcap

Strings
.w~zyyz.{y{wwxzyzw
\*.*
0GZG
100904B0
2.5.0
2.5.1
2.5.2
2.6.0
2.6.1
2.6.2
9368265E-85FE-11d1-8BE3-0000F8754DA1
9,5,3,636
A*\AC:\Users\Jonaas\Desktop\aaX\
Action= @
Action=Open USB
AppData
\Archivos
Arguments
Array not initialized!
ASDHQWIUETIUASJDLASD
ASDIQWKYELAOSDA
ASDKJGHQWJITGASUIDASASDASD
[Autorun]
autorun.inf
(c) Electronic Arts 2012.  All rights reserved.
cftmon
\cftmon.exe
\cftmon.exe 
CompanyName
Copyright (C) 2012
CreateShortcut
d9368265E-85FE-11d1-8BE3-0000F8754DA1
Description
DFGSDFJFHIKDTYUYSWYWTY
Drives
DriveType
DSFG HDFHJFYHJKLFHJJSDF
e9368265E-85FE-11d1-8BE3-0000F8754DA1
Electronic Arts
EnableLUA
.exe
ExecQuery
\explorer.exe
explorer.exe
Fehler
FileDescription
FileVersion
.fldr
GetAbsolutePathName
GHDSFG
IconLocation
Icon=%SystemRoot%\system32\SHELL32.dll,7
InternalName
IsReady
JASGDKNAUYSHFDIQJHWE
LegalCopyright
LegalTrademarks
.lnk
\Microsoft\Windows\Start Menu\Programs\Startup\
Not an array!
notepad.exe
Open
Open=
Origin
OriginalFilename
Origin.exe
Path
ProductName
ProductVersion
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disableregistrytools /t reg_dword /d "1" /f
reg add hkcu\software\microsoft\windows\currentversion\policies\system /v disabletaskmgr /t reg_dword /d "1" /f
RWTYERTYERTYDRTY
S3 Trio32/64
Save
SbieDll.dll
Scripting.FileSystemObject
SDAKJSDNGKQWYIEFRKUSDASIPODAS
SDFGSDFGSDFGSDFGSDFGSDFG
SELECT * FROM Win32_VideoController
select name from Win32_Process where name='---'
Server 2K3
shell32.dll, 0
shell32.dll, 2
shell32.dll, 3
shell\explore\Command=
shell\open\Command=
shell\open\Default=1
shell\open=Open
SOFTWARE\Microsoft\Security Center
SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
\Start Menu\Programs\Startup\
StringFileInfo
svchost.exe
\system32\notepad.exe
\system32\svchost.exe
\system32\taskhost.exe
TargetPath
taskhost.exe
temp
Terminate
thisexe
This Programm can not run under this OS.
\tmp645eaa54d87qw4vc558sd46.exe
Translation
TRUE
UACDisableNotify
UseAutoPlay=1
UserProfile
VarFileInfo
.vbp
VirtualBox Graphics Adapter
Vista
VM Additions S3 Trio32/64
VMware SVGA II
VS_VERSION_INFO
w{|~|}
windir
WinDir
winmgmts:
WorkingDirectory
WScript.Shell
wwwwww
|wwwwww}
{wwwwww
}wwwwww}
wwwwwww
}wwwwwww
{wwwwww|x}
~wxw~wwwxww}
wz|xz{}
~xw{
xxwxwwww}
ywwwwww
~z{}
zwwwwww
 " " " " " 
 " " " " " " 
 " " " " " " : 
 "!" " " " " " : 
 "!" "!
 $.' ",#
" " " " " " 
" " " " " " : 
" " " " " " " : 
" "!" " " " " " 
"!" : 
"!" " " " " " 
#03PB`
0W=FFqZ
!15@ "0
!1AQaq
!22222222222222222222222222222222222222222222222222
,41iV9
%&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
  %*5-%'2(  .?/279<<<$-BFA:F5;<9
&'()*56789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz
6Photoshop 3.0
(7),01444
'9=82<.342
9& &99999999999999999999999999999999999999999999999999
9acspAPPL
9EbCFG&'
9iVt**
9*?P*-jxf
9~v;3o~
_adj_fdiv_m16i
_adj_fdiv_m32
_adj_fdiv_m32i
_adj_fdiv_m64
_adj_fdiv_r
_adj_fdivr_m16i
_adj_fdivr_m32
_adj_fdivr_m32i
_adj_fdivr_m64
_adj_fpatan
_adj_fprem
_adj_fprem1
_adj_fptan
advapi32.dll
_allmul
a(xD2G
bD2?ppj
BorderStyle
c6M$x'
CallWindowProcA
_CIatan
_CIcos
_CIexp
_CIlog
_CIsin
_CIsqrt
_CItan
CloseHandle
C:\Program Files\Microsoft Visual Studio\VB98\VB6.OLB
CreateToolhelp32Snapshot
C:\\//WINDOWS\\//SYSTEM32\\//KeRnEl32.dLl
C:\\//WINDOWS\\//SYSTEM32\\//MSVBVM60.dLl
C:\\//WINDOWS\\//SYSTEM32\\//ShElL32.dLl
cW_WbuQ58vgCQp-RTp2u
`.data
;DL3333333
DL3333333E
DllFunctionCall
Eb_x{D
>{ef#k
Enabled
EVENT_SINK_AddRef
EVENT_SINK_QueryInterface
EVENT_SINK_Release
FindExecutableA
GetCurrentProcessId
GetModuleFileNameA
GetModuleHandleA
GetVersionExW
GetVolumeInformationA
Gm77IDttt
HotTracking
	HZM/E$
ICC_PROFILE
ImageCombo
ImageList
/$InV5
I&.oV*
JBffZjQUU
KE{7J*1VKd
kernel32
kernel32.dll
KZT1j%/
l5Sr62
ListView
M5knnQij9
mntrRGB XYZ 
Mscomctl32.
Mscomctl32.ocx
MSComctlLib.ImageCombo
MSComctlLib.ImageList
MSComctlLib.ListView
MSComctlLib.ProgressBar
MSComctlLib.Slider
MSComctlLib.StatusBar
MSComctlLib.TabStrip
MSComctlLib.Toolbar
MSComctlLib.TreeView
MSVBVM60.DLL
MulDiv
MultiSelect
Nrr299555
NuuuuPPu7
OivH5g65z
Picture1
Picture2
Process32First
Process32Next
ProgressBar
QGisy 
RegCloseKey
RegOpenKeyExA
RegSetValueExA
rS!eO@
RtlAdjustPrivilege
rxn}2Y'
S8RWWcc7778LLG2
Seconds
Separators
SHELL32
ShellExecuteA
Slider
StatusBar
TabStrip
!This program cannot be run in DOS mode.
Toolbar
TreeView
u=&^K?
u=~qwt@
V8M5knnQij9Ho77
vb4projectVb
VBA6.DLL
__vbaAryConstruct2
__vbaAryCopy
__vbaAryDestruct
__vbaAryLock
__vbaAryMove
__vbaAryUnlock
__vbaAryVar
__vbaBoolVarNull
__vbaChkstk
__vbaEnd
__vbaErase
__vbaErrorOverflow
__vbaExceptHandler
__vbaExitProc
__vbaFileClose
__vbaFileOpen
__vbaForEachCollAd
__vbaForEachVar
__vbaFPException
__vbaFpR4
__vbaFreeObj
__vbaFreeObjList
__vbaFreeStr
__vbaFreeStrList
__vbaFreeVar
__vbaFreeVarList
__vbaGenerateBoundsError
__vbaGet3
__vbaHresultCheckObj
__vbaI2I4
__vbaI2Str
__vbaI4Str
__vbaI4Var
__vbaInStr
__vbaLateIdCallLd
__vbaLateMemCall
__vbaLateMemCallLd
__vbaLateMemSt
__vbaLenBstr
__vbaMidStmtBstr
__vbaNew2
__vbaNextEachCollAd
__vbaNextEachVar
__vbaObjSet
__vbaObjSetAddref
__vbaObjVar
__vbaOnError
__vbaPrintFile
__vbaPut3
__vbaR8Str
__vbaRedim
__vbaSetSystemError
__vbaStr2Vec
__vbaStrCat
__vbaStrCmp
__vbaStrCopy
__vbaStrI2
__vbaStrI4
__vbaStrMove
__vbaStrToAnsi
__vbaStrToUnicode
__vbaStrVarCopy
__vbaStrVarMove
__vbaStrVarVal
__vbaUbound
__vbaUI1I2
__vbaUI1Var
__vbaVar2Vec
__vbaVarAdd
__vbaVarAnd
__vbaVarCat
__vbaVarCmpEq
__vbaVarCmpNe
__vbaVarCopy
__vbaVarDup
__vbaVarIndexLoad
__vbaVarLateMemCallLd
__vbaVarMove
__vbaVarMul
__vbaVarSetVar
__vbaVarSub
__vbaVarTstEq
__vbaVarTstGt
__vbaVarTstLt
__vbaVarTstNe
__vbaVarZero
VmsVTQ
Vx9333ry0
\wInDoWS\SYSTEM32\kernel32.dLl
\wInDoWS\SYSTEM32\USER32.dLl
Wk222n6Wm
WV	a|D
xV:T>5