Analysis Date: 2014-10-09 04:56:41
MD5: 90fd6e7b34e0d879966677bfb77115b5
SHA1: a7f4a911430400c381abe84b604d5fa0b6ddb88b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bbf4d1c6e41cd1816a53e91de8ac5554 sha1: 638884009b75748c1814c7280394afe6e21cb1c5 size: 104448
Section .rdata: md5: ab5ff432716e2f74473fd1068288356d sha1: 328ac400c7ec2760ad4c16ea884e1ab26786221b size: 28160
Section .data: md5: 942f5f2128c12f4b3985de3827e0d8f6 sha1: c7758e909f974530a88e76e9a0240972f4d1f68e size: 4608
Section .rsrc: md5: 051a3a4c9fff8d0bd2684abd78b2f27f sha1: 14f75feb6b859df2ed77dc09d3fb7bd92325da61 size: 199168
Section usrbhpi: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 1999-06-26 20:20:27
Packer: Microsoft Visual C++ ?.?
PEhash: 59bafeeb7f7788a3ff7e57ddf357394a40c0b57b
IMPhash: 720f62ecaae027b5c3ec6686644322e9
AV 360 Safe: Gen:Variant.Symmi.43388
AV Ad-Aware: Gen:Variant.Symmi.43388
AV Alwil (avast): Virtu-F:Win32:Virtu-F
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV CA (E-Trust Ino): Win32/Tnega.QDDOAVD
AV CAT (quickheal): TrojanRansom.Blocker.A4
AV ClamAV: no_virus
AV Dr. Web: Trojan.Winlock.8775
AV Emsisoft: Gen:Variant.Symmi.43388
AV Eset (nod32): MSIL/Bladabindi.Q
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.43388
AV Grisoft (avg): Generic31.BEIT
AV Ikarus: Trojan.Win32.Dynamer
AV K7: Trojan ( 003f3a341 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.MSIL
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.43388
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Hoax.Blocker
AV Yara APT: no_virus
AV Zillya!: Trojan.Blocker.Win32.4914

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\2b84a7ed33f26a9ef98ff459e1950594\US ➝ !\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe
Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe"

Process
↳ "C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe"

Network Details:


Strings:
..;.*.**A. d
..=....h.v.4...x..o.
.'...."W.!W:..[...{
.v.4...x..o.
.8...0eG.);V..[...{
.v.4...x..o.
.
.u.DK#.E;V..[...{
.v.4...x..o.
.'...!.
.)WV..[...{
.v.4...x..o.
...6.!*W.
U%..5...{
.v.4...x..o.
.1.6...Z.1^;..)....}.v.4...x..o.
xaf3.t.b
..
w
..@
`@
CC
00-+ 
.
\
 
.
..
.
.
.e
.!
.&
.
.
.@
w.
!1Aa
#+3;CScs
B|BxBtBpBlBhBdB`B\BXBTBPBLBHBDB@B<B8B4B0B,B(B$B B
                                 H
         (((((                  H
         h((((                  H
jjjj
KERNEL32.DLL
MAINICON(
mscoree.dll
mscorlib.dll
(null)
                          
! "$!$#
!)&(#"&
'+.%$('%)
"%'&**(,
$"&&%(
$#'$ %
&%)#!&
%$(,+/
								
]	!`.0
+,0+)-
&+0;'(0
:0)<0*D60=3)A8.C7-5+!2(
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
$01ADCVQOa3/5
;0(>2**!
+05(&,!"(
0A@@Ju
/0?BARTQa>9:
&0dYdotW
0%.H7O
/0:>=LA@O:<F12=/0;
.0{o%V
0SSSSS
0WWWWW
0/;(",`Z[<9Ef`vMPgY]|^i
10APYwXd
11@-.9+)502<
1-:63D:8GPOcbc|im
17Gt84
$&1BBTSTc`[S
	1'$C6.
/1=CCTQP`KFB
--1FTjHWpFWlGXmG[nKZiR`sXdvIP`Zgtn}
,(1=<O??RNOabf}ns
1p=Ah<1
1V6`@}
1)%ZQG1' '
-.2-+/
"(%+-+2
)-2'%+&%*
+,2'&+##*
($)20:
2)0Y]ndk
21@ZWp]Zufe~ko
|$2`|2$A
!",22CAAVLL_FFRA;6zjW
(23BCAVNNa44?g\O
2~5aL%w
%)(2#!-63BJM]]_tgj
2=9gQ,	g
=2+A5/G93F<3F<2G;17-#4+!L>4WJ;[MA[MA[MAWH?^NEcZPTQJ%()
2Age$[@
2dPd5f
/2>FER=<>reU
>2^M$3q
;2,~v_d\MJB6:/*
2w0)[ZM
,)2x98
2x~\La>,
.).3/;
{&3/-%
%$+30@/-<ABOUWmaf}ks
3BJLk'
`$3drm
_;~3O'
3`sj5}a
')3S_jkw
4*$;1*
45FTZygp
=4,jaPi_N@5,
.4@??S<=MEFVjg
%-*501:**4  *
 +55FROd]_tbcwcewXZlNQ`OP`[[k
*(5+)71/;HHYV^qcj
5G0\TG%
5h4_JS
5,s^Mf
5,$`YJ6-&^QF$ 
61?BBWEEYVXmhl
$65F%'2
$65G98KDDVY\rjl
66C(&/*&1/.7a[oVXr^b
+67>24;
67@Z^teh
69GNPbSU]
*,6CCURRbZTM
6=>:\G*
6g5owP#
707_avfh
7@+0'f
)*.768B
+-7\hu
7kNkzI
7Mv5ui=
&'7,o9
7pN?jA
7 /Po/
82-2*$)&'*)+
8_27x?r=
86E53CIFWZVtb_zNOg_a
86G>:LA<MOJ\fd|cc
%89FHLZKN^JM\?@O9<I8=H
$89J[a{mt
8!aFwy
(+8DI\JOcY\wdd
8kDp~b
~;8M\c}
8VVVVV
?90MG9WM?
+*9$&2)&1+,6++5
98]0hH
;9c`u3
(;9JPScY[kY[mQSeHKZDFUKK[
9K[]oV
9o?|I(zh
^(9^$u
~(9~$u
A7.?3,
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
\`|ABVKDd
]a}@CZA=V
afuWdyco
>AFy 4
Ah}8b:
}_ahOXnXdx^j
An application has made an attempt to load the C runtime library incorrectly.
<	a'PI
Arg list too long
<at9<rt,<wt
aTNbVPbUOaRL^OIZKC<1*
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
"]<a'u2
|au 4Hh
August
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVtype_info@@
\B6xl;
Bad address
bad allocation
Bad file descriptor
 Base Class Array'
 Base Class Descriptor at (
__based(
b,E@7}7m))
B>Fk&h\Q
bhxcfuns
!\b*o2
bQKfVPZJDaQKaPJfSMZHA 
Broken pipe
C8-M_*
C8=$(P
capYTazs
CAY-)4+'/)$-<;MLOk59K
cb@eXs
CCUOOfMOf`bzpt
./:CCUQQaVJE
__cdecl
 Class Hierarchy Descriptor'
CloseHandle
__clrcall
CompareStringA
CompareStringW
 Complete Object Locator'
CONOUT$
`copy constructor closure'
CorExitProcess
CP_^][
c_pNNeYVsTQm??S
CreateFileA
CreateFileW
CreateToolhelp32Snapshot
- CRT not initialized
C?RV\zTbw]i
cVIqdV|sd90*8.(<60H>7zn\VKA'$"
\cvOVgiu
D$0^][_
d#2M_E
{d7($C
@.data
d^=AXJl
d"BfL$
D$ )D$
D$(+D$
dddd, MMMM dd, yyyy
December
DecodePointer
`default constructor closure'
dek,G[
 delete
 delete[]
Delete
DeleteCriticalSection
D$$)G@
Directory not empty
DJa2->
DN^T_zT`{Yh
Domain error
DOMAIN error
d]P=4,
d!qI/^
D$Tt*;
:||dwtI
#@DXdk
dXH_SBI=20)$
`dynamic atexit destructor for '
`dynamic initializer for '
D`YQD6
E;4aXK7/)viV&"
E82G93L>8M?7M>5L=4<.':-&MA7ZJ?\NB^PD]OCZL@_RGfZPRMF $'
$~Ed_J
EEJO-Y
E#+E/_^ZY
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
ek}[`qVVfW\kfm|
E@_!m:n
EncodePointer
EnterCriticalSection
ePYVv/[
=eRbr(m
_eu\\leiypw
e"vF9X
e]vYS[JGLKFRAE]QTu?EW
ewh/?y
]exbizqy
Exec format error
ExitProcess
f,*3">
F*7;rPLc^
__fastcall
FD)np)nl
February
)FFUyi^
fHJ:GgJ\^*w
;FH_#Y
File exists
Filename too long
File too large
FindResourceA
$!#:=F?KZAM]:EP.7;#)3&*68?KIO^iu
FL9~Xu	V
fl}jm|w|
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FlushFileBuffers
]Fo/mY
ForceRemove
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
FreeResource
Friday
Function not implemented
gBcLA{@P
,]G#"`d'e`*
GetACP
GetActiveWindow
GetCommandLineA
GetConsoleCP
GetConsoleMode
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessHeap
GetProcessWindowStation
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
Gh9Ghr
!g[i+d
GJf%%0
"GLbks
Gqy4Ks
Gx^n0>T
.GX"tf`
gYHRtjn
G'z5*G
`h````
}`!`"H
H*0"ZOW
H:4H:4M?9PA9QB9N?6>0)?1+NB8ZJ@[MA_QE_QEYK?\ODbVLHA@
H>7>1*6+$
H]bj1S\
HDMX^vai
HE7#AOd
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
`h`hhh
HH:mm:ss
HHtXHHt
HqSu4`
Hv{H{F
hVPkXShTOdTN`PJ]NEQA:
_hz)  $
I9(ch!
>If90t
-.;IH\hf|_^tVYsvx
IiGM>nw
=Ijyef
;:IKPf_a
Illegal byte sequence
Improper link
Inappropriate I/O control operation
InitializeCriticalSectionAndSpinCount
Input/output error
InterlockedDecrement
InterlockedIncrement
Interrupted function call
Invalid argument
Invalid seek
IPNl``
I!ps8l
Is a directory
IsBadReadPtr
IsDebuggerPresent
IsValidCodePage
It~$H+S
IuvS=I
i]wE}!
IzoU7dC
J;1TG8VH<VH<XI>SD;]MDaWMSQI
JanFebMarAprMayJunJulAugSepOctNovDec
January
=Jg<d#	
[jHqJE
j@j ^V
!/$/?;J^JVh
JK`PTkPTlbg
jr*,l#)3
j"^SSSSS
+jUbzJ
'!);<JV\rgo
]J/{(z>fJ
K;5K<6QA;SC=TD=PA:@1+D60TC:^ND_QEaSG^PEWI?XIAfWP867
~k7frW
KA6XQB;2*
kernel32.dll
KERNEL32.dll
=;KHI^JK`]^uko
KI3txsA
'%'KVnP]xM\vSc}[l
;<KVYxbc
"	L*@ 
L$4;D$Ts<)D$T
L<6l59
^l@9'o
L$(9ODv
l!;b	F
LCMapStringA
LCMapStringW
LeaveCriticalSection
{l"L,`
L$(+L$
[-&LMb#{'
&l"|MLaLc
LoadLibraryA
LoadResource
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
LockResource
lstrlenA
lstrlenW
;l$TsY)l$T
.^M"5*kv
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
M,c)fY|
MessageBoxA
]MGZKDXH@`PHbSJdTLSD=H;5I=3=1)
Microsoft Visual C++ Runtime Library
MIDH;*
mj>zjZ
M!L'!5
MLfVZwW_vbj
MM/dd/yy
Module32First
Module32Next
Monday
MPm,+:
m_qJsG
MQq35E($.43C-/:
m]T/! +
MultiByteToWideChar
M|X:p<
MZ)]]#
)Nd)Vh
 new[]
No child processes
No error
No locks available
NoRemove
No space left on device
No such device
No such device or address
No such file or directory
No such process
Not a directory
Not enough space
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
N(Uh0%
(null)
NWk+!" 
,(n+Z!
o_1hxx
O?9O?9SC=UE?UE?RB<B3-G93WD=aPFbTHcUIaSG]NEeVMk]R,-- #* !+
O(9O$u
OC5Dw\
October
Oh;O\sN
O@;H s
O@;H(s
_OIaQKWGAdTNfUOjVQ^ME'
oj~gj\^_
)#)?=OJOeU\x]a
`omni callsig'
Operation not permitted
operator
OQgQWpSXpci
OWr.'.'
OZw3(?
@PAQBR
__pascal
Permission denied
pfWRI;4*$
&P[I^w
pJ]ioX
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
p<O#|$
PPPPPPPP
PQiTXtV\tcj
Program: 
<program name unknown>
(>>PRSbWUR
__ptr64
- pure virtual function call
Qf`1SHk
QH>=2,H>4
Qkkbal
QL]`*x$
QueryPerformanceCounter
/;QXzt
=rAG}L
RaiseException
`.rdata
ReadFile
Read-only file system
Resource deadlock avoided
Resource device
Resource temporarily unavailable
__restrict
Result too large
^RG@6,,#
ro	6SGlH
RP	har
rr	3 Wk
'?rRC70
,'-RShY_v\`|\a
RtlUnwind
runtime error 
Runtime Error!
}r]vkYk_N/(!
RVr55F80K
'RXqen
'rY]#/C
RYk^evp|
RYlR^rYd}^k
Saturday
`scalar deleting destructor'
SC=P@:UE?XFAYFAWE?F70H;2XH?bQHhWMfWMdUKeVMqbVi\R)+,"%,##)  '
]SD2+#
September
SetEndOfFile
SetEnvironmentVariableA
SetFilePointer
SetHandleCount
SetLastError
SetStdHandle
SetUnhandledExceptionFilter
SING error
SizeofResource
s"My[0
SQ94OA$
^SSSSS
__stdcall
`string'
Sunday
SunMonTueWedThuFriSat
s	|Z-u
t-0dzi92`
t4!qS`
t*9Qlu%
t.9Vlt)
TB	%*^
tEC~'7
teh=8A
TerminateProcess
tGHt.Ht&
T$h9T$
This application has requested the Runtime to terminate it in an unusual way.
__thiscall
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
t$H;t$8
Thursday
TJ5x;m
TK==4.
< tK<	tG
	TL=G@6
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
Too many links
Too many open files
Too many open files in system
T$<PQR
T$$QUR
tr9_ tm9_$th
t"SS9]
Tuesday
;t$,v-
~t^vjWZN>5-'
t:<wuE
t+WWVPV
 Type Descriptor'
`typeof'
@tZ@m+
"<)U@;
u8W|H%
ua/mMJ
U\~DI`
`udt returning'
UE?ZLEYI@_OG`QH`QHK<5F81B6,1&
- unable to initialize heap
- unable to open console device
__unaligned
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UNICODE
Unknown error
Unknown exception
unWvkU:0'
U.PK:t
%_uQeM
UQPXY]Y[
Ur{`}n
URPQQh
USER32.DLL
usrbhpi
UTF-16LE
/*/U]vUaxYe}eq
v$;5$0B
VaDV${
Vb?5@:
`vbase destructor'
`vbtable'
v#]bu7i
`vcall'
)Vd)Nh
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`vftable'
VF@UE?VF@ZGB]IDZFAH91I=3ZKBdSKn[Sn^UhYPk\SrdZUKF#"$()/$%)#")
V&ic l
VirtualAlloc
`virtual displacement map'
VirtualFree
VirtualProtect
Visual C++ CRT: Not enough memory to complete call to strerror.
]VJLD9A61
Vj"&X,
Vlf+Vd
Vlf+Vp
VMAvu~an
v	N+D$
V"oYw8!
~vsaY[hbi|gm
_Vv]UnZWnX[z\c
V_:X1:
w6[Tzu
w<9G,s
WDqZ<t(;m
Wednesday
'WG@^4
WGAWGAWGAZIB\KDZIBK;3M?7]NFeXMiYNZKASE;:/&B6,
_WGLD5
WideCharToMultiByte
wIUzh'
w+OQvr
.@	W>OU
WriteConsoleA
WriteConsoleW
WriteFile
|$ WSPV
~\wu(j
wUzisb
wzJ3;2
*]X2M^
x 9!4F
xdiuek
XHBXHBWGAZKC\MD\MDJ;3SC=UG>F<0aSGdVJD8,.% ND9
_XLF@6^RB	
|Xn/2C
xo~GYL
xppwpp
xpxxxx
`]x<@T/6D
yaxlXqfSD;39-,
yDN7<>
y !d~>v
YICYJCYIB]NE_PG^OFJ;4K<5SF;=2*=1(dWJ>3)
ykm`Y\XU\bq^e|gn
"YMv^P
>=Yt1j
YXh~WE
Y]y=>PRHi	
	?z2}l
#Z2wXgw!
Z8]h/b
)\ZEo^m/
|?zfG&V
"zIdol
zl/ G;Ra
\ZqKEU?=K31?PLdCG^(-:
ZSP]bwbl