Analysis Date: 2015-01-27 03:16:21
MD5: eed507dbb0cb5376c79be32ae1faf2fb
SHA1: be97a581b814c92cbcb4d8e45b90468fe6b9b8bf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: bad8a4b4032ca3c89e9c94b47de377e9 sha1: af739f9a701c029974c5a629dc58b37194ee767a size: 104448
Section .rdata md5: ab5ff432716e2f74473fd1068288356d sha1: 328ac400c7ec2760ad4c16ea884e1ab26786221b size: 28160
Section .data md5: 942f5f2128c12f4b3985de3827e0d8f6 sha1: c7758e909f974530a88e76e9a0240972f4d1f68e size: 4608
Section .rsrc md5: 2cc26523641f48e778b4143d72ad5ad4 sha1: 72901b70788eb88c7d453845fd712a88304ed0ad size: 143360
Section gflvqns md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .text md5: 4e418bb00ec74ca23f2cd4285da2b270 sha1: 2eff3b950f7339c9c4955fd638062769aa8c94f2 size: 385536
Timestamp: 2009-01-21 12:27:24
Packer: Microsoft Visual C++ ?.?
PEhash: b6364ba359bc638ef8a3dbc45729c0b927685170
IMPhash: 720f62ecaae027b5c3ec6686644322e9
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Symmi.43388
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Symmi.43388
AV Authentium: W32/A-27762b68!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen
AV BullGuard: Gen:Variant.Symmi.43388
AV CA (E-Trust Ino): Win32/Tnega.QDDOAVD
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Winlock.8775
AV Emsisoft: Gen:Variant.Symmi.43388
AV Eset (nod32): MSIL/Bladabindi.Q
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Symmi.43388
AV Grisoft (avg): Generic31.BEIT
AV Ikarus: Trojan.MSIL.Bladabindi
AV K7: Trojan ( 003f3a341 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.MSIL
AV Mcafee: RDN/Generic BackDoor!bbm
AV Microsoft Security Essentials: Backdoor:MSIL/Bladabindi
AV MicroWorld (escan): Gen:Variant.Symmi.43388
AV Rising: Backdoor.Win32.Bindi.a
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Hoax.Blocker

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\2b84a7ed33f26a9ef98ff459e1950594\US ➝ !\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝ 1\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe
Creates File: PIPE\lsarpc
Creates Process: "C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe"

Process
↳ "C:\Documents and Settings\Administrator\Application Data\WINDOWS.exe"

Network Details:


Strings