Analysis Date: 2014-08-30 03:41:14
MD5: 4fa24ef0f130a2720dbb46795ea83c24
SHA1: de594bbbeddab970e4d1f9838fed872712190d46

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 082ad918f311305d409ef12b2e0a15e8 sha1: 48328ed92c55bcaaba57594ebacd81468bedf5fc size: 25600
Section .rdata md5: d67222814ed38f936f80239176d9849c sha1: 3d94c890dbd4e7981a20039d2cde807d0ecf4f02 size: 7680
Section .data  md5: e09d4c5f1dfee87ec1c42f889b6367bf sha1: a9310efa6b737e12e02b0162eb20fb50ef65ff84 size: 152064
Section .rsrc  md5: a8eaa2c405bc232228a6261c285e20ea sha1: e9d5d9223f2ac01b702dc797f3bc65571bb3c08b size: 512
Section .reloc md5: 823325634b8c4a36cdad02a7bcb84fd5 sha1: 6f4715def0e949df38584e70479b68b5f253c5fb size: 3584
Timestamp: 2014-08-25 05:46:54
Packer: Microsoft Visual C++ ?.?
PEhash: ac8790cb5ee90728149681ed388c46d3ef23d636
IMPhash: ffe2fbf865bb8c25b9b6a19704b9a801

Runtime Details:

Process
↳ C:\malware.exe

Network Details:

Strings
.CC
 
.
.
.
-
.
.
+
.
.
gN.U
tH
.
.
Y
                                 H
         (((((                  H
         h((((                  H
KERNEL32.DLL
mscoree.dll
MS Shell Dlg
                          
0$0,040<0D0L0T0\0d0l0t0|0
0:0?0d0j0u0
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
0(171F1O1d1
0>1F1[1f1
0>1G1R1X1g1t1~1
: :$:(:,:0:4:8:<:@:D:H:L:P:T:X:\:`:d:h:l:p:t:x:|:
%070B0Y0p0|0
^%0a>_7
0A@@Ju
:%;0;:;K;V;
0lV4~F
0SSSSS
0WWWWW
1,131K1W1]1i1x1~1
19.V#|
1AxCog
1L<sO&R
1	+PZ8L
<1<T<h<s<
20282C2
2"2:2@2O2U2d2j2x2
2$3(30343P3l3p3
252J2p2
>2>9>C>K>X>_>
 2Ef8k
 ),2JW
2\#_.R[
2^=S2O
)2[Tj7
2Vuu3y
3H4X4h4x4
<3>iqB
3Lwgl)#
3V@[Es 
4181<1@1
4 4<4@4`4|4
4$4-444V4
4'4q4x4
4#5A5H5L5P5T5X5\5`5d5
46xP/"
4{[:AN
4/d/qdq
4/F`Fw
=/=4=K=
-4,k"\B,
4QJTcS/3v 
4wCKe1
5%5+54595H5o5
5 5@5`5
5*5@5K5P5[5`5k5p5}5
5+565P5\5d5t5
5&616L6S6X6\6`6
5"6(696
? ?%?5?d?r?
5tbuekL
6#6-6J6
6!7*767o7x7
6cb=Uh
6"imZnQ
>6JL#J{/
6jn|@3
6#k7{1r
7.848@8
7E7]7h7
7HSs\LW
7J7P7T7X7\7
/7PCVyy
81868E8N8[8f8x8
+$83if
86zzxB0 q
878\8o8
8$8-82888B8K8V8b8g8w8|8
888?8G8L8P8T8}8
8%8H8U8a8i8q8}8
8.94989<9@9
<8&Jhf]
(&$8lO
8L`q3#kM).*
*8n%5o
8xExH%
95g=GOC
9#91989=9F9S9Y9s9
99dK)~z3
9>9L9R9u9|9
9	{.A>MJ
9,P9UNz|
9<Yp1:#Z
A7F		5K
A8)&0Mr
AAFFf;
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
AcF]:L
A&l=e(
a]n7riu
An application has made an attempt to load the C runtime library incorrectly.
*A:Oqj)
~aTp(c
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
A$tv]R
August
AX9J}s,
Bd@LJ3
BeginPaint
^bknQO
_bRKYy_
B'~:sg
`*}c{!
+^c1]\
_=$>Cb
~ch?(-	
C].j``
-(CM/N
\C!\+Mo
c%%oaz
CorExitProcess
{ Cqc%
Cr=eAj
CreateWindowExW
- CRT not initialized
{.<cZL
czq!e4FB+f
D51{x^
@.data
&Dbs^(
D}"-D0
dddd, MMMM dd, yyyy
December
DecodePointer
DefWindowProcW
DeleteCriticalSection
:+:]:d:h:l:p:t:x:|:
DialogBoxParamW
DispatchMessageW
D?k[~b
DOMAIN error
DPwB/^z
d{s'G5
E!*40;
e8w'FX
|E9}/o:
EncodePointer
EndDialog
EndPaint
eN_fuS"^
EnterCriticalSection
es#2tW
esOTs0
ExitProcess
eXMykG
&f1PxK
	F3o[_
FA{	b[gl
:f)E.~7
February
\FEv.	
F^k?e=
- floating point support not loaded
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
FM2Cw<
FreeEnvironmentStringsW
Friday
F&S +u
F YLuB0
GAm[ie
G	~c1bb
GetACP
GetActiveWindow
GetCommandLineW
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetEnvironmentStringsW
GetFileType
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMessageW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleW
GetOEMCP
GetProcAddress
GetProcessWindowStation
GetStartupInfoA
GetStartupInfoW
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetSystemTimeAsFileTime
GetTickCount
GetUserObjectInformationA
G,]F[D[6
_g}Hr.
G;\z	)
H14GdJ
/H4x)~|x
h)5/]6
[h#6>FK
h?BW]~
h.BYr0mC
HeapAlloc
HeapCreate
HeapFree
HeapReAlloc
HeapSize
HH:mm:ss
H~K@#d,:j
}Hn	tS
<H=O=d=
hS@cS^
H}"+>T
hTUw@rC
h?umq~P
+i+A|*X
;idbwd
I<L""<
iMUR&f\
InitializeCriticalSectionAndSpinCount
InterlockedDecrement
InterlockedIncrement
IsDebuggerPresent
IsValidCodePage
i;VlTz
j9$-#F
JanFebMarAprMayJunJulAugSepOctNovDec
January
j*B4	-
JCz7Mj
J]F"ii
j@j ^V
:$J"o<
jo	GT]
(JpS	];!8|
=juANSN
K2TO?;
~K3!I`
K@6Aio}
~K9svW
K\B[/z3z
KERNEL32.dll
$kJwzqA
k'k\}G
/_kMkY
&@?kpN
LCMapStringA
LCMapStringW
LeaveCriticalSection
~LmY6?"z
LnlhVk\D
LNN`1] 
LoadCursorW
LoadLibraryA
lQ.&*B
lz?I0z
M}2}ZF
mA]T6;?K
MegZ!u`v
MessageBoxA
Microsoft Visual C++ Runtime Library
MM/dd/yy
Monday
)`Mps=
MultiByteToWideChar
m~)_=W/,X
MYd! Z
\MY?EG
	m/&yT*
M zc:j
[nea:JjcD*
NiLS7^
N`i#m	
niwo`:ncwo_
N_,#Jf
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
November
&\n^PL
n>~r>I
NS)!TQL
\;o +:
October
>od]>+s*r
`}OejTH
oI&b(*
`oJV'v
!o$kD{
ok;w!I
]\omLB?g
om_{&W
onbY{E@
%OP$?\
ormk!%
?O+RU.
oZm3lJ
/ .P$a`
Ph1{w_
:pkgb@
]	pK]L
Please contact the application's support team for more information.
pLic)U
@p<mam
PostQuitMessage
PPPPPPPP
PqNrSibG
Program: 
<program name unknown>
- pure virtual function call
/pWOYB
?pz.{H
	{Q6Rv-
Q PXA\
Qqgj>G
QQSVWh
QueryPerformanceCounter
QyT+#d
qZY6qV9o~Az/
~r2SXm'
-R+7/lK
`.rdata
RegisterClassExW
@.reloc
-[r"iG
?RsZwdx
RtlUnwind
rUaZo~\K
runtime error 
Runtime Error!
rw$'@l
S0^0f0z0
s6N{>xN,.
SAcZw]
Saturday
September
SetHandleCount
SetLastError
SetUnhandledExceptionFilter
{sh'F-(
ShowWindow
[sHxv}`
SING error
sPETOc
SR;"Vc>
Sunday
SunMonTueWedThuFriSat
tcIVZEg
teh=#@
TerminateProcess
Tes6|T
{+tH#b
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
Thursday
TLOSS error
TlsAlloc
TlsFree
TlsGetValue
TlsSetValue
-;+tOo
TranslateMessage
t"SS9]
Tuesday
;t$,v-
tv:t?J
t+WWVPV
*U83oP
UA6)/q
uBh6 @
U$g,.v7
&uKl?Z
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
U_o6|'
'Uo79.%<
UpdateWindow
UQPXY]Y[
URPQQh
USER32.dll
USER32.DLL
)	uU&NM
\U	zpy
v0Q15kj:
V6u	#N
(vA=j/
V/bwOc
VbZ$xsV
/\Vf>]R+
VirtualAlloc
VirtualFree
VK;ddM
V>mb"	
v	N+D$
VSVVVV
VUTpz\
Wednesday
WFB:F\(SA
WideCharToMultiByte
wLd	'~
WMFt&Pk
wPij/1
WriteFile
wsH@U6B
WT-5W$$y
/%(x%_
x'i7Y'n`
XiDO!Mbi_P
+**XNu
=X>]>o>
x=;,/Q
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Y0k0x0
Y6]"cc.
y#{E6.
yfs|s+
?|YH a
<*Yl*H
YS3eqw
>=Yt1j
Z9g+.C^
zc%>\G
z?g\ZK
z\kWwF
zLcFVdD
ZTt(I%