Analysis Date: 2015-12-03 18:56:25
MD5: b596f8e22c04d6683a1ba7d90b173ebb
SHA1: ec19b9c08e5bc392f208af4f0a781ca10cc6a77d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 36c6d5d4d7f4ee67306bfa301229ec49 sha1: a5066b772889451001a7c84a9b002c4e926259ca size: 40960
Section .data md5: b73962902652b9081e5b45fdee43f056 sha1: 5adbccc6effde1743823fb9138b3a737759ab26e size: 4096
Section .rsrc md5: a46acc64c2274c5b4e187c71d8efcd79 sha1: 1fd80c7e6614598b29458edf1b64202045dba25b size: 40960
Section B%Xu" md5: db495b39172daeca558aa0d092db6ba5 sha1: 2cfb3a6297d233f378edda0e2e4a56a3ef156c84 size: 20480
Timestamp: 2001-07-19 22:01:47
Version:
LegalCopyright: Copyright (C) Microsoft Corp. 1981-2000
InternalName: msn
FileVersion: 6.10.0016.1624
CompanyName: Microsoft Corporation
Built by: msnbld
ProductName: Microsoft(R) MSN (R) Communications System
ProductVersion: 6.10.0016.1624
FileDescription: msn
OriginalFilename: msn.exe
PEhash: 6eab692353028a1e864e1baf1562d65a4025d951
IMPhash: 5002bceb823d3d7321ac4b2e8ee9f66d
AV F-Secure: Win32.VJadtre.3
AV Authentium: W32/PatchLoad.E
AV MalwareBytes: no_virus
AV Dr. Web: BackDoor.Darkshell.246
AV Grisoft (avg): Win32/Wapomi.I
AV Eset (nod32): Win32/Wapomi.BA virus
AV MicroWorld (escan): Win32.VJadtre.3
AV Trend Micro: PE_WAPOMI.BM
AV ClamAV: Win.Trojan.Downloader-64296
AV Ad-Aware: Win32.VJadtre.3
AV BitDefender: Win32.VJadtre.3
AV Avira (antivir): W32/Jadtre.B
AV Alwil (avast): Malware-gen:Evo-gen [Susp]:Win32:Malware-gen
AV Fortinet: W32/Nimnul.F
AV Microsoft Security Essentials: Virus:Win32/Mikcer.B
AV Ikarus: Trojan-Downloader.Win32.Small
AV Kaspersky: Virus.Win32.Nimnul.f
AV VirusBlokAda (vba32): Virus.Nimnul.19209
AV Arcabit (arcavir): Win32.VJadtre.3
AV Mcafee: W32/Kudj
AV Twister: Virus.558BEC81EC@120000#.mg
AV Symantec: W32.Wapomi.C!inf
AV K7: Virus ( 0040f7441 )
AV Rising: Win32.Roue.a
AV Frisk (f-prot): W32/PatchLoad.E
AV Emsisoft: Win32.VJadtre.3
AV Zillya!: Virus.Nimnul.Win32.5
AV CAT (quickheal): W32.Nimnul.F1
AV Padvish: no_virus
AV BullGuard: Win32.VJadtre.3
AV CA (E-Trust Ino): Win32/Nimnul.A

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\MSN6\MSNExplorerHasBeenRestarted ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\MSN6\Watson\DWNoExternalURL ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kpZxml.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\kpZxml.exe
Creates Mutex: {ECCC50B5-064A-4693-B104-925714A4C74B}
Creates Mutex: {BB7E11D6-5E67-4005-A530-ED1831D6A427}

Process
↳ C:\WINDOWS\system32\cmd.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\kpZxml.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\GTplus\Time ➝ NULL
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Digcore.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\setup.exe
Creates File: C:\temp\files\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\696a46d5.bat
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Setup Files\RdrBig709\ENU\instmsiw.exe
Creates File: PIPE\lsarpc
Creates File: C:\temp\files\NET1.EXE
Creates File: \Device\Afd\Endpoint
Creates File: C:\temp\files\RUNDLL32.EXE
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\msnsusii.exe
Creates File: C:\temp\files\kpZxml.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Updater\acroaum.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\MSN\MSNCoreFiles\Install\MSN9Components\Msncli.exe
Winsock DNS: ddos.dnsnb8.net
Winsock URL: http://ddos.dnsnb8.net:799/cj//k1.rar

Network Details:

DNS: ddos.dnsnb8.net
Type: A

Strings