Analysis Date: 2018-03-15 02:18:38
MD5: 908e0f886eeb47580fdb7beddee64711
SHA1: eeafa6f2e3c80254301aa53e6cf9b9341c72123a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 2c26fa74b9cd9bc5c1b49be9fdd0a527 sha1: 2517c825edaf5b2cfbbad43ba8ad7b6917581308 size: 62464
Section .itext2: md5: cafa60f655c84363f0a34d71dfc4a6b7 sha1: 1c342a002026f975c856757111522618705c512f size: 1536
Section .rdata: md5: 6f3d838d68365f3077d087a586ce19bd sha1: 7759feb9d4a76ad43b97158a758c5dab8fd9b5bc size: 11264
Section .data: md5: a1b19b9fcfbd2337a3f63edd0f563e55 sha1: 1facae6e12a7d272a317f852fede23e20e4ea897 size: 4096
Section .rsrc: md5: 6c2b86bb3a25cccc3042a9a6a079b14c sha1: f4d575158ad5dae971368490a454c549a4ae500e size: 16896
Section .reloc: md5: 2e305372c45f8711ec3be7f901008f4e sha1: f30a0d5ea6b4fa124b114356c24563c9c6a01c85 size: 2560
Timestamp: 2014-12-05 16:07:48
Pdb path: C:\j\dm9sg\i4vyo\w6swij5\5pfrwh2\8fio\84nh7i\y\s5syo54xt.pdb
Version:
  LegalCopyright: License: MPL 2
  InternalName:
  FileVersion: 30.0
  CompanyName: Mozilla Foundation
  BuildID: 20140605174243
  LegalTrademarks: Mozilla
  Comments:
  ProductName: Firefox
  ProductVersion: 30.0
  FileDescription:
  OriginalFilename: crashreporter.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 363db8daf1df8a87bc01ebab0c261ddf93062864
IMPhash: 74f3ec1432b8e4d11b3fa7aa9bf46203
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.510677
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): Gen:Variant.Kazy.510677
AV Authentium: no_virus
AV Avira (antivir): TR/Crypt.ZPACK.107214
AV BullGuard: Gen:Variant.Kazy.510677
AV CA (E-Trust Ino): Win32/Necurs.MILbRXC
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.510677
AV Eset (nod32): Win32/TrojanDownloader.Necurs.B
AV Fortinet: W32/Necurs.B!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.510677
AV Grisoft (avg): Downloader.Generic14.FST
AV Ikarus: Trojan-Dropper.Win32.Necurs
AV K7: Trojan-Downloader ( 003b48d61 )
AV Kaspersky: Trojan-Dropper.Win32.Necurs.wxm
AV MalwareBytes: Trojan.FakeMoz.ED
AV Mcafee: RDN/Generic Dropper!vq
AV Microsoft Security Essentials: Trojan:Win32/Necurs.gen!A
AV MicroWorld (escan): Gen:Variant.Kazy.510677
AV Rising: no_virus
AV Sophos: Mal/Necurs-K
AV Symantec: Trojan.Gen
AV Trend Micro: TROJ_SPNR.15A415
AV VirusBlokAda (vba32): TrojanDropper.Necurs

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\eeafa6f2e3c80254301aa53e6cf9b9341c72123a.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\eeafa6f2e3c80254301aa53e6cf9b9341c72123a.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\eeafa6f2e3c80254301aa53e6cf9b9341c72123a.exe.tmp
Creates File: \??\PCI#VEN_25AF&DEV_0209&SUBSYS_070455AF&REV_00
Creates File: \??\NtSecureSys

Process
↳ C:\Windows\SysWOW64\cmd.exe

Network Details:

DNS: microsoft.com (Type: A) ➝ 134.170.185.46
DNS: microsoft.com (Type: A) ➝ 134.170.188.221
DNS: 0.pool.ntp.org (Type: A) ➝ 149.20.68.17
DNS: 0.pool.ntp.org (Type: A) ➝ 198.110.48.12
DNS: 0.pool.ntp.org (Type: A) ➝ 198.145.64.137
DNS: 0.pool.ntp.org (Type: A) ➝ 24.124.0.251
DNS: 1.pool.ntp.org (Type: A) ➝ 107.150.21.225
DNS: 1.pool.ntp.org (Type: A) ➝ 129.250.35.250
DNS: 1.pool.ntp.org (Type: A) ➝ 173.49.198.27
DNS: 1.pool.ntp.org (Type: A) ➝ 216.66.0.142
DNS: 2.pool.ntp.org (Type: A) ➝ 96.44.142.5
DNS: 2.pool.ntp.org (Type: A) ➝ 208.75.88.4
DNS: 2.pool.ntp.org (Type: A) ➝ 50.97.210.169
DNS: 2.pool.ntp.org (Type: A) ➝ 70.165.30.93
DNS: hwkrukedjitvmlh.com (Type: A)
DNS: lgflmmswtug.com (Type: A)
DNS: xhcftooruin.com (Type: A)
DNS: cmqmmpigvde.com (Type: A)
DNS: miodzaki.bit (Type: A)
Flows TCP: 192.168.1.1:1031 ➝ 134.170.185.46:80
Flows UDP: 192.168.1.1:14997 ➝ 93.177.178.57:23367
Flows TCP: 192.168.1.1:1038 ➝ 78.63.40.73:20756
Flows UDP: 192.168.1.1:14997 ➝ 118.171.203.54:7298
Flows TCP: 192.168.1.1:1045 ➝ 211.206.43.34:6127
Flows UDP: 192.168.1.1:1046 ➝ 94.231.81.244:53
Flows UDP: 192.168.1.1:14997 ➝ 201.227.67.163:19808
Flows TCP: 192.168.1.1:1047 ➝ 87.121.15.160:10079
Flows UDP: 192.168.1.1:14997 ➝ 201.132.233.190:16705
Flows UDP: 192.168.1.1:1050 ➝ 109.69.8.34:53
Flows UDP: 192.168.1.1:14997 ➝ 24.36.117.216:28373
Flows TCP: 192.168.1.1:1052 ➝ 105.147.108.145:13847

Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings

000004b0
20140605174243
30.0
BuildID
Comments
CompanyName
crashreporter.exe
FileDescription
FileVersion
Firefox
InternalName
LegalCopyright
LegalTrademarks
License: MPL 2
Mozilla
Mozilla Foundation
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
AbortDoc
_acmdln
ADVAPI32.dll
_amsg_exit
__badioinfo
BeginPaint
calloc
_cexit
CharNextA
CharPrevA
ChooseFontA
_CIcos
C:\j\dm9sg\i4vyo\w6swij5\5pfrwh2\8fio\84nh7i\y\s5syo54xt.pdb
ClientToScreen
CloseClipboard
CloseHandle
COMDLG32.dll
_controlfp
CopyFileA
CreateDialogParamA
CreateFileA
CreateFontA
CreatePen
CreateProcessA
CreateSolidBrush
CreateThread
CreateWindowExA
@.data
DefWindowProcA
DeleteCriticalSection
DeleteDC
DeleteFileA
DestroyMenu
DestroyWindow
DialogBoxParamA
DispatchMessageA
DrawTextA
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPage
EndPaint
EnterCriticalSection
_errno
ExitProcess
ExitThread
ExpandEnvironmentStringsA
ExtTextOutA
ExtTextOutW
_fileno
FillRect
FindClose
FindFirstFileA
FindNextFileA
FreeLibrary
GDI32.dll
GetACP
GetClientRect
GetConsoleCP
GetCurrentDirectoryA
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetCurrentThreadId
_getcwd
GetDesktopWindow
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileTime
GetFullPathNameA
__getmainargs
GetMessageA
GetModuleHandleA
GetOpenFileNameA
GetProcAddress
GetSaveFileNameA
GetStartupInfoA
GetStdHandle
GetStockObject
GetSubMenu
GetSysColor
GetSystemTimeAsFileTime
GetTempFileNameA
GetTempPathA
GetTextExtentPoint32A
GetTextExtentPointA
GetTickCount
GetVersionExA
GetWindowRect
GetWindowTextLengthA
GlobalAlloc
GlobalFindAtomW
GlobalFree
GlobalHandle
GlobalLock
GlobalUnlock
HeapSetInformation
InitializeCriticalSection
_initterm
InterlockedCompareExchange
InterlockedExchange
InvalidateRect
isalpha
_isatty
isdigit
isleadbyte
_ismbblead
isspace
`.itext2
KERNEL32.dll
LeaveCriticalSection
LineTo
LoadIconA
LoadLibraryA
LoadLibraryExA
LoadStringA
_lseeki64
lstrcmpiA
lstrcpyA
lstrlenA
malloc
memcpy
memmove
memset
MessageBoxA
_mkdir
MoveToEx
msvcrt.dll
MulDiv
MultiByteToWideChar
OpenClipboard
__p__commode
PeekMessageA
__p__fmode
__pioinfo
PostMessageA
PostQuitMessage
PrintDlgA
PtInRect
QueryPerformanceCounter
`.rdata
ReadFile
Rectangle
RedrawWindow
RegCloseKey
RegCreateKeyA
RegDeleteValueA
RegOpenKeyA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseCapture
ReleaseDC
@.reloc
RtlUnwind
ScrollWindow
SelectObject
SendDlgItemMessageA
SendMessageA
__set_app_type
SetBkColor
SetCapture
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetFileAttributesA
SetFilePointer
SetFileTime
SetFocus
SetROP2
SetScrollInfo
SetScrollRange
SetTextColor
SetUnhandledExceptionFilter
__setusermatherr
SetWindowLongA
SetWindowPos
SetWindowTextA
ShowWindow
_snprintf
strchr
strcspn
_strdup
_stricmp
strncmp
_strnicmp
strpbrk
strrchr
strstr
strtok
strtoul
system
TerminateProcess
?terminate@@YAXXZ
!This program cannot be run in DOS mode.
tolower
toupper
TranslateAcceleratorA
TranslateMessage
UnhandledExceptionFilter
USER32.dll
ValidateRect
VirtualProtect
WaitForSingleObject
wcspbrk
wctomb
WideCharToMultiByte
_write
WriteFile
_XcptFilter