Analysis Date: 2014-04-23 11:13:04
MD5: 2373a103f4ae9cd41d44c6df03a9af7a
SHA1: ef21181e98e1e815fe54a8500f9603fd5ba418c9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: feef372236dcf26a54ef30cb671aa240 sha1: 4027c399d915bcfaa23ed36ea543d0bb89e40fdb size: 24576
Section .rdata md5: cc1056a0455b741c5f4b81fa0caa64d7 sha1: 4617d0b67d672d08d77309e21f00a613eb03e2dc size: 4096
Section .data md5: 7aca206485b3945c5d620d16bcf56a8d sha1: ce598428e633a08a3977d1de33b9aae6aefa1522 size: 12288
Section .rsrc md5: f0cc138658facff225080bf9e649edbf sha1: 4347a55b15abae93fa61a9e18c3a8ccf8a4edeb5 size: 4096
Section .text md5: 31e5e16a94c18f6e0edd0aed3c626738 sha1: ed536c1dd80bb8dbd64d7fb261d7d75d52e9cf33 size: 155648
Timestamp: 2003-09-08 09:02:17
Version:
  LegalCopyright: Copyright © 2003 TechSmith Corp. All rights reserved.
  InternalName: SnagItPI
  FileVersion: 1.0.2.0
  CompanyName: TechSmith Corporation
  Comments:
  ProductName: SnagIt
  ProductVersion: 7.0.0
  FileDescription: SnagIt Printer Installer
  OriginalFilename: SnagItPI.exe
PEhash: ccbe777e608a1b831038c8c02ccc2da075268f6a
IMPhash: da5dab4d05c82e3c82e3c3870789130d
AV mcafee: W32/Ramnit.a
AV avg: Win32/Zbot.G
AV avira: W32/Ramnit.C
AV msse: Virus:Win32/Ramnit.N
AV clamav: W32.Ramnit-1

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\inf\NTPRINT.PNF
Creates File: PIPE\lsarpc
Creates File: C:\ef21181e98e1e815fe54a8500f9603fd5ba418c9mgr.exe
Creates File: C:\WINDOWS\System32\CatRoot2\dberr.txt
Creates Process: C:\ef21181e98e1e815fe54a8500f9603fd5ba418c9mgr.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D69B5E1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Deletes File: C:\Program Files\huettqja\px3.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699921D45}
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\ef21181e98e1e815fe54a8500f9603fd5ba418c9mgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Network Details:

DNS: google.com (Type: A) ➝ 62.253.3.118
DNS: google.com (Type: A) ➝ 62.253.3.103
DNS: google.com (Type: A) ➝ 62.253.3.113
DNS: google.com (Type: A) ➝ 62.253.3.89
DNS: google.com (Type: A) ➝ 62.253.3.108
DNS: google.com (Type: A) ➝ 62.253.3.114
DNS: google.com (Type: A) ➝ 62.253.3.119
DNS: google.com (Type: A) ➝ 62.253.3.88
DNS: google.com (Type: A) ➝ 62.253.3.109
DNS: google.com (Type: A) ➝ 62.253.3.94
DNS: google.com (Type: A) ➝ 62.253.3.93
DNS: google.com (Type: A) ➝ 62.253.3.99
DNS: google.com (Type: A) ➝ 62.253.3.123
DNS: google.com (Type: A) ➝ 62.253.3.104
DNS: google.com (Type: A) ➝ 62.253.3.98
DNS: google.com (Type: A) ➝ 62.253.3.84
DNS: ytioghfdghvcfgbgvdf.com (Type: A) ➝ 109.74.196.143
DNS: ytioghfdghvcfgbgvdf.com (Type: A) ➝ 109.74.196.143
DNS: awrcaverybrstuktdybstr.com (Type: A) ➝ 109.74.196.143
Flows TCP: 192.168.1.1:1033 ➝ 62.253.3.118:80
Flows TCP: 192.168.1.1:1034 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 109.74.196.143:443

Strings