Analysis Date: 2013-11-07 07:15:56
MD5: 0fe408844f7f89ff70c6b72eb72813d2
SHA1: fb3d47b6e7a8dba996b72364f4d22c36ff4fb7f0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 88d8c3bec4a96cec9e80392ec3c6d428 sha1: dc0df612bad25e5a1305fbb2aa75965427978073 size: 102400
Section .data: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 4a7d5e8541c36844d60a592d22562ad1 sha1: 167d973b1bbb4fc553c62e5f33de3c6261090d41 size: 16384
Timestamp: 2015-05-11 06:59:28
Version:
LegalCopyright: lxniuva
InternalName: ceij
FileVersion: 5.64
CompanyName: dadots
LegalTrademarks: vzhkwiu
ProductName: tthdr
ProductVersion: 5.64
FileDescription: yljroa
OriginalFilename: ceij.exe
Packer: Microsoft Visual Basic v5.0 - v6.0
PEhash: d3a155dab1154d8ec018e6eb7fcfe2e0b613ed59
AV (avg): Generic_vb.HJ

Runtime Details:


Process
↳ C:\malware.exe

Creates File: PIPE\wkssvc
Creates Process: 71

Process
↳ 71

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\65a9_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 196

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 196

Network Details:



Strings