Analysis Date: 2018-06-10 03:34:22
MD5: d86fd1d1f748203d488a989c98ec0e98
SHA1: fb50beeb1a8730d0e17417ce6a73181851137d72

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
PEhash

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\fb50beeb1a8730d0e17417ce6a73181851137d72.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\fb50beeb1a8730d0e17417ce6a73181851137d72.exe
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\conwurm.exe
Creates Mutex
Creates Mutex

Process
↳ C:\Users\Phil\AppData\Local\Temp\conwurm.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\conwurm.exe
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls

Network Details:


Raw Pcap

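Strings (taken from the file as submitted; because it is UPX compressed, most entries are fragments of packed data, and the readable import names at the end are likely the unpacking stub's imports rather than the program's own):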
ZFmZ)
WYe8
n;+WSV
RDT-H~
P+h<
7EAE
/t/ppY
UAUh`VG
9A6n
nvs-g
h|[=
;32O
tE93
u9	|
Hu0h
#!]qEa
3G?R
"?J-
>JRQP
o_><U
(AA)A[k
u`_-@
dc+"
D34!
!P{\
RssrdPfBbr
$$IC
t4#$
L7Rp
EsX{
m %uc
559y
I{'i
O{5L
qK]H
CA4.
8J|,
z2N#
$@E+
i$r@3o=.x
-<4SY
8H7z8
9]f=[1
Dk'_
&C/w
PEu"
c/t6
Y}aD
(tV"
LTV3
M6D<
fXzgE
qYuTVWhH/5
 ,h,
(W9Oh:
chy%
a`	n6
u&OGh
<Yv8
?DD+
h@'S
2<-%
!4 x
mU*4]
 w	fb'
	,&u
f==(
Gq>=
E4~f9.u
]7Y[C]
5t	h-
#j"'Y
J7'B
*D]?
r9'}
Lzxu
98ub
t#S[
GI,]
nU@.
dZs.WXW
:X!u-
UWfTx0
ITh8
dj(j ^VUQ
XN;hw[
'=9|
*j$n
-Ee]
#@>`u
,0i)$
PFh}|q
q@!R18
j+xN
F$&d{
,4B&dB<D
'dH\=
;l#(;
7	tjT
=TdZ
{lhp
/8;0
;~,N2
!bg4
^_eV
`S+.
35LW
Dm;L
ZS{-,$t
:T,9h
f{2rV:K
LT &W
Y-L
[/u,
(gL$7
x"tf
ehmd
AkYh4
eP,*
x$iVj
Jx&_
8h.=6
nV9P
| h
tgui
duD"
u/|/
XdT	d
n	pt[
@)j$
6TXfJ
,Ip7!
[_D05 9
V`{aS
K,bh
l4h9
m95'uw
u(m*
"G"pL
W%LZ
dB.i
DPzVP
}9:	Zt
8L` M\
%88Uf
}TvES
uV9[Ti
dlt|M3
9(uZ
O85'
Y)B=
	F"Z:
Fpt"
~l0A>
vpSW
dPm@Ppn
gu]l
Gr-6
7?Hl
8]OE
;|;i
>i@+B;
08ar
B,9U`{
GZc1AU0
AhJu
g|W
h=iP
^hS5Z
ZLf[
5S)L
BPYr
oATqP
	uG'
l[Wq
Y$^e+]
s%!B
VpIa4d
wCa+
e?yF
m|[?
AYKYYWei
62?s
)YN!K6
?9`h
ljow`
pxtxY
yVN.
/HHK
|D#M
u)'6HZ9
+LG`#
fXTj _3
.n;"T
&x8q
htnu
$*!["
zyJ2\
.'9c^
F,6K;
Fwt;C4J
v.tlm
((0u3A
elRQt`
J5Xx
j#Xn
I"Z,
qs0|
W!y80
FQYGV
IE[FW1
9yuH
V!h4t
V ^0
_of@
nPlv
fv`~p
nJ3F
ZwO'
(,0A
lptb$
dx|!
&&vt
e?~.
.4&:a
0Vh<
iX?@+
AWro
BLYNG;
$Cm7
_r7e
s{t)q
(AUVc
Na7;
 ISda
#>*u
($$ $
 N@R
@hrds
TsTst
t[4M
tOCaB
,uO=R
dv=1
;tv-
UQPXY]Y[;
0@P`p
X0XV
P-lC
"\x_
	1^t
*n2"
Z64FW
}4XS
Z@#~
t8-W
V-u	s
t<Vu;
t+"PFM
5lh0@,
VWVS
D)he#7
i0vf5
98r'O
wU&:
\)T#
;'wb
;+v	N+
AIXn<
`ocP
/llo? He
PtEd
!oQi
TAez
~H(aOBc
@rpu
X]tDM
'qor
fGv3
CorExitPress
runtime er
TLOSS
SING
6034
An applicaU
has mad^a
ttempt
to lo
o2brary in
ctly.
nta1]
'[su
'm f
m#e/
3- A
biUs
 dur
Kg nJv
9 bug
 yo:
. Ir*
of]T
'(/clr)
nQDoc
DIMai
2nofe
h5pMe.@H
v0/
)std5
5mS_*e
lc+8Fp
#7mvuh
"quo
@wa!
s-+8
u(sW2f
<p.go
 'kPwn>
so2E
!-P&
=: OEn
KERNEL
.DLL
DeFlsF
SetV
;IlCr
5hQW
'kY8
mXlsP
Us+ObjFI
pvA3L
tA_v
bKYp
~WSQageBox1US
 !"#$%&'()
*+,-./
56789:;<=
>?@ABCDEFGHIJKLMNOPQRST
XYZ[\]2`
ijkIn
uvwxyz{|}~
;7*[e
HH:ms
d, M
//y@
PMAM
NovO
J5:A
m?i|MWchj
g_WSK
GC7yC?;
;Xk4W
C;7/'#
_lv_
GP%@M
B^dg
_A?E
d_"fE
9}ko
YIP])
w"Cecl&
_c?-
?Ya'
<6lo
t*Q'@
F	#V
@`%
l1#a
R%%6
oYpP
e0qPP
	fee
?NEE~"
2.L$r
x~tisG@
PO@#5
@%h7
IHp=p
?E+@5p;
I_7w
_"1.
N8@48hP
}{pk
O!VY
Mp6<
b !m
k_8l
`F/.
34d/
 L4e
m}w@
S	`@
m8]g
/Mws
.ah/	]@
WExM
h[:v
UP/\
;`kY
piF'
Faclui
mCo$Cl
OLEI(
Ex6Y
ACP3
lY{l
'8W4
4,($
xpdi
i\PD@<
RtlUnwind
`EaStF
ModuleFi
Ha;l
>AD]
ddGss
fW6JW*
n?Versi
cMbBy
mIT`ideChoA,
Type
T<Id7
C/tfV
"esQ
y`o(s
	Kh%
JB6v8k>~P
OEM	;
#~LCMO
.tex
`.rVi
v	w@.&'
XPTPSW
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PA
KERNEL32.DLL
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess