Analysis Date: 2013-08-06 19:24:08
MD5: 6582176c687fb5d12f023c72ea7e15b1
SHA1: fb87349f2f5b7bf277ed109cf643f8cb204e5def

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .nsp0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .nsp1: md5: 2460da6fd394e3c098f5832f85d47cb9 sha1: cd72aeac7eefb2a7488f4782d8a7411050f3b636 size: 551258
Section .nsp2: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 2011-05-27 07:03:25
Version info:
  LegalCopyright: 叛逆丶夜 版权所有
  FileVersion: 1.0.0.0
  CompanyName: 叛逆丶夜
  Comments: 本程序使用易语言编写(http://www.eyuyan.com)
  ProductName: pnidye
  ProductVersion: 1.0.0.0
  FileDescription: 本程序纯学习专用,请勿用于游戏
Packer: NsPack v3.7 -> North Star (h)
PEhash: 866545060c64a57aec637558431f03c1b8ef935e
AV (msse): VirTool:Win32/Obfuscator.EH

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\shenxiandao[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013080620130807\index.dat
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\index[1].htm
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013061320130614\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\MSHist012013052720130603\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!mshist012013080620130807!
Creates Mutex: _!SHMSFTHISTORY!_
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: www.dnfhg.com
Winsock DNS: www.lzg52.com
Winsock DNS: www.shenxiandao.cn
Winsock DNS: www.dy350.com
Winsock DNS: www.52shanhu.com
Winsock DNS: www.dy985.com
Winsock DNS: www.dnflr.com

Network Details:

DNS: www.dy350.com, Type: A ➝ 69.43.161.174
DNS: www.dy985.com, Type: A ➝ 69.43.161.174
DNS: www.dnfhg.com, Type: A ➝ 50.118.92.2
DNS: www.dnfhg.com, Type: A ➝ 50.118.92.2
DNS: cname.huatian.net, Type: A ➝ 74.207.247.129
DNS: www.52shanhu.com, Type: A ➝ 208.73.211.167
DNS: www.pniwg.com, Type: A
DNS: www.dnflr.com, Type: A
DNS: www.lzg52.com, Type: A
DNS: www.shenxiandao.cn, Type: A
HTTP GET: http://www.dy350.com/2500.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dy985.com/cb985/dy985.html
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dnfhg.com/index.htm?kuangshen
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.dnfhg.com/index.html?kuangshen
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.shenxiandao.cn/?kuangshen
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://www.52shanhu.com/jueai.htm
  User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Flows TCP: 192.168.1.1:1034 ➝ 69.43.161.174:80
Flows TCP: 192.168.1.1:1033 ➝ 69.43.161.174:80
Flows TCP: 192.168.1.1:1035 ➝ 50.118.92.2:80
Flows TCP: 192.168.1.1:1036 ➝ 50.118.92.2:80
Flows TCP: 192.168.1.1:1037 ➝ 74.207.247.129:80
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.167:80

Raw Pcap

Strings