Analysis Date: 2014-09-11 11:42:13
MD5: 27ea1e7391adafc6c668802be55d478a
SHA1: fbe471f07c8f39ad74f3d89dc8a5eadd7becef36

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: b96950240febd35ca52c9c46f194866f sha1: a74c25d4a793cff223a69c6fcff05f484e928733 size: 167936
Section .data md5: b050d83e8669a916113e71b0bc55351d sha1: 5f560303d3d3e5f9b82fa0cf20dab147fff60f8e size: 4096
Section .rsrc md5: c4a420caa0eaf6faf5df2ae504b838b7 sha1: db67a2cb52321b4475ed4b1b4081d966bcf23fe9 size: 12288
Timestamp: 2002-06-26 21:12:30
Pdb path: \office10\4225.0\setup\dwexternal\vanilla\ship\dw15.pdb
Version:
LegalCopyright: Copyright © Microsoft Corporation 1999-2001. All rights reserved.
InternalName: DW
FileVersion: 10.0.4225
CompanyName: Microsoft Corporation
LegalTrademarks1: Microsoft® is a registered trademark of Microsoft Corporation.
LegalTrademarks2: Windows® is a registered trademark of Microsoft Corporation.
ProductName: Microsoft Application Error Reporting
ProductVersion: 10.0.4225
FileDescription: Microsoft Application Error Reporting
Built by: OFFMSO5
OriginalFilename: DW.Exe
Packer: Borland Delphi 3.0 (???)
PEhash: 8cf8740bc9b1a976111f0e4f5cb0e3fb13495916
IMPhash: 76eabba519900fb9d6b50d88be936ee4

Runtime Details:

Process
↳ C:\malware.exe

Network Details:

Strings: