Analysis Date: 2015-05-16 09:00:28
MD5: ec138e4079c2419e3e23dee488dc69fe
SHA1: fdc078631ae829d3c66a6191c03aae68a87419d1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: dd7b1c5a88e0b2eeaf1892ba542e946b sha1: 0a70e56debb8ee9b0ede232000fd8294ea421d11 size: 53248
Section .data: md5: 399b6a1604edfe95eea909d8b5508b87 sha1: b0e05151bba64a61a49a87f3ec0fac4e2f9a399c size: 20480
Section .rsrc: md5: be7db288611bf371d3a36d8bf1f84d42 sha1: c442e3fa3d872c27cf776cd3a49b84385f78fc6f size: 16384
Timestamp: 2010-02-05 07:31:46
PDB path: viskaluj.pdb
PEhash: 5aa20282da96865ded5659fb78c360e8650906cc
IMPhash: d568a2759f37043b45b2b34a6629c039

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\tyharyto.cab
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\fdc078631ae829d3c66a6191c03aae68a87419d1.rtf
Creates Mutex: gaanvdhb

Network Details:

DNS: niray.com.cn
Type: A

Strings

AuthzAddSidsToContext
authz.dll
AuthzFreeContext
AuthzFreeResourceManager
AuthzInitializeContextFromSid
CertAlgIdToOID
CertControlStore
CertCreateCRLContext
CertDuplicateCRLContext
CertDuplicateStore
CertFindAttribute
CertFindChainInStore
CertFindExtension
CertNameToStrA
CertOpenStore
CertSaveStore
CompareStringW
CopyFileA
CreateMutexA
CreateSemaphoreW
CreateWindowExW
CRYPT32.dll
CryptEncodeObject
CryptEnumOIDInfo
CryptFindOIDInfo
DialogBoxParamW
DispatchMessageA
DllCanUnloadNow
DllGetClassObject
DllRegisterServer
DllUnregisterServer
DrawIcon
ExpandEnvironmentStringsA
FindResourceExA
FormatMessageA
GetAtomNameA
GetCaretPos
GetComputerNameA
GetConsoleAliasW
GetCurrentProcess
GetCurrentThreadId
GetDateFormatW
GetDiskFreeSpaceA
GetFullPathNameA
GetMessageA
GetNumberFormatA
GetPrivateProfileIntA
GetProcessHeap
GetSystemInfo
GetTickCount
GetTimeFormatA
gpnphost.DLL
HeapCreate
InterlockedDecrement
InterlockedExchange
IsCharLowerA
IsDialogMessageA
IsValidLocale
IsWindow
IsZoomed
KERNEL32.dll
LoadLibraryA
PathCombineA
PathCommonPrefixA
PathCompactPathA
PostMessageA
ServiceMain
SetCursorPos
SetEnvironmentVariableA
SetFileAttributesW
SetFocus
shlwapi.dll
SleepEx
!This program cannot be run in DOS mode.
upnphost.dll
UrlCanonicalizeA
UrlCombineA
UrlCompareA
UrlGetLocationA
UrlHashA
UrlIsA
UrlIsNoHistoryA
UrlIsOpaqueA
user32.dll
viskaluj.pdb
WriteFile
WriteProcessMemory
wtsapi32.dll
WTSCloseServer
WTSEnumerateProcessesA
WTSEnumerateServersA
WTSEnumerateSessionsA
WTSLogoffSession
WTSQuerySessionInformationA
WTSSetUserConfigW
WTSUnRegisterSessionNotification
WTSVirtualChannelClose
WTSVirtualChannelQuery