Analysis Date: 2015-05-06 12:59:58
MD5: 790af9219602441ddd4c133e99c46630
SHA1: fe9817f28f5b5f5369d42a6fb5a9091157082e54

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: e881a9edefa61d6e4057dcd4c5c8b40a sha1: 96ee548fd21f156f31348d4839e2328a8d7cdbcd size: 28672
Section code: md5: 427b1fe57b3b0a37a8fc4c3247916ebe sha1: 7a15c53e18e12606cb0964672e4fef51487d7aaa size: 8192
Section .rdata: md5: 820ad7640b9054ea58ea8ae7858d943c sha1: af1f94b317b01c47e66751f47b6e720f5685e018 size: 16384
Section .data: md5: 8fe7ccafd3a1aeeeb81861e1db1bf93a sha1: c3c095291782c93231a009e6b56c01e17bf39f3f size: 20480
Section .reloc: md5: d739ba005bbce37f0657b9bc44cbfe59 sha1: 8ee8b8f5a216137b370a4ff18c46a6499fc0b599 size: 8192
Section .imports: md5: 508534a6f7a52c5d5f0c6c5e9d6932ae sha1: 4f8858f91d0f726bd88117ac5d25ca152e03296e size: 4096
Timestamp: 2015-03-10 12:34:35
PEhash: e5b5a7c3bbeafbfaec0077670678997d1c1c0d9a
IMPhash: fdf5441ef161ea9d0386fe89a39c4d64
AV Ad-Aware: Gen:Variant.Kazy.590541
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Gen:Variant.Kazy.590541
AV Authentium: W32/S-c18556bf!Eldorado
AV Avira (antivir): TR/Proxy.Gen
AV BitDefender: Gen:Variant.Kazy.590541
AV BullGuard: Gen:Variant.Kazy.590541
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Inject1.55278
AV Emsisoft: Gen:Variant.Kazy.590541
AV Eset (nod32): Win32/Dorkbot.J worm
AV Fortinet: W32/Dorkbot.J!worm
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.590541
AV Grisoft (avg): Win32/DH.FF8203AB{Mw}
AV Ikarus: Win32.SuspectCrc
AV K7: Trojan ( 003db13d1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: RDN/Generic.dx!dqs
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.590541
AV Padvish: no_virus
AV Rising: no_virus
AV Sophos: Mal/Behav-010
AV Symantec: no_virus
AV Trend Micro: no_virus
AV Twister: W32.Dorkbot.J.caty
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Network Details:


Raw Pcap

Strings
\advapi32.dll
advapi32.dll
alg.exe
\apiSoftCA
\AppData\Roaming\Windows Live\hsdeqgoyuy.exe
calc.exe
crypt32.dll
csrss.exe
C:\Users\
dnsapi.dll
explorer.exe
iexplore.exe
\Internet Explorer\
iphlpapi.dll
jjjj
KOPWELERGKR23930DW
lsass.exe
netapi32.dll
netutils.dll
notepad.exe
\ntdll.dll
ole32.dll
%rand%
rpcrt4.dll
rundll32.exe
samcli.dll
secur32.dll
SeDebugPrivilege
services.exe
shell32.dll
shlwapi.dll
smss.exe
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
Software\Microsoft\Windows\CurrentVersion\Run
Software\Uazi Soft
spoolsv.exe
--startup
svchost.exe
System
[System Process]
UaziVer
%uniq%
%uniq%.exe
urlmon.dll
user32.dll
userenv.dll
w.exe
\Windows Live\
Windows Live
wininet.dll
winlogon.exe
ws2_32.dll
wtsapi32.dll
:Zone.Identifier
AdjustTokenPrivileges
advapi32.dll
ADVAPI32.dll
B.imports
CharLowerW
CloseHandle
closesocket
CoCreateGuid
CopyFileW
CreateDirectoryW
CreateEventA
CreateEventW
CreateFileA
CreateFileMappingA
CreateFileW
CreateIoCompletionPort
CreateMutexA
CreateProcessW
CreateRemoteThread
CreateThread
CreateToolhelp32Snapshot
@.data
debug_cache_dump_2384394.dmp
DeleteFileW
%dMutex%dExplorer%dMutex%d
dnsapi.dll
DNSAPI.dll
DnsQuery_A
DnsRecordListFree
downloader 
downloader2 
DuplicateHandle
EnterCriticalSection
ExitProcess
ExitThread
GetComputerNameW
GetCurrentProcess
GetCurrentProcessId
GetCurrentThread
GetFileSize
GetLastError
GetLongPathNameW
GetModuleFileNameW
GetModuleHandleA
GetProcAddress
GetProcessImageFileNameW
GetProcessVersion
GetQueuedCompletionStatus
GetShellWindow
GetSystemTimeAsFileTime
GetSystemWow64DirectoryW
GetTempPathW
GetTickCount
GetUserNameW
GetVersionExA
GetVersionExW
GetWindowThreadProcessId
HttpAddRequestHeadersA
HttpOpenRequestA
HttpQueryInfoA
HttpSendRequestA
InitializeCriticalSection
InternetCloseHandle
InternetConnectA
InternetCrackUrlA
InternetOpenA
InternetReadFile
InternetSetOptionA
IsWoW64Process
jpmeyikbtjtbwxjlbwxlqaypliadxdepeik
kernel32.dll
KERNEL32.dll
kernelbase.dll
LeaveCriticalSection
LoadLibraryA
LoadLibraryW
LockFile
LookupPrivilegeValueW
lstrcatA
lstrcatW
lstrcmpiA
lstrcmpiW
lstrcpyA
lstrcpyW
lstrlenA
lstrlenW
MapViewOfFile
MessageBoxA
MultiByteToWideChar
MUTEX_NAME_
ntdll.dll
NtQueryDirectoryFile
NtQueryInformationThread
NtQueueApcThread
NtResumeThread
ObtainUserAgentString
ole32.dll
OpenProcess
OpenProcessToken
Process32FirstW
Process32NextW
psapi.dll
Qkkbal
QueryPerformanceCounter
Range: bytes=%d-%d
`.rdata
ReadFile
reboot
RegCloseKey
RegCreateKeyExW
RegDeleteValueW
RegEnumValueW
RegNotifyChangeKeyValue
RegQueryValueA
RegQueryValueExW
RegSetValueExW
.reloc
ResetEvent
SetCurrentDirectoryW
SetEvent
SetFilePointer
SetHandleContext
SetLastError
SetUnhandledExceptionFilter
shell32.dll
SHELL32.dll
SHGetFolderPathW
shlwapi.dll
SHLWAPI.dll
StrChrW
StrRChrW
StrStrW
TerminateProcess
TerminateThread
!This program cannot be run in DOS mode.
uninstall
Unknown error occured.
UnlockFile
UnmapViewOfFile
update 
update2 
urlmon.dll
user32.dll
USER32.dll
User Agent
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualFreeEx
VirtualProtect
VirtualQuery
WaitForSingleObject
WideCharToMultiByte
wininet.dll
WININET.dll
WriteFile
WriteProcessMemory
ws2_32.dll
WS2_32.dll
WSAGetLastError
WSARecvFrom
WSASendTo
WSASocketW
WSAStartup
wsprintfA
	wsprintfA
wWXZOlIzwOwzIlOZXWw
ZwQueryDirectoryFile
ZwQueryInformationThread
ZwQueueApcThread
ZwResumeThread
ZwSetLdtEntries