SD_Dyninst: Malware Analysis Factory Results

All malware samples collected by Offensive Computing in December 2009, and searchable on their website by their MD5 checksum.

Viewing this page with javascript enabled will make the results list collapsible.

MD5 checksum	20270a828eb67eb9083ac87715a8b453
Anti-virus name	W32/Trojan2.HYXQ (exact),Trojan.Zlob-9783,Trojan.Downloader.Zlob.ACBX

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40c440 0x40c45a 0x40c461 0x40c450 0x40c456 0x40c463 0x40c468 0x40c473 0x40c479 0x40c484 0x40c48b 0x40c496 0x40c498 0x40c4a3 0x40c4b0 0x40c4d4 0x40c4f4 0x40c503 0x40c4b4 0x40c4b5 0x40c4c0 0x40c4c6 0x40c4d1 0x40c4a9 0x40c4e5 0x40c4ee 0x40c49c 0x40c46c 0x40c4b9 0x40c47b 0x40c4c8 0x40c50a 0x40c512 0x40c517 0x40c51b 0x40c520 0x40c53e 0x40c54a 0x40c560 0x40c568 0x40c575 0x40c579 0x40c561 0x40c544 0x40c586 0x40c59f 0x40c5b4 0x40c5ba 0x40c5c0 0x4015da 0x401630 0x401682 0x401695 0x4016a9 0x4016b7 0x4016c1 0x401728 0x40155b 0x401532 0x401741 0x401791 0x401927 0x4019e3 0x401ad7 0x401ae8 0x401aee
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40c55a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c56f
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40c59d
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40c5b2
5. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4015d4
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40162e
7. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401680
8. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40168f
9. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x4016a7
10. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x4016b5
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4016bf
12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401726
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401555
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401525
15. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40152c
16. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x40173b
17. CreateThread at 0x7c81082f in kernel32.dll called from 0x40178b
18. CreateDesktopA at 0x77d85b10 in USER32.dll called from 0x40193e
CFG at thread creation event
- dot file
- jpg

MD5 checksum	2247765328dac61e0bc2b2d9ec98713a
Anti-virus name	W32/Swizzor.D.gen!Eldorado (generic, not disinfectable),Trojan.Swizzor.Gen,Trojan.Swizzor.2

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x41aab2 0x402267 0x402297 0x4022a2 0x4022ae 0x4022b6 0x4022be 0x4022ca 0x4022dd 0x4022e8 0x4022f7 0x41aab7 0x41a8d3 0x41445c 0x41a8df 0x41a8ed 0x41a904 0x41a90b 0x41a91e 0x41a927 0x41a93c 0x41a959 0x41a960 0x41a96e 0x41a892 0x41a89d 0x41a8ae 0x41a8b9 0x41a8c2 0x41a99d 0x407bc1 0x407bd8 0x407be4 0x407b66 0x417b2c 0x417b54 0x417b5d 0x407b7d 0x407b8f 0x417b63 0x417b8b 0x417b93 0x407b98 0x407baa 0x407bb1 0x407bb7 0x407be9 0x407c17 0x41a9a9 0x41a9b6 0x40e849 0x40e855 0x40e864 0x40e873 0x40e880 0x40e88d 0x40e89a 0x40e8c4 0x40e8e8 0x40e8ee 0x40e8fc 0x40e905 0x40e90d 0x417d53 0x40e4eb 0x40e47d 0x40e48c 0x40e490 0x40e4b1 0x40e4bc 0x40e4c2 0x40e411 0x40e42c 0x40e437 0x40e43f 0x40e452 0x405910 0x405920 0x405926 0x40592a 0x405954 0x40e45d 0x40e463 0x40e46f 0x40e475 0x40e479 0x40e4c7 0x40e4cb 0x40e4d7 0x40e4db 0x40e4e1 0x40e4e5 0x40e4f2 0x417d59 0x40765a 0x417d61 0x4193c4 0x417d67 0x419edf 0x417d6d 0x423765 0x417d73 0x407e54 0x417d79 0x40973e 0x417d7f 0x417d85 0x417dd8 0x417de2 0x417d8b 0x417d95 0x40e912 0x40e91d 0x40e92d 0x40e93d 0x40e94d 0x40f6f0 0x40f6f9 0x40f703 0x4193de 0x4193ea 0x40e4f4 0x40e503 0x40e507 0x40e528 0x40e533 0x40e539 0x40e53e 0x40e542 0x40e54e 0x40e552 0x40e558 0x40e55c 0x4193fa 0x419401 0x41940a 0x41941c 0x419422 0x41942d 0x419431 0x41943d 0x419448 0x41944e 0x419454 0x41945f 0x419493 0x4144a1 0x4194a2 0x40f71b 0x40f721 0x40f727 0x40f72a 0x40e95a 0x40e95e 0x40e96e 0x40e562 0x40e568 0x40e971 0x40e97b 0x4053f8 0x4081c3 0x4081cf 0x4081d8 0x408206 0x408216 0x408220 0x408274 0x408278 0x408287 0x408289 0x4082d9 0x4082e0 0x40540b 0x40543b 0x40e987 0x40e98f 0x40e511 0x40e51a 0x40e51c 0x40e9a1 0x40e9a4 0x40e9a8 0x40e5da 0x40e5e6 0x40e5f1 0x40e608 0x40e60d 0x40e611 0x40e621 0x40e631 0x40e637 0x40e657 0x40f866 0x40f88c 0x40f894 0x40e65e 0x40e66d 0x40e675 0x409bb6 0x409bc7 0x409bd4 0x409be1 0x409bee 0x409bfb 0x409c01 0x409c0a 0x409c13 0x409c23 0x409c29 0x409c37 0x40e67d 0x40e690 0x40f78e 0x40f7a1 0x40e697 0x40e68a 0x40e68f 0x40e9b0 0x40e9b8 0x40e9ca 0x41a9bb 0x41a9c7 0x40932e 0x40934f 0x41a9cc 0x41a401 0x41a40d 0x41a41c 0x41a42e 0x41a438 0x41a474 0x41a44b 0x41a478 0x41a57f 0x41a581 0x41a59e 0x41a5a6 0x41a5b5 0x41a5bc 0x41a5c3 0x41a5c7 0x41a5ce 0x41a606 0x41a610 0x41a5ab 0x41a5d2 0x41a5e4 0x41a5ed 0x40e520 0x41a5fb 0x41a601 0x41a61a 0x41a626 0x41a63b 0x41a640 0x41a9d4 0x41a9e0 0x426440 0x426453 0x426455 0x426459 0x426485 0x426487 0x4264dc 0x41a9e5 0x425730 0x425748 0x42574a 0x425750 0x42577b 0x42578e 0x425795 0x42579c 0x4257a3 0x4053b8 0x41a7ab 0x41a7b9 0x41a7e6 0x41a7f0 0x41a7f4 0x41a7fb 0x41a81c 0x41a825 0x41a851 0x4053c5 0x4053f3 0x4257af 0x4257c2 0x41cf00 0x41cf18 0x41cf20 0x41cf28 0x41cf47 0x41cf4f 0x41cf5a 0x41cf5c 0x41d098 0x4257ca 0x4257b6 0x4257bd 0x425880 0x425882 0x41a9ef 0x403a9f 0x403ac2 0x403ad1 0x403ada 0x403953 0x403976 0x40397c 0x4039a7 0x40398f 0x40399d 0x4039ab 0x4039b1 0x4039e2 0x4039c0 0x4039c4 0x403a90 0x403a99 0x403aeb 0x403af8 0x403b03 0x403b0e 0x403b14 0x403b1b 0x40396d 0x403995 0x403a97 0x403b2d 0x403b45 0x41a9f9 0x41aa05 0x41b136 0x41b161 0x41b14f 0x41b156 0x410a95 0x410a99 0x410aa3 0x41b15c 0x41b155 0x41b169 0x41b173 0x41b186 0x41b1d0 0x41b18e 0x41b194 0x41b1cd 0x41b19e 0x41b1a6 0x41b1ae 0x42512d 0x42513a 0x42515d 0x42516a 0x42516c 0x42517b 0x42517e 0x425193 0x41b1b6 0x41b1ca 0x41b1d5 0x407c9b 0x407ca7 0x407cae 0x407cfa 0x407d09 0x407d23 0x407d28 0x41b1e0 0x41b1f5 0x41b1f6 0x41aa0a 0x41aa16 0x417b9f 0x417bc2 0x427423 0x40e49a 0x40e4a3 0x40e4a5 0x40e4a9 0x427434 0x427427 0x42743f 0x417bc7 0x417b0c 0x417b24 0x417b15 0x417b19 0x417b21 0x417b1f 0x407516 0x40751f 0x40737c 0x407388 0x40e710 0x40e699 0x40e6a1 0x40e56b 0x40e578 0x40e599 0x40e6ae 0x40e6b0 0x40e704 0x40e70b 0x40e716 0x40e724 0x407391 0x407003 0x40700f 0x407014 0x40703d 0x407044 0x40708d 0x40709e 0x4070a5 0x407d0d 0x416e3d 0x416e42 0x416e4c 0x407d12 0x407d1a 0x416e02 0x416e08 0x416e11 0x416e23 0x407d20 0x4251a5 0x4251af 0x4251be 0x4251d0 0x4251d9 0x4251dd 0x4251e3 0x4251e7 0x4251f1 0x4252f3 0x4252f5
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40229c
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x4022a8
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4022b0
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x4022b8
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x4022c4
6. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x41a8e7
7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x41a902
8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x41a905
9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x41a921
10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x41a957
11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x41a95a
12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x407bd2
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40e84f
14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e871
15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e87e
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e88b
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e898
18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40e8e8
19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40e903
20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e48a
21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40e4b6
22. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40e439
23. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e4d1
24. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x40e4df
25. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e501
26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40e52d
27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e548
28. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x40e556
29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x419427
30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x419437
31. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x41945d
32. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40e562
33. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x408281
34. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e518
35. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e51a
36. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40e9a2
37. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40e5eb
38. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e61f
39. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40e62f
40. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e651
41. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40f88e
42. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x409bc5
43. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x409c35
44. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40f79b
45. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40e9b2
46. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x41a416
47. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x41a5b6
48. GetFileType at 0x7c811069 in kernel32.dll called from 0x41a5c8
49. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e501
50. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x41a620
51. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x426453
52. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x426485
53. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x425748
54. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x41a823
55. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4257b7
56. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x403abc
57. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x407d03
58. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e4a1
59. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e4a3
60. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x40e69b
61. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e572
62. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40e6ae
63. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x40e705
64. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x407d14

MD5 checksum	23b429fd8bcbbcf8e66bad9c883f4ce2
Anti-virus name	W32/Downldr2.CBAS (exact, not disinfectable),Trojan.Vundo-3044,MemScan:Trojan.Dropper.SCR

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x1006461 0x10063e0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x10053fa 0x1002e55 0x1002e6d 0x1002e75 0x1002e7c 0x1002e81 0x1002e85 0x1002e8d 0x1002e95 0x1002e9c 0x1002ea4 0x100546e 0x1005476 0x1005481 0x100548b 0x1005497 0x10054a8 0x10054ac 0x1005563 0x100359c 0x10035c6 0x1003a8b 0x1003a8d 0x10064de 0x10064e6 0x10064ee 0x1003a98 0x1005574 0x1005587 0x100559e 0x10055b1 0x10055c8 0x10055d0 0x10055de 0x100488c 0x10048c9 0x10048ed 0x10048fc 0x100490b 0x100494e 0x1004953 0x100496f 0x100497b 0x1004baa 0x1004bbf 0x10055e9 0x10055ed 0x10055f8 0x10055fe 0x1005604 0x1006394 0x1006398 0x1006205 0x1006224 0x100622c 0x10043ec 0x1004404 0x1004411 0x1004433 0x100443d 0x1004464 0x1004470 0x1004474 0x100447b 0x10044b3 0x1006231 0x1006235 0x1004bc8 0x1004bdc 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006243 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x100624c 0x100639e 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063a5 0x100644f
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	23f380496027e78535f93228ab6c5b19
Anti-virus name	W32/Trojan.WFZ (exact),Trojan.Agent-121131
PEiD packer signature	Microsoft Visual C++ 6.0

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x403831 0x40385d 0x403a63 0x403a7a 0x403a83 0x403a9f 0x403ab2 0x403abc 0x403a88 0x403a9b 0x403890 0x40389d 0x4049fe 0x403970 0x403982 0x403989 0x4039ae 0x4039bb 0x403e33 0x403e65 0x403e83 0x403eaa 0x403eaf 0x403eb1 0x403ecd 0x403ecf 0x403ee5 0x403ee7 0x403ee9 0x403efd 0x403eff 0x40413c 0x40417f 0x40419e 0x4041a5 0x4041b8 0x4041d3 0x4041ea 0x403f04 0x403f0d 0x4041ed 0x4041ff 0x404208 0x40421d 0x404229 0x404244 0x404250 0x40425a 0x40425d 0x404296 0x4042d0 0x4042d3 0x4042e3 0x403f13 0x403f28 0x403f3b 0x403f86 0x403fa2 0x403faf 0x403fb3 0x403fb8 0x403fd2 0x403fd5 0x4040ea 0x4040ee 0x4040f9 0x404115 0x40412f 0x404137 0x4039c1 0x4039e2 0x403992 0x4039ad 0x40397f 0x404a0f 0x404a1e 0x404a34 0x404a38 0x404a52 0x404a5d 0x404b2e 0x404b30 0x404b3e 0x404b46 0x404b55 0x404b5c 0x404b63 0x404b6a 0x404b7a 0x404b8f 0x404b4b 0x404b6e 0x404b80 0x404b95 0x404ba1 0x4038a5 0x4038ab 0x4048cc 0x40491a 0x404923 0x404927 0x404929 0x404933 0x40493a 0x404941 0x404948 0x404961 0x404967 0x4039c6 0x4039cd 0x40496d 0x404976 0x404983 0x404995 0x404999 0x4049a0 0x4049f7 0x4038b5 0x40467f 0x404696 0x4046a8 0x4046b9 0x4046bb 0x404718 0x404742 0x404747 0x404750 0x404754 0x40476c 0x404779 0x404783 0x404788 0x4047ce 0x4047d2 0x4048bb 0x4048c2 0x4046cb 0x403e91 0x4046da 0x4046eb 0x40473a 0x404772 0x40477f 0x4048bf 0x404701 0x4038bf 0x4045c6 0x4045d8 0x4045e0 0x4045e6 0x4045eb 0x4033b0 0x4033d0 0x4033e8 0x4033ef 0x4033f3 0x4033fa 0x403403 0x4045f1 0x403417 0x4033bc 0x4033c3 0x4033cb 0x40340d 0x4045ea 0x403421 0x4045f8 0x404605 0x40461a 0x404624 0x404625 0x40462b 0x404656 0x404634 0x40463a 0x404649 0x4032c0 0x403331 0x40333d 0x403344 0x40334f 0x403356 0x403351 0x403370 0x403374 0x403378 0x403392 0x404651 0x403380 0x40338a 0x4033a8 0x40339f 0x40465c 0x40465d 0x403802 0x40380b 0x403add 0x403aed 0x403af1 0x403b00 0x403b05 0x403b07 0x403811 0x403821 0x40382f 0x404668 0x4038c4 0x4042e8 0x4042f3 0x4043d0 0x4043d5 0x4043db 0x4043e3 0x4043e1 0x40564b 0x405666 0x4043e8 0x404302 0x404311 0x4038c9 0x4038d6 0x40456e 0x40457c 0x404589 0x404591 0x404595 0x405245 0x405256 0x405267 0x40527c 0x40527e 0x405282 0x405252 0x40459e 0x4045a6 0x4045ab 0x4045b8 0x4045c2 0x4038db 0x4038ea 0x4038ed 0x4038f9 0x40113a 0x401166 0x401183 0x401196 0x4011a4 0x4011b2 0x4011c7 0x4011cf 0x4011d9 0x4014af 0x4014cd 0x4014e5
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x403857
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x403a74
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403aac
4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x404198
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4041b2
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40423e
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x404a57
8. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x404b56
9. GetFileType at 0x7c811069 in kernel32.dll called from 0x404b64
10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x404b9b
11. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4038a5
12. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x404927
13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40495f
14. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x404981
15. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40499a
16. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4046a2
17. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x403829
18. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4038d0
19. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4038f3
20. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401160
21. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x40117d
22. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x4011a2
23. ReadFile at 0x7c80180e in kernel32.dll called from 0x4011c1
24. MessageBoxA at 0x77d8050b in USER32.dll called from 0x4014f0

MD5 checksum	2420bdf9bb328428a367627b9adc227d
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x486f23 0x48fb5c 0x48fb8c 0x48fb97 0x48fba3 0x48fbab 0x48fbb3 0x48fbbf 0x48fbd2 0x48fbdd 0x48fbec 0x486f28 0x486d44 0x48dbf8 0x486d50 0x486d5e 0x486d75 0x486d7c 0x486d8f 0x486d98 0x486dad 0x486dca 0x486dd1 0x486ddf 0x486d03 0x486d0e 0x486d1f 0x486d2a 0x486d33 0x486e0e 0x48fb02 0x48fb19 0x48fb25 0x48faa7 0x48d70f 0x48d737 0x48d740 0x48fabe 0x48fad0 0x48d746 0x48d76e 0x48d776 0x48fad9 0x48faeb 0x48faf2 0x48faf8 0x48fb2a 0x48fb58 0x486e1a 0x486e27 0x48f923 0x48f92f 0x48f93e 0x48f94d 0x48f95a 0x48f967 0x48f974 0x48f99e 0x48f9c2 0x48f9c8 0x48f9d6 0x48f9df 0x48f9e7 0x48d922 0x48f53a 0x48f4d7 0x48f4e6 0x48f4ea 0x48f50b 0x48f516 0x48f51a 0x48f526 0x48f52a 0x48f530 0x48f534 0x48f541 0x48d928 0x49518c 0x48d930 0x4958f8 0x48d936 0x488a91 0x48d93c 0x491035 0x48d942 0x49926e 0x48d948 0x49905b 0x48d94e 0x48d954 0x49127f 0x491289 0x48d95a 0x48d964 0x48f9ec 0x48f9f7 0x48fa07 0x48fa17 0x48fa27 0x490124 0x49012d 0x490137 0x495912 0x49591e 0x48f543 0x48f552 0x48f556 0x48f577 0x48f582 0x48f586 0x48f592 0x48f596 0x48f59c 0x48f5a0 0x49592e 0x495935 0x49593e 0x495950 0x495956 0x495961 0x495965 0x495971 0x49597c 0x495982 0x495988 0x495993 0x4959c7 0x48dc3d 0x4959d6 0x49014f 0x490155 0x49015b 0x49015e 0x48fa34 0x48fa38 0x48fa48 0x48f5a6 0x48f5ac 0x48fa4b 0x48fa55 0x494f3f 0x489f75 0x489f81 0x489f8a 0x489fb8 0x489fc8 0x489fd2 0x48a026 0x48a02a 0x48a039 0x48a03b 0x48a08b 0x48a092 0x494f52 0x494f82 0x48fa61 0x48fa69 0x48f560 0x48f569 0x48f56b 0x48fa7b 0x48fa7e 0x48fa82 0x48f64a 0x48f656 0x48f661 0x48f678 0x48f686 0x48f696 0x48f69c 0x48f6bc 0x49029a 0x4902c0 0x4902c8 0x48f6c3 0x48f6d2 0x48f6da 0x4920bc 0x4920cd 0x4920da 0x4920e7 0x4920f4 0x492101 0x492107 0x492110 0x492119 0x492129 0x49212f 0x49213d 0x48f6e2 0x48f6f5 0x4901c2 0x4901d5 0x48f6fc 0x48f6ef 0x48f6f4 0x48fa8a 0x48fa92 0x48faa4 0x486e2c 0x486e38 0x48f48f 0x48f4b0 0x486e3d 0x48f24f 0x48f25b 0x48f26a 0x48f27c 0x48f286 0x48f2c2 0x48f299 0x48f2c6 0x48f3cd 0x48f3cf 0x48f3ec 0x48f3f4 0x48f403 0x48f40a 0x48f411 0x48f415 0x48f41c 0x48f454 0x48f45e 0x48f3f9 0x48f420 0x48f432 0x48f43b 0x48f56f 0x48f449 0x48f44f 0x48f468 0x48f474 0x48f489 0x48f48e 0x486e45 0x486e51 0x48f1b0 0x48f1c3 0x48f1c5 0x48f1c9 0x48f1f5 0x48f1f7 0x48f24c 0x486e56 0x48f04f 0x48f067 0x48f069 0x48f06f 0x48f09a 0x48f0ad 0x48f0b4 0x48f0bb 0x48f0c2 0x494eff 0x48cf56 0x48cf64 0x48cf91 0x48cf9b 0x48cf9f 0x48cfa6 0x48cfc7 0x48cfd0 0x48cffc 0x494f0c 0x494f3a 0x48f0ce 0x48f0e1 0x489960 0x489978 0x489980 0x489988 0x4899a7 0x4899af 0x4899ba 0x4899bc 0x489af8 0x48f0e9 0x48f0d5 0x48f0dc 0x48f19f 0x48f1a1 0x486e60 0x48efa4 0x48efc7 0x48efd6 0x48efdf 0x48ee58 0x48ee7b 0x48ee81 0x48eeac 0x48ee94 0x48eea2 0x48eeb0 0x48eeb6 0x48eee7 0x48eec5 0x48eec9 0x48ef95 0x48ef9e 0x48eff0 0x48effd 0x48f008 0x48f013 0x48f019 0x48f020 0x48ee72 0x48ee9a 0x48ef9c 0x48f032 0x48f04a 0x486e6a 0x486e76 0x48ed7e 0x48eda9 0x48ed97 0x48ed9e 0x487226 0x48722a 0x487234 0x48eda4 0x48ed9d 0x48edb1 0x48edbb 0x48edce 0x48ee18 0x48edd6 0x48eddc 0x48ee15 0x48ede6 0x48edee 0x48edf6 0x48d4f6 0x48d503 0x48d526 0x48d533 0x48d535 0x48d544 0x48d547 0x48d55c 0x48edfe 0x48ee12 0x48ee1d 0x4889ca 0x4889d6 0x4889dd 0x488a29 0x488a38 0x488a52 0x488a57 0x48ee28 0x48ee3d 0x48ee3e 0x486e7b 0x486e87 0x48d782 0x48d78b 0x495382 0x49538e 0x495310 0x49531e 0x49532b 0x49539d 0x4953a2 0x495340 0x49535e 0x495362 0x495369 0x495372 0x49537e 0x4953ae 0x4953b4 0x4953e8 0x4953ed 0x48d795 0x48d79a 0x48968f 0x48962f 0x489694 0x494244 0x49424f 0x494253 0x49425f 0x494263 0x494267 0x489699 0x4896a5 0x4941df 0x49d518 0x49d562 0x49d576 0x4a2075 0x4a208c 0x4a208f 0x4a2094 0x4a2097 0x4a209c 0x4a209f 0x4a20a4 0x4a20a7 0x4a20ac 0x4a20af 0x4a20b4 0x4a20ba 0x4a20f2 0x4a20f6 0x4a20fa 0x4a2108 0x4a2115 0x4a21dd 0x4a2370 0x49d57b 0x4941f2 0x494206 0x4896aa 0x48d7a4 0x48d7a5 0x4941c0 0x48f4f4 0x48f4fd 0x48f4ff 0x48f503 0x4941d1 0x4941c4 0x4941dc 0x48d7aa 0x48d6ef 0x48d707 0x48d6f8 0x48d6fc 0x48d704 0x48d702 0x4897f1 0x4897fb 0x489803 0x489819 0x48ab20 0x48ab2d 0x48ab3a 0x48ab3f 0x48ab47 0x48ab70 0x48ab7e 0x48ab79 0x48ab8f 0x48ab9a 0x48abb6 0x48abbe 0x48abc0 0x48abba 0x48abcc 0x490110 0x49a6a0 0x49a6c4 0x49a6e3 0x49a6ed 0x49a650 0x49a65c 0x49a690 0x49a69f 0x49a6f2 0x49a6f6 0x49a6fd 0x49011c 0x49363e 0x493647 0x4934a4 0x4934b0 0x48f781 0x48f6fe 0x48f706 0x48f5ca 0x48f5d6 0x48f5f3 0x48f70d 0x48f71f 0x48f721 0x48f775 0x48f77c 0x48f787 0x48f795 0x4934b9 0x4931db 0x4931e7 0x4931ec 0x493215 0x49321c 0x493265 0x493276 0x49327d 0x493271 0x493201 0x49320d 0x4892da 0x489304 0x489325 0x48932e 0x489342 0x4934e4 0x4934ef 0x4932f9 0x49327f 0x4892c6 0x4892d5 0x493291 0x4932ba 0x4932d1 0x4932e8 0x4932ed 0x4932f4 0x4932f6 0x493317 0x493330 0x493335 0x49333d 0x49334a 0x493355 0x49335d 0x488950 0x48895c 0x488966 0x48896e 0x48897c 0x488984 0x488997 0x4889af 0x4889b5 0x4889bf 0x49336c 0x493479 0x49347c 0x493438 0x493051 0x49307b 0x493088 0x49308a 0x493096 0x4930cf 0x49cf6b 0x49cf7c 0x49cdb3 0x49cdd2 0x49cde6 0x49cdea 0x49ce26 0x49ce36 0x49ce59 0x49ce63 0x49ce65 0x49ce6d 0x49ce78 0x48e200 0x48bcf0 0x48bd04 0x48bd08 0x49ce7d 0x49ce83 0x49ce9c 0x49ce9f 0x49cea1 0x49cea5 0x49ceb1 0x49cec3 0x49cec7 0x49ced5 0x49ced8 0x496ca4 0x496cac 0x496cbe 0x49cede 0x49cf59 0x488a82 0x488a8a 0x49cf69 0x49cf99 0x49cfa2 0x49cfa9 0x4930ec 0x497061 0x497072 0x496cbf 0x496cde 0x496cf5 0x496cf9 0x496d16 0x496d1b 0x496d21 0x496d26 0x496d2b 0x496d2e 0x496d3a 0x496d3d 0x496d4b 0x496d53 0x496d5c 0x496d6c 0x496d8f 0x496d99 0x496d9b 0x496da7 0x496db2 0x496db7 0x496dbd 0x496dd6 0x496dd9 0x496de1 0x496dea 0x496dfb 0x496e03 0x496e17 0x496e24 0x496e55 0x496e59 0x496e65 0x496e70 0x496e75 0x496e7b 0x496ea0 0x496ea4 0x496eb8 0x496ebc 0x496ec7 0x496ecd 0x496edb 0x496ede 0x496ee4 0x496ee5 0x496eed 0x49704f 0x49705f 0x497092 0x49709b 0x4970a2 0x49310c 0x493131 0x493136 0x49314e 0x493168 0x493170 0x493140 0x49315f 0x493153 0x493175 0x4931c4 0x4931d3 0x49343f 0x493329 0x493495 0x4934a2 0x493507 0x493514 0x493520 0x493524 0x493535 0x493541 0x49354b 0x493558 0x49355f 0x49357e 0x493586 0x493596 0x493598 0x4935a2 0x4935af 0x4935b1 0x4935bb 0x4935cb 0x4935d7 0x4935ee 0x4935f7 0x493605 0x49360c 0x493603 0x493635 0x49363d 0x49364e 0x493659 0x49a700 0x49a705 0x56a3a8 0x48985c 0x489820 0x48982c 0x48d6c5 0x48d6cc 0x489831 0x489744 0x489754 0x489765 0x48976d 0x489779 0x48e468 0x48e474 0x48e4a1 0x48e4e2 0x48e4f0 0x48e4f9 0x48977f 0x4897d0 0x4897df 0x4897eb 0x48983d 0x489856 0x48d6ce 0x48d6d5 0x48985b 0x48984d 0x489855 0x489865 0x56a3b2 0x4911b7 0x4911c2 0x4911c8 0x48d70d 0x48d7b9 0x48d7bf 0x48d7cb 0x48d7dc 0x48d7e4 0x48d7e2 0x5a29a1 0x5a29ab 0x5a29ad 0x5a29b7 0x5a2b8c 0x475f73 0x5a2f58 0x569b3e 0x569b4c 0x569b50 0x56b2b7 0x56b2c1 0x569b5c 0x569b56 0x569b68 0x569b69 0x5a2f62 0x5a2f6c 0x5a2f7a 0x5a2f84 0x5a2f8e 0x5a2f90 0x48ab1a 0x5a2f95 0x56a907 0x4027ff 0x48909d 0x40280b 0x569fa8 0x469996 0x4699af 0x4699b5 0x4699bc 0x569fb2 0x569fba 0x40281e 0x402829 0x40282e 0x4011ed 0x569df0 0x569dfc 0x569e07 0x569b96 0x56b2cd 0x56b2d7 0x569bb0 0x569e10 0x569e1e 0x569e25 0x569e33 0x569d4e 0x569d5a 0x404d94 0x40175d 0x40176f 0x401772 0x404da5 0x4045c2 0x4888c0 0x4888f0 0x488908 0x48890f 0x488937 0x4045ce 0x40416d 0x401779 0x401789 0x40178b 0x4017a7 0x4017a9 0x40417d 0x40419f 0x403959 0x40396b 0x40397d 0x40399e 0x4039aa 0x4041ab 0x4041af 0x4041bc 0x4041bf 0x4010dc 0x486f2d 0x486f3f 0x486f5f 0x486f64 0x486f69 0x4899e4 0x489acb 0x489aec 0x486f75 0x486f3b 0x486fa4 0x4010f0 0x4041ca 0x4041d7 0x4041d9 0x4045db 0x404db0 0x569d8d 0x489175 0x569d94 0x569e39 0x569e3f 0x569c2a 0x569c33 0x56b2e3 0x56b2f1 0x569c44 0x569c45 0x569e49 0x569e5f 0x401183 0x401194 0x40119c 0x4011a0 0x569bb7 0x56b2d8 0x56b2e2 0x569bc7 0x4011a8 0x569e6c 0x569e76 0x569e82 0x569e89 0x4011f5 0x569c24 0x4011fc 0x401203 0x402835 0x402839 0x4017ad 0x402843 0x40284a 0x56a90f 0x56a8c0 0x56a8d8 0x56a8e0 0x56a840 0x56a8f3 0x56a922 0x5a2fa3 0x5a2fad 0x5a2faf 0x408bfa 0x408c06 0x408c15 0x408c2c 0x407cb0 0x4059fa 0x405926 0x405935 0x4059da 0x4059df 0x405a24 0x405a2b 0x405a30 0x405a37 0x405a3b 0x407cb9 0x40730d 0x407319 0x4012e0 0x401207 0x401217 0x4012f3 0x407322 0x405efc 0x405f08 0x405f12 0x40114e 0x40115a 0x401164 0x401169 0x401176 0x40117e 0x405f29 0x401235 0x401249 0x40124b 0x40124f 0x401268 0x405f32 0x405f38 0x405f40 0x4055b6 0x4055c2 0x4055cb 0x4055cf 0x4055d6 0x4055e3 0x4053ef 0x489106 0x4053fb 0x405351 0x40535d 0x405369 0x403798 0x4037a9 0x405375 0x40537d 0x405385 0x40538d 0x4053c2 0x569e8a 0x492e5d 0x492e69 0x492e93 0x492e98 0x492230 0x49223c 0x492241 0x49226f 0x492276 0x4921f2 0x4921f6 0x4921fa 0x492229 0x492289 0x49229a 0x4922a1 0x492298 0x49225b 0x492267 0x49226e 0x492ea2 0x492eb5 0x492ec4 0x492ecb 0x4921ce 0x4921d5 0x4921d9 0x4921dd 0x4921ee 0x4921f0 0x492edd 0x492f8b 0x492f92 0x492ee5 0x492b9c 0x492bde 0x492d53 0x492561 0x492576 0x492583 0x49238f 0x49239b 0x4923a0 0x49a599 0x49a5a6 0x49a5c9 0x49a5d5 0x49a5d7 0x49a5df 0x49a5e3 0x49a5ed 0x49a5f0 0x49a604 0x4923b2 0x4923c6 0x49a5db 0x4923c9 0x4923ca 0x4925b1 0x4925bc 0x4925cc 0x4925e2 0x48a5a0 0x48a5b0 0x48a5b6 0x48a5ba 0x48a5bf 0x48a5e0 0x4925ec 0x4925f7 0x492627 0x492634 0x49267e 0x492687 0x4926a5 0x4926bc 0x4926c5 0x4926cd 0x492d58 0x492d65 0x492ef2 0x492efe 0x492f20 0x492f27 0x492201 0x492209 0x49220e 0x492142 0x49214b 0x492157 0x492164 0x492171 0x49217e 0x49218b 0x492191 0x49219a 0x4921a3 0x4921b3 0x4921b9 0x4921c7 0x4921ca 0x492214 0x492f39 0x492f3f 0x492f46 0x492f4f 0x49221a 0x492f5b 0x489a90 0x489ae4 0x492f70 0x4922a6 0x492f78 0x492f97 0x492f9e 0x492f81 0x492fb0 0x492fc8 0x492fbc 0x492fc4 0x569e93 0x569e9e 0x401791 0x401798 0x569eac 0x569eb3 0x492bf0 0x492cf7 0x4926d2 0x492704 0x492728 0x492732 0x49273c 0x492741 0x492747 0x48ffc5 0x48ffd2 0x48fff5 0x490001 0x490003 0x49000d 0x490010 0x490024 0x492757 0x49276d 0x49277c 0x492785 0x492894 0x4928a1 0x492d09 0x492d10 0x492d13 0x492d3e 0x492d17 0x492d22 0x492d3b 0x492d47 0x492f03 0x492f10 0x492222 0x491f7c 0x491f90 0x491fff 0x49204d 0x492073 0x492079 0x492082 0x492093 0x4920aa 0x4920b0 0x4920b6 0x492228 0x569ebe 0x569ec9 0x569ed2 0x4053cb 0x4053d4 0x405423 0x40126c 0x40112b 0x569a4e 0x49bad3 0x49bad8 0x49baf5 0x569a54 0x49baad 0x49bab2 0x49bacf 0x569a62 0x569a71 0x569a7a 0x49ab3f 0x49ab44 0x49ab61 0x569a84 0x489991 0x569a8d 0x569aa5 0x40113c 0x401282 0x405431 0x403e95 0x403ea1 0x569d2b 0x569d35 0x569d40 0x569d43 0x569d4b 0x569d4d 0x403eb3 0x403212 0x40321c 0x403247 0x403259 0x403ec0 0x403ecc 0x403ed8 0x403ee4 0x403eef 0x403ef4 0x40543c 0x405457 0x489189 0x489193 0x40545e 0x4055eb 0x4055ef 0x4055f1 0x4055f9 0x405f49 0x405f6a 0x405f7a 0x569cf2 0x569cfb 0x569d05 0x569d06 0x569d0d 0x569d12 0x569d25 0x405f80 0x405f81 0x405f8d 0x405f94 0x40732c 0x40121d 0x401223 0x4011ab 0x4011bd 0x4011c4 0x4011c9 0x4011cd 0x4011e0 0x401228 0x401234 0x40733b 0x4054df 0x407345 0x40734a 0x407cce 0x407ce5 0x407cf4 0x408c4a 0x408c51 0x5a2fc2 0x5a2fcc 0x5a2fce 0x56a86b 0x56a88c 0x56a8a5 0x56a8be 0x5a2fd8 0x5a2fe2 0x5a2fec 0x5a2fee 0x5a2ff8 0x5a2c7d 0x5a2c87 0x5a2f2c 0x569868 0x569812 0x5696ef 0x5696fc 0x56981d 0x569885 0x5698aa 0x5698be 0x5698c4 0x5698ca 0x5698e0 0x5698e4 0x569703 0x56970f 0x56971a 0x56973e 0x56974d 0x5698fa 0x569905 0x569912 0x5a2f36 0x5a2f40 0x5a2f42 0x569842 0x569798 0x5697a3 0x56984a 0x56974e 0x56975d 0x569762 0x56976e 0x569856 0x569864 0x5a2f4c 0x5a2f56 0x5a2ffa 0x46b9eb 0x47f0a9 0x47f0b5 0x47f0c8 0x47f0cd 0x47f0d7 0x47ede4 0x47ee09 0x47ee15 0x47ee1f 0x47f0e8 0x47f0f8 0x47ecd4 0x47ece9 0x47ed00 0x47ed22 0x47ed2c 0x475f4e 0x4699d1 0x4699dd 0x4699e8 0x475f61 0x475f6e 0x47ed34 0x47ed3f 0x47ed68 0x47ed90 0x47ed97 0x488977 0x490081 0x4900db 0x49009f 0x4900ae 0x49002a 0x49004a 0x49007a 0x4900b7 0x4900c0 0x4900c4 0x490109 0x47edaf 0x47edb8 0x47edbd 0x47edc3 0x47eddc 0x47f0fd 0x47f103 0x47eb61 0x47eb70 0x47eb78 0x47eb7d 0x47eb85 0x47eb9f 0x47eba6 0x47f110 0x47f116 0x469c94 0x469ca0 0x47eb39 0x47eb45 0x47eb4e 0x469caa 0x469cb8 0x46b352 0x469cbd 0x469cc2 0x47f119 0x47ee86 0x4890d0 0x47ee92 0x47eea4 0x47eeb1 0x47eeba 0x47eec2 0x47eef8 0x47ef02 0x47ef06 0x47ef12 0x47ec55 0x47ec3f 0x47ec4b 0x47ec63 0x47ef25 0x47eedd 0x47eee2 0x47eeec 0x47eef6 0x47ef55 0x47ef67 0x47ef80 0x47ef92 0x47ef95 0x47ef9c 0x47efa1 0x47efa7 0x47efad 0x47efb3 0x47efb8 0x47f129 0x47f130 0x46b9fa 0x46ba03 0x46ba0a 0x47ebc8 0x47ebd4 0x47ebdc 0x47f636 0x47f645 0x47f64e 0x47f5cd 0x47f5d6 0x47f5eb 0x47f653 0x47f66d 0x47f674 0x47f679 0x47f687 0x47f689 0x47f694 0x47f69c 0x47ebe3 0x47ebed 0x46b9bc 0x46b9c8 0x46b9d2 0x46b9e0 0x46b9a8 0x46b8aa 0x46b8b6 0x428dac 0x475ece 0x428db4 0x46a7c9 0x46a7de 0x475f96 0x46a7e3 0x428dbc 0x46b8d9 0x428dc0 0x428dd9 0x428cef 0x428d02 0x428d08 0x428c0f 0x475f4b 0x428c2c 0x475ed4 0x475ee4 0x475ef5 0x475efa 0x475f0a 0x428c37 0x428c42 0x428c49 0x428c4b 0x428be5 0x428c00 0x428c5b 0x428b6a 0x428b83 0x428c6b 0x428d0e 0x428d32 0x428de4 0x46b916 0x46b934 0x46b945 0x46b954 0x46b961 0x46b5e8 0x46b5f4 0x42fb3c 0x42fb48 0x42fb52 0x42fb5a 0x42faa0 0x42faaa 0x42fabd 0x42fb68 0x42fb6c 0x42914d 0x42915d 0x429163 0x429164 0x428dea 0x428dfd 0x428e0f 0x428e21 0x428e38 0x428e44 0x428bbe 0x428bc6 0x428bcd 0x428e51 0x428e52 0x42916d 0x42fb76 0x42fb7d 0x46b603 0x46b586 0x46b44c 0x46b2f7 0x46b304 0x46b30c 0x46b310 0x46b34d 0x46b45e 0x46b59b 0x46b613 0x46b61e 0x46b80b 0x46b966 0x46b96a 0x46b979 0x46b986 0x46b827 0x46b833 0x46b842 0x46b852 0x46b85d 0x46b8a9 0x46b98b 0x46b98f 0x46b9a5 0x46b9b2 0x46b9e5 0x46b9ea 0x47ebf0 0x47ebf2 0x47f6a3 0x47f6b1 0x47f6c0 0x47ebfd 0x47ec04 0x46ba19 0x46ba1d 0x5a2fff 0x5a300d 0x590600 0x488913 0x48892d 0x59060f 0x590619 0x59061b 0x59062a 0x590634 0x590636 0x590645 0x59064f 0x590651 0x590660 0x59066a 0x59066c 0x59067b 0x590685 0x590687 0x590696 0x5906a0 0x5906a2 0x488941 0x403970 0x403487 0x403493 0x4034a8 0x4034cd 0x4019c4 0x4019dc 0x4019d3 0x4019d9 0x4034dc 0x40350c 0x403531 0x40353c 0x40176a 0x40354c 0x403551 0x4041b7 0x5906b1 0x5906bb 0x5906bd 0x5906cc 0x5906d6 0x5906d8 0x5906e7 0x5906f1 0x5906f3 0x590702 0x59070c 0x59070e 0x4888cc 0x488923 0x59071d 0x590727 0x590729 0x590738 0x590742 0x590744 0x590753 0x59075d 0x59075f 0x59076e 0x590778 0x59077a 0x590789 0x590793 0x590795 0x5907a4 0x5907ae 0x5907b0 0x5907bf 0x5907c9 0x5907cb 0x5907da 0x5907e4 0x5907e6 0x5907f5 0x489786 0x48978f 0x489791 0x489797 0x494f87 0x48a0d2 0x48a0de 0x48a0f3 0x48a106 0x48a2a6 0x48a278 0x48a27d 0x48a28d 0x48a2e9 0x48a2bf 0x48a2c4 0x494f98 0x494fcd 0x4897a1 0x4897be 0x4897ca 0x5907ff 0x590801 0x590810 0x59081a 0x59081c 0x48891a 0x489b0c 0x59082b 0x590835 0x590837 0x590846 0x590850 0x590852 0x590861 0x59086b 0x59086d 0x59087c 0x590886 0x590888 0x590897 0x5908a1 0x5908a3 0x5908b2 0x5908bc 0x5908be 0x5908cd 0x5908d7 0x5908d9 0x5908e5 0x5908f4 0x590907 0x59091a 0x59092d 0x590940 0x590953 0x590966 0x590979 0x590983 0x590989
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x48fb91
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x48fb9d
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x48fba5
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x48fbad
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x48fbb9
6. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x486d58
7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x486d73
8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x486d76
9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x486d92
10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x486dc8
11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x486dcb
12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x48fb13
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x48f929
14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f94b
15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f958
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f965
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f972
18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x48f9c2
19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x48f9dd
20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f4e4
21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x48f510
22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f520
23. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x48f52e
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f550
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x48f57c
26. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f58c
27. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x48f59a
28. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x49595b
29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x49596b
30. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x495991
31. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x48f5a6
32. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x48a033
33. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f567
34. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f569
35. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x48fa7c
36. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x48f65b
37. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f684
38. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48f694
39. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x48f6b6
40. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x4902c2
41. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x4920cb
42. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x49213b
43. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x4901cf
44. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x48fa8c
45. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x48f264
46. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x48f404
47. GetFileType at 0x7c811069 in kernel32.dll called from 0x48f416
48. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x48f46e
49. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x48f1c3
50. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x48f1f5
51. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x48f067
52. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x48cfce
53. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x48f0d6
54. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x48efc1
55. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x488a32
56. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x494249
57. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x494259
58. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x494265
59. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f4fb
60. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f4fd
61. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x48f700
62. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f5d0
63. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f719
64. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x48f71f
65. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x48f776
66. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x49334f
67. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x493075
68. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x49cde0
69. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x49ce57
70. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x49cec1
71. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x49cecf
72. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x496cef
73. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x496d8d
74. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x496df9
75. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x496e15
76. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x496eb2
77. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x496ed5
78. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x49351a
79. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x49353f
80. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x4935d1
81. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x4935f5
82. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x48e4ea
83. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x4911bc
84. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x569b46
85. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x56b2bb
86. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x56b2d1
87. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x56b2dc
88. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x48f776
89. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x488a32
90. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x492155
91. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x4921c5
92. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x48f59a
93. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x48e4ea
94. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x5698b8
95. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x569714
96. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x47ee03
97. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x47ee19
98. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x47ece3
99. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x47ed39
100. GlobalLock at 0x7c810119 in kernel32.dll called from 0x47ed91
101. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x47edd6
102. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x47eb6a
103. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x47eb7f
104. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x47eba0
105. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x47eb3f
106. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x47ee9e
107. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x47eebc
108. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x47eef0
109. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x47ef8c
110. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x47efad
111. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x47f672
112. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x47f681
113. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x47f69a
114. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x47f6ba
115. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x48f59a
116. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x48e4ea
117. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x48f52e
118. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x4902c2
119. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x48f59a
120. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x48e4ea
121. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x4901cf
122. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x48f59a
123. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x48f59a
124. RtlReAllocateHeap at 0x7c9179fd in ntdll.dll called from 0x48a287
125. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x48f59a

MD5 checksum	246a099a3c71835dfaadd2feb4177933
Anti-virus name	W32/Hupigon.A.gen!Eldorado (generic, not disinfectable),Trojan.Packed-19,GenPack:Generic.Hupigon.PAS.C6EFFF4B

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x51cf74 0x51cf9a 0x51cfce 0x51cfd6 0x51cfe1 0x51d2a1 0x51d2ad 0x51d2ae 0x51d320 0x51d324 0x51d329 0x51d2b3 0x51d2b5 0x51d2bc 0x51d2be 0x51d2c5 0x51d2c7 0x51d2c9 0x51d2ce 0x51d2d2 0x51d2d4 0x51d2e8 0x51d2ed 0x51d316 0x51d315 0x51d2d7 0x51d32c 0x51d32d 0x51d332 0x51d339 0x51d33b 0x51d2dc 0x51d2f4 0x51d32a 0x51d301 0x51d308 0x51d30f 0x51d314 0x51d2df 0x51d2e6 0x51d33c 0x51cff0 0x51d002 0x51d022 0xa305a9 0xa305c9 0xa305d5 0xa305e3 0xa305e9 0xa30605 0xa30628 0xa30297 0xa302f9 0xa302fd 0xa3030f 0xa30017 0xa30032 0xa30000 0xa30011 0xa30037 0xa30048 0xa3031d 0xa30327 0xa3033a 0xa30093 0xa300ac 0xa300e8 0xa3012e 0xa3034f 0xa30353 0xa3037e 0xa30394 0xa303ba 0xa301ad 0xa301b7 0xa301c4 0xa300ec 0xa3012b 0xa300cf 0xa300d6 0xa301cd 0xa303c2 0xa30433 0xa3058b 0xa30112 0xa30119 0xa303c9 0xa303de 0xa303e9 0xa303f5 0xa303fc 0xa3040d 0xa30486 0xa30232 0xa3023d 0xa30241 0xa30131 0xa30142 0xa30146 0xa30154 0xa3015b 0xa3015c 0xa30255 0xa30292 0xa30497 0xa3055d 0xa30563 0xa3056b 0xa30577 0xa30586 0xa30384 0xa30389 0xa30391 0xa3039a 0xa301d1 0xa301e0 0xa301fd 0xa30205 0xa30221 0xa3020f 0xa3021d 0xa30229 0xa303b4 0xa30411 0xa3041a 0xa304b0 0xa304e2 0xa304ed 0xa30503 0xa30508 0xa30535 0xa3004c 0xa3005b 0xa3005e 0xa3006b 0xa30083 0xa30066 0xa30086 0xa30087 0xa3053d 0xa3052c 0xa3016b 0xa30184 0xa30185 0xa30193 0xa301a3 0xa301a4 0xa30531 0xa30556 0xa30520 0xa30073 0xa3007b 0xa3038e 0xa30441 0xa3044d 0xa30456 0xa30465 0xa3046e 0xa30477 0xa3047d 0xa30469 0xa3020d 0xa30451 0xa30257 0xa30261 0xa30281 0xa3028f 0xa30551 0xa304ea 0xa30266 0xa3027c 0xremoving 0xa30599 0xa30647 0xa3064d 0xa3064e 0xa3065b 0x51d043 0x51d064 0x51d079 0x51d07e 0x51d082 0x51d09e 0x51d0a8 0x51d0b8 0x51d1f7 0x51d205 0x51d220 0x51d23b 0x51d243 0x51d25a 0x51d26e 0x51d281 0x51d28a 0x51d24e 0x51d0bd 0x51d150 0x51d1a3 0x51d1b4
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x51cfc8
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0xa30625
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0xa30658
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x51d05e
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x51d235
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x51d27b
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x51d1cd

MD5 checksum	249854f9026cdac6930a3aa43b2304b9
Anti-virus name	W32/OnlineGames.CG.gen!Eldorado (generic, not disinfectable)
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x43a6a0 0x43a6c2 0x43a6c9 0x43a6b8 0x43a6be 0x43a6cb 0x43a6d0 0x43a6db 0x43a6e1 0x43a6ec 0x43a700 0x43a70b 0x43a718 0x43a71c 0x43a71d 0x43a728 0x43a72e 0x43a739 0x43a73c 0x43a74d 0x43a756 0x43a6f3 0x43a6fe 0x43a75c 0x43a76b 0x43a6e3 0x43a711 0x43a6d4 0x43a704 0x43a730 0x43a721 0x43a772 0x43a77f 0x43a795 0x43a79d 0x43a7aa 0x43a7ae 0x43a796 0x43a779 0x43a7bb 0x43a7d4 0x43a7e9 0x43a7ef 0x43a7f5
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x43a78f
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x43a7a4
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x43a7d2
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x43a7e7
5. strupr at 0x77c46665 in MSVCRT.dll called from 0x402431
CFG at exit
- dot file
- jpg

MD5 checksum	249c08ae522f8ba775c64663d4661492
Anti-virus name	W32/Worm.AOFT (exact),Worm.Autorun-924,Trojan.Agent.AHUY
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x41dc80 0x41dca1 0x41dca6 0x41dd6c 0x41dd70 0x41dd7a 0x41dd9a 0x41dda4 0x41ddb3 0x41ddc4 0x41de02 0x41de1b 0x41df3f 0x41df6a 0x41df7f 0x41df37 0x41df52 0x41df5c 0x41dfb0 0x41dfd0 0x41e6f8 0x41dff8 0x41e03b 0x41e0a7 0x41e0df 0x41e0fd 0x41e151 0x41e1c7 0x41e2ff 0x41e31b 0x41e339 0x41e37a 0x41e3a8 0x41e3f6 0x41e425 0x41e432 0x41e45d 0x41e471 0x41e49e 0x41e445 0x41e44f 0x41e489 0x41e4a9 0x41e6b0 0x41e6c1 0x41e6d8 0x41e6e9 0x41de75 0x41de8c 0x41deb6 0x41dec0 0x41dece 0x41df09 0x41df98 0x41dfdd 0x41dfe4 0x41ddea 0x41ddf4 0x41e055 0x41e34b 0x41e3ec 0x41e4c9 0x41e4da 0x41e4f9 0x41e524 0x41e538 0x41e565 0x41e550 0x41e570 0x41e57f 0x41e597 0x41e609 0x41e616 0x41e644 0x41e674 0x41e693 0x41e6a6 0x41dee6 0x41df29 0x41df07 0x41e323 0x41e32d 0x41e025 0x41e02f 0x41e13b 0x41e145 0x41e1e0 0x41e200 0x41e20a 0x41e216 0x41e230 0x41e2f3 0x41dfee 0x41e50c 0x41e516 0x41e659 0x41e4d5 0x41e62c 0x41e636 0x41e5b3 0x41e5b6 0x41e5d8 0x41e5eb 0x41e5e4 0x41e5ee 0x41e167 0x41e18d 0x41e253 0x41e28b 0x41e2a5 0x41e2eb 0x41e0c9 0x41e0d3 0x41df35 0x41e3bb 0x41e392 0x41e39c 0x41e2c5 0x41e275 0x41e27f 0x41e5c0 0x41e5ca 0x41e709 0x41e728 0x41e747 0x41e75f 0x41e764 0x41e770 0x41e775 0x41e779 0x41e77e 0x41e79c 0x41e7a8 0x41e7be 0x41e7c6 0x41e7ca 0x41e7d1 0x41e7d5 0x41e7dc 0x41e7e7
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x41e7b8
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41e7d6
3. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x41e7e7
CFG at exit
- dot file
- jpg

MD5 checksum	24c297ba180637af78f0ec110fed0f99
Anti-virus name	W32/Trojan2.JCWT (exact),Trojan.Generic.663053
PEiD packer signature	Borland Delphi 6.0 - 7.0

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x465ff0 0x465ff7 0x406960 0x40689c 0x406971 0x406954 0x406214 0x40695e 0x406993 0x4041fc 0x4040f4 0x40422f 0x40419c 0x4041ab 0x4041c4 0x4041d2 0x4069d4 0x4041d4 0x406828 0x406831 0x40356c 0x403564 0x40689a 0x406a4c 0x407678 0x4076b0 0x413944 0x4079a0 0x40e37c 0x40e396 0x40423c 0x404248 0x40677c 0x40678c 0x406795 0x405cc4 0x405cce 0x405cdd 0x405c7c 0x405c8c 0x401314 0x405c9f 0x405eb8 0x405ed9 0x40136c 0x405ce4 0x4067ac 0x401344 0x404580 0x404554 0x404558 0x402760 0x402765 0x402198 0x4021ac 0x401aac 0x401400 0x401ac7 0x401ada 0x401470 0x401ae4 0x401aee 0x401af8 0x4013e0 0x401b04 0x401b12 0x401b17 0x401b2b 0x401b41 0x401b61 0x401b69 0x4021b5 0x4021c7 0x4021e8 0x4021f8 0x402204 0x40220d 0x402297 0x4022e9 0x4020a4 0x4020b4 0x4020c3 0x4020cc 0x4020cf 0x4020d7 0x4020e4 0x4020ec 0x402078 0x402081 0x40208b 0x402099 0x4020a1 0x4020f3 0x4020f9 0x402018 0x40186c 0x4018c0 0x4018c4 0x4015c4 0x4015d3 0x4015e6 0x4013f0 0x4015f8 0x401600 0x401478 0x401420 0x40142c 0x401438 0x401443 0x401452 0x401483 0x40148c 0x40160c 0x401623 0x4018cd 0x4018d2 0x4014c0 0x4014dc 0x4014fe 0x401514 0x40151a 0x401523 0x40152b 0x4018dd 0x401888 0x401758 0x4017da 0x40179e 0x4017ac 0x4017b2 0x4017b6 0x4017ba
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40689c
2. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x403564
3. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401314
4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x7c80b379
5. RtlUnicodeStringToAnsiString at 0x7c9130c6 in ntdll.dll called from 0x7c80b3c1
6. memmove at 0x7c90253a in ntdll.dll called from 0x7c80b3e7
7. RtlFreeUnicodeString at 0x7c910976 in ntdll.dll called from 0x7c80b3f4
8. RegOpenKeyExA at 0x77dd761b in ADVAPI32.dll called from 0x40136c
9. LoadStringA at 0x77d6ec98 in USER32.dll called from 0x401344
10. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x401400
11. RtlInitializeCriticalSection at 0x7c911b2d in ntdll.dll called from 0x7c809fa9
12. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4013e0
13. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4013f0

MD5 checksum	24c5cb3fcbce517ea2fac5cf023969d0
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x406453 0x40d596 0x40d5c8 0x40d5d3 0x40d5df 0x40d5e7 0x40d5ef 0x40d5fb 0x40d60e 0x40d619 0x40d628 0x406458 0x406301 0x406814 0x40630d 0x40631b 0x40632c 0x40633a 0x406343 0x406357 0x40941f 0x40943a 0x409445 0x40635e 0x40636b 0x40a5ec 0x40a5fc 0x40a607 0x40a611 0x40a61f 0x40a62c 0x40a639 0x40a646 0x40a670 0x40a694 0x40a69a 0x40a6a8 0x40a6b1 0x40a6b9 0x405b18 0x40a24e 0x40a1dc 0x40a1f0 0x40a1f4 0x40a215 0x40a221 0x40a230 0x40a23c 0x40a240 0x40a245 0x40a248 0x40a255 0x405b20 0x409633 0x405b28 0x40b158 0x405b2e 0x406629 0x405b34 0x40b149 0x405b3a 0x40b13a 0x405b40 0x40af28 0x405b46 0x405b4c 0x40adb6 0x40adc0 0x405b52 0x405b5c 0x40a6be 0x40a6c9 0x40a6d9 0x40a6e9 0x40a6f9 0x4087ac 0x4087b7 0x4087c1 0x40b167 0x40b173 0x40b183 0x40b1b7 0x406859 0x40b1c6 0x4087d9 0x4087df 0x4087e5 0x4087e8 0x40a706 0x40a70a 0x40a257 0x40a26b 0x40a26f 0x40a290 0x40a29c 0x40a2ab 0x40a2b7 0x40a2bb 0x40a2c0 0x40a2c3 0x40a71a 0x40a2c9 0x40a2cf 0x40a71d 0x40a727 0x40cead 0x41032d 0x410339 0x410342 0x410370 0x410380 0x41038a 0x4103de 0x4103e2 0x4103f1 0x4103f3 0x410443 0x41044a 0x40cec3 0x40cef3 0x40a733 0x40a73b 0x40a279 0x40a282 0x40a284 0x40a74d 0x40a750 0x40a754 0x40a343 0x40a34f 0x40a35b 0x40a366 0x40a37d 0x40a38b 0x40a39b 0x40a3a1 0x408928 0x408950 0x408958 0x40a3c0 0x40a3ce 0x40a418 0x40884e 0x408863 0x40a41f 0x40a3da 0x40a3e1 0x40a3ef 0x40a3f7 0x40a000 0x40a014 0x40a021 0x40a02e 0x40a03b 0x40a048 0x40a052 0x40a05b 0x40a064 0x40a074 0x40a07c 0x40a08a 0x40a3ff 0x40a421 0x40a428 0x40a40c 0x40a411 0x40a75c 0x40a764 0x40a776 0x406370 0x40637c 0x40abbf 0x40abe2 0x406381 0x40cc14 0x40cc20 0x40cc2f 0x40cc41 0x40cc4b 0x40cc8e 0x40cc5e 0x40cc92 0x40cda6 0x40cda8 0x40cdc5 0x40cdcd 0x40cddc 0x40cde3 0x40cdea 0x40cdee 0x40cdf5 0x40cdf9 0x40ce05 0x40ce14 0x40ce22 0x40ce28 0x40ce37 0x40cdd2 0x40ce0b 0x40ce41 0x40ce4d 0x40ce62 0x40ce67 0x40638a 0x406396 0x40639c 0x4062d8 0x4062e6 0x4095fa 0x40f41f 0x40f42e 0x40f433 0x40f438 0x40f467 0x409601 0x409607 0x40960e 0x409613 0x40961c 0x40944f 0x409463 0x40946c 0x409475 0x40947e 0x409485 0x40948f 0x409496 0x40949b 0x4095c3 0x4095cb 0x4095d1 0x4095d6 0x40b430 0x40b460 0x40b478 0x40b47f 0x40b483 0x40b49d 0x4095ea 0x4095f5 0x409626 0x409630 0x409632 0x4062eb 0x40b4b1 0x4062f3 0x4058b2 0x405887 0x405897 0x4058b0 0x4058bf
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40d5cd
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x40d5d9
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40d5e1
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40d5e9
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x40d5f5
6. HeapCreate at 0x7c812929 in kernel32.dll called from 0x409434
7. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x40a5f6
8. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a61d
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a62a
10. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a637
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a644
12. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40a694
13. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40a6af
14. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40a1ee
15. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x40a21b
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a236
17. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x40a243
18. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x40b17d
19. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40a269
20. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x40a296
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a2b1
22. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x40a2be
23. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40a2c9
24. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4103eb
25. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40a280
26. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40a282
27. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40a74e
28. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x40a355
29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a389
30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40a399
31. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x408952
32. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40a3c8
33. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40885d
34. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40a012
35. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40a088
36. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40a75e
37. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40cc29
38. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4103eb
39. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x40cddd
40. GetFileType at 0x7c811069 in kernel32.dll called from 0x40cdef
41. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x40ce47
42. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x406396
43. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x4095c5
44. WriteFile at 0x7c810f9f in kernel32.dll called from 0x4095ef
45. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x405891
46. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x4058c3

MD5 checksum	24e71039f59f1c0ae8cad7ea7f097573
Anti-virus name	W32/Agent.CM.gen!Eldorado (generic, not disinfectable),Trojan.Agent-64034
PEiD packer signature	Microsoft Visual C++ 6.0 [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x403861 0x40388d 0x403a93 0x403aaa 0x403ab3 0x403acf 0x403ae2 0x403aec 0x403ab8 0x403acb 0x4038c0 0x4038cd 0x404a2e 0x4039a0 0x4039b2 0x4039b9 0x4039de 0x4039eb 0x403e63 0x403e95 0x403eb3 0x403eda 0x403edf 0x403ee1 0x403efd 0x403eff 0x403f15 0x403f17 0x403f19 0x403f2d 0x403f2f 0x40416c 0x4041af 0x4041ce 0x4041d5 0x4041e8 0x404203 0x40421a 0x403f34 0x403f3d 0x40421d 0x40422f 0x404238 0x40424d 0x404259 0x404274 0x404280 0x40428a 0x40428d 0x4042c6 0x404300 0x404303 0x404313 0x403f43 0x403f58 0x403f6b 0x403fb6 0x403fd2 0x403fdf 0x403fe3 0x403fe8 0x404002 0x404005 0x40411a 0x40411e 0x404129 0x404145 0x40415f 0x404167 0x4039f1 0x403a12 0x4039c2 0x4039dd 0x4039af 0x404a3f 0x404a4e 0x404a64 0x404a68 0x404a82 0x404a8d 0x404b5e 0x404b60 0x404b6e 0x404b76 0x404b85 0x404b8c 0x404b93 0x404b9a 0x404baa 0x404bbf 0x404b7b 0x404b9e 0x404bb0 0x404bc5 0x404bd1 0x4038d5 0x4038db 0x4048fc 0x404917 0x404919 0x40491f 0x404953 0x404963 0x40496a 0x404971 0x404978 0x404991 0x404997 0x4039f6 0x4039fd 0x40499d 0x4049a6 0x4049b3 0x4049c5 0x4049c9 0x4049d0 0x404a27 0x4038e5 0x4046af 0x4046c1 0x40567b 0x405684 0x4052b7 0x405450 0x405470 0x405475 0x40547f 0x4052c8 0x4052da 0x4052e4 0x4052eb 0x4052ef 0x4052fa 0x405305 0x40530e 0x405420 0x405426 0x40543f 0x4054f6 0x405510 0x405519 0x405520 0x40552c 0x405571 0x405a6d 0x405a9e 0x405ab2 0x405ab6 0x405ad7 0x405adc 0x405b05 0x405b0e 0x405b1b 0x405b38 0x405b3f 0x405bc0 0x405be0 0x405b51 0x403a20 0x403a2c 0x403a3a 0x403a49 0x403a61 0x403a6d 0x405b61 0x405b71 0x405b79 0x405b8e 0x405b92 0x405ba0 0x405ba4 0x405595 0x40581e 0x40584e 0x405866 0x40586a 0x405894 0x405899 0x405a42 0x405a52 0x405a57 0x405a5f 0x405a6a 0x4058a4 0x4058a9 0x4058d0 0x4058d9 0x4058e6 0x405903 0x405910 0x405920 0x405941 0x405946 0x40595b 0x40595f 0x405971 0x40597a 0x4059c0 0x4059d4 0x4059f4 0x4059f8 0x405a0c 0x405a10 0x405a1b 0x405a21 0x405a31 0x405a3b 0x4059ae 0x4055b9 0x4055e1 0x4055ec 0x40560a 0x40561f 0x405626 0x4055f4 0x405602 0x40560f 0x40562d 0x405678 0x405444 0x40544b 0x40568b 0x405696 0x4046c6 0x4046d8 0x4046e9 0x4046eb 0x404748 0x404772 0x404777 0x404780 0x404784 0x40479c 0x4047a9 0x4047b3 0x4047b8 0x4047fe 0x404802 0x4048eb 0x4048f2 0x4046fb 0x403ec1 0x40470a 0x40471b 0x40476a 0x4047a2 0x4047af 0x4048ef 0x404731 0x4038ef 0x4045f6 0x404608 0x404610 0x404616 0x40461b 0x4033f0 0x403410 0x403428 0x40342f 0x403433 0x40343a 0x403443 0x404621 0x403457 0x4033fc 0x403403 0x40340b 0x40344d 0x40461a 0x403461 0x404628 0x404635 0x40464a 0x404654 0x404655 0x40465b 0x404686 0x404664 0x40466a 0x404679 0x4032f0 0x403361 0x40336d 0x403374 0x40337f 0x403386 0x403381 0x4033a0 0x4033a4 0x4033a8 0x4033c2 0x404681 0x4033b0 0x4033ba 0x4033d8 0x4033cf 0x40468c 0x40468d 0x403832 0x40383b 0x403b0d 0x403b1d 0x403b21 0x403b30 0x403b35 0x403b37 0x403841 0x403851 0x40385f 0x404698 0x4038f4 0x404318 0x404323 0x404400 0x404405 0x40440b 0x404413 0x404411 0x404418 0x404332 0x404341 0x4038f9 0x403906 0x40459e 0x4045ac 0x4045b9 0x4045c1 0x4045c5 0x405275 0x405286 0x405297 0x4052ac 0x4052ae 0x4052b2 0x405282 0x4045ce 0x4045d6 0x4045db 0x4045e8 0x4045f2 0x40390b 0x40391a 0x40391d 0x403929 0x40113a 0x401166 0x401183 0x401196 0x4011a4 0x4011b2 0x4011c7 0x4011cf 0x4011d9 0x4011ec 0x4011f5 0x4011fe 0x40346b 0x403476 0x401204 0x401210 0x401220 0x401229 0x40123c 0x401244 0x401250 0x40125c 0x401271 0x401281 0x401119 0x401122 0x401126 0x401139 0x40129c 0x4012d3 0x403300 0x40331c 0x403334 0x40333b 0x40333f 0x403346 0x40334f 0x4012e0 0x4012e6 0x4012fb 0x403354 0x40130c 0x401321 0x40132d 0x401335 0x40133b 0x40134e 0x403248 0x4028a2 0x4027b8 0x4027c9 0x4027d7 0x4027e2 0x4027f1 0x4027f9 0x402803 0x402808 0x40280f 0x4032c7 0x4037b5 0x4037c8 0x4037cf 0x4037d5 0x4037dc 0x4037e4 0x4037ea 0x40381c 0x403825 0x403828 0x40382a 0x4032d4 0x40281b 0x402829 0x402842 0x402847 0x40284c 0x401597 0x4015a8 0x4015b1 0x4037f1 0x403800 0x4015be 0x4015d3 0x4015e0 0x401601 0x40152c 0x401542 0x40154d 0x40155d 0x40156d 0x401585 0x401000 0x40101a 0x401115 0x40158a 0x401593 0x401619 0x40161e 0x40286d 0x40288c 0x40273b 0x402745 0x40274c 0x40276f 0x402892 0x40289e 0x4028b5 0x403282 0x403289 0x4028b9 0x4028cc 0x4028d5 0x4028dd 0x4028ec 0x4028fc 0x402903 0x40290e 0x402945 0x40295e 0x40296f 0x4029b8 0x4029c1 0x4028ef 0x4029cf 0x401622 0x401657 0x40165c 0x40166a 0x401671 0x401674 0x401679 0x401683 0x40169c 0x4016b1 0x4016b4 0x4016c0 0x40165f 0x401888 0x40188b 0x401890 0x40189a 0x4018b2 0x4018cb 0x4018df 0x4018f5 0x401903 0x401923 0x401926 0x40194d 0x40192b 0x401935 0x40197e 0x401984 0x40199a 0x402c1c 0x402c32 0x402c41 0x402c9b 0x402ce1 0x402cf1 0x402d07 0x402d17 0x402d1b 0x402d24 0x402d2e 0x402d34 0x402d38 0x402d40 0x402d4b 0x402d56 0x402d5a 0x402d62 0x402d6c 0x402d84 0x402d93 0x402d95 0x402da6 0x402dab 0x402dcd 0x402db4 0x402dd3 0x402e0d 0x402e1d 0x402e30 0x402e3e 0x402e5a 0x402e6c 0x402e7c 0x402e82 0x402e8e 0x402e99 0x402eb5 0x402f0a 0x402f12 0x402f1e 0x402f20 0x402f3e 0x402f45 0x402f71 0x402f75 0x402f8b 0x402f91 0x402fa7 0x402fa9 0x402fb4 0x402fbe 0x402fcd 0x402fe7 0x402fb8 0x402ff5 0x40300b 0x402d00 0x402d02 0x402c60 0x402c73 0x402c78 0x402c8a 0x4032d7 0x403847 0x403b38 0x403bfe 0x403c0c 0x403c1b 0x403c32 0x403c37 0x403c47 0x403c49 0x403cb8 0x403cbb 0x403cc1 0x403d53 0x403e5e 0x40384d 0x4032e0 0x402c93 0x402c98 0x4019b4 0x4019c2 0x4019cb 0x4019eb 0x4019ee 0x4019f3 0x4019fd 0x401a16 0x401a39 0x401a52 0x401a5c 0x401a5f 0x401a71 0x401a9f 0x401ae1 0x401ae7 0x401af0 0x401afb 0x401b07 0x401a7c 0x401a86 0x401a57 0x401af9 0x401b0f 0x40302a 0x403043 0x403055 0x402e57 0x402f59 0x402ed6 0x402fdc 0x403081 0x403088 0x403090 0x4030bb 0x4030c2 0x4030ce 0x40311b 0x403124 0x40312a 0x401b53 0x401b5f 0x401b6c 0x401e6d 0x401e7d 0x401e84 0x401e9f 0x401b7e 0x401b89 0x401ea1 0x401ed9 0x401ede 0x401eec 0x401ef3 0x401efe 0x401f08 0x402470 0x4024a2 0x4024a7 0x4024c4 0x4024c9 0x4024e0 0x4024f3 0x4024fd 0x40250d 0x402516 0x402664 0x40267a 0x402683 0x402689 0x40252f 0x402570 0x40258c 0x402591 0x40259a 0x4025bc 0x4025bf 0x4025db 0x402608 0x402651 0x40265c 0x402553 0x40256d 0x4025c3 0x4026b5 0x4026c4 0x4026c6 0x40270a 0x401f40 0x401f6c 0x401f71 0x401f8f 0x401fa2 0x401faa 0x401fb4 0x401fd2 0x402000 0x40200c 0x401ee1 0x402272 0x4022fc 0x40226a 0x402014 0x40201c 0x40204a 0x40207a 0x4020a5 0x4020ad 0x4020b7 0x4020d5 0x402101 0x402132 0x402162 0x40219e 0x4021a5 0x4021b2 0x402240 0x402261 0x40213a 0x402144 0x402030 0x402121 0x40315c 0x40317f 0x40318a 0x40318e 0x403198 0x4031a7 0x401022 0x40102c 0x40102d 0x40103a 0x401046 0x401054 0x4010dd 0x4010ec 0x401037 0x40110d 0x40110e 0x4031ae 0x4031ba 0x403480 0x4034a0 0x4034a8 0x4034b3 0x4034b5 0x4035d8 0x4031c4 0x4031d5 0x4031e0 0x4031e3 0x4031f1 0x4031ff 0x40320e 0x403215 0x403221 0x4034dc 0x4035bf 0x40322b 0x403234 0x4021ef 0x402207 0x40220c 0x402238 0x402623 0x40264e 0x402638 0x40263b 0x40264b 0x4026cc 0x4026d1 0x4026e0 0x4026e2 0x401f7a 0x40238e 0x40239e 0x4010e1 0x403600 0x4023ab 0x4023da 0x402428 0x4034bc 0x4034d4 0x40242f 0x401bbd 0x401bc9 0x40245f 0x40246d 0x401bd6 0x401bfe 0x401c04 0x401c11 0x40227a 0x402284 0x40228e 0x402294 0x40229e 0x40249d 0x401f67 0x40218e 0x4021ba 0x4021e2 0x40317c 0x4034c8 0x403540 0x403550 0x403552 0x4031f5 0x4035ec 0x40351c 0x403536 0x403538 0x4021c4 0x4021ce 0x4021d4 0x4021de 0x402052 0x40205c 0x4022a2 0x4022af 0x4022c7 0x4022cc 0x4022f8 0x4035e0 0x402118 0x4034f0 0x403510 0x403512 0x402d48 0x402039 0x402042 0x40225b 0x401d6c 0x401d82 0x401db4 0x401e02 0x401e09 0x4029d9 0x4029f4 0x4029fb 0x402a04 0x40153d 0x402a17 0x402a2e 0x402a3f 0x402a6d 0x402a97 0x402ac1 0x402bd3 0x402bcd 0x402bce 0x403294 0x4032b4 0x40277a 0x402783 0x40278a 0x402790 0x402797 0x401e39 0x401e4c 0x401e55 0x401e5e 0x401e65 0x40279e 0x4027a0 0x4027a9 0x4032c2 0x4032c3 0x40135f 0x401379 0x4033e0 0x4033e9 0x401381 0x40139a 0x4013a5 0x405c00 0x405c18 0x405c1c 0x405c20 0x405c4e 0x405c87 0x4013b6 0x4013cd 0x4013d7 0x4013d9 0x4013f1 0x401400 0x40141f 0x401427 0x401435 0x40143e 0x405c2a 0x405c4a 0x4013bc 0x4013c7 0x401449 0x40145a 0x40146d 0x40147d 0x40148d 0x40149a 0x4014a6 0x4014b3 0x4014ca 0x4014ec 0x4014f1 0x4014f9 0x4014fa 0x401512
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x403887
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x403aa4
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403adc
4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4041c8
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4041e2
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40426e
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x404a87
8. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x404b86
9. GetFileType at 0x7c811069 in kernel32.dll called from 0x404b94
10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x404bcb
11. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4038d5
12. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x404917
13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40498f
14. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4049b1
15. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4049ca
16. GetACP at 0x7c809943 in kernel32.dll called from 0x40547f
17. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4052ff
18. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40550a
19. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x405aac
20. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405b32
21. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405b88
22. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x405b9a
23. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405860
24. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4058fd
25. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405955
26. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40596b
27. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405a06
28. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x405a2b
29. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4046d2
30. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x403859
31. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x403900
32. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x403923
33. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401160
34. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x40117d
35. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x4011a2
36. ReadFile at 0x7c80180e in kernel32.dll called from 0x4011c1
37. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x40121e
38. ReadFile at 0x7c80180e in kernel32.dll called from 0x401236
39. GetTempPathA at 0x7c8221cf in kernel32.dll called from 0x40126b
40. CreateDirectoryA at 0x7c826219 in kernel32.dll called from 0x4012f5
41. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4037fa
42. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x401419
43. WriteFile at 0x7c810f9f in kernel32.dll called from 0x40142f
44. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x401438
45. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x401487
46. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4014a0
47. GetNewSock at 0xd674b0 in krnln.fnr called from 0x4014b8
48. MessageBoxA at 0x77d8050b in USER32.dll called from 0x40151d

MD5 checksum	25de4efcad24afc24aeec2f9b12a876c
PEiD packer signature	Microsoft Visual C++ 6.0 [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x40280d 0x402920 0x402937 0x402940 0x40295c 0x40296f 0x402979 0x402945 0x402958 0x402840 0x40284d 0x40383b 0x402627 0x402639 0x402640 0x402665 0x402672 0x402cf0 0x402d22 0x402d40 0x402d67 0x402d6c 0x402d6e 0x402d8a 0x402d8c 0x402da2 0x402da4 0x402da6 0x402dba 0x402dbc 0x402ff9 0x40303c 0x40305b 0x403062 0x403075 0x403090 0x402dc1 0x4030aa 0x4030bc 0x4030c5 0x4030da 0x4030e6 0x403101 0x40310d 0x403117 0x40311a 0x403153 0x40318d 0x403190 0x4031a0 0x402dd0 0x402678 0x402699 0x402649 0x402664 0x402636 0x40384c 0x40385b 0x403871 0x403875 0x40388f 0x40389a 0x40396b 0x40396d 0x40397b 0x403983 0x403992 0x403999 0x4039a0 0x4039a7 0x4039ab 0x4039bd 0x4039de 0x402855 0x40285b 0x403709 0x403724 0x403726 0x40372c 0x40379e 0x4037a4 0x40267d 0x402684 0x4037aa 0x4037b3 0x4037c0 0x4037d2 0x4037dd 0x403834 0x402865 0x4034bc 0x4034ce 0x40448b 0x404494 0x4040c7 0x404260 0x404280 0x404285 0x40428f 0x4040d8 0x4040ea 0x4040f4 0x4040fb 0x4040ff 0x40410a 0x404115 0x40411e 0x404230 0x404236 0x404306 0x404320 0x404329 0x404330 0x40433c 0x404381 0x404d2d 0x404d5e 0x404d72 0x404d76 0x404d97 0x404df8 0x404dff 0x404e80 0x404ea0 0x404e11 0x4025a0 0x4025ac 0x4025ba 0x4025c9 0x4025e1 0x4025ed 0x404e21 0x404e31 0x404e39 0x404e4e 0x404e52 0x404e60 0x404e64 0x4043a5 0x404ade 0x404b0e 0x404b26 0x404b2a 0x404d02 0x404d12 0x404d17 0x404d1f 0x404d2a 0x404bc3 0x404bd0 0x404be0 0x404c01 0x404c06 0x404c1b 0x404c1f 0x404c31 0x404c3a 0x404c80 0x404c94 0x404cb4 0x404cb8 0x404ccc 0x404cd0 0x404cdb 0x404ce1 0x404cf1 0x4043c9 0x4043f1 0x4043fc 0x40441a 0x40442f 0x404436 0x404404 0x404412 0x40441f 0x40443d 0x404488 0x40449b 0x4044a6 0x4034d3 0x4034e5 0x4034f6 0x4034f8 0x403555 0x40357f 0x403584 0x40358d 0x403591 0x4035a9 0x4035b6 0x4035c0 0x4035c5 0x40360b 0x40360f 0x4036f8 0x4036ff 0x403508 0x403517 0x403528 0x403577 0x4035af 0x4035bc 0x4036fc 0x40353e 0x40286f 0x403403 0x403415 0x40341d 0x403423 0x403428 0x4045a0 0x4045c0 0x4045d8 0x4045df 0x4045e3 0x4045ea 0x4045f3 0x40342e 0x404607 0x4045ac 0x4045b3 0x4045bb 0x4045fd 0x403427 0x404611 0x403435 0x403442 0x403457 0x403461 0x403462 0x403468 0x403493 0x403471 0x403477 0x403486 0x4044b0 0x404521 0x40452d 0x404534 0x40453f 0x404546 0x404541 0x404560 0x404564 0x404568 0x404582 0x40348e 0x40458f 0x404598 0x404570 0x40457a 0x403499 0x40349a 0x4025f8 0x402601 0x40299a 0x4029aa 0x4029ae 0x4029bd 0x4029c2 0x4029c4 0x402607
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x402807
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x402931
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x402969
4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403055
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40306f
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4030fb
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x403894
8. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x403993
9. GetFileType at 0x7c811069 in kernel32.dll called from 0x4039a1
10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x4039d8
11. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x402855
12. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x403724
13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40379c
14. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4037be
15. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4037d7
16. GetACP at 0x7c809943 in kernel32.dll called from 0x40428f
17. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40410f
18. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40431a
19. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x404d6c
20. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404df2
21. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404e48
22. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x404e5a
23. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x404b20
24. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404bbd
25. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404c15
26. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x404c2b
27. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x404cc6
28. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x404ceb
29. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4034df
30. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40261f
31. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x402880
32. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4028a3
- dot file
- jpg

MD5 checksum	262015f3c00edde8879916ce463bb47e
Anti-virus name	Trojan.Inject.FW
PEiD packer signature	Borland Delphi 6.0 - 7.0

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x100070b4 0x100070bb 0x10004c80 0x10004bbc 0x10004c91 0x10004c74 0x10004a78 0x10004c7e 0x10004cb3 0x10003c58 0x10003b44 0x10003c8b 0x10003bf0 0x10003c00 0x10003c1c 0x10003c2f 0x10003c2d 0x10007000 0x1000700d 0x10002a04 0x10002a11 0x10002a1c 0x10002a53 0x10002a58 0x10002a6a 0x10002aa4 0x10002aa9 0x10002ab6 0x10002a16 0x10002ab1 0x10002ae1 0x100029c0 0x100029cb 0x100029d9 0x100029e9 0x100029f4 0x100029f6 0x100029ff 0x10002ae6 0x10002b04 0x10002b11 0x10007012 0x1000355c 0x10003554 0x10007094 0x10007098 0x100070a1 0x100070a8 0x10003c33 0x10003c51 0x10003c97 0x10004cbf 0x100070c9 0x10002e34 0x100010d4 0x10002e3d 0x10002e41 0x100070dc 0x1000557c 0x10005584 0x1000558b 0x100054f4 0x100040ec 0x100040f0 0x100040fa 0x1000550e 0x10005523 0x10005528 0x10005238 0x10003474 0x10003414 0x1000342b 0x1000343a 0x10003443 0x10003457 0x10003462 0x1000346c 0x1000347d 0x1000524f 0x10003248 0x10003250 0x10003252 0x10002d34 0x10002d38 0x10002d3d 0x10002d42 0x10002dea 0x1000325f 0x1000525c 0x10003fdc 0x10003f9c 0x10003f70 0x10003f74 0x10002c10 0x10002c14 0x10001734 0x1000174c 0x1000175e 0x10001784 0x10001808 0x1000184c 0x100018c8 0x100018fc 0x10001420 0x100013b4 0x100013bd 0x10001428 0x10001108 0x1000143b 0x1000143f 0x10001907 0x10002c1a 0x10002c1e 0x10003f81 0x10003fac 0x10003fb4 0x10003fbd 0x10003eac 0x10003ece 0x10003fc4 0x10005265 0x1000553a 0x10004ff0 0x10005007 0x100040f6 0x1000500f 0x10005024 0x10005029 0x10004330 0x1000433d 0x10004343 0x10004366 0x1000436d 0x10004375 0x1000437e 0x10004380 0x10002e2c 0x10004385 0x10003eb2 0x1000438c 0x1000438e 0x10005031
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x10004bbc
2. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x10003554
3. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x100010d4
4. ZwQueryPerformanceCounter at 0x7c90e102 in ntdll.dll called from 0x7c80a425
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x10001108

MD5 checksum	262ff18bcf6998b50af6fa6d0da88ca6
Anti-virus name	W32/Trojan2.IDWC (exact),Trojan.Zlob-10557,Trojan.Zlob.28296

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40c750 0x40c76a 0x40c771 0x40c760 0x40c766 0x40c773 0x40c778 0x40c783 0x40c789 0x40c794 0x40c79b 0x40c7a6 0x40c7a8 0x40c7b3 0x40c7c0 0x40c7e4 0x40c804 0x40c813 0x40c7ac 0x40c7c4 0x40c7c5 0x40c7d0 0x40c7d6 0x40c7e1 0x40c7f5 0x40c7fe 0x40c78b 0x40c7b9 0x40c7c9 0x40c7d8 0x40c77c 0x40c81a 0x40c822 0x40c827 0x40c82b 0x40c830 0x40c84e 0x40c85a 0x40c870 0x40c878 0x40c885 0x40c889 0x40c871 0x40c854 0x40c896 0x40c8af 0x40c8c4 0x40c8ca 0x40c8d0 0x401034 0x401053 0x402050 0x4020c5 0x4020ee 0x402108 0x40210c 0x402110 0x40212a 0x401070 0x402060 0x402080 0x402098 0x40209f 0x4020a3 0x4020b8 0x401081 0x4020c2 0x401092 0x4010a3 0x4010b5 0x4010c5 0x4010d9 0x4010ea 0x4020bd 0x4010f7 0x4020aa 0x4020b3 0x401108 0x40111b 0x40112d 0x40113e 0x40114f 0x401160 0x40116d 0x401180 0x401194 0x4011a2 0x4011ac 0x4011c2 0x4011d3 0x4011e4 0x4011f5 0x401206 0x401213 0x401039 0x401045 0x401da5 0x40101b 0x401027 0x40102e 0x401db6 0x401dbd 0x4016e1 0x4016f2 0x401709
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40c86a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c87f
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40c8ad
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40c8c2
5. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4010bf
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401119
7. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40116b
8. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40117a
9. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x401192
10. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x4011a0
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4011aa
12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401211
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40103f
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401021
15. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401028
16. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x4016ec
17. CreateThread at 0x7c81082f in kernel32.dll called from 0x401703
CFG at thread creation event
- dot file
- jpg

MD5 checksum	2671f9c926915aa60aecb29eda5f3d3d
Anti-virus name	W32/Downloader.AT.gen!Eldorado (generic, not disinfectable),Trojan.Generic.501004

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4333fd 0x433404 0x433417 0x43344c 0x433454 0x43345f 0x43371e 0x43372a 0x43372b 0x43379d 0x4337a1 0x4337a6 0x433732 0x433739 0x43373b 0x433742 0x433744 0x433746 0x43374b 0x43374f 0x433751 0x433765 0x43376a 0x433793 0x433792 0x433754 0x4337a9 0x4337aa 0x4337af 0x4337b6 0x4337b8 0x433771 0x4337a7 0x43377e 0x433785 0x43378c 0x433791 0x43375c 0x433763 0x4337b9 0x433481 0x4334a1 0x8a05aa 0x8a05ca 0x8a05d6 0x8a05e4 0x8a05ea 0x8a0606 0x8a0629 0x8a0298 0x8a02fa 0x8a02fe 0x8a0310 0x8a0018 0x8a0033 0x8a0001 0x8a0012 0x8a0038 0x8a0049 0x8a0328 0x8a033b 0x8a0094 0x8a00ad 0x8a00e9 0x8a012f 0x8a0354 0x8a037f 0x8a0395 0x8a03bb 0x8a01ae 0x8a01b8 0x8a01c5 0x8a00ed 0x8a012c 0x8a00d0 0x8a00d7 0x8a01ce 0x8a0434 0x8a058c 0x8a0113 0x8a011a 0x8a03ca 0x8a03df 0x8a04b1 0x8a0233 0x8a023e 0x8a0242 0x8a0132 0x8a0143 0x8a0147 0x8a0155 0x8a015c 0x8a015d 0x8a0293 0x8a04ee 0x8a0504 0x8a0509 0x8a0521 0x8a052d 0x8a016c 0x8a0185 0x8a0186 0x8a0194 0x8a01a4 0x8a01a5 0x8a0557 0x8a055e 0x8a0564 0x8a056c 0x8a0578 0x8a0587 0x8a03ea 0x8a03f6 0x8a0442 0x8a044e 0x8a0452 0x8a047e 0x8a0487 0x8a0258 0x8a0262 0x8a0282 0x8a0290 0x8a0498 0x8a0385 0x8a038f 0x8a0392 0x8a039b 0x8a01d2 0x8a01e1 0x8a01fe 0x8a0206 0x8a0222 0x8a0210 0x8a021e 0x8a022a 0x8a03fd 0x8a040e 0x8a038a 0x8a0457 0x8a0466 0x8a046a 0x8a0478 0x8a0552 0x8a0536 0x8a004d 0x8a005c 0x8a005f 0x8a0067 0x8a006c 0x8a0074 0x8a007c 0x8a0084 0x8a0087 0x8a0088 0x8a046f 0x8a0412 0x8a041b 0x8a04eb 0x8a0267 0x8a027d 0x8a020e 0x8a0598 0x8a059a 0x8a0648 0x8a064e 0x8a064f 0x8a065c 0x8a0660 0x4334ce 0x4334e1 0x4334f6 0x4334fb 0x4334ff 0x433507 0x43350d 0x433525 0x433535 0x433674 0x433682 0x43369d 0x4336b8 0x4336c0 0x4336d7 0x4336eb 0x4336fe 0x433707 0x4336cb 0x4336d4 0x43368a 0x43368f 0x433695 0x43369b 0x433717 0x43353a 0x4335cd 0x433620 0x433631 0x433650 0x433659 0x43366d 0x4097f4 0x404e28 0x404c1c 0x404cee 0x404e60 0x404fc4 0x408a70 0x4089f8 0x408a38 0x405284 0x408720 0x404597 0x403d24 0x403cf8 0x401f6c 0x4018d8 0x401e97 0x401ea0 0x401ea3 0x401eab 0x401eb8 0x401ec0 0x401e4c 0x401e55 0x401e5f 0x401e6d 0x401e75 0x401ecd 0x401dec 0x401640 0x401694 0x401698 0x401398 0x4013a7 0x4013ba 0x4011f4 0x401200 0x40120c 0x401217 0x401226 0x40123a 0x401260 0x401e02 0x401d60 0x401d14 0x401d5d 0x401294 0x4012b0 0x4012d2 0x4012e7 0x4012ed 0x4012f6 0x4012fe 0x401d90 0x401da0 0x401db7 0x401dc0 0x401ab8 0x401ad5 0x401ada
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x433446
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x8a0626
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x8a0659
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4334db
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4336b2
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4336f8
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x43364a
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x404cf0
9. GetKeyboardType at 0x77d6fa46 in USER32.DLL called from 0x40313c
10. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401108
11. RegOpenKeyExA at 0x77dd761b in ADVAPI32.DLL called from 0x401158
12. LoadStringA at 0x77d6ec98 in USER32.DLL called from 0x401138
13. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4011d4
14. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4011b4
- dot file
- jpg

MD5 checksum	2725f0631f9509d9e2502ca9abd67980
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x49baea 0x49baf1 0x49bae0 0x49bae6 0x49baf3 0x49baf8 0x49bb03 0x49bb09 0x49bb33 0x49bb3a 0x49bb45 0x49bb56 0x49bb58 0x49bb64 0x49bb24 0x49bb2f 0x49bb85 0x49bba4 0x49bbb3 0x49bb4b 0x49bb5d 0x49bb96 0x49bb9f 0x49bb14 0x49bb20 0x49bb28 0x49bb19 0x49bafc 0x49bb0b 0x49bb66 0x49bb71 0x49bb77 0x49bb82 0x49bb6a 0x49bb79 0x49bb4f 0x49bbba 0x49bbc2 0x49bbc7 0x49bbcb 0x49bbd0 0x49bbee 0x49bbfa 0x49bc10 0x49bc18 0x49bc23 0x49bc27 0x49bc2e 0x49bc32 0x49bc11 0x49bc58 0x49bc6d 0x49bc73 0x49bc79 0x453e3d 0x45ef9a 0x45efca 0x45efd5 0x45efe1 0x45efe9 0x45eff1 0x45effd 0x45f010 0x45f01b 0x453e42 0x453c5e 0x45570c 0x453c6a 0x453c78 0x453c8f 0x453c96 0x453ca9 0x453cb2 0x453cc7 0x453ce4 0x453ceb 0x453cf9 0x453c1d 0x453c28 0x453c39 0x453c44 0x453c4d 0x453d28 0x457c57 0x457c6e 0x457c7a 0x457bfc 0x44eb00 0x44eb28 0x44eb31 0x457c13 0x457c25 0x44eb37 0x44eb5f 0x44eb67 0x457c2e 0x457c40 0x457c47 0x457c4d 0x457c7f 0x457cad 0x453d34 0x453d41 0x454d93 0x454d9f 0x454dae 0x454dbd 0x454dca 0x454dd7 0x454de4 0x454e0e 0x454e32 0x454e38 0x454e46 0x454e4f 0x454e57 0x44ed27 0x454998 0x45492a 0x454939 0x45493d 0x45495e 0x454969 0x45496f 0x4548be 0x4548d9 0x4548e4 0x4548ec 0xmulti 0x451670 0x451680 0x4516b4 0x45490a 0x454910 0x451686 0x45168a 0x45491c 0x454922 0x454974 0x454978 0x454984 0x454988 0x45498e 0x45499f 0x44ed2d 0x44ed73 0x44ed35 0x455ccd 0x44ed3b 0x454f17 0x44ed41 0x455cc3 0x44ed47 0x455cb9 0x44ed4d 0x455aaf 0x44ed53 0x44ed59 0x45593f 0x455949 0x44ed5f 0x44ed69 0x454e5c 0x454e67 0x454e77 0x454e87 0x454e97 0x4553bc 0x4553c5 0x4553cf 0x455ce7 0x455cf3 0x4549a1 0x4549b0 0x4549b4 0x4549d5 0x4549e0 0x4549e6 0x4549eb 0x4549ef 0x4549fb 0x4549ff 0x454a05 0x455d03 0x455d0a 0x455d13 0x455d25 0x455d2b 0x455d36 0x455d3a
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x49bc0a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x49bc28
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x49bc56
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x49bc6b
5. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x45efcf
6. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x45efdb
7. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x45efe3
8. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x45efeb
9. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x45eff7
10. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x453c72
11. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x453c8d
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x453c90
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x453cac
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x453ce2
15. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x453ce5
16. HeapCreate at 0x7c812929 in kernel32.dll called from 0x457c68
17. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x454d99
18. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x454dbb
19. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x454dc8
20. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x454dd5
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x454de2
22. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x454e32
23. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x454e4d
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x454937
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x454963
26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4548e6
27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x45497e
28. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x45498c
29. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4549ae
30. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4549da
31. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4549f5
32. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x454a03
33. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x455d30
34. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x455d40
35. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x455d66

MD5 checksum	275801d38f5c7e13cfde62750c6039f5
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x405abe 0x40cb22 0x40cb54 0x40cb5f 0x40cb6b 0x40cb73 0x40cb7b 0x40cb87 0x40cb9a 0x40cba5 0x40cbb4 0x405ac3 0x40596d 0x4068e0 0x405979 0x405987 0x405998 0x4059a6 0x4059af 0x4059c3 0x406939 0x406954 0x40695f 0x4059ca 0x4059d7 0x408ffd 0x40900d 0x409018 0x409022 0x409030 0x40903d 0x40904a 0x409057 0x409081 0x4090a5 0x4090ab 0x4090b9 0x4090c2 0x4090ca 0x406c53 0x408c5f 0x408bed 0x408c01 0x408c05 0x408c26 0x408c32 0x408c41 0x408c4d 0x408c51 0x408c56 0x408c59 0x408c66 0x406c5b 0x406f10 0x406c63 0x40cbb8 0x406c69 0x407dff 0x406c6f 0x40d1d7 0x406c75 0x40d1c8 0x406c7b 0x40cfb6 0x406c81 0x406c87 0x40c423 0x40c42d 0x406c8d 0x406c97 0x4090cf 0x4090da 0x4090ea 0x4090fa 0x40910a 0x405c6d 0x405c78 0x405c82 0x40cbc7 0x40cbd3 0x40cbe3 0x40cc17 0x406925 0x40cc26 0x405c9a 0x405ca0 0x405ca6 0x405ca9 0x409117 0x40911b 0x408c68 0x408c7c 0x408c80 0x408ca1 0x408cad 0x408cbc 0x408cc8 0x408ccc 0x408cd1 0x408cd4 0x40912b 0x408cda 0x408ce0 0x40912e 0x409138 0x40b5ad 0x40f36f 0x40f37b 0x40f384 0x40f3b2 0x40f3c2 0x40f3cc 0x40f420 0x40f424 0x40f433 0x40f435 0x40f485 0x40f48c 0x40b5c3 0x40b5f3 0x409144 0x40914c 0x408c8a 0x408c93 0x408c95 0x40915e 0x409161 0x409165 0x408d54 0x408d60 0x408d6c 0x408d77 0x408d8e 0x408d9c 0x408dac 0x408db2 0x405de9 0x405e11 0x405e19 0x408dd1 0x408ddf 0x408e29 0x405d0f 0x405d24 0x408e30 0x408deb 0x408df2 0x408e00 0x408e08 0x408a11 0x408a25 0x408a32 0x408a3f 0x408a4c 0x408a59 0x408a63 0x408a6c 0x408a75 0x408a85 0x408a8d 0x408a9b 0x408e10 0x408e32 0x408e39 0x408e1d 0x408e22 0x40916d 0x409175 0x409187 0x4059dc 0x4059e8 0x40cad6 0x40caf9 0x4059ed 0x40a86b 0x40a877 0x40a886 0x40a898 0x40a8a2 0x40a8e5 0x40a8b5 0x40a8e9 0x40a9fd 0x40a9ff 0x40aa1c 0x40aa24 0x40aa33 0x40aa3a 0x40aa41 0x40aa45 0x40aa4c 0x40aa50 0x40aa5c 0x40aa6b 0x40aa79 0x40aa7f 0x40aa8e 0x40aa29 0x40aa62 0x40aa98 0x40aaa4 0x40aab9 0x40aabe 0x4059f6 0x405a02 0x40cad0 0x405a07 0x40ca79 0x40ca82 0x40ca8e 0x40ca93 0x40ca9a 0x40caa1 0x40b568 0x403e58 0x403e62 0x403e96 0x403eb0 0x40b579 0x40b5a7 0x40caaf 0x40cac3 0x403ec0 0x403ed8 0x403ee0 0x403ee8 0x403f07 0x403f0f 0x403f1a 0x403f1c 0x404058 0x40cacb 0x40cab6 0x40cabd 0x405a11 0x40c9cb 0x40c9f1 0x40ca00 0x40ca09 0x40c87a 0x40c89f 0x40c8a5 0x40c8d0 0x40c8b8 0x40c8c6 0x40c8d4 0x40c8da 0x40c90c 0x40c8ea 0x40c8ee 0x40c9bc 0x40c9c5 0x40ca1a 0x40ca27 0x40ca32 0x40ca3d 0x403de9 0x403dfb 0x403e24 0x403e2e 0x403e32 0x403e39 0x40c896 0x40c8be 0x40c9c3 0x40ca5c 0x40ca74 0x405a1b 0x405a27 0x40c79c 0x40c7c6 0x40c7b4 0x40c7bb 0x40a58c 0x40a594 0x40a59e 0x40c7c1 0x40c7ba 0x40c7ce 0x40c7d8 0x40c7eb 0x40c837 0x40c7f3 0x40c7f9 0x40c834 0x40c803 0x40c80b 0x40c813 0x40a4dd 0x40a4ee 0x40a513 0x40a521 0x40a523 0x40a532 0x40a535 0x40a50e 0x40c81b 0x40c831 0x40c83d 0x404225 0x404231 0x404238 0x404284 0x404293 0x4042ad 0x4042b2 0x40c848 0x40c85f 0x40c860 0x405a2c 0x405a38 0x406a58 0x406a66 0x40a420 0x40a390 0x40a3a6 0x40a3b3 0x40a466 0x40a46d 0x40a3d0 0x40a3f2 0x40a3f5 0x40a3fc 0x40a405 0x40a40f 0x40a480 0x40a487 0x406a70 0x406a75 0x4106e7 0x410687 0x4106f1 0x41124e 0x411259 0x41125d 0x411269 0x41126d 0x411271 0x4106f6 0x410701 0x4111e5 0x41170f 0x41175b 0x41176f 0x41334d 0x413366 0x413369 0x41336e 0x413371 0x413376 0x413379 0x41337e 0x413381 0x413386 0x413389 0x41338e 0x413394 0x4133cb 0x4133cf 0x4133d7 0x4133e5 0x4133f3 0x4134bc 0x413657 0x411774 0x4111fa 0x41120e 0x410706 0x406a7e 0x406a7f 0x40cf95 0x408c0f 0x408c18 0x408c1a 0x408c1e 0x40cfa8 0x40cf9b 0x40cfb3 0x406a84 0x406a34 0x406a50 0x406a41 0x406a45 0x406a4d 0x406a4b 0x404e73 0x404e80 0x404e8d 0x404e92 0x404e9a 0x404ec3 0x404ed1 0x404ecc 0x404ee2 0x404eed 0x404f09 0x404f0d 0x404f13 0x404f1f 0x405c60 0x405bfe 0x405c24 0x405c43 0x405c4d 0x405bae 0x405bba 0x405bee 0x405bfd 0x405c52 0x405c56 0x405c5d 0x405c65 0x4088aa 0x4088b3 0x408710 0x40871c 0x408eb4 0x408e3b 0x408e45 0x408ce3 0x408cf2 0x408d13 0x408e52
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40cb59
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x40cb65
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40cb6d
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40cb75
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x40cb81
6. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40694e
7. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x409007
8. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40902e
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40903b
10. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x409048
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x409055
12. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x4090a5
13. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x4090c0
14. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408bff
15. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x408c2c
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408c47
17. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x408c54
18. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x40cbdd
19. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408c7a
20. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x408ca7
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408cc2
22. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x408ccf
23. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x408cda
24. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40f42d
25. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408c91
26. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408c93
27. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40915f
28. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x408d66
29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408d9a
30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408daa
31. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x405e13
32. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x408dd9
33. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x405d1e
34. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x408a23
35. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x408a99
36. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40916f
37. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40a880
38. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x40aa34
39. GetFileType at 0x7c811069 in kernel32.dll called from 0x40aa46
40. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x40aa9e
41. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x40cad0
42. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40ca7c
43. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403e60
44. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40cab7
45. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x40c9eb
46. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40428d
47. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x411253
48. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x411263
49. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x41126f
50. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408c16
51. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408c18
52. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x408e3f
53. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408cec
54. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408e52

MD5 checksum	2770c3288765be86ffff598680ae3361
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x49357a 0x493581 0x493570 0x493576 0x493583 0x493588 0x493593 0x493599 0x4935c3 0x4935ca 0x4935d5 0x4935e6 0x4935e8 0x4935f4 0x4935b4 0x4935bf 0x493615 0x493634 0x493643 0x4935db 0x4935ed 0x493626 0x49362f 0x4935a4 0x4935b0 0x49359b 0x4935f6 0x493601 0x493607 0x493612 0x4935b8 0x4935df 0x49358c 0x4935a9 0x4935fa 0x493609 0x49364a 0x493652 0x493657 0x49365b 0x493660 0x49367e 0x49368a 0x4936a0 0x4936a8 0x4936b3 0x4936b7 0x4936be 0x4936c2 0x4936a1 0x4936e8 0x4936fd 0x493703 0x493709 0x450cad 0x45be0a 0x45be3a 0x45be45 0x45be51 0x45be59 0x45be61 0x45be6d 0x45be80 0x45be8b 0x450cb2 0x450ace 0x4524fc 0x450ada 0x450ae8 0x450aff 0x450b06 0x450b19 0x450b22 0x450b37 0x450b54 0x450b5b 0x450b69 0x450a8d 0x450a98 0x450aa9 0x450ab4 0x450abd 0x450b98 0x454957 0x45496e 0x45497a 0x4548fc 0x44b97a 0x44b9a2 0x44b9ab 0x454913 0x454925 0x44b9b1 0x44b9d9 0x44b9e1 0x45492e 0x454940 0x454947 0x45494d 0x45497f 0x4549ad 0x450ba4 0x450bb1 0x451b83 0x451b8f 0x451b9e 0x451bad 0x451bba 0x451bc7 0x451bd4 0x451bfe 0x451c22 0x451c28 0x451c36 0x451c3f 0x451c47 0x44bba1 0x451788 0x45171a 0x451729 0x45172d 0x45174e 0x451759 0x45175f 0x4516ae 0x4516c9 0x4516d4 0x4516dc 0x 0x44e570 0x44e580 0x44e5b4 0x4516fa 0x451700 0x44e586 0x44e58a 0x45170c 0x451712 0x451764 0x451768 0x451774 0x451778 0x45177e 0x45178f 0x44bba7 0x44bbed 0x44bbaf 0x452abd 0x44bbb5 0x451d07 0x44bbbb 0x452ab3 0x44bbc1 0x452aa9 0x44bbc7 0x45289f 0x44bbcd 0x44bbd3 0x45272f 0x452739 0x44bbd9 0x44bbe3 0x451c4c 0x451c57 0x451c67 0x451c77 0x451c87 0x4521ac 0x4521b5 0x4521bf 0x452ad7 0x452ae3 0x451791 0x4517a0 0x4517a4 0x4517c5 0x4517d0 0x4517d6 0x4517db 0x4517df 0x4517eb 0x4517ef 0x4517f5 0x452af3 0x452afa 0x452b03 0x452b15 0x452b1b 0x452b26 0x452b2a
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x49369a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4936b8
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4936e6
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4936fb
5. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x45be3f
6. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x45be4b
7. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x45be53
8. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x45be5b
9. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x45be67
10. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x450ae2
11. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x450afd
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x450b00
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x450b1c
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x450b52
15. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x450b55
16. HeapCreate at 0x7c812929 in kernel32.dll called from 0x454968
17. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x451b89
18. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x451bab
19. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x451bb8
20. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x451bc5
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x451bd2
22. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x451c22
23. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x451c3d
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x451727
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x451753
26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4516d6
27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x45176e
28. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x45177c
29. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x45179e
30. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4517ca
31. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4517e5
32. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x4517f3
33. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x452b20
34. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x452b30
35. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x452b56

MD5 checksum	27749ecdeaacda05e2a7325f858d781a
Anti-virus name	W32/Dropper.EUQ (exact, not disinfectable),Backdoor.Generic.70035
PEiD packer signature	Nothing found [RAR SFX] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x403894 0x410068 0x413a18 0x410077 0x413aae 0x41008f 0x410089 0x4100a3 0x4038ab 0x413a1e 0x4038b0 0x4038b6 0x4038bf 0x40f735 0x40f72a 0x40f734 0x40f73d 0x4038cc 0x4038ce 0x4038d6 0x40f76c 0x40f78c 0x40f774 0x40f784 0x40f778 0x40f783 0x40f78b 0x40f792 0x4038e2 0x4038f1 0x40396e 0x403975 0x40397b 0x40397e 0x413a5a 0x40398f 0x413ae4 0x40399e 0x413a60 0x4039a5 0x413c2e 0x40f79e 0x40f79a 0x40f7a4 0x404f68 0x413a0c 0x404f75 0x404f7f 0x4050b1 0x4050b6 0x4050c0 0x404f96 0x40f7c4 0x40f7c7 0x40f7cf 0x404fa2 0x404fad 0x404c75 0x40f73b 0x402d8d 0x402d93 0x413a6c 0x402d9e 0x413bce 0x408a6c 0x408a6f 0x408a73
Windows API calls issued from malware code
1. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x413a18
2. IsDBCSLeadByte at 0x7c80b664 in kernel32.dll called from 0x413aae
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x413a1e
4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x413a5a
5. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x7c80b379
6. RtlUnicodeStringToAnsiString at 0x7c9130c6 in ntdll.dll called from 0x7c80b3c1
7. memmove at 0x7c90253a in ntdll.dll called from 0x7c80b3e7
8. RtlFreeUnicodeString at 0x7c910976 in ntdll.dll called from 0x7c80b3f4
9. SetEnvironmentVariableA at 0x7c8226a9 in kernel32.dll called from 0x413ae4
10. RtlInitString at 0x7c90125c in ntdll.dll called from 0x7c8226c0
11. RtlAnsiStringToUnicodeString at 0x7c90f04c in ntdll.dll called from 0x7c8226d2
12. RtlSetEnvironmentVariable at 0x7c926eb5 in ntdll.dll called from 0x7c822715
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x413a60
14. LoadIconA at 0x77d521ae in USER32.dll called from 0x413c2e
15. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x413a0c
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x413a6c
17. GetClassNameA at 0x77d4e032 in USER32.dll called from 0x413bce
CFG at exit
- dot file
- jpg

MD5 checksum	27d7b89bbc8ced2faccb78a14ffb5aab
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x4711d8 0x4711dd 0x4712a4 0x4712a8 0x4712b2 0x4712d2 0x4712dc 0x4712eb 0x4712fc 0x47133a 0x471353 0x471477 0x4714a2 0x4714d0 0x47146f 0x4714b7 0x4714e8 0x471508 0x471c30 0x471322 0x47132c 0x47148a 0x471494 0x471530 0x471573 0x4715df 0x471617 0x471635 0x471673 0x47167d 0x471689 0x47169f 0x4716c5 0x4713ad 0x4713c4 0x471406 0x47141e 0x471461 0x471441 0x471515 0x47151c 0x47155d 0x471567 0x47158d 0x471853 0x471871 0x471883 0x471924 0x47195d 0x47196a 0x471995 0x4719a9 0x4719d6 0x4719e1 0x471a01 0x471a12 0x471a31 0x471a5c 0x471a70 0x471a9d 0x471a44 0x471a4e 0x471a88 0x471aa8 0x471ab7 0x471acf 0x471b41 0x471b4e 0x471b7c 0x471bac 0x471bcb 0x471b91 0x471bde 0x471be8 0x471bf9 0x471c10 0x471c21 0x4713ee 0x4713f8 0x47185b 0x471865 0x47143f 0x47197d 0x471987 0x4719c1 0x471b64 0x471b6e 0x471a0d 0x471526 0x4716ff 0x471837 0x471601 0x47160b 0x471718 0x47174e 0x47178b 0x4717c3 0x4717dd 0x471823 0x47182b 0x4718b2 0x4718e0 0x47192e 0x471768 0x471aeb 0x471aee 0x471b10 0x471b23 0x471b1c 0x471b26 0x4717ad 0x4717b7 0x4717fd 0x471af8 0x471b02 0x471738 0x471742 0x4718ca 0x4718d4 0x4718f3 0x47146d 0x471c41 0x471c60 0x471c7f 0x471c97 0x471c9c 0x471cdc 0x471cbd 0x471ce6 0x471caa 0x471cb3 0x471cb7 0x471cc3 0x471cc8 0x471ceb 0x471cf7 0x471d0d 0x471d15 0x471d20 0x471d24 0x471d2b 0x471d2f 0x471d0e 0x471d55 0x471d6a 0x471d70 0x471d76 0x441e5e 0x4568a8
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x471d07
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x471d25
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x471d53
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x471d68
CFG at exit
- dot file
- jpg

MD5 checksum	27edf381cb42a6489045c53d141c69aa
Anti-virus name	W32/Swizzor.D.gen!Eldorado (generic, not disinfectable),Trojan.Swizzor-79,Trojan.Swizzor.2

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x402dc8 0x40fdda 0x40fe0c 0x40fe17 0x40fe23 0x40fe2b 0x40fe33 0x40fe3f 0x40fe52 0x40fe5d 0x40fe6c 0x402dcd 0x402c4b 0x40f368 0x402c57 0x402c66 0x402c7a 0x402c8b 0x402c99 0x402ca2 0x402cb5 0x4090aa 0x4090c5 0x4090d0 0x402cbe 0x402ccb 0x4189d1 0x4189e1 0x4189ec 0x4189f6 0x418a04 0x418a11 0x418a1e 0x418a2b 0x418a55 0x418a79 0x418a7f 0x418a8d 0x418a96 0x418a9e 0x411da7 0x418633 0x4185c1 0x4185d5 0x4185d9 0x4185fa 0x418606 0x418615 0x418621 0x418625 0x41862a 0x41862d 0x41863a 0x411daf 0x4211b2 0x411db7 0x406f87 0x411dbd 0x40c6ff 0x411dc3 0x41be24 0x411dc9 0x406055 0x411dcf 0x417742 0x411dd5 0x411ddb 0x41169d 0x4116a7 0x411de1 0x411deb 0x418aa3 0x418aae 0x418abe 0x418ace 0x418ade 0x415fd3 0x415fde 0x415fe8 0x406f96 0x406fa2 0x406fb2 0x406fe6 0x40f3ad 0x406ff5 0x416000 0x416006 0x41600c 0x41600f 0x418aeb 0x418aef 0x41863c 0x418650 0x418654 0x418675 0x418681 0x418690 0x41869c 0x4186a0 0x4186a5 0x4186a8 0x418aff 0x4186ae 0x4186b4 0x418b02 0x418b0c 0x4028b1 0x41daeb 0x41daf7 0x41db00 0x41db2e 0x41db3e 0x41db48 0x41db9c 0x41dba0 0x41dbaf 0x41dbb1 0x41dc01 0x41dc08 0x4028c7 0x4028f7 0x418b18 0x418b20 0x41865e 0x418667 0x418669 0x418b32 0x418b35 0x418b39 0x418728 0x418734 0x418740 0x41874b 0x418762 0x418770 0x418780 0x418786 0x41614f 0x416177 0x41617f 0x4187a5 0x4187b3 0x4187fd 0x416075 0x41608a 0x418804 0x4187bf 0x4187c6 0x4187d4 0x4187dc 0x41ab97 0x41abab 0x41abb8 0x41abc5 0x41abd2 0x41abdf 0x41abe9 0x41abf2 0x41abfb 0x41ac0b 0x41ac13 0x41ac21 0x4187e4 0x418806 0x41880d 0x4187f1 0x4187f6 0x418b41 0x418b49 0x418b5b 0x402cd0 0x402cdc 0x406cc3 0x406ce6 0x402ce1 0x409b24 0x409b30 0x409b3f 0x409b51 0x409b5b 0x409b9e 0x409b6e 0x409ba2 0x409cb6 0x409cb8 0x409cd5 0x409cdd 0x409cec 0x409cf3 0x409cfa 0x409cfe 0x409d05 0x409d3d 0x409d47 0x409ce2 0x409d09 0x409d1b 0x409d24 0x409d32 0x409d38 0x409d51 0x409d5d 0x409d72 0x409d77 0x402ce9 0x402cf5 0x4142f6 0x402cfa 0x402dd2 0x402ddb 0x402de7 0x402dec 0x402df3 0x402dfa 0x40286c 0x411255 0x411267 0x411290 0x41129a 0x41129e 0x4112a5 0x4112c4 0x4112ce 0x411302 0x41131c 0x40287d 0x4028ab 0x402e08 0x402e1c 0x409e70 0x409e88 0x409e90 0x409e98 0x409eb7 0x409ebf 0x409eca 0x409ecc 0x40a008 0x402e24 0x402e0f 0x402e16 0x402d04 0x40c4df 0x40c505 0x40c514 0x40c51d 0x40c38e 0x40c3b3 0x40c3b9 0x40c3e4 0x40c3cc 0x40c3da 0x40c3e8 0x40c3ee 0x40c420 0x40c3fe 0x40c402 0x40c4d0 0x40c4d9 0x40c52e 0x40c53b 0x40c546 0x40c551 0x40c557 0x40c55e 0x40c3aa 0x40c3d2 0x40c4d7 0x40c570 0x40c588 0x402d0e 0x402d1a 0x40f4e6 0x40f510 0x40f4fe 0x40f505 0x410f2c 0x410f34 0x410f3e 0x40f50b 0x40f504 0x40f518 0x40f522 0x40f535 0x40f581 0x40f53d 0x40f543 0x40f57e 0x40f54d 0x40f555 0x40f55d 0x412951 0x412962 0x412987 0x412995 0x412997 0x4129a6 0x4129a9 0x412982 0x40f565 0x40f57b 0x40f587 0x40dfc4 0x40dfd0 0x40dfd7 0x40e023 0x40e032 0x40e04c 0x40e051 0x40f592 0x40f5a9 0x40f5aa 0x402d1f 0x402d2b 0x411bac 0x411bd3 0x41c854 0x4185e3 0x4185ec 0x4185ee 0x4185f2 0x41c867 0x41c85a 0x41c872 0x411bd8 0x411b88 0x411ba4 0x411b95 0x411b99 0x411ba1 0x411b9f 0x419bc2 0x419bcb 0x419a28 0x419a34 0x418888 0x41880f 0x418819 0x4186b7 0x4186c6 0x4186e7 0x418826 0x418828 0x41887c 0x418883 0x418890 0x41889e 0x419a3d 0x41969c 0x4196a8 0x4196ad 0x4196d6 0x4196dd 0x419726 0x419737 0x41973e 0x40e036 0x41a169 0x41a16e 0x41a178 0x40e03b 0x40e043 0x41a127 0x41a131 0x41a13a 0x41a14d 0x40e049 0x4026e0 0x402719 0x414512 0x41451a 0x402729 0x402736 0x4027ac
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40fe11
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x40fe1d
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40fe25
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40fe2d
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x40fe39
6. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x402c60
7. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4090bf
8. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x4189db
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x418a02
10. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x418a0f
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x418a1c
12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x418a29
13. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x418a79
14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x418a94
15. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4185d3
16. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x418600
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41861b
18. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x418628
19. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x406fac
20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x41864e
21. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x41867b
22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x418696
23. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x4186a3
24. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x4186ae
25. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x41dba9
26. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x418665
27. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x418667
28. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x418b33
29. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x41873a
30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41876e
31. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41877e
32. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x416179
33. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x4187ad
34. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x416084
35. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x41aba9
36. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x41ac1f
37. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x418b43
38. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x409b39
39. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x409ced
40. GetFileType at 0x7c811069 in kernel32.dll called from 0x409cff
41. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x409d57
42. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x4142f6
43. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x402dd5
44. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4112cc
45. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x402e10
46. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x40c4ff
47. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40e02c
48. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4185ea
49. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4185ec
50. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x418813
51. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4186c0
52. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x418826
53. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x41887d
54. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x40e03d

MD5 checksum	27f21030edbe5b6eb6287faede118577
Anti-virus name	W32/Dropper.ACBE (exact, dropper),Trojan.Generic.984210

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x11006ee0 0x11006e58 0x11006e76 0x11006e81
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x11006e52
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x11006e70
3. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x11006e81
CFG at exit
- dot file
- jpg

MD5 checksum	280d2f0ee536660eb45f88cacb1e83dd
Anti-virus name	Trojan.Dropper-3074,Dropped:Trojan.Downloader.Small.2
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40ab5c 0x412242 0x412272 0x41227d 0x412289 0x412291 0x412299 0x4122a5 0x4122b8 0x4122c3 0x4122d2 0x40ab61 0x40a97c 0x40d110 0x40a988 0x40a996 0x40a9ad 0x40a9b4 0x40a9c7 0x40a9d0 0x40a9e5 0x40aa02 0x40aa09 0x40aa17 0x40a93b 0x40a946 0x40a957 0x40a962 0x40a96b 0x40aa46 0x41122b 0x411242 0x41124e 0x4111d0 0x40a152 0x40a17a 0x40a183 0x4111e7 0x4111f9 0x40a189 0x40a1b1 0x40a1b9 0x411202 0x411214 0x41121b 0x411221 0x411253 0x411281 0x40aa52 0x40aa5f 0x40bac6 0x40bad2 0x40bae1 0x40baf0 0x40bafd 0x40bb0a 0x40bb17 0x40bb41 0x40bb65 0x40bb6b 0x40bb79 0x40bb82 0x40bb8a 0x40a365 0x40b6dd 0x40b67a 0x40b689 0x40b68d 0x40b6ae 0x40b6b9 0x40b6bd 0x40b6c9 0x40b6cd 0x40b6d3 0x40b6d7 0x40b6e4 0x40a36b 0x40c0b8 0x40a373 0x410a4d 0x40a379 0x407db5 0x40a37f 0x410a43 0x40a385 0x410a39 0x40a38b 0x41082f 0x40a391 0x40a397 0x40d0fc 0x40d106 0x40a39d 0x40a3a7 0x40bb8f 0x40bb9a 0x40bbaa 0x40bbba 0x40bbca 0x410621 0x41062a 0x410634 0x410a67 0x410a73 0x40b6e6 0x40b6f5 0x40b6f9 0x40b71a 0x40b725 0x40b729 0x40b735 0x40b739 0x40b73f 0x40b743 0x410a83 0x410a8a 0x410a93 0x410aa5 0x410aab 0x410ab6 0x410aba 0x410ac6 0x410ad1 0x410ad7 0x410add 0x410ae8 0x410b1c 0x40d155 0x410b2b 0x41064c 0x410652 0x410658 0x41065b 0x40bbd7 0x40bbdb 0x40bbeb 0x40b749 0x40b74f 0x40bbee 0x40bbf8 0x40d59e 0x413557 0x413563 0x41356c 0x41359a 0x4135aa 0x4135b4 0x413608 0x41360c 0x41361b 0x41361d 0x41366d 0x413674 0x40d5b1 0x40d5e1 0x40bc04 0x40bc0c 0x40b703 0x40b70c 0x40b70e 0x40bc1e 0x40bc21 0x40bc25 0x40b7ed 0x40b7f9 0x40b804 0x40b81b 0x40b829 0x40b839 0x40b83f 0x40b85f 0x410797 0x4107bd 0x4107c5 0x40b866 0x40b875 0x40b87d 0x40e58a 0x40e59b 0x40e5a8 0x40e5b5 0x40e5c2 0x40e5cf 0x40e5d5 0x40e5de 0x40e5e7 0x40e5f7 0x40e5fd 0x40e60b 0x40b885 0x40b898 0x4106bf 0x4106d2 0x40b89f 0x40b892 0x40b897 0x40bc2d 0x40bc35 0x40bc47 0x40aa64 0x40aa70 0x4107c8 0x4107e9 0x40aa75 0x40fec5 0x40fed1 0x40fee0 0x40fef2 0x40fefc 0x40ff38 0x40ff0f 0x40ff3c 0x410043 0x410045 0x410062 0x41006a 0x410079 0x410080 0x410087 0x41008b 0x410092 0x4100ca 0x4100d4 0x41006f 0x410096 0x4100a8 0x4100b1 0x40b712 0x4100bf 0x4100c5 0x4100de 0x4100ea 0x4100ff 0x410104 0x40aa7d 0x40aa89 0x40aa8f 0x41210d 0x412129 0x41212b 0x412131 0x41215f 0x412172 0x412179 0x412180 0x412187 0x4121a0 0x4121a6 0x40d55e 0x40a854 0x40a862 0x40a88f 0x40a899 0x40a89d 0x40a8a4 0x40a8c5 0x40a8ce 0x40a8fa 0x40d56b 0x40d599 0x4121ac 0x4121b5 0x4121c2 0x4121d4 0x4121d8 0x4121df 0x41223b 0x40aa99 0x412054 0x412067 0x40e42c 0x40e435 0x40e292 0x40e29e 0x40b924 0x40b8a1 0x40b8a9 0x40b76d 0x40b779 0x40b796 0x40b8b0 0x40b8c2 0x40b8c4 0x40b918 0x40b91f 0x40b92a 0x40b938 0x40e2a7 0x40dfc9 0x40dfd5 0x40dfda 0x40e003 0x40e00a 0x40e053 0x40e064 0x40e06b 0x40e05f 0x40dfef 0x40dffb 0x40e002 0x40e2b1 0x40e06d 0x408a46 0x408a55 0x408a5a 0x408a84 0x408aa5 0x408aae 0x408ac2 0x40e07f 0x40e0a8 0x40e0ad 0x40e0bd 0x40e09a 0x40e09f 0x40e0e4 0x40e2bc 0x40e2c8 0x40e2d2 0x40e2dd 0x40e0e7 0x40e0bf 0x40e0d6 0x40e0db 0x40e0e2 0x40e105 0x40e11e 0x40e123 0x40e12b 0x40e138 0x40e143 0x40e14b 0x40b600 0x40b60c 0x40b616 0x40b61e 0x40b62c 0x40b634 0x40b647 0x40b65f 0x40b665 0x40b66f 0x40e15a 0x40e267 0x40e26a 0x40e226 0x40de3f 0x40de69 0x40de76 0x40de78 0x40de84 0x40debd 0x41477b 0x41478c 0x4145c3 0x4145e2 0x4145f6 0x4145fa 0x414636 0x414646 0x414669 0x414673 0x414675 0x41467d 0x414688 0x40f510 0x415390 0x4153a4 0x4153a8 0x41468d 0x414693 0x4146ac 0x4146af 0x4146b1 0x4146b5 0x4146c1 0x4146d3 0x4146d7 0x4146e5 0x4146e8 0x408f4d 0x408f55 0x408f67 0x4146ee 0x414769 0x407c3d 0x407c45 0x414779 0x4147a9 0x4147b2 0x4147b9 0x40deda 0x40eaf2 0x40eb03 0x40e750 0x40e76f 0x40e786 0x40e78a 0x40e7a7 0x40e7ac 0x40e7b2 0x40e7b7 0x40e7bc 0x40e7bf 0x40e7cb 0x40e7ce 0x40e7dc 0x40e7e4 0x40e7ed 0x40e7fd 0x40e820 0x40e82a 0x40e82c 0x40e838 0x40e843 0x40e848 0x40e84e 0x40e867 0x40e86a 0x40e872 0x40e87b 0x40e88c 0x40e894 0x40e8a8 0x40e8b5 0x40e8e6 0x40e8ea 0x40e8f6 0x40e901 0x40e906 0x40e90c 0x40e931 0x40e935 0x40e949 0x40e94d 0x40e958 0x40e95e 0x40e96c 0x40e96f 0x40e975 0x40e976 0x40e97e 0x40eae0 0x40eaf0 0x40eb23 0x40eb2c 0x40eb33 0x40defa 0x40df1f 0x40df24 0x40df3c 0x40df56 0x40df5e 0x40df2e 0x40df4d 0x40df41 0x40df63 0x40dfb2 0x40dfc1 0x40e22d 0x40e117 0x40e283 0x40e290 0x40e2f5 0x40e302 0x40e30e 0x40e312 0x40e323 0x40e32f 0x40e339 0x40e346 0x40e34d 0x40e36c 0x40e374 0x40e384 0x40e386 0x40e390 0x40e39d 0x40e39f 0x40e3a9 0x40e3b9 0x40e3c5 0x40e3dc 0x40e3e5 0x40e3f3 0x40e3fa 0x40e3f1 0x40e423 0x40e42b 0x40e43c 0x40e447 0x41206c 0x412084 0x412093 0x41209d 0x411ebc 0x411ee2 0x411ee5 0x411eea 0x411f36 0x411efa 0x411f08 0x415ceb 0x415c9a 0x415cab 0x415cbb 0x415cd3 0x415cd5 0x415cdc 0x415ce2 0x415ce9 0x415cfa 0x411f14 0x411f2c 0x411f3c 0x411f41 0x411f68 0x411f4e 0x411f52 0x412044 0x412050 0x4120ae 0x4120bb 0x4120c3 0x4120cf 0x4120d5 0x4120dc 0x411ed9 0x411f00 0x41204d 0x4120ef 0x412108 0x40aaa3 0x40aaaf 0x411de1 0x411df3 0x411e17 0x411e07 0x411e0c 0x40ab70 0x40aba0 0x40abb8 0x40abbf 0x40abc3 0x40abca 0x40abd3 0x411e12 0x40abe7 0x40ab7c 0x40ab85 0x40ab8d 0x40abdd 0x411e0b 0x40abf1 0x411e1d 0x411e26 0x411e34 0x411e7d 0x411e3d 0x411e43 0x411e7b 0x411e4c 0x411e54 0x411e5c 0x408ee8 0x408ef5 0x408f18 0x408f24 0x408f26 0x408f30 0x408f33 0x408f47 0x411e64 0x411e78 0x411e81 0x40a777 0x40a783 0x40a78a 0x40a7d6 0x40a7e5 0x40a7ff 0x40a804 0x411e8c 0x411ea2 0x40aab4 0x40aac0 0x40a1c5 0x40a1e8 0x410810 0x40b697 0x40b6a0 0x40b6a2 0x40b6a6 0x410821 0x410814 0x41082c 0x40a1ed 0x40a132 0x40a14a 0x40a13b 0x40a13f 0x40a147 0x40a145 0x40b5c4 0x4088b5 0x4088bf 0x4088c7 0x4088dd 0x40d72a 0x40d737 0x40d744 0x40d749 0x40d751 0x40d77a 0x40d788 0x40d783 0x40d799 0x40d7a4 0x40d7c0 0x40d7c8 0x40d7ca 0x40d7c4 0x40d7d6 0x4131d6 0x415d5b 0x415d7f 0x415d9e 0x415da8 0x415d0b 0x415d17 0x415d4b 0x415d5a 0x415dad 0x415db1 0x415db8 0x4131e2 0x415dbb 0x415dc0 0x412342 0x41234d 0x412353 0x40a150 0x40a1fc 0x40a202 0x408920 0x4088e4 0x4088f0 0x40a108 0x40a10f 0x4088f5 0x408808 0x408818 0x408829 0x408831 0x40883d 0x40d681 0x40d68d 0x40d6ba 0x40d6fb 0x40d709 0x40d712
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x412277
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x412283
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x41228b
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x412293
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x41229f
6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40a990
7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40a9ab
8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40a9ae
9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40a9ca
10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40aa00
11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40aa03
12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x41123c
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40bacc
14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40baee
15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40bafb
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40bb08
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40bb15
18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40bb65
19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40bb80
20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b687
21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40b6b3
22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b6c3
23. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x40b6d1
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b6f3
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40b71f
26. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b72f
27. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x40b73d
28. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x410ab0
29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x410ac0
30. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x410ae6
31. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40b749
32. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x413615
33. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b70a
34. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b70c
35. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40bc1f
36. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40b7fe
37. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b827
38. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b837
39. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40b859
40. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x4107bf
41. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e599
42. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e609
43. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x4106cc
44. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40bc2f
45. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40feda
46. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x41007a
47. GetFileType at 0x7c811069 in kernel32.dll called from 0x41008c
48. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x4100e4
49. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40aa89
50. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x412129
51. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x41219e
52. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40a8cc
53. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4121c0
54. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4121d9
55. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x40b8a3
56. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b773
57. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b8bc
58. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b8c2
59. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x40b919
60. GetACP at 0x7c809943 in kernel32.dll called from 0x40e0b7
61. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40e13d
62. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40de63
63. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4145f0
64. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x414667
65. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4146d1
66. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4146df
67. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e780
68. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e81e
69. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e88a
70. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e8a6
71. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e943
72. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40e966
73. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x40e308
74. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e32d
75. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x40e3bf
76. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e3e3
77. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x41207e
78. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40a7df
79. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b69e
80. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b6a0
81. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x412347
82. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x40d703

MD5 checksum	286c476893e3289e87cceae02984a211
Anti-virus name	W32/Backdoor2.CJKR (exact),Trojan.Packed-18,Backdoor.Hupigon.AYSE

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x4a93be 0x4a93d1 0x4a9406 0x4a940e 0x4a9419 0x4a96d8 0x4a96e4 0x4a96e5 0x4a9757 0x4a975b 0x4a9760 0x4a96ea 0x4a96ec 0x4a96f3 0x4a96f5 0x4a96fc 0x4a96fe 0x4a9700 0x4a9705 0x4a9709 0x4a970b 0x4a971f 0x4a9724 0x4a974d 0x4a974c 0x4a970e 0x4a9763 0x4a9764 0x4a9769 0x4a9770 0x4a9772 0x4a9713 0x4a972b 0x4a9761 0x4a9738 0x4a973f 0x4a9746 0x4a974b 0x4a9716 0x4a971d 0x4a9773 0x4a9428 0x4a943b 0x4a945b 0x3505aa 0x3505ca 0x3505d6 0x3505e4 0x3505ea 0x350606 0x350629 0x350298 0x3502fa 0x3502fe 0x350310 0x350018 0x350033 0x350001 0x350012 0x350038 0x350049 0x35031e 0x350328 0x35033b 0x350094 0x3500ad 0x3500e9 0x35012f 0x350350 0x350354 0x35037f 0x350395 0x3503bb 0x3501ae 0x3501b8 0x3501c5 0x3500ed 0x35012c 0x3500d0 0x3500d7 0x3501ce 0x3503c3 0x350434 0x35058c 0x350113 0x35011a 0x3503ca 0x3503df 0x3504b1 0x350233 0x35023e 0x350242 0x350132 0x350143 0x350147 0x350155 0x35015c 0x35015d 0x350256 0x350293 0x3504e3 0x3504eb 0x3504ee 0x350504 0x350509 0x350536 0x35004d 0x35005c 0x35005f 0x350067 0x35006c 0x350084 0x350087 0x350088 0x35053e 0x35052d 0x35016c 0x350185 0x350186 0x350194 0x3501a4 0x3501a5 0x350532 0x350557 0x35055e 0x350564 0x35056c 0x350578 0x350587 0x350385 0x35038a 0x350392 0x35039b 0x3501d2 0x3501e1 0x3501fe 0x350222 0x350210 0x35021e 0x35022a 0x3503b5 0x3503ea 0x3503f6 0x3503fd 0x35040e 0x350487 0x350498 0x350206 0x350412 0x35041b 0x350442 0x35044e 0x350452 0x35047e 0x350521 0x35038f 0x350457 0x350466 0x35046a 0x350478 0x350074 0x35007c 0x35046f 0x350258 0x350262 0x350267 0x35027d 0x350282 0x350290 0x350552 0x35020e 0xmultitramp 0x35059a 0x350648 0x35064e 0x35064f 0x35065c 0x4a947b 0x4a949b 0x4a94ef 0x4a962e 0x4a963c 0x4a9649 0x4a964f 0x4a9655 0x4a96d1 0x4a94f4 0x4a9587 0x4a95da 0x4a95eb
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4a9400
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x350626
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x350659
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4a9495
5. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4a9604

MD5 checksum	29192867e2f4f0d19fd0c601ba7cd2d2
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40eb10 0x40eb32 0x40eb39 0x40eb28 0x40eb2e 0x40eb3b 0x40eb40 0x40eb4b 0x40eb51 0x40eb5c 0x40eb70 0x40eb7b 0x40eb88 0x40ebac 0x40ebbd 0x40ebc6 0x40eb63 0x40eb6e 0x40ebcc 0x40ebdb 0x40eb53 0x40eb8c 0x40eb8d 0x40eb98 0x40eb9e 0x40eba9 0x40eb44 0x40eb74 0x40eb81 0x40eba0 0x40eb91 0x40ebe2 0x40ebea 0x40ebef 0x40ebf3 0x40ebf8 0x40ec16 0x40ec22 0x40ec38 0x40ec40 0x40ec4d 0x40ec51 0x40ec39 0x40ec1c 0x40ec5e 0x40ec77 0x40ec8c 0x40ec92 0x40ec98 0x401a1f 0x403216 0x403246 0x403251 0x40325d 0x403265 0x40326d 0x403279 0x40328c 0x403297 0x4032a6 0x401a24 0x40183f 0x403018 0x40184b 0x401859 0x401870 0x401877 0x40188a 0x401893 0x4018a8 0x4018c5 0x4018cc 0x4018da 0x4017fe 0x401809 0x40181a 0x401825 0x40182e 0x401909 0x402fbb 0x402fd2 0x402fde 0x402f60 0x402272 0x40229a 0x4022a3 0x402f77 0x402f89 0x4022a9 0x4022d1 0x4022d9 0x402f92 0x402fa4 0x402fab 0x402fb1 0x402fe3 0x403011 0x401915 0x401922 0x401e47 0x401e53 0x401e62 0x401e71 0x401e7e 0x401e8b 0x401e98 0x401ec2 0x401ee6 0x401eec 0x401efa 0x401f03 0x401f0b 0x402485 0x401afb 0x401a98 0x401aa7 0x401aab 0x401acc 0x401ad7 0x401adb 0x401ae7 0x401aeb 0x401af1 0x401af5 0x401b02 0x40248b 0x404775 0x402493 0x404696 0x402499 0x40408e 0x40249f 0x40468c 0x4024a5 0x404682 0x4024ab 0x404478 0x4024b1 0x4024b7 0x404467 0x404471 0x4024bd 0x4024c7 0x401f10 0x401f1b 0x401f2b 0x401f3b 0x401f4b 0x4032aa 0x4032b3 0x4032bd 0x4046b0 0x4046bc 0x401b04 0x401b13 0x401b17 0x401b38 0x401b43 0x401b47 0x401b53 0x401b57 0x401b5d 0x401b61 0x4046cc 0x4046d3 0x4046dc 0x4046ee 0x4046f4 0x4046ff 0x404703 0x40470f 0x40471a 0x404720 0x404726 0x404731 0x404765 0x40305d 0x404774 0x4032d5 0x4032db 0x4032e1 0x4032e4 0x401f58 0x401f5c 0x401f6c 0x401b67 0x401b6d 0x401f6f 0x401f79 0x403f36 0x406647 0x406653 0x40665c 0x40668a 0x40669a 0x4066a4 0x4066f8 0x4066fc 0x40670b 0x40670d 0x40675d 0x406764 0x403f49 0x403f79 0x401f85 0x401f8d 0x401b21 0x401b2a 0x401b2c 0x401f9f 0x401fa2 0x401fa6 0x401bd7 0x401be3 0x401bee 0x401c05 0x401c13 0x401c23 0x401c29 0x401c49 0x403420 0x403446 0x40344e 0x401c50 0x401c5f 0x401c67 0x403591 0x4035a2 0x4035af 0x4035bc 0x4035c9 0x4035d6 0x4035dc 0x4035e5 0x4035ee 0x4035fe 0x403604 0x403612 0x401c6f 0x401c82 0x403348 0x40335b 0x401c89 0x401c7c 0x401c81 0x401fae 0x401fb6 0x401fc8 0x401927 0x401933 0x402f18 0x402f39 0x401938 0x402cd8 0x402ce4 0x402cf3 0x402d05 0x402d0f 0x402d4b 0x402d22 0x402d4f 0x402e56 0x402e58 0x402e75 0x402e7d 0x402e8c 0x402e93 0x402e9a 0x402e9e 0x402ea5 0x402edd 0x402ee7 0x402e82 0x402ea9 0x402ebb 0x402ec4 0x401b30 0x402ed2 0x402ed8 0x402ef1 0x402efd 0x402f12 0x402f17 0x401940 0x40194c 0x401952 0x402ba3 0x402bbf 0x402bc1 0x402bc7 0x402bf5 0x402c08 0x402c0f 0x402c16 0x402c1d 0x402c36 0x402c3c 0x403ef6 0x406584 0x406592 0x4065bf 0x4065c9 0x4065cd 0x4065d4 0x4065f5 0x4065fe 0x40662a 0x403f03 0x403f31 0x402c42 0x402c4b 0x402c58 0x402c6a 0x402c6e 0x402c75 0x402cd1 0x40195c 0x402aea 0x402afd 0x403e4a 0x403e53 0x403cb0 0x403cbc 0x401d0e 0x401c8b 0x401c93 0x401b70 0x401b7c 0x401b99 0x401c9a 0x401cac 0x401cae 0x401d02 0x401d09 0x401d14 0x401d22 0x403cc5 0x403965 0x403971 0x403976 0x40399f 0x4039a6 0x4039ef 0x403a00 0x403a07 0x4039fb 0x40398b 0x403997 0x40399e 0x403ccf 0x403a8b 0x403a09 0x403a18 0x403a1d 0x403a47 0x403a68 0x403a71 0x403a85 0x403a9d 0x403ac6 0x403acb 0x403adb 0x403ab8 0x403abd 0x403b02 0x403cda 0x403ce6 0x403cf0 0x403cfb 0x403b05 0x403add 0x403af4 0x403af9 0x403b00 0x403b23 0x403b3c 0x403b41 0x403b49 0x403b56 0x403b61 0x403b69 0x401760 0x40176c 0x401776 0x40177e 0x40178c 0x401794 0x4017a7 0x4017bf 0x4017c5 0x4017cf 0x403b78 0x403c85 0x403c88 0x403c44 0x4037db 0x403805 0x403812 0x403814 0x403820 0x403859 0x4060d0 0x4060e1 0x405f18 0x405f37 0x405f4b 0x405f4f 0x405f8b 0x405f9b 0x405fbe 0x405fc8 0x405fca 0x405fd2 0x405fdd 0x407170 0x407460 0x407474 0x407478 0x405fe2 0x405fe8 0x406001 0x406004 0x406006 0x40600a 0x406016 0x406028 0x40602c 0x40603a 0x40603d 0x405e20 0x405e28 0x405e3a 0x406043 0x4060be 0x401743 0x40174b 0x4060ce 0x4060fe 0x406107 0x40610e 0x403876 0x4064f2 0x406503 0x406150 0x40616f 0x406186 0x40618a 0x4061a7 0x4061ac 0x4061b2 0x4061b7 0x4061bc 0x4061bf 0x4061cb 0x4061ce 0x4061dc 0x4061e4 0x4061ed 0x4061fd 0x406220 0x40622a 0x40622c 0x406238 0x406243 0x406248 0x40624e 0x406267 0x40626a 0x406272 0x40627b 0x40628c 0x406294 0x4062a8 0x4062b5 0x4062e6 0x4062ea 0x4062f6 0x406301 0x406306 0x40630c 0x406331 0x406335 0x406349 0x40634d 0x406358 0x40635e 0x40636c 0x40636f 0x406375 0x406376 0x40637e 0x4064e0 0x4064f0 0x406523 0x40652c 0x406533 0x403896 0x4038bb 0x4038c0 0x4038d8 0x4038f2 0x4038fa 0x4038ca 0x4038e9 0x4038dd 0x4038ff 0x40394e 0x40395d 0x403c4b 0x403b35 0x403ca1 0x403cae 0x403d13 0x403d20 0x403d2c 0x403d30 0x403d41 0x403d4d 0x403d57 0x403d64 0x403d6b 0x403d8a 0x403d92 0x403da2 0x403da4 0x403dae 0x403dbb 0x403dbd 0x403dc7 0x403dd7 0x403de3 0x403dfa 0x403e03 0x403e11 0x403e18 0x403e0f 0x403e41 0x403e49 0x403e5a 0x403e65 0x402b02 0x402b1a 0x402b29 0x402b33 0x402952 0x402978 0x40297b 0x402980 0x4029cc 0x402990 0x40299e 0x404bf7 0x404ba6 0x404bb7 0x404bc7 0x404bdf 0x404be1 0x404be8 0x404bee 0x404bf5 0x404c06 0x4029aa 0x4029c2 0x4029d2 0x4029d7 0x4029fe 0x4029e4 0x4029e8 0x402ada 0x402ae6 0x402b44 0x402b51 0x402b59 0x402b65 0x402b6b 0x402b72 0x40296f 0x402996 0x402ae3 0x402b85 0x402b9e 0x401966 0x401972 0x402877 0x402889 0x4028ad 0x40289d 0x4028a2 0x404a70 0x404aa0 0x404ab8 0x404abf 0x404ac3 0x404aca 0x404ad3 0x4028a8 0x404ae7 0x404a7c 0x404a85 0x404a8d 0x404add 0x4028a1 0x404af1 0x4028b3 0x4028bc 0x4028ca 0x402913 0x4028d3 0x4028d9 0x402911 0x4028e2 0x4028ea 0x4028f2 0x404afb 0x404b08 0x404b2b 0x404b37 0x404b39 0x404b43 0x404b46 0x404b5a 0x4028fa 0x40290e 0x402917 0x403e68 0x403e74 0x403e7b 0x403ec7 0x403ed6 0x403ef0 0x403ef5 0x402922 0x402938 0x401977 0x401983 0x4022e5 0x402308 0x404330 0x401ab5 0x401abe 0x401ac0 0x401ac4 0x404341 0x404334 0x40434c 0x40230d 0x402252 0x40226a 0x40225b 0x40225f 0x402267 0x402265 0x4021b5 0x404021 0x404045 0x404064 0x40406e 0x403fd1 0x403fdd 0x404011 0x404020 0x404073 0x404077 0x40407e 0x4021c1 0x404081 0x404086 0x4042b3 0x4042bd 0x4042c5 0x4042db 0x402270 0x40231c 0x402322 0x40431e 0x4042e2 0x4042ee 0x402228 0x40222f 0x4042f3 0x404206 0x404216 0x404227 0x40422f 0x40423b 0x406980 0x40698c 0x4069b9 0x4069fa 0x406a08 0x406a11
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40ec32
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40ec47
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40ec75
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40ec8a
5. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40324b
6. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x403257
7. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40325f
8. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x403267
9. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x403273
10. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x401853
11. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40186e
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401871
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40188d
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x4018c3
15. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4018c6
16. HeapCreate at 0x7c812929 in kernel32.dll called from 0x402fcc
17. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401e4d
18. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401e6f
19. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401e7c
20. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401e89
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401e96
22. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x401ee6
23. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x401f01
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401aa5
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401ad1
26. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401ae1
27. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x401aef
28. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401b11
29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401b3d
30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401b4d
31. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x401b5b
32. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4046f9
33. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x404709
34. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x40472f
35. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x401b67
36. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x406705
37. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401b28
38. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401b2a
39. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x401fa0
40. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401be8
41. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401c11
42. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401c21
43. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x401c43
44. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x403448
45. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x4035a0
46. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x403610
47. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x403355
48. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x401fb0
49. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x402ced
50. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x402e8d
51. GetFileType at 0x7c811069 in kernel32.dll called from 0x402e9f
52. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x402ef7
53. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40194c
54. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x402bbf
55. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402c34
56. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4065fc
57. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402c56
58. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x402c6f
59. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x401c8d
60. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401b76
61. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401ca6
62. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401cac
63. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x401d03
64. GetACP at 0x7c809943 in kernel32.dll called from 0x403ad5
65. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x403b5b
66. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4037ff
67. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x405f45
68. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405fbc
69. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x406026
70. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x406034
71. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x406180
72. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40621e
73. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40628a
74. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4062a6
75. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x406343
76. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x406366
77. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x403d26
78. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x403d4b
79. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x403ddd
80. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x403e01
81. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x402b14
82. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x403ed0
83. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401abc
84. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401abe
85. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x406a02

MD5 checksum	298e10dc5b595e16095acbe6d3c83491
Anti-virus name	Adware.Generic.52770
PEiD packer signature	Microsoft Visual C++ 6.0 [Debug]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x424034 0x424060 0x42a928 0x42a93f 0x42a948 0x42a7e0 0x4233d0 0x4233dc 0x4233f0 0x42a7ed 0x42a805 0x42a809 0x42a812 0x42a81b 0x42a925 0x42a94d 0x42a964 0x42a981 0x424092 0x42409f 0x428c2c 0x428e93 0x428ea2 0x428eaa 0x428eb2 0x428eba 0x428c32 0x428c38 0x428c42 0x42d420 0x42d455 0x42d45e 0x42d46b 0x42d477 0x42d4c2 0x42d508 0x42d50d 0x42d51c 0x42d51f 0x42d54b 0x42d54e 0x428c4b 0x428c53 0x428c60 0x428c64 0x428c9e 0x428c6a 0x428c71 0x4240a4 0x4240b0 0x42a5a3 0x425134 0x425146 0x42514d 0x425172 0x4251e2 0x425241 0x42524b 0x425251 0x42525f 0x425156 0x425171 0x425143 0x42a5b6 0x42a5c5 0x42a5db 0x42a5df 0x42a5fd 0x42a607 0x42a6e3 0x42a6e5 0x42a6f7 0x42a6ff 0x42a70e 0x42a715 0x42a71c 0x42a723 0x42a733 0x42a748 0x42a704 0x42a727 0x42a739 0x42a74e 0x42a75a 0x4240ba 0x4240c0 0x42a471 0x42a48c 0x42a48e 0x42a494 0x42a4c8 0x42a4d8 0x42a4df 0x42a4e6 0x42a4ed 0x42a506 0x42a50c 0x42a512 0x42a51b 0x42a528 0x42a53a 0x42a53e 0x42a545 0x42a59c 0x4240ca 0x42a224 0x42a236 0x426cd2 0x426cdb 0x4268ea 0x428f28 0x428f40 0x428f48 0x428f57 0x428f7e 0x428f86 0x428f5e 0x428f65 0x428f6b 0x428f75 0x428f89 0x428f9c 0x428f7c 0x4268fa 0x426a97 0x426ab7 0x426abc 0x426ac6 0x426902 0x426918 0x426920 0x426927 0x42692b 0x426936 0x426941 0x42694c 0x426a5a 0x426a61 0x426a7b 0x426b3d 0x426b57 0x426b60 0x426b67 0x426b73 0x426bb8 0x42b938 0x42b969 0x42b97d 0x42b981 0x42b9a2 0x42b9a7 0x42b9d0 0x42b9d9 0x42b9e6 0x42ba03 0x42ba0a 0x42ba1c 0x423ca0 0x423cac 0x423cba 0x423cc9 0x423ce1 0x423ced 0x42ba2c 0x42ba3c 0x42ba44 0x42ba59 0x42ba5d 0x42ba6b 0x42ba6f 0x426bdc 0x429d4c 0x429d7c 0x429d94 0x429d98 0x429dc2 0x429dc7 0x429f70 0x429f80 0x429f85 0x429f8d 0x429f98 0x429dd2 0x429dd7 0x429dfe 0x429e07 0x429e14 0x429e31 0x429e3e 0x429e4e 0x429e6f 0x429e74 0x429e89 0x429e8d 0x429e9f 0x429ea8 0x429eee 0x429f02 0x429f22 0x429f26 0x429f3a 0x429f3e 0x429f49 0x429f4f 0x429f5f 0x429f69 0x429edc 0x426c00 0x426c28 0x426c33 0x426c51 0x426c66 0x426c6d 0x426c3b 0x426c49 0x426c56 0x426c74 0x426cbf 0x426a80 0x426911 0x426a88 0x426a8f 0x426ce2 0x426ced 0x42a23b 0x42a24d 0x42a25e 0x42a260 0x42a2bd 0x42a2e7 0x42a2ec 0x42a2f5 0x42a2f9 0x42a311 0x42a31e 0x42a328 0x42a32d 0x42a373 0x42a377 0x42a460 0x42a467 0x42a270 0x42a27f 0x42a290 0x42a2df 0x42a317 0x42a324 0x42a464 0x42a2a6 0x4240d4 0x42a16b 0x42a17d 0x42a185 0x42a18b 0x42a190 0x423fb0 0x423fd0 0x423fe8 0x423fef 0x423ff3 0x423ffa 0x424003 0x42a196 0x424017 0x423fbc 0x423fc3 0x423fcb 0x42400d 0x42a18f 0x424021 0x42a19d 0x42a1aa 0x42a1bf 0x42a1c9 0x42a1ca 0x42a1d0 0x42a1fb 0x42a1d9 0x42a1df 0x42a1ee 0x42e550 0x42e5c1 0x42e5cd 0x42e5d4 0x42e5df 0x42e5e6 0x42e5e1 0x42e600 0x42e604 0x42e608 0x42e622 0x42a1f6 0x42e610 0x42e61a 0x42e638 0x42e62f 0x42a201 0x42a202 0x42526e 0x42529c 0x4252e1 0x425339 0x425348 0x42a20d 0x4240d9 0x423d27 0x423d30 0x42364b 0x423663 0x423650 0x429094 0x42909f 0x4290a3 0x4290af 0x4290b3 0x4290b7 0x423655 0x429044 0x430110 0x4300db 0x430151 0x43015f 0x430162 0x430167 0x430169 0x43016e 0x430170 0x430175 0x430177 0x43017c 0x43017e 0x430183 0x430188 0x4301c0 0x4301c5 0x4301c9 0x4301d5 0x4301e2 0x4300ec 0x4301e3 0x4301f0 0x4301f3 0x4301f8 0x4301fa 0x4301ff 0x430201 0x430206 0x430208 0x43020d 0x43020f 0x430217 0x430219 0x430246 0x430250 0x430258 0x43025e 0x43026b 0x430103 0x430123 0x429053 0x42365f 0x423d32 0x423e4b 0x423e50 0x423e56 0x423e5e 0x423e5c 0x42348f 0x423499 0x4234b0 0x42f5ee 0x42f5fb 0x42f608 0x42f60d 0x42f615 0x42f641 0x42f648 0x42f65e 0x42f665 0x42f685 0x42f688 0x42f681 0x42f694 0x42ad13 0x42ad1e 0x423e63 0x423d41 0x44becc 0x44bed6 0x41cb37 0x41cb59 0x44bee4 0x44bed1 0x44bee5 0x42347d 0x4233ff 0x423e39 0x423e40 0x423405 0x427069 0x4270dc 0x427127 0x427138 0x423410 0x423465 0x423e42 0x423e49 0x423479 0x423486 0x44beef 0x44bf0c 0x44bf16 0x44bf24 0x44bf11 0x44bf25 0x44bf2f 0x44bfef 0x44bff9 0x44c007 0x44bff4 0x44c008 0x44c012 0x43cfb2 0x43cfbc 0x43cfca 0x43cfb7 0x43cfcb 0x43cfd5 0x43cfe1 0x43cfeb 0x43cffc 0x43cfe6 0x43cffd 0x43d007 0x43d013 0x43d01d 0x43d02e 0x43d018 0x43d02f 0x43d039 0x43d045 0x43d04f 0x43d060 0x43d04a 0x43d061 0x43d06b 0x44c4cc 0x44c4d6 0x44bb63 0x4233ac 0x44bb6d 0x4380b0 0x44bb7c 0x4221f0 0x44bb8c 0x44bb9c 0x44c4d1 0x44c4e0 0x44c4ea 0x44cdba 0x44cdbf 0x44cdc5 0x44cdcf 0x44d004 0x44d009 0x44d00f 0x44d019 0x44dad6 0x44dae0 0x44daee 0x44dadb 0x44daef 0x44daf9 0x44caf3 0x44caf8 0x44cafe 0x44cb08 0x44ccb2 0x44ccb7 0x44ccbd 0x44ccc7 0x44ccd8 0x44ccdd 0x44cce3 0x44cced 0x44e709 0x44e70e 0x44e714 0x44e71e 0x4358ea 0x4358b4 0x44d03a 0x44d877 0x44d880 0x44d88a 0x44d895 0x44d436 0x44d45e 0x44d46a 0x44d474 0x44d89a 0x44d8a0 0x44d8a6 0x44d4cf 0x44d4e4 0x44d4fb 0x44d51d 0x44d528 0x44d539 0x44d55d 0x44d586 0x44d58c 0x44d5aa 0x44d5b4 0x44d5b9 0x44d5bf 0x44d5d9 0x44d8ab 0x44d8ad 0x44d8bc 0x44d8cd 0x44d8cf 0x44d8d3
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x42405a
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x42a939
3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x42a7ff
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x428ea0
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x428ea8
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x428eb0
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x428eb8
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x428c32
9. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x42d516
10. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x428c5a
11. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x428c6b
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x425259
13. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x42a601
14. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x42a70f
15. GetFileType at 0x7c811069 in kernel32.dll called from 0x42a71d
16. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x42a754
17. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4240ba
18. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x42a48c
19. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x42a504
20. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x42a526
21. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x42a53f
22. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x428f80
23. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x428f65
24. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x428f96
25. GetACP at 0x7c809943 in kernel32.dll called from 0x426ac6
26. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x42693b
27. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x426b51
28. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x42b977
29. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x42b9fd
30. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x42ba53
31. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x42ba65
32. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x429d8e
33. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x429e2b
34. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x429e83
35. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x429e99
36. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x429f34
37. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x429f59
38. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x42a247
39. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x425342
40. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x429099
41. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4290a9
42. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x4290b5
43. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x42ad18
44. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x41cb53
45. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x427132
46. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x44bb96
47. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x44d458
48. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x44d46e
49. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x44d4de
50. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x44d533
51. GlobalLock at 0x7c810119 in kernel32.dll called from 0x44d58a
52. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x44d5d3
53. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x44d8b6

MD5 checksum 2b4c2f9c1920a1ff5432f4738432b10c

Anti-virus name W32/Swizzor-based.2!Maximus

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x40b3e9 0x409f38 0x409f68 0x409f73 0x409f7f 0x409f87 0x409f8f 0x409f9b 0x409fae 0x409fb9 0x409fc8 0x40b3ee 0x40b20a 0x409be8 0x40b216 0x40b224 0x40b23b 0x40b242 0x40b255 0x40b25e 0x40b273 0x40b290 0x40b297 0x40b2a5 0x40b1c9 0x40b1d4 0x40b1e5 0x40b1f0 0x40b1f9 0x40b2d4 0x40d1da 0x40d1f1 0x40d1fd 0x40d17f 0x418c59 0x418c81 0x418c8a 0x40d196 0x40d1a8 0x418c90 0x418cb8 0x418cc0 0x40d1b1 0x40d1c3 0x40d1ca 0x40d1d0 0x40d202 0x40d230 0x40b2e0 0x40b2ed 0x401438 0x401444 0x401453 0x401462 0x40146f 0x40147c 0x401489 0x4014b3 0x4014d7 0x4014dd 0x4014eb 0x4014f4 0x4014fc 0x418e80 0x4010da 0x40106c 0x40107b 0x40107f 0x4010a0 0x4010ab 0x4010b1 0x401000 0x40101b 0x401026 0x40102e 0x401041 0x40c3a0 0x40c3b0 0x40c3b6 0x40c3ba 0x40c3e4 0x40104c 0x401052 0x40105e 0x401064 0x401068 0x4010b6 0x4010ba 0x4010c6 0x4010ca 0x4010d0 0x4010d4 0x4010e1 0x418e86 0x42c766 0x418e8e 0x409b07 0x418e94 0x4099dd 0x418e9a 0x411240 0x418ea0 0x42262e 0x418ea6 0x4015bc 0x418eac 0x418eb2 0x418625 0x41862f 0x418eb8 0x418ec2 0x401501 0x40150c 0x40151c 0x40152c 0x40153c 0x40ab09 0x40ab12 0x40ab1c 0x409b21 0x409b2d 0x4010e3 0x4010f2 0x4010f6 0x401117 0x401122 0x401128 0x40112d 0x401131 0x40113d 0x401141 0x401147 0x40114b 0x409b3d 0x409b44 0x409b4d 0x409b5f 0x409b65 0x409b70 0x409b74 0x409b80 0x409b8b 0x409b91 0x409b97 0x409ba2 0x409bd6 0x409c2d 0x409be5 0x40ab34 0x40ab3a 0x40ab40 0x40ab43 0x401549 0x40154d 0x40155d 0x401151 0x401157 0x401560 0x40156a 0x41115d 0x4017c6 0x4017d2 0x4017db 0x401809 0x401819 0x401823 0x401877 0x40187b 0x40188a 0x40188c 0x4018dc 0x4018e3 0x411170 0x4111a0 0x401576 0x40157e 0x401100 0x401109 0x40110b 0x401590 0x401593 0x401597 0x4011c9 0x4011d5 0x4011e0 0x4011f7 0x4011fc 0x401200 0x401210 0x401220 0x401226 0x401246 0x40ac7f 0x40aca5 0x40acad 0x40124d 0x40125c 0x401264 0x42735a 0x42736b 0x427378 0x427385 0x427392 0x42739f 0x4273a5 0x4273ae 0x4273b7 0x4273c7 0x4273cd 0x4273db 0x40126c 0x40127f 0x40aba7 0x40abba 0x401286 0x401279 0x40127e 0x40159f 0x4015a7 0x4015b9 0x40b2f2 0x40b2fe 0x413927 0x413948 0x40b303 0x401987 0x401993 0x4019a2 0x4019b4 0x4019be 0x4019fa 0x4019d1 0x4019fe 0x401b05 0x401b07 0x401b24 0x401b2c 0x401b3b 0x401b42 0x401b49 0x401b4d 0x401b54 0x401b8c 0x401b96 0x401b31 0x401b58 0x401b6a 0x401b73 0x40110f 0x401b81 0x401b87 0x401ba0 0x401bac 0x401bc1 0x401bc6 0x40b30b 0x40b317 0x4281f8 0x42820b 0x42820d 0x428211 0x42823d 0x42823f 0x428294 0x40b31c 0x404864 0x40487c 0x40487e 0x404884 0x4048af 0x4048c2 0x4048c9 0x4048d0 0x4048d7 0x41111d 0x42ad14 0x42ad22 0x42ad4f 0x42ad59 0x42ad5d 0x42ad64 0x42ad85 0x42ad8e 0x42adba 0x41112a 0x411158 0x4048e3 0x4048f6 0x414170 0x414188 0x414190 0x414198 0x4141b7 0x4141bf 0x4141ca 0x4141cc 0x414308 0x4048fe 0x4048ea 0x4048f1 0x4049b4 0x4049b6 0x40b326 0x41728d 0x4172b0 0x4172bf 0x4172c8 0x417141 0x417164 0x41716a 0x417195 0x41717d 0x41718b 0x417199 0x41719f 0x4171d0 0x4171ae 0x4171b2 0x41727e 0x417287 0x4172d9 0x4172e6 0x4172f1 0x4172fc 0x417302 0x417309 0x41715b 0x417183 0x417285 0x41731b 0x417333 0x40b330 0x40b33c 0x402f66 0x402f91 0x402f7f 0x402f86 0x4128d7 0x4128db 0x4128e5 0x402f8c 0x402f85 0x402f99 0x402fa3 0x402fb6 0x403000 0x402fbe 0x402fc4 0x402ffd 0x402fce 0x402fd6 0x402fde 0x41debb 0x41dec8 0x41deeb 0x41def8 0x41defa 0x41df09 0x41df0c 0x41df21 0x402fe6 0x402ffa 0x403005 0x423415 0x423421 0x423428 0x423474 0x423483 0x42349d 0x4234a2 0x403010 0x403025 0x403026 0x40b341 0x40b34d 0x418ccc 0x418cef 0x402c19 0x401089 0x401092 0x401094 0x401098 0x402c2a 0x402c1d 0x402c35 0x418cf4 0x418c39 0x418c51 0x418c42 0x418c46 0x418c4e 0x418c4c 0x426eb4 0x426ebd 0x426d1a 0x426d26 0x4012ff 0x401288 0x401290 0x40115a 0x401167 0x401188 0x40129d 0x40129f 0x4012f3 0x4012fa 0x401305 0x401313 0x426d2f 0x426a23 0x426a2f 0x426a34 0x426a5d 0x426a64 0x426aad 0x426abe 0x426ac5 0x423487 0x40d656 0x40d65b 0x40d665 0x42348c 0x423494 0x40d61b 0x40d621 0x40d62a 0x40d63c 0x42349a 0x416b0d 0x416b17 0x416b26 0x416b38 0x416b41 0x416b45 0x416b4b 0x416b4f 0x416b59 0x416c5b 0x416c5d
- Windows API calls issued from malware code
  1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x409f6d
  2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x409f79
  3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x409f81
  4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x409f89
  5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x409f95
  6. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x40b21e
  7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40b239
  8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40b23c
  9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40b258
  10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40b28e
  11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40b291
  12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40d1eb
  13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40143e
  14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401460
  15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40146d
  16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40147a
  17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401487
  18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x4014d7
  19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x4014f2
  20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401079
  21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4010a5
  22. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401028
  23. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4010c0
  24. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x4010ce
  25. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4010f0
  26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40111c
  27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401137
  28. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x401145
  29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x409b6a
  30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x409b7a
  31. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x409ba0
  32. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x401151
  33. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401884
  34. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401107
  35. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401109
  36. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x401591
  37. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4011da
  38. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40120e
  39. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40121e
  40. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x401240
  41. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40aca7
  42. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x427369
  43. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x4273d9
  44. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40abb4
  45. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4015a1
  46. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40199c
  47. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x401b3c
  48. GetFileType at 0x7c811069 in kernel32.dll called from 0x401b4e
  49. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x401ba6
  50. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x42820b
  51. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x42823d
  52. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40487c
  53. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x42ad8c
  54. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4048eb
  55. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x4172aa
  56. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x42347d
  57. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401079
  58. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401090
  59. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401092
  60. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x40128a
  61. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x401161
  62. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40129d
  63. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x4012f4
  64. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x42348e

MD5 checksum	2b80d65e1c2c05e1d0d8a9267f18c0c0
Anti-virus name	W32/Beastdoor.AY@bd (exact, not disinfectable),Trojan.Beastdoor-22,Backdoor.Generic.80620

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x1006461 0x10063e0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x10053fa 0x1002e55 0x1002e6d 0x1002e75 0x1002e7c 0x1002e81 0x1002e85 0x1002e8d 0x1002e95 0x1002e9c 0x1002ea4 0x100546e 0x1005476 0x1005481 0x100548b 0x1005497 0x10054a8 0x10054ac 0x1005563 0x100359c 0x10035c6 0x1003a8b 0x1003a8d 0x10064de 0x10064e6 0x10064ee 0x1003a98 0x1005574 0x1005587 0x100559e 0x10055b1 0x10055c8 0x10055d0 0x10055de 0x100488c 0x10048c9 0x10048ed 0x10048fc 0x100490b 0x100494e 0x1004953 0x100496f 0x100497b 0x1004baa 0x1004bbf 0x10055e9 0x10055ed 0x10055f8 0x10055fe 0x1005604 0x1006394 0x1006398 0x1006205 0x1006224 0x100622c 0x10043ec 0x1004404 0x1004411 0x1004433 0x100443d 0x1004464 0x1004470 0x1004474
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96

MD5 checksum	2c08361e5ceb8e03279edb62fad472e2
Anti-virus name	W32/Heuristic-210!Eldorado (not disinfectable),DeepScan:Generic.Banker.OT.BC2032DF

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x1e211b9 0x1e211bf 0x1e2120a 0x1e21217 0x1e21227 0x1e21234 0x1e211c4 0x1e2123c 0x1e2124f 0x1e21080 0x1e21a30 0x1e21a3e 0x1e21a41 0x1e21ab3 0x1e21ab7 0x1e21abc 0x1e21a46 0x1e21a48 0x1e21a4f 0x1e21a51 0x1e21a58 0x1e21a5a 0x1e21a5f 0x1e21a64 0x1e21a68 0x1e21a6a 0x1e21aa9 0x1e21a7d 0x1e21a82 0x1e21aa2 0x1e21aa3 0x1e21aa4 0x1e21aa5 0x1e21a6d 0x1e21abf 0x1e21ac0 0x1e21ac5 0x1e21acc 0x1e21ace 0x1e21a72 0x1e21a86 0x1e21abd 0x1e21a91 0x1e21a98 0x1e21a9d 0x1e21acf 0x1e2108f 0x1e2125d 0x1e2103a 0x1e21266 0x1e21277 0x1e211c9 0x1e2127a 0x1e21030 0x1e21291 0x1e212ad 0x1e212ae 0x1e212bb 0x1e212c4 0x1e212d7 0x1e21000 0x1e2100e 0x1e21023 0x1e2102d 0x1e212e0 0x1e212fb 0x1e21303 0x1e2130e 0x1e21320 0x1e21375 0x1e21388 0x1e2138b 0x1e21a76 0x1e21a7b 0x1e2139b 0x1e213a2 0x1e2105f 0x1e21063 0x1e21072 0x1e213b0 0x1e213b3
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x1e21211
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x1e21225
3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x1e21232
4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x1e21249
5. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x1e21271
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x1e2131a
7. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x1e213bb
8. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x1e21358

MD5 checksum	2c0e4eca67fffa39acee91d3793ec29e
Anti-virus name	W32/Downloader-Sml!Eldorado (generic, not disinfectable),Trojan.Downloader-33811,Trojan.Crypt.GY
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x404ad0 0x404af2 0x404af9 0x404ae8 0x404aee 0x404afb 0x404b00 0x404b0b 0x404b11 0x404b1c 0x404b30 0x404b3b 0x404b48 0x404b4c 0x404b4d 0x404b58 0x404b5e 0x404b69 0x404b6c 0x404b7d 0x404b86 0x404b23 0x404b2e 0x404b8c 0x404b9b 0x404b34 0x404b04 0x404b13 0x404b41 0x404b51 0x404b60 0x404ba2 0x404baf 0x404bc5 0x404bcd 0x404bda 0x404bde 0x404bc6 0x404ba9 0x404beb 0x404c04 0x404c19 0x404c1f 0x404c25 0x401c59 0x401c5f 0x401c75 0x401c84 0x401c8a 0x401c9c 0x401ca2 0x401ca8 0x401cad 0x401cb4 0x401cb5 0x401cbd 0x401292 0x4012aa 0x4012b9 0x4012c3 0x401ce5 0x401cee 0x401cfa 0x401d00 0x4012ae
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x404bbf
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x404bd4
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x404c02
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x404c17
5. GetSystemDefaultLangID at 0x7c81e835 in kernel32.dll called from 0x401c9c
6. GetVolumeInformationA at 0x7c827052 in kernel32.dll called from 0x401cdf
7. wsprintfA at 0x77d4a2de in USER32.dll called from 0x401d0c
Stack trace at network call
1. THREAD ID=#1872
2. WARNING: didn't find a callee for callPoint at 771bdf05 when stackwalking .\s Frame pc=0x7c901231 function DbgBreakPoint at 7c901230 in mod ntdll.dll
3. Frame pc=0x10003a63 function DYNINSTbreakPoint at 10003a50 in mod libdyninstAPI_RT.dll
4. Frame pc=0x1000176d function DYNINST_stopThread at 100016d0 in mod libdyninstAPI_RT.dll
5. Frame pc=0x104c3bee function socket at 71ab3b91 in mod WS2_32.dll
6. Frame pc=0x71ab5a0e function targ5a03 at 71ab5a03 in mod WS2_32.dll
7. Frame pc=0x71ab5ab3 function targ5a71 at 71ab5a71 in mod WS2_32.dll
8. Frame pc=0x71ab5a5d
9. Frame pc=0x7c9105c8 function targ105a2 at 7c9105a2 in mod ntdll.dll
10. Frame pc=0x7c910732 function targ10701 at 7c910701 in mod ntdll.dll
11. Frame pc=0x7c809e2a function MultiByteToWideChar at 7c809cad in mod kernel32.dll
12. Frame pc=0x71ab2aca function getaddrinfo at 71ab2a6f in mod WS2_32.dll
13. Frame pc=0x771c1512
14. Frame pc=0x7c809a0f function LocalAlloc at 7c8099bd in mod kernel32.dll
15. Frame pc=0x771bdf08 function targded8 at 771bded8 in mod WININET.dll
16. Frame pc=0x771bdeb6 function targde91 at 771bde91 in mod WININET.dll
17. Frame pc=0x771bdf08 function targded8 at 771bded8 in mod WININET.dll
18. Frame pc=0x771bdeb6 function targde91 at 771bde91 in mod WININET.dll
19. Frame pc=0x771bdf08 function targded8 at 771bded8 in mod WININET.dll
20. Frame pc=0x771bdeb6 function targde91 at 771bde91 in mod WININET.dll
21. Frame pc=0x771bdf08 function targded8 at 771bded8 in mod WININET.dll
22. Frame pc=0x771bdeb6 function targde91 at 771bde91 in mod WININET.dll
23. Frame pc=0x7c9106eb function RtlAllocateHeap at 7c9105d4 in mod ntdll.dll
24. Frame pc=0x7c809a20 function LocalAlloc at 7c8099bd in mod kernel32.dll
25. Frame pc=0x771bdf08 function targded8 at 771bded8 in mod WININET.dll
26. Frame pc=0x771bdeb6 function targde91 at 771bde91 in mod WININET.dll
27. Frame pc=0x771bdf08 function targded8 at 771bded8 in mod WININET.dll
28. Frame pc=0x771bdeb6 function targde91 at 771bde91 in mod WININET.dll
29. Frame pc=0x771be12b function targe021 at 771be021 in mod WININET.dll
30. THREAD ID=#112
31. Frame pc=0x7c91d888 function targ1d871 at 7c91d871 in mod ntdll.dll
32. Frame pc=0x7c91b138 function targ1b0f3 at 7c91b0f3 in mod ntdll.dll
CFG at network call
- dot file
- jpg

MD5 checksum	2c213cb11f970a23206a6848babd0ec1
Anti-virus name	W32/Worm.MWD (exact),Trojan.KillAV-235,Win32.Worm.AutoIt.Z
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x4981aa 0x4981b1 0x4981a0 0x4981a6 0x4981b3 0x4981b8 0x4981c3 0x4981c9 0x4981f3 0x4981fa 0x498205 0x498216 0x498218 0x498224 0x4981e4 0x4981ef 0x498245 0x498264 0x498273 0x49820b 0x49821d 0x498256 0x49825f 0x4981cb 0x4981d4 0x4981e0 0x4981bc 0x498226 0x498231 0x498237 0x498242 0x49822a 0x4981e8 0x498239 0x4981d9 0x49820f 0x49827a 0x498282 0x498287 0x49828b 0x498290 0x4982ae 0x4982ba 0x4982d0 0x4982d8 0x4982e3 0x4982e7 0x4982ee 0x4982f2 0x4982d1 0x498318 0x49832d 0x498333 0x498339 0x45282d 0x45d98a 0x45d9ba 0x45d9c5 0x45d9d1 0x45d9d9 0x45d9e1 0x45d9ed 0x45da00 0x45da0b 0x452832 0x45264e 0x4540fc 0x45265a 0x452668 0x45267f 0x452686 0x452699 0x4526a2 0x4526b7 0x4526d4 0x4526db 0x4526e9 0x45260d 0x452618 0x452629 0x452634 0x45263d 0x452718 0x456557 0x45656e 0x45657a 0x4564fc 0x44d50e 0x44d536 0x44d53f 0x456513 0x456525 0x44d545 0x44d56d 0x44d575 0x45652e 0x456540 0x456547 0x45654d 0x45657f 0x4565ad 0x452724 0x452731 0x453783 0x45378f 0x45379e 0x4537ad 0x4537ba 0x4537c7 0x4537d4 0x4537fe 0x453822 0x453828 0x453836 0x45383f 0x453847 0x44d735 0x453388 0x45331a 0x453329 0x45332d 0x45334e 0x453359 0x45335f 0x4532ae 0x4532c9 0x4532d4 0x4532dc 0xprocess.C[6836] 0x4500f0 0x450100 0x450134 0x4532fa 0x453300 0x450106 0x45010a 0x45330c 0x453312 0x453364 0x453368 0x453374 0x453378 0x45337e 0x45338f 0x44d73b 0x44d781 0x44d743 0x4546bd 0x44d749 0x453907 0x44d74f 0x4546b3 0x44d755 0x4546a9 0x44d75b 0x45449f 0x44d761 0x44d767 0x45432f 0x454339 0x44d76d 0x44d777 0x45384c 0x453857 0x453867 0x453877 0x453887 0x453dac 0x453db5 0x453dbf 0x4546d7 0x4546e3 0x453391 0x4533a0 0x4533a4 0x4533c5 0x4533d0 0x4533d6 0x4533db 0x4533df 0x4533eb 0x4533ef 0x4533f5 0x4546f3 0x4546fa 0x454703 0x454715 0x45471b 0x454726 0x45472a
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4982ca
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4982e8
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x498316
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x49832b
5. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x45d9bf
6. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x45d9cb
7. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x45d9d3
8. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x45d9db
9. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x45d9e7
10. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x452662
11. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x45267d
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x452680
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x45269c
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x4526d2
15. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4526d5
16. HeapCreate at 0x7c812929 in kernel32.dll called from 0x456568
17. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x453789
18. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4537ab
19. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4537b8
20. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4537c5
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4537d2
22. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x453822
23. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x45383d
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x453327
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x453353
26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4532d6
27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x45336e
28. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x45337c
29. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x45339e
30. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4533ca
31. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4533e5
32. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x4533f3
33. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x454720
34. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x454730
35. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x454756

MD5 checksum	2c2d30abcdac97806c274b17cb37a2e2
Anti-virus name	W32/Worm.CQ (exact),Trojan.Dropper.Agent-64,Trojan.Spy.Agent.NOJ
PEiD packer signature	Borland C++ DLL Method 2 [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x13151f40 0x13151f52 0x1315245a 0x13152461 0x13152450 0x13152456 0x13152463 0x13152468 0x13152473 0x13152479 0x13152484 0x13152498 0x131524a3 0x131524b0 0x131524b4 0x131524b5 0x131524c0 0x131524c6 0x131524d1 0x131524d4 0x131524e5 0x131524ee 0x1315248b 0x13152496 0x131524a9 0x131524f4 0x13152503 0x1315247b 0x1315246c 0x1315249c 0x131524c8 0x131524b9 0x1315250a 0x13152512 0x13152517 0x1315251b 0x13152520 0x1315253e 0x1315254a 0x13152560 0x13152568 0x13152575 0x13152579 0x13152561 0x13152544 0x13152586 0x13146a33 0x13146a5f 0x131489c6 0x131489dd 0x131489e6 0x1314887e 0x1314b1c0 0x1314b1cc 0x1314b1e0 0x1314888b 0x131488a3 0x131488a7 0x131488b0 0x131488b9 0x131489c3 0x131489eb 0x13148a02 0x13148a1f 0x13146a92 0x13146a9f 0x131476b3 0x1314686c 0x1314687e 0x13146885 0x131468aa 0x131468ce 0x13146900 0x13146907 0x1314690d 0x1314691c 0x1314688e 0x131468a9 0x1314687b 0x131476c4 0x131476d3 0x131476e9 0x131476ed 0x13147707 0x13147712 0x131477e3 0x131477e5 0x131477f3 0x131477fb 0x1314780a 0x13147811 0x13147818 0x1314781f 0x1314782f 0x13147844 0x13147800 0x13147823 0x13147835 0x1314784a 0x13147856 0x13146aa7 0x13146aad 0x1314a006 0x1314a021 0x1314a023 0x1314a029 0x1314a05d 0x1314a06d 0x1314a074 0x1314a07b 0x1314a082 0x1314a09b 0x1314a0a1 0x1314a0a7 0x1314a0b0 0x1314a0bd 0x1314a0cf 0x1314a0d3 0x1314a0da 0x1314a131 0x13146ab7 0x13149db9 0x13149dcb 0x1314b757 0x1314b760 0x1314b393 0x1314b52c 0x1314b54c 0x1314b551 0x1314b55b 0x1314b3a4 0x1314b3b6 0x1314b3c0 0x1314b3c7 0x1314b3cb 0x1314b3d6 0x1314b3e1 0x1314b3ea 0x1314b4fc 0x1314b502 0x1314b51b 0x1314b5d2 0x1314b5ec 0x1314b5f5 0x1314b5fc 0x1314b608 0x1314b64d 0x1314c37f 0x1314c3b0 0x1314c3c4 0x1314c3c8 0x1314c3e9 0x1314c3ee 0x1314c417 0x1314c420 0x1314c42d 0x1314c44a 0x1314c451 0x1314c463 0x1314b1f0 0x1314b1fc 0x1314b20a 0x1314b219 0x1314b231 0x1314b23d 0x1314c473 0x1314c483 0x1314c48b 0x1314c4a0 0x1314c4a4 0x1314c4b2 0x1314c4b6 0x1314b671 0x1314c130 0x1314c160 0x1314c178 0x1314c17c 0x1314c1a6 0x1314c1ab 0x1314c354 0x1314c364 0x1314c369 0x1314c371 0x1314c37c 0x1314c1b6 0x1314c1bb 0x1314c1e2 0x1314c1eb 0x1314c1f8 0x1314c215 0x1314c222 0x1314c232 0x1314c253 0x1314c258 0x1314c26d 0x1314c271 0x1314c283 0x1314c28c 0x1314c2d2 0x1314c2e6 0x1314c306 0x1314c30a 0x1314c31e 0x1314c322 0x1314c32d 0x1314c333 0x1314c343 0x1314c34d 0x1314c2c0 0x1314b695 0x1314b6bd 0x1314b6c8 0x1314b6e6 0x1314b6fb 0x1314b702 0x1314b6d0 0x1314b6de 0x1314b6eb 0x1314b709 0x1314b754 0x1314b520 0x1314b527 0x1314b767 0x1314b772 0x13149dd0 0x13149de2 0x13149df3 0x13149df5 0x13149e52 0x13149e7c 0x13149e81 0x13149e8a 0x13149e8e 0x13149ea6 0x13149eb3 0x13149ebd 0x13149ec2 0x13149f08 0x13149f0c 0x13149ff5 0x13149ffc 0x13149e05 0x13149e14 0x13149e25 0x13149e74 0x13149eac 0x13149eb9 0x13149ff9 0x13149e3b 0x13146ac1 0x13149d00 0x13149d12 0x13149d1a 0x13149d20 0x13149d25 0x1314ad80 0x1314ada0 0x1314adb8 0x1314adbf 0x1314adc3 0x1314adca 0x1314add3 0x13149d2b 0x1314ade7 0x1314ad8c 0x1314ad93 0x1314ad9b 0x1314addd 0x13149d24 0x1314adf1 0x13149d32 0x13149d3f 0x13149d54 0x13149d5e 0x13149d5f 0x13149d65 0x13149d90 0x13149d6e 0x13149d74 0x13149d83 0x1314b780 0x1314b7f1 0x1314b7fd 0x1314b804 0x1314b80f 0x1314b816 0x1314b811 0x1314b830 0x1314b834 0x1314b838 0x1314b852 0x13149d8b 0x1314b840 0x1314b84a 0x1314b868 0x1314b85f 0x13149d96 0x13149d97 0x13147548 0x13147554 0x13147574 0x1314759f 0x131475a0 0x131475ae 0x13149da2 0x13146ac6 0x131475b1 0x131475bc 0x13147699 0x1314769e 0x131476a4 0x131476ac 0x131476aa 0x13149a6b 0x13149a78 0x13149a85 0x13149a8a 0x1314b248 0x1314b25c 0x1314b263 0x1314b269 0x1314b270 0x1314b294 0x1314b2b3 0x1314b2c2 0x1314b2ec 0x1314b2ee 0x13149a92 0x13149abe 0x13149ac5 0x13149adb 0x13149ae2 0x13149aff 0x13149b02 0x13149afb 0x13149b0e 0x1314a3ea 0x1314a3f5 0x131476b1 0x131475cb 0x131475da 0x13146acb 0x13146ad8 0x13149ca8 0x13149cb6 0x13149cc3 0x13149ccb 0x13149ccf 0x1314b351 0x1314b362 0x1314b373 0x1314b388 0x1314b38a 0x1314b38e 0x1314b35e 0x13149cd8 0x13149ce0 0x13149ce5 0x13149cf2 0x13149cfc 0x13146add 0x13146aec 0x13146aef 0x13146afb 0x13145ad0 0x131443b0 0x131443b9 0x13145afe 0x13145b08 0x13145b0e 0x13145b14 0x13145b1a 0x13145b23 0x13145b48
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x1315255a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x1315256f
3. GetVersion at 0x7c8114ab in kernel32.dll called from 0x13146a59
4. HeapCreate at 0x7c812929 in kernel32.dll called from 0x131489d7
5. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x1314889d
6. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x13146916
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1314770c
8. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x1314780b
9. GetFileType at 0x7c811069 in kernel32.dll called from 0x13147819
10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x13147850
11. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x13146aa7
12. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x1314a021
13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x1314a099
14. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x1314a0bb
15. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x1314a0d4
16. GetACP at 0x7c809943 in kernel32.dll called from 0x1314b55b
17. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x1314b3db
18. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x1314b5e6
19. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x1314c3be
20. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x1314c444
21. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x1314c49a
22. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x1314c4ac
23. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x1314c172
24. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x1314c20f
25. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x1314c267
26. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x1314c27d
27. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x1314c318
28. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x1314c33d
29. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x13149ddc
30. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x131475a8
31. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x1314b2bc
32. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x1314a3ef
33. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x13146ad2
34. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x13146af5
35. GetVersion at 0x7c8114ab in kernel32.dll called from 0x13145b1d
36. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
37. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
38. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
39. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
40. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
41. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
42. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
43. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
44. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
45. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
46. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
47. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
48. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
49. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
50. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
51. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
52. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
53. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
54. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
55. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
56. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
57. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
58. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
59. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
60. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
61. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
62. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
63. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
64. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
65. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
66. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
67. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
68. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
69. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
70. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
71. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
72. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
73. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
74. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
75. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
76. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
77. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
78. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
79. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
80. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
81. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
82. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
83. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
84. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
85. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
86. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
87. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
88. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
89. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
90. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
91. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
92. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
93. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
94. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
95. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
96. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
97. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
98. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
99. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
100. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
101. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
102. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
103. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
104. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
105. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
106. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
107. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
108. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
109. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
110. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
111. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
112. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
113. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
114. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
115. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
116. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
117. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
118. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
119. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
120. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
121. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
122. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
123. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
124. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
125. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
126. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
127. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
128. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
129. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
130. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
131. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
132. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
133. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
134. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
135. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
136. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
137. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
138. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
139. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
140. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
141. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
142. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
143. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
144. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
145. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
146. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
147. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
148. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
149. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
150. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
151. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
152. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
153. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
154. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
155. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
156. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
157. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
158. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
159. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
160. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
161. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
162. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
163. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
164. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
165. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
166. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
167. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
168. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
169. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
170. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
171. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
172. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
173. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
174. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
175. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
176. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
177. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
178. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
179. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
180. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
181. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
182. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
183. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
184. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
185. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
186. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
187. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
188. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
189. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
190. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
191. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
192. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
193. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
194. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
195. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
196. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
197. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
198. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
199. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
200. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
201. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
202. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
203. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
204. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
205. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
206. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
207. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
208. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
209. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
210. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
211. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
212. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
213. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
214. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
215. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
216. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
217. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
218. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
219. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
220. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
221. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
222. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
223. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
224. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
225. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
226. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
227. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
228. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
229. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
230. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
231. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
232. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
233. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
234. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
235. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
236. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
237. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
238. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
239. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
240. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
241. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
242. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
243. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
244. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
245. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
246. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
247. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
248. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
249. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
250. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
251. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
252. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
253. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
254. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
255. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
256. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
257. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
258. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
259. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
260. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
261. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
262. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
263. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
264. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
265. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
266. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
267. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
268. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
269. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
270. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
271. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
272. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
273. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
274. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
275. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
276. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
277. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
278. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
279. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
280. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
281. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
282. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
283. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
284. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
285. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
286. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
287. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
288. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
289. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
290. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
291. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
292. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
293. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d
294. CharLowerA at 0x77d6eed5 in USER32.dll called from 0x13145b4d

MD5 checksum	2c410614f62d1140b55754bbf8b7b0db
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4021af 0x4021c9 0x4021cf 0x4021de 0x4021e7 0x4021eb 0x4021ef 0x4021f8 0x4021fd 0x402201 0x40220f 0x402216 0x402282 0x402297 0x40229b 0x4022c5 0x4022fb 0x402309 0x40231d 0x401000 0x401011 0x40101f 0x40102d 0x401035 0x401043 0x40104b 0x401058 0x40105d 0x401062 0x40106e 0x40106c 0x401071 0x401082 0x402322 0x402353 0x402366 0x4023c4 0x4023d3 0x4023e2 0x4023f1 0x402400 0x40240f 0x402422 0x402444 0x402471 0x402477 0x402483 0x401edf 0x401efa 0x401f03 0x401f3e 0x401f45 0x401f52 0x401f62 0x401f7e 0x401f8a 0x4020a0 0x4020a8 0x4020eb 0x401f91 0x401fc4 0x401fd1 0x4010c4 0x401d21 0x401d2f 0x401d34 0x401d54 0x401e22 0x401e31 0x401e48 0x401e5d 0x401e61 0x401eb4 0x401edc 0x401d59 0x401d69 0x401d6a 0x4010e9 0x401d6d 0x401103 0x401112 0x401127 0x40113f 0x401142 0x40114a 0x4019a9 0x4019d6 0x4019f0 0x401d42 0x4019fe 0x401a16 0x401a25 0x401a3d 0x401a4c 0x401a55 0x401a5b 0x401a68 0x401a77 0x401a98 0x401aa4 0x401aa9 0x401aac 0x401ab3 0x401ac7 0x401160 0x401181 0x401197 0x4011b2 0x4011c5 0x4011cb 0x4011d4 0x4011de 0x4011e4 0x4011e8 0x4011f0 0x4011fb 0x401206 0x40120d 0x401211 0x401221 0x401236 0x40124e 0x401251 0x401265 0x40126a 0x401275 0x40128d 0x401293 0x4012c5 0x4012d5 0x4012e8 0x4012f6 0x401312 0x401329 0x40132e 0x40133f 0x40134a 0x40134f 0x40135b 0x40135f 0x4020f0 0x402124 0x40212e 0x402137 0x402147 0x40215b 0x401373 0x40137c 0x4013eb 0x4013fa 0x4013fd 0x40141a 0x401424 0x401452 0x401459 0x40146e 0x401474 0x40148c 0x40148f 0x40149a 0x4014a4 0x4014b3 0x4014cd 0x4014db 0x40149e 0x4014f1 0x4014fb 0x4011ab 0x4011ad 0x401aea 0x401b04 0x401b23 0x401b33 0x401b54 0x401b63 0x401c42 0x401b73 0x401bcb 0x401bd8 0x401bdf 0x401c0e 0x401c13 0x401c26 0x401c2a 0x401c3b 0x401c3f 0x401b75 0x401b84 0x401b9c 0x401baf 0x401bb7 0x401c4d 0x401524 0x40152c 0x40152d 0x40216f 0x402178 0x402182 0x40218f 0x402196 0x40219a 0x4021ad 0x401535 0x40153b 0x40153c 0x401c55 0x40143c 0x40210a 0x402118 0x4013b5 0x4014c2 0x401c91 0x401c9e 0x401cc7 0x401ceb 0x40153d 0x40157a 0x401587 0x401597 0x4015ae 0x4015b2 0x4015be 0x4015d0 0x4015e0 0x4015fa 0x40160c 0x401613 0x40164a 0x401653 0x401661 0x401680 0x401690 0x40169c 0x4016a9 0x4016b5 0x4016ca 0x4016d8 0x4016ea 0x4016fc 0x40170a 0x401731 0x401734 0x40174d 0x40174f 0x401753 0x401755 0x401757 0x401768 0x401785 0x401789 0x401777 0x401d7e 0x401d8c 0x401dd8 0x4020b2 0x4020c3 0x4020c5 0x4020e4 0x4020e5 0x401de4 0x401df2 0x401e00 0x401e19 0x401781 0x401749 0x401e46 0x401793 0x4017ad 0x401cfc 0x401d03 0x401d0b 0x402183 0x401d13 0x401d1c 0x40114f 0x40115d 0x401fe0 0x401fe5 0x401fee 0x401ff0 0x40201c 0x40203d 0x402042 0x40205d 0x40207f 0x402088 0x402097 0x402099 0x4024a0 0x4024b2 0x4024c2 0x4027db 0x4025e2 0x402feb 0x402ffc 0x403010 0x403022 0x403026 0x403041 0x40304f 0x40305b 0x403064
Windows API calls issued from malware code
1. SetErrorMode at 0x7c80aa97 in kernel32.dll called from 0x4021c3
2. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4021c9
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x402210
4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x402291
5. lopen at 0x7c85e610 in kernel32.dll called from 0x402303
6. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40100f
7. GlobalLock at 0x7c810119 in kernel32.dll called from 0x40101d
8. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40102b
9. GlobalLock at 0x7c810119 in kernel32.dll called from 0x401033
10. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x401041
11. GlobalLock at 0x7c810119 in kernel32.dll called from 0x401049
12. llseek at 0x7c839450 in kernel32.dll called from 0x402351
13. hread at 0x7c839418 in kernel32.dll called from 0x402364
14. hread at 0x7c839418 in kernel32.dll called from 0x4023d1
15. hread at 0x7c839418 in kernel32.dll called from 0x4023e0
16. hread at 0x7c839418 in kernel32.dll called from 0x4023ef
17. hread at 0x7c839418 in kernel32.dll called from 0x4023fe
18. hread at 0x7c839418 in kernel32.dll called from 0x40240d
19. hread at 0x7c839418 in kernel32.dll called from 0x402442
20. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x402475
21. GlobalLock at 0x7c810119 in kernel32.dll called from 0x40247d
22. llseek at 0x7c839450 in kernel32.dll called from 0x401f43
23. hread at 0x7c839418 in kernel32.dll called from 0x401f4c
24. llseek at 0x7c839450 in kernel32.dll called from 0x401f60
25. hread at 0x7c839418 in kernel32.dll called from 0x401e5b
26. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x402128
27. GlobalLock at 0x7c810119 in kernel32.dll called from 0x402131
28. GlobalUnlock at 0x7c810082 in kernel32.dll called from 0x402189
29. GlobalFree at 0x7c80fe2f in kernel32.dll called from 0x402190
30. LoadIconA at 0x77d521ae in USER32.dll called from 0x4027fd
31. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x402ff6
32. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40300a
33. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x403020
34. FormatMessageA at 0x7c825f62 in kernel32.dll called from 0x40303b
35. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x40304d
36. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x403059
37. LocalFree at 0x7c80995d in kernel32.dll called from 0x40305e
38. MessageBoxA at 0x77d8050b in USER32.dll called from 0x403078

MD5 checksum	2c7a3ec48285bd2866c4fa3996989662
Anti-virus name	W32/Trojan2.DVSN (exact),Trojan.Buzus-1589,Trojan.Delf.Inject.Z
PEiD packer signature	Borland Delphi 6.0 - 7.0 [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x1006a7bc 0x1000679c 0x100066d8 0x100067ad 0x10006790 0x100060a0 0x1000679a 0x100067cf 0x1000470c 0x100045f8 0x1000473f 0x100046a4 0x100046b4 0x100046d0 0x100046e3 0x100046e1 0x1006a000 0x1006a00d 0x10002c2c 0x10002c39 0x10002c44 0x10002c7b 0x10002c80 0x10002c92 0x10002ccc 0x10002cd1 0x10002cde 0x10002c3e 0x10002cd9 0x10002d09 0x10002be8 0x10002bf3 0x10002c01 0x10002c11 0x10002c1c 0x10002c1e 0x10002c27 0x10002d0e 0x10002d2c 0x10002d39 0x1006a012 0x10003950 0x10003948 0x1006a094 0x1006a098 0x1006a0a1 0x1006a0a8 0x1006a0ac 0x1006a0c6 0x1000474c 0x10004758 0x10006618 0x10006629 0x10006632 0x10005b24 0x10005b33 0x10005b42 0x10005adc 0x10005aec 0x10001264 0x10005aff 0x10005d40 0x10005d61 0x100012bc 0x10005b17 0x10005b49 0x10005b55 0x10006649 0x10001294
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x100066d8
2. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x10003948
3. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x10001264
4. RegOpenKeyExA at 0x77dd761b in ADVAPI32.dll called from 0x100012bc
5. LoadStringA at 0x77d6ec98 in USER32.dll called from 0x10001294

MD5 checksum	2ca92350c271bfe88c941e9dd0f31ea2
Anti-virus name	W32/SysVenFak.B.gen!Eldorado (generic, not disinfectable),Worm.Mytob.IS,Trojan.Generic.572703
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x107ac2e 0x107ac59 0x107ac96 0x107ac9e 0x107aca9 0x107aefb 0x107af09 0x107af0a 0x107af7c 0x107af80 0x107af85 0x107af0f 0x107af11 0x107af18 0x107af1a 0x107af21 0x107af23 0x107af25 0x107af2a 0x107af2e 0x107af71 0x107af72 0x107af30 0x107af44 0x107af49 0x107af33 0x107af88 0x107af89 0x107af8e 0x107af95 0x107af97 0x107af38 0x107af3b 0x107af86 0x107af42 0x107af50 0x107af5d 0x107af64 0x107af6b 0x107af70 0x107af98 0x107acbe 0x107accc 0x107acec 0x7a0000 0x7a0023 0x7a0031 0x7a004f 0x7a0055 0x7a0059 0x7a007d 0x7a00a6 0x7a00fb 0x7a0166 0x7a016a 0x7a017e 0x7a04cc 0x7a04f5 0x7a04af 0x7a04c6 0x7a04fb 0x7a0511 0x7a0192 0x7a01a1 0x7a01b7 0x7a0514 0x7a0535 0x7a057e 0x7a01d0 0x7a01db 0x7a0214 0x7a0225 0x7a025d 0x7a075b 0x7a0777 0x7a0794 0x7a07c6 0x7a07f0 0x7a07ce 0x7a07db 0x7a07fc 0x7a0268 0x7a026f 0x7a0273 0x7a0277 0x7a0583 0x7a05c8 0x7a028b 0x7a02a5 0x7a02b1 0x7a02c3 0x7a02cf 0x7a02e4 0x7a0368 0x7a0812 0x7a0823 0x7a0844 0x7a084d 0x7a0874 0x7a088b 0x7a08af 0x7a08b9 0x7a08ec 0x7a0908 0x7a0910 0x7a091d 0x7a0932 0x7a0941 0x7a094b 0x7a0882 0x7a037e 0x7a0468 0x7a046c 0x7a0470 0x7a0473 0x7a0490 0x7a0496 0x7a05a6 0x7a05ac 0x7a08d6 0x7a0218 0x7a0222 0x7a022d 0x7a05d0 0x7a05ea 0x7a062a 0x7a066d 0x7a0697 0x7a069d 0x7a06a9 0x7a0648 0x7a06ae 0xstackwalk:
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x107ac90

MD5 checksum 2d7c1f659699d6da65e1f9b70b84c2c4

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x45f3fa 0x46833e 0x46836e 0x468379 0x468385 0x46838d 0x468395 0x4683a1 0x4683b4 0x4683bf 0x4683ce 0x45f3ff 0x45f21a 0x45f9bc 0x45f226 0x45f234 0x45f24b 0x45f252 0x45f265 0x45f26e 0x45f283 0x45f2a0 0x45f2a7 0x45f2b5 0x45f1d9 0x45f1e4 0x45f1f5 0x45f200 0x45f209 0x45f2e4 0x46382f 0x463846 0x463852 0x4637d4 0x45d972 0x45d99a 0x45d9a3 0x4637eb 0x4637fd 0x45d9a9 0x45d9d1 0x45d9d9 0x463806 0x463818 0x46381f 0x463825 0x463857 0x463885 0x45f2f0 0x45f2fd 0x4613c8 0x4613d4 0x4613e3 0x4613f2 0x4613ff 0x46140c 0x461419 0x461443 0x461467 0x46146d 0x46147b 0x461484 0x46148c 0x45db85 0x460fdf 0x460f7c 0x460f8b 0x460f8f 0x460fb0 0x460fbb 0x460fbf 0x460fcb 0x460fcf 0x460fd5 0x460fd9 0x460fe6 0x45db8b 0x464708 0x45db93 0x46775d 0x45db99 0x4601c8 0x45db9f 0x467753 0x45dba5 0x467749 0x45dbab 0x46753f 0x45dbb1 0x45dbb7 0x4615cf 0x4615d9 0x45dbbd 0x45dbc7 0x461491 0x46149c 0x4614ac 0x4614bc 0x4614cc 0x463889 0x463892 0x46389c 0x467777 0x467783 0x460fe8 0x460ff7 0x460ffb 0x46101c 0x461027 0x46102b 0x461037 0x46103b 0x461041 0x461045 0x467793 0x46779a 0x4677a3 0x4677b5 0x4677bb 0x4677c6 0x4677ca 0x4677d6 0x4677e1 0x4677e7 0x4677ed 0x4677f8 0x46782c 0x45fa01 0x46783b 0x4638b4 0x4638ba 0x4638c0 0x4638c3 0x4614d9 0x4614dd 0x4614ed 0x46104b 0x461051 0x4614f0 0x4614fa 0x465db4 0x45ae75 0x45ae81 0x45ae8a 0x45aeb8 0x45aec8 0x45aed2 0x45af26 0x45af2a 0x45af39 0x45af3b 0x45af8b 0x45af92 0x465dc7 0x465df7 0x461506 0x46150e 0x461005 0x46100e 0x461010 0x461520 0x461523 0x461527 0x4610ef 0x4610fb 0x461106 0x46111d 0x46112b 0x46113b 0x461141 0x461161 0x4639ff 0x463a25 0x463a2d 0x461168 0x461177 0x46117f 0x465167 0x465178 0x465185 0x465192 0x46519f 0x4651ac 0x4651b2 0x4651bb 0x4651c4 0x4651d4 0x4651da 0x4651e8 0x461187 0x46119a 0x463927 0x46393a 0x4611a1 0x461194 0x461199 0x46152f 0x461537 0x461549 0x45f302 0x45f30e 0x4674f7 0x467518 0x45f313 0x4680fe 0x46810a 0x468119 0x46812b 0x468135 0x468171 0x468148 0x468175 0x46827c 0x46827e 0x46829b 0x4682a3 0x4682b2 0x4682b9 0x4682c0 0x4682c4 0x4682cb 0x468303 0x46830d 0x4682a8 0x4682cf 0x4682e1 0x4682ea 0x461014 0x4682f8 0x4682fe 0x468317 0x468323 0x468338 0x46833d 0x45f31b 0x45f327 0x45f32d 0x467fc9 0x467fe5 0x467fe7 0x467fed 0x46801b 0x46802e 0x468035 0x46803c 0x468043 0x46805c 0x468062 0x465d74 0x45a759 0x45a767 0x45a794 0x45a79e 0x45a7a2 0x45a7a9 0x45a7ca 0x45a7d3 0x45a7ff 0x465d81 0x465daf 0x468068 0x468071 0x46807e 0x468090 0x468094 0x46809b 0x4680f7 0x45f337 0x467f10 0x467f23 0x465009 0x465012 0x464e6f 0x464e7b 0x461226 0x4611a3 0x4611ab 0x46106f 0x46107b 0x461098 0x4611b2 0x4611c4 0x4611c6 0x46121a 0x461221 0x46122c 0x46123a 0x464e84 0x464ba6 0x464bb2 0x464bb7 0x464be0 0x464be7 0x464c30 0x464c41 0x464c48 0x464c3c 0x464bcc 0x464bd8 0x464bdf 0x464e8e 0x464c4a 0x45b00b 0x45b01a 0x45b01f 0x45b049 0x45b06a 0x45b073 0x45b087 0x464c5c 0x464c85 0x464c8a 0x464c9a 0x464c77 0x464c7c 0x464cc1 0x464e99 0x464ea5 0x464eaf 0x464eba 0x464cc4 0x464c9c 0x464cb3 0x464cb8 0x464cbf 0x464ce2 0x464cfb 0x464d00 0x464d08 0x464d15 0x464d20 0x464d28 0x45a820 0x45a82c 0x45a836 0x45a83e 0x45a84c 0x45a854 0x45a867 0x45a87f 0x45a885 0x45a88f 0x464d37 0x464e44 0x464e47 0x464e03 0x464a1c 0x464a46 0x464a53 0x464a55 0x464a61 0x464a9a 0x46b73b 0x46b74c 0x46b583 0x46b5a2 0x46b5b6 0x46b5ba 0x46b5f6 0x46b606 0x46b629 0x46b633 0x46b635 0x46b63d 0x46b648 0x45e380 0x45afe0 0x45aff4 0x45aff8 0x46b64d 0x46b653 0x46b66c 0x46b66f 0x46b671 0x46b675 0x46b681 0x46b693 0x46b697 0x46b6a5 0x46b6a8 0x45b64c 0x45b654 0x45b666 0x46b6ae 0x46b729 0x45a1c8 0x45a1d0 0x46b739 0x46b769 0x46b772 0x46b779 0x464ab7 0x465ba8 0x465bb9 0x465806 0x465825 0x46583c 0x465840 0x46585d 0x465862 0x465868 0x46586d 0x465872 0x465875 0x465881 0x465884 0x465892 0x46589a 0x4658a3 0x4658b3 0x4658d6 0x4658e0 0x4658e2 0x4658ee 0x4658f9 0x4658fe 0x465904 0x46591d 0x465920 0x465928 0x465931 0x465942 0x46594a 0x46595e 0x46596b 0x46599c 0x4659a0 0x4659ac 0x4659b7 0x4659bc 0x4659c2 0x4659e7 0x4659eb 0x4659ff 0x465a03 0x465a0e 0x465a14 0x465a22 0x465a25 0x465a2b 0x465a2c 0x465a34 0x465b96 0x465ba6 0x465bd9 0x465be2 0x465be9 0x464ad7 0x464afc 0x464b01 0x464b19 0x464b33 0x464b3b 0x464b0b 0x464b2a 0x464b1e 0x464b40 0x464b8f 0x464b9e 0x464e0a 0x464cf4 0x464e60 0x464e6d 0x464ed2 0x464edf 0x464eeb 0x464eef 0x464f00 0x464f0c 0x464f16 0x464f23 0x464f2a 0x464f49 0x464f51 0x464f61 0x464f63 0x464f6d 0x464f7a 0x464f7c 0x464f86 0x464f96 0x464fa2 0x464fb9 0x464fc2 0x464fd0 0x464fd7 0x464fce 0x465000 0x465008 0x465019 0x465024 0x467f28 0x467f40 0x467f4f 0x467f59 0x467d78 0x467d9e 0x467da1 0x467da6 0x467df2 0x467db6 0x467dc4 0x45fe8c 0x45fe26 0x45fe37 0x45fe47 0x45fe5f 0x45fe61 0x45fe68 0x45fe6e 0x45fe75 0x45fe9b 0x467dd0 0x467de8 0x467df8 0x467dfd 0x467e24 0x467e0a 0x467e0e 0x467f00 0x467f0c 0x467f6a 0x467f77 0x467f7f 0x467f8b 0x467f91 0x467f98 0x467d95 0x467dbc 0x467f09 0x467fab 0x467fc4 0x45f341 0x45f34d 0x467c9d 0x467caf 0x467cd3 0x467cc3 0x467cc8 0x45f6e0 0x45f710 0x45f728 0x45f72f 0x45f733 0x45f73a 0x45f743 0x467cce 0x45f757 0x45f6ec 0x45f6f5 0x45f6fd 0x45f74d 0x467cc7 0x45f761 0x467cd9 0x467ce2 0x467cf0 0x467d39 0x467cf9 0x467cff 0x467d37 0x467d08 0x467d10 0x467d18 0x45fa20 0x45fa2d 0x45fa50 0x45fa5c 0x45fa5e 0x45fa68 0x45fa6b 0x45fa7f 0x467d20 0x467d34 0x467d3d 0x45a67c 0x45a688 0x45a68f 0x45a6db 0x45a6ea 0x45a704 0x45a709 0x467d48 0x467d5e 0x45f352 0x45f35e 0x45d9e5 0x45d9ee 0x465502 0x46550e 0x465490 0x46549e 0x4654ab 0x46551d 0x465522 0x4654c0 0x4654de 0x4654e2 0x4654e9 0x4654f2 0x4654fe 0x46552e 0x465534 0x465568 0x46556d 0x45d9f8 0x45d9fd 0x45a65e 0x45a5fe 0x45a663 0x4637ab 0x4637b6 0x4637ba 0x4637c6 0x4637ca 0x4637ce 0x45a668 0x45a674 0x463746 0x46b278 0x46b2c2 0x46b2d6 0x46e194 0x46e1ab 0x46e1ae 0x46e1b3 0x46e1b6 0x46e1bb 0x46e1be 0x46e1c3 0x46e1c6 0x46e1cb 0x46e1ce 0x46e1d3 0x46e1d9 0x46e211 0x46e215 0x46e219 0x46e227 0x46e234 0x46e2fc 0x46e48f 0x46b2db 0x463759 0x46376d 0x45a679 0x45da07 0x45da08 0x463727 0x460f99 0x460fa2 0x460fa4 0x460fa8 0x463738 0x46372b 0x463743 0x45da0d 0x45d952 0x45d96a 0x45d95b 0x45d95f 0x45d967 0x45d965 0x45c85d 0x45c867 0x45c86f 0x45c885 0x46481a 0x46b516 0x46b53a 0x46b559 0x46b563 0x46b4c6 0x46b4d2 0x46b506 0x46b515 0x46b568 0x46b56c 0x46b573 0x464826 0x4679c1 0x4679ce 0x4679db 0x4679e0 0x4679e8 0x467a11 0x467a1f 0x467a1a 0x467a30 0x467a3b 0x467a57 0x467a5f 0x467a61 0x467a5b 0x467a6d 0x46b576 0x46b57b 0x467312 0x46731d 0x467323 0x45d970 0x45da1c 0x45da22 0x45c8c8 0x45c88c 0x45c898 0x45d928 0x45d92f 0x45c89d 0x45c7b0 0x45c7c0 0x45c7d1 0x45c7d9 0x45c7e5 0x45fc85 0x45fc91 0x45fcbe 0x45fcff 0x45fd0d 0x45fd16
- Windows API calls issued from malware code
  1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x468373
  2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x46837f
  3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x468387
  4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x46838f
  5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x46839b
  6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x45f22e
  7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x45f249
  8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x45f24c
  9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x45f268
  10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x45f29e
  11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x45f2a1
  12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x463840
  13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4613ce
  14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4613f0
  15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4613fd
  16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x46140a
  17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x461417
  18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x461467
  19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x461482
  20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x460f89
  21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x460fb5
  22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x460fc5
  23. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x460fd3
  24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x460ff5
  25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x461021
  26. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x461031
  27. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x46103f
  28. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4677c0
  29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4677d0
  30. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x4677f6
  31. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x46104b
  32. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x45af33
  33. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x46100c
  34. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x46100e
  35. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x461521
  36. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x461100
  37. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x461129
  38. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x461139
  39. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x46115b
  40. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x463a27
  41. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x465176
  42. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x4651e6
  43. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x463934
  44. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x461531
  45. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x468113
  46. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x4682b3
  47. GetFileType at 0x7c811069 in kernel32.dll called from 0x4682c5
  48. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x46831d
  49. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x45f327
  50. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x467fe5
  51. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x46805a
  52. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x45a7d1
  53. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x46807c
  54. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x468095
  55. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x4611a5
  56. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x461075
  57. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4611be
  58. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4611c4
  59. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x46121b
  60. GetACP at 0x7c809943 in kernel32.dll called from 0x464c94
  61. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x464d1a
  62. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x464a40
  63. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x46b5b0
  64. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x46b627
  65. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x46b691
  66. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x46b69f
  67. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x465836
  68. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4658d4
  69. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x465940
  70. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x46595c
  71. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4659f9
  72. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x465a1c
  73. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x464ee5
  74. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x464f0a
  75. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x464f9c
  76. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x464fc0
  77. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x467f3a
  78. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x45a6e4
  79. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4637b0
  80. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4637c0
  81. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x4637cc
  82. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x460fa0
  83. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x460fa2
  84. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x467317
  85. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x46103f
  86. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x45fd07

MD5 checksum	2da81d71d483a197cb9ad71980ca8e17
Anti-virus name	W32/Heuristic-210!Eldorado (not disinfectable),Trojan.PcClient-2361,Trojan.Generic.478122

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4c75da 0x4c75e1 0x4c75f4 0x4c762c 0x4c7634 0x4c763f 0x4c7900 0x4c790c 0x4c790d 0x4c797f 0x4c7983 0x4c7988 0x4c7912 0x4c7914 0x4c791b 0x4c791d 0x4c7924 0x4c7926 0x4c7928 0x4c792d 0x4c7931 0x4c7933 0x4c7947 0x4c794c 0x4c7975 0x4c7974 0x4c7936 0x4c798b 0x4c798c 0x4c7991 0x4c7998 0x4c799a 0x4c793b 0x4c7953 0x4c7989 0x4c7960 0x4c7967 0x4c796e 0x4c7973 0x4c793e 0x4c7945 0x4c799b 0x4c764e 0x4c7661 0x4c7681 0x9805aa 0x9805ca 0x9805d6 0x9805e4 0x9805ea 0x980606 0x980629 0x980298 0x9802fa 0x9802fe 0x980310 0x980018 0x980033 0x980001 0x980012 0x980038 0x980049 0x98031e 0x980328 0x98033b 0x980094 0x9800ad 0x9800e9 0x98012f 0x980350 0x980354 0x98037f 0x980395 0x9803bb 0x9801ae 0x9801b8 0x9801c5 0x9800ed 0x98012c 0x9800d0 0x9800d7 0x9801ce 0x9803c3 0x980434 0x98058c 0x980113 0x98011a 0x9803ca 0x9803df 0x9803ea 0x9803f6 0x9803fd 0x98040e 0x980412 0x98041b 0x980385 0x98038a 0x980392 0x98039b 0x9801d2 0x9801e1 0x9801fe 0x980206 0x980222 0x980210 0x98021e 0x98022a 0x9803b5 0x980487 0x980233 0x98023e 0x980242 0x980132 0x980143 0x980147 0x980155 0x98015c 0x98015d 0x980256 0x980293 0x980498 0x98055e 0x980564 0x98056c 0x980578 0x980587 0x9804b1 0x9804e3 0x9804ee 0x980504 0x980509 0x980521 0x98052d 0x98016c 0x980185 0x980186 0x980194 0x9801a4 0x9801a5 0x980532 0x980557 0x98038f 0x980442 0x98044e 0x980457 0x980466 0x98046f 0x980478 0x98047e 0x980552 0x980258 0x980262 0x980267 0x98027d 0x9804eb 0x980452 0x980282 0x980290 0x98046a 0x980536 0x98004d 0x98005c 0x98005f 0x98006c 0x980084 0x980067 0x980087 0x980088 0x98053e 0x980074 0x98007c 0x98020e 0x980598 0x98059a 0x980648 0x98064e 0x98064f 0x98065c 0x980660 0x4c76a2 0x4c76b0 0x4c76c3 0x4c76d8 0x4c76dd 0x4c76e1 0x4c76e9 0x4c76ef 0x4c7707 0x4c7717 0x4c7856 0x4c7864 0x4c787f 0x4c789a 0x4c78a2 0x4c78b9 0x4c78cd 0x4c78e0 0x4c78e9 0x4c78ad 0x4c78b6 0x4c786c 0x4c7871 0x4c7877 0x4c787d 0x4c78f9 0x4c771c 0x4c77af 0x4c7802 0x4c7813 0x4c7832 0x4c783b 0x4c784f 0x49dfec 0x406c74 0x406bb0 0x406c85 0x406c68 0x406514 0x406c72 0x406ca7 0x404b8c 0x404a84 0x404bbf 0x404b2c 0x404b3b 0x404b54 0x404b62 0x406ce8 0x404b64 0x406b18 0x406b25 0x402a70 0x402a7d 0x402a88 0x402abe 0x402ac3 0x402ad5 0x402b0f 0x402b14 0x402b21 0x402a82 0x402b1c 0x402b4c 0x402a2c 0x402a37 0x402a45 0x402a54 0x402a5f 0x402a61 0x402a6a 0x402b51 0x402b6f 0x402b7c 0x406b2a 0x403f2c 0x403f24 0x406bac 0x406d60 0x407c44 0x407c7c 0x4129e0 0x407f9c 0x40ed5c 0x40ed76 0x404bf0 0x404bfc 0x406a58 0x406a68 0x406a71 0x405fc4 0x405fce 0x405fdd 0x405f7c 0x405f8c 0x4012ac 0x405f9f 0x4061b8 0x4061d9 0x401304 0x405fb7 0x405fe4 0x406a88 0x4012dc 0x404fb8 0x404f8c 0x404f90 0x402c78 0x402c7c 0x4017e8 0x401800 0x401812 0x401838 0x4018b4 0x4018f0 0x40196c 0x4019a0 0x401690 0x401624 0x40162d 0x401698 0x401378 0x4019bc
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4c7626
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x980626
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x980659
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4c76bd
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4c7894
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4c78da
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4c782c
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x406bb0
9. GetKeyboardType at 0x77d6fa46 in USER32.DLL called from 0x403f24
10. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4012ac
11. RegOpenKeyExA at 0x77dd761b in ADVAPI32.DLL called from 0x401304
12. LoadStringA at 0x77d6ec98 in USER32.DLL called from 0x4012dc
- dot file
- jpg

MD5 checksum	2e25a75c84c66156c9b4f2580fe11a69
Anti-virus name	W32/TrojanX.AZOH (exact),Trojan.Dropper-3074,Trojan.Downloader.Agent.ZCR
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40ab5c 0x412242 0x412272 0x41227d 0x412289 0x412291 0x412299 0x4122a5 0x4122b8 0x4122c3 0x4122d2 0x40ab61 0x40a97c 0x40d110 0x40a988 0x40a996 0x40a9ad 0x40a9b4 0x40a9c7 0x40a9d0 0x40a9e5 0x40aa02 0x40aa09 0x40aa17 0x40a93b 0x40a946 0x40a957 0x40a962 0x40a96b 0x40aa46 0x41122b 0x411242 0x41124e 0x4111d0 0x40a152 0x40a17a 0x40a183 0x4111e7 0x4111f9 0x40a189 0x40a1b1 0x40a1b9 0x411202 0x411214 0x41121b 0x411221 0x411253 0x411281 0x40aa52 0x40aa5f 0x40bac6 0x40bad2 0x40bae1 0x40baf0 0x40bafd 0x40bb0a 0x40bb17 0x40bb41 0x40bb65 0x40bb6b 0x40bb79 0x40bb82 0x40bb8a 0x40a365 0x40b6dd 0x40b67a 0x40b689 0x40b68d 0x40b6ae 0x40b6b9 0x40b6bd 0x40b6c9 0x40b6cd 0x40b6d3 0x40b6d7 0x40b6e4 0x40a36b 0x40c0b8 0x40a373 0x410a4d 0x40a379 0x407db5 0x40a37f 0x410a43 0x40a385 0x410a39 0x40a38b 0x41082f 0x40a391 0x40a397 0x40d0fc 0x40d106 0x40a39d 0x40a3a7 0x40bb8f 0x40bb9a 0x40bbaa 0x40bbba 0x40bbca 0x410621 0x41062a 0x410634 0x410a67 0x410a73 0x40b6e6 0x40b6f5 0x40b6f9 0x40b71a 0x40b725 0x40b729 0x40b735 0x40b739 0x40b73f 0x40b743 0x410a83 0x410a8a 0x410a93 0x410aa5 0x410aab 0x410ab6 0x410aba 0x410ac6 0x410ad1 0x410ad7 0x410add 0x410ae8 0x410b1c 0x40d155 0x410b2b 0x41064c 0x410652 0x410658 0x41065b 0x40bbd7 0x40bbdb 0x40bbeb 0x40b749 0x40b74f 0x40bbee 0x40bbf8 0x40d59e 0x413557 0x413563 0x41356c 0x41359a 0x4135aa 0x4135b4 0x413608 0x41360c 0x41361b 0x41361d 0x41366d 0x413674 0x40d5b1 0x40d5e1 0x40bc04 0x40bc0c 0x40b703 0x40b70c 0x40b70e 0x40bc1e 0x40bc21 0x40bc25 0x40b7ed 0x40b7f9 0x40b804 0x40b81b 0x40b829 0x40b839 0x40b83f 0x40b85f 0x410797 0x4107bd 0x4107c5 0x40b866 0x40b875 0x40b87d 0x40e58a 0x40e59b 0x40e5a8 0x40e5b5 0x40e5c2 0x40e5cf 0x40e5d5 0x40e5de 0x40e5e7 0x40e5f7 0x40e5fd 0x40e60b 0x40b885 0x40b898 0x4106bf 0x4106d2 0x40b89f 0x40b892 0x40b897 0x40bc2d 0x40bc35 0x40bc47 0x40aa64 0x40aa70 0x4107c8 0x4107e9 0x40aa75 0x40fec5 0x40fed1 0x40fee0 0x40fef2 0x40fefc 0x40ff38 0x40ff0f 0x40ff3c 0x410043 0x410045 0x410062 0x41006a 0x410079 0x410080 0x410087 0x41008b 0x410092 0x4100ca 0x4100d4 0x41006f 0x410096 0x4100a8 0x4100b1 0x40b712 0x4100bf 0x4100c5 0x4100de 0x4100ea 0x4100ff 0x410104 0x40aa7d 0x40aa89 0x40aa8f 0x41210d 0x412129 0x41212b 0x412131 0x41215f 0x412172 0x412179 0x412180 0x412187 0x4121a0 0x4121a6 0x40d55e 0x40a854 0x40a862 0x40a88f 0x40a899 0x40a89d 0x40a8a4 0x40a8c5 0x40a8ce 0x40a8fa 0x40d56b 0x40d599 0x4121ac 0x4121b5 0x4121c2 0x4121d4 0x4121d8 0x4121df 0x41223b 0x40aa99 0x412054 0x412067 0x40e42c 0x40e435 0x40e292 0x40e29e 0x40b924 0x40b8a1 0x40b8a9 0x40b76d 0x40b779 0x40b796 0x40b8b0 0x40b8c2 0x40b8c4 0x40b918 0x40b91f 0x40b92a 0x40b938 0x40e2a7 0x40dfc9 0x40dfd5 0x40dfda 0x40e003 0x40e00a 0x40e053 0x40e064 0x40e06b 0x40e05f 0x40dfef 0x40dffb 0x40e002 0x40e2b1 0x40e06d 0x408a46 0x408a55 0x408a5a 0x408a84 0x408aa5 0x408aae 0x408ac2 0x40e07f 0x40e0a8 0x40e0ad 0x40e0bd 0x40e09a 0x40e09f 0x40e0e4 0x40e2bc 0x40e2c8 0x40e2d2 0x40e2dd 0x40e0e7 0x40e0bf 0x40e0d6 0x40e0db 0x40e0e2 0x40e105 0x40e11e 0x40e123 0x40e12b 0x40e138 0x40e143 0x40e14b 0x40b600 0x40b60c 0x40b616 0x40b61e 0x40b62c 0x40b634 0x40b647 0x40b65f 0x40b665 0x40b66f 0x40e15a 0x40e267 0x40e26a 0x40e226 0x40de3f 0x40de69 0x40de76 0x40de78 0x40de84 0x40debd 0x41477b 0x41478c 0x4145c3 0x4145e2 0x4145f6 0x4145fa 0x414636 0x414646 0x414669 0x414673 0x414675 0x41467d 0x414688 0x40f510 0x415390 0x4153a4 0x4153a8 0x41468d 0x414693 0x4146ac 0x4146af 0x4146b1 0x4146b5 0x4146c1 0x4146d3 0x4146d7 0x4146e5 0x4146e8 0x408f4d 0x408f55 0x408f67 0x4146ee 0x414769 0x407c3d 0x407c45 0x414779 0x4147a9 0x4147b2 0x4147b9 0x40deda 0x40eaf2 0x40eb03 0x40e750 0x40e76f 0x40e786 0x40e78a 0x40e7a7 0x40e7ac 0x40e7b2 0x40e7b7 0x40e7bc 0x40e7bf 0x40e7cb 0x40e7ce 0x40e7dc 0x40e7e4 0x40e7ed 0x40e7fd 0x40e820 0x40e82a 0x40e82c 0x40e838 0x40e843 0x40e848 0x40e84e 0x40e867 0x40e86a 0x40e872 0x40e87b 0x40e88c 0x40e894 0x40e8a8 0x40e8b5 0x40e8e6 0x40e8ea 0x40e8f6 0x40e901 0x40e906 0x40e90c 0x40e931 0x40e935 0x40e949 0x40e94d 0x40e958 0x40e95e 0x40e96c 0x40e96f 0x40e975 0x40e976 0x40e97e 0x40eae0 0x40eaf0 0x40eb23 0x40eb2c 0x40eb33 0x40defa 0x40df1f 0x40df24 0x40df3c 0x40df56 0x40df5e 0x40df2e 0x40df4d 0x40df41 0x40df63 0x40dfb2 0x40dfc1 0x40e22d 0x40e117 0x40e283 0x40e290 0x40e2f5 0x40e302 0x40e30e 0x40e312 0x40e323 0x40e32f 0x40e339 0x40e346 0x40e34d 0x40e36c 0x40e374 0x40e384 0x40e386 0x40e390 0x40e39d 0x40e39f 0x40e3a9 0x40e3b9 0x40e3c5 0x40e3dc 0x40e3e5 0x40e3f3 0x40e3fa 0x40e3f1 0x40e423 0x40e42b 0x40e43c 0x40e447 0x41206c 0x412084 0x412093 0x41209d 0x411ebc 0x411ee2 0x411ee5 0x411eea 0x411f36 0x411efa 0x411f08 0x415ceb 0x415c9a 0x415cab 0x415cbb 0x415cd3 0x415cd5 0x415cdc 0x415ce2 0x415ce9 0x415cfa 0x411f14 0x411f2c 0x411f3c 0x411f41 0x411f68 0x411f4e 0x411f52 0x412044 0x412050 0x4120ae 0x4120bb 0x4120c3 0x4120cf 0x4120d5 0x4120dc 0x411ed9 0x411f00 0x41204d 0x4120ef 0x412108 0x40aaa3 0x40aaaf 0x411de1 0x411df3 0x411e17 0x411e07 0x411e0c 0x40ab70 0x40aba0 0x40abb8 0x40abbf 0x40abc3 0x40abca 0x40abd3 0x411e12 0x40abe7 0x40ab7c 0x40ab85 0x40ab8d 0x40abdd 0x411e0b 0x40abf1 0x411e1d 0x411e26 0x411e34 0x411e7d 0x411e3d 0x411e43 0x411e7b 0x411e4c 0x411e54 0x411e5c 0x408ee8 0x408ef5 0x408f18 0x408f24 0x408f26 0x408f30 0x408f33 0x408f47 0x411e64 0x411e78 0x411e81 0x40a777 0x40a783 0x40a78a 0x40a7d6 0x40a7e5 0x40a7ff 0x40a804 0x411e8c 0x411ea2 0x40aab4 0x40aac0 0x40a1c5 0x40a1e8 0x410810 0x40b697 0x40b6a0 0x40b6a2 0x40b6a6 0x410821 0x410814 0x41082c 0x40a1ed 0x40a132 0x40a14a 0x40a13b 0x40a13f 0x40a147 0x40a145 0x40b5c4 0x4088b5 0x4088bf 0x4088c7 0x4088dd 0x40d72a 0x40d737 0x40d744 0x40d749 0x40d751 0x40d77a 0x40d788 0x40d783 0x40d799 0x40d7a4 0x40d7c0 0x40d7c8 0x40d7ca 0x40d7c4 0x40d7d6 0x4131d6 0x415d5b 0x415d7f 0x415d9e 0x415da8 0x415d0b 0x415d17 0x415d4b 0x415d5a 0x415dad 0x415db1 0x415db8 0x4131e2 0x415dbb 0x415dc0 0x412342 0x41234d 0x412353 0x40a150 0x40a1fc 0x40a202 0x408920 0x4088e4 0x4088f0 0x40a108 0x40a10f 0x4088f5 0x408808 0x408818 0x408829 0x408831 0x40883d 0x40d681 0x40d68d 0x40d6ba 0x40d6fb 0x40d709 0x40d712
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x412277
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x412283
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x41228b
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x412293
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x41229f
6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40a990
7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40a9ab
8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40a9ae
9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40a9ca
10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40aa00
11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40aa03
12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x41123c
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40bacc
14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40baee
15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40bafb
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40bb08
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40bb15
18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40bb65
19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40bb80
20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b687
21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40b6b3
22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b6c3
23. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x40b6d1
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b6f3
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40b71f
26. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b72f
27. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x40b73d
28. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x410ab0
29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x410ac0
30. InitializeCriticalSectionAndSpin called from 0x410ae6
31. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40b749
32. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x413615
33. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b70a
34. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b70c
35. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40bc1f
36. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40b7fe
37. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b827
38. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40b837
39. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40b859
40. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x4107bf
41. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e599
42. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e609
43. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x4106cc
44. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40bc2f
45. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40feda
46. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x41007a
47. GetFileType at 0x7c811069 in kernel32.dll called from 0x41008c
48. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x4100e4
49. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40aa89
50. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x412129
51. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x41219e
52. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40a8cc
53. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4121c0
54. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4121d9
55. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x40b8a3
56. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b773
57. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b8bc
58. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b8c2
59. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x40b919
60. GetACP at 0x7c809943 in kernel32.dll called from 0x40e0b7
61. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40e13d
62. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40de63
63. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4145f0
64. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x414667
65. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4146d1
66. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4146df
67. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e780
68. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e81e
69. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e88a
70. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e8a6
71. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e943
72. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40e966
73. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x40e308
74. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e32d
75. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x40e3bf
76. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x40e3e3
77. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x41207e
78. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40a7df
79. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b69e
80. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40b6a0
81. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x412347
82. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x40d703
CFG at exit
- dot file
- jpg

MD5 checksum	2ebe447ec4abd79b304209be6454d908
Anti-virus name	W32/Legendmir.BWW (exact),Trojan.Spy-66720,Trojan.PWS.Lmir.OQ
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x42ec70 0x42ec92 0x42ec99 0x42ec88 0x42ec8e 0x42ec9b 0x42eca0 0x42ecab 0x42ecb1 0x42ecbc 0x42ecd0 0x42ecdb 0x42ece8 0x42ed0c 0x42ed1d 0x42ed26 0x42ecec 0x42eced 0x42ecf8 0x42ecf1 0x42ecfe 0x42ed09 0x42ecc3 0x42ecce 0x42ed2c 0x42ed3b 0x42ed00 0x42ecd4 0x42ecb3 0x42ece1 0x42eca4 0x42ed42 0x42ed4a 0x42ed4f 0x42ed53 0x42ed58 0x42ed76 0x42ed82 0x42ed98 0x42eda0 0x42edad 0x42edb1 0x42ed99 0x42ed7c 0x42edbe 0x42edc4 0x42edcd 0x42edd1 0x42ede2 0x42edef 0x405860 0x4027fa 0x40357c 0x403558 0x40355c 0x4025a8 0x4025ac 0x401fe8 0x40200f 0x402030 0x402040 0x40204c 0x402055 0x4020df 0x4020e7 0x402103 0x402f80
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x42ed92
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42eda7
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405790
4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x405788
5. RegOpenKeyExA at 0x77dd761b in advapi32.dll called from 0x4011cc
- dot file
- jpg

MD5 checksum	2ec49612bb03d9b56e2ece002fb793ce
Anti-virus name	W32/Backdoor2.BJXL (exact),Trojan.Karsh-252,Backdoor.Generic.76529
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x42f4f2 0x42f4f9 0x42f4e8 0x42f4ee 0x42f4fb 0x42f500 0x42f50b 0x42f511 0x42f51c 0x42f530 0x42f53b 0x42f548 0x42f54c 0x42f54d 0x42f558 0x42f55e 0x42f569 0x42f56c 0x42f57d 0x42f586 0x42f523 0x42f52e 0x42f58c 0x42f59b 0x42f534 0x42f513 0x42f504 0x42f560 0x42f541 0x42f551 0x42f5a2 0x42f5aa 0x42f5af 0x42f5b3 0x42f5b8 0x42f5d6 0x42f5e2 0x42f5f8 0x42f600 0x42f604 0x42f60b 0x42f60f 0x42f616 0x42f621
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x42f5f2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42f610
3. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x42f621
CFG at exit
- dot file
- jpg

MD5 checksum	2ec8b99ed5327b4a62fdd8f6fb6197e3
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable),Trojan.Generic.581136
PEiD packer signature	FSG 2.0 -> bart/xt

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x400154 0x4001e8 0x4001ec 0x4001f1 0x40015d 0x400164 0x400168 0x40016a 0x40016e 0x400170 0x400177 0x400175 0x40017b 0x40017d 0x400160 0x40018f 0x400194 0x4001b0 0x4001b7 0x400180 0x4001de 0x4001e1 0x4001e5 0x4001e7 0x400183 0x40018a 0x4001dc 0x40018d 0x4001b3 0x4001df 0x400198 0x4001a1 0x4001a6 0x4001ab 0x4001b2 0x4001b1 0x4001c1 0x4001c9 0x4001cf 0x4001d4 0x4001d9 0x4001ca 0x4001c2 0x4001d1 0x4030bc 0x4030c4 0x4030cb 0x401cb0 0x402a18 0x402874 0x402882
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001c6
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001d6
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401030
4. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401000
5. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4010e8
CFG at exit
- dot file
- jpg

MD5 checksum	2f0e5c8f7179a35599d89fb1cabe541a
Anti-virus name	W32/OnlineGames.A.gen!GSA (generic, not disinfectable),Trojan.Spy-50247,Trojan.PWS.OnlineGames.AADX

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x4091a8 0x4091bb 0x4091f0 0x4091f8 0x409203 0x4094c2 0x4094ce 0x4094cf 0x409541 0x409545 0x40954a 0x4094d4 0x4094d6 0x4094dd 0x4094df 0x4094e6 0x4094e8 0x4094ea 0x4094ef 0x4094f3 0x4094f5 0x409509 0x40950e 0x409537 0x409536 0x4094f8 0x40954d 0x40954e 0x409553 0x40955a 0x40955c 0x4094fd 0x409515 0x40954b 0x409522 0x409529 0x409530 0x409535 0x409500 0x409507 0x40955d 0x409212 0x409225 0x409245 0x8605aa 0x8605ca 0x8605d6 0x8605e4 0x8605ea 0x860606 0x860629 0x860298 0x8602fa 0x8602fe 0x860310 0x860018 0x860033 0x860001 0x860012 0x860038 0x860049 0x86031e 0x860328 0x86033b 0x860094 0x8600ad 0x8600e9 0x86012f 0x860350 0x860354 0x86037f 0x860395 0x8603bb 0x8601ae 0x8601b8 0x8601c5 0x8600ed 0x86012c 0x860113 0x86011a 0x8601ce 0x8603c3 0x860434 0x86058c 0x8600d0 0x8600d7 0x8603ca 0x8603df 0x8603ea 0x8603f6 0x8603fd 0x86040e 0x860412 0x86041b 0x860385 0x86038a 0x860392 0x86039b 0x8601d2 0x8601e1 0x8601fe 0x860222 0x860210 0x86021e 0x86022a 0x8603b5 0x8604b1 0x860233 0x86023e 0x860242 0x860132 0x860143 0x860147 0x860155 0x86015c 0x86015d 0x860256 0x860293 0x8604e3 0x8604ee 0x860504 0x860509 0x860521 0x86052d 0x86016c 0x860185 0x860186 0x860194 0x8601a4 0x8601a5 0x860532 0x860557 0x86055e 0x860564 0x86056c 0x860578 0x860587 0x86038f 0x860206 0x860552 0x860487 0x860498 0x860258 0x860262 0x860267 0x86027d 0x8604eb 0x860536 0x86004d 0x86005c 0x86005f 0x86006c 0x860084 0x860087 0x860088 0x86053e 0x860442 0x86044e 0x860457 0x860466 0x86046a 0x860478 0x86047e 0x860282 0x860290 0x860067 0x860074 0x86007c 0x860452 0x86046f 0x860598 0xltiTramp 0x860648 0x86064e 0x86064f 0x86065c 0x409265 0x409285 0x40929a 0x40929f 0x4092a3 0x4092ab 0x4092b1 0x4092c9 0x4092d9 0x409418 0x409426 0x409441 0x40945c 0x409464 0x40947b 0x40948f 0x4094a2 0x4094ab 0x40946f 0x4092de 0x409371 0x4093c4 0x4093d5 0x4093f4 0x4093de 0x401144 0x401488 0x401153 0x4014d6 0x401173 0x401476 0x40117a 0x401470 0x40118b 0x4014d0 0x40119a 0x40131f 0x401000 0x401452 0x401030 0x4014a0 0x401048 0x401079 0x40104a 0x401059 0x401067 0x4014a6 0x40143a 0x401088 0x401329 0x40134c 0x4014b2 0x40135b 0x4014be 0x401365 0x401440 0x401376 0x40137a 0x401386 0x401090 0x4010ab 0x401494 0x4010ed 0x401464 0x401105 0x40110b 0x40111c 0x401121 0x4014b8 0x401139 0x401446 0x4013b9 0x4013be 0x4014ca 0x4013d7 0x401482 0x4013f1 0x40144c 0x401413 0x401417 0x401422 0x40145e
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4091ea
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x860626
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x860659
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x40927f
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x409456
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40949c
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4093ee
8. GetSystemDirectoryA at 0x7c814c63 in kernel32.dll called from 0x401488
9. RtlUnicodeToMultiByteSize at 0x7c9136d2 in ntdll.dll called from 0x7c814c7d
10. RtlUnicodeStringToAnsiString at 0x7c9130c6 in ntdll.dll called from 0x7c814cb2
11. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x4014d6
12. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401476
13. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401470
14. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x7c80b379
15. memmove at 0x7c90253a in ntdll.dll called from 0x7c80b3e7
16. RtlFreeUnicodeString at 0x7c910976 in ntdll.dll called from 0x7c80b3f4
17. lstrcmpiA at 0x7c80b929 in kernel32.dll called from 0x4014d0
18. CreateToolhelp32Snapshot at 0x7c8647b7 in kernel32.dll called from 0x401452
19. Process32First at 0x7c863a8d in kernel32.dll called from 0x4014a0
20. Process32Next at 0x7c863c00 in kernel32.dll called from 0x4014a6
21. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x40143a
22. NtClose at 0x7c90d586 in ntdll.dll called from 0x7c809bb5
23. SetFileAttributesA at 0x7c81fb44 in kernel32.dll called from 0x4014b2
24. Sleep at 0x7c802442 in kernel32.dll called from 0x4014be
25. CopyFileA at 0x7c830053 in kernel32.dll called from 0x401440
26. targ2f059 at 0x7c82f067 in kernel32.dll called from 0x7c809bc7
27. targ2f059 at 0x7c82f075 in kernel32.dll called from 0x7c809bc7
28. OpenFile at 0x7c826b99 in kernel32.dll called from 0x401494
29. NtQueryVolumeInformationFile at 0x7c90e228 in ntdll.dll called from 0x7c826d18
30. GetFileTime at 0x7c81f8e2 in kernel32.dll called from 0x401464
31. ZwQueryInformationFile at 0x7c90dfdc in ntdll.dll called from 0x7c81f90a
32. OpenFile at 0x7c826d67 in kernel32.dll called from 0x7c81f940
33. SetFileTime at 0x7c81f955 in kernel32.dll called from 0x4014b8
34. ZwSetInformationFile at 0x7c90e5d9 in ntdll.dll called from 0x7c81f9ad
35. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x401446
36. WriteFile at 0x7c810f9f in kernel32.dll called from 0x4014ca
37. NtWriteFile at 0x7c90e9f3 in ntdll.dll called from 0x7c811008
38. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x401482
39. RtlAcquirePebLock at 0x7c91091d in ntdll.dll called from 0x7c801f06
40. CreateProcessA at 0x7c802367 in kernel32.dll called from 0x40144c
41. targ25464 at 0x7c825476 in kernel32.dll called from 0x7c80b549
42. targb1bb at 0x77ddb24f in ADVAPI32.dll called from 0x7c809bc7
43. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x40145e
CFG at exit
- dot file
- jpg

MD5 checksum	2f1c9507371f204dec569d2bc135e11e
Anti-virus name	W32/Backdoor2.DAPG (exact),Trojan.Agent-121200
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x45b572 0x45b579 0x45b568 0x45b56e 0x45b57b 0x45b580 0x45b58b 0x45b591 0x45b5bb 0x45b5c2 0x45b5cd 0x45b5de 0x45b5ac 0x45b5b7 0x45b60d 0x45b62c 0x45b63b 0x45b5b0 0x45b5d3 0x45b5e0 0x45b5ec 0x45b59c 0x45b5a8 0x45b5ee 0x45b5f9 0x45b5ff 0x45b60a 0x45b593 0x45b584 0x45b5d7 0x45b61e 0x45b627 0x45b5e5 0x45b5a1 0x45b5f2 0x45b601 0x45b642 0x45b64a 0x45b64f 0x45b653 0x45b658 0x45b676 0x45b682 0x45b698 0x45b6a0 0x45b6ad 0x45b6b1 0x45b699 0x104c5eec] 0x4037a2 0x4010ee 0x4038ec 0x40111f 0x4037a8 0x40114b
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x45b692
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x45b6a7
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4037a2
CFG at exit
- dot file
- jpg

MD5 checksum	2f490cba90c9a76298d3863431aaaf1a
Anti-virus name	W32/PcClient.C.gen!Eldorado (generic, not disinfectable),Trojan.PcClient-2087,Trojan.Crypt.DG
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x4028f0 0x402735 0x402752 0x402767 0x402775 0x40278e 0x4027a2 0x40288a 0x4028a6 0x402899 0x4027a7 0x402884 0x4027b6 0x4027da 0x4027e9 0x4027fb 0x402805 0x402809 0x40280e 0x402812 0x40281c 0x402829 0x402840 0x402843 0x40284d 0x4029ed 0x401777
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x40274c
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x402761
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x40276f
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x4028a6
5. initterm at 0x77c39d67 in msvcrt.dll called from 0x402884
6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x4027d4
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x402823
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x402847
CFG at exit
- dot file
- jpg

MD5 checksum	2fd82c41bf6f019abfd3f9b568ec87a2
Anti-virus name	W32/Agent.CM.gen!Eldorado (generic, not disinfectable),Trojan.Dropper-2514,Trojan.Generic.899128
PEiD packer signature	Microsoft Visual C++ 6.0 [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40389f 0x4038cb 0x403c78 0x403c8f 0x403c98 0x403b30 0x405b20 0x405b2c 0x405b40 0x403b3d 0x403b55 0x403b59 0x403b62 0x403b6b 0x403c75 0x403c9d 0x403cb4 0x403cd1 0x4038fe 0x40390b 0x405260 0x4039de 0x4039f0 0x4039f7 0x403a1c 0x403a40 0x403a72 0x403a79 0x403a7f 0x403a8e 0x403a00 0x403a1b 0x4039ed 0x405271 0x405280 0x405296 0x40529a 0x4052b4 0x4052bf 0x405390 0x405392 0x4053a0 0x4053a8 0x4053b7 0x4053be 0x4053c5 0x4053cc 0x4053dc 0x4053f1 0x4053ad 0x4053d0 0x4053e2 0x4053f7 0x405403 0x403913 0x403919 0x40512e 0x405149 0x40514b 0x405151 0x405185 0x405195 0x40519c 0x4051a3 0x4051aa 0x4051c3 0x4051c9 0x4051cf 0x4051d8 0x4051e5 0x4051f7 0x4051fb 0x405202 0x405259 0x403923 0x404ee1 0x404ef3 0x40628b 0x406294 0x405ec7 0x406060 0x406080 0x406085 0x40608f 0x405ed8 0x405eea 0x405ef4 0x405efb 0x405eff 0x405f0a 0x405f15 0x405f1e 0x406030 0x406036 0x40604f 0x406106 0x406120 0x406129 0x406130 0x40613c 0x406181 0x4067be 0x4067ef 0x406803 0x406807 0x406828 0x40682d 0x406856 0x40685f 0x40686c 0x406889 0x406890 0x4068a2 0x403a90 0x403a9c 0x403aaa 0x403ab9 0x403ad1 0x403add 0x4068b2 0x4068c2 0x4068ca 0x4068df 0x4068e3 0x4068f1 0x4068f5 0x4061a5 0x40656f 0x40659f 0x4065b7 0x4065bb 0x4065e5 0x4065ea 0x406793 0x4067a3 0x4067a8 0x4067b0 0x4067bb 0x4065f5 0x4065fa 0x406621 0x40662a 0x406637 0x406654 0x406661 0x406671 0x406692 0x406697 0x4066ac 0x4066b0 0x4066c2 0x4066cb 0x406711 0x406725 0x406745 0x406749 0x40675d 0x406761 0x40676c 0x406772 0x406782 0x40678c 0x4066ff 0x4061c9 0x4061f1 0x4061fc 0x40621a 0x40622f 0x406236 0x406204 0x406212 0x40621f 0x40623d 0x406288 0x406054 0x40605b 0x40629b 0x4062a6 0x404ef8 0x404f0a 0x404f1b 0x404f1d 0x404f7a 0x404fa4 0x404fa9 0x404fb2 0x404fb6 0x404fce 0x404fdb 0x404fe5 0x404fea 0x405030 0x405034 0x40511d 0x405124 0x404f2d 0x404f3c 0x404f4d 0x404f9c 0x404fd4 0x404fe1 0x405121 0x404f63 0x40392d 0x404e28 0x404e3a 0x404e42 0x404e48 0x404e4d 0x4033b0 0x4033d0 0x4033e8 0x4033ef 0x4033f3 0x4033fa 0x403403 0x404e53 0x403417 0x4033bc 0x4033c3 0x4033cb 0x40340d 0x404e4c 0x403421 0x404e5a 0x404e67 0x404e7c 0x404e86 0x404e87 0x404e8d 0x404eb8 0x404e96 0x404e9c 0x404eab 0x4032c0 0x403331 0x40333d 0x403344 0x40334f 0x403356 0x403351 0x403370 0x403374 0x403378 0x403392 0x404eb3 0x403380 0x40338a 0x4033a8 0x40339f 0x404ebe 0x404ebf 0x403836 0x403842 0x403862 0x40388d 0x40388e 0x40389c 0x404eca 0x403932 0x404b4a 0x404b55 0x404c32 0x404c37 0x404c3d 0x404c45 0x404c43 0x404c4a 0x404b64 0x404b73 0x403937 0x403944 0x404dd0 0x404dde 0x404deb 0x404df3 0x404df7 0x405e85 0x405e96 0x405ea7 0x405ebc 0x405ebe 0x405ec2 0x405e92 0x404e00 0x404e08 0x404e0d 0x404e1a 0x404e24 0x403949 0x403958 0x40395b 0x403967 0x40113a 0x401166 0x401183 0x401196 0x4011a4 0x4011b2 0x4011c7 0x4011cf 0x4011d9 0x4011ec 0x4011f5 0x4011fe 0x403436 0x403441 0x401204 0x401210 0x401220 0x401229 0x40123c 0x401244 0x401250 0x40125c 0x401271 0x401281 0x401317 0x4014bf 0x4014c4 0x40342b 0x403434 0x4014cc 0x4014cd 0x4014e5
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x4038c5
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x403c89
3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x403b4f
4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403a88
5. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4052b9
6. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x4053b8
7. GetFileType at 0x7c811069 in kernel32.dll called from 0x4053c6
8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x4053fd
9. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x403913
10. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x405149
11. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4051c1
12. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4051e3
13. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4051fc
14. GetACP at 0x7c809943 in kernel32.dll called from 0x40608f
15. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x405f0f
16. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40611a
17. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4067fd
18. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x406883
19. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4068d9
20. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4068eb
21. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4065b1
22. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40664e
23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4066a6
24. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4066bc
25. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x406757
26. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40677c
27. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x404f04
28. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x403896
29. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40393e
30. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x403961
31. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401160
32. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x40117d
33. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x4011a2
34. ReadFile at 0x7c80180e in kernel32.dll called from 0x4011c1
35. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x40121e
36. ReadFile at 0x7c80180e in kernel32.dll called from 0x401236
37. GetTempPathA at 0x7c8221cf in kernel32.dll called from 0x40126b
38. wsprintfA at 0x77d4a2de in USER32.dll called from 0x401293
39. MessageBoxA at 0x77d8050b in USER32.dll called from 0x4014f0

MD5 checksum	2fe3b96e271fdbe35f9fe2dbbea70407
Anti-virus name	W32/Trojan2.DSUN (exact),Trojan.Agent-80772,Trojan.Swizzor.2
PEiD packer signature	Microsoft Visual C++ 6.0

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4082bf 0x4082eb 0x40da0b 0x40da22 0x40da2b 0x40aa2d 0x40aa40 0x40aa4a 0x40da30 0x40da43 0x40831d 0x40832a 0x401fb2 0x40c026 0x40c035 0x40c03d 0x40c045 0x40c04d 0x401fb8 0x401fbe 0x401fc8 0x40f3fd 0x40f410 0x40f417 0x40f41d 0x40f424 0x40f42c 0x40c04f 0x40c0a5 0x40c0ad 0x40f433 0x40adc1 0x40adf3 0x40ae11 0x40ae38 0x40ae3d 0x40ae3f 0x40ae5b 0x40ae5d 0x40ae73 0x40ae75 0x40ae77 0x40ae8b 0x40ae8d 0x40b0ca 0x40b10d 0x40b12c 0x40b133 0x40b146 0x40b161 0x40b178 0x40ae92 0x40ae9b 0x40b17b 0x40b18d 0x40b196 0x40b1ab 0x40b1b7 0x40b1d2 0x40b1de 0x40b1e8 0x40b1eb 0x40b224 0x40b25e 0x40b261 0x40b271 0x40aea1 0x40aeb6 0x40aec9 0x40af14 0x40af30 0x40af3d 0x40af41 0x40af46 0x40af60 0x40af63 0x40b078 0x40b07c 0x40b087 0x40b0a3 0x40b0bd 0x40b0c5 0x40f439 0x40c0b0 0x40c0c3 0x40f442 0x40f474 0x419450 0x41945c 0x41946a 0x419479 0x419491 0x41949d 0x40f47d 0x40f480 0x40f482 0x401fd1 0x401fd9 0x401fe6 0x401fea 0x402006 0x401ff0 0x401ff7 0x40832f 0x40833b 0x409d7c 0x40b56c 0x40b57e 0x40b585 0x40b5aa 0x40b5d9 0x40b5e0 0x40b5f5 0x40b58e 0x40b5a9 0x40b57b 0x409d8f 0x409d9e 0x409db4 0x409db8 0x409dd6 0x409de0 0x409ebc 0x409ebe 0x409ed0 0x409ed8 0x409ee7 0x409eee 0x409ef5 0x409efc 0x409f0c 0x409f21 0x409edd 0x409f00 0x409f12 0x409f27 0x409f33 0x408345 0x40834b 0x40cf67 0x40cf82 0x40cf84 0x40cf8a 0x40cfbe 0x40cfce 0x40cfd5 0x40cfdc 0x40cfe3 0x40cffc 0x40d002 0x40d008 0x40d011 0x40d01e 0x40d030 0x40d034 0x40d03b 0x40d092 0x408355 0x41b2fe 0x41b310 0x40d471 0x40d47a 0x40d099 0x40c067 0x40b5b8 0x40b5bf 0x40ae1f 0x40b5c5 0x40b5ce 0x40b5d5 0x40c06f 0x40c07e 0x40c085 0x40c08c 0x40c092 0x40c09c 0x40c0a3 0x40d0a9 0x40d246 0x40d266 0x40d26b 0x40d275 0x40d0b1 0x40d0c7 0x40d0cf 0x40d0d6 0x40d0da 0x40d0e5 0x40d0f0 0x40d0fb 0x40d209 0x40d210 0x40d22a 0x40d2ec 0x40d306 0x40d30f 0x40d316 0x40d322 0x40d367 0x4125e9 0x41261a 0x41262e 0x412632 0x412653 0x412658 0x412681 0x41268a 0x412697 0x4126b4 0x4126bb 0x409c50 0x409c70 0x4126cd 0x4126dd 0x4126ed 0x4126f5 0x41270a 0x41270e 0x41271c 0x412720 0x40d38b 0x419a8d 0x419abd 0x419ad5 0x419ad9 0x419b03 0x419b08 0x419cb1 0x419cc1 0x419cc6 0x419cce 0x419cd9 0x419b13 0x419b18 0x419b3f 0x419b48 0x419b55 0x419b72 0x419b7f 0x419b8f 0x419bb0 0x419bb5 0x419bca 0x419bce 0x419be0 0x419be9 0x419c2f 0x419c43 0x419c63 0x419c67 0x419c7b 0x419c7f 0x419c8a 0x419c90 0x419ca0 0x419caa 0x419c1d 0x40d3af 0x40d3d7 0x40d3e2 0x40d400 0x40d415 0x40d41c 0x40d3ea 0x40d3f8 0x40d405 0x40d423 0x40d46e 0x40d22f 0x40d0c0 0x40d237 0x40d23e 0x40d481 0x40d48c 0x41b315 0x41b327 0x41b338 0x41b33a 0x41b397 0x41b3c1 0x41b3c6 0x41b3cf 0x41b3d3 0x41b3eb 0x41b3f8 0x41b402 0x41b407 0x41b44d 0x41b451 0x41b53a 0x41b541 0x41b34a 0x41b359 0x41b36a 0x41b3b9 0x41b3f1 0x41b3fe 0x41b53e 0x41b380 0x40835f 0x418876 0x418888 0x418890 0x418896 0x41889b 0x40e370 0x40e390 0x40e3a8 0x40e3af 0x40e3b3 0x40e3ba 0x40e3c3 0x4188a1 0x40e3d7 0x40e37c 0x40e383 0x40e38b 0x40e3cd 0x41889a 0x40e3e1 0x4188a8 0x4188b5 0x4188ca 0x4188d4 0x4188d5 0x4188db 0x418906 0x4188e4 0x4188ea 0x4188f9 0x406ab0 0x406b21 0x406b2d 0x406b34 0x406b3f 0x406b46 0x406b41 0x406b60 0x406b64 0x406b68 0x406b82 0x418901 0x406b70 0x406b7a 0x406b98 0x406b8f 0x41890c 0x41890d 0x41bf82 0x41bf8b 0x41bf92 0x40aa6b 0x40aa7b 0x40aa7f 0x40aa8e 0x40aa93 0x40aa95 0x41bf98 0x41bfb1 0x41bfb8 0x41bfc8 0x418918 0x408364 0x408410 0x40841b 0x408516 0x40851b 0x408521 0x408529 0x408527 0x4121c0 0x4121cd 0x4121da 0x4121df 0x40f449 0x40f458 0x4121e7 0x412213 0x41221a 0x412230 0x412237 0x412257 0x41225a 0x412253 0x412266 0x40852e 0x40842a 0x408439 0x408369 0x408376 0x41bac8 0x41bad6 0x41bae3 0x41baeb 0x41baef 0x40c953 0x40c964 0x40c975 0x40c98a 0x40c98c 0x40c990 0x40c960 0x41baf8 0x41bb00 0x41bb05 0x41bb12 0x41bb1c 0x40837b 0x40838a 0x40838d 0x408399 0x423b33 0x423b45 0x423b54 0x40a99c 0x402019 0x402021 0x40202f 0x402074 0x40207b 0x40a9a1 0x423b61 0x4128bc 0x4128cf 0x4128d9 0x412921 0x41292e 0x412933 0x412938 0x41293f 0x412945 0x412951 0x412966 0x40ef92 0x40efab 0x40efb7 0x40efd1 0x4189fd 0x418a06 0x418a0d 0x418a17 0x418a2b 0x418a41 0x417b8a 0x417b9c 0x417bbb 0x417bc3 0x417bc9 0x417bcc 0x417bd2 0x417bd8 0x417bdd 0x417bf4 0x417be5 0x40bdaf 0x40bdbc 0x4067fb 0x40682e 0x40683f 0x406843 0x40686e 0x406875 0x406a78 0x406a88 0x406a8d 0x406a95 0x406aa0 0x40687e 0x406885 0x40688a 0x406a9b 0x406895 0x40689a 0x4068bf 0x4068c7 0x4068d4 0x4068d8 0x406979 0x40698a 0x406995 0x4069a4 0x4069c8 0x4069d1 0x4069e7 0x4069eb 0x4069fa 0x406a03 0x406a13 0x406a33 0x406a37 0x406a4a 0x406a4e 0x406a62 0x406a66 0x40bddb 0x40bde9 0x417bed 0x417c01 0x417c03 0x418a61 0x418a6c 0x418a72 0x418a7f 0x418a88 0x418aad 0x418ab9 0x418ac2 0x418acb 0x418ae9 0x418b11 0x418b15 0x418b1a 0x418b2d 0x418b4a 0x418b52 0x418b5b 0x418cad 0x418a1c 0x418a22 0x418a29 0x418a2a 0x40efd6 0x40f044 0x40f04a 0x40f051 0x41298a 0x412996 0x423b6b 0x402080 0x4103b5 0x4103da 0x4103e9 0x4103f2 0x4103f7 0x4103fc 0x41040c 0x410423 0x41042a 0x410abd 0x4103e1 0x410491 0x4104b9 0x4104b1 0x410598 0x4105a4 0x4105ad 0x4106a1 0x4106a6 0x4106ab 0x41089a 0x41089e 0x4108a5 0x4108b7 0x4108de 0x4108e8 0x410b94 0x4108ed 0x4108d0 0x4108f8 0x4108fe 0x410902 0x410904 0x410919 0x41091d 0x410923 0x410926 0x41092c 0x410939 0x410943 0x410949 0x410959 0x40f060 0x40f069 0x40f0d1 0x41096c 0x409530 0x40953a 0x409593 0x41097e 0x41098a 0x410953 0x410994 0x4109bf 0x4109c9 0x4109d1 0x4109dc 0x4109e7 0x4109f7 0x410a05 0x410b2b 0x410b38 0x410b3c 0x410af6 0x410b01 0x410b1a 0x410b27 0x410b4a 0x410b52 0x410b59 0x410a14 0x410a17 0x410b5c 0x410b90 0x410a2a 0x410a49 0x410a90 0x410b6a 0x410b72 0x410b81 0x410b89 0x410aa2 0x410554 0x410580 0x410590 0x410445 0x41044d 0x410452 0x410457 0x41045b 0x410464 0x4107c0 0x4107c9 0x4107d2 0x4107d9 0x4107dc 0x4107e5 0x4107ed 0x4107f6 0x41083b 0x4108f0 0x4108f5 0x410987 0x410a32 0x410a37 0x410a46 0x410ace 0x4020ae 0x4020b8 0x4020cd 0x423b91 0x423a58 0x423bc6 0x423bde 0x423c2e 0x423c6c 0x423c81 0x423d9b 0x423e84 0x4244df 0x42454b 0x423ca3 0x4243bf
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x4082e5
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40da1c
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40aa3a
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c033
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c03b
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c043
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c04b
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x401fb8
9. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40c0a7
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40b126
11. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40b140
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40b1cc
13. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40c0bd
14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x401fe0
15. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x401ff1
16. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40b5ef
17. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x409dda
18. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x409ee8
19. GetFileType at 0x7c811069 in kernel32.dll called from 0x409ef6
20. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x409f2d
21. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x408345
22. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40cf82
23. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40cffa
24. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40d01c
25. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40d035
26. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c08c
27. GetACP at 0x7c809943 in kernel32.dll called from 0x40d275
28. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40d0ea
29. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40d300
30. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x412628
31. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4126ae
32. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x412704
33. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x412716
34. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x419acf
35. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x419b6c
36. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x419bc4
37. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x419bda
38. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x419c75
39. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x419c9a
40. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x41b321
41. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x41bfc2
42. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40f452
43. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x408370
44. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x408393
45. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x423b3f
46. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x423b4e
47. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x40201b
48. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x402029
49. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x402075
50. GetLocalTime at 0x7c80c9c1 in kernel32.dll called from 0x4128c9
51. GetSystemTime at 0x7c80176b in kernel32.dll called from 0x4128d3
52. GetTimeZoneInformation at 0x7c8394ae in kernel32.dll called from 0x412928
53. CompareStringW at 0x7c80a34e in kernel32.dll called from 0x406839
54. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x406984
55. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4069e5
56. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4069f8
57. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x406a44
58. CompareStringW at 0x7c80a34e in kernel32.dll called from 0x406a5c
59. GetTimeZoneInformation at 0x7c8394ae in kernel32.dll called from 0x418a79
60. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x418b0f
61. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x418b48

MD5 checksum	303bbf875ae136c1ce1c14782c24a9ee
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x51ee02 0x51ee09 0x51edf8 0x51edfe 0x51ee0b 0x51ee10 0x51ee1b 0x51ee21 0x51ee4b 0x51ee63 0x51ee6e 0x51ee3c 0x51ee47 0x51ee9d 0x51eeae 0x51eeb7 0x51ee52 0x51ee5d 0x51eebc 0x51eecb 0x51ee70 0x51ee7c 0x51ee7e 0x51ee89 0x51ee8f 0x51ee9a 0x51ee14 0x51ee40 0x51ee2c 0x51ee38 0x51ee23 0x51ee31 0x51ee67 0x51ee91 0x51ee75 0x51ee82 0x51eed2 0x51eeda 0x51eedf 0x51eee3 0x51eee8 0x51ef06 0x51ef12 0x51ef28 0x51ef30 0x51ef3b 0x51ef3f 0x51ef46 0x51ef4a 0x51ef29 0x51ef70 0x51ef85 0x51ef8b 0x51ef91 0x421e70 0x427b8e 0x427bbe 0x427bc9 0x427bd5 0x427bdd 0x427be5 0x427bf1 0x427c04 0x427c0f 0x421e75 0x421c91 0x423724 0x421c9d 0x421cab 0x421cc2 0x421cc9 0x421cdc 0x421ce5 0x421cfa 0x421d17 0x421d1e 0x421d2c 0x421c50 0x421c5b 0x421c6c 0x421c77 0x421c80 0x421d5b 0x427b34 0x427b4b 0x427b57 0x427ad9 0x423e03 0x423e2b 0x423e34 0x427af0 0x427b02 0x423e3a 0x423e62 0x423e6a 0x427b0b 0x427b1d 0x427b24 0x427b2a 0x427b5c 0x427b8a 0x421d67 0x421d74 0x427955 0x427961 0x427970 0x42797f 0x42798c 0x427999 0x4279a6 0x4279d0 0x4279f4 0x4279fa 0x427a08 0x427a11 0x427a19 0x42402a 0x4275f7 0x427589 0x427598 0x42759c 0x4275bd 0x4275c8 0x4275ce 0x42751d 0x427538 0x427543 0x42754tion 0x42755e 0x428240 0x428250 0x428284 0x427569 0x42756f 0x428256 0x42825a 0x42757b 0x427581 0x4275d3 0x4275d7 0x4275e3 0x4275e7 0x4275ed 0x4275fe 0x424030 0x429bee 0x424038 0x42d4d2 0x42403e 0x427f95 0x424044 0x42d4c8 0x42404a 0x42d4be 0x424050 0x42d2b4 0x424056 0x42405c 0x42c377 0x42c381 0x424062 0x42406c 0x427a1e 0x427a29 0x427a39 0x427a49 0x427a59 0x428f48 0x428f51 0x428f5b 0x42d4ec 0x42d4f8 0x427600 0x42760f 0x427613 0x427634 0x42763f 0x427645 0x42764a 0x42764e 0x42765a 0x42765e 0x427664 0x42d508 0x42d50f 0x42d518 0x42d52a 0x42d530 0x42d53b 0x42d53f
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x51ef22
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x51ef40
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x51ef6e
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x51ef83
5. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x427bc3
6. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x427bcf
7. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x427bd7
8. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x427bdf
9. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x427beb
10. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x421ca5
11. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x421cc0
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x421cc3
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x421cdf
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x421d15
15. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x421d18
16. HeapCreate at 0x7c812929 in kernel32.dll called from 0x427b45
17. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x42795b
18. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42797d
19. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42798a
20. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x427997
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4279a4
22. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x4279f4
23. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x427a0f
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x427596
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4275c2
26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x427545
27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4275dd
28. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x4275eb
29. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x42760d
30. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x427639
31. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x427654
32. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x427662
33. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x42d535
34. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42d545
35. InitializeCriticalSectionAndSpin called from 0x42f84b
36. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x890626
37. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x890659
38. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x42f8e0
39. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x42fab7
40. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42fafd
41. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x42fa4f
42. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4030c8
43. waveOutOpen at 0x76b45211 in WINMM.DLL called from 0x401a0c
CFG at exit
- dot file
- jpg

MD5 checksum	30c1a97b6e1277d71c659cc99b2b73a7
Anti-virus name	W32/Backdoor2.GDJG (exact),Trojan.SdBot-9350,Worm.Generic.18266

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xblock 0x4e9c6a 0x4e9c9a 0x4e9ca5 0x4e9cb1 0x4e9cb9 0x4e9cc1 0x4e9ccd 0x4e9ce0 0x4e9ceb 0x4e5dd7 0x4e5bf2 0x4e7d9c 0x4e5bfe 0x4e5c0c 0x4e5c23 0x4e5c2a 0x4e5c3d 0x4e5c46 0x4e5c5b 0x4e5c78 0x4e5c7f 0x4e5c8d 0x4e5bb1 0x4e5bbc 0x4e5bcd 0x4e5bd8 0x4e5be1 0x4e5cbc 0x4e9c10 0x4e9c27 0x4e9c33 0x4e9bb5 0x4e564a 0x4e5672 0x4e567b 0x4e9bcc 0x4e9bde 0x4e5681 0x4e56a9 0x4e56b1 0x4e9be7 0x4e9bf9 0x4e9c00 0x4e9c06 0x4e9c38 0x4e9c66 0x4e5cc8 0x4e5cd5 0x4e7495 0x4e74a1 0x4e74b0 0x4e74bf 0x4e74cc 0x4e74d9 0x4e74e6 0x4e7510 0x4e7534 0x4e753a 0x4e7548 0x4e7551 0x4e7559 0x4e5871 0x4e7137 0x4e70c9 0x4e70d8 0x4e70dc 0x4e70fd 0x4e7108 0x4e710e 0x4e705d 0x4e7078 0x4e7083 0x4e708b 0x4e709e 0x4ea870 0x4ea880 0x4ea886 0x4ea88a 0x4ea8b4 0x4e70a9 0x4e70af 0x4e70bb 0x4e70c1 0x4e7113 0x4e7117 0x4e7123 0x4e7127 0x4e712d 0x4e713e 0x4e5877 0x4e593d 0x4e587f 0x4e81bc 0x4e5885 0x4e7a4f 0x4e588b 0x4e81b2 0x4e5891 0x4e81a8 0x4e5897 0x4e7f9e 0x4e589d 0x4e58a3 0x4e7e2e 0x4e7e38 0x4e58a9 0x4e58b3 0x4e755e 0x4e7569 0x4e7579 0x4e7589 0x4e7599 0x4e78a8 0x4e78b1 0x4e78bb 0x4e81d6 0x4e81e2 0x4e7140 0x4e714f 0x4e7153 0x4e7174 0x4e717f 0x4e7185 0x4e718a 0x4e718e 0x4e719a
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x4e9c9f
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x4e9cab
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4e9cb3
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x4e9cbb
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x4e9cc7
6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4e5c06
7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x4e5c21
8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4e5c24
9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x4e5c40
10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x4e5c76
11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4e5c79
12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4e9c21
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4e749b
14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e74bd
15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e74ca
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e74d7
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e74e4
18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x4e7534
19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x4e754f
20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4e70d6
21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4e7102
22. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4e7085
23. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e711d
24. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x4e712b
25. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4e714d
26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4e7179
27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e7194
28. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x4e71a2
29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4e821f
30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e822f
31. InitializeCriticalSectionAndSpin called from 0x4e8255

MD5 checksum	30c2a0de01c59b471259f088dff34a94
Anti-virus name	W32/Downldr2.DKGV (exact),Trojan.Zlob-7626,Trojan.Downloader.Zlob.ABKM

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40ab90 0x40abaa 0x40abb1 0x40aba0 0x40aba6 0x40abb3 0x40abb8 0x40abc3 0x40abc9 0x40abd4 0x40abdb 0x40abe6 0x40abe8 0x40abf3 0x40ac00 0x40ac24 0x40ac44 0x40ac53 0x40abec 0x40ac04 0x40ac05 0x40ac10 0x40ac16 0x40ac21 0x40ac35 0x40ac3e 0x40abcb 0x40abf9 0x40ac09 0x40abbc 0x40ac18 0x40ac5a 0x40ac62 0x40ac67 0x40ac6b 0x40ac70 0x40ac8e 0x40ac9a 0x40acb0 0x40acb8 0x40acc5 0x40acc9 0x40acb1 0x40ac94 0x40acd6 0x40acef 0x40ad04 0x40ad0a 0x40ad10 0x4010c5 0x40111b 0x40116d 0x401180 0x401194 0x4011a2 0x4011ac 0x401213 0x401045
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40acaa
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40acbf
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40aced
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40ad02
5. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4010bf
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401119
7. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40116b
8. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40117a
9. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x401192
10. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x4011a0
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4011aa
12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401211
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40103f
14. RegLoadKeyA at 0x77e3502f in ADVAPI32.dll called from 0x402574

MD5 checksum	32a51bdae4c9bf8261efeed46ab5edd3
Anti-virus name	W32/Swizzor-based!Maximus,Trojan.Agent-40127,Trojan.Swizzor.1
PEiD packer signature	Microsoft Visual C++ 6.0

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x405749 0x405775 0x4098ea 0x407d73 0x4057b4 0x405e3f 0x405e47 0x405e4f 0x4086a0 0x405eaf 0x409357 0x40845f 0x408479 0x408505 0x405ec5 0x409366 0x4086c8 0x4086d9 0x4057b9 0x4057c5 0x401f27 0x407af3 0x407c01 0x407c0f 0x407c46 0x409bd4 0x409bed 0x409bef 0x406cfc 0x406d02 0x406d2b 0x406d3b 0x406d44 0x406d4b 0x406d52 0x406d5e 0x406d70 0x401f30 0x401f48 0x401f50 0x401f58 0x401f63 0x401f65 0x40209c 0x406d78 0x406d65 0x406d6c 0x406de1 0x4057de 0x403894 0x401ef1 0x408152 0x401ef7 0x401f00 0x401f07 0x4038cc 0x40ac3b 0x40ac4f 0x408307 0x408323 0x408344 0x408379 0x408385 0x408392 0x4083a8 0x4082a6 0x4082d6 0x4082f9 0x40acb0 0x40c505 0x40c52b 0x40c53b 0x4057ff 0x405822 0x40e3ae 0x40e4c1 0x4154eb
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40576f
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4098e4
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x407d6d
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405e35
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405e3d
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405e45
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405e4d
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40869a
9. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x405ea9
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x408459
11. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x408473
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4084ff
13. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x405ebf
14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x4086c2
15. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4086d3
16. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401f21
17. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x407aed
18. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x407bfb
19. GetFileType at 0x7c811069 in kernel32.dll called from 0x407c09
20. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x407c40
21. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x409bed
22. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x409c16
23. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x406cfa
24. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x406d66
25. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x40388e
26. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40c535
27. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x4057f9
28. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40581c
- dot file
- jpg

MD5 checksum	33b22a03d24b3758c48a700eaa1f9628
Anti-virus name	Trojan.Generic.418971
PEiD packer signature	ASPack 2.12 -> Alexey Solodovnikov

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x48100a 0x481008 0x481014 0x481035 0x481042 0x481055 0x481066 0x48108a 0x481094 0x48109e 0x4810ad 0x4810c1 0x4810df 0x48166c 0x481a28 0x481c9c 0x481a3f 0x481a37 0x481a59 0x4817b3 0x481a6b 0x481a79 0x481a87 0x481a95 0x481680 0x481aa6 0x481b07 0x481748 0x481757 0x48175d 0x48178b 0x48178c 0x481b1f 0x481b23 0x481b31 0x481b33 0x481b3c 0x481b46 0x4817d8 0x481808 0x48181d 0x481849 0x481861 0x481879 0x4818c6 0x4818e7 0x4818fe 0x48190a 0x481911 0x481918 0x48193a 0x481945 0x481b58 0x481b67 0x481b69 0x481954 0x481992 0x4819ad 0x4819fc 0x481b70 0x481b75 0x481bea 0x481962 0x481b8a 0x481b8c 0x481b95 0x481b9c 0x481ba4 0x481bb2 0x481bb4 0x481bb9 0x481bc2 0x481bd3 0x481bd7 0x481bdf 0x481bc7 0x481bd0 0x481bf6 0x481c03 0x481c12 0x481c25 0x481c34 0x481c47 0x481c56 0x481c5f 0x481c69 0x481c6f 0x481c78 0x481b03 0x481699 0x4816a7 0x481ca4 0x481cc9 0x481cd1 0x481cd8 0x481f14 0x4819c1 0x4819c6 0x4819d0 0x4819dc 0x4819e1 0x481ceb 0x481cf6 0x481da7 0x481dbc 0x481e40 0x481e46 0x481e77 0x481e9b 0x481eba 0x481ed5 0x481edb 0x481eeb 0x481efb 0x4819e8 0x4819ed 0x4819d5 0x481ea0 0x481d13 0x481d1e 0x481d29 0x481d36 0x481d68 0x481d93 0x481eab 0x481f09 0x481f10 0x481c71 0x481dca 0x481dcf 0x481dda 0x481e0b 0x481e39 0x481f1e 0x481f24 0x4816bc 0x4816ca 0x4810fe 0x481105 0x48111a 0x48112d 0x481131 0x481133 0x481138 0x48113a 0x48113e 0x481142 0x481146 0x48114b 0x48115f 0x481163 0x48119d 0x4810c7 0x4811a9 0x4811bc 0x4811c6 0x4811ce 0x481257 0x481278 0x481290 0x48129b 0x4812a6 0x4812c2 0x4812c5 0x4812e2 0x4812ea 0x4812ee 0x481302 0x481376 0x4812b6 0x481384 0x481285
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x48103c
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x48104f
3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x481060
4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4810bb
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4810d9
6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x481197
7. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4811b6
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x481295
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4812fc
- dot file
- jpg

MD5 checksum	3732a3d5a389d829c2093d14dff3a78e
Anti-virus name	W32/Trojan2.GPMD (exact),Trojan.Spy-13684,Trojan.Spy.Delf.WG
PEiD packer signature	Nothing found [Overlay] *

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x410325 0x41032c 0x41033f 0x410374 0x41037c 0x410387 0x410646 0x410652 0x410653 0x4106c5 0x4106c9 0x4106ce 0x41065a 0x410661 0x410663 0x41066a 0x41066c 0x41066e 0x410673 0x410677 0x410679 0x41068d 0x410692 0x4106bb 0x4106ba 0x41067c 0x4106d1 0x4106d2 0x4106d7 0x4106de 0x4106e0 0x410699 0x4106cf 0x4106a6 0x4106ad 0x4106b4 0x4106b9 0x410684 0x41068b 0x4106e1 0x4103a9 0x4103c9 0x8905aa 0x8905ca 0x8905d6 0x8905e4 0x8905ea 0x890606 0x890629 0x890298 0x8902fa 0x8902fe 0x890310 0x890018 0x890033 0x890001 0x890012 0x890038 0x890049 0x890328 0x89033b 0x890094 0x8900ad 0x8900e9 0x89012f 0x890354 0x89037f 0x890395 0x8903bb 0x8901ae 0x8901b8 0x8900ed 0x89012c 0x8901c5 0x890113 0x89011a 0x8901ce 0x890434 0x89058c 0x8900d0 0x8900d7 0x8903ca 0x8903df 0x8904b1 0x890233 0x89023e 0x890242 0x890132 0x890143 0x890147 0x890155 0x89015c 0x89015d 0x890293 0x8904ee 0x890504 0x890509 0x890521 0x89052d 0x89016c 0x890185 0x890186 0x890194 0x8901a4 0x8901a5 0x890557 0x89055e 0x890564 0x89056c 0x890578 0x890587 0x890385 0x89038a 0x890392 0x89039b 0x8901d2 0x8901e1 0x8901fe 0x890206 0x890222 0x890210 0x89021e 0x89022a 0x8903ea 0x8903f6 0x8903fd 0x89040e 0x890487 0x890498 0x8904eb 0x890442 0x89044e 0x890452 0x89047e 0x890457 0x890466 0x89046a 0x890478 0x89038f 0x890412 0x89041b 0x890552 0x890536 0x89004d 0x89005c 0x89005f 0x89006c 0x890084 0x890067 0x890087 0x890088 0x890074 0x89007c 0x890258 0x890262 0x890267 0x89027d 0x890282 0x890290 0x89046f 0x890598 0x89059a 0x890648 0x89064e 0x89064f 0x89065c 0x890660 0x4103f6 0x410409 0x41041e 0x410423 0x410427 0x41042f 0x410435 0x41044d 0x41045d 0x41059c 0x4105aa 0x4105c5 0x4105e0 0x4105e8 0x4105ff 0x410613 0x410626 0x41062f 0x4105f3 0x4105fc 0x4105b2 0x4105b7 0x4105bd 0x4105c3 0x41063f 0x410462 0x4104f5 0x410548 0x410559 0x410578 0x410581 0x410595 0x404714 0x40471c 0x404723 0x4038dc 0x4036d0 0x4037a2 0x403914 0x403ae0 0x403b2c 0x403b6c 0x403ba4 0x403bdc 0x403c14 0x403c4c 0x404640 0x404668 0x40466e 0x404674 0x403dce 0x4030c8 0x402468 0x40246d 0x402004 0x40203c 0x40205d 0x402078 0x4020d8 0x402118 0x40211f 0x402136 0x402164 0x401b94 0x401bb2 0x401bbb 0x401bcb 0x401c15 0x402195 0x402484 0x402c08 0x401fdc 0x401fef 0x402104 0x401c1c 0x401c25 0x401c3a 0x4019f0 0x401be9 0x401bf1 0x401ae4 0x401990 0x4019a8 0x401998 0x40199f 0x4019bc 0x401afa 0x401b04 0x401b18 0x401b1c 0x401b39 0x4016fc 0x40177d 0x401781 0x401b4a 0x401b86 0x401bfa 0x401bfe 0x401a11 0x401c57 0x401c65 0x402109
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x41036e
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x890626
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x890659
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x410403
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4105da
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x410620
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x410572
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4037a4
9. GetKeyboardType at 0x77d6fa46 in USER32.DLL called from 0x40281c
10. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x40393c
- dot file
- jpg

MD5 checksum	38f63504d5f70e72f85bcf9f0e1edfac
Anti-virus name	W32/Legendmir.BWW (exact),Trojan.Spy-66720,Trojan.PWS.Lmir.OQ
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x42ec70 0x42ec92 0x42ec99 0x42ec88 0x42ec8e 0x42ec9b 0x42eca0 0x42ecab 0x42ecb1 0x42ecbc 0x42ecd0 0x42ecdb 0x42ece8 0x42ed0c 0x42ed1d 0x42ed26 0x42ecec 0x42eced 0x42ecf8 0x42ecf1 0x42ecfe 0x42ed09 0x42ecc3 0x42ecce 0x42ed2c 0x42ed3b 0x42ed00 0x42ecd4 0x42ecb3 0x42ece1 0x42eca4 0x42ed42 0x42ed4a 0x42ed4f 0x42ed53 0x42ed58 0x42ed76 0x42ed82 0x42ed98 0x42eda0 0x42edad 0x42edb1 0x42ed99 0x42ed7c 0x42edbe 0x42edc4 0x42edcd 0x42edd1 0x42ede2 0x42edef 0x405860 0x4027fa 0x40357c 0x403558 0x40355c 0x4025a8 0x4025ac 0x401fe8 0x40200f 0x402030 0x402040 0x40204c 0x402055 0x4020df 0x4020e7 0x402103 0x402f80
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x42ed92
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42eda7
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405790
4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x405788
5. RegOpenKeyExA at 0x77dd761b in advapi32.dll called from 0x4011cc
- dot file
- jpg

MD5 checksum	392aaa4839c48e045af9ffab3c0b9321
Anti-virus name	W32/Backdoor2.CFIV (exact),Backdoor.VB.BMS
PEiD packer signature	MEW 11 1.2 -> NorthFox/HCC

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x422339 0x40012c 0x400130 0x40010b 0x400167 0x400162 0x400169 0x40016d 0x40016f 0x400173 0x400175 0x40017c 0x40017a 0x400180 0x400182 0x400165 0x4001c0 0x400185 0x419000 0x419005 0x419009 0x41900b 0x40019f 0x419003 0x4001a8 0x4001af 0x4001b4 0x4001b9 0x4001ba 0x4001bb 0x400196 0x40019b 0x400191 0x400194 0x4001bc 0x4001ca 0x40015f 0x4001cf 0x4225b5 0x4225c5 0x422352 0x422352 0x422361 0x422361 0x422377 0x422377 0x42237a 0x42237a 0x422388 0x422388 0x42238c 0x42238c 0x422394 0x422394 0x422398 0x422398 0x4223a0 0x4223a0 0x4223b0 0x4223b0 0x4223b3 0x4223b3 0x4223b5 0x4223b5 0x4223be 0x4223be 0x4223d5 0x4223d5 0x4223f7 0x4223f7 0x422410 0x422410 0x422414 0x422414 0x422437 0x422437 0x422450 0x422450 0x422453 0x422453 0x422456 0x422456 0x422467 0x422467 0x42246b 0x42246b 0x422479 0x422479 0x422480 0x422480 0x422481 0x422481 0x422490 0x422490 0x4224a9 0x4224a9 0x4224aa 0x4224aa 0x4224b8 0x4224b8 0x4224c8 0x4224c8 0x4224c9 0x4224c9 0x4224d2 0x4224d2 0x4224f9 0x4224f9 0x4224fe 0x4224fe 0x422502 0x422502 0x42250a 0x42250a 0x422527 0x422527 0x42252d 0x42252d 0x422532 0x422532 0x422536 0x422536 0x422543 0x422543 0x422547 0x422547 0x422550 0x422550 0x42255b 0x42255b 0x42255f 0x42255f 0x422573 0x422573 0x422575 0x422575 0x42257f 0x42257f 0x422584 0x422584 0x42259a 0x42259a 0x42259f 0x42259f 0x4225ad 0x4225ad 0x4225b0 0x4225b0 0x422607 0x422607 0x42260c 0x42260c 0x422627 0x422627 0x42262f 0x42262f 0x42264b 0x42264b 0x42264f 0x42264f 0x422654 0x422654 0x422659 0x422659 0x42265c 0x42265c 0x422662 0x422662 0x42267b 0x42267b 0x422684 0x422684 0x422689 0x422689 0x42268c 0x42268c 0x42269b 0x42269b 0x4226a5 0x4226a5 0x4226a8 0x4226a8 0x4226b0 0x4226b0 0x4226c6 0x4226c6 0x4226cf 0x4226cf 0x4226de 0x4226de 0x4226e5 0x4226e5 0x4226f6 0x4226f6 0x4226fa 0x4226fa 0x422716 0x422716 0x422724 0x422724 0x422730 0x422730 0x422734 0x422734 0x422739 0x422739 0x422748 0x422748 0x42274c 0x42274c 0x422751 0x422751 0x42275a 0x42275a 0x422760 0x422760 0x422765 0x422765 0x422776 0x422776 0x42278e 0x42278e 0x4227be 0x4227be 0x4227c6 0x4227c6 0x4227c9 0x4227c9 0x4227df 0x4227df 0x4227e4 0x4227e4 0x4227f8 0x4227f8 0x422809 0x422809 0x42280e 0x42280e 0x422812 0x422812 0x42281d 0x42281d 0x422831 0x422831 0x422833 0x422833 0x422834 0x422834 0x42283c 0x42283c 0x422840 0x422840 0x422860 0x422860 0x422865 0x422865 0x422871 0x422876 0x42287c 0x422880 0x42288d 0x422882 0x422891 0x4001d9 0x4001de 0x4001e1 0x4001ea 0x4001ec 0x4001f1 0x4001f3 0x4001f8 0x4001e2 0x4001fd 0x401d36
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
3. ThunRTMain at 0x7342de3e in MSVBVM60.DLL called from 0x402054
4. _vbaExceptHandler at 0x73444e5b in MSVBVM60.DLL called from 0x401d36
- dot file
- jpg

MD5 checksum	3962b8f202d6fa1d01eae3a88325f04d
Anti-virus name	W32/OnlineGames.BP.gen!Eldorado (generic, not disinfectable),Trojan.OnLineGames-1617,Trojan.Generic.1431814
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x412340 0x412362 0x412369 0x412358 0x41235e 0x41236b 0x412370 0x41237b 0x412381 0x41238c 0x412393 0x41239e 0x4123a0 0x4123ab 0x4123b8 0x4123bc 0x4123bd 0x4123c8 0x4123ce 0x4123d9 0x4123dc 0x4123fc 0x41240b 0x4123b1 0x4123ed 0x4123f6 0x4123c1 0x4123d0 0x4123a4 0x412374 0x412383 0x412412 0x41241a 0x41241f 0x412423 0x412428 0x412446 0x412452 0x412468 0x412470 0x41247d 0x412481 0x412469 0x41244c 0x41248e 0x4124a7 0x4124bc 0x4124c2 0x4124c8 0x4020bc 0x4020cf 0x40212f 0x402138 0x401739 0x40176d 0x4016ee 0x4016f9 0x4016ff 0x401411 0x4013d1 0x401404 0x4013e4 0x401376 0x4013bc 0x4013c2 0x401384 0x40139a 0x4013a0 0x4013aa 0x4013af 0x4013f4 0x401402 0x401390 0x4013b6 0x4013c8 0x4013f8 0x401428 0x401430 0x4012c3 0x4012d6 0x401323 0x401336 0x401333 0x401342 0x401364 0x401446 0x401120 0x40112c 0x401138 0x40114a 0x401157 0x40115b 0x401164 0x401169 0x401171 0x4011d2 0x4011d8 0x4011ef 0x4011f8 0x401247 0x40124f 0x401256 0x40145a 0x401475 0x401495 0x40149b 0x4014ab 0x4014c0 0x4014ce 0x4014d6 0x4014df 0x4014ea
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x412462
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x412477
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4124a5
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4124ba
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036f2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d20
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036f8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d32
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403704
- dot file
- jpg

MD5 checksum	3b206f58cc965aa7f055a5a676fe1f4b
Anti-virus name	Trojan.Generic.1007325
PEiD packer signature	PECompact 2.x -> Jeremy Collake

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x46cff7 0x46d02d 0x46cf04 0x46cf12 0x46cf15 0x46cf87 0x46cf8b 0x46cf90 0x46cf1c 0x46cf23 0x46cf25 0x46cf2c 0x46cf2e 0x46cf33 0x46cf38 0x46cf3c 0x46cf3e 0x46cf41 0x46cf93 0x46cf94 0x46cf99 0x46cfa0 0x46cfa2 0x46cf5a 0x46cf91 0x46cf65 0x46cf6c 0x46cf71 0x46cf76 0x46cf77 0x46cf78 0x46cf79 0x46cf7d 0x46cf51 0x46cf56 0x46cf4a 0x46cf4f 0x46cfa3 0x350c4b 0x350c54 0x350c89 0x350c90 0x350c9e 0x350e34 0x350e64 0x351236 0x351244 0x351257 0x351268 0x3512b1 0x351273 0x35128b 0x35006d 0x350078 0x351593 0x35159e 0x3515ae 0x35009d 0x3500b4 0x3515b5 0x3515c0 0x3515d3 0x3500c5 0x3500af 0x3500c8 0x35128e 0x3512af 0x3512b7 0x350ccc 0x350cce 0x350cd3 0x350cec 0x3510ee 0x3510fc 0x35110f 0x351120 0x35112a 0x351212 0x35113c 0x3514eb 0x351503 0x351508 0x351510 0x351524 0x350a2d 0x350a82 0x3501ad 0x350213 0x35021c 0x350265 0x35029c 0x3502ae 0x35038a 0x350392 0x3503a8 0x3503b7 0x350402 0x3503f0 0x35040a 0x35040e 0x35042d 0x350443 0x35025d 0x350286 0x350399 0x350462 0x35048c 0x3504ed 0x35051c 0x350533 0x35057b 0x35058d 0x3505ad 0x350305 0x35031d 0x350342 0x350358 0x350367 0x35037e 0x350437 0x35043c 0x35043f 0x3505de 0x3506df 0x3506fa 0x350701 0x350717 0x350725 0x3507cf 0x3507dd 0x3507fa 0x350809 0x350830 0x35081e 0x35083b 0x350a17 0x3509d0 0x3509db 0x3509e3 0x350a05 0x3503e2 0x3503cc 0x35049f 0x350856 0x350865 0x35087d 0x35089a 0x3508a9 0x3508d0 0x350884 0x3508be 0x3508d5 0x3508e3 0x3508f9 0x350953 0x35095d 0x35097a 0x35099e 0x3509b4 0x3509bf 0x3509cc 0x350476 0x350989 0x3507e4 0x350964 0x35050a 0x350563 0x3505f4 0x35061f 0x350650 0x35067b 0x3506a9 0x3506c7 0x3506cf 0x350669 0x35045d 0x350860 0x350632 0x35090c 0x350913 0x350928 0x350930 0x350935 0x35093a 0x35074b 0x350775 0x350784 0x35091a 0x35060d 0x35075f 0x35068e 0x3507ae 0x3503ee 0x350451 0x350aa4 0x350ab1 0x3511af 0x3511b4 0x3511cd 0x3511d9 0x3511ee 0x35121f 0x350cf8 0x350d06 0x35104c 0x35105a 0x35106d 0x35107e 0x351089 0x351094 0x3510e1 0x3510e7 0x350d0c 0x350f67 0x350f75 0x350f88 0x350f99 0x350f9c 0x350fa7 0x35103b 0x350fb2 0x350fc5 0x350fc9 0x350fd8 0x350ffa 0x350fde 0x350fe4 0x350ff1 0x350ffd 0x351006 0x351024 0x350ee1 0x350ef1 0x350ef6 0x350efd 0x35103a 0x351045 0x3512a1 0x350d20 0x350d2b 0x35137c 0x351393 0x351397 0x35139a 0x3513a7 0x3513aa 0x3513d2 0x3513e0 0x351407 0x351414 0x351402 0x3500cf 0x3500da 0x3500ea 0x351421 0x35142b 0x351431 0x351435 0x35143b 0x351443 0x35144b 0x35145a 0x351460 0x351470 0x351487 0x351495 0x3500f1 0x3500ff 0x350124 0x350133 0x350141 0x3514a8 0x3514b4 0x3513be 0x351439 0x35147e 0x35143f 0x35013b 0x35138f 0x3513b7 0x350d35 0x350db4 0x350dd4 0x350f04 0x350f12 0x350f25 0x350f36 0x350f5a 0x350f41 0x350f58 0x350f60 0x351619 0x351632 0x35156e 0x35158c 0x350df4 0x350e07 0x46d074 0x46d08e 0x429c82 0x429cb5 0x429cca 0x429cd8 0x429cf1 0x429d05 0x429e0d 0x429d19 0x429d3d 0x429d4c 0x429d5e 0x429d68 0x429d6c 0x429d71 0x429d75 0x429d7f 0x429d8c 0x429da3 0x429da6 0x429db0
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x46d02b
2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x350e2e
3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x350e50
4. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x3515a8
5. targ6d at 0x35009d in DEFAULT_MODULE called from 0x3515b2
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x3515cd
7. targ6d at 0x3500c5 in DEFAULT_MODULE called from 0x3515d7
8. targ6d at 0x3500c5 in DEFAULT_MODULE called from 0x3515d7
9. targ1236 at 0x35128e in DEFAULT_MODULE called from 0x3500cc
10. IsDebuggerPresent at 0x7c812e03 in kernel32.dll called from 0x350ccc
11. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x350ce6
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x350a80
13. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x350aaf
14. targ10ee at 0x3511af in DEFAULT_MODULE called from 0x350aba
15. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x351405
16. targ1593 at 0x351593 in DEFAULT_MODULE called from 0x3500e4
17. targcf at 0x3500ea in DEFAULT_MODULE called from 0x3515b2
18. targ13d2 at 0x351407 in DEFAULT_MODULE called from 0x3500ee
19. targ15b5 at 0x3515b5 in DEFAULT_MODULE called from 0x35012d
20. targf1 at 0x350133 in DEFAULT_MODULE called from 0x3515d7
21. targ13d2 at 0x351407 in DEFAULT_MODULE called from 0x3500ee
22. targ137c at 0x3513b3 in DEFAULT_MODULE called from 0x3514ba
23. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x350f52
24. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x351613
25. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x35162c
26. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x351568
27. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x351586
28. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x350e01
29. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x429caf
30. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x429cc4
31. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x429cd2
32. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x429e14
33. initterm at 0x77c39d67 in msvcrt.dll called from 0x429df8
34. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x429d37
35. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x429d86
36. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x429daa
Stack trace at network call
1. THREAD ID=#1872
2. Frame pc=0x7c901231 function DbgBreakPoint at 7c901230 in mod ntdll.dll
3. Frame pc=0x10003a63 function DYNINSTbreakPoint at 10003a50 in mod libdyninstAPI_RT.dll
4. Frame pc=0x1000176d function DYNINST_stopThread at 100016d0 in mod libdyninstAPI_RT.dll
5. Frame pc=0x104fc329 function Reg_ReadGlobalsEx at 76f27418 in mod DNSAPI.dll
6. Frame pc=0x76f27752
7. Frame pc=0x7c9011a7 function targ1193 at 7c901193 in mod ntdll.dll
CFG at network call
- dot file
- jpg

MD5 checksum	3b62d5c23d20a9b5d86224833024fb37
Anti-virus name	W32/Downldr2.DVGR (exact),Trojan.Spy.Banker-5850,Dropped:Trojan.Packed.Gen.1
PEiD packer signature	MEW 11 1.2 -> NorthFox/HCC

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x45cab4 0x40012c 0x400130 0x40010b 0x400167 0x400162 0x400169 0x40016d 0x40016f 0x400173 0x400175 0x40017c 0x40017a 0x400180 0x400182 0x400165 0x4001c0 0x400196 0x40019b 0x4001b9 0x400185 0x438000 0x438005 0x438009 0x43800b 0x40019f 0x438003 0x4001a8 0x4001af 0x4001b4 0x4001ba 0x4001bb 0x400191 0x400194 0x4001bc 0x4001ca 0x40015f 0x4001cf 0x45cd30 0x45cd41 0x45cd4e 0x45cacd 0x45cacd 0x45cadc 0x45cadc 0x45caf2 0x45caf2 0x45caf5 0x45caf5 0x45cb03 0x45cb03 0x45cb07 0x45cb07 0x45cb0f 0x45cb0f 0x45cb13 0x45cb13 0x45cb1b 0x45cb1b 0x45cb2b 0x45cb2b 0x45cb2e 0x45cb2e 0x45cb30 0x45cb30 0x45cb39 0x45cb39 0x45cb50 0x45cb50 0x45cb72 0x45cb72 0x45cb8b 0x45cb8b 0x45cb8f 0x45cb8f 0x45cbb2 0x45cbb2 0x45cbcb 0x45cbcb 0x45cbce 0x45cbce 0x45cbd1 0x45cbd1 0x45cbe2 0x45cbe2 0x45cbe6 0x45cbe6 0x45cbf4 0x45cbf4 0x45cbfb 0x45cbfb 0x45cbfc 0x45cbfc 0x45cc0b 0x45cc0b 0x45cc24 0x45cc24 0x45cc25 0x45cc25 0x45cc33 0x45cc33 0x45cc43 0x45cc43 0x45cc44 0x45cc44 0x45cc4d 0x45cc4d 0x45cc74 0x45cc74 0x45cc79 0x45cc79 0x45cc7d 0x45cc7d 0x45cc85 0x45cc85 0x45cca2 0x45cca2 0x45cca8 0x45cca8 0x45ccad 0x45ccad 0x45ccb1 0x45ccb1 0x45ccbe 0x45ccbe 0x45ccc2 0x45ccc2 0x45cccb 0x45cccb 0x45ccd6 0x45ccd6 0x45ccda 0x45ccda 0x45ccee 0x45ccee 0x45ccf0 0x45ccf0 0x45ccfa 0x45ccfa 0x45ccff 0x45ccff 0x45cd15 0x45cd15 0x45cd1a 0x45cd1a 0x45cd28 0x45cd28 0x45cd2b 0x45cd2b 0x45cd91 0x45cd91 0x45cd96 0x45cd96 0x45cdb1 0x45cdb1 0x45cdb9 0x45cdb9 0x45cdd5 0x45cdd5 0x45cdd9 0x45cdd9 0x45cdde 0x45cdde 0x45cde3 0x45cde3 0x45cde6 0x45cde6 0x45cdec 0x45cdec 0x45ce05 0x45ce05 0x45ce0e 0x45ce0e 0x45ce13 0x45ce13 0x45ce16 0x45ce16 0x45ce25 0x45ce25 0x45ce2f 0x45ce2f 0x45ce32 0x45ce32 0x45ce3a 0x45ce3a 0x45ce50 0x45ce50 0x45ce59 0x45ce59 0x45ce68 0x45ce68 0x45ce6f 0x45ce6f 0x45ce80 0x45ce80 0x45ce84 0x45ce84 0x45cea0 0x45cea0 0x45ceae 0x45ceae 0x45ceba 0x45ceba 0x45cebe 0x45cebe 0x45cec3 0x45cec3 0x45ced2 0x45ced2 0x45ced6 0x45ced6 0x45cedb 0x45cedb 0x45cee4 0x45cee4 0x45ceea 0x45ceea 0x45ceef 0x45ceef 0x45cf00 0x45cf00 0x45cf18 0x45cf18 0x45cf48 0x45cf48 0x45cf50 0x45cf50 0x45cf53 0x45cf53 0x45cf69 0x45cf69 0x45cf6e 0x45cf6e 0x45cf82 0x45cf82 0x45cf93 0x45cf93 0x45cf98 0x45cf98 0x45cf9c 0x45cf9c 0x45cfa7 0x45cfa7 0x45cfbb 0x45cfbb 0x45cfbd 0x45cfbd 0x45cfbe 0x45cfbe 0x45cfc6 0x45cfc6 0x45cfca 0x45cfca 0x45cfea 0x45cfea 0x45cfef 0x45cfef 0x45cffb 0x45cffb 0x45d000 0x4001d9 0x4001de 0x4001e1 0x4001ea 0x4001ec 0x4001f1 0x4001f3 0x4001f8 0x4001e2 0x4001d6 0x4001fd 0x4054e9 0x40554c 0x405340
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405414
- dot file
- jpg

MD5 checksum	3bc6ae3273e1e370138816be5ec448bd
Anti-virus name	W32/TrojanX.AYMP (exact),Backdoor.IRCBot.ACGB
PEiD packer signature	Microsoft Visual C++ 6.0

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x406836 0x406869 0x40687e 0x40688c 0x4068a5 0x4068b9 0x4069af 0x403c4e 0x403c2e 0x403c1e 0x403c1e 0x403c49 0x405df6 0x405e00 0x405dfe 0x4067d0 0x406729 0x40672d 0x40673a 0x406755 0x406759 0x406776 0x40677a 0x403d12 0x403d6c 0x403d70 0x403dca 0x403dce 0x403e3b 0x403e3f 0x403e73 0x403e77 0x403f0a 0x403f0e 0x403f42 0x403f46 0x403fb3 0x403fb7 0x404070 0x404074 0x4040e1 0x4040e5 0x404178 0x40417c 0x4041d6 0x4041da 0x40420e 0x404212 0x4042a5 0x4042a9 0x404362 0x404366 0x4043c0 0x4043c4 0x40441e 0x404422 0x404469 0x40446d 0x404500 0x404504 0x404571 0x404575 0x4045cf 0x4045d3
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x406863
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x406878
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x406886
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x4069b6
5. lstrlen at 0x7c80c6e0 in kernel32.dll called from 0x403c28
6. initterm at 0x77c39d7a in msvcrt.dll called from 0x403c57
7. except_handler3 at 0x77c35c94 in msvcrt.dll called from 0x4067d0
8. time at 0x77c4aea3 in msvcrt.dll called from 0x406734
- dot file
- jpg

MD5 checksum	3c5189c16f6eb935f50eebc3bfcf3918
Anti-virus name	W32/Backdoor2.CFPL (exact),Trojan.Dropper-2722,Backdoor.Nuclear.BR

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x131a4ece 0x1314012c 0x13140130 0x1314010b 0x13140167 0x13140162 0x13140169 0x1314016d 0x1314016f 0x13140173 0x13140175 0x1314017c 0x1314017a 0x13140180 0x131401c0 0x13140165 0x13140182 0x13140185 0x13189000 0x13189005 0x13189009 0x1318900b 0x1314019f 0x13189003 0x131401a8 0x131401af 0x131401b4 0x131401b9 0x131401ba 0x131401bb 0x13140196 0x1314019b 0x13140191 0x13140194 0x131401bc 0x131401ca 0x1314015f 0x131401cf 0x131a514a 0x131a515b 0x131a5168 0x131a4ee7 0x131a4ee7 0x131a4ef6 0x131a4ef6 0x131a4f0c 0x131a4f0c 0x131a4f0f 0x131a4f0f 0x131a4f1d 0x131a4f1d 0x131a4f21 0x131a4f21 0x131a4f29 0x131a4f29 0x131a4f2d 0x131a4f2d 0x131a4f35 0x131a4f35 0x131a4f45 0x131a4f45 0x131a4f48 0x131a4f48 0x131a4f4a 0x131a4f4a 0x131a4f53 0x131a4f53 0x131a4f6a 0x131a4f6a 0x131a4f8c 0x131a4f8c 0x131a4fa5 0x131a4fa5 0x131a4fa9 0x131a4fa9 0x131a4fcc 0x131a4fcc 0x131a4fe5 0x131a4fe5 0x131a4fe8 0x131a4fe8 0x131a4feb 0x131a4feb 0x131a4ffc 0x131a4ffc 0x131a5000 0x131a5000 0x131a500e 0x131a500e 0x131a5015 0x131a5015 0x131a5016 0x131a5016 0x131a5025 0x131a5025 0x131a503e 0x131a503e 0x131a503f 0x131a503f 0x131a504d 0x131a504d 0x131a505d 0x131a505d 0x131a505e 0x131a505e 0x131a5067 0x131a5067 0x131a508e 0x131a508e 0x131a5093 0x131a5093 0x131a5097 0x131a5097 0x131a509f 0x131a509f 0x131a50bc 0x131a50bc 0x131a50c2 0x131a50c2 0x131a50c7 0x131a50c7 0x131a50cb 0x131a50cb 0x131a50d8 0x131a50d8 0x131a50dc 0x131a50dc 0x131a50e5 0x131a50e5 0x131a50f0 0x131a50f0 0x131a50f4 0x131a50f4 0x131a5108 0x131a5108 0x131a510a 0x131a510a 0x131a5114 0x131a5114 0x131a5119 0x131a5119 0x131a512f 0x131a512f 0x131a5134 0x131a5134 0x131a5142 0x131a5142 0x131a5145 0x131a5145 0x131a51ab 0x131a51ab 0x131a51b0 0x131a51b0 0x131a51cb 0x131a51cb 0x131a51d3 0x131a51d3 0x131a51ef 0x131a51ef 0x131a51f3 0x131a51f3 0x131a51f8 0x131a51f8 0x131a51fd 0x131a51fd 0x131a5200 0x131a5200 0x131a5206 0x131a5206 0x131a521f 0x131a521f 0x131a5228 0x131a5228 0x131a522d 0x131a522d 0x131a5230 0x131a5230 0x131a523f 0x131a523f 0x131a5249 0x131a5249 0x131a524c 0x131a524c 0x131a5254 0x131a5254 0x131a526a 0x131a526a 0x131a5273 0x131a5273 0x131a5282 0x131a5282 0x131a5289 0x131a5289 0x131a529a 0x131a529a 0x131a529e 0x131a529e 0x131a52ba 0x131a52ba 0x131a52c8 0x131a52c8 0x131a52d4 0x131a52d4 0x131a52d8 0x131a52d8 0x131a52dd 0x131a52dd 0x131a52ec 0x131a52ec 0x131a52f0 0x131a52f0 0x131a52f5 0x131a52f5 0x131a52fe 0x131a52fe 0x131a5304 0x131a5304 0x131a5309 0x131a5309 0x131a531a 0x131a531a 0x131a5332 0x131a5332 0x131a5362 0x131a5362 0x131a536a 0x131a536a 0x131a536d 0x131a536d 0x131a5383 0x131a5383 0x131a5388 0x131a5388 0x131a539c 0x131a539c 0x131a53ad 0x131a53ad 0x131a53b2 0x131a53b2 0x131a53b6 0x131a53b6 0x131a53c1 0x131a53c1 0x131a53d5 0x131a53d5 0x131a53d7 0x131a53d7 0x131a53d8 0x131a53d8 0x131a53e0 0x131a53e0 0x131a53e4 0x131a53e4 0x131a5404 0x131a5404 0x131a5409 0x131a5409 0x131a5415 0x131a5415 0x131a541a 0x131401d9 0x131401de 0x131401e1 0x131401ea 0x131401ec 0x131401f1 0x131401f3 0x131401f8 0x131401e2 0x131401d6 0x131401fd 0x131446e5 0x13148000 0x13148094 0x13148098 0x131480ac 0x131480c4 0x131480f0 0x13143ed3 0x13148114 0x13145d28 0x13145d2f 0x1314506c 0x131468a0 0x131468c9 0x131468ce 0x13143c58 0x13143c5d 0x13143c64 0x13143c67 0x13143c6b 0x13143c71 0x13143c86 0x13143c75 0x13143a54 0x13143a28 0x13143a2c 0x13142bdc 0x13142be0
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x131401de
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x131401f5
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x13144610
4. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x13143024
5. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x131447e8
6. SysReAllocStringLen at 0x7714c99d in oleaut32.dll called from 0x13141098
7. GetModuleHandleA at 0x7c80b548 in kernel32.dll called from 0x7c80e663
- dot file
- jpg

MD5 checksum	3cb890e409b064c55357ca2360022cf8
Anti-virus name	W32/Infostealer.A!Maximus,Trojan.Bancos-12676,Trojan.Crypt.Delf.E

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x494000 0x4dd81f 0x4dd834 0x4dd866 0x4dd86e 0x4dd883 0x4dd88f 0x4dd8ac 0x4dd8ff 0x4dc8cf 0x4dc8ec 0x4dc8fb 0x4dc903 0x4dc90d 0x4dca4f 0x4dca5a 0x4dca8f 0x4dca7d 0x4dca80 0x4dc940 0x4dc97a 0x4dc86f 0x4dc877 0x4dc89d 0x4dcb8f 0x4dcc2f 0x4dd41f 0x4dd431 0x4dcaaf 0x4dcacd 0x4dc89f 0x4dc8ad 0x4dc8b5 0x4dc8be 0x4dcafa 0x4dd44a 0x4dcc56 0x4dcc67 0x4dcccf 0x4dccef 0x4dcd1e 0x4dcd6c 0x4dcc8c 0x4dcd9f 0x4dd01f 0x4dcd0a 0x4dd03c 0x4dce66 0x4dce7f 0x4dce87 0x4dce9e 0x4dd7cf 0x4dd800 0x4dd808 0x4dd80d 0x4dd813 0x4dcebf 0x4dcec9 0x4dced1 0x4dcee5 0x4dd04f 0x4dd064 0x4dd071 0x4dd088 0x4dd095 0x4dd0b0 0x4dd0da 0x4dd0e4 0x4dd0ef 0x4dd119 0x4dd110 0x4dd11e 0x4dd128 0x4dd136 0x4dd14e 0x4dd15d 0x4dd169 0x4dd172 0x4dd183 0x4dd197 0x4dd261 0x4dd1a6 0x4dd1ab 0x4dd1c2 0x4dd1d0 0x4dd268 0x4dcef8 0x4dcf03 0x4dcf13 0x4dcf32 0x4dcf3c 0x4dcf3f 0x4dcf42 0x4dcf83 0x4dcf8a 0x4dcf94 0x4dcf6d 0x4dcf75 0x4dcf5b 0x4dcf63 0x4dcf9c 0x4dd78f 0x4dd7a4 0x4dd7b1 0x4dd7b6 0x4dd7bf 0x4dd1d5 0x4dd1ff 0x4dd205 0x4dd227 0x4dd23d 0x4dd246 0x4dd1fb 0x4dd256 0x4dd243 0x4dcfca 0x4dcfd1 0x4dcfe4 0x4dcfeb 0x4dcc91 0x4dcc98 0x4dd45f 0x4dd466 0x4dd50f 0x4dd52c 0x4dd59c 0x4dd5b8 0x4dd5bf 0x4dd5c4 0x4dd647 0x4dd686 0x4dd479 0x4dd540 0x4dd548 0x4dd56b 0x4dd572 0x4dd598 0x4dd4a5 0x4dd4a7 0x4dd68f 0x4dd6de 0x4dd6e9 0x4dd6ef 0x4dd6f8 0x4dd4b3 0x4dd4c6 0x4dd4f1 0x4dd4f9 0x4dd4fc 0x4dd64e 0x4dd683 0x4dd700 0x4dd710 0x4dd732 0x4dd73c 0x4dd74d 0x4dd76c 0x4dd6ac 0x4dd6b3 0x4dd6c3 0x4dd6db 0x4dd5d6 0x4dd5e8 0x4dd5f9 0x4dd60b 0x4dd63b 0x4dd4dc 0x4dcb0f 0x4dcb28 0x4dcb3c 0x4dd4ee 0x4dcd34 0x4dcd39 0x4dcd63 0x4dcac9 0x4dd447 0x4dcd69 0x4dd501 0x4dcca1 0x4dccac 0x4dccb3 0x4dccc4 0x4dccca 0x4dca0b 0x4dca17 0x4dca1d 0x4dd91c 0x4dd929 0x4dd93f 0x4dd950 0x4dd957 0x4dd96b 0x4dd988 0x4dd98e 0x4dd99d 0x4dd9b0 0x4dd9c9 0x4dd9cc 0x4dd88c 0x4dd992 0x4dcca5
Windows API calls issued from malware code
- dot file
- jpg

MD5 checksum	3d7cdcc126ef27f9c535b565e49b06fa
Anti-virus name	W32/Backdoor2.CKKQ (exact),Trojan.Hupigon-18120,Trojan.PWS.Delf.IJN
PEiD packer signature	UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x491880 0x4918a2 0x4918a9 0x491898 0x49189e 0x4918ab 0x4918b0 0x4918bb 0x4918c1 0x4918eb 0x4918f2 0x4918fd 0x49190e 0x4918dc 0x4918e7 0x49193d 0x49195c 0x49196b 0x491903 0x491910 0x49191c 0x49191e 0x491929 0x49192f 0x49193a 0x491907 0x4918c3 0x4918b4 0x49194e 0x491957 0x491922 0x491931 0x4918cc 0x4918d8 0x4918d1 0x491915 0x4918e0 0x491972 0x49197a 0x49197f 0x491983 0x491988 0x4919a6 0x4919b2 0x4919c8 0x4919d0 0x4919dd 0x4919e1 0x4919c9 0x4919ac 0x4919ee 0x491a07 0x491a1c 0x491a22 0x491a28 0x403c89 0x403cec 0x403ae0 0x403bb2 0x403d24 0x403e14 0x403e54 0x403e8c 0x4042e8 0x404b48 0x403f84 0x402160 0x40195d 0x402041 0x402052 0x402057 0x402065 0x402076 0x40207e 0x401fe0 0x401fee 0x401ff8 0x402009 0x402011 0x40208c 0x401f80 0x401684 0x4016ea 0x4016ee 0x401364 0x401373 0x401386 0x401398 0x4013a0 0x401188 0x4010fc 0x40110a 0x401116 0x401128 0x40113f 0x401163 0x401178 0x401196 0x4011a5 0x4011df 0x4013c3 0x4016f7 0x4016fc 0x401218 0x401233 0x401265 0x40127b 0x401285 0x40128e 0x401296 0x4016a2 0x4016a9 0x4016b0 0x401508 0x4015b6 0x40155b 0x40157a 0x401583 0x40158a 0x401591 0x4015a6 0x4015b0 0x4015bf 0x4016c3 0x401722 0x401f96 0x401ef4 0x401ea8 0x401ef1 0x401f18 0x401f24 0x401f34 0x401f4b 0x401f54 0x401bb4 0x401bd9 0x401bde 0x401bed 0x401f65 0x401f76 0x401fa5 0x401fa7 0x4020a1 0x4020a6 0x4020b7 0x402155 0x40229a 0x402fe8
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4919c2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4919d7
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x491a05
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x491a1a
5. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x403bb4
6. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x402bfc
7. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x403d6c
8. LoadResource at 0x7c80a065 in kernel32.dll called from 0x403d8c
9. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x403db4
10. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4010dc
11. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4010bc
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4010cc
- dot file
- jpg

MD5 checksum	4033ea767618d48c8db1a782d0d7d7ff
Anti-virus name	W32/Dropper.AEZS (exact, dropper),Trojan.SdBot-8691

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401c38 0x401c64 0x401d8e 0x401dc6 0x401ca4 0x4024b2 0x4024cc 0x402558 0x403a6a 0x403b69 0x403b77 0x403bae 0x401cb2 0x40439d 0x4043b8 0x4043ba 0x4043c0 0x4043f4 0x404404 0x40440b 0x404412 0x404419 0x404432 0x404438 0x4051f7 0x4051fe 0x40443e 0x404447 0x404454 0x404466 0x40446a 0x404471 0x4044c8 0x405521 0x40555e 0x405769 0x404eda 0x404f60 0x404fb6 0x404fc8 0x405d8d 0x405e2a 0x405e82 0x405e98 0x405f33 0x405f58 0x40569d 0x404179 0x4041ab 0x404097 0x4040a9 0x4040b1 0x4040b7 0x4040bc 0x4014d0 0x4014f0 0x401508 0x40150f 0x401513 0x40151a 0x401523 0x4040c2 0x401537 0x4014dc 0x4014e3 0x4014eb 0x40152d 0x4040bb 0x401541 0x4040c9 0x4040d6 0x4040eb 0x4040f5 0x4040f6 0x4040fc 0x404127 0x404105 0x40410b 0x40411a 0x4058f0 0x405961 0x40596d 0x405974 0x40597f 0x405986 0x405981 0x4059a0 0x4059a4 0x4059a8 0x4059c2 0x404122 0x4059b0 0x4059ba 0x4059d8 0x40412d 0x40412e 0x40154b 0x401554 0x401df1 0x401e01 0x401e05 0x401e14 0x401e19 0x401e1b 0x40156a 0x401578 0x403bb6 0x403bc1 0x403c9e 0x403ca3 0x403ca9 0x403cb1 0x403caf 0x404bcf 0x404bdc 0x404be9 0x404bee 0x401b15 0x401b28 0x401b2f 0x401b35 0x401b3c 0x401b51 0x401b60 0x401b88 0x401b8a 0x404bf6 0x404c22 0x404c29 0x404c3f 0x404c46 0x404c63 0x404c66 0x404c5f 0x404c72 0x403cb6 0x403bdf 0x401cdd 0x40403f 0x40404d 0x40405a 0x404062 0x404066 0x4054ce 0x4054df 0x4054f0 0x405505 0x405507 0x40550b 0x4054db 0x404077 0x40407c 0x404089 0x404093 0x401cf1 0x401cf4 0x401d00
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x401c5e
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x401d88
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401dc0
4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4024ac
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4024c6
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x402552
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x403a64
8. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x403b63
9. GetFileType at 0x7c811069 in kernel32.dll called from 0x403b71
10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x403ba8
11. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x401cac
12. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x4043b8
13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x404430
14. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x404452
15. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40446b
16. GetACP at 0x7c809943 in kernel32.dll called from 0x4056d8
17. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x405558
18. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x405763
19. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x404ed4
20. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404f5a
21. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404fb0
22. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x404fc2
23. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405d87
24. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405e24
25. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405e7c
26. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405e92
27. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405f2d
28. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x405f52
29. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x404173
30. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x401572
31. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401b5a
32. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x401cd7
33. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401cfa
34. MessageBoxA at 0x77d8050b in USER32.dll called from 0x401053

MD5 checksum	40753ac878def6c05c5feee71d32bd9e
Anti-virus name	W32/Legendmir.BWW (exact),Trojan.Spy-66720,Trojan.PWS.Lmir.OQ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x42ec70 0x42ec92 0x42ec99 0x42ec88 0x42ec8e 0x42ec9b 0x42eca0 0x42ecab 0x42ecb1 0x42ecbc 0x42ecd0 0x42ecdb 0x42ece8 0x42ed0c 0x42ed1d 0x42ed26 0x42ecec 0x42eced 0x42ecf8 0x42ecf1 0x42ecfe 0x42ed09 0x42ecc3 0x42ecce 0x42ed2c 0x42ed3b 0x42ed00 0x42ecd4 0x42ecb3 0x42ece1 0x42eca4 0x42ed42 0x42ed4a 0x42ed4f 0x42ed53 0x42ed58 0x42ed76 0x42ed82 0x42ed98 0x42eda0 0x42edad 0x42edb1 0x42ed99 0x42ed7c 0x42edbe 0x42edc4 0x42edcd 0x42edd1 0x42ede2 0x42edef 0x405860 0x4027fa 0x40357c 0x403558 0x40355c 0x4025a8 0x4025ac 0x401fe8 0x40200f 0x402030 0x402040 0x40204c 0x402055 0x4020df 0x4020e7 0x402103 0x402f80
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x42ed92
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42eda7
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405790
4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x405788
5. RegOpenKeyExA at 0x77dd761b in advapi32.dll called from 0x4011cc
- dot file
- jpg

MD5 checksum	4077c299152b3b0f1966769e7858bc20
Anti-virus name	W32/Pws.ACTX (exact),Trojan.Tibia-39,Trojan.PWS.Tibia.BK

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4012a0 0x4012b3 0x407000 0x405d2e 0x405dbd 0x405dcb 0x405dd7 0x405de1 0x405df8 0x405e90 0x405ea9 0x405f15 0x405f61 0x405c95 0x405f68 0x405f6e 0x405f21 0x405f43 0x405ac7 0x405ad6 0x405b0c 0x403288 0x4032b0 0x406170 0x406185 0x40618c 0x406193 0x4032bb 0x406090 0x4060ac 0x4060b3 0x4060ba
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x4012ad
2. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x403180
3. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x406e00
4. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x406de0
5. FindAtomA at 0x7c80cb96 in kernel32.dll called from 0x405db7
6. malloc at 0x77c2c407 in msvcrt.dll called from 0x406e70
7. memset at 0x77c475f0 in msvcrt.dll called from 0x406e30
8. AddAtomA at 0x7c8392a3 in kernel32.dll called from 0x405f0f
9. GetAtomNameA at 0x7c85b093 in kernel32.dll called from 0x405c8f
10. atexit at 0x77c34e35 in msvcrt.dll called from 0x4012ca
11. _p__environ at 0x77c1f1c5 in msvcrt.dll called from 0x406dc0
12. realloc at 0x77c2c454 in msvcrt.dll called from 0x77c2c431

MD5 checksum	410c7e0aca6d8cbb65892a81db0ca729
Anti-virus name	W32/Heuristic-166!Eldorado (not disinfectable),Trojan.WoW-694,Trojan.Crypt.FK

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x413213 0x41321a 0x41322d 0x413262 0x41326a 0x413275 0x413534 0x413540 0x413541 0x4135b3 0x4135b7 0x4135bc 0x413548 0x41354f 0x413551 0x413558 0x41355a 0x41355c 0x413561 0x413565 0x413567 0x41357b 0x413580 0x4135a9 0x4135a8 0x41356a 0x4135bf 0x4135c0 0x4135c5 0x4135cc 0x4135ce 0x413587 0x4135bd 0x413594 0x41359b 0x4135a2 0x4135a7 0x413572 0x413579 0x4135cf 0x413297 0x4132b7 0x8705aa 0x8705ca 0x8705d6 0x8705e4 0x8705ea 0x870606 0x870629 0x870298 0x8702fa 0x8702fe 0x870310 0x870018 0x870033 0x870001 0x870012 0x870038 0x870049 0x870328 0x87033b 0x870094 0x8700ad 0x8700e9 0x87012f 0x870354 0x87037f 0x870395 0x8703bb 0x8701ae 0x8701b8 0x8700ed 0x87012c 0x8701c5 0x870113 0x87011a 0x8701ce 0x870434 0x87058c 0x8700d0 0x8700d7 0x8703ca 0x8703df 0x8703ea 0x8703f6 0x8703fd 0x87040e 0x870487 0x870233 0x87023e 0x870242 0x870132 0x870143 0x870147 0x870155 0x87015c 0x87015d 0x870293 0x87055e 0x870564 0x87056c 0x870578 0x870587 0x870385 0x87038a 0x870392 0x87039b 0x8701d2 0x8701e1 0x8701fe 0x870206 0x870222 0x870210 0x87021e 0x87022a 0x8704b1 0x8704e3 0x8704ee 0x870504 0x870509 0x870521 0x87052d 0x87016c 0x870185 0x870186 0x870194 0x8701a4 0x8701a5 0x870557 0x870552 0x8704eb 0x870442 0x87044e 0x870457 0x870466 0x87046a 0x870478 0x87047e 0x87038f 0x870412 0x87041b 0x870536 0x87004d 0x87005c 0x87005f 0x87006c 0x870084 0x870087 0x870088 0x870074 0x87007c 0x870067 0x870258 0x870262 0x870267 0x87027d 0x870282 0x870290 0x870452 0x87046f 0x870598 0x87059a 0x870648 0x87064e 0x87064f 0x87065c 0x870660 0x4132e4 0x4132f7 0x41330c 0x413311 0x413315 0x41331d 0x413323 0x41333b 0x41334b 0x41348a 0x413498 0x4134b3 0x4134ce 0x4134d6 0x4134ed 0x413501 0x413514 0x41351d 0x4134e1 0x4134ea 0x4134a0 0x4134a5 0x4134ab 0x4134b1 0x41352d 0x413350 0x4133e3 0x413436 0x413447 0x413466 0x413450 0x41346f 0x413483 0x4025a0
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x41325c
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x870626
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x870659
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4132f1
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4134c8
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41350e
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x413460
8. _set_app_type at 0x77c3537c in MSVCRT.DLL called from 0x4025cd
- dot file
- jpg

MD5 checksum	41bad990dd64ea86a92ee75b44834b34
Anti-virus name	W32/Legendmir.BWW (exact),Trojan.Spy-66720,Trojan.PWS.Lmir.OQ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x42ec70 0x42ec92 0x42ec99 0x42ec88 0x42ec8e 0x42ec9b 0x42eca0 0x42ecab 0x42ecb1 0x42ecbc 0x42ecd0 0x42ecdb 0x42ece8 0x42ed0c 0x42ed1d 0x42ed26 0x42ecec 0x42eced 0x42ecf8 0x42ecf1 0x42ecfe 0x42ed09 0x42ecc3 0x42ecce 0x42ed2c 0x42ed3b 0x42ed00 0x42ecd4 0x42ecb3 0x42ece1 0x42eca4 0x42ed42 0x42ed4a 0x42ed4f 0x42ed53 0x42ed58 0x42ed76 0x42ed82 0x42ed98 0x42eda0 0x42edad 0x42edb1 0x42ed99 0x42ed7c 0x42edbe 0x42edc4 0x42edcd 0x42edd1 0x42ede2 0x42edef 0x405860 0x4027fa 0x40357c 0x403558 0x40355c 0x4025a8 0x4025ac 0x401fe8 0x40200f 0x402030 0x402040 0x40204c 0x402055 0x4020df 0x4020e7 0x402103 0x402f80
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x42ed92
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42eda7
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405790
4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x405788
5. RegOpenKeyExA at 0x77dd761b in advapi32.dll called from 0x4011cc
- dot file
- jpg

MD5 checksum	4343d37e72e37965c6fbfb43f0575fd0
Anti-virus name	W32/Dropper.AAHY (exact, dropper, not disinfectable),Trojan.Generic.781645 Trojan.Generic.781645

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x10055e9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	437d5338615575c45569d0701e61dc08
Anti-virus name	W32/Worm.AMYZ (exact),Trojan.Spy-59732,Trojan.PWS.Onlinegames.KBNB

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x446ec0 0x446ee2 0x446ee9 0x446ed8 0x446ede 0x446eeb 0x446ef0 0x446efb 0x446f01 0x446f2b 0x446f32 0x446f3d 0x446f4e 0x446f50 0x446f5c 0x446f5e 0x446f69 0x446f6f 0x446f7a 0x446f7d 0x446f9c 0x446fab 0x446f43 0x446f71 0x446f8e 0x446f97 0x446f1c 0x446f27 0x446f55 0x446f20 0x446f47 0x446f0c 0x446f18 0x446f11 0x446ef4 0x446f03 0x446f62 0x446fb2 0x446fba 0x446fbf 0x446fc3 0x446fc8 0x446fe6 0x446ff2 0x447008 0x447010 0x44701d 0x447021 0x447009 0x446fec 0x44702e 0x447047 0x44705c 0x447062 0x447068 0x402bbc 0x402bcf 0x402c2f 0x402c38 0x401739 0x40176d 0x4016ee 0x4016f9 0x4016ff 0x401411 0x4013d1 0x401404 0x4013e4 0x401376 0x4013bc 0x4013c2 0x401384 0x40139a 0x4013a0 0x4013aa 0x4013af 0x4013f4 0x401402 0x401390 0x4013b6 0x4013c8 0x4013f8 0x401428 0x401430 0x4012c3 0x4012d6 0x401323 0x401336 0x401333 0x401342 0x401364 0x401446 0x401120 0x40112c 0x401138 0x40114a 0x401157 0x40115b 0x401164 0x401169 0x401171 0x4011d2 0x4011d8 0x4011ef 0x4011f8 0x401247 0x40124f 0x401256 0x40145a 0x401475 0x401495 0x40149b 0x4014ab 0x4014c0 0x4014ce 0x4014d6 0x4014df 0x4014ea
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x447002
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x447017
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x447045
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x44705a
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036f2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d20
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036f8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d32
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403704
- dot file
- jpg

MD5 checksum 43a3548b90027a278c0bb69d6ce060e1

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x401000 0x4984cb 0x498501 0x4983d9 0x4983e7 0x4983ea 0x49845c 0x498460 0x498465 0x4983f1 0x4983f8 0x4983fa 0x498401 0x498403 0x498408 0x49840d 0x498411 0x498413 0x498416 0x498468 0x498469 0x49846e 0x498475 0x498477 0x49842f 0x498466 0x49843a 0x498441 0x498446 0x49844b 0x49844c 0x49844d 0x49844e 0x498452 0x498426 0x49842b 0x49841f 0x498424 0x498478 0x390a34 0x390a3d 0x390a72 0x390a79 0x390a87 0x390c0c 0x390c2e 0x390c3c 0x390ac4 0x390ec6 0x390ed4 0x390ee7 0x390ef8 0x390f02 0x390fea 0x390f14 0x3912c3 0x3912db 0x3912e0 0x3912e8 0x3912fc 0x39086d 0x3908c2 0x39000d 0x390073 0x39007c 0x3900c5 0x3900fa 0x39010c 0x3901de 0x3901ed 0x390201 0x390210 0x39025b 0x390249 0x390263 0x390267 0x390284 0x39029a 0x3900bd 0x3900e6 0x3901f4 0x3902b9 0x3902e1 0x390340 0x39035d 0x39036d 0x390384 0x3903ca 0x3903dc 0x3903fc 0x39015f 0x390173 0x3901ac 0x3901bb 0x39023b 0x390225 0x390198 0x3901d2 0x39028e 0x390293 0x390296 0x39042b 0x390525 0x39053e 0x390559 0x390567 0x39060f 0x39061d 0x390638 0x390647 0x39066e 0x39065c 0x390679 0x39084f 0x39080e 0x390819 0x390821 0x39083d 0x3902f4 0x390545 0x390694 0x3906a3 0x3906bd 0x3906d8 0x3906e7 0x39070e 0x3906fc 0x3906c4 0x390713 0x390721 0x390735 0x39078d 0x39079d 0x3907b8 0x3907c7 0x3907f2 0x3907fd 0x39080a 0x390624 0x3907dc 0x3907a4 0x3902b4 0x390441 0x39046a 0x390498 0x3904c1 0x3904ef 0x39050d 0x390515 0x39045a 0x3902cd 0x39058d 0x3905b5 0x3905c4 0x39069e 0x39047d 0x3903b4 0x3905ee 0x3904d4 0x390748 0x39074f 0x390762 0x39076f 0x39076a 0x390774 0x390756 0x3905a1 0x3904b1 0x390247 0x3902a8 0x3908e4 0x3908f1 0x390f87 0x390f8c 0x390fa5 0x390fb1 0x390fc6 0x390ff7 0x390ad0 0x390ade 0x390e24 0x390e32 0x390e45 0x390e56 0x390e61 0x390e6c 0x390eb9 0x390ebf 0x390ae4 0x390d3f 0x390d4d 0x390d60 0x390d71 0x390d74 0x390d7f 0x390e13 0x390d8a 0x390d9d 0x390da1 0x390db0 0x390dd2 0x390db6 0x390dc9 0x390dd5 0x390dde 0x390dbc 0x390dfc 0x390cb9 0x390cc9 0x390cce 0x390cd5 0x390e1d 0x390b03 0x391154 0x39116b 0x39116f 0x391172 0x39117f 0x391182 0x3911aa 0x3911b8 0x3911df 0x3911f9 0x391232 0x391238 0x391248 0x39125f 0x39126d 0x39138d 0x391398 0x3913ab 0x391277 0x391280 0x39128c 0x391196 0x3911da 0x391167 0x39118f 0x390b0d 0x390b8c 0x390bac 0x3913f1 0x39140a 0x391346 0x391364 0x390bdf 0x498548 0x498562 0x46e7bc
- Windows API calls issued from malware code
  1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4984ff
  2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x390c06
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x390c28
  4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x390abe
  5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x3908c0
  6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x3908ef
  7. targec6 at 0x390f87 in DEFAULT_MODULE called from 0x3908fa
  8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x3911dd
  9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x3913a5
  10. targ11aa at 0x391277 in DEFAULT_MODULE called from 0x3913af
  11. targ11aa at 0x391277 in DEFAULT_MODULE called from 0x3913af
  12. targ1154 at 0x39118b in DEFAULT_MODULE called from 0x391292
  13. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x3913eb
  14. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x391404
  15. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x391340
  16. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x39135e
  17. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x390bd9
- - dot file
  - jpg

MD5 checksum	45a74898d014e65fc33719287f1d71a0
Anti-virus name	Trojan.Clicker-2331,Trojan.Agent.BDV

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40a564 0x40012c 0x400130 0x40010b 0x400167 0x400169 0x40016d 0x40016f 0x400173 0x400175 0x40017c 0x40017a 0x400180 0x400182 0x400165 0x400162 0x400185 0x408000 0x408005 0x408009 0x40800b 0x40019f 0x408003 0x4001a8 0x4001af 0x4001b4 0x4001b9 0x4001ba 0x4001bb 0x4001c0 0x400191 0x400194 0x4001bc 0x400196 0x40019b 0x4001ca 0x40015f 0x4001cf 0x4001d4 0x4001d9 0x4001dc 0x4001e5 0x4001e7 0x4001ec 0x4001ee 0x4001f3 0x4001dd 0x4001f8
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001d9
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f0
3. ThunRTMain at 0x7342de3e in MSVBVM60.DLL called from 0x40158c
Stack trace at network call
1. THREAD ID=#1856
2. Frame pc=0x7c90eb94 function KiFastSystemCall at 7c90eb8b in mod ntdll.dll
3. Frame pc=0x7c90e9c0 function ZwWaitForSingleObject at 7c90e9b4 in mod ntdll.dll
4. Frame pc=0x7c91901b function RtlpWaitForCriticalSection at 7c918f8f in mod ntdll.dll
5. Frame pc=0x7c90104b function RtlEnterCriticalSection at 7c901005 in mod ntdll.dll
6. Frame pc=0x7c919b30 function targ199b5 at 7c9199b5 in mod ntdll.dll
7. Frame pc=0x7c809988 function LocalFree at 7c80995d in mod kernel32.dll
8. Frame pc=0x7c80999b function LocalFree at 7c80995d in mod kernel32.dll
9. Frame pc=0x7c919ba0 function LdrGetProcedureAddress at 7c919b88 in mod ntdll.dll
10. Frame pc=0x7c80ac66 function GetProcAddress at 7c80ac28 in mod kernel32.dll
11. THREAD ID=#2044
12. Frame pc=0x7c901231 function DbgBreakPoint at 7c901230 in mod ntdll.dll
13. Frame pc=0x10003a63 function DYNINSTbreakPoint at 10003a50 in mod libdyninstAPI_RT.dll
14. Frame pc=0x1000176d function DYNINST_stopThread at 100016d0 in mod libdyninstAPI_RT.dll
15. Frame pc=0x104c0a1e function select at 71ab2dc0 in mod WS2_32.dll
16. Frame pc=0x771d1aa4 function targ218f3 at 771d18f3 in mod WININET.dll
17. Frame pc=0x0
18. THREAD ID=#128
19. Frame pc=0x7c90eb94 function KiFastSystemCall at 7c90eb8b in mod ntdll.dll
20. Frame pc=0x7c90d85c function ZwDelayExecution at 7c90d850 in mod ntdll.dll
21. Frame pc=0x7c9279d4 function targ2798d at 7c92798d in mod ntdll.dll
22. THREAD ID=#168
23. Frame pc=0x1000356d function tc_lock_lock at 10003540 in mod libdyninstAPI_RT.dll
24. Frame pc=0x100016ef function DYNINST_stopThread at 100016d0 in mod libdyninstAPI_RT.dll
25. Frame pc=0x104c0ded function initterm at 77c39d67 in mod msvcrt.dll
26. Frame pc=0x7c9011a7 function targ1193 at 7c901193 in mod ntdll.dll
CFG at network call
- dot file
- jpg

MD5 checksum	46b55a53fda2305af86eb95d02484c57
Anti-virus name	W32/Threat-IKNP-based!Maximus,Trojan.Generic.1004605

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40bcd8 0x404b51 0x404bb4 0x4049a8 0x404a7a 0x404bec 0x404dd0 0x4050e4 0x40511c 0x4053e4 0x408e5c 0x404323 0x403b30 0x403b04 0x401f34 0x4018a0 0x401e5f 0x401e68 0x401e6b 0x401e73 0x401e80 0x401e88 0x401e14 0x401e1d 0x401e27 0x401e35 0x401e3d 0x401e95 0x401db4 0x401608 0x40165c 0x401660 0x401360 0x40136f 0x401382 0x401394 0x40139c 0x401214 0x4011bc 0x4011c8 0x4011d4 0x4011df 0x4011ee 0x401202 0x401228 0x4013bf 0x40166e 0x40125c 0x401278 0x40129a 0x4012af 0x4012b5 0x4012be 0x4012c6 0x401624 0x401629 0x40162e 0x4014f4 0x401576 0x40153a 0x401548 0x40154e 0x401552 0x401556 0x401566 0x401574 0x40157e 0x40163f 0x40168f 0x401dca 0x401d28 0x401cdc 0x401d25 0x401d4c 0x401d58 0x401d68 0x401d7f 0x401d88 0x401a80 0x401a9d 0x401aa2 0x401aae 0x401d99 0x401daa 0x401dd9 0x401ddb 0x401ea7 0x401eac 0x401ebd 0x401f2f 0x402057 0x40354c
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x404a7c
2. GetKeyboardType at 0x77d6fa46 in USER32.DLL called from 0x402d8c
3. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4010c8
4. RegOpenKeyExA at 0x77dd761b in ADVAPI32.DLL called from 0x401118
5. LoadStringA at 0x77d6ec98 in USER32.DLL called from 0x4010f8
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40119c
7. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x40117c
8. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40118c

MD5 checksum	46dca4512f31b100f7da88717a22df86
Anti-virus name	W32/OnlineGames.BP.gen!Eldorado (generic, not disinfectable),Trojan.Spy-60918,Trojan.Generic.1429791

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x411af0 0x411b12 0x411b19 0x411b08 0x411b0e 0x411b1b 0x411b20 0x411b2b 0x411b31 0x411b3c 0x411b43 0x411b4e 0x411b50 0x411b5b 0x411b68 0x411b6c 0x411b6d 0x411b78 0x411b7e 0x411b89 0x411b8c 0x411bac 0x411bbb 0x411b61 0x411b9d 0x411ba6 0x411b71 0x411b80 0x411b54 0x411b24 0x411b33 0x411bc2 0x411bca 0x411bcf 0x411bd3 0x411bd8 0x411bf6 0x411c02 0x411c18 0x411c20 0x411c2d 0x411c31 0x411c19 0x411bfc 0x411c3e 0x411c57 0x411c6c 0x411c72 0x411c78 0x40258b 0x40259e 0x4025fe 0x402607
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x411c12
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x411c27
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x411c55
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x411c6a
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036f2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d20
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036f8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d32
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403704
- dot file
- jpg

MD5 checksum	482aa48cac0c6bade04e426f4ce2e20d
Anti-virus name	W32/Trojan2.CSCT (exact),Backdoor.Hupigon.98666

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x4107e5 0x4107f9 0x403b26 0x4052ef 0x41437c 0x4052fc 0x405306 0x405340 0x405439 0x40543e 0x40fee8 0x40fee2 0x40feed 0x405448 0x40531f 0x40ff10 0x40ff16 0x40532f 0x40533a 0x402f50 0x402f56 0x4143dc 0x402f61 0x402f66 0x402f81 0x414546 0x402fc1 0x408f10 0x408f13 0x408f17 0x408f27 0x408f2b 0x408f33 0x408f1b 0x408f43
Windows API calls issued from malware code
1. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414388
2. IsDBCSLeadByte at 0x7c80b664 in kernel32.dll called from 0x41441e
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x41438e
4. SetEnvironmentVariableA at 0x7c8226a9 in kernel32.dll called from 0x414454
5. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4143ca
6. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4143d0
7. LoadIconA at 0x77d521ae in USER32.dll called from 0x4145a6
8. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x41437c
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4143dc
10. GetClassNameA at 0x77d4e032 in USER32.dll called from 0x414546
11. wvsprintfA at 0x77d4a041 in USER32.dll called from 0x41462a

MD5 checksum 497ab8d89817c1e4050b6ca42d8b73f9

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x4062f5 0x406321 0x406cf5 0x406d0c 0x406d15 0x407a15 0x407a28 0x407a32 0x406d1a 0x406d2d 0x406354 0x406361 0x406b4a 0x4075e0 0x4075f2 0x4075f9 0x40761e 0x40762b 0x407da9 0x407ddb 0x407df9 0x407e20 0x407e25 0x407e27 0x407e43 0x407e45 0x407e5b 0x407e5d 0x407e5f 0x407e73 0x407e75 0x4080b2 0x4080f5 0x408114 0x40811b 0x40812e 0x408149 0x408160 0x407e7a 0x407e83 0x408163 0x408175 0x40817e 0x408193 0x40819f 0x4081ba 0x4081c6 0x4081d0 0x4081d3 0x40820c 0x408246 0x408249 0x408259 0x407e89 0x407e9e 0x407eb1 0x407efc 0x407f18 0x407f25 0x407f29 0x407f2e 0x407f48 0x407f4b 0x408060 0x408064 0x40806f 0x40808b 0x4080a5 0x4080ad 0x407631 0x407652 0x407602 0x40761d 0x4075ef 0x406b5b 0x406b6a 0x406b80 0x406b84 0x406b9e 0x406ba9 0x406c7a 0x406c7c 0x406c8a 0x406c92 0x406ca1 0x406ca8 0x406caf 0x406cb6 0x406cc6 0x406cdb 0x406c97 0x406cba 0x406ccc 0x406ce1 0x406ced 0x406369 0x40636f 0x406a18 0x406a33 0x406a35 0x406a3b 0x406a6f 0x406a7f 0x406a86 0x406a8d 0x406a94 0x406aad 0x406ab3 0x407636 0x40763d 0x406ab9 0x406ac2 0x406acf 0x406ae1 0x406ae5 0x406aec 0x406b43 0x4067cb 0x4067dd 0x407496 0x40749f 0x4070d2 0x40726b 0x40728b 0x407290 0x40729a 0x4070e3 0x4070f5 0x4070ff 0x407106 0x40710a 0x407115 0x407120 0x407129 0x40723b 0x407241 0x40725a 0x407311 0x40732b 0x407334 0x40733b 0x407347 0x40738c 0x40863d 0x40866e 0x408682 0x408686 0x4086a7 0x4086ac 0x4086d5 0x4086de 0x4086eb 0x408708 0x40870f 0x405f90 0x405fb0 0x408721 0x4087b0 0x4087bc 0x4087ca 0x4087d9 0x4087f1 0x4087fd 0x408731 0x408741 0x408749 0x40875e 0x408762 0x408770 0x408774 0x4073b0 0x4083ee 0x40841e 0x408436 0x40843a 0x408464 0x408469 0x408612 0x408622 0x408627 0x40862f 0x40863a 0x408474 0x408479 0x4084a0 0x4084a9 0x4084b6 0x4084d3 0x4084e0 0x4084f0 0x408511 0x408516 0x40852b 0x40852f 0x408541 0x40854a 0x408590 0x4085a4 0x4085c4 0x4085c8 0x4085dc 0x4085e0 0x4085eb 0x4085f1 0x408601 0x40860b 0x40857e 0x4073d4 0x4073fc 0x407407 0x407425 0x40743a 0x407441 0x40740f 0x40741d 0x40742a 0x407448 0x407493 0x40725f 0x407266 0x4074a6 0x4074b1 0x4067e2 0x4067f4 0x406805 0x406807 0x406864 0x40688e 0x406893 0x40689c 0x4068a0 0x4068b8 0x4068c5 0x4068cf 0x4068d4 0x40691a 0x40691e 0x406a07 0x406a0e 0x406817 0x407e07 0x406826 0x406837 0x406886 0x4068be 0x4068cb 0x406a0b 0x40684d 0x406383 0x406712 0x406724 0x40672c 0x406732 0x406737 0x407660 0x407680 0x407698 0x40769f 0x4076a3 0x4076aa 0x4076b3 0x40673d 0x4076c7 0x40766c 0x407673 0x40767b 0x4076bd 0x406736 0x4076d1 0x406744 0x406751 0x406766 0x406770 0x406771 0x406777 0x4067a2 0x406780 0x406786 0x406795 0x4074f0 0x407561 0x40756d 0x407574 0x40757f 0x407586 0x407581 0x4075a0 0x4075a4 0x4075a8 0x4075c2 0x40679d 0x4075b0 0x4075ba 0x4075d8 0x4067a8 0x4067a9 0x4074b2 0x4074bb 0x407a53 0x407a63 0x407a67 0x407a76 0x407a7b 0x407a7d 0x4074c1 0x4074d1 0x4074df 0x4067b4 0x406388 0x406434 0x40643f 0x40651c 0x406521 0x406527 0x40652f 0x40652d 0x406534 0x40644e 0x40645d 0x40638d 0x40639a 0x4066ba 0x4066c8 0x4066d5 0x4066dd 0x4066e1 0x407090 0x4070a1 0x4070b2 0x4070c7 0x4070c9 0x4070cd 0x40709d 0x4066ea 0x4066f2 0x4066f7 0x406704 0x40670e 0x40639f 0x4063ae 0x4063b1 0x4063bd 0x401290 0x4012f0 0x401000 0x401006 0x401010 0x401015 0x40101e 0x401022 0x40102b 0x401043 0x401048 0x40105a 0x401061 0x401374 0x4013c3 0x4013ef 0x4013f6 0x401401 0x405f66 0x401407 0x401210 0x40121d 0x401224 0x401231 0x401233 0x401236 0x401228 0x401244 0x401259 0x40125c 0x401277 0x401278 0x401416 0x4011b0 0x4011bf 0x4011c7 0x401070 0x401077 0x40107f 0x401083 0x4010d8 0x4010e0 0x4010e9 0x4010ed 0x4010f1 0x4010fd 0x4011df 0x4011ea 0x4011ee 0x4011f3 0x401516 0x4011d4 0x401538 0x401553 0x40156f 0x40158b 0x4015a6 0x4015c2 0x4015de 0x4015fa
- Windows API calls issued from malware code
  1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40631b
  2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x406d06
  3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x407a22
  4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40810e
  5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x408128
  6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4081b4
  7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x406ba3
  8. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x406ca2
  9. GetFileType at 0x7c811069 in kernel32.dll called from 0x406cb0
  10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x406ce7
  11. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x406369
  12. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x406a33
  13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x406aab
  14. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x406acd
  15. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x406ae6
  16. GetACP at 0x7c809943 in kernel32.dll called from 0x40729a
  17. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40711a
  18. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x407325
  19. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40867c
  20. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x408702
  21. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x408758
  22. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40876a
  23. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x408430
  24. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4084cd
  25. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x408525
  26. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40853b
  27. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4085d6
  28. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4085fb
  29. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4067ee
  30. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4074d9
  31. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x406394
  32. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4063b7
  33. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x401000
  34. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4013e9
  35. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4013f0
  36. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x4013fb
  37. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x401071
  38. lstrcmpiA at 0x7c80b929 in kernel32.dll called from 0x4011e8
  39. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x40152c
  40. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x401547
  41. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x401563
  42. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x40157f
  43. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x40159a
  44. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x4015b6
  45. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x4015d2
  46. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x4015ee
  47. CheckDlgButton at 0x77d589a8 in USER32.dll called from 0x40160a

MD5 checksum	4a088cc0f943ec58f7a90bc907d54869
Anti-virus name	W32/Trojan2.BAXC (exact),Trojan.Vundo-4975,MemScan:Trojan.Downloader.Zlob.ABLC

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401186 0x4011c6 0x401265 0x401271 0x401b71 0x401c1d 0x401c27 0x401c2e 0x401c79 0x401c89 0x401cef 0x401cf1 0x401cfa 0x401d13 0x401d1a 0x401d26 0x401d4c 0x401d87 0x401dc7 0x401de4 0x401dfd 0x401e6a 0x4014ea 0x401558 0x401599 0x40159b 0x4015bf 0x401624 0x401653 0x40174c 0x4017f3 0x4018a4 0x401921 0x4019d2 0x401a1f 0x401aab 0x401afa 0x401b6f 0x860000 0x86008a 0x8601b1 0x8601bf 0x8601dd 0x86022c 0x860250 0x860258 0x8602a1 0x8602c4 0x86034a 0x86037d 0x860397 0x8603ce
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4014e8
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4018db
3. GetProcessVersion at 0x7c812996 in kernel32.dll called from 0x8601db
4. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x86024e
5. DbgBreakPoint at 0x7c901231 in ntdll.dll called from 0x860395
6. PulseEvent at 0x7c8340fe in kernel32.dll called from 0x8603ce

MD5 checksum	4d0e1734e31896d572deb7a0167081a1
Anti-virus name	W32/Backdoor2.ARXI (exact, not disinfectable),Backdoor.Bot.68230

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x10055e9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	4d4a6b68315916f976e032e19840471e
Anti-virus name	W32/Injector.A.gen!Eldorado (generic, not disinfectable),Trojan.Pakes-2516,Trojan.Generic.795219

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x400154 0x4001e8 0x4001ec 0x4001f1 0x40015d 0x400164 0x400168 0x40016a 0x40016e 0x400170 0x400177 0x400175 0x40017b 0x40017d 0x400160 0x40018f 0x400194 0x4001b0 0x4001b7 0x400180 0x4001de 0x4001e1 0x4001e5 0x4001e7 0x400183 0x400198 0x4001dc 0x4001a1 0x4001a6 0x4001ab 0x4001b1 0x4001b2 0x4001df 0x40018a 0x40018d 0x4001b3 0x4001c1 0x4001c9 0x4001cf 0x4001d4 0x4001d9 0x4001ca 0x4001c2 0x4001d1 0x402274 0x4022a0 0x4036eb 0x404a88 0x4022e0 0x40518e 0x40521a 0x403588 0x403687 0x403695 0x4036cc 0x4022ee 0x4033f7 0x403412 0x403414 0x40341a 0x40344e 0x40345e 0x403465 0x40346c 0x403473 0x40348c 0x403492 0x404716 0x40471d 0x403498 0x4034a1 0x4034ae 0x4034c0 0x4034c4 0x4034cb 0x403522 0x4041c8 0x404410 0x403b30 0x403bb6 0x403c0c 0x403c1e 0x4038e4 0x403981 0x4039d9 0x4039ef 0x403a8a 0x403aaf 0x404344 0x4031d3 0x403205 0x4030f1 0x403103 0x40310b 0x403111 0x403116 0x403fa0 0x403fc0 0x403fd8 0x403fdf 0x403fe3 0x403fea 0x403ff3 0x40311c 0x404007 0x403fac 0x403fb3 0x403fbb 0x403ffd 0x403115 0x404011 0x403123 0x403130 0x403145 0x40314f 0x403150 0x403156 0x403181 0x40315f 0x403165 0x403174 0x4045d0 0x404641 0x40464d 0x404654 0x40465f 0x404666 0x404661 0x404680 0x404684 0x404688 0x4046a2 0x40317c 0x404690 0x40469a 0x4046b8 0x403187 0x403188 0x404597 0x4045a0 0x404ab3 0x404ac3 0x404ac7 0x404ad6 0x404adb 0x404add 0x4045b6 0x4045c4 0x4023b3 0x4023be 0x40249b 0x4024a0 0x4024a6 0x4024ae 0x4024ac 0x403ee5 0x403ef2 0x403eff 0x403f04 0x4055f6 0x405609 0x405610 0x405616 0x40561d 0x405632 0x405641 0x405669 0x40566b 0x403f0c 0x403f38 0x403f3f 0x403f55 0x403f5c 0x403f79 0x403f7c 0x403f75 0x403f88 0x4024b3 0x4023dc 0x402319 0x403099 0x4030a7 0x4030b4 0x4030bc 0x4030c0 0x404175 0x404186 0x404197 0x4041ac 0x4041ae 0x4041b2 0x404182 0x4030d1 0x4030d6 0x4030e3 0x4030ed 0x40232d 0x402330 0x40233c
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001c6
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001d6
3. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40229a
4. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4036e5
5. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x404a82
6. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40516e
7. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x405188
8. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x405214
9. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x403582
10. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x403681
11. GetFileType at 0x7c811069 in kernel32.dll called from 0x40368f
12. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x4036c6
13. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4022e8
14. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x403412
15. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40348a
16. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4034ac
17. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x4034c5
18. GetACP at 0x7c809943 in kernel32.dll called from 0x40437f
19. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4041ff
20. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40440a
21. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x403b2a
22. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x403bb0
23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x403c06
24. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x403c18
25. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4038de
26. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40397b
27. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4039d3
28. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4039e9
29. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x403a84
30. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x403aa9
31. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4031cd
32. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4045be
33. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40563b
34. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x402313
35. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x402336
36. DialogBoxParamA at 0x77d588e1 in USER32.dll called from 0x401018
- dot file
- jpg

MD5 checksum	50648a6d31ef5e4ddee2b5fa9a767bc1
Anti-virus name	W32/Backdoor2.CKSU (exact, not disinfectable),Trojan.Buzus-5166,Trojan.Inject.FW Trojan.Inject.FW

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	50dd03ade6b28d602307970eb550ff22
Anti-virus name	W32/Trojan2.DAHA (exact, not disinfectable),Trojan.Generic.692644 Trojan.Downloader.Small.AARD Trojan.Retapu.D Trojan.Crypt.FD

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x403b34 0x410638 0x41418c 0x410647 0x414222 0x41065f 0x410659 0x410673 0x403b45 0x414192 0x403b4a 0x403b50 0x403cd4 0x403ce4 0x403ced 0x403cf2 0x403cfb 0x403d26 0x403d2b 0x403d2f 0x403d38 0x403d01 0x403d0c 0x403d25 0x403d19 0x403d21 0x403d3d 0x403e40 0x403b57 0x414258 0x403b62 0x4141ce 0x403b73 0x403b82 0x4141d4 0x403b89 0x4143aa 0x4052b0 0x414180 0x4052bd 0x4052c7 0x405300 0x4053f9 0x4053fe 0x40fd6e 0x40fd6a 0x40fd74 0x405408 0x4052de 0x40fd94 0x40fd97 0x40fd9f 0x4052ea 0x4052f5 0x404fbd 0x402f91 0x402f97 0x4141e0 0x402fa2 0x402fa7 0x402fc2 0x41434a 0x403004 0x408e90 0x408e93 0x408e97 0x408ea7 0x408eab 0x408eb3 0x408e9b 0x408ec3
Windows API calls issued from malware code
1. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x41418c
2. IsDBCSLeadByte at 0x7c80b664 in kernel32.dll called from 0x414222
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x414192
4. SetEnvironmentVariableA at 0x7c8226a9 in kernel32.dll called from 0x414258
5. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4141ce
6. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4141d4
7. LoadIconA at 0x77d521ae in USER32.dll called from 0x4143aa
8. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x414180
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4141e0
10. GetClassNameA at 0x77d4e032 in USER32.dll called from 0x41434a
11. wvsprintfA at 0x77d4a041 in USER32.dll called from 0x41442e

MD5 checksum	5238b1201d3fe402c8659fb895c35d7e
Anti-virus name	W32/OnlineGames.A.gen!GSA (generic, not disinfectable),Trojan.Delf-6581

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x10063e2 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x1004411 0x100443d 0x1004470 0x100447b 0x1004bea 0x1004c17 0x1004c54 0x1004c9c 0x1004372 0x10043c0 0x10043de
Windows API calls issued from malware code
1. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
2. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
4. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
5. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
6. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
7. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
9. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
10. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
11. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
12. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
14. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
15. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
16. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
17. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
18. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
19. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
20. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
21. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	527a07e9d3e0fd109c13c3f6b50459c7
Anti-virus name	W32/Zbot.H.gen!Eldorado (generic, not disinfectable),Trojan.Zbot-2017,MemScan:Trojan.Proxy.HR

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x405300 0x40533a 0x405346 0x405348 0x40534b 0x40532e 0x405338 0x40534d 0x405351 0x405362 0x405375 0x405382 0x405384 0x405387 0x405368 0x405373 0x405389 0x40538d 0x40539d 0x4053a4 0x4053a7 0x4053a9 0x4053ac 0x405393 0x405398 0x40539b 0x4053ae 0x4053b2 0x4053c8 0x4053db 0x4053e8 0x4053ea 0x4053ed 0x4053ce 0x4053d9 0x4053ef 0x4053f3 0x927010 0x927013 0x927017 0x927023 0x92702f 0x927032 0x927037 0x927043 0x927043 0x927046 0x927046 0x927048 0x927052 0x927065 0x927072 0x927074 0x927077 0x927058 0x927063 0x927079 0x92707d 0x927090 0x92709c 0x92709e 0x9270a1 0x927084 0x92708e 0x9270a3 0x9270a7 0x9270bf 0x9270cc 0x9270ce 0x9270d1 0x9270b2 0x9270bd 0x9270d3 0x9270d7 0x9270e8 0x9270ef 0x9270f2 0x9270f4 0x9270f7 0x9270de 0x9270e3 0x9270e6 0x9270f9 0x9270fd 0x927114 0x92711a 0x927120 0x927122 0x927125 0x927108 0x92710c 0x927112 0x927127 0x92712b 0x927140 0x927147 0x92714a 0x92714c 0x92714f 0x927136 0x92713b 0x92713e 0x927151 0x927155
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x927155

MD5 checksum	5358d762f730df65c7bb8d89c2082b2b
Anti-virus name	W32/Trojan2.KARU (exact),Dropped:Trojan.Bat.Shutdown.AB

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40b8d0 0x40b8e8 0x40b8ed 0x40b9b4 0x40b9b8 0x40b9c2 0x40b9e2 0x40b9ec 0x40b9fb 0x40ba0c 0x40ba4a 0x40ba63 0x40bb87 0x40bbb2 0x40bbc7 0x40bb7f 0x40bb9a 0x40bba4 0x40bbf8 0x40bc18 0x40c340 0x40bc40 0x40bc83 0x40bcef 0x40bd27 0x40bd45 0x40bd99 0x40be0f 0x40bf47 0x40bf63 0x40bf81 0x40bfc2 0x40bff0 0x40c03e 0x40c06d 0x40c07a 0x40c0a5 0x40c0d1 0x40c0e6 0x40c08d 0x40c097 0x40c0f1 0x40c2f8 0x40c309 0x40c320 0x40c331 0x40bc6d 0x40bc77 0x40bf6b 0x40bf75 0x40bd11 0x40bd1b 0x40bfda 0x40bfe4 0x40bd83 0x40bd8d 0x40ba32 0x40ba3c 0x40bf93 0x40c034 0x40c0b9 0x40babd 0x40bad4 0x40bafe 0x40bb08 0x40bb16 0x40bb2e 0x40bb71 0x40bb51 0x40bbe0 0x40bc25 0x40bc36 0x40bc2c 0x40bc9d 0x40c111 0x40c122 0x40c141 0x40c16c 0x40c180 0x40c1ad 0x40c198 0x40c1b8 0x40c1c7 0x40c1df 0x40c251 0x40c25e 0x40c274 0x40c27e 0x40c28c 0x40c2a1 0x40c2db 0x40c2ee 0x40c154 0x40c15e 0x40c2bc 0x40bb4f 0x40c11d 0x40bdaf 0x40bdd5 0x40be28 0x40be5e 0x40be9b 0x40bed3 0x40bf0d 0x40bf33 0x40bf3b 0x40beed 0x40be78 0x40c003 0x40c1fb 0x40c1fe 0x40c220 0x40c22c 0x40c233 0x40c236 0x40be48 0x40be52
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	53b84f56380c0e839e09962453205369
Anti-virus name	W32/IrcBot.A.gen!Eldorado (generic, not disinfectable),Trojan.Dropper-2104,Trojan.Dropper.RHR

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0xffce0 0xffd02 0xffd09 0xffcf8 0xffcfe 0xffd0b 0xffd10 0xffd1b 0xffd21 0xffd4b 0xffd52 0xffd5d 0xffd6e 0xffd70 0xffd7c 0xffd3c 0xffd47 0xffd9d 0xffdbc 0xffdcb 0xffd63 0xffd7e 0xffd89 0xffd8f 0xffd9a 0xffd67 0xffd14 0xffd40 0xffd2c 0xffd38 0xffd75 0xffd82 0xffd23 0xffdae 0xffdb7 0xffd91 0xffd31 0xffdd2 0xffdda 0xffddf 0xffde3 0xffdff 0xffe0b 0xffe21 0xffe29 0xffe36 0xffe3a 0xffe22 0xffe05 0xffe47 0xffe4d 0xffe56 0xffe5a 0xffe6b 0xffe78 0xffe91 0xffea6 0xffeac 0xffeb2 0x11ce7 0x117f4 0x11d02 0x11680 0x11d16 0x11d20 0x11688 0x11d2e 0x11d38 0x11690 0x11d46 0x11d4e 0x11698
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0xffe1b
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0xffe30
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0xffe8f
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0xffea4
5. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x11628
6. Sleep at 0x7c802442 in kernel32.dll called from 0x11620
7. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x11680
8. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x11688
9. LoadResource at 0x7c80a065 in kernel32.dll called from 0x11690
10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x11698
- dot file
- jpg

MD5 checksum	55a1cf078dc0346e7135069501dd530c
Anti-virus name	Trojan.Buzus-5209,MemScan:Trojan.Delf.PJO

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	560320d5b32242ac94563cd7472386b8
Anti-virus name	W32/OnlineGames.BP.gen!Eldorado (generic, not disinfectable),Trojan.Spy-59728,Trojan.Generic.1429791

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4142a0 0x4142c2 0x4142c9 0x4142b8 0x4142be 0x4142cb 0x4142d0 0x4142db 0x4142e1 0x4142ec 0x4142f3 0x4142fe 0x414300 0x41430b 0x414318 0x41431c 0x41431d 0x414328 0x41432e 0x414339 0x41433c 0x41435c 0x41436b 0x414311 0x41434d 0x414356 0x414321 0x414330 0x414304 0x4142d4 0x4142e3 0x414372 0x41437a 0x41437f 0x414383 0x414388 0x4143a6 0x4143b2 0x4143c8 0x4143d0 0x4143dd 0x4143e1 0x4143c9 0x4143ac 0x4143ee 0x414407 0x41441c 0x414422 0x414428 0x40258b 0x40259e 0x4025fe 0x402607
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4143c2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4143d7
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x414405
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x41441a
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036f2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d20
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036f8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d32
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403704
- dot file
- jpg

MD5 checksum 569285b6f308a3be08120c1c429d16f9

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x401000 0x4dfaa7 0x4dfadd 0x4df9b5 0x4df9c3 0x4df9c6 0x4dfa38 0x4dfa3c 0x4dfa41 0x4df9cd 0x4df9d4 0x4df9d6 0x4df9dd 0x4df9df 0x4df9e4 0x4df9e9 0x4df9ed 0x4df9ef 0x4df9f2 0x4dfa44 0x4dfa45 0x4dfa4a 0x4dfa51 0x4dfa53 0x4dfa0b 0x4dfa42 0x4dfa16 0x4dfa1d 0x4dfa22 0x4dfa27 0x4dfa28 0x4dfa29 0x4dfa2a 0x4dfa2e 0x4dfa02 0x4dfa07 0x4df9fb 0x4dfa00 0x4dfa54 0x940a1c 0x940a25 0x940a5a 0x940a61 0x940a6f 0x940bf4 0x940c16 0x940c24 0x940aac 0x940eae 0x940ebc 0x940ecf 0x940ee0 0x940eea 0x940fd2 0x940efc 0x9412ab 0x9412c3 0x9412c8 0x9412d0 0x9412e4 0x94088d 0x9408e2 0x94000d 0x940073 0x94007c 0x9400c5 0x9400fc 0x94010e 0x9401ea 0x9401f2 0x940208 0x940217 0x940262 0x940250 0x94026a 0x94026e 0x94028d 0x9402a3 0x9400bd 0x9400e6 0x9401f9 0x9402c2 0x9402d6 0x9402ec 0x94034d 0x94037c 0x940393 0x9403db 0x9403ed 0x94040d 0x940165 0x94017d 0x9401b8 0x9401c7 0x940242 0x94022c 0x9401a2 0x9401de 0x940297 0x94029c 0x94029f 0x94043e 0x94053f 0x94055a 0x940577 0x940585 0x94062f 0x94063d 0x94065a 0x940669 0x940690 0x94067e 0x94069b 0x940877 0x940830 0x94083b 0x940843 0x940865 0x9402ff 0x9406b6 0x9406c5 0x9406dd 0x9406fa 0x940709 0x940730 0x9406e4 0x94071e 0x940735 0x940743 0x940759 0x9407b3 0x9407bd 0x9407da 0x9407e9 0x940814 0x94081f 0x94082c 0x940644 0x9407c4 0x9407fe 0x9402bd 0x94036a 0x940454 0x94047f 0x9404b0 0x9404c9 0x9404db 0x940509 0x940527 0x94052f 0x9405ab 0x9405d5 0x9405e4 0x9406c0 0x9403c3 0x940492 0x940561 0x94076c 0x940773 0x940788 0x940795 0x94077a 0x940790 0x94079a 0x9404ee 0x94046d 0x94060e 0x9405bf 0x94024e 0x9402b1 0x940904 0x940911 0x940f6f 0x940f74 0x940f8d 0x940f99 0x940fae 0x940fdf 0x940ab8 0x940ac6 0x940e0c 0x940e1a 0x940e2d 0x940e3e 0x940e49 0x940e54 0x940ea1 0x940ea7 0x940acc 0x940d27 0x940d35 0x940d48 0x940d59 0x940d5c 0x940d67 0x940dfb 0x940d72 0x940d85 0x940d89 0x940d98 0x940dba 0x940d9e 0x940da4 0x940db1 0x940dbd 0x940dc6 0x940de4 0x940ca1 0x940cb1 0x940cb6 0x940cbd 0x940e05 0x940aeb 0x94113c 0x941153 0x94115a 0x941167 0x94116a 0x941192 0x9411a0 0x9411c7 0x9411e1 0x941218 0x94121a 0x941220 0x941230 0x941247 0x941255 0x941375 0x941380 0x941393 0x94125f 0x941268 0x941274 0x94117e 0x9411c2 0x94114f 0x941177 0x940af5 0x940b74 0x940b94 0x9413d9 0x9413f2 0x94132e 0x94134c 0x940bc7 0x4dfb24 0x4dfb3e 0x47c84c
- Windows API calls issued from malware code
  1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4dfadb
  2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x940bee
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x940c10
  4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x940aa6
  5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x9408e0
  6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x94090f
  7. targeae at 0x940f6f in DEFAULT_MODULE called from 0x94091a
  8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x9411c5
  9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x94138d
  10. targ1192 at 0x94125f in DEFAULT_MODULE called from 0x941397
  11. targ1192 at 0x94125f in DEFAULT_MODULE called from 0x941397
  12. targ113c at 0x941173 in DEFAULT_MODULE called from 0x94127a
  13. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x9413d3
  14. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x9413ec
  15. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x941328
  16. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x941346
  17. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x940bc1
- - dot file
  - jpg

MD5 checksum	56ba98fb9a70876faa36b67fa7013e4c
Anti-virus name	W32/OnlineGames.CG.gen!Eldorado (generic, not disinfectable),Generic.Malware.dldgPWS.811D4188

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40d220 0x40d242 0x40d249 0x40d238 0x40d23e 0x40d24b 0x40d250 0x40d25b 0x40d261 0x40d26c 0x40d280 0x40d28b 0x40d298 0x40d29c 0x40d29d 0x40d2a8 0x40d2ae 0x40d2b9 0x40d2bc 0x40d2cd 0x40d2d6 0x40d273 0x40d27e 0x40d2dc 0x40d2eb 0x40d263 0x40d284 0x40d254 0x40d2b0 0x40d2a1 0x40d291 0x40d2f2 0x40d2ff 0x40d315 0x40d31d 0x40d32a 0x40d32e 0x40d316 0x40d2f9 0x40d33b 0x40d354 0x40d369 0x40d36f 0x40d375 0x402468 0x40246c
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40d30f
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40d324
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40d352
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x40d367
5. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x402452
6. GetSystemDirectoryA at 0x7c814c63 in kernel32.dll called from 0x402462
7. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x40246a
8. wsprintfA at 0x77d4a2de in USER32.dll called from 0x402480
CFG at exit
- dot file
- jpg

MD5 checksum	5988be3378dd44aa3acd9b248f737821
Anti-virus name	W32/Trojan2.BLFV (exact),Trojan.Inject-1153,Trojan.Inject.GF

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40161b 0x40162d 0x401430 0x40143a 0x401443 0x401648 0x401662 0x40138f 0x40139d 0x4013a0 0x401412 0x401416 0x40141b 0x4013a7 0x4013ae 0x4013b0 0x4013b7 0x4013b9 0x4013be 0x4013c3 0x4013c7 0x4013c9 0x4013dc 0x4013e1 0x401401 0x401402 0x401403 0x401404 0x401408 0x4013cc 0x40141e 0x40141f 0x401424 0x40142b 0x40142d 0x4013d5 0x40141c 0x4013da 0x4013e5 0x4013f0 0x4013f7 0x4013fc 0x40142e 0x40154e 0x4016b5 0x401567 0x4016e0 0x401580 0x4016ec 0x4016f7 0x40170a 0x4015a3 0x4015eb 0x40174b 0x4015c7 0x4017b0 0x4017d9 0x401605 0x4017e9 0x40161a 0x4017f4
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401627
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x401660
3. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40154c
4. CreateProcessA at 0x7c802367 in kernel32.dll called from 0x4016b3
5. GetThreadContext at 0x7c838eeb in kernel32.dll called from 0x401565
6. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4016de
7. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40157e
8. ZwUnmapViewOfSection at 0x7c90e960 in ntdll.dll called from 0x4016f5
9. VirtualAllocEx at 0x7c809aa2 in kernel32.dll called from 0x4015a1
10. WriteProcessMemory at 0x7c80220f in kernel32.dll called from 0x4015e9
11. VirtualProtectEx at 0x7c801a5d in kernel32.dll called from 0x4015c5
12. SetThreadContext at 0x7c862849 in kernel32.dll called from 0x401603
13. ResumeThread at 0x7c81e92a in kernel32.dll called from 0x401618
14. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x4017f8
CFG at exit
- dot file
- jpg

MD5 checksum	59d2d8493f5c117e6ff33b4804a5bd5c
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable),Trojan.Generic.504317

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x400154 0x4001e8 0x4001ec 0x4001f1 0x400162 0x40015d 0x400164 0x400168 0x40016a 0x40016e 0x400170 0x400177 0x400175 0x40017b 0x4001b7 0x400160 0x40017d 0x400180 0x4001de 0x4001e1 0x4001e5 0x4001e7 0x400183 0x400198 0x4001dc 0x4001a1 0x4001a6 0x4001ab 0x4001b0 0x4001b1 0x4001b2 0x4001df 0x40018a 0x40018d 0x4001b3 0x40018f 0x400194 0x4001c1 0x4001c9 0x4001cf 0x4001d4 0x4001d9 0x4001ca 0x4001c2 0x4001d1 0x401200 0x401208 0x401213 0x401380 0x401399 0x401330 0x401528 0x40133b 0x40134c 0x401357 0x401522
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001c6
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001d6
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x401202
4. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40120d
5. GetSystemDirectoryA at 0x7c814c63 in kernel32.dll called from 0x401393
6. operator at 0x77c29cc5 in msvcrt.dll called from 0x401528
7. FindFirstFileA at 0x7c813559 in kernel32.dll called from 0x401346
8. operator at 0x77c29cdd in msvcrt.dll called from 0x401522
9. std at 0x76081e9c in MSVCP60.dll called from 0x77c29cd7
10. std at 0x760826a2 in MSVCP60.dll called from 0x77c29cd7
CFG at exit
- dot file
- jpg

MD5 checksum	5ba11cbfe158ca8f760712583a33c6ce
Anti-virus name	W32/Gobot.B (exact),Trojan.Gobot-4,Backdoor.Bot.67157

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x41d30f 0x41d33a 0x41d341 0x41d330 0x41d336 0x41d343 0x41d348 0x41d353 0x41d359 0x41d364 0x41d378 0x41d383 0x41d390 0x41d3b4 0x41d3c5 0x41d3ce 0x41d36b 0x41d376 0x41d3d4 0x41d3e3 0x41d394 0x41d395 0x41d3a0 0x41d3a6 0x41d3b1 0x41d37c 0x41d389 0x41d3a8 0x41d35b 0x41d34c 0x41d399 0x41d3ea 0x41d3f2 0x41d3f7 0x41d3fb 0x41d400 0x41d41e 0x41d42a 0x41d440 0x41d448 0x41d455 0x41d459 0x41d441 0x41d424 0x41d466 0x404e50 0x404ca4 0x404d16 0x404e88 0x4050d8 0x4051bc 0x405328 0x4054ec 0x405b2c 0x4058ab 0x4059f8 0x401f60 0x4018cc 0x401e8b 0x401e94 0x401e97 0x401e9f 0x401eac 0x401eb4 0x401e40 0x401e49 0x401e53 0x401e61 0x401e69 0x401ec1 0x401de0 0x401634 0x401688
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x41d43a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41d44f
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x404d18
4. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x40326c
5. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x404ff8
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4011c8
7. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4011a8
- dot file
- jpg

MD5 checksum	5bd3d0ba7d2da806adadfe748a6953ba
Anti-virus name	W32/Trojan2.BGGP (exact, not disinfectable),Trojan.Agent-54620,Dropped:Trojan.Generic.391413

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x10055e9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	62dfc75f6ee914008a9ad7e5f11c863d
Anti-virus name	W32/Dropper.AFPO (exact, dropper),Trojan.Dropper.Joiner.21,Trojan.Dropper.Tefil.2.1.A

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40d090 0x40d0b2 0x40d0b9 0x40d0a8 0x40d0ae 0x40d0bb 0x40d0c0 0x40d0cb 0x40d0d1 0x40d0dc 0x40d0e3 0x40d0ee 0x40d0f0 0x40d0fb 0x40d108 0x40d12c 0x40d14c 0x40d15b 0x40d10c 0x40d10d 0x40d118 0x40d11e 0x40d129 0x40d120 0x40d0d3 0x40d101 0x40d13d 0x40d146 0x40d0c4 0x40d111 0x40d0f4 0x40d162 0x40d16a 0x40d16f 0x40d173 0x40d178 0x40d196 0x40d1a2 0x40d1b8 0x40d1c0 0x40d1cd 0x40d1d1 0x40d1b9 0x40d19c 0x40d1de 0x403b70 0x403b77 0x40380c 0x403660 0x4036d2 0x403844 0x4038b4 0x403af0 0x403204 0x4031d8 0x4031dc 0x402434 0x402439 0x401e6c 0x401e80 0x401780 0x40179b 0x4017ae 0x401144 0x4017c2 0x4017cc 0x4017d8 0x4017e6 0x4017eb 0x4017ff 0x401815 0x401835 0x401e9b 0x401ebc 0x401ecc 0x401ed8 0x401ee1 0x401f6b 0x401fbd 0x401d78 0x401d88 0x401d97 0x401da0 0x401da3 0x401dab 0x401db8 0x401dc0 0x401d4c 0x401d55 0x401d5f 0x401d6d 0x401d75 0x401dcd 0x401cec 0x401540 0x401594 0x401598 0x401298 0x4012a7 0x4012ba 0x4012cc 0x4012d4 0x40114c 0x4010f4 0x401100 0x40110c 0x401117 0x401126 0x40113a 0x401160 0x4012f7 0x4015a6 0x401194 0x4011b0 0x4011d2 0x4011e8 0x4011ee 0x4011f7 0x4011ff 0x40155c 0x401561 0x401566 0x40142c 0x4014ae 0x401472 0x401480 0x401486 0x40148a 0x40148e 0x40149e 0x4014ac 0x4014b6 0x401577 0x4015c7 0x401d02 0x401c60 0x401c14 0x401c5d 0x401c84 0x401c90 0x401ca0 0x401cb7 0x401cc0 0x4019b8 0x4019d5 0x4019da 0x4019e6 0x401cd1 0x401ce2 0x401d11 0x401d13 0x401ddf 0x401de4 0x401df5 0x401e67 0x401fe7 0x402450 0x403214 0x40321c 0x402590 0x4025af 0x4025bc 0x4025cd 0x403140 0x403162 0x403194 0x403198 0x4031b8 0x4031bc 0x4031d6 0x401f8f 0x402c98
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40d1b2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40d1c7
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4036d4
4. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x4028ac
5. GetCurrentDirectoryA at 0x7c8397a1 in kernel32.dll called from 0x40385c
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4010d4
7. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4010b4
8. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4010c4
- dot file
- jpg

MD5 checksum	63fd4499ab652ee61256eefa11189af6
Anti-virus name	W32/Backdoor.AAPY (exact),Adware.ZenoSearch-2,Adware.Zenosearch.O

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x406502 0x406517 0x406525 0x40653e 0x406552 0x406646 0x406662 0x406655 0x406557 0x406640 0x406566 0x40658a 0x4066ae 0x406680 0x4066c6 0x401230 0x401240 0x401020 0x40626a 0x401270 0x401280 0x40627c 0x4012b0 0x4012c0 0x406264 0x4012f0 0x401300 0x401330 0x401340 0x401370 0x401380 0x4013b0 0x4013c0 0x4013f0 0x401400 0x401430 0x401440 0x401470 0x401480 0x4014b0 0x4014c0 0x4014f0 0x401500 0x401530 0x401540 0x401570 0x401580 0x4015b0 0x4015c0 0x4015f0 0x401600 0x401630 0x401640 0x401670 0x401680 0x4016b0 0x4016c0 0x4016f0 0x401700 0x401730 0x401740 0x401770 0x401780 0x4017b0 0x4017c0 0x4017f0 0x401800 0x401830 0x401840 0x401870 0x401880 0x4018b0 0x4018c0 0x4018f0 0x401900 0x401930 0x401940 0x401970 0x401980 0x4019b0 0x4019c0 0x4019f0 0x401a00 0x401a30 0x401a40 0x401a70 0x401a80 0x405da0 0x406408 0x401b00 0x401b10 0x405fd0 0x405fe0 0x406599 0x4065ab 0x4065b5 0x4065b9 0x4065be 0x4065c2 0x4065cc 0x4065d9 0x4065f0 0x4065f3 0x4065fd 0x406668 0x4066c0 0x406502 0x406517 0x406525 0x40653e 0x406552 0x406646 0x406662 0x406655 0x406557 0x406640 0x406566 0x40658a 0x4066ae 0x406680 0x4066c6 0x401230 0x401240 0x401020 0x40626a 0x401270 0x401280 0x40627c 0x4012b0 0x4012c0 0x406264 0x4012f0 0x401300 0x401330 0x401340 0x401370 0x401380 0x4013b0 0x4013c0 0x4013f0 0x401400 0x401430 0x401440 0x401470 0x401480 0x4014b0 0x4014c0 0x4014f0 0x401500 0x401530 0x401540 0x401570 0x401580 0x4015b0 0x4015c0 0x4015f0 0x401600 0x401630 0x401640 0x401670 0x401680 0x4016b0 0x4016c0 0x4016f0 0x401700 0x401730 0x401740 0x401770 0x401780 0x4017b0 0x4017c0 0x4017f0 0x401800 0x401830 0x401840 0x401870 0x401880 0x4018b0 0x4018c0 0x4018f0 0x401900 0x401930 0x401940 0x401970 0x401980 0x4019b0 0x4019c0 0x4019f0 0x401a00 0x401a30 0x401a40 0x401a70 0x401a80 0x405da0 0x406408 0x401b00 0x401b10 0x405fd0 0x405fe0 0x406599 0x4065ab 0x4065b5 0x4065b9 0x4065be 0x4065c2 0x4065cc 0x4065d9 0x4065f0 0x4065f3 0x4065fd 0x406668 0x4066c0
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x4064fc
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x406511
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x40651f
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x406662
5. initterm at 0x77c39d67 in msvcrt.dll called from 0x406640
6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x406584
7. targ982d6 at 0x73e682d6 in MFC42.DLL called from 0x4066c6
8. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4065d3
9. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4065f7
CFG at exit
- dot file
- jpg

MD5 checksum	64a61530d7ee5b9949ea2baee9e99f01
Anti-virus name	W32/Worm.AFKM (exact),Win32.Bagle.SUQ@mm

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x420c47 0x425a6b 0x425a76 0x425a85 0x425a8a 0x425a92 0x425a9a 0x425aad 0x425aae 0x425aaf 0x425ab3 0x425ac2 0x425ac3 0x425ac7 0x425acb 0x425ae3 0x425ae7 0x425aeb 0x425af3 0x425af7 0x425b06 0x425b07 0x425b0b 0x425b13 0x425b27 0x425b2b 0x425b2f 0x425b37 0x425b3b 0x425b4a 0x425b56 0x425b57 0x425b77 0x425b7b 0x425b87 0x425b8c 0x425b98 0x425ba0 0x425ba4 0x425ba8 0x425bb0 0x425bb4 0x425bc3 0x425bc4 0x425bc8 0x425bd4 0x425bd8 0x425bdc 0x425be4 0x425be8 0x425bf0 0x425bff 0x425c0b 0x425c16 0x425c22 0x425c2a 0x425c32 0x425c56 0x425c5b 0x425ca3 0x425ca7 0x425cae 0x425cb2 0x425cb3 0x425cb8 0x425cc0 0x425cc5 0x425cd0 0x425d1c 0x425d20 0x425d24 0x425d28 0x425d33 0x425d52 0x425d53 0x425d80 0x425d94 0x425d98 0x425d9c 0x425dac 0x425de0 0x425de4 0x425de8 0x429277 0x42927d 0x429286 0x429292 0x4292ee 0x429304 0x42930c 0x429326 0x429354 0x42936b 0x4293a9 0x4293b1 0x4293c3 0x4293db 0x42946d 0x42947e 0x429597 0x42959f 0x4295a8 0x4295b8 0x4295ca 0x4295dc 0x42961a 0x42961e 0x429631 0x429640 0x42963c 0x42964c 0x428d8e 0x428da0 0x428da3 0x428db2 0x428e03 0x428e5d 0x428e61 0x428e79 0x428fb9 0x428fe1 0x428ffc 0x429094 0x4290a7 0x4290af 0x4290ea 0x42911d 0x429125 0x429a1c 0x429c27 0x429c70 0x429c7f 0x429c99 0x429cdf 0x429cd5 0x429ce7 0x429a47 0x429a52 0x42964e 0x429668 0x42967e 0x42969d 0x4296b7 0x4296de 0x4296ff 0x429735 0x429739 0x429750 0x42975c 0x42977a 0x429795 0x4297a3 0x4297db 0x4297dc 0x4297e9 0x4297f6 0x4297f7 0x429807 0x429811 0x429871 0x4298a3 0x4298ab 0x4298b8 0x4298bc 0x4298d3 0x4298e5 0x429961 0x429965 0x429999 0x4299d8 0x4299da 0x429aa0 0x429ae0 0x429ae4 0x429afe 0x429b09 0x429b0c 0x429be9 0x429bf1 0x429bfc 0x429b13 0x429b22 0x429b25 0x429b2c 0x429b2e 0x429b3e 0x429b43 0x429b47 0x429bc7 0x429b70 0x429b81 0x429bb3 0x429bb7 0x429bbc 0x429bc1 0x429b58 0x429c01 0x429c06 0x429c0b 0x429c12 0x429c14 0x429b65 0x429bff 0x429b6a 0x429b85 0x429b98 0x429ba3 0x429baa 0x429baf 0x429b4d 0x429c17 0x429a94 0x42913c 0x429147 0x42915e 0x429175 0x42917e 0x429192 0x429196 0x4291b2 0x4291b8 0x4291c4 0x4291e0 0x4291e8 0x4291f5 0x4291fd 0x429217 0x429226 0x429258 0x429269 0x429270 0x41825f 0x41827c 0x418304 0x418289 0x418292 0x41829c 0x4182f3 0x4182b3 0x4182d0 0x4182dd 0x4182e5 0x4182ed 0x4182ee 0x4182fc 0x418312 0x418316 0x4183a8 0x4183ad
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x428d8b
2. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x428daf
3. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x41828f
4. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4182e2
CFG at exit
- dot file
- jpg

MD5 checksum	64cce5bdbcd7038e23d543842a41f4bf
Anti-virus name	W32/Turkojan.C.gen!Eldorado (generic, not disinfectable),Trojan.Truko-429,Backdoor.Turkojan.AF

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x44dd40 0x44dd58 0x44dd5d 0x44de24 0x44de28 0x44de32 0x44de52 0x44de5c 0x44de6b 0x44de7c 0x44deba 0x44ded3 0x44dff7 0x44e022 0x44e037 0x44dfef 0x44e050 0x44e068 0x44e088 0x44e7b0 0x44dea2 0x44deac 0x44e00a 0x44e014 0x44e0b0 0x44e0f3 0x44e15f 0x44e197 0x44e1b5 0x44e209 0x44e27f 0x44e3b7 0x44e3d3 0x44e3f1 0x44e403 0x44e4a4 0x44e4dd 0x44e4ea 0x44e515 0x44e529 0x44e556 0x44e4fd 0x44e507 0x44e541 0x44e561 0x44e768 0x44e779 0x44e790 0x44e7a1 0x44df2d 0x44df44 0x44df86 0x44dfc1 0x44e095 0x44e09c 0x44e10d 0x44e581 0x44e592 0x44e5b1 0x44e5c4 0x44e5ce 0x44e5dc 0x44e5f0 0x44e61d 0x44e608 0x44e628 0x44e75e 0x44dfe1 0x44df6e 0x44df78 0x44df9e 0x44dfbf 0x44e637 0x44e64f 0x44e6c1 0x44e6ce 0x44e6fc 0x44e72c 0x44e74b 0x44e711 0x44e6e4 0x44e6ee 0x44e298 0x44e2ce 0x44e30b 0x44e343 0x44e37d 0x44e3a3 0x44e3ab 0x44e432 0x44e44a 0x44e454 0x44e460 0x44e4ae 0x44e0a6 0x44e35d 0x44e3db 0x44e3e5 0x44e2e8 0x44e0dd 0x44e0e7 0x44e1f3 0x44e1fd 0x44e181 0x44e18b 0x44e473 0x44e58d 0x44e21f 0x44e245 0x44e66b 0x44e66e 0x44e678 0x44e682 0x44e690 0x44e6a3 0x44e6a6 0x44e69c 0x44e32d 0x44e337 0x44e2b8 0x44e2c2 0x44dfed 0x44e7c1 0x44e7e0 0x44e7ff 0x44e817 0x44e81c 0x44e828 0x44e82d 0x44e831 0x44e836 0x44e854 0x44e860 0x44e876 0x44e87e 0x44e88b 0x44e88f 0x44e877 0x44e85a 0x44e89c 0x44e8b5 0x44e8ca 0x44e8d0 0x44e8d6 0x430528 0x43052f 0x40357d 0x4021ac 0x4035ec 0x403448 0x403456
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x44e870
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x44e885
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x44e8b3
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x44e8c8
5. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40109c
6. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401074
7. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40114c
CFG at exit
- dot file
- jpg

MD5 checksum	66442b7cdff4d3c066bd22bcfd09ead6
Anti-virus name	W32/Backdoor2.COEJ (exact, not disinfectable),Trojan.Bifrose-6105,Trojan.Delf.Inject.F

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	6750ef56c39850ad6277fa91109b2909
Anti-virus name	W32/Swizzor.D.gen!Eldorado (generic, not disinfectable),Trojan.Agent-44032,Trojan.Swizzor.2

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40a882 0x40a8ae 0x411145 0x404d01 0x40a8ed 0x412a9d 0x412aa5 0x412aad 0x40d454 0x412b0d 0x4053ed 0x405407 0x405493 0x412b23 0x413fa8 0x40d47c 0x40d48d 0x40a8f2 0x40a8fe 0x410b80 0x407419 0x407527 0x407535 0x40756c 0x40a90e 0x402dc8 0x402de3 0x402de5 0x402deb 0x402e1f 0x402e2f 0x402e36 0x402e3d 0x402e44 0x402e5d 0x402e63 0x402e69 0x402e72 0x402e7f 0x402e91 0x402e95 0x402e9c 0x402ef3 0x410b4a 0x4050e0 0x410b50 0x410b59 0x410b60 0x412acf 0x412af2 0x412b03 0x411552 0x411591 0x4117a7 0x411436 0x4114bc 0x411512 0x411524 0x40309f 0x40313c 0x403194 0x4031aa 0x403245 0x40326a 0x4116df 0x415643 0x415675 0x40ec66 0x40ec78 0x40ec80 0x40ec86 0x40ec8b 0x4108d0 0x4108f0 0x410908 0x41090f 0x410913 0x41091a 0x410923 0x40ec91 0x410937 0x4108dc 0x4108e3 0x4108eb 0x41092d 0x40ec8a 0x410941 0x40ec98 0x40eca5 0x40ecba 0x40ecc4 0x40ecc5 0x40eccb 0x40ecf6 0x40ecd4 0x40ecda 0x40ece9 0x411170 0x4111e1 0x4111ed 0x4111f4 0x4111ff 0x411206 0x411201 0x411220 0x411224 0x411228 0x411242 0x40ecf1 0x411230 0x41123a 0x411258 0x40ecfc 0x40ecfd 0x40a5f6 0x40a5ff 0x404d2c 0x404d3c 0x404d40 0x404d4f 0x404d54 0x404d56 0x40a625 0x40a62c 0x40a63c 0x4139df 0x4139ea 0x413ae5 0x413aea 0x413af0 0x413af8 0x413af6 0x4020e3 0x4020f0 0x4020fd 0x402102 0x413faf 0x413fbe 0x40210a 0x402136 0x40213d 0x402153 0x40215a 0x40217a 0x40217d 0x402176 0x402189 0x413a08 0x40a939 0x40fff8 0x410006 0x410013 0x41001b 0x41001f 0x40f648 0x40f659 0x40f66a 0x40f67f 0x40f681 0x40f685 0x40f655 0x410030 0x410035 0x410042 0x41004c 0x40a94d 0x40a950 0x40a95c 0x4061c3 0x406218 0x412b35 0x4125e1 0x41272c 0x412789 0x41279c 0x412804 0x412ba7 0x412c39 0x412c72 0x412b44 0x412b51 0x40d61c 0x40d78a 0x40d746 0x40d683 0x413f3f 0x41e685 0x41e6aa 0x41ebd8 0x41ebe1 0x414690 0x4146bb 0x4146c6 0x4146ec 0x4146f3 0x414702 0x414704 0x41ebec 0x41ec88
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40a8a8
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x41113f
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x404cfb
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x412a93
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x412a9b
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x412aa3
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x412aab
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40d44e
9. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x412b07
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4053e7
11. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x405401
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40548d
13. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x412b1d
14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40d476
15. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40d487
16. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x410b7a
17. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x407413
18. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x407521
19. GetFileType at 0x7c811069 in kernel32.dll called from 0x40752f
20. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x407566
21. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40a908
22. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x402de3
23. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402e5b
24. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402e7d
25. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x402e96
26. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x412aec
27. GetACP at 0x7c809943 in kernel32.dll called from 0x411716
28. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x41158b
29. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4117a1
30. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x411430
31. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4114b6
32. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x41150c
33. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x41151e
34. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x403099
35. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x403136
36. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40318e
37. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4031a4
38. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40323f
39. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x403264
40. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x41563d
41. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40a636
42. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x413fb8
43. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40a933
44. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40a956
45. GetLocalTime at 0x7c80c9c1 in kernel32.dll called from 0x4061b3
46. GetSystemTime at 0x7c80176b in kernel32.dll called from 0x4061bd
47. GetTimeZoneInformation at 0x7c8394ae in kernel32.dll called from 0x406212
48. CompareStringW at 0x7c80a34e in kernel32.dll called from 0x4125db
49. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x412726
50. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x412787
51. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x41279a
52. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4127e6
53. CompareStringW at 0x7c80a34e in kernel32.dll called from 0x4127fe
54. GetTimeZoneInformation at 0x7c8394ae in kernel32.dll called from 0x412ba1
55. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x412c37
56. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x412c70
57. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x41ebdb
58. RegisterClassExA at 0x77d54315 in USER32.dll called from 0x41ec9d

MD5 checksum	6765c7eb5b70f0b08bd9bb32fef6e693
Anti-virus name	W32/Agent.BJ.gen!Eldorado (generic, not disinfectable),Trojan.Dropper-6679,Trojan.Dropper.LDPinch.AG

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401058 0x401085 0x401095 0x401099 0x4010b4 0x4010bf 0x4010ca 0x4010ea 0x4010f6 0x401104 0x40110e 0x401121 0x401128 0x401172 0x401179 0x401189 0x40119f 0x4011b6 0x4011c8 0x4011f4 0x401209 0x401218 0x40122c 0x40124b 0x40124e 0x40126d 0x401272 0x4012af 0x401085 0x401095 0x401099 0x4010b4 0x4010bf 0x4010ca 0x4010ea 0x4010f6 0x401104 0x40110e 0x401121 0x401128 0x401172 0x401179 0x401189 0x40119f 0x40124b 0x40124e 0x40126d 0x401272 0x4012af
Windows API calls issued from malware code
1. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40119c
2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4011b3
3. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x401248
4. WriteFile at 0x7c810f9f in kernel32.dll called from 0x40126a
5. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x40126f
6. ShellExecuteA at 0x7ca0fe44 in SHELL32.DLL called from 0x401291
7. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x4012b6
CFG at exit
- dot file
- jpg

MD5 checksum	67b6a8c9a060ab394a32be76a16d34bc
Anti-virus name	W32/Dropper.AGRQ (exact, dropper),Trojan.OnlineGames-1600,Trojan.Downloader.JLPM

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4473d0 0x4473f2 0x4473f9 0x4473e8 0x4473ee 0x4473fb 0x447400 0x44740b 0x447411 0x44743b 0x447442 0x44744d 0x44745e 0x447460 0x44746c 0x44746e 0x447479 0x44747f 0x44748a 0x44748d 0x4474ac 0x4474bb 0x447453 0x447481 0x44749e 0x4474a7 0x44742c 0x447437 0x447465 0x447430 0x447457 0x44741c 0x447428 0x447421 0x447404 0x447413 0x447472 0x4474c2 0x4474ca 0x4474cf 0x4474d3 0x4474d8 0x4474f6 0x447502 0x447518 0x447520 0x44752d 0x447531 0x447519 0x4474fc 0x44753e 0x447557 0x44756c 0x447572 0x447578 0x402c9e 0x402cb1 0x402d11
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x447512
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x447527
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x447555
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x44756a
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036f2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d20
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036f8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d32
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403704
- dot file
- jpg

MD5 checksum	68381ec6d3440272558081c0488a32e2
Anti-virus name	W32/Heuristic-210!Eldorado (not disinfectable)

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x4107e5 0x4107f9 0x403b26 0x4052ef 0x41437c 0x4052fc 0x405306 0x405340 0x405439 0x40543e 0x40fee8 0x40fee2 0x40feed 0x405448 0x40531f 0x40ff10 0x40ff16 0x40532f 0x40533a 0x402f50 0x402f56 0x4143dc 0x402f61 0x402f66 0x402f81 0x414546 0x402fc1 0x408f10 0x408f13 0x408f17 0x408f27 0x408f2b 0x408f33 0x408f1b 0x408f43
Windows API calls issued from malware code
1. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414388
2. IsDBCSLeadByte at 0x7c80b664 in kernel32.dll called from 0x41441e
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x41438e
4. SetEnvironmentVariableA at 0x7c8226a9 in kernel32.dll called from 0x414454
5. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4143ca
6. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4143d0
7. LoadIconA at 0x77d521ae in USER32.dll called from 0x4145a6
8. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x41437c
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4143dc
10. GetClassNameA at 0x77d4e032 in USER32.dll called from 0x414546
11. wvsprintfA at 0x77d4a041 in USER32.dll called from 0x41462a
CFG at exit
- dot file
- jpg

MD5 checksum 68f8bea26ff6ecd4468dc6199957d6d9

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x40a860 0x40a88c 0x40c92f 0x40cb57 0x40cb70 0x40c93e 0x40a8ca 0x40c96f 0x40c978 0x40c981 0x40c989 0x40f87c 0x40ca03 0x40ca24 0x40f8a5 0x40f8b8 0x40a8cf 0x40a8dd 0x4099a2 0x40f6d0 0x40f811 0x40f81f 0x40f864 0x40996c 0x40997a 0x409986 0x40998d 0x40c9aa 0x40c9d9 0x40c9f1 0x40c05b 0x40c0b1 0x40c168 0x40c347 0x40a8f4 0x40f500 0x40f51d 0x40f51f 0x40f525 0x40f53d 0x40f542 0x40f54b 0x40f55b 0x40f563 0x40f56c 0x40f575 0x40f590 0x40f596 0x40f59c 0x40f5a5 0x40f5b7 0x40f5c6 0x40f5cd 0x40a8fe 0x40a907 0x40a91a 0x40f2a9 0x40a91f 0x40f160 0x40f173 0x40f178 0x40f177 0x40f190 0x40f19d 0x40f1ba 0x40f1c7 0x40f220 0x40f1db 0x40f1e1 0x40f1f4 0x40f22a 0x4099b0 0x4099ba 0x40cdb0 0x40cdb9 0x40cdc3 0x40ce06 0x4099fb 0x409a02 0x409a15 0x40bd10 0x40bd19 0x409ca0 0x409cd0 0x40d37b 0x40d38b 0x40d393 0x409caa 0x40bd1b 0x40be60 0x40be6e 0x40be76 0x40be74 0x40a3d0 0x40a3da
- Windows API calls issued from malware code
  1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40a886
  2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40c929
  3. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40cb55
  4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40cb6e
  5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c96d
  6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c976
  7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c97f
  8. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c987
  9. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40f876
  10. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40c9fd
  11. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40ca1e
  12. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40f89f
  13. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40f8b2
  14. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40999c
  15. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40f6ca
  16. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x40f80f
  17. GetFileType at 0x7c811069 in kernel32.dll called from 0x40f819
  18. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x40f85e
  19. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c9d3
  20. GetACP at 0x7c809943 in kernel32.dll called from 0x40c292
  21. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40c0ab
  22. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40a8ee
  23. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40f51d
  24. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40f58a
  25. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40f5b1
  26. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40f5c7
  27. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40f261
  28. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x409a0f
  29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40d375
  30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40d385
  31. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x40d391

MD5 checksum	6a11c7887c466dd125544e23f2eaf010
Anti-virus name	W32/Zlob.Y.gen!Eldorado (generic, not disinfectable),Trojan.Zlob.31074

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x433dd0 0x433dea 0x433df1 0x433de0 0x433de6 0x433df3 0x433df8 0x433e03 0x433e09 0x433e14 0x433e1b 0x433e26 0x433e28 0x433e33 0x433e40 0x433e64 0x433e84 0x433e93 0x433e44 0x433e45 0x433e50 0x433e56 0x433e58 0x433e61 0x433e49 0x433dfc 0x433e0b 0x433e2c 0x433e39 0x433e75 0x433e7e 0x433e9a 0x433ea2 0x433ea7 0x433eab 0x433eb0 0x433ece 0x433eda 0x433ef0 0x433ef8 0x433f05 0x433f09 0x433ef1 0x433ed4 0x433f16 0x433f2f 0x433f44 0x433f4a 0x433f50 0x401e2b 0x401e81 0x401ed3 0x401ee6 0x401efa 0x401f08 0x401f79 0x401dac 0x401d83 0x401fe2 0x402151
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x433eea
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x433eff
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x433f2d
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x433f42
5. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401e25
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401e7f
7. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401ed1
8. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x401ee0
9. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x401ef8
10. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x401f06
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401f10
12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401f77
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401da6
14. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401d76
15. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401d7d
16. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x401f8c
17. CreateThread at 0x7c81082f in kernel32.dll called from 0x401fdc
18. CreateDesktopA at 0x77d85b10 in USER32.dll called from 0x402168
19. CoInitialize at 0x775285d3 in ole32.dll called from 0x401c0b
CFG at thread creation event
- dot file
- jpg

MD5 checksum	6a728c3d9efc042826d58f25b21e8ec3
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable),Trojan.Spy-49865,Trojan.Crypt.Delf.D

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x8001018 0x80010a0 0x80010d8 0x8024c73 0x8024c2b 0x8024c43 0x8024c5f 0x8024c71 0x8024c7a 0x8024c7c 0x8024c86 0x8024cbe 0x8024bfb 0x8024c01 0x8024c52 0x8024c67 0x8024c07 0x8024cc3 0x8024dbd 0x8024ccb 0x8024cdc 0x8024cde 0x8024ce2 0x8024ce4 0x8024ce8 0x8024d0e 0x8024c0a 0x8024c0e 0x8024c20 0x8024bf8 0x8024c27 0x8024d19 0x8024daf 0x8024c15 0x8024cc6 0x8024cea 0x8024c9f 0x8024caf 0x8024cb5 0x8024cbc 0x8024ca2 0x8024d20 0x8024d34 0x8024d3f 0x8024d4d 0x8024dad 0x8024d3d 0x8024d53 0x8024d95 0x8024da2 0x8024da4 0x8024daa 0x8024cf8 0x8024cfd 0x8024d02 0x8024d06 0x8024d0b 0x8024c17 0x8024c1b 0x8024d6a 0x8024d81 0x8024d87 0x8024c60 0x8024d8a 0x8024d6f 0x8024d8c 0x80010a0 0x80010d8 0x8024c73 0x8024c2b 0x8024c43 0x8024c5f 0x8024c71 0x8024c7a 0x8024c7c 0x8024c86 0x8024cbe 0x8024bfb 0x8024c01 0x8024c52 0x8024c67 0x8024c07 0x8024cc3 0x8024dbd 0x8024ccb 0x8024cdc 0x8024cde 0x8024ce2 0x8024ce4 0x8024ce8 0x8024d0e 0x8024c0a 0x8024c0e 0x8024c20 0x8024bf8 0x8024c27 0x8024d19 0x8024daf 0x8024c15 0x8024cc6 0x8024cea 0x8024c9f 0x8024caf 0x8024cb5 0x8024cbc 0x8024ca2 0x8024d20 0x8024d34 0x8024d3f 0x8024d4d 0x8024dad 0x8024d3d 0x8024d53 0x8024d95 0x8024da2 0x8024da4 0x8024daa 0x8024cf8 0x8024cfd 0x8024d02 0x8024d06 0x8024d0b 0x8024c17 0x8024c1b 0x8024d6a 0x8024d81 0x8024d87 0x8024c60 0x8024d8a 0x8024d6f 0x8024d8c
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	6be02747c8c533a1a38350a7a449cfd3
Anti-virus name	W32/ShortCut.A.gen!Eldorado (generic, not disinfectable),Trojan.Generic.464135

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x411f3c 0x40d52c 0x40bf53 0x415083 0x416119 0x41612d 0x409d75 0x409d80 0x4101a2 0x414eef 0x40d57b 0x416aae 0x40d540 0x409a19 0x4119ca 0x412927 0x40d5ef 0x409810 0x40b4e5 0x40ca8c 0x40f999 0x40d041 0x415088 0x40cb17 0x40b57e 0x413654
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	6c0b99005649078b045b671bf91d6570
Anti-virus name	W32/Downldr2.EMYS (exact),Adware.Zeno-34,Adware.Zeno.S

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x408117 0x408143 0x40cd64 0x40cc2a 0x408182 0x40c198 0x40c1a0 0x40c1a8 0x40c008 0x40e420 0x40c030 0x40c041 0x408187 0x408193 0x4085d7 0x40ca80 0x40cb8e 0x40cb9c 0x40cbd3 0x4081a3 0x40c8ea 0x40c905 0x40c907 0x40c90d 0x40c941 0x40c951 0x40c958 0x40c95f 0x40c966 0x40c97f 0x40c985 0x40c98b 0x40c994 0x40c9a1 0x40c9b3 0x40c9b7 0x40c9be 0x40ca15 0x40c1ed 0x409712 0x409751 0x409967 0x40f33d 0x40f3c3 0x40f419 0x40f42b 0x40e5d2 0x40e66f 0x40e6c7 0x40e6dd 0x40e778 0x40e79d 0x40989f 0x40c6c6
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40813d
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40cd5e
3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40cc24
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c18e
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c196
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c19e
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c1a6
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40c002
9. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40e41a
10. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40c02a
11. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40c03b
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4085d1
13. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40ca7a
14. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x40cb88
15. GetFileType at 0x7c811069 in kernel32.dll called from 0x40cb96
16. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x40cbcd
17. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40819d
18. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40c905
19. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40c97d
20. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40c99f
21. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40c9b8
22. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40c202
23. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c1e7
24. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40c218
25. GetACP at 0x7c809943 in kernel32.dll called from 0x4098d6
26. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40974b
27. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x409961
28. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40f337
29. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40f3bd
30. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40f413
31. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40f425
32. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e5cc
33. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e669
34. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e6c1
35. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e6d7
36. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e772
37. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40e797
38. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40c6c0

MD5 checksum	6c10df6d383212cd70f561dd2bdaf246
Anti-virus name	W32/Downldr2.ELHJ (exact),Trojan.Spy-52554,Adware.Generic.34140

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x408237 0x408263 0x40ce84 0x40cd4a 0x4082a2 0x40c2b8 0x40c2c0 0x40c2c8 0x40c128 0x40e482 0x40e540 0x40c150 0x40c161 0x4082a7 0x4082b3 0x4086f7 0x40cba0 0x40ccae 0x40ccbc 0x40ccf3 0x4082c3 0x40ca0a 0x40ca25 0x40ca27 0x40ca2d 0x40ca61 0x40ca71 0x40ca78 0x40ca7f 0x40ca86 0x40ca9f 0x40caa5 0x40caab 0x40cab4 0x40cac1 0x40cad3 0x40cad7 0x40cade 0x40cb35 0x40c30d 0x40c33e 0x409832 0x409871 0x409a87 0x40f45d 0x40f4e3 0x40f539 0x40f54b 0x40e6f2 0x40e78f 0x40e7e7 0x40e7fd 0x40e898 0x40e8bd 0x4099bf 0x40c7e6 0x40c704 0x40c716 0x40c71e 0x40c724 0x40c729 0x409030 0x409050 0x409068 0x40906f 0x409073 0x40907a 0x409083 0x40c72f 0x409097 0x40903c 0x409043 0x40904b 0x40908d 0x40c728 0x4090a1 0x40c736 0x40c743 0x40c758 0x40c762 0x40c763 0x40c769 0x40c794 0x40c772 0x40c778 0x40c787 0x40d140 0x40d1b1 0x40d1bd 0x40d1c4 0x40d1cf 0x40d1d6 0x40d1d1 0x40d1f0 0x40d1f4 0x40d1f8 0x40d212 0x40c78f 0x40d200 0x40d20a 0x40d228 0x40c79a 0x40c79b 0x4083d2 0x408400 0x408445 0x40849d 0x4084ac 0x40803c 0x408045 0x40927b 0x409293 0x40f5bc 0x40f5c0 0x40f5cc 0x40f5d0 0x40f5d4 0x409285 0x4111ac 0x4111b0 0x4111bc 0x4111c9 0x411135 0x408047 0x408142 0x408147 0x40814d 0x408155 0x408153 0x407a7c 0x407a86 0x407a9d 0x410100 0x41010d 0x41011a 0x41011f 0x410127 0x410153 0x41015a 0x410170 0x410177 0x410197 0x41019a 0x410193 0x4101a6 0x40fa46
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40825d
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40ce7e
3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40cd44
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c2ae
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c2b6
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c2be
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c2c6
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40c122
9. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40e53a
10. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40c14a
11. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40c15b
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4086f1
13. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40cb9a
14. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x40cca8
15. GetFileType at 0x7c811069 in kernel32.dll called from 0x40ccb6
16. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x40cced
17. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4082bd
18. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40ca25
19. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40ca9d
20. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40cabf
21. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40cad8
22. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40c322
23. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c307
24. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40c338
25. GetACP at 0x7c809943 in kernel32.dll called from 0x4099f6
26. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40986b
27. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x409a81
28. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40f457
29. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40f4dd
30. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40f533
31. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40f545
32. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e6ec
33. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e789
34. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e7e1
35. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e7f7
36. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e892
37. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40e8b7
38. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40c7e0
39. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4084a6
40. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40f5b6
41. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40f5c6
42. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x40f5d2
43. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x40fa4b

MD5 checksum	6c59299ed54525df2f630c8bf1f73c17
Anti-virus name	W32/Swizzor-based!Maximus,Trojan.Obfus-29,Trojan.Swizzor.1

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x418c0c 0x41968b 0x407881 0x407890 0x407899 0x419ee6 0x404bb4 0x404bc2 0x404bcd 0x412937 0x409840 0x40be24 0x40be35 0x40be40 0x406d54 0x41aa3b 0x40eae7 0x40eaf8 0x40eb06 0x4042bc 0x4041e6 0x404214 0x40421f 0x411f7b 0x40a806 0x40a84f 0x40a85d 0x41259d 0x40cb0e 0x40e224 0x401efd 0x401f0b 0x401f16 0x4019e3 0x410075 0x41635f 0x416370 0x41637e 0x4144e5 0x4026f7 0x41435f 0x414428 0x40db8a 0x40db99 0x40db82 0x411ba3 0x418b3d 0x403049 0x402abb 0x403117 0x403120 0x40fabf 0x40fb08 0x41b6a1 0x41506c 0x4028be 0x41959b 0x4195af 0x4195bd 0x40c955 0x40c989 0x40c997 0x419b43 0x419b84 0x419b92 0x40a517 0x40a56e 0x409902
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40a568

MD5 checksum	6d999ef0dcf38bd67d3e8d8df6a40b9b
Anti-virus name	W32/OnlineGames.BP.gen!Eldorado (generic, not disinfectable),Trojan.Spy-59827,Trojan.Generic.1439959

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x41aea0 0x41aec2 0x41aec9 0x41aeb8 0x41aebe 0x41aecb 0x41aed0 0x41aedb 0x41aee1 0x41aeec 0x41aef3 0x41aefe 0x41af00 0x41af0b 0x41af18 0x41af1c 0x41af1d 0x41af28 0x41af2e 0x41af39 0x41af3c 0x41af5c 0x41af6b 0x41af11 0x41af4d 0x41af56 0x41af21 0x41af30 0x41af04 0x41aed4 0x41aee3 0x41af72 0x41af7a 0x41af7f 0x41af83 0x41af88 0x41afa6 0x41afb2 0x41afc8 0x41afd0 0x41afdd 0x41afe1 0x41afc9 0x41afac 0x41afee 0x41b007 0x41b01c 0x41b022 0x41b028 0x4020ae 0x4020c1 0x402121 0x40212a 0x401739 0x40176d 0x4016ee 0x4016f9 0x4016ff 0x401411 0x4013d1 0x401404 0x4013e4 0x401376 0x4013bc 0x4013c2 0x401384 0x40139a 0x4013a0 0x4013aa 0x4013af 0x4013f4 0x401402 0x401390 0x4013b6 0x4013c8 0x4013f8 0x401428 0x401430 0x4012c3 0x4012d6 0x401323 0x401336 0x401333 0x401342 0x401364 0x401446 0x401120 0x40112c 0x401138 0x40114a 0x401157 0x40115b 0x401164 0x401169 0x401171 0x4011d2 0x4011d8 0x4011ef 0x4011f8 0x401247 0x40124f 0x401256 0x40145a 0x401475 0x401495 0x40149b 0x4014ab 0x4014c0 0x4014ce 0x4014d6 0x4014df 0x4014ea
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x41afc2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41afd7
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x41b005
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x41b01a
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036e2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d12
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036e8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d24
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x4036f4
- dot file
- jpg

MD5 checksum	6ee29790995008e98db7780b8cde57da
Anti-virus name	W32/OnlineGames.BP.gen!Eldorado (generic, not disinfectable),Trojan.Spy-59828,Trojan.Generic.1429791

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x411da0 0x411dc2 0x411dc9 0x411db8 0x411dbe 0x411dcb 0x411dd0 0x411ddb 0x411de1 0x411dec 0x411df3 0x411dfe 0x411e00 0x411e0b 0x411e18 0x411e1c 0x411e1d 0x411e28 0x411e2e 0x411e39 0x411e3c 0x411e5c 0x411e6b 0x411e11 0x411e4d 0x411e56 0x411e21 0x411e30 0x411e04 0x411dd4 0x411de3 0x411e72 0x411e7a 0x411e7f 0x411e83 0x411e88 0x411ea6 0x411eb2 0x411ec8 0x411ed0 0x411edd 0x411ee1 0x411ec9 0x411eac 0x411eee 0x411f07 0x411f1c 0x411f22 0x411f28 0x40258b 0x40259e 0x4025fe 0x402607
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x411ec2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x411ed7
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x411f05
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x411f1a
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036f2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d20
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036f8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d32
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403704
- dot file
- jpg

MD5 checksum	6f15cf60dc7778ad9e668063c3a4d733
Anti-virus name	W32/Trojan2.AWPQ (exact, not disinfectable),Trojan.Vundo-3767,MemScan:Trojan.Dropper.SCR

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x1005d3c 0x1005d49 0x1005d51 0x1005d58 0x1005d5c 0x1005d61 0x1005d73 0x1005d74 0x1005d7a 0x1005d88 0x1005d94 0x1005d97 0x1005da3 0x1002b78 0x1002b80 0x1002b98 0x1002ba0 0x1002ba7 0x1002bcb 0x1004f0a 0x1004f16 0x1004f27 0x1003682 0x1003684 0x1005e37 0x1005e3f 0x1003692 0x100502a 0x100504c 0x10043d7 0x10043fb 0x1004404 0x1004413 0x1004453 0x1004458 0x1004474 0x1004480 0x100468b 0x100468c 0x10046a0 0x1003f61 0x1003f8b 0x1003fbe 0x1003fc9 0x10046c7 0x10046f4 0x1004731 0x1004779 0x1003ecb 0x1003f19 0x1003f37 0x1003087 0x1003091 0x100309e 0x1005da9
Windows API calls issued from malware code
1. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x1005d43
2. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1005d82
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1005d9d
4. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002b76
5. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002b7a
6. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002b96
7. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002b9a
8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002ba1
9. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002bc5
10. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1004f04
11. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1004f10
12. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1005024
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10043d1
14. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1003f5b
15. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1003fb8
16. LocalFree at 0x7c80995d in kernel32.dll called from 0x1003fc3
17. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x10046c1
18. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100472b
19. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004773
20. wsprintfA at 0x77d4a2de in USER32.dll called from 0x10036e7
21. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1005daa
CFG at exit
- dot file
- jpg

MD5 checksum	6f9b4e3391c1f6261b2343ea792f06fa
Anti-virus name	W32/SecRisk-ProcessPatcher-based!Maximus,Trojan.Armin

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40235b 0x402387 0x402d72 0x403908 0x4023c7 0x40400e 0x40409a 0x402c0f 0x402d0e 0x402d1c 0x402d53 0x4023d5 0x402a7e 0x402a99 0x402a9b 0x402aa1 0x402ad5 0x402ae5 0x402aec 0x402af3 0x402afa 0x402b13 0x402b19 0x40359b 0x4035a2 0x402b1f 0x402b28 0x402b35 0x402b47 0x402b4b 0x402b52 0x402ba9 0x403147 0x403184 0x40338f 0x404562 0x4045e8 0x40463e 0x404650 0x404316 0x4043b3 0x40440b 0x404421 0x4044bc 0x4044e1 0x4032c3 0x40285a 0x40288c 0x402778 0x40278a 0x402792 0x402798 0x40279d 0x4022e0 0x402300 0x402318 0x40231f 0x402323 0x40232a 0x402333 0x4027a3 0x402347 0x4022ec 0x4022f3 0x4022fb 0x40233d 0x40279c 0x402351 0x4027aa 0x4027b7 0x4027cc 0x4027d6 0x4027d7 0x4027dd 0x402808 0x4027e6 0x4027ec 0x4027fb 0x402100 0x402171 0x40217d 0x402184 0x40218f 0x402196 0x402191 0x4021b0 0x4021b4 0x4021b8 0x4021d2 0x402803 0x4021c0 0x4021ca 0x4021e8 0x40280e 0x40280f 0x403516 0x40351f 0x403933 0x403943 0x403947 0x403956 0x40395b 0x40395d 0x403535 0x403543 0x40249a 0x4024a5 0x402582 0x402587 0x40258d 0x402595 0x402593 0x40259a 0x4024c3 0x402400 0x402720 0x40272e 0x40273b 0x402743 0x402747 0x4030f4 0x403105 0x403116 0x40312b 0x40312d 0x403131 0x403101 0x402758 0x40275d 0x40276a 0x402774 0x402414 0x402417 0x402423 0x401f2d
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x402381
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x402d6c
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403902
4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403fee
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x404008
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x404094
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x402c09
8. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x402d08
9. GetFileType at 0x7c811069 in kernel32.dll called from 0x402d16
10. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x402d4d
11. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4023cf
12. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x402a99
13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402b11
14. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402b33
15. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x402b4c
16. GetACP at 0x7c809943 in kernel32.dll called from 0x4032fe
17. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40317e
18. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x403389
19. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40455c
20. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4045e2
21. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404638
22. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40464a
23. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x404310
24. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4043ad
25. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x404405
26. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40441b
27. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4044b6
28. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4044db
29. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x402854
30. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40353d
31. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4023fa
32. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40241d
33. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401f27
34. DialogBoxParamA at 0x77d588e1 in USER32.dll called from 0x401f62

MD5 checksum	72192cd517c63cc2e550470c932687d1
Anti-virus name	W32/OnlineGames.CG.gen!Eldorado (generic, not disinfectable)

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x435e50 0x435e72 0x435e79 0x435e68 0x435e6e 0x435e7b 0x435e80 0x435e8b 0x435e91 0x435e9c 0x435eb0 0x435ebb 0x435ec8 0x435ecc 0x435ecd 0x435ed8 0x435ede 0x435ee9 0x435eec 0x435efd 0x435f06 0x435ea3 0x435eae 0x435f0c 0x435f1b 0x435e84 0x435e93 0x435ec1 0x435ed1 0x435ee0 0x435eb4 0x435f22 0x435f2f 0x435f45 0x435f4d 0x435f5a 0x435f5e 0x435f46 0x435f29 0x435f6b 0x435f84 0x435f99 0x435f9f 0x435fa5 0x40241d 0x402252 0x4023dd 0x4029ac
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x435f3f
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x435f54
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x435f82
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x435f97
5. GetWindowsDirectoryA at 0x7c82293b in kernel32.dll called from 0x402417
6. FindFirstFileA at 0x7c813559 in kernel32.dll called from 0x40224c
7. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
8. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
9. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
10. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
11. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
12. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
13. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
14. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
15. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
16. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
17. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
18. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
19. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
20. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
21. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
22. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
23. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
24. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
25. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
26. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
27. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
28. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
29. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
30. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
31. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
32. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
33. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
34. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
35. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
36. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
37. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
38. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
39. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
40. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
41. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
42. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
43. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
44. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
45. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
46. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
47. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
48. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
49. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
50. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
51. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
52. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
53. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
54. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
55. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
56. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
57. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
58. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
59. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
60. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
61. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
62. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
63. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
64. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
65. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
66. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
67. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
68. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
69. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
70. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
71. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
72. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
73. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
74. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
75. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
76. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
77. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
78. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
79. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
80. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
81. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
82. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
83. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
84. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
85. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
86. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
87. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
88. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
89. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
90. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
91. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
92. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
93. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
94. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
95. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
96. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
97. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
98. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
99. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
100. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
101. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
102. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
103. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
104. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
105. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
106. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
107. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
108. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
109. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
110. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
111. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
112. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
113. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
114. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
115. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
116. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
117. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
118. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
119. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
120. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
121. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
122. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
123. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
124. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
125. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
126. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
127. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
128. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
129. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
130. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
131. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
132. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
133. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
134. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
135. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
136. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
137. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
138. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
139. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
140. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
141. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
142. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
143. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
144. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
145. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
146. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
147. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
148. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
149. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
150. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
151. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
152. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
153. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
154. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
155. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
156. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
157. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
158. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
159. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
160. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
161. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
162. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
163. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
164. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
165. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
166. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
167. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
168. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
169. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
170. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
171. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
172. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
173. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
174. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
175. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
176. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
177. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
178. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
179. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
180. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
181. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
182. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
183. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
184. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
185. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
186. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
187. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
188. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
189. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
190. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
191. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
192. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
193. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
194. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
195. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
196. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
197. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
198. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
199. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
200. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
201. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
202. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
203. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
204. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
205. strcmpi at 0x77c4624e in MSVCRT.dll called from 0x402295
206. GetSystemDirectoryA at 0x7c814c63 in kernel32.dll called from 0x4029a6
207. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4029dc
208. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4029dc
209. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4029dc
210. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4029dc
CFG at exit
- dot file
- jpg

MD5 checksum	7284f0b655ae9d8b17d3d62ca7de59c9
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable),Trojan.Generic.188535

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4e39de 0x4e3a99 0x4e3a9d 0x4e3aa2 0x4e39ec 0x4e39f3 0x4e39f7 0x4e39f9 0x4e39fd 0x4e39ff 0x4e3a06 0x4e3a04 0x4e3a0a 0x4e3a0c 0x4e39ef 0x4e3a48 0x4e3a1e 0x4e3a23 0x4e3a41 0x4e3a0f 0x4e3a8f 0x4e3a92 0x4e3a96 0x4e3a98 0x4e3a12 0x4e3a27 0x4e3a8d 0x4e3a30 0x4e3a37 0x4e3a3c 0x4e3a42 0x4e3a43 0x4e3a90 0x4e3a19 0x4e3a1c 0x4e3a44 0x4e3a52 0x4e3a59 0x4e3a5d 0x4e39ea 0x4e3a5b 0x4e3a63 0x4e3a6c 0x4e3a6d 0x4e3a72 0x4e3a76 0x4e3a7d 0x4e3a85 0x4e3a86 0x4e3a8a 0x470e78 0x406435 0x406498 0x40628c 0x40315a 0x4062f8 0x40630c 0x40631d
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4e3a6a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e3a87
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x406360
4. GetKeyboardType at 0x77d6fa46 in user32.dll called from 0x403148
5. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40126c
6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x401294
7. GetVersion at 0x7c8114ab in kernel32.dll called from 0x401324
8. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40131c
- dot file
- jpg

MD5 checksum	7407f79caced2fa98b2e58fa6f6eb859
Anti-virus name	W32/Downloader.AT.gen!Eldorado (generic, not disinfectable),Trojan.Crypt.GQ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4882d6 0x4882dd 0x4882f0 0x488324 0x48832c 0x488337 0x4885f7 0x488603 0x488604 0x488676 0x48867a 0x48867f 0x48860b 0x488612 0x488614 0x48861b 0x48861d 0x48861f 0x488624 0x488628 0x48862a 0x48863e 0x488643 0x48866c 0x48866b 0x48862d 0x488682 0x488683 0x488688 0x48868f 0x488691 0x48864a 0x488680 0x488657 0x48865e 0x488665 0x48866a 0x488635 0x48863c 0x488692 0x488358 0x488378 0x9305aa 0x9305ca 0x9305d6 0x9305e4 0x9305ea 0x930606 0x930629 0x930298 0x9302fa 0x9302fe 0x930310 0x930018 0x930033 0x930001 0x930012 0x930038 0x930049 0x930328 0x93033b 0x930094 0x9300ad 0x9300e9 0x93012f 0x930354 0x93037f 0x930395 0x9303bb 0x9301ae 0x9301b8 0x9300ed 0x93012c 0x9301c5 0x930113 0x93011a 0x9301ce 0x930434 0x93058c 0x9300d0 0x9300d7 0x9303ca 0x9303df 0x9304b1 0x930233 0x93023e 0x930242 0x930132 0x930143 0x930147 0x930155 0x93015c 0x93015d 0x930293 0x9304ee 0x930504 0x930509 0x930521 0x93052d 0x93016c 0x930185 0x930186 0x930194 0x9301a4 0x9301a5 0x930557 0x93055e 0x930564 0x93056c 0x930578 0x930587 0x930385 0x93038a 0x930392 0x93039b 0x9301d2 0x9301e1 0x9301fe 0x930206 0x930222 0x930210 0x93021e 0x93022a 0x9303ea 0x9303f6 0x9303fd 0x93040e 0x930487 0x930498 0x9304eb 0x930442 0x93044e 0x930452 0x93047e 0x930457 0x930466 0x93046f 0x930478 0x93038f 0x930412 0x93041b 0x930552 0x930536 0x93004d 0x93005c 0x93005f 0x93006c 0x930074 0x93007c 0x930084 0x930067 0x930087 0x930088 0x93046a 0x930258 0x930262 0x930267 0x93027d 0x930282 0x930290 0x93020e 0x930598 0x93059a 0x930648 0x93064e 0x93064f 0x93065c 0x930660 0x4883a7 0x4883ba 0x48840e 0x48854d 0x48855b 0x488576 0x488591 0x488599 0x4885b0 0x4885c4 0x4885d7 0x4885e0 0x4885a4 0x4885ad 0x488563 0x488568 0x48856e 0x488574 0x4885f0 0x488413 0x4884a6 0x4884f9 0x48850a 0x488529 0x488513 0x488532 0x488546 0x48601c 0x486037
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x48831e
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x930626
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x930659
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4883b4
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x48858b
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4885d1
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x488523
- dot file
- jpg

MD5 checksum	7744682d7ad8b0a42dffdfa486b616fd
Anti-virus name	W32/Trojan2.EHQZ (exact),Trojan.Generic.832071

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x40101f 0x401024 0x40102e 0x401035 0x40103b 0x401040 0x41a678 0x41a69e 0x41a6a2 0x41a6ec 0x401140 0x41a6af 0x41a6ba 0x419888 0x41a6ce 0x41a6dd 0x401054 0x4208a0 0x420830 0x420c78 0x41b62c 0x41a888 0x41a891 0x41a810 0x41a89c 0x41a897 0x41a898 0x424071 0x42407b 0x424085 0x423eb8 0x4240d8 0x423ec0 0x423ed2 0x423ed8 0x423f43 0x423eed 0x423efb 0x423efd 0x423f06 0x423f09 0x423f32 0x423f36 0x423f0d 0x423f12 0x423f22 0x423f23 0x423f27 0x423f2f 0x423f3c 0x423f4d 0x423f57 0x423f63 0x4240d6 0x41a500 0x41a50c 0x41a512 0x41a52a 0x41a85c 0x424520 0x42452a 0x424a6c 0x424a78 0x424a7e 0x424a96 0x418a3c 0x4244c2 0x42254c 0x422551 0x422428 0x422441 0x42244f 0x42245b 0x42245f 0x4266c4 0x422469 0x422480 0x422487 0x422493 0x42249b 0x42253a 0x422541 0x422543 0x422ab8 0x422ade 0x422afb 0x4241bc 0x42439c 0x4243ab 0x42323c 0x4189e0 0x419208 0x418e35 0x4186ac 0x4186d0 0x418b54 0x418955 0x42325f 0x423271 0x422e0c 0x422e26 0x423050 0x423066 0x4197a8 0x4197ce 0x42309a 0x4230a0 0x419a2c 0x419a34 0x419a49 0x419a4f 0x419a53 0x419a57 0x419a5f 0x419a7e 0x4230ae 0x4230c0 0x4230e7 0x422e52 0x422e5a 0x422e5e 0x422e65 0x422e6b 0x422e73 0x422e69 0x422e77 0x422e7e 0x422e94 0x419a61 0x419a7b 0x419a7c 0x419a7d 0x422e9c 0x41924d 0x422ea4 0x422f62 0x422f6d 0x4230e5 0x422f76 0x422f97 0x423a70 0x419a70 0x419a76 0x423975 0x423a85 0x423a9e 0x41c0d0 0x41c11d 0x41c1c8 0x41c1cf 0x426754 0x41c1d6 0x41c1e2 0x41c1ee 0x41c1fa 0x41aa40 0x41aa54 0x41aa61 0x41c20d 0x41c213 0x41c21c 0x41e96c 0x41e983 0x41d254 0x41d269 0x41d271 0x41d286 0x41d2a4 0x41d290 0x41d2ac 0x41d2ba 0x41d2c0 0x41d2d0 0x41d2d1 0x41b14c 0x41b16b 0x41b184 0x41b188 0x41b196 0x41b19c 0x41b1a3 0x41b1af 0x41b1c2 0x41d2eb 0x41d2f1 0x41d301 0x41d304
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x426730
2. GetEnvironmentStrings at 0x7c81cc23 in kernel32.dll called from 0x4266ee
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4266ca
4. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42673c
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4267a8
6. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x42668e
7. targ11999 at 0x7c9119b9 in ntdll.dll called from 0x7c90102b
8. RtlAllocateHeap at 0x7c911320 in ntdll.dll called from 0x7c90102b
9. RtlInitializeCriticalSectionAndS at 0x7c911ab7 in ntdll.dll called from 0x7c90102b
10. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x4267ba
11. GetACP at 0x7c809943 in kernel32.dll called from 0x4266be
12. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4266c4
13. LdrUnlockLoaderLock at 0x7c913281 in ntdll.dll called from 0x7c901101
14. targ199b5 at 0x7c919b30 in ntdll.dll called from 0x7c90102b
15. targ19b0d at 0x7c919b3f in ntdll.dll called from 0x7c901101
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x422adc
17. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x42677e
18. VirtualQuery at 0x7c80b859 in kernel32.dll called from 0x426862
19. RtlAllocateHeap at 0x7c911596 in ntdll.dll called from 0x7c901101
20. targ11a11 at 0x7c911a24 in ntdll.dll called from 0x7c901101
21. RtlInitializeCriticalSectionAndS at 0x7c911ad6 in ntdll.dll called from 0x7c901101
22. LdrLockLoaderLock at 0x7c914859 in ntdll.dll called from 0x7c90102b
23. targe1cf at 0x7c80e1f7 in kernel32.dll called from 0x7c90102b
24. targe1cf at 0x7c80e20b in kernel32.dll called from 0x7c901101
25. RtlAcquirePebLock at 0x7c910945 in ntdll.dll called from 0x7c90102b
26. RtlReleasePebLock at 0x7c910970 in ntdll.dll called from 0x7c901122
27. GlobalMemoryStatus at 0x7c81f1b7 in kernel32.dll called from 0x426790
28. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x426856
29. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x42672a
30. LdrLockLoaderLock at 0x7c9131dc in ntdll.dll called from 0x7c90102b
31. RtlInitializeCriticalSectionAndS at 0x7c911ad6 in ntdll.dll called from 0x7c901101
32. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x426820
33. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x42674e
34. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x426754
35. GetFileType at 0x7c811069 in kernel32.dll called from 0x426706
36. targ3791f at 0x7c9379b5 in ntdll.dll called from 0x7c901101

MD5 checksum 777d675a869025c8c7466cc652ef3733

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x46f0d0 0x46f0e8 0x46f0ed 0x46f1b4 0x46f1b8 0x46f1c2 0x46f1e2 0x46f1ec 0x46f1fb 0x46f20c 0x46f24a 0x46f263 0x46f387 0x46f3b2 0x46f3e0 0x46f37f 0x46f3c7 0x46f3f8 0x46f418 0x46fb40 0x46f232 0x46f23c 0x46f39a 0x46f3a4 0x46f440 0x46f483 0x46f4ef 0x46f527 0x46f545 0x46f583 0x46f58d 0x46f599 0x46f5af 0x46f5d5 0x46f2bd 0x46f2d4 0x46f316 0x46f32e 0x46f371 0x46f351 0x46f425 0x46f42c 0x46f46d 0x46f477 0x46f49d 0x46f763 0x46f781 0x46f793 0x46f834 0x46f86d 0x46f87a 0x46f8a5 0x46f8b9 0x46f8e6 0x46f8f1 0x46f911 0x46f922 0x46f941 0x46f96c 0x46f980 0x46f9ad 0x46f954 0x46f95e 0x46f998 0x46f9b8 0x46f9c7 0x46f9df 0x46fa51 0x46fa5e 0x46fa8c 0x46fabc 0x46fadb 0x46faa1 0x46faee 0x46faf8 0x46fb09 0x46fb20 0x46fb31 0x46f2fe 0x46f308 0x46f76b 0x46f775 0x46f34f 0x46f88d 0x46f897 0x46f8d1 0x46fa74 0x46fa7e 0x46f91d 0x46f436 0x46f60f 0x46f747 0x46f511 0x46f51b 0x46f628 0x46f65e 0x46f69b 0x46f6d3 0x46f6ed 0x46f733 0x46f73b 0x46f7c2 0x46f7f0 0x46f83e 0x46f678 0x46f9fb 0x46f9fe 0x46fa20 0x46fa33 0x46fa2c 0x46fa36 0x46f70d 0x46fa08 0x46fa12 0x46f648 0x46f652 0x46f6bd 0x46f6c7 0x46f7da 0x46f7e4 0x46f803 0x46f37d 0x46fb51 0x46fb70 0x46fb8f 0x46fba7 0x46fbac 0x46fbec 0x46fbcd 0x46fbf6 0x46fbba 0x46fbc3 0x46fbc7 0x46fbd3 0x46fbd8 0x46fbfb 0x46fc07 0x46fc1d 0x46fc25 0x46fc30 0x46fc34 0x46fc3b 0x46fc3f 0x46fc1e 0x46fc01 0x46fc29 0x46fc46
- Windows API calls issued from malware code
  1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x46fc17
  2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x46fc35
  3. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x46fc46
- CFG at exit
  - dot file
  - jpg

MD5 checksum	7988aa0202c942aab060577c407a0e0a
Anti-virus name	W32/Hupigon.A.gen!Eldorado (generic, not disinfectable),Trojan.Packed-19,Backdoor.Hupigon.AWP

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4c6fdd 0x4c6fe4 0x4c700a 0x4c703e 0x4c7046 0x4c7051 0x4c7311 0x4c731d 0x4c731e 0x4c7390 0x4c7394 0x4c7399 0x4c7325 0x4c732c 0x4c732e 0x4c7335 0x4c7337 0x4c7339 0x4c733e 0x4c7342 0x4c7344 0x4c7358 0x4c735d 0x4c7386 0x4c7385 0x4c7347 0x4c739c 0x4c739d 0x4c73a2 0x4c73a9 0x4c73ab 0x4c7364 0x4c739a 0x4c7371 0x4c7378 0x4c737f 0x4c7384 0x4c734f 0x4c7356 0x4c73ac 0x4c7072 0x4c7092 0x9905a9 0x9905c9 0x9905d5 0x9905e3 0x9905e9 0x990605 0x990628 0x990297 0x9902f9 0x9902fd 0x99030f 0x990017 0x990032 0x990000 0x990011 0x990037 0x990048 0x990327 0x99033a 0x990093 0x9900ac 0x9900e8 0x99012e 0x990353 0x99037e 0x990394 0x9903ba 0x9901ad 0x9901b7 0x9901c4 0x9900ec 0x99012b 0x9900cf 0x9900d6 0x9901cd 0x990433 0x99058b 0x990112 0x990119 0x9903c9 0x9903de 0x9903e9 0x9903f5 0x9903fc 0x99040d 0x990411 0x99041a 0x990384 0x990389 0x990391 0x99039a 0x9901d1 0x9901e0 0x9901fd 0x990205 0x990221 0x99020f 0x99021d 0x990229 0x990486 0x990232 0x99023d 0x990241 0x990131 0x990142 0x990146 0x990154 0x99015b 0x99015c 0x990292 0x99055d 0x990563 0x99056b 0x990577 0x990586 0x9904b0 0x9904e2 0x9904ed 0x990503 0x990508 0x990520 0x99052c 0x99016b 0x990184 0x990185 0x990193 0x9901a3 0x9901a4 0x990556 0x99038e 0x990441 0x99044d 0x990456 0x990465 0x99046e 0x990477 0x99047d 0x990551 0x990257 0x990261 0x990266 0x99027c 0x9904ea 0x990451 0x990535 0x99004c 0x99005b 0x99005e 0x99006b 0x990073 0x99007b 0x990083 0x990066 0x990086 0x990087 0x990281 0x99028f 0x990469 0x99020d 0x990597 0x990599 0x990647 0x99064d 0x99064e 0x99065b 0x99065f 0x4c70c1 0x4c70d4 0x4c70e9 0x4c70ee 0x4c70f2 0x4c70fa 0x4c7100 0x4c7118 0x4c7128 0x4c7267 0x4c7275 0x4c7290 0x4c72ab 0x4c72b3 0x4c72ca 0x4c72de 0x4c72f1 0x4c72fa 0x4c72be 0x4c72c7 0x4c727d 0x4c7282 0x4c7288 0x4c728e 0x4c730a 0x4c712d 0x4c71c0 0x4c7213 0x4c7224 0x4c7243 0x4c724c 0x4c7260 0x4a1e48 0x4a1e50 0x4a1e57 0x406bc8 0x4069bc 0x406a8e 0x406c40 0x407bf4 0x407c2c 0x412a20 0x407f5c 0x40ed64 0x405dfb 0x404a8c 0x404a60 0x402190 0x401afc 0x4020bb 0x4020c4 0x4020c7 0x4020cf 0x4020dc 0x4020e4 0x402070 0x402079 0x402083 0x402091 0x402099 0x4020f1 0x402010 0x401864 0x4018b8
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4c7038
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x990625
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x990658
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4c70ce
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4c72a5
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4c72eb
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4c723d
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x406a90
9. GetKeyboardType at 0x77d6fa46 in USER32.DLL called from 0x4039e4
10. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4012ec
11. RegOpenKeyExA at 0x77dd761b in ADVAPI32.DLL called from 0x401344
12. LoadStringA at 0x77d6ec98 in USER32.DLL called from 0x40131c
13. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4013f8
14. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4013d8
- dot file
- jpg

MD5 checksum	79c3add88fbe9a0e26b0ee712ea7a10f
Anti-virus name	W32/Document-disguised-based!Maximus,Trojan.VB-4160,Trojan.Generic.469731

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x409670 0x409692 0x409699 0x409688 0x40968e 0x40969b 0x4096a0 0x4096ab 0x4096b1 0x4096db 0x4096f3 0x4096fe 0x409700 0x40970c 0x40970e 0x409719 0x40971f 0x40972a 0x40972d 0x40973e 0x409747 0x4096e2 0x4096ed 0x4096cc 0x4096d7 0x40974c 0x40975b 0x4096d0 0x4096b3 0x4096bc 0x4096c8 0x4096a4 0x4096f7 0x409712 0x4096c1 0x409705 0x409721 0x409762 0x40976a 0x40976f 0x409773 0x409778 0x409796 0x4097a2 0x4097b8 0x4097c0 0x4097cb 0x4097cf 0x4097d6 0x4097da 0x4097b9 0x4097c4 0x4097e1
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4097b2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4097d0
3. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x4097e1
CFG at exit
- dot file
- jpg

MD5 checksum	79de07212811410d636c259756ae672c
Anti-virus name	W32/Swizzor-based.2!Maximus,Trojan.Agent-38570,Trojan.Swizzor.2

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4089e3 0x408a0f 0x4110f2 0x401222 0x408a4e 0x40414d 0x404155 0x40415d 0x404451 0x4041bd 0x40190e 0x401928 0x4019b4 0x4041d3 0x402a3d 0x404479 0x40448a 0x408a53 0x408a5f 0x40f8ff 0x40ad7d 0x40ae8b 0x40ae99 0x40aed0 0x408a6f 0x402da0 0x402dbb 0x402dbd 0x402dc3 0x402df7 0x402e07 0x402e0e 0x402e15 0x402e1c 0x402e35 0x402e3b 0x402e41 0x402e4a 0x402e57 0x402e69 0x402e6d 0x402e74 0x402ecb 0x40f8c9 0x401601 0x40f8cf 0x40f8d8 0x40f8df 0x40417f 0x4041a2 0x4041b3 0x40f330 0x40f36f 0x40f585 0x40352a 0x4035b0 0x4035c9 0x403606 0x403618 0x41115f 0x4111fc 0x411254 0x41126a 0x411305 0x41132a 0x40f4bd 0x4038fa 0x40392c 0x40a595 0x40a5a7 0x40a5af 0x40a5b5 0x40a5ba 0x4094b0 0x4094d0 0x4094e8 0x4094ef 0x4094f3 0x4094fa 0x409503 0x40a5c0 0x409517 0x4094bc 0x4094c3 0x4094cb 0x40950d 0x40a5b9 0x409521 0x40a5c7 0x40a5d4 0x40a5e9 0x40a5f3 0x40a5f4 0x40a5fa 0x40a625 0x40a603 0x40a609 0x40a618 0x409ea0 0x409f11 0x409f1d 0x409f24 0x409f2f 0x409f36 0x409f31 0x409f50 0x409f54 0x409f58 0x409f72 0x40a620 0x409f60 0x409f6a 0x409f88 0x40a62b 0x40a62c 0x40833c 0x408345 0x40124d 0x40125d 0x401261 0x401270 0x401275 0x401277 0x40836b 0x408372 0x408382 0x4107f5 0x410800 0x4108fb 0x410900 0x410906 0x41090e 0x41090c 0x4057fa 0x405807 0x405814 0x405819 0x402a44 0x402a53 0x405821 0x40584d 0x405854 0x40586a 0x405871 0x405891 0x405894 0x40588d 0x4058a0 0x41081e 0x408a9a 0x40e725 0x40e733 0x40e740 0x40e748 0x40e74c 0x40b303 0x40b314 0x40b325 0x40b33a 0x40b33c 0x40b340 0x40b310 0x40e75d 0x40e762 0x40e76f 0x40e779 0x408aae 0x408ab1 0x408abd 0x40720a 0x407378 0x405988 0x40258a 0x402593 0x4025aa 0x4025bc 0x4025c9 0x4025cf 0x407334 0x40267f 0x40c260 0x40c28b 0x40c296 0x40c2bc 0x40c2c3 0x40c2d2 0x40c2d4 0x402692 0x4044b4 0x4044c2 0x40450e 0x4026b5 0x428623 0x40a869 0x40a87d 0x40a88b 0x40a892 0x40a89c 0x40a8a2 0x40a999 0x428664 0x42867e 0x428be7 0x428bf7 0x428c31 0x428c44 0x428c6d 0x42895a 0x428520
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x408a09
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4110ec
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40121c
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x404143
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40414b
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x404153
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40415b
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40444b
9. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x4041b7
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401908
11. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x401922
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4019ae
13. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x4041cd
14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x404473
15. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x404484
16. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40f8f9
17. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40ad77
18. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x40ae85
19. GetFileType at 0x7c811069 in kernel32.dll called from 0x40ae93
20. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x40aeca
21. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x408a69
22. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x402dbb
23. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402e33
24. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x402e55
25. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x402e6e
26. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40419c
27. GetACP at 0x7c809943 in kernel32.dll called from 0x40f4f4
28. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40f369
29. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40f57f
30. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x403524
31. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4035aa
32. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x403600
33. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x403612
34. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x411159
35. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4111f6
36. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x41124e
37. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x411264
38. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4112ff
39. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x411324
40. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4038f4
41. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40837c
42. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x402a4d
43. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x408a94
44. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x408ab7
45. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x402584
46. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40258d
47. CreateMutexA at 0x7c80eb3f in kernel32.dll called from 0x4025b6
48. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x4025c3
49. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4025c9
50. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x4044ae
51. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4044bc
52. RtlRestoreLastWin32Error at 0x7c910340 in ntdll.dll called from 0x404508
53. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4026af
54. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x42865e
CFG at exit
- dot file
- jpg

MD5 checksum	7abc4c0dd48edca38f612a84886f0fe2
Anti-virus name	W32/Downldr2.GOHD (exact),Trojan.Downloader-74706

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40396b 0x415cef 0x415d25 0x415bfb 0x415c09 0x415c0c 0x415c7e 0x415c82 0x415c87 0x415c13 0x415c1a 0x415c1c 0x415c23 0x415c25 0x415c2a 0x415c2f 0x415c33 0x415c35 0x415c38 0x415c8a 0x415c8b 0x415c90 0x415c97 0x415c99 0x415c51 0x415c88 0x415c5c 0x415c63 0x415c68 0x415c6d 0x415c6e 0x415c6f 0x415c70 0x415c74 0x415c48 0x415c4d 0x415c41 0x415c46 0x415c9a 0x35099c 0x3509a5 0x3509da 0x3509e1 0x3509ef 0x350b74 0x350b96 0x350ba4 0x350a2c 0x350e2e 0x350e3c 0x350e4f 0x350e60 0x350e6a 0x350f52 0x350e7c 0x35122b 0x351243 0x351248 0x351250 0x351264 0x350804 0x350851 0x35000d 0x350065 0x350070 0x350080 0x350097 0x3500a8 0x3500d7 0x3500ea 0x3501d2 0x3501f6 0x350205 0x35022b 0x350219 0x350233 0x350248 0x3507eb 0x3500a5 0x3500c0 0x3501df 0x350269 0x3502a2 0x3502f4 0x35032d 0x350340 0x350382 0x3503d8 0x3504cb 0x3504e7 0x350505 0x350514 0x3505ba 0x3505ca 0x3505d1 0x3505e8 0x3505fb 0x350630 0x350614 0x350635 0x3507bc 0x3507c7 0x3507d0 0x3507e6 0x350133 0x350143 0x35017d 0x3501ab 0x350251 0x350257 0x3502b1 0x3502d9 0x3502e6 0x35064e 0x350658 0x350660 0x350674 0x350692 0x3506a2 0x3506cd 0x3506b7 0x3506d2 0x3506e0 0x3506f3 0x350745 0x35074e 0x350755 0x35076c 0x35077c 0x3507aa 0x3507b2 0x3501c4 0x35018c 0x3501a9 0x350166 0x3504ee 0x350369 0x350316 0x3502df 0x35067b 0x350791 0x350260 0x35028b 0x350539 0x350565 0x350575 0x3505b9 0x350391 0x3503ab 0x35065d 0x3503eb 0x350424 0x350448 0x350481 0x350490 0x3504bc 0x3504c2 0x350702 0x350705 0x350723 0x350732 0x350735 0x35072c 0x35054e 0x35059b 0x35046a 0x3504a5 0x35070c 0x350433 0x35040d 0x3501d0 0x3507f7 0x35009c 0x35009e 0x35086c 0x350879 0x350eef 0x350ef4 0x350f0d 0x350f19 0x350f2e 0x350f5f 0x350a38 0x350a46 0x350d8c 0x350d9a 0x350dad 0x350dbe 0x350dc9 0x350dd4 0x350e21 0x350e27 0x350a4c 0x350ca7 0x350cb5 0x350cc8 0x350cd9 0x350cdc 0x350ce7 0x350d7b 0x350cf2 0x350d05 0x350d09 0x350d18 0x350d3a 0x350d1e 0x350d24 0x350d31 0x350d3d 0x350d46 0x350d85 0x350a6b 0x3510bc 0x3510d3 0x3510d7 0x3510da 0x3510e7 0x3510ea 0x351112 0x351120 0x351147 0x351161 0x35119a 0x3511a0 0x3511b0 0x3511c7 0x3511d5 0x3512f5 0x351300 0x351313 0x3511df 0x3511e8 0x3511f4 0x3510fe 0x351142 0x351154 0x3512d3 0x3512de 0x3512ee 0x3510cf 0x3510f7 0x350a75 0x350af4 0x350b14 0x350c44 0x350c52 0x350c65 0x350c76 0x350c9a 0x350c81 0x350c98 0x350ca0 0x351359 0x351372 0x350b28 0x35139b 0x3513a9 0x3513b5 0x3512cc 0x350b34 0x350b47 0x415d6c 0x415d86 0x408369 0x40839b 0x4083a6 0x4083b2 0x4083ba 0x4083c2 0x4083ce 0x4083e1 0x4083ec 0x4083fb 0x403f3c 0x403825 0x403833 0x403844 0x403852 0x40385b 0x40386f 0x408339 0x408354 0x40835f 0x403883 0x405da5 0x405db5 0x405dc0 0x405dca 0x405dd8 0x405de5 0x405df2 0x405dff 0x405e29 0x405e4d 0x405e53 0x405e61 0x405e6a 0x405e72 0x40789c 0x4059a9 0x4059da 0x4059f5 0x4059fe 0x409376 0x40b77b 0x403a06 0x4078b8 0x40bc08 0x40bbf9 0x4078c4 0x40b9e7 0x4078d0 0x405e77 0x405e82 0x405e92 0x405ea2 0x405eb2 0x406fac 0x406fb7 0x406fc1 0x40b7a6 0x406fdf 0x406fe5 0x405ec3 0x405a10 0x405a24 0x405a28 0x405a49 0x405a55 0x405a64 0x405a70 0x405a74 0x405a79 0x405a7c 0x405a82 0x405a88 0x405ed6 0x405ee0 0x4093f2 0x408fa6 0x40905e 0x405f28 0x405abf 0x405ac9 0x405a32 0x405a3b 0x405a3d 0x405ad8 0x405adf 0x405ae9 0x405af0 0x405af7 0x406ff7 0x407007 0x40700d 0x407020 0x40702b 0x407031 0x407037 0x40703d 0x407040 0x40704b
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x415d23
2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x350b6e
3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x350b90
4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x350a26
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x35084e
6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x350876
7. targe2e at 0x350eef in DEFAULT_MODULE called from 0x35087f
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x351145
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x35130d
10. targ1112 at 0x3511df in DEFAULT_MODULE called from 0x351317
11. targ1112 at 0x3511df in DEFAULT_MODULE called from 0x351317
12. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x3512e8
13. targ1112 at 0x351147 in DEFAULT_MODULE called from 0x3512f2
14. targ10bc at 0x3510f3 in DEFAULT_MODULE called from 0x3511fa
15. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x350c92
16. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x351353
17. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x35136c
18. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x351395
19. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x3513a3
20. SetProcessWorkingSetSize at 0x7c827456 in kernel32.dll called from 0x3513b3
21. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x3512a8
22. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x3512c6
23. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x350b41
24. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x4083a0
25. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x4083ac
26. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4083b4
27. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x4083bc
28. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x4083c8
29. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40834e
30. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x405daf
31. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x405dd6
32. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x405de3
33. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x405df0
34. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x405dfd
35. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x405e4d
36. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x405e68
37. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4059a7
38. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x4059d4
39. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4059ef
40. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x4059fc
41. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x40b7a0
42. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x405a22
43. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x405a4f
44. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x405a6a
45. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x405a77
46. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x405a82
47. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x409058
48. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x405a39
49. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x405a3b
50. TlsFree at 0x7c813453 in kernel32.dll called from 0x405ad6
51. TlsFree at 0x7c813453 in kernel32.dll called from 0x405aea
52. RtlDeleteCriticalSection at 0x7c91188a in ntdll.dll called from 0x40703e
CFG at exit
- dot file
- jpg

MD5 checksum	7bb9cbc71bf54e88110ca9fd8a10ce01
Anti-virus name	W32/Trojan2.BBBV (exact, not disinfectable),Trojan.Vundo-5711,Dropped:Trojan.Vundo.EYE

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	7c4cf9d2e0ea5b08204d50b10100bc59
Anti-virus name	W32/BackdoorX.BGEI (exact, not disinfectable)

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x10055e9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum 7dbb15d0f488d01411812b5979c6e70e

Anti-virus name Trojan.Dropper-20415

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x49fa8d 0x40012c 0x400130 0x40010b 0x400167 0x400162 0x400169 0x40016d 0x40016f 0x400173 0x400175 0x40017c 0x40017a 0x400180 0x400182 0x400165 0x4001c0 0x400196 0x40019b 0x4001b9 0x400185 0x487000 0x487005 0x487009 0x48700b 0x40019f 0x487003 0x4001a8 0x4001af 0x4001b4 0x4001ba 0x4001bb 0x400191 0x400194 0x4001bc 0x4001ca 0x40015f 0x4001cf 0x49fd09 0x49fd1a 0x49fd27 0x49faa6 0x49faa6 0x49fab5 0x49fab5 0x49facb 0x49facb 0x49face 0x49face 0x49fadc 0x49fadc 0x49fae0 0x49fae0 0x49fae8 0x49fae8 0x49faec 0x49faec 0x49faf4 0x49faf4 0x49fb04 0x49fb04 0x49fb07 0x49fb07 0x49fb09 0x49fb09 0x49fb12 0x49fb12 0x49fb29 0x49fb29 0x49fb4b 0x49fb4b 0x49fb64 0x49fb64 0x49fb68 0x49fb68 0x49fb8b 0x49fb8b 0x49fba4 0x49fba4 0x49fba7 0x49fba7 0x49fbaa 0x49fbaa 0x49fbbb 0x49fbbb 0x49fbbf 0x49fbbf 0x49fbcd 0x49fbcd 0x49fbd4 0x49fbd4 0x49fbd5 0x49fbd5 0x49fbe4 0x49fbe4 0x49fbfd 0x49fbfd 0x49fbfe 0x49fbfe 0x49fc0c 0x49fc0c 0x49fc1c 0x49fc1c 0x49fc1d 0x49fc1d 0x49fc26 0x49fc26 0x49fc4d 0x49fc4d 0x49fc52 0x49fc52 0x49fc56 0x49fc56 0x49fc5e 0x49fc5e 0x49fc7b 0x49fc7b 0x49fc81 0x49fc81 0x49fc86 0x49fc86 0x49fc8a 0x49fc8a 0x49fc97 0x49fc97 0x49fc9b 0x49fc9b 0x49fca4 0x49fca4 0x49fcaf 0x49fcaf 0x49fcb3 0x49fcb3 0x49fcc7 0x49fcc7 0x49fcc9 0x49fcc9 0x49fcd3 0x49fcd3 0x49fcd8 0x49fcd8 0x49fcee 0x49fcee 0x49fcf3 0x49fcf3 0x49fd01 0x49fd01 0x49fd04 0x49fd04 0x49fd6a 0x49fd6a 0x49fd6f 0x49fd6f 0x49fd8a 0x49fd8a 0x49fd92 0x49fd92 0x49fdae 0x49fdae 0x49fdb2 0x49fdb2 0x49fdb7 0x49fdb7 0x49fdbc 0x49fdbc 0x49fdbf 0x49fdbf 0x49fdc5 0x49fdc5 0x49fdde 0x49fdde 0x49fde7 0x49fde7 0x49fdec 0x49fdec 0x49fdef 0x49fdef 0x49fdfe 0x49fdfe 0x49fe08 0x49fe08 0x49fe0b 0x49fe0b 0x49fe13 0x49fe13 0x49fe29 0x49fe29 0x49fe32 0x49fe32 0x49fe41 0x49fe41 0x49fe48 0x49fe48 0x49fe59 0x49fe59 0x49fe5d 0x49fe5d 0x49fe79 0x49fe79 0x49fe87 0x49fe87 0x49fe93 0x49fe93 0x49fe97 0x49fe97 0x49fe9c 0x49fe9c 0x49feab 0x49feab 0x49feaf 0x49feaf 0x49feb4 0x49feb4 0x49febd 0x49febd 0x49fec3 0x49fec3 0x49fec8 0x49fec8 0x49fed9 0x49fed9 0x49fef1 0x49fef1 0x49ff21 0x49ff21 0x49ff29 0x49ff29 0x49ff2c 0x49ff2c 0x49ff42 0x49ff42 0x49ff47 0x49ff47 0x49ff5b 0x49ff5b 0x49ff6c 0x49ff6c 0x49ff71 0x49ff71 0x49ff75 0x49ff75 0x49ff80 0x49ff80 0x49ff94 0x49ff94 0x49ff96 0x49ff96 0x49ff97 0x49ff97 0x49ff9f 0x49ff9f 0x49ffa3 0x49ffa3 0x49ffc3 0x49ffc3 0x49ffc8 0x49ffc8 0x49ffd4 0x49ffd4 0x49ffd9 0x4001d9 0x4001de 0x4001e1 0x4001ea 0x4001ec 0x4001f1 0x4001f3 0x4001f8 0x4001e2 0x4001d6 0x4001fd 0x4289ee 0x428b18 0x428b50 0x428a2e 0x429256 0x4292e2 0x429f96 0x42a095 0x42a0a3 0x42a0da 0x428a3c 0x429e05 0x429e20 0x429e22 0x429e28 0x429e5c 0x429e6c 0x429e73 0x429e7a 0x429e81 0x429e9a 0x429ea0 0x427f02 0x427f09 0x429ea6 0x429eaf 0x429ebc 0x429ece 0x429ed2 0x429ed9 0x429f30 0x42a27f 0x42a2bc 0x42a4c7 0x42a9ca 0x42aa50 0x42aaa6 0x42aab8 0x42ad56 0x42adf3 0x42ae4b 0x42ae61 0x42aefc 0x42af21 0x42a3fb 0x429c13 0x429aff 0x429b11 0x429b19 0x429b1f 0x429b24 0x427c80 0x427ca0 0x427cb8 0x427cbf 0x427cc3 0x427cca 0x427cd3 0x429b2a 0x427ce7 0x427c8c 0x427c93 0x427c9b 0x427cdd 0x429b23 0x427cf1 0x429b31 0x429b3e 0x429b53 0x429b5d 0x429b5e 0x429b64 0x429b8f 0x429b6d 0x429b73 0x429b82 0x428370 0x4283e1 0x4283ed 0x4283f4 0x4283ff 0x428406 0x428401 0x428420 0x428424 0x428428 0x428442 0x429b8a 0x428430 0x42843a 0x428458 0x429b95 0x429b96 0x427dc4 0x427dcd 0x428b7b 0x428b8b 0x428b8f 0x428b9e 0x428ba3 0x428ba5 0x427de3 0x427df1 0x427f20 0x427f2b 0x428008 0x42800d 0x428013 0x42801b 0x428019 0x42875b 0x428765 0x42877c 0x428020 0x40fb85 0x41e8c8 0x41e8d2 0x4218de 0x4218e8 0x40ff54 0x40fdcc 0x40fb99 0x428749 0x4286dc 0x4298fa 0x429905 0x42990a 0x4286e8 0x42873b 0x40fba3 0x40ff58 0x410006
- Windows API calls issued from malware code
  1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
  2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
  3. GetVersion at 0x7c8114ab in kernel32.dll called from 0x4289e8
  4. HeapCreate at 0x7c812929 in kernel32.dll called from 0x428b12
  5. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x428b4a
  6. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x429236
  7. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x429250
  8. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4292dc
  9. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x429f90
  10. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x42a08f
  11. GetFileType at 0x7c811069 in kernel32.dll called from 0x42a09d
  12. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x42a0d4
  13. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x428a36
  14. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x429e20
  15. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x429e98
  16. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x429eba
  17. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x429ed3
  18. GetACP at 0x7c809943 in kernel32.dll called from 0x42a436
  19. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x42a2b6
  20. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x42a4c1
  21. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x42a9c4
  22. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x42aa4a
  23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x42aaa0
  24. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x42aab2
  25. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x42ad50
  26. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x42aded
  27. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x42ae45
  28. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x42ae5b
  29. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x42aef6
  30. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x42af1b
  31. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x429bdb
  32. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x427deb
  33. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x41e8c2
  34. GlobalLock at 0x7c810119 in kernel32.dll called from 0x41e8cc
  35. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x4218d8
  36. GlobalLock at 0x7c810119 in kernel32.dll called from 0x4218e2
- - dot file
  - jpg

MD5 checksum	7f7f48c287dcc6bbf2e28a9688939796
Anti-virus name	W32/Downldr2.HZF (exact),Trojan.Spy-4973,Dropped:Backdoor.PoisonIvy.EP

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x407efd 0x40e8a1 0x40e8d1 0x40e8dc 0x40e8e8 0x40e8f0 0x40e8f8 0x40e904 0x40e917 0x40e922 0x40e931 0x407d37 0x407d4e 0x407d55 0x407d68 0x407d71 0x407d86 0x407da3 0x407daa 0x407db8 0x407cdc 0x407ce7 0x407cf8 0x407d03 0x407d0c 0x407de7 0x40d64a 0x40d661 0x40d66d 0x40d5ef 0x4074f3 0x40751b 0x407524 0x40d606 0x40d618 0x40752a 0x407552 0x40755a 0x40d633 0x40d63a 0x40d640 0x40d672 0x40d6a0 0x407e00 0x408dc9 0x408dd5 0x408de4 0x408df3 0x408e00 0x408e0d 0x408e1a 0x408e44 0x408e68 0x408e6e 0x408e7c 0x408e85 0x408e8d 0x407706 0x408a29 0x408a59 0x408a69 0x4093b8 0x40ce6c 0x4063fb 0x407720 0x40ce62 0x407726 0x40ce58 0x40772c 0x40cc4e 0x407738 0x408e9d 0x408ead 0x408ebd 0x408ecd 0x40c7f2 0x40c7fb 0x40c805 0x408a95 0x408ac5 0x408ad5 0x408adf 0x40ced5 0x40cee5 0x40cf07 0x40c823
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40e8d6
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x40e8e2
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40e8ea
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40e8f2
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x40e8fe
6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x407d31
7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x407d4c
8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x407d4f
9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x407d6b
10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x407da1
11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x407da4
12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40d65b
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x408dcf
14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408df1
15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408dfe
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408e0b
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408e18
18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x408e68
19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x408e83
20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408a27
21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x408a53
22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408a63
23. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x408a71
24. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x408a93
25. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x408abf
26. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408acf
27. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x408add
28. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40cecf
29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40cedf
30. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x40cf05
CFG at exit
- dot file
- jpg

MD5 checksum 82c86d02be267cc2dda87d7642ff9bf4

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x4c59f3 0x4c5a29 0x4c58ff 0x4c590d 0x4c5910 0x4c5982 0x4c5986 0x4c598b 0x4c5917 0x4c591e 0x4c5920 0x4c5927 0x4c5929 0x4c592e 0x4c5933 0x4c5937 0x4c5939 0x4c593c 0x4c598e 0x4c598f 0x4c5994 0x4c599b 0x4c599d 0x4c5955 0x4c598c 0x4c5960 0x4c5967 0x4c596c 0x4c5971 0x4c5972 0x4c5973 0x4c5974 0x4c5978 0x4c594c 0x4c5951 0x4c5945 0x4c594a 0x4c599e 0x3609e0 0x3609e9 0x360a1e 0x360a25 0x360a33 0x360bb8 0x360bda 0x360be8 0x360a70 0x360e72 0x360e80 0x360e93 0x360ea4 0x360eae 0x360f96 0x360ec0 0x36126f 0x361287 0x36128c 0x361294 0x3612a8 0x36086d 0x3608c2 0x36000d 0x360073 0x36007c 0x3600c5 0x3600fa 0x36010c 0x3601de 0x3601ed 0x360201 0x360210 0x36025b 0x360249 0x360263 0x360267 0x360284 0x36029a 0x3600bd 0x3600e6 0x3601f4 0x3602b9 0x3602e1 0x3602f4 0x36053e 0x360559 0x360567 0x36060f 0x36061d 0x360638 0x360647 0x36066e 0x360624 0x36065c 0x360679 0x360694 0x3606a3 0x3606bd 0x3606d8 0x3606e7 0x36070e 0x3606fc 0x360713 0x360721 0x360735 0x36078d 0x36079d 0x3607a4 0x3607b8 0x3607c7 0x3607f2 0x3607fd 0x36080a 0x36080e 0x360819 0x360821 0x36083d 0x36015f 0x360173 0x3601ac 0x360225 0x36023b 0x3601bb 0x3601d2 0x36028e 0x360293 0x360296 0x360545 0x36058d 0x3605b5 0x3605c4 0x36069e 0x3606c4 0x3607dc 0x3602b4 0x360198 0x360340 0x36036d 0x360384 0x3603ca 0x3603dc 0x3603fc 0x360441 0x36046a 0x36047d 0x360515 0x360525 0x36084f 0x36042b 0x3602cd 0x360498 0x3604c1 0x3604ef 0x36050d 0x3603b4 0x360748 0x36074f 0x360762 0x36076f 0x36076a 0x360774 0x360756 0x36035d 0x3605a1 0x3605ee 0x36045a 0x3604d4 0x3604b1 0x360247 0x3602a8 0x3608e4 0x3608f1 0x360f33 0x360f38 0x360f51 0x360f5d 0x360f72 0x360fa3 0x360a7c 0x360a8a 0x360dd0 0x360dde 0x360df1 0x360e02 0x360e0d 0x360e18 0x360e65 0x360e6b 0x360a90 0x360ceb 0x360cf9 0x360d0c 0x360d1d 0x360d20 0x360d2b 0x360dbf 0x360d36 0x360d49 0x360d4d 0x360d5c 0x360d7e 0x360d62 0x360d75 0x360d68 0x360d81 0x360d8a 0x360dc9 0x360aaf 0x361100 0x361117 0x36111b 0x36111e 0x36112b 0x36112e 0x361156 0x361164 0x36118b 0x361198 0x361186 0x361317 0x361322 0x361332 0x3611a5 0x3611de 0x3611e4 0x3611f4 0x361202 0x361219 0x361339 0x361344 0x361357 0x361223 0x36122c 0x361238 0x361142 0x36120b 0x361113 0x36113b 0x360ab9 0x360b38 0x360b58 0x36139d 0x3613b6 0x3612f2 0x361310 0x360b78 0x360b8b 0x4c5a70 0x4c5a8a 0x4057a6 0x4057d9 0x4057ee 0x4057fc 0x405815 0x405829 0x405925 0x40583d 0x405861 0x405870 0x405882 0x40588c 0x405890 0x405895 0x405899 0x4058a3 0x4058b0 0x4058c7 0x4058ca 0x4058d4
- Windows API calls issued from malware code
  1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4c5a27
  2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x360bb2
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x360bd4
  4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x360a6a
  5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x3608c0
  6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x3608ef
  7. targe72 at 0x360f33 in DEFAULT_MODULE called from 0x3608fa
  8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x361189
  9. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x36132c
  10. targ1156 at 0x36118b in DEFAULT_MODULE called from 0x361336
  11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x361351
  12. targ1156 at 0x361223 in DEFAULT_MODULE called from 0x36135b
  13. targ1156 at 0x361223 in DEFAULT_MODULE called from 0x36135b
  14. targ1100 at 0x361137 in DEFAULT_MODULE called from 0x36123e
  15. targ1156 at 0x36118b in DEFAULT_MODULE called from 0x361336
  16. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x361397
  17. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x3613b0
  18. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x3612ec
  19. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x36130a
  20. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x360b85
  21. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x4057d3
  22. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x4057e8
  23. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x4057f6
  24. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x405932
  25. initterm at 0x77c39d67 in msvcrt.dll called from 0x405910
  26. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x40585b
  27. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4058aa
  28. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4058ce
- CFG at exit
  - dot file
  - jpg
MD5 checksum 839adf1b8eb4a61ceadf658e34795a8a

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x4711c0 0x4711d8 0x4711dd 0x4712a4 0x4712a8 0x4712b2 0x4712d2 0x4712dc 0x4712eb 0x4712fc 0x47133a 0x471353 0x471477 0x4714a2 0x4714d0 0x47146f 0x4714b7 0x4714e8 0x471508 0x471c30 0x471322 0x47132c 0x47148a 0x471494 0x471530 0x471573 0x4715df 0x471617 0x471635 0x471673 0x47167d 0x471689 0x47169f 0x4716c5 0x4713ad 0x4713c4 0x471406 0x47141e 0x471461 0x471441 0x471515 0x47151c 0x47155d 0x471567 0x47158d 0x471853 0x471871 0x471883 0x471924 0x47195d 0x47196a 0x471995 0x4719a9 0x4719d6 0x4719e1 0x471a01 0x471a12 0x471a31 0x471a5c 0x471a70 0x471a9d 0x471a44 0x471a4e 0x471a88 0x471aa8 0x471ab7 0x471acf 0x471b41 0x471b4e 0x471b7c 0x471bac 0x471bcb 0x471b91 0x471bde 0x471be8 0x471bf9 0x471c10 0x471c21 0x4713ee 0x4713f8 0x47185b 0x471865 0x47143f 0x47197d 0x471987 0x4719c1 0x471b64 0x471b6e 0x471a0d 0x471526 0x4716ff 0x471837 0x471601 0x47160b 0x471718 0x47174e 0x47178b 0x4717c3 0x4717dd 0x471823 0x47182b 0x4718b2 0x4718e0 0x47192e 0x471768 0x471aeb 0x471aee 0x471b10 0x471b23 0x471b1c 0x471b26 0x4717ad 0x4717b7 0x4717fd 0x471af8 0x471b02 0x471738 0x471742 0x4718ca 0x4718d4 0x4718f3 0x47146d 0x471c41 0x471c60 0x471c7f 0x471c97 0x471c9c 0x471cdc 0x471cbd 0x471ce6 0x471caa 0x471cb3 0x471cb7 0x471cc3 0x471cc8 0x471ceb 0x471cf7 0x471d0d 0x471d15 0x471d20 0x471d24 0x471d2b 0x471d2f 0x471d0e 0x471cf1 0x471d19 0x471d36
- Windows API calls issued from malware code
  1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x471d07
  2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x471d25
  3. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x471d36
- CFG at exit
  - dot file
  - jpg

MD5 checksum	8557ba5f7fc497e139d395c3910984d5
Anti-virus name	W32/VB-Downloader-Minimi-based!Maximus,Trojan.Downloader-25610,Trojan.Generic.1208180

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40104c
Windows API calls issued from malware code
1. ThunRTMain at 0x7342de3e in MSVBVM60.DLL called from 0x401044
Stack trace at network call
1. THREAD ID=#1868
2. Frame pc=0x7c90eb94 function KiFastSystemCall at 7c90eb8b in mod ntdll.dll
3. Frame pc=0x7c90e9ab function ZwWaitForMultipleObjects at 7c90e99f in mod ntdll.dll
4. Frame pc=0x7c8094f2 function WaitForMultipleObjectsEx at 7c80952a in mod kernel32.dll
5. Frame pc=0x77d4bbfe function targbb25 at 77d4bb25 in mod USER32.dll
6. Frame pc=0x77d4bbfe function targbb25 at 77d4bb25 in mod USER32.dll
7. Frame pc=0x77d4bcad function MsgWaitForMultipleObjects at 77d4bc8e in mod USER32.dll
8. Frame pc=0x774f207b function CoTaskMemAlloc at 774f2068 in mod ole32.dll
9. Frame pc=0x77dde32e function targe280 at 77dde280 in mod ADVAPI32.dll
10. THREAD ID=#2036
11. Frame pc=0x7c919994 function targ198d3 at 7c9198d3 in mod ntdll.dll
12. Frame pc=0x7c91d690 function targ1d5b7 at 7c91d5b7 in mod ntdll.dll
13. Frame pc=0x7c91b1ea function targ1b0f3 at 7c91b0f3 in mod ntdll.dll
14. Frame pc=0x7c91b1ea function targ1b0f3 at 7c91b0f3 in mod ntdll.dll
15. Frame pc=0x7c91b0e1 function targ1b0b8 at 7c91b0b8 in mod ntdll.dll
16. Frame pc=0x7c9153f5 function RtlFindActivationContextSection at 7c915319 in mod ntdll.dll
17. THREAD ID=#2040
18. Frame pc=0x7c90eb94 function KiFastSystemCall at 7c90eb8b in mod ntdll.dll
19. Frame pc=0x7c90d85c function ZwDelayExecution at 7c90d850 in mod ntdll.dll
20. Frame pc=0x7c9279d4 function targ2798d at 7c92798d in mod ntdll.dll
21. THREAD ID=#124
22. Frame pc=0x7c90eb94 function KiFastSystemCall at 7c90eb8b in mod ntdll.dll
23. Frame pc=0x7c90e9c0 function ZwWaitForSingleObject at 7c90e9b4 in mod ntdll.dll
24. Frame pc=0x7c91901b function RtlpWaitForCriticalSection at 7c918f8f in mod ntdll.dll
25. Frame pc=0x7c90104b function RtlEnterCriticalSection at 7c901005 in mod ntdll.dll
26. Frame pc=0x7c927357 function targ18d66 at 7c918d66 in mod ntdll.dll
27. Frame pc=0x7c90eac7 function KiUserApcDispatcher at 7c90eac0 in mod ntdll.dll
CFG at network call
- dot file
- jpg

MD5 checksum	8687708d1b10b1ce61d9b09068687eeb
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable),Trojan.Spy-49299,Trojan.Generic.485031

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401018 0x4010d8 0x4147b3 0x41476b 0x414783 0x41479f 0x4147b1 0x4147bc 0x4147c6 0x4147fe 0x41473b 0x414792 0x414741 0x4147a7 0x414747 0x414803 0x4148fd 0x41480b 0x41481c 0x41481e 0x414822 0x414824 0x414828 0x41482a 0x414806 0x4147df 0x4147ef 0x4147f5 0x4147e2 0x4147fc 0x414860 0x41474a 0x41474e 0x414760 0x414738 0x414767 0x414874 0x41487f 0x41488d 0x414893 0x4148aa 0x4148c7 0x4147a0 0x4148ca 0x4148af 0x4148c1 0x4148c1 0x4148cc 0x4148d5 0x4148e2 0x4148e4 0x4148ea 0x4148ed 0x414755 0x414755 0x41487d 0x41487d
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	88b0be5ea765f3de19627bdd31b7aafa
Anti-virus name	W32/Trojan2.COUF (exact, not disinfectable),Trojan.Agent-40358,Trojan.Vundo.FQQ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x1005d3c 0x1005d49 0x1005d51 0x1005d58 0x1005d5c 0x1005d61 0x1005d73 0x1005d74 0x1005d7a 0x1005d88 0x1005d94 0x1005d97 0x1005da3 0x1002b78 0x1002b80 0x1002b98 0x1002ba0 0x1002ba7 0x1002bcb 0x1004f0a 0x1004f16 0x1004f27 0x1003682 0x1003684 0x1005e37 0x1005e3f 0x1003692 0x100502a 0x100504c 0x10043d7 0x10043fb 0x1004404 0x1004413 0x1004453 0x1004458 0x1004474 0x1004480 0x100468b 0x100468c 0x10046a0 0x1003f61 0x1003f8b 0x1003fbe 0x1003fc9 0x10046c7 0x10046f4 0x1004731 0x1004779 0x1003ecb 0x1003f19 0x1003f37 0x1003087 0x1003091 0x100309e 0x1005da9
Windows API calls issued from malware code
1. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x1005d43
2. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1005d82
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1005d9d
4. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002b76
5. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002b7a
6. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002b96
7. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002b9a
8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002ba1
9. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002bc5
10. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1004f04
11. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1004f10
12. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1005024
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10043d1
14. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1003f5b
15. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1003fb8
16. LocalFree at 0x7c80995d in kernel32.dll called from 0x1003fc3
17. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x10046c1
18. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100472b
19. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004773
20. wsprintfA at 0x77d4a2de in USER32.dll called from 0x10036e7
21. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1005daa
CFG at exit
- dot file
- jpg

MD5 checksum	8b1d594e27824f16e68ec80d88d365fd
Anti-virus name	W32/Backdoor2.CGNF (exact),GenPack:Trojan.Spyone.A

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x425290 0x425299 0x42529f 0x4252f7 0x425307 0x425314 0x4252a4 0x42532f 0x425346 0x425357 0x42535a 0x425030 0x425371 0x425391 0x425392 0x42539f 0x4253a8 0x4253bb 0x425000 0x42500e 0x425023 0x42502d 0x4253df 0x4253e7 0x4253f2 0x425405 0x425458 0x42546b 0x42546e 0x425b76 0x425b7b 0x42547e 0x425487 0x42505f 0x425063 0x425072 0x425497 0x42549e 0x425073 0x42508f 0x42509e 0x4250a5 0x4250a9 0x425142 0x4250bd 0x4250c8 0x4250db 0x4250df 0x4250e3 0x4250e9 0x4250f9 0x42511d 0x425125 0x425133 0x42512d 0x4250c1 0x425101 0x425109 0x42510d 0x425155 0x425157 0x4254ad 0x4254bc 0x4254e2 0x4254f0 0x4254ed 0x4253ae 0x425503 0x425504 0x42550b 0x42551b 0x42552a 0x42553c 0x425562 0x425568 0x42556b 0x42557e 0x4255ae 0x4255c8 0x4255e0 0x425550 0x42552c 0x42555a 0x42555c 0x4252c3 0x4259c0 0x4259d0 0x425a95 0x425914 0x425923 0x42592d 0x425961 0x42504e 0x425972 0x425975 0x4259bb 0x41804c 0x418054 0x41805b 0x404cfc 0x404b50 0x404bc2 0x404d34 0x4051d8 0x405210 0x405300 0x40c63c 0x4053a8 0x40c99c 0x40c9b4 0x40cb60 0x40cb73 0x40d974 0x40dc00 0x40dc88 0x40dcf8 0x40dd68 0x40e124 0x40e6e8 0x40ea3c 0x40eab4 0x40eb68 0x40eb20 0x40f46c 0x40f47a 0x40f4bc 0x410244 0x410298 0x410554 0x411568 0x403e64 0x403e68 0x403e6b 0x4040b4 0x4040b9 0x4040c0 0x4040c3 0x4040c7 0x4040cd 0x4040e2 0x4040d1 0x403cb0 0x403c84 0x403c88 0x402524 0x402529 0x401f5c 0x401f70 0x401870 0x40188b 0x40189e 0x401234 0x4018b2 0x4018bc 0x4018c8 0x4018d6 0x4018db 0x4018ef 0x401905 0x401925 0x401f8b 0x401fac 0x401fbc 0x401fc8 0x401fd1 0x40205b 0x4020ad 0x401e68 0x401e78 0x401e87 0x401e90 0x401e93 0x401e9b 0x401ea8 0x401eb0 0x401e3c 0x401e45 0x401e4f 0x401e5d 0x401e65 0x401ebd 0x401ddc 0x401630 0x401684
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4252f1
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x425305
3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x425312
4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x425329
5. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x425351
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4253ff
7. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4254b6
8. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x425536
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4255c2
10. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x404bc4
11. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x4030c0
12. WSAStartup at 0x71ab664d in WS2_32.dll called from 0x405368
13. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x404f1c
14. AtlModuleInit at 0x76b22d85 in ATL.DLL called from 0x7c809fb8
15. AtlModuleInit at 0x76b22d8b in ATL.DLL called from 0x7c809fb8
16. AtlModuleInit at 0x76b22d91 in ATL.DLL called from 0x7c809fb8
17. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4011a4
- dot file
- jpg

MD5 checksum	8ddf7d999327e578fc86826fde5f6964
Anti-virus name	W32/Downldr2.DHON (exact),Trojan.Generic.680306

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4172ba 0x40012c 0x400169 0x40016d 0x400173 0x40017c 0x400180 0x4001c0 0x412005 0x412009 0x412003 0x4001a8 0x400191 0x400194 0x4001ca 0x4001cf 0x417536 0x417547 0x417554 0x4172d3 0x4172d3 0x4172e2 0x4172e2 0x4172f8 0x4172f8 0x4172fb 0x4172fb 0x417309 0x417309 0x41730d 0x41730d 0x417315 0x417315 0x417319 0x417319 0x417321 0x417321 0x417331 0x417331 0x417334 0x417334 0x417336 0x417336 0x41733f 0x41733f 0x417356 0x417356 0x417378 0x417378 0x417391 0x417391 0x417395 0x417395 0x4173b8 0x4173b8 0x4173d1 0x4173d1 0x4173d4 0x4173d4 0x4173d7 0x4173d7 0x4173e8 0x4173e8 0x4173ec 0x4173ec 0x4173fa 0x4173fa 0x417401 0x417401 0x417402 0x417402 0x417411 0x417411 0x41742a 0x41742a 0x41742b 0x41742b 0x417439 0x417439 0x417449 0x417449 0x41744a 0x41744a 0x417453 0x417453 0x41747a 0x41747a 0x41747f 0x41747f 0x417483 0x417483 0x41748b 0x41748b 0x4174a8 0x4174a8 0x4174ae 0x4174ae 0x4174b3 0x4174b3 0x4174b7 0x4174b7 0x4174c4 0x4174c4 0x4174c8 0x4174c8 0x4174d1 0x4174d1 0x4174dc 0x4174dc 0x4174e0 0x4174e0 0x4174f4 0x4174f4 0x4174f6 0x4174f6 0x417500 0x417500 0x417505 0x417505 0x41751b 0x41751b 0x417520 0x417520 0x41752e 0x41752e 0x417531 0x417531 0x417597 0x417597 0x41759c 0x41759c 0x4175b7 0x4175b7 0x4175bf 0x4175bf 0x4175db 0x4175db 0x4175df 0x4175df 0x4175e4 0x4175e4 0x4175e9 0x4175e9 0x4175ec 0x4175ec 0x4175f2 0x4175f2 0x41760b 0x41760b 0x417614 0x417614 0x417619 0x417619 0x41761c 0x41761c 0x41762b 0x41762b 0x417635 0x417635 0x417638 0x417638 0x417640 0x417640 0x417656 0x417656 0x41765f 0x41765f 0x41766e 0x41766e 0x417675 0x417675 0x417686 0x417686 0x41768a 0x41768a 0x4176a6 0x4176a6 0x4176b4 0x4176b4 0x4176c0 0x4176c0 0x4176c4 0x4176c4 0x4176c9 0x4176c9 0x4176d8 0x4176d8 0x4176dc 0x4176dc 0x4176e1 0x4176e1 0x4176ea 0x4176ea 0x4176f0 0x4176f0 0x4176f5 0x4176f5 0x417706 0x417706 0x41771e 0x41771e 0x41774e 0x41774e 0x417756 0x417756 0x417759 0x417759 0x41776f 0x41776f 0x417774 0x417774 0x417788 0x417788 0x417799 0x417799 0x41779e 0x41779e 0x4177a2 0x4177a2 0x4177ad 0x4177ad 0x4177c1 0x4177c1 0x4177c3 0x4177c3 0x4177c4 0x4177c4 0x4177cc 0x4177cc 0x4177d0 0x4177d0 0x4177f0 0x4177f0 0x4177f5 0x4177f5 0x417801 0x417801 0x417806 0x4001e1 0x4001f8 0x4001fd 0x4026c8 0x4026d3 0x401966 0x402016 0x401f6c 0x402031 0x40203e 0x402049 0x4020c6 0x4021ac 0x4021e8 0x40229d 0x4022c1 0x40236a 0x4023b0 0x4023ca 0x4023d9 0x4023ff 0x402413 0x40241c 0x402441 0x402461 0x40246f 0x402478 0x402498 0x4025ba 0x40262d 0x40fcc0 0x401d20 0x401d35 0x401d53 0x40b9d6
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4026c2
4. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4026cd
5. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401960
6. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x402010
7. lstrlen at 0x7c80c6e0 in kernel32.dll called from 0x401f66
8. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40202b
9. lstrlen at 0x7c80c6e0 in kernel32.dll called from 0x40203c
10. lstrlen at 0x7c80c6e0 in kernel32.dll called from 0x402047
11. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x4020c0
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4021aa
13. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4021e6
14. lstrlen at 0x7c80c6e0 in kernel32.dll called from 0x402297
15. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4022bf
16. lstrlen at 0x7c80c6e0 in kernel32.dll called from 0x402364
17. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x4023ae
18. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x4023c8
19. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4023d7
20. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x4023fd
21. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x402411
22. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40241a
23. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40243b
24. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40245f
25. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x40246d
26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x402476
27. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x402492
28. lstrlen at 0x7c80c6e0 in kernel32.dll called from 0x4025b4
29. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x401d2f
- dot file
- jpg

MD5 checksum	905cf88157d347e82ed332fc1081f11d
Anti-virus name	W32/Turkojan.C.gen!Eldorado (generic, not disinfectable),Trojan.Truko-431,Backdoor.Turkojan.BY

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x44ec70 0x44ec88 0x44ec8d 0x44ed54 0x44ed58 0x44ed62 0x44ed82 0x44ed8c 0x44ed9b 0x44edac 0x44edea 0x44ee03 0x44ef27 0x44ef52 0x44ef67 0x44ef1f 0x44ef80 0x44ef98 0x44efb8 0x44f6e0 0x44edd2 0x44eddc 0x44ef3a 0x44ef44 0x44efe0 0x44f023 0x44f08f 0x44f0c7 0x44f0e5 0x44f139 0x44f1af 0x44f2e7 0x44f303 0x44f321 0x44f333 0x44f3d4 0x44f40d 0x44f41a 0x44f445 0x44f459 0x44f486 0x44f42d 0x44f437 0x44f471 0x44f491 0x44f698 0x44f6a9 0x44f6c0 0x44f6d1 0x44ee5d 0x44ee74 0x44eeb6 0x44eef1 0x44efc5 0x44efcc 0x44f03d 0x44f4b1 0x44f4c2 0x44f4e1 0x44f4f4 0x44f4fe 0x44f50c 0x44f520 0x44f54d 0x44f538 0x44f558 0x44f68e 0x44ef11 0x44ee9e 0x44eea8 0x44eece 0x44eeef 0x44f567 0x44f57f 0x44f5f1 0x44f5fe 0x44f62c 0x44f65c 0x44f67b 0x44f641 0x44f614 0x44f61e 0x44f1c8 0x44f1fe 0x44f23b 0x44f273 0x44f2ad 0x44f2d3 0x44f2db 0x44f362 0x44f37a 0x44f384 0x44f390 0x44f3de 0x44efd6 0x44f28d 0x44f30b 0x44f315 0x44f218 0x44f00d 0x44f017 0x44f123 0x44f12d 0x44f0b1 0x44f0bb 0x44f3a3 0x44f4bd 0x44f14f 0x44f175 0x44f59b 0x44f59e 0x44f5a8 0x44f5b2 0x44f5c0
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	9071f687d0f88adfb0ffde540b09c03b
Anti-virus name	W32/Hupigon.C.gen!Eldorado (generic, not disinfectable),Trojan.Hupigon-23250,Backdoor.Hupigon.AXRD

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4c4dca 0x50977f 0x50970d 0x509041 0x509109 0x5090ee 0x509207 0x509193 0x50965a 0x50962b 0x509618 0x5096ba 0x5091a2 0x50906b 0x50917b 0x509670 0x50902d 0x50908b 0x5090e1 0x4c4bc3 0x4c4bc9 0x4c4bef 0x4c4c2c 0x4c4c34 0x4c4c3f 0x4c4eeb 0x4c4ef7 0x4c4ef8 0x4c4f6a 0x4c4f6e 0x4c4f73 0x4c4eff 0x4c4f06 0x4c4f08 0x4c4f0f 0x4c4f11 0x4c4f13 0x4c4f18 0x4c4f1c 0x4c4f1e 0x4c4f32 0x4c4f37 0x4c4f60 0x4c4f5f 0x4c4f21 0x4c4f76 0x4c4f77 0x4c4f7c 0x4c4f83 0x4c4f85 0x4c4f3e 0x4c4f74 0x4c4f4b 0x4c4f52 0x4c4f59 0x4c4f5e 0x4c4f29 0x4c4f30 0x4c4f86 0x4c4c5c 0x4c4c7c 0x9a05a9 0x9a05c9 0x9a05d5 0x9a05e3 0x9a05e9 0x9a0605 0x9a0628 0x9a0297 0x9a02f9 0x9a02fd 0x9a030f 0x9a0017 0x9a0032 0x9a0000 0x9a0011 0x9a0037 0x9a0048 0x9a0327 0x9a033a 0x9a0093 0x9a00ac 0x9a00e8 0x9a012e 0x9a0353 0x9a037e 0x9a0394 0x9a03ba 0x9a01ad 0x9a01b7 0x9a01c4 0x9a00ec 0x9a012b 0x9a00cf 0x9a00d6 0x9a01cd 0x9a0433 0x9a058b 0x9a0112 0x9a0119 0x9a03c9 0x9a03de 0x9a03e9 0x9a03f5 0x9a03fc 0x9a040d 0x9a0411 0x9a041a 0x9a0384 0x9a0389 0x9a0391 0x9a039a 0x9a01d1 0x9a01e0 0x9a01fd 0x9a0205 0x9a0221 0x9a020f 0x9a021d 0x9a0229 0x9a0486 0x9a0232 0x9a023d 0x9a0241 0x9a0131 0x9a0142 0x9a0146 0x9a0154 0x9a015b 0x9a015c 0x9a0292 0x9a055d 0x9a0563 0x9a056b 0x9a0577 0x9a0586 0x9a04b0 0x9a04e2 0x9a04ed 0x9a0503 0x9a0508 0x9a0520 0x9a052c 0x9a016b 0x9a0184 0x9a0185 0x9a0193 0x9a01a3 0x9a01a4 0x9a0556 0x9a038e 0x9a0441 0x9a044d 0x9a0456 0x9a0465 0x9a046e 0x9a0477 0x9a047d 0x9a0551 0x9a0257 0x9a0261 0x9a0266 0x9a027c 0x9a04ea 0x9a0451 0x9a0281 0x9a028f 0x9a0469 0x9a0535 0x9a004c 0x9a005b 0x9a005e 0x9a006b 0x9a0083 0x9a0066 0x9a0086 0x9a0087 0x9a0073 0x9a007b 0x9a020d 0x9a0597 0x9a0599 0x9a0647 0x9a064d 0x9a064e 0x9a065b 0x9a065f 0x4c4cab 0x4c4cbe 0x4c4cd3 0x4c4cd8 0x4c4cdc 0x4c4ce4 0x4c4cea 0x4c4d02 0x4c4d12 0x4c4e41
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4c4c26
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x9a0625
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x9a0658
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4c4cb8

MD5 checksum	90b5316b2941cca9a1262fb6067d1412
Anti-virus name	W32/Trojan.AGWR (exact),Trojan.Spy-5345,Trojan.Zapchast.CX

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x10003ed8 0x10001d7c 0x10001030 0x10001d8d 0x10001d70 0x10001bd4 0x10001d7a 0x10001daf 0x10001570 0x10001554 0x1000155d 0x10001500 0x1000151c 0x1000152a 0x10001dfc 0x1000152c 0x10001530 0x1000154b 0x10001c58 0x10001c61 0x10001000 0x10001c66 0x10001bac 0x10001bb3 0x10001bc0 0x10001c95 0x10001078 0x10001d7c 0x10001030 0x10001d8d 0x10001d70 0x10001bd4 0x10001d7a 0x10001daf 0x10001570 0x10001554 0x1000155d 0x10001500 0x1000151c 0x1000152a 0x10001dfc 0x1000152c 0x10001530 0x1000154b 0x10001c58 0x10001c61 0x10001000 0x10001c66 0x10001bac 0x10001bb3 0x10001bc0 0x10001c95 0x10001078
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x10001030
2. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x10001000
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x10001078
CFG at exit
- dot file
- jpg

MD5 checksum 91abb684f6c402ae5fa83ab5f8459c5e

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x41bfd0 0x41bfd0 0x41bff2 0x41bff2 0x41bff9 0x41bff9 0x41bfe8 0x41bfe8 0x41bfee 0x41bfee 0x41bffb 0x41bffb 0x41c000 0x41c000 0x41c00b 0x41c00b 0x41c011 0x41c011 0x41c01c 0x41c01c 0x41c023 0x41c023 0x41c02e 0x41c02e 0x41c030 0x41c030 0x41c03b 0x41c03b 0x41c048 0x41c048 0x41c06c 0x41c06c 0x41c07d 0x41c07d 0x41c086 0x41c086 0x41c041 0x41c041 0x41c08c 0x41c08c 0x41c09b 0x41c09b 0x41c034 0x41c034 0x41c04c 0x41c04c 0x41c04d 0x41c04d 0x41c058 0x41c058 0x41c05e 0x41c05e 0x41c069 0x41c069 0x41c013 0x41c013 0x41c051 0x41c051 0x41c004 0x41c004
- Windows API calls issued from malware code
- CFG at exit
  - dot file
  - jpg

MD5 checksum	923ec70a8bb9517d507d7570d59ab5b0
Anti-virus name	W32/Trojan2.DUUS (exact),Trojan.Inject-1639,Trojan.Generic.469476

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x401000 0x401006 0x401039 0x401024 0x401050 0x40103d 0x40106f 0x4010a6 0x40107a 0x4010b9 0x4010af 0x4010dc 0x4010bc 0x4010ed 0x4015b3 0x401161 0x401164 0x40119b 0x401172 0x4011ac 0x40119d 0x4011cb 0x4011ae 0x4011db 0x40120c 0x4011e7 0x40121c 0x401006 0x401039 0x401024 0x401050 0x40103d 0x40106f 0x4010a6 0x40107a 0x4010b9 0x4010af 0x4010dc 0x4010bc 0x4010ed 0x4015b3 0x401161 0x401164 0x40119b 0x401172 0x4011ac 0x40119d 0x4011cb 0x4011ae 0x4011db 0x40120c 0x4011e7 0x40121c
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	92b98185c3f94e0b4c04c49062224745
Anti-virus name	Adware.Zeno,Trojan.Dropper.Zeno.A

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x406732 0x406747 0x406755 0x40676e 0x406782 0x406876 0x406892 0x406885 0x406787 0x406870 0x406796 0x4067ba 0x4068de 0x4068b0 0x4068f6 0x401230 0x401240 0x401020 0x40649a 0x401270 0x401280 0x4064ac 0x4012b0 0x4012c0 0x406494 0x4012f0 0x401300 0x401330 0x401340 0x401370 0x401380 0x4013b0 0x4013c0 0x4013f0 0x401400 0x401430 0x401440 0x401470 0x401480 0x4014b0 0x4014c0 0x4014f0 0x401500 0x401530 0x401540 0x401570 0x401580 0x4015b0 0x4015c0 0x4015f0 0x401600 0x401630 0x401640 0x401670 0x401680 0x4016b0 0x4016c0 0x4016f0 0x401700 0x401730 0x401740 0x401770 0x401780 0x4017b0 0x4017c0 0x4017f0 0x401800 0x401830 0x401840 0x401870 0x401880 0x4018b0 0x4018c0 0x4018f0 0x401900 0x401930 0x401940 0x401970 0x401980 0x4019b0 0x4019c0 0x4019f0 0x401a00 0x401a30 0x401a40 0x401a70 0x401a80 0x405fd0 0x406638 0x401b00 0x401b10 0x406200 0x406210 0x4067c9 0x4067db 0x4067e5 0x4067e9 0x4067ee 0x4067f2 0x4067fc 0x406809 0x406820 0x406823 0x40682d 0x406898 0x4068f0 0x406732 0x406747 0x406755 0x40676e 0x406782 0x406876 0x406892 0x406885 0x406787 0x406870 0x406796 0x4067ba 0x4068de 0x4068b0 0x4068f6 0x401230 0x401240 0x401020 0x40649a 0x401270 0x401280 0x4064ac 0x4012b0 0x4012c0 0x406494 0x4012f0 0x401300 0x401330 0x401340 0x401370 0x401380 0x4013b0 0x4013c0 0x4013f0 0x401400 0x401430 0x401440 0x401470 0x401480 0x4014b0 0x4014c0 0x4014f0 0x401500 0x401530 0x401540 0x401570 0x401580 0x4015b0 0x4015c0 0x4015f0 0x401600 0x401630 0x401640 0x401670 0x401680 0x4016b0 0x4016c0 0x4016f0 0x401700 0x401730 0x401740 0x401770 0x401780 0x4017b0 0x4017c0 0x4017f0 0x401800 0x401830 0x401840 0x401870 0x401880 0x4018b0 0x4018c0 0x4018f0 0x401900 0x401930 0x401940 0x401970 0x401980 0x4019b0 0x4019c0 0x4019f0 0x401a00 0x401a30 0x401a40 0x401a70 0x401a80 0x405fd0 0x406638 0x401b00 0x401b10 0x406200 0x406210 0x4067c9 0x4067db 0x4067e5 0x4067e9 0x4067ee 0x4067f2 0x4067fc 0x406809 0x406820 0x406823 0x40682d 0x406898 0x4068f0
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x40672c
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x406741
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x40674f
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x406892
5. initterm at 0x77c39d67 in msvcrt.dll called from 0x406870
6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x4067b4
7. targ982d6 at 0x73e682d6 in MFC42.DLL called from 0x4068f6
8. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x406803
9. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x406827
CFG at exit
- dot file
- jpg

MD5 checksum 93be1fe693f3ece9cc4cabc8322bc65a

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x404f31 0x404f5d 0x405263 0x405129 0x404f9d 0x4079e2 0x407ae1 0x407aef 0x407b26 0x404fab 0x407851 0x40786c 0x40786e 0x407874 0x4078a8 0x4078b8 0x4078bf 0x4078c6 0x4078cd 0x4078e6 0x4078ec 0x4078f2 0x4078fb 0x407908 0x40791a 0x40791e 0x407925 0x40797c 0x406bd3 0x406c10 0x406e1b 0x4089f9 0x408a7f 0x408ad5 0x408ae7 0x4070f3 0x407190 0x4071e8 0x4071fe 0x407299 0x4072be 0x406d4f 0x40762d 0x40754b 0x40755d 0x407565 0x40756b 0x407570 0x407030 0x407050 0x407068 0x40706f 0x407073 0x40707a 0x407083 0x407576 0x407097 0x40703c 0x407043 0x40704b 0x40708d 0x40756f 0x4070a1 0x40757d 0x40758a 0x40759f 0x4075a9 0x4075aa 0x4075b0 0x4075db 0x4075b9 0x4075bf 0x4075ce 0x406a10 0x406a81 0x406a8d 0x406a94 0x406a9f 0x406aa6 0x406aa1 0x406ac0 0x406ac4 0x406ac8 0x406ae2 0x4075d6 0x406ad0 0x406ada 0x406af8 0x4075e1 0x4075e2 0x40492e 0x40493a 0x40495a 0x404985 0x404986 0x404994 0x40428f 0x40429a 0x404377 0x40437c 0x404382 0x40438a 0x404388 0x40438f 0x4042b8 0x404fd6 0x4074f3 0x407501 0x40750e 0x407516 0x40751a 0x408bfe 0x408c0f 0x408c20 0x408c35 0x408c37 0x408c3b 0x408c0b 0x40752b 0x407530 0x40753d 0x407547 0x404fea 0x404fed 0x404ff9 0x403378
- Windows API calls issued from malware code
  1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x404f57
  2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40525d
  3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x405123
  4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4045d5
  5. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4079dc
  6. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x407adb
  7. GetFileType at 0x7c811069 in kernel32.dll called from 0x407ae9
  8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x407b20
  9. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x404fa5
  10. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40786c
  11. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4078e4
  12. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x407906
  13. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40791f
  14. GetACP at 0x7c809943 in kernel32.dll called from 0x406d8a
  15. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x406c0a
  16. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x406e15
  17. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4089f3
  18. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x408a79
  19. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x408acf
  20. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x408ae1
  21. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4070ed
  22. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40718a
  23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4071e2
  24. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4071f8
  25. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x407293
  26. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4072b8
  27. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x407627
  28. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40498e
  29. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x404fd0
  30. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x404ff3
  31. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x403372
  32. OleInitialize at 0x7752949b in ole32.dll called from 0x40371b
- CFG at exit
  - dot file
  - jpg

MD5 checksum	940d24de51296709ead002014ae37c40
Anti-virus name	W32/Amang.A.gen!Eldorado (generic, not disinfectable),Trojan.Agent-19530,Worm.Autorun.VB.X

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x41c610 0x41c631 0x41c636 0x41c6fc 0x41c700 0x41c70a 0x41c72a 0x41c734 0x41c743 0x41c754 0x41c792 0x41c7ab 0x41c8cf 0x41c8fa 0x41c90f 0x41c8c7 0x41c8e2 0x41c8ec 0x41c940 0x41c960 0x41d088 0x41c988 0x41c9cb 0x41ca37 0x41ca6f 0x41ca8d 0x41cae1 0x41cb57 0x41cc8f 0x41ccab 0x41ccc9 0x41cd0a 0x41cd38 0x41cd86 0x41cdb5 0x41cdc2 0x41cded 0x41ce01 0x41ce2e 0x41cdd5 0x41cddf 0x41ce19 0x41ce39 0x41d040 0x41d051 0x41d068 0x41d079 0x41c805 0x41c81c 0x41c846 0x41c850 0x41c85e 0x41c899 0x41c928 0x41c96d 0x41c974 0x41c77a 0x41c784 0x41c9e5 0x41ccdb 0x41cd7c 0x41ce59 0x41ce6a 0x41ce89 0x41ceb4 0x41cec8 0x41cef5 0x41cee0 0x41cf00 0x41cf0f 0x41cf27 0x41cf99 0x41cfa6 0x41cfd4 0x41d004 0x41d023 0x41d036 0x41c876 0x41c8b9 0x41c897 0x41ccb3 0x41ccbd 0x41c9b5 0x41c9bf 0x41cacb 0x41cad5 0x41cb70 0x41cba6 0x41cbc0 0x41cc83 0x41c97e 0x41cfe9 0x41caf7 0x41cb1d 0x41ca59 0x41ca63 0x41ce9c 0x41cea6 0x41ce65 0x41cbe3 0x41cc1b 0x41cc55 0x41cc7b 0x41cfbc 0x41cfc6 0x41cd4b 0x41cf43 0x41cf46 0x41cf68 0x41cf7b 0x41cf74 0x41cf7e 0x41cc35 0x41cf50 0x41cf5a 0x41c8c5 0x41cd22 0x41cd2c 0x41cb90 0x41cb9a 0x41cc05 0x41cc0f 0x41d099 0x41d0b8 0x41d0d7 0x41d0ef 0x41d0f4 0x41d100 0x41d105 0x41d109 0x41d10e 0x41d12c 0x41d138 0x41d14e 0x41d156 0x41d15a 0x41d161 0x41d165 0x41d16c 0x41d177
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x41d148
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41d166
3. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x41d177

MD5 checksum	95275c48b92e3889378ee1513f651c86
Anti-virus name	W32/Downldr2.DJCC (exact),Trojan.Downloader-50772,Trojan.Downloader.Banload.NXI

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4405cc 0x4405d4 0x4405db 0x406899 0x440000 0x440094 0x440098 0x4400ac 0x405c4b 0x404920 0x4048f4 0x40196c 0x401984 0x401996 0x4019bc 0x401a40 0x401a84 0x401b00 0x401b34 0x401658 0x4015ec 0x4015f5 0x401660 0x401673 0x401677 0x401b3f 0x401b55 0x402e6a 0x401b22 0x401b24 0x4019ca 0x4030d5 0x4030d7 0x4030db 0x4030ac 0x4030c4 0x4030cf 0x40453d 0x403900 0x403cec 0x40c4a5 0x40c5ab 0x40c5af 0x40c5e3 0x40c5ec 0x404aa0 0x404aab 0x404aad 0x40c5ff 0x40d3b3 0x40d3c4 0x40305e 0x403125 0x40c26a 0x40c272 0x40c298 0x4085bc 0x408568 0x408576 0x40857b 0x404cc0 0x404cc4 0x408584 0x40858a 0x408593 0x40877a 0x408772 0x408779 0x408776 0x40859c 0x4085ae 0x408781 0x4085a0 0x40c67c 0x40c69c 0x4085a9 0x4085b3 0x4085cf 0x404d28 0x404d2d 0x404d34 0x404d37 0x404d3b 0x404d41 0x404d56 0x404d45 0x404d50 0x404d63 0x4085e1 0x40c2a9 0x40c2f2 0x40be04 0x40be10 0x40be18 0x408ff4 0x409020 0x409046 0x40904b 0x409052 0x409058 0x40905d 0x4088c0 0x4088ed 0x4088f1 0x4088f6 0x408904 0x408908 0x40890d 0x408913 0x40891f 0x4089a2 0x4089a8 0x4089ac 0x4089e9 0x408924 0x408932 0x408948 0x4089ea 0x4089fb 0x408a0a 0x408b83 0x408b8c 0x408018 0x408033 0x408035 0x408045 0x408042 0x40804b 0x408063 0x408955 0x40895d 0x40895f 0x40896f 0x408979 0x408987 0x408999 0x4088e9 0x408b47 0x408b50 0x408b56 0x408b5e 0x408053 0x40805e 0x40805b 0x408061 0x4088fa 0x408c27 0x408c17 0x408c24 0x408c2c 0x409079 0x40908e 0x4090e3 0x4090f3 0x409003 0x40be3d 0x404884 0x404888 0x4048a8 0x4048ac 0x4048c6 0x40be48 0x404836 0x404842 0x40be5d 0x40be65 0x40be6b 0x40be70 0x40be7a 0x402e7c 0x402e80 0x401cf0 0x401d05 0x401d0b 0x401d40 0x401d57 0x401d5a 0x401df1 0x401dfd 0x401e0b 0x401e12 0x401e18 0x401e20 0x40158c 0x4015c0 0x401e33 0x402e86 0x402e8a 0x401e58 0x401e67 0x40154c 0x40155c 0x40157a 0x401e6e 0x401d14 0x401d28 0x404848 0x404851 0x40683c 0x40684b 0x404410 0x40441f 0x40443a 0x404449 0x40dc0c 0x40dc29 0x40d840 0x403968 0x403973 0x40d84d 0x40dc33 0x406114 0x406124 0x40612b 0x406143 0x406172 0x40d90c 0x40d919 0x40d932 0x40d938 0x40dc42 0x40d384 0x40d39f 0x40d3a4 0x40dc47 0x40c500 0x40c509 0x40bf54 0x40bf5a 0x40391c 0x4039cc 0x4039d2 0x4039e5 0x4039de 0x4052c0 0x4052d2 0x40530c 0x405315 0x40534f 0x405356 0x40535b 0x4053f1 0x4053f5 0x4052e5 0x4052eb 0x4039e3 0x4039e9 0x403926 0x401d21 0x40392d 0x40bf5f 0x40c51c 0x40c523 0x40c52c 0x40396c 0x403958 0x403d1c 0x403d21 0x403d28 0x40395d 0x403961 0x403cc4 0x403cc9 0x403966 0x40c53f 0x40c546 0x402ee4 0x402ee9 0x402ef2 0x402ef7 0x40c581 0x40c585 0x402f04 0x402f09 0x402f12 0x402f17 0x40c58a 0x40c590 0x40c46c 0x40bd00 0x40bb78 0x406d54 0x40bb9a 0x40bba6 0x406c94 0x40bbbe 0x40bbe5 0x40cacc 0x40cb00 0x40cb10 0x40cb16 0x40c6a0 0x40c6b2 0x40cb21 0x40cb3a 0x40cadc 0x40cae4 0x40cae8 0x40caf4 0x40cafa 0x40bbfb 0x4086f8 0x408707 0x40870b 0x40870c 0x40bc0e 0x403af4 0x403afe 0x403b80 0x403b84 0x403b7e 0x403b8c 0x403b07 0x403b10 0x40bc25 0x40bc29 0x40bc31 0x4086a4 0x4086a9 0x4086b3 0x4086bd 0x4086c1 0x4086ca 0x40bc3a 0x40bc3e 0x40bc45 0x40bc4a 0x40bc69 0x406d94
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4067c4
2. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x403728
3. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401274
4. RegOpenKeyExA at 0x77dd761b in ADVAPI32.dll called from 0x4012cc
5. LoadStringA at 0x77d6ec98 in USER32.dll called from 0x4012a4
6. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x401340
7. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x406cd4
8. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x406ca4
9. GetThreadLocale at 0x7c80a405 in kernel32.dll called from 0x406cbc
10. GetSystemMetrics at 0x77d48f75 in USER32.dll called from 0x406d8c
11. VirtualQuery at 0x7c80b859 in kernel32.dll called from 0x406d54

MD5 checksum	9553245d9fceb80b7a302ddf29dec5dc
Anti-virus name	W32/Onlinegames.BVO (exact, damaged),Gen:Trojan.Heur.6000FFBDBD

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x432371 0x432371 0x432392 0x4323a6 0x4323bb 0x4323d0 0x4323df 0x4323f1 0x4323f4 0x432392 0x4323a6 0x4323bb 0x4323d0 0x4323df 0x4323f1 0x4323f4
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	95fb9aa6d06ef6a8adc6f902a5695b8c
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable)

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4e4e62 0x4e4f1d 0x4e4f21 0x4e4f26 0x4e4e70 0x4e4e77 0x4e4e7b 0x4e4e7d 0x4e4e81 0x4e4e83 0x4e4e8a 0x4e4e88 0x4e4e8e 0x4e4e90 0x4e4e73 0x4e4ecc 0x4e4ea2 0x4e4ea7 0x4e4ec5 0x4e4e93 0x4e4f13 0x4e4f16 0x4e4f1a 0x4e4f1c 0x4e4e96 0x4e4eab 0x4e4f11 0x4e4eb4 0x4e4ebb 0x4e4ec0 0x4e4ec6 0x4e4ec7 0x4e4f14 0x4e4e9d 0x4e4ea0 0x4e4ec8 0x4e4ed6 0x4e4edd 0x4e4ee1 0x4e4e6e 0x4e4edf 0x4e4ee7 0x4e4ef0 0x4e4ef1 0x4e4ef6 0x4e4efa 0x4e4f01 0x4e4f09 0x4e4f0a 0x4e4f0e 0x470a68 0x406498 0x40628c 0x40315a 0x4062f8 0x40630c 0x40631d
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4e4eee
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4e4f0b
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x406360
4. GetKeyboardType at 0x77d6fa46 in user32.dll called from 0x403148
5. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x40126c
6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x401294
7. GetVersion at 0x7c8114ab in kernel32.dll called from 0x401324
8. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40131c
- dot file
- jpg

MD5 checksum	960819fecf02e22f850b882d6a640bd8
Anti-virus name	Dropped:Trojan.Generic.1016128

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x473a80 0x473a80 0x473a9a 0x473a9a 0x473aa1 0x473aa1 0x473a90 0x473a90 0x473a96 0x473a96 0x473aa3 0x473aa3 0x473aa8 0x473aa8 0x473ab3 0x473ab3 0x473ab9 0x473ab9 0x473ae3 0x473ae3 0x473aea 0x473aea 0x473af5 0x473af5 0x473b06 0x473b06 0x473ad4 0x473ad4 0x473adf 0x473adf 0x473b35 0x473b35 0x473b54 0x473b54 0x473b63 0x473b63 0x473aac 0x473aac 0x473afb 0x473afb 0x473b08 0x473b08 0x473b14 0x473b14 0x473b16 0x473b16 0x473b21 0x473b21 0x473b27 0x473b27 0x473b32 0x473b32 0x473b29 0x473b29 0x473b46 0x473b46 0x473b4f 0x473b4f 0x473b1a 0x473b1a 0x473abb 0x473abb 0x473ac4 0x473ac4 0x473ad0 0x473ad0 0x473b0d 0x473b0d 0x473ad8 0x473ad8 0x473ac9 0x473ac9 0x473aff 0x473aff 0x473b6a 0x473b6a 0x473b72 0x473b72 0x473b77 0x473b77 0x473b7b 0x473b7b 0x473b80 0x473b80 0x473b9e 0x473b9e 0x473baa 0x473baa 0x473bc0 0x473bc0 0x473bc8 0x473bc8 0x473bd5 0x473bd5 0x473bd9 0x473bd9 0x473bc1 0x473bc1 0x473ba4 0x473ba4 0x473be6 0x473be6 0x473bff 0x473bff 0x473c14 0x473c14 0x473c1a 0x473c1a 0x473c20 0x473c20 0x4070dc 0x404ff4 0x404f30 0x405005 0x405005 0x404fe8 0x404e04 0x404ff2 0x405027 0x403f64 0x403e50 0x403f97 0x403efc 0x403f0c 0x403f28 0x403f3b 0x403f39
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x473bba
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x473bcf
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x473bfd
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x473c12
5. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x404f30
CFG at exit
- dot file
- jpg

MD5 checksum	96f093e3da54caaed6aaa9162fc31ee7
Anti-virus name	W32/OnlineGames.CG.gen!Eldorado (generic, not disinfectable),Trojan.Agent-98295,Generic.PWS.Games.3.DAC9C37E

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x410b10 0x410b32 0x410b39 0x410b28 0x410b2e 0x410b3b 0x410b40 0x410b4b 0x410b51 0x410b5c 0x410b70 0x410b7b 0x410b88 0x410b8c 0x410b8d 0x410b98 0x410b9e 0x410ba9 0x410bac 0x410bbd 0x410bc6 0x410b63 0x410b6e 0x410bcc 0x410bdb 0x410b44 0x410b53 0x410b74 0x410b91 0x410b81 0x410ba0 0x410be2 0x410bef 0x410c05 0x410c0d 0x410c1a 0x410c1e 0x410c06 0x410be9 0x410c2b 0x410c44 0x410c59 0x410c5f 0x410c65 0x4025b5
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x410bff
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x410c14
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x410c42
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x410c57
5. GetSystemDirectoryA at 0x7c814c63 in kernel32.dll called from 0x4025af
6. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4025d7
7. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4025d7
8. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4025d7
9. wsprintfA at 0x77d4a2de in USER32.dll called from 0x4025d7
CFG at exit
- dot file
- jpg

MD5 checksum	974d5ffc96782a9bb13da9d7dfa7e627
Anti-virus name	W32/Swizzor.D.gen!Eldorado (generic, not disinfectable),Trojan.Agent-42326,Trojan.Swizzor.1

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x402ce4 0x402d10 0x40824c 0x40fab9 0x402d4f 0x40561a 0x405622 0x40562a 0x40b252 0x40568a 0x4101a5 0x4101bf 0x41024b 0x4056a0 0x4056e7 0x40b27a 0x40b28b 0x402d54 0x402d60 0x403e88 0x408b9a 0x408ca8 0x408cb6 0x408ced 0x40f576 0x40f58f 0x40f591 0x40f595 0x40f5b8 0x40f5ba 0x40f60e 0x4026c1 0x4026df 0x4026e1 0x4026e7 0x402710 0x402720 0x402729 0x402730 0x402737 0x402743 0x402755 0x401af0 0x401b08 0x401b10 0x401b18 0x401b23 0x401b25 0x401c5c 0x40275d 0x40274a 0x402751 0x4027c6 0x402d79 0x401e3f 0x403e52 0x40fe98 0x403e58 0x403e61 0x403e68 0x401e77 0x4080a8 0x4080b2 0x4080ba 0x4080c1 0x401098 0x4010a5 0x4010af 0x4080c0 0x4080ce 0x4080db 0x4080f0 0x4080fc 0x4080fd 0x408103 0x408132 0x40810d 0x408116 0x408125 0x402cbf 0x402cd1 0x402cd8 0x402ce2 0x40ffe4 0x41004d 0x410069 0x41008a 0x4100bf 0x4100cb 0x4100d8 0x4100ee 0x40ffec 0x41001c 0x41003f 0x40813c 0x40813d 0x40dc31 0x40dc3a 0x40dc41 0x40fae4 0x40faf4 0x40faf8 0x40fb07 0x40fb0c 0x40fb0e 0x40dc60 0x40dc67 0x40dc77 0x40b744 0x40b74f 0x40b84a 0x40b84f 0x40b855 0x40b85d 0x40b85b 0x403e8b 0x403e98 0x403ea5 0x403eaa 0x4056ee 0x4056fd 0x403eb2 0x403ede 0x403ee5 0x403efb 0x403f02 0x403f22 0x403f25 0x403f1e 0x403f31 0x40b76d 0x402d9a 0x40b314 0x40b324 0x40b32e 0x40b333 0x40b338 0x40b34a 0x40b358 0x402dae 0x402db1 0x402dbd 0x408013 0x408037 0x418069
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x402d0a
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x408246
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40fab3
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405610
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405618
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405620
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x405628
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40b24c
9. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x405684
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x41019f
11. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4101b9
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x410245
13. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40569a
14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40b274
15. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40b285
16. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x403e82
17. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x408b94
18. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x408ca2
19. GetFileType at 0x7c811069 in kernel32.dll called from 0x408cb0
20. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x408ce7
21. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x40f58f
22. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x40f5b8
23. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x4026df
24. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40274b
25. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x401e39
26. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40dc71
27. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4056f7
28. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x402d94
29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x402db7
30. RegisterClassA at 0x77d52316 in USER32.dll called from 0x4180ef
CFG at exit
- dot file
- jpg

MD5 checksum	97739b30fbe306c7ed74f37390c8226c
Anti-virus name	W32/DownloaderX.AFTE (exact, not disinfectable),Trojan.Downloader-45818,Trojan.Downloader.Agent.ZLZ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x1005d3c 0x1005d3c 0x1005d49 0x1005d49 0x1005d51 0x1005d51 0x1005d58 0x1005d58 0x1005d5c 0x1005d5c 0x1005d61 0x1005d61 0x1005d73 0x1005d73 0x1005d74 0x1005d74 0x1005d7a 0x1005d7a 0x1005d88 0x1005d88 0x1005d94 0x1005d94 0x1005d97 0x1005d97 0x1005da3 0x1005da3 0x1005cde 0x1004e8a 0x1002b62 0x1002b78 0x1002b78 0x1002b80 0x1002b80 0x1002b87 0x1002b8c 0x1002b90 0x1002b98 0x1002b98 0x1002ba0 0x1002ba0 0x1002ba7 0x1002ba7 0x1002baf 0x1002bcb 0x1002bcb 0x1002bcd 0x1004eed 0x1004ef5 0x1004f00 0x1004f0a 0x1004f0a 0x1004f16 0x1004f16 0x1004f27 0x1004f27 0x1004f2b 0x1004fe2 0x10031fe 0x100322e 0x1003682 0x1003682 0x1003684 0x1003684 0x1005e37 0x1005e37 0x1005e3f 0x1005e3f 0x1003692 0x1003692 0x1004ff0 0x1005003 0x100501a 0x100502a 0x100502a 0x100503e 0x1005046 0x100504c 0x100504c 0x1005054 0x10043aa 0x10043d7 0x10043d7 0x10043fb 0x10043fb 0x1004404 0x1004404 0x1004413 0x1004413 0x1004453 0x1004453 0x1004458 0x1004458 0x1004474 0x1004474 0x1004480 0x1004480 0x100468b 0x100468b 0x100468c 0x100468c 0x10046a0 0x10046a0 0x100505f 0x1005063 0x100506e 0x1005074 0x100507a 0x10050bc 0x10050d2 0x10050dd 0x1005cf6 0x1005cfa 0x1005b72 0x1005b8f 0x1005b97 0x1003f40 0x1003f53 0x1003f61 0x1003f61 0x1003f83 0x1003f8b 0x1003f8b 0x1003fb2 0x1003fbe 0x1003fbe 0x1003fc2 0x1003fc9 0x1003fc9 0x1004001 0x1005b9c 0x1005ba0 0x1005ba9 0x10046a7 0x10046b9 0x10046c7 0x10046c7 0x10046ec 0x10046f4 0x10046f4 0x1004720 0x1004731 0x1004731 0x100476d 0x1004779 0x1004779 0x1005bae 0x1005bb2 0x1003eb9 0x1003ecb 0x1003ecb 0x1003eee 0x1003f08 0x1003f19 0x1003f19 0x10036bb 0x1003f37 0x1003f37 0x1005bb7 0x1005bc4 0x1005cd3 0x1005cdc 0x1005d00
Windows API calls issued from malware code
1. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x1005d43
2. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1005d82
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1005d9d
4. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002b76
5. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002b7a
6. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002b96
7. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002b9a
8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002ba1
9. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002bc5
10. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1004f04
11. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1004f10
12. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1005024
13. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10043d1
14. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1003f5b
15. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1003fb8
16. LocalFree at 0x7c80995d in kernel32.dll called from 0x1003fc3
17. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x10046c1
18. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100472b
19. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004773
20. wsprintfA at 0x77d4a2de in USER32.dll called from 0x10036e7
CFG at exit
- dot file
- jpg

MD5 checksum	97dd35bc5235d80a6ef117631b3240d6
Anti-virus name	W32/BackdoorX.AHGU (exact),Trojan.PcClient-1893,Trojan.Crypt.DG

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4028e2 0x4028f7 0x402905 0x40291e 0x402932 0x402a1a 0x402a36 0x402a29 0x402937 0x402a14 0x402946 0x40296a 0x402979 0x40298b 0x402995 0x402999 0x40299e 0x4029a2 0x4029ac 0x4029b9 0x4029d0 0x4029d3 0x4029dd 0x402a52 0x401786 0x4028e2 0x4028f7 0x402905 0x40291e 0x402932 0x402a1a 0x402a36 0x402a29 0x402937 0x402a14 0x402946 0x40296a 0x402979 0x40298b 0x402995 0x402999 0x40299e 0x4029a2 0x4029ac 0x4029b9 0x4029d0 0x4029d3 0x4029dd 0x402a52 0x401786
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x4028dc
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x4028f1
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x4028ff
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x402a36
5. initterm at 0x77c39d67 in msvcrt.dll called from 0x402a14
6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x402964
7. GetStartupInfoA at 0x411eee in kernel32.dll called from 0x4029b3
8. GetModuleHandleA at 0x41b529 in kernel32.dll called from 0x4029d7
CFG at exit
- dot file
- jpg

MD5 checksum	98d0b39216607fceb1a29761c73c9274
Anti-virus name	W32/PoisonIvy.G2.gen!Eldorado (generic, not disinfectable),MemScan:Backdoor.Agent.ZYY

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x401000 0x403af8 0x4107b8 0x414388 0x4107cd 0x41441e 0x4107e5 0x4107e5 0x4107df 0x4107f9 0x4107f9 0x403b09 0x41438e 0x403b0e 0x403b14 0x403ca0 0x403cb4 0x403cbd 0x403cc6 0x403ccf 0x403d01 0x403d06 0x403d0a 0x403d13 0x403cd5 0x403cde 0x403d00 0x403cef 0x403cf6 0x403d1c 0x403e43 0x403b1b 0x414454 0x403b26 0x403b26 0x4143ca 0x403b37 0x403b46 0x4143d0 0x403b4d 0x4145a6 0x4052ef 0x4052ef 0x41437c 0x41437c 0x4052fc 0x4052fc 0x405306 0x405306 0x405340 0x405340 0x405359 0x405359 0x405361 0x405361 0x40536f 0x40536f 0x40537b 0x40537b 0x408f48 0x408f48 0x408f63 0x408f63 0x408f10 0x408f10 0x408f13 0x408f13 0x408f17 0x408f17 0x408f27 0x408f27 0x408f2b 0x408f2b 0x408f33 0x408f33 0x408f1b 0x408f1b 0x408f43 0x408f43 0x408f68 0x408f68 0x408f81 0x408f81 0x408f85 0x408f85 0x408f6d 0x408f6d 0x408f89 0x408f89 0x409012 0x409012 0x409034 0x409034 0x409039 0x409039 0x40538a 0x40538a 0x405392 0x405392 0x40fe64 0x40fe64 0x40fe69 0x40fe69 0x40fe68 0x40fe68 0x40fe70 0x40fe70 0x40539a 0x40539a 0x409019 0x409019 0x4053a6 0x4053a6 0x4053a8 0x4053a8 0x4053af 0x4053af 0x4053ba 0x4053ba 0x40ffcc 0x40ffcc 0x41462a 0x41462a 0x405439 0x405439 0x40543e 0x40543e 0x40fee8 0x40fee8 0x40fee2 0x40fee2 0x40feed 0x40feed 0x405448 0x405448 0x40531f 0x40531f 0x40ff10 0x40ff10 0x40ff16 0x40ff16 0x40532f 0x40532f
Windows API calls issued from malware code
1. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414388
2. IsDBCSLeadByte at 0x7c80b664 in kernel32.dll called from 0x41441e
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x41438e
4. SetEnvironmentVariableA at 0x7c8226a9 in kernel32.dll called from 0x414454
5. RtlInitString at 0x7c90125c in ntdll.dll called from 0x7c8226c0
6. RtlAnsiStringToUnicodeString at 0x7c90f04c in ntdll.dll called from 0x7c8226d2
7. RtlSetEnvironmentVariable at 0x7c926eb5 in ntdll.dll called from 0x7c822715
8. RtlFreeUnicodeString at 0x7c910976 in ntdll.dll called from 0x7c822721
9. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4143ca
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x7c80b379
11. RtlUnicodeStringToAnsiString at 0x7c9130c6 in ntdll.dll called from 0x7c80b3c1
12. memmove at 0x7c90253a in ntdll.dll called from 0x7c80b3e7
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4143d0
14. LoadIconA at 0x77d521ae in USER32.dll called from 0x4145a6
15. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x41437c
16. wvsprintfA at 0x77d4a041 in USER32.dll called from 0x41462a
CFG at exit
- dot file
- jpg

MD5 checksum	9a787632d8093497ff1c4265f197092b
Anti-virus name	Adware.Casino-8,Adware.Casino.CA

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4815b4 0x4815d7 0x4815d7 0x48160d 0x48160d 0x4814e2 0x4814e2 0x4814f0 0x4814f0 0x4814f3 0x4814f3 0x481565 0x481565 0x481569 0x481569 0x48156f 0x48156f 0x4814f8 0x4814fa 0x4814fa 0x481501 0x481501 0x481503 0x481503 0x48150a 0x48150a 0x48150c 0x48150c 0x481511 0x481511 0x481516 0x481516 0x48151a 0x48151a 0x48151c 0x48151c 0x48151f 0x48151f 0x481572 0x481572 0x481573 0x481573 0x481578 0x481578 0x48157f 0x48157f 0x481581 0x481581 0x481524 0x481538 0x481538 0x481570 0x481570 0x481543 0x481543 0x48154a 0x48154a 0x48154f 0x48154f 0x481554 0x481554 0x481555 0x481555 0x481556 0x481556 0x481557 0x481557 0x48155b 0x48155b 0x48152f 0x48152f 0x481534 0x481534 0x481528 0x481528 0x48152d 0x48152d 0x481582 0x481582 0x481637 0x3507f0 0x3507f0 0x3507f9 0x3507f9 0x350829 0x350829 0x350830 0x350830 0x35083e 0x35083e 0x350994 0x3509a2 0x3509b7 0x3509b7 0x3509ca 0x3509d9 0x3509d9 0x3509c4 0x3509e0 0x3509ac 0x3509e7 0x3509e7 0x35085a 0x35087d 0x35087d 0x350c6f 0x350c6f 0x350c7d 0x350c7d 0x350c90 0x350c90 0x350ca1 0x350ca1 0x350cab 0x350cab 0x350d93 0x350d93 0x350cbd 0x350cbd 0x35106c 0x35106c 0x351084 0x351084 0x351089 0x351089 0x351091 0x351091 0x3510a5 0x3510a5 0x350d21 0x350008 0x350008 0x350018 0x350018 0x35002a 0x35002c 0x35002c
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x48160b
2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x3509b1
3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x3509d3
4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x35087b
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x35002a

MD5 checksum	9b1ea8e16ea06025f2894277b08e4416
Anti-virus name	W32/Backdoor.AAPY (exact),Adware.ZenoSearch-2,Adware.Zenosearch.O

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4064cf 0x406502 0x406517 0x406525 0x40653e 0x406552 0x406655 0x406566 0x40658a 0x406599 0x4065ab 0x4065b5 0x4065b9 0x4065be 0x4065c2 0x4065cc 0x4065d9 0x4065f0 0x4065f3 0x4065fd
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x4064fc
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x406511
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x40651f
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x406662
5. initterm at 0x77c39d67 in msvcrt.dll called from 0x406640
6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x406584
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4065d3
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4065f7
CFG at exit
- dot file
- jpg

MD5 checksum	9b80bf9e6fe4e8e1ab988a5392096465
Anti-virus name	W32/Swizzor-based!Maximus,Trojan.Swizzor.1

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40455b 0x40455b 0x403549 0x4156dd 0x414928 0x414928 0x40d7f5 0x40416b 0x416c67 0x4017ca 0x410e2a 0x410e44 0x410e44 0x410e52 0x410e52 0x4122ba 0x4127a2 0x40d8b8 0x404fe5 0x401f37 0x4054cc 0x405040 0x405055 0x405055 0x405063 0x405063 0x40b08a 0x4148a1 0x40b91a 0x405ca2 0x40399e 0x4039b2 0x4039b2 0x4039c0 0x4039c0 0x40b85a 0x40d47e 0x40718c 0x40e287 0x40e296 0x40e296 0x40e2a5 0x40e2a5 0x41638b 0x405737 0x40315c 0x40c9a6 0x4074b3 0x403adb 0x40bdf3 0x40bdff 0x40bdff 0x40be0b 0x40be0b 0x40eb2a 0x40470d 0x4049ff 0x402a47 0x402a53 0x402a53 0x4142c8 0x4142c8 0x402a8b 0x402aab 0x402aab 0x402ab9 0x402ab9 0x402878 0x40e6ba 0x4121cc 0x401e43 0x4099f0 0x4034f9 0x40f179 0x40f183 0x40f183 0x40f18c 0x40f18c 0x417531 0x411a00 0x411a00 0x4166f6 0x40f7f9 0x40a962 0x40a97a 0x40a97a 0x40a988 0x40a988
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x402a4d
- dot file
- jpg

MD5 checksum	9c185f7c00c4606a99a866ad221eb89b
Anti-virus name	W32/Downldr2.BBSL (exact),Trojan.Downloader-38314,Trojan.Generic.793688

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x46e9c0 0x46e9d8 0x46e9dd 0x46eaa4 0x46eaa8 0x46eab2 0x46ead2 0x46eadc 0x46eaeb 0x46eafc 0x46eb3a 0x46eb53 0x46ec77 0x46eca2 0x46ecd0 0x46ec6f 0x46ecb7 0x46ece8 0x46ed08 0x46f430 0x46eb22 0x46eb2c 0x46ec8a 0x46ec94 0x46ed30 0x46ed73 0x46eddf 0x46ee17 0x46ee35 0x46ee73 0x46ee7d 0x46ee89 0x46ee9f 0x46eec5 0x46ebad 0x46ebc4 0x46ec06 0x46ec1e 0x46ec61 0x46ec41 0x46ed15 0x46ed1c 0x46ed5d 0x46ed67 0x46ed8d 0x46f053 0x46f071 0x46f083 0x46f124 0x46f15d 0x46f16a 0x46f195 0x46f1a9 0x46f1d6 0x46f1e1 0x46f201 0x46f212 0x46f231 0x46f25c 0x46f270 0x46f29d 0x46f244 0x46f24e 0x46f288 0x46f2a8 0x46f2b7 0x46f2cf 0x46f341 0x46f34e 0x46f37c 0x46f3ac 0x46f3cb 0x46f391 0x46f3de 0x46f3e8 0x46f3f9 0x46f410 0x46f421 0x46ebee 0x46ebf8 0x46f05b 0x46f065 0x46ec3f 0x46f17d 0x46f187 0x46f1c1 0x46f364 0x46f36e 0x46f20d 0x46ed26 0x46eeff 0x46f037 0x46ef18 0x46ef4e 0x46ef8b 0x46efc3 0x46efdd 0x46f023 0x46f02b 0x46f0b2 0x46f0e0 0x46f12e 0x46ef68 0x46f2eb 0x46f2ee 0x46f310 0x46f323 0x46f31c 0x46f326 0x46effd 0x46f2f8 0x46f302 0x46ee01 0x46ee0b
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum	9d0d10db8d94c1a09afb0b3ea30947de
Anti-virus name	W32/Backdoor2.CDYE (exact),Trojan.Karsh-252,Backdoor.Shark.BS

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x400154 0x400154 0x4001e8 0x4001e8 0x4001ec 0x4001ec 0x4001f1 0x4001f1 0x400162 0x40015d 0x40015d 0x400164 0x400164 0x400168 0x400168 0x40016a 0x40016a 0x40016e 0x40016e 0x400170 0x400170 0x400177 0x400177 0x400175 0x400175 0x40017b 0x40017b 0x40017d 0x40017d 0x400160 0x400160 0x40018f 0x40018f 0x400194 0x400194 0x4001b0 0x4001b0 0x4001b7 0x4001b7 0x400180 0x400180 0x4001de 0x4001de 0x4001e1 0x4001e1 0x4001e5 0x4001e5 0x4001e7 0x4001e7 0x400183 0x400183 0x40018a 0x40018a 0x4001dc 0x4001dc 0x40018d 0x40018d 0x4001b3 0x4001b3 0x4001df 0x4001df 0x400198 0x400198 0x4001a1 0x4001a1 0x4001a6 0x4001a6 0x4001ab 0x4001ab 0x4001b2 0x4001b2 0x4001b1 0x4001b1 0x4001c1 0x4001c1 0x4001c9 0x4001c9 0x4001cf 0x4001cf 0x4001d4 0x4001d4 0x4001d9 0x4001d9 0x4001ca 0x4001ca 0x4001d1 0x4001d1 0x40110c 0x40110c 0x401106
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001c6
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001d6
3. ThunRTMain at 0x7342de3e in MSVBVM60.DLL called from 0x401106
- dot file
- jpg

MD5 checksum	9d6ca1439c941029118c55ed9584b663
Anti-virus name	W32/Swizzor.D.gen!Eldorado (generic, not disinfectable),Trojan.Agent-39069,Trojan.Swizzor.2

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x416a00 0x416a2c 0x4049da 0x40ea96 0x416a94 0x40c21c 0x40c229 0x40c235 0x40b2af 0x40c2d3 0x40df40 0x40f732 0x40f759 0x40f86d 0x408870 0x40b2f0 0x40b30a 0x416aa7 0x41543d 0x408af2 0x41814d 0x41834e 0x4183e0 0x416ab9 0x415610 0x41562d 0x415633 0x41563c 0x41566a 0x415677 0x415693 0x415699 0x4156a5 0x4156c3 0x4156ba 0x4156c5 0x4156ed 0x4156f6 0x40aa41 0x40aa43 0x40aa67 0x415708 0x415725 0x415743 0x41575c 0x415766 0x415825 0x40f1e2 0x40c281 0x40c29b 0x40c2bf 0x4027ab 0x4025ed 0x4028ed 0x4144d2 0x414585 0x414611 0x414634 0x417d17 0x417ddb 0x417e56 0x417e7b 0x417f4e 0x417fad 0x40272b
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x416a26
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4049d4
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40ea90
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c209
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c216
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c223
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c22f
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40b2a9
9. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40c2cd
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40f72c
11. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40f753
12. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40f867
13. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40c2ee
14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40b2ea
15. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40b304
16. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x418147
17. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x418348
18. GetFileType at 0x7c811069 in kernel32.dll called from 0x41835b
19. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x4183da
20. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x416ab3
21. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x41562d
22. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4156e7
23. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x41573d
24. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x415760
25. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c295
26. GetACP at 0x7c809943 in kernel32.dll called from 0x4027a5
27. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4025e7
28. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4028e7
29. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4144cc
30. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x41457f
31. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x41460b
32. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x41462e
33. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x417d11
34. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x417dd5
35. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x417e50
36. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x417e75
37. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x417f48
38. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x417fa7

MD5 checksum 9da73c6c74bde4091e977bd3b86876d2

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x4029aa 0x4029aa 0x4029c4 0x4029c4 0x4029ca 0x4029ca 0x4029d7 0x4029d7 0x4029dd 0x4029dd 0x4029d9 0x4029d9 0x4029eb 0x4029eb 0x4029ff 0x4029ff 0x402a0d 0x402a0d 0x402a14 0x402a14 0x402a89 0x402a89 0x402a9e 0x402a9e 0x402aae 0x402aae 0x402ae4 0x402ae4 0x402af2 0x402af2 0x402b06 0x402b06 0x401000 0x401000 0x401011 0x401011 0x40101f 0x40101f 0x40102d 0x40102d 0x401035 0x401035 0x401043 0x401043 0x40104b 0x40104b 0x401058 0x401058 0x40105d 0x40105d 0x401062 0x401062 0x40106e 0x40106e 0x40106c 0x40106c 0x401071 0x401071 0x401082 0x401082 0x402b0b 0x402b3c 0x402b3c 0x402b4f 0x402b4f 0x402bad 0x402bad 0x402bbc 0x402bbc 0x402bcb 0x402bcb 0x402bda 0x402bda 0x402be9 0x402be9 0x402bf8 0x402bf8 0x402c01 0x402c01 0x402c0b 0x402c0b 0x402c2d 0x402c2d 0x402c5a 0x402c5a 0x402c60 0x402c60 0x402c6c 0x402c6c 0x401ec0 0x401ec0 0x401edc 0x401edc 0x401f57 0x401f57 0x401f6b 0x401f6b 0x401fa6 0x401fa6 0x401fb3 0x401fb3 0x401e38 0x401e38 0x401297 0x401297 0x4012a5 0x4012a5 0x4012aa 0x4012aa 0x4012ca 0x4012ca 0x4010c4 0x4010c4 0x4010d1 0x4010d1 0x4010e7 0x4010e7 0x4010e9 0x4010e9 0x4010ff 0x4010ff 0x401103 0x401103 0x401156 0x401156 0x40117e 0x40117e 0x4012cf 0x4012df 0x4012df 0x4012e0 0x4012e0 0x401e5c 0x401e7c 0x401e7c 0x401ea0 0x401ea0 0x401ea3 0x401ea3 0x401eab 0x401eab 0x401b08 0x401b08 0x401b35 0x401b35 0x4012b8 0x4012b8 0x401b56 0x401b56 0x401b76 0x401b76 0x401b96 0x401b96 0x401b9f 0x401b9f 0x401ba7 0x401ba7 0x401bb6 0x401bb6 0x401be0 0x401be0 0x401be6 0x401be6 0x401be9 0x401be9 0x401bfe 0x401bfe 0x401383 0x401383 0x4013a3 0x4013a3 0x4013b1 0x4013b1 0x4013cc 0x4013cc 0x4013d6 0x4013d6 0x4013de 0x4013de 0x4013e4 0x4013e4 0x4013f0 0x4013f0 0x4013f3 0x4013f3 0x4013f9 0x4013f9 0x4013fc 0x4013fc 0x401408 0x401408 0x40141d 0x40141d 0x40140e 0x40140e 0x401414 0x401414 0x401421 0x401421 0x40142e 0x40142e 0x40144e 0x40144e 0x401444 0x401444 0x401451 0x401451 0x401456 0x401456 0x401461 0x401461 0x401471 0x401471 0x401477 0x401477 0x4014a8 0x4014a8 0x4014b5 0x4014b5 0x4014c5 0x4014c5 0x4014d4 0x4014d4 0x4014e5 0x4014e5 0x401500 0x401500 0x401505 0x401505 0x40151b 0x40151b 0x40152d 0x40152d 0x401530 0x401530 0x40153b 0x40153b 0x401542 0x401542 0x4011c5 0x4011c5 0x4011f3 0x4011f3 0x4011fd 0x4011fd 0x401206 0x401206 0x401216 0x401216 0x40122a 0x40122a 0x401236 0x401236 0x401556 0x40155f 0x40155f 0x4015c8 0x4015c8 0x4015da 0x4015da 0x4015fb 0x4015fb 0x401602 0x401602 0x40162e 0x40162e 0x401635 0x401635 0x401647 0x401647 0x40164d 0x40164d 0x401665 0x401665 0x401668 0x401668 0x401679 0x401679 0x40167d 0x40167d 0x4016ae 0x4016ae 0x4016b8 0x4016b8 0x4016ba 0x4016ba 0x401675 0x401675 0x4016d0 0x4016d0 0x4016da 0x4016da 0x4013c2 0x4013c2 0x4013c4 0x4013c4 0x401c21 0x401c21 0x401c3b 0x401c3b 0x401c5a 0x401c5a 0x401c6a 0x401c6a 0x401c93 0x401c93 0x401d59 0x401d59 0x401ca3 0x401ca3 0x401cef 0x401cef 0x401d16 0x401d16 0x401d1d 0x401d1d 0x401d2e 0x401d2e 0x401d3f 0x401d3f 0x401d43 0x401d43 0x401d55 0x401d55 0x401cfc 0x401cfc 0x401d03 0x401d03 0x401ca5 0x401ca5 0x401cb4 0x401cb4 0x401cd6 0x401cd6 0x401cda 0x401cda 0x401d64 0x401d64 0x40127e 0x40127e 0x401286 0x401286 0x401287 0x401287 0x40123e 0x40123e 0x401246 0x401246 0x401251 0x401251 0x40125e 0x40125e 0x401265 0x401265 0x401269 0x401269 0x40127c 0x40127c 0x40127d 0x40127d 0x40128f 0x401295 0x401295 0x401296 0x401296 0x401d6c 0x4014fc 0x4014fc 0x401618 0x401618 0x4011df 0x4011df 0x4011ed 0x4011ed 0x401598 0x401598 0x401697 0x401697 0x4016ab 0x4016ab 0x401da8 0x401da8 0x401db5 0x401db5 0x401dde 0x401dde 0x401e02 0x401e02 0x401704 0x401704 0x401908 0x401908 0x401746 0x401746 0x401756 0x401756 0x40179d 0x40179d 0x401767 0x401767 0x401773 0x401773 0x40178d 0x40178d 0x4017a8 0x4017a8 0x4017b6 0x4017b6 0x4017e9 0x4017e9 0x4017f2 0x4017f2 0x401800 0x401800 0x401829 0x401829 0x40186e 0x40186e 0x40187a 0x40187a 0x401892 0x401892 0x4018b3 0x4018b3 0x4018c8 0x4018c8 0x4018ca 0x4018ca 0x4018ce 0x4018ce 0x4018d0 0x4018d0 0x4018d2 0x4018d2 0x4018e3 0x4018e3 0x401904 0x401904 0x401837 0x401837 0x401843 0x401843 0x40185e 0x40185e 0x40191d 0x40191d 0x401918 0x401e13 0x401e13 0x401e1a 0x401e1a 0x401e22 0x401e22 0x401252 0x401252 0x401e2a 0x401e2a 0x401e33 0x401e33 0x401eb0 0x401fc2 0x401fc2 0x401fcb 0x401fcb 0x401fd4 0x401fd4 0x401fd6 0x401fd6 0x401feb 0x401feb 0x40200c 0x40200c 0x4012e3 0x4012e3 0x4012f2 0x4012f2 0x40133e 0x40133e 0x401181 0x401181 0x40118e 0x40118e 0x40119c 0x40119c 0x40119d 0x40119d 0x4011b9 0x4011b9 0x4011ba 0x4011ba 0x4011bb 0x4011bb 0x40134c 0x40135a 0x40135a 0x40135e 0x40135e 0x401377 0x401377 0x401380 0x401380 0x401381 0x401381 0x402011 0x40201a 0x40201a 0x40202c 0x40202c 0x40204e 0x40204e 0x40206f 0x40206f 0x402077 0x402077 0x402079 0x402079 0x40207b 0x40207b 0x402c89 0x402c9b 0x402c9b 0x402cab 0x402cab 0x40272e 0x40272e 0x402dcb 0x402dcb 0x402606 0x402617 0x402617 0x40262b 0x40262b 0x40263d 0x40263d 0x402641 0x40265c 0x40265c 0x40266a 0x40266a 0x402676 0x402676 0x40267f 0x40267f
- Windows API calls issued from malware code
  1. SetErrorMode at 0x7c80aa97 in kernel32.dll called from 0x4029be
  2. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4029c4
  3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x402a0e
  4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x402a98
  5. lopen at 0x7c85e610 in kernel32.dll called from 0x402aec
  6. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40100f
  7. GlobalLock at 0x7c810119 in kernel32.dll called from 0x40101d
  8. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40102b
  9. GlobalLock at 0x7c810119 in kernel32.dll called from 0x401033
  10. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x401041
  11. GlobalLock at 0x7c810119 in kernel32.dll called from 0x401049
  12. llseek at 0x7c839450 in kernel32.dll called from 0x402b3a
  13. hread at 0x7c839418 in kernel32.dll called from 0x402b4d
  14. hread at 0x7c839418 in kernel32.dll called from 0x402bba
  15. hread at 0x7c839418 in kernel32.dll called from 0x402bc9
  16. hread at 0x7c839418 in kernel32.dll called from 0x402bd8
  17. hread at 0x7c839418 in kernel32.dll called from 0x402be7
  18. hread at 0x7c839418 in kernel32.dll called from 0x402bf6
  19. hread at 0x7c839418 in kernel32.dll called from 0x402c2b
  20. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x402c5e
  21. GlobalLock at 0x7c810119 in kernel32.dll called from 0x402c66
  22. hread at 0x7c839418 in kernel32.dll called from 0x4010fd
  23. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x4011f7
  24. GlobalLock at 0x7c810119 in kernel32.dll called from 0x401200
  25. GlobalUnlock at 0x7c810082 in kernel32.dll called from 0x401258
  26. GlobalFree at 0x7c80fe2f in kernel32.dll called from 0x40125f
  27. LoadIconA at 0x77d521ae in USER32.dll called from 0x402750
  28. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x402611
  29. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x402625
  30. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x40263b
  31. FormatMessageA at 0x7c825f62 in kernel32.dll called from 0x402656
  32. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x402668
  33. lstrcatA at 0x7c838fb9 in kernel32.dll called from 0x402674
  34. LocalFree at 0x7c80995d in kernel32.dll called from 0x402679
  35. MessageBoxA at 0x77d8050b in USER32.dll called from 0x402693
- - dot file
  - jpg

MD5 checksum	9de4fd31bb569fed23ab5a83312c2e49
Anti-virus name	W32/Swizzor-based!Maximus,Trojan.Obfus-29,Trojan.Swizzor.1

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40dc7e 0x40ccf7 0x406315 0x417d22 0x40b7f0 0x4113a7 0x4113bb 0x4113c9 0x40737e 0x40e534 0x4079b1 0x4079c0 0x4079c9 0x40c830 0x404fe6 0x405006 0x405014 0x407b0f 0x403046 0x40308f 0x40309d 0x40fdd0 0x4030e6 0x4030f7 0x403105 0x410fcb 0x40a0bd 0x411e64 0x41586d 0x4158c3 0x4158ce 0x40744b 0x418d56 0x418d6a 0x418d78 0x415e91 0x40fb89 0x40fbc8 0x40fbd6 0x41385d 0x402f27 0x402f3b 0x402f49 0x405c2b 0x405c53 0x416120 0x41475e 0x415699 0x415763 0x403f67 0x41579a 0x419463 0x4059c1 0x41947a 0x419488 0x407e83 0x40e20f 0x40e240 0x40e27b 0x411f49 0x419f29 0x416ab8 0x4162e4 0x414ae8 0x416372 0x41638f 0x410e9f
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x41575d
2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x415794
- dot file
- jpg

MD5 checksum	9f2161db0ab717657994b8cfffb30fd7
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable),Trojan.Dropper-18857,Backdoor.Hupigon.DYS

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401ff8 0x401d8c 0x401028 0x401d9d 0x401d80 0x401c24 0x401d8a 0x401dbf 0x4018ac 0x401890 0x401899 0x40183c 0x401858 0x401866 0x401e0c 0x401868 0x40186c 0x401887 0x401c90 0x401c99 0x401000 0x401c9e 0x401bfc 0x401c03 0x401c10 0x401ccd 0x4010b0 0x401d8c 0x401028 0x401d9d 0x401d80 0x401c24 0x401d8a 0x401dbf 0x4018ac 0x401890 0x401899 0x40183c 0x401858 0x401866 0x401e0c 0x401868 0x40186c 0x401887 0x401c90 0x401c99 0x401000 0x401c9e 0x401bfc 0x401c03 0x401c10 0x401ccd 0x4010b0
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401028
2. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401000
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x4010b0
CFG at exit
- dot file
- jpg

MD5 checksum a018d91d0eddb3c33053403ebe82597d

Anti-virus name Adware.Agent-1431

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x413bff 0x413bff 0x413c2b 0x413c2b 0x4164c1 0x4164d8 0x4164d8 0x4164e1 0x416379 0x413610 0x41361c 0x413630 0x416386 0x41639e 0x41639e 0x4163a2 0x4163ab 0x4163b4 0x4164be 0x4164e6 0x4164fd 0x41651a 0x413c5e 0x413c6b 0x413c6b 0x4184f1 0x413975 0x413987 0x41398e 0x4139b3 0x4139d7 0x413a09 0x413a10 0x413a16 0x413a25 0x413997 0x4139b2 0x413984 0x418502 0x418511 0x418527 0x41852b 0x418545 0x418550 0x418550 0x418621 0x418623 0x418631 0x418639 0x418648 0x41864f 0x41864f 0x418656 0x41865d 0x41865d 0x41866d 0x418682 0x41863e 0x418661 0x418673 0x418688 0x418694 0x418694 0x413c73 0x413c79 0x413c79 0x4183bf 0x4183bf 0x4183da 0x4183da 0x4183dc 0x4183dc 0x4183e2 0x4183e2 0x418416 0x418416 0x418426 0x418426 0x41842d 0x41842d 0x418434 0x418434 0x41843b 0x41843b 0x418454 0x418454 0x41845a 0x41845a 0x418460 0x418460 0x418469 0x418469 0x418476 0x418476 0x418488 0x418488 0x41848c 0x41848c 0x418493 0x418493 0x4184ea 0x4184ea 0x413c83 0x418172 0x418184 0x414f9c 0x414fa5 0x414bc8 0x414d61 0x414d81 0x414d86 0x414d90 0x414bd9 0x414bd9 0x414beb 0x414bf5 0x414bfc 0x414c00 0x414c0b 0x414c16 0x414c16 0x414c1f 0x414d31 0x414d37 0x414d50 0x414e07 0x414e21 0x414e21 0x414e2a 0x414e31 0x414e3d 0x414e82 0x41968b 0x4196bc 0x4196d0 0x4196d0 0x4196d4 0x4196f5 0x4196fa 0x419723 0x41972c 0x419739 0x419756 0x419756 0x41975d 0x41976f 0x413270 0x41327c 0x41328a 0x413299 0x4132b1 0x4132bd 0x41977f 0x41978f 0x419797 0x4197ac 0x4197ac 0x4197b0 0x4197be 0x4197be 0x4197c2 0x414ea6 0x41943c 0x41946c 0x419484 0x419484 0x419488 0x4194b2 0x4194b7 0x419660 0x419670 0x419675 0x41967d 0x419688 0x4194c2 0x4194c7 0x4194ee 0x4194f7 0x419504 0x419521 0x419521 0x41952e 0x41953e 0x41955f 0x419564 0x419579 0x419579 0x41957d 0x41958f 0x41958f 0x419598 0x4195de 0x4195f2 0x419612 0x419616 0x41962a 0x41962a 0x41962e 0x419639 0x41963f 0x41964f 0x41964f 0x419659 0x4195cc 0x414eca 0x414ef2 0x414efd 0x414f1b 0x414f30 0x414f37 0x414f05 0x414f13 0x414f20 0x414f3e 0x414f89 0x414d55 0x414d55 0x414d5c 0x414fac 0x414fb7 0x418189 0x41819b 0x41819b 0x4181ac 0x4181ae 0x41820b 0x418235 0x41823a 0x418243 0x418247 0x41825f 0x41826c 0x418276 0x41827b 0x4182c1 0x4182c5 0x4183ae 0x4183b5 0x4181be 0x4181cd 0x4181de 0x41822d 0x418265 0x418272 0x4183b2 0x4181f4 0x413c8d 0x4180b9 0x4180b9 0x4180cb 0x4180cb 0x4180d3 0x4180d3 0x4180d9 0x4180d9 0x4180de 0x4180de 0x412e40 0x412e40 0x412e60 0x412e60 0x412e78 0x412e78 0x412e7f 0x412e7f 0x412e83 0x412e83 0x412e8a 0x412e8a 0x412e93 0x412e93 0x4180e4 0x4180e4 0x412ea7 0x412ea7 0x412e4c 0x412e4c 0x412e53 0x412e53 0x412e5b 0x412e5b 0x412e9d 0x412e9d 0x4180dd 0x4180dd 0x412eb1 0x412eb1 0x4180eb 0x4180eb 0x4180f8 0x4180f8 0x41810d 0x41810d 0x418117 0x418117 0x418118 0x418118 0x41811e 0x41811e 0x418149 0x418149 0x418127 0x418127 0x41812d 0x41812d 0x41813c 0x41813c 0x4128f0 0x4128f0 0x412961 0x412961 0x41296d 0x41296d 0x412974 0x412974 0x41297f 0x41297f 0x412986 0x412986 0x412981 0x412981 0x4129a0 0x4129a0 0x4129a4 0x4129a4 0x4129a8 0x4129a8 0x4129c2 0x4129c2 0x418144 0x418144 0x4129b0 0x4129b0 0x4129ba 0x4129ba 0x4129d8 0x4129d8 0x4129cf 0x41814f 0x41814f 0x418150 0x418150 0x413a27 0x413a27 0x413a33 0x413a33 0x413a53 0x413a53 0x413a7e 0x413a7e 0x413a7f 0x413a7f 0x413a8d 0x413a8d 0x41815b 0x413c92 0x415ce6 0x415ce6 0x415cef 0x415cef 0x4134cc 0x4134cc 0x4134e4 0x4134e4 0x4134d1 0x415eb7 0x415ec2 0x415ec2 0x415ec6 0x415ec6 0x415ed2 0x415ed2 0x415ed6 0x415ed6 0x415eda 0x415eda 0x4134d6 0x4134d6 0x415e67 0x419cf1 0x419cbc 0x419d31 0x419d3f 0x419d42 0x419d47 0x419d49 0x419d4e 0x419d50 0x419d55 0x419d57 0x419d5c 0x419d5e 0x419d63 0x419d68 0x419da0 0x419da5 0x419da5 0x419da9 0x419da9 0x419db5 0x419db5 0x419dc2 0x419dc2 0x419ccd 0x419dc3 0x419dd0 0x419dd3 0x419dd8 0x419dda 0x419ddf 0x419de1 0x419de6 0x419de8 0x419ded 0x419def 0x419df7 0x419df9 0x419e26 0x419e30 0x419e38 0x419e3e 0x419e4b 0x419ce4 0x419d04 0x419d04 0x415e76 0x415e76 0x4134e0 0x415cf1 0x415cf1 0x415dec 0x415dec 0x415df1 0x415df1 0x415df7 0x415df7 0x415dff 0x415dff 0x415dfd 0x415dfd 0x41323f 0x41323f 0x413249 0x413249 0x413260 0x413260 0x419a85 0x419a85 0x419a92 0x419a92 0x419a9f 0x419a9f 0x419aa4 0x419aa4 0x41af22 0x41af22 0x41af36 0x41af36 0x41af3d 0x41af3d 0x41af43 0x41af43 0x41af4a 0x41af4a 0x41af6e 0x41af6e 0x41af8d 0x41af8d 0x41af9c 0x41af9c 0x41afc6 0x41afc6 0x41afc8 0x41afc8 0x419aac 0x419aac 0x419ad8 0x419ad8 0x419adf 0x419adf 0x419af5 0x419af5 0x419afc 0x419afc 0x419b19 0x419b19 0x419b1c 0x419b1c 0x419b15 0x419b15 0x419b28 0x419b28 0x419079 0x419079 0x419084 0x419084 0x415e04 0x415e04 0x415d00 0x4035b0 0x4035b0 0x4035bf 0x404f20 0x404fd0 0x405210 0x4052a0 0x40521f 0x404fec 0x404ff7 0x404f33 0x4035d1 0x4035b8 0x4035d5 0x4035d5 0x41322d 0x41322d 0x4131c0 0x4131c0 0x415e06 0x415e06 0x415e2f 0x415e2f 0x415e53 0x415e53 0x415e56 0x415e56 0x415e64 0x415e64 0x4131cc 0x41321f 0x41321f 0x413236 0x4035e2 0x4035e2 0x4035bd 0x4053c0 0x4053c0 0x4053cf 0x4053cf 0x40e0b0 0x40e0b0 0x4053dc 0x4053c8 0x4053de 0x4053de 0x4053eb 0x4053eb 0x4053cd 0x40541c 0x40541c 0x40542b 0x403613 0x40c180 0x40c1a9 0x40c1bc 0x41c546 0x410480 0x410480 0x41048f 0x40ae80 0x40ae8e 0x41049c 0x410488 0x41049e 0x41049e 0x4104ab 0x4104ab 0x41048d
- Windows API calls issued from malware code
  1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x413c25
  2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4164d2
  3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x416398
  4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x413a1f
  5. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x41854a
  6. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x418649
  7. GetFileType at 0x7c811069 in kernel32.dll called from 0x418657
  8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x41868e
  9. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x413c73
  10. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x4183da
  11. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x418452
  12. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x418474
  13. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x41848d
  14. GetACP at 0x7c809943 in kernel32.dll called from 0x414d90
  15. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414c10
  16. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414e1b
  17. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4196ca
  18. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x419750
  19. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4197a6
  20. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4197b8
  21. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x41947e
  22. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x41951b
  23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x419573
  24. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x419589
  25. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x419624
  26. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x419649
  27. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x418195
  28. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x413a87
  29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x415ebc
  30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x415ecc
  31. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x415ed8
  32. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x41af96
  33. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x41907e
  34. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x415e5e
  35. WSAStartup at 0x71ab664d in WS2_32.dll called from 0x41c546

MD5 checksum	a1e8f90ca3f3a6599bb4c7db69b63874
Anti-virus name	W32/Legendmir.BWW (exact),Trojan.Spy-66720,Trojan.PWS.Lmir.OQ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x42ec70 0x42ec92 0x42ec99 0x42ec88 0x42ec8e 0x42ec9b 0x42eca0 0x42ecab 0x42ecb1 0x42ecbc 0x42ecd0 0x42ecdb 0x42ece8 0x42ed0c 0x42ed1d 0x42ed26 0x42ecec 0x42eced 0x42ecf8 0x42ecf1 0x42ecfe 0x42ed09 0x42ecc3 0x42ecce 0x42ed2c 0x42ed3b 0x42ed00 0x42ecd4 0x42ecb3 0x42ece1 0x42eca4 0x42ed42 0x42ed4a 0x42ed4f 0x42ed53 0x42ed58 0x42ed76 0x42ed82 0x42ed98 0x42eda0 0x42edad 0x42edb1 0x42ed99 0x42ed7c 0x42edbe 0x42edc4 0x42edcd 0x42edd1 0x42ede2 0x42edef 0x405860 0x4027fa 0x40357c 0x403558 0x40355c 0x4025a8 0x4025ac 0x401fe8 0x40200f 0x402030 0x402040 0x40204c 0x402055 0x4020df 0x4020e7 0x402103 0x402f80
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x42ed92
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x42eda7
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405790
4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x405788
5. RegOpenKeyExA at 0x77dd761b in advapi32.dll called from 0x4011cc
- dot file
- jpg

MD5 checksum a244e57a0a2c6377e78cbdbbd58470b9

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0xin 0x401040 0x409b06 0x401370 0x409b0c 0x408000 0x4083a0 0x4012d0 0x4083ae 0x408012 0x40803b 0x402ee0 0x402efc 0x402f0f 0x402f2a 0x408054 0x401980 0x404900 0x402da0 0x40490f 0x40491e 0x404920 0x40492b 0x4088d0 0x4088e3 0x4088f8 0x408914 0x40892c 0x40894a 0x401030 0x40895c 0x40896f 0x407cb0 0x401080 0x407cc5 0x408974 0x401090 0x40897a 0x40897f 0x402460 0x408984 0x405e60 0x402db0 0x402dc0 0x402dc5 0x402dd5 0x402dd7 0x405e71 0x405e82 0x405eb1 0x40899a 0x4045f0 0x404603 0x404621 0x40899f 0x402f40 0x4024a0 0x402470 0x4024ab 0x4024af 0x4024c7 0x4024d0 0x4024e0 0x402f4f 0x402f58 0x402f69 0x4024f0 0x4024fb 0x4024ff 0x40251f 0x402f78 0x402ef5 0x402f82 0x402fa1 0x402faa 0x402fdd 0x4089a4 0x4086f0 0x408703 0x40870f 0x40871b 0x4087d8 0x4087f6 0x407c30 0x406e00 0x406e1c 0x406e4b 0x406e5e 0x402e20 0x402e48 0x402e63 0x406e73 0x406e7e 0x402d60 0x402d65 0x402d73 0x402d75 0x4026d0 0x402858 0x406e8c 0x407c4f 0x407c66 0x407c73 0x407ca2 0x408804 0x408822 0x407c6e 0x407c7d 0x406830 0x401100 0x406839 0x407c8a 0x408830 0x40884e 0x40885c 0x40887a 0x408888 0x4088a6 0x4088b4 0x4089a9 0x407cd0 0x404e90 0x4010f0 0x404eae 0x401120 0x404ec0 0x4010e0 0x404ecb 0x407ce4 0x407cf7 0x407d00 0x407d08 0x407ea0 0x407eba 0x405d60 0x405d93 0x405d99 0x405a30 0x405a53 0x405a5b 0x4058e0 0x405907 0x4056c0 0x4056e4 0x4056f8 0x40571a 0x40571e 0x405726 0x40573f 0x404f50 0x401130 0x404f5b 0x401140 0x405757 0x40575f 0x405777 0x40577f 0x405797 0x4057ea 0x401040 0x409b06 0x401370 0x409b0c 0x408000 0x4083a0 0x4012d0 0x4083ae 0x408012 0x40803b 0x402ee0 0x402efc 0x402f0f 0x402f2a 0x408054 0x401980 0x404900 0x402da0 0x40490f 0x40491e 0x404920 0x40492b 0x4088d0 0x4088e3 0x4088f8 0x408914 0x40892c 0x40894a 0x401030 0x40895c 0x40896f 0x407cb0 0x401080 0x407cc5 0x408974 0x401090 0x40897a 0x40897f 0x402460 0x408984 0x405e60 0x402db0 0x402dc0 0x402dc5 0x402dd5 0x402dd7 0x405e71 0x405e82 0x405eb1 0x40899a 0x4045f0 0x404603 0x404621 0x40899f 0x402f40 0x4024a0 0x402470 0x4024ab 0x4024af 0x4024c7 0x4024d0 0x4024e0 0x402f4f 0x402f58 0x402f69 0x4024f0 0x4024fb 0x4024ff 0x40251f 0x402f78 0x402ef5 0x402f82 0x402fa1 0x402faa 0x402fdd 0x4089a4 0x4086f0 0x408703 0x40870f 0x40871b 0x4087d8 0x4087f6 0x407c30 0x406e00 0x406e1c 0x406e4b 0x406e5e 0x402e20 0x402e48 0x402e63 0x406e73 0x406e7e 0x402d60 0x402d65 0x402d73 0x402d75 0x4026d0 0x402858 0x406e8c 0x407c4f 0x407c66 0x407c73 0x407ca2 0x408804 0x408822 0x407c6e 0x407c7d 0x406830 0x401100 0x406839 0x407c8a 0x408830 0x40884e 0x40885c 0x40887a 0x408888 0x4088a6 0x4088b4 0x4089a9 0x407cd0 0x404e90 0x4010f0 0x404eae 0x404eb4 0x401120 0x404ec0 0x4010e0 0x404ecb 0x407ce4 0x407cf7 0x407d00 0x407d08 0x407ea0 0x407eba 0x405d60 0x405d93 0x405d99 0x405a30 0x405a53 0x405a5b 0x4058e0 0x405907 0x4056c0 0x4056e4 0x4056f8 0x40571a 0x40571e 0x405726 0x40573f 0x404f50 0x401130 0x404f5b 0x401140 0x405757 0x40575f 0x405777 0x40577f 0x405797 0x4057ea
- Windows API calls issued from malware code
  1. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x401040
  2. GetConsoleMode at 0x7c81abe4 in kernel32.dll called from 0x401370
  3. CsrClientCallServer at 0x7c9132a1 in ntdll.dll called from 0x7c81ac2d
  4. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x4012d0
  5. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x401030
  6. RtlAcquirePebLock at 0x7c91091d in ntdll.dll called from 0x7c801f06
  7. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401080
  8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x7c80b379
  9. RtlUnicodeStringToAnsiString at 0x7c9130c6 in ntdll.dll called from 0x7c80b3c1
  10. memmove at 0x7c90253a in ntdll.dll called from 0x7c80b3e7
  11. RtlFreeUnicodeString at 0x7c910976 in ntdll.dll called from 0x7c80b3f4
  12. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401090
  13. GetFileType at 0x7c811069 in kernel32.dll called from 0x401100
  14. NtQueryVolumeInformationFile at 0x7c90e228 in ntdll.dll called from 0x7c8110d5
  15. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4010f0
  16. strcmpi at 0x7c913374 in ntdll.dll called from 0x7c801d8c
  17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x401120
  18. RtlInitString at 0x7c90125c in ntdll.dll called from 0x7c80ac46
  19. FreeLibrary at 0x7c80aa66 in kernel32.dll called from 0x4010e0
  20. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x401130
- CFG at exit
  - dot file
  - jpg
MD5 checksum a2c9136d5b53467277e79842a4d9c9a1

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x4179c1 0x45b673 0x45b6a9 0x45b580 0x45b58e 0x45b591 0x45b603 0x45b607 0x45b60c 0x45b598 0x45b59f 0x45b5a1 0x45b5a8 0x45b5aa 0x45b5af 0x45b5b4 0x45b5b8 0x45b5ba 0x45b5bd 0x45b60f 0x45b610 0x45b615 0x45b61c 0x45b61e 0x45b5d6 0x45b60d 0x45b5e1 0x45b5e8 0x45b5ed 0x45b5f2 0x45b5f3 0x45b5f4 0x45b5f5 0x45b5f9 0x45b5cd 0x45b5d2 0x45b5c6 0x45b5cb 0x45b61f 0x3609f8 0x360a01 0x360a36 0x360a3d 0x360a4b 0x360bd0 0x360bf2 0x360c00 0x360a88 0x360e8a 0x360e98 0x360eab 0x360ebc 0x360ec6 0x360fae 0x360ed8 0x361287 0x36129f 0x3612a4 0x3612ac 0x3612c0 0x3608ad 0x360901 0x36000d 0x360072 0x36007b 0x3600ad 0x3600ae 0x3600e9 0x3600fb 0x3601cf 0x3601dd 0x3601f3 0x360202 0x36024d 0x3601e4 0x360255 0x360259 0x36027c 0x360857 0x3602a6 0x3602d0 0x360331 0x360360 0x360377 0x3603b9 0x36040e 0x360507 0x360522 0x36053f 0x360577 0x3605a1 0x3605de 0x3605ff 0x36060d 0x36062a 0x36064e 0x360660 0x360614 0x360667 0x360823 0x36083d 0x360853 0x3602ba 0x360529 0x360639 0x36014e 0x360162 0x36019d 0x3601ac 0x36022d 0x360217 0x3601c3 0x36023b 0x360289 0x36029a 0x36028e 0x3603c7 0x3600d3 0x3602e7 0x36054d 0x360681 0x36068d 0x360692 0x3606ad 0x3606b4 0x3606ca 0x3606d9 0x360700 0x3606ee 0x360707 0x360713 0x36072b 0x3607b4 0x3607cd 0x3607f1 0x36080b 0x3607b0 0x3607dc 0x3607bb 0x360816 0x36081c 0x36034e 0x360420 0x36044b 0x36045e 0x3604fb 0x360187 0x360439 0x36047c 0x3604a7 0x3604d5 0x3604f3 0x3604ba 0x360818 0x36058b 0x3605b0 0x3603a1 0x360751 0x36075d 0x360764 0x360772 0x36077f 0x36077a 0x360784 0x360495 0x360239 0x360861 0x360927 0x360934 0x360f4b 0x360f50 0x360f69 0x360f75 0x360f8a 0x360fbb 0x360a94 0x360aa2 0x360de8 0x360df6 0x360e09 0x360e1a 0x360e25 0x360e30 0x360e7d 0x360e83 0x360aa8 0x360d03 0x360d11 0x360d24 0x360d35 0x360d38 0x360d43 0x360dd7 0x360de1 0x360ac7 0x361118 0x36112f 0x361133 0x361136 0x361143 0x361146 0x36116e 0x36117c 0x3611a3 0x3611b0 0x36119e 0x36132f 0x36133a 0x36134a 0x3611bd 0x3611f6 0x3611fc 0x36120c 0x361223 0x361231 0x361351 0x36135c 0x36136f 0x36123b 0x361244 0x361250 0x36115a 0x36112b 0x361153 0x360ad1 0x360b50 0x360b70 0x36130a 0x361328 0x360b90 0x360ba3 0x45b6f0 0x45b70a 0x41ae3c 0x4179cd 0x41afa0 0x41afa7 0x4179d9 0x4179e7 0x417a21 0x417a36 0x417a3d 0x417a4a 0x417a74 0x417a7a 0x417a82 0x417a88 0x418d89 0x417ab4 0x41adc0 0x41c09f 0x41d614 0x41d61c 0x420b9a 0x420ba4 0x420bb8 0x420bbc 0x420bd9 0x420be7 0x420bef 0x420bf8 0x420c0b 0x420c2c 0x420c39 0x420c4d 0x4172c0 0x4172cc 0x4172da 0x4172ed 0x417305 0x417315 0x420c5e 0x420c97 0x420caa 0x420cae 0x420cbc 0x420cbf 0x420ccc 0x420d54 0x420d5e 0x420d75 0x420d79 0x420d96 0x420d9b 0x420da1 0x420da6 0x420dab 0x420dae 0x420db6 0x420dc4 0x420dcc 0x420dd5 0x420ded 0x420e0e 0x420e1b 0x420e30 0x420e7a 0x420e8f 0x420e97 0x420ea9 0x420eb6 0x420ee9 0x420efe 0x420f44 0x420f58 0x420f5c 0x420f67 0x420f6d 0x420f7b 0x420f7d 0x420f8b 0x420f99 0x4173a4 0x4173ac 0x4173bc 0x4173cc 0x4173cd 0x4173d4 0x4173f8 0x417407 0x41742f 0x417431 0x417366 0x41736d 0x417320 0x417341 0x417346 0x417355 0x417364 0x417391 0x41743e 0x41745d 0x41746b
- Windows API calls issued from malware code
  1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x45b6a7
  2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x360bca
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x360bec
  4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x360a82
  5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x3608ff
  6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x360932
  7. targe8a at 0x360f4b in DEFAULT_MODULE called from 0x36093e
  8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x3611a1
  9. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x361344
  10. targ116e at 0x3611a3 in DEFAULT_MODULE called from 0x36134e
  11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x361369
  12. targ116e at 0x36123b in DEFAULT_MODULE called from 0x361373
  13. targ116e at 0x3611a3 in DEFAULT_MODULE called from 0x36134e
  14. targ116e at 0x36123b in DEFAULT_MODULE called from 0x361373
  15. targ1118 at 0x36114f in DEFAULT_MODULE called from 0x361256
  16. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x361304
  17. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x361322
  18. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x360b9d
  19. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x4179e1
  20. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x417a34
  21. HeapCreate at 0x7c812929 in kernel32.dll called from 0x418d83
  22. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x420bb2
  23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x420c26
  24. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x420ca4
  25. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x420cb6
  26. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x420d6f
  27. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x420e08
  28. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x420e89
  29. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x420ea3
  30. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x420f52
  31. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x420f75
  32. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x417401
  33. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x417465
- - dot file
  - jpg

MD5 checksum	a3a19a38cc80ce6533e4976e203bcf0b
Anti-virus name	W32/Trojan2.HQZE (exact),Trojan.Downloader-24465,Trojan.Inject.HA

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4133d0 0x4133f2 0x4133f9 0x4133e8 0x4133ee 0x4133fb 0x413400 0x41340b 0x413411 0x41341c 0x413423 0x41342e 0x413430 0x41343b 0x413448 0x41346c 0x41348c 0x41349b 0x41344c 0x41344d 0x413458 0x41345e 0x413469 0x41347d 0x413486 0x413404 0x413441 0x413451 0x413434 0x413413 0x413460 0x4134a2 0x4134aa 0x4134af 0x4134b3 0x4134b8 0x4134d6 0x4134e2 0x4134f8 0x413500 0x41350d 0x413511 0x4134f9 0x4134dc 0x41351e 0x4092e4 0x4092eb 0x405094 0x404e88 0x404f5a 0x4050cc 0x405234 0x4054ec 0x4057a4 0x408c60 0x404783 0x4041dc 0x4041b0 0x402260 0x401a5d 0x402141 0x402152 0x402157 0x402165 0x402176 0x40217e 0x4020e0 0x4020ee 0x4020f8 0x402109 0x402111 0x40218c 0x402080 0x401784 0x4017ea
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4134f2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x413507
3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x404f5c
4. GetKeyboardType at 0x77d6fa46 in USER32.dll called from 0x4035cc
5. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401108
6. RegOpenKeyExA at 0x77dd761b in advapi32.dll called from 0x401158
7. LoadStringA at 0x77d6ec98 in USER32.dll called from 0x401138
8. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4011dc
9. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x4011bc
- dot file
- jpg

MD5 checksum	a3d676d8f351da0d22f765ab593a0589
Anti-virus name	W32/PoisonIvy.G2.gen!Eldorado (generic, not disinfectable),MemScan:Backdoor.Agent.ZYY

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x401000 0x403af8 0x4107b8 0x414388 0x4107cd 0x41441e 0x4107e5 0x4107e5 0x4107df 0x4107f9 0x4107f9 0x403b09 0x41438e 0x403b0e 0x403b14 0x403ca0 0x403cb4 0x403cbd 0x403cc6 0x403ccf 0x403d01 0x403d06 0x403d0a 0x403d13 0x403cd5 0x403cde 0x403d00 0x403cef 0x403cf6 0x403d1c 0x403e43 0x403b1b 0x414454 0x403b26 0x403b26 0x4143ca 0x403b37 0x403b46 0x4143d0 0x403b4d 0x4145a6 0x4052ef 0x4052ef 0x41437c 0x41437c 0x4052fc 0x4052fc 0x405306 0x405306 0x405340 0x405340 0x405359 0x405359 0x405361 0x405361 0x40536f 0x40536f 0x40537b 0x40537b 0x408f48 0x408f48 0x408f63 0x408f63 0x408f10 0x408f10 0x408f13 0x408f13 0x408f17 0x408f17 0x408f27 0x408f27 0x408f2b 0x408f2b 0x408f33 0x408f33 0x408f1b 0x408f1b 0x408f43 0x408f43 0x408f68 0x408f68 0x408f81 0x408f81 0x408f85 0x408f85 0x408f6d 0x408f6d 0x408f89 0x408f89 0x409012 0x409012 0x409034 0x409034 0x409039 0x409039 0x40538a 0x40538a 0x405392 0x405392 0x40fe64 0x40fe64 0x40fe69 0x40fe69 0x40fe68 0x40fe68 0x40fe70 0x40fe70 0x40539a 0x40539a 0x409019 0x409019 0x4053a6 0x4053a6 0x4053a8 0x4053a8 0x4053af 0x4053af 0x4053ba 0x4053ba 0x40ffcc 0x40ffcc 0x41462a 0x41462a 0x405439 0x405439 0x40543e 0x40543e 0x40fee8 0x40fee8 0x40fee2 0x40fee2 0x40feed 0x40feed 0x405448 0x405448 0x40531f 0x40531f 0x40ff10 0x40ff10 0x40ff16 0x40ff16 0x40532f 0x40532f
Windows API calls issued from malware code
1. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414388
2. IsDBCSLeadByte at 0x7c80b664 in kernel32.dll called from 0x41441e
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x41438e
4. SetEnvironmentVariableA at 0x7c8226a9 in kernel32.dll called from 0x414454
5. RtlInitString at 0x7c90125c in ntdll.dll called from 0x7c8226c0
6. RtlAnsiStringToUnicodeString at 0x7c90f04c in ntdll.dll called from 0x7c8226d2
7. RtlSetEnvironmentVariable at 0x7c926eb5 in ntdll.dll called from 0x7c822715
8. RtlFreeUnicodeString at 0x7c910976 in ntdll.dll called from 0x7c822721
9. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4143ca
10. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x7c80b379
11. RtlUnicodeStringToAnsiString at 0x7c9130c6 in ntdll.dll called from 0x7c80b3c1
12. memmove at 0x7c90253a in ntdll.dll called from 0x7c80b3e7
13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4143d0
14. LoadIconA at 0x77d521ae in USER32.dll called from 0x4145a6
15. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x41437c
16. wvsprintfA at 0x77d4a041 in USER32.dll called from 0x41462a
CFG at exit
- dot file
- jpg

MD5 checksum a578822d56041fdb546e1a66fbb50ff5

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x40aaa0 0x40f0cf 0x40f0ff 0x40f10a 0x40f116 0x40f11e 0x40f126 0x40f132 0x40f145 0x40f150 0x40f15f 0x40a8db 0x40a8f2 0x40a8f9 0x40a90c 0x40a915 0x40a92a 0x40a947 0x40a94e 0x40a95c 0x40a880 0x40a88b 0x40a89c 0x40a8a7 0x40a8b0 0x40a98b 0x40d7c0 0x40d7d7 0x40d7e3 0x40d765 0x40d053 0x40d07b 0x40d084 0x40d77c 0x40d78e 0x40d08a 0x40d0b2 0x40d0ba 0x40d7a9 0x40d7b0 0x40d7b6 0x40d7e8 0x40d816 0x40a9a4 0x40ccb0 0x40ccbc 0x40cccb 0x40ccda 0x40cce7 0x40ccf4 0x40cd01 0x40cd2b 0x40cd4f 0x40cd55 0x40cd63 0x40cd6c 0x40cd74 0x40d27a 0x40c8f3 0x40c923 0x40c8a6 0x40c93e 0x40c948 0x40e699 0x411cc5 0x40abbb 0x40d294 0x40f375 0x411cbb 0x40d2a0 0x40f163 0x40d2ac 0x40cd84 0x40cd94 0x40cda4 0x40cdb4 0x40d81a 0x40d823 0x40d82d 0x40c96a 0x40c99a 0x40c9b5 0x40c9bf 0x411d2e 0x411d3e 0x411d4f 0x411d60 0x40d84b
- Windows API calls issued from malware code
  1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40f104
  2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x40f110
  3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40f118
  4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40f120
  5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x40f12c
  6. GetStartupInfoW at 0x7c801e50 in kernel32.dll called from 0x40a8d5
  7. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40a8f0
  8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40a8f3
  9. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40a90f
  10. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40a945
  11. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40a948
  12. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40d7d1
  13. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40ccb6
  14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40ccd8
  15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40cce5
  16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40ccf2
  17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40ccff
  18. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40cd4f
  19. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40cd6a
  20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40c8f1
  21. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40c91d
  22. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40c8a0
  23. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c938
  24. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x40c946
  25. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40c968
  26. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40c994
  27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c9af
  28. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x40c9bd
  29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x411d28
  30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x411d38
  31. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x411d5e
- CFG at exit
  - dot file
  - jpg

MD5 checksum	a6ac0a602979cc568be92faa9edd57ab
Anti-virus name	Trojan.Downloader-49757,Trojan.Downloader.JKFJ Trojan.Downloader.JKFJ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	a7616b46a3d702c4cf93cde7b6391f42
Anti-virus name	W32/SysVenFak.B.gen!Eldorado (generic, not disinfectable),GenPack:Trojan.Generic.501245

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4705fe 0x470605 0x470631 0x470665 0x47066d 0x470678 0x470938 0x470944 0x470945 0x4709b7 0x4709bb 0x4709c0 0x47094c 0x470953 0x470955 0x47095c 0x47095e 0x470960 0x470965 0x470969 0x47096b 0x47097f 0x470984 0x4709ad 0x4709ac 0x47096e 0x4709c3 0x4709c4 0x4709c9 0x4709d0 0x4709d2 0x47098b 0x4709c1 0x470998 0x47099f 0x4709a6 0x4709ab 0x470976 0x47097d 0x4709d3 0x470699 0x4706b9 0x9205a9 0x9205c9 0x9205d5 0x9205e3 0x9205e9 0x920605 0x920628 0x920297 0x9202f9 0x9202fd 0x92030f 0x920017 0x920032 0x920000 0x920011 0x920037 0x920048 0x920327 0x92033a 0x920093 0x9200ac 0x9200e8 0x92012e 0x920353 0x92037e 0x920394 0x9203ba 0x9201ad 0x9201b7 0x9201c4 0x9200ec 0x92012b 0x9200cf 0x9200d6 0x9201cd 0x920433 0x92058b 0x920112 0x920119 0x9203c9 0x9203de 0x9203e9 0x9203f5 0x9203fc 0x92040d 0x920486 0x920232 0x92023d 0x920241 0x920131 0x920142 0x920146 0x920154 0x92015b 0x92015c 0x920292 0x92055d 0x920563 0x92056b 0x920577 0x920586 0x920384 0x920389 0x920391 0x92039a 0x9201d1 0x9201e0 0x9201fd 0x920221 0x92020f 0x92021d 0x920229 0x9204b0 0x9204e2 0x9204ed 0x920503 0x920551 0x920556 0x920205 0x920508 0x920520 0x92052c 0x92016b 0x920184 0x920185 0x920193 0x9201a3 0x9201a4 0x920441 0x92044d 0x920456 0x920465 0x92046e 0x920477 0x92047d 0x920257 0x920261 0x920281 0x92028f 0x92038e 0x920469 0x920451 0x9204ea 0x920266 0x92027c 0x920411 0x92041a 0x920535 0x92004c 0x92005b 0x92005e 0x920066 0x92006b 0x920083 0x920086 0x920087 0x920073 0x92007b 0x92020d 0x920597 0x920599 0x920647 0x92064d 0x92064e 0x92065b 0x92065f 0x4706e8 0x4706fb 0x470710 0x470715 0x470719 0x470721 0x470727 0x47073f 0x47074f 0x47088e 0x47089c 0x4708b7 0x4708d2 0x4708da 0x4708f1 0x470905 0x470918 0x470921 0x4708e5 0x4708ee 0x4708a4 0x4708a9 0x4708af 0x4708b5 0x470931 0x470754 0x4707e7 0x47083a 0x47084b 0x47086a 0x470873 0x470887 0x419834 0x405f51 0x405fb4 0x405da8 0x405e7a 0x405fec 0x4062b4 0x4062ec 0x40fa54 0x40661c 0x40c864
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x47065f
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x920625
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x920658
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4706f5
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4708cc
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x470912
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x470864
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405e7c
9. GetKeyboardType at 0x77d6fa46 in USER32.DLL called from 0x4035a4
10. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40122c
- dot file
- jpg

MD5 checksum	a79c107ca8d69e49c94ad3fe17a307af
Anti-virus name	W32/Backdoor2.CLTJ (exact),Trojan.Agent-42433,Trojan.Agent.AJNH

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x15424 0x15424 0x1542c 0x1542c 0x15433 0x15433 0x1263c 0x1103c 0x1264d 0x1264d 0x12630 0x124c0 0x1263a 0x1266f 0x11c04 0x11be8 0x11bf1 0x11b94 0x11b94 0x11bb0 0x11bbe 0x126b0 0x126b0 0x11bc0 0x11bc4 0x11bdf 0x12568 0x12568 0x12571 0x1100c 0x12576 0x12576 0x1244c 0x12453 0x12460 0x1258a 0x110dc
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1103c
2. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x1100c
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x110dc
CFG at exit
- dot file
- jpg

MD5 checksum a86d8acce0f150deb31a2e2e8353e444

Anti-virus name Backdoor.Bot.39541

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x48915d 0x48915d 0x400154 0x40012c 0x40012c 0x400130 0x400130 0x400108 0x40010b 0x40010b 0x400167 0x400167 0x400162 0x400162 0x400169 0x400169 0x40016d 0x40016d 0x40016f 0x40016f 0x400173 0x400173 0x400175 0x400175 0x40017c 0x40017c 0x40017a 0x40017a 0x400180 0x400180 0x400182 0x400182 0x400165 0x400165 0x4001c0 0x4001c0 0x400185 0x400185 0x46c000 0x46c000 0x46c005 0x46c005 0x46c009 0x46c009 0x46c00b 0x46c00b 0x40018a 0x40019f 0x40019f 0x46c003 0x46c003 0x4001a8 0x4001a8 0x4001af 0x4001af 0x4001b4 0x4001b4 0x4001b9 0x4001b9 0x4001ba 0x4001ba 0x4001bb 0x4001bb 0x400196 0x400196 0x40019b 0x40019b 0x400191 0x400191 0x400194 0x400194 0x4001bc 0x4001bc 0x4001ca 0x4001ca 0x40015f 0x40015f 0x4001cf 0x4001cf 0x4893d9 0x4893d9 0x4893ea 0x4893ea 0x4893f7 0x4893f7 0x489176 0x489176 0x489185 0x489185 0x48919b 0x48919b 0x48919e 0x48919e 0x4891ac 0x4891ac 0x4891b0 0x4891b0 0x4891b8 0x4891b8 0x4891bc 0x4891bc 0x4891c4 0x4891c4 0x4891d4 0x4891d4 0x4891d7 0x4891d7 0x4891d9 0x4891d9 0x4891e2 0x4891e2 0x4891f9 0x4891f9 0x48921b 0x48921b 0x489234 0x489234 0x489238 0x489238 0x48925b 0x48925b 0x489274 0x489274 0x489277 0x489277 0x48927a 0x48927a 0x48928b 0x48928b 0x48928f 0x48928f 0x48929d 0x48929d 0x4892a4 0x4892a4 0x4892a5 0x4892a5 0x4892b4 0x4892b4 0x4892cd 0x4892cd 0x4892ce 0x4892ce 0x4892dc 0x4892dc 0x4892ec 0x4892ec 0x4892ed 0x4892ed 0x4892f6 0x4892f6 0x48931d 0x48931d 0x489322 0x489322 0x489326 0x489326 0x48932e 0x48932e 0x48934b 0x48934b 0x489351 0x489351 0x489356 0x489356 0x48935a 0x48935a 0x489367 0x489367 0x48936b 0x48936b 0x489374 0x489374 0x48937f 0x48937f 0x489383 0x489383 0x489397 0x489397 0x489399 0x489399 0x4893a3 0x4893a3 0x4893a8 0x4893a8 0x4893be 0x4893be 0x4893c3 0x4893c3 0x4893d1 0x4893d1 0x4893d4 0x4893d4 0x48943a 0x48943a 0x48943f 0x48943f 0x48945a 0x48945a 0x489462 0x489462 0x48947e 0x48947e 0x489482 0x489482 0x489487 0x489487 0x48948c 0x48948c 0x48948f 0x48948f 0x489495 0x489495 0x4894ae 0x4894ae 0x4894b7 0x4894b7 0x4894bc 0x4894bc 0x4894bf 0x4894bf 0x4894ce 0x4894ce 0x4894d8 0x4894d8 0x4894db 0x4894db 0x4894e3 0x4894e3 0x4894f9 0x4894f9 0x489502 0x489502 0x489511 0x489511 0x489518 0x489518 0x489529 0x489529 0x48952d 0x48952d 0x489549 0x489549 0x489557 0x489557 0x489563 0x489563 0x489567 0x489567 0x48956c 0x48956c 0x48957b 0x48957b 0x48957f 0x48957f 0x489584 0x489584 0x48958d 0x48958d 0x489593 0x489593 0x489598 0x489598 0x4895a9 0x4895a9 0x4895c1 0x4895c1 0x4895f1 0x4895f1 0x4895f9 0x4895f9 0x4895fc 0x4895fc 0x489612 0x489612 0x489617 0x489617 0x48962b 0x48962b 0x48963c 0x48963c 0x489641 0x489641 0x489645 0x489645 0x489650 0x489650 0x489664 0x489664 0x489666 0x489666 0x489667 0x489667 0x48966f 0x48966f 0x489673 0x489673 0x489693 0x489693 0x489698 0x489698 0x4896a4 0x4896a4 0x4896a9 0x4896a9 0x4001d4 0x4001d9 0x4001d9 0x4001de 0x4001de 0x4001e1 0x4001e1 0x4001ea 0x4001ea 0x4001ec 0x4001ec 0x4001f1 0x4001f1 0x4001f3 0x4001f3 0x4001f8 0x4001f8 0x4001e2 0x4001e2 0x4001fd 0x4001fd 0x4069ec 0x4069e6
- Windows API calls issued from malware code
  1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
  2. above at 0xtable in that called from 0x.\src\image-flowGraph.C[1257]
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
  4. ThunRTMain at 0x7342de3e in MSVBVM60.DLL called from 0x4069e6
- - dot file
  - jpg

MD5 checksum	a9e2f47ed7428bd3065c66809a74c2d1
Anti-virus name	W32/OnlineGames.BP.gen!Eldorado (generic, not disinfectable),Trojan.Spy-59733,Trojan.Generic.1431814

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4140b0 0x4140d2 0x4140d9 0x4140c8 0x4140ce 0x4140db 0x4140e0 0x4140eb 0x4140f1 0x4140fc 0x414103 0x41410e 0x414110 0x41411b 0x414128 0x41412c 0x41412d 0x414138 0x41413e 0x414149 0x41414c 0x41416c 0x41417b 0x414121 0x41415d 0x414166 0x414131 0x414140 0x414114 0x4140e4 0x4140f3 0x414182 0x41418a 0x41418f 0x414193 0x414198 0x4141b6 0x4141c2 0x4141d8 0x4141e0 0x4141ed 0x4141f1 0x4141d9 0x4141bc 0x4141fe 0x414217 0x41422c 0x414232 0x414238 0x4020bc 0x4020cf 0x40212f 0x402138
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4141d2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4141e7
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x414215
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x41422a
5. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x4036f2
6. NtQueryInformationProcess at 0x7c90e01b in ntdll.dll called from 0x402d20
7. OpenProcess at 0x7c81e079 in kernel32.dll called from 0x4036f8
8. GetProcessImageFileNameA at 0x76bf3de5 in PSAPI.DLL called from 0x402d32
9. GetProcessImageFileNameA at 0x76bf3e16 in PSAPI.DLL called from 0x7c90e027
10. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403704
- dot file
- jpg

MD5 checksum aa026683dba4063e23205a0590acb287

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x40d441 0x423077 0x4230ad 0x422f85 0x422f93 0x422f96 0x423008 0x42300c 0x423011 0x422f9d 0x422fa4 0x422fa6 0x422fad 0x422faf 0x422fb4 0x422fb9 0x422fbd 0x422fbf 0x422fc2 0x423014 0x423015 0x42301a 0x423021 0x423023 0x422fdb 0x423012 0x422fe6 0x422fed 0x422ff2 0x422ff7 0x422ff8 0x422ff9 0x422ffa 0x422ffe 0x422fd2 0x422fd7 0x422fcb 0x422fd0 0x423024 0x3509b8 0x3509c1 0x3509f6 0x3509fd 0x350a0b 0x350b90 0x350bb2 0x350bc0 0x350a48 0x350e4a 0x350e58 0x350e6b 0x350e7c 0x350e86 0x350f6e 0x350e98 0x351247 0x35125f 0x351264 0x35126c 0x351280 0x350804 0x350851 0x35000d 0x350065 0x350070 0x350080 0x350097 0x3500a8 0x3500d7 0x3500ea 0x3501d2 0x3501f6 0x350205 0x35022b 0x350219 0x350233 0x350248 0x3507eb 0x3500a5 0x3500c0 0x3501df 0x350269 0x3502a2 0x3502f4 0x35032d 0x350340 0x350382 0x3503d8 0x3504cb 0x3504e7 0x350505 0x350514 0x3505ba 0x3505ca 0x3505e8 0x3505fb 0x350630 0x350614 0x350635 0x3507bc 0x3507c7 0x3507d0 0x3507e6 0x350133 0x350143 0x35017d 0x35018c 0x3501a9 0x3501c4 0x3501ab 0x350251 0x350257 0x3502b1 0x3502d9 0x3502e6 0x3504ee 0x35064e 0x350658 0x350660 0x350674 0x350692 0x3506a2 0x3506cd 0x3506b7 0x35067b 0x3506d2 0x3506e0 0x3506f3 0x350745 0x35074e 0x35076c 0x35077c 0x3507aa 0x350791 0x3507b2 0x3505d1 0x350755 0x350166 0x350316 0x35028b 0x350391 0x3503ab 0x35065d 0x3502df 0x350702 0x350705 0x350723 0x350732 0x35072c 0x350735 0x350260 0x350539 0x350565 0x35059b 0x3505b9 0x35054e 0x350575 0x35070c 0x350369 0x3503eb 0x350424 0x350448 0x350481 0x350490 0x3504bc 0x3504c2 0x3504a5 0x350433 0x35040d 0x35046a 0x3501d0 0x3507f7 0x35009c 0x35009e 0x35086c 0x350879 0x350f0b 0x350f10 0x350f29 0x350f35 0x350f4a 0x350f7b 0x350a54 0x350a62 0x350da8 0x350db6 0x350dc9 0x350dda 0x350de5 0x350df0 0x350e3d 0x350e43 0x350a68 0x350cc3 0x350cd1 0x350ce4 0x350cf5 0x350cf8 0x350d03 0x350d97 0x350d0e 0x350d21 0x350d25 0x350d34 0x350d56 0x350d3a 0x350d40 0x350d4d 0x350d59 0x350d62 0x350d80 0x350c3d 0x350c4d 0x350c52 0x350c59 0x350d96 0x350da1 0x350a87 0x3510d8 0x3510ef 0x3510f3 0x3510f6 0x351103 0x351106 0x35112e 0x35113c 0x351163 0x351170 0x35115e 0x3512ef 0x3512fa 0x35130a 0x351173 0x35110f 0x351112 0x351113 0x350a91 0x350a95 0x350aa5 0x350ada 0x350af0 0x350af6 0x350b08
- Windows API calls issued from malware code
  1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4230ab
  2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x350b8a
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x350bac
  4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x350a42
  5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x35084e
  6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x350876
  7. targe4a at 0x350f0b in DEFAULT_MODULE called from 0x35087f
  8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x351161
  9. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x351304
  10. targ112e at 0x351163 in DEFAULT_MODULE called from 0x35130e
  11. wsprintfA at 0x77d4a2de in user32.dll called from 0x350aea
  12. MessageBoxA at 0x77d8050b in user32.dll called from 0x350b02
  13. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x350b0a
- CFG at exit
  - dot file
  - jpg

MD5 checksum	aa9a78f0062c992bc1500196b85946c1
Anti-virus name	W32/Trojan2.CSGZ (exact),Trojan.Agent-121158,Trojan.Generic.444278

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x43db90 0x43db90 0x43dbb2 0x43dbb2 0x43dbb9 0x43dbb9 0x43dba8 0x43dba8 0x43dbae 0x43dbae 0x43dbbb 0x43dbbb 0x43dbc0 0x43dbc0 0x43dbcb 0x43dbcb 0x43dbd1 0x43dbd1 0x43dbdc 0x43dbdc 0x43dbe3 0x43dbe3 0x43dbee 0x43dbee 0x43dbf0 0x43dbf0 0x43dbfb 0x43dbfb 0x43dc08 0x43dc08 0x43dc2c 0x43dc2c 0x43dc4c 0x43dc4c 0x43dc5b 0x43dc5b 0x43dc01 0x43dc01 0x43dbf4 0x43dbf4 0x43dc3d 0x43dc3d 0x43dc46 0x43dc46 0x43dc0c 0x43dc0c 0x43dc0d 0x43dc0d 0x43dc18 0x43dc18 0x43dc1e 0x43dc1e 0x43dc29 0x43dc29 0x43dbc4 0x43dbc4 0x43dc20 0x43dc20 0x43dc11 0x43dc11 0x43dbd3 0x43dbd3 0x43dc62 0x43dc62 0x43dc6a 0x43dc6a 0x43dc6f 0x43dc6f 0x43dc73 0x43dc73 0x43dc78 0x43dc78 0x43dc96 0x43dc96 0x43dca2 0x43dca2 0x43dcb8 0x43dcb8 0x43dcc0 0x43dcc0 0x43dccd 0x43dccd 0x43dcd1 0x43dcd1 0x43dcb9 0x43dcb9 0x43dc9c 0x43dc9c 0x43dcde 0x43dcde 0x43dcf7 0x43dcf7 0x43dd0c 0x43dd0c 0x43dd12 0x43dd12 0x43dd18 0x43dd18 0x4105ba 0x4105ed 0x4105ed 0x410602 0x410602 0x410610 0x410610 0x410629 0x410629 0x41063d 0x41063d 0x4107b2 0x4107ce 0x4107c1 0x4107c1 0x410642 0x4107ac 0x410651 0x410651 0x410675 0x410675 0x40a693 0x40a6a2 0x405956 0x405d15 0x405970 0x405978 0x407279 0x407292 0x407292 0x4072b1 0x410580 0x4072be 0x4072dd 0x4072dd 0x40730b 0x405980 0x40598d 0x40598d 0x40599c 0x40599c 0x4105a8 0x4059bc 0x4059bc 0x4105a2 0x4059d3 0x41054e 0x41079a 0x410557 0x410557 0x4059e4 0x4059e5 0x40a6b4 0x40a69b 0x40a6b6 0x41077b 0x41074f 0x410758 0x410762 0x410784 0x40a6c3 0x40a6a0 0x410684 0x410684 0x410696 0x410696 0x4106a0 0x4106a0 0x4106a4 0x4106a4 0x4106a9 0x4106a9 0x4106ad 0x4106ad 0x4106b7 0x4106b7 0x4106c4 0x4106c4 0x4106db 0x4106db 0x4106de 0x4106de 0x4106e8 0x4106e8 0x40582c 0x410560 0x405836 0x405848 0x405848 0x40585e 0x40585e 0x40ce79 0x406ff0 0x406ffa 0x406f3c 0x406f46 0x406f57 0x406f77 0x406f77 0x406fa0 0x40592c 0x405944 0x405c9c 0x405e0b 0x405e35 0x405e3f 0x405e70 0x405e3d 0x405cad 0x405cbd 0x405cc6 0x405cd5 0x405cf5 0x405d0e 0x40594f 0x406fab 0x406fab 0x406fc0 0x4059ec 0x405a04 0x405d5c 0x405a0c 0x405a15 0x406fcd 0x405e94 0x405e1c 0x405e2d 0x405eac 0x406fe1 0x40700d 0x407022 0x407097 0x4070b0 0x4070b0 0x4070bb 0x4070cd 0x4070da 0x4070ee 0x4070fa 0x40ce8a 0x40ce9d 0x4073c1 0x4073cb 0x407447 0x407451 0x406e8c 0x406e96 0x406ea7 0x406ea7 0x406eae 0x406ef7 0x406f0c 0x406f19 0x406f2d 0x407461 0x40d18b 0x40d195 0x40d161 0x405e72 0x405e86 0x405e92 0x405e92 0x40d172 0x405d2c 0x405d3c 0x4071b5 0x4071d2 0x4071d2 0x4071f7 0x40720a 0x407212 0x407212 0x40722d 0x407246 0x407246 0x407274 0x407277 0x405d4d 0x40d17b 0x40d11b 0x40f479 0x40d12a 0x40d132 0x40f4b3 0x40f4e7 0x40f51f 0x40f590 0x40f5a4 0x40f5b9 0x40f5bf 0x40f5d1 0x40f5d1 0x40f5d4 0x40d14b 0x4104ab 0x4104be 0x4104c4 0x4104b7 0x4104e4 0x40f525 0x40f53b 0x40f541 0x40f55d 0x40f55d 0x40f56b 0x410503 0x40f56d 0x40f56d 0x40f5d6 0x40f60b 0x40f615 0x40f634 0x40f691 0x40f58e 0x410514 0x410524 0x41052a 0x41051d 0x41054c 0x40d15a 0x40d181 0x40d1ab 0x40d1ba 0x40d1d1 0x40d1e1 0x40d1e7 0x40d20d 0x40d20d 0x40d224 0x40d239 0x40d248 0x40d255 0x40d269 0x407476 0x407489 0x405f1a 0x405f24 0x4058e6 0x4058fe 0x405f33 0x405f42 0x405f4b 0x405d6b 0x405d7d 0x405d7d 0x405e82 0x405d8a 0x405da4 0x405dbb 0x405dd8 0x405dde 0x405df0 0x405df0 0x405df3 0x411160 0x411160 0x41055a 0x41055a 0x4114c3 0x4114c3 0x41147d 0x41147d 0x412199 0x412199 0x4110b4 0x4110b4 0x405e57 0x405e57 0x405e68 0x405e68 0x4048c8 0x4048e1 0x40a0f7 0x40a100 0x40a100 0x40a104 0x40a097 0x410718 0x410718 0x40a0d2 0x40a0d2 0x40a0d6 0x40a0d6 0x40a0e8 0x40a128 0x40a128
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x43dcb2
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x43dcc7
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x43dcf5
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x43dd0a
5. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x4105e7
6. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x4105fc
7. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x41060a
8. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x4107ce
9. initterm at 0x77c39d67 in msvcrt.dll called from 0x4107ac
10. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x41066f
11. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40728c
12. operator at 0x77c29cc5 in msvcrt.dll called from 0x410580
13. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4072d7
14. lstrlenW at 0x7c809a39 in kernel32.dll called from 0x405987
15. memset at 0x77c475f0 in msvcrt.dll called from 0x4105a8
16. memcpy at 0x77c46f70 in msvcrt.dll called from 0x4105a2
17. free at 0x77c2c21b in msvcrt.dll called from 0x41079a
18. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x77c2c2d8
19. onexit at 0x77c34df8 in msvcrt.dll called from 0x41075c
20. initterm at 0x77c39d7a in msvcrt.dll called from 0x40a6a1
21. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4106be
22. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4106e2
23. SetErrorMode at 0x7c80aa97 in kernel32.dll called from 0x405842
24. GetCommandLineW at 0x7c816cfb in kernel32.dll called from 0x405858
25. CommandLineToArgvW at 0x7ca0c16b in SHELL32.dll called from 0x40585f
26. GetModuleFileNameW at 0x7c80b25d in kernel32.dll called from 0x406f71
27. lstrlenW at 0x7c809a39 in kernel32.dll called from 0x405cc0
28. StrRChrW at 0x77f6af6e in SHLWAPI.dll called from 0x407023
29. lstrcpyW at 0x7c80b8ec in kernel32.dll called from 0x4070aa
30. GetLocalTime at 0x7c80c9c1 in kernel32.dll called from 0x406ea1
31. wsprintfW at 0x77d4a862 in USER32.dll called from 0x406ee3
32. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4071cc
33. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x407240
34. targ3707c at 0x77c47094 in msvcrt.dll called from 0x77c46fcc
35. memset at 0x77c475f0 in msvcrt.dll called from 0x4105a8
36. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
37. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
38. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
39. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
40. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
41. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
42. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
43. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
44. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
45. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
46. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
47. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
48. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
49. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
50. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
51. wsprintfW at 0x77d4a862 in USER32.dll called from 0x40d202
52. memset at 0x77c475f0 in msvcrt.dll called from 0x4105a8
53. memcpy at 0x77c46f70 in msvcrt.dll called from 0x4105a2
54. lstrlenW at 0x7c809a39 in kernel32.dll called from 0x405d77
55. _CxxFrameHandler at 0x77c227fa in msvcrt.dll called from 0x41055a
56. targ3799 at 0x7c9037bf in ntdll.dll called from 0x77c22831
57. IsDebuggerPresent at 0x7c812e03 in kernel32.dll called from 0x40a0fa
58. except_handler3 at 0x77c35c94 in msvcrt.dll called from 0x410718
59. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x40a12a
- dot file
- jpg

MD5 checksum	ab1b2ecf954f18da1fc1ddc440f7587a
Anti-virus name	Adware.Zeno-3,Generic.Zeno.51DEB277

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40856f 0x408584 0x408592 0x4085ab 0x4085bf 0x4086b2 0x4086ce 0x4086c1 0x4085c4 0x4086ac 0x4085d3 0x4085f7 0x40871a 0x4086ec 0x408732 0x401070 0x401080 0x401020 0x40828e 0x4020e0 0x4020f0 0x4082e2 0x405340 0x405350 0x4083ba 0x408606 0x408618 0x408622 0x408626 0x40862b 0x40862f 0x408639 0x408646 0x40865d 0x408660 0x40866a 0x4086d4 0x40872c 0x40856f 0x408584 0x408592 0x4085ab 0x4085bf 0x4086b2 0x4086ce 0x4086c1 0x4085c4 0x4086ac 0x4085d3 0x4085f7 0x40871a 0x4086ec 0x408732 0x401070 0x401080 0x401020 0x40828e 0x4020e0 0x4020f0 0x4082e2 0x405340 0x405350 0x4083ba 0x408606 0x408618 0x408622 0x408626 0x40862b 0x40862f 0x408639 0x408646 0x40865d 0x408660 0x40866a 0x4086d4 0x40872c
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x408569
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x40857e
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x40858c
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x4086ce
5. initterm at 0x77c39d67 in msvcrt.dll called from 0x4086ac
6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x4085f1
7. targ982d6 at 0x73e682d6 in MFC42.DLL called from 0x408732
8. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x408640
9. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x408664
10. rmtmp at 0x77c3f88a in msvcrt.dll called from 0x77c39d78
11. targ29ddb at 0x77c39e48 in msvcrt.dll called from 0x77c39d84
12. targ29ddb at 0x77c39e59 in msvcrt.dll called from 0x77c39d84
CFG at exit
- dot file
- jpg

MD5 checksum ab7c80b08fb806f943b8e22a7363fd4b

Anti-virus name W32/Trojan2.IRCX (exact)

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x41c72f 0x41c72f 0x41c761 0x41c761 0x41c776 0x41c776 0x41c784 0x41c784 0x41c79d 0x41c79d 0x41c7b2 0x41c7b2 0x41c9d4 0x41c9f6 0x41c9e3 0x41c9e3 0x41c7b7 0x41c9ce 0x41c7c6 0x41c7c6 0x41c7ea 0x41c7ea 0x401180 0x401190 0x4017c0 0x401950 0x40195c 0x40195c 0x40196b 0x40196b 0x401983 0x401983 0x4017dd 0x4017fa 0x4017fa 0x401816 0x401816 0x401827 0x401827 0x401853 0x401853 0x401185 0x4011a0 0x41c667 0x41c63b 0x41c644 0x41c64e 0x41c670 0x4011aa 0x417d50 0x417d50 0x417d60 0x417d90
- Windows API calls issued from malware code
  1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x41c75b
  2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x41c770
  3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x41c77e
  4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x41c9f6
  5. initterm at 0x77c39d67 in msvcrt.dll called from 0x41c9ce
  6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x41c7e4
  7. time at 0x77c4aea3 in msvcrt.dll called from 0x401956
  8. localtime at 0x77c4ab3d in msvcrt.dll called from 0x401965
  9. strftime at 0x77c490cd in msvcrt.dll called from 0x40197d
  10. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x4017f4
  11. GetSystemInfo at 0x7c812ac6 in kernel32.dll called from 0x401810
  12. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x401821
  13. strrchr at 0x77c47be0 in msvcrt.dll called from 0x40184d
  14. onexit at 0x77c34df8 in msvcrt.dll called from 0x41c648
  15. initterm at 0x77c39d7a in msvcrt.dll called from 0x4011ab
- CFG at exit
  - dot file
  - jpg

MD5 checksum	add7f58a061095f80e485bbf4ff992fb
Anti-virus name	W32/TrojanX.AYSD (exact),Trojan.Agent-11564,Backdoor.Bifrose.ZVI

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x419900 0x419918 0x41991d 0x4199e4 0x4199e8 0x4199f2 0x419a12 0x419a1c 0x419a2b 0x419a3c 0x419a7a 0x419a93 0x419bb7 0x419be2 0x419bf7 0x419baf 0x419c10 0x419c28 0x419c48 0x41a370 0x419a62 0x419a6c 0x419bca 0x419bd4 0x419c70 0x419cb3 0x419d1f 0x419d57 0x419d75 0x419dc9 0x419e3f 0x419f77 0x419f93 0x419fb1 0x419fc3 0x41a064 0x41a09d 0x41a0aa 0x41a0d5 0x41a0e9 0x41a116 0x41a0bd 0x41a0c7 0x41a101 0x41a121 0x41a328 0x41a339 0x41a350 0x41a361 0x419aed 0x419b04 0x419b46 0x419b81 0x419c55 0x419c5c 0x419ccd 0x41a141 0x41a152 0x41a171 0x41a184 0x41a18e 0x41a19c 0x41a1b0 0x41a1dd 0x41a1c8 0x41a1e8 0x41a31e 0x419ba1 0x419b2e 0x419b38 0x419b5e 0x419b7f 0x41a1f7 0x41a20f 0x41a281 0x41a28e 0x41a2bc 0x41a2ec 0x41a30b 0x41a2a4 0x41a2ae 0x41a2d1 0x419f9b 0x419fa5 0x419c9d 0x419ca7 0x41a14d 0x419d41 0x419d4b 0x419e58 0x419e8e 0x419ea8 0x419f6b 0x419e78 0x419e82 0x419ecb 0x419f03 0x419f1d 0x419f63 0x41a22b 0x41a22e 0x41a250 0x41a25c 0x41a263 0x41a266 0x419c66 0x419db3 0x419dbd 0x419ddf 0x419e05 0x41a238 0x41a242 0x419f3d 0x419ff2
Windows API calls issued from malware code
CFG at exit
- dot file
- jpg

MD5 checksum af84dac4705a7fd2dc7b62a5bc341c92

Anti-virus name Backdoor.Bot.31363

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x48922f 0x48922f 0x400154 0x40012c 0x40012c 0x400130 0x400130 0x400108 0x40010b 0x40010b 0x400167 0x400167 0x400162 0x400162 0x400169 0x400169 0x40016d 0x40016d 0x40016f 0x40016f 0x400173 0x400173 0x400175 0x400175 0x40017c 0x40017c 0x40017a 0x40017a 0x400180 0x400180 0x400182 0x400182 0x400165 0x400165 0x4001c0 0x4001c0 0x400185 0x400185 0x46c000 0x46c000 0x46c005 0x46c005 0x46c009 0x46c009 0x46c00b 0x46c00b 0x40018a 0x40019f 0x40019f 0x46c003 0x46c003 0x4001a8 0x4001a8 0x4001af 0x4001af 0x4001b4 0x4001b4 0x4001b9 0x4001b9 0x4001ba 0x4001ba 0x4001bb 0x4001bb 0x400196 0x400196 0x40019b 0x40019b 0x400191 0x400191 0x400194 0x400194 0x4001bc 0x4001bc 0x4001ca 0x4001ca 0x40015f 0x40015f 0x4001cf 0x4001cf 0x4894ab 0x4894ab 0x4894bc 0x4894bc 0x4894c9 0x4894c9 0x489248 0x489248 0x489257 0x489257 0x48926d 0x48926d 0x489270 0x489270 0x48927e 0x48927e 0x489282 0x489282 0x48928a 0x48928a 0x48928e 0x48928e 0x489296 0x489296 0x4892a6 0x4892a6 0x4892a9 0x4892a9 0x4892ab 0x4892ab 0x4892b4 0x4892b4 0x4892cb 0x4892cb 0x4892ed 0x4892ed 0x489306 0x489306 0x48930a 0x48930a 0x48932d 0x48932d 0x489346 0x489346 0x489349 0x489349 0x48934c 0x48934c 0x48935d 0x48935d 0x489361 0x489361 0x48936f 0x48936f 0x489376 0x489376 0x489377 0x489377 0x489386 0x489386 0x48939f 0x48939f 0x4893a0 0x4893a0 0x4893ae 0x4893ae 0x4893be 0x4893be 0x4893bf 0x4893bf 0x4893c8 0x4893c8 0x4893ef 0x4893ef 0x4893f4 0x4893f4 0x4893f8 0x4893f8 0x489400 0x489400 0x48941d 0x48941d 0x489423 0x489423 0x489428 0x489428 0x48942c 0x48942c 0x489439 0x489439 0x48943d 0x48943d 0x489446 0x489446 0x489451 0x489451 0x489455 0x489455 0x489469 0x489469 0x48946b 0x48946b 0x489475 0x489475 0x48947a 0x48947a 0x489490 0x489490 0x489495 0x489495 0x4894a3 0x4894a3 0x4894a6 0x4894a6 0x48950c 0x48950c 0x489511 0x489511 0x48952c 0x48952c 0x489534 0x489534 0x489550 0x489550 0x489554 0x489554 0x489559 0x489559 0x48955e 0x48955e 0x489561 0x489561 0x489567 0x489567 0x489580 0x489580 0x489589 0x489589 0x48958e 0x48958e 0x489591 0x489591 0x4895a0 0x4895a0 0x4895aa 0x4895aa 0x4895ad 0x4895ad 0x4895b5 0x4895b5 0x4895cb 0x4895cb 0x4895d4 0x4895d4 0x4895e3 0x4895e3 0x4895ea 0x4895ea 0x4895fb 0x4895fb 0x4895ff 0x4895ff 0x48961b 0x48961b 0x489629 0x489629 0x489635 0x489635 0x489639 0x489639 0x48963e 0x48963e 0x48964d 0x48964d 0x489651 0x489651 0x489656 0x489656 0x48965f 0x48965f 0x489665 0x489665 0x48966a 0x48966a 0x48967b 0x48967b 0x489693 0x489693 0x4896c3 0x4896c3 0x4896cb 0x4896cb 0x4896ce 0x4896ce 0x4896e4 0x4896e4 0x4896e9 0x4896e9 0x4896fd 0x4896fd 0x48970e 0x48970e 0x489713 0x489713 0x489717 0x489717 0x489722 0x489722 0x489736 0x489736 0x489738 0x489738 0x489739 0x489739 0x489741 0x489741 0x489745 0x489745 0x489765 0x489765 0x48976a 0x48976a 0x489776 0x489776 0x48977b 0x48977b 0x4001d4 0x4001d9 0x4001d9 0x4001de 0x4001de 0x4001e1 0x4001e1 0x4001ea 0x4001ea 0x4001ec 0x4001ec 0x4001f1 0x4001f1 0x4001f3 0x4001f3 0x4001f8 0x4001f8 0x4001e2 0x4001e2 0x4001fd 0x4001fd 0x4069fc 0x4069f6
- Windows API calls issued from malware code
  1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
  2. above at 0xtable in that called from 0x.\src\image-flowGraph.C[1257]
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
  4. ThunRTMain at 0x7342de3e in MSVBVM60.DLL called from 0x4069f6
- - dot file
  - jpg

MD5 checksum	b035b195b411cfe2707310ad7910167b
Anti-virus name	W32/SysVenFak.B.gen!Eldorado (generic, not disinfectable),Worm.Autorun-1723,Trojan.Agent.AJPN

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x1314b63f 0x1314b646 0x1314b66c 0x1314b6a0 0x1314b6a8 0x1314b6b3 0x1314b973 0x1314b97f 0x1314b980 0x1314b9f2 0x1314b9f6 0x1314b9fb 0x1314b987 0x1314b98e 0x1314b990 0x1314b997 0x1314b999 0x1314b99b 0x1314b9a0 0x1314b9a4 0x1314b9a6 0x1314b9ba 0x1314b9bf 0x1314b9e8 0x1314b9e7 0x1314b9a9 0x1314b9fe 0x1314b9ff 0x1314ba04 0x1314ba0b 0x1314ba0d 0x1314b9c6 0x1314b9fc 0x1314b9d3 0x1314b9da 0x1314b9e1 0x1314b9e6 0x1314b9b1 0x1314b9b8 0x1314ba0e 0x1314b6d4 0x1314b6f4 0x8705a9 0x8705c9 0x8705d5 0x8705e3 0x8705e9 0x870605 0x870628 0x870297 0x8702f9 0x8702fd 0x87030f 0x870017 0x870032 0x870000 0x870011 0x870037 0x870048 0x870327 0x87033a 0x870093 0x8700ac 0x8700e8 0x87012e 0x870353 0x87037e 0x870394 0x8703ba 0x8701ad 0x8701b7 0x8700ec 0x87012b 0x8701c4 0x8700cf 0x8700d6 0x8701cd 0x870433 0x87058b 0x870112 0x870119 0x8703c9 0x8703de 0x8703e9 0x8703f5 0x8703fc 0x87040d 0x870411 0x87041a 0x870384 0x870389 0x870391 0x87039a 0x8701d1 0x8701e0 0x8701fd 0x870205 0x870221 0x87020f 0x87021d 0x870229 0x8704b0 0x870232 0x87023d 0x870241 0x870131 0x870142 0x870146 0x870154 0x87015b 0x87015c 0x870292 0x8704ed 0x870503 0x870508 0x870520 0x87052c 0x87016b 0x870184 0x870185 0x870193 0x8701a3 0x8701a4 0x870556 0x87055d 0x870563 0x87056b 0x870577 0x870586 0x870486 0x870497 0x870441 0x87044d 0x870451 0x87047d 0x87038e 0x870456 0x870465 0x870469 0x870477 0x8704ea 0x87046e 0x870257 0x870261 0x870266 0x87027c 0x870535 0x87004c 0x87005b 0x87005e 0x870066 0x87006b 0x870083 0x870086 0x870087 0x870551 0x870073 0x87007b 0x870281 0x87028f 0x870597 0x870599 0x870647 0x87064d 0x87064e 0x87065b 0x87065f 0x1314b723 0x1314b736 0x1314b78a 0x1314b8c9 0x1314b8d7 0x1314b8f2 0x1314b90d 0x1314b915 0x1314b92c 0x1314b940 0x1314b953 0x1314b95c 0x1314b920 0x1314b929 0x1314b8df 0x1314b8e4 0x1314b8ea 0x1314b8f0 0x1314b96c 0x1314b78f 0x1314b822 0x1314b875 0x1314b886 0x1314b8a5 0x1314b8ae 0x1314b8c2 0x13149041
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x1314b69a
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x870625
3. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x870658
4. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x1314b730
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x1314b907
6. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x1314b94d
7. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x1314b89f

MD5 checksum	b2985931792b57a932232332d962ec91
Anti-virus name	W32/Flux.A.gen!Eldorado (generic, not disinfectable),Trojan.Flux-16,Trojan.Spy.Flux.A.Dam.2

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x408e9d 0x408f58 0x408f5c 0x408f61 0x408eb2 0x408eb6 0x408ece 0x408f4e 0x408f51 0x408f55 0x408f57 0x408ed1 0x408ee6 0x408f4c 0x408eef 0x408ef6 0x408efb 0x408f00 0x408f01 0x408f02 0x408eab 0x408eb8 0x408ebc 0x408ebe 0x408ec5 0x408ec3 0x408ec9 0x408ecb 0x408f07 0x408f4f 0x408edd 0x408ee2 0x408ed8 0x408edb 0x408f03 0x408f11 0x408f18 0x408f1a 0x408f1c 0x408ea9 0x408f22 0x408f2b 0x408f2c 0x408f31 0x408f35 0x408f3c 0x408f44 0x408f45 0x408f49 0x408f25 0x40508e 0x40509b 0x4050a3 0x4050ab 0x4050af 0x4050b4 0x4050c1 0x4050cb 0x4050d9 0x40516f 0x405188 0x405121 0x405126 0x40512c 0x405134 0x405139 0x4050fb 0x4050fe 0x40510a 0x4041b4 0x4041ca 0x4041dd 0x4038ad 0x4038cc 0x4038ea 0x403905 0x403920 0x40393b 0x40394d 0x40395f 0x403971 0x40398c 0x4039a7 0x4039c2 0x4039dd 0x4039f8 0x403a13 0x403a2e 0x403a40 0x403a5b 0x403a6d 0x403a7f 0x403a9a 0x403ab5 0x403ac7 0x403ae2 0x403af4 0x403b0f 0x403b21 0x403b3c 0x403b57 0x403b69 0x403b7b 0x403b8d 0x403ba8 0x403bba 0x403bcc 0x403bde 0x403bf0 0x403c02 0x403c1d 0x403c2f 0x403c41 0x403c53 0x403c65 0x403c77 0x403c89 0x403c9b 0x403cad 0x403cbf 0x403cd1 0x403ce3 0x403cf5 0x403d07 0x403d19 0x403d2b 0x403d41 0x403d5a 0x403d73 0x403d88 0x403d97 0x404204 0x404218 0x40422c 0x404240 0x404254 0x402053 0x40205b 0x402081 0x404290 0x404297 0x40429d 0x4042ab 0x4042c0 0x403dcc 0x403de6 0x403dfe 0x403e10 0x403e26 0x403e32 0x403e47 0x403e63 0x403e6a 0x4042e3 0x4042fc 0x40430b 0x404312 0x404318 0x40431f 0x40432d 0x4033aa 0x40341e 0x404dce 0x404dcf 0x405110 0x405153 0x40516e
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x408f29
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x408f46
3. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x405095
4. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4050d3
5. GetProcessHeap at 0x7c80aa49 in kernel32.dll called from 0x40517b
6. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x405182
7. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x405104
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4038a7
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4038ca
10. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4038e8
11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403903
12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40391e
13. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403939
14. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40394b
15. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40395d
16. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40396f
17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40398a
18. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4039a5
19. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4039c0
20. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4039db
21. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4039f6
22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403a11
23. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403a2c
24. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403a3e
25. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403a59
26. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403a6b
27. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403a7d
28. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403a98
29. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403ab3
30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403ac5
31. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403ae0
32. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403af2
33. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403b0d
34. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403b1f
35. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403b3a
36. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403b55
37. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403b67
38. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403b79
39. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403b8b
40. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403ba6
41. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403bb8
42. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403bca
43. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403bdc
44. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403bee
45. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c00
46. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c1b
47. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c2d
48. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c3f
49. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c51
50. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c63
51. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c75
52. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c87
53. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c99
54. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403cab
55. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403cbd
56. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403ccf
57. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403ce1
58. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403cf3
59. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403d05
60. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403d17
61. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403d29
62. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403d3b
63. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403d54
64. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403d6d
65. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403d86
66. FreeLibrary at 0x7c80aa66 in kernel32.dll called from 0x403d91
67. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x404212
68. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x404226
69. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40423a
70. lstrcpy at 0x7c80c729 in kernel32.dll called from 0x40424e
71. CreateMutexA at 0x7c80eb3f in kernel32.dll called from 0x40428a
72. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x404297
73. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x4042ba
74. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x403dc6
75. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x403de0
76. ReadFile at 0x7c80180e in kernel32.dll called from 0x403df8
77. ReadFile at 0x7c80180e in kernel32.dll called from 0x403e0a
78. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x403e20
79. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x403e2c
80. ReadFile at 0x7c80180e in kernel32.dll called from 0x403e41
81. ReadFile at 0x7c80180e in kernel32.dll called from 0x403e5d
82. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x403e64
83. RtlMoveMemory at 0x7c903151 in ntdll.dll called from 0x4042f6
84. CreateMutexA at 0x7c80eb3f in kernel32.dll called from 0x404305
85. RtlGetLastWin32Error at 0x7c910331 in ntdll.dll called from 0x404312
86. GetCurrentProcess at 0x7c80e00d in kernel32.dll called from 0x404327
87. OpenProcessToken at 0x77dd7753 in ADVAPI32.dll called from 0x403427
88. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x405118
CFG at exit
- dot file
- jpg

MD5 checksum	b4e5cb42006df8bbeaa85ce51bcaea03
Anti-virus name	Trojan.Spy-51679,Trojan.Crypt.Delf.B

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4aa850 0x40012c 0x400130 0x40010b 0x400167 0x400169 0x40016d 0x40016f 0x400173 0x400175 0x40017c 0x40017a 0x400180 0x400182 0x400165 0x400162 0x400196 0x40019b 0x4001b9 0x4001c0 0x400185 0x47f000 0x47f005 0x47f009 0x47f00b 0x400191 0x47f003 0x400194 0x4001bc 0x40019f 0x4001a8 0x4001af 0x4001b4 0x4001ba 0x4001bb 0x4001ca 0x40015f 0x4001cf 0x4aaacc 0x4aaadc 0x4aa869 0x4aa869 0x4aa878 0x4aa878 0x4aa88e 0x4aa88e 0x4aa891 0x4aa891 0x4aa89f 0x4aa89f 0x4aa8a3 0x4aa8a3 0x4aa8ab 0x4aa8ab 0x4aa8af 0x4aa8af 0x4aa8b7 0x4aa8b7 0x4aa8c7 0x4aa8c7 0x4aa8ca 0x4aa8ca 0x4aa8cc 0x4aa8cc 0x4aa8d5 0x4aa8d5 0x4aa8ec 0x4aa8ec 0x4aa90e 0x4aa90e 0x4aa927 0x4aa927 0x4aa92b 0x4aa92b 0x4aa94e 0x4aa94e 0x4aa967 0x4aa967 0x4aa96a 0x4aa96a 0x4aa96d 0x4aa96d 0x4aa97e 0x4aa97e 0x4aa982 0x4aa982 0x4aa990 0x4aa990 0x4aa997 0x4aa997 0x4aa998 0x4aa998 0x4aa9a7 0x4aa9a7 0x4aa9c0 0x4aa9c0 0x4aa9c1 0x4aa9c1 0x4aa9cf 0x4aa9cf 0x4aa9df 0x4aa9df 0x4aa9e0 0x4aa9e0 0x4aa9e9 0x4aa9e9 0x4aaa10 0x4aaa10 0x4aaa15 0x4aaa15 0x4aaa19 0x4aaa19 0x4aaa21 0x4aaa21 0x4aaa3e 0x4aaa3e 0x4aaa44 0x4aaa44 0x4aaa49 0x4aaa49 0x4aaa4d 0x4aaa4d 0x4aaa5a 0x4aaa5a 0x4aaa5e 0x4aaa5e 0x4aaa67 0x4aaa67 0x4aaa72 0x4aaa72 0x4aaa76 0x4aaa76 0x4aaa8a 0x4aaa8a 0x4aaa8c 0x4aaa8c 0x4aaa96 0x4aaa96 0x4aaa9b 0x4aaa9b 0x4aaab1 0x4aaab1 0x4aaab6 0x4aaab6 0x4aaac4 0x4aaac4 0x4aaac7 0x4aaac7 0x4aab1e 0x4aab1e 0x4aab23 0x4aab23 0x4aab3e 0x4aab3e 0x4aab46 0x4aab46 0x4aab62 0x4aab62 0x4aab66 0x4aab66 0x4aab6b 0x4aab6b 0x4aab70 0x4aab70 0x4aab73 0x4aab73 0x4aab79 0x4aab79 0x4aab92 0x4aab92 0x4aab9b 0x4aab9b 0x4aaba0 0x4aaba0 0x4aaba3 0x4aaba3 0x4aabb2 0x4aabb2 0x4aabbc 0x4aabbc 0x4aabbf 0x4aabbf 0x4aabc7 0x4aabc7 0x4aabdd 0x4aabdd 0x4aabe6 0x4aabe6 0x4aabf5 0x4aabf5 0x4aabfc 0x4aabfc 0x4aac0d 0x4aac0d 0x4aac11 0x4aac11 0x4aac2d 0x4aac2d 0x4aac3b 0x4aac3b 0x4aac47 0x4aac47 0x4aac4b 0x4aac4b 0x4aac50 0x4aac50 0x4aac5f 0x4aac5f 0x4aac63 0x4aac63 0x4aac68 0x4aac68 0x4aac71 0x4aac71 0x4aac77 0x4aac77 0x4aac7c 0x4aac7c 0x4aac8d 0x4aac8d 0x4aaca5 0x4aaca5 0x4aacd5 0x4aacd5 0x4aacdd 0x4aacdd 0x4aace0 0x4aace0 0x4aacf6 0x4aacf6 0x4aacfb 0x4aacfb 0x4aad0f 0x4aad0f 0x4aad20 0x4aad20 0x4aad25 0x4aad25 0x4aad29 0x4aad29 0x4aad34 0x4aad34 0x4aad48 0x4aad48 0x4aad4a 0x4aad4a 0x4aad4b 0x4aad4b 0x4aad53 0x4aad53 0x4aad57 0x4aad57 0x4aad77 0x4aad77 0x4aad7c 0x4aad7c 0x4aad88 0x4aad8d 0x4aad93 0x4aad97 0x4aada4 0x4aad99 0x4aada8 0x4001d9 0x4001de 0x4001e1 0x4001ea 0x4001ec 0x4001f1 0x4001f3 0x4001f8 0x4001e2 0x4001d6
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
- dot file
- jpg

MD5 checksum b61b252c6dec97bfd278fb5c2485db8f

Anti-virus name Adware.Casino-3

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x413bff 0x413bff 0x413c2b 0x413c2b 0x4164c1 0x4164d8 0x4164d8 0x4164e1 0x416379 0x413610 0x41361c 0x413630 0x416386 0x41639e 0x41639e 0x4163a2 0x4163ab 0x4163b4 0x4164be 0x4164e6 0x4164fd 0x41651a 0x413c5e 0x413c6b 0x413c6b 0x4184f1 0x413975 0x413987 0x41398e 0x4139b3 0x4139d7 0x413a09 0x413a10 0x413a16 0x413a25 0x413997 0x4139b2 0x413984 0x418502 0x418511 0x418527 0x41852b 0x418545 0x418550 0x418550 0x418621 0x418623 0x418631 0x418639 0x418648 0x41864f 0x41864f 0x418656 0x41865d 0x41865d 0x41866d 0x418682 0x41863e 0x418661 0x418673 0x418688 0x418694 0x418694 0x413c73 0x413c79 0x413c79 0x4183bf 0x4183bf 0x4183da 0x4183da 0x4183dc 0x4183dc 0x4183e2 0x4183e2 0x418416 0x418416 0x418426 0x418426 0x41842d 0x41842d 0x418434 0x418434 0x41843b 0x41843b 0x418454 0x418454 0x41845a 0x41845a 0x418460 0x418460 0x418469 0x418469 0x418476 0x418476 0x418488 0x418488 0x41848c 0x41848c 0x418493 0x418493 0x4184ea 0x4184ea 0x413c83 0x418172 0x418184 0x414f9c 0x414fa5 0x414bc8 0x414d61 0x414d81 0x414d86 0x414d90 0x414bd9 0x414bd9 0x414beb 0x414bf5 0x414bfc 0x414c00 0x414c0b 0x414c16 0x414c16 0x414c1f 0x414d31 0x414d37 0x414d50 0x414e07 0x414e21 0x414e21 0x414e2a 0x414e31 0x414e3d 0x414e82 0x41968b 0x4196bc 0x4196d0 0x4196d0 0x4196d4 0x4196f5 0x4196fa 0x419723 0x41972c 0x419739 0x419756 0x419756 0x41975d 0x41976f 0x413270 0x41327c 0x41328a 0x413299 0x4132b1 0x4132bd 0x41977f 0x41978f 0x419797 0x4197ac 0x4197ac 0x4197b0 0x4197be 0x4197be 0x4197c2 0x414ea6 0x41943c 0x41946c 0x419484 0x419484 0x419488 0x4194b2 0x4194b7 0x419660 0x419670 0x419675 0x41967d 0x419688 0x4194c2 0x4194c7 0x4194ee 0x4194f7 0x419504 0x419521 0x419521 0x41952e 0x41953e 0x41955f 0x419564 0x419579 0x419579 0x41957d 0x41958f 0x41958f 0x419598 0x4195de 0x4195f2 0x419612 0x419616 0x41962a 0x41962a 0x41962e 0x419639 0x41963f 0x41964f 0x41964f 0x419659 0x4195cc 0x414eca 0x414ef2 0x414efd 0x414f1b 0x414f30 0x414f37 0x414f05 0x414f13 0x414f20 0x414f3e 0x414f89 0x414d55 0x414d55 0x414d5c 0x414fac 0x414fb7 0x418189 0x41819b 0x41819b 0x4181ac 0x4181ae 0x41820b 0x418235 0x41823a 0x418243 0x418247 0x41825f 0x41826c 0x418276 0x41827b 0x4182c1 0x4182c5 0x4183ae 0x4183b5 0x4181be 0x4181cd 0x4181de 0x41822d 0x418265 0x418272 0x4183b2 0x4181f4 0x413c8d 0x4180b9 0x4180b9 0x4180cb 0x4180cb 0x4180d3 0x4180d3 0x4180d9 0x4180d9 0x4180de 0x4180de 0x412e40 0x412e40 0x412e60 0x412e60 0x412e78 0x412e78 0x412e7f 0x412e7f 0x412e83 0x412e83 0x412e8a 0x412e8a 0x412e93 0x412e93 0x4180e4 0x4180e4 0x412ea7 0x412ea7 0x412e4c 0x412e4c 0x412e53 0x412e53 0x412e5b 0x412e5b 0x412e9d 0x412e9d 0x4180dd 0x4180dd 0x412eb1 0x412eb1 0x4180eb 0x4180eb 0x4180f8 0x4180f8 0x41810d 0x41810d 0x418117 0x418117 0x418118 0x418118 0x41811e 0x41811e 0x418149 0x418149 0x418127 0x418127 0x41812d 0x41812d 0x41813c 0x41813c 0x4128f0 0x4128f0 0x412961 0x412961 0x41296d 0x41296d 0x412974 0x412974 0x41297f 0x41297f 0x412986 0x412986 0x412981 0x412981 0x4129a0 0x4129a0 0x4129a4 0x4129a4 0x4129a8 0x4129a8 0x4129c2 0x4129c2 0x418144 0x418144 0x4129b0 0x4129b0 0x4129ba 0x4129ba 0x4129d8 0x4129d8 0x4129cf 0x41814f 0x41814f 0x418150 0x418150 0x413a27 0x413a27 0x413a33 0x413a33 0x413a53 0x413a53 0x413a7e 0x413a7e 0x413a7f 0x413a7f 0x413a8d 0x413a8d 0x41815b 0x413c92 0x415ce6 0x415ce6 0x415cef 0x415cef 0x4134cc 0x4134cc 0x4134e4 0x4134e4 0x4134d1 0x415eb7 0x415ec2 0x415ec2 0x415ec6 0x415ec6 0x415ed2 0x415ed2 0x415ed6 0x415ed6 0x415eda 0x415eda 0x4134d6 0x4134d6 0x415e67 0x419cf1 0x419cbc 0x419d31 0x419d3f 0x419d42 0x419d47 0x419d49 0x419d4e 0x419d50 0x419d55 0x419d57 0x419d5c 0x419d5e 0x419d63 0x419d68 0x419da0 0x419da5 0x419da5 0x419da9 0x419da9 0x419db5 0x419db5 0x419dc2 0x419dc2 0x419ccd 0x419dc3 0x419dd0 0x419dd3 0x419dd8 0x419dda 0x419ddf 0x419de1 0x419de6 0x419de8 0x419ded 0x419def 0x419df7 0x419df9 0x419e26 0x419e30 0x419e38 0x419e3e 0x419e4b 0x419ce4 0x419d04 0x419d04 0x415e76 0x415e76 0x4134e0 0x415cf1 0x415cf1 0x415dec 0x415dec 0x415df1 0x415df1 0x415df7 0x415df7 0x415dff 0x415dff 0x415dfd 0x415dfd 0x41323f 0x41323f 0x413249 0x413249 0x413260 0x413260 0x419a85 0x419a85 0x419a92 0x419a92 0x419a9f 0x419a9f 0x419aa4 0x419aa4 0x41af22 0x41af22 0x41af36 0x41af36 0x41af3d 0x41af3d 0x41af43 0x41af43 0x41af4a 0x41af4a 0x41af6e 0x41af6e 0x41af8d 0x41af8d 0x41af9c 0x41af9c 0x41afc6 0x41afc6 0x41afc8 0x41afc8 0x419aac 0x419aac 0x419ad8 0x419ad8 0x419adf 0x419adf 0x419af5 0x419af5 0x419afc 0x419afc 0x419b19 0x419b19 0x419b1c 0x419b1c 0x419b15 0x419b15 0x419b28 0x419b28 0x419079 0x419079 0x419084 0x419084 0x415e04 0x415e04 0x415d00 0x4035b0 0x4035b0 0x4035bf 0x404f20 0x404fd0 0x405210 0x4052a0 0x40521f 0x404fec 0x404ff7 0x404f33 0x4035d1 0x4035b8 0x4035d5 0x4035d5 0x41322d 0x41322d 0x4131c0 0x4131c0 0x415e06 0x415e06 0x415e2f 0x415e2f 0x415e53 0x415e53 0x415e56 0x415e56 0x415e64 0x415e64 0x4131cc 0x41321f 0x41321f 0x413236 0x4035e2 0x4035e2 0x4035bd 0x4053c0 0x4053c0 0x4053cf 0x4053cf 0x40e0b0 0x40e0b0 0x4053dc 0x4053c8 0x4053de 0x4053de 0x4053eb 0x4053eb 0x4053cd 0x40541c 0x40541c 0x40542b 0x403613 0x40c180 0x40c1a9 0x40c1bc 0x41c546 0x410480 0x410480 0x41048f 0x40ae80 0x40ae8e 0x41049c 0x410488 0x41049e 0x41049e 0x4104ab 0x4104ab 0x41048d
- Windows API calls issued from malware code
  1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x413c25
  2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x4164d2
  3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x416398
  4. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x413a1f
  5. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x41854a
  6. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x418649
  7. GetFileType at 0x7c811069 in kernel32.dll called from 0x418657
  8. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x41868e
  9. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x413c73
  10. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x4183da
  11. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x418452
  12. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x418474
  13. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x41848d
  14. GetACP at 0x7c809943 in kernel32.dll called from 0x414d90
  15. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414c10
  16. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x414e1b
  17. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4196ca
  18. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x419750
  19. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4197a6
  20. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x4197b8
  21. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x41947e
  22. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x41951b
  23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x419573
  24. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x419589
  25. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x419624
  26. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x419649
  27. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x418195
  28. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x413a87
  29. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x415ebc
  30. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x415ecc
  31. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x415ed8
  32. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x41af96
  33. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x41907e
  34. RtlSizeHeap at 0x7c9109ed in ntdll.dll called from 0x415e5e
  35. WSAStartup at 0x71ab664d in WS2_32.dll called from 0x41c546

MD5 checksum	b7ffbace87f35a70a213819e4d8ae2c8
Anti-virus name	Adware.Zeno-3,Generic.Zeno.51DEB277

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x40856f 0x408584 0x408592 0x4085ab 0x4085bf 0x4086b2 0x4086ce 0x4086c1 0x4085c4 0x4086ac 0x4085d3 0x4085f7 0x40871a 0x4086ec 0x408732 0x401070 0x401080 0x401020 0x40828e 0x4020e0 0x4020f0 0x4082e2 0x405340 0x405350 0x4083ba 0x408606 0x408618 0x408622 0x408626 0x40862b 0x40862f 0x408639 0x408646 0x40865d 0x408660 0x40866a 0x4086d4 0x40872c 0x40856f 0x408584 0x408592 0x4085ab 0x4085bf 0x4086b2 0x4086ce 0x4086c1 0x4085c4 0x4086ac 0x4085d3 0x4085f7 0x40871a 0x4086ec 0x408732 0x401070 0x401080 0x401020 0x40828e 0x4020e0 0x4020f0 0x4082e2 0x405340 0x405350 0x4083ba 0x408606 0x408618 0x408622 0x408626 0x40862b 0x40862f 0x408639 0x408646 0x40865d 0x408660 0x40866a 0x4086d4 0x40872c
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x408569
2. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x40857e
3. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x40858c
4. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x4086ce
5. initterm at 0x77c39d67 in msvcrt.dll called from 0x4086ac
6. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x4085f1
7. targ982d6 at 0x73e682d6 in MFC42.DLL called from 0x408732
8. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x408640
9. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x408664
10. rmtmp at 0x77c3f88a in msvcrt.dll called from 0x77c39d78
11. targ29ddb at 0x77c39e48 in msvcrt.dll called from 0x77c39d84
12. targ29ddb at 0x77c39e59 in msvcrt.dll called from 0x77c39d84
CFG at exit
- dot file
- jpg

MD5 checksum	b8c2e95d43242d29cd77de538a5b5792
Anti-virus name	W32/Trojan-Gypikon-based.DE!Maximus,GenPack:Trojan.Generic.501628

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x46210f 0x46210f 0x46213b 0x46213b 0x46214c 0x46214c 0x462188 0x462188 0x46219d 0x46219d 0x4621bd 0x4621bd 0x4621c9 0x4621c9 0x46221b 0x46221b 0x462279 0x462279 0x46227d 0x46227d 0x462284 0x462284 0x46228f 0x46228f 0x4622a5 0x4622a5 0x4622a8 0x4622a8 0x4622bf 0x4622bf 0x4622c6 0x4622c6 0x4622e6 0x4622e6 0x4622f4 0x4622f4 0x462359 0x462359 0x46247f 0x46247f 0x462486 0x462486 0x46248b 0x46248b 0x462496 0x462496 0x4624ad 0x4624ad 0x4624df 0x4624df 0x4624e8 0x4624e8 0x4624f5 0x4624f5 0x46251a 0x46251a 0x4624f9 0x4624f9 0x462504 0x462504 0x462555 0x462555 0x462558 0x462558 0x46255b 0x46255b 0x462563 0x462563 0x462582 0x462582 0x4631da 0x4631da 0x463220 0x463220 0x463230 0x463230 0x463246 0x463246 0x463254 0x463254 0x463258 0x463258 0x463261 0x463261 0x46326d 0x46326d 0x463273 0x463273 0x463277 0x463277 0x46327f 0x46327f 0x463286 0x463286 0x46328b 0x46328b 0x463296 0x463296 0x46329a 0x46329a 0x4632a2 0x4632a2 0x4632ac 0x4632ac 0x4632c4 0x4632c4 0x4632d3 0x4632d3 0x4632d5 0x4632d5 0x4632e6 0x4632e6 0x4632eb 0x4632eb 0x4632f7 0x4632f7 0x463314 0x463314 0x46331a 0x46331a 0x463349 0x463349 0x463350 0x463350 0x463363 0x463363 0x463368 0x463368 0x463374 0x463374 0x463378 0x463378 0x46338d 0x46338d 0x46339c 0x46339c 0x4633ab 0x4633ab 0x4633b0 0x4633b0 0x4633b5 0x4633b5 0x4633c3 0x4633c3 0x4633b2 0x4633b2 0x4633ca 0x4633ca 0x4633e5 0x4633e5 0x46344b 0x46344b 0x463453 0x463453 0x463462 0x463462 0x46347e 0x46347e 0x463488 0x463488 0x4634b0 0x4634b0 0x4634b7 0x4634b7 0x4634cf 0x4634cf 0x4634e0 0x4634e0 0x4634f3 0x4634f3 0x4634f9 0x4634f9 0x463504 0x463504 0x46350e 0x46350e 0x46351d 0x46351d 0x463536 0x463536 0x463365 0x463365 0x463508 0x463508 0x463547 0x463547 0x46355a 0x46355a 0x46323f 0x46323f 0x463241 0x463241 0x4625bc 0x4625bc 0x4625c7 0x4625c7 0x4625d3 0x4625d3 0x4625e2 0x4625e2 0x4625eb 0x4625eb 0x462616 0x462616 0x462620 0x462620 0x46262d 0x46262d 0x462644 0x462644 0x462668 0x462668 0x462687 0x462687 0x462691 0x462691 0x462694 0x462694 0x4626d2 0x4626d2 0x462703 0x462703 0x462708 0x462708 0x462711 0x462711 0x462715 0x462715 0x462720 0x462720 0x462727 0x462727 0x462730 0x462730 0x46271e 0x46271e 0x4626ad 0x4626ad 0x4626b8 0x4626b8 0x46273b 0x46273b 0x46338b 0x46338b 0x46349a 0x46349a 0x46340e 0x46340e 0x46352b 0x46352b 0x4627a2 0x4627a2 0x4627ad 0x4627ad 0x4627b6 0x4627b6 0x4627f8 0x4627f8 0x462803 0x462803 0x462812 0x462812 0x462834 0x462834 0x46283d 0x46283d 0x46286f 0x46286f 0x462874 0x462874 0x462881 0x462881 0x46288d 0x46288d 0x4628b8 0x4628b8 0x4628bd 0x4628bd 0x4628de 0x4628de 0x4628e3 0x4628e3 0x4628ee 0x4628ee 0x462900 0x462900 0x462903 0x462903 0x462922 0x462922 0x462ab4 0x462ab4 0x462938 0x462938 0x462985 0x462985 0x4629c5 0x4629c5 0x4629d3 0x4629d3 0x462a07 0x462a07 0x462a35 0x462a35 0x462a5b 0x462a5b 0x462a97 0x462a97 0x462aa2 0x462aa2 0x462ab1 0x462ab1 0x462946 0x462946 0x46294b 0x46294b 0x462955 0x462955 0x462aa4 0x462aa4 0x4629ea 0x4629ea 0x4629f4 0x4629f4 0x4629a3 0x4629a3 0x4629ae 0x4629ae 0x46297b 0x46297b 0x462a10 0x462a10 0x462a1e 0x462a1e 0x462948 0x462948 0x462aec 0x462aec 0x462af6 0x462af6 0x462b03 0x462b03 0x462b22 0x462b22 0x462b3b 0x462b3b 0x462b40 0x462b40 0x462b46 0x462b46 0x462b50 0x462b50 0x462b88 0x462b88 0x462c4c 0x462c4c 0x462cc1 0x462cc1 0x462cc7 0x462cc7 0x462d76 0x462d76 0x462dca 0x462dca 0x462f01 0x462f01 0x462fdd 0x462fdd 0x462fe6 0x462fe6 0x46357c 0x46357c 0x4635a7 0x4635a7 0x4635b4 0x4635b4 0x4635b8 0x4635b8 0x4635c3 0x4635c3 0x4621fc 0x4621fc 0x4635cd 0x4635cd 0x46362c 0x46362c 0x463001 0x463014 0x463014 0x463019 0x463019 0x463022 0x463022 0x46302c 0x46302c 0x463087 0x463087 0x4630b7 0x4630b7 0x4630c3 0x4630c3 0x4630f2 0x4630f2 0x4630f7 0x4630f7 0x463112 0x463112 0x463124 0x463124 0x46312d 0x46312d 0x463132 0x463132 0x463150 0x463150 0x463166 0x463166 0x46316b 0x46316b 0x463173 0x463173 0x46317c 0x46317c 0x463194 0x463194 0x46319b 0x46319b 0x4631ad 0x4631ad 0x4631c5 0x4631c5 0x4631d2 0x4631d2 0x4631d5 0x4631d5 0x4621ee 0x4621f6 0x4621f6 0x462ac1 0x462ac1 0x462ace 0x462ace 0x462b62 0x462b62 0x462b95 0x462b95 0x462b9f 0x462b9f 0x462bac 0x462bac 0x462bc3 0x462bc3 0x462bed 0x462bed 0x462f0e 0x462f0e 0x462fc8 0x462fc8 0x463035 0x463035 0x462c05 0x462c05 0x462c2b 0x462c2b 0x462d5c 0x462d5c 0x462c0a 0x462c0a 0x462c55 0x462c55 0x462c83 0x462c83 0x462cd4 0x462cd4 0x462d08 0x462d08 0x462d32 0x462d32 0x462d7f 0x462d7f 0x462d83 0x462d83 0x462d90 0x462d90 0x462da7 0x462da7 0x462dd7 0x462dd7 0x462dff 0x462dff 0x462e07 0x462e07 0x462e14 0x462e14 0x462e1f 0x462e1f 0x462ed3 0x462ed3 0x462eeb 0x462eeb 0x462e1c 0x462e1c 0x462ef7 0x462ef7 0x462cdc 0x462cdc 0x462ced 0x462ced 0x462f16 0x462f16 0x462f1d 0x462f1d 0x462f51 0x462f51 0x462f55 0x462f55 0x4635e1 0x4635e1 0x4635f2 0x4635f2 0x4635f8 0x4635f8 0x463608 0x463608 0x463617 0x463617 0x463623 0x463623 0x462f70 0x462f70 0x462f87 0x462f87 0x462f8b 0x462f8b 0x462fc0 0x462fc0 0x462a72 0x462a72 0x463102 0x463102 0x462c5f 0x462c5f 0x462c6c 0x462c6c 0x462e27 0x462e27 0x462e2b 0x462e2b 0x462e35 0x462e35 0x462e45 0x462e45 0x462e5c 0x462e5c 0x4628b3 0x4628b3 0x462a85 0x462a85 0x462a88 0x462a88 0x462a91 0x462a91 0x462b36 0x462b36 0x462e60 0x462e60 0x4635a1 0x4635a1 0x46360c 0x46360c 0x462e7b 0x462e7b 0x462e92 0x462e92 0x462e96 0x462e96 0x462ecb 0x462ecb 0x462d53 0x462d53 0x462de9 0x462de9 0x462f2a 0x462f2a 0x462f3a 0x462f3a 0x4635b2 0x4635b2 0x462f8f 0x462f8f 0x462f99 0x462f99 0x462fa9 0x462fa9 0x46300c 0x46300c 0x4631ce 0x4631ce 0x4620d2 0x4620d2
Windows API calls issued from malware code
1. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x462138
2. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x462149
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x462186
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x46219b

MD5 checksum	b97067419e20f2dc605e11cb4caffcce
Anti-virus name	W32/Trojan2.DMHM (exact),Trojan.Pakes-2380,Trojan.Boaxxe.K

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x423910 0x42392a 0x423931 0x423920 0x423926 0x423933 0x423938 0x423943 0x423949 0x423954 0x42395b 0x423966 0x423968 0x423973 0x423980 0x4239a4 0x4239c4 0x4239d3 0x423984 0x423985 0x423990 0x423996 0x423998 0x4239a1 0x4239b5 0x4239be 0x423979 0x42394b 0x42393c 0x42396c 0x423989 0x4239da 0x4239e2 0x4239e7 0x4239eb 0x4239f0 0x423a0e 0x423a1a 0x423a30 0x423a38 0x423a45 0x423a49 0x423a31 0x423a14 0x423a56 0x423a6f 0x423a84 0x423a8a 0x423a90 0x403174 0x403cd4 0x403b9a 0x4031b4 0x4046b0 0x4039fc 0x403afb 0x403b09 0x403b40 0x4031c2 0x40386b 0x403886 0x403888 0x40388e 0x4038c2 0x4038d2 0x4038d9 0x4038e0 0x4038e7 0x403900 0x403906 0x40390c 0x403915 0x403922 0x403934 0x403938 0x40393f 0x403996 0x4040cb 0x404108 0x404313 0x405d32 0x405db8 0x405e0e 0x405e20 0x405ae6 0x405b83 0x405bdb 0x405bf1 0x405c8c 0x405cb1 0x404247 0x403647 0x403565 0x403577 0x40357f 0x403585 0x40358a 0x403040 0x403060 0x403078 0x40307f 0x403083 0x40308a 0x403093 0x403590 0x4030a7 0x40304c 0x403053 0x40305b 0x40309d 0x403589 0x4030b1 0x403597 0x4035a4 0x4035b9 0x4035c3 0x4035c4 0x4035ca 0x4035f5 0x4035d3 0x4035d9 0x4035e8 0x404510 0x404581 0x40458d 0x404594 0x40459f 0x4045a6 0x4045a1 0x4045c0 0x4045c4 0x4045c8 0x4045e2 0x4035f0 0x4045d0 0x4045da 0x4045f8 0x4035fb 0x4035fc 0x40449a 0x4044a6 0x4044c6 0x4044f1 0x4044f2 0x404500 0x403287 0x403292 0x40336f 0x403374 0x40337a 0x403382 0x403380 0x403387 0x4032b0 0x4031ed 0x40350d 0x40351b 0x403528 0x403530 0x403534 0x404078 0x404089 0x40409a 0x4040af 0x4040b1 0x4040b5 0x404085 0x403545 0x40354a 0x403557 0x403561 0x403201 0x403204 0x403210 0x40240f 0x40241a 0x402420 0x40249d 0x401116 0x401127 0x401131 0x4024fb 0x402501 0x402203 0x402211 0x402217 0x4010c9 0x4010dd 0x4010e7 0x402261 0x4022b1 0x4022bf 0x40258f 0x4032b4 0x4032d6 0x4032f3 0x40330b 0x403336 0x403345 0x403347 0x403356 0x40335d
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x423a2a
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x423a3f
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x423a6d
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x423a82
5. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40316e
6. HeapCreate at 0x7c812929 in kernel32.dll called from 0x403cce
7. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x403b94
8. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4046aa
9. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4039f6
10. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x403af5
11. GetFileType at 0x7c811069 in kernel32.dll called from 0x403b03
12. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x403b3a
13. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4031bc
14. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x403886
15. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x4038fe
16. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x403920
17. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x403939
18. GetACP at 0x7c809943 in kernel32.dll called from 0x404282
19. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x404102
20. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40430d
21. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x405d2c
22. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405db2
23. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405e08
24. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x405e1a
25. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405ae0
26. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405b7d
27. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x405bd5
28. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405beb
29. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x405c86
30. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x405cab
31. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x403641
32. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4044fa
33. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x4031e7
34. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40320a
35. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x402409
36. Sleep at 0x7c802442 in kernel32.dll called from 0x402414
37. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40241a
38. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x402497
39. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x401110
40. WaitForSingleObject at 0x7c802530 in kernel32.dll called from 0x401121
41. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x40112b
42. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x4024fb
43. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x4021fd
44. Sleep at 0x7c802442 in kernel32.dll called from 0x40220b
45. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x402211
46. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4010c3
47. Sleep at 0x7c802442 in kernel32.dll called from 0x4022b9
48. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x403367
CFG at exit
- dot file
- jpg

MD5 checksum	b998ae8b301795b7ee3bc26dccf77227
Anti-virus name	W32/Downldr2.ESMZ (exact),Trojan.Pakes-2516,Trojan.Downloader.JKIZ

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x400154 0x4001e8 0x4001ec 0x4001f1 0x400162 0x40015d 0x400164 0x400168 0x40016a 0x40016e 0x400170 0x400177 0x400175 0x40017b 0x40017d 0x400160 0x4001b7 0x40018f 0x400194 0x4001b0 0x400180 0x4001de 0x4001e1 0x4001e5 0x4001e7 0x400183 0x40018a 0x4001dc 0x40018d 0x4001b3 0x4001df 0x400198 0x4001a1 0x4001a6 0x4001ab 0x4001b1 0x4001b2 0x4001c1 0x4001c9 0x4001cf 0x4001d4 0x4001d9 0x4001ca 0x4001c2 0x4001d1 0x40488a 0x4048bd 0x4048d2 0x4048e0 0x4048f9 0x40490d 0x4049f4 0x404a0a 0x404a03 0x404912 0x4049ee 0x404921 0x404945 0x404954 0x404966 0x404970 0x404974 0x404979 0x40497d 0x404987 0x404994 0x4049ab 0x4049ae 0x4049b8 0x4010c0 0x4010f8 0x40111c 0x401127 0x404590 0x4045af 0x4045bc 0x4045cc 0x401950 0x404872 0x40195a 0x401977 0x40197e 0x40198b 0x4019a3 0x4019a7 0x4019a9 0x4019ec 0x4019b6 0x4019bb 0x4019c5 0x4019c9 0x4019e3 0x4019e8 0x4019f5 0x4019fc 0x4045d5 0x4045dd 0x4045f1 0x4011c0 0x403990 0x4039ae 0x403520 0x40400a 0x404073 0x404080 0x404093 0x40409e 0x4040a8 0x4040c2 0x4040ca 0x4040d1 0x4040e8 0x404106 0x404120 0x404128 0x404183 0x404191 0x404878 0x40419b 0x4041b5 0x4041c2 0x4041c7 0x4041ca 0x404216 0x4001e8 0x4001ec 0x4001f1 0x400162 0x40015d 0x400164 0x400168 0x40016a 0x40016e 0x400170 0x400177 0x400175 0x40017b 0x40017d 0x400160 0x4001b7 0x40018f 0x400194 0x4001b0 0x400180 0x4001de 0x4001e1 0x4001e5 0x4001e7 0x400183 0x40018a 0x4001dc 0x40018d 0x4001b3 0x4001df 0x400198 0x4001a1 0x4001a6 0x4001ab 0x4001b1 0x4001b2 0x4001c1 0x4001c9 0x4001cf 0x4001d4 0x4001d9 0x4001ca 0x4001c2 0x4001d1 0x40488a 0x4048bd 0x4048d2 0x4048e0 0x4048f9 0x40490d 0x4049f4 0x404a0a 0x404a03 0x404912 0x4049ee 0x404921 0x404945 0x404954 0x404966 0x404970 0x404974 0x404979 0x40497d 0x404987 0x404994 0x4049ab 0x4049ae 0x4049b8 0x4010c0 0x4010f8 0x40111c 0x401127 0x404590 0x4045af 0x4045bc 0x4045cc 0x401950 0x404872 0x40195a 0x401977 0x40197e 0x40198b 0x4019a3 0x4019a7 0x4019a9 0x4019ec 0x4019b6 0x4019bb 0x4019c5 0x4019c9 0x4019e3 0x4019e8 0x4019f5 0x4019fc 0x4045d5 0x4045dd 0x4045f1 0x4011c0 0x403990 0x4039ae 0x403520 0x40400a 0x404073 0x404080 0x404093 0x40409e 0x4040a8 0x4040c2 0x4040ca 0x4040d1 0x4040e8 0x404106 0x404120 0x404128 0x404183 0x404191 0x404878 0x40419b 0x4041b5 0x4041c2 0x4041c7 0x4041ca 0x404216 0x4046a4 0x40112c 0x401134 0x401147 0x40114c 0x401161 0x401171 0x40117e 0x402e00 0x402100 0x401270 0x4012b7 0x4012be 0x4012cb 0x4012d8 0x4012df 0x4012e6 0x4012f0 0x4012fa 0x4012fe 0x401311 0x401334 0x401344 0x401307 0x401350 0x40135e 0x401365 0x401368 0x402137 0x402161 0x402e0b 0x402e13 0x4024d0 0x402507 0x402531 0x402e1b 0x402610 0x4029aa 0x4029e1 0x4029ef 0x4029ff 0x402a0b 0x402a13 0x402a24 0x40286a 0x4028a1 0x4028b5 0x4028e8 0x4028ef 0x402a9d 0x401380 0x40138f 0x401396 0x4013a0 0x4013a5 0x4013ac 0x4013b3 0x4013bd 0x4013c2 0x4013c9 0x4013d3 0x4013de 0x4013eb 0x402aac 0x402abb 0x401430 0x402ac2 0x403020 0x402afc 0x401410 0x401414 0x40141b 0x40141e 0x402b03 0x402900 0x40290a 0x4033d0 0x4033f0 0x403438 0x403451 0x40345c 0x4034e6 0x403502 0x403509 0x40292a 0x402937 0x402951 0x402963 0x402984 0x40298b 0x402b08 0x402de9 0x402ded 0x402efd 0x401183 0x40467b 0x40468a 0x404691 0x404490 0x4044ae 0x4041e0 0x404000 0x40455e 0x40456b 0x4043b0 0x404260 0x40429b 0x4042ad 0x40487e 0x40430e 0x404322 0x404336 0x40437a 0x404391 0x404397 0x4043ea 0x404579 0x401188 0x402f10 0x402f1c 0x402f32 0x401520 0x401536 0x40153d 0x40154a 0x40154f 0x401556 0x40155d 0x40156a 0x40156f 0x401576 0x401450
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001c6
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001d6
3. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x4048b7
4. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x4048cc
5. _p__commode at 0x77c1f1a4 in msvcrt.dll called from 0x4048da
6. controlfp at 0x77c4ee2f in msvcrt.dll called from 0x404a0a
7. initterm at 0x77c39d67 in msvcrt.dll called from 0x4049ee
8. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x40493f
9. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40498e
10. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4049b2
11. GlobalFindAtomA at 0x7c823094 in kernel32.dll called from 0x4010f2
12. GlobalAddAtomA at 0x7c823039 in kernel32.dll called from 0x401121
13. ExpandEnvironmentStringsA at 0x7c8227c7 in kernel32.dll called from 0x4045ad
14. GetFileAttributesA at 0x7c81174c in kernel32.dll called from 0x4045ba
15. chkstk at 0x7c901a09 in ntdll.dll called from 0x404872
16. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x401971
17. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x401985
18. ReadFile at 0x7c80180e in kernel32.dll called from 0x40199d
19. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x4019f6
20. ExpandEnvironmentStringsA at 0x7c8227c7 in kernel32.dll called from 0x4045ef
21. ExpandEnvironmentStringsA at 0x7c8227c7 in kernel32.dll called from 0x4039a8
22. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
23. RpcBindingFromStringBindingW at 0x77e7edfb in RPCRT4.dll called from 0x7c901a1d
24. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
25. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
26. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
27. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
28. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
29. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x404071
30. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x404091
31. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x4040a2
32. ReadFile at 0x7c80180e in kernel32.dll called from 0x4040bc
33. SetFilePointer at 0x7c810da6 in kernel32.dll called from 0x404100
34. ReadFile at 0x7c80180e in kernel32.dll called from 0x40411a
35. DeviceIoControl at 0x7c801625 in kernel32.dll called from 0x40417d
36. allmul at 0x7c9019d0 in ntdll.dll called from 0x404878
37. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x4041c0
38. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
39. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
40. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
41. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x401132
42. sprintf at 0x7c92912e in ntdll.dll called from 0x401145
43. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40114a
44. sprintf at 0x7c92912e in ntdll.dll called from 0x40115f
45. CreateDirectoryA at 0x7c826219 in kernel32.dll called from 0x40116b
46. SetFileAttributesA at 0x7c81fb44 in kernel32.dll called from 0x401178
47. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4012b1
48. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4012b8
49. NtQuerySystemInformation at 0x7c90e1aa in ntdll.dll called from 0x4012d6
50. malloc at 0x77c2c407 in msvcrt.dll called from 0x4012e0
51. NtQuerySystemInformation at 0x7c90e1aa in ntdll.dll called from 0x4012f8
52. strcmpi at 0x7c913374 in ntdll.dll called from 0x40132e
53. free at 0x77c2c21b in msvcrt.dll called from 0x40135f
54. OpenSCManagerA at 0x77deada7 in ADVAPI32.dll called from 0x402620
55. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
56. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
57. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
58. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
59. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
60. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
61. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
62. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
63. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
64. ExpandEnvironmentStringsA at 0x7c8227c7 in kernel32.dll called from 0x4029df
65. GetFileAttributesA at 0x7c81174c in kernel32.dll called from 0x4029e9
66. ExpandEnvironmentStringsA at 0x7c8227c7 in kernel32.dll called from 0x402a22
67. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
68. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
69. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
70. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
71. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
72. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
73. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x40289b
74. DeviceIoControl at 0x7c801625 in kernel32.dll called from 0x4028e2
75. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x4028e9
76. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40138d
77. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x401390
78. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4013a3
79. LoadResource at 0x7c80a065 in kernel32.dll called from 0x4013a6
80. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x4013ad
81. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x4013c0
82. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x4013c3
83. malloc at 0x77c2c407 in msvcrt.dll called from 0x4013d8
84. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
85. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
86. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
87. free at 0x77c2c21b in msvcrt.dll called from 0x401415
88. ExpandEnvironmentStringsA at 0x7c8227c7 in kernel32.dll called from 0x4033ea
89. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
90. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
91. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
92. GetFileAttributesA at 0x7c81174c in kernel32.dll called from 0x403456
93. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x4034fc
94. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x40294b
95. DeviceIoControl at 0x7c801625 in kernel32.dll called from 0x40297e
96. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x402985
97. OpenSCManagerA at 0x77deada7 in ADVAPI32.dll called from 0x402620
98. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
99. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
100. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
101. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
102. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
103. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
104. ExpandEnvironmentStringsA at 0x7c8227c7 in kernel32.dll called from 0x4044a8
105. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
106. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
107. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
108. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x404295
109. aullshr at 0x7c901ccd in ntdll.dll called from 0x40487e
110. DeviceIoControl at 0x7c801625 in kernel32.dll called from 0x404374
111. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x404391
112. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x402f16
113. sprintf at 0x7c92912e in ntdll.dll called from 0x402f2c
114. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x401534
115. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x401537
116. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40154d
117. LoadResource at 0x7c80a065 in kernel32.dll called from 0x401550
118. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x401557
119. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40156d
120. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x401570
121. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
122. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
123. LookupAccountNameA at 0x77e0d3cf in ADVAPI32.dll called from 0x40357f
124. targ42ee at 0x77b44349 in Apphelp.dll called from 0x7c901a1d
125. targ42ee at 0x77b44375 in Apphelp.dll called from 0x7c901a1d
CFG at exit
- dot file
- jpg

MD5 checksum	b9cb1ce490aff1198642b82f770676cc
Anti-virus name	W32/DropperX.EUE (exact, dropper),Trojan.Dropper-12001,Trojan.Dropper.KGen.C

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x4041d2 0x4041d2 0x4010d0 0x4010d0 0x404160 0x401100 0x401100 0x401130 0x401130 0x401160 0x401160 0x401190 0x401190 0x4011c0 0x4011c0 0x4011f0 0x4011f0 0x401220 0x401220 0x401231 0x401231 0x401250 0x401250 0x401280 0x401280 0x402ba0 0x402ba0 0x401720 0x401720 0x402bad 0x402bd3 0x402bd3 0x4029a0 0x4029a0 0x402bd8 0x402a20 0x402a20 0x402be7 0x402400 0x402400 0x401450 0x401450 0x402406 0x401740 0x401740 0x402418 0x402c03 0x4024a0 0x4024a0 0x403380 0x403380 0x4024a6 0x402ad0 0x402ad0 0x4024b1 0x402c11 0x403f00 0x403f00 0x402c26 0x402480 0x402480 0x402a50 0x402a50 0x402486 0x401650 0x401650 0x402491 0x402c34 0x403f10 0x403f10 0x403350 0x403350 0x403f16 0x402700 0x402700 0x403f28 0x402c42 0x401db0 0x401db0 0x402c50 0x402c50 0x401bb0 0x401bb0 0x402b00 0x402b00 0x401bb6 0x403f40 0x403f40 0x401bc8 0x402c5e 0x401d20 0x401d20 0x401d33 0x401d33 0x402c6c 0x402c6c 0x402a00 0x402a00 0x404050 0x404050 0x402a05 0x402c7a 0x403fe0 0x403fe0 0x401610 0x401610 0x403fe6 0x402b40 0x402b40 0x403ff8 0x402c88 0x403fc0 0x403fc0 0x401d90 0x401d90 0x403fd3 0x402c96 0x4019b0 0x4019b0 0x4019b6 0x4019b6 0x402440 0x402440 0x4019c1 0x402ca4 0x404010 0x404010 0x404015 0x404015 0x402cb2 0x401dc0 0x401dc0 0x401dd3 0x401dd3 0x402cc7 0x401950 0x401950 0x402960 0x402960 0x401956 0x401690 0x401690 0x401961 0x402cd5 0x401560 0x401560 0x401910 0x401910 0x401573 0x402ce3 0x402ce3 0x402a30 0x402a30 0x402a35 0x402a35 0x402cf8 0x401790 0x401790 0x401795 0x401795 0x402d06 0x401390 0x401390 0x4013a3 0x4013a3 0x402d14 0x401ce0 0x401ce0 0x4029e0 0x4029e0 0x401ce6 0x4014e0 0x4014e0 0x401cf8 0x402d22 0x402aa0 0x402aa0 0x4040a0 0x4040a0 0x402aac 0x402d30 0x402a80 0x402a80 0x402a93 0x402a93 0x402d3e 0x4016e0 0x4016e0 0x4016e6 0x4016e6 0x4032d0 0x4032d0 0x4016f1 0x402d53 0x401490 0x401490 0x401496 0x401496 0x4014a1 0x4014a1 0x402d61 0x4017b0 0x4017b0 0x402d6f 0x4018f0 0x4018f0 0x402d7d 0x4019f0 0x4019f0 0x402d8b 0x403200 0x403200 0x401d40 0x401d40 0x403206 0x403218 0x403218 0x402d99 0x402ab0 0x402ab0 0x402ab6 0x402ab6 0x402ac1 0x402ac1 0x402da7 0x4019d0 0x4019d0 0x4019e3 0x4019e3 0x402db5 0x4016c0 0x4016c0 0x402940 0x402940 0x4016c6 0x4014b0 0x4014b0 0x4016d8 0x402dc3 0x403ea0 0x403ea0 0x4015d0 0x4015d0 0x403ea6 0x403eb1 0x403eb1 0x402dd0 0x402900 0x402900 0x4028b0 0x4028b0 0x402905 0x402dde 0x401d00 0x401d00 0x401d05 0x401d05 0x402dec 0x4015f0 0x4015f0 0x401603 0x401603 0x402e01 0x402a60 0x402a60 0x402a65 0x402a65 0x402e16 0x402b20 0x402b20 0x402b25 0x402b25 0x402e24 0x402b80 0x402b80 0x402e32 0x403f80 0x403f80 0x404100 0x404100 0x403f93 0x402e40 0x401470 0x401470 0x401483 0x401483 0x402e4e 0x401cb0 0x401cb0 0x401cbc 0x401cbc 0x402e5c 0x402840 0x402840 0x402846 0x402846 0x402851 0x402851 0x402e6a 0x402890 0x402890 0x4028a3 0x4028a3 0x402e86 0x4028f0 0x4028f0 0x4028f5 0x4028f5 0x402e94 0x404140 0x404140 0x404145 0x404145 0x402ea2 0x4018e0 0x4018e0 0x402eb0 0x404030 0x404030 0x4029b0 0x4029b0 0x404035 0x402ebe 0x404080 0x404080 0x404086 0x404086 0x404091 0x404091 0x402ecc 0x401970 0x401970 0x401975 0x401975 0x402eda 0x403300 0x403300 0x403305 0x403305 0x402ee8 0x402420 0x402420 0x4015a0 0x4015a0 0x402426 0x402431 0x402431 0x402efd 0x401cc0 0x401cc0 0x401cc6 0x401cc6 0x403fa0 0x403fa0 0x401cd1 0x402f0b 0x403f70 0x403f70 0x402f19 0x402f19 0x401630 0x401630 0x402860 0x402860 0x401636 0x401641 0x401641 0x402f27 0x4016b0 0x4016b0 0x4016b5 0x4016b5 0x402f35 0x4013d0 0x4013d0 0x4013d6 0x4013d6 0x4013e1 0x4013e1 0x402f43 0x403ec0 0x403ec0 0x403ed3 0x403ed3 0x402f51 0x402930 0x402930 0x402f5f 0x403ee0 0x403ee0 0x4030c0 0x4030c0 0x403ee6 0x403ef8 0x403ef8 0x402f6d 0x4013f0 0x4013f0 0x401403 0x401403 0x402f89 0x403330 0x403330 0x403343 0x403343 0x402f9e 0x402fae 0x402fae 0x402fb3 0x402fb3 0x402fdf 0x402fdf 0x402920 0x402920 0x403016 0x40301f 0x40301f 0x4030e0 0x4030e0 0x403024 0x40303f 0x40303f 0x40305e 0x40305e 0x403063 0x403063 0x403068 0x403068 0x40128a 0x401294 0x401294 0x4012b0 0x4012b0 0x4012ba 0x4012ba 0x4012c4 0x4012c4 0x4012e0 0x4012e0 0x4012ea 0x4012ea 0x4012f4 0x4012f4 0x401310 0x401310 0x40131a 0x40131a 0x401324 0x401324 0x401340 0x401340 0x40134a 0x40134a 0x401354 0x401354 0x401370 0x401370 0x40137a 0x40137a 0x401384 0x401384 0x403050 0x403050 0x403055 0x403055
Windows API calls issued from malware code
1. _set_app_type at 0x77c3537c in MSVCRT.dll called from 0x4041ff
2. malloc at 0x77c2c407 in MSVCRT.dll called from 0x404160
3. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x40122b
4. initterm at 0x77c39d7a in MSVCRT.dll called from 0x401236
5. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40128e
6. initterm at 0x77c39d7a in MSVCRT.dll called from 0x401299
7. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4012be
8. initterm at 0x77c39d7a in MSVCRT.dll called from 0x4012c9
9. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4012ee
10. initterm at 0x77c39d7a in MSVCRT.dll called from 0x4012f9
11. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40131e
12. initterm at 0x77c39d7a in MSVCRT.dll called from 0x401329
13. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40134e
14. initterm at 0x77c39d7a in MSVCRT.dll called from 0x401359
15. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x40137e
16. initterm at 0x77c39d7a in MSVCRT.dll called from 0x401389
17. malloc at 0x77c2c407 in MSVCRT.dll called from 0x404160
18. rmtmp at 0x77c3f88a in MSVCRT.dll called from 0x77c39d78
CFG at exit
- dot file
- jpg

MD5 checksum	ba905b7d7abdbfa5ec104954ba7d20c1
Anti-virus name	W32/Trojan2.AJNE (exact),Trojan.DNSChanger-4489,Trojan.DNSChanger.RP

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x412666 0x412668 0x412688 0x41269c 0x4126b4 0x4126bc 0x4126cc 0x412500 0x412514 0x412519 0x412150 0x412161 0x412176 0x41218b 0x41218d 0x412198 0x41219d 0x4121a4 0x4121c1 0x412522 0x412400 0x4121d0 0x4121e0 0x412234 0x41223f 0x4120f0 0x412104 0x412113 0x412124 0x41211b 0x412128 0x412132 0x412257 0x41227f 0x41222b 0x41225c 0x412283 0x41241e 0x412432 0x412446 0x41245a 0x41246e 0x412481 0x41248a 0x41248e 0x412498 0x4124b9 0x4124c3 0x4124ca 0x4124e0 0x4124ea 0x4124f4 0x4125d8 0x4126f2 0x40b327 0x40e513 0x40e51b 0x40df73 0x40dfac 0x40dfb3 0x40de80 0x40cc17 0x40cc2d 0x40cc3a 0x40cca3 0x40de95 0x40dea2 0x40dfbe 0x40e094 0x40e0a8 0x40e0ac 0x40d087 0x40c733 0x40c78f 0x40c795 0x40c79d
Windows API calls issued from malware code
1. SleepEx at 0x7c80239c in kernel32.dll called from 0x412486
2. RtlActivateActivationContextUnsa at 0x7c9011b5 in ntdll.dll called from 0x7c8023c5
3. ZwDelayExecution at 0x7c90d850 in ntdll.dll called from 0x7c8023e7
4. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x4124b6
5. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x4124c7
6. CreateFileA at 0x7c801a24 in kernel32.dll called from 0x4124dd
7. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40e515
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40dfa6
9. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40dfad
10. OpenEventA at 0x7c812f7c in kernel32.dll called from 0x40cc27
11. InitializeSecurityDescriptor at 0x77dd778e in ADVAPI32.dll called from 0x40cc5a
12. CloseHandle at 0x7c809b77 in kernel32.dll called from 0x40de9c
13. lstrcmpiA at 0x7c80b929 in kernel32.dll called from 0x40e0a2
14. GetWindowsDirectoryA at 0x7c82293b in kernel32.dll called from 0x40c78f
15. wsprintfA at 0x77d4a2de in USER32.dll called from 0x40c7b6
CFG at exit
- dot file
- jpg

MD5 checksum bb7607627b037cf29cb89e120641e8f6

Anti-virus name Backdoor.Generic.47598

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x443c28 0x40012c 0x400130 0x40010b 0x400167 0x400162 0x400169 0x40016d 0x40016f 0x400173 0x400175 0x40017c 0x40017a 0x400180 0x400182 0x400165 0x4001c0 0x400196 0x40019b 0x4001b9 0x400185 0x431000 0x431005 0x431009 0x43100b 0x400191 0x431003 0x400194 0x4001bc 0x40019f 0x4001a8 0x4001af 0x4001b4 0x4001ba 0x4001bb 0x4001ca 0x40015f 0x4001cf 0x443ea4 0x443eb5 0x443ec2 0x443c41 0x443c41 0x443c50 0x443c50 0x443c66 0x443c66 0x443c69 0x443c69 0x443c77 0x443c77 0x443c7b 0x443c7b 0x443c83 0x443c83 0x443c87 0x443c87 0x443c8f 0x443c8f 0x443c9f 0x443c9f 0x443ca2 0x443ca2 0x443ca4 0x443ca4 0x443cad 0x443cad 0x443cc4 0x443cc4 0x443ce6 0x443ce6 0x443cff 0x443cff 0x443d03 0x443d03 0x443d26 0x443d26 0x443d3f 0x443d3f 0x443d42 0x443d42 0x443d45 0x443d45 0x443d56 0x443d56 0x443d5a 0x443d5a 0x443d68 0x443d68 0x443d6f 0x443d6f 0x443d70 0x443d70 0x443d7f 0x443d7f 0x443d98 0x443d98 0x443d99 0x443d99 0x443da7 0x443da7 0x443db7 0x443db7 0x443db8 0x443db8 0x443dc1 0x443dc1 0x443de8 0x443de8 0x443ded 0x443ded 0x443df1 0x443df1 0x443df9 0x443df9 0x443e16 0x443e16 0x443e1c 0x443e1c 0x443e21 0x443e21 0x443e25 0x443e25 0x443e32 0x443e32 0x443e36 0x443e36 0x443e3f 0x443e3f 0x443e4a 0x443e4a 0x443e4e 0x443e4e 0x443e62 0x443e62 0x443e64 0x443e64 0x443e6e 0x443e6e 0x443e73 0x443e73 0x443e89 0x443e89 0x443e8e 0x443e8e 0x443e9c 0x443e9c 0x443e9f 0x443e9f 0x443f05 0x443f05 0x443f0a 0x443f0a 0x443f25 0x443f25 0x443f2d 0x443f2d 0x443f49 0x443f49 0x443f4d 0x443f4d 0x443f52 0x443f52 0x443f57 0x443f57 0x443f5a 0x443f5a 0x443f60 0x443f60 0x443f79 0x443f79 0x443f82 0x443f82 0x443f87 0x443f87 0x443f8a 0x443f8a 0x443f99 0x443f99 0x443fa3 0x443fa3 0x443fa6 0x443fa6 0x443fae 0x443fae 0x443fc4 0x443fc4 0x443fcd 0x443fcd 0x443fdc 0x443fdc 0x443fe3 0x443fe3 0x443ff4 0x443ff4 0x443ff8 0x443ff8 0x444014 0x444014 0x444022 0x444022 0x44402e 0x44402e 0x444032 0x444032 0x444037 0x444037 0x444046 0x444046 0x44404a 0x44404a 0x44404f 0x44404f 0x444058 0x444058 0x44405e 0x44405e 0x444063 0x444063 0x444074 0x444074 0x44408c 0x44408c 0x4440bc 0x4440bc 0x4440c4 0x4440c4 0x4440c7 0x4440c7 0x4440dd 0x4440dd 0x4440e2 0x4440e2 0x4440f6 0x4440f6 0x444107 0x444107 0x44410c 0x44410c 0x444110 0x444110 0x44411b 0x44411b 0x44412f 0x44412f 0x444131 0x444131 0x444132 0x444132 0x44413a 0x44413a 0x44413e 0x44413e 0x44415e 0x44415e 0x444163 0x444163 0x44416f 0x44416f 0x444174 0x4001d9 0x4001de 0x4001e1 0x4001ea 0x4001ec 0x4001f1 0x4001f3 0x4001f8 0x4001e2 0x4001d6 0x4001fd 0x401253
- Windows API calls issued from malware code
  1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4001de
  2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4001f5
  3. _set_app_type at 0x77c3537c in msvcrt.dll called from 0x40124d
  4. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x40c760
  5. _getmainargs at 0x77c1eeeb in msvcrt.dll called from 0x40c520
  6. _p__fmode at 0x77c1f1db in msvcrt.dll called from 0x40c500
  7. _p__environ at 0x77c1f1c5 in msvcrt.dll called from 0x40c4e0
- - dot file
  - jpg

MD5 checksum	bd07c9a2939b474065e95ce88ee1779e
Anti-virus name	W32/Downloader.AL.gen!Eldorado (generic, not disinfectable),Worm.Autorun-1723,Trojan.Downloader.JKKU

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x13149ba0 0x13149ba7 0x13149bcd 0x13149c01 0x13149c09 0x13149c14 0x13149ed4 0x13149ee0 0x13149ee1 0x13149f53 0x13149f57 0x13149f5c 0x13149ee8 0x13149eef 0x13149ef1 0x13149ef8 0x13149efa 0x13149efc 0x13149f01 0x13149f05 0x13149f07 0x13149f1b 0x13149f20 0x13149f49 0x13149f48 0x13149f0a 0x13149f5f 0x13149f60 0x13149f65 0x13149f6c 0x13149f6e 0x13149f27 0x13149f5d 0x13149f34 0x13149f3b 0x13149f42 0x13149f47 0x13149f12 0x13149f19 0x13149f6f 0x13149c35 0x13149c55 0x8705a9 0x8705c9 0x8705d5 0x8705e3 0x8705e9 0x870605 0x870628 0x870297 0x8702f9 0x8702fd 0x87030f 0x870017 0x870032 0x870000 0x870011 0x870037 0x870048 0x870327 0x87033a 0x870093 0x8700ac 0x8700e8 0x87012e 0x870353 0x87037e 0x870394 0x8703ba 0x8701ad 0x8701b7 0x8700ec 0x87012b 0x8701c4 0x870112 0x870119 0x8701cd 0x870433 0x87058b 0x8700cf 0x8700d6 0x8703c9 0x8703de 0x8703e9 0x8703f5 0x8703fc 0x87040d 0x870411 0x87041a 0x870384 0x870389 0x870391 0x87039a 0x8701d1 0x8701e0 0x8701fd 0x870205 0x870221 0x87020f 0x87021d 0x870229 0x8704b0 0x870232 0x87023d 0x870241 0x870131 0x870142 0x870146 0x870154 0x87015b 0x87015c
Windows API calls issued from malware code
1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x13149bfb
2. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x870625

MD5 checksum	bf4dea16e0b31293b6883d5d44f5869d
Anti-virus name	W32/Trojan.TDA (exact),Trojan.SCKeylog-13,Trojan.Spy.SCKeyLog.L

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x406dc2 0x40a5b0 0x40a5b7 0x406dda 0x406de8 0x406e22 0x406e37 0x406e3e 0x406e4b 0x406e75 0x406e7b 0x406e83 0x406e89 0x40a413 0x406eb5 0x40a366 0x40b2b6 0x40b2c0 0x40b2d4 0x40b2d8 0x40b2f5 0x40b303 0x40b30b 0x40b314 0x40b327 0x40b348 0x40b355 0x40b369 0x406450 0x40645c 0x40646a 0x40647d 0x406495 0x4064a5 0x40b37a 0x40b3b3 0x40b3c6 0x40b3ca 0x40b3d8 0x40b3db 0x40b3e8 0x4097f2 0x4097fc 0x409813 0x409817 0x409834 0x409839 0x40983f 0x409844 0x409849 0x40984c 0x409854 0x409862 0x40986a 0x409873 0x40988b 0x4098ac 0x4098b9 0x4098ce 0x409918 0x40992d 0x409935 0x409947 0x409954 0x409987 0x40999c 0x4099e2 0x4099f6 0x4099fa 0x409a05 0x409a0b 0x409a19 0x409a1b 0x409a29 0x409a37 0x40b495 0x40b49d 0x407010 0x406fe4 0x406feb 0x406f9e 0x406fbf 0x406fc4 0x406fd3 0x406fe2 0x40700f 0x406500 0x406518 0x40651f 0x406523 0x40652a 0x406533 0x406547 0x4064dc 0x4064e5 0x4064ed 0x40653d 0x406551 0x407cd6 0x407cf5 0x407d03 0x40c597 0x40c59e 0x40c5c2 0x40c5d1 0x40c5f9 0x40c5fb 0x40512a
Windows API calls issued from malware code
1. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x406de2
2. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x406e35
3. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40a40d
4. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40b2ce
5. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40b342
6. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40b3c0
7. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40b3d2
8. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40980d
9. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x4098a6
10. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x409927
11. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x409941
12. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x4099f0
13. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x409a13
14. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x406fdc
15. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x407cfd
16. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40c5cb
CFG at thread creation event
- dot file
- jpg

MD5 checksum	c041173d2a6358878c3616bae364d7cc
Anti-virus name	W32/Trojan2.JFVG (exact),Trojan.Packed.18695

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x401000 0x401000 0x401014 0x40101f 0x401023 0x401036 0x40103c 0x401054 0x401069 0x401070 0x40108f 0x4010c6 0x4010cb 0x4010db 0x4010ea 0x4010f0 0x401128 0x40112b 0x401136 0x40113e 0x401167 0x401174 0x401014 0x40101f 0x401023 0x401036 0x40103c 0x401054 0x401069 0x401070 0x40108f 0x4010c6 0x4010cb 0x4010db 0x4010ea 0x4010f0 0x401128 0x40112b 0x401136 0x40113e 0x401167 0x401174
Windows API calls issued from malware code
1. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x401030
CFG at exit
- dot file
- jpg

MD5 checksum c0923c158327d8f52b1a42d3a47c4c7d

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x408c16 0x408c16 0x40f512 0x40f512 0x40f544 0x40f544 0x40f54f 0x40f54f 0x40f55b 0x40f55b 0x40f563 0x40f563 0x40f56b 0x40f56b 0x40f577 0x40f577 0x40f58a 0x40f58a 0x40f595 0x40f595 0x40f5a4 0x40f5a4 0x408c1b 0x408a98 0x409a38 0x408aa4 0x408ab3 0x408ab3 0x408ac7 0x408ac7 0x408ad8 0x408ad8 0x408ae6 0x408ae6 0x408aef 0x408aef 0x408b02 0x408b02 0x409c2c 0x409c2c 0x409c47 0x409c47 0x409c52 0x409c52 0x408b0b 0x408b18 0x408b18 0x40c1c1 0x40c1c1 0x40c1d1 0x40c1d1 0x40c1dc 0x40c1dc 0x40c1e6 0x40c1e6 0x40c1f4 0x40c1f4 0x40c201 0x40c201 0x40c20e 0x40c20e 0x40c21b 0x40c21b 0x40c245 0x40c245 0x40c269 0x40c269 0x40c26f 0x40c26f 0x40c27d 0x40c27d 0x40c286 0x40c286 0x40c28e 0x40c28e 0x409f46 0x409f46 0x40be23 0x40bdb1 0x40bdc5 0x40bdc5 0x40bdc9 0x40bdea 0x40bdf6 0x40bdf6 0x40be05 0x40be11 0x40be11 0x40be15 0x40be1a 0x40be1a 0x40be1d 0x40be2a 0x409f4e 0x40a203 0x40a203 0x409f56 0x40f5a8 0x40f5a8 0x409f5c 0x40b146 0x40b146 0x409f62 0x409f62 0x40fe98 0x40fe98 0x409f68 0x40fe89 0x40fe89 0x409f6e 0x409f6e 0x40fc77 0x40fc77 0x409f74 0x409f7a 0x409f7a 0x40fc66 0x40fc70 0x409f80 0x409f80 0x409f8a 0x40c293 0x40c293 0x40c29e 0x40c29e 0x40c2ae 0x40c2ae 0x40c2be 0x40c2be 0x40c2ce 0x40c2ce 0x408dc5 0x408dc5 0x408dd0 0x408dd0 0x408dda 0x408dda 0x40f5b7 0x40f5c3 0x40f5d3 0x40f5d3 0x409a7d 0x408df8 0x408df8 0x408dfe 0x408dfe 0x40c2db 0x40c2df 0x40c2df 0x40be2c 0x40be2c 0x40be40 0x40be40 0x40be44 0x40be44 0x40be65 0x40be65 0x40be71 0x40be71 0x40be80 0x40be80 0x40be8c 0x40be8c 0x40be90 0x40be90 0x40be95 0x40be95 0x40be98 0x40be98 0x40c2ef 0x40be9e 0x40be9e 0x40bea4 0x40bea4 0x40c2f2 0x40c2f2 0x40c2fc 0x40c2fc 0x40ea6a 0x40ea6a 0x4123c4 0x4123d0 0x4123d0 0x4123d9 0x412407 0x412417 0x412421 0x412475 0x412479 0x412488 0x412488 0x41248a 0x40c344 0x40c344 0x40bedb 0x40bedb 0x40bee5 0x40bee5 0x40be4e 0x40be4e 0x40be57 0x40be57 0x40be59 0x40be59 0x40bef1 0x40bef4 0x40bef4 0x40befb 0x40befb 0x40bf05 0x40bf05 0x40bf0c 0x40bf0c 0x40bf13 0x40bf13 0x408e10 0x408e20 0x408e20 0x408e26 0x408e26 0x408e39 0x408e39 0x408e44 0x408e44 0x408e4a 0x408e4a 0x408e50 0x408e50 0x408e56 0x408e56 0x408e59 0x408e59 0x408e64 0x408e64 0x40c349 0x40c349
- Windows API calls issued from malware code
  1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x40f549
  2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x40f555
  3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40f55d
  4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x40f565
  5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x40f571
  6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x408aad
  7. HeapCreate at 0x7c812929 in kernel32.dll called from 0x409c41
  8. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x40c1cb
  9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c1f2
  10. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c1ff
  11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c20c
  12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40c219
  13. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40c269
  14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40c284
  15. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40bdc3
  16. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x40bdf0
  17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40be0b
  18. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x40be18
  19. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x40f5cd
  20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40be3e
  21. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x40be6b
  22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40be86
  23. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x40be93
  24. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40be9e
  25. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x412482
  26. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40be55
  27. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40be57
  28. TlsFree at 0x7c813453 in kernel32.dll called from 0x40bef2
  29. TlsFree at 0x7c813453 in kernel32.dll called from 0x40bf06
  30. RtlDeleteCriticalSection at 0x7c91188a in ntdll.dll called from 0x408e57

MD5 checksum	c3fdaab0e19a47868ac9b80d419e83fc
Anti-virus name	Trojan.Killav-109,Generic.Malware.SPBV!PkWk.6F1199BA

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x452930 0x452952 0x452957 0x452a1c 0x452a20 0x452a2a 0x452a4a 0x452a54 0x452a63 0x452a74 0x452ab2 0x452acb 0x452bef 0x452c1a 0x452c2f 0x452be7 0x452c48 0x452c60 0x452c80 0x4533a8 0x452a9a 0x452aa4 0x452c02 0x452c0c 0x452ca8 0x452ceb 0x452d57 0x452d79 0x452d83 0x452d8f 0x452dad 0x452e01 0x452e17 0x452e3d 0x452b25 0x452b3c 0x452b7e 0x452b96 0x452bd9 0x452bb9 0x452b66 0x452b70 0x452bb7 0x452c8d 0x452c94 0x452cd5 0x452cdf 0x452e77 0x452faf 0x452fcb 0x452fe9 0x452ffb 0x45309c 0x4530d5 0x4530e2 0x45310d 0x453121 0x45314e 0x453139 0x453159 0x453360 0x453371 0x453388 0x453399 0x452d05 0x453179 0x45318a 0x4531a9 0x4531d4 0x4531e8 0x453215 0x4531bc 0x4531c6 0x453200 0x453220 0x45322f 0x453247 0x4532b9 0x4532c6 0x4532f4 0x453309 0x453343 0x453356 0x4530f5 0x4530ff 0x4532dc 0x4532e6 0x453324 0x452c9e 0x452deb 0x452df5 0x452e90 0x452ec6 0x452f03 0x452f3b 0x452f55 0x452f9b 0x452fa3 0x45302a 0x453058 0x4530a6 0x452ee0 0x452fd3 0x452fdd 0x453185 0x45306b 0x453263 0x453266 0x453288 0x45329b 0x453294 0x45329e 0x452f75 0x453042 0x45304c 0x452eb0 0x452eba 0x453270 0x45327a 0x452f25 0x452f2f 0x452be5 0x4533b9 0x4533d8 0x4533f7 0x45340f 0x453414 0x453454 0x453435 0x45345e 0x453422 0x45342b 0x45342f 0x45343b 0x453440 0x453463 0x45346f 0x453485 0x45348d 0x45349a 0x45349e 0x453486 0x453469 0x4534ab 0x4534c4 0x4534d9 0x4534df 0x4534e5
Windows API calls issued from malware code
1. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x45347f
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x453494
3. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4534c2
4. VirtualProtect at 0x7c801ad0 in kernel32.dll called from 0x4534d7
CFG at exit
- dot file
- jpg

MD5 checksum	c5a35b699940cae5e7eeb6d468004d41
Anti-virus name	W32/Heuristic-210!Eldorado (not disinfectable),Trojan.Packed-78,Trojan.Crypt.DG

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	c729d24c6c69e34dfdc4fe3d48f40501
Anti-virus name	W32/Backdoor2.CFAC (exact),Trojan.Buzus-1620,Trojan.Delf.Inject.AX

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x10009150 0x10009150 0x10009158 0x10009158 0x1000915f 0x1000915f 0x10004ed0 0x10004dd0 0x10004ed8 0x10004e84 0x10004dc8 0x10004ea0 0x10004ea0 0x10003efc 0x10001108 0x10003f1d 0x10001168 0x1000791f 0x10007925 0x10004f6c 0x10007930 0x10007930 0x10007935 0x10007948 0x100091be 0x100091be 0x10008a3c 0x10008a3c 0x1000356c 0x1000356c 0x10003570 0x10003570 0x1000357a 0x1000357a 0x10008a56 0x10008a5e 0x10008a5e 0x100034d0 0x100034d0 0x100034d4 0x100034d4 0x100034d7 0x100034d7 0x10008a79 0x10008a7f 0x10008a7f 0x10008a84 0x10008a84 0x10003588 0x10003588 0x1000358e 0x1000358e 0x10003594 0x10003594 0x10003344 0x10003344 0x10003348 0x10003348 0x1000253c 0x1000253c 0x10002540 0x10002540
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x10004dd0
2. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x10004dc8
3. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x7c80b379
4. RtlUnicodeStringToAnsiString at 0x7c9130c6 in ntdll.dll called from 0x7c80b3c1
5. memmove at 0x7c90253a in ntdll.dll called from 0x7c80b3e7
6. RtlFreeUnicodeString at 0x7c910976 in ntdll.dll called from 0x7c80b3f4
7. RegOpenKeyExA at 0x77dd761b in advapi32.dll called from 0x10001168
8. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x10004f6c
9. RtlInitString at 0x7c90125c in ntdll.dll called from 0x7c80ac46

MD5 checksum cae7b5374e57490392a0698ba751e511

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x40da30 0x43e98f 0x43e9c5 0x43e89c 0x43e8aa 0x43e8ad 0x43e91f 0x43e923 0x43e928 0x43e8b4 0x43e8bb 0x43e8bd 0x43e8c4 0x43e8c6 0x43e8cb 0x43e8d0 0x43e8d4 0x43e8d6 0x43e8d9 0x43e92b 0x43e92c 0x43e931 0x43e938 0x43e93a 0x43e8f2 0x43e929 0x43e8fd 0x43e904 0x43e909 0x43e90e 0x43e90f 0x43e910 0x43e911 0x43e915 0x43e8e9 0x43e8ee 0x43e8e2 0x43e8e7 0x43e93b 0x3609f0 0x3609f9 0x360a2e 0x360a35 0x360a43 0x360bc8 0x360bea 0x360bf8 0x360a80 0x360e82 0x360e90 0x360ea3 0x360eb4 0x360ebe 0x360fa6 0x360ed0 0x36127f 0x361297 0x36129c 0x3612a4 0x3612b8 0x360804 0x360851 0x36000d 0x360065 0x360070 0x360080 0x360097 0x3600a8 0x3600d7 0x3600ea 0x3601d2 0x3601f6 0x360205 0x36022b 0x360219 0x360233 0x360248 0x3607eb 0x3600a5 0x3600c0 0x3601df 0x360269 0x3602a2 0x3602f4 0x360316 0x36032d 0x360340 0x360382 0x3603d8 0x3604cb 0x3604e7 0x360505 0x360539 0x360565 0x360575 0x3605b9 0x3605ba 0x3605ca 0x3605e8 0x3605fb 0x360630 0x360635 0x3607bc 0x3607c7 0x3607d0 0x3607e6 0x36028b 0x3602b1 0x3602df 0x3602e6 0x360514 0x360614 0x36064e 0x360658 0x360660 0x360674 0x360692 0x3606a2 0x3606cd 0x3606b7 0x36067b 0x3606d2 0x3606e0 0x3606f3 0x360745 0x36074e 0x36076c 0x360791 0x3607aa 0x3607b2 0x360133 0x360143 0x36017d 0x36018c 0x360251 0x360260 0x360257 0x360391 0x3603ab 0x3604ee 0x36077c 0x3602d9 0x3605d1 0x3603eb 0x360424 0x360448 0x36046a 0x360481 0x3604a5 0x3604bc 0x3604c2 0x3601ab 0x3601c4 0x360166 0x3601a9 0x36065d 0x360755 0x36054e 0x36040d 0x360433 0x360702 0x360705 0x360723 0x360732 0x36072c 0x360735 0x360369 0x36059b 0x36070c 0x360490 0x3601d0 0x3607f7 0x36009c 0x36009e 0x36086c 0x360879 0x360f43 0x360f48 0x360f61 0x360f6d 0x360f82 0x360fb3 0x360a8c 0x360a9a 0x360de0 0x360dee 0x360e01 0x360e12 0x360e1d 0x360e28 0x360e75 0x360e7b 0x360aa0 0x360cfb 0x360d09 0x360d1c 0x360d2d 0x360d30 0x360d3b 0x360dcf 0x360d46 0x360d59 0x360d5d 0x360d6c 0x360d8e 0x360d72 0x360d78 0x360d85 0x360d91 0x360d9a 0x360db8 0x360c75 0x360c85 0x360c8a 0x360c91 0x360dce 0x360dd9 0x360abf 0x361110 0x361127 0x36112b 0x36112e 0x36113b 0x36113e 0x361166 0x361174 0x36119b 0x3611a8 0x361196 0x361327 0x361332 0x361342 0x3611b5 0x3611ee 0x3611f4 0x361204 0x36121b 0x361229 0x361349 0x361354 0x361367 0x361233 0x36123c 0x361212 0x361248 0x361152 0x3611ab 0x36114a 0x36114b 0x360ac9 0x360acd 0x360add 0x360b12 0x360b28 0x360b2e
- Windows API calls issued from malware code
  1. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x43e9c3
  2. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x360bc2
  3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x360be4
  4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x360a7a
  5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x36084e
  6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x360876
  7. targe82 at 0x360f43 in DEFAULT_MODULE called from 0x36087f
  8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x361199
  9. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x36133c
  10. targ1166 at 0x36119b in DEFAULT_MODULE called from 0x361346
  11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x361361
  12. targ1166 at 0x361233 in DEFAULT_MODULE called from 0x36136b
  13. targ1166 at 0x361233 in DEFAULT_MODULE called from 0x36136b
  14. targ1110 at 0x361147 in DEFAULT_MODULE called from 0x36124e
  15. targ1166 at 0x36119b in DEFAULT_MODULE called from 0x361346
  16. wsprintfA at 0x77d4a2de in user32.dll called from 0x360b22
  17. MessageBoxA at 0x77d8050b in user32.dll called from 0x360b3a
- - dot file
  - jpg

MD5 checksum	cd0fb3ee0210e7618444244370f1dba9
Anti-virus name	W32/Downldr2.ELHK (exact),Adware.Zeno-33,Trojan.Generic.752623

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x408157 0x408157 0x408183 0x408183 0x40cd8d 0x40cda4 0x40cda4 0x40cdad 0x40cc45 0x4091f0 0x4091fc 0x409210 0x40cc52 0x40cc6a 0x40cc6a 0x40cc6e 0x40cc77 0x40cc80 0x40cd8a 0x40cdb2 0x40cdc9 0x40cde6 0x4081b5 0x4081c2 0x4081c2 0x40c03c 0x40c1c1 0x40c1d0 0x40c1d8 0x40c1d8 0x40c1e0 0x40c1e0 0x40c1e8 0x40c1e8 0x40c042 0x40c048 0x40c048 0x40c052 0x40e364 0x40e399 0x40e3a2 0x40e3af 0x40e3bb 0x40e406 0x40e44c 0x40e451 0x40e460 0x40e460 0x40e463 0x40e48f 0x40e492 0x40c05b 0x40c063 0x40c070 0x40c070 0x40c074 0x40c090 0x40c07a 0x40c081 0x40c081 0x4081c7 0x4081c7 0x4081d3 0x4081d3 0x40ca5c 0x4084ec 0x4084fe 0x408505 0x40852a 0x40859a 0x4085f9 0x408603 0x408609 0x408617 0x408617 0x40850e 0x408529 0x4084fb 0x40ca6f 0x40ca7e 0x40ca94 0x40ca98 0x40cab6 0x40cac0 0x40cac0 0x40cb9c 0x40cb9e 0x40cbb0 0x40cbb8 0x40cbc7 0x40cbce 0x40cbce 0x40cbd5 0x40cbdc 0x40cbdc 0x40cbec 0x40cc01 0x40cbbd 0x40cbe0 0x40cbf2 0x40cc07 0x40cc13 0x40cc13 0x4081dd 0x4081e3 0x4081e3 0x40c92a 0x40c92a 0x40c945 0x40c945 0x40c947 0x40c947 0x40c94d 0x40c94d 0x40c981 0x40c981 0x40c991 0x40c991 0x40c998 0x40c998 0x40c99f 0x40c99f 0x40c9a6 0x40c9a6 0x40c9bf 0x40c9bf 0x40c9c5 0x40c9c5 0x40c9cb 0x40c9cb 0x40c9d4 0x40c9d4 0x40c9e1 0x40c9e1 0x40c9f3 0x40c9f3 0x40c9f7 0x40c9f7 0x40c9fe 0x40c9fe 0x40ca55 0x40ca55 0x4081ed 0x40c6dd 0x40c6ef 0x409b12 0x409b1b 0x40973a 0x40c1ea 0x40c202 0x40c20a 0x40c219 0x40c240 0x40c248 0x40c220 0x40c227 0x40c22d 0x40c22d 0x40c237 0x40c24b 0x40c25e 0x40c23e 0x40974a 0x4098e7 0x409907 0x40990c 0x409916 0x409752 0x409752 0x409768 0x409770 0x409777 0x40977b 0x409786 0x409791 0x409791 0x40979c 0x4098aa 0x4098b1 0x4098cb 0x40998d 0x4099a7 0x4099a7 0x4099b0 0x4099b7 0x4099c3 0x409a08 0x40f338 0x40f369 0x40f37d 0x40f37d 0x40f381 0x40f3a2 0x40f3a7 0x40f3d0 0x40f3d9 0x40f3e6 0x40f403 0x40f403 0x40f40a 0x40f41c 0x4083e0 0x4083ec 0x4083fa 0x408409 0x408421 0x40842d 0x40f42c 0x40f43c 0x40f444 0x40f459 0x40f459 0x40f45d 0x40f46b 0x40f46b 0x40f46f 0x409a2c 0x40e5ca 0x40e5fa 0x40e612 0x40e612 0x40e616 0x40e640 0x40e645 0x40e7ee 0x40e7fe 0x40e803 0x40e80b 0x40e816 0x40e650 0x40e655 0x40e67c 0x40e685 0x40e692 0x40e6af 0x40e6af 0x40e6bc 0x40e6cc 0x40e6ed 0x40e6f2 0x40e707 0x40e707 0x40e70b 0x40e71d 0x40e71d 0x40e726 0x40e76c 0x40e780 0x40e7a0 0x40e7a4 0x40e7b8 0x40e7b8 0x40e7bc 0x40e7c7 0x40e7cd 0x40e7dd 0x40e7dd 0x40e7e7 0x40e75a 0x409a50 0x409a78 0x409a83 0x409aa1 0x409ab6 0x409abd 0x409a8b 0x409a99 0x409aa6 0x409ac4 0x409b0f 0x4098d0 0x409761 0x4098d8 0x4098df 0x4098df 0x409b22 0x409b2d 0x40c6f4 0x40c706 0x40c706 0x40c717 0x40c719 0x40c776 0x40c7a0 0x40c7a5 0x40c7ae 0x40c7b2 0x40c7ca 0x40c7d7 0x40c7e1 0x40c7e6 0x40c82c 0x40c830 0x40c919 0x40c920 0x40c729 0x40c738 0x40c749 0x40c798 0x40c7d0 0x40c7dd 0x40c91d 0x40c75f 0x4081f7 0x40c624 0x40c624 0x40c636 0x40c636 0x40c63e 0x40c63e 0x40c644 0x40c644 0x40c649 0x40c649 0x408f50 0x408f50 0x408f70 0x408f70 0x408f88 0x408f88 0x408f8f 0x408f8f 0x408f93 0x408f93 0x408f9a 0x408f9a 0x408fa3 0x408fa3 0x40c64f 0x40c64f 0x408fb7 0x408fb7 0x408f5c 0x408f5c 0x408f63 0x408f63 0x408f6b 0x408f6b 0x408fad 0x408fad 0x40c648 0x40c648 0x408fc1 0x408fc1 0x40c656 0x40c656 0x40c663 0x40c663 0x40c678 0x40c678 0x40c682 0x40c682 0x40c683 0x40c683 0x40c689 0x40c689 0x40c6b4 0x40c6b4 0x40c692 0x40c692 0x40c698 0x40c698 0x40c6a7 0x40c6a7 0x40d060 0x40d060 0x40d0d1 0x40d0d1 0x40d0dd 0x40d0dd 0x40d0e4 0x40d0e4 0x40d0ef 0x40d0ef 0x40d0f6 0x40d0f6 0x40d0f1 0x40d0f1 0x40d110 0x40d110 0x40d114 0x40d114 0x40d118 0x40d118 0x40d132 0x40d132 0x40c6af 0x40c6af 0x40d120 0x40d120 0x40d12a 0x40d12a 0x40d148 0x40d148 0x40d13f 0x40c6ba 0x40c6ba 0x40c6bb 0x40c6bb 0x4082f2 0x4082f2 0x408320 0x408320 0x408365 0x408365 0x4083bd 0x4083bd 0x4083cc 0x4083cc 0x40c6c6 0x4081fc 0x407f5c 0x407f5c 0x407f65 0x407f65 0x40919b 0x40919b 0x4091b3 0x4091b3 0x4091a0 0x40f4d1 0x40f4dc 0x40f4dc 0x40f4e0 0x40f4e0 0x40f4ec 0x40f4ec 0x40f4f0 0x40f4f0 0x40f4f4 0x40f4f4 0x4091a5 0x4091a5 0x40f481 0x411042 0x41100d 0x411058 0x411066 0x411069 0x41106e 0x411070 0x411075 0x411077 0x41107c 0x41107e 0x411083 0x411085 0x41108a 0x41108f 0x4110c7 0x4110cc 0x4110cc 0x4110d0 0x4110d0 0x4110dc 0x4110dc 0x4110e9 0x4110e9 0x41101e 0x4110ea 0x4110f7 0x4110fa 0x4110ff 0x411101 0x411106 0x411108 0x41110d 0x41110f 0x411114 0x411116 0x41111e 0x411120 0x41114d 0x411157 0x41115f 0x411165 0x411172 0x411035 0x411055 0x411055 0x40f490 0x4091af 0x407f67 0x407f67 0x408062 0x408062 0x408067 0x408067 0x40806d 0x40806d 0x408075 0x408075 0x408073 0x408073 0x40799c 0x40799c 0x4079a6 0x4079a6 0x4079bd 0x4079bd 0x410020 0x410020
Windows API calls issued from malware code
1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x40817d
2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x40cd9e
3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x40cc64
4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c1ce
5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c1d6
6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c1de
7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c1e6
8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x40c042
9. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x40e45a
10. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x40c06a
11. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x40c07b
12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x408611
13. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x40caba
14. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x40cbc8
15. GetFileType at 0x7c811069 in kernel32.dll called from 0x40cbd6
16. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x40cc0d
17. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4081dd
18. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x40c945
19. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40c9bd
20. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40c9df
21. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x40c9f8
22. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x40c242
23. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x40c227
24. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x40c258
25. GetACP at 0x7c809943 in kernel32.dll called from 0x409916
26. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x40978b
27. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x4099a1
28. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40f377
29. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40f3fd
30. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40f453
31. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x40f465
32. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e60c
33. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e6a9
34. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x40e701
35. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e717
36. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x40e7b2
37. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x40e7d7
38. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40c700
39. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x4083c6
40. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x40f4d6
41. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x40f4e6
42. IsProcessorFeaturePresent at 0x7c80acb2 in kernel32.dll called from 0x40f4f2

MD5 checksum ce2cd5e555c7b5cf731b68c88d09984f

Anti-virus name Adware.Downloader-11

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x41079d 0x4107c9 0x411785 0x41164b 0x410808 0x4114a6 0x4114ae 0x4114b6 0x411358 0x4149db 0x411380 0x411391 0x41080d 0x410819 0x410ad9 0x414530 0x41463e 0x41464c 0x414683 0x410829 0x41439a 0x4143b5 0x4143b7 0x4143bd 0x4143f1 0x414401 0x414408 0x41440f 0x414416 0x41442f 0x414435 0x41443b 0x414444 0x414451 0x414463 0x414467 0x41446e 0x4144c5 0x4114fb 0x41152c 0x415a4f 0x415a8e 0x415ca4 0x414a61 0x414ae7 0x414b3d 0x414b4f 0x414d68 0x414e05 0x414e5d 0x414e73 0x414f0e 0x414f33 0x415bdc 0x414176 0x414094 0x4140a6 0x4140ae 0x4140b4 0x4140b9 0x40fbc0 0x40fbe0 0x40fbf8 0x40fbff 0x40fc03 0x40fc0a 0x40fc13 0x4140bf 0x40fc27 0x40fbcc 0x40fbd3 0x40fbdb 0x40fc1d 0x4140b8 0x40fc31 0x4140c6 0x4140d3 0x4140e8 0x4140f2 0x4140f3 0x4140f9 0x414124 0x414102 0x414108 0x414117 0x414c30 0x414ca1 0x414cad 0x414cb4 0x414cbf 0x414cc6 0x414cc1 0x414ce0 0x414ce4 0x414ce8 0x414d02 0x41411f 0x414cf0 0x414cfa 0x414d18 0x41412a 0x41412b 0x40fe24 0x40fe52 0x40fe97 0x40feef 0x40fefe 0x413da4 0x413daf 0x413eaa 0x413eaf 0x413eb5 0x413ebd 0x413ebb 0x4129df 0x4129ec 0x4129f9 0x4129fe 0x412a06 0x412a32 0x412a39 0x412a4f 0x412a56 0x412a76 0x412a79 0x412a72 0x412a85 0x414871 0x41487c 0x413ec2 0x413dcd 0x410854 0x41403c 0x41404a 0x414057 0x41405f 0x414063 0x4159f5 0x415a06 0x415a17 0x415a2c 0x415a2e 0x415a32 0x415a02 0x414074 0x414079 0x414086 0x414090 0x410868 0x41086b 0x410877 0x40ed70 0x40eed0 0x402a5d 0x402d48 0x402d63 0x402a00 0x40229b 0x4022a4 0x4022a9 0x4022bd 0x4022c2 0x40ee7c 0x4022c7 0x4022f8
- Windows API calls issued from malware code
  1. GetVersion at 0x7c8114ab in kernel32.dll called from 0x4107c3
  2. HeapCreate at 0x7c812929 in kernel32.dll called from 0x41177f
  3. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x411645
  4. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x41149c
  5. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4114a4
  6. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4114ac
  7. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4114b4
  8. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x411352
  9. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x4149d5
  10. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x41137a
  11. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x41138b
  12. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x410ad3
  13. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x41452a
  14. GetStdHandle at 0x7c812ca9 in kernel32.dll called from 0x414638
  15. GetFileType at 0x7c811069 in kernel32.dll called from 0x414646
  16. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x41467d
  17. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x410823
  18. GetEnvironmentStringsW at 0x7c812c78 in kernel32.dll called from 0x4143b5
  19. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x41442d
  20. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x41444f
  21. FreeEnvironmentStringsW at 0x7c81485f in kernel32.dll called from 0x414468
  22. RtlEnterCriticalSection at 0x7c901005 in ntdll.dll called from 0x411510
  23. InitializeCriticalSection at 0x7c809fa1 in kernel32.dll called from 0x4114f5
  24. RtlLeaveCriticalSection at 0x7c9010ed in ntdll.dll called from 0x411526
  25. GetACP at 0x7c809943 in kernel32.dll called from 0x415c13
  26. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x415a88
  27. GetCPInfo at 0x7c812be6 in kernel32.dll called from 0x415c9e
  28. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x414a5b
  29. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x414ae1
  30. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x414b37
  31. GetStringTypeW at 0x7c80a480 in kernel32.dll called from 0x414b49
  32. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x414d62
  33. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x414dff
  34. MultiByteToWideChar at 0x7c809cad in kernel32.dll called from 0x414e57
  35. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x414e6d
  36. LCMapStringW at 0x7c80cec4 in kernel32.dll called from 0x414f08
  37. WideCharToMultiByte at 0x7c80a0c7 in kernel32.dll called from 0x414f2d
  38. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x414170
  39. RtlFreeHeap at 0x7c91043d in ntdll.dll called from 0x40fef8
  40. SetUnhandledExceptionFilter at 0x7c810386 in kernel32.dll called from 0x414876
  41. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x41084e
  42. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x410871
  43. CoInitialize at 0x775285d3 in ole32.dll called from 0x405146
  44. InterlockedIncrement at 0x7c80977b in kernel32.dll called from 0x402d5d
  45. InterlockedDecrement at 0x7c809794 in kernel32.dll called from 0x4029fa
- CFG at exit
  - dot file
  - jpg

MD5 checksum	cef7556969c35b36189e42b41ebdee69
Anti-virus name	Trojan.Agent-64814,Virtool.14968

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x41300a 0x413008 0x413014 0x413035 0x413042 0x413055 0x413066 0x41308a 0x41309e 0x4130ad 0x4130c1 0x4130df 0x41366c 0x413a28 0x413c9c 0x413a3f 0x413a37 0x413a59 0x4137b3 0x413a6b 0x413a79 0x413a87 0x413a95 0x413680 0x413aa6 0x413b07 0x413748 0x413757 0x41375d 0x41378b 0x41378c 0x413b1f 0x413b23 0x413b31 0x413b33 0x413b3c 0x413b46 0x4137d8 0x413808 0x41381d 0x413849 0x413861 0x413879 0x4138c6 0x4138e7 0x4138fe 0x41390a 0x413911 0x413918 0x41393a 0x413945 0x413b58 0x413b67 0x413b69 0x413954 0x413992 0x4139ad 0x4139fc 0x413b70 0x413b75 0x413bea 0x413962 0x413b8a 0x413b8c 0x413b95 0x413b9c 0x413ba4 0x413bb2 0x413bb4 0x413bb9 0x413bc2 0x413bd3 0x413bd7 0x413bdf 0x413bc7 0x413bd0 0x413bf6 0x413c03 0x413c12 0x413c25 0x413c34 0x413c47 0x413c56 0x413c5f 0x413c69 0x413c6f 0x413c78 0x413b03 0x413699 0x4136a7 0x413ca4 0x413cc9 0x413cd1 0x413cd8 0x413f14 0x4139c1 0x4139c6 0x413ceb 0x413cf6 0x413da7 0x413dbc 0x413e40 0x413e46 0x413e77 0x413e9b 0x413eba 0x413ed5 0x413edb 0x413eeb 0x413efb 0x413ea0 0x4139d0 0x4139d5 0x4139dc 0x4139e1 0x413d13 0x413d1e 0x413d29 0x413d68 0x413d93 0x413d36 0x413eab 0x4139e8 0x4139ed 0x413f24 0x4136bc 0x4136ca 0x4130fe 0x413105 0x41311a 0x41312d 0x413131 0x413133 0x413138 0x41313a 0x41313e 0x413142 0x413146 0x41314b 0x41315f 0x413163 0x41316d 0x41319d 0x4130c7 0x413c71 0x413dca 0x413dcf 0x413dda 0x413e0b 0x413e39 0x413f09 0x413f10 0x4131a9 0x4131bc 0x4131ce 0x413257 0x413278 0x413290 0x41329b 0x4132a6 0x4132c2 0x4132c5 0x4132e2 0x4132ea 0x4132ee 0x413302 0x413376 0x4132b6 0x413384 0x413285 0x41329f 0x41339a 0x413008 0x413014 0x413035 0x413042 0x413055 0x413066 0x41308a 0x41309e 0x4130ad 0x4130c1 0x4130df 0x41366c 0x413a28 0x413c9c 0x413a3f 0x413a37 0x413a59 0x4137b3 0x413a6b 0x413a79 0x413a87 0x413a95 0x413680 0x413aa6 0x413b07 0x413748 0x413757 0x41375d 0x41378b 0x41378c 0x413b1f 0x413b23 0x413b31 0x413b33 0x413b3c 0x413b46 0x4137d8 0x413808 0x41381d 0x413849 0x413861 0x413879 0x4138c6 0x4138e7 0x4138fe 0x41390a 0x413911 0x413918 0x41393a 0x413945 0x413b58 0x413b67 0x413b69 0x413954 0x413992 0x4139ad 0x4139fc 0x413b70 0x413b75 0x413bea 0x413962 0x413b8a 0x413b8c 0x413b95 0x413b9c 0x413ba4 0x413bb2 0x413bb4 0x413bb9 0x413bc2 0x413bd3 0x413bd7 0x413bdf 0x413bc7 0x413bd0 0x413bf6 0x413c03 0x413c12 0x413c25 0x413c34 0x413c47 0x413c56 0x413c5f 0x413c69 0x413c6f 0x413c78 0x413b03 0x413699 0x4136a7 0x413ca4 0x413cc9 0x413cd1 0x413cd8 0x413f14 0x4139c1 0x4139c6 0x413ceb 0x413cf6 0x413da7 0x413dbc 0x413e40 0x413e46 0x413e77 0x413e9b 0x413eba 0x413ed5 0x413edb 0x413eeb 0x413efb 0x413ea0 0x4139d0 0x4139d5 0x4139dc 0x4139e1 0x413d13 0x413d1e 0x413d29 0x413d68 0x413d93 0x413d36 0x413eab 0x4139e8 0x4139ed 0x413f1e 0x413f24 0x4136bc 0x4136ca 0x4130fe 0x413105 0x41311a 0x41312d 0x413131 0x413133 0x413138 0x41313a 0x41313e 0x413142 0x413146 0x41314b 0x41315f 0x413163 0x41316d 0x41319d 0x4130c7 0x413c71 0x413dca 0x413dcf 0x413dda 0x413e0b 0x413e39 0x413f09 0x413f10 0x4131a9 0x4131bc 0x4131ce 0x413257 0x413278 0x413290 0x41329b 0x4132a6 0x4132c2 0x4132c5 0x4132e2 0x4132ea 0x4132ee 0x413302 0x413376 0x4132b6 0x413384 0x413285 0x41329f 0x41339a
Windows API calls issued from malware code
1. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x41303c
2. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x41304f
3. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x413060
4. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4130bb
5. VirtualAlloc at 0x7c809a81 in kernel32.dll called from 0x4130d9
6. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x413197
7. VirtualFree at 0x7c809b14 in kernel32.dll called from 0x4131b6
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x413295
9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x4132fc
10. LoadLibraryA at 0x7c801d77 in kernel32.dll called from 0x4132a0
11. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x413295
CFG at exit
- dot file
- jpg

MD5 checksum cf31c965d4fefaa1c9882b1ebe615230

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x4016c1 0x403f7c 0x403fae 0x403fb9 0x403fc5 0x403fcd 0x403fd5 0x403fe1 0x403ff4 0x403fff 0x40400e 0x40155e 0x401572 0x401583 0x401591 0x40159a 0x4015ad 0x403d5a 0x403d75 0x403d80 0x4015c3 0x403bcd 0x403bdd 0x403be8 0x403bf2 0x403c00 0x403c0d 0x403c1a 0x403c27 0x403c51 0x403c75 0x403c7b 0x403c89 0x403c92 0x403c9a 0x402cc1 0x403802 0x40381d 0x403826 0x40622c 0x4061bd 0x4024f4 0x402cdd 0x4061ae 0x402ce3 0x40619f 0x402ce9 0x405f8d 0x402cf5 0x403c9f 0x403caa 0x403cba 0x403cca 0x403cda 0x405b47 0x405b52 0x405b5c 0x4061e8 0x405b7a 0x405b80 0x403ceb 0x403838 0x40384c 0x403850 0x403871 0x40387d 0x40388c 0x403898 0x40389c 0x4038a1 0x4038a4 0x403cfb 0x4038aa 0x4038b0 0x403cfe 0x403d08 0x40574f 0x40867e 0x408736 0x403d50 0x4038e7 0x4038f1 0x40385a 0x403863 0x403865 0x403900 0x403907 0x403911 0x403918 0x40391f 0x405b92 0x405ba2 0x405ba8 0x405bbb 0x405bc6 0x405bcc 0x405bd2 0x405bd8 0x405bdb 0x405be6
- Windows API calls issued from malware code
  1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x403fb3
  2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x403fbf
  3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x403fc7
  4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x403fcf
  5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x403fdb
  6. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x401558
  7. HeapCreate at 0x7c812929 in kernel32.dll called from 0x403d6f
  8. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x403bd7
  9. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403bfe
  10. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c0b
  11. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c18
  12. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403c25
  13. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x403c75
  14. TlsSetValue at 0x7c809bf5 in kernel32.dll called from 0x403c90
  15. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x4037cf
  16. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x4037fc
  17. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403817
  18. RtlEncodePointer at 0x7c913917 in ntdll.dll called from 0x403824
  19. InitializeCriticalSectionAndSpin at 0x7c80b6b1 in kernel32.dll called from 0x4061e2
  20. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x40384a
  21. GetModuleHandleW at 0x7c80e63c in kernel32.dll called from 0x403877
  22. GetProcAddress at 0x7c80ac28 in kernel32.dll called from 0x403892
  23. RtlDecodePointer at 0x7c91393d in ntdll.dll called from 0x40389f
  24. TlsAlloc at 0x7c812b0f in kernel32.dll called from 0x4038aa
  25. RtlAllocateHeap at 0x7c9105d4 in ntdll.dll called from 0x408730
  26. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x403861
  27. TlsGetValue at 0x7c809750 in kernel32.dll called from 0x403863
  28. TlsFree at 0x7c813453 in kernel32.dll called from 0x4038fe
  29. TlsFree at 0x7c813453 in kernel32.dll called from 0x403912
  30. RtlDeleteCriticalSection at 0x7c91188a in ntdll.dll called from 0x405bd9
MD5 checksum cfd77902557ea6c283c1f722220b358f

Analysis results
- Executed blocks belonging to the malware, in order, no duplicates
  1. 0x4021c5 0x4021d9 0x4021df 0x4021ee 0x4021f7 0x4021fb 0x4021ff 0x402208 0x40220d 0x402211 0x40221f 0x402226 0x40225e 0x402273 0x402277 0x402286 0x4022bc 0x4022ca 0x4022d7 0x401000 0x401011 0x40101f 0x40102d 0x401035 0x401043 0x40104b 0x401056 0x40105b 0x401060 0x40106c 0x40106a 0x40106f 0x401080 0x402301 0x402315 0x402373 0x402382 0x402391 0x4023a0 0x4023af 0x4023be 0x4023d1 0x4023f3 0x402422 0x40242e 0x401ef5 0x401f10 0x401f19 0x401f54 0x401f5b 0x401f68 0x401f78 0x401f94 0x401fa0 0x4020b6 0x4020be 0x402101 0x401fda 0x401fe7 0x4010c4 0x401d3d 0x401d4b 0x401d50 0x401d70 0x401e38 0x401e47 0x401e5c 0x401e5e 0x401e73 0x401e77 0x401eca 0x401ef2 0x401d85 0x401d86 0x401d89 0x401106 0x401118 0x401130 0x401148 0x40114b 0x401153 0x4019c0 0x4019ed 0x401a0a 0x401d5e 0x401a1b 0x401a36 0x401a48 0x401a63 0x401a72 0x401a7b 0x401a81 0x401a89 0x401a98 0x401ab9 0x401ac2 0x401ac5 0x401aca 0x401ad1 0x401ae5 0x401169 0x40118a 0x4011a0 0x4011bb 0x4011cb 0x4011d1 0x4011da 0x4011e4 0x4011ea 0x4011ee 0x4011f6 0x401201 0x40120c 0x401213 0x401217 0x401227 0x401243 0x401258 0x40125b 0x401267 0x40126c 0x401277 0x40128f 0x401295 0x4012c7 0x4012d1 0x4012e4 0x4012f3 0x40130f 0x401326 0x40132b 0x40133c 0x401347 0x40134c 0x401358 0x40135c 0x402106 0x40213b 0x402144 0x40214d 0x40215c 0x402170 0x402182 0x401379 0x4013e8 0x4013f7 0x4013fa 0x401417 0x401421 0x40144f 0x401456 0x40146b 0x401471 0x401489 0x40148c 0x401498 0x4014a2 0x4014b1 0x4014cb 0x4014d9 0x40149c 0x4014ec 0x4014f6 0x4011b4 0x4011b6 0x401b08 0x401b15 0x401b36 0x401b46 0x401b6a 0x401b79 0x401c56 0x401b89 0x401be0 0x401c0c 0x401c13 0x401c29 0x401c2e 0x401c3d 0x401c41 0x401c52 0x401bed 0x401bf4 0x401b8b 0x401b9a 0x401bb5 0x401bc4 0x401bcc 0x401c5f 0x401520 0x401528 0x401529 0x402185 0x40218e 0x402198 0x4021a5 0x4021ac 0x4021b0 0x4021c3 0x401537 0x401538 0x401439 0x402121 0x40212f 0x4013b2 0x4014c0 0x401ca4 0x401cb7 0x401ce3 0x401d07 0x401539 0x401576 0x401583 0x401593 0x4015aa 0x4015ae 0x4015ba 0x4015cc 0x4015df 0x4015f9 0x40160b 0x401612 0x401649 0x401652 0x401660 0x401682 0x401695 0x4016a1 0x4016ae 0x4016ba 0x4016cf 0x4016e0 0x4016f2 0x401704 0x401715 0x40173f 0x401742 0x40175b 0x40175d 0x401761 0x401763 0x401765 0x401776 0x401793 0x401797 0x4017a1 0x4017bb 0x401d1f 0x401d27 0x402199 0x401d30 0x401d38 0x401166 0x401ffb 0x402004 0x402006 0x402032 0x402053 0x401d9a 0x401da8 0x401dee 0x4020c8 0x4020d9 0x4020db 0x4020fa 0x4020fb 0x401dfa 0x401e08 0x401e16 0x401e2f 0x402058 0x402073 0x402095 0x40209e 0x4020ad 0x4020af 0x40245a 0x402461 0x402741 0x402552 0x402ead
- Windows API calls issued from malware code
  1. SetErrorMode at 0x7c80aa97 in kernel32.dll called from 0x4021d3
  2. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x4021d9
  3. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x402220
  4. GetModuleFileNameA at 0x7c80b357 in kernel32.dll called from 0x40226d
  5. lopen at 0x7c85e610 in kernel32.dll called from 0x4022c4
  6. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40100f
  7. GlobalLock at 0x7c810119 in kernel32.dll called from 0x40101d
  8. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40102b
  9. GlobalLock at 0x7c810119 in kernel32.dll called from 0x401033
  10. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x401041
  11. GlobalLock at 0x7c810119 in kernel32.dll called from 0x401049
  12. llseek at 0x7c839450 in kernel32.dll called from 0x4022ff
  13. hread at 0x7c839418 in kernel32.dll called from 0x402313
  14. hread at 0x7c839418 in kernel32.dll called from 0x402380
  15. hread at 0x7c839418 in kernel32.dll called from 0x40238f
  16. hread at 0x7c839418 in kernel32.dll called from 0x40239e
  17. hread at 0x7c839418 in kernel32.dll called from 0x4023ad
  18. hread at 0x7c839418 in kernel32.dll called from 0x4023bc
  19. hread at 0x7c839418 in kernel32.dll called from 0x4023f1
  20. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x402420
  21. GlobalLock at 0x7c810119 in kernel32.dll called from 0x402428
  22. llseek at 0x7c839450 in kernel32.dll called from 0x401f59
  23. hread at 0x7c839418 in kernel32.dll called from 0x401f62
  24. llseek at 0x7c839450 in kernel32.dll called from 0x401f76
  25. hread at 0x7c839418 in kernel32.dll called from 0x401e71
  26. GlobalAlloc at 0x7c80ff2d in kernel32.dll called from 0x40213e
  27. GlobalLock at 0x7c810119 in kernel32.dll called from 0x402147
  28. GlobalUnlock at 0x7c810082 in kernel32.dll called from 0x40219f
  29. GlobalFree at 0x7c80fe2f in kernel32.dll called from 0x4021a6
  30. LoadIconA at 0x77d521ae in USER32.dll called from 0x402763
  31. MessageBoxA at 0x77d8050b in USER32.dll called from 0x402ebf

MD5 checksum	cfeea9a4fe098e535aa908bf47c2216b
Anti-virus name	W32/Heuristic-210!Eldorado (damaged, not disinfectable),Trojan.Downloader-49757,Dropped:Trojan.Generic.307518

Analysis results

Executed blocks belonging to the malware, in order, no duplicates
1. 0x100645c 0x100646b 0x100647c 0x1006483 0x100648e 0x100649a 0x10064a2 0x10064aa 0x10064b6 0x10064cb 0x10064d0 0x10063ef 0x10063f7 0x10063fe 0x1006402 0x1006407 0x1006419 0x100641a 0x1006420 0x100642e 0x100643a 0x100643d 0x1006449 0x100637a 0x1002e6d 0x1002e75 0x1002e8d 0x1002e95 0x1002e9c 0x1002ec0 0x100548b 0x1005497 0x10054a8 0x10055b1 0x10055d6 0x10048c9 0x10055e9 0x1006398 0x1006205 0x1006224 0x100622c 0x1004411 0x100443d 0x1004470 0x100447b 0x1006235 0x100623e 0x1004bc8 0x1004bea 0x1004c0f 0x1004c17 0x1004c43 0x1004c54 0x1004c90 0x1004c9c 0x1006247 0x100435e 0x1004372 0x1004395 0x10043af 0x10043c0 0x1003ac7 0x10043de 0x1006259 0x100636a 0x1006373 0x1003346 0x10033a6 0x1003400 0x100340a 0x1003418 0x1003427 0x10063c2 0x10063d2
Windows API calls issued from malware code
1. GetSystemTimeAsFileTime at 0x7c8017e5 in kernel32.dll called from 0x1006488
2. GetCurrentProcessId at 0x7c80994e in kernel32.dll called from 0x1006494
3. GetCurrentThreadId at 0x7c809737 in kernel32.dll called from 0x100649c
4. GetTickCount at 0x7c8092ac in kernel32.dll called from 0x10064a4
5. QueryPerformanceCounter at 0x7c80a417 in kernel32.dll called from 0x10064b0
6. GetCommandLineA at 0x7c812c8d in kernel32.dll called from 0x10063e9
7. GetStartupInfoA at 0x7c801eee in kernel32.dll called from 0x1006428
8. GetModuleHandleA at 0x7c80b529 in kernel32.dll called from 0x1006443
9. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e6b
10. SizeofResource at 0x7c80baf1 in kernel32.dll called from 0x1002e6f
11. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x1002e8b
12. LoadResource at 0x7c80a065 in kernel32.dll called from 0x1002e8f
13. SetHandleCount at 0x7c80c6cf in kernel32.dll called from 0x1002e96
14. FreeResource at 0x7c82d582 in kernel32.dll called from 0x1002eba
15. CreateEventA at 0x7c81e4bd in kernel32.dll called from 0x1005485
16. SetEvent at 0x7c809c28 in kernel32.dll called from 0x1005491
17. FindResourceA at 0x7c80c7b1 in kernel32.dll called from 0x10055ab
18. GetVersionExA at 0x7c812851 in kernel32.dll called from 0x10048c3
19. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x100440b
20. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x100446a
21. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004475
22. LocalAlloc at 0x7c8099bd in kernel32.dll called from 0x1004be4
23. lstrcmpA at 0x7c81ee79 in kernel32.dll called from 0x1004c4e
24. LocalFree at 0x7c80995d in kernel32.dll called from 0x1004c96
25. wsprintfA at 0x77d4a2de in USER32.dll called from 0x1003afb
26. ExitProcess at 0x7c81caa2 in kernel32.dll called from 0x1006450
CFG at exit
- dot file
- jpg

MD5 checksum	2b4c2f9c1920a1ff5432f4738432b10c
Anti-virus name	W32/Swizzor-based.2!Maximus

MD5 checksum	7dbb15d0f488d01411812b5979c6e70e
Anti-virus name	Trojan.Dropper-20415

MD5 checksum	a018d91d0eddb3c33053403ebe82597d
Anti-virus name	Adware.Agent-1431

MD5 checksum	a86d8acce0f150deb31a2e2e8353e444
Anti-virus name	Backdoor.Bot.39541

MD5 checksum	ab7c80b08fb806f943b8e22a7363fd4b
Anti-virus name	W32/Trojan2.IRCX (exact)

MD5 checksum	af84dac4705a7fd2dc7b62a5bc341c92
Anti-virus name	Backdoor.Bot.31363

MD5 checksum	b61b252c6dec97bfd278fb5c2485db8f
Anti-virus name	Adware.Casino-3

MD5 checksum	bb7607627b037cf29cb89e120641e8f6
Anti-virus name	Backdoor.Generic.47598

MD5 checksum	ce2cd5e555c7b5cf731b68c88d09984f
Anti-virus name	Adware.Downloader-11