Joe Sandbox - Analysis Report 29509

General Information

Analysis ID:	29509
Start time:	12:43:08
Start date:	30/03/2013
Overall analysis duration:	0h 3m 24s
Sample file name:	skype-3e99fab7f175eb8bf283b1e883c714c9.exe
Cookbook file name:	default.jbs
Analysis system description:	XP SP3 (Office 2003 SP2, Java 1.6.0, Acrobat Reader 9.3.4, Internet Explorer 8)
Number of analysed new started processes analysed:	3
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	1
SCAE enabled:	true
SCAE success:	true, ratio: 66%
Warnings:	Report size getting too big, to mutch NtQueryValueKey calls found.

Signature Overview

Spam, unwanted Advertisements and Ransom Demands:

Shows text to the screen which may be used to demand a ransom in order to use the computer			Show sources
Source: screenshot	OCR results from screenshots: paysafecard matches PaySafeCarc

Protection of GUI :

Contains functionality to create a new desktop			Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E90304 CreateDesktopW,CreateProcessW,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,

Networking:

Contains functionality to download additional files from the internet		Show sources
Source: C:\WINDOWS\system32\svchost.exe	Code function: 2_2_00091918 InternetOpenW,GetComputerNameW,GetVolumeInformationW,wsprintfW,WideCharToMultiByte,lstrcat,lstrlen,lstrcat,lstrcat,lstrcat,lstrcat,InternetOpenUrlA,InternetSetFilePointer,InternetSetFilePointer,VirtualAlloc,InternetReadFile,VirtualFree,InternetCloseHandle,InternetCloseHandle,
Downloads files		Show sources
Source: C:\WINDOWS\system32\svchost.exe	File created: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5B7NHQO2\63462[1]
Urls found in memory or binary data		Show sources
Source: p_Q8.jpg.dr	String found in binary or memory: http://ns.adobe.com/xap/1.0/
Source: ic_0_4.png.dr, p_kruidvat.jpg.dr, p_selexion.jpg.dr, p_dagbladhandel.jpg.dr, p_relay.jpg.dr, ic_1.jpg.dr, p_spar_01.jpg.dr, p_pressshop.jpg.dr, p_total.jpg.dr, header.jpg.dr, me_error.jpg.dr, p_esso.jpg.dr, p_fnac.jpg.dr, p_planet-video.jpg.dr, me_notice.jpg.dr, ic_0_1.png.dr, p_free-record-shop.jpg.dr, p_octa__01.jpg.dr, ic_0.jpg.dr, ic_0_2.png.dr, ic_0_3.png.dr, p_texaco.jpg.dr, p_Q8.jpg.dr	String found in binary or memory: http://ns.adobe.com/xap/1.0/mm/
Source: p_kruidvat.jpg.dr, p_selexion.jpg.dr, p_dagbladhandel.jpg.dr, p_relay.jpg.dr, p_spar_01.jpg.dr, p_pressshop.jpg.dr, p_total.jpg.dr, header.jpg.dr, p_esso.jpg.dr, p_fnac.jpg.dr, p_free-record-shop.jpg.dr, p_octa__01.jpg.dr, p_texaco.jpg.dr, p_Q8.jpg.dr	String found in binary or memory: http://ns.adobe.com/xap/1.0/rights/
Source: ic_0_4.png.dr, p_kruidvat.jpg.dr, p_selexion.jpg.dr, p_dagbladhandel.jpg.dr, p_relay.jpg.dr, ic_1.jpg.dr, p_spar_01.jpg.dr, p_pressshop.jpg.dr, p_total.jpg.dr, header.jpg.dr, me_error.jpg.dr, p_esso.jpg.dr, p_fnac.jpg.dr, p_planet-video.jpg.dr, me_notice.jpg.dr, ic_0_1.png.dr, p_free-record-shop.jpg.dr, p_octa__01.jpg.dr, ic_0.jpg.dr, ic_0_2.png.dr, ic_0_3.png.dr, p_texaco.jpg.dr, p_Q8.jpg.dr	String found in binary or memory: http://ns.adobe.com/xap/1.0/stype/resourceref#
Source: bitdefender.jpg.dr	String found in binary or memory: http://www.iec.ch
Source: ic_0_4.png.dr, p_kruidvat.jpg.dr, p_selexion.jpg.dr, p_dagbladhandel.jpg.dr, p_relay.jpg.dr, ic_1.jpg.dr, p_spar_01.jpg.dr, p_pressshop.jpg.dr, p_total.jpg.dr, header.jpg.dr, me_error.jpg.dr, p_esso.jpg.dr, p_fnac.jpg.dr, p_planet-video.jpg.dr, me_notice.jpg.dr, ic_0_1.png.dr, p_free-record-shop.jpg.dr, p_octa__01.jpg.dr, ic_0.jpg.dr, ic_0_2.png.dr, ic_0_3.png.dr, p_texaco.jpg.dr, p_Q8.jpg.dr	String found in binary or memory: http://www.w3.org/1999/02/22-rdf-syntax-ns#
Source: index.html.dr	String found in binary or memory: http://www.w3.org/1999/xhtml
Source: index.html.dr	String found in binary or memory: http://www.w3.org/tr/xhtml1/dtd/xhtml1-transitional.dtd
Downloads files from webservers via HTTP		Show sources
Source: unknown	HTTP traffic detected: GET /ohifejdapljvzvyxnbkyrctwgxawrgcozrppgozrfqtfnlfzop-amtw-mvjpxxnomxnnftygwp-qjxqgljukd-ej.php HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Host: gfosi.net Cache-Control: no-cache
Performs DNS lookups		Show sources
Source: unknown	DNS traffic detected: queries for: gfosi.net

Boot Survival:

Creates an autostart registry key			Show sources
Source: C:\WINDOWS\system32\svchost.exe	Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows NT\CurrentVersion\Winlogon shell

Persistence and Installation Behavior:

Drops PE files			Show sources
Source: C:\WINDOWS\system32\ctfmon.exe	File created: C:\Documents and Settings\Administrator\Application Data\skype.dat

PE File Obfuscation:

Binary may include packed or crypted data			Show sources
Source: initial sample	Static PE information: code, entropy: 6.3147040710617794

System Summary:

Creates files inside the user directory		Show sources
Source: C:\WINDOWS\system32\svchost.exe	File created: C:\Documents and Settings\Administrator\Application Data\skype.dat
Creates temporary files		Show sources
Source: C:\WINDOWS\system32\svchost.exe	File created: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\a-squared.jpg
Reads ini files		Show sources
Source: C:\WINDOWS\system32\svchost.exe	File read: C:\WINDOWS\win.ini
Spawns processes		Show sources
Source: C:\WINDOWS\explorer.exe	Process created: C:\WINDOWS\system32\svchost.exe C:\WINDOWS\system32\svchost.exe
Writes ini files		Show sources
Source: C:\WINDOWS\system32\svchost.exe	File written: C:\Documents and Settings\Administrator\Application Data\skype.ini
Contains functionality to call native functions		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E92039 NtAllocateVirtualMemory,NtQuerySystemInformation,NtFreeVirtualMemory,NtOpenProcess,NtTerminateProcess,Sleep,NtFreeVirtualMemory,NtFreeVirtualMemory,
Tries to load missing DLLs		Show sources
Source: C:\WINDOWS\system32\svchost.exe	Section loaded: msls31.dll
Source: C:\WINDOWS\system32\svchost.exe	Section loaded: xpsp2res.dll

HIPS / PFW / Operating System Protection Evasion:

Contains functionality to inject threads in other processes		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E90304 CreateDesktopW,CreateProcessW,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,
Maps a DLL or memory area into another process		Show sources
Source: C:\skype-3e99fab7f175eb8bf283b1e883c714c9.exe	Section loaded: unknown target pid: 1548 protection: execute and read and write

Anti Debugging:

Contains functionality to query system information		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E91F17 GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemInfo,
Checks if the current process is beeing debugged		Show sources
Source: C:\skype-3e99fab7f175eb8bf283b1e883c714c9.exe	Process queried: DebugPort
Contains functionality for execution timing, often used to detect debuggers		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E91918 rdtsc
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)		Show sources
Source: C:\WINDOWS\system32\svchost.exe	Code function: 2_2_000930B0 LdrLoadDll,
Creates guard pages, often used to prevent reverse engineering and debugging		Show sources
Source: C:\skype-3e99fab7f175eb8bf283b1e883c714c9.exe	Memory protected: page read and write and page guard
Found dropped PE file which has not been started or loaded		Show sources
Source: C:\WINDOWS\system32\ctfmon.exe	Dropped PE file which has not been started: C:\Documents and Settings\Administrator\Application Data\skype.dat

Virtual Machine Detection:

Contains functionality to query system information		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E91F17 GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemInfo,
Queries a list of all running processes		Show sources
Source: C:\WINDOWS\system32\svchost.exe	Process information queried: ProcessInformation
Contains functionality to detect virtual machines (SLDT)		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E95F61 sldt word ptr [eax]
Contains long sleeps (>= 3 min)		Show sources
Source: C:\WINDOWS\system32\svchost.exe	Thread delayed: delay time: -3600

Hooking and other Techniques for Stealthness:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)			Show sources
Source: C:\WINDOWS\system32\svchost.exe	Registry key monitored for changes: \REGISTRY\USER

Language and Operating System Detection:

Contains functionality to query the account / user name		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E9167F lstrlen,lstrcat,lstrcat,lstrcat,GetUserNameA,lstrlen,lstrcat,lstrcat,wsprintfA,lstrcat,lstrcat,lstrcat,lstrlen,lstrlen,lstrlen,lstrlen,
Contains functionality to query windows version		Show sources
Source: C:\WINDOWS\explorer.exe	Code function: 1_2_00E91F17 GetVersionExW,GetSystemMetrics,GetSystemMetrics,GetSystemInfo,

Startup

system is xp skype-3e99fab7f175eb8bf283b1e883c714c9.exe (PID: 1220 MD5: 3E99FAB7F175EB8BF283B1E883C714C9) explorer.exe (PID: 1548 MD5: 12896823FB95BFB3DC9B46BCAEDC9923) svchost.exe (PID: 856 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18) ctfmon.exe (PID: 1756 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3) cleanup

system is xp

skype-3e99fab7f175eb8bf283b1e883c714c9.exe (PID: 1220 MD5: 3E99FAB7F175EB8BF283B1E883C714C9)

explorer.exe (PID: 1548 MD5: 12896823FB95BFB3DC9B46BCAEDC9923)

svchost.exe (PID: 856 MD5: 27C6D03BCDB8CFEB96B716F3D8BE3E18)

ctfmon.exe (PID: 1756 MD5: 5F1D5F88303D4A4DBC8E5F97BA967CC3)

cleanup

Created / dropped Files

File Path	MD5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\a-squared.jpg	031C6D9139595F16B574A2585F717C5B
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\adaware.jpg	FE12E3A73BD00F8384A413828F64606A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\arcavir.jpg	217CA00E327F4AAEBA18D725E4636F45
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\av_noav.jpg	7403AC851CC6191367B17E1FEC3F080A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avast.jpg	19514CF8003609E59992FE8C6916D4FE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avg.jpg	D2DAB503A37DB715554647B026E37E33
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\avira.jpg	809E929008E768CE12D5849C7E602870
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\bitdefender.jpg	CAE71F25BF85F666EF24360FF0E8659B
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\clamwin.jpg	698C7D006C34B9510DB84EDFF7ADD448
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\comodo.jpg	523597EE3704BBDACE5365A85B080EDC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\drweb.jpg	D3006503E4EE7B07C249DEB413172201
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ewido.jpg	C20B9CB778068C7126BACA589EF972A9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\f-prot.jpg	9C7651B2A2CB97C9724E021ACEE7FCE6
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\f-secure.jpg	D92A499FD92CEBB848D149EC27CE9B76
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\gdata.jpg	553F0B849082D8021FD579E14CF3F747
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\header.jpg	5F16CE55BD0F946FBF0A3EF0E315A287
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0.jpg	13F4D5F474C633CEA9A8940186E78C3C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_1.png	8F76F7E513EE462734E864ABC888D788
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_2.png	8318E369940048BF3D0C3775BFF9EC40
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_3.png	7FDA501ACC6E5DDE8D2C4E932D908816
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_4.png	40DFC0EF3D38E805AFABB36692A8FDDD
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_0_5.png	45AA3ADA78AC085392744F306D7D371D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_1.jpg	03AD148FA1ABF9462B32F2FF5DD808EE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ic_5_1.jpg	D88DFF4059EAA68DAB6089268AB3EF68
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ikarus.jpg	A2AA826C393DB7BBF9E58B5AD2BAC149
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\index.html	6731D5DDB39298762F13ECA51BCF6DD1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\kaspersky.jpg	B6A053C242684D35C7AE3DF01421ECFE
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mcafee.jpg	6617FB414D24BD1888EA2C49E6F8CC1A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\me_error.jpg	004F6BCD13C93CFE2DFC110BC69115EC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\me_notice.jpg	FCF794D20B8DD4C2AED7BEB02047F5AC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\mse.jpg	D7FB2D2F6B002C911094003CD9F62E91
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nod32.jpg	066E494FAF31568DBF20C94EFA46DFD1
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\norton.jpg	7440613560E142635423A8755FEA2CE9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\nosignal.jpg	C601B36C026B7D8A4146A845E258F9B9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\onecare.jpg	04F2D07F5440C36184A982D88E279EA4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\outpost.jpg	2EC3273A7FC562B9973D639ADF388FEA
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_Q8.jpg	64BD7848F9A0341536AB27723AF18B02
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_dagbladhandel.jpg	037C6D1AF62538A54DE2E23C6DA6B8B9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_esso.jpg	846D24E00CBF2C793E28688D6578C96A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_fnac.jpg	902335BCD8771F04007AA639480E6E6A
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_free-record-shop.jpg	DE3DE05AF2469F6E17AB1507E248C484
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_kruidvat.jpg	C0A7945E0E6B86C751B9FCCF842DC66D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_octa__01.jpg	6D843DA411609451907845DFAF431438
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_planet-video.jpg	FCAAF210797AE5BE4970A5D617CD2AF5
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_pressshop.jpg	66E68A9C96CC1B1BFB0558A7E756CD55
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_relay.jpg	9DF1F7FB20BC99474B9D615436253560
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_selexion.jpg	E7350ADF4C2582ACCE75D790D7A44D0C
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_shell_01.jpg	98B085B22C0A9DE9FB4689F75F54AC7D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_spar_01.jpg	06F7FE590D8D0C7A94B63DF425EAC08D
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_texaco.jpg	C0D9C6674D573678AD3DB799FC3FB3F4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\p_total.jpg	CB65BE7F980511EAB69AB794AF07A8D9
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\panda.jpg	613829B0D4DEDD1E55EDBB5BB15410CB
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\sophos.jpg	978B7068B7DF4BF9B725DA024D9ECF10
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\style.css	82280D54B3FE1A2E4517743D5344016E
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\trendmicro.jpg	E99F068D275D9794F79EA148E707BEBC
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vba.jpg	DA588B3F18A2C2CCB3BDE63E78E302E4
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\vexira.jpg	FB610BC37978CCEC3C77E3CEBA3591AF
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\zonealarm.jpg	D99CD16A3FC790297676508D046B3377
C:\Documents and Settings\Administrator\Application Data\skype.dat	3E99FAB7F175EB8BF283B1E883C714C9
C:\Documents and Settings\Administrator\Application Data\skype.ini	DF9694591D7E4938F8E201185B60413B
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\5B7NHQO2\63462[1]	A91C59DBD1F14D057F827043BC8C1278
\ROUTER	8952A0BE900F2A37CC9502BC155B6708

Contacted Domains

Name	IP	Name Server	Active	Registrar	e-Mail
gfosi.net	80.72.37.108	d.dxmx.com b.dxmx.com e.dxmx.com c.dxmx.com a.dxmx.com	true	PDR LTD. D/B/A PUBLICDOMAINREGISTRY.COM	guy.chisholm@yahoo.com

Contacted IPs

IP	Country	Pingable	Open Ports
80.72.37.108	POLAND	true	80
195.186.1.121	SWITZERLAND	false
195.186.4.121	SWITZERLAND	false

Static File Info

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
File name:	skype-3e99fab7f175eb8bf283b1e883c714c9.exe
File size:	98304
MD5:	3e99fab7f175eb8bf283b1e883c714c9
SHA1:	c355d00ec348d3a42910ce4dd447b41b76181958
SHA256:	4a9328f9755aef14f0f6c0d85dcdd3f010fb2c58e2fd7d3495c7e81fd02572a0
SHA512:	1d0680c0f0d5d9ff009aa8228eedf36b477c0a7af8bb4f890b20f254432d46edb191812af082ab3e6602480e2d699833778531cdf1693b029e25810e6e3baada

Static PE Info

General
Entrypoint:	0x402e01
Entrypoint Section:	.text
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	32BIT_MACHINE, EXECUTABLE_IMAGE, RELOCS_STRIPPED
DLL Characteristics:
Time Stamp:	0x4B18261D [Thu Dec 3 20:57:01 2009 UTC]
TLS Callbacks:

Resources

Name	RVA	Size	Type	Language	Country
RT_ICON	0x54d3f2	0x6500f8	data
RT_GROUP_ICON	0x54f690	0x14	MS Windows icon resource - 1 icon
RT_VERSION	0x54f6a4	0x3e0	data	Russian	Russia

Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy
.text	0x1000	0x3980a	0xf000	4.97067309698
.rdata	0x3b000	0xc85c	0x3000	0.0
.data	0x48000	0x504cbc	0x2000	3.68951531059
.rsrc	0x54d000	0x2a88	0x3000	1.14665480338

Version Infos

Description	Data
LegalCopyright	Copyright .
InternalName	Soft
FileVersion	14.0.0.715
CompanyName	Software
LegalTrademarks	Soft
Comments
ProductName
ProductVersion	14.0.0.715
FileDescription	Software
OriginalFilename	Software.exe
Translation	0x0409 0x04b0

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia

Network Behavior

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2013 12:45:32.344860077 CET	60401	53	192.168.0.10	195.186.1.121
Mar 30, 2013 12:45:33.343373060 CET	60401	53	192.168.0.10	195.186.4.121
Mar 30, 2013 12:45:34.333019972 CET	53	60401	195.186.4.121	192.168.0.10
Mar 30, 2013 12:45:34.434057951 CET	53	60401	195.186.1.121	192.168.0.10
Mar 30, 2013 12:45:34.482373953 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:34.482415915 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:34.482762098 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:34.509351969 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:34.509416103 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.062237024 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.206619978 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.207092047 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.207112074 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.227907896 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.228705883 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.228722095 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.232108116 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.232891083 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.232924938 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.326292992 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.331640005 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.331651926 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.336519003 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.351562023 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.405520916 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.406052113 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.406074047 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.406904936 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.420597076 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.420836926 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.421345949 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.421395063 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.421747923 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.431209087 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.431221008 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.431996107 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.500309944 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.505547047 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.505558968 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.510863066 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.524666071 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.524674892 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.525486946 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.549489021 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.549725056 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.549989939 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.550008059 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.550898075 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.558027029 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.558727980 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.558758974 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.559307098 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.565576077 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.565946102 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.566911936 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.566930056 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.569746971 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.574939966 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.574954987 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.575658083 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.619829893 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.620549917 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.620564938 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.621200085 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.639465094 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.668884039 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.669277906 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.670609951 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.674181938 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.674211979 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.674257040 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.674681902 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.675179958 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.675925970 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.679500103 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.679531097 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.679999113 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.712486029 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.735224009 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.739358902 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.739808083 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.739847898 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.739865065 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.741535902 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.741570950 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.760883093 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.761701107 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.761759996 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.762353897 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.764723063 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.765088081 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.765662909 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.765674114 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.765688896 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.766226053 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.766472101 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.786163092 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.786175013 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.786895037 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.813549995 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.814059019 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.814081907 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.814927101 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.846503973 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.850408077 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.855798006 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.855817080 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.861104012 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.872262955 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.872276068 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.877595901 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.918711901 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.919387102 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.919401884 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.919708967 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.922699928 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.922976971 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.923333883 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.923374891 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.923599005 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.923878908 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.935956001 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.936165094 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.936532021 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.936634064 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.936657906 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.936966896 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.937364101 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.937460899 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.937546968 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.944416046 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.946793079 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.961937904 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.961946964 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.962667942 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.995109081 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.995805025 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:41.995824099 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:41.999102116 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.089137077 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.092706919 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.093439102 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.093462944 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.094039917 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.096477985 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.096489906 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.096770048 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.097172022 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.097240925 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.097351074 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.097369909 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.097630978 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.097897053 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.098184109 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.102103949 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.102154970 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.118537903 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.118777037 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.118968964 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.119174004 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.119193077 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.119467974 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.119879007 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.119955063 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.235388994 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.236073017 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.236105919 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.236588001 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.264311075 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.266021967 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.271430969 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.271449089 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.272315025 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.272556067 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.272950888 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.276607990 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.276648998 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.276664019 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.277858019 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.277869940 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.278338909 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.278353930 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.281794071 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.281812906 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.284480095 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.290878057 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.290889025 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.291117907 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.291548967 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.291831970 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.291845083 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.292231083 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.329494953 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.355081081 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.355786085 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.355837107 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.356223106 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.440366983 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.442203045 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.443017960 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.443032026 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.443254948 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.446078062 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.446341038 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.446625948 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.446966887 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.447062969 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.447082996 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.447240114 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.447525024 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.447599888 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.447922945 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.447999954 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.448823929 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.448834896 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.451019049 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.461363077 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.466481924 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.466828108 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.467562914 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.467578888 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.467926025 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.602170944 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.747694016 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.748316050 CET	1031	80	192.168.0.10	80.72.37.108
Mar 30, 2013 12:45:42.748383999 CET	80	1031	80.72.37.108	192.168.0.10
Mar 30, 2013 12:45:42.923095942 CET	1031	80	192.168.0.10	80.72.37.108

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Mar 30, 2013 12:45:32.344860077 CET	60401	53	192.168.0.10	195.186.1.121
Mar 30, 2013 12:45:33.343373060 CET	60401	53	192.168.0.10	195.186.4.121
Mar 30, 2013 12:45:34.333019972 CET	53	60401	195.186.4.121	192.168.0.10
Mar 30, 2013 12:45:34.434057951 CET	53	60401	195.186.1.121	192.168.0.10

ICMP Packets

Timestamp	Source IP	Dest IP	Checksum	Code	Type
Mar 30, 2013 12:45:34.434437990 CET	192.168.0.10	195.186.1.121	8327	(Port unreachable)	Destination Unreachable

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Mar 30, 2013 12:45:32.344860077 CET	192.168.0.10	195.186.1.121	0x43b0	Standard query (0)	gfosi.net	A (IP address)	IN (0x0001)
Mar 30, 2013 12:45:33.343373060 CET	192.168.0.10	195.186.4.121	0x43b0	Standard query (0)	gfosi.net	A (IP address)	IN (0x0001)

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Replay Code	Name	CName	Address	Type	Class
Mar 30, 2013 12:45:34.333019972 CET	195.186.4.121	192.168.0.10	0x43b0	No error (0)	gfosi.net		80.72.37.108	A (IP address)	IN (0x0001)
Mar 30, 2013 12:45:34.434057951 CET	195.186.1.121	192.168.0.10	0x43b0	No error (0)	gfosi.net		80.72.37.108	A (IP address)	IN (0x0001)

HTTP Request Dependency Graph

gfosi.net

HTTP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP	Header	Total Bytes Transfered (KB)
Mar 30, 2013 12:45:34.509351969 CET	1031	80	192.168.0.10	80.72.37.108	GET /ohifejdapljvzvyxnbkyrctwgxawrgcozrppgozrfqtfnlfzop-amtw-mvjpxxnomxnnftygwp-qjxqgljukd-ej.php HTTP/1.1 User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0) Host: gfosi.net Cache-Control: no-cache	0
Mar 30, 2013 12:45:41.062237024 CET	80	1031	80.72.37.108	192.168.0.10	HTTP/1.1 200 OK Server: nginx/0.7.67 Date: Sat, 30 Mar 2013 11:45:40 GMT Content-Type: application/octet-stream Connection: keep-alive X-Powered-By: PHP/5.3.3-7+squeeze14 Cache-Control: public Content-Disposition: attachment; filename=63462 Content-Transfer-Encoding: binary Content-Length: 223610	1

Code Manipulation Behavior

System Behavior

Analysis Process: skype-3e99fab7f175eb8bf283b1e883c714c9.exe PID: 1220 Parent PID: 1872

General

Start time:	09:49:57
Start date:	24/01/2012
Path:	C:\skype-3e99fab7f175eb8bf283b1e883c714c9.exe
Wow64 process (32bit):	false
Commandline:	unknown
Imagebase:	0x400000
File size:	98304 bytes
MD5 hash:	3E99FAB7F175EB8BF283B1E883C714C9

Chronological Activities

Analysis Process: explorer.exe PID: 1548 Parent PID: 1220

General

Start time:	09:50:06
Start date:	24/01/2012
Path:	C:\WINDOWS\explorer.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\Explorer.EXE
Imagebase:	0x1000000
File size:	1033728 bytes
MD5 hash:	12896823FB95BFB3DC9B46BCAEDC9923

Chronological Activities

Analysis Process: svchost.exe PID: 856 Parent PID: 1548

General

Start time:	09:50:14
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\svchost.exe
Wow64 process (32bit):	false
Commandline:	C:\WINDOWS\system32\svchost.exe
Imagebase:	0x1000000
File size:	14336 bytes
MD5 hash:	27C6D03BCDB8CFEB96B716F3D8BE3E18

Chronological Activities

Analysis Process: ctfmon.exe PID: 1756 Parent PID: 856

General

Start time:	09:51:44
Start date:	24/01/2012
Path:	C:\WINDOWS\system32\ctfmon.exe
Wow64 process (32bit):	false
Commandline:	ctfmon.exe
Imagebase:	0x400000
File size:	15360 bytes
MD5 hash:	5F1D5F88303D4A4DBC8E5F97BA967CC3

Chronological Activities

Disassembly

Code Analysis

< >

Analysis Process: skype-3e99fab7f175eb8bf283b1e883c714c9.exe PID: 1220 Parent PID: 1872

Executed Functions

Non-executed Functions

Analysis Process: explorer.exe PID: 1548 Parent PID: 1220

Executed Functions

Function 00E90304, Relevance: 15.9, APIs: 8, Strings: 8, Instructions: 120

APIs

CreateDesktopW.USER32 ref: 00E903C0
CreateProcessW.KERNEL32 ref: 00E903F4
VirtualAllocEx.KERNEL32 ref: 00E90411
WriteProcessMemory.KERNEL32 ref: 00E90429
CreateRemoteThread.KERNEL32 ref: 00E90441
CloseHandle.KERNEL32 ref: 00E90448
CloseHandle.KERNEL32 ref: 00E9045C
CloseHandle.KERNEL32 ref: 00E90465

Strings

D, xrefs: 00E903CD

Non-executed Functions

Function 00E9167F, Relevance: 28.4, APIs: 16, Instructions: 229

APIs

Part of subcall function 00E91F17: GetVersionExW.KERNEL32(?), ref: 00E91F34
Part of subcall function 00E91F17: GetSystemMetrics.USER32(00000059), ref: 00E91FB2
Part of subcall function 00E91F17: GetSystemMetrics.USER32(00000059), ref: 00E91FD0
Part of subcall function 00E91F17: GetSystemInfo.KERNEL32(?), ref: 00E91FE9

lstrlen.KERNEL32(?), ref: 00E9171F
lstrcat.KERNEL32(?,?), ref: 00E9172A
lstrcat.KERNEL32(?,?), ref: 00E91732
lstrcat.KERNEL32(?,?), ref: 00E9173D
GetUserNameA.ADVAPI32(?), ref: 00E9174E
lstrlen.KERNEL32(?), ref: 00E91755
lstrcat.KERNEL32(?,?), ref: 00E9175D
lstrcat.KERNEL32(?,?), ref: 00E91768
wsprintfA.USER32(?,?,?,?,?,?,?,00000400,?,?,?,?,?,?,?), ref: 00E917EC
lstrcat.KERNEL32(?,?), ref: 00E91800
lstrcat.KERNEL32(?,?), ref: 00E9180B
lstrcat.KERNEL32(?,00E93768), ref: 00E91819
lstrlen.KERNEL32(?), ref: 00E91820
lstrlen.KERNEL32(?), ref: 00E91872
lstrlen.KERNEL32(?), ref: 00E9188C
lstrlen.KERNEL32(?), ref: 00E918C5

Function 00E91918, Relevance: 22.1, APIs: 12, Instructions: 390

APIs

GetComputerNameW.KERNEL32(?), ref: 00E9199E
GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00E91A00

Part of subcall function 00E91F17: GetVersionExW.KERNEL32(?), ref: 00E91F34
Part of subcall function 00E91F17: GetSystemMetrics.USER32(00000059), ref: 00E91FB2
Part of subcall function 00E91F17: GetSystemMetrics.USER32(00000059), ref: 00E91FD0
Part of subcall function 00E91F17: GetSystemInfo.KERNEL32(?), ref: 00E91FE9

wsprintfW.USER32 ref: 00E91AD2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00E91AF7
lstrcat.KERNEL32(?,?), ref: 00E91B17
lstrlen.KERNEL32 ref: 00E91B1E
lstrcat.KERNEL32(?,?), ref: 00E91C6D
lstrcat.KERNEL32(?,?), ref: 00E91CCD
lstrcat.KERNEL32(?,?), ref: 00E91CE1
lstrcat.KERNEL32(?,?), ref: 00E91D41
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00E91DB6
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00E91E1F

Function 00E92039, Relevance: 15.9, APIs: 8, Strings: 8, Instructions: 111

APIs

NtAllocateVirtualMemory.NTDLL(000000FF), ref: 00E9208B
NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 00E920A6
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00E920C6
NtOpenProcess.NTDLL(?,00000001,?,?), ref: 00E92144
NtTerminateProcess.NTDLL(?,00000000,?,?), ref: 00E92156
Sleep.KERNEL32(0000000A), ref: 00E92160
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00E9217F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 00E921AD

Strings

@, xrefs: 00E92123

Function 00E91F17, Relevance: 7.4, APIs: 4, Instructions: 72

APIs

GetVersionExW.KERNEL32(?), ref: 00E91F34
GetSystemMetrics.USER32(00000059), ref: 00E91FB2
GetSystemMetrics.USER32(00000059), ref: 00E91FD0
GetSystemInfo.KERNEL32(?), ref: 00E91FE9

Function 00E91210, Relevance: 33.6, APIs: 17, Strings: 17, Instructions: 347

APIs

ExitProcess.KERNEL32(00000000,?,?,00000100), ref: 00E91672

Part of subcall function 00E91918: GetComputerNameW.KERNEL32(?), ref: 00E9199E
Part of subcall function 00E91918: GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00E91A00
Part of subcall function 00E91918: wsprintfW.USER32 ref: 00E91AD2
Part of subcall function 00E91918: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00E91AF7
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91B17
Part of subcall function 00E91918: lstrlen.KERNEL32 ref: 00E91B1E
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91C6D
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91CCD
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91CE1
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91D41
Part of subcall function 00E91918: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00E91DB6
Part of subcall function 00E91918: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00E91E1F

VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E912D9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E9137C
Sleep.KERNEL32(00000064), ref: 00E913A2
GetTempPathA.KERNEL32(00000100,?), ref: 00E913EE
lstrcpy.KERNEL32(?,?), ref: 00E91491
lstrcat.KERNEL32(?,?), ref: 00E9149F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 00E914BB
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00E91514

Part of subcall function 00E9167F: lstrlen.KERNEL32(?), ref: 00E9171F
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,?), ref: 00E9172A
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,?), ref: 00E91732
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,?), ref: 00E9173D
Part of subcall function 00E9167F: GetUserNameA.ADVAPI32(?), ref: 00E9174E
Part of subcall function 00E9167F: lstrlen.KERNEL32(?), ref: 00E91755
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,?), ref: 00E9175D
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,?), ref: 00E91768
Part of subcall function 00E9167F: wsprintfA.USER32(?,?,?,?,?,?,?,00000400,?,?,?,?,?,?,?), ref: 00E917EC
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,?), ref: 00E91800
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,?), ref: 00E9180B
Part of subcall function 00E9167F: lstrcat.KERNEL32(?,00E93768), ref: 00E91819
Part of subcall function 00E9167F: lstrlen.KERNEL32(?), ref: 00E91820
Part of subcall function 00E9167F: lstrlen.KERNEL32(?), ref: 00E91872
Part of subcall function 00E9167F: lstrlen.KERNEL32(?), ref: 00E9188C
Part of subcall function 00E9167F: lstrlen.KERNEL32(?), ref: 00E918C5

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 00E9156E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E91583
CloseHandle.KERNEL32(?), ref: 00E91591
lstrcpy.KERNEL32(?,?), ref: 00E915D0
lstrcat.KERNEL32(?,?), ref: 00E915DE
lstrcat.KERNEL32(?,?), ref: 00E9160E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E9164E
Sleep.KERNEL32(0000003C), ref: 00E91660

Part of subcall function 00E9294C: Sleep.KERNEL32(00000BB8), ref: 00E92967
Part of subcall function 00E9294C: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00E929A5
Part of subcall function 00E9294C: SwitchDesktop.USER32 ref: 00E929AE
Part of subcall function 00E9294C: CloseDesktop.USER32 ref: 00E929B5
Part of subcall function 00E9294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 00E929EE
Part of subcall function 00E9294C: RegDeleteValueA.ADVAPI32(?,?), ref: 00E92A27
Part of subcall function 00E9294C: RegFlushKey.ADVAPI32(?), ref: 00E92A34
Part of subcall function 00E9294C: RegCloseKey.ADVAPI32(?), ref: 00E92A3D
Part of subcall function 00E9294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00E92A7A
Part of subcall function 00E9294C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00E92AC6
Part of subcall function 00E9294C: RegCloseKey.ADVAPI32(?), ref: 00E92AD3
Part of subcall function 00E9294C: lstrcat.KERNEL32(?,?), ref: 00E92B00
Part of subcall function 00E9294C: DeleteFileA.KERNEL32(?), ref: 00E92B07
Part of subcall function 00E9294C: DeleteFileA.KERNEL32(?), ref: 00E92B1E

Strings

SELF, xrefs: 00E912B4
SELF, xrefs: 00E9135B

Function 00E9294C, Relevance: 30.8, APIs: 14, Strings: 14, Instructions: 150

APIs

Sleep.KERNEL32(00000BB8), ref: 00E92967
OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00E929A5
SwitchDesktop.USER32 ref: 00E929AE
CloseDesktop.USER32 ref: 00E929B5
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 00E929EE
RegDeleteValueA.ADVAPI32(?,?), ref: 00E92A27
RegFlushKey.ADVAPI32(?), ref: 00E92A34
RegCloseKey.ADVAPI32(?), ref: 00E92A3D
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00E92A7A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00E92AC6
RegCloseKey.ADVAPI32(?), ref: 00E92AD3
lstrcat.KERNEL32(?,?), ref: 00E92B00
DeleteFileA.KERNEL32(?), ref: 00E92B07
DeleteFileA.KERNEL32(?), ref: 00E92B1E

Strings

.ini, xrefs: 00E92B16

Function 00E90EAF, Relevance: 28.3, APIs: 15, Strings: 15, Instructions: 251

APIs

DefWindowProcW.USER32(?,00000312,?,?), ref: 00E90F27
GetClientRect.USER32(?,?), ref: 00E90F7C
SetForegroundWindow.USER32(?), ref: 00E91021
CreateThread.KERNEL32(00000000,00000000,00E92028,00000000), ref: 00E91038
CreateThread.KERNEL32(00000000,00000000,00E921BC,00000000), ref: 00E9104F
CreateThread.KERNEL32(00000000,00000000,00E92B8F,0000020A), ref: 00E91069
GetTempPathW.KERNEL32(00000100,?), ref: 00E9108B
GetFileAttributesW.KERNEL32(?), ref: 00E910BF
SendMessageA.USER32(?,0000040A,00000000,00000000), ref: 00E9112E
SendMessageA.USER32(?,00000435,00000001,00000000), ref: 00E91144
SendMessageA.USER32(?,00000434,00000064,00000000), ref: 00E9115A
SendMessageA.USER32(?,00000432,00000001,00000000), ref: 00E91170
SendMessageA.USER32(?,00000419,00000000,?), ref: 00E91192
SendMessageA.USER32(?,0000040B,?,00000000), ref: 00E911CD
CreateThread.KERNEL32(00000000,00000000,00E911FF,00000000), ref: 00E911E4

Strings

D$ , xrefs: 00E9109F

Function 00E921CD, Relevance: 22.7, APIs: 15, Instructions: 161

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00E92230
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00E92280
RegCloseKey.ADVAPI32(?), ref: 00E92291
lstrcat.KERNEL32(?,?), ref: 00E922C2
CreateFileA.KERNEL32(?,40000000,00000007,00000000,00000002,00000000,00000000), ref: 00E922D8
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 00E922EC
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00E922FE
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00E92311
CloseHandle.KERNEL32 ref: 00E92319
Sleep.KERNEL32(00000FA0), ref: 00E9233A
CreateFileA.KERNEL32(?,40000000,00000007,00000000,00000002,00000000,00000000), ref: 00E92369
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 00E9237D
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00E92393
CloseHandle.KERNEL32 ref: 00E9239A

Part of subcall function 00E9294C: Sleep.KERNEL32(00000BB8), ref: 00E92967
Part of subcall function 00E9294C: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00E929A5
Part of subcall function 00E9294C: SwitchDesktop.USER32 ref: 00E929AE
Part of subcall function 00E9294C: CloseDesktop.USER32 ref: 00E929B5
Part of subcall function 00E9294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 00E929EE
Part of subcall function 00E9294C: RegDeleteValueA.ADVAPI32(?,?), ref: 00E92A27
Part of subcall function 00E9294C: RegFlushKey.ADVAPI32(?), ref: 00E92A34
Part of subcall function 00E9294C: RegCloseKey.ADVAPI32(?), ref: 00E92A3D
Part of subcall function 00E9294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00E92A7A
Part of subcall function 00E9294C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00E92AC6
Part of subcall function 00E9294C: RegCloseKey.ADVAPI32(?), ref: 00E92AD3
Part of subcall function 00E9294C: lstrcat.KERNEL32(?,?), ref: 00E92B00
Part of subcall function 00E9294C: DeleteFileA.KERNEL32(?), ref: 00E92B07
Part of subcall function 00E9294C: DeleteFileA.KERNEL32(?), ref: 00E92B1E

ExitProcess.KERNEL32(00000000), ref: 00E923A9

Function 00E925A1, Relevance: 12.2, APIs: 8, Instructions: 181

APIs

lstrcpy.KERNEL32(?,?), ref: 00E925C1
wsprintfA.USER32(?,?,?,?,?,?,?,?,00000100,?,?,?,?,?,?,?), ref: 00E92732
lstrcpyW.KERNEL32(?), ref: 00E9276D

Part of subcall function 00E91918: GetComputerNameW.KERNEL32(?), ref: 00E9199E
Part of subcall function 00E91918: GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00E91A00
Part of subcall function 00E91918: wsprintfW.USER32 ref: 00E91AD2
Part of subcall function 00E91918: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00E91AF7
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91B17
Part of subcall function 00E91918: lstrlen.KERNEL32 ref: 00E91B1E
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91C6D
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91CCD
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91CE1
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91D41
Part of subcall function 00E91918: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00E91DB6
Part of subcall function 00E91918: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00E91E1F

CreateThread.KERNEL32(00000000,00000000,00E9283D,?), ref: 00E927DF
Sleep.KERNEL32(00000064), ref: 00E927E7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E92801
Sleep.KERNEL32(0000EA60), ref: 00E9280C
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E92830

Function 00E9284E, Relevance: 6.1, APIs: 4, Instructions: 72

APIs

lstrcpyW.KERNEL32(?,?), ref: 00E9286E

Part of subcall function 00E91918: GetComputerNameW.KERNEL32(?), ref: 00E9199E
Part of subcall function 00E91918: GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00E91A00
Part of subcall function 00E91918: wsprintfW.USER32 ref: 00E91AD2
Part of subcall function 00E91918: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00E91AF7
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91B17
Part of subcall function 00E91918: lstrlen.KERNEL32 ref: 00E91B1E
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91C6D
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91CCD
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91CE1
Part of subcall function 00E91918: lstrcat.KERNEL32(?,?), ref: 00E91D41
Part of subcall function 00E91918: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00E91DB6
Part of subcall function 00E91918: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00E91E1F

Sleep.KERNEL32(0000EA60), ref: 00E92925
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00E9291A

Part of subcall function 00E9294C: Sleep.KERNEL32(00000BB8), ref: 00E92967
Part of subcall function 00E9294C: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00E929A5
Part of subcall function 00E9294C: SwitchDesktop.USER32 ref: 00E929AE
Part of subcall function 00E9294C: CloseDesktop.USER32 ref: 00E929B5
Part of subcall function 00E9294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 00E929EE
Part of subcall function 00E9294C: RegDeleteValueA.ADVAPI32(?,?), ref: 00E92A27
Part of subcall function 00E9294C: RegFlushKey.ADVAPI32(?), ref: 00E92A34
Part of subcall function 00E9294C: RegCloseKey.ADVAPI32(?), ref: 00E92A3D
Part of subcall function 00E9294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00E92A7A
Part of subcall function 00E9294C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00E92AC6
Part of subcall function 00E9294C: RegCloseKey.ADVAPI32(?), ref: 00E92AD3
Part of subcall function 00E9294C: lstrcat.KERNEL32(?,?), ref: 00E92B00
Part of subcall function 00E9294C: DeleteFileA.KERNEL32(?), ref: 00E92B07
Part of subcall function 00E9294C: DeleteFileA.KERNEL32(?), ref: 00E92B1E

ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,00000100,?,-00000008,?,?,?,?,00000002,00000000), ref: 00E92937

Function 00E92BA0, Relevance: 6.0, APIs: 4, Instructions: 35

APIs

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00E92BE0
SwitchDesktop.USER32 ref: 00E92BE8
CloseDesktop.USER32 ref: 00E92BF0
Sleep.KERNEL32(00000064), ref: 00E92BF8

Function 00E904DA, Relevance: 5.3, Strings: 0, Instructions: 344

Strings

@, xrefs: 00E90563
@, xrefs: 00E905B2
@, xrefs: 00E90646
@, xrefs: 00E90737

Function 00E933A3, Relevance: 5.2, Instructions: 37

Analysis Process: svchost.exe PID: 856 Parent PID: 1548

Executed Functions

Function 00091918, Relevance: 34.3, APIs: 19, Instructions: 390

APIs

InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00091976
GetComputerNameW.KERNEL32(?), ref: 0009199E
GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00091A00

Part of subcall function 00091F17: GetVersionExW.KERNEL32(?), ref: 00091F34
Part of subcall function 00091F17: GetSystemMetrics.USER32(00000059), ref: 00091FB2
Part of subcall function 00091F17: GetSystemMetrics.USER32(00000059), ref: 00091FD0
Part of subcall function 00091F17: GetSystemInfo.KERNEL32(?), ref: 00091FE9

wsprintfW.USER32 ref: 00091AD2
WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00091AF7
lstrcat.KERNEL32(?,?), ref: 00091B17
lstrlen.KERNEL32 ref: 00091B1E
lstrcat.KERNEL32(?,?), ref: 00091C6D
lstrcat.KERNEL32(?,?), ref: 00091CCD
lstrcat.KERNEL32(?,?), ref: 00091CE1
lstrcat.KERNEL32(?,?), ref: 00091D41
InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 00091D5F
InternetSetFilePointer.WININET(?,00000000,00000000,00000002,00000000), ref: 00091D81
InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00091DA1
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00091DB6
InternetReadFile.WININET(?,?,?,?), ref: 00091DDF
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00091E1F
InternetCloseHandle.WININET(00000000), ref: 00091E34
InternetCloseHandle.WININET(00000000), ref: 00091E49

Function 000930B0, Relevance: 2.2, APIs: 1, Instructions: 92

APIs

LdrLoadDll.NTDLL ref: 00093148

Function 00090EAF, Relevance: 35.3, APIs: 17, Strings: 17, Instructions: 251

APIs

DefWindowProcW.USER32(?,00000312,?,?), ref: 00090F27
CoInitialize.OLE32(00000000), ref: 00090F34
CoCreateInstance.OLE32(00093570,00000000,00000001,00093590,000936B4), ref: 00090F53
GetClientRect.USER32(?,?), ref: 00090F7C
SetForegroundWindow.USER32(?), ref: 00091021
CreateThread.KERNEL32(00000000,00000000,00092028,00000000), ref: 00091038
CreateThread.KERNEL32(00000000,00000000,000921BC,00000000), ref: 0009104F
CreateThread.KERNEL32(00000000,00000000,00092B8F,0000020A), ref: 00091069
GetTempPathW.KERNEL32(00000100,?), ref: 0009108B
GetFileAttributesW.KERNEL32(?), ref: 000910BF
SendMessageA.USER32(?,0000040A,00000000,00000000), ref: 0009112E
SendMessageA.USER32(?,00000435,00000001,00000000), ref: 00091144
SendMessageA.USER32(?,00000434,00000064,00000000), ref: 0009115A
SendMessageA.USER32(?,00000432,00000001,00000000), ref: 00091170
SendMessageA.USER32(?,00000419,00000000,?), ref: 00091192
SendMessageA.USER32(?,0000040B,?,00000000), ref: 000911CD
CreateThread.KERNEL32(00000000,00000000,000911FF,00000000), ref: 000911E4

Strings

6, xrefs: 00090F68 00090F91
L7, xrefs: 00091011
D$ , xrefs: 0009109F

Function 00091210, Relevance: 33.6, APIs: 17, Strings: 17, Instructions: 347

APIs

ExitProcess.KERNEL32(00000000,?,?,00000100), ref: 00091672

Part of subcall function 00091918: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00091976
Part of subcall function 00091918: GetComputerNameW.KERNEL32(?), ref: 0009199E
Part of subcall function 00091918: GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00091A00
Part of subcall function 00091918: wsprintfW.USER32 ref: 00091AD2
Part of subcall function 00091918: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00091AF7
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091B17
Part of subcall function 00091918: lstrlen.KERNEL32 ref: 00091B1E
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091C6D
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091CCD
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091CE1
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091D41
Part of subcall function 00091918: InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 00091D5F
Part of subcall function 00091918: InternetSetFilePointer.WININET(?,00000000,00000000,00000002,00000000), ref: 00091D81
Part of subcall function 00091918: InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00091DA1
Part of subcall function 00091918: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00091DB6
Part of subcall function 00091918: InternetReadFile.WININET(?,?,?,?), ref: 00091DDF
Part of subcall function 00091918: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00091E1F
Part of subcall function 00091918: InternetCloseHandle.WININET(00000000), ref: 00091E34
Part of subcall function 00091918: InternetCloseHandle.WININET(00000000), ref: 00091E49

VirtualFree.KERNEL32(?,00000000,00008000), ref: 000912D9
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0009137C
Sleep.KERNEL32(00000064), ref: 000913A2
GetTempPathA.KERNEL32(00000100,?), ref: 000913EE
lstrcpy.KERNEL32(?,?), ref: 00091491
lstrcat.KERNEL32(?,?), ref: 0009149F
CreateFileA.KERNEL32(?,40000000,00000001,00000000,00000002,00000000,00000000), ref: 000914BB
VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00091514

Part of subcall function 0009167F: lstrlen.KERNEL32(?), ref: 0009171F
Part of subcall function 0009167F: lstrcat.KERNEL32(?,?), ref: 0009172A
Part of subcall function 0009167F: lstrcat.KERNEL32(?,?), ref: 00091732
Part of subcall function 0009167F: lstrcat.KERNEL32(?,?), ref: 0009173D
Part of subcall function 0009167F: GetUserNameA.ADVAPI32(?), ref: 0009174E
Part of subcall function 0009167F: lstrlen.KERNEL32(?), ref: 00091755
Part of subcall function 0009167F: lstrcat.KERNEL32(?,?), ref: 0009175D
Part of subcall function 0009167F: lstrcat.KERNEL32(?,?), ref: 00091768
Part of subcall function 0009167F: wsprintfA.USER32(?,?,?,?,?,?,?,00000400,?,?,?,?,?,?,?), ref: 000917EC
Part of subcall function 0009167F: lstrcat.KERNEL32(?,?), ref: 00091800
Part of subcall function 0009167F: lstrcat.KERNEL32(?,?), ref: 0009180B
Part of subcall function 0009167F: lstrcat.KERNEL32(?,00093768), ref: 00091819
Part of subcall function 0009167F: lstrlen.KERNEL32(?), ref: 00091820
Part of subcall function 0009167F: lstrlen.KERNEL32(?), ref: 00091872
Part of subcall function 0009167F: lstrlen.KERNEL32(?), ref: 0009188C
Part of subcall function 0009167F: lstrlen.KERNEL32(?), ref: 000918C5

WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0009156E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00091583
CloseHandle.KERNEL32(?), ref: 00091591
lstrcpy.KERNEL32(?,?), ref: 000915D0
lstrcat.KERNEL32(?,?), ref: 000915DE
lstrcat.KERNEL32(?,?), ref: 0009160E
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0009164E
Sleep.KERNEL32(0000003C), ref: 00091660

Part of subcall function 0009294C: Sleep.KERNEL32(00000BB8), ref: 00092967
Part of subcall function 0009294C: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 000929A5
Part of subcall function 0009294C: SwitchDesktop.USER32 ref: 000929AE
Part of subcall function 0009294C: CloseDesktop.USER32 ref: 000929B5
Part of subcall function 0009294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 000929EE
Part of subcall function 0009294C: RegDeleteValueA.ADVAPI32(?,?), ref: 00092A27
Part of subcall function 0009294C: RegFlushKey.ADVAPI32(?), ref: 00092A34
Part of subcall function 0009294C: RegCloseKey.ADVAPI32(?), ref: 00092A3D
Part of subcall function 0009294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00092A7A
Part of subcall function 0009294C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00092AC6
Part of subcall function 0009294C: RegCloseKey.ADVAPI32(?), ref: 00092AD3
Part of subcall function 0009294C: lstrcat.KERNEL32(?,?), ref: 00092B00
Part of subcall function 0009294C: DeleteFileA.KERNEL32(?), ref: 00092B07
Part of subcall function 0009294C: DeleteFileA.KERNEL32(?), ref: 00092B1E

Strings

SELF, xrefs: 000912B4
SELF, xrefs: 0009135B

Function 000921CD, Relevance: 22.7, APIs: 15, Instructions: 161

APIs

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00092230
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00092280
RegCloseKey.ADVAPI32(?), ref: 00092291
lstrcat.KERNEL32(?,?), ref: 000922C2
CreateFileA.KERNEL32(?,40000000,00000007,00000000,00000002,00000000,00000000), ref: 000922D8
SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 000922EC
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 000922FE
ReadFile.KERNEL32(?,?,00000004,?,00000000), ref: 00092311
CloseHandle.KERNEL32 ref: 00092319
Sleep.KERNEL32(00000FA0), ref: 0009233A
CreateFileA.KERNEL32(?,40000000,00000007,00000000,00000002,00000000,00000000), ref: 00092369
SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 0009237D
WriteFile.KERNEL32(?,?,00000004,?,00000000), ref: 00092393
CloseHandle.KERNEL32 ref: 0009239A

Part of subcall function 0009294C: Sleep.KERNEL32(00000BB8), ref: 00092967
Part of subcall function 0009294C: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 000929A5
Part of subcall function 0009294C: SwitchDesktop.USER32 ref: 000929AE
Part of subcall function 0009294C: CloseDesktop.USER32 ref: 000929B5
Part of subcall function 0009294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 000929EE
Part of subcall function 0009294C: RegDeleteValueA.ADVAPI32(?,?), ref: 00092A27
Part of subcall function 0009294C: RegFlushKey.ADVAPI32(?), ref: 00092A34
Part of subcall function 0009294C: RegCloseKey.ADVAPI32(?), ref: 00092A3D
Part of subcall function 0009294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00092A7A
Part of subcall function 0009294C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00092AC6
Part of subcall function 0009294C: RegCloseKey.ADVAPI32(?), ref: 00092AD3
Part of subcall function 0009294C: lstrcat.KERNEL32(?,?), ref: 00092B00
Part of subcall function 0009294C: DeleteFileA.KERNEL32(?), ref: 00092B07
Part of subcall function 0009294C: DeleteFileA.KERNEL32(?), ref: 00092B1E

ExitProcess.KERNEL32(00000000), ref: 000923A9

Function 00092039, Relevance: 15.9, APIs: 8, Strings: 8, Instructions: 111

APIs

NtAllocateVirtualMemory.NTDLL(000000FF), ref: 0009208B
NtQuerySystemInformation.NTDLL(00000005,?,?,?), ref: 000920A6
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 000920C6
NtOpenProcess.NTDLL(?,00000001,?,?), ref: 00092144
NtTerminateProcess.NTDLL(?,00000000,?,?), ref: 00092156
Sleep.KERNEL32(0000000A), ref: 00092160
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 0009217F
NtFreeVirtualMemory.NTDLL(000000FF,?,?,00008000), ref: 000921AD

Strings

@, xrefs: 00092123

Function 000908BB, Relevance: 14.4, APIs: 8, Instructions: 184

APIs

RegQueryValueExW.ADVAPI32 ref: 00090942
RegCloseKey.ADVAPI32 ref: 00090953
DeleteFileW.KERNEL32 ref: 000909B6
CopyFileW.KERNEL32 ref: 000909C6

Part of subcall function 0009246A: CreateFileW.KERNEL32 ref: 000924C2
Part of subcall function 0009246A: CloseHandle.KERNEL32 ref: 000924E7
Part of subcall function 0009246A: CreateFileW.KERNEL32 ref: 000924FF
Part of subcall function 0009246A: SetFileTime.KERNEL32 ref: 00092519
Part of subcall function 0009246A: CloseHandle.KERNEL32 ref: 00092520

DeleteFileW.KERNEL32 ref: 000909ED
RegSetValueExW.ADVAPI32 ref: 00090AA6
RegCloseKey.ADVAPI32 ref: 00090ABC
Sleep.KERNEL32 ref: 00090B0C

Part of subcall function 00090CE3: CreateWindowExW.USER32 ref: 00090E57
Part of subcall function 00090CE3: KiUserApcDispatcher.NTDLL(?,00000000), ref: 00090E6E
Part of subcall function 00090CE3: DispatchMessageW.USER32(?), ref: 00090E8F

Function 0009246A, Relevance: 9.0, APIs: 5, Instructions: 71

APIs

CreateFileW.KERNEL32 ref: 000924C2
CloseHandle.KERNEL32 ref: 000924E7
CreateFileW.KERNEL32 ref: 000924FF
SetFileTime.KERNEL32 ref: 00092519
CloseHandle.KERNEL32 ref: 00092520

Function 00092BA0, Relevance: 6.0, APIs: 4, Instructions: 35

APIs

OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 00092BE0
SwitchDesktop.USER32 ref: 00092BE8
CloseDesktop.USER32 ref: 00092BF0
Sleep.KERNEL32(00000064), ref: 00092BF8

Function 00090CE3, Relevance: 5.6, APIs: 3, Instructions: 125

APIs

CreateWindowExW.USER32 ref: 00090E57
KiUserApcDispatcher.NTDLL(?,00000000), ref: 00090E6E
DispatchMessageW.USER32(?), ref: 00090E8F

Function 000923B6, Relevance: .3, Instructions: 75

Function 00090472, Relevance: .0, Instructions: 42

Non-executed Functions

Function 0009294C, Relevance: 30.8, APIs: 14, Strings: 14, Instructions: 150

APIs

Sleep.KERNEL32(00000BB8), ref: 00092967
OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 000929A5
SwitchDesktop.USER32 ref: 000929AE
CloseDesktop.USER32 ref: 000929B5
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 000929EE
RegDeleteValueA.ADVAPI32(?,?), ref: 00092A27
RegFlushKey.ADVAPI32(?), ref: 00092A34
RegCloseKey.ADVAPI32(?), ref: 00092A3D
RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00092A7A
RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00092AC6
RegCloseKey.ADVAPI32(?), ref: 00092AD3
lstrcat.KERNEL32(?,?), ref: 00092B00
DeleteFileA.KERNEL32(?), ref: 00092B07
DeleteFileA.KERNEL32(?), ref: 00092B1E

Strings

.ini, xrefs: 00092B16

Function 0009167F, Relevance: 28.4, APIs: 16, Instructions: 229

APIs

Part of subcall function 00091F17: GetVersionExW.KERNEL32(?), ref: 00091F34
Part of subcall function 00091F17: GetSystemMetrics.USER32(00000059), ref: 00091FB2
Part of subcall function 00091F17: GetSystemMetrics.USER32(00000059), ref: 00091FD0
Part of subcall function 00091F17: GetSystemInfo.KERNEL32(?), ref: 00091FE9

lstrlen.KERNEL32(?), ref: 0009171F
lstrcat.KERNEL32(?,?), ref: 0009172A
lstrcat.KERNEL32(?,?), ref: 00091732
lstrcat.KERNEL32(?,?), ref: 0009173D
GetUserNameA.ADVAPI32(?), ref: 0009174E
lstrlen.KERNEL32(?), ref: 00091755
lstrcat.KERNEL32(?,?), ref: 0009175D
lstrcat.KERNEL32(?,?), ref: 00091768
wsprintfA.USER32(?,?,?,?,?,?,?,00000400,?,?,?,?,?,?,?), ref: 000917EC
lstrcat.KERNEL32(?,?), ref: 00091800
lstrcat.KERNEL32(?,?), ref: 0009180B
lstrcat.KERNEL32(?,00093768), ref: 00091819
lstrlen.KERNEL32(?), ref: 00091820
lstrlen.KERNEL32(?), ref: 00091872
lstrlen.KERNEL32(?), ref: 0009188C
lstrlen.KERNEL32(?), ref: 000918C5

Function 000925A1, Relevance: 12.2, APIs: 8, Instructions: 181

APIs

lstrcpy.KERNEL32(?,?), ref: 000925C1
wsprintfA.USER32(?,?,?,?,?,?,?,?,00000100,?,?,?,?,?,?,?), ref: 00092732
lstrcpyW.KERNEL32(?), ref: 0009276D

Part of subcall function 00091918: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00091976
Part of subcall function 00091918: GetComputerNameW.KERNEL32(?), ref: 0009199E
Part of subcall function 00091918: GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00091A00
Part of subcall function 00091918: wsprintfW.USER32 ref: 00091AD2
Part of subcall function 00091918: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00091AF7
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091B17
Part of subcall function 00091918: lstrlen.KERNEL32 ref: 00091B1E
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091C6D
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091CCD
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091CE1
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091D41
Part of subcall function 00091918: InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 00091D5F
Part of subcall function 00091918: InternetSetFilePointer.WININET(?,00000000,00000000,00000002,00000000), ref: 00091D81
Part of subcall function 00091918: InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00091DA1
Part of subcall function 00091918: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00091DB6
Part of subcall function 00091918: InternetReadFile.WININET(?,?,?,?), ref: 00091DDF
Part of subcall function 00091918: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00091E1F
Part of subcall function 00091918: InternetCloseHandle.WININET(00000000), ref: 00091E34
Part of subcall function 00091918: InternetCloseHandle.WININET(00000000), ref: 00091E49

CreateThread.KERNEL32(00000000,00000000,0009283D,?), ref: 000927DF
Sleep.KERNEL32(00000064), ref: 000927E7
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00092801
Sleep.KERNEL32(0000EA60), ref: 0009280C
VirtualFree.KERNEL32(?,00000000,00008000), ref: 00092830

Function 00091F17, Relevance: 7.4, APIs: 4, Instructions: 72

APIs

GetVersionExW.KERNEL32(?), ref: 00091F34
GetSystemMetrics.USER32(00000059), ref: 00091FB2
GetSystemMetrics.USER32(00000059), ref: 00091FD0
GetSystemInfo.KERNEL32(?), ref: 00091FE9

Function 000933A3, Relevance: 6.3, Instructions: 37

Function 0009284E, Relevance: 6.1, APIs: 4, Instructions: 72

APIs

lstrcpyW.KERNEL32(?,?), ref: 0009286E

Part of subcall function 00091918: InternetOpenW.WININET(?,00000000,00000000,00000000,00000000), ref: 00091976
Part of subcall function 00091918: GetComputerNameW.KERNEL32(?), ref: 0009199E
Part of subcall function 00091918: GetVolumeInformationW.KERNEL32(?,?,00000100,?,00000000,00000000,00000000,00000000), ref: 00091A00
Part of subcall function 00091918: wsprintfW.USER32 ref: 00091AD2
Part of subcall function 00091918: WideCharToMultiByte.KERNEL32(00000000,00000000,?,?,?,00000100,00000000,00000000), ref: 00091AF7
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091B17
Part of subcall function 00091918: lstrlen.KERNEL32 ref: 00091B1E
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091C6D
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091CCD
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091CE1
Part of subcall function 00091918: lstrcat.KERNEL32(?,?), ref: 00091D41
Part of subcall function 00091918: InternetOpenUrlA.WININET(?,?,00000000,00000000,80000000,00000000), ref: 00091D5F
Part of subcall function 00091918: InternetSetFilePointer.WININET(?,00000000,00000000,00000002,00000000), ref: 00091D81
Part of subcall function 00091918: InternetSetFilePointer.WININET(?,00000000,00000000,00000000,00000000), ref: 00091DA1
Part of subcall function 00091918: VirtualAlloc.KERNEL32(00000000,?,00001000,00000004), ref: 00091DB6
Part of subcall function 00091918: InternetReadFile.WININET(?,?,?,?), ref: 00091DDF
Part of subcall function 00091918: VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00091E1F
Part of subcall function 00091918: InternetCloseHandle.WININET(00000000), ref: 00091E34
Part of subcall function 00091918: InternetCloseHandle.WININET(00000000), ref: 00091E49

Sleep.KERNEL32(0000EA60), ref: 00092925
VirtualFree.KERNEL32(?,00000000,00008000), ref: 0009291A

Part of subcall function 0009294C: Sleep.KERNEL32(00000BB8), ref: 00092967
Part of subcall function 0009294C: OpenDesktopW.USER32(?,00000000,00000000,10000000), ref: 000929A5
Part of subcall function 0009294C: SwitchDesktop.USER32 ref: 000929AE
Part of subcall function 0009294C: CloseDesktop.USER32 ref: 000929B5
Part of subcall function 0009294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000003,?), ref: 000929EE
Part of subcall function 0009294C: RegDeleteValueA.ADVAPI32(?,?), ref: 00092A27
Part of subcall function 0009294C: RegFlushKey.ADVAPI32(?), ref: 00092A34
Part of subcall function 0009294C: RegCloseKey.ADVAPI32(?), ref: 00092A3D
Part of subcall function 0009294C: RegOpenKeyExA.ADVAPI32(80000001,?,00000000,00000001,?), ref: 00092A7A
Part of subcall function 0009294C: RegQueryValueExA.ADVAPI32(?,?,00000000,00000000,?), ref: 00092AC6
Part of subcall function 0009294C: RegCloseKey.ADVAPI32(?), ref: 00092AD3
Part of subcall function 0009294C: lstrcat.KERNEL32(?,?), ref: 00092B00
Part of subcall function 0009294C: DeleteFileA.KERNEL32(?), ref: 00092B07
Part of subcall function 0009294C: DeleteFileA.KERNEL32(?), ref: 00092B1E

ExitProcess.KERNEL32(00000000,?,?,?,?,?,?,00000100,?,-00000008,?,?,?,?,00000002,00000000), ref: 00092937

Function 000904DA, Relevance: 5.3, Strings: 0, Instructions: 344

Strings

@, xrefs: 00090563
@, xrefs: 000905B2
@, xrefs: 00090646
@, xrefs: 00090737

Analysis Process: ctfmon.exe PID: 1756 Parent PID: 856

Executed Functions

Non-executed Functions

Loading ...

Warning!

Error!

General Information

Signature Overview

Startup

Created / dropped Files

Contacted Domains

Contacted IPs

Static File Info

Static PE Info

Network Behavior

Code Manipulation Behavior

System Behavior

Analysis Process: skype-3e99fab7f175eb8bf283b1e883c714c9.exe PID: 1220 Parent PID: 1872

Chronological Activities

Analysis Process: explorer.exe PID: 1548 Parent PID: 1220

Chronological Activities

Analysis Process: svchost.exe PID: 856 Parent PID: 1548

Chronological Activities

Analysis Process: ctfmon.exe PID: 1756 Parent PID: 856

Chronological Activities

Disassembly

Code Analysis

Analysis Process: skype-3e99fab7f175eb8bf283b1e883c714c9.exe PID: 1220 Parent PID: 1872

Analysis Process: explorer.exe PID: 1548 Parent PID: 1220

Analysis Process: svchost.exe PID: 856 Parent PID: 1548

Analysis Process: ctfmon.exe PID: 1756 Parent PID: 856