05b8805d5148

Remarks

Maximum Dump Total Size Reached (0x0200005D): 12210 additional dumps with the reason "Content Changed" and a total of 20668 MB were skipped because the respective maximum limit was reached.

Filters:

File Name	Category	Type	Verdict	Actions

C:\Users\kEecfMwgj\Desktop\2a29d10ec3310613657d8a0dcaa4aabe.virus.exe

Sample File

Binary

Also Known As	\??\c:\users\keecfmwgj\desktop\2a29d10ec3310613657d8a0dcaa4aabe.virus.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	20.25 MB
MD5	2a29d10ec3310613657d8a0dcaa4aabe
SHA1	f99a7d5d2ce42d5bb5ddc4c66db6ed7eb8d9bb58
SHA256	05b8805d514836fe3de91c1a34ba61a97c9c9ab46f380b65f81ab26cb1cb63d5
SSDeep	393216:w8zIZAhNURa8zIZAhNURm8zIZAhNURa8zIZAhNURR8zIZAhNURa8zIZAhNURm8zp:w8zIZGUa8zIZGUm8zIZGUa8zIZGUR8zV
ImpHash	85de11416899930380628ef20827d5fe

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

PE Information

Image Base	0x00400000
Entry Point	0x00DDED44
Size Of Code	0x00002000
Size Of Initialized Data	0x00008000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2008-11-16 03:29 (UTC)

Version Information (3)

FileDescription	-
FileVersion	1, 0, 0, 0
CompiledScript	E_P_E_N KA Sorong_papua 17-08-2008 By PinkCell,MentariCell,SimpatiCell,CakcraCell,and LunaMaya Ilove you Script: 1, 0, 0, 0

Sections (6)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
	0x00401000	0x00022000	0x00005200	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.97
	0x00423000	0x00002000	0x00002000	0x00005600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.98
	0x00425000	0x00002000	0x00000200	0x00007600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.62
.rsrc	0x00427000	0x00006000	0x00005E00	0x00007800	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.18
	0x0042D000	0x0079D000	0x00032800	0x0000D600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	8.0
.data	0x00BCA000	0x00217000	0x00216400	0x0003FE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.98

Imports (8)

kernel32.dll (4)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetModuleHandleA	-	0x00BCDF4C	0x007CDF4C	0x00043D4C	0x00000000
GetProcAddress	-	0x00BCDF50	0x007CDF50	0x00043D50	0x00000000
ExitProcess	-	0x00BCDF54	0x007CDF54	0x00043D54	0x00000000
LoadLibraryA	-	0x00BCDF58	0x007CDF58	0x00043D58	0x00000000

user32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
MessageBoxA	-	0x00BCDF60	0x007CDF60	0x00043D60	0x00000000

advapi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
RegCloseKey	-	0x00BCDF68	0x007CDF68	0x00043D68	0x00000000

oleaut32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SysFreeString	-	0x00BCDF70	0x007CDF70	0x00043D70	0x00000000

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontA	-	0x00BCDF78	0x007CDF78	0x00043D78	0x00000000

shell32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ShellExecuteA	-	0x00BCDF80	0x007CDF80	0x00043D80	0x00000000

version.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetFileVersionInfoA	-	0x00BCDF88	0x007CDF88	0x00043D88	0x00000000

MSVBVM60.DLL (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
__vbaVarSub	-	0x00BCDF90	0x007CDF90	0x00043D90	0x00000000

Memory Dumps (22)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Relevant Image	32-bit	0x00DDED44	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x00578BB0	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x0057D818	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x0053C458	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x00431238	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x0043BC68	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x0048BD90	... Actions Go to Process Download Dump
buffer	1	0x002A0000	0x002A0FFF	Content Changed	32-bit	-	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x0048E3C0	... Actions Go to Process Download Dump
2a29d10ec3310613657d8a0dcaa4aabe.virus.exe	1	0x00400000	0x00DE0FFF	Content Changed	32-bit	0x0049045C	... Actions Go to Process Download Dump
buffer	1	0x7EBD0000	0x7EFA0FFF	First Execution	32-bit	0x7EBD0000	... Actions Go to Process Download Dump
kernel32.dll	1	0x75A80000	0x75B8FFFF	First Execution	32-bit	0x75A917E9	... Actions Go to Process Download Dump
user32.dll	1	0x75980000	0x75A7FFFF	First Execution	32-bit	0x7599DB21	... Actions Go to Process Download Dump
oleaut32.dll	1	0x775D0000	0x7765EFFF	First Execution	32-bit	0x775D45D2	... Actions Go to Process Download Dump
gdi32.dll	1	0x771B0000	0x7723FFFF	First Execution	32-bit	0x771C4EB8	... Actions Go to Process Download Dump
advapi32.dll	1	0x76F40000	0x76FDFFFF	First Execution	32-bit	0x76F54620	... Actions Go to Process Download Dump
buffer	1	0x003E0000	0x003EFFFF	First Execution	32-bit	0x003E7298	... Actions Go to Process Download Dump
msvcrt.dll	1	0x76DC0000	0x76E6BFFF	First Execution	32-bit	0x76DC9910	... Actions Go to Process Download Dump
rpcrt4.dll	1	0x774E0000	0x775CFFFF	First Execution	32-bit	0x774FDE1D	... Actions Go to Process Download Dump
buffer	1	0x002C0000	0x002C0FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x031E0000	0x032DFFFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump
buffer	1	0x03314000	0x03317FFF	Marked Executable	32-bit	-	... Actions Go to Process Download Dump

\??\c:\users\keecfmwgj\appdata\local\temp\avscan.exe

Dropped File

Binary

Also Known As	C:\Users\KEECFM~1\AppData\Local\Temp\avscan.exe (Accessed File, Dropped File) C:\Users\kEecfMwgj\Desktop\A0jRdmcvV1haBm5.doc (Accessed File, VM File, Random File) C:\Windows\hosts.exe (Accessed File, Dropped File) C:\windows\hosts.exe (Accessed File) \??\c:\windows\hosts.exe (Accessed File)
MIME Type	application/vnd.microsoft.portable-executable
File Size	10.00 MB
MD5	b4f7f70290a5d9a2f1d7b2c512f542b1
SHA1	4079c4e04583bf4af15a72ef872b8c2bd88c2211
SHA256	5ce56e05da8bca57172ec476d9492c4c78f0dcdd9d3ca6881fa2eaa6660e4129
SSDeep	196608:qX8G/WIZS8ghNU4NgMVX8G/WIZS8ghNU4NgMTX8G/WIZS8ghNU4NgMVX8G/WIZSo:w8zIZAhNURa8zIZAhNURm8zIZAhNURaT
ImpHash	85de11416899930380628ef20827d5fe

PE Information

Image Base	0x00400000
Entry Point	0x00DDED44
Size Of Code	0x00002000
Size Of Initialized Data	0x00008000
File Type	IMAGE_FILE_EXECUTABLE_IMAGE
Subsystem	IMAGE_SUBSYSTEM_WINDOWS_GUI
Machine Type	IMAGE_FILE_MACHINE_I386
Compile Timestamp	2008-11-16 03:29 (UTC)

Version Information (3)

FileDescription	-
FileVersion	1, 0, 0, 0
CompiledScript	E_P_E_N KA Sorong_papua 17-08-2008 By PinkCell,MentariCell,SimpatiCell,CakcraCell,and LunaMaya Ilove you Script: 1, 0, 0, 0

Sections (6)

Name	Virtual Address	Virtual Size	Raw Data Size	Raw Data Offset	Flags	Entropy
	0x00401000	0x00022000	0x00005200	0x00000400	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.97
	0x00423000	0x00002000	0x00002000	0x00005600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.98
	0x00425000	0x00002000	0x00000200	0x00007600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	2.62
.rsrc	0x00427000	0x00006000	0x00005E00	0x00007800	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	4.18
	0x0042D000	0x0079D000	0x00032800	0x0000D600	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	8.0
.data	0x00BCA000	0x00217000	0x00216400	0x0003FE00	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE	7.98

Imports (8)

kernel32.dll (4)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetModuleHandleA	-	0x00BCDF4C	0x007CDF4C	0x00043D4C	0x00000000
GetProcAddress	-	0x00BCDF50	0x007CDF50	0x00043D50	0x00000000
ExitProcess	-	0x00BCDF54	0x007CDF54	0x00043D54	0x00000000
LoadLibraryA	-	0x00BCDF58	0x007CDF58	0x00043D58	0x00000000

user32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
MessageBoxA	-	0x00BCDF60	0x007CDF60	0x00043D60	0x00000000

advapi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
RegCloseKey	-	0x00BCDF68	0x007CDF68	0x00043D68	0x00000000

oleaut32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
SysFreeString	-	0x00BCDF70	0x007CDF70	0x00043D70	0x00000000

gdi32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
CreateFontA	-	0x00BCDF78	0x007CDF78	0x00043D78	0x00000000

shell32.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
ShellExecuteA	-	0x00BCDF80	0x007CDF80	0x00043D80	0x00000000

version.dll (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
GetFileVersionInfoA	-	0x00BCDF88	0x007CDF88	0x00043D88	0x00000000

MSVBVM60.DLL (1)

API Name	Ordinal	IAT Address	Thunk RVA	Thunk Offset	Hint
__vbaVarSub	-	0x00BCDF90	0x007CDF90	0x00043D90	0x00000000

Memory Dumps (11)

Name	Process ID	Start VA	End VA	Dump Reason	Bitness	Entry Point	Actions
avscan.exe	5	0x00400000	0x00DE0FFF	Relevant Image	32-bit	0x00DDED44	... Actions Go to Process Download Dump
kernel32.dll	5	0x75A80000	0x75B8FFFF	First Execution	32-bit	0x75A917E9	... Actions Go to Process Download Dump
user32.dll	5	0x75980000	0x75A7FFFF	First Execution	32-bit	0x7599DB21	... Actions Go to Process Download Dump
oleaut32.dll	5	0x775D0000	0x7765EFFF	First Execution	32-bit	0x775D45D2	... Actions Go to Process Download Dump
gdi32.dll	5	0x771B0000	0x7723FFFF	First Execution	32-bit	0x771C4EB8	... Actions Go to Process Download Dump
advapi32.dll	5	0x76F40000	0x76FDFFFF	First Execution	32-bit	0x76F54620	... Actions Go to Process Download Dump
buffer	5	0x003A0000	0x003AFFFF	First Execution	32-bit	0x003A7298	... Actions Go to Process Download Dump
hosts.exe	7	0x00400000	0x00DE0FFF	Relevant Image	32-bit	0x00DDED44	... Actions Go to Process Download Dump
avscan.exe	5	0x00400000	0x00DE0FFF	Final Dump	32-bit	0x00523EA2	... Actions Go to Process Download Dump
hosts.exe	7	0x00400000	0x00DE0FFF	Final Dump	32-bit	-	... Actions Go to Process Download Dump
avscan.exe	9	0x00400000	0x00DE0FFF	Relevant Image	32-bit	0x00DDED44	... Actions Go to Process Download Dump

c:\windows\W_X_C.bat

Dropped File

Text

MIME Type	text/x-msdos-batch
File Size	336 Bytes
MD5	4db9f8b6175722b62ececeeeba1ce307
SHA1	3b3ba8414706e72a6fa19e884a97b87609e11e47
SHA256	d2150b9e5a4ce55e140f0ca91c4e300715d42095c8fddf58c77037cdd2cfaf78
SSDeep	6:hXRwyA4KKMnyAUZvy9OR/9tvL6qVnEYmPmLm+WCJEvL8uJsQE1gF1PXv:XwTMMnTUZK9O4qNjmP8YfvLb7E1aPv
ImpHash	-

File Reputation Information

Verdict	Malicious
Names	Mal/Generic-S

C:\windows\W_X_C.vbs

Dropped File

Text

Also Known As	C:\Windows\W_X_C.vbs (Accessed File)
MIME Type	text/plain
File Size	197 Bytes
MD5	e4d8c94a9d2694a1730d391f04e8d230
SHA1	a20187f2fa657a79f2816265901342d3218ac8bc
SHA256	62894ee80c01474985035813efed6424d22326ea4a92ccfa0718a76875456284
SSDeep	3:VfX9GToyIFOvW8RFoghm8nhyxVFHtvrpdgLxqrZfyM1K7ehScUZJ4q3by696mLyM:VtGTvFoPqh2xrYLxiH1j3U3PWWNeX8
ImpHash	-

Remarks (2/3)

Remarks

There are no files for this filter

There are no files in this analysis

Classifications

Threat Names

Before

After

WHOIS Domain Information