Sample ID:344693
General Information
Filename EF977B08A4A565C152E1BBA6A96B5A257F2B5F596A058500C4AEC0E6601AF805
Report Generated at 2014-01-29 11:24:57
File Last Modified 2014-01-20 23:44:02
SHA1 5b2c0334bbba72ecc82edf839e109ca9341a906c
SHA256 ef977b08a4a565c152e1bba6a96b5a257f2b5f596a058500c4aec0e6601af805
MD5 74207ca27edba3a9931f7e129372bc59
Summary of Results
CAMAL Heuristics Result Malicious
AVG BackDoor.Generic17.KXE
BitDefender Gen:Heur.Zygug.5
ClamWin Undetected
ESET Win32/Dorkbot.B worm
GFI Trojan.Win32.Zbot.fdm (v)
Norman win32/Dorkbot.GUU
QuickHeal TrojanPWS.Zbot.Gen
TotalDefense Win32/Dorkbot.DSWOBZC
Processes
Behaviour | Target
process creation | C:\Windows\system32\SearchIndexer.ex
process creation | C:\Windows\system32\SearchProtocolHost.ex
created processes | "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
creates suspended process | "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
creates suspended process | "C:\Windows\system32\SearchFilterHost.exe" 0 516 520 528 65536 524
process creation | C:\Windows\system32\SearchFilterHost.ex
process creation | C:\Windows\system32\SearchProtocolHost.ex
process creation | C:\Windows\system32\taskhost.ex
process termination | C:\Windows\system32\taskhost.ex
process creation | e:\binary.ex
created processes | C:\Windows\system32\svchost.exe
creates suspended process | C:\Windows\system32\svchost.exe
creates suspended process | C:\Windows\system32\svchost.exe
created processes | e:\binary.exe
creates suspended process | e:\binary.exe
creates suspended process | e:\binary.exe
process creation | C:\Windows\system32\svchost.ex
created processes | C:\Windows\system32\mspaint.exe
creates suspended process | C:\Windows\system32\mspaint.exe
process creation | e:\binary.ex
process creation | C:\Windows\system32\mspaint.ex
process termination | e:\binary.ex
process creation | C:\Windows\system32\svchost.ex
open process | 4
open process | fc
open process | 14c
open process | 170
open process | 17c
open process | 1a4
open process | 1d0
open process | 1e0
open process | 248
open process | 28c
open process | 2c0
open process | 334
open process | 35c
open process | 3cc
open process | 414
open process | 49c
open process | 4c4
open process | 52c
open process | 5ac
open process | 5b8
open process | 708
open process | 7cc
open process | 7d4
open process | 7e0
open process | 168
open process | 598
open process | 324
process termination | e:\binary.ex
Files
Behaviour | Target
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\PropMap\CiPT0000.000
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.gthr
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.gthr
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.Crwl
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.9.Crwl
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.10.gthr
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.10.gthr
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.10.Crwl
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\GatherLogs\SystemIndex\SystemIndex.10.Crwl
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.chk
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS.log
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Windows.edb
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\tmp.edb
created files | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000
create file weird location | C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\SecStore\CiST0000.000
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.000
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\INDEX.000
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010001.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010001.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010002.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010002.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wsb
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010008.wsb
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010010.wid
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\00010010.wid
created files | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\CiAD0002.000
create file weird location | c:\programdata\microsoft\search\data\applications\windows\projects\systemindex\indexer\cifiles\CiAD0002.000
created files | \\.\PIPE\samr
create file weird location | \\.\PIPE\samr
created files | \\?\Volume{e0c45204-0910-11e3-b691-806e6f6e6963}
create file weird location | \\?\Volume{e0c45204-0910-11e3-b691-806e6f6e6963}
created files | \\.\PIPE\lsarpc
create file weird location | \\.\PIPE\lsarpc
created files | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
created files | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
create file weird location | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
created files | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
created files | C:\Windows\Debug\WIA\wiatrace.log
write file in sensitive location | C:\Windows\Debug\WIA\wiatrace.log
create file weird location | C:\Windows\Debug\WIA\wiatrace.log
write file in sensitive location | C:\Windows\Debug\WIA\wiatrace.log
write file in sensitive location | C:\Windows\Debug\WIA\wiatrace.log
Registry
Behaviour | Target
created reg | HKLM\SOFTWARE\Microsoft\Windows Search\CrawlScopeManager\Windows\SystemIndex
created reg | HKLM\SOFTWARE\Microsoft\Windows Search\VolumeInfoCache
created reg | HKCU\Software\Microsoft\Windows\CurrentVersion\Run
created reg | HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg browser settings | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
reg error reporting | SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Others
Behaviour | Target
main module retrieve name | C:\Windows\system32\SearchIndexer.exe
load self image | C:\Windows\system32\en-us\tQuery.dll.mui
load self image | OLEAUT32
load self image | OLEAUT32
remote mem allocation | 94
remote thread | 94
remote thread | 94
remote mem allocation | 94
remote mem allocation | 94
remote mem allocation | 94
remote thread | 94
remote thread | 94
remote mem allocation | b0
tamper browser history write | C:\Users\admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
duplicate handle | 1b0
tamper browser history write | C:\Users\admin\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
duplicate handle | 1bc
tamper browser history write | C:\Users\admin\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
duplicate handle | 1c8
load self image | ws2_32
load self image | dnsapi
load self image | iphlpapi
show window | 1
load self image | 72940000
show window | 4
show window | 4
show window | 4
show window | 4
show window | 4
show window | 5
show window | 4
show window | 5
show window | 5
remote mem allocation | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote mem allocation | f0
remote thread | f0
remote thread | f0
remote thread | f0
remote thread | f0
remote thread | f0
remote thread | f0
remote thread | f0
remote thread | f0
remote thread | f0
duplicate handle | 1f8
duplicate handle | 278
duplicate handle | 290
duplicate handle | 29c
load self image | ws2_32
load self image | dnsapi
load self image | iphlpapi
remove internet settings | AutoConfigURL
HTTP Requests
Action | URI | IP
GET | www.msftncsi.com /ncsi.txt | 23.0.160.80
GET | api.wipmania.com / | 116.251.214.147
Destination IPs
IP | Packet Count | Protocol
23.0.160.80:80 | 5 | TCP
[BROADCAST]:137 | 45 | UDP
[DNS]:53 | 7 | UDP
[BROADCAST]:138 | 13 | UDP
116.251.214.147:80 | 3 | TCP
[LLMNR]:5355 | 20 | UDP
Similar samples
MD5 | Link to report
d6fc2755ba215a8061217255e61d867c
Here
d5a76b3423b3f716ab3c8b3b892fac92
Here
30d4eaa28587f12ebb92ed1895de9632
Here
13de0f69c09e79b5f0ba3039ee425d09
Here
b5f7a7d340503dcca6df6333764013cf
Here
a8640fecc084fa17d11ea567294d48dc
Here
f35734299dcaa6bf5724904e94f42016
Here
eb5f7001df1217461ad7a75704d25e7e
Here
a2a07be8720fb7664f202aabd373aad1
Here
c9618a078a50fcd6669b1ad6728077aa
Here
dcdc88ff3d75705ad1d665fed57fdf54
Here
eb7a1177bb4b8b11f09e8744864a30e4
Here
d03d2f40b067ed5311d76d7ea06abefd
Here
db4028e00b241a2425189ddc7ab9641a
Here
90b7097105344999fe5989e9af98bfb7
Here
f87baaff57db6b00d4c3a7d3a3f7d13c
Here
bcf5da5ab384f8928d5cba9c43c46770
Here
e20c90365e3ccfa7b987838941e0dfb2
Here
6f898a759abf0ae972b3d056242353d7
Here
666dc259beeb2c8eed3b63c178e6c538
Here
1ab95f6122e54b52eb030a086c4dbeb8
Here
cbe3879279a8b17079827e918cb4be6a
Here
ec25cc703da348a34b7e0db7f8aa29ac
Here
fc43b3d8d80742a6fd38135990e7c880
Here
beb222f638d3f1af3dbd5379117bc4b8
Here
d08a316947ec87b8b814e11ec0bd5db5
Here
b6c05f2243bf445ed40d15697f931632
Here
cafaa3763551efab83a4e8ba377c9e2c
Here
93613c5f1251774056c2367910494f49
Here
bc4fbd05cc8fe10dffeb41a861b9beaf
Here
8e6e5076d0626eed70b55e43e8ef17f9
Here
1706e5bae3b8e81af889154d458f65f9
Here
c8db56e68594fcdaee329522a8b390e0
Here
c7392f0ae50c1ce121e7439d790dc852
Here
ea54c9ae0c0037dbe44cfd586061a73b
Here
d5c911092fe17ac50c68dc762280050e
Here
cc7d3775c8ae2f244cfe7a3d98801640
Here
d34138c9a73458737ca171531458e950
Here
db07822d35ed18ce774e9e46b48b5dc8
Here
bf0741a160abf044bd53d91fa07c0580
Here
a0369e6ce61c7a68c44d1288f295fdf7
Here
e24811562ca88b61f449dd17dcb97730
Here
c2ccc9306b82fb29a93a592c1b4330eb
Here
4b328ff865dc0754f90e1be29c6ea312
Here
1e067037762c03c3d57880095eec3893
Here
5d04e3a03a21558684b8e61359fd1aef
Here
bd9fa9f61af2b54d33740b8db70eeba7
Here
02c2dce6f5a0f7c3265d8e4cc877a54e
Here
04ac93addec77cea1cd0893c29582b31
Here
dc85aed025998c17c44824a8d7978294
Here