Analysis Date: 2014-08-21 23:05:18
MD5: 6a231a55aef91a3d95f4a92d64114083
SHA1: 247ed8fe8a5aee2aa36f476638c39c3e7835ba75

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section CODE md5: 0101a315e63bb7b5eaf480f26ef67945 sha1: 3014bf0f41cfd1ac49925caa8554218d4d3f5906 size: 75264
Section .data md5: 5449c498dae5a9ee2e5ab02501e44d8c sha1: 9898c27579f12694806c4169ac6386271c9bda37 size: 161280
Section .RES72 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .RES77 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .RES43 md5: 56a1dab6bc2c18038a565153ecc78dad sha1: 4f958762b284ecbdcdc4e8253bfa821f545b8c9b size: 3584
Section .RES99 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .RES16 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .RES23 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section .RES11 md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .RES89 md5: dcc5c48a0f93d40fc8f09d56563f4505 sha1: 78d27b98d34427e4a3243f927075f02c749fe940 size: 1024
Section .rsrc md5: 3ab3e38076f1b4f7f436eee948d3b64c sha1: 1097a14de3cf32e7f6a6cb4fd9c860adad18bb4d size: 2560
Note: .RES72 and .RES77 share one md5/sha1 pair and size, as do .RES99, .RES16 and .RES23, so each of those groups has byte-identical section content (padding or stub data rather than distinct resources).
Timestamp: 2009-07-14 07:50:36
Version:
  LegalCopyright: Copyright © Windows MAXim Edition 2011
  InternalName: MAXim Edition.exe
  FileVersion: 5.0.746.173
  CompanyName: Avira GmbH
  ProductName: MAXim Edition Version 2011
  ProductVersion: 5.0.746.173
  FileDescription: I windows setup API
  OriginalFilename: MAXim Edition.exe
Note: the version resource contradicts itself (CompanyName "Avira GmbH" next to an unrelated product name, copyright holder and description string), so treat it as spoofed metadata rather than as evidence of origin.
Packer: FSG v1.10 (Eng) -> dulek/xt
PEhash: cd865bd7e08fe2ea3d872263ef1564ffcb504abf
IMPhash: 5eaf29cc37afb1fa36093dd85e68f46c
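As an added example (not part of the sandbox report and not the tool that produced it), the following Python reproduces the per-section hashing of the Static Details block from a PE32 section table, and adds two checks the report leaves to the reader: per-section entropy, and grouping of sections whose hash and size coincide. The input is a constructed minimal PE built by build_sample_pe(), not the analysed sample; its section names, timestamp and entry-point RVA are assumptions. zero_block_md5(1024) and zero_block_md5(512) can be compared against the repeated .RES md5 values above to tell whether those sections are NUL filled.

```python
"""Reproduce a sandbox 'Static Details' section table from a PE32 image in memory."""
import hashlib
import math
import struct
from collections import defaultdict
from datetime import datetime, timezone


def shannon_entropy(buf):
    """Bits per byte: near 8.0 for packed or encrypted data, 0.0 for uniform padding."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return (TimeDateStamp, AddressOfEntryPoint, [section dicts]) for a PE32 file."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    # IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    _, nsec, timestamp, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    table = opt + opt_size
    sections = []
    for i in range(nsec):
        name, vsize, vaddr, rawsize, rawptr = struct.unpack_from("<8sIIII", data, table + i * 40)
        raw = data[rawptr:rawptr + rawsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("latin-1"),
            "vaddr": vaddr, "vsize": vsize, "size": rawsize,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "entropy": shannon_entropy(raw),
        })
    return timestamp, entry_rva, sections


def duplicate_sections(sections):
    """Names of sections that share both SHA-1 and size, i.e. byte-identical content."""
    groups = defaultdict(list)
    for s in sections:
        groups[(s["sha1"], s["size"])].append(s["name"])
    return [names for names in groups.values() if len(names) > 1]


def entry_section(sections, entry_rva):
    """Section containing the entry point; a packer stub often lives outside the code section."""
    for s in sections:
        if s["vaddr"] <= entry_rva < s["vaddr"] + max(s["vsize"], s["size"]):
            return s["name"]
    return None


def zero_block_md5(n):
    """MD5 of n NUL bytes, to compare against repeated hashes of same-sized sections."""
    return hashlib.md5(b"\0" * n).hexdigest()


def format_static_details(data):
    """Emit lines in the report's 'Section <name> md5: ... sha1: ... size: ...' form."""
    ts, entry_rva, secs = parse_pe(data)
    lines = [f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']} "
             f"entropy: {s['entropy']:.2f}" for s in secs]
    lines.append("Timestamp: " + datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"))
    lines.append(f"Entry point in: {entry_section(secs, entry_rva)}")
    return "\n".join(lines)


def build_sample_pe():
    """Constructed minimal PE32 (an assumption, not the analysed sample): one maximal-entropy
    code section and two identical NUL-filled sections."""
    code = bytes(range(256)) * 4                 # 1024 bytes, every byte value equally often
    pad = b"\0" * 1024
    specs = [(b"CODE", 0x1000, code), (b".RES72", 0x2000, pad), (b".RES77", 0x3000, pad)]
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)              # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 1247557836, 0, 0, 0xE0, 0x102)
    opt = struct.pack("<H", 0x10B) + b"\0" * 14 + struct.pack("<I", 0x1010) + b"\0" * (0xE0 - 20)
    table, body, ptr = b"", b"", 512                                   # raw data starts at 512
    for name, va, content in specs:
        table += struct.pack("<8sIIIIIIHHI", name, len(content), va, len(content), ptr,
                             0, 0, 0, 0, 0x60000020)
        body += content
        ptr += len(content)
    headers = dos + b"PE\0\0" + coff + opt + table
    return headers + b"\0" * (512 - len(headers)) + body


if __name__ == "__main__":
    sample = build_sample_pe()
    print(format_static_details(sample))
    print("identical sections:", duplicate_sections(parse_pe(sample)[2]))
```

Run it against a real file by replacing build_sample_pe() with open(path, "rb").read(); the entropy column is what separates packed code (near 8 bits per byte) from the padding-only sections that the duplicate hashes above already hint at.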

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Note: the three index.dat files, WininetConnectionMutex and the per-directory "c:!...!" mutexes are side effects of WinINet being used for HTTP, so they show that the sample uses WinINet for its network activity, not a persistence or staging action. The dropped Temp\Ogf..bat and its cmd.exe launch are the sample's own behaviour.

Process
↳ C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe
Note: the batch file deletes itself and the original executable with all cmd.exe output discarded (> nul 2> nul); the "nul" file create is the redirect target, not a dropped file.
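The runtime details above show a cleanup pattern: a batch file is dropped into the user's Temp directory, run through cmd.exe /q /c with both output streams sent to nul, and the batch then deletes itself and the original executable. As an added example, not from the sandbox or the page, the following Python applies that pattern as a detection over constructed process and file events (the pipe-delimited event format, pids and timestamps are assumptions, not the sandbox's or Sysmon's output):

```python
"""Flag the 'cmd.exe /q /c <temp>.bat > nul 2> nul' self-deletion pattern from the runtime details."""
import re

# Constructed endpoint telemetry (an assumption, not the sandbox's own output), one event per line:
# time|event|pid|ppid|image|detail   (detail = command line for ProcessCreate, a path otherwise)
SAMPLE_EVENTS = r"""
10:00:01|ProcessCreate|1001|500|C:\malware.exe|C:\malware.exe
10:00:02|FileCreate|1001|500|C:\malware.exe|C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
10:00:02|ProcessCreate|1002|1001|C:\WINDOWS\system32\cmd.exe|C:\WINDOWS\system32\cmd.exe /q /c C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat > nul 2> nul
10:00:03|FileDelete|1002|1001|C:\WINDOWS\system32\cmd.exe|C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
10:00:03|FileDelete|1002|1001|C:\WINDOWS\system32\cmd.exe|C:\malware.exe
10:00:05|ProcessCreate|1003|600|C:\WINDOWS\system32\cmd.exe|cmd.exe /c C:\scripts\backup.bat
10:00:06|FileDelete|1003|600|C:\WINDOWS\system32\cmd.exe|C:\scripts\backup.log
"""

# cmd.exe running a .bat via /c, optionally with /q (echo off); the path may contain spaces
BATCH_RUN = re.compile(r"cmd(?:\.exe)?\s+(?:/q\s+)?/c\s+(?P<bat>.+?\.bat)\b", re.IGNORECASE)
TEMP_DIR = re.compile(r"\\(?:temp|tmp)\\", re.IGNORECASE)
NUL_REDIRECT = re.compile(r">\s*nul\b", re.IGNORECASE)


def parse_events(text):
    events = []
    for line in text.strip().splitlines():
        ts, kind, pid, ppid, image, detail = line.split("|", 5)
        events.append({"time": ts, "kind": kind, "pid": int(pid), "ppid": int(ppid),
                       "image": image, "detail": detail})
    return events


def find_self_deleting_batch(events):
    """One finding per cmd.exe batch run; alert when the batch sits in a temp directory
    and the same cmd.exe process later deletes both the batch and its parent's own image."""
    image_of = {e["pid"]: e["image"] for e in events if e["kind"] == "ProcessCreate"}
    findings = []
    for e in events:
        if e["kind"] != "ProcessCreate":
            continue
        m = BATCH_RUN.search(e["detail"])
        if not m:
            continue
        bat = m.group("bat")
        deleted = {d["detail"].lower() for d in events
                   if d["kind"] == "FileDelete" and d["pid"] == e["pid"]}
        parent = image_of.get(e["ppid"], "").lower()
        f = {
            "pid": e["pid"],
            "batch": bat,
            "from_temp": bool(TEMP_DIR.search(bat)),
            "output_suppressed": bool(NUL_REDIRECT.search(e["detail"])),
            "deletes_batch": bat.lower() in deleted,
            "deletes_parent": bool(parent) and parent in deleted,
        }
        f["alert"] = f["from_temp"] and f["deletes_batch"] and f["deletes_parent"]
        findings.append(f)
    return findings


def alerts(events):
    """Only the findings that match the full drop-run-delete chain."""
    return [f for f in find_self_deleting_batch(events) if f["alert"]]


if __name__ == "__main__":
    for f in find_self_deleting_batch(parse_events(SAMPLE_EVENTS)):
        print(("ALERT " if f["alert"] else "ok    ") + f"pid={f['pid']} batch={f['batch']}")
```

The benign backup.bat run in the sample data is reported but not alerted on, because it neither lives in Temp nor deletes its parent's image; the output suppression and Temp location are recorded as supporting indicators rather than required ones, since a variant could drop the batch elsewhere.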

Network Details:

DNS: weather.com (A) ➝ 96.8.85.132, 96.8.80.132, 96.8.81.132, 96.8.82.132, 96.8.83.132, 96.8.84.132
DNS: chinaz.com (A) ➝ 125.90.88.68
DNS: superdansoftware.in (A) ➝ no answer recorded
DNS: kingfinearts.in (A) ➝ no answer recorded
DNS: peribox.in (A) ➝ no answer recorded
Note: the three .in lookups returned no address during this run, so any traffic the sample would send to them cannot be assessed from this analysis; only the two resolved domains could have been contacted.

Strings:
a.'
.
&
.7..

040904B0
2N3W
5.0.746.173
54rIT
Avira GmbH
byh	
C0wI
CompanyName
Copyright 
DavI
EM4X
ep9WVN
Er1b
FileDescription
FileVersion
GuL6
Iagz
InternalName
I windows setup API
IZn5
LegalCopyright
MAXim Edition.exe
MAXim Edition Version 2011
mM(H
MZoB
OriginalFilename
PjXz
ProductName
ProductVersion
puGX
SfMu
StringFileInfo
Translation
uXhq
VarFileInfo
VS_VERSION_INFO
 Windows MAXim Edition 2011
xFKfrE
XIRR
0CUs!{_
0E8BGCwb
0wxevA
18xKy5
1NfBAJm7
'!>1P)
[\1&|r<!M
1WAlsmXU
*2BHAw
2L11xe
{2}MfD
2on3 [W
[2/Rb<Q
{{{{{{{3
{{{{{{{33
{{{{{{{330
3333333
33333330
33333333
36k7TgU
3AH@WQ
/3E!FM
{3E{~n
3~I!),M=
]3K*#Hrcv!YVo
3mSh;L(\
3VkWMW
3X`mkc3ZC
3]YFc|}
42Ks{{
4cVPgN
4eVRg@
4gVTgB
4ja5Ts2
4{V53:XQ
4v72iK
4{VhgF
4yVVgD
5eGwM8
5%eLYRj
5EsP|Fo
5I1fqP
?\	5MC
5uv7M.
5_Vjg^
5[VVgZ
5wD0aQg
?6A^S5
6ehNUe
6F7snY
6:pgMdu
70jaCL
_7B7|o
7+xU;7+
89ega!.
*89}qkdu
}8u(48
8WUnLf
8YvHITsQ
9_1@W6
92EfQANa
~9(Msoa'
9uSTGrkb
|9XM{vM_[
a	5KXF
a7XNMs
ACEjO9
a|EifG
AEPn@{_
aETn`{S
AfKl~cad
AHA7BH
AHA{BHA
AHAf-nA7
AHAL+I
AH=$C?6U
AHPM.H@
AH*VAH@
AH:xr"
AJ1UJD
ajaWJgL
AMde3uKN
=aP.PoY
at;B&r
aYgC%`x
;`BAu2#M
BHABBFA
B[I{}HM
BitBlt
c7PXZa
cCU4{lj
CEASANCF1sIZF
ceoSj?T
ce`Si?U
Ce@SN?L
%~cF2*
cgTDWC
CharLowerA
CharLowerBuffA
CharNextA
CharUpperBuffA
CopyEnhMetaFileA
CreateBitmap
CreateDIBitmap
CreateMenu
CreatePopupMenu
CStQjn
cUa3`n
c&vd77
cY/5C~e
cYOcTP
Czhs'4V
d7dYB9c
d9AHoZy
`.data
DDDDDD@
DDDDDDDDDDD
DDDDDDGpw
DefWindowProcA
DeleteMenu
deoSh?S
DestroyIcon
DestroyWindow
de~)t;4`M>
DEtnC{s
DeYFV9
Dg.?R;Y
DhziDK
,D[iYPqX
dPUS^a
DrawEdge
DrawFrameControl
DrawIcon
DrawIconEx
DrawMenuBar
DrawTextA
dUa3jQ
e0>*su
e9gzHh
E$Ac[[e@
EeASM?H
eebSn?k
eEhnd{W
]eeJ!'
EEUnD{T
eh~|/{=
e%{Indzs
Em2gBOSH
EnableMenuItem
EnableScrollBar
EndPaint
_~E}nI
EnumChildWindows
EnumWindows
@E{OqNrMe
@EpnO{
EqualRect
eR1y1PpVL
_e[SF?@
.~~e|Sy?b
_e]S[?Z
eUc3a`
EUC3AO
ExitProcess
ExitThread
{E{yqx
{ezSy?g
f0cUgXf4
~f92sh
fAVCFN
FDXpkKt
febSo?k
fe`Sj?V
f-!g4k/k:.
F?<GTG
fjeUv8
FmoPhv
fn3u}i
fNwl8q
Fpn1%,
fqUp3}|
FrameRect
FSWPITxAk
FteR73
F|>+xN
fY'eCr
fzca0m
G3peN#F+6b
gdi32.dll
GeASK3v
gecSo?k
GeESC?@
GetClassNameA
GetClientRect
GetClipboardData
GetCommandLineA
GetCommandLineW
GetCursor
GetDesktopWindow
GetDIBColorTable
GetFocus
GetForegroundWindow
GetIconInfo
GetKeyboardLayout
GetKeyboardState
GetKeyboardType
GetKeyState
GetMenu
GetMenuItemCount
GetMenuItemID
GetMenuItemInfoA
GetMenuState
GetMenuStringA
GetMessagePos
GetModuleHandleA
GetParent
GetProcAddress
GetScrollInfo
GetScrollPos
GetScrollRange
GetSysColor
GetSysColorBrush
GetSystemMetrics
GetTopWindow
GetVersionExA
GetWindow
GetWindowDC
GetWindowLongA
GetWindowLongW
GetWindowRect
GetWindowThreadProcessId
gge]dF5cVv>
gKj9oGCa5
^gK/Q@!OEjr)
gq]Me%F
gVo5;l
GvuHTo
Gx,[rP3v
g*!Y&&
-#|'GZ
GZ6Ubb
h2ctYv
HA<BHr
@H@ABy
HA!wHA
Hg*._<sSC
hUQ3]Y
hUU3SQ
|*hwMO"
hz-+MN
i3R0Nl
i3]Uhf\
iBWgVOQXHF
IEXnH{G
IHWQQpDxeHHt
IicROt
InsertMenuA
IntersectRect
InvalidateRect
IsBadHugeReadPtr
IsBadReadPtr
IsChild
IsDialogMessageW
IsIconic
/I-SlZmH
IsRectEmpty
IsWindowEnabled
IsWindowUnicode
IsWindowVisible
IsZoomed
i(u*(WS
iwKltO
/izu/O
/izw/O
&:J5~ 
J8gcvytcY
jAj/j#j}
jcjnjZj=
JDb1D2
jHjMjf
jJjEjS
j`j&jL
j(j^jo
j_j~jP
jKjujJ
JLAsN3lb
JNRzi2
j!PP_HA
jqjnj\
j}rt`~
jsjEjnP
jsjrjPW
JT)&_<
jtfPAW1
jtjJj9
}JUhfI
&J:YsA
K1DT5E
k&{5grk5zVq
KE{nJ{z
KERNEL32.dll
KERNEL32.DLL
K&	[.GV
/kgy#7
KKy;8cM*
[kMWt~
ksCa0S
~kSW?[
LeIUvpst?r
leUSR?_
lF4FM22NE7Z0
lf!$cOOy
LGlaeqe
_l'lk{^&
lNbe7R`D
LO4IeWz
LoadLibraryA
LoadLibraryExA
LocalAlloc
LocalFree
LocalReAlloc
L~P[}X
LqrAQ8
l^~*s5
Lshell32
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrlenA
lTM44E
lUj3\O
M07W#7
MapWindowPoints
meiSU?R
MeKSH3q
mekSi?W
ME\nL{[
]Mg^3zWX.
&_mg)oKMDP!
|MG{tYml
MhVO7YuR
MoveFileA
MoveWindow
m&*pa*
?MsUeS
mSv\)'k
MulDiv
Mv2irS
mYJ:"VV
 n7u=}
~naaM5W
]n^^An
NbQHEMV
nelSk?i
NgtrUs3
nUk3T\
NWUrduKedg2m
o* 9y6)7
OeMSK?I
OffsetRect
OQ0IvCjoQ
Oq7AJXb
oSj6VsL
}*{o&\u
oUk3S\
Ov8BDK
OW8(Qj%
P3|M^m
,P\}!##5tT|
pdpmmA
pEan~{`
PeekMessageA
phj!3P
pIItxe
+pjSys
pJts5w
PMS.Y"
pOrLKXJ
PostMessageA
}pqf~;~t
Prs90}
P%->T1
_P=UEW
Q5}lfP
q7JIhHxwOFD
qEnnp{m
qe}Sy?d
q:|hmMZ
qHPAQGZ
qj2e4p
qjxHDJpQ
qPgZ5a
$qsf*7
q#%+/u
QVGnnwE
qXGxxj
R9R4Y6w
RaiseException
rc &'R
RcXSv'~-(
rdd"R 
RegisterClipboardFormatA
ReleaseCapture
ReleaseDC
RemoveMenu
RemovePropA
.RES11
@.RES16
.RES23
.RES43
@.RES72
.RES77
.RES89
@.RES99
rffPaC
RgNwdI
/RichN
RjdjPW
RkWDxHF
)rpoE!k*
".R}QQg
RRjrUM
@.rsrc
RvUAeMT
,S~&3"3
's+3$Tr
s5NHg!W&{;33
S6Zd~'
S7a]|u#
SaveDC
`_|~sc
ScrollWindow
+SCv(,
SendMessageA
SetErrorMode
SetFilePointer
SetForegroundWindow
SetHandleCount
SetLastError
SetMenu
SetPixel
SetPropA
SetScrollInfo
SetThreadLocale
SetWindowLongA
SetWindowsHookExA
SetWindowTextA
ShowWindow
!/si4MXf;
SizeofResource
\Sj]E~E
<>}<Sp
s^_Q]~U
S~_SF2G
!}sx.K
[*;#|t
Te_SZ?E
!This program cannot be run in DOS mode.
TiviW^
tIYHL2
tJYJ8Zk
TkO'E]~[SY?G
TranslateMDISysAccel
TranslateMessage
Tvl*fAH@O.E
~^}TZ_	
>u-_1#8c
_U[3YF
U94e7k
uA4HyycDH
$Ucd#M
ucj4?X
|Ue3`k
uEbnt{a
{Uf3da
U~G3Y[
UhUsUI
@UL3Hv
ulSh?T
UMT63A?
"[u`n3o
user32.dll
Ut>s%?
UUS3QB
uW>'	_
^UY3D@
~}Uy3eb
u|Y_e~
`u*;y#s
_UZ3DO
]UZ3YX
v\(0YW
v9ehbCpa
v9zcV0s
VerQueryValueA
VERSION.dll
Ve[S@1u
VirtualAlloc
VirtualFree
VirtualQuery
Vp4?$sI
VUQ3\F
VVv0ned
/,`"W'
W31*=[
w4cV19
W|5MN!
w7TqokW
Wf<>MC4
WideCharToMultiByte
WindowFromPoint
Wj#2VE=
WjEj^W
W\k_.i;
W:lM*= ^P
wq47xR
WQ(@?=9dCY<^_
WriteFile
wsprintfA
WUS3_\
WUU3SQ
wwwwwwwwwww
XeBSM+g1Ut3}y
xECdcL0
XfbIwFWg4JU
xHZEhG
xj{hvp9
xk61mHW
XM'?#$
xtRcT8
?XU~\3
XUE3BO
Xxybic8cd
Y7LznG
yde7{g~
YEjnX{i
yElnx{k
|Y)f+$
?YG7d}bm-t
<y!K7U
Y$Pak"k
YpO'@u
yq4toh
Yts3?7
YUD3OK
yvZWFd
ywAzyz
Zb!/!2yn
zeWuv0
zexSf?e
z?I5DIV-
z]\n(f
;|Zq17X_
zUe3kQ
z!W8HX