Analysis Date: 2013-07-18 19:21:29
MD5: 56e7cdaab2bccb389bb7a7db2319a850
SHA1: 41bf04fe073202f2748ac4ee4c2742c4a0857384

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section UPX0: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section UPX1: md5: aa7e220313fb56b12664ee54d7d7f716 sha1: 1aae773ca10b33779afb88ec0b63a7ebcfe4a65d size: 236032
Section .rsrc: md5: 5230357052354d5aa75fb264acecd672 sha1: 5316d4f0f0a0d40cd9e55e3eb140e4ac29fa4c66 size: 7680
Timestamp: 2012-03-08 16:01:46
Version: ProductVersion: 2.0.654.0
FileVersion: 2.0.654.0
FileDescription: Installer
Packer: UPX -> www.upx.sourceforge.net
PEhash: f150b4eabcbdd788c786d8fd3baa00f9c1bf7839
AV: clamav Suspect.W32.AdInstall.PBCXP

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar6.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar2.tmp
Creates File: Scsi0:
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab5.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar4.tmp
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: Scsi1:
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab3.tmp
Creates File: PhysicalDrive0
Creates File: PIPE\lsarpc
Creates File: C:\Program Files\SAItest.txt
Creates File: \Device\Afd\Endpoint
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar6.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab5.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Tar4.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Cab3.tmp
Deletes File: C:\Program Files\SAItest.txt
Creates Mutex: Global\Setup_028746_MutexItem
Winsock DNS: www.download.windowsupdate.com
Winsock DNS: b.coughstuffs.com

Network Details:

DNS: b.coughstuffs.com
Type: A
66.150.14.48
DNS: a26.ms.akamai.net
Type: A
92.122.126.154
DNS: a26.ms.akamai.net
Type: A
92.122.126.177
DNS: b.coughstuffs.com
Type: A
66.150.14.47
DNS: www.download.windowsupdate.com
Type: A
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP GET: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootseq.txt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
HTTP GET: http://www.download.windowsupdate.com/msdownload/update/v3/static/trustedr/en/4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5.crt
User-Agent: Microsoft-CryptoAPI/5.131.2600.5512
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/trackedevent.aspx?ver=2.0.654.0&rnd=443
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
HTTP POST: http://b.coughstuffs.com/vic.aspx?ver=2.0.654.0&rnd=79928
User-Agent: Custom_56562_HttpClient/VER_STR_COMMA
Flows TCP: 192.168.1.1:1031 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1032 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1033 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1034 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1035 ➝ 92.122.126.154:80
Flows TCP: 192.168.1.1:1036 ➝ 92.122.126.154:80
Flows TCP: 192.168.1.1:1037 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1038 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1039 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1040 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1041 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1042 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1043 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1044 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1045 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1046 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1047 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1048 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1049 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1050 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1051 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1052 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1053 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1054 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1055 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1056 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1057 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1058 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1059 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1060 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1061 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1062 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1063 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1064 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1065 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1066 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1067 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1068 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1069 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1070 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1071 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1072 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1073 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1074 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1075 ➝ 66.150.14.48:80
Flows TCP: 192.168.1.1:1076 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1077 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1078 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1079 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1080 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1081 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1082 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1083 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1084 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1085 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1086 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1087 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1088 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1089 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1090 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1091 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1092 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1093 ➝ 66.150.14.47:80
Flows TCP: 192.168.1.1:1094 ➝ 66.150.14.47:80