Analysis Date: 2015-01-16 19:09:44
MD5: bc8efbed1d053f33362086326d1b6c1d
SHA1: 4ea109e312d59b870903616bb6c0eff053a9b34d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section: .text md5: 0c0f447741913b8da166518c31daf6ef sha1: 347e51fd87f45602b806dbef6a4b8a8e8ee645e0 size: 9216
Section: .data md5: f11c87ffc945469d2427958d8e9601f7 sha1: 440305680eb19d30ed3b2a35cf52f14977dd0cf6 size: 11264
Section: BSS md5: 0b3ad41a8f47ded793802e1d66671d26 sha1: dfe2c3be1cd34bd024cd8e38a88d0b4e93214cfa size: 48640
Section: .edata md5: e572ccd238c503ad17f20fd5bcdf5a07 sha1: b3da470140caaf41a44a6088163b1a7a7b171ddd size: 1536
Section: .idata md5: 274bc306ee3b6cf8887c9764256870e6 sha1: d4a6edb822f3881db36e5bf573f61769547f954e size: 2560
Section: .rsrc md5: df0e935be12728e13c7a1bfffadf5e07 sha1: a302a4abb948f1986345d82792c869bc117b45bf size: 4096
Timestamp: 2009-08-19 23:15:30
Version:
LegalCopyright: Copyright © 2010 PC Tools. All rights reserved. r
InternalName: tmagO.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: 6v ik
ProductVersion: 7.0.0.61
FileDescription: yvVideo Componentwn
OriginalFilename: tmagO.exe
PEhash: a60971bc18eca2f2b4612f79b3af12593ebe3d85
IMPhash: ffa062e1be85e022a4d942ad7671ed4b
AV: 360 Safe — no_virus
AV: Ad-Aware — Gen:Variant.Kazy.21245
AV: Alwil (avast) — MalOb-KD [Cryp]
AV: Arcabit (arcavir) — Gen:Variant.Kazy.21245
AV: Authentium — W32/FakeAlert.KN.gen!Eldorado
AV: Avira (antivir) — TR/Jorik.odex
AV: BullGuard — Gen:Variant.Kazy.21245
AV: CA (E-Trust Ino) — Win32/Renos.D!generic
AV: CAT (quickheal) — Trojan.Renos.LN
AV: ClamAV — Trojan.Jorik-123
AV: Dr. Web — Trojan.DownLoader2.45518
AV: Emsisoft — Gen:Variant.Kazy.21245
AV: Eset (nod32) — Win32/TrojanDownloader.FakeAlert.BBT
AV: Fortinet — W32/Diple.IZ!tr
AV: Frisk (f-prot) — W32/FakeAlert.KN.gen!Eldorado
AV: F-Secure — Packed:W32/TDSS.HZ
AV: Grisoft (avg) — Generic22.ZFO
AV: Ikarus — Trojan.Win32.Jorik
AV: K7 — Trojan-Downloader ( 0017ee531 )
AV: Kaspersky — Trojan.Win32.Generic
AV: MalwareBytes — Trojan.Downloader
AV: Mcafee — Downloader-CEW.ar
AV: Microsoft Security Essentials — TrojanDownloader:Win32/Renos.PT
AV: MicroWorld (escan) — Gen:Variant.Kazy.21245
AV: Rising — Trojan.Win32.Generic.1286A333
AV: Sophos — Mal/FakeAV-IZ
AV: Symantec — Trojan.FakeAV!gen52
AV: Trend Micro — TROJ_AGENT.SMAH
AV: VirusBlokAda (vba32) — Heur.Trojan.Hlux

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe (the dropped batch file removes both itself and the original sample from disk, so the on-disk copy may be gone by the time a host is examined)

Network Details:

DNS: slideshare.net
Type: A
108.174.2.100
DNS: google.ch
Type: A
64.233.185.94
DNS: in.com
Type: A
123.108.40.13
DNS: jazzyard.in
Type: A
DNS: grindbuzzchat.in
Type: A


Strings
.{.
b
'
.
.
040904E4
 2010  PC Tools.  All rights reserved. r
427F
6v ik
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
MAINMENU(
&Open
OriginalFilename
OwVn
ProductName
ProductVersion
StringFileInfo
tmagO.exe
Translation
VarFileInfo
videosoft
VS_VERSION_INFO
XKBq
yvVideo Componentwn
"1.0jK
1Saa>P
2Igb;}
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3B""$33333
3IQI<*J
4"*""C3338
;4diR 
52*}23|
5Zb4U8w
9z9Lv4L
AdjustWindowRectEx
advapi32.dll
aeKMXr1
a^{)iV
!a=:Mo
_a%$pJ
  </application> 
  <application> 
?<asp=t
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
(at2Pp
^B1]fi?
]B(E7R
"C3338
"C8338
c_^9S#u
CharLowerA
ChildWindowFromPoint
CloseClipboard
?comp`
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateMenu
CreatePopupMenu
CreateWindowExA
`.data
DefWindowProcA
DeleteMenu
DestroyIcon
DestroyMenu
dg=LTA
DispatchMessageA
DispatchMessageW
DQ8dZd
DrawFrameControl
DrawIcon
DrawMenuBar
e=2Ro{
@.edata
e:J8QH
EnableWindow
)E._UP
ExitProcess
ExitThread
+F%0MwO
FfyQOY
FindFirstFileA
|FxbCq
GetACP
GetClassNameA
GetCurrentThread
GetCursor
GetCursorPos
GetDesktopWindow
GetFileSize
GetFileType
GetForegroundWindow
GetKeyboardState
GetKeyState
GetLastError
GetLengthSid
GetLocalTime
GetMenu
GetMenuStringA
GetModuleHandleW
GetParent
GetScrollRange
GetStringTypeA
GetSysColor
GetSystemMenu
GetThreadLocale
GetWindowDC
GetWindowLongW
GetWindowPlacement
GetWindowRect
GetWindowTextLengthA
GlobalAddAtomA
GlobalFindAtomA
_GnXsEalVMg@24
+>gumt9
h7l973
h9~$(o
HCn?CW\AP
hh:w]}_
"H*Mvu5E
@.idata
/]ijO01
InitializeCriticalSection
InsertMenuItemA
IntersectRect
InvalidateRect
IsBadHugeReadPtr
IsChild
IsWindow
IsWindowVisible
"J333333
"J"C3333
#<J?*m
j]M90}
KERNEL32.DLL
Km)SUz5
KVmyz5
lG:-Xq
LMbCeY0s
LoadCursorA
LoadKeyboardLayoutA
LoadLibraryA
LocalReAlloc
lQeVeK
lstrcpyA
lstrlenW
LxzUrh
M0';J)r;
main.cpl
MapWindowPoints
MulDiv
N?A-k\
ned\?e
OffsetRect
P60}_t
PeekMessageA
pjksOrQ
"pN9K1
p<tDei
pT,e"q
PtInRect
pxQUpu
q|$7.=
qwADV%
R1svRM0Q
RegEnumKeyA
RegEnumKeyExA
RegisterClassA
RegisterClipboardFormatA
RegisterWindowMessageA
RegOpenKeyExA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
@.rsrc
rv58wraAz
ScrollWindow
      </security>
      <security>
SetFilePointer
SetFocus
SetForegroundWindow
SetMenuItemInfoA
SetParent
SetPropA
SetScrollInfo
SetScrollRange
SetWindowLongA
SizeofResource
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
<s{^&W
SW15I_
SystemParametersInfoA
T\05SU
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
?_Tidy
tmagO.exe
TranslateMDISysAccel
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
uasker
Uh2g}eZ
UJto4b
UrFWhN
urh:8ch
user32.dll
UTF-8~
UUt4IgU
Uv.texi
uY5,6L
VirtualAllocEx
vj8$M(
W1yAn3
wGrMOuxH
WindowFromPoint
WN),S%:
|w=WVstU
XE}46w
<?xml 
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
Xt`kg2
Yck['TP.
Y\GvTV
yj6SVgeF
='YJa%
YwNKM7M
yZAANc
Z#\<mQj(
zr84+t4
zxP9IqJp