Analysis Date: 2014-08-15 19:22:03
MD5: 8909eb8959fdb6d6c5a8c940dac283d1
SHA1: 7277a816f514b4a828640f31a1c33940996a7017

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 4f0b38c2aff6dc8710dca1e30567fc50 sha1: 60d01c001016343cb8f4ac2d3ef938e7da0d405b size: 7680
Section .data md5: e52c2dcb21ffc7407bf73584a2f1ed6e sha1: fde480c548d128a7cec65b9701eff623e56e04e7 size: 12288
Section .bss md5: a57211c4f2605a36d8d4110817825752 sha1: 7bde00b6a665442a5b37f973e184a9b07a15bc24 size: 96256
Section .idata md5: 3fc7efd3fb56d4af24d9926d8fcd8856 sha1: 4d907deb2840974d688a162b8ae2c6cd459750dd size: 2560
Section .rsrc md5: 8ee79860da85f2f05d4153eefdedd218 sha1: c44731f5ab5fbae9769dddab208e2e67b2c91b88 size: 4096
Timestamp: 2009-12-11 21:59:21
Version info:
LegalCopyright: Copyright © 2010 PC Tools. B All rights reserved. FQ
InternalName: kmag5.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: H lM
ProductVersion: 7.0.0.61
FileDescription: Z7Video Component
OriginalFilename: kmag5.exe
PEhash: d013545bfd45bd368a33f227b913b24de4a70fa7
IMPhash: ee49d2226f96cab270b36b433d4f3a5e
AV 360 Safe: Gen:Variant.Kazy.20730
AV Ad-Aware: Gen:Variant.Kazy.20730
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Heur.W32
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader2.43592
AV Emsisoft: Gen:Variant.Kazy.20730
AV Eset (nod32): Win32/Kryptik.NBD
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado (generic, not disinfectable)
AV F-Secure: Gen:Variant.Kazy.20730
AV Grisoft (avg): Downloader.Generic11.WSH
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Riskware ( 0015e4f01 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.20730
AV Norman: winpe/Suspicious_Gen2.NLYPQ
AV Rising: no_virus
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Downloader
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): Trojan.ExpProc.EA
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\NtWqIVLZEWZU\Olo5 ➝
30390700
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{BBAEAEAF-1275-40e2-BD6C-BC8F88BD114A}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{E03B8BB0-8A43-475d-B3D8-8503D5E21BDF}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:

DNS: nk.pl
Type: A
195.93.178.5
DNS: nk.pl
Type: A
195.93.178.6
DNS: icio.us
Type: A
50.18.58.68
DNS: 126.com
Type: A
220.181.12.218
DNS: 126.com
Type: A
123.125.50.22
DNS: moresonline.com
Type: A
66.228.61.232
DNS: superseh.com
Type: A
HTTP POST: http://moresonline.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 66.228.61.232:80

Raw Pcap
0x00000000 (00000)   504f5354 202f2048 5454502f 312e310d   POST / HTTP/1.1.
0x00000010 (00016)   0a416363 6570743a 202a2f2a 0d0a436f   .Accept: */*..Co
0x00000020 (00032)   6e74656e 742d5479 70653a20 6170706c   ntent-Type: appl
0x00000030 (00048)   69636174 696f6e2f 782d7777 772d666f   ication/x-www-fo
0x00000040 (00064)   726d2d75 726c656e 636f6465 640d0a48   rm-urlencoded..H
0x00000050 (00080)   6f73743a 206d6f72 65736f6e 6c696e65   ost: moresonline
0x00000060 (00096)   2e636f6d 0d0a5573 65722d41 67656e74   .com..User-Agent
0x00000070 (00112)   3a204d6f 7a696c6c 612f342e 30202863   : Mozilla/4.0 (c
0x00000080 (00128)   6f6d7061 7469626c 653b204d 53494520   ompatible; MSIE 
0x00000090 (00144)   362e303b 2057696e 646f7773 204e5420   6.0; Windows NT 
0x000000a0 (00160)   352e3029 0d0a436f 6e74656e 742d4c65   5.0)..Content-Le
0x000000b0 (00176)   6e677468 3a203231 370d0a43 6f6e6e65   ngth: 217..Conne
0x000000c0 (00192)   6374696f 6e3a2063 6c6f7365 0d0a4361   ction: close..Ca
0x000000d0 (00208)   6368652d 436f6e74 726f6c3a 206e6f2d   che-Control: no-
0x000000e0 (00224)   63616368 650d0a0d 0a646174 613d5159   cache....data=QY
0x000000f0 (00240)   70556a59 706f6f30 4d35414c 6f746c71   pUjYpoo0M5ALotlq
0x00000100 (00256)   53466846 694f4652 4c395731 33676f2b   SFhFiOFRL9W13go+
0x00000110 (00272)   742f7478 306c6769 53694e75 64433273   t/tx0lgiSiNudC2s
0x00000120 (00288)   7872797a 71676943 4e616845 6a397758   xryzqgiCNahEj9wX
0x00000130 (00304)   62507556 44786364 70793631 59445563   bPuVDxcdpy61YDUc
0x00000140 (00320)   70386442 5145344c 47656d75 4b6f3059   p8dBQE4LGemuKo0Y
0x00000150 (00336)   53353063 2b737543 49514363 35646461   S50c+suCIQCc5dda
0x00000160 (00352)   76383937 686d616a 70674f36 32345558   v897hmajpgO624UX
0x00000170 (00368)   4572617a 4b486f63 35326976 6c7a4c74   ErazKHoc52ivlzLt
0x00000180 (00384)   73736656 57794739 30587844 32615676   ssfVWyG90XxD2aVv
0x00000190 (00400)   48316a30 3230576f 44463250 6649466d   H1j020WoDF2PfIFm
0x000001a0 (00416)   714a4374 504a7146 356a6579 39424b45   qJCtPJqF5jey9BKE
0x000001b0 (00432)   77594974 39304a7a 5a5a6645 6c704e6f   wYIt90JzZZfElpNo
0x000001c0 (00448)   4752                                  GR


Strings
RBt.s
.
.C..
_
..
v
.8
*
040904E4
 2010  PC Tools. B All rights reserved. FQ
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
H lM
InternalName
kmag5.exe
LegalCopyright
LegalTrademarks
MAINMENU(
&Open
OriginalFilename
ProductName
ProductVersion
StringFileInfo
t0rk
Translation
VarFileInfo
videosoft
VS_VERSION_INFO
Z7Video Component
 #$%(-,@
0#u\&6
0ZQA4!UNIQ<STRZ
%"1{#&
1exaf@
2B6SAOAAt
2NsEyy
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
	34hTq
3B""$33333
3,t8R;;
,[&3Vc6
3w@645
%49W3w
4"*""C3338
4J.XuX
4q}]WH
5Cf9#`
5Rm'}Y+Mx#<E
_5VKBG8e@24
!7DhcI
7fwjqKIc
7V+C(N
\8]3`SE
85QP.>
8 6i]c
88Tv3%
8<-XF6
90zO+n
9A)omE
9Y>4t?|
9~YwFA0Z
a0Wzjw
a3TicCkiun
aD844i#5
)a>e7L$
!;Ah~p
Ai+ft@
aKBc/$
AM_FXKn
  </application> 
  <application> 
&Apr 1
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
-{A	X5c
'aZP#Wj9
bcm?(%
BeginPaint
_BlBvI@24
_BOgOk777ySaGJ@12
BQq4rNJ00MQ
bXQcG!
C0),3(
"C3338
[>{c5h
"C8338
CallWindowProcA
Cgd>;O
CharLowerA
CharLowerBuffA
CharNextA
CharUpperA
CharUpperBuffA
CheckMenuItem
ChildWindowFromPoint
C>`HRC;
CJ#pxc
^cMVFa
c my0yE3
COMCTL32.dll
CompareStringA
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CP60wnc
C\PhjV
 +cpy#
C,R6W`$
>C,R<E$
CreateFileA
CreatePopupMenu
cY^PVJ
$D!0dG(3
#d705\
D74h0L8
,d8e!_
`.data
DeleteCriticalSection
DeleteFileA
Des}\s
DestroyIcon
dnqyp5W
DrawEdge
DrawFrameControl
DrawIconEx
DrawMenuBar
^E4'@3
E)4zSm
E5de/#
{-E9K+Hm=;A
Ecc|2j\
eDxo5TVW0
 	EHN!4
EnableScrollBar
EnterCriticalSection
EnumCalendarInfoA
EnumChildWindows
EnumThreadWindows
EnumWindows
*;EryY
ExitProcess
E(YTdTe
fO&G9X
_g4siDObv54w@8
G98765g2
G9)|nn
.*Gc|8
GetCapture
GetClassLongA
GetCursorPos
GetFileType
GetKeyboardState
GetMenu
GetMenuState
GetMessagePos
GetModuleFileNameA
GetOEMCP
GetParent
GetProcessHeap
GetPropA
GetScrollInfo
GetStdHandle
GetSysColorBrush
GetSystemMenu
GetUserDefaultLCID
GetUUs
GetWindowLongA
GetWindowPlacement
GetWindowRect
GetWindowThreadProcessId
gmHT3w
gqo92K9-kE
g[!T.OS
GU'9C,u+
gv2JKC
h2kDxMeI
}Hh8w1
H],hTE
Hk37sG
,>%HRC
hs~W|c
	I60VnE
@.idata
iH0XIQ$
)I%L?A
ImageList_Create
ImageList_DragShowNolock
ImageList_Draw
ImageList_GetBkColor
ImageList_Read
ImageList_Remove
InsertMenuA
InsertMenuItemA
/IS4D<
IsBadReadPtr
IsWindow
IsWindowEnabled
IsWindowUnicode
IsWindowVisible
IsZoomed
I-VZ}L.J.
"J333333
"J"C3333
`^*jw\
$j,Wnf@
:k77(#[[;
+ka6vg5
KBmW7O
kCPC>!
kernel32.dll
;KEV9#Yt
KFz>q3
kmag5.exe
+KOcRT}
kQS4hTx
`K@tq9Nw
'*Kt%+s
?^lggH7
lHu}(=v4Se
L#(M%]i
	LmSz	F
LoadBitmapA
LoadIconA
LoadLibraryA
LoadLibraryExA
LocalAlloc
main.cpl
>;)mGp$lXGcDt0KoP
MqDiFva?
MsgWaitForMultipleObjects
MulDiv
-N _5}
n:d\  
Ndh2W_5NjmS
N]gQ62
NY3t7b
o19lOL+EAUT{
oD0rl9
OffsetRect
On9zVPP
OpenIcon
~oT}#W
P_ -+(
P0V6?e
( p1l`
pb;QdQ
;*pDtb
pfHr@7
P\m^e0
PmT5o7
p~[!r@
PS`/2v1!
=PS+8}
PtInRect
p y$*yO
QFp<j[*(
Q\GtJ`
Q!~;#J
ql#9xH
@Qm6ta
)qQi=n
Qx8q'P
QZ^&]=3
&.rdat	+
Rdw2jb
RedrawWindow
ReleaseCapture
RemovePropA
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
R]IQXe)c
rlrlb@20
:rq+32)E*S"	
@.rsrc
.s/`1z
s9xb$0
sACvm(
s'aOsZ
Sby=6+
SC	mi}+$ng 
ScreenToClient
ScrollWindow
      </security>
      <security>
SetActiveWindow
SetClassLongA
SetCursor
SetForegroundWindow
SetMenu
SetScrollInfo
SetWindowTextA
]'sHc*
ShowScrollBar
sm}H[^
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
SWa^KQ
t1|>b)
^;_]T4
tA^"_u
T<>CxLK
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
tP1CRdIhaMEfE
%\TR>j"U
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t.tx)$|
_T?UiOs
TwDSVf,m
Ucc=$J
#{UfhYq
uGzYxujfr
UnregisterClassA
U!^]OQ
UpdateWindow
UR65WGiUWUkK
user32.dll
UYTBohOaSwd
_v19v1w7L@20
VirtualAlloc
V,!KS^
VLBatbr
^VSiMj
vSMEp0S6b
-w1D.mcb
W7NF7Au
WaitForSingleObject
wEBtHXqc
WideCharToMultiByte
WriteFile
WRQP.Sjf
X19CNbvh5
x1)\Ix|)
x&#5xK@
@/X-A&
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xt;J^[
XtY9wAA
@ |XX9W
y}3]KlX
y5H^3lf`)SHLW
&][Y8gVmL
yJAj5B>pk
Y>soIE
YZFKlV
ZHR6f<
zk8?%"R<
ZOoAJuj
*Z[veh
!zVh^M