Analysis Date: 2014-03-02 03:27:03
MD5: 3b14f060b2cf91e65d5be34a55bdf5b5
SHA1: 8db48dbc5bcbb604d25c8dfd25491c3db078a3e9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: b6889cea5d67c7355da16dae4e5bd98b sha1: aeb70e64338d5c2c54b423b5fe4515baef8ec23e size: 18432
Section .data md5: 429414eab32d45731dd0f49e95eb1efd sha1: 900144918e4dc639bfa0e10aecea3c4105d11e3f size: 143872
Section RES02 md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section RES86 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section RES44 md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section RES00 md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section RES72 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section RES43 md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section RES22 md5: bf619eac0cdf3f68d496ea9344137e8b sha1: 5c3eb80066420002bc3dcc7ca4ab6efad7ed4ae5 size: 512
Section RES30 md5: df2ae93fb6af94141f25bbf109093c53 sha1: bc822d4326cd45351d5d6b7eecec482be80aed71 size: 1024
Section .rsrc md5: 5ee83432f687cea1f2f1a86ee361da70 sha1: cbf053e66e3150f9c2fe64b79b19b46c3c741ef4 size: 2560
Timestamp: 2009-06-12 07:59:25
Version:
LegalCopyright: Copyright © Windows mAxIm Edition 2011
InternalName: mAxIm Edition.exe
FileVersion: 5.0.746.17312
CompanyName: Avira GmbH
ProductName: mAxIm Edition Version 2011
ProductVersion: 5.0.746.17312
FileDescription: Windows Setup API
OriginalFilename: mAxIm Edition.exe
PEhash: f73b7db7cf381c39ba83087fb86a1c56cf68c10c
IMPhash: 431186c2fbd0006325939775ccd295f4
AV clamav: Trojan.Crypt-362
AV avg: FakeAV.ILP
AV avira: TR/Crypt.ZPACK.Gen
AV mcafee: Downloader-CEW.q
AV msse: TrojanDownloader:Win32/Renos.MJ

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1806 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\malware.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat

Network Details:

DNS: redtube.com
Type: A
62.212.83.1
DNS: xtendmedia.com
Type: A
98.139.135.198
DNS: thestartsoftware.in
Type: A
DNS: kingfinearts.in
Type: A
DNS: peribox.in
Type: A

Strings
3
..
.
..
.
.k."
040904B0
0IMf
2L4d
2r0pb
3JRZ
5.0.746.17312
8SmhM
Avira GmbH
Bk539i
bxWl
CompanyName
Copyright 
dYVv
EJqa
etwFV
FileDescription
FileVersion
FPNW
^FPV
gBUb
InternalName
jFLO
JVpv
l2SW
LegalCopyright
mAxIm Edition.exe
mAxIm Edition Version 2011
NDDo
OriginalFilename
pKgR
ProductName
ProductVersion
rW8U
StringFileInfo
Translation
VarFileInfo
vE4C
VS_VERSION_INFO
 Windows mAxIm Edition 2011
Windows Setup API
XFXm
yaPQ
0BT_o#
^;0`fQ
1:@d<dbHI
2gwFba5H
2ph0FqN
{{{{{{{3
{{{{{{{33
{{{{{{{330
3333333
33333330
33333333
35IXddT
3BqkLT
3qVrE71
>,3[u1/
425zNYhd
4bmhd4U
4GeT8Oek3SS
4WAFyT
56sI5qkmXb
5\myjo
5pmqH0
#;7AL	sA
8l7yfu
|8olM]
9FUw1XqrLM
+9ke&{
9o88Rlkx7
A8Ijjv
A91 j5J
AAeyZF
ADVAPI32.dll
AjKoOyuGkb
ar3bbM
as0u@=
("asb.	
AyOkT5ajRm
ayxFjv
AzB05j
?B}DgBs
$Bu~w>
BWMofgH
calc.exe
CEcfDZ
COMCTL32.dll
C:rW[?
CV8WgI
cz7pdF
CzuEHu
D01GOf
`.data
dcVRpjN
DDDDDD@
DDDDDDDDDDD
DDDDDDGpw
DnNmFS
DSEhZS
DwF1wV
E0xMVN
E8Z5s09
eeEvHmTy0
'efpu~)R
eOv78pa
EpZaIc
erb69zS
exHyQor
ExitProcess
ExitThread
%F2^{54l
FrdaBnN
>fVerQueryValueA
gAMEmzv
GetActiveWindow
GetCommandLineA
GetCommandLineW
GetLastError
GetModuleHandleA
GetOEMCP
GetProcAddress
GetVersionExA
gfVJWZ
@gH?N-
gN22Jj
GNw7xs
grKgQKpH
gvzedqT8S2
H8NLJn
HCXo2TVFNu
HRyvEb9Dz
hZgQ0c
,I[Dc]$
%il\9+
ImageList_Add
ImageList_Create
ImageList_Destroy
ImageList_DragShowNolock
ImageList_Draw
ImageList_DrawEx
ImageList_GetBkColor
ImageList_Read
ImageList_Remove
ImageList_Write
IsBadReadPtr
IsIconic
Ityo88i
IvKnbWt
iy@6\/1T=
*iYRGe8
iZBmDt
J,('&1)~
Jby7DLkAM
jfF5uy
{J@h^n
`j \Qi
)jY. 4
jz7Sk1xw
]k0z;X
k682LOL2E
k$'aPE
KbSjz%
kcQ:!hY
kernel32.dll
kernel32.DLL
kMPJyPZ
LAX^|gC
LNQcrs
LoadLibraryA
LoadLibraryExA
lTzzNiDal
lWBWiqRn
MaHc+*
mC5nlany
mN57QJj
MtlWmZx
MtsUag6
MUQ6CC
N0duLtaI
nB1]0l
nB$WoB1
nF*a{'
oG<kMo
oHdSM5z
oiKvxJyx
OxogV5
P58vaPx
$P9mXS
pawWZFN
pNDoMw
Pp2H6WfP
p]VRLj
qPtR7Bd
QQ1JDMqDNROP
RegCreateKeyA
RegisterWindowMessageA
@RES00
@RES72
rH3vFr
rHCSWYW
RLALNRR8
rP8Dkh
RSfz3K
rsmERf91SO
`S~1I3X
sJyRea
SVdaedF
swXebD
	s^YW.I
sZjMnw
=;%}T^
/Th(A$rB1t
!This program cannot be run in DOS mode.
TMhWcx
=tVY@q
UaSq$t
UAzOxE
USER32.dll
UtL0qN7aN
UYcGwodPB
V!19WT
V\.?C?q
VERSION.dll
vIi8M3j
VirtualAlloc
,vki.>
V;oN0q
Vw -hQ
W0G<_p>
W96ce0H
WdbCUbo
wnNq97pG
wqy8nGm
%wV)<a
wwwwwwwwwww
WxN9O#w
X7EcBJ
xaJ#K?i
XmMuPvl
xmWBcPaZ
xNQni7T
xURWa9
xVAwBw
"XzOx!
Y#+_,<
y'}j{n
y{LP4H
yoG`.^@
YQ7k8r
zb5#P,
>zDkOjH
zOmR6l
zuwmDM
ZwFG1BBSV