Analysis Date: 2014-08-26 20:13:28
MD5: 34d50f1ac010950552d3577647778d0f
SHA1: 8ea632c993c7f6147a2e444f5dc213545bf8ef4e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section.text md5: 910a9c8d0324191621fdea6c5ff12389 sha1: e25da2106609ed06eacae9cb1a59778660b74736 size: 7168
Section.data md5: a9df6616f93c02b4f1f749711328c003 sha1: 69e92e246faa8ecc2a6e87c79f5ef5308f25fa1e size: 48640
Section.rsrc md5: c2187ff1d0136225644dbd2e6f6b5be1 sha1: c9f81729cdae9f4e1b12cf5dc346cb111db2113b size: 4096
Timestamp: 2009-05-20 16:06:38 (PE compile timestamp; note it predates the "2010" year in the copyright string below, so one of the two is likely forged or altered)
Version: LegalCopyright: Copyright © 2010 PC Tools. oS All rights reserved. Zv (string reproduced as embedded; the stray "oS"/"Zv" fragments are present in the resource itself, see the Strings section)
InternalName: SOmagHq.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: H
ProductVersion: 7.0.0.61
FileDescription: zVideo Component
OriginalFilename: SOmagHq.exe
PEhash: 3ab36fc857b89083b53cb536e95c1e1ba8169433
IMPhash: 6ec9890ab61c114f1df08f314e9f3914

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3\1806 ➝
NULL (zone 3 is the Internet zone and 1806 is the URL-action value for "Launching applications and unsafe files"; the recorded value is NULL, so this may be a read/query rather than a write — verify against the raw trace)
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc (named pipe to the Workstation service; presumably a side effect of UNC/path handling rather than deliberate pipe abuse — confirm)
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat (dropped batch script; it is executed by cmd.exe below and deletes both itself and the original sample)
Creates FileC:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates FileC:\Documents and Settings\Administrator\Cookies\index.dat
Creates FileC:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul (runs the dropped batch file with echo off and stdout/stderr discarded)
Creates Mutexc:!documents and settings!administrator!local settings!history!history.ie5!
Creates MutexWininetConnectionMutex
Creates Mutexc:!documents and settings!administrator!cookies!
Creates Mutexc:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ "C:\WINDOWS\system32\cmd.exe" /q /c "C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat" > nul 2> nul

Creates File: nul
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\Ogf..bat
Deletes File: C:\malware.exe (self-deletion: the batch removes the original executable and then itself, so the dropper leaves no on-disk copy under its launch path)

Network Details:

DNS: repubblica.it
Type: A
213.92.16.101
DNS: seesaa.net
Type: A
59.106.28.139
DNS: seesaa.net
Type: A
59.106.98.139
DNS: yelp.com
Type: A
198.51.132.60
DNS: yelp.com
Type: A
198.51.132.160
DNS: fivepadgroup.in
Type: A
(no A record returned in the capture)
DNS: webdatum.in
Type: A
(no A record returned in the capture)
Note: the three resolving names are well-known public sites and are plausibly connectivity checks; the two .in domains that failed to resolve are the more likely operator-controlled infrastructure — treat them as candidate indicators, not confirmed C2.

Raw Pcap

Strings (notable: the embedded application manifest identifies itself as "Windows - Setup UAC" and declares requestedExecutionLevel level="highestAvailable", i.e. the binary asks for elevation at launch; "CALC.EXE" also appears as a literal)
).4
.
v
.
2.`
.C
040904E4
0i1FX
 2010  PC Tools. oS All rights reserved. Zv
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
E&xit
&File
FileDescription
FileVersion
FWQ9
InternalName
LegalCopyright
LegalTrademarks
MAINMENU(
&Open
OriginalFilename
ProductName
ProductVersion
SOmagHq.exe
StringFileInfo
Translation
TzRE
VarFileInfo
videosoft
VS_VERSION_INFO
zVideo Component
%\~!^.
06y1<{
0bztpx
0[H;pHX]m
1CDMde
%1tytb
22M	1-
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3B""$33333
4"*""C3338
5<^a:-]N
5P:k|I6
5T6ul^~QizvH2
5xmPj<
987654K
AOqxTDHX5cab
  </application> 
  <application> 
Apr #!
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
B1DJNsa
$basic_
bF5wfQ
bly On5B
>@BQ2"
b$SbcZQ
BymnT2
BZTEBTN
"C3338
"C8338
CALC.EXE
CharNextA
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
?compY
cVRbY5g 
d|7LSx
`.data
d]GY2m
=d_Vdv8s
dW*rtw
(EE\7/
ERN	L32
etLxmEr
`EubYi
ExitProcess
f1Y6Ti
F'	c95F
FGOcv5
GetCommandLineW
GetLastError
GetLocaleInfoA
GetLocalTime
GetMenu
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
 G<~MQ
~h^4<8r
h)^}?q
i9mkM1HzeB
IAM(`Vs
Id2ti).zXO
"J333333
"J"C3333
jOUvwx
kernel32.dll
KHlADV*P
KI}43"i
kKjT<3
LiAFx1VWhI
L^+m(]
\ln~9;
LoadLibraryA
L<?xml
M<=D48
Md>	s[
 ?mnl<
mPwy,!v
mZKYV1
N;0u4,_
!OsE6y:
oyerlX
oYZSKp
PtSx=P
QAE@XZ`
QBEHIGP
Q]%(D<
^;Q)\UJ
QZ^&72H
r0zcYJd
`.rdat)Y
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
[rXVhSz%V
SaVH]b
Sc@j:^%]
      </security>
      <security>
SetWindowTextA
ShowOwnedPopups
ShowScrollBar
sL.3Br
SOmagHq.exe
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
@-+t3//o8/=	
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
?_Tidy:q
TL}k$;
tplPAs
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
t(=UWv
UNIQST
uq5+*8
USER32.dll
UTF-8	
uwZnYpGt6CP
VGjq,>
VirtualAlloc
vj"Z5~S
vmHGXc
W`I[[p
:X`BmL
xl=,m[Wa
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
XpekLdE
xSx"._
y%7l?>
YA'^V{
yC0AzC
y|.,Se
z0QG6HBd
zGlJ:7
 }z*X#