Analysis Date: 2014-09-09 21:57:19
MD5: 55b7eb4833ba6859d9e755c0a6bbc548
SHA1: a24426b4662f7791ba340f307b25facb559c2672

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e37def91a1a570a864b6372fc2b1d790 sha1: b0a66c84415bc4672de9c9eef7bf9f887a276457 size: 13824
Section .rdata md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Section .data md5: e1635ce39cb41c48d405b44af1717bd7 sha1: 7c2a5730894cba1909b03f0f19109e7def0d71f0 size: 113152
Section .rsrc md5: f2814ec3ef9326940fb4f02244e83beb sha1: a70dd0b58b182446eaaf9480a8556714add41e6c size: 5120
Timestamp: 2010-01-20 09:40:00
Version:
LegalCopyright: Copyright © 2010 z PC Tools. E All rights reserved. A
InternalName: Rvertum0
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: y
ProductVersion: 7.0.0.61
FileDescription: Spyware Doctor ComponentT
OriginalFilename: Rvertum0
PEhash: 3b069f3e18d327dde077f77413a52931bc206cc4
IMPhash: 54ad6e7c960129ea2e4510a951bdb22a

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com

Network Details:

DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: qqplot.com
Type: A
109.74.195.149
DNS: lacvictoria.com
Type: A
DNS: paulo-fg.com
Type: A
DNS: bonreligion.com
Type: A
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c74554d 31757932   SvxqCiK0ltUM1uy2
0x00000110 (00272)   2f797534 55355970 4e6d3176 2f2f6a54   /yu4U5YpNm1v//jT
0x00000120 (00288)   6e675663 2b774d73 2b2b5a42 6a375a53   ngVc+wMs++ZBj7ZS
0x00000130 (00304)   59547233 69426b47 2f672b37 5643432f   YTr3iBkG/g+7VCC/
0x00000140 (00320)   30705533 6b4f4870 37655263 48506959   0pU3kOHp7eRcHPiY
0x00000150 (00336)   6f393930 4d55756a 67555734 62765449   o990MUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   49367034 366e3336 642f3334 6b705656   I6p46n36d/34kpVV
0x00000240 (00576)   32623651 672f413d 3d                  2b6Qg/A==


Strings
.[_...
.
.
..Go.
..
.
040904E4
 2010 z PC Tools. E All rights reserved. A
7.0.0.61
7qDp
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
fdT9
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
Rvertum0
Spyware Doctor ComponentT
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
yJGDC
=0>1KO
%'02x;)?#
}0AJt$
0oY3`>
0uD4o@8]c-~
13*2557s
_17ovpUHy3VjYGG@8
1[dhXg
}1gB`+
1WoQpj
2a`9)Y|yc
2aWqj=he
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
48<[.t
4|Bg?t[
|=4FQ^uNN
5%5\^)W
~$5(7,
	6Rt:.
`72;pDtg
7eb,8n9f
7=lSa>&
!:7*MX
"<^8fP
	8nbM|vj|
8)P7;%
8q'D%v
8_)$tEYP
8XWU+5|9
96,[KtS
9A!t2P
9ok!6"5
_9^(u!!
>Alp?a/
<aNt##
a#P~=-i
AP"o:O q'R 
AwR8C_7YF
aZMHvK9366@4
{%b(=|
&b\9;8
,BD^[R
BeginPaint
B.EIP.D	
bk"rNlf
b#X6Rdq
c6/0HYc
CallNextHookEx
CallWindowProcA
CharLowerA
CharNextA
cr19xH
CX[YZq
CYJ~%;
cYn5G2Tze
c&z;c7
D8yMp][o?/
@.data
dg,ZOi
dh+Zn}r
)DmnvW
d-nuLD
dr#saV
Du47RL
DZOLkc
e28BR"
E~~J?<
epn0Yt
eQgPt@
esaH6pmm
ExitProcess
=;!F\}
f\a}[L<gI
F,^F	\Y
]!`fHV"
FindFirstFileA
]fI)!rS
FMeznb`
FormatMessageA
F<Pc8a
FU+AQPoSR
#\'G7+
gDyAPK
GetCurrentThreadId
GetMenu
GetModuleHandleA
GetProcessHeap
GetTickC-ounD
GetWindow
GlobalAlloc
g"n!PUA
GNv]E&
GQcY5}
_H85hmM
Hb?lA;T
hhjDY13
`H$*P}
hpS5`.rd
HuTMBa
h!vl{5pV
HV	V5 
~	hXn61o
I} 8i90
idjAcJ
_iQkCD@12
i:Ufv,
'-)%j@
jFq`Q>
j>h8E%J
(J J "3
jMA,}z}Mj&
k%[7=s
k_9p%4tTe
KERNEL32.dll
*k'hcK
K%W8]>
KXx.1WrY;
L:#) #! 
lcOCURdt
lInS[mu
Lj5y7x)
LoadIconA
LoadLibraryA
LRq~LM
&!ls=jks
lstrlenA
_L*U]w$Ki
LV\1w<
LWysx,
@lzm}Y
M"B`:Sjf@{8
_MNMMQKh0W50Xt@8
MTau:'
mV[+3}
]mYQa,
;MZu{\
nb}Xc8
nexg#8
	~N^F.
nfYjSbZ
n;MO|Y5x
NQJtbqA
n"(:sK
*nVG#%%]
O?aNHR|
+~OL9EAUTi
o:RTJ5
;oX!tF
OY1PX@16
p0T&#{
&P%8q`ekY
p`~G23
pKjyWCW
p)sa79
p)v6?+N
^Q4D1s
#qFeCr
Q<IP)|X
qJ\6QQ
@:Qm6t
qqX{rs
?q:R0*
qT,OSlXg
Qv;LJrQ
R6wc8T
R7TNx6
`.rdata
rHT/PPoc
rj|zF1
_R_lY2SZ
r/q=}ui
_rsJfQog
Rvertum0
RVj6j(
_rydl4@20
s4.m18
SCNUymZ
SgAP8S
shlwapi
SRQ2PWja
,s.tex
.S%UKaf
s	YUBvsS
`Sz18;
|sZ;n}
t(20\$
t/bRSPX
tb!tlQu
This program must be run under Win32
t{kZlz
trrQHA
tWa^[whOXu
'tYK|_
^U054LbV
UN4IQSTRm
updrPXJx7kO6
u[Q_'}
user32.dll
*@V0uV
V1K-bB5+
V6; 	H
VirtualAlloc
VirtualAllocEx
vQ"|cw^
+vxXS%,
w6i?Uc
WDSFv@12
wF:O6O
*WIN7E
=$wJKu
~$W@Kk
?WSAKF
W"xf W
x{_/0C
X{cjp:
\	{Xe-2I
%Xfq[dU+
x$g"Zm;
x;=h"8t?
XJd'92m
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
X:%PSJ
Xq&$)7'
xSjt'92}[T
X{tiY7*ux$
xtMImF
Xw,TK|
xwVq3'
xWWYwG
y;D"'d
$y'j<! 
YkWHcg
YO3TEGiVuBDJ
_yPBF7GbS@4
yqdBMr
Ytn!8B
z8g4'k8
Z8uHLk
zGKcH;
ZgWvxOcqi
ZiByi-ToW.d
ZjMdE4u0zj8
zNB	BW
ZQLr6O&
ZtXlV'2M
zUIM 2
Z.v;*}