Analysis Date: 2014-09-11 20:03:04
MD5: 866ca396a47e364dd1b73e445ffdcd09
SHA1: a2f3ecf33b4343296351ab56c4f742c965d87d77

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ff47dd239c9c1c30ed177ad8ea2b922b sha1: 90cf86943a8316a4b05c186944478e94132a2c7f size: 7680
Section .rdata: md5: ca7dc21f57745db1bc61dcefaee37e71 sha1: 6022a4769bf30c07a92885e7c765ae059b91b986 size: 107008
Section .rsrc: md5: 707685f5ba7c8093dabaaedad5539140 sha1: a9a2f3cba52b7b5c785d7d0fe7866cddfafe5d51 size: 10240
Timestamp: 2009-03-03 19:57:34
Version:
LegalCopyright: Copyright © 2010 W PC Tools. 3 All rights reserved. d
InternalName: Mvertui0j
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: HA A
ProductVersion: 7.0.0.61
FileDescription: mCSpyware Doctor Componentg
OriginalFilename: Mvertui0j
PEhash: e24f591180ad716dc7d9274eda61e84bcc2554e5
IMPhash: 074a15b12f4351fc1dcf0e2b779983c3

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: hopvariety.com

Network Details:

DNS: wsj.com (Type: A) ➝ 205.203.132.1
DNS: wsj.com (Type: A) ➝ 205.203.132.65
DNS: wsj.com (Type: A) ➝ 205.203.140.1
DNS: wsj.com (Type: A) ➝ 205.203.140.65
DNS: fastclick.com (Type: A) ➝ 64.156.167.84
DNS: nifty.com (Type: A) ➝ 210.131.4.217
DNS: hopvariety.com (Type: A)
DNS: berndkoop.com (Type: A)
DNS: myreposite.com (Type: A)
DNS: mykdirect.com (Type: A)

Strings
..
.
).
.
.
."
.j
..w..
..#...W
.. .p
_C
040904E4
 2010 W PC Tools. 3 All rights reserved. d
7.0.0.61
BBABORT
BBALL
BBCANCEL
BBCLOSE
BBHELP
BBIGNORE
BBNO
BBOK
BBRETRY
BBYES
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
FileDescription
FileVersion
GKvyC
HA A
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
mCSpyware Doctor Componentg
MS Sans Serif
Mvertui0j
OjTs
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
PREVIEWGLYPH
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
018W@H
0%2	S"
.0aW%/
0e|Gnx
0#JdX;0
_0P?^0
0sb,_S4
%0UHV'
(10W<D
13p26;
_1> 7?P
$18WH\
1a:;+3OEx+
1,}fYS
`1hWlt
<1PW\l
!1=S2>
	=1*U0j
_20UL1SebYS
2""333:"C8
2""#33:DC8
%281n?
2$B""""C38
2C4"""D338
,(2,\#o
2UzmUl
:`2/v?8!
3:"""""
:33:"$
"*"$33
3333:"$
33333?
333333
333333?
3333333
$3333333
#3333333
33333333
33333333333
333333333333
333333333333?
33333333?333333
333333333333333
333333333333333333
3333333333333338
3333333:3333333383
333333:"33333338
3333333333338
33333:"$3333338
3333:"$3333338
3333339
333333:"C3333338
333333DDD3
333338
33333833
:*3:"$3338
#33338
33338?383
3333Dc3333333
3333f3333333?
3333fc33333338
3333>fd333338
3334JC33333338?333
3336Dc3333338
3336fC3333338
:*"*"$3338
333838
333*C33
333DDD33333?
333>fC333333
333>fd333333
$334B"$3
334C33333338
33B$3333333
33DDDDD3333
33fd3>fC333
33>ffffc338
}34A~U0
34""C33333833
3`Ax9:y
3B""$33333
3DtqjQ
3Ig44h=R
[3lzwb
3sD45r
46Kw\\
\47r_H>
4;9PLe
4"*""C3338
4DF334DC33
4>_E6d
 _4[F23
4)jn+~
"4!SjQ
59p"V>
5+-aP6
5`B6dt
5'JEq2?
?5np?0I
5w"@1B
64QGOR
68"`lV
6d!kl*t
?6\"F#k
6u>:E'W
7|1(JV}O
74^w`J#8A#<
7654R7:\
77B0cq
7APY/VF
7sIKx@
7TxScK
8sKv4~kI
@8:S)	LR
8_$"tE[
8W<r9	
]/[#9*
93?a+A
9`*",5
9p4t]o
<:_9 t
+a25;1+uu!:
a6@:Wb
"AbU8c
>aG;Sa
)apzq7W
)^aS&;M1
$AS/S+PY[
AteIsX
A=)'U2
awn!Dg
>b6r26yV
BEIgPgD
_BfREtlTnXCayu@8
bPUs8xs6
_BtaRMpij@16
:"C333
"$c33333
c333333
"C333333
C3333333
C33333833?33
"C3338
c33*C333
C4FDc?
"C8338
CharLowerA
CharUpperA
C;H?Q\
CjC338
c#n`MA
comdlg32
CP660w
_]Cx?F
"dc3333833
D*C33383
:DC33:""$8
"DDB""$3
dFeEkt
dfMDHO
+@d"HN3>7
dMT:I/S
	%d!nb
DQ?Ata
d}:t;w0|0
Dx03<h
e9wP1 F
<[eEM2X
Er;F\}1
EsK:m0l:
ExitProcess
F3SWGR
fC333?3
fC33333
F}c6N4V
fDFfC338
F*F333383
fff3333
ffv<;84R
=f	GL'	{6Ih
Fo09jmR
;FQ^u!l/
fw,(2,\#o
#\'G73#
G9DaGPk\
_G_ERlWY
GetCapture
GetFocus
GetMenu
GetModuleHandleA
GetProcessHeap
GetSysColorBrush
GetSystemMetrics
GetUserDefaultLCID
GetVersion
GetVersionExA
GFIaCQ
GlobalAddAtomA
GlobalAlloc
GR 3h$X>
g/[RA(
gT-+A]
hA,+FZ
_hCZ!b
h>H Gi
!h$mPh
hQK]>`B
hqz&uL
_huxwPOEDyAS5tG
+IA0?C8gs
ibrqvyBF
*iBySeToW
i\/rsC_
"J333333
"J"C3333
j%WAV(	x
j="ZZA2)@SC
k0H\cD
K4\!e}C
kernel32.dll
khFyld
KillTimer
kJmzN_
kP`<^N
LEAUTqI
l?HsX2
LLh_ffkTkWBnW
>lm<\l@
LoadLibraryA
LocalAlloc
_lTI03i0hYc3gPW
M2^]}c
MKvD?#H
Mvak5L9H
Mvertui0j
MV{RS+
N"2yx:
@n/96BpOjb
nb#GZ	
;NH%%d
`n>Jj{\
:NvL.I
<N Xor
?~-O4$
o595,sY
O8^MrH
`(	#on
OONinJ
OSQ~P;
P1^	@8
~P',8Z
p=]cbY
}^P<^n$
PNa83l"
ProcAbd
;p_TxC
/pU:xk
P^V/p&]
p(Y)cZ4
PY@DUn1
Q+2=vg1*
q9>FRR
qb$FHv
{QB}inr
qDd]B3?
QHsW2bsCz8xER2
QIE_fdT@12
>QqJ#R
{QQ	{R
"qt\N)
Q'up;5
qwQ70@
;QX2W6
QZ^&Cy
r9at2P=
*rBv01a
`.rdata
R.h]V&Wp
RUVS1GT
rWS(zx
s0HLc$
Se\O7SW
SGssNRD
s";pDtYou
tAWT"H?
This program must be run under Win32
Tick7ujn
=tl	AS
.t_p%i
TR"%NTt2L
t[rT=PvGG<
/,U/4Z[
Uq;miO!
uQ@znt_B
URWsbd
user32.dll
,*.VB-
v=<]Cxh
vgvn!+f	R
VirtualAlloc
Vj[YI>|`
vK$3<Q
VK~f'9ZM
vobY3 
#V%siovn
VxEyMz
Vy>O=P
w>aG*P
wF6VWf
WindowFromPoint
Wl!t11
WnmPz#
wsprintfA
w^X<5H
_X0Be1F
X1dWp|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
xux69^
xX^?14n
XZFmHlKHxYeLZ0
YVSp,bH
Y$;VXg
yZlWWS
z1pWfZ