Analysis Date: 2014-09-14 23:04:00
MD5: e5ea2e54c9ee995ba845b953d756e153
SHA1: a42e49de93b56551b84e8cd60e4f2a6dfe5e6ae8

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 50fe2d64d655def375a73b55500f0dfc sha1: 296593b374673a0ca336c4224a4ffbeafbd7f252 size: 13312
Section .rdata md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .data md5: 5c2e184d0cb1640ca8119c5b7a74f3af sha1: 29def9e257fff3577a20a8f6f23e19f49f2269f0 size: 112128
Section .rsrc md5: 8fcfee062a6aa385d7ecbc4443dd3152 sha1: a6da405364f5c8fac08e0d65dfdac4ff65a11d6f size: 5120
Timestamp: 2009-08-20 20:23:18
Version: LegalCopyright: Copyright © 2010 Hp PC Tools. B2 All rights reserved.
InternalName: damatB
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: K
ProductVersion: 7.0.0.61
FileDescription: pSpyware Doctor Componente5
OriginalFilename: damatB
PEhash: 873948babf99558ba08dbedca543f37169057e46
IMPhash: 5d88b077988d62f0a80fdb3f37157756

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\malware.exe
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: hopvariety.com

Process
↳ C:\malware.exe

Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Network Details:

DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: hopvariety.com
Type: A
DNS: berndkoop.com
Type: A
DNS: myreposite.com
Type: A
DNS: mykdirect.com
Type: A


Strings
.
..@
s.K@.W.
,.
8I
.|.UX.
040904E4
 2010 Hp PC Tools. B2 All rights reserved. 
7.0.0.61
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
damatB
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
pSpyware Doctor Componente5
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
0;1h2A3
\%02x_Q?#
0;4H8Q<
'+0`9EB
0Bx3\I`
0%FM,=I
^0k_4&V
0KAS9i
*0~u6"
  0Vx@
 [1	{UHHXcK
2<6_8X
%2\81n
2ipdq=
2tW\/Ix8
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
(3vw_9
47582u
4+<`DEL
4FX?"M
@4}H9^i/
,{4H<H
4Q=<+D
	67:TG
6?*{lV
76q54}a:\)Y
7cICJV
+8j@V3
8kXUA5~9
8s<w01
_8_$tE
 9;`anL
>9H?GUu_
9nN3}k
9+t|2P
/@A8Mv
^aBA@blh
`&-AGN|
aH!z%vF+trD/FnG=Jj
ak9zDH
APrWocAdd
:a_Rcf
AtO;H"
B?AM|$
BCaj[wW"9o
{"BCSf
/BdnAQR
bfGIiEb
b(PVz@ dE
=Bt$hD
BV6BEM
`	"C<<
C13|@!
c8H|?i
c^a?SqM{
c.F[	H
CharUpperA
CreatePopupMenu
CRW8]_
)cT|tM
cXi~!6
_CxlmFZ508cEv
[d`8Q:
DAB5q6p
damatB
@.data
DenJP{
\{dHlQt
D{LHTH
DliJYf
)dMS]CP60
{@DPg8
EOshY)
EsKVpm0:
E?Sz!=xx#
EtbIuZ
_eulpbl
ExitProcess
f{@0R$;"?
faulDOIL
F%GE<z
FMyFPx
GetActiveWindow
GetcUsDrD
GetMenu
GetScrollPos
GetScrollRange
GetSubMenu
GetSysColor
GetSysColorBrush
GetWindow
GetWindowTextLengthA
GlobalAlloc
_GnjDeXjY
G }"P$>.
~G((YJ
G:zGBzGJzGRzM[Q
;`H\A"
hGcB-[
hghdBx
hghWSn
H=(kL@0UP
HklfPu
\=Hk`@PU
H=$kP@(UX
HLLoIO
HLx_xM
h;PpDto
H;s,*a<qE
Ht_bmw
H@ts_@
HYo@Pf
, *-I9
ia];BT
'i;CieP
IF}O%N
i=`+hq
IK%}kq|
IsChild
IsWindowUnicode
^<;{IWB
J/3Koe
="j9MR
JBkq)Y
Jpm^Jn
Jrwfnr
jxh@E!
k0cX5ISHnC
K}D\FkA
kernel32.dll
kEy7zU.'zi
kHOCOa
kk:K(gR
Km0B}\
kMQ!jk
>&kpnc
kqCBMi
-kq{H@Q
kwojmTuc
K wQu)6
l%h>jlyb
lM-o!l
LoadLibraryA
LocalAlloc
LQ=T+\}
lR;M-#
l'S_7V
lstrcatA
lstrcmpA
lstrcmpiA
L{TH\Qd
=\lTIME
lzUbPP
MEtEfoZKERN
&[mFBr
MGU0e_
MH$Klf
MLa7Qi
"$MM]9u
m~ocD}
MoveFileA
MoveFileExA
MSX%Q>-
MxQu6A
mYE;xu
N,!"7%
NnjHhO
nx[5J4@
,o\|dm
OLEAUT
OOgYZ@
O(ox2L
OpenIcon
!or$h~
"[ov	9
]`<p1f
p2pN^QAE
P6P.YB
@p^.~a@
phU<YlK
pkJq}-Qr
PLh(='[Q
\P{LQ}
pm}2R#
p)N ~J;
$p:sM;)
%P%t>}
ptEHuh`
ptgtR2O
qG pyH)
QIIz&c~
qK9	Pr
qNxPep\
$Qr8`f<
QS~c+,#
qT_;t)
{]=qv{
q/XmR3
QZ^3&3
QZwZl{P
rAY7E/
`.rdata
r&m;(Y
@^(_,rt
{~<R	W
RYBN*KJ
S|B|%g
s*`hf5
shlwapi
	:SkEY
SRQPWjaM
[.Sr<SzcL
$s=[u8
SvQij0
Syxjyv5
~t6?6t
tB52x9
t$cH-	m
This program must be run under Win32
TjaJuO
/u]9t9
u"\a6@WbyUkw4xzu
u<C-s.
U= e8N
Ui[3XY
=\U]K`
u={nPkt
user32.dll
ut(Z]\$
|^{uUk:
>|ux}3
Ux97qoxz
uxc%{(J
|(`;V:.
;V5A2-
VCp`Gp
v~Gq)$
v;& h;F!
VirtualAllocEx
vK;}Sv
{]Vo E
VoUsionE
W&}D[;TIOS
W^jW6D
WL[n $
_`.Wrdat
w(VKpC@
wYk\'l
'xEvM]
(=xfH_
xgogho
XkO|qj
.; xMG
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
Xq_N	B
x> ,s-|
xspy^Mzf
|XUNIQSTR
Y1V:fRb
y5AL6XyYj
Y8cXt+
yCx1#O8<H
yI-~~"w
y!rbjx
YS;H}%
ySHLWcI
YvL<Qz
z5H6y7
Z,GkpL
z}i4G[z
ZiM<9o
Z,Md!&
ZRRXOo
zX~Ba]
ZzG'lM