Analysis Date: 2015-01-20 16:40:02
MD5: ffd4c51cd1daae2cdca47f74ee7729a2
SHA1: baa073578130ee6dc2c15cc9a69096aea883c78b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e50f4a1111bafdc813b1f7ec153b8ea9 sha1: d76ecf708f8d7fa01b6b2b67d87d5f51c3cdbd48 size: 23552
Section .rdata md5: 640f709ec19b4ed0455a4c64e5934d5e sha1: d6d6f4b1df06241f6513312657979c184006a044 size: 4608
Section .data md5: 54c75104a38a6f79dc7a8d3b020a9139 sha1: 27a00068376a93d3d30f81f065267042898dfdbb size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 36215d2c982e65fb6cf75b5b86da0d2f sha1: 33c165c975a75978979d19a93665b3bc780de5d5 size: 8192
Timestamp: 2014-05-11 20:03:30
Version: LegalCopyright: (c) 2006-2014 Visicom Media Inc.
FileVersion: 4.0.52.5534
CompanyName: Visicom Media Inc.
ProductName: ManyCam Virtual Webcam
ProductVersion: 4.0.52.5534
FileDescription: ManyCam Virtual Webcam
Packer: Nullsoft PiMP Stub -> SFX
PEhash: b9f0836cf19da4009c62fb85c13ac6be05209219
IMPhash: e160ef8e55bb9d162da4e266afd9eef3
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.2086105
AV Alwil (avast): no_virus
AV Arcabit (arcavir): Trojan.GenericKD.2086105:Trojan.GenericKD.2084628
AV Authentium: no_virus
AV Avira (antivir): TR/Injector.75682
AV BullGuard: Trojan.GenericKD.2086105
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.2086105
AV Eset (nod32): no_virus
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): Inject2.BLIL
AV Ikarus: Trojan.Win32.Injector
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Androm.gamj
AV MalwareBytes: Trojan.Crypt
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Chanitor.A
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: Troj/Agent-ALEF
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp\impassivities.dll
Creates File: C:\Documents and Settings\Administrator\Application Data\impassivities.nk
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsb2.tmp\impassivities.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsu1.tmp
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\4033585203 ➝ C:\Documents and Settings\All Users\msrhmucm.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system\EnableLUA ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: \Device\Afd\AsyncConnectHlp
Winsock DNS: poppin32.info
Winsock DNS: popping45.com
Winsock DNS: poppingj.com
Winsock DNS: poppingd.info
Winsock DNS: poppingk.com
Winsock DNS: poppingh.com
Winsock DNS: poppinge.info
Winsock DNS: popping33.org
Winsock DNS: poppingb.com
Winsock DNS: poppin22.com
Winsock DNS: poppinga.com
Winsock DNS: poppingx.com
Winsock DNS: poppingc.info
Winsock DNS: poppingg.com
Winsock DNS: poppingi.com
Winsock DNS: popping678.org
Winsock DNS: poppin33.com
Winsock DNS: poping45.info
Winsock DNS: poppingf.com
Winsock DNS: poppingma.com

Process
↳ C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\Explorer.EXE

Network Details:

DNS: update.microsoft.com.nsatc.net (Type: A) ➝ 65.55.138.126
DNS: update.microsoft.com.nsatc.net (Type: A) ➝ 65.54.51.250
DNS: poppingx.com (Type: A) ➝ 5.149.251.132
DNS: poppinga.com (Type: A) ➝ 69.89.25.171
DNS: poppingc.info (Type: A) ➝ 94.102.53.180
DNS: poppingb.com (Type: A) ➝ 94.102.53.180
DNS: poppingd.info (Type: A) ➝ 166.78.144.80
DNS: poppingj.com (Type: A) ➝ 66.155.11.238
DNS: poppingj.com (Type: A) ➝ 76.74.254.120
DNS: poppingj.com (Type: A) ➝ 76.74.254.123
DNS: poppingj.com (Type: A) ➝ 192.0.80.250
DNS: poppingj.com (Type: A) ➝ 192.0.81.250
DNS: poppingj.com (Type: A) ➝ 66.155.9.238
DNS: update.microsoft.com (Type: A)
DNS: poppinge.info (Type: A)
DNS: poppingf.com (Type: A)
DNS: poppingg.com (Type: A)
DNS: poppingh.com (Type: A)
DNS: poping45.info (Type: A)
DNS: poppingi.com (Type: A)
DNS: poppingk.com (Type: A)
DNS: popping678.org (Type: A)
DNS: poppin33.com (Type: A)
DNS: popping33.org (Type: A)
DNS: popping45.com (Type: A)
DNS: poppingma.com (Type: A)
DNS: poppin32.info (Type: A)
DNS: poppin22.com (Type: A)
HTTP POST: http://poppingx.com/and/gate.php (User-Agent: Mozilla/4.0)
HTTP POST: http://poppinga.com/and/gate.php (User-Agent: Mozilla/4.0)
HTTP POST: http://poppingc.info/and/gate.php (User-Agent: Mozilla/4.0)
HTTP POST: http://poppingb.com/and/gate.php (User-Agent: Mozilla/4.0)
HTTP POST: http://poppingd.info/and/gate.php (User-Agent: Mozilla/4.0)
HTTP POST: http://poppingj.com/and/gate.php (User-Agent: Mozilla/4.0)
Flows UDP: 192.168.1.1:1036 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1037 ➝ 65.55.138.126:80
Flows UDP: 192.168.1.1:1038 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1039 ➝ 5.149.251.132:80
Flows UDP: 192.168.1.1:1040 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1041 ➝ 69.89.25.171:80
Flows UDP: 192.168.1.1:1042 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1043 ➝ 94.102.53.180:80
Flows UDP: 192.168.1.1:1044 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1045 ➝ 94.102.53.180:80
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1047 ➝ 166.78.144.80:80
Flows UDP: 192.168.1.1:1048 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1049 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1050 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1051 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1052 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1053 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1054 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1055 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1056 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1057 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1058 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1059 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1060 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1061 ➝ 66.155.11.238:80
Flows UDP: 192.168.1.1:1062 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1063 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1064 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1065 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1066 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1067 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1068 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1069 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1070 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1071 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1072 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1073 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1074 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1075 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1076 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1077 ➝ 8.8.4.4:53

Strings