Analysis Date: 2015-01-29 12:49:27
MD5: 2d7f48d760ce01f9eee556534d819c1d
SHA1: d0e68919ef46cc56e481baae2476a66691cc4396

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: bbddb0c8e4001b9680be5574a577359c sha1: 43e8516f286bdd103bed2179c86ec9ddb2b360f9 size: 14336
Section .rdata: md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .data: md5: 97c19c936bc20c68313a2681436c3ab5 sha1: 7e2d3dc55bcee19c54d3e8a076f2c88711acaabd size: 114688
Section .rsrc: md5: 5f10314f617108286ab05e548f12901f sha1: a9587770cb4feab67020ba68f93b97de5e84e65f size: 5120
Timestamp: 2009-02-06 20:15:55
Version:
LegalCopyright: Copyright © 2010 I PC Tools. All rights reserved. VP
InternalName: vertuNHP
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: t Z
ProductVersion: 7.0.0.61
FileDescription: Spyware Doctor ComponentTs
OriginalFilename: vertuNHP
PEhash: 27dc0f597c4253e1ab45f780744da87642d8f67a
IMPhash: 138454a318e52911418dddece3365503
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): Renosator [Cryp]
AV Arcabit (arcavir): Gen:Heur.IPZ.7
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader2.39050
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/Kryptik.AEUK
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan.SuspectCRC
AV K7: Trojan ( 002456451 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: Error Scanning File
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.12861D46
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: hopvariety.com

Network Details:

DNS: wsj.com, Type: A ➝ 205.203.132.1
DNS: wsj.com, Type: A ➝ 205.203.132.65
DNS: wsj.com, Type: A ➝ 205.203.140.1
DNS: wsj.com, Type: A ➝ 205.203.140.65
DNS: fastclick.com, Type: A ➝ 64.156.167.84
DNS: nifty.com, Type: A ➝ 210.131.4.217
DNS: hopvariety.com, Type: A
DNS: berndkoop.com, Type: A
DNS: myreposite.com, Type: A
DNS: mykdirect.com, Type: A

Strings:
..w...r
...
.......
.
>
.l
.kG.H
040904E4
177G
 2010 I PC Tools.  All rights reserved. VP
7.0.0.61
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
RiinU
Spyware Doctor ComponentTs
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
vertuNHP
VS_VERSION_INFO
|0cBPm
 0#JHBy
0?mR$.
<0|r}9
0T4"Z^
0u:<w}:Hw
1Mb;-Jma
1(*xmg
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3BSKh}aK
[.3foV3'*/
,%^3Hp
3LW3rj
/(!)4?2
^4EpYSAW
$(4US)
4Uw6S)t4
50SXe46|
_5ApG8bXy4bWwjT
5}t9^{
6 iR5QdX 
6TqwS}
6vCVlv
6zfGyJW0Hysx
7~;Hu"#h
7K//GJ
7vUf@$
83vJ	#-7
8)*kIt
9vyWF$
>A8|=;
AP=*B#=
_A|]X_N
binkQ$6
B^`k's
_bkZ7F87WTzflq
+b^uP)
_bzCnYrgNBKL
C1DhOCraYv
{\c3`O
cGv7IA
CharLowerA
C(n!$j
#,CnT^
CpL4vG_VRzWH
CsojV4j
CutjMm
cXcQddXm
@.data
DeleteFileA
Dj``@Yb
DrawMenuBar
?_|\dy
_DzWI9PQeoLlVx
EH7Q2J
EnumCalendarInfoA
Ep.rBc
Ep],w6
EQt)t}
eToW c{Cha
e%xb_-
ExitProcess
EY[elK
F]_^3b
_f9eW^[
f\$Fo#7[j
fgXx#f
FindClose
 f!iv#
FqWX/w
$Fya7BP
GetActiveWindow
GetCommandLineW
GetMenu
GetTopWindow
GetUs-rD
=Gfuxv
gI	RY|
''.gP6O
-gq91Y`e
grqD04
GY>^tu
g(yVZr
HBkFS4Oz
HGmbHMMykW
hgvVptYT
h*i#x<
:'i}ib
IsWindow
IsWindowEnabled
J1dJ0Q]
j[493r
JBg4O@!
 j@^c+
jch(W3
j,D5w(
j>	VQupP
|K7XmF
kCS9HLo
KERNEL32.DLL
_KFcBuDUlk6tK
KV9Aeg
KWYMEC
KyAq8ql
LoadCursorA
LoadIconA
LoadLibraryA
.Lo"QQ_
lstrlenA
LVJ,YPl
LVl7jw
mn"LL_
MoOogu
mtV5t 
mV	;A3pB
MV dO;
#nGE\A
nOJDlkloI_Np@12
N^ Sb	
$nw.	i
ObjEwS
oHj)A6
O(.@@i
OjD&,P
O"oNJux
+/pB |
PeekMessageW
PEPzl8Adzl`Axw
P"@K|zL
PostMessageA
PostQuitMessage
PtInRect
PUKZbyk
_pVFXERQc_
p(Y)cZ4
q\lk$dFe
@Qm6t<
^;Q_qrJ"
QSTR@2G9<7654
QVqi(u
:QxQzH-r
`.rdata
RedrawWindow
>ri.~F
=RJ.0A62
r{JBw6NE
rrR5IUUn@16
r_VFtQ
+sfEr;`lN
sGrW76mWoJYL4
?%smgn
snWj68m
sQ?a`9
s~TgV[
@(SV,\
t0C |2
T2	x|;
This program must be run under Win32
TixN@C
t?PBmz
t"q|ID
t~S]qyC
TyRtQ5A
TzOS*X(
u74MlM) 
UM+Ee_
UNr)m#l
UnZuk8
user32.dll
]_uT@ .
UTxXsJw
U<YlKai
V++?(4
veaR7$HAv
vertuNHP
VirtualAllocEx
V:@)*J
]v|Kig
VL2wue
Vlshlwapi
VMVWO#
V` '*o
vUlX_e8I
VY"^Bkr
.w/7@k
$><WB%'
wL~5[]
WL[n$5
X0yctS^|
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
Xxfqgu
~;xY76/
|Y8Xt.o
yC89Si1O
yjArYA|=;
YNvld1dYZZ8r
yt%My!j
_z>~`+
`+Z8_x;
,Zb9N|ae
zmNdqK
>Z~r{a
\,]Z_u