Analysis Date: 2014-09-15 17:26:54
MD5: 4c4a234372222d23313e0d984155364a
SHA1: e60d7e06da9ade734b3d72f269963bee16b385f3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: d51953b51d2dc7cb9070f2f71120f8a9 sha1: 1b9ec431f08e44e14ff133b6549085f21c7b3329 size: 26624
Section .xdata md5: 845bfd97d98821eb1829b3eb8cd4bbfd sha1: ae90a8e7da9e2271b3d3e16f3a476da9007c1464 size: 19968
Section .rdatak md5: f18bceabb5c0e1464deb78c5fcdb203c sha1: 62bb276c554b8ccce7857dca3394444328190101 size: 4096
Section .rdata md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .rsrc md5: d04660ed20fa7abf2953afc2755b6190 sha1: 8d5c134a06f3262789c4f3aa5e23329865b9b5f1 size: 7168
Section .rdata md5: 0f343b0931126a20f133d67c2b018a3b sha1: 60cacbf3d72e1e7834203da608037b1bf83b40e8 size: 1024
Timestamp: 2005-12-23 09:32:02
Version:
LegalCopyright: Copyleft 1998-2006 by Don HO
InternalName: npp.exe
FileVersion: 5.7
CompanyName: Don HO don.h@free.fr
ProductName: Notepad++
ProductVersion: 5.7
FileDescription: Notepad++ : a free (GNU) source code editor
OriginalFilename: Notepad++.exe
PEhash: 8ef5a348d38a8d508e39798b00681f67ab565c3b
IMPhash: ea6ad11423dfc1a549ca1f61323421cc
AV CA (E-Trust Ino): no_virus
AV Kaspersky: Trojan.Win32.Generic
AV F-Secure: Gen:Variant.Kazy.351673
AV Dr. Web: Trojan.DownLoader9.49459
AV K7: Trojan ( 0040f8491 )
AV Fortinet: W32/Androm.GA!tr
AV ClamAV: no_virus
AV Arcabit (arcavir): no_virus
AV Symantec: no_virus
AV Grisoft (avg): BackDoor.Generic18.WDH
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): Backdoor.Pushdo
AV Eset (nod32): Win32/Wigon.PH
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV 360 Safe: Gen:Variant.Kazy.351673
AV Trend Micro: no_virus
AV Ad-Aware: Gen:Variant.Kazy.351673
AV Zillya!: Backdoor.Pushdo.Win32.717
AV Authentium: no_virus
AV Frisk (f-prot): no_virus
AV Ikarus: no_virus
AV Norman: no_virus
AV Emsisoft: Gen:Variant.Kazy.351673
AV Avira (antivir): no_virus
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.351673
AV Mcafee: Downloader-FSH!4C4A23437222
AV Rising: no_virus
AV Microsoft Security Essentials: TrojanDownloader:Win32/Cutwail.BS

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\xidtumurdaho ➝ C:\Documents and Settings\Administrator\xidtumurdaho.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\AppManagement ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\xidtumurdaho.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\woodlandhillwinery[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\colourprint[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lognetic[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nazcapictures[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\miltinio-teatras[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nasz-sklep[1].htm
Creates File: C:\Documents and Settings\Administrator\Application Data\Microsoft\Crypto\RSA\S-1-5-21-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXXX-500\a18ca4003deb042bbee7a40f15e1970b_666939c9-243b-475e-9504-51724db22670
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\vitalur[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thedonaldsongroup[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mail57.us2.mcsv[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\easygen[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aciuba.com[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ixtractor[1].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thedonaldsongroup[2].htm
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\robertmcintyre.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\mail57.us2.mcsv[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thedonaldsongroup[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\woodlandhillwinery[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\colourprint[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\easygen[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\lognetic[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nazcapictures[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\aciuba.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\miltinio-teatras[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\nasz-sklep[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\ixtractor[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\thedonaldsongroup[2].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\robertmcintyre.com[1].htm
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\658HSJSD\vitalur[1].htm
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: xidtumurdaho
Winsock DNS: woodlandhillwinery.com
Winsock DNS: robertmcintyre.com.au
Winsock DNS: ixtractor.com
Winsock DNS: nasz-sklep.pl
Winsock DNS: lognetic.com
Winsock DNS: easygen.com
Winsock DNS: vitalur.by
Winsock DNS: colourprint.nl
Winsock DNS: bredainternet.nl
Winsock DNS: nazcapictures.com
Winsock DNS: miltinio-teatras.lt
Winsock DNS: theartofhair.com
Winsock DNS: nichedictionary.com
Winsock DNS: aciuba.com.br
Winsock DNS: szostka.com
Winsock DNS: mail57.us2.mcsv.net
Winsock DNS: coopsupermarkt.nl
Winsock DNS: fanxses.com
Winsock DNS: thedonaldsongroup.com

Network Details:

DNS: smtp.glbdns2.microsoft.com Type: A ➝ 65.55.176.126
DNS: smtp.mail.us.am0.yahoodns.net Type: A ➝ 98.139.211.125
DNS: smtp.mail.us.am0.yahoodns.net Type: A ➝ 63.250.193.228
DNS: smtp.mail.us.am0.yahoodns.net Type: A ➝ 98.138.105.21
DNS: thedonaldsongroup.com Type: A ➝ 162.243.14.139
DNS: mail57.us2.mcsv.net Type: A ➝ 173.231.139.57
DNS: colourprint.nl Type: A ➝ 46.30.212.230
DNS: ixtractor.com Type: A ➝ 209.222.7.228
DNS: vitalur.by Type: A ➝ 178.159.246.132
DNS: nazcapictures.com Type: A ➝ 91.229.77.84
DNS: easygen.com Type: A ➝ 212.84.79.16
DNS: woodlandhillwinery.com Type: A ➝ 23.229.128.225
DNS: robertmcintyre.com.au Type: A ➝ 199.73.58.66
DNS: nasz-sklep.pl Type: A ➝ 91.192.164.134
DNS: lognetic.com Type: A ➝ 78.47.37.140
DNS: miltinio-teatras.lt Type: A ➝ 92.61.39.244
DNS: bredainternet.nl Type: A ➝ 127.0.0.1
DNS: theartofhair.com Type: A ➝ 127.1.2.3
DNS: aciuba.com.br Type: A ➝ 186.249.220.200
DNS: szostka.com Type: A ➝ 127.0.0.1
DNS: smtp.live.com Type: A
DNS: smtp.mail.yahoo.com Type: A
DNS: coopsupermarkt.nl Type: A
DNS: fanxses.com Type: A
DNS: nichedictionary.com Type: A
HTTP POST: http://thedonaldsongroup.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://thedonaldsongroup.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://mail57.us2.mcsv.net/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://colourprint.nl/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://ixtractor.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://vitalur.by/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://nazcapictures.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://easygen.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://woodlandhillwinery.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://robertmcintyre.com.au/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://nasz-sklep.pl/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://lognetic.com/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://miltinio-teatras.lt/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
HTTP POST: http://aciuba.com.br/ User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)
Flows TCP: 192.168.1.1:1031 ➝ 65.55.176.126:25
Flows TCP: 192.168.1.1:1032 ➝ 98.139.211.125:25
Flows TCP: 192.168.1.1:1051 ➝ 162.243.14.139:80
Flows TCP: 192.168.1.1:1052 ➝ 162.243.14.139:80
Flows TCP: 192.168.1.1:1053 ➝ 173.231.139.57:80
Flows TCP: 192.168.1.1:1054 ➝ 46.30.212.230:80
Flows TCP: 192.168.1.1:1055 ➝ 209.222.7.228:80
Flows TCP: 192.168.1.1:1056 ➝ 178.159.246.132:80
Flows TCP: 192.168.1.1:1057 ➝ 91.229.77.84:80
Flows TCP: 192.168.1.1:1058 ➝ 212.84.79.16:80
Flows TCP: 192.168.1.1:1059 ➝ 23.229.128.225:80
Flows TCP: 192.168.1.1:1060 ➝ 199.73.58.66:80
Flows TCP: 192.168.1.1:1061 ➝ 91.192.164.134:80
Flows TCP: 192.168.1.1:1062 ➝ 78.47.37.140:80
Flows TCP: 192.168.1.1:1063 ➝ 92.61.39.244:80
Flows TCP: 192.168.1.1:1066 ➝ 186.249.220.200:80