Analysis Date: 2014-09-15 06:06:02
MD5: 2a63afc1abf775984f5a111d342b19b9
SHA1: e77a3eb717d475b32c9a48cdad20bb1327a5f62e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 116cc737ad9b387f697cc0c39f6ef5ca  sha1: c686f9aca2c59ecbfd2d64c7e5fc6d0526c4a6e7  size: 8192
Section .rdata md5: a03f6d6faf9eccd0e81fabf1bbd3a8a1  sha1: 4d03767de3fce40186d4aee7ee80b8a9c3b27638  size: 1024
Section .data  md5: 005e2b482d1f3a1f4a927b3f51415b5e  sha1: 64ad5a6d69d730b826fa9d1d7ce9efd1b2e99724  size: 110592
Section .rsrc  md5: 5ea0667c7b4a4e91ac0f3ae696a8b50c  sha1: 8d02cfb8a0c6ed623d073320db92ae266bd4603e  size: 5120
Timestamp: 2009-11-13 08:35:08
Version info:
LegalCopyright: Copyright © 2010 Setup Technologies QZ
InternalName: K Windows setup yrm
FileVersion: 3.0.0.0
CompanyName: Jordan Russell
LegalTrademarks:
Comments:
ProductName: G Internet Security bJ
ProductVersion: 3.0.0.0
FileDescription: c Setup Self-Extractor n
OriginalFilename: K Windows setup yrm
Packer: Borland Delphi v3.0 (signature match; note that the manifest recovered in the Strings section below identifies an NSIS 2.46 installer stub, so the packer match and the version resource disagree with the embedded manifest)
PEhash: 2756c0b31ae2b2e07a44541fe26d1e05e58a4882
IMPhash: c4fa1e6fbfa5ccd1a54b85db6d45c667
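The static data above contradicts itself in several places an analyst would flag: the version resource names Jordan Russell (the Inno Setup author) and the packer signature says Borland Delphi, while the manifest in the Strings section identifies an NSIS 2.46 stub that requests requireAdministrator; the link timestamp (2009) predates the copyright year (2010); and an 8 KB .text section sits next to a 108 KB .data section. The following added example, my own code and not part of this report or of any tool that produced it, runs those cross-checks on the values copied from the report. The ratio threshold, the finding texts and the order of checks are my assumptions.

```python
# Added example: cross-check the static metadata of this report for the
# contradictions an analyst would flag. Input values are copied from the
# report's Static Details and Strings sections; the thresholds and the
# wording of the findings are my own assumptions.
import re
import xml.etree.ElementTree as ET

SECTIONS = {".text": 8192, ".rdata": 1024, ".data": 110592, ".rsrc": 5120}  # bytes, from the report
PE_TIMESTAMP = "2009-11-13 08:35:08"                                        # from the report
PACKER_SIGNATURE = "Borland Delphi v3.0"                                    # from the report
VERSION_INFO = {                                                            # from the report
    "LegalCopyright": "Copyright \u00a9 2010 Setup Technologies QZ",
    "CompanyName": "Jordan Russell",
    "FileDescription": "c Setup Self-Extractor n",
}
# Embedded manifest, copied verbatim from the Strings section.
MANIFEST = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    '<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/>'
    '<description>Nullsoft Install System v2.46</description>'
    '<dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" '
    'version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" />'
    '</dependentAssembly></dependency>'
    '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges>'
    '<requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>'
    '</requestedPrivileges></security></trustInfo>'
    '<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application>'
    '<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>'
    '<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>'
    '</application></compatibility></assembly>'
)
NS = {"v1": "urn:schemas-microsoft-com:asm.v1", "v3": "urn:schemas-microsoft-com:asm.v3"}


def parse_manifest(xml_text):
    """Pull the fields that matter for triage out of an embedded application manifest."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    ident = root.find("v1:assemblyIdentity", NS)        # direct child only, not the dependency's identity
    desc = root.find("v1:description", NS)
    level = root.find(".//v3:requestedExecutionLevel", NS)
    return {
        "name": ident.get("name") if ident is not None else None,
        "description": desc.text if desc is not None else None,
        "execution_level": level.get("level") if level is not None else None,
    }


def triage(sections, timestamp, packer, version_info, manifest_xml):
    """Return human-readable findings; an empty list means nothing looked odd."""
    findings = []
    m = parse_manifest(manifest_xml)
    # 1. Toolchain claims disagree: packer-signature match says Delphi, manifest says NSIS.
    #    A binary built with one installer toolchain would not normally carry the other's markers.
    if m["name"] and "nsis" in m["name"].lower() and "delphi" in packer.lower():
        findings.append(f"packer signature '{packer}' contradicts manifest '{m['description']}'")
    # 2. Link timestamp older than the copyright year claimed in the version resource.
    ts_year = int(timestamp[:4])
    year = re.search(r"\b(?:19|20)\d{2}\b", version_info.get("LegalCopyright", ""))
    if year and int(year.group(0)) > ts_year:
        findings.append(f"PE timestamp year {ts_year} precedes copyright year {year.group(0)}")
    # 3. Tiny code section beside a large initialised-data section: the real payload is
    #    probably stored in .data and unpacked at run time (the 4x threshold is arbitrary).
    text, data = sections.get(".text", 0), sections.get(".data", 0)
    if text and data // text >= 4:
        findings.append(f".data ({data} bytes) is {data // text}x the size of .text ({text} bytes)")
    # 4. The manifest forces a UAC elevation prompt; if accepted, the dropper runs as administrator.
    if m["execution_level"] == "requireAdministrator":
        findings.append("manifest requests requireAdministrator")
    return findings


if __name__ == "__main__":
    for finding in triage(SECTIONS, PE_TIMESTAMP, PACKER_SIGNATURE, VERSION_INFO, MANIFEST):
        print("-", finding)
```

None of these checks is proof of malice on its own; together with the runtime behaviour below they are what justifies treating the "Setup Self-Extractor" label as a lure rather than a description.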

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process (second instance, spawned by the first)
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Q7NZMT7RLB ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Q7NZMT7RLB\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: berndkoop.com
Winsock DNS: topqstore.com
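Three runtime artefacts above are worth a detection rule: a Run value whose data is an executable dropped straight into the drive root, a scheduled-task .job file written by something other than the Task Scheduler service, and the same random name (Q7NZMT7RLB) reused as the Run value name and as an HKCU\Software subkey that stores an opaque blob. The following added example, my own code and not from this report or its sandbox, encodes those three tells and runs them over a handful of constructed events. The event layout is my simplification of Sysmon event 13 (registry value set) and event 11 (file create); the events themselves are made up to mirror the report, with one benign installer and one service write as noise.

```python
# Added example: detection logic for the persistence pattern in the report,
# run over constructed Sysmon-style events. The event dicts and field names
# are my own simplification of Sysmon event 13 (registry value set) and
# event 11 (file create); the events are made up, not a captured log.
import re
from collections import defaultdict

# Sysmon records per-user keys as HKU\<SID>\..., so accept that spelling as well as HKCU/HKLM.
HIVE = r"HK(?:EY_)?(?:CU|CURRENT_USER|LM|LOCAL_MACHINE|U(?:SERS)?\\[^\\]+)"
RUN_KEY = re.compile(HIVE + r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\(?P<name>[^\\]+)$", re.IGNORECASE)
SOFTWARE_SUBKEY = re.compile(HIVE + r"\\Software\\(?P<name>[^\\]+)\\", re.IGNORECASE)
TASK_JOB = re.compile(r"^[A-Z]:\\Windows\\Tasks\\\{[0-9A-F-]{36}\}\.job$", re.IGNORECASE)
ROOT_EXE = re.compile(r"^[A-Z]:\\[^\\]+\.exe$", re.IGNORECASE)   # executable sitting directly in the drive root

EVENTS = [  # constructed to mirror the report; the last two are benign noise
    {"id": 13, "image": r"C:\malware.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Q7NZMT7RLB", "details": r"C:\malware.exe"},
    {"id": 13, "image": r"C:\malware.exe",
     "target": r"HKCU\Software\Q7NZMT7RLB\OteH", "details": "xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/..."},
    {"id": 11, "image": r"C:\malware.exe",
     "target": r"C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job"},
    {"id": 13, "image": r"C:\Program Files\Vendor\setup.exe",   # a vendor installer registering its updater
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\VendorUpdate",
     "details": r"C:\Program Files\Vendor\update.exe"},
    {"id": 11, "image": r"C:\WINDOWS\system32\svchost.exe",    # the Task Scheduler service writing a job (made-up GUID)
     "target": r"C:\WINDOWS\Tasks\{9E0A1B2C-3D4E-4F50-8A1B-2C3D4E5F6071}.job"},
]


def detect(events):
    """Return (rule, image, target) tuples for the three tells seen in the report."""
    alerts = []
    run_names = defaultdict(set)   # image -> lower-cased Run value names it created
    for e in events:
        img, tgt = e["image"], e["target"]
        if e["id"] == 13:
            m = RUN_KEY.match(tgt)
            if m:
                run_names[img].add(m.group("name").lower())
                # Run value whose data is an .exe dropped straight into the drive root.
                if ROOT_EXE.match(e.get("details", "")):
                    alerts.append(("run_key_root_exe", img, tgt))
        elif e["id"] == 11 and TASK_JOB.match(tgt):
            # .job files are normally written by the Task Scheduler service (hosted in svchost.exe
            # on the Documents-and-Settings-era host this report ran on); any other writer is suspect.
            if not img.lower().endswith(r"\svchost.exe"):
                alerts.append(("task_job_by_nonservice", img, tgt))
    # Second pass: the same random name used as a Run value and as an HKCU\Software\<name>
    # subkey is the configuration-storage pattern the report shows.
    for e in events:
        if e["id"] != 13:
            continue
        m = SOFTWARE_SUBKEY.match(e["target"])
        if m and m.group("name").lower() in run_names.get(e["image"], ()):
            alerts.append(("config_key_matches_run_name", e["image"], e["target"]))
    return alerts


if __name__ == "__main__":
    for rule, image, target in detect(EVENTS):
        print(f"{rule:30} {image}  ->  {target}")
```

The svchost.exe exclusion is a simplification: on a real host you would key the .job rule on the Task Scheduler service's process identity rather than on the image name, since anything can be named svchost.exe.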

Network Details:

DNS: wp.pl (A) ➝ 212.77.100.101
DNS: spankwire.com (A) ➝ 94.199.252.72
DNS: 51.la (A) ➝ 117.21.226.199
DNS: topqstore.com (A) ➝ no address recorded
DNS: berndkoop.com (A) ➝ no address recorded
DNS: myreposite.com (A) ➝ no address recorded
DNS: mykdirect.com (A) ➝ no address recorded
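Only three of the seven lookups returned an address, and the two domains the sample resolved through Winsock (berndkoop.com, topqstore.com) are among the unanswered ones; the resolved hosts are high-traffic public sites, the unanswered ones are the candidates for infrastructure. The following added example, my own code and not part of the report or its sandbox, parses the Runtime and Network Details lines of this report format into a structured IOC set and separates answered from unanswered lookups. The sample text is copied from the report above (label and value separated by ": ", one registry or DNS entry per line); the output schema, the persistence tagging and the treatment of the WinInet cache mutexes as noise are my assumptions.

```python
# Added example: a parser for the Runtime/Network Details lines of this report
# format, producing a structured IOC set and separating DNS lookups that got an
# answer from those that did not. REPORT is copied from the report above; the
# output schema and the mutex noise filter are my own.
import json
import re

REPORT = r"""
Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Q7NZMT7RLB ➝ C:\malware.exe
Registry: HKEY_CURRENT_USER\Software\Q7NZMT7RLB\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: PIPE\lsarpc
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: WininetConnectionMutex
Winsock DNS: berndkoop.com
DNS: wp.pl (A) ➝ 212.77.100.101
DNS: topqstore.com (A) ➝ no address recorded
DNS: berndkoop.com (A) ➝ no address recorded
"""

LINE = re.compile(r"^(?P<label>[A-Za-z ]+?): (?P<value>.*)$")
DNS = re.compile(r"^(?P<host>\S+) \((?P<rtype>[A-Z]+)\) ➝ (?P<answer>.*)$")
IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# WinInet/IE cache locks that any process using WinInet creates; treated as noise (assumption).
NOISE_MUTEX = re.compile(r"^(?:WininetConnectionMutex|c:!.*)$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)


def parse_report(text):
    """Turn report lines into an IOC dict; DNS names without an IPv4 answer go to dns_unanswered."""
    iocs = {"process": [], "mutex": [], "registry": [], "file": [], "pipe": [],
            "persistence": [], "dns_resolved": {}, "dns_unanswered": []}
    queried = set()
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        label, value = m.group("label"), m.group("value")
        if label == "Creates Process":
            iocs["process"].append(value)
        elif label == "Creates Mutex":
            if not NOISE_MUTEX.match(value):
                iocs["mutex"].append(value)
        elif label == "Registry":
            key, _, data = value.partition(" ➝ ")
            iocs["registry"].append({"key": key, "data": data})
            if RUN_KEY.search(key):                      # Run key = autostart persistence
                iocs["persistence"].append(f"{key} = {data}")
        elif label == "Creates File":
            if value.upper().startswith("PIPE\\"):
                iocs["pipe"].append(value)
            else:
                iocs["file"].append(value)
                if value.lower().endswith(".job"):       # scheduled-task job = persistence
                    iocs["persistence"].append(value)
        elif label == "Winsock DNS":
            queried.add(value)
        elif label == "DNS":
            d = DNS.match(value)
            if d:
                queried.add(d.group("host"))
                if IPV4.match(d.group("answer")):
                    iocs["dns_resolved"][d.group("host")] = d.group("answer")
    iocs["dns_unanswered"] = sorted(h for h in queried if h not in iocs["dns_resolved"])
    return iocs


if __name__ == "__main__":
    print(json.dumps(parse_report(REPORT), indent=2))
```

An unanswered lookup in a 2014 sandbox run says nothing about what the domain resolved to when the sample was live; treat the unanswered names as pivot points for passive-DNS history, not as dead.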

Strings
k
..
.'..
.
..
 
040904E4
 2010  Setup Technologies QZ
3.0.0.0
BBABORT
Cannot open file "%s". %s
Comments
CompanyName
Copyright 
c Setup Self-Extractor n
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
G Internet Security bJ
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
j9WH
Jordan Russell
K Windows setup yrm
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
ProductName
ProductVersion
Property is read-only
Property %s does not exist
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
vKZe
VS_VERSION_INFO
04}1]l
_0NjvTJb2kMMngZ@16
:0 W3c}
16:03V27:
16UHsm3@16
=:1f6t
'2T_|,
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
_^3cxL6
:3P(v9
3QjUyjXE
4UNMRd
4x88_M
5lc	5-
:6x6z/b
6[*>zS
7D{YBh
7*#@Ic
8@8^cFd
	8@y<>Q
9M@qSs
"A~!2f{
)%a9L= 
Ac;DvD
ADdldOX
A.DUMU
\ag25v
bkY8]V
__=^?C
&caBoH
c=K=lE
CloseHandle
CompareStringA
CP6061
cPR?3{?j$
CreateEventA
CscZhM@20
CWY&r3
Cx_F	:m<
@.data
db9PZht92QSrK@8
?	Df)>
dOlS~Hv)7
DrawMenuBar
%ECLSO
#Egvp!
$ejVe)
){E?l7
E>MFf+
?E.r08
?[f4mF
fF$;-F
}f}Is=
(Fn6!.
F<P?Q=
G2\j6I
G98x654
GetKeyboardLayout
GetKeyboardLayoutNameA
GetKeyboardState
GetKeyNameTextA
GetKeyState
^]GImT
g:;Q&{S
grN5&g2
!H^^G%~
Hh	h!%
I70ma;}*
[ (J6F
jIVbxl
jjKtZn
jpXjoO6xQIKjh
k1vPQ7p2
#K$	3;
K9ksIhds
kernel32.dll
[KERNWL
>kokkl
k( SfY
K Windows setup yrm
K\XmAQ
LbGdFe0
l\kcd!
LoadLibraryA
LosdJib
l(QKOQ
_mA3BS1Q3@20
mAL38G
<#*MdQc
mIvT:/E
miZhng
M\J8f4R3
Msd!(:Hu
mX5hog
|M}Yso
nn!~R0I Y+P
&.n &p2
nu.Z[9
oTWDiMc5eR7
PfQRT>
P'!	H<
PR8>~0
\Pt4ZR?
;pvSyB%
Q2xWRiz
~@q6@2
[@Qm6t
/r3	y5O
r5+hV9
ra,B^VW
`.rdata
RDPVUQT2
re9Wh>B
r	M}&^
shell32
shell32.dll
Shell_NotifyIconW
SHFileOperationA
SHGetDesktopFolder
SHGetDiskFreeSpaceA
SHGetFolderPathA
s]	(Pi0
SRQPWja
t2sM__=F
<T>3hQcsi
tet,.d
This program must be run under Win32
TijkCo
TIWZ9] 
${,=tLcu
+tOy/9K
tUOK!+
t|v9UF
u+91N'9
u+=M<ZE
USER32.dll
UWW!;v~
Vf(SeKD	Q
vHhr'/n
VirtualAllocEx
[vT:;D
VWg*r4
Wg3lKei
wh)^G5Ep
W&LA\ ??
`-W?u=
W YCha
X4bUD9
xK;J{u
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
Y9_Nvp
Y&&|~B
YbQ5fX
Y!n^#X
YPS^7|
YWp)t]
zbtxfe
zy][cl