Analysis Date: 2015-01-06 11:28:16
MD5: 31faa38f85eec992a9d9f7778f203f80
SHA1: fac9761186b8ee00416cf8b762d58be30f5b1fb3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 5123aa106b5f34c008ec697879ef4f81 sha1: 5fadb264866c2b024b295807ee9edbb87cdac063 size: 12288
Section .rdata: md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .data: md5: 9935a9c75e840edb709f41532b22176b sha1: 5c21a7f5403161e172cbee77c4b8f24ef72883d2 size: 112128
Section .rsrc: md5: 19117b1d314e5905fd7fb899a79f8064 sha1: ae4df4c9e995e73acc8cf9669075ef92c13ce57f size: 5120
Timestamp: 2009-04-19 03:16:21
Version:
LegalCopyright: Copyright © 2010 f PC Tools. All rights reserved. Ij
InternalName: damaz72
FileVersion: 7.0.0.61
CompanyName: PC Tools
LegalTrademarks:
Comments:
ProductName: 6Z lN
ProductVersion: 7.0.0.61
FileDescription: CSpyware Doctor ComponentyF
OriginalFilename: damaz72
PEhash: 72db67a9e99a8e2d2a5b1b01e35b1a7dc8e4b026
IMPhash: 7adbf4fdfef9e936423f9e69b6f564a1
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Heur.IPZ.7
AV Alwil (avast): MalOb-IJ [Cryp]
AV Arcabit (arcavir): Gen:Heur.IPZ.7
AV Authentium: W32/FakeAlert.KN.gen!Eldorado
AV Avira (antivir): TR/Kazy.RD
AV BullGuard: Gen:Heur.IPZ.7
AV CA (E-Trust Ino): Win32/Renos.D!generic
AV CAT (quickheal): Trojan.Renos.LN
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader2.37329
AV Emsisoft: Gen:Heur.IPZ.7
AV Eset (nod32): Win32/Kryptik.AEUK
AV Fortinet: W32/Krypt.QKV!tr
AV Frisk (f-prot): W32/FakeAlert.KN.gen!Eldorado
AV F-Secure: Gen:Heur.IPZ.7
AV Grisoft (avg): Win32/Cryptor
AV Ikarus: Trojan-Downloader.SuspectCRC
AV K7: Trojan ( 002456451 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.Downloader
AV Mcafee: Downloader-CEW.ap
AV Microsoft Security Essentials: TrojanDownloader:Win32/Renos.LX
AV MicroWorld (escan): Gen:Heur.IPZ.7
AV Rising: Trojan.Win32.Generic.1285FA39
AV Sophos: Mal/FakeAV-IZ
AV Symantec: Trojan.FakeAV!gen52
AV Trend Micro: TROJ_RENOS.SMRK
AV VirusBlokAda (vba32): Malware-Cryptor.Limpopo

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\malware.exe
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\0ESKOMO9JO ➝ C:\malware.exe
Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\\\x03\1601 ➝ NULL
Registry: HKEY_CURRENT_USER\Software\0ESKOMO9JO\OteH ➝ xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\WINDOWS\Tasks\{22116563-108C-42c0-A7CE-60161B75E508}.job
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\{F5CC5A0A-B9E5-411f-BF7E-EACE3BBC2BF1}
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {A14B1A1D-023F-40dc-BBFE-208B1DAD2F82}
Winsock DNS: lacvictoria.com
Winsock DNS: qqplot.com

Network Details:

DNS: wsj.com
Type: A
205.203.140.1
DNS: wsj.com
Type: A
205.203.140.65
DNS: wsj.com
Type: A
205.203.132.1
DNS: wsj.com
Type: A
205.203.132.65
DNS: fastclick.com
Type: A
64.156.167.84
DNS: nifty.com
Type: A
210.131.4.217
DNS: qqplot.com
Type: A
109.74.195.149
DNS: lacvictoria.com
Type: A
DNS: paulo-fg.com
Type: A
DNS: bonreligion.com
Type: A
HTTP POST: http://qqplot.com/borders.php
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Flows TCP: 192.168.1.1:1031 ➝ 109.74.195.149:80

Strings
._.D
.
..
.
.
p
D.
.

040904E4
 2010 f PC Tools.  All rights reserved. Ij
6Z lN
7.0.0.61
7XPS
aHJkZH
BBABORT
Cannot open file "%s". %s
CklzJ
Comments
CompanyName
Copyright 
CSpyware Doctor ComponentyF
damaz72
DVCLAL
Error reading %s%s%s: %s
Failed to get data for '%s'
FileDescription
FileVersion
InternalName
Invalid argument to date encode
Invalid argument to time encode
Invalid data type for '%s' List capacity out of bounds (%d)
Invalid property element: %s
Invalid property path
Invalid property type: %s
Invalid property value
Invalid stream format$''%s'' is not a valid component name
LegalCopyright
LegalTrademarks
List count out of bounds (%d)
List index out of bounds (%d)+Out of memory while expanding memory stream
MS Sans Serif
OLE error %.8x.Method '%s' not supported by automation object/Variant does not reference an automation object7Dispatch methods do not support more than 64 parameters!'%s' is not a valid integer value('%s' is not a valid floating point value
OriginalFilename
Out of memory
PC Tools
ProductName
ProductVersion
Property is read-only
Property %s does not exist
QkSY
QPBm
Resource %s not found
%s.Seek not implemented$Operation not allowed on sorted list$%s not in a class registration group
Stream read error
Stream write error
StringFileInfo
TEXTFILEDLG
Translation
VarFileInfo
VS_VERSION_INFO
0d9>\Dh
(0K+8$l
0QBE8d
1My:Ey
1X2ioK
2UPz5bIR
2Yfs0Q
30e(#j`e
32NaxQO
33333333?333333
333333333333333333
3333333333333338
3333339
333338
33333833
333838
3)6{Ik
3e`^iko13\
?3hc(aV
44;xd,
^4]B}c
4g9V<D
^4 .Gl
4pfrivv
4SwuBs
5K;y+A
5(>tqY6
6?Ok9Aq
6XwdAk
6ZEk[\
7Gkpa`Q0V)
7IY1SzUv
7@\S8WB
7&SXhF*
8c-^jH
8JNgDq
8LN#t-<O
8 _\w"4
)[\#9A
9eY%.z-
_9^(u!
_a6LRLJui7PLCT6@16
AbeXf)_
/aCKO)
@ADBqY
#AkkX_
'ao&rXs
_ATD0i@12
_BagV9rrn9
B=)~)c
BM*e:+
bP}P1}
C9^6/u
CreatePopupMenu
CRmkqnpTu
czlybbpjD@4
damaz72
@.data
di"W)|
D'KrGKs
dY|	W0f
Eb3IB9
Edm.vRm
em-ErC
Eo1rmle
e@U\N2eC!
ExitProcess
F039}%r
f9cWMt
F[#r\}\#
/fvY:Z:
&G#3]B
,G9+7654k
GC4b{M
)Gc9j>
GetActiveWindow
GetCapture
GetCurrentThreadId
GetCursor
GetMenu
GetSystemDefaultLangID
GetThreadLocale
GetTickC
GetWindow
GetWindowDC
@GQd4o
gsdV"g
g?;,YWz
	=h">|
;HimgIa
Hshlwapi
/huS3.
I9qqmsc
IDQAOC
IFZyu7
}imX-E
it]C_t
j7fbPKD
"<^Jc8
jX FkX:
JYL!QK
K095]b	
k36r6j
KERNEL32.dll
k<Mwg'4
!L<[,',N
LnXVg{PGx
LoadIconA
LoadLibraryA
/lp@_-x
lstrlenA
m95L[v{
Mo7ul5H
~mSa~C
MSICP60
n1,kF7
~N?F%w
o0k6V{
O4+T.z
oc sBId
od5OUf4
@=OdRd>S>
OHY`2	
Os <R*H:
ow$L	X
Oy"\c1
)p+3h38B
@.P#56
pFi t&VC
ph{7^&
P'RYXz]
-->$.q
(q(2/0@g
q\|%bv
QL^A6:
qOy{%}
r0]||(
`.rdata
:rL]{i
Rr(9K_
s'Bn} 
SetScrollPos
SetScrollRange
'SnIbc
Su\AMO^
SUbHy`>
T44Nr72
t4rWPLn
>t'Fij
This program must be run under Win32
tI9cgWJ0sl
tIwQy_
tM	Lj%Wo
tU[0A|
[T#u9s
tVyCj5
U0MVdlK
UG3Ibf
U%Rj%E
Us3rD1f
user32.dll
'u~sgO
u>v#Kp
uY|31D
VDKpxw
VirtualAlloc
v T5KsX
Vv765eE
We9p]$
$we/pc
W$o][G
X,CJzJ
\	{Xe-
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
x]O!cf
xWT]e7
Y{:CS+
\Y!i\V
Y/Nj$-o
)y_	_v
y^Xu_u@^
ZrB@Y2