Examples of HPsus/FakAV-OZ include:
Example 1
File Information
- Size: 340K
- SHA-1: 5aeaa9746707599d8fd312fbc37128e1ead82ec8
- MD5: a9e67a2cc27c2cf71ef72f8bdf0a0d7c
- CRC-32: c3e84258
- File type: application/x-ms-dos-executable
- First seen: 2012-06-27
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Local Settings\Temp\YcJCC5BmAHL5DC.exe.tmp
Example 2
File Information
- Size: 250K
- SHA-1: 60abc5a5c1114bf4741eceeb24024be5544b274d
- MD5: 0a7f981ac768d06583e17e35a3f49e6e
- CRC-32: 8fd20f6f
- File type: application/x-ms-dos-executable
- First seen: 2012-06-27
Runtime Analysis
Copies Itself To
- C:\Documents and Settings\All Users\Application Data\yMO,jkm5=oRf^54s.exe
Dropped Files
- c:\Documents and Settings\test user\Start Menu\Programs\Data Recovery\Data Recovery.lnk
  - Size: 859
  - SHA-1: b6204a205c8e7680a092305ec7e0ff0145761a1c
  - MD5: c77d5dc214b9ea815e33d3c6647eb5ee
  - CRC-32: da3bdf4b
  - File type: Windows Shortcut file (.LNK)
  - First seen: 2012-06-28
- c:\Documents and Settings\test user\Application Data\Microsoft\Internet Explorer\Quick Launch\Data_Recovery.lnk
  - Size: 865
  - SHA-1: 325f0489edb0d75dfadc0b4677a9244184681766
  - MD5: c1c4295c907c66e95081f659250eea21
  - CRC-32: 88a1902b
  - File type: Windows Shortcut file (.LNK)
  - First seen: 2012-06-28
- c:\Documents and Settings\test user\Start Menu\Programs\Data Recovery\Uninstall Data Recovery.lnk
  - Size: 931
  - SHA-1: 4607416cd66f6bc5c7027f70a50f5c8812f4ed1f
  - MD5: 103a47e59ef7f07ff6a95054ec396f64
  - CRC-32: 921b01c6
  - File type: Windows Shortcut file (.LNK)
  - First seen: 2012-06-28
- C:\Documents and Settings\All Users\Application Data\yMO,jkm5=oRf^54s
  - Size: 256
  - SHA-1: fcf9b546afe2a3304fe7554380f91c5236fcf8f3
  - MD5: f851529cb4329e85b40e2bb4c695cba3
  - CRC-32: 24e948e5
  - File type: Unspecified binary - probably data
  - First seen: 2012-06-28
- c:\Documents and Settings\test user\Desktop\Data_Recovery.lnk
  - Size: 847
  - SHA-1: fa8c6b43bef2cc1447f1110f59ad4cb8975a7050
  - MD5: 92e98a7eed0770566d29cfdcc1e1439c
  - CRC-32: d8aac3f7
  - File type: Windows Shortcut file (.LNK)
  - First seen: 2012-06-28
- C:\Documents and Settings\All Users\Application Data\-yMO,jkm5=oRf^54sr
  - Size: 136
  - SHA-1: 8f8baec008b5a3bbeb0bcd9489ef909cc97def40
  - MD5: 77714cdd815539cae862bb2c26a9827d
  - CRC-32: 6c8c222b
  - File type: Unspecified binary - probably data
  - First seen: 2012-06-27
Registry Keys Created
- HKCU\Software\Microsoft\Internet Explorer\Main
  - Use FormSuggest: Yes
- HKLM\SOFTWARE\Microsoft\ESENT\Process\yMO,jkm5=oRf^54s\DEBUG
  - Trace Level
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments
  - SaveZoneInformation: 0x00000001
- HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings
  - CertificateRevocation: 0x00000000
Registry Keys Modified
- HKCU\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing
  - State: 0x00023e00
- HKCU\Software\Microsoft\Internet Explorer\Download
  - CheckExeSignatures: no
- HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Associations
  - LowRiskFileTypes: .zip;.rar;.nfo;.txt;.exe;.bat;.com;.cmd;.reg;.msi;.htm;.html;.gif;.bmp;.jpg;.avi;.mpg;.mpeg;.mov;.mp3;.m3u;.wav;.scr;
Processes Created
- c:\docume~1\alluse~1\applic~1\ymo,jkm5=orf^54s.exe
HTTP Requests
- http://cathedralro.com/support/s
- http://latinbuinesc.com/support/s
- http://latinbuinesc.com/support/sr
- http://lightclubin.com/s.php
DNS Requests
- cathedralro.com
- latinbuinesc.com
- lightclubin.com