HPsus/FakeAV-G exhibits the following characteristics:
File Information
- Size: 232K
- SHA-1: 4febcc17e55a1268109b0154dcc7353a68aaf055
- MD5: bf8618e17b4c465a90bc07701905d052
- CRC-32: d957b5cf
- File type: application/x-ms-dos-executable
- First seen: 2011-05-09
Other vendor detection
- Kaspersky: Trojan.Win32.FakeAV.cxqh
Runtime Analysis
Copies Itself To
- c:\Documents and Settings\test user\Local Settings\Application Data\xdq.exe
Dropped Files
- c:\Documents and Settings\test user\Local Settings\Temp\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
- c:\Documents and Settings\test user\Local Settings\Application Data\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
- c:\Documents and Settings\test user\Templates\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
- C:\Documents and Settings\All Users\Application Data\es0v8xboo748v041hxju0phbb8ut5ykw2fm58
All four dropped files are identical copies (same size and hashes):
- Size: 3.6K
- SHA-1: 7323ae1adb31bc511f01757d6181c53d238df557
- MD5: eaf12b30f8e626b3c24beb7921663d72
- CRC-32: e9e68b12
- File type: application/octet-stream
- First seen: 2011-05-11
Modified Files
- %PROFILE%\Local Settings\Application Data\GDIPFONTCACHEV1.DAT (file contents changed)
Registry Keys Created
- HKCU_Classes\exefile\shell\runas\command
  - (Default) = "%1" %*
- HKCU_Classes\exefile\shell\open\command
  - (Default) = "c:\test_item.exe" -a "%1" %*
- HKCU_Classes\exefile
  - Content Type = application/x-msdownload
- HKCU\Software\Classes\exefile
  - (Default) = Application
- HKCU\Software\Classes\exefile\shell\open\command
  - IsolatedCommand = "%1" %*
- HKCU\Software\Classes\.exe\DefaultIcon
  - (Default) = %1
- HKCU_Classes\.exe\shell\open\command
  - (Default) = "c:\test_item.exe" -a "%1" %*
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
  - DisableNotifications = 0x00000001
- HKCU\Software\Microsoft\Windows
  - Identity = 0x3cd16d78
- HKCU\Software\Classes\exefile\shell\runas\command
  - IsolatedCommand = "%1" %*
- HKCU\Software\Classes\.exe\shell\open\command
  - IsolatedCommand = "%1" %*
- HKCU_Classes\exefile\DefaultIcon
  - (Default) = %1
- HKCU\Software\Classes\.exe\shell\runas\command
  - IsolatedCommand = "%1" %*
- HKCU_Classes\.exe\shell\runas\command
  - IsolatedCommand = "%1" %*
- HKCU_Classes\.exe
  - (Default) = exefile
- HKCU\Software\Classes\.exe
  - (Default) = exefile
- HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
  - DisableNotifications = 0x00000001
Registry Keys Modified
- HKLM\SOFTWARE\Clients\StartMenuInternet\IEXPLORE.EXE\shell\open\command
  - (Default) = "c:\sample.exe" -a "C:\Program Files\Intern
- HKLM\SOFTWARE\Microsoft\Security Center
  - FirewallOverride = 0x00000001
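The registry keys above implement a per-user hijack of the .exe file association. HKCU\Software\Classes is merged into HKEY_CLASSES_ROOT ahead of HKLM\Software\Classes, so defining `.exe -> exefile` and setting `exefile\shell\open\command` to `"<malware>" -a "%1" %*` under HKCU means every program the user starts launches the malware first, with the requested executable passed as an argument, and this needs no administrative rights. The paths `c:\test_item.exe` and `c:\sample.exe` are the analysis system's names for the sample, so a check has to key on the handler differing from the clean `"%1" %*` rather than on a filename. The FirewallPolicy and Security Center values suppress the alerts that would otherwise draw attention to the outbound connections listed below. The following Python is an added example, not part of this report: it parses a `reg export` dump offline and flags these indicators. The .reg text it runs on is constructed from the listing above.

```python
"""Offline check for the .exe association hijack and firewall-alert tampering
listed above, run against the text of a `reg export` dump (example code added
to this report, not part of it; the .reg text below is constructed)."""
import re

# Constructed from the listing: what `reg export` of the touched keys looks
# like after the sample ran. c:\test_item.exe is the analysis system's name
# for the sample, not a fixed filename to match on.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\.exe]
@="exefile"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"c:\\test_item.exe\" -a \"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\runas\command]
@="\"%1\" %*"
"IsolatedCommand"="\"%1\" %*"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"DisableNotifications"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallOverride"=dword:00000001
'''

# Constructed clean counterpart: the handler Windows itself uses for exefile.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command]
@="\"%1\" %*"
'''

CLEAN_EXE_COMMAND = '"%1" %*'
_VALUE_RE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')


def _unescape(s):
    """Undo .reg string escaping: a backslash quotes the next character."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text):
    """Parse the .reg subset `reg export` emits: [key] headers, @= defaults,
    "name"="string" and "name"=dword:hex values. Returns {key: {name: value}}
    with '' as the name of the (Default) value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('Windows Registry Editor', 'REGEDIT4')):
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name = '' if m.group(1) == '@' else _unescape(m.group(2))
        data = m.group(3)
        if data.startswith('dword:'):
            value = int(data[len('dword:'):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = _unescape(data[1:-1])
        else:
            value = data  # hex:/expand-string values kept raw; not needed here
        keys[current][name] = value
    return keys


def check(keys):
    """Return human-readable findings for the indicators in the report."""
    findings = []
    handler_keys = ('\\SHELL\\OPEN\\COMMAND', '\\SHELL\\RUNAS\\COMMAND')
    for key, values in keys.items():
        k = key.upper()
        if k.startswith('HKEY_CURRENT_USER\\SOFTWARE\\CLASSES\\'):
            # HKCU\Software\Classes shadows HKLM in the merged HKCR view, so a
            # per-user definition of .exe or exefile is itself a red flag.
            if k.endswith('\\.EXE') and values.get('') == 'exefile':
                findings.append(f'{key}: per-user .exe -> exefile mapping shadows HKLM')
            if ('\\EXEFILE\\' in k or '\\.EXE\\' in k) and k.endswith(handler_keys):
                for name in ('', 'IsolatedCommand'):
                    cmd = values.get(name)
                    if cmd is not None and cmd != CLEAN_EXE_COMMAND:
                        findings.append(f'{key} [{name or "(Default)"}]: .exe handler redirected to {cmd}')
        if (k.endswith(('\\FIREWALLPOLICY\\STANDARDPROFILE', '\\FIREWALLPOLICY\\DOMAINPROFILE'))
                and values.get('DisableNotifications') == 1):
            findings.append(f'{key}: firewall notifications disabled')
        if k.endswith('\\MICROSOFT\\SECURITY CENTER') and values.get('FirewallOverride') == 1:
            findings.append(f'{key}: Security Center firewall alerting overridden')
    return findings


def hijack_binary(keys):
    """Path of the program the per-user exefile open handler points at, or
    None when the handler is clean or absent."""
    for key, values in keys.items():
        k = key.upper()
        if k.startswith('HKEY_CURRENT_USER') and k.endswith('\\EXEFILE\\SHELL\\OPEN\\COMMAND'):
            cmd = values.get('')
            if cmd and cmd != CLEAN_EXE_COMMAND:
                m = re.match(r'"([^"]+)"', cmd)
                return m.group(1) if m else cmd.split()[0]
    return None


if __name__ == '__main__':
    parsed = parse_reg(SAMPLE_REG)
    print('redirected to:', hijack_binary(parsed))
    for finding in check(parsed):
        print('-', finding)
```

On a live host the same dump is produced with `reg export HKCU\Software\Classes classes.reg` and the two HKLM keys exported alongside it; the check deliberately compares against the clean handler string instead of the sandbox filename, because the binary name will differ on a victim (the sample copies itself to xdq.exe in Local Settings\Application Data, per the runtime analysis above).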
HTTP Requests
- http://jidizakecuho.com/1007000313
- http://lenefexejagoka.com/1007000313
- http://varolowuqiz.com/1007000313
DNS Requests
- benypatubeqil.com
- bujycuvoh.com
- byruloqoxybed.com
- cukumoqurehuj.com
- dopifoqetucol.com
- dugecafajibox.com
- fakukabucom.com
- firosafemone.com
- gubebyzosibec.com
- hafapuqyse.com
- hazovagugaze.com
- hejyrabovafy.com
- hiqalotajadyfa.com
- hovucytoc.com
- jidizakecuho.com
- jimelyrigupita.com
- kecupegirekak.com
- kyrisapizopu.com
- lenefexejagoka.com
- mowecysowo.com
- nekehibyfahuf.com
- pogavoliqamyb.com
- pojizocimovi.com
- qisupikux.com
- takewijejex.com
- varolowuqiz.com
- vilohezejybyz.com
- wakuxyvofa.com
- wenisekybe.com
- wurokalawysusa.com
- wywenybazyxyq.com
- xepomumab.com
- xijifilunaq.com
- zuzusutity.com