Analysis Date: 2015-12-05 22:28:40
MD5: c2308d9f50cd1e66850c68cfcda1b01f
SHA1: 058b4a5efbef6c27a3c1ef0cedc6f544aa46979a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 7577df5506b0b129531b82f87e45a1ee sha1: 5271fde4a47acfea165aeb10998f09f9649d4519 size: 118272
Section .rdata: md5: 745c1581edecd466749df4d34242c97b sha1: 4d9e1a4609334d2f41763669cac8dc9cee05f1f1 size: 12288
Section .data: md5: e4101a5c9c1d13db814b5d229462336a sha1: 87030a6fca6c503ed9a4dac9bcec66dface45700 size: 27648
Section .rsrc: md5: 0b7347959510d3cc956b771710775ebd sha1: a0cc19c1e548baaec80afc45e780c0c5401344c1 size: 53760
Timestamp: 2015-11-15 13:16:24
Version:
  LegalCopyright: Copyright © 2015 Scooter Software, Inc.
  Subversion Revision: 19761
  FileVersion: 4.0.7.19761
  CompanyName: Scooter Software
  LegalTrademarks: Beyond Compare ® is a registered trademark of Scooter Software, Inc.
  Comments: Beyond Compare 4
  ProductName: Beyond Compare
  ProductVersion: 4.0
  FileDescription: Beyond Compare
  CompileDate: Tuesday, March 03, 2015 03:48 PM
  OriginalFilename: BCompare.exe
Packer: Microsoft Visual C++ ?.?
PEhash: f79d2f580085880ee7045225d9ecca22942809e6
IMPhash: 63705925aa7f7547c9b80b57c509af9e
AV Kaspersky: Trojan.Win32.Generic
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV Grisoft (avg): Crypt5.LYE
AV Mcafee: RDN/Generic.dx
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.Lethic.Gen.9
AV Ikarus: Trojan.Win32.Crypt
AV K7: Trojan ( 004d6d9b1 )
AV MalwareBytes: Spyware.Shifu
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Fortinet: W32/Kryptik.EFLY!tr
AV CAT (quickheal): Worm.Gamarue.r4
AV ClamAV: no_virus
AV Dr. Web: Trojan.Inject2.8897
AV Ad-Aware: Trojan.Lethic.Gen.9
AV Emsisoft: Trojan.Lethic.Gen.9
AV Avira (antivir): TR/Crypt.Xpack.320175
AV Eset (nod32): Win32/Kryptik.EEZS
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV BitDefender: Trojan.Lethic.Gen.9
AV BullGuard: Trojan.Lethic.Gen.9
AV Alwil (avast): Androp [Drp]
AV Authentium: W32/Agent.XL.gen!Eldorado
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\115453
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: and13.dexterwasanicemoviesz1.com
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS: and13.dexterwasanicemoviesz1.com Type: A
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
