Analysis Date: 2015-11-10 19:19:36
MD5: 46d62bbec8720ac0e80c8779245942d2
SHA1: 281040d009b26b14968d7fb5adc9c1c0c9da071a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 3f41aa5bfe463f1e0d63883232ecc949  sha1: b442b1bbd0a4e43f5059bc4e11bffe1f4b0e861a  size: 1167872
Section .rdata  md5: d622d16f879a358c7273577a490160ea  sha1: 1bea0bd8371b1316ea7f7bea9d1d1653c96ef22a  size: 291328
Section .data  md5: 7bf1e97b96ca43823e84a75de24213ce  sha1: a56a5da8d893baf434a308dae000a1811273570f  size: 8192
Section .reloc  md5: 090ef579b8604865edea86c8c5bce090  sha1: 3f19c403c146c1e562bc000a115a197ce1c3480b  size: 145408
Timestamp: 2015-05-11 04:49:17
Packer: VC8 -> Microsoft Corporation
PEhash: 1d931c9e90e8f614c3dbbcba2fa191e2c737a0d0
IMPhash: b72df0fa0e8d9de268597f0c29fdf11d
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FGIJ!46D62BBEC872
AV Avira (antivir): TR/Crypt.Xpack.310763
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Kazy.611782
AV Alwil (avast): Dropper-OJQ [Drp]
AV Eset (nod32): Win32/Bayrob.Y
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Bayrob.X!tr
AV BitDefender: Gen:Variant.Kazy.611782
AV K7: Trojan ( 004c77f41 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.BN
AV MicroWorld (escan): Gen:Variant.Kazy.611782
AV MalwareBytes: No Virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Gen:Variant.Kazy.611782
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Padvish: No Virus
AV BullGuard: Gen:Variant.Kazy.611782
AV Arcabit (arcavir): Gen:Variant.Kazy.611782
AV ClamAV: No Virus
AV Dr. Web: Trojan.Bayrob.5
AV F-Secure: Gen:Variant.Kazy.611782

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\system32\pswaiiaiufr\tst
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX Awareness Locator Spooler Media ➝ C:\WINDOWS\system32\nmhkkfg.exe
Creates File: C:\WINDOWS\system32\pswaiiaiufr\tst
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\nmhkkfg.exe
Creates File: C:\WINDOWS\system32\pswaiiaiufr\etc
Creates File: C:\WINDOWS\system32\pswaiiaiufr\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\nmhkkfg.exe
Creates Service: Config Biometric DCOM Transfer - C:\WINDOWS\system32\nmhkkfg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\nmhkkfg.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\pswaiiaiufr\run
Creates File: C:\WINDOWS\system32\pswaiiaiufr\tst
Creates File: C:\WINDOWS\system32\pswaiiaiufr\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\pswaiiaiufr\rng
Creates File: C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\qoknxdhqk.exe
Creates File: C:\WINDOWS\system32\pswaiiaiufr\lck
Creates Process: WATCHDOGPROC "c:\windows\system32\nmhkkfg.exe"
Creates Process: C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe -r 27798 tcp

Process
↳ C:\WINDOWS\system32\nmhkkfg.exe

Creates File: C:\WINDOWS\system32\pswaiiaiufr\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\nmhkkfg.exe"

Creates File: C:\WINDOWS\system32\pswaiiaiufr\tst

Process
↳ C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe -r 27798 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

