Analysis | #totalhash

Analysis Date	2015-11-10 19:19:36
MD5	46d62bbec8720ac0e80c8779245942d2
SHA1	281040d009b26b14968d7fb5adc9c1c0c9da071a

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 3f41aa5bfe463f1e0d63883232ecc949 sha1: b442b1bbd0a4e43f5059bc4e11bffe1f4b0e861a size: 1167872
Section	.rdata md5: d622d16f879a358c7273577a490160ea sha1: 1bea0bd8371b1316ea7f7bea9d1d1653c96ef22a size: 291328
Section	.data md5: 7bf1e97b96ca43823e84a75de24213ce sha1: a56a5da8d893baf434a308dae000a1811273570f size: 8192
Section	.reloc md5: 090ef579b8604865edea86c8c5bce090 sha1: 3f19c403c146c1e562bc000a115a197ce1c3480b size: 145408
Timestamp	2015-05-11 04:49:17
Packer	VC8 -> Microsoft Corporation
PEhash	1d931c9e90e8f614c3dbbcba2fa191e2c737a0d0
IMPhash	b72df0fa0e8d9de268597f0c29fdf11d
AV	CA (E-Trust Ino)	No Virus
AV	CA (E-Trust Ino)	No Virus
AV	Rising	No Virus
AV	Mcafee	Trojan-FGIJ!46D62BBEC872
AV	Avira (antivir)	TR/Crypt.Xpack.310763
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Kazy.611782
AV	Alwil (avast)	Dropper-OJQ [Drp]
AV	Eset (nod32)	Win32/Bayrob.Y
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Bayrob.X!tr
AV	BitDefender	Gen:Variant.Kazy.611782
AV	K7	Trojan ( 004c77f41 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.BN
AV	MicroWorld (escan)	Gen:Variant.Kazy.611782
AV	MalwareBytes	No Virus
AV	Authentium	W32/SoxGrave.A.gen!Eldorado
AV	Frisk (f-prot)	No Virus
AV	Ikarus	Trojan.Win32.Bayrob
AV	Emsisoft	Gen:Variant.Kazy.611782
AV	Zillya!	No Virus
AV	Kaspersky	Trojan.Win32.Generic
AV	Trend Micro	No Virus
AV	CAT (quickheal)	No Virus
AV	VirusBlokAda (vba32)	No Virus
AV	Padvish	No Virus
AV	BullGuard	Gen:Variant.Kazy.611782
AV	Arcabit (arcavir)	Gen:Variant.Kazy.611782
AV	ClamAV	No Virus
AV	Dr. Web	Trojan.Bayrob.5
AV	F-Secure	Gen:Variant.Kazy.611782
AV	Rising	No Virus
AV	Mcafee	Trojan-FGIJ!46D62BBEC872
AV	Avira (antivir)	TR/Crypt.Xpack.310763
AV	Twister	No Virus
AV	Ad-Aware	Gen:Variant.Kazy.611782
AV	Alwil (avast)	Dropper-OJQ [Drp]
AV	Eset (nod32)	Win32/Bayrob.Y
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Bayrob.X!tr
AV	BitDefender	Gen:Variant.Kazy.611782
AV	K7	Trojan ( 004c77f41 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.BN
AV	MicroWorld (escan)	Gen:Variant.Kazy.611782
AV	MalwareBytes	No Virus
AV	Authentium	W32/SoxGrave.A.gen!Eldorado
AV	Frisk (f-prot)	No Virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\WINDOWS\system32\pswaiiaiufr\tst
Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\aw1lwsk1lj6toijezhe3n.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ActiveX Awareness Locator Spooler Media ➝ C:\WINDOWS\system32\nmhkkfg.exe
Creates File	C:\WINDOWS\system32\pswaiiaiufr\tst
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\nmhkkfg.exe
Creates File	C:\WINDOWS\system32\pswaiiaiufr\etc
Creates File	C:\WINDOWS\system32\pswaiiaiufr\lck
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\nmhkkfg.exe
Creates Service	Config Biometric DCOM Transfer - C:\WINDOWS\system32\nmhkkfg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File	WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\system32\nmhkkfg.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\pswaiiaiufr\run
Creates File	C:\WINDOWS\system32\pswaiiaiufr\tst
Creates File	C:\WINDOWS\system32\pswaiiaiufr\cfg
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\pswaiiaiufr\rng
Creates File	C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\qoknxdhqk.exe
Creates File	C:\WINDOWS\system32\pswaiiaiufr\lck
Creates Process	WATCHDOGPROC "c:\windows\system32\nmhkkfg.exe"
Creates Process	C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe -r 27798 tcp

Process
↳ C:\WINDOWS\system32\nmhkkfg.exe

Creates File	C:\WINDOWS\system32\pswaiiaiufr\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\nmhkkfg.exe"

Creates File	C:\WINDOWS\system32\pswaiiaiufr\tst

Process
↳ C:\WINDOWS\TEMP\aw1lwsk1ssgtoij.exe -r 27798 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	recordsoldier.net Type: A 208.91.197.241
DNS	fliersurprise.net Type: A 208.91.197.241
DNS	historybright.net Type: A 208.91.197.241
DNS	chiefsoldier.net Type: A 208.91.197.241
DNS	classsurprise.net Type: A 208.91.197.241
DNS	thosecontinue.net Type: A 208.91.197.241
DNS	throughcontain.net Type: A 208.91.197.241
DNS	belongguard.net Type: A 208.91.197.241
DNS	maybellinethaddeus.net Type: A 208.91.197.241
DNS	kimberleyshavonne.net Type: A 208.91.197.241
DNS	naildeep.com Type: A 74.220.215.218
DNS	riddenstorm.net Type: A 66.147.240.171
DNS	destroystorm.net Type: A 216.239.138.86
DNS	hairhour.net Type: A 184.168.221.45
DNS	musichour.net Type: A 202.172.28.105
DNS	frontcompe.net Type: A 195.22.26.248
DNS	frontfell.net Type: A 195.22.28.199
DNS	frontfell.net Type: A 195.22.28.196
DNS	frontfell.net Type: A 195.22.28.197
DNS	frontfell.net Type: A 195.22.28.198
DNS	frontcount.net Type: A 195.22.26.248
DNS	offercount.net Type: A 208.100.26.234
DNS	hanghour.net Type: A 184.168.221.60
DNS	rockfell.net Type: A 213.186.33.5
DNS	musicleft.net Type: A 8.5.1.51
DNS	husbandfound.net Type: A
DNS	leadershort.net Type: A
DNS	eggbraker.com Type: A
DNS	ithouneed.com Type: A
DNS	mademarch.net Type: A
DNS	wrongdish.net Type: A
DNS	madedish.net Type: A
DNS	wrongjuly.net Type: A
DNS	madejuly.net Type: A
DNS	humancompe.net Type: A
DNS	haircompe.net Type: A
DNS	humanhour.net Type: A
DNS	humanfell.net Type: A
DNS	hairfell.net Type: A
DNS	humancount.net Type: A
DNS	haircount.net Type: A
DNS	yardcompe.net Type: A
DNS	musiccompe.net Type: A
DNS	yardhour.net Type: A
DNS	yardfell.net Type: A
DNS	musicfell.net Type: A
DNS	yardcount.net Type: A
DNS	musiccount.net Type: A
DNS	wentcompe.net Type: A
DNS	spendcompe.net Type: A
DNS	wenthour.net Type: A
DNS	spendhour.net Type: A
DNS	wentfell.net Type: A
DNS	spendfell.net Type: A
DNS	wentcount.net Type: A
DNS	spendcount.net Type: A
DNS	offercompe.net Type: A
DNS	fronthour.net Type: A
DNS	offerhour.net Type: A
DNS	offerfell.net Type: A
DNS	hangcompe.net Type: A
DNS	septembercompe.net Type: A
DNS	septemberhour.net Type: A
DNS	hangfell.net Type: A
DNS	septemberfell.net Type: A
DNS	hangcount.net Type: A
DNS	septembercount.net Type: A
DNS	joincompe.net Type: A
DNS	wishcompe.net Type: A
DNS	joinhour.net Type: A
DNS	wishhour.net Type: A
DNS	joinfell.net Type: A
DNS	wishfell.net Type: A
DNS	joincount.net Type: A
DNS	wishcount.net Type: A
DNS	deadcompe.net Type: A
DNS	rockcompe.net Type: A
DNS	deadhour.net Type: A
DNS	rockhour.net Type: A
DNS	deadfell.net Type: A
DNS	deadcount.net Type: A
DNS	rockcount.net Type: A
DNS	wrongcompe.net Type: A
DNS	madecompe.net Type: A
DNS	wronghour.net Type: A
DNS	madehour.net Type: A
DNS	wrongfell.net Type: A
DNS	madefell.net Type: A
DNS	wrongcount.net Type: A
DNS	madecount.net Type: A
DNS	humanhope.net Type: A
DNS	hairhope.net Type: A
DNS	humanleft.net Type: A
DNS	hairleft.net Type: A
DNS	humanthirteen.net Type: A
DNS	hairthirteen.net Type: A
DNS	humanhurry.net Type: A
DNS	hairhurry.net Type: A
DNS	yardhope.net Type: A
DNS	musichope.net Type: A
DNS	yardleft.net Type: A
DNS	yardthirteen.net Type: A
DNS	musicthirteen.net Type: A
DNS	yardhurry.net Type: A
DNS	musichurry.net Type: A
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://hairhour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://musichour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://frontcompe.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://frontfell.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://frontcount.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://offercount.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://hanghour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://rockfell.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://musicleft.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://recordsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://fliersurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://historybright.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://chiefsoldier.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://classsurprise.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://thosecontinue.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://throughcontain.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://belongguard.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://maybellinethaddeus.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://kimberleyshavonne.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://naildeep.com/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://riddenstorm.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://destroystorm.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://hairhour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://musichour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://frontcompe.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://frontfell.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://frontcount.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://offercount.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://hanghour.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://rockfell.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
HTTP GET	http://musicleft.net/index.php?method=validate&mode=sox&v=050&sox=4fce7e00&lenhdr User-Agent:
Flows TCP	192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1041 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1044 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1046 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1047 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1048 ➝ 66.147.240.171:80
Flows TCP	192.168.1.1:1049 ➝ 216.239.138.86:80
Flows TCP	192.168.1.1:1050 ➝ 184.168.221.45:80
Flows TCP	192.168.1.1:1051 ➝ 202.172.28.105:80
Flows TCP	192.168.1.1:1052 ➝ 195.22.26.248:80
Flows TCP	192.168.1.1:1053 ➝ 195.22.28.199:80
Flows TCP	192.168.1.1:1054 ➝ 195.22.26.248:80
Flows TCP	192.168.1.1:1055 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1056 ➝ 184.168.221.60:80
Flows TCP	192.168.1.1:1057 ➝ 213.186.33.5:80
Flows TCP	192.168.1.1:1058 ➝ 8.5.1.51:80
Flows TCP	192.168.1.1:1059 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1060 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1061 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1062 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1063 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1064 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1065 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1068 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1069 ➝ 74.220.215.218:80
Flows TCP	192.168.1.1:1070 ➝ 66.147.240.171:80
Flows TCP	192.168.1.1:1071 ➝ 216.239.138.86:80
Flows TCP	192.168.1.1:1072 ➝ 184.168.221.45:80
Flows TCP	192.168.1.1:1073 ➝ 202.172.28.105:80
Flows TCP	192.168.1.1:1074 ➝ 195.22.26.248:80
Flows TCP	192.168.1.1:1075 ➝ 195.22.28.199:80
Flows TCP	192.168.1.1:1076 ➝ 195.22.26.248:80
Flows TCP	192.168.1.1:1077 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1078 ➝ 184.168.221.60:80
Flows TCP	192.168.1.1:1079 ➝ 213.186.33.5:80
Flows TCP	192.168.1.1:1080 ➝ 8.5.1.51:80

Raw Pcap

Strings