Analysis Date: 2016-03-20 07:48:26
MD5: e098acfeeeb6d7b760a3ad7563eaec71
SHA1: 311af5b2b05957ae4d414ded17054b150cc70ab6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: b9cc92303bbf8e00f83049ca8bd802c1 sha1: 04d985535ca8e9a69a78b889b0c7e30bfef205a3 size: 214016
Section .rdata  md5: 5c4b06579959bbde9e1cf9a39b44890c sha1: 99828c2a57a79f7f13ca28f2de76946862313717 size: 17920
Section .data   md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc  md5: b3de36e36e96a23f8c7a3a1527930ee7 sha1: 10cdd71fd8a9c68b0641c54cea6885abc75e5497 size: 40448
Timestamp (PE header): 2016-01-03 13:43:36
PEhash: ba7597caaf85101e586d55bcc31aa712101c593b
IMPhash: d060d7a72c94d4b6e95d477243502efd
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DG
AV Rising: No Virus
AV Mcafee: Trojan-FHOH!E098ACFEEEB6
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Avira (antivir): TR/Crypt.Xpack.436218
AV Ikarus: Trojan.Win32.Bayrob
AV Frisk (f-prot): W32/BayRob.D.gen!Eldorado
AV Authentium: W32/BayRob.D.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.11545
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.11545
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV Symantec: Trojan.Bayrob!gen6
AV BullGuard: Gen:Variant.Razy.11545
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV Fortinet: W32/Bayrob.AQ!tr
AV ClamAV: No Virus
AV BitDefender: Gen:Variant.Razy.11545
AV Dr. Web: No Virus
AV K7: Trojan ( 004db0c61 )
AV F-Secure: Gen:Variant.Razy.11545
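
The per-section md5/sha1/size lines and the PE timestamp above are what a parser recovers from the COFF header and section table; every section size listed is a multiple of 512, consistent with a 512-byte FileAlignment. Two reading notes on the AV column: Nivdort (Microsoft, Quick Heal) and Bayrob (Symantec, ESET, Fortinet, F-Prot, Ikarus) are two vendor names for the same family, and the identical Gen:Variant.Razy.11545 verdicts come from engines built on the BitDefender signature set, so they count as one detection rather than seven. The following is an added example, not code from the report or its sandbox: a stdlib-only Python reader that builds a tiny constructed PE32 (the analysed sample's bytes are not on this page) and hashes each section over SizeOfRawData bytes at PointerToRawData, the way the section lines above are computed. Imphash needs the import directory and is deliberately left out; the sample file's contents and timestamp are constructed here.

```python
import hashlib
import struct
from datetime import datetime, timezone


def digests(data: bytes) -> dict:
    """md5/sha1/sha256 of a byte string, as the report lists them per file and per section."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def analyze_pe(pe: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table and hash each
    section's raw bytes (SizeOfRawData bytes at PointerToRawData)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("missing PE signature")
    # COFF header: Machine, NumberOfSections, TimeDateStamp, ... , SizeOfOptionalHeader
    machine, nsections, timestamp = struct.unpack_from("<HHI", pe, e_lfanew + 4)
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size          # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        blob = pe[raw_ptr:raw_ptr + raw_size]
        if len(blob) != raw_size:
            # A section table pointing past EOF is a malformed/truncated file; say so rather
            # than silently hashing a short blob that would never match another analyst's value.
            raise ValueError(f"section {name!r} claims {raw_size} raw bytes, {len(blob)} present")
        entry = {"name": name.rstrip(b"\x00").decode("ascii", "replace"),
                 "size": raw_size, "virtual_size": vsize, "virtual_address": va}
        entry.update(digests(blob))
        sections.append(entry)
    return {
        "machine": machine,
        "timestamp": datetime.fromtimestamp(timestamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "file": digests(pe),
        "sections": sections,
    }


def build_sample_pe() -> bytes:
    """Constructed minimal PE32 for demonstration; not the sample from the report.
    The timestamp is set to the report's 2016-01-03 13:43:36 UTC (epoch 1451828616)."""
    sections = [(b".text", b"\x55\x8b\xec" * 170 + b"\xc3"),   # 511 bytes, padded to 512
                (b".rdata", b"rdata-bytes" * 20)]               # 220 bytes, padded to 512
    file_align = 0x200
    opt_size = 0xE0                                             # standard PE32 optional header
    dos = b"MZ" + b"\x00" * (0x3C - 2) + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 1451828616, 0, 0, opt_size, 0x0102)
    opt = struct.pack("<H", 0x10B) + b"\x00" * (opt_size - 2)  # only Magic matters here
    headers_len = len(dos) + 4 + len(coff) + len(opt) + 40 * len(sections)
    raw_ptr = (headers_len + file_align - 1) // file_align * file_align
    table, raw = b"", b""
    for name, body in sections:
        raw_size = (len(body) + file_align - 1) // file_align * file_align
        table += struct.pack("<8sIIIIIIHHI", name, len(body), 0x1000, raw_size,
                             raw_ptr + len(raw), 0, 0, 0, 0, 0x60000020)
        raw += body.ljust(raw_size, b"\x00")
    header = (dos + b"PE\x00\x00" + coff + opt + table).ljust(raw_ptr, b"\x00")
    return header + raw


if __name__ == "__main__":
    info = analyze_pe(build_sample_pe())
    print("Timestamp:", info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']:<7} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Run it against a real file with `analyze_pe(open(path, "rb").read())`; a mismatch between your .text hash and a report's is the first sign the two "same" samples differ in the overlay or have been repacked.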

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates File: C:\zdyfyycv\bxjse4lo1l7u
Creates File: C:\zdyfyycv\bmv1ku0ttilkhwbough.exe
Deletes File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates Process: C:\zdyfyycv\bmv1ku0ttilkhwbough.exe

Process
↳ C:\zdyfyycv\bmv1ku0ttilkhwbough.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Defragmenter Video Panel ➝ C:\zdyfyycv\vputlxaihlxl.exe
Creates File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates File: C:\zdyfyycv\bxjse4lo1l7u
Creates File: C:\zdyfyycv\hueaiqvihq
Creates File: PIPE\lsarpc
Creates File: C:\zdyfyycv\vputlxaihlxl.exe
Deletes File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates Process: C:\zdyfyycv\vputlxaihlxl.exe
Creates Service: Adapter Store Internet Connection Encryption - C:\zdyfyycv\vputlxaihlxl.exe

Process
↳ Pid 816

Process
↳ Pid 864

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1124

Process
↳ Pid 1220

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1876

Process
↳ Pid 1184

Process
↳ C:\zdyfyycv\vputlxaihlxl.exe

Creates File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates File: pipe\net\NtControlPipe10
Creates File: C:\zdyfyycv\bxjse4lo1l7u
Creates File: C:\zdyfyycv\rrocnolxdff.exe
Creates File: C:\zdyfyycv\hueaiqvihq
Creates File: \Device\Afd\Endpoint
Creates File: C:\zdyfyycv\vwia6dnsts
Deletes File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates Process: hazrdp9bnymg "c:\zdyfyycv\vputlxaihlxl.exe"

Process
↳ C:\zdyfyycv\vputlxaihlxl.exe

Creates File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates File: C:\zdyfyycv\bxjse4lo1l7u
Deletes File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u

Process
↳ hazrdp9bnymg "c:\zdyfyycv\vputlxaihlxl.exe"

Creates File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
Creates File: C:\zdyfyycv\bxjse4lo1l7u
Deletes File: C:\WINDOWS\zdyfyycv\bxjse4lo1l7u
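
The runtime section records the artefacts a responder would sweep the estate for: a drop directory created directly under the drive root (C:\zdyfyycv\), an HKLM Run value with an innocuous display name (Defragmenter Video Panel) pointing into that directory, a service (Adapter Store Internet Connection Encryption) whose binary lives there, and a relaunch whose command line starts with a random token (hazrdp9bnymg) rather than the executable's own path. The open of PIPE\lsarpc and the service-control pipe are recorded without further detail, so nothing is inferred from them here. The following added example is mine, not the sandbox's or the malware author's code: it applies the three checks above to constructed Sysmon-style events that mirror the lines in this report. The root-directory allowlist, the event field names and the rule names are assumptions of the example.

```python
import ntpath

# Directories a legitimate installer normally places a Run-key or service binary under.
# Anything else directly beneath the drive root (C:\zdyfyycv\ in the report) is flagged.
# This allowlist is the example's own assumption, not something the sandbox applies.
ROOT_ALLOWLIST = {"windows", "program files", "program files (x86)", "programdata",
                  "users", "documents and settings"}


def top_level_dir(path: str):
    """First directory component under the drive root, lower-cased ('zdyfyycv'),
    or None when the path has no directory component at all."""
    path = path.strip('"')
    _drive, rest = ntpath.splitdrive(path)
    parts = [p for p in rest.replace("/", "\\").split("\\") if p]
    return parts[0].lower() if len(parts) > 1 else None


def odd_install_dir(path: str) -> bool:
    """True for binaries installed in a root-level directory outside the allowlist."""
    top = top_level_dir(path)
    return top is not None and top not in ROOT_ALLOWLIST


def argv0(command_line: str) -> str:
    """First token of a Windows command line: a quoted string or text up to the first space."""
    cl = command_line.strip()
    if cl.startswith('"'):
        end = cl.find('"', 1)
        return cl[1:end] if end > 0 else cl[1:]
    return cl.split(" ", 1)[0]


def argv0_mismatch(image: str, command_line: str) -> bool:
    """True when argv[0] does not name the executable that actually ran (the
    'hazrdp9bnymg "c:\\zdyfyycv\\vputlxaihlxl.exe"' pattern in the report)."""
    a0 = argv0(command_line)
    if not a0:
        return False
    return ntpath.basename(a0).lower() != ntpath.basename(image).lower()


def check_events(events):
    """Run the three persistence/relaunch checks over a list of event dicts and
    return (rule, subject, detail) findings in event order."""
    findings = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set" and "\\currentversion\\run\\" in ev["key"].lower():
            if odd_install_dir(ev["data"]):
                findings.append(("run_key_to_odd_dir", ev["key"], ev["data"]))
        elif kind == "service_create":
            if odd_install_dir(ev["image_path"]):
                findings.append(("service_to_odd_dir", ev["name"], ev["image_path"]))
        elif kind == "process_create":
            if argv0_mismatch(ev["image"], ev["command_line"]):
                findings.append(("argv0_mismatch", ev["image"], ev["command_line"]))
    return findings


# Constructed events mirroring the report's runtime lines, plus two benign controls.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Defragmenter Video Panel",
     "data": r"C:\zdyfyycv\vputlxaihlxl.exe"},
    {"type": "service_create", "name": "Adapter Store Internet Connection Encryption",
     "image_path": r"C:\zdyfyycv\vputlxaihlxl.exe"},
    {"type": "process_create", "image": r"C:\zdyfyycv\vputlxaihlxl.exe",
     "command_line": r'hazrdp9bnymg "c:\zdyfyycv\vputlxaihlxl.exe"'},
    {"type": "registry_set",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
    {"type": "process_create", "image": r"C:\WINDOWS\System32\svchost.exe",
     "command_line": r"C:\WINDOWS\System32\svchost.exe -k netsvcs"},
]


if __name__ == "__main__":
    for rule, subject, detail in check_events(SAMPLE_EVENTS):
        print(f"{rule:<20} {subject}  ->  {detail}")
```

The argv[0] check is the cheapest of the three and the least likely to fire on legitimate software; the directory check will need local tuning wherever an organisation installs line-of-business tools in root-level folders.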

Network Details:

DNS A melbourneit.hotkeysparking.com ➝ 8.5.1.16
DNS A familyround.net ➝ 72.52.4.119
DNS A childrenglossary.net ➝ 195.22.28.197, 195.22.28.196, 195.22.28.199, 195.22.28.198
DNS A expectdirect.net ➝ 71.18.76.144
DNS A rightaction.net ➝ 184.168.221.104
DNS A whetherdirect.net ➝ 208.100.26.234
DNS A rightdirect.net ➝ 176.9.224.249
DNS A childrenmethod.net ➝ 195.22.28.198, 195.22.28.199, 195.22.28.196, 195.22.28.197
DNS A familyaction.net ➝ 217.160.171.145
DNS A familydirect.net ➝ 207.148.248.143
DNS A englishaction.net ➝ 23.229.234.136
DNS A englishdirect.net ➝ 207.148.248.143
DNS A rightspeak.net ➝ 184.168.221.23
DNS A machineround.net ➝ (no answer recorded)
DNS A personglossary.net ➝ (no answer recorded)
DNS A machineglossary.net ➝ (no answer recorded)
DNS A personlikely.net ➝ (no answer recorded)
DNS A machinelikely.net ➝ (no answer recorded)
DNS A personworth.net ➝ (no answer recorded)
DNS A machineworth.net ➝ (no answer recorded)
DNS A suddenround.net ➝ (no answer recorded)
DNS A foreignround.net ➝ (no answer recorded)
DNS A suddenglossary.net ➝ (no answer recorded)
DNS A foreignglossary.net ➝ (no answer recorded)
DNS A suddenlikely.net ➝ (no answer recorded)
DNS A foreignlikely.net ➝ (no answer recorded)
DNS A suddenworth.net ➝ (no answer recorded)
DNS A foreignworth.net ➝ (no answer recorded)
DNS A whetherround.net ➝ (no answer recorded)
DNS A rightround.net ➝ (no answer recorded)
DNS A whetherglossary.net ➝ (no answer recorded)
DNS A rightglossary.net ➝ (no answer recorded)
DNS A whetherlikely.net ➝ (no answer recorded)
DNS A rightlikely.net ➝ (no answer recorded)
DNS A whetherworth.net ➝ (no answer recorded)
DNS A rightworth.net ➝ (no answer recorded)
DNS A figureround.net ➝ (no answer recorded)
DNS A thoughround.net ➝ (no answer recorded)
DNS A figureglossary.net ➝ (no answer recorded)
DNS A thoughglossary.net ➝ (no answer recorded)
DNS A figurelikely.net ➝ (no answer recorded)
DNS A thoughlikely.net ➝ (no answer recorded)
DNS A figureworth.net ➝ (no answer recorded)
DNS A thoughworth.net ➝ (no answer recorded)
DNS A pictureround.net ➝ (no answer recorded)
DNS A cigaretteround.net ➝ (no answer recorded)
DNS A pictureglossary.net ➝ (no answer recorded)
DNS A cigaretteglossary.net ➝ (no answer recorded)
DNS A picturelikely.net ➝ (no answer recorded)
DNS A cigarettelikely.net ➝ (no answer recorded)
DNS A pictureworth.net ➝ (no answer recorded)
DNS A cigaretteworth.net ➝ (no answer recorded)
DNS A childrenround.net ➝ (no answer recorded)
DNS A familyglossary.net ➝ (no answer recorded)
DNS A childrenlikely.net ➝ (no answer recorded)
DNS A familylikely.net ➝ (no answer recorded)
DNS A childrenworth.net ➝ (no answer recorded)
DNS A familyworth.net ➝ (no answer recorded)
DNS A eitherround.net ➝ (no answer recorded)
DNS A englishround.net ➝ (no answer recorded)
DNS A eitherglossary.net ➝ (no answer recorded)
DNS A englishglossary.net ➝ (no answer recorded)
DNS A eitherlikely.net ➝ (no answer recorded)
DNS A englishlikely.net ➝ (no answer recorded)
DNS A eitherworth.net ➝ (no answer recorded)
DNS A englishworth.net ➝ (no answer recorded)
DNS A expectmethod.net ➝ (no answer recorded)
DNS A becausemethod.net ➝ (no answer recorded)
DNS A expectaction.net ➝ (no answer recorded)
DNS A becauseaction.net ➝ (no answer recorded)
DNS A becausedirect.net ➝ (no answer recorded)
DNS A expectbrought.net ➝ (no answer recorded)
DNS A becausebrought.net ➝ (no answer recorded)
DNS A personmethod.net ➝ (no answer recorded)
DNS A machinemethod.net ➝ (no answer recorded)
DNS A personaction.net ➝ (no answer recorded)
DNS A machineaction.net ➝ (no answer recorded)
DNS A persondirect.net ➝ (no answer recorded)
DNS A machinedirect.net ➝ (no answer recorded)
DNS A personbrought.net ➝ (no answer recorded)
DNS A machinebrought.net ➝ (no answer recorded)
DNS A suddenmethod.net ➝ (no answer recorded)
DNS A foreignmethod.net ➝ (no answer recorded)
DNS A suddenaction.net ➝ (no answer recorded)
DNS A foreignaction.net ➝ (no answer recorded)
DNS A suddendirect.net ➝ (no answer recorded)
DNS A foreigndirect.net ➝ (no answer recorded)
DNS A suddenbrought.net ➝ (no answer recorded)
DNS A foreignbrought.net ➝ (no answer recorded)
DNS A whethermethod.net ➝ (no answer recorded)
DNS A rightmethod.net ➝ (no answer recorded)
DNS A whetheraction.net ➝ (no answer recorded)
DNS A whetherbrought.net ➝ (no answer recorded)
DNS A rightbrought.net ➝ (no answer recorded)
DNS A figuremethod.net ➝ (no answer recorded)
DNS A thoughmethod.net ➝ (no answer recorded)
DNS A figureaction.net ➝ (no answer recorded)
DNS A thoughaction.net ➝ (no answer recorded)
DNS A figuredirect.net ➝ (no answer recorded)
DNS A thoughdirect.net ➝ (no answer recorded)
DNS A figurebrought.net ➝ (no answer recorded)
DNS A thoughbrought.net ➝ (no answer recorded)
DNS A picturemethod.net ➝ (no answer recorded)
DNS A cigarettemethod.net ➝ (no answer recorded)
DNS A pictureaction.net ➝ (no answer recorded)
DNS A cigaretteaction.net ➝ (no answer recorded)
DNS A picturedirect.net ➝ (no answer recorded)
DNS A cigarettedirect.net ➝ (no answer recorded)
DNS A picturebrought.net ➝ (no answer recorded)
DNS A cigarettebrought.net ➝ (no answer recorded)
DNS A familymethod.net ➝ (no answer recorded)
DNS A childrenaction.net ➝ (no answer recorded)
DNS A childrendirect.net ➝ (no answer recorded)
DNS A childrenbrought.net ➝ (no answer recorded)
DNS A familybrought.net ➝ (no answer recorded)
DNS A eithermethod.net ➝ (no answer recorded)
DNS A englishmethod.net ➝ (no answer recorded)
DNS A eitheraction.net ➝ (no answer recorded)
DNS A eitherdirect.net ➝ (no answer recorded)
DNS A eitherbrought.net ➝ (no answer recorded)
DNS A englishbrought.net ➝ (no answer recorded)
DNS A expectspeak.net ➝ (no answer recorded)
DNS A becausespeak.net ➝ (no answer recorded)
DNS A expectniece.net ➝ (no answer recorded)
DNS A becauseniece.net ➝ (no answer recorded)
DNS A expectwrite.net ➝ (no answer recorded)
DNS A becausewrite.net ➝ (no answer recorded)
DNS A expectoclock.net ➝ (no answer recorded)
DNS A becauseoclock.net ➝ (no answer recorded)
DNS A personspeak.net ➝ (no answer recorded)
DNS A machinespeak.net ➝ (no answer recorded)
DNS A personniece.net ➝ (no answer recorded)
DNS A machineniece.net ➝ (no answer recorded)
DNS A personwrite.net ➝ (no answer recorded)
DNS A machinewrite.net ➝ (no answer recorded)
DNS A personoclock.net ➝ (no answer recorded)
DNS A machineoclock.net ➝ (no answer recorded)
DNS A suddenspeak.net ➝ (no answer recorded)
DNS A foreignspeak.net ➝ (no answer recorded)
DNS A suddenniece.net ➝ (no answer recorded)
DNS A foreignniece.net ➝ (no answer recorded)
DNS A suddenwrite.net ➝ (no answer recorded)
DNS A foreignwrite.net ➝ (no answer recorded)
DNS A suddenoclock.net ➝ (no answer recorded)
DNS A foreignoclock.net ➝ (no answer recorded)
DNS A whetherspeak.net ➝ (no answer recorded)
DNS A whetherniece.net ➝ (no answer recorded)
DNS A rightniece.net ➝ (no answer recorded)
DNS A whetherwrite.net ➝ (no answer recorded)
DNS A rightwrite.net ➝ (no answer recorded)
DNS A whetheroclock.net ➝ (no answer recorded)
DNS A rightoclock.net ➝ (no answer recorded)
DNS A figurespeak.net ➝ (no answer recorded)
DNS A thoughspeak.net ➝ (no answer recorded)
DNS A figureniece.net ➝ (no answer recorded)
DNS A thoughniece.net ➝ (no answer recorded)
DNS A figurewrite.net ➝ (no answer recorded)
DNS A thoughwrite.net ➝ (no answer recorded)
DNS A figureoclock.net ➝ (no answer recorded)
DNS A thoughoclock.net ➝ (no answer recorded)
DNS A picturespeak.net ➝ (no answer recorded)
DNS A cigarettespeak.net ➝ (no answer recorded)
DNS A pictureniece.net ➝ (no answer recorded)
DNS A cigaretteniece.net ➝ (no answer recorded)
DNS A picturewrite.net ➝ (no answer recorded)
DNS A cigarettewrite.net ➝ (no answer recorded)
DNS A pictureoclock.net ➝ (no answer recorded)
DNS A cigaretteoclock.net ➝ (no answer recorded)
DNS A childrenspeak.net ➝ (no answer recorded)
DNS A familyspeak.net ➝ (no answer recorded)
DNS A childrenniece.net ➝ (no answer recorded)
HTTP GET: http://cigaretteround.net/index.php (User-Agent: blank)
HTTP GET: http://familyround.net/index.php (User-Agent: blank)
HTTP GET: http://childrenglossary.net/index.php (User-Agent: blank)
HTTP GET: http://expectdirect.net/index.php (User-Agent: blank)
HTTP GET: http://rightaction.net/index.php (User-Agent: blank)
HTTP GET: http://whetherdirect.net/index.php (User-Agent: blank)
HTTP GET: http://rightdirect.net/index.php (User-Agent: blank)
HTTP GET: http://childrenmethod.net/index.php (User-Agent: blank)
HTTP GET: http://familyaction.net/index.php (User-Agent: blank)
HTTP GET: http://familydirect.net/index.php (User-Agent: blank)
HTTP GET: http://englishaction.net/index.php (User-Agent: blank)
HTTP GET: http://englishdirect.net/index.php (User-Agent: blank)
HTTP GET: http://rightspeak.net/index.php (User-Agent: blank)
Flows TCP 192.168.1.1:1031 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1032 ➝ 72.52.4.119:80
Flows TCP 192.168.1.1:1033 ➝ 195.22.28.197:80
Flows TCP 192.168.1.1:1034 ➝ 71.18.76.144:80
Flows TCP 192.168.1.1:1035 ➝ 184.168.221.104:80
Flows TCP 192.168.1.1:1036 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1037 ➝ 176.9.224.249:80
Flows TCP 192.168.1.1:1038 ➝ 195.22.28.198:80
Flows TCP 192.168.1.1:1039 ➝ 217.160.171.145:80
Flows TCP 192.168.1.1:1040 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1041 ➝ 23.229.234.136:80
Flows TCP 192.168.1.1:1042 ➝ 207.148.248.143:80
Flows TCP 192.168.1.1:1043 ➝ 184.168.221.23:80
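
The network section is this family's most recognisable trait: a burst of A lookups for <word><word>.net names assembled from two short dictionaries, almost all unanswered, followed by a GET /index.php with a blank User-Agent to each name that did resolve. The first flow (port 1031 ➝ 8.5.1.16) goes to the address recorded for melbourneit.hotkeysparking.com, which together with the GET to cigaretteround.net suggests that name is parked and was answered through a CNAME; the report does not say so, so treat that as an inference. The added example below is not from the report and is not the malware's real generator: it reconstructs the two word lists from the names on this page, scores a resolver log for the pattern, and maps each TCP flow back to the name that resolved to its destination. The sample queries and flows are a constructed subset of those listed above, and the alert thresholds are the example's own choice.

```python
from collections import Counter

# Word lists recovered by hand from the domains queried in this report. They are what the
# page shows, not the malware's dictionaries, which may be larger.
FIRST_WORDS = {"because", "children", "cigarette", "either", "english", "expect", "family",
               "figure", "foreign", "machine", "person", "picture", "right", "sudden",
               "though", "whether"}
SECOND_WORDS = {"action", "brought", "direct", "glossary", "likely", "method", "niece",
                "oclock", "round", "speak", "worth", "write"}


def decompose(domain: str):
    """Split a <word1><word2>.net name into its two dictionary words, else return None."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) != 2 or labels[1] != "net":
        return None
    label = labels[0]
    for w1 in FIRST_WORDS:
        if label.startswith(w1) and label[len(w1):] in SECOND_WORDS:
            return (w1, label[len(w1):])
    return None


def summarize_queries(queries):
    """queries: (domain, answer_ip_or_None) pairs, one per recorded lookup.
    Counts how many distinct names fit the two-word pattern and how many never resolved."""
    seen = {}
    for domain, ip in queries:
        seen.setdefault(domain, []).append(ip)
    dga = {d: ips for d, ips in seen.items() if decompose(d)}
    unresolved = [d for d, ips in dga.items() if all(ip is None for ip in ips)]
    return {
        "distinct_domains": len(seen),
        "dictionary_like": len(dga),
        "unresolved": len(unresolved),
        "unresolved_fraction": len(unresolved) / len(dga) if dga else 0.0,
        "first_words": Counter(decompose(d)[0] for d in dga),
        "second_words": Counter(decompose(d)[1] for d in dga),
    }


def is_dga_burst(summary, min_domains=20, min_unresolved=0.7) -> bool:
    """Alert when one host asks for many dictionary-style .net names and most go unanswered.
    Both thresholds are assumptions of this example, tune them to the environment."""
    return (summary["dictionary_like"] >= min_domains
            and summary["unresolved_fraction"] >= min_unresolved)


def label_flows(queries, flows):
    """Attach to each (src, dst) TCP flow the names whose A answers match its destination IP,
    so the flow list above can be read as 'which C2 candidate was actually contacted'."""
    ip_to_names = {}
    for domain, ip in queries:
        if ip:
            ip_to_names.setdefault(ip, set()).add(domain)
    out = []
    for src, dst in flows:
        dst_ip = dst.rsplit(":", 1)[0]
        out.append((src, dst, sorted(ip_to_names.get(dst_ip, {"(no name resolved to this address)"}))))
    return out


# Constructed subset of the report's lookups and flows (answers copied from the page).
SAMPLE_QUERIES = [
    ("melbourneit.hotkeysparking.com", "8.5.1.16"),
    ("familyround.net", "72.52.4.119"),
    ("childrenglossary.net", "195.22.28.197"),
    ("childrenglossary.net", "195.22.28.196"),
    ("expectdirect.net", "71.18.76.144"),
    ("rightaction.net", "184.168.221.104"),
    ("machineround.net", None), ("personglossary.net", None), ("machineglossary.net", None),
    ("personlikely.net", None), ("machinelikely.net", None), ("personworth.net", None),
    ("machineworth.net", None), ("suddenround.net", None), ("foreignround.net", None),
    ("suddenglossary.net", None), ("foreignglossary.net", None), ("suddenlikely.net", None),
    ("foreignlikely.net", None), ("suddenworth.net", None), ("foreignworth.net", None),
    ("whetherround.net", None), ("rightround.net", None), ("cigaretteround.net", None),
]
SAMPLE_FLOWS = [
    ("192.168.1.1:1031", "8.5.1.16:80"),
    ("192.168.1.1:1032", "72.52.4.119:80"),
    ("192.168.1.1:1033", "195.22.28.197:80"),
]


if __name__ == "__main__":
    s = summarize_queries(SAMPLE_QUERIES)
    print(f"{s['dictionary_like']} dictionary-style names, {s['unresolved']} unresolved, "
          f"burst={is_dga_burst(s)}")
    for src, dst, names in label_flows(SAMPLE_QUERIES, SAMPLE_FLOWS):
        print(f"{src} -> {dst}  {', '.join(names)}")
```

Feed it a passive-DNS or Zeek dns.log export from one source address over a few minutes; a single host producing dozens of unanswered two-word .net lookups is the signal, and the resolved names plus their GET /index.php flows are the indicators worth blocking.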
