Analysis Date: 2016-01-28 05:46:55
MD5: 0c9277831034bcaff03b73ecffcffd59
SHA1: 373afbb261b3260fee0a40e70d156e1cc090e049

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 5cff4edbafc73655a1b84150ea2818c4 sha1: 9d431911723a4a006172419d3ca061423b6d35f4 size: 56832
Section .rdata md5: 22587761053836bd16e33308bec1b941 sha1: 7e7b0f4e3ec6842c467e466d25abed9f76a72eeb size: 10752
Section .data md5: 3fa44a95d1bd9403fa5ba243def5fdeb sha1: 4398920bd615256adbfb55d21f45326f61b45015 size: 8192
Section .idata md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .data6 md5: b4202f7fe985b9648b4676e6f70832bd sha1: d37c2b3927946ed617455b3c5913fcab0bc1af52 size: 3584
Section .rsrc md5: dfbd16a91f0909b10b32e140ea027182 sha1: 36b9775c2fe3c7fa1b7f71445d56bdb574905afc size: 124928
Timestamp: 2016-01-26 10:01:05
Version info:
  LegalCopyright: Copyright © 2006-2010 Christian Ghisler
  InternalName: Totalcmd-Admin
  FileVersion: 1, 0, 0, 5
  CompanyName: Ghisler Software GmbH
  PrivateBuild:
  LegalTrademarks:
  Comments: Tool used internally by Total Commander, do not start directly!
  ProductName: Ghisler Software GmbH Totalcmd-Admin
  SpecialBuild:
  ProductVersion: 1, 0, 0, 5
  FileDescription: Total Commander Administrator Tool
  OriginalFilename: Totalcmd-Admin.exe
Packer: Microsoft Visual C++ ?.?
PEhash: a579ccfea6227e37fd58601743f40bcc1a5df4fb
IMPhash: 2c181b56849ba0ea774e44d304f56a47
AV results (6 of 30 engines flag the sample):
AV Rising: No Virus
AV Mcafee: No Virus
AV Avira (antivir): TR/Crypt.Xpack.433570
AV Twister: No Virus
AV Ad-Aware: No Virus
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Kryptik.ELUS
AV Grisoft (avg): No Virus
AV Symantec: No Virus
AV Fortinet: No Virus
AV BitDefender: No Virus
AV K7: No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AU
AV MicroWorld (escan): No Virus
AV MalwareBytes: Ransom.FileLocker
AV Authentium: No Virus
AV Frisk (f-prot): No Virus
AV Ikarus: Win32.Outbreak
AV Emsisoft: No Virus
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Yakes.ouhp
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: No Virus
AV Arcabit (arcavir): No Virus
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: No Virus
AV CA (E-Trust Ino): No Virus
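The section digests above are what you recompute to confirm that a file in hand is the one this report describes: a sandbox hashes the SizeOfRawData bytes of each section starting at PointerToRawData, which is why every listed size (56832, 10752, 8192, 1536, 3584, 124928) is a multiple of 0x200, the file alignment, rather than the section's virtual size, and the Timestamp line is the COFF TimeDateStamp. The version resource claims to be Total Commander's Totalcmd-Admin.exe, but nothing in the static data verifies that claim (no signature check is listed), so the section digests and the imphash are the values to pivot on. The stdlib-only Python below is an added example, not the sandbox's code: it walks the section table directly, hashes each section and renders the header timestamp. Because the analysed binary is not on this page, build_sample_pe constructs a small non-executable PE32 image as input; that image, its section payloads and the UTC rendering of the timestamp (the report does not say which zone it used) are assumptions of the example.

```python
"""Recompute per-section MD5/SHA1, raw sizes and the COFF timestamp that a
sandbox lists under "Static Details", with the standard library only.
Added example, not the sandbox's own code."""
import hashlib
import struct
from datetime import datetime, timezone

SECTION_HDR = "<8sIIIIIIHHI"      # IMAGE_SECTION_HEADER, 40 bytes


def _coff_header(data: bytes) -> int:
    """Return the offset of the COFF header after validating MZ and PE\\0\\0."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew + 4


def pe_timestamp(data: bytes) -> str:
    """COFF TimeDateStamp rendered as UTC (assumption: the report used UTC)."""
    ts = struct.unpack_from("<I", data, _coff_header(data) + 4)[0]
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def section_hashes(data: bytes) -> list:
    """Hash SizeOfRawData bytes at PointerToRawData for every section; raw
    sizes are file-aligned, hence the multiples of 0x200 in such reports."""
    coff = _coff_header(data)
    n_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size
    out = []
    for i in range(n_sections):
        (name, _vsize, _va, raw_size, raw_ptr,
         *_rest) = struct.unpack_from(SECTION_HDR, data, table + 40 * i)
        blob = data[raw_ptr:raw_ptr + raw_size]
        out.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(blob).hexdigest(),
            "sha1": hashlib.sha1(blob).hexdigest(),
            "truncated": len(blob) != raw_size,   # file shorter than the header claims
        })
    return out


def build_sample_pe(sections, timestamp=0, file_align=0x200) -> bytes:
    """Constructed test input: a minimal, non-executable PE32 image carrying
    the given (name, payload) sections.  Not the analysed binary."""
    n = len(sections)
    hdr_end = 64 + 4 + 20 + 224 + 40 * n
    first_raw = -(-hdr_end // file_align) * file_align
    table, blobs, raw_ptr, va = b"", b"", first_raw, 0x1000
    for name, payload in sections:
        raw_size = -(-len(payload) // file_align) * file_align
        table += struct.pack(SECTION_HDR, name.encode(), len(payload), va,
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        blobs += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
        va += 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, 224, 0x0102)
    opt = struct.pack("<H", 0x10B).ljust(224, b"\0")           # PE32 magic
    return (dos + b"PE\0\0" + coff + opt + table).ljust(first_raw, b"\0") + blobs


if __name__ == "__main__":
    sample = build_sample_pe([(".text", b"\x55\x8b\xec" * 100),
                              (".rdata", b"Totalcmd-Admin\0")], timestamp=1453802465)
    print("Timestamp:", pe_timestamp(sample))
    for s in section_hashes(sample):
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

To check a real file, replace the constructed image with `open(path, "rb").read()` and compare each dict against the Section lines above; a "truncated" entry means the file on disk is shorter than its own headers claim, which is itself worth noting in a report.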

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\All Users\117250
Deletes File: C:\373AFB~1.EXE
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: dll.istitutobancariopagamentielettronici.com
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
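The runtime events above read as one installation sequence: the sample spawns msiexec.exe and every later registry, file and DNS event is attributed to that system process; msvgqh.exe is dropped into the All Users profile and the same path is written as data under Policies\Explorer\Run, an autorun location; TaskbarNoNotification and ShowSuperHidden are Explorer policy values that change what the user sees; the file C:\373AFB~1.EXE (an 8.3 short name whose prefix matches the SHA1 above, so plausibly the submitted sample itself) is deleted; and the pool.ntp.org and microsoft.com lookups read as time and connectivity checks, leaving dll.istitutobancariopagamentielettronici.com as the only lookup without an infrastructure explanation. The Python below is an added example, not the sandbox's own tooling: it re-encodes those events as an inline event list (EVENTS, transcribed from this report) and applies that classification. The autorun key list, the stealth value list and the benign-domain suffixes are illustrative subsets chosen for this page, reading the spawned msiexec.exe's activity as injection is an inference, and the verdict() wording is the example's own.

```python
"""Classify sandbox behavioural events (registry writes, file drops, process
creation, DNS lookups) into persistence, stealth settings, dropped payloads
and candidate C2 versus benign noise.  Added example, not the sandbox's code;
the key and domain lists are illustrative subsets, not a full catalogue."""
import os

# Autorun locations, hive stripped and lower-cased (illustrative subset).
AUTORUN_KEYS = (
    r"software\microsoft\windows\currentversion\run",
    r"software\microsoft\windows\currentversion\runonce",
    r"software\microsoft\windows\currentversion\policies\explorer\run",
    r"software\microsoft\windows nt\currentversion\windows\load",
    r"software\microsoft\windows nt\currentversion\winlogon\userinit",
)
# Explorer values that change what the user sees rather than what runs.
STEALTH_VALUES = {
    "taskbarnonotification": "suppresses taskbar balloon notifications",
    "showsuperhidden": "governs display of hidden/system files",
    "hidefileext": "hides file extensions",
}
BENIGN_DNS = ("pool.ntp.org", "microsoft.com")   # time / connectivity checks
SHARED_PROFILE = (r"c:\documents and settings\all users", r"c:\programdata")

MSI = r"C:\WINDOWS\system32\msiexec.exe"
# (process, kind, target, data), transcribed from the report above.
EVENTS = [
    (r"C:\malware.exe", "process_create", MSI, None),
    (MSI, "registry", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification", "1"),
    (MSI, "registry", r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753",
     "C:\\Documents and Settings\\All Users\\msvgqh.exe\x00"),   # report shows a trailing NUL
    (MSI, "registry", r"HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden", None),
    (MSI, "registry", r"HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification", "1"),
    (MSI, "registry", r"HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load", "\x00"),
    (MSI, "file_create", r"PIPE\lsarpc", None),
    (MSI, "file_create", r"C:\Documents and Settings\All Users\msvgqh.exe", None),
    (MSI, "file_create", r"\Device\Afd\Endpoint", None),
    (MSI, "file_create", r"C:\Documents and Settings\All Users\117250", None),
    (MSI, "file_delete", r"C:\373AFB~1.EXE", None),
] + [(MSI, "dns", d, None) for d in (
    "pool.ntp.org", "africa.pool.ntp.org", "south-america.pool.ntp.org", "microsoft.com",
    "north-america.pool.ntp.org", "dll.istitutobancariopagamentielettronici.com",
    "asia.pool.ntp.org", "oceania.pool.ntp.org", "europe.pool.ntp.org")]


def _strip_hive(path):
    """'HKEY_LOCAL_MACHINE\\software\\x' -> 'software\\x', lower-cased."""
    hive, _, rest = path.partition("\\")
    return rest.lower() if hive.upper().startswith("HKEY_") else path.lower()


def _basename(path):
    return os.path.basename(path.replace("\\", "/")).lower()


def triage(events):
    """Bucket events; 'spawned' counts later activity attributed to each child."""
    f = {"persistence": [], "stealth": [], "dropped": [], "deleted": [],
         "dns_suspect": [], "dns_benign": [], "spawned": {}}
    for proc, kind, target, data in events:
        if kind == "process_create":
            f["spawned"].setdefault(_basename(target), 0)
        elif _basename(proc) in f["spawned"]:
            f["spawned"][_basename(proc)] += 1   # work done by a spawned system binary
        if kind == "registry":
            path = _strip_hive(target)
            key, _, value_name = path.rpartition("\\")
            clean = (data or "").replace("\x00", "")
            if key.endswith(AUTORUN_KEYS) or path.endswith(AUTORUN_KEYS):
                f["persistence"].append((proc, target, clean))
            if value_name in STEALTH_VALUES:
                f["stealth"].append((proc, value_name, clean, STEALTH_VALUES[value_name]))
        elif kind == "file_create" and target.lower().startswith(SHARED_PROFILE):
            f["dropped"].append(target)
        elif kind == "file_delete" and target.lower().endswith(".exe"):
            f["deleted"].append(target)
        elif kind == "dns":
            f["dns_benign" if target.lower().endswith(BENIGN_DNS) else "dns_suspect"].append(target)
    # A dropped file whose path is also autorun data is the installed payload.
    autorun_data = {d.lower() for _, _, d in f["persistence"]}
    f["persisted_dropped"] = [p for p in f["dropped"] if p.lower() in autorun_data]
    return f


def verdict(f):
    """Sortable tags for a triage queue (wording is this example's own)."""
    tags = []
    if f["persisted_dropped"]:
        tags.append("drops and autoruns payload: " + ", ".join(f["persisted_dropped"]))
    elif f["persistence"]:
        tags.append("writes autorun location")
    if f["stealth"]:
        tags.append("tampers with Explorer notifications/visibility")
    if f["dns_suspect"]:
        tags.append("resolves non-infrastructure domain: " + ", ".join(f["dns_suspect"]))
    hosts = [p for p, n in f["spawned"].items() if n]   # injection suspected (inference)
    if hosts:
        tags.append("activity attributed to spawned process: " + ", ".join(hosts))
    if f["deleted"]:
        tags.append("deletes executable: " + ", ".join(f["deleted"]))
    return tags


if __name__ == "__main__":
    for line in verdict(triage(EVENTS)):
        print("-", line)
```

The split between `key` and `path` matching matters: Policies\Explorer\Run stores the command as a named value under the key, whereas Windows NT\CurrentVersion\Windows\Load is itself the value name, so a check that only looks at the parent key misses the second. The same two-way check is what you would port to a host-side autorun sweep.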

Network Details:

DNS: europe.pool.ntp.org Type: A ➝ 37.187.107.140
DNS: europe.pool.ntp.org Type: A ➝ 195.154.41.195
DNS: europe.pool.ntp.org Type: A ➝ 178.79.160.57
DNS: europe.pool.ntp.org Type: A ➝ 85.214.194.162
DNS: north-america.pool.ntp.org Type: A ➝ 104.131.51.97
DNS: north-america.pool.ntp.org Type: A ➝ 206.108.0.131
DNS: north-america.pool.ntp.org Type: A ➝ 52.0.56.137
DNS: north-america.pool.ntp.org Type: A ➝ 98.191.213.2
DNS: south-america.pool.ntp.org Type: A ➝ 164.73.232.34
DNS: south-america.pool.ntp.org Type: A ➝ 190.15.141.64
DNS: south-america.pool.ntp.org Type: A ➝ 200.93.227.170
DNS: south-america.pool.ntp.org Type: A ➝ 200.160.7.193
DNS: asia.pool.ntp.org Type: A ➝ 212.26.18.41
DNS: asia.pool.ntp.org Type: A ➝ 218.189.210.3
DNS: asia.pool.ntp.org Type: A ➝ 185.23.153.237
DNS: asia.pool.ntp.org Type: A ➝ 202.112.29.82
DNS: oceania.pool.ntp.org Type: A ➝ 60.241.92.80
DNS: oceania.pool.ntp.org Type: A ➝ 121.0.0.41
DNS: oceania.pool.ntp.org Type: A ➝ 192.189.54.17
DNS: oceania.pool.ntp.org Type: A ➝ 219.88.71.36
DNS: africa.pool.ntp.org Type: A ➝ 196.41.127.42
DNS: africa.pool.ntp.org Type: A ➝ 197.12.0.14
DNS: africa.pool.ntp.org Type: A ➝ 41.73.42.10
DNS: africa.pool.ntp.org Type: A ➝ 41.78.128.17
DNS: pool.ntp.org Type: A ➝ 4.53.160.75
DNS: pool.ntp.org Type: A ➝ 96.244.96.19
DNS: pool.ntp.org Type: A ➝ 97.107.128.58
DNS: pool.ntp.org Type: A ➝ 162.243.63.11
DNS: microsoft.com Type: A ➝ 191.239.213.197
DNS: microsoft.com Type: A ➝ 104.43.195.251
DNS: microsoft.com Type: A ➝ 104.40.211.35
DNS: microsoft.com Type: A ➝ 23.100.122.175
DNS: microsoft.com Type: A ➝ 23.96.52.53
DNS: dll.istitutobancariopagamentielettronici.com Type: A ➝ (no answer recorded)
Flow UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flow TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flow UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
