Analysis Date: 2015-11-26 16:16:54
MD5: cac66c60c82776c44de206476216ab1f
SHA1: 3f845c48c6fb0728870969b50edc6e2f416c9ab0

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 00f8f4dd770f1a74191bd5d3881eb4b4 sha1: 4458206eeb3a39a896223eb0033bf349bac1f62b size: 114176
Section .rdata md5: 80174fe9ff6df7a6b69cec90c842faa7 sha1: 46a5a830381af4d3c790312044fb254f590286e3 size: 11776
Section .data md5: 208b392428f7e69bc2d00f5e111739b7 sha1: f12e93b11cdf1a92e0711db5cf781aae0fd7924b size: 28160
Section .rsrc md5: 50d4f81dd93942c3e4b081fa096d571c sha1: d7c6347c8dc50f2ea21bc33f032ff9b583b52a55 size: 55808
Timestamp: 2015-11-11 14:16:38
Version:
  LegalCopyright: Copyright © 2015 Scooter Software, Inc.
  Subversion Revision: 19761
  FileVersion: 4.0.7.19761
  CompanyName: Scooter Software
  LegalTrademarks: Beyond Compare ® is a registered trademark of Scooter Software, Inc.
  Comments: Beyond Compare 4
  ProductName: Beyond Compare
  ProductVersion: 4.0
  FileDescription: Beyond Compare
  CompileDate: Tuesday, March 03, 2015 03:48 PM
  OriginalFilename: BCompare.exe
Packer: Microsoft Visual C++ ?.?
PEhash: c1dea63eecdcc66865a071f10a6d638e502bb543
IMPhash: f3deb756c864453f947abf0b4832b52d
AV F-Secure: Trojan.Lethic.Gen.9
AV Authentium: W32/Agent.XL.gen!Eldorado
AV MalwareBytes: Trojan.Zbot
AV Dr. Web: BackDoor.IRC.NgrBot.566
AV Grisoft (avg): Crypt_r.AKW
AV Eset (nod32): Win32/Kryptik.EEPL
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV Trend Micro: no_virus
AV ClamAV: no_virus
AV Ad-Aware: Trojan.Lethic.Gen.9
AV BitDefender: Trojan.Lethic.Gen.9
AV Avira (antivir): TR/Crypt.Xpack.316467
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Fortinet: W32/Androm.EEPL!tr.bdr
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Backdoor.Win32.Androm.iqlo
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV Mcafee: RDN/Generic BackDoor
AV Twister: no_virus
AV Symantec: no_virus
AV K7: Trojan ( 004d69b11 )
AV Rising: no_virus
AV Frisk (f-prot): no_virus
AV Emsisoft: Trojan.Lethic.Gen.9
AV Zillya!: Trojan.Ruftar.Win32.11945
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Lethic.Gen.9
AV CA (E-Trust Ino): no_virus
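The Section rows above (per-section md5, sha1 and raw size) and the Timestamp row come straight from the PE headers, and reproducing them locally is the quickest way to confirm you are holding the same file and to compare the header timestamp against the CompileDate claimed in the version resource. The parser below is an added example written for this page, not the sandbox's own code; it uses only the Python standard library. The PE it builds in build_sample_pe() is constructed here and is not the analysed binary, so its hashes will not match the report's; it includes a zero-size section and a section whose raw data runs past end of file, two cases a hasher must handle without crashing.

```python
"""Reproduce the 'Section' rows and the 'Timestamp' row of the static details from raw
PE bytes, with the standard library only.  Added example, not the sandbox's own code;
the PE built by build_sample_pe() is constructed here and is not the analysed sample."""
import datetime
import hashlib
import struct

COFF_FMT = "<HHIIIHH"          # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
                               # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_FMT = "<8sIIIIIIHHI"   # IMAGE_SECTION_HEADER (40 bytes)
SECTION_HDR_LEN = struct.calcsize(SECTION_FMT)


def parse_pe(data: bytes) -> dict:
    """Walk DOS header -> PE signature -> COFF header -> section table and hash each
    section's raw bytes the way the report does (SizeOfRawData bytes at PointerToRawData)."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, stamp, _, _, opt_size, _ = struct.unpack_from(COFF_FMT, data, coff_off)
    table_off = coff_off + struct.calcsize(COFF_FMT) + opt_size
    sections = []
    for i in range(nsections):
        name, _vsize, _vaddr, raw_size, raw_ptr, *_ = struct.unpack_from(
            SECTION_FMT, data, table_off + i * SECTION_HDR_LEN)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "size": raw_size,
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            # raw data running past end of file: truncated download or deliberately
            # malformed header; the hash then covers fewer bytes than 'size' claims
            "truncated": len(raw) < raw_size,
        })
    stamp_utc = datetime.datetime.fromtimestamp(stamp, datetime.timezone.utc)
    return {
        "machine": machine,
        "timestamp": stamp_utc.strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def section_rows(info: dict) -> list:
    """Render sections in the same layout as the report's 'Section' lines."""
    return ["Section {name} md5: {md5} sha1: {sha1} size: {size}".format(**s)
            for s in info["sections"]]


def build_sample_pe() -> bytes:
    """Constructed three-section PE32 stub (assumption: not the analysed binary)."""
    opt_size = 224                                   # standard PE32 optional header length
    stamp = 1447251398                               # 2015-11-11 14:16:38 UTC, the report's Timestamp
    dos = b"MZ" + bytes(0x3C - 2) + struct.pack("<I", 0x40)                 # e_lfanew = 0x40
    coff = struct.pack(COFF_FMT, 0x14C, 3, stamp, 0, 0, opt_size, 0x0102)  # i386, 3 sections
    opt = struct.pack("<H", 0x10B) + bytes(opt_size - 2)                   # PE32 magic, rest zeroed
    text = b"abc"                                                           # known md5/sha1 test vector
    table = struct.pack(SECTION_FMT, b".text", len(text), 0x1000, len(text), 0x200, 0, 0, 0, 0, 0x60000020)
    table += struct.pack(SECTION_FMT, b".bss", 0x1000, 0x2000, 0, 0, 0, 0, 0, 0, 0xC0000080)      # no raw data
    table += struct.pack(SECTION_FMT, b".rsrc", 0x100, 0x3000, 0x100, 0x3F0, 0, 0, 0, 0, 0x40000040)  # runs past EOF
    image = bytearray(0x400)
    header = dos + b"PE\0\0" + coff + opt + table
    image[:len(header)] = header
    image[0x200:0x200 + len(text)] = text
    return bytes(image)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("Timestamp:", info["timestamp"])
    print("\n".join(section_rows(info)))
```

Run parse_pe() over the real sample's bytes and diff section_rows() against the rows above; a mismatch on any section means a different build, and a "truncated" flag means the report's hash covers less data than the header advertises.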

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: C:\Documents and Settings\All Users\114921
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: dfs.knowmark.it
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: microsoft.com
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (A): 46.163.88.246, 178.124.134.106, 212.92.16.193, 5.9.29.107
DNS north-america.pool.ntp.org (A): 208.53.158.34, 66.79.136.235, 192.95.20.208, 204.2.134.164
DNS south-america.pool.ntp.org (A): 170.155.148.1, 190.15.128.72, 200.192.232.8, 201.217.3.85
DNS asia.pool.ntp.org (A): 218.189.210.3, 220.231.122.99, 194.27.222.5, 210.23.18.197
DNS oceania.pool.ntp.org (A): 203.56.27.253, 103.242.68.68, 125.255.139.115, 202.22.158.30
DNS africa.pool.ntp.org (A): 196.41.127.42, 196.192.32.7, 197.80.150.123
DNS pool.ntp.org (A): 206.51.211.152, 66.228.59.187, 104.131.53.252, 204.2.134.164
DNS microsoft.com (A): 104.43.195.251, 191.239.213.197, 23.96.52.53, 23.100.122.175, 104.40.211.35
DNS dfs.knowmark.it (A): (no address recorded)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
Flows UDP: 192.168.1.1:1046 ➝ 8.8.4.4:53
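The Runtime and Network entries above carry the indicators worth turning into detections: a value written under Policies\Explorer\Run and a write to Windows NT\CurrentVersion\Windows\Load (both autostart locations), Explorer values that suppress taskbar notifications and control display of protected files, an executable dropped under All Users, deletion of the submitted sample, and DNS lookups of the regional pool.ntp.org names alongside microsoft.com and the otherwise unknown dfs.knowmark.it, which returned no address. The script below is an added example, not the sandbox's tooling: it parses those entries (the report's own lines, normalised here to "Label: value" with registry key and value joined on one line) and tags each with the behaviour it indicates. The autostart-key list, the stealth value names and the domain buckets are heuristics chosen for this example and are not exhaustive.

```python
"""Extract host and network IOCs from the report's Runtime/Network entries and tag each
with the behaviour it indicates.  Added example, not the sandbox's own tooling; the entries
below are the report's, normalised to "Label: value", and the rules are heuristics."""
import re
from collections import defaultdict
from pprint import pprint

REPORT_LINES = [  # the report's entries, one per line
    r"Process: C:\malware.exe",
    r"Creates Process: C:\WINDOWS\system32\msiexec.exe",
    r"Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1",
    r'Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00',
    r"Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL",
    r"Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1",
    r"Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00",
    r"Creates File: PIPE\lsarpc",
    r"Creates File: C:\Documents and Settings\All Users\msvgqh.exe",
    r"Creates File: C:\Documents and Settings\All Users\114921",
    r"Creates File: \Device\Afd\Endpoint",
    r"Deletes File: C:\malware.exe",
    r"Winsock DNS: pool.ntp.org",
    r"Winsock DNS: africa.pool.ntp.org",
    r"Winsock DNS: dfs.knowmark.it",
    r"Winsock DNS: south-america.pool.ntp.org",
    r"Winsock DNS: microsoft.com",
    r"Winsock DNS: north-america.pool.ntp.org",
    r"Winsock DNS: asia.pool.ntp.org",
    r"Winsock DNS: oceania.pool.ntp.org",
    r"Winsock DNS: europe.pool.ntp.org",
    r"Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53",
    r"Flows TCP: 192.168.1.1:1044 ➝ 104.43.195.251:80",
]

ARROW = "➝"
NUL_MARK = "\\\\x00"   # the report renders a trailing NUL as the literal text \\x00
LINE_RE = re.compile(
    r"^(Process|Creates Process|Creates File|Deletes File|Registry|Winsock DNS|Flows? (?:TCP|UDP)):\s*(.*)$")

# Autostart locations (assumption: a starter list for this example, not exhaustive)
PERSISTENCE_KEY_RES = (
    re.compile(r"\\currentversion\\(?:policies\\explorer\\)?run(?:once)?\\", re.I),
    re.compile(r"\\windows nt\\currentversion\\windows\\(?:load|run)$", re.I),
)
# Explorer values that hide notifications / protected files from the user
STEALTH_VALUE_NAMES = {"taskbarnonotification", "showsuperhidden"}
NTP_POOL_RE = re.compile(r"(?:^|\.)pool\.ntp\.org$", re.I)
WELL_KNOWN_DOMAINS = {"microsoft.com"}
USER_WRITABLE_RE = re.compile(r"^[A-Z]:\\(?:Documents and Settings|Users|ProgramData)\\", re.I)


def classify(lines):
    """Return {behaviour: [indicators]} for the parsed report lines."""
    iocs = defaultdict(list)
    sample_path = None
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        label, value = m.groups()
        if label == "Process":
            if sample_path is None:            # first process in the tree is the submitted sample
                sample_path = value
        elif label == "Creates Process":
            iocs["child_process"].append(value)
        elif label == "Registry":
            key, _, val = value.partition(f" {ARROW} ")
            key, val = key.strip(), val.strip()
            while val.endswith(NUL_MARK):
                val = val[: -len(NUL_MARK)]
            value_name = key.rsplit("\\", 1)[-1].lower()
            if any(p.search(key) for p in PERSISTENCE_KEY_RES):
                iocs["persistence"].append((key, val))
            elif value_name in STEALTH_VALUE_NAMES:
                iocs["stealth"].append((key, val))
            else:
                iocs["registry_other"].append((key, val))
        elif label == "Creates File":
            if USER_WRITABLE_RE.match(value):   # payload staged in a user-writable directory
                iocs["dropped_file"].append(value)
        elif label == "Deletes File":
            if sample_path and value.lower() == sample_path.lower():
                iocs["self_delete"].append(value)
        elif label == "Winsock DNS":
            if NTP_POOL_RE.search(value):
                iocs["ntp_pool_lookup"].append(value)        # regional time servers
            elif value.lower() in WELL_KNOWN_DOMAINS:
                iocs["well_known_lookup"].append(value)      # high-reputation name
            else:
                iocs["uncommon_domain_lookup"].append(value) # the name to watchlist
        else:                                                # Flows TCP/UDP
            proto = label.split()[1]
            _src, _, dst = value.partition(f" {ARROW} ")
            host, _, port = dst.rpartition(":")
            iocs["flows"].append((proto, host, int(port)))
    return dict(iocs)


if __name__ == "__main__":
    pprint(classify(REPORT_LINES))
```

The persistence and dropped_file buckets are what a host-based hunt should check first (the Run value under Policies\Explorer and the file under All Users); the uncommon_domain_lookup bucket is the name to add to DNS monitoring, since the pool.ntp.org and microsoft.com lookups will also appear in legitimate traffic.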
