Analysis Date: 2015-11-15 16:00:48
MD5: 6f98af6d50730d967e94b602d9e73a6f
SHA1: 45821db7fab4c0d67d5c00864e98db0a42d14df6

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 3bdaad09ba2e26b20bb7b4c6949f739a  sha1: 11df74969cc5d0d4cb50de2552452cfd84ee0648  size: 805376
Section .rdata  md5: 63a2f370c7a2b6ceee632e3e414076b5  sha1: 40badc82774c65988b00a819ebbef8ca80592f73  size: 59904
Section .data   md5: 67c49ab0221a45ba22c3cfb3102ba719  sha1: 05831304eb1a4ca08f8bca1fab54f7eb0cce2f12  size: 411648
Timestamp: 2014-11-28 22:42:25
Packer: Microsoft Visual C++ ?.?
PEhash: 0cdbdfd6a1e8e2270be3e4fc2cff759f70d404a3
IMPhash: 8a2da73e066cedda220bb687fe53e02c
AV F-Secure: Gen:Variant.Symmi.22722
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV MalwareBytes: no_virus
AV Dr. Web: Trojan.DownLoader17.49536
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.CCLE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Trend Micro: TROJ_WONTON.SMJ1
AV ClamAV: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV BitDefender: Gen:Variant.Symmi.22722
AV Avira (antivir): BDS/Zegost.Gen
AV Alwil (avast): Downloader-TLD [Trj]
AV Fortinet: W32/Generic!tr
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV Ikarus: Trojan.Win32.Crypt
AV Kaspersky: Trojan.Win32.Generic
AV VirusBlokAda (vba32): no_virus
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV Mcafee: no_virus
AV Twister: no_virus
AV Symantec: Downloader.Upatre!g15
AV K7: Trojan ( 004cd0081 )
AV Rising: 0x59414d5e
AV Frisk (f-prot): no_virus
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: Adware.BrowseFox.Win32.162494
AV CAT (quickheal): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Resolution Audio Firewall Registrar ➝ C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File: C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File: C:\WINDOWS\system32\zsohlmvvwx\etc
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\yvzuezgzlu.exe
Creates Service: Encryption Storage Offline UserMode - C:\WINDOWS\system32\yvzuezgzlu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\zsohlmvvwx\run
Creates File: C:\WINDOWS\system32\zsohlmvvwx\cfg
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File: C:\WINDOWS\system32\zsohlmvvwx\rng
Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File: C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\zbuiplgo.exe
Creates Process: C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe -r 20026 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Creates File: C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe -r 20026 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250
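
Added example, written for this page and not part of the sandbox output or of the sample: the host behaviour recorded above (a dropper run from the user's Temp directory that writes a Run-key value and registers a service for a freshly written system32 binary, rewrites drivers\etc\hosts, sets FirewallDisableNotify to 1, re-launches itself under a WATCHDOGPROC command line and starts a Temp helper with "-r 20026 tcp") expressed as matching rules over endpoint events. The event dictionaries and their field names (type, image, cmdline, key, value, target) are constructed for the example and only loosely modelled on Sysmon; the paths inside them are taken from the report.

```python
"""Host-side detection rules derived from the runtime section of the report.

Added example; event schema is an assumption (Sysmon-like dicts), paths are
the ones the sandbox recorded.
"""
import re

# %TEMP% of a user profile and C:\WINDOWS\TEMP both contain a "\temp\" element.
TEMP_DIR = re.compile(r"\\(local settings\\)?temp\\", re.I)
# The helper in the report was started as "<exe> -r 20026 tcp"; match the shape, not the port.
PORT_ARGS = re.compile(r"\s-r\s+\d{1,5}\s+(tcp|udp)\b", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run\\", re.I)
FIREWALL_NOTIFY = re.compile(r"\\software\\microsoft\\security center\\firewalldisablenotify$", re.I)
HOSTS_FILE = re.compile(r"\\drivers\\etc\\hosts$", re.I)
# Images you allow to rewrite the hosts file (management agent etc.); empty = everything alerts.
HOSTS_WRITERS_ALLOWED = set()


def rule_watchdog(ev):
    """Self-relaunch with the literal WATCHDOGPROC verb seen in the report."""
    return bool(ev.get("type") == "process_create"
                and ev.get("cmdline", "").upper().startswith("WATCHDOGPROC "))


def rule_temp_helper(ev):
    """Binary under a Temp directory started with '-r <port> tcp|udp' arguments."""
    return bool(ev.get("type") == "process_create"
                and TEMP_DIR.search(ev.get("image", ""))
                and PORT_ARGS.search(ev.get("cmdline", "")))


def rule_run_key_from_temp(ev):
    """A process running out of Temp writing a Run-key value (persistence)."""
    return bool(ev.get("type") == "registry_set"
                and RUN_KEY.search(ev.get("key", ""))
                and TEMP_DIR.search(ev.get("image", "")))


def rule_service_from_temp(ev):
    """A process running out of Temp installing a service (second persistence path)."""
    return bool(ev.get("type") == "service_create" and TEMP_DIR.search(ev.get("image", "")))


def rule_firewall_notify_off(ev):
    """Security Center FirewallDisableNotify set to 1 (suppresses the firewall warning)."""
    return bool(ev.get("type") == "registry_set"
                and FIREWALL_NOTIFY.search(ev.get("key", ""))
                and str(ev.get("value")) == "1")


def rule_hosts_rewrite(ev):
    """Any create/delete of drivers\\etc\\hosts by a non-allowlisted image."""
    return bool(ev.get("type") in ("file_create", "file_delete")
                and HOSTS_FILE.search(ev.get("target", ""))
                and ev.get("image", "").lower() not in HOSTS_WRITERS_ALLOWED)


RULES = {
    "run_key_from_temp": rule_run_key_from_temp,
    "hosts_rewrite": rule_hosts_rewrite,
    "service_from_temp": rule_service_from_temp,
    "firewall_notify_off": rule_firewall_notify_off,
    "temp_helper_port_arg": rule_temp_helper,
    "watchdog_relaunch": rule_watchdog,
}


def evaluate(events):
    """Return [(event_index, rule_name), ...] for every rule that fires, in event order."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]


# Constructed events, built from the process/registry/file lines of the report.
DROPPER = r"C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe"
IMPLANT = r"C:\WINDOWS\system32\yvzuezgzlu.exe"
HELPER = r"C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe"
SAMPLE_EVENTS = [
    {"type": "process_create", "image": DROPPER, "cmdline": DROPPER, "parent": r"C:\malware.exe"},
    {"type": "registry_set", "image": DROPPER, "value": IMPLANT,
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Resolution Audio Firewall Registrar"},
    {"type": "file_create", "image": DROPPER, "target": r"C:\WINDOWS\system32\drivers\etc\hosts"},
    {"type": "service_create", "image": DROPPER, "service": "Encryption Storage Offline UserMode", "binary": IMPLANT},
    {"type": "registry_set", "image": IMPLANT, "value": 1,
     "key": r"HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify"},
    {"type": "process_create", "image": HELPER, "cmdline": HELPER + " -r 20026 tcp", "parent": IMPLANT},
    {"type": "process_create", "image": IMPLANT, "parent": IMPLANT,
     "cmdline": 'WATCHDOGPROC "c:\\windows\\system32\\yvzuezgzlu.exe"'},
    {"type": "process_create", "image": r"C:\WINDOWS\system32\notepad.exe", "cmdline": "notepad.exe",
     "parent": r"C:\WINDOWS\explorer.exe"},  # benign control event
]

if __name__ == "__main__":
    for idx, rule_name in evaluate(SAMPLE_EVENTS):
        print(f"event {idx}: {rule_name}")
```

Each rule keys on a relationship the report makes visible (who wrote the Run key, where the service installer ran from, what the command line literally starts with) rather than on the random file and service names, which will differ per infection. The hosts-file rule is deliberately broad; populate HOSTS_WRITERS_ALLOWED with your own management tooling before deploying it.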

Network Details:

DNS saltsecond.net  Type: A  74.220.199.6
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS ableread.net  Type: A  208.91.197.241
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS melbourneit.hotkeysparking.com  Type: A  8.5.1.16
DNS drinkwide.net  Type: A  208.91.197.241
DNS pickmake.net  Type: A  208.91.197.241
DNS mostcross.net  Type: A  195.22.28.197
DNS mostcross.net  Type: A  195.22.28.198
DNS mostcross.net  Type: A  195.22.28.199
DNS mostcross.net  Type: A  195.22.28.196
DNS darkcross.net  Type: A  50.63.202.31
DNS withgrave.net  Type: A  208.100.26.234
DNS thesecould.net  Type: A  184.168.221.54
DNS quickteach.net  Type: A  203.124.119.1
DNS southblood.net  Type: A  (no A record listed)
DNS pickgrave.net  Type: A  (no A record listed)
DNS roomstock.net  Type: A  (no A record listed)
DNS watcheasy.net  Type: A  (no A record listed)
DNS uponmail.net  Type: A  (no A record listed)
DNS takenhand.net  Type: A  (no A record listed)
DNS watchsince.net  Type: A  (no A record listed)
DNS spotdont.net  Type: A  (no A record listed)
DNS offeraunt.net  Type: A  (no A record listed)
DNS madethan.net  Type: A  (no A record listed)
DNS whomfifth.net  Type: A  (no A record listed)
DNS quickshade.net  Type: A  (no A record listed)
DNS thenshade.net  Type: A  (no A record listed)
DNS quickfloor.net  Type: A  (no A record listed)
DNS thenfloor.net  Type: A  (no A record listed)
DNS sundaythrew.net  Type: A  (no A record listed)
DNS mostthrew.net  Type: A  (no A record listed)
DNS sundaycross.net  Type: A  (no A record listed)
DNS sundayshade.net  Type: A  (no A record listed)
DNS mostshade.net  Type: A  (no A record listed)
DNS sundayfloor.net  Type: A  (no A record listed)
DNS mostfloor.net  Type: A  (no A record listed)
DNS meatthrew.net  Type: A  (no A record listed)
DNS sickthrew.net  Type: A  (no A record listed)
DNS meatcross.net  Type: A  (no A record listed)
DNS sickcross.net  Type: A  (no A record listed)
DNS meatshade.net  Type: A  (no A record listed)
DNS sickshade.net  Type: A  (no A record listed)
DNS meatfloor.net  Type: A  (no A record listed)
DNS sickfloor.net  Type: A  (no A record listed)
DNS cloudthrew.net  Type: A  (no A record listed)
DNS darkthrew.net  Type: A  (no A record listed)
DNS cloudcross.net  Type: A  (no A record listed)
DNS cloudshade.net  Type: A  (no A record listed)
DNS darkshade.net  Type: A  (no A record listed)
DNS cloudfloor.net  Type: A  (no A record listed)
DNS darkfloor.net  Type: A  (no A record listed)
DNS milkusual.net  Type: A  (no A record listed)
DNS triedusual.net  Type: A  (no A record listed)
DNS milkcould.net  Type: A  (no A record listed)
DNS triedcould.net  Type: A  (no A record listed)
DNS milkteach.net  Type: A  (no A record listed)
DNS triedteach.net  Type: A  (no A record listed)
DNS milkgrave.net  Type: A  (no A record listed)
DNS triedgrave.net  Type: A  (no A record listed)
DNS withusual.net  Type: A  (no A record listed)
DNS dutyusual.net  Type: A  (no A record listed)
DNS withcould.net  Type: A  (no A record listed)
DNS dutycould.net  Type: A  (no A record listed)
DNS withteach.net  Type: A  (no A record listed)
DNS dutyteach.net  Type: A  (no A record listed)
DNS dutygrave.net  Type: A  (no A record listed)
DNS theseusual.net  Type: A  (no A record listed)
DNS sightusual.net  Type: A  (no A record listed)
DNS sightcould.net  Type: A  (no A record listed)
DNS theseteach.net  Type: A  (no A record listed)
DNS sightteach.net  Type: A  (no A record listed)
DNS thesegrave.net  Type: A  (no A record listed)
DNS sightgrave.net  Type: A  (no A record listed)
DNS caseusual.net  Type: A  (no A record listed)
DNS headusual.net  Type: A  (no A record listed)
DNS casecould.net  Type: A  (no A record listed)
DNS headcould.net  Type: A  (no A record listed)
DNS caseteach.net  Type: A  (no A record listed)
DNS headteach.net  Type: A  (no A record listed)
DNS casegrave.net  Type: A  (no A record listed)
DNS headgrave.net  Type: A  (no A record listed)
DNS quickusual.net  Type: A  (no A record listed)
DNS thenusual.net  Type: A  (no A record listed)
DNS quickcould.net  Type: A  (no A record listed)
DNS thencould.net  Type: A  (no A record listed)
DNS thenteach.net  Type: A  (no A record listed)
DNS quickgrave.net  Type: A  (no A record listed)
DNS thengrave.net  Type: A  (no A record listed)
DNS sundayusual.net  Type: A  (no A record listed)
DNS mostusual.net  Type: A  (no A record listed)
DNS sundaycould.net  Type: A  (no A record listed)
DNS mostcould.net  Type: A  (no A record listed)
DNS sundayteach.net  Type: A  (no A record listed)
DNS mostteach.net  Type: A  (no A record listed)
DNS sundaygrave.net  Type: A  (no A record listed)
DNS mostgrave.net  Type: A  (no A record listed)
DNS meatusual.net  Type: A  (no A record listed)
DNS sickusual.net  Type: A  (no A record listed)
DNS meatcould.net  Type: A  (no A record listed)
DNS sickcould.net  Type: A  (no A record listed)
DNS meatteach.net  Type: A  (no A record listed)
DNS sickteach.net  Type: A  (no A record listed)
DNS meatgrave.net  Type: A  (no A record listed)
DNS sickgrave.net  Type: A  (no A record listed)
DNS cloudusual.net  Type: A  (no A record listed)
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://pickgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://ableread.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://roomstock.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://watcheasy.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://uponmail.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://takenhand.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://watchsince.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://spotdont.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://offeraunt.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://madethan.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://drinkwide.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://pickmake.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://mostcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://darkcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://withgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://thesecould.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://quickteach.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://pickgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://ableread.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://roomstock.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://watcheasy.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://uponmail.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://takenhand.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://watchsince.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://spotdont.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://offeraunt.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://madethan.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://drinkwide.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://pickmake.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://mostcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://darkcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://withgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://thesecould.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
HTTP GET http://quickteach.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr  User-Agent: (empty)
Flows TCP 192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1037 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1039 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1040 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1041 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1042 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1044 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1045 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1046 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1047 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1048 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1049 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1050 ➝ 195.22.28.197:80
Flows TCP 192.168.1.1:1051 ➝ 50.63.202.31:80
Flows TCP 192.168.1.1:1052 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1053 ➝ 184.168.221.54:80
Flows TCP 192.168.1.1:1054 ➝ 203.124.119.1:80
Flows TCP 192.168.1.1:1055 ➝ 74.220.199.6:80
Flows TCP 192.168.1.1:1056 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1058 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1059 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1060 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1061 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1062 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1063 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1064 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1065 ➝ 8.5.1.16:80
Flows TCP 192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP 192.168.1.1:1068 ➝ 195.22.28.197:80
Flows TCP 192.168.1.1:1069 ➝ 50.63.202.31:80
Flows TCP 192.168.1.1:1070 ➝ 208.100.26.234:80
Flows TCP 192.168.1.1:1071 ➝ 184.168.221.54:80
Flows TCP 192.168.1.1:1072 ➝ 203.124.119.1:80
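
Added example, written for this page and not part of the sandbox output or of the sample: detection logic built from the network section above. Two observations carry it. First, every .net hostname the sample queried is two short English words joined together (salt+second, able+read, sunday+threw, whom+fifth), and the word lists below were read off the DNS list above by hand; they describe this sample's queries and are not a published specification of the family's generator. Second, every HTTP request has the same URI shape, /index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr, with an empty User-Agent. The pattern below widens the single observed v= and sox= values to "any digits" and "any hex digits", which is an assumption. The proxy-log line format, the sample log lines and the function names are all constructed for the example.

```python
"""Network detection derived from the DNS / HTTP section of the report.

Added example. Word lists are read from the report's own DNS queries; the
beacon-URI pattern generalises the one observed URI; the log format below is
constructed.
"""
import re
from itertools import product

# First and second halves of every <word><word>.net name in the report.
FIRST_WORDS = sorted({
    "able", "case", "cloud", "dark", "drink", "duty", "head", "made", "meat",
    "milk", "most", "offer", "pick", "quick", "room", "salt", "sick", "sight",
    "south", "spot", "sunday", "taken", "then", "these", "tried", "upon",
    "watch", "whom", "with",
})
SECOND_WORDS = {
    "aunt", "blood", "could", "cross", "dont", "easy", "fifth", "floor",
    "grave", "hand", "mail", "make", "read", "second", "shade", "since",
    "stock", "teach", "than", "threw", "usual", "wide",
}

# Observed: /index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr
# Assumption: v= is any run of digits and sox= any run of hex digits.
BEACON_URI = re.compile(
    r"^/index\.php\?method=validate&mode=sox&v=\d+&sox=[0-9a-f]+&lenhdr$")


def split_dictionary_domain(hostname):
    """Return (first, second) when hostname is <first><second>.net with both
    halves from the word lists, otherwise None."""
    label, dot, tld = hostname.lower().rpartition(".")
    if not dot or tld != "net":
        return None
    for first in FIRST_WORDS:          # no first word is a prefix of another, so one pass suffices
        rest = label[len(first):]
        if label.startswith(first) and rest in SECOND_WORDS:
            return first, rest
    return None


def candidate_domains():
    """Every name the two word lists can produce (a sinkhole / blocklist seed)."""
    return {f"{a}{b}.net" for a, b in product(FIRST_WORDS, SECOND_WORDS)}


# Constructed proxy-log format: <timestamp> <client> <method> <url> ua="<user-agent>"
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) '
    r'http://(?P<host>[^/\s]+)(?P<uri>\S*) ua="(?P<ua>[^"]*)"$')


def classify(line):
    """("alert", [reasons]) / ("ok", []) / ("unparsed", []) for one log line."""
    m = LOG_LINE.match(line)
    if not m:
        return "unparsed", []
    reasons = []
    if split_dictionary_domain(m["host"]):
        reasons.append("dictionary-DGA hostname")
    if BEACON_URI.match(m["uri"]):
        reasons.append("validate/sox beacon URI")
    if reasons and m["ua"] == "":      # empty UA only matters alongside another indicator
        reasons.append("empty User-Agent")
    return ("alert" if reasons else "ok"), reasons


def scan(lines):
    return [classify(line) for line in lines]


SAMPLE_LOG = [  # constructed; the first line mirrors the request the sandbox recorded
    '2015-11-15T16:01:02Z 192.168.1.1 GET http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr ua=""',
    '2015-11-15T16:01:03Z 192.168.1.1 GET http://www.example.com/index.html ua="Mozilla/5.0"',
    '2015-11-15T16:01:04Z 192.168.1.1 GET http://quickshade.net/ ua="Mozilla/5.0"',
    '2015-11-15T16:01:05Z 192.168.1.1 GET http://example.net/index.php?method=validate&mode=sox&v=035&sox=0badf00d&lenhdr ua="curl/7.0"',
]

if __name__ == "__main__":
    for line, (verdict, why) in zip(SAMPLE_LOG, scan(SAMPLE_LOG)):
        print(verdict, why, line.split()[3])
```

The hostname check and the URI check are independent on purpose: the third sample line fires on the domain alone (no beacon URI), the fourth on the URI alone (ordinary hostname), and only the first line reproduces the full combination seen in the report. candidate_domains() yields the cross product of the two lists, which is how you pre-resolve or sinkhole the names this wordlist can still generate rather than only the ones the sandbox happened to see.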

Raw Pcap

Strings