Analysis | #totalhash

Analysis Date	2015-11-15 16:00:48
MD5	6f98af6d50730d967e94b602d9e73a6f
SHA1	45821db7fab4c0d67d5c00864e98db0a42d14df6

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: 3bdaad09ba2e26b20bb7b4c6949f739a sha1: 11df74969cc5d0d4cb50de2552452cfd84ee0648 size: 805376
Section	.rdata md5: 63a2f370c7a2b6ceee632e3e414076b5 sha1: 40badc82774c65988b00a819ebbef8ca80592f73 size: 59904
Section	.data md5: 67c49ab0221a45ba22c3cfb3102ba719 sha1: 05831304eb1a4ca08f8bca1fab54f7eb0cce2f12 size: 411648
Timestamp	2014-11-28 22:42:25
Packer	Microsoft Visual C++ ?.?
PEhash	0cdbdfd6a1e8e2270be3e4fc2cff759f70d404a3
IMPhash	8a2da73e066cedda220bb687fe53e02c
AV	F-Secure	Gen:Variant.Symmi.22722
AV	Authentium	W32/Nivdort.A.gen!Eldorado
AV	MalwareBytes	no_virus
AV	Dr. Web	Trojan.DownLoader17.49536
AV	Grisoft (avg)	Win32/Cryptor
AV	MalwareBytes	no_virus
AV	Eset (nod32)	Win32/Kryptik.CCLE
AV	MicroWorld (escan)	Gen:Variant.Symmi.22722
AV	Trend Micro	TROJ_WONTON.SMJ1
AV	ClamAV	no_virus
AV	Ad-Aware	Gen:Variant.Symmi.22722
AV	Eset (nod32)	Win32/Kryptik.CCLE
AV	BitDefender	Gen:Variant.Symmi.22722
AV	MicroWorld (escan)	Gen:Variant.Symmi.22722
AV	Avira (antivir)	BDS/Zegost.Gen
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Fortinet	W32/Generic!tr
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.AE
AV	Ikarus	Trojan.Win32.Crypt
AV	Kaspersky	Trojan.Win32.Generic
AV	VirusBlokAda (vba32)	no_virus
AV	Arcabit (arcavir)	Gen:Variant.Symmi.22722
AV	Mcafee	no_virus
AV	Twister	no_virus
AV	Avira (antivir)	BDS/Zegost.Gen
AV	Alwil (avast)	Downloader-TLD [Trj]
AV	Symantec	Downloader.Upatre!g15
AV	Fortinet	W32/Generic!tr
AV	K7	Trojan ( 004cd0081 )
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.AE
AV	Rising	0x59414d5e
AV	Mcafee	no_virus
AV	Twister	no_virus
AV	Ad-Aware	Gen:Variant.Symmi.22722
AV	Grisoft (avg)	Win32/Cryptor
AV	Symantec	Downloader.Upatre!g15
AV	BitDefender	Gen:Variant.Symmi.22722
AV	K7	Trojan ( 004cd0081 )
AV	Authentium	W32/Nivdort.A.gen!Eldorado
AV	Frisk (f-prot)	no_virus
AV	Emsisoft	Gen:Variant.Symmi.22722
AV	Zillya!	Adware.BrowseFox.Win32.162494
AV	CAT (quickheal)	no_virus
AV	Padvish	no_virus
AV	BullGuard	Gen:Variant.Symmi.22722
AV	CA (E-Trust Ino)	no_virus
AV	Rising	0x59414d5e
AV	Ikarus	Trojan.Win32.Crypt
AV	Frisk (f-prot)	no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe
Creates File	C:\WINDOWS\system32\zsohlmvvwx\tst
Creates Process	C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\kxdsdogg1lsauvhyiqhyi.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Diagnostic Resolution Audio Firewall Registrar ➝ C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File	C:\WINDOWS\system32\yvzuezgzlu.exe
Creates File	C:\WINDOWS\system32\drivers\etc\hosts
Creates File	C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File	C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File	C:\WINDOWS\system32\zsohlmvvwx\etc
Deletes File	C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process	C:\WINDOWS\system32\yvzuezgzlu.exe
Creates Service	Encryption Storage Offline UserMode - C:\WINDOWS\system32\yvzuezgzlu.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File	PIPE\lsarpc
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File	C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1136

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File	C:\WINDOWS\system32\zsohlmvvwx\run
Creates File	C:\WINDOWS\system32\zsohlmvvwx\cfg
Creates File	pipe\net\NtControlPipe10
Creates File	C:\WINDOWS\system32\zsohlmvvwx\lck
Creates File	C:\WINDOWS\system32\zsohlmvvwx\rng
Creates File	C:\WINDOWS\system32\zsohlmvvwx\tst
Creates File	C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe
Creates File	\Device\Afd\Endpoint
Creates File	C:\WINDOWS\system32\zbuiplgo.exe
Creates Process	C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe -r 20026 tcp
Creates Process	WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Process
↳ C:\WINDOWS\system32\yvzuezgzlu.exe

Creates File	C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\yvzuezgzlu.exe"

Creates File	C:\WINDOWS\system32\zsohlmvvwx\tst

Process
↳ C:\WINDOWS\TEMP\kxdsdogg1s9suv.exe -r 20026 tcp

Creates File	\Device\Afd\Endpoint
Winsock DNS	239.255.255.250

Network Details:

DNS	saltsecond.net Type: A 74.220.199.6
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	ableread.net Type: A 208.91.197.241
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	drinkwide.net Type: A 208.91.197.241
DNS	pickmake.net Type: A 208.91.197.241
DNS	mostcross.net Type: A 195.22.28.197
DNS	mostcross.net Type: A 195.22.28.198
DNS	mostcross.net Type: A 195.22.28.199
DNS	mostcross.net Type: A 195.22.28.196
DNS	darkcross.net Type: A 50.63.202.31
DNS	withgrave.net Type: A 208.100.26.234
DNS	thesecould.net Type: A 184.168.221.54
DNS	quickteach.net Type: A 203.124.119.1
DNS	southblood.net Type: A
DNS	pickgrave.net Type: A
DNS	roomstock.net Type: A
DNS	watcheasy.net Type: A
DNS	uponmail.net Type: A
DNS	takenhand.net Type: A
DNS	watchsince.net Type: A
DNS	spotdont.net Type: A
DNS	offeraunt.net Type: A
DNS	madethan.net Type: A
DNS	whomfifth.net Type: A
DNS	quickshade.net Type: A
DNS	thenshade.net Type: A
DNS	quickfloor.net Type: A
DNS	thenfloor.net Type: A
DNS	sundaythrew.net Type: A
DNS	mostthrew.net Type: A
DNS	sundaycross.net Type: A
DNS	sundayshade.net Type: A
DNS	mostshade.net Type: A
DNS	sundayfloor.net Type: A
DNS	mostfloor.net Type: A
DNS	meatthrew.net Type: A
DNS	sickthrew.net Type: A
DNS	meatcross.net Type: A
DNS	sickcross.net Type: A
DNS	meatshade.net Type: A
DNS	sickshade.net Type: A
DNS	meatfloor.net Type: A
DNS	sickfloor.net Type: A
DNS	cloudthrew.net Type: A
DNS	darkthrew.net Type: A
DNS	cloudcross.net Type: A
DNS	cloudshade.net Type: A
DNS	darkshade.net Type: A
DNS	cloudfloor.net Type: A
DNS	darkfloor.net Type: A
DNS	milkusual.net Type: A
DNS	triedusual.net Type: A
DNS	milkcould.net Type: A
DNS	triedcould.net Type: A
DNS	milkteach.net Type: A
DNS	triedteach.net Type: A
DNS	milkgrave.net Type: A
DNS	triedgrave.net Type: A
DNS	withusual.net Type: A
DNS	dutyusual.net Type: A
DNS	withcould.net Type: A
DNS	dutycould.net Type: A
DNS	withteach.net Type: A
DNS	dutyteach.net Type: A
DNS	dutygrave.net Type: A
DNS	theseusual.net Type: A
DNS	sightusual.net Type: A
DNS	sightcould.net Type: A
DNS	theseteach.net Type: A
DNS	sightteach.net Type: A
DNS	thesegrave.net Type: A
DNS	sightgrave.net Type: A
DNS	caseusual.net Type: A
DNS	headusual.net Type: A
DNS	casecould.net Type: A
DNS	headcould.net Type: A
DNS	caseteach.net Type: A
DNS	headteach.net Type: A
DNS	casegrave.net Type: A
DNS	headgrave.net Type: A
DNS	quickusual.net Type: A
DNS	thenusual.net Type: A
DNS	quickcould.net Type: A
DNS	thencould.net Type: A
DNS	thenteach.net Type: A
DNS	quickgrave.net Type: A
DNS	thengrave.net Type: A
DNS	sundayusual.net Type: A
DNS	mostusual.net Type: A
DNS	sundaycould.net Type: A
DNS	mostcould.net Type: A
DNS	sundayteach.net Type: A
DNS	mostteach.net Type: A
DNS	sundaygrave.net Type: A
DNS	mostgrave.net Type: A
DNS	meatusual.net Type: A
DNS	sickusual.net Type: A
DNS	meatcould.net Type: A
DNS	sickcould.net Type: A
DNS	meatteach.net Type: A
DNS	sickteach.net Type: A
DNS	meatgrave.net Type: A
DNS	sickgrave.net Type: A
DNS	cloudusual.net Type: A
HTTP GET	http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://pickgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://ableread.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://roomstock.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://watcheasy.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://uponmail.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://takenhand.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://watchsince.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://spotdont.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://offeraunt.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://madethan.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://drinkwide.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://pickmake.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://mostcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://darkcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://withgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://thesecould.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://quickteach.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://saltsecond.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://pickgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://ableread.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://roomstock.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://watcheasy.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://uponmail.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://takenhand.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://watchsince.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://spotdont.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://offeraunt.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://madethan.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://drinkwide.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://pickmake.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://mostcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://darkcross.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://withgrave.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://thesecould.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
HTTP GET	http://quickteach.net/index.php?method=validate&mode=sox&v=034&sox=47f8a802&lenhdr User-Agent:
Flows TCP	192.168.1.1:1036 ➝ 74.220.199.6:80
Flows TCP	192.168.1.1:1037 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1039 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1040 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1041 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1042 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1044 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1045 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1046 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1047 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1048 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1049 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1050 ➝ 195.22.28.197:80
Flows TCP	192.168.1.1:1051 ➝ 50.63.202.31:80
Flows TCP	192.168.1.1:1052 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1053 ➝ 184.168.221.54:80
Flows TCP	192.168.1.1:1054 ➝ 203.124.119.1:80
Flows TCP	192.168.1.1:1055 ➝ 74.220.199.6:80
Flows TCP	192.168.1.1:1056 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1058 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1059 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1060 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1061 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1062 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1063 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1064 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1065 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1066 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1067 ➝ 208.91.197.241:80
Flows TCP	192.168.1.1:1068 ➝ 195.22.28.197:80
Flows TCP	192.168.1.1:1069 ➝ 50.63.202.31:80
Flows TCP	192.168.1.1:1070 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1071 ➝ 184.168.221.54:80
Flows TCP	192.168.1.1:1072 ➝ 203.124.119.1:80

Raw Pcap

Strings