Analysis Date: 2015-11-28 12:07:07
MD5: 0e277310fa14021470c27a3a9439d608
SHA1: 5c7a348e984a144345d2153024bc27110bce930a

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 73b3ccb7c8ed2ae685deb277c123ac7a sha1: 8dd10d5cb1aced63a15ae4e53ea18c2920aba523 size: 114176
Section .rdata md5: 55a6f22069112954e30e69f8ec0075bc sha1: 94355067c554dddf591e3354fc1793429d99ed1f size: 11776
Section .data  md5: db97a998cc2ea146f4ea0e1efbbe29a6 sha1: fd932bd203dc8f2c75166ffeeaea131653ea167a size: 28160
Section .rsrc  md5: ce9a50d4f324a54f5e0484ea997fe7fa sha1: 2313170e3bdd66e49d59575d443fb1b019107cb2 size: 52736
Timestamp: 2015-11-11 14:02:54
Version:
LegalCopyright: Copyright © 2015 Scooter Software, Inc.
Subversion Revision: 19761
FileVersion: 4.0.7.19761
CompanyName: Scooter Software
LegalTrademarks: Beyond Compare ® is a registered trademark of Scooter Software, Inc.
Comments: Beyond Compare 4
ProductName: Beyond Compare
ProductVersion: 4.0
FileDescription: Beyond Compare
CompileDate: Tuesday, March 03, 2015 03:48 PM
OriginalFilename: BCompare.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 3262eaf6033f7fd5077e5b4b56f18958cffac4d2
IMPhash: f3deb756c864453f947abf0b4832b52d
AV CA (E-Trust Ino): no_virus
AV Rising: no_virus
AV Mcafee: RDN/Generic BackDoor
AV Avira (antivir): TR/Crypt.Xpack.316527
AV Twister: no_virus
AV Ad-Aware: Trojan.Lethic.Gen.9
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.EEPL
AV Grisoft (avg): Crypt_r.AKW
AV Symantec: Backdoor.Trojan
AV Fortinet: W32/Androm.EEPL!tr.bdr
AV BitDefender: Trojan.Lethic.Gen.9
AV K7: Trojan ( 004d68c91 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV MalwareBytes: Trojan.Zbot
AV Authentium: W32/Agent.XL.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Trojan.Lethic.Gen.9
AV Zillya!: no_virus
AV Kaspersky: Backdoor.Win32.Androm.iqlq
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Trojan.Lethic.Gen.9
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV ClamAV: no_virus
AV Dr. Web: BackDoor.IRC.NgrBot.566
AV F-Secure: Trojan.Lethic.Gen.9

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\119031
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows TCP: 192.168.1.1:1044 ➝ 191.239.213.197:80
Flows UDP: 192.168.1.1:1045 ➝ 8.8.4.4:53
