Analysis Date: 2015-11-04 07:29:41
MD5: cd432ed828e0873880204d5c5f86ddec
SHA1: 8055bbdb60db674e8803f9a19db6711bb0e2faba

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5 129afbf65306253cd8d812662ddf2f34, sha1 bddaa7cc89c00e8dda3a25e90667aae08e27d87e, size 801792
Section .rdata: md5 a34c881c6fb269f46128090298010388, sha1 4931b9928e73491da288b0b3b20df43f4162ad69, size 59392
Section .data: md5 8c03c70161b1c16a6ee81548dc517b93, sha1 9c95a383e1c781eabe69df9700f465dce63d4d83, size 412672
Timestamp: 2015-01-27 09:22:43
Packer: Microsoft Visual C++ ?.?
PEhash: f84456d62e0cad1c2b70591b970cb019932e4220
IMPhash: a173daafd131e38725cc7ad6e0c338cb
AV CA (E-Trust Ino): No Virus
AV Rising: 0x59329f7b
AV Mcafee: No Virus
AV Avira (antivir): TR/AD.Godatch.Y.7
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Downloader-TLD [Trj]
AV Eset (nod32): Win32/Kryptik.CCLE
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV Padvish: No Virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV ClamAV: No Virus
AV Dr. Web: Trojan.KillFiles.30595
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\wqgxabu1n04onqinazjedq.exe
Creates File: C:\WINDOWS\system32\xetoerynymphl\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\wqgxabu1n04onqinazjedq.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\wqgxabu1n04onqinazjedq.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Session Media Group Workstation Reporting ➝ C:\WINDOWS\system32\disqayhhvxl.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\disqayhhvxl.exe
Creates File: C:\WINDOWS\system32\xetoerynymphl\etc
Creates File: C:\WINDOWS\system32\xetoerynymphl\tst
Creates File: C:\WINDOWS\system32\xetoerynymphl\lck
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\disqayhhvxl.exe
Creates Service: Time Extensible Instrumentation ➝ C:\WINDOWS\system32\disqayhhvxl.exe

Process
↳ Pid 808

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1148

Process
↳ C:\WINDOWS\system32\disqayhhvxl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\xetoerynymphl\rng
Creates File: C:\WINDOWS\system32\xetoerynymphl\lck
Creates File: C:\WINDOWS\TEMP\wqgxabu1tqbonq.exe
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\xetoerynymphl\tst
Creates File: C:\WINDOWS\system32\xetoerynymphl\run
Creates File: C:\WINDOWS\system32\uutoktiqt.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\xetoerynymphl\cfg
Creates Process: C:\WINDOWS\TEMP\wqgxabu1tqbonq.exe -r 39563 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\disqayhhvxl.exe"

Process
↳ C:\WINDOWS\system32\disqayhhvxl.exe

Creates File: C:\WINDOWS\system32\xetoerynymphl\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\disqayhhvxl.exe"

Creates File: C:\WINDOWS\system32\xetoerynymphl\tst

Process
↳ C:\WINDOWS\TEMP\wqgxabu1tqbonq.exe -r 39563 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250 (the SSDP/UPnP multicast address, not a DNS resolver; the report does not show what was sent to it)
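Added example, not part of the sandbox report: the dropper-to-service chain recorded above (Run value written from the user's Temp directory, service installed with a system32 binary, hosts file deleted and re-created, the WATCHDOGPROC relaunch, the `-r 39563 tcp` helper, FirewallDisableNotify set to 1) as detection rules over Sysmon-style events. The events are constructed to mirror the trace and use a flat field layout of this script's own (`id`, `image`, `target`, `details`, `imagepath`, `service`, `cmdline`), not Sysmon's XML. The first six rules are generic and carry over to other samples; the last two are tied to this sample's names. The svchost.exe and spoolsv.exe entries in the trace are routine system activity (WMI logging, print spooler settings) and one of them is included as a negative case that must stay quiet.

```python
"""Persistence and staging behaviour from the runtime trace, as detection
rules over Sysmon-style events.  Added example: events are constructed to
mirror the trace; the flat field names are this script's own schema."""
import re

# Indicators copied from the trace
RUN_VALUE_NAME = "Session Media Group Workstation Reporting"
SERVICE_NAME = "Time Extensible Instrumentation"
STAGING_DIR = "c:\\windows\\system32\\xetoerynymphl\\"
HOSTS_FILE = "c:\\windows\\system32\\drivers\\etc\\hosts"

TEMP_DIR_RE = re.compile(r"\\(local settings\\temp|windows\\temp)\\", re.I)
RUN_KEY_RE = re.compile(r"\\currentversion\\run\\", re.I)
PORT_HELPER_RE = re.compile(r"\s-r\s+\d{1,5}\s+tcp$", re.I)


def norm(path):
    """Lower-case and collapse the doubled separator the trace shows in the
    hosts-file delete, so both spellings compare equal."""
    return path.lower().replace("\\\\", "\\")


def in_temp(image):
    return TEMP_DIR_RE.search(image) is not None


# id: 1 process create, 11 file create, 13 registry value set,
# 23 file delete, 7045 service installed (System log), all flattened.
RULES = {
    # Generic: autorun value written by a process executing out of a temp dir
    "run_key_set_by_temp_process": lambda e: (
        e["id"] == 13 and RUN_KEY_RE.search(e.get("target", "")) is not None
        and in_temp(e["image"])),
    # Generic: service binary in system32, installed by a temp-resident process
    "service_installed_by_temp_process": lambda e: (
        e["id"] == 7045 and in_temp(e["image"])
        and norm(e.get("imagepath", "")).startswith("c:\\windows\\system32\\")),
    # Generic: hosts file deleted or re-created (local DNS tampering)
    "hosts_file_replaced": lambda e: (
        e["id"] in (11, 23) and norm(e.get("target", "")) == HOSTS_FILE),
    # Generic: self-relaunch carrying the WATCHDOGPROC marker
    "watchdog_relaunch": lambda e: (
        e["id"] == 1 and e.get("cmdline", "").upper().startswith("WATCHDOGPROC ")),
    # Generic: helper started with "-r <port> tcp"
    "port_helper_cmdline": lambda e: (
        e["id"] == 1 and PORT_HELPER_RE.search(e.get("cmdline", "")) is not None),
    # Generic: Security Center firewall warning suppressed
    "firewall_notify_disabled": lambda e: (
        e["id"] == 13 and e.get("details") == "1"
        and norm(e.get("target", "")).endswith("\\security center\\firewalldisablenotify")),
    # Sample-specific: staging directory and persistence names from this report
    "staging_dir_touched": lambda e: (
        e["id"] in (11, 23) and norm(e.get("target", "")).startswith(STAGING_DIR)),
    "known_persistence_names": lambda e: (
        (e["id"] == 13 and e.get("target", "").endswith(RUN_VALUE_NAME))
        or (e["id"] == 7045 and e.get("service") == SERVICE_NAME)),
}

DROPPER = "C:\\Documents and Settings\\Administrator\\Local Settings\\Temp\\wqgxabu1n04onqinazjedq.exe"
IMPLANT = "C:\\WINDOWS\\system32\\disqayhhvxl.exe"

EVENTS = [  # constructed, in the order the trace shows them
    {"id": 1, "image": DROPPER, "parent": "C:\\malware.exe", "cmdline": DROPPER},
    {"id": 13, "image": DROPPER, "details": IMPLANT,
     "target": "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + RUN_VALUE_NAME},
    {"id": 23, "image": DROPPER, "target": "C:\\WINDOWS\\system32\\\\drivers\\etc\\hosts"},
    {"id": 11, "image": DROPPER, "target": "C:\\WINDOWS\\system32\\xetoerynymphl\\lck"},
    {"id": 7045, "image": DROPPER, "service": SERVICE_NAME, "imagepath": IMPLANT},
    {"id": 1, "image": IMPLANT, "parent": IMPLANT,
     "cmdline": 'WATCHDOGPROC "c:\\windows\\system32\\disqayhhvxl.exe"'},
    {"id": 1, "image": "C:\\WINDOWS\\TEMP\\wqgxabu1tqbonq.exe", "parent": IMPLANT,
     "cmdline": "C:\\WINDOWS\\TEMP\\wqgxabu1tqbonq.exe -r 39563 tcp"},
    {"id": 13, "image": IMPLANT, "details": "1",
     "target": "HKLM\\Software\\Microsoft\\Security Center\\FirewallDisableNotify"},
    # routine system activity also present in the trace; must not alert
    {"id": 11, "image": "C:\\WINDOWS\\System32\\svchost.exe",
     "target": "C:\\WINDOWS\\system32\\WBEM\\Logs\\wbemess.log"},
]


def scan(events):
    """Return (rule, image) pairs for every rule each event trips."""
    return [(name, e["image"]) for e in events for name, hit in RULES.items() if hit(e)]


if __name__ == "__main__":
    for rule, image in scan(EVENTS):
        print(f"{rule:36s} {image}")
```

The generic rules are the ones worth keeping in a detection backlog; the two name-based rules only catch this build, since the sample generates its file, value and service names and a re-packed copy will use different ones.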

Network Details:

DNS: melbourneit.hotkeysparking.com (A) ➝ 8.5.1.16
DNS: enemyguess.net (A) ➝ 208.91.197.241
DNS: queentell.net (A) ➝ 208.91.197.241
DNS: wednesdayhalf.net (A) ➝ 208.91.197.241
DNS: mouthrest.net (A) ➝ 208.91.197.241
DNS: drivethirteen.net (A) ➝ 208.91.197.241
DNS: faceboat.net (A) ➝ 208.91.197.241
DNS: muchhappy.net (A) ➝ 208.91.197.241
DNS: fairhope.net (A) ➝ 69.85.206.115
DNS: dreamhope.net (A) ➝ 202.172.26.32
DNS: thishope.net (A) ➝ 208.100.26.234
DNS: dreamleft.net (A) ➝ 195.22.26.248
DNS: dreamhurry.net (A) ➝ 195.22.26.231, 195.22.26.252, 195.22.26.253, 195.22.26.254
DNS: arivewild.net (A) ➝ 195.22.26.248
DNS: whichkind.net (A) ➝ 69.41.183.180
DNS: ableread.net (A) ➝ no answer recorded
DNS: soilunder.net (A) ➝ no answer recorded
DNS: sensesound.net (A) ➝ no answer recorded
DNS: spotleft.net (A) ➝ no answer recorded
DNS: saltleft.net (A) ➝ no answer recorded
DNS: spotthirteen.net (A) ➝ no answer recorded
DNS: saltthirteen.net (A) ➝ no answer recorded
DNS: spothurry.net (A) ➝ no answer recorded
DNS: salthurry.net (A) ➝ no answer recorded
DNS: gladhope.net (A) ➝ no answer recorded
DNS: takenhope.net (A) ➝ no answer recorded
DNS: gladleft.net (A) ➝ no answer recorded
DNS: takenleft.net (A) ➝ no answer recorded
DNS: gladthirteen.net (A) ➝ no answer recorded
DNS: takenthirteen.net (A) ➝ no answer recorded
DNS: gladhurry.net (A) ➝ no answer recorded
DNS: takenhurry.net (A) ➝ no answer recorded
DNS: equalhope.net (A) ➝ no answer recorded
DNS: grouphope.net (A) ➝ no answer recorded
DNS: equalleft.net (A) ➝ no answer recorded
DNS: groupleft.net (A) ➝ no answer recorded
DNS: equalthirteen.net (A) ➝ no answer recorded
DNS: groupthirteen.net (A) ➝ no answer recorded
DNS: equalhurry.net (A) ➝ no answer recorded
DNS: grouphurry.net (A) ➝ no answer recorded
DNS: spokehope.net (A) ➝ no answer recorded
DNS: visithope.net (A) ➝ no answer recorded
DNS: spokeleft.net (A) ➝ no answer recorded
DNS: visitleft.net (A) ➝ no answer recorded
DNS: spokethirteen.net (A) ➝ no answer recorded
DNS: visitthirteen.net (A) ➝ no answer recorded
DNS: spokehurry.net (A) ➝ no answer recorded
DNS: visithurry.net (A) ➝ no answer recorded
DNS: watchhope.net (A) ➝ no answer recorded
DNS: watchleft.net (A) ➝ no answer recorded
DNS: fairleft.net (A) ➝ no answer recorded
DNS: watchthirteen.net (A) ➝ no answer recorded
DNS: fairthirteen.net (A) ➝ no answer recorded
DNS: watchhurry.net (A) ➝ no answer recorded
DNS: fairhurry.net (A) ➝ no answer recorded
DNS: thisleft.net (A) ➝ no answer recorded
DNS: dreamthirteen.net (A) ➝ no answer recorded
DNS: thisthirteen.net (A) ➝ no answer recorded
DNS: thishurry.net (A) ➝ no answer recorded
DNS: southwild.net (A) ➝ no answer recorded
DNS: arivejune.net (A) ➝ no answer recorded
DNS: southjune.net (A) ➝ no answer recorded
DNS: arivebegan.net (A) ➝ no answer recorded
DNS: southbegan.net (A) ➝ no answer recorded
DNS: arivekind.net (A) ➝ no answer recorded
DNS: southkind.net (A) ➝ no answer recorded
DNS: uponwild.net (A) ➝ no answer recorded
DNS: whichwild.net (A) ➝ no answer recorded
DNS: uponjune.net (A) ➝ no answer recorded
DNS: whichjune.net (A) ➝ no answer recorded
DNS: uponbegan.net (A) ➝ no answer recorded
DNS: whichbegan.net (A) ➝ no answer recorded
DNS: uponkind.net (A) ➝ no answer recorded
DNS: spotwild.net (A) ➝ no answer recorded
DNS: saltwild.net (A) ➝ no answer recorded
DNS: spotjune.net (A) ➝ no answer recorded
DNS: saltjune.net (A) ➝ no answer recorded
DNS: spotbegan.net (A) ➝ no answer recorded
DNS: saltbegan.net (A) ➝ no answer recorded
DNS: spotkind.net (A) ➝ no answer recorded
DNS: saltkind.net (A) ➝ no answer recorded
DNS: gladwild.net (A) ➝ no answer recorded
DNS: takenwild.net (A) ➝ no answer recorded
DNS: gladjune.net (A) ➝ no answer recorded
DNS: takenjune.net (A) ➝ no answer recorded
DNS: gladbegan.net (A) ➝ no answer recorded
DNS: takenbegan.net (A) ➝ no answer recorded
DNS: gladkind.net (A) ➝ no answer recorded
DNS: takenkind.net (A) ➝ no answer recorded
DNS: equalwild.net (A) ➝ no answer recorded
DNS: groupwild.net (A) ➝ no answer recorded
DNS: equaljune.net (A) ➝ no answer recorded
DNS: groupjune.net (A) ➝ no answer recorded
DNS: equalbegan.net (A) ➝ no answer recorded
DNS: groupbegan.net (A) ➝ no answer recorded
DNS: equalkind.net (A) ➝ no answer recorded
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://fairhope.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://dreamhope.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://thishope.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://dreamleft.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://dreamhurry.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://arivewild.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://whichkind.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://ableread.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://fairhope.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://dreamhope.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://thishope.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://dreamleft.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://dreamhurry.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://arivewild.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
HTTP GET: http://whichkind.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr (User-Agent: blank)
Flow TCP: 192.168.1.1:1036 ➝ 8.5.1.16:80
Flow TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1041 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1044 ➝ 69.85.206.115:80
Flow TCP: 192.168.1.1:1046 ➝ 202.172.26.32:80
Flow TCP: 192.168.1.1:1047 ➝ 208.100.26.234:80
Flow TCP: 192.168.1.1:1048 ➝ 195.22.26.248:80
Flow TCP: 192.168.1.1:1049 ➝ 195.22.26.231:80
Flow TCP: 192.168.1.1:1050 ➝ 195.22.26.248:80
Flow TCP: 192.168.1.1:1051 ➝ 69.41.183.180:80
Flow TCP: 192.168.1.1:1052 ➝ 8.5.1.16:80
Flow TCP: 192.168.1.1:1053 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1054 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1055 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1058 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1059 ➝ 208.91.197.241:80
Flow TCP: 192.168.1.1:1060 ➝ 69.85.206.115:80
Flow TCP: 192.168.1.1:1061 ➝ 202.172.26.32:80
Flow TCP: 192.168.1.1:1062 ➝ 208.100.26.234:80
Flow TCP: 192.168.1.1:1063 ➝ 195.22.26.248:80
Flow TCP: 192.168.1.1:1064 ➝ 195.22.26.231:80
Flow TCP: 192.168.1.1:1065 ➝ 195.22.26.248:80
Flow TCP: 192.168.1.1:1066 ➝ 69.41.183.180:80
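Added example, not part of the report: the DNS, HTTP and flow records above turned into proxy-log detections. Two things in the data drive the design. First, every queried .net name is a concatenation of one word from each of two short lists (dream, spot, salt, glad, taken, equal, group, ... with hope, left, thirteen, hurry, wild, june, began, kind, ...), so names can be recognised by decomposing them rather than by a fixed list. Second, the 15 flows in each of the two rounds line up one-to-one, in order, with the 15 GETs of that round; seven of the resolving names share 208.91.197.241, and by that ordering the ableread.net request (no answer recorded) corresponds to the flow to 8.5.1.16, the address resolved for melbourneit.hotkeysparking.com. Addresses are therefore weak indicators here; the names and the fixed `index.php?method=validate&mode=sox&v=...&sox=...&lenhdr` request shape with a blank User-Agent are what to alert on. The wordlists are read off the page, the resolutions are copied from it, the log lines are constructed, and the full cartesian product is a hunting superset, not the sample's actual generation algorithm, which the report does not reveal.

```python
"""Network indicators from the DNS, HTTP and flow records, turned into
proxy-log detections.  Added example: wordlists and resolutions are taken
from the report, the log lines are constructed, not captured traffic."""
import re
from collections import defaultdict
from itertools import product
from urllib.parse import urlsplit

# Every queried .net name on the page is <first><second>.net, one word from each list.
FIRST = ("able", "arive", "dream", "drive", "enemy", "equal", "face", "fair",
         "glad", "group", "mouth", "much", "queen", "salt", "sense", "soil",
         "south", "spoke", "spot", "taken", "this", "upon", "visit", "watch",
         "wednesday", "which")
SECOND = ("began", "boat", "guess", "half", "happy", "hope", "hurry", "june",
          "kind", "left", "read", "rest", "sound", "tell", "thirteen", "under",
          "wild")

# Request shape shared by every HTTP GET on the page; only the hex token should vary.
BEACON_RE = re.compile(
    r"^/index\.php\?method=validate&mode=sox&v=\d{3}&sox=[0-9a-f]{8}&lenhdr$")

# Answers recorded on the page (names with no answer are left out).
RESOLVED = {
    "melbourneit.hotkeysparking.com": "8.5.1.16",
    "enemyguess.net": "208.91.197.241", "queentell.net": "208.91.197.241",
    "wednesdayhalf.net": "208.91.197.241", "mouthrest.net": "208.91.197.241",
    "drivethirteen.net": "208.91.197.241", "faceboat.net": "208.91.197.241",
    "muchhappy.net": "208.91.197.241", "fairhope.net": "69.85.206.115",
    "dreamhope.net": "202.172.26.32", "thishope.net": "208.100.26.234",
    "dreamleft.net": "195.22.26.248", "dreamhurry.net": "195.22.26.231",
    "arivewild.net": "195.22.26.248", "whichkind.net": "69.41.183.180",
}


def split_words(host):
    """(first, second) when host is <first><second>.net, else None."""
    label, _, tld = host.lower().partition(".")
    if tld != "net":
        return None
    for i in range(1, len(label)):
        if label[:i] in FIRST and label[i:] in SECOND:
            return label[:i], label[i:]
    return None


def candidate_blocklist():
    """Hunting superset: every pairing of the two lists.  Not the sample's
    real generation algorithm, which the report does not show."""
    return sorted(f"{a}{b}.net" for a, b in product(FIRST, SECOND))


def ip_fanout(resolved):
    """Names per address.  An address shared by many unrelated names is a
    weak indicator on its own; alert on the names instead."""
    out = defaultdict(list)
    for name, ip in resolved.items():
        out[ip].append(name)
    return dict(out)


# Common-log-format line with referer and user-agent fields appended.
LOG_RE = re.compile(
    r'"GET (?P<url>\S+) HTTP/1\.[01]" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"')


def classify(line):
    """Tags for one proxy-log line; an empty set means nothing matched."""
    m = LOG_RE.search(line)
    if not m:
        return set()
    u = urlsplit(m["url"])
    tags = set()
    if split_words(u.hostname or ""):
        tags.add("dga_name")
    if BEACON_RE.match(u.path + ("?" + u.query if u.query else "")):
        tags.add("validate_beacon")
    if m["ua"] in ("", "-"):          # the report records a blank User-Agent
        tags.add("empty_user_agent")
    return tags


def scan_log(lines):
    """(hostname, sorted tags) for every parseable line."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if m:
            out.append((urlsplit(m["url"]).hostname, sorted(classify(line))))
    return out


# Constructed lines; the first two mirror requests recorded on the page.
SAMPLE_LOG = [
    '192.168.1.1 - - [04/Nov/2015:07:30:01 +0000] "GET http://ableread.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr HTTP/1.1" 200 14 "-" "-"',
    '192.168.1.1 - - [04/Nov/2015:07:30:02 +0000] "GET http://dreamhurry.net/index.php?method=validate&mode=sox&v=036&sox=4b4e8a04&lenhdr HTTP/1.1" 200 14 "-" "-"',
    '192.168.1.1 - - [04/Nov/2015:07:31:00 +0000] "GET http://salthurry.net/ HTTP/1.1" 404 0 "-" "Mozilla/5.0"',
    '192.168.1.1 - - [04/Nov/2015:07:32:00 +0000] "GET http://www.example.com/index.php?method=validate HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for host, tags in scan_log(SAMPLE_LOG):
        print(f"{host:20s} {', '.join(tags) or '-'}")
    for ip, names in ip_fanout(RESOLVED).items():
        if len(names) > 1:
            print(f"{ip} shared by {len(names)} names")
```

A hit on `validate_beacon` alone is a strong signal because the query string is constant across all 30 requests; `dga_name` alone (third sample line) is a hunting lead, since a two-word .net name is not rare in legitimate traffic, and the wordlists will drift as other builds of the sample are seen.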
