Analysis Date: 2015-10-12 13:01:21
MD5: bde0bdd4494e2d184bfe1a9eca6b47be
SHA1: 825b1c769442a6f3b7c7d944a1d0928332ed17a7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: 3add6b2057af7b8e65db7d1c59140fb3 sha1: 17237c50512f5de12ccbd2880161e54586bce0b3 size: 225280
Section .data    md5: e63ca432eb80e1cd609b9f49d3c41291 sha1: 3dc069c0a7c9fca593d46323e89c4af98197e010 size: 20992
Section .rdata   md5: f95220d7b9153578ee433cb813da3352 sha1: 12fba0ba4bcaeb1d61a52187ab13345bfb85a288 size: 38400
Section .eh_fram md5: d2645e3d4913b89023f5394092b5e487 sha1: 97cfbd91551119cb2eb2a229768c3e2111fa7b13 size: 40448
Section .bss     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (digests of empty input, consistent with a zero-byte section)
Section .idata   md5: 8391c855f05a9c8a03bbbca3a8b5b765 sha1: fee2e59d70243c2bad92f68731a9ddc6be90f645 size: 6656
Section .CRT     md5: 910720eb4fac04b31501fe1e2a6f9991 sha1: 400824a20d874ede3bf8f12969fcd5e2dc2f93f4 size: 512
Section .tls     md5: cf121183900cf6129e6824f3f5bd7135 sha1: 89b5b6b74f262f9e1ed0fcfb2cdc8c5f2d8c649b size: 512
Timestamp (PE header): 2015-03-05 06:31:34
PEhash: e6f873ee5b22701524305932355f613572cded89
IMPhash: 63644860c6ac7e16b72f108855cc66ae
AV VirusBlokAda (vba32): no_virus
AV ClamAV: no_virus
AV BitDefender: Gen:Variant.Symmi.51758
AV CAT (quickheal): no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV Authentium: W32/Downloader.IZKG-0264
AV Emsisoft: Gen:Variant.Symmi.51758
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV Frisk (f-prot): no_virus
AV Mcafee: no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Alwil (avast): Agent-AZPE [Trj]
AV Fortinet: W32/Agent.XDQ!tr
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Symmi.51758
AV MalwareBytes: no_virus
AV Ikarus: Trojan.Win32.Agent
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Kaspersky: Trojan.Win32.Scar.legb
AV Twister: no_virus
AV Zillya!: no_virus
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!acf
AV Grisoft (avg): Agent5.XUN
AV Dr. Web: Trojan.DownLoader13.23958
AV Symantec: Downloader.Upatre!g16
AV Trend Micro: no_virus
AV Rising: no_virus
AV Eset (nod32): Win32/Agent.XDQ
AV Avira (antivir): TR/ATRAPS.A.8670
AV K7: Trojan ( 004c988e1 )
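The Section and Timestamp rows above are derived from the PE section table and the COFF header, not from the file as a whole. The following is an added example (not the sandbox's own code) that reproduces that derivation: it parses a PE image held in memory, hashes exactly the on-disk bytes of each section, and renders the 32-bit TimeDateStamp. The image it parses is a constructed two-section PE32 stub built by build_stub_pe(), not the analysed sample; the epoch value 1425537094 is assumed to correspond to the report's compile time read as UTC, since the report states no timezone.

```python
"""Derive the "Section ... md5/sha1/size" and "Timestamp" rows of a static
report by parsing the PE section table directly.

Added example for this report, not the sandbox's own code. The image it
parses is a constructed two-section PE32 stub built in build_stub_pe();
the analysed sample itself is not reproduced here.
"""
import hashlib
import struct
from datetime import datetime, timezone


def build_stub_pe(sections, timestamp):
    """Assemble a minimal PE32 image (DOS stub, COFF header, empty optional
    header, section table, raw section data). Constructed for the example;
    it is not loadable, only parsable."""
    opt_hdr_size = 224                       # PE32 optional header size
    pe_off = 0x40                            # e_lfanew
    sect_tbl_off = pe_off + 4 + 20 + opt_hdr_size
    raw_off = (sect_tbl_off + 40 * len(sections) + 0x1FF) & ~0x1FF  # FileAlignment 0x200

    dos = bytearray(pe_off)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, pe_off)

    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections),
                       timestamp, 0, 0, opt_hdr_size, 0x0102)
    opt = bytearray(opt_hdr_size)
    struct.pack_into("<H", opt, 0, 0x10B)    # PE32 magic

    table, body, ptr, va = b"", b"", raw_off, 0x1000
    for name, data in sections:
        size = len(data)
        # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
        # relocation/line-number fields (unused), Characteristics
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                             size, va, size, ptr if size else 0, 0, 0, 0, 0, 0x60000020)
        body += data
        ptr += size
        va += max(0x1000, (size + 0xFFF) & ~0xFFF)
    image = bytes(dos) + coff + bytes(opt) + table
    return image + b"\0" * (raw_off - len(image)) + body


def pe_sections(image):
    """Return (TimeDateStamp, [section rows]) for a PE image held in memory."""
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[:2] != b"MZ" or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    _machine, nsect, tstamp, _, _, opt_size, _ = struct.unpack_from(
        "<HHIIIHH", image, e_lfanew + 4)
    tbl = e_lfanew + 4 + 20 + opt_size
    rows = []
    for i in range(nsect):
        name, _vsize, _va, rawsize, rawptr = struct.unpack_from("<8sIIII", image, tbl + 40 * i)
        # Hash exactly the bytes the section occupies on disk. A section with
        # SizeOfRawData 0 (.bss) hashes as the empty string, which is why such
        # rows show d41d8cd9... / da39a3ee... in reports. Slicing also tolerates
        # a raw pointer or size that runs past the end of a truncated file.
        data = image[rawptr:rawptr + rawsize] if rawsize else b""
        rows.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                     "size": rawsize,
                     "md5": hashlib.md5(data).hexdigest(),
                     "sha1": hashlib.sha1(data).hexdigest()})
    return tstamp, rows


def format_timestamp(tstamp):
    """Render the 32-bit COFF TimeDateStamp the way the report does. The
    report does not state a timezone; UTC is assumed here."""
    return datetime.fromtimestamp(tstamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def demo():
    # 1425537094 is the UTC epoch for the report's compile time, 2015-03-05 06:31:34.
    image = build_stub_pe([(".text", b"\x55\x8b\xec" * 100), (".bss", b"")], 1425537094)
    tstamp, rows = pe_sections(image)
    return format_timestamp(tstamp), rows


if __name__ == "__main__":
    ts, rows = demo()
    print("Timestamp:", ts)
    for r in rows:
        print(f"Section {r['name']:<8} md5: {r['md5']} sha1: {r['sha1']} size: {r['size']}")
```

Section hashes are useful pivots because a repacked or re-linked variant often keeps one or more sections byte-identical while the whole-file MD5/SHA1 change; the .bss row is a reminder that a zero-size section contributes nothing to such a pivot, since every zero-byte section in every file shares those two digests. Note also that a header TimeDateStamp is attacker-controlled and can be forged, so it is corroborating evidence rather than proof of compile time.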

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe
Creates File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates File: C:\qyjoxdeygnjs\mcxnjbdfv
Deletes File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates Process: C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe

Process
↳ C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services Protected Storage Defender ➝ C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe
Creates File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates File: PIPE\lsarpc
Creates File: C:\qyjoxdeygnjs\mcxnjbdfv
Creates File: C:\qyjoxdeygnjs\srkgbebik
Creates File: C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe
Deletes File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates Process: C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe
Creates Service: Auto Problem Device Alerts - C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Process
↳ Pid 1856

Process
↳ Pid 1160

Process
↳ C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe

Creates File: C:\qyjoxdeygnjs\g7lzlsbne
Creates File: pipe\net\NtControlPipe10
Creates File: C:\qyjoxdeygnjs\ydvsenasktf.exe
Creates File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates File: C:\qyjoxdeygnjs\mcxnjbdfv
Creates File: \Device\Afd\Endpoint
Creates File: C:\qyjoxdeygnjs\srkgbebik
Deletes File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates Process: d8zzp3mhpnnj "c:\qyjoxdeygnjs\jwzzlb98kc3vz.exe"

Process
↳ C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe

Creates File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates File: C:\qyjoxdeygnjs\mcxnjbdfv
Deletes File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv

Process
↳ d8zzp3mhpnnj "c:\qyjoxdeygnjs\jwzzlb98kc3vz.exe"

Creates File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
Creates File: C:\qyjoxdeygnjs\mcxnjbdfv
Deletes File: C:\WINDOWS\qyjoxdeygnjs\mcxnjbdfv
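The runtime section is a flat event list, and the triage questions it answers (which dropped executables were launched, what registers the final binary for persistence, and whether a process re-executes its own image) only emerge once the events are correlated per target path. The following is an added example, not the sandbox's own code: EVENTS re-types an abbreviated excerpt of this report's runtime section as constructed input, and the correlation rules (same path written and then launched; a Run key or service pointing at a dropped path; a Creates Process whose executable is the parent's own image) are the editor's heuristics.

```python
"""Correlate the runtime events of a sandbox report into triage findings:
which dropped executables were then launched, how they persist, and whether
a process re-executes its own image under a different command name.

Added example, not the sandbox's own code. EVENTS re-types an abbreviated
excerpt of this report's runtime section as constructed input; the
correlation rules are the editor's heuristics.
"""
import re
from collections import defaultdict

EVENTS = [
    # (process, event type, target)
    (r"C:\malware.exe", "Creates File", r"C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe"),
    (r"C:\malware.exe", "Creates File", r"C:\qyjoxdeygnjs\mcxnjbdfv"),
    (r"C:\malware.exe", "Creates Process", r"C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe"),
    (r"C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe", "Registry",
     r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Services Protected Storage Defender ➝ C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe"),
    (r"C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe", "Creates File", r"C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe"),
    (r"C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe", "Creates Process", r"C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe"),
    (r"C:\qyjoxdeygnjs\mmqdcwg1mbed1kdxrrzxga.exe", "Creates Service",
     r"Auto Problem Device Alerts - C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe"),
    (r"C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe", "Creates File", r"C:\qyjoxdeygnjs\ydvsenasktf.exe"),
    (r"C:\qyjoxdeygnjs\jwzzlb98kc3vz.exe", "Creates Process",
     r'd8zzp3mhpnnj "c:\qyjoxdeygnjs\jwzzlb98kc3vz.exe"'),
]


def norm(path):
    """Case-fold and unquote a Windows path so the same file compares equal
    however the sandbox happened to print it."""
    return path.strip().strip('"').lower()


def first_exe_path(cmdline):
    """Executable path from a command line. Handles both a bare path and the
    quoted form the report shows (d8zzp3mhpnnj "c:\\...\\jwzzlb98kc3vz.exe"),
    where argv[0] is not the image path."""
    m = re.search(r'"([^"]+\.exe)"|(\S+\.exe)', cmdline, re.IGNORECASE)
    return norm(m.group(1) or m.group(2)) if m else None


def correlate(events):
    writers = defaultdict(set)        # exe path -> processes that wrote it
    launchers = defaultdict(set)      # exe path -> processes that launched it
    persistence = defaultdict(list)   # exe path -> [(mechanism, name)]
    self_relaunch = []                # (process, command line) re-executing its own image
    for proc, kind, target in events:
        proc_n = norm(proc)
        if kind == "Creates File" and target.lower().endswith(".exe"):
            writers[norm(target)].add(proc_n)
        elif kind == "Creates Process":
            exe = first_exe_path(target)
            if exe is None:
                continue
            launchers[exe].add(proc_n)
            if exe == proc_n:
                self_relaunch.append((proc, target))
        elif kind == "Registry" and "➝" in target and "\\currentversion\\run\\" in target.lower():
            key, _, value = target.partition("➝")
            persistence[norm(value)].append(("run_key", key.strip().rsplit("\\", 1)[-1]))
        elif kind == "Creates Service":
            name, _, path = target.partition(" - ")
            persistence[norm(path)].append(("service", name.strip()))
    # A file counts as "dropped and executed" only when one of its writers is
    # also one of its launchers; a file merely written (ydvsenasktf.exe here)
    # is recorded but not promoted.
    drop_and_execute = sorted(p for p in writers if writers[p] & launchers.get(p, set()))
    return {"drop_and_execute": drop_and_execute,
            "persistence": dict(persistence),
            "self_relaunch": self_relaunch}


if __name__ == "__main__":
    findings = correlate(EVENTS)
    for path in findings["drop_and_execute"]:
        print("dropped and executed:", path, findings["persistence"].get(path, []))
    for proc, cmd in findings["self_relaunch"]:
        print("self relaunch:", proc, "->", cmd)
```

Two things fall out of the correlation that a line-by-line read of the report obscures: the final payload jwzzlb98kc3vz.exe is registered twice, as both an HKLM Run value and a service, so removing only one leaves it persistent; and the process that relaunches it uses a random argv[0] (d8zzp3mhpnnj) with the real image path only in the quoted argument, so detections keyed on the launched command name rather than the image path will miss it.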

Network Details:

DNS A kristopherernestine.net ➝ 217.160.165.207
DNS A antonettechastity.net ➝ 195.22.26.254
DNS A antonettechastity.net ➝ 195.22.26.231
DNS A antonettechastity.net ➝ 195.22.26.252
DNS A antonettechastity.net ➝ 195.22.26.253
DNS A evangelinerichardson.net ➝ (no address recorded)
DNS A richardineatterberry.net ➝ (no address recorded)
DNS A evangelineatterberry.net ➝ (no address recorded)
DNS A richardineunderwood.net ➝ (no address recorded)
DNS A evangelineunderwood.net ➝ (no address recorded)
DNS A cassandraernestine.net ➝ (no address recorded)
DNS A kristopherchastity.net ➝ (no address recorded)
DNS A cassandrachastity.net ➝ (no address recorded)
DNS A kristophermillicent.net ➝ (no address recorded)
DNS A cassandramillicent.net ➝ (no address recorded)
DNS A kristophertennyson.net ➝ (no address recorded)
DNS A cassandratennyson.net ➝ (no address recorded)
DNS A maximilianernestine.net ➝ (no address recorded)
DNS A kimberleeernestine.net ➝ (no address recorded)
DNS A maximilianchastity.net ➝ (no address recorded)
DNS A kimberleechastity.net ➝ (no address recorded)
DNS A maximilianmillicent.net ➝ (no address recorded)
DNS A kimberleemillicent.net ➝ (no address recorded)
DNS A maximiliantennyson.net ➝ (no address recorded)
DNS A kimberleetennyson.net ➝ (no address recorded)
DNS A catherinaernestine.net ➝ (no address recorded)
DNS A catherineernestine.net ➝ (no address recorded)
DNS A catherinachastity.net ➝ (no address recorded)
DNS A catherinechastity.net ➝ (no address recorded)
DNS A catherinamillicent.net ➝ (no address recorded)
DNS A catherinemillicent.net ➝ (no address recorded)
DNS A catherinatennyson.net ➝ (no address recorded)
DNS A catherinetennyson.net ➝ (no address recorded)
DNS A antonetteernestine.net ➝ (no address recorded)
DNS A madeleineernestine.net ➝ (no address recorded)
DNS A madeleinechastity.net ➝ (no address recorded)
DNS A antonettemillicent.net ➝ (no address recorded)
DNS A madeleinemillicent.net ➝ (no address recorded)
DNS A antonettetennyson.net ➝ (no address recorded)
DNS A madeleinetennyson.net ➝ (no address recorded)
DNS A charlotteernestine.net ➝ (no address recorded)
DNS A stephanieernestine.net ➝ (no address recorded)
DNS A charlottechastity.net ➝ (no address recorded)
DNS A stephaniechastity.net ➝ (no address recorded)
DNS A charlottemillicent.net ➝ (no address recorded)
DNS A stephaniemillicent.net ➝ (no address recorded)
DNS A charlottetennyson.net ➝ (no address recorded)
DNS A stephanietennyson.net ➝ (no address recorded)
DNS A kimberlynernestine.net ➝ (no address recorded)
DNS A glanvilleernestine.net ➝ (no address recorded)
DNS A kimberlynchastity.net ➝ (no address recorded)
DNS A glanvillechastity.net ➝ (no address recorded)
DNS A kimberlynmillicent.net ➝ (no address recorded)
DNS A glanvillemillicent.net ➝ (no address recorded)
DNS A kimberlyntennyson.net ➝ (no address recorded)
DNS A glanvilletennyson.net ➝ (no address recorded)
DNS A jessamineernestine.net ➝ (no address recorded)
DNS A genevieveernestine.net ➝ (no address recorded)
DNS A jessaminechastity.net ➝ (no address recorded)
DNS A genevievechastity.net ➝ (no address recorded)
DNS A jessaminemillicent.net ➝ (no address recorded)
DNS A genevievemillicent.net ➝ (no address recorded)
DNS A jessaminetennyson.net ➝ (no address recorded)
DNS A genevievetennyson.net ➝ (no address recorded)
DNS A zechariahernestine.net ➝ (no address recorded)
DNS A marmadukeernestine.net ➝ (no address recorded)
DNS A zechariahchastity.net ➝ (no address recorded)
DNS A marmadukechastity.net ➝ (no address recorded)
DNS A zechariahmillicent.net ➝ (no address recorded)
DNS A marmadukemillicent.net ➝ (no address recorded)
DNS A zechariahtennyson.net ➝ (no address recorded)
DNS A marmaduketennyson.net ➝ (no address recorded)
DNS A kristopherbernadine.net ➝ (no address recorded)
DNS A cassandrabernadine.net ➝ (no address recorded)
DNS A kristophercharisma.net ➝ (no address recorded)
DNS A cassandracharisma.net ➝ (no address recorded)
DNS A kristopheranastacia.net ➝ (no address recorded)
DNS A cassandraanastacia.net ➝ (no address recorded)
DNS A kristopheranderson.net ➝ (no address recorded)
DNS A cassandraanderson.net ➝ (no address recorded)
DNS A maximilianbernadine.net ➝ (no address recorded)
DNS A kimberleebernadine.net ➝ (no address recorded)
DNS A maximiliancharisma.net ➝ (no address recorded)
DNS A kimberleecharisma.net ➝ (no address recorded)
DNS A maximiliananastacia.net ➝ (no address recorded)
DNS A kimberleeanastacia.net ➝ (no address recorded)
DNS A maximiliananderson.net ➝ (no address recorded)
DNS A kimberleeanderson.net ➝ (no address recorded)
HTTP GET: http://kristopherernestine.net/index.php
User-Agent: (blank)
HTTP GET: http://antonettechastity.net/index.php
User-Agent: (blank)
Flows TCP: 192.168.1.1:1031 ➝ 217.160.165.207:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.254:80
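Every name queried above is two tokens from a small vocabulary glued together under .net (kristopher+ernestine, antonette+chastity, and so on), only two of the 85 distinct names resolved, and the sample then fetched /index.php from those two with an empty User-Agent. The report does not disclose the generation algorithm or the full wordlist, so the following added example (not the sandbox's or the malware family's code) does not try to reproduce it; instead it shows a dictionary-based detector built only from the tokens observed above, run over constructed DNS log lines whose timestamps, format and benign entries (www.example.com, 192.0.2.10) are invented for the example. The client address 192.168.1.1 is the sandbox host from the Flows rows.

```python
"""Flag clients whose DNS queries are dominated by two-word dictionary names
that mostly fail to resolve, the pattern visible in this report's DNS rows.

Added example, not the sandbox's own code. WORDS contains only the tokens
observed in the report; the real vocabulary and generation scheme are not
given there. LOG is a constructed excerpt in a simple
"<timestamp> <client> <qtype> <name> <answer|->" format.
"""
from collections import defaultdict

WORDS = frozenset("""
kristopher antonette evangeline richardine cassandra maximilian kimberlee
catherina catherine madeleine charlotte stephanie kimberlyn glanville
jessamine genevieve zechariah marmaduke ernestine chastity millicent tennyson
richardson atterberry underwood bernadine charisma anastacia anderson
""".split())

# Constructed log: the names come from the report, everything else is invented.
LOG = """\
2015-10-12T13:01:25 192.168.1.1 A kristopherernestine.net 217.160.165.207
2015-10-12T13:01:26 192.168.1.1 A antonettechastity.net 195.22.26.254
2015-10-12T13:01:27 192.168.1.1 A evangelinerichardson.net -
2015-10-12T13:01:27 192.168.1.1 A richardineatterberry.net -
2015-10-12T13:01:28 192.168.1.1 A cassandracharisma.net -
2015-10-12T13:01:28 192.168.1.1 A kimberleeanderson.net -
2015-10-12T13:01:29 192.168.1.1 A zechariahchastity.net -
2015-10-12T13:01:29 192.168.1.1 A marmaduketennyson.net -
2015-10-12T13:01:30 192.168.1.2 A www.example.com 192.0.2.10
2015-10-12T13:01:31 192.168.1.2 A charlotteanderson.net -
"""


def split_two_words(label, words=WORDS):
    """Return (a, b) if label == a + b with both halves in the dictionary,
    else None. Tries every split point, so no assumption about token length."""
    for i in range(1, len(label)):
        a, b = label[:i], label[i:]
        if a in words and b in words:
            return a, b
    return None


def second_level_label(name):
    """Registrable label of a query name. Naive: treats the last label as the
    public suffix, so multi-part suffixes such as co.uk are mishandled."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else None


def scan(log_text, min_hits=5):
    """Per-client counts of distinct two-word dictionary names and of
    unanswered queries for them; flagged when both are high."""
    state = defaultdict(lambda: {"names": set(), "unresolved": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, client, qtype, name, answer = line.split()
        if qtype != "A":
            continue
        label = second_level_label(name)
        if label is None or split_two_words(label) is None:
            continue
        st = state[client]
        st["names"].add(name.lower())
        if answer == "-":
            st["unresolved"] += 1
    report = {}
    for client, st in state.items():
        hits = len(st["names"])
        # Volume alone is weak (two real people's names can collide with the
        # dictionary); requiring that at least half the lookups fail mirrors
        # the report, where 2 of 85 names resolved.
        report[client] = {"hits": hits,
                          "unresolved": st["unresolved"],
                          "flagged": hits >= min_hits and st["unresolved"] >= hits // 2}
    return report


if __name__ == "__main__":
    for client, row in sorted(scan(LOG).items()):
        print(client, row)
```

A dictionary matcher like this only catches names assembled from tokens already seen, so it is a pivot for hunting related infections, not a general detector for the family; the more durable signal in the report is behavioural, namely a burst of A queries for same-TLD two-word names from one host with almost all of them unanswered, followed by an HTTP GET with an empty User-Agent to whichever few did resolve.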
