Analysis Date: 2016-02-27 05:23:11
MD5: 6dddb2179782a9cb3c0a42070d5dfc68
SHA1: 8e56c2226f8dedaf226a707d06e22a5d3866e376

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 516d096d3a645f9dc5adcf5a37fb611a sha1: 1ba6f86c198c684a1e7d03cdaae89e52571ead9d size: 265216
Section .rdata: md5: 76993f8a9840f546f6ca9436294c2e67 sha1: d3ea6c59610c2c75625689fa48fcc5233195a7bd size: 40448
Section .data: md5: 83a6bc215980ec4bd3973d23de81b64f sha1: 1e671b51e7623f41f5b0651cb0297fc0c5f93cda size: 2048
Section .reloc: md5: 1ce846971daee717a746f728919ba0d7 sha1: d52237247c90b653feaf8be4308984103d837753 size: 50688
Timestamp: 2015-12-23 04:27:00
PEhash: a47502cf1364fd32566c3821bacddad51292db42
IMPhash: b0929a33e0f29a1aacc5fc127dd6b1cd
AV CA (E-Trust Ino): Gen:Variant.Razy.11545
AV Rising: No Virus
AV Mcafee: Trojan-FHPD!6DDDB2179782
AV Avira (antivir): TR/Crypt.Xpack.412054
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.11545
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Bayrob.AQ
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.11545
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CW
AV MicroWorld (escan): Gen:Variant.Razy.11545
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.F.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.11545
AV Frisk (f-prot): W32/Nivdort.F.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: Trojan.Tinba.Win32.4049
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): BScope.Malware-Cryptor.Msgfake
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV BullGuard: Gen:Variant.Razy.11545
AV Arcabit (arcavir): Gen:Variant.Razy.11545
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader18.30032
AV F-Secure: Gen:Variant.Razy.11545

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\stounaikpkxb\yhm1kxwyczslrkvdkvp.exe
Creates File: C:\stounaikpkxb\zrddnzz5
Creates File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Deletes File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Creates Process: C:\stounaikpkxb\yhm1kxwyczslrkvdkvp.exe

Process
↳ C:\stounaikpkxb\yhm1kxwyczslrkvdkvp.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Security TPM PC Visual Installer ➝ C:\stounaikpkxb\dykggwmdxda.exe
Creates File: C:\stounaikpkxb\f1zefztllakt
Creates File: C:\stounaikpkxb\dykggwmdxda.exe
Creates File: PIPE\lsarpc
Creates File: C:\stounaikpkxb\zrddnzz5
Creates File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Deletes File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Creates Process: C:\stounaikpkxb\dykggwmdxda.exe
Creates Service: Accounts Quality Office Parental User - C:\stounaikpkxb\dykggwmdxda.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1860

Process
↳ Pid 1140

Process
↳ C:\stounaikpkxb\dykggwmdxda.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\stounaikpkxb\f1zefztllakt
Creates File: C:\stounaikpkxb\eiiatqbvd.exe
Creates File: C:\stounaikpkxb\zrddnzz5
Creates File: \Device\Afd\Endpoint
Creates File: C:\stounaikpkxb\q1hrhgmvvd
Creates File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Deletes File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Creates Process: rckszjyqcgdv "c:\stounaikpkxb\dykggwmdxda.exe"

Process
↳ C:\stounaikpkxb\dykggwmdxda.exe

Creates File: C:\stounaikpkxb\zrddnzz5
Creates File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Deletes File: C:\WINDOWS\stounaikpkxb\zrddnzz5

Process
↳ rckszjyqcgdv "c:\stounaikpkxb\dykggwmdxda.exe"

Creates File: C:\stounaikpkxb\zrddnzz5
Creates File: C:\WINDOWS\stounaikpkxb\zrddnzz5
Deletes File: C:\WINDOWS\stounaikpkxb\zrddnzz5

Network Details:
