Analysis Date: 2015-10-15 12:50:34
MD5: 54eb4e3b8fcd687c11379ec79a6605ec
SHA1: a2f15d476d63f9611f5eaac3ed96bac0e79be447

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: c620c8deadb31cdbc6f34fc764b15380 sha1: 08ab473ac6a6196738fb80cc632409e5c9d2446d size: 803328
Section .rdata: md5: 537b493816fca0c55d0c7f8d2cc1281e sha1: d08ae741cb24eec249c2ba685138c944379fd731 size: 61952
Section .data: md5: de430b73ef48aab80887b858f734b342 sha1: 49d99220932cc32157f8deafe4c63cc821c643ff size: 393216
Timestamp: 2015-01-27 09:17:26
Packer: Microsoft Visual C++ ?.?
PEhash: 3402498e20faea73f0e1a0dd10757d2359e4a665
IMPhash: 41319c1daa918b270640e32f550fa6e6
AV Rising: no_virus
AV Mcafee: no_virus
AV Avira (antivir): TR/Crypt.Xpack.293187
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.22722
AV Alwil (avast): Kryptik-OOC [Trj]
AV Eset (nod32): Win32/Kryptik.DXVJ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g15
AV Fortinet: W32/Kryptik.DDQD!tr
AV BitDefender: Gen:Variant.Symmi.22722
AV K7: Trojan ( 004cd0081 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.AE
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV MalwareBytes: Trojan.FakePDF
AV Authentium: W32/Nivdort.A.gen!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Crypt
AV Emsisoft: Gen:Variant.Symmi.22722
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: TROJ_WONTON.SMJ1
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.22722
AV Arcabit (arcavir): Gen:Variant.Symmi.22722
AV CA (E-Trust Ino): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV F-Secure: Gen:Variant.Symmi.22722

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\q2ieoye31k9llyvyuqvosble.exe
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\q2ieoye31k9llyvyuqvosble.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\q2ieoye31k9llyvyuqvosble.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Application Installer Logs ➝ C:\WINDOWS\system32\mxxqrhwvhr.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\etc
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\tst
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\lck
Creates File: C:\WINDOWS\system32\mxxqrhwvhr.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\mxxqrhwvhr.exe
Creates Service: Provider Proxy Manager WMI Defragmenter - C:\WINDOWS\system32\mxxqrhwvhr.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1112

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1868

Process
↳ Pid 1056

Process
↳ C:\WINDOWS\system32\mxxqrhwvhr.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝ 1
Creates File: C:\WINDOWS\system32\gypdgrqri.exe
Creates File: C:\WINDOWS\TEMP\q2ieoye31r44lyvy.exe
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\cfg
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\tst
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\lck
Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\run
Creates File: \Device\Afd\Endpoint
Creates Process: C:\WINDOWS\TEMP\q2ieoye31r44lyvy.exe -r 23828 tcp
Creates Process: WATCHDOGPROC "c:\windows\system32\mxxqrhwvhr.exe"

Process
↳ C:\WINDOWS\system32\mxxqrhwvhr.exe

Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\mxxqrhwvhr.exe"

Creates File: C:\WINDOWS\system32\klmuxmoiofumcle\tst

Process
↳ C:\WINDOWS\TEMP\q2ieoye31r44lyvy.exe -r 23828 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

DNS: enemyguess.net (Type: A) ➝ 208.91.197.241
DNS: queentell.net (Type: A) ➝ 208.91.197.241
DNS: wednesdayhalf.net (Type: A) ➝ 208.91.197.241
DNS: mouthrest.net (Type: A) ➝ 208.91.197.241
DNS: drivethirteen.net (Type: A) ➝ 208.91.197.241
DNS: faceboat.net (Type: A) ➝ 208.91.197.241
DNS: muchhappy.net (Type: A) ➝ 208.91.197.241
DNS: dutycloth.net (Type: A) ➝ 195.22.26.252
DNS: dutycloth.net (Type: A) ➝ 195.22.26.231
DNS: dutycloth.net (Type: A) ➝ 195.22.26.254
DNS: dutycloth.net (Type: A) ➝ 195.22.26.253
DNS: headborn.net (Type: A) ➝ 208.100.26.234
DNS: quickborn.net (Type: A) ➝ 27.121.64.91
DNS: mostaugust.net (Type: A) ➝ 98.139.135.129
DNS: darkpaid.net (Type: A) ➝ 217.160.165.207
DNS: cloudborn.net (Type: A) ➝ 184.168.221.96
DNS: milkprice.net (Type: A) ➝ 208.91.197.26
DNS: ableread.net (Type: A)
DNS: soilunder.net (Type: A)
DNS: sensesound.net (Type: A)
DNS: wrongover.net (Type: A)
DNS: madeover.net (Type: A)
DNS: wronggrain.net (Type: A)
DNS: madegrain.net (Type: A)
DNS: wronggold.net (Type: A)
DNS: madegold.net (Type: A)
DNS: milkcloth.net (Type: A)
DNS: triedcloth.net (Type: A)
DNS: milkpaid.net (Type: A)
DNS: triedpaid.net (Type: A)
DNS: milkaugust.net (Type: A)
DNS: triedaugust.net (Type: A)
DNS: milkborn.net (Type: A)
DNS: triedborn.net (Type: A)
DNS: withcloth.net (Type: A)
DNS: withpaid.net (Type: A)
DNS: dutypaid.net (Type: A)
DNS: withaugust.net (Type: A)
DNS: dutyaugust.net (Type: A)
DNS: withborn.net (Type: A)
DNS: dutyborn.net (Type: A)
DNS: thesecloth.net (Type: A)
DNS: sightcloth.net (Type: A)
DNS: thesepaid.net (Type: A)
DNS: sightpaid.net (Type: A)
DNS: theseaugust.net (Type: A)
DNS: sightaugust.net (Type: A)
DNS: theseborn.net (Type: A)
DNS: sightborn.net (Type: A)
DNS: casecloth.net (Type: A)
DNS: headcloth.net (Type: A)
DNS: casepaid.net (Type: A)
DNS: headpaid.net (Type: A)
DNS: caseaugust.net (Type: A)
DNS: headaugust.net (Type: A)
DNS: caseborn.net (Type: A)
DNS: quickcloth.net (Type: A)
DNS: thencloth.net (Type: A)
DNS: quickpaid.net (Type: A)
DNS: thenpaid.net (Type: A)
DNS: quickaugust.net (Type: A)
DNS: thenaugust.net (Type: A)
DNS: thenborn.net (Type: A)
DNS: sundaycloth.net (Type: A)
DNS: mostcloth.net (Type: A)
DNS: sundaypaid.net (Type: A)
DNS: mostpaid.net (Type: A)
DNS: sundayaugust.net (Type: A)
DNS: sundayborn.net (Type: A)
DNS: mostborn.net (Type: A)
DNS: meatcloth.net (Type: A)
DNS: sickcloth.net (Type: A)
DNS: meatpaid.net (Type: A)
DNS: sickpaid.net (Type: A)
DNS: meataugust.net (Type: A)
DNS: sickaugust.net (Type: A)
DNS: meatborn.net (Type: A)
DNS: sickborn.net (Type: A)
DNS: cloudcloth.net (Type: A)
DNS: darkcloth.net (Type: A)
DNS: cloudpaid.net (Type: A)
DNS: cloudaugust.net (Type: A)
DNS: darkaugust.net (Type: A)
DNS: darkborn.net (Type: A)
DNS: triedprice.net (Type: A)
DNS: milkcroud.net (Type: A)
DNS: triedcroud.net (Type: A)
DNS: milkraise.net (Type: A)
DNS: triedraise.net (Type: A)
DNS: milkreach.net (Type: A)
DNS: triedreach.net (Type: A)
DNS: withprice.net (Type: A)
DNS: dutyprice.net (Type: A)
DNS: withcroud.net (Type: A)
DNS: dutycroud.net (Type: A)
DNS: withraise.net (Type: A)
DNS: dutyraise.net (Type: A)
DNS: withreach.net (Type: A)
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://dutycloth.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://headborn.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://quickborn.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://mostaugust.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://darkpaid.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://cloudborn.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://milkprice.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://enemyguess.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://queentell.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://wednesdayhalf.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://mouthrest.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://drivethirteen.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://faceboat.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://muchhappy.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://dutycloth.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://headborn.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://quickborn.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://mostaugust.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://darkpaid.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://cloudborn.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
HTTP GET: http://milkprice.net/index.php?method=validate&mode=sox&v=036&sox=49c9c400&lenhdr
User-Agent:
Flows TCP: 192.168.1.1:1036 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1037 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1038 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1039 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1040 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1043 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1044 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1045 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1046 ➝ 27.121.64.91:80
Flows TCP: 192.168.1.1:1047 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1048 ➝ 217.160.165.207:80
Flows TCP: 192.168.1.1:1049 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1050 ➝ 208.91.197.26:80
Flows TCP: 192.168.1.1:1051 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1052 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1053 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1054 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1055 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1056 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1057 ➝ 208.91.197.241:80
Flows TCP: 192.168.1.1:1058 ➝ 195.22.26.252:80
Flows TCP: 192.168.1.1:1059 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1060 ➝ 27.121.64.91:80
Flows TCP: 192.168.1.1:1061 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1062 ➝ 217.160.165.207:80
Flows TCP: 192.168.1.1:1063 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1064 ➝ 208.91.197.26:80
