Analysis Date: 2016-02-05 02:33:37
MD5: 9110a763b995c8497b5e6bd97e7873ff
SHA1: a63a4c3684b34a5c965a2bf3aa13ca2bdecbb434

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit

AV CA (E-Trust Ino): No Virus
AV F-Secure: Gen:Trojan.Heur.GM.0140416032
AV Dr. Web: Trojan.DownLoader10.22140
AV ClamAV: No Virus
AV Arcabit (arcavir): Gen:Trojan.Heur.GM.0140416032
AV BullGuard: Gen:Trojan.Heur.GM.0140416032
AV CAT (quickheal): Trojan.Generic.019932
AV VirusBlokAda (vba32): TrojanSpy.Agent
AV Trend Micro: DDOS_HPNITOL.SM
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: No Virus
AV Ikarus: Backdoor.Win32.PcClient
AV Frisk (f-prot): No Virus
AV Emsisoft: Gen:Trojan.Heur.GM.0140416032
AV Authentium: W32/Trojan.GCDH-3725
AV MalwareBytes: Trojan.ServStart.Gen
AV MicroWorld (escan): Gen:Trojan.Heur.GM.0140416032
AV Microsoft Security Essentials: TrojanDownloader:Win32/Yemrok.A
AV K7: Backdoor ( 04c4b48a1 )
AV BitDefender: Gen:Trojan.Heur.GM.0140416032
AV Fortinet: W32/ServStart.AS!tr
AV Symantec: Downloader
AV Grisoft (avg): Agent
AV Eset (nod32): Win32/ServStart.AD
AV Alwil (avast): Win32:Malware-gen
AV Rising: No Virus
AV Ad-Aware: Gen:Trojan.Heur.GM.0140416032
AV Twister: Backdoor.ADAD@240FF53#00.mg
AV Avira (antivir): TR/Spy.Agent.556489
AV Mcafee: RDN/Generic Downloader.x

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nationalybn\Description ➝ Providesyae a domain server for NI security.
Creates File: C:\WINDOWS\system32\qqeuqi.exe
Creates Service: Nationalkwy Instruments Domain Service - C:\WINDOWS\system32\qqeuqi.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1840

Process
↳ Pid 1132

Process
↳ C:\WINDOWS\system32\qqeuqi.exe

Creates File: pipe\net\NtControlPipe10
Creates File: \Device\Afd\Endpoint
Creates Mutex: Nationalybn

Network Details:

DNS: knsc.codns.com
Type: A
127.0.0.1
