Analysis Date: 2015-12-20 11:09:53
MD5: f98052372723f94dab7c869e6d86e325
SHA1: b5a309d8bb688f1db83da485129a36539a924d88

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: aca665ce033d7633818994369285e11a sha1: cc8140bb77bdc4b897a81d3483d30fe92eff273d size: 123392
Section .rdata md5: 46ea06b82d102031164ff730a4f982f6 sha1: 73727424ebb40054aede01f92361ff969745f37d size: 10752
Section .data  md5: 2e7683485ccc7e83f8fc0e857b35a8df sha1: a2d377fcf7413d11bd21f3d9d4c236328a96e275 size: 15360
Section .rsrc  md5: cb90c264229ebc0887373bf2729bf114 sha1: 897c7ab0a49c71fdc83dae6e2f37d6a87aa0acbc size: 72192
Timestamp: 2015-08-13 10:23:41
Version:
  LegalCopyright: (C) 2007 Adobe Systems Incorporated. All rights reserved.
  InternalName: Adobe Help Viewer 1.1
  FileVersion: 1.1.0.143
  CompanyName: Adobe Systems Incorporated
  ProductName: Adobe Help Viewer 1.1
  ProductVersion: 1.1
  FileDescription: Adobe Help Viewer 1.1
  OriginalFilename: ahv.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 847a83837fa8ad3fc7acb63aa7d4c3b74554fb7a
IMPhash: 7561f9340f3804d6a9af4c4db4e4fc3b
AV Kaspersky: Trojan.Win32.Generic
AV Arcabit (arcavir): Trojan.Lethic.Gen.9
AV Dr. Web: Trojan.DownLoader15.40660
AV MalwareBytes: Spyware.PasswordStealer
AV MicroWorld (escan): Trojan.Lethic.Gen.9
AV Ad-Aware: Trojan.Lethic.Gen.9
AV Frisk (f-prot): no_virus
AV Symantec: Trojan.Gen
AV Twister: no_virus
AV Fortinet: W32/Kryptik.DTHD!tr
AV ClamAV: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Bagsu!rfn
AV CA (E-Trust Ino): no_virus
AV Alwil (avast): Androp [Drp]
AV Authentium: W32/Agent.XL.gen!Eldorado
AV BullGuard: Trojan.Lethic.Gen.9
AV F-Secure: Trojan.Lethic.Gen.9
AV BitDefender: Trojan.Lethic.Gen.9
AV Emsisoft: Trojan.Lethic.Gen.9
AV K7: Trojan ( 004cd0b21 )
AV Mcafee: PWSZbot-FANJ!F98052372723
AV VirusBlokAda (vba32): Backdoor.Androm
AV Ikarus: Trojan.Win32.Crypt
AV Eset (nod32): Win32/Kryptik.DTIU
AV Rising: no_virus
AV Zillya!: Backdoor.Kasidet.Win32.847
AV Trend Micro: BKDR_ANDROM.SMWF
AV Avira (antivir): TR/Crypt.ZPACK.150834
AV Grisoft (avg): Crypt_r.KW
AV CAT (quickheal): Ransom.Crowti.B4

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Process
↳ C:\WINDOWS\system32\msiexec.exe

Network Details:

