Analysis Date: 2015-11-02 15:53:02
MD5: baf0ea9ff985657ec2e03a64e9bc00bf
SHA1: c2ffb5d562ef8e0d2c72e4d886c20eacb0ec00ac

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text    md5: c4639368522465d1b07bcb9b79295f5f sha1: e3f285f14202c6a2c526f79b176d84018b337fb4 size: 228352
Section .data    md5: 8f72d10dfca64f5626d2f85c5296c55c sha1: 2c60a51d6b5a27c6ee05a98767eb719c78d94790 size: 20992
Section .rdata   md5: a38c26df13071e1f159237ae4eb9c6cf sha1: f65fb30b085c29f59ebff225e6f64520639a4dd8 size: 40448
Section .eh_fram md5: 577c2b3e652b747a1f35be6f9c7fa46b sha1: 60f61e2eee7664e4d47e2905223419ee9f322a47 size: 40448
Section .bss     md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .idata   md5: 19ed533fa7be6eed246929c9d7bc4c11 sha1: 7efc4ff8cf555bb48c0babf41ac07e0140c8030f size: 6656
Section .CRT     md5: 2d550e1cfb4bb898787e7bd743fedba7 sha1: 154233c9ddb25cabb4a5d815b63ce7f1f4cfafef size: 512
Section .tls     md5: 255674fadd8cc7bc6ab4eb4e269c5241 sha1: 2b846edad7a64d2f5b163ac5c63f40a7564a16e8 size: 512
Timestamp: 2015-03-05 06:10:16
PEhash: 7b62af6620b841d4584711ded2d72703b06bda3e
IMPhash: d2c4100c6a40b16d0817fafe6799ccf2
AV Rising: no_virus
AV Mcafee: Trojan-FGOJ!BAF0EA9FF985
AV Avira (antivir): TR/ATRAPS.A.10338
AV Twister: no_virus
AV Ad-Aware: Gen:Variant.Symmi.51758
AV Alwil (avast): no_virus
AV Eset (nod32): Win32/Agent.XDQ
AV Grisoft (avg): Win32/Cryptor
AV Symantec: Downloader.Upatre!g16
AV Fortinet: W32/Agent.XDQ!tr
AV BitDefender: Gen:Variant.Symmi.51758
AV K7: Trojan ( 004c988e1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV MicroWorld (escan): Gen:Variant.Symmi.51758
AV MalwareBytes: no_virus
AV Authentium: W32/S-6a8c3109!Eldorado
AV Frisk (f-prot): no_virus
AV Ikarus: Trojan.Win32.Staser
AV Emsisoft: Gen:Variant.Symmi.51758
AV Zillya!: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: no_virus
AV CAT (quickheal): no_virus
AV VirusBlokAda (vba32): no_virus
AV Padvish: no_virus
AV BullGuard: Gen:Variant.Symmi.51758
AV Arcabit (arcavir): Gen:Variant.Symmi.51758
AV ClamAV: no_virus
AV Dr. Web: Trojan.DownLoader15.1889
AV F-Secure: Gen:Variant.Symmi.51758
AV CA (E-Trust Ino): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\t1hkpikhi\celidveihfx
Creates File: C:\WINDOWS\t1hkpikhi\celidveihfx
Creates File: C:\t1hkpikhi\oadttzbx1ldjabvbwssqkwl.exe
Deletes File: C:\WINDOWS\t1hkpikhi\celidveihfx
Creates Process: C:\t1hkpikhi\oadttzbx1ldjabvbwssqkwl.exe

Process
↳ C:\t1hkpikhi\oadttzbx1ldjabvbwssqkwl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Background Smart DCOM Thread Key Interface VC ➝ C:\t1hkpikhi\htojmdp1ppxo.exe
Creates File: C:\t1hkpikhi\celidveihfx
Creates File: C:\t1hkpikhi\bdq7vka9
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\t1hkpikhi\celidveihfx
Creates File: C:\t1hkpikhi\htojmdp1ppxo.exe
Deletes File: C:\WINDOWS\t1hkpikhi\celidveihfx
Creates Process: C:\t1hkpikhi\htojmdp1ppxo.exe
Creates Service: Agent Visual Search Device Certificate - C:\t1hkpikhi\htojmdp1ppxo.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1848

Process
↳ Pid 1136

Process
↳ C:\t1hkpikhi\htojmdp1ppxo.exe

Creates File: C:\t1hkpikhi\u5wptbns
Creates File: C:\t1hkpikhi\celidveihfx
Creates File: pipe\net\NtControlPipe10
Creates File: C:\t1hkpikhi\ccgwihz.exe
Creates File: C:\t1hkpikhi\bdq7vka9
Creates File: C:\WINDOWS\t1hkpikhi\celidveihfx
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\t1hkpikhi\celidveihfx
Creates Process: bl5t9hslpefb "c:\t1hkpikhi\htojmdp1ppxo.exe"

Process
↳ C:\t1hkpikhi\htojmdp1ppxo.exe

Creates File: C:\t1hkpikhi\celidveihfx
Creates File: C:\WINDOWS\t1hkpikhi\celidveihfx
Deletes File: C:\WINDOWS\t1hkpikhi\celidveihfx

Process
↳ bl5t9hslpefb "c:\t1hkpikhi\htojmdp1ppxo.exe"

Creates File: C:\t1hkpikhi\celidveihfx
Creates File: C:\WINDOWS\t1hkpikhi\celidveihfx
Deletes File: C:\WINDOWS\t1hkpikhi\celidveihfx

Network Details:

HTTP GET: http://catherinealexander.net/index.php
User-Agent:
HTTP GET: http://antonettealexander.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 65.254.248.151:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.26.231:80
