Analysis Date: 2015-11-01 06:39:43
MD5: 6c80eab032a56458773a522ae631fa71
SHA1: c4fc1cdd06c0be6c651794d9caacb1638f36c8be

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: a86d0ac8680c9e68648041fcdc8905d1 sha1: ab961b173eab8e17d0278b77ba57cbe056ec64e5 size: 812032
Section .rdata: md5: f8eaf11d2039177fad0e45b4c14ed93d sha1: f13b40e6cc9ce4b1e0c1799eee7e615e4404916b size: 308736
Section .data: md5: efcb09f1e2f6aef2ce234d2cae59fbe6 sha1: 199b2809ca995fc998765d032b51470c18eaacf7 size: 8192
Section .reloc: md5: c2a5b60647602005cad49b9066a27046 sha1: efa9c6177996d62f6359cb3f7ed6450845b397ab size: 60928
Timestamp: 2015-02-06 22:08:54
Packer: Microsoft Visual C++ ?.?
PEhash: d8d8259f55990bd33432ab9df3dea8ece95e1aae
IMPhash: 028bed5c2afa3b86cb0752bc6a52bd45
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Kazy.553443
AV Dr. Web: Trojan.DownLoader17.33736
AV ClamAV: no_virus
AV Arcabit (arcavir): Gen:Variant.Kazy.553443
AV BullGuard: Gen:Variant.Kazy.553443
AV Padvish: no_virus
AV VirusBlokAda (vba32): no_virus
AV CAT (quickheal): no_virus
AV Trend Micro: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: no_virus
AV Emsisoft: Gen:Variant.Kazy.553443
AV Ikarus: Trojan.Win32.Crypt
AV Frisk (f-prot): no_virus
AV Authentium: W32/SoxGrave.A.gen!Eldorado
AV MalwareBytes: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.553443
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort!rfn
AV K7: Trojan ( 004c77f41 )
AV BitDefender: Gen:Variant.Kazy.553443
AV Fortinet: W32/Kryptik.DDQD!tr
AV Symantec: Downloader.Upatre!g15
AV Grisoft (avg): Win32/Cryptor
AV Eset (nod32): Win32/Kryptik.DDQD
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Kazy.553443
AV Twister: no_virus
AV Avira (antivir): TR/Crypt.Xpack.302596
AV Mcafee: Trojan-FGIJ!6C80EAB032A5
AV Rising: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\ncmvcoge1mq5nlqajxyaj.exe
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\ncmvcoge1mq5nlqajxyaj.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\ncmvcoge1mq5nlqajxyaj.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Brightness Endpoint NetBIOS Font KtmRm ➝
C:\WINDOWS\system32\qomfaajpkruk.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\etc
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\lck
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\tst
Creates File: C:\WINDOWS\system32\qomfaajpkruk.exe
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\qomfaajpkruk.exe
Creates Service: Instrumentation Adapter Credential Port - C:\WINDOWS\system32\qomfaajpkruk.exe

Process
↳ Pid 808

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1116

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1188

Process
↳ C:\WINDOWS\system32\qomfaajpkruk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
1
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\lck
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\cfg
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\run
Creates File: C:\WINDOWS\TEMP\ncmvcoge1t5xnl.exe
Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\tst
Creates File: C:\WINDOWS\system32\yhrbbshlduj.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "c:\windows\system32\qomfaajpkruk.exe"
Creates Process: C:\WINDOWS\TEMP\ncmvcoge1t5xnl.exe -r 28950 tcp

Process
↳ C:\WINDOWS\system32\qomfaajpkruk.exe

Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\tst

Process
↳ WATCHDOGPROC "c:\windows\system32\qomfaajpkruk.exe"

Creates File: C:\WINDOWS\system32\puqvcnhqqwlehft\tst

Process
↳ C:\WINDOWS\TEMP\ncmvcoge1t5xnl.exe -r 28950 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:

