Analysis Date: 2016-02-05 06:16:24
MD5: 668dd40da517a6066c541240cd980fef
SHA1: ccdb89a8f499c86af386a61131601d78fe93d092

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: b619a3ec9624aa287b9e8104ca06d7c6 sha1: 63c324cb24a97509d0c6aca119b8e5f120f5462a size: 33280
Section .rdata: md5: c51ce1115fd05e0b7c438295f5c4ecfd sha1: 421fc675f05a81031c7cba1b875f235e07744a03 size: 10752
Section .data: md5: fdac541418144a743591d44bc435069a sha1: dadd26c32834a6531e47f70533c6609f47a575fa size: 7680
Section .init: md5: c99a74c555371a433d121f551d6c6398 sha1: 605db3fdbaff4ba13729371ad0c4fbab3889378e size: 2048
Section .idata: md5: 53e979547d8c2ea86560ac45de08ae25 sha1: 53ea2cb716f312714685c92b6be27e419f8c746c size: 1536
Section .vdata: md5: a371492f16c0940507435909603efe88 sha1: 4358194749214d739152fa635bff9e886e4d692b size: 2560
Section .rsrc: md5: 352c07052376c5def230c3c87d2e3d52 sha1: 6c74840ee97f894cfe5249f84538a5bd2d79fe6e size: 39424
Timestamp: 2016-01-27 13:33:49
Version info (the resource identifies the file as Regshot 2.0.1.70; compare the AV verdicts below):
  LegalCopyright: Copyright © 2007-2010 Handle Software. All rights reserved.
  InternalName: Regshot.exe
  FileVersion: 2.0.1.70
  CompanyName: Handle Software
  ProductName: Regshot 2.0 unicode for Windows XP 32 bit/64 bit
  ProductVersion: 2.0.1.70
  FileDescription: Regshot 2.0 unicode for Windows XP 32 bit/64 bit
  OriginalFilename: Regshot.exe
Packer: Microsoft Visual C++ ?.?
PEhash: 59cf95a4d92cb3a868abe252f788849577fafbc0
IMPhash: 82d029e7fca6a23feafb87202bff126a
AV Authentium: W32/Gamarue.XTOV-2804
AV Dr. Web: Trojan.DownLoader19.10388
AV MalwareBytes: Trojan.Andromeda
AV Trend Micro: BKDR_ANDROM.AM
AV Emsisoft: Trojan.GenericKD.3014503
AV Kaspersky: Backdoor.Win32.Androm.jbpz
AV Alwil (avast): Win32:Trojan-gen
AV Eset (nod32): Win32/Kryptik.ELXV
AV K7: Riskware ( 0040eff71 )
AV Avira (antivir): TR/Crypt.Xpack.435944
AV Fortinet: W32/Kryptik.EMEK!tr
AV Ikarus: Trojan.Win32.Crypt
AV Symantec: Trojan.Gen
AV Frisk (f-prot): W32/Gamarue.BW
AV Grisoft (avg): Crypt5.AETQ
AV VirusBlokAda (vba32): No Virus
AV F-Secure: Trojan.GenericKD.3014503
AV BitDefender: Trojan.GenericKD.3014503
AV Zillya!: No Virus
AV BullGuard: Trojan.GenericKD.3014503
AV Rising: No Virus
AV Arcabit (arcavir): Trojan.GenericKD.3014503
AV CA (E-Trust Ino): No Virus
AV MicroWorld (escan): Trojan.GenericKD.3014503
AV Twister: No Virus
AV CAT (quickheal): No Virus
AV Microsoft Security Essentials: Worm:Win32/Gamarue
AV Ad-Aware: Trojan.GenericKD.3014503
AV ClamAV: No Virus
AV Mcafee: No Virus

Runtime Details:

Process: C:\malware.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe

Process: C:\WINDOWS\system32\msiexec.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \x00
Creates File: C:\Documents and Settings\All Users\119343
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org
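The runtime events above, triaged as an added example. This script is not part of the report or of the sandbox that produced it; the ASEP patterns and the Explorer policy table are assumptions chosen for the illustration, and the event lines are a constructed copy of the report's own entries. It classifies each registry write as an autostart point or a user-visibility policy, keeps only drive-letter paths as dropped files (the PIPE and \Device entries are handles, not files), and correlates the Policies\Explorer\Run entry with the file the sample dropped and with the deletion of C:\malware.exe. Note that the report attributes every write to the spawned msiexec.exe, not to malware.exe.

```python
import re

# Runtime events copied from the sandbox report above (constructed inline so
# the script runs offline). Values are kept as the report renders them: a
# trailing "\x00" is an empty/NUL-terminated REG_SZ, "NULL" is no data.
REPORT_EVENTS = r"""
Process: C:\malware.exe
Creates Process: C:\WINDOWS\system32\msiexec.exe
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ "C:\Documents and Settings\All Users\msvgqh.exe"\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \x00
Creates File: C:\Documents and Settings\All Users\119343
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\malware.exe
"""

EVENT_RE = re.compile(r"^(Process|Creates Process|Creates File|Deletes File|Registry): (.*)$")

# Autostart extensibility points (ASEPs) to match registry writes against.
# Assumed list for this example; extend it with your own hunting coverage.
ASEPS = [
    (re.compile(r"\\policies\\explorer\\run\\", re.I), r"Policies\Explorer\Run (policy-enforced autostart)"),
    (re.compile(r"\\currentversion\\run(once)?\\", re.I), "Run/RunOnce key"),
    (re.compile(r"\\windows nt\\currentversion\\windows\\load$", re.I), r"Windows\Load (legacy win.ini Load= autostart)"),
    (re.compile(r"\\winlogon\\(shell|userinit)$", re.I), "Winlogon Shell/Userinit"),
]

# Explorer policies that change what the user sees rather than what runs.
VISIBILITY_POLICIES = {
    "taskbarnonotification": "suppresses taskbar balloon notifications",
    "showsuperhidden": "controls display of protected operating-system files",
}

DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")   # real file paths, not pipes or device handles


def clean_value(raw):
    """Normalise a report value: drop the NUL marker, surrounding quotes and NULL."""
    v = raw.strip()
    if v.endswith(r"\x00"):
        v = v[:-4]
    v = v.strip().strip('"')
    return "" if v == "NULL" else v


def triage(report):
    out = {"root_process": None, "children": [], "persistence": [],
           "visibility": [], "dropped": [], "deleted": [], "self_delete": False}
    for line in report.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        kind, body = m.groups()
        if kind == "Process":
            out["root_process"] = out["root_process"] or body   # first process is the sample
        elif kind == "Creates Process":
            out["children"].append(body)
        elif kind == "Creates File":
            if DRIVE_PATH_RE.match(body):
                out["dropped"].append(body)
        elif kind == "Deletes File":
            out["deleted"].append(body)
        elif kind == "Registry":
            key, _, raw = body.partition(" ➝ ")
            key, value = key.strip(), clean_value(raw)
            leaf = key.rsplit("\\", 1)[-1].lower()
            for pattern, label in ASEPS:
                if pattern.search(key):
                    out["persistence"].append({"key": key, "value": value, "asep": label, "empty": value == ""})
                    break
            if leaf in VISIBILITY_POLICIES:
                out["visibility"].append({"key": key, "value": value, "effect": VISIBILITY_POLICIES[leaf]})
    # Correlate: an ASEP pointing at a file the sample dropped, plus deletion of
    # its own image, means the sample relocated itself rather than merely ran.
    out["self_delete"] = out["root_process"] in out["deleted"]
    for p in out["persistence"]:
        p["dropped"] = p["value"] in out["dropped"]
    return out


if __name__ == "__main__":
    summary = triage(REPORT_EVENTS)
    for p in summary["persistence"]:
        print(f"[persistence] {p['asep']}: {p['key']} = {p['value']!r} (dropped={p['dropped']})")
    for v in summary["visibility"]:
        print(f"[visibility]  {v['key']} = {v['value']!r}: {v['effect']}")
    print("[self-delete]", summary["self_delete"], "dropped:", summary["dropped"])
```

Run it directly to print the summary. The Windows\Load value is reported even though it is written empty, because a write to that location is itself worth an alert; for real hunting, add Services ImagePath, AppInit_DLLs and the remaining Winlogon values to ASEPS.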

Network Details:

DNS: europe.pool.ntp.org (A) ➝ 131.234.137.23
DNS: europe.pool.ntp.org (A) ➝ 148.251.133.44
DNS: europe.pool.ntp.org (A) ➝ 5.196.160.139
DNS: europe.pool.ntp.org (A) ➝ 62.116.162.126
DNS: north-america.pool.ntp.org (A) ➝ 173.255.246.13
DNS: north-america.pool.ntp.org (A) ➝ 45.79.10.228
DNS: north-america.pool.ntp.org (A) ➝ 50.116.36.122
DNS: north-america.pool.ntp.org (A) ➝ 108.61.194.85
DNS: south-america.pool.ntp.org (A) ➝ 186.71.75.78
DNS: south-america.pool.ntp.org (A) ➝ 190.228.30.178
DNS: south-america.pool.ntp.org (A) ➝ 200.89.75.198
DNS: south-america.pool.ntp.org (A) ➝ 146.164.48.5
DNS: asia.pool.ntp.org (A) ➝ 194.225.150.25
DNS: asia.pool.ntp.org (A) ➝ 202.65.114.202
DNS: asia.pool.ntp.org (A) ➝ 212.26.18.41
DNS: asia.pool.ntp.org (A) ➝ 27.114.150.12
DNS: oceania.pool.ntp.org (A) ➝ 202.127.210.36
DNS: oceania.pool.ntp.org (A) ➝ 103.242.68.68
DNS: oceania.pool.ntp.org (A) ➝ 121.0.0.42
DNS: oceania.pool.ntp.org (A) ➝ 202.60.94.11
DNS: africa.pool.ntp.org (A) ➝ 146.231.129.81
DNS: africa.pool.ntp.org (A) ➝ 196.41.127.42
DNS: africa.pool.ntp.org (A) ➝ 196.49.6.67
DNS: africa.pool.ntp.org (A) ➝ 41.188.33.6
DNS: pool.ntp.org (A) ➝ 204.9.54.119
DNS: pool.ntp.org (A) ➝ 108.61.56.35
DNS: pool.ntp.org (A) ➝ 108.61.73.243
DNS: pool.ntp.org (A) ➝ 108.61.194.85
DNS: microsoft.com (A) ➝ 104.43.195.251
DNS: microsoft.com (A) ➝ 191.239.213.197
DNS: microsoft.com (A) ➝ 23.96.52.53
DNS: microsoft.com (A) ➝ 23.100.122.175
DNS: microsoft.com (A) ➝ 104.40.211.35
DNS: and11.themarket12345sushi.com (A) ➝ (no answer recorded)
Flows: UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows: TCP 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows: UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
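Triage of the DNS and flow records as an added example, not part of the report. The allowlist of connectivity and time-sync names is an assumption made for this illustration, and the event lines are an abridged constructed copy of the records above (the other pool.ntp.org regions are left out). The script separates names the sample resolves only to confirm it is online (microsoft.com, the pool.ntp.org regions) from the one name that is neither allowlisted nor answered, which is the natural candidate for an indicator, and maps the single TCP flow on port 80 back to the microsoft.com answer it used; the only other traffic is resolver traffic to 8.8.4.4.

```python
import re
from collections import defaultdict

# Abridged copy of the report's DNS answers and flows, constructed inline so
# the script runs offline (the other pool.ntp.org regions are omitted).
NETWORK_EVENTS = """\
DNS: europe.pool.ntp.org (A) ➝ 131.234.137.23
DNS: europe.pool.ntp.org (A) ➝ 148.251.133.44
DNS: europe.pool.ntp.org (A) ➝ 5.196.160.139
DNS: europe.pool.ntp.org (A) ➝ 62.116.162.126
DNS: pool.ntp.org (A) ➝ 204.9.54.119
DNS: pool.ntp.org (A) ➝ 108.61.56.35
DNS: microsoft.com (A) ➝ 104.43.195.251
DNS: microsoft.com (A) ➝ 191.239.213.197
DNS: microsoft.com (A) ➝ 23.96.52.53
DNS: and11.themarket12345sushi.com (A) ➝ (no answer recorded)
Flows: UDP 192.168.1.1:1043 ➝ 8.8.4.4:53
Flows: TCP 192.168.1.1:1044 ➝ 104.43.195.251:80
Flows: UDP 192.168.1.1:1045 ➝ 8.8.4.4:53
"""

# Names the sample resolves only to confirm connectivity and fetch the time.
# Assumed allowlist for this example; it is not part of the report.
NOISE_DOMAINS = ("microsoft.com", "pool.ntp.org")

DNS_RE = re.compile(r"^DNS: (\S+) \((\w+)\) ➝ (.+)$")
FLOW_RE = re.compile(r"^Flows: (TCP|UDP) (\S+):(\d+) ➝ (\S+):(\d+)$")
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def is_noise(name):
    """Exact or label-boundary suffix match, so notmicrosoft.com is not allowlisted."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in NOISE_DOMAINS)


def triage_network(report):
    answers = defaultdict(list)   # name -> A records returned
    queried = []                  # every name looked up, first-seen order
    flows = []
    for line in report.splitlines():
        m = DNS_RE.match(line)
        if m:
            name, rtype, answer = m.groups()
            if name not in queried:
                queried.append(name)
            if rtype == "A" and IPV4_RE.match(answer):   # "(no answer recorded)" is skipped
                answers[name].append(answer)
            continue
        m = FLOW_RE.match(line)
        if m:
            proto, src, sport, dst, dport = m.groups()
            flows.append({"proto": proto, "src": src, "sport": int(sport),
                          "dst": dst, "dport": int(dport)})
    # Map each flow back to the name whose answer it used, if any.
    ip_to_name = {ip: n for n, ips in answers.items() for ip in ips}
    for f in flows:
        f["dst_name"] = ip_to_name.get(f["dst"])
    return {
        "noise": {n: answers[n] for n in queried if is_noise(n)},
        "suspect": [n for n in queried if not is_noise(n)],
        "unresolved": [n for n in queried if not answers[n]],
        "resolver": sorted({f["dst"] for f in flows if f["dport"] == 53}),
        "flows": flows,
        # Non-DNS flows to a host that no allowlisted name resolved to.
        "unexplained_flows": [f for f in flows if f["dport"] != 53
                              and not (f["dst_name"] and is_noise(f["dst_name"]))],
    }


if __name__ == "__main__":
    summary = triage_network(NETWORK_EVENTS)
    print("noise      :", sorted(summary["noise"]))
    print("suspect    :", summary["suspect"], "unresolved:", summary["unresolved"])
    print("resolver   :", summary["resolver"])
    for f in summary["flows"]:
        print(f"flow       : {f['proto']} {f['src']}:{f['sport']} -> {f['dst']}:{f['dport']} [{f['dst_name']}]")
    print("unexplained:", summary["unexplained_flows"])
```

The suffix check deliberately requires a label boundary, so a look-alike such as notmicrosoft.com would land in the suspect list; an unresolved suspect name is still worth a DNS-query indicator even though no flow followed it.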
