Analysis | #totalhash

Analysis Date	2016-02-09 20:59:18
MD5	195145a755d25978423e9df4000f668e
SHA1	d4c0975d95a648447d5875309a3caa89219e1ede

Static Details:

File type	PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section	.text md5: b8417be854e565414851c9148266537a sha1: 75174623ac8fc9f5aafeb7d9b12712d3e5724671 size: 218624
Section	.rdata md5: b3c7f49366549b38806a1ef9d5e151bf sha1: 3920202a44cf78eaefc27c66f5c030ba12cebc37 size: 18944
Section	.data md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section	.reloc md5: 69e5da8ac85ba68e959ed1dce167679c sha1: ba2179a403420aed05395f192.168.1.1f11d966828 size: 40448
Timestamp	2016-01-03 14:27:21
PEhash	7c02ae9f54d47cd00270329386945a1cc4196a96
IMPhash	97dcf8b1651dcd510ef2bce5be268c87
AV	CA (E-Trust Ino)	Gen:Variant.Razy.11545
AV	F-Secure	Gen:Variant.Razy.11545
AV	Dr. Web	No Virus
AV	ClamAV	No Virus
AV	Arcabit (arcavir)	Gen:Variant.Razy.11545
AV	BullGuard	Gen:Variant.Razy.11545
AV	CAT (quickheal)	No Virus
AV	VirusBlokAda (vba32)	No Virus
AV	Trend Micro	No Virus
AV	Kaspersky	Trojan.Win32.Bayrob.hud
AV	Zillya!	No Virus
AV	Ikarus	Trojan.Win32.Bayrob
AV	Frisk (f-prot)	W32/BayRob.D.gen!Eldorado
AV	Emsisoft	Gen:Variant.Razy.11545
AV	Authentium	W32/BayRob.D.gen!Eldorado
AV	MalwareBytes	No Virus
AV	MicroWorld (escan)	Gen:Variant.Razy.11545
AV	Microsoft Security Essentials	TrojanSpy:Win32/Nivdort.DE
AV	K7	Trojan ( 004db0c61 )
AV	BitDefender	Gen:Variant.Razy.11545
AV	Fortinet	W32/Bayrob.AQ!tr
AV	Symantec	Trojan.Bayrob!gen6
AV	Grisoft (avg)	Win32/Heur
AV	Eset (nod32)	Win32/Bayrob.AT.gen
AV	Alwil (avast)	Evo-gen [Susp]
AV	Rising	No Virus
AV	Ad-Aware	Gen:Variant.Razy.11545
AV	Twister	No Virus
AV	Avira (antivir)	No Virus
AV	Mcafee	Trojan-FHOH!195145A755D2

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File	C:\nhowqnkxvyav\uhmh1k4uxnliiospsp.exe
Creates File	C:\nhowqnkxvyav\vfxjagqro
Creates File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Deletes File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Creates Process	C:\nhowqnkxvyav\uhmh1k4uxnliiospsp.exe

Process
↳ C:\nhowqnkxvyav\uhmh1k4uxnliiospsp.exe

Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Biometric Solutions Log Alerts PnP-X ➝ C:\nhowqnkxvyav\lmzdtxpd.exe
Creates File	PIPE\lsarpc
Creates File	C:\nhowqnkxvyav\vfxjagqro
Creates File	C:\nhowqnkxvyav\lmzdtxpd.exe
Creates File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Creates File	C:\nhowqnkxvyav\zwodun
Deletes File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Creates Process	C:\nhowqnkxvyav\lmzdtxpd.exe
Creates Service	Notification Secondary Session Certificate - C:\nhowqnkxvyav\lmzdtxpd.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 812

Process
↳ Pid 856

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File	pipe\PCHFaultRepExecPipe

Process
↳ Pid 1212

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry	HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry	HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1872

Process
↳ Pid 1172

Process
↳ C:\nhowqnkxvyav\lmzdtxpd.exe

Creates File	pipe\net\NtControlPipe10
Creates File	\Device\Afd\Endpoint
Creates File	C:\nhowqnkxvyav\qpfjpzvh.exe
Creates File	C:\nhowqnkxvyav\vfxjagqro
Creates File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Creates File	C:\nhowqnkxvyav\hkkfmyy2tvnp
Creates File	C:\nhowqnkxvyav\zwodun
Deletes File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Creates Process	ad38cvo2edlv "c:\nhowqnkxvyav\lmzdtxpd.exe"

Process
↳ C:\nhowqnkxvyav\lmzdtxpd.exe

Creates File	C:\nhowqnkxvyav\vfxjagqro
Creates File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Deletes File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro

Process
↳ ad38cvo2edlv "c:\nhowqnkxvyav\lmzdtxpd.exe"

Creates File	C:\nhowqnkxvyav\vfxjagqro
Creates File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro
Deletes File	C:\WINDOWS\nhowqnkxvyav\vfxjagqro

Network Details:

DNS	crowdnation.net Type: A 167.114.213.199
DNS	crowdnation.net Type: A 107.191.99.114
DNS	crowdnation.net Type: A 107.161.23.204
DNS	crowdcondition.net Type: A 195.22.28.199
DNS	crowdcondition.net Type: A 195.22.28.196
DNS	crowdcondition.net Type: A 195.22.28.197
DNS	crowdcondition.net Type: A 195.22.28.198
DNS	smokenation.net Type: A 195.22.28.199
DNS	smokenation.net Type: A 195.22.28.196
DNS	smokenation.net Type: A 195.22.28.197
DNS	smokenation.net Type: A 195.22.28.198
DNS	melbourneit.hotkeysparking.com Type: A 8.5.1.16
DNS	partynation.net Type: A 72.52.4.91
DNS	freshpower.net Type: A 195.149.84.100
DNS	freshpower.net Type: A 195.149.84.101
DNS	memberfamous.net Type: A 208.100.26.234
DNS	crowdpower.net Type: A 162.244.253.117
DNS	thoughtpower.net Type: A 23.229.204.192
DNS	waterpower.net Type: A 69.172.201.208
DNS	smokecentury.net Type: A 195.22.28.198
DNS	smokecentury.net Type: A 195.22.28.199
DNS	smokecentury.net Type: A 195.22.28.196
DNS	smokecentury.net Type: A 195.22.28.197
DNS	womanpower.net Type: A 72.52.4.120
DNS	partypower.net Type: A 207.148.248.143
DNS	fightpower.net Type: A 64.99.80.30
DNS	smokedifferent.net Type: A 46.30.212.205
DNS	membernation.net Type: A
DNS	followsoldier.net Type: A
DNS	membersoldier.net Type: A
DNS	followplease.net Type: A
DNS	memberplease.net Type: A
DNS	followcondition.net Type: A
DNS	membercondition.net Type: A
DNS	beginnation.net Type: A
DNS	knownnation.net Type: A
DNS	beginsoldier.net Type: A
DNS	knownsoldier.net Type: A
DNS	beginplease.net Type: A
DNS	knownplease.net Type: A
DNS	begincondition.net Type: A
DNS	knowncondition.net Type: A
DNS	summernation.net Type: A
DNS	summersoldier.net Type: A
DNS	crowdsoldier.net Type: A
DNS	summerplease.net Type: A
DNS	crowdplease.net Type: A
DNS	summercondition.net Type: A
DNS	thoughtnation.net Type: A
DNS	waternation.net Type: A
DNS	thoughtsoldier.net Type: A
DNS	watersoldier.net Type: A
DNS	thoughtplease.net Type: A
DNS	waterplease.net Type: A
DNS	thoughtcondition.net Type: A
DNS	watercondition.net Type: A
DNS	womannation.net Type: A
DNS	womansoldier.net Type: A
DNS	smokesoldier.net Type: A
DNS	womanplease.net Type: A
DNS	smokeplease.net Type: A
DNS	womancondition.net Type: A
DNS	smokecondition.net Type: A
DNS	fightnation.net Type: A
DNS	partysoldier.net Type: A
DNS	fightsoldier.net Type: A
DNS	partyplease.net Type: A
DNS	fightplease.net Type: A
DNS	partycondition.net Type: A
DNS	fightcondition.net Type: A
DNS	freshcentury.net Type: A
DNS	experiencecentury.net Type: A
DNS	freshfamous.net Type: A
DNS	experiencefamous.net Type: A
DNS	experiencepower.net Type: A
DNS	freshcountry.net Type: A
DNS	experiencecountry.net Type: A
DNS	gentlemancentury.net Type: A
DNS	alreadycentury.net Type: A
DNS	gentlemanfamous.net Type: A
DNS	alreadyfamous.net Type: A
DNS	gentlemanpower.net Type: A
DNS	alreadypower.net Type: A
DNS	gentlemancountry.net Type: A
DNS	alreadycountry.net Type: A
DNS	followcentury.net Type: A
DNS	membercentury.net Type: A
DNS	followfamous.net Type: A
DNS	followpower.net Type: A
DNS	memberpower.net Type: A
DNS	followcountry.net Type: A
DNS	membercountry.net Type: A
DNS	begincentury.net Type: A
DNS	knowncentury.net Type: A
DNS	beginfamous.net Type: A
DNS	knownfamous.net Type: A
DNS	beginpower.net Type: A
DNS	knownpower.net Type: A
DNS	begincountry.net Type: A
DNS	knowncountry.net Type: A
DNS	summercentury.net Type: A
DNS	crowdcentury.net Type: A
DNS	summerfamous.net Type: A
DNS	crowdfamous.net Type: A
DNS	summerpower.net Type: A
DNS	summercountry.net Type: A
DNS	crowdcountry.net Type: A
DNS	thoughtcentury.net Type: A
DNS	watercentury.net Type: A
DNS	thoughtfamous.net Type: A
DNS	waterfamous.net Type: A
DNS	thoughtcountry.net Type: A
DNS	watercountry.net Type: A
DNS	womancentury.net Type: A
DNS	womanfamous.net Type: A
DNS	smokefamous.net Type: A
DNS	smokepower.net Type: A
DNS	womancountry.net Type: A
DNS	smokecountry.net Type: A
DNS	partycentury.net Type: A
DNS	fightcentury.net Type: A
DNS	partyfamous.net Type: A
DNS	fightfamous.net Type: A
DNS	partycountry.net Type: A
DNS	fightcountry.net Type: A
DNS	freshsurprise.net Type: A
DNS	experiencesurprise.net Type: A
DNS	freshbeside.net Type: A
DNS	experiencebeside.net Type: A
DNS	freshletter.net Type: A
DNS	experienceletter.net Type: A
DNS	freshdifferent.net Type: A
DNS	experiencedifferent.net Type: A
DNS	gentlemansurprise.net Type: A
DNS	alreadysurprise.net Type: A
DNS	gentlemanbeside.net Type: A
DNS	alreadybeside.net Type: A
DNS	gentlemanletter.net Type: A
DNS	alreadyletter.net Type: A
DNS	gentlemandifferent.net Type: A
DNS	alreadydifferent.net Type: A
DNS	followsurprise.net Type: A
DNS	membersurprise.net Type: A
DNS	followbeside.net Type: A
DNS	memberbeside.net Type: A
DNS	followletter.net Type: A
DNS	memberletter.net Type: A
DNS	followdifferent.net Type: A
DNS	memberdifferent.net Type: A
DNS	beginsurprise.net Type: A
DNS	knownsurprise.net Type: A
DNS	beginbeside.net Type: A
DNS	knownbeside.net Type: A
DNS	beginletter.net Type: A
DNS	knownletter.net Type: A
DNS	begindifferent.net Type: A
DNS	knowndifferent.net Type: A
DNS	summersurprise.net Type: A
DNS	crowdsurprise.net Type: A
DNS	summerbeside.net Type: A
DNS	crowdbeside.net Type: A
DNS	summerletter.net Type: A
DNS	crowdletter.net Type: A
DNS	summerdifferent.net Type: A
DNS	crowddifferent.net Type: A
DNS	thoughtsurprise.net Type: A
DNS	watersurprise.net Type: A
DNS	thoughtbeside.net Type: A
DNS	waterbeside.net Type: A
DNS	thoughtletter.net Type: A
DNS	waterletter.net Type: A
DNS	thoughtdifferent.net Type: A
DNS	waterdifferent.net Type: A
DNS	womansurprise.net Type: A
DNS	smokesurprise.net Type: A
DNS	womanbeside.net Type: A
DNS	smokebeside.net Type: A
DNS	womanletter.net Type: A
DNS	smokeletter.net Type: A
DNS	womandifferent.net Type: A
DNS	partysurprise.net Type: A
HTTP GET	http://crowdnation.net/index.php User-Agent:
HTTP GET	http://crowdcondition.net/index.php User-Agent:
HTTP GET	http://smokenation.net/index.php User-Agent:
HTTP GET	http://smokecondition.net/index.php User-Agent:
HTTP GET	http://partynation.net/index.php User-Agent:
HTTP GET	http://freshpower.net/index.php User-Agent:
HTTP GET	http://memberfamous.net/index.php User-Agent:
HTTP GET	http://crowdpower.net/index.php User-Agent:
HTTP GET	http://thoughtpower.net/index.php User-Agent:
HTTP GET	http://waterpower.net/index.php User-Agent:
HTTP GET	http://smokecentury.net/index.php User-Agent:
HTTP GET	http://womanpower.net/index.php User-Agent:
HTTP GET	http://partypower.net/index.php User-Agent:
HTTP GET	http://fightpower.net/index.php User-Agent:
HTTP GET	http://smokedifferent.net/index.php User-Agent:
Flows TCP	192.168.1.1:1031 ➝ 167.114.213.199:80
Flows TCP	192.168.1.1:1032 ➝ 195.22.28.199:80
Flows TCP	192.168.1.1:1033 ➝ 195.22.28.199:80
Flows TCP	192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP	192.168.1.1:1035 ➝ 72.52.4.91:80
Flows TCP	192.168.1.1:1036 ➝ 195.149.84.100:80
Flows TCP	192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP	192.168.1.1:1038 ➝ 162.244.253.117:80
Flows TCP	192.168.1.1:1039 ➝ 23.229.204.192:80
Flows TCP	192.168.1.1:1040 ➝ 69.172.201.208:80
Flows TCP	192.168.1.1:1041 ➝ 195.22.28.198:80
Flows TCP	192.168.1.1:1042 ➝ 72.52.4.120:80
Flows TCP	192.168.1.1:1043 ➝ 207.148.248.143:80
Flows TCP	192.168.1.1:1044 ➝ 64.99.80.30:80
Flows TCP	192.168.1.1:1045 ➝ 46.30.212.205:80

Raw Pcap

Strings