Analysis Date: 2016-04-26 05:02:37
MD5: 3d9401bd9f9d2d42d7134793258dcb7d
SHA1: d9b4b57c7e68de3f761cc70ff04f26c5fcb7a341

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 371491c1c238c44b09e8b19a69b2cd0d sha1: 6d9a22ca7ffd5a6536008d8a395f64f379e0cbd9 size: 49152
Section .rdata: md5: 9e0df2eafe0f13d37c6af906a480c995 sha1: 536247eeb4b98e63f17b9dfca449ee723bfb3190 size: 4096
Section .data: md5: 208914e279d5605facfff69f2d622822 sha1: 4830225992ce9f1c68079a9c4ad760c091f330b9 size: 4096
Section .rsrc: md5: b11d5264ac0341c59115fcffb3e94ef1 sha1: a84c0b8f18f326356a6301d91c9ba3e416d7c441 size: 155648
Timestamp: 2005-07-31 08:50:59
Version:
LegalCopyright: Superb © 2020
ProductName: Spicy Rerun
FileDescription: Unnerving
FileVersion: 0,7,114,75
CompanyName: ActiveWord Systems, Inc.
Packer: Microsoft Visual C++ v6.0
PEhash: dd1c303e45df595faba43f1d892fd72d7e6263dc
IMPhash: 55758792c28505007042dbc2822eaf6f
AV Avira (antivir): TR/Crypt.ZPACK.Gen7
AV BullGuard: Trojan.Cripack.Gen.1
AV ClamAV: Win.Trojan.Agent-1357626
AV Mcafee: RansomCWall-FBJ!3D9401BD9F9D
AV Ikarus: Trojan.Win32.Crypt
AV VirusBlokAda (vba32): SScope.Malware-Cryptor.Drixed
AV Dr. Web: Trojan.Encoder.514
AV MalwareBytes: Ransom.CryptoWall
AV Rising: No Virus
AV CA (E-Trust Ino): Trojan.Cripack.Gen.1
AV Trend Micro: No Virus
AV Emsisoft: Trojan.Cripack.Gen.1
AV Alwil (avast): Malware-gen
AV MicroWorld (escan): Trojan.Cripack.Gen.1
AV Microsoft Security Essentials: Ransom:Win32/Crowti!rfn
AV Twister: Trojan.Girtk.EDLL.kpga
AV Kaspersky: Packed.Win32.Tpyn
AV Fortinet: W32/Kryptik.EFKT!tr
AV Zillya!: Downloader.Adload.Win32.24
AV Symantec: Trojan.Gen
AV Authentium: W32/Trojan.UVMK-0256
AV K7: Trojan ( 004d5e0b1 )
AV Frisk (f-prot): No Virus
AV Grisoft (avg): Crypt5.JJT
AV Eset (nod32): Win32/Kryptik.EDLL
AV Alwil (avast): Win32:Malware-gen
AV CAT (quickheal): Ransom.Crowti.AB4
AV Ad-Aware: Trojan.Cripack.Gen.1
AV F-Secure: Trojan.Cripack.Gen.1
AV BitDefender: Trojan.Cripack.Gen.1
AV Arcabit (arcavir): Trojan.Cripack.Gen.1

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\explorer.exe

Process
↳ C:\WINDOWS\explorer.exe

Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\6ff06165.exe
Creates File: C:\6ff06165\6ff06165.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\6ff06165.exe
Creates Process: vssadmin.exe Delete Shadows /All /Quiet
Creates Process: -k netsvcs

Process
↳ -k netsvcs

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Process
↳ vssadmin.exe Delete Shadows /All /Quiet

Creates File: PIPE\lsarpc

Network Details:

HTTP GET: http://ip-addr.es/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://myexternalip.com/raw
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP GET: http://curlmyip.com/
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://promofordbekasi.com/6jVb5D.php?i=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://handmade.co.id/m2MEnC.php?r=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://damozhai.com/aJPK4y.php?s=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://konstructmarketing.com/Ml63Pu.php?e=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://sadefuar.com/xdqHcr.php?k=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://therealdiehls.com/K3_J96.php?l=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://bolle-immobilien.de/Idvn79.php?a=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://snocmobilya.com/XqDZ4I.php?f=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://theboomerzblog.com/fQu7UH.php?y=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://euro-dom.de/TzmNHk.php?a=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://asistent.su/F3eRnj.php?f=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://asistent.su/docs/xdEjFf.php?l=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://ipmon.net/CLuOIk.php?m=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://virginia-education.com/8Ycy6k.php?u=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://xn--e1asbeck.xn--p1ai/7xSCFU.php?k=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://pretor.su/ZLoNyf.php?n=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://tmp3malinium.com/7DSCmu.php?a=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://forexinsuracembard.com/j97S0E.php?l=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://engagedforpeace.org/R4uGnH.php?t=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://wpwarriors.com/gnHPMv.php?k=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://abenorbenin.com/jcMISv.php?y=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://ipanema-penthouse.com/lxUs6S.php?c=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://nobilighting.com/eX8yjr.php?x=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://project976.org/zyS9Kf.php?g=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://perpabaskievi.net/VCOzj5.php?g=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://reanimator-service.com/Y1U5s7.php?x=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://doozfriend.com/T9Hqj0.php?j=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://conectcon.com/evYR0G.php?k=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://primemovies.net/z6Hfan.php?r=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
HTTP POST: http://rationwalaaa.com/QOPYrs.php?o=k4frs12wp4e7
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
