Analysis Date: 2016-02-20 21:18:10
MD5: dc8846b17c5f726679a764ae986ecb48
SHA1: dcb81c9b12e2e94c20eefaa64ff0b1edf9641667

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .code: md5: f3aca50eaa5deb2c8c039115e7ef2248 sha1: a15dbc71fe05b6a9de54a6df55ae95ea47d91d4c size: 1536
Section .text: md5: d1df211625ee3f80e880eaa479c29ac1 sha1: 0026204dc92e0e59873475aba5d8e15d6ace9e2d size: 15360
Section .rdata: md5: d97c3808cac9cf616236f19b002fc251 sha1: c69145302b42e1e8818b2cf4e8588f0f5fce4557 size: 512
Section .data: md5: b18498b0d21a907bf8e0c271414ab6a7 sha1: bcc036036572c79f094eb275d78ea0b30df83cd8 size: 29696
Section .rsrc: md5: c5c222d4250dc23760436d4e258afc59 sha1: 11171626ce277fb583280447c5b10a8ccfec7283 size: 1536
Timestamp: 2016-01-16 16:08:55
Version:
LegalCopyright:
InternalName:
FileVersion: 18.46.6.6303
CompanyName:
LegalTrademarks:
Comments: Drumlins, Pseudoclassicism Regilds Blotters Rarifying Managerially Enabling Browless Nihil Bostons Avascular Waive Seasonal Alexia Transmission.
ProductName:
ProductVersion: 74.5.43.1408
FileDescription: Resource viewer
OriginalFilename: Nabob Hoarfrosts
Aditional Notes: Not for Nanking Pseudoclassic without the Chemosensitive Plodded Labs Solemnized Gentil Mistranslates
PEhash: aa47e995dfe6a79dd6fcdac9da593d9a04723ce2
IMPhash: 22720a3bc422b4ae4ea60df3e2fad14b
AV CA (E-Trust Ino): Gen:Variant.Barys.51292
AV Rising: No Virus
AV Mcafee: BackDoor-FDBM!DC8846B17C5F
AV Avira (antivir): TR/Crypt.ZPACK.226939
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Barys.51292
AV Alwil (avast): Win32:Malware-gen
AV Eset (nod32): Win32/Kryptik.EKTK
AV Grisoft (avg): Crypt_s.KLG
AV Symantec: No Virus
AV Fortinet: W32/Injector.EKUU!tr
AV BitDefender: Gen:Variant.Barys.51292
AV K7: Trojan ( 004dbfe21 )
AV Microsoft Security Essentials: Worm:Win32/Gamarue.AU
AV MicroWorld (escan): Gen:Variant.Barys.51292
AV MalwareBytes: Worm.Gamarue
AV Authentium: No Virus
AV Emsisoft: Gen:Variant.Barys.51292
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Crypt
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): Trojan.Bulta.RF5
AV BullGuard: Gen:Variant.Barys.51292
AV Arcabit (arcavir): Gen:Variant.Barys.51292
AV ClamAV: No Virus
AV Dr. Web: Trojan.DownLoader19.27703
AV F-Secure: Gen:Variant.Barys.51292

Runtime Details:

Process
↳ C:\malware.exe

Creates Process: C:\WINDOWS\system32\msiexec.exe

Process
↳ C:\WINDOWS\system32\msiexec.exe

Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\Policies\Explorer\Run\317606753 ➝ C:\Documents and Settings\All Users\msvgqh.exe\\x00
Registry: HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\advanced\ShowSuperHidden ➝ NULL
Registry: HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\Explorer\TaskbarNoNotification ➝ 1
Registry: HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\Windows\Load ➝ \\x00
Creates File: C:\Documents and Settings\All Users\120390
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\All Users\msvgqh.exe
Creates File: \Device\Afd\Endpoint
Deletes File: C:\DCB81C~1.EXE
Winsock DNS: microsoft.com
Winsock DNS: pool.ntp.org
Winsock DNS: north-america.pool.ntp.org
Winsock DNS: africa.pool.ntp.org
Winsock DNS: oceania.pool.ntp.org
Winsock DNS: asia.pool.ntp.org
Winsock DNS: south-america.pool.ntp.org
Winsock DNS: europe.pool.ntp.org

Network Details:

DNS europe.pool.ntp.org (Type: A) ➝ 95.81.173.8
DNS europe.pool.ntp.org (Type: A) ➝ 95.213.132.254
DNS europe.pool.ntp.org (Type: A) ➝ 131.188.3.221
DNS europe.pool.ntp.org (Type: A) ➝ 212.113.190.2
DNS north-america.pool.ntp.org (Type: A) ➝ 159.203.31.244
DNS north-america.pool.ntp.org (Type: A) ➝ 206.108.0.132
DNS north-america.pool.ntp.org (Type: A) ➝ 104.131.53.252
DNS north-america.pool.ntp.org (Type: A) ➝ 104.232.3.3
DNS south-america.pool.ntp.org (Type: A) ➝ 186.103.182.15
DNS south-america.pool.ntp.org (Type: A) ➝ 190.181.129.115
DNS south-america.pool.ntp.org (Type: A) ➝ 200.160.7.186
DNS south-america.pool.ntp.org (Type: A) ➝ 66.60.22.202
DNS asia.pool.ntp.org (Type: A) ➝ 194.225.50.25
DNS asia.pool.ntp.org (Type: A) ➝ 128.199.236.60
DNS asia.pool.ntp.org (Type: A) ➝ 129.250.35.250
DNS asia.pool.ntp.org (Type: A) ➝ 157.7.203.102
DNS oceania.pool.ntp.org (Type: A) ➝ 110.173.227.254
DNS oceania.pool.ntp.org (Type: A) ➝ 130.102.2.123
DNS oceania.pool.ntp.org (Type: A) ➝ 192.189.54.33
DNS oceania.pool.ntp.org (Type: A) ➝ 103.239.8.22
DNS africa.pool.ntp.org (Type: A) ➝ 196.49.6.67
DNS africa.pool.ntp.org (Type: A) ➝ 197.12.0.14
DNS africa.pool.ntp.org (Type: A) ➝ 146.231.129.81
DNS africa.pool.ntp.org (Type: A) ➝ 196.41.127.42
DNS pool.ntp.org (Type: A) ➝ 69.167.160.102
DNS pool.ntp.org (Type: A) ➝ 129.250.35.251
DNS pool.ntp.org (Type: A) ➝ 24.56.178.140
DNS pool.ntp.org (Type: A) ➝ 66.228.59.187
DNS microsoft.com (Type: A) ➝ (no answer recorded)
Flows UDP: 192.168.1.1:1043 ➝ 8.8.4.4:53
