Analysis Date: 2016-02-21 00:00:48
MD5: 8ce6223c262d2d32f030b8a3e840b1fc
SHA1: fdffd2f593bc0e381b65bd4f4c4d1b12e0f1d8a7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 20874e5d107ac12ea6370d5456b20020  sha1: 201d1cea67c5dc44cf5252617124774747a0c192  size: 532480
Section .rdata  md5: dc4600b35ffd618bf7064ff7e8ef7662  sha1: f25c393a7cbb0ae67f621a340fa482a637b71f98  size: 26112
Section .data   md5: a3b924848dd738a6e188c0e33206b139  sha1: 34604446f524d50329390bddfe0cd3eaf1501f69  size: 20992
Section .reloc  md5: 03b5c0b44aa5c0f7d15f87a3672b8a47  sha1: c037eb5cd83e0f878fd14a4f40ed280e43de1a83  size: 39424
Timestamp: 2014-12-17 03:12:47
Packer: Microsoft Visual C++ 8 (a compiler signature match rather than a packer: the sample is a plain Visual C++ build with the standard four sections)
PEhash: 97d453828354c7b4e8f82b367691d780fb6d0a34
IMPhash: 07819e2acdb42edd0727f1340bf23806
AV results (23 of 30 engines detect):

CA (E-Trust Ino): Gen:Variant.Razy.13928
Rising: No Virus
McAfee: Trojan-FHSQ!8CE6223C262D
Avira (antivir): TR/Taranis.2234
Twister: W32.Toolbar.CrossRider.AE.lfcr.mg
Ad-Aware: Gen:Variant.Razy.13928
Alwil (avast): Win32:Malware-gen
Eset (nod32): Win32/Bayrob.BM
Grisoft (avg): Generic37.AIXY
Symantec: No Virus
Fortinet: W32/Generic.FHSQ!tr
BitDefender: Gen:Variant.Razy.13928
K7: Trojan ( 004dc2a31 )
Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
MicroWorld (escan): Gen:Variant.Razy.13928
MalwareBytes: No Virus
Authentium: W32/Nivdort.E.gen!Eldorado
Emsisoft: Gen:Variant.Razy.13928
Frisk (f-prot): W32/Nivdort.E.gen!Eldorado
Ikarus: Trojan.Bayrob
Zillya!: Trojan.SwizzorGen.Win32.1
Kaspersky: Trojan.Win32.Generic
Trend Micro: No Virus
VirusBlokAda (vba32): No Virus
CAT (quickheal): TrojanSpy.Nivdort.WR4
BullGuard: Gen:Variant.Razy.13928
Arcabit (arcavir): Gen:Variant.Razy.13928
ClamAV: No Virus
Dr. Web: No Virus
F-Secure: Gen:Variant.Razy.13928

The specific, mutually consistent names are Nivdort (Microsoft, Authentium, F-Prot, Quick Heal) and Bayrob (ESET, Ikarus), two vendor names for the same family; the eight identical Gen:Variant.Razy.13928 verdicts come from engines built on BitDefender's and count as one opinion. The Twister (CrossRider toolbar) and Zillya (Swizzor) names are outliers.

Runtime Details:

Screenshot: (not reproduced in this copy)

Process
↳ C:\malware.exe

Creates File: C:\pqvaewfayshq\hie1kbczjqwsfipkv.exe
Creates File: C:\pqvaewfayshq\zsewkww7v
Creates File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Deletes File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Creates Process: C:\pqvaewfayshq\hie1kbczjqwsfipkv.exe

Process
↳ C:\pqvaewfayshq\hie1kbczjqwsfipkv.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Detection RPC IPsec Peer BranchCache Alerts ➝ C:\pqvaewfayshq\khpdiwlwrl.exe
Creates File: C:\pqvaewfayshq\xbkymn
Creates File: C:\pqvaewfayshq\zsewkww7v
Creates File: C:\pqvaewfayshq\khpdiwlwrl.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Deletes File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Creates Process: C:\pqvaewfayshq\khpdiwlwrl.exe
Creates Service: AuthIP Location Controls - C:\pqvaewfayshq\khpdiwlwrl.exe

Persistence is installed twice by this stage, a Run value and a service, both launching the same dropped khpdiwlwrl.exe under C:\pqvaewfayshq\. Both names are assembled from fragments of real Windows component names (RPC, IPsec, BranchCache, AuthIP), so they blend into a casual review of autoruns and the service list; the giveaway is the image path, a random directory directly under C:\.

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\ (trailing NUL, shown by the sandbox as \x00)

Process
↳ Pid 1868

Process
↳ Pid 1152

The svchost.exe, spoolsv.exe and bare-PID entries above record only the print spooler reading its own configuration and a fault-reporting pipe under svchost.exe; this is background activity the tracer picked up on the system, not behaviour of the sample's own code.

Process
↳ C:\pqvaewfayshq\khpdiwlwrl.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\pqvaewfayshq\xbkymn
Creates File: C:\pqvaewfayshq\zsewkww7v
Creates File: C:\pqvaewfayshq\rnwczfwchz.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\pqvaewfayshq\nmtcau
Creates File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Deletes File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Creates Process: hccap8ogltmc "c:\pqvaewfayshq\khpdiwlwrl.exe"

Process
↳ C:\pqvaewfayshq\khpdiwlwrl.exe

Creates File: C:\pqvaewfayshq\zsewkww7v
Creates File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Deletes File: C:\WINDOWS\pqvaewfayshq\zsewkww7v

Process
↳ hccap8ogltmc "c:\pqvaewfayshq\khpdiwlwrl.exe"

Creates File: C:\pqvaewfayshq\zsewkww7v
Creates File: C:\WINDOWS\pqvaewfayshq\zsewkww7v
Deletes File: C:\WINDOWS\pqvaewfayshq\zsewkww7v

Three things in this stage are worth noting. The NtControlPipe10 handle is the service control pipe, so this instance of khpdiwlwrl.exe is the one started by the Service Control Manager as "AuthIP Location Controls"; the \Device\Afd\Endpoint handle is a socket being opened, which is where the network activity below originates. The child is started with a command line whose first token is the random string hccap8ogltmc and whose argument is the quoted path of khpdiwlwrl.exe, so it apparently re-launches its own image under a randomised first token; process-creation logging that keys on the command line rather than the image path would not tie the two together. Finally, every stage writes zsewkww7v into both C:\pqvaewfayshq\ and C:\WINDOWS\pqvaewfayshq\ and immediately deletes the copy under WINDOWS; the report shows no content for the file, so its purpose is not established here.
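The process tree on this page is flattened, with each verb run straight into its argument and registry values wrapped onto the next line. The following Python is an added example, not code from the report or from any sandbox product: it parses that layout into host indicators (files on disk, child processes, services, Run values) and flags the two persistence mechanisms, the Run value and the service, because both point at an executable outside the directories a legitimate autostart would use. The sample text is a subset of the records above copied verbatim; the TRUSTED_DIRS list is an assumption for this example.

```python
"""Parse the flattened 'Runtime Details' layout of this sandbox report into
host indicators and persistence findings.

Added example; not part of the original report or of any sandbox product.
Assumptions (from the lines visible on the page): a record is a verb
('Creates File', 'Deletes File', 'Creates Process', 'Creates Service',
'Registry') run straight into its argument; a 'Process' line is followed by
'↳ <image>'; a Registry value wraps onto the line after '➝'.
"""
import re

# Constructed sample: a subset of the report's runtime records, copied in the
# page's own flattened form (no separator between verb and argument).
SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe

Creates FileC:\pqvaewfayshq\hie1kbczjqwsfipkv.exe
Creates FileC:\pqvaewfayshq\zsewkww7v
Creates FileC:\WINDOWS\pqvaewfayshq\zsewkww7v
Deletes FileC:\WINDOWS\pqvaewfayshq\zsewkww7v
Creates ProcessC:\pqvaewfayshq\hie1kbczjqwsfipkv.exe

Process
↳ C:\pqvaewfayshq\hie1kbczjqwsfipkv.exe

RegistryHKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Detection RPC IPsec Peer BranchCache Alerts ➝
C:\pqvaewfayshq\khpdiwlwrl.exe
Creates FileC:\pqvaewfayshq\khpdiwlwrl.exe
Creates FilePIPE\lsarpc
Creates ProcessC:\pqvaewfayshq\khpdiwlwrl.exe
Creates ServiceAuthIP Location Controls - C:\pqvaewfayshq\khpdiwlwrl.exe

Process
↳ C:\WINDOWS\system32\spoolsv.exe

RegistryHKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL

Process
↳ C:\pqvaewfayshq\khpdiwlwrl.exe

Creates Filepipe\net\NtControlPipe10
Creates FileC:\pqvaewfayshq\rnwczfwchz.exe
Creates File\Device\Afd\Endpoint
Creates Processhccap8ogltmc "c:\pqvaewfayshq\khpdiwlwrl.exe"
"""

VERBS = ("Creates File", "Deletes File", "Creates Process", "Creates Service", "Registry")
_RECORD = re.compile("^(" + "|".join(re.escape(v) for v in VERBS) + ")(.*)$")

# Directories a legitimate autostart image normally lives in (assumption for
# this example; tune to the environment).
TRUSTED_DIRS = ("c:\\windows\\", "c:\\program files")


def parse_runtime(text):
    """Return (process, verb, argument) tuples from the flattened report text."""
    records, current = [], None
    lines = [ln.strip() for ln in text.splitlines()]
    i = 0
    while i < len(lines):
        line = lines[i]
        if line.startswith("↳"):                        # new process header
            current = line[1:].strip()
        else:
            m = _RECORD.match(line)
            if m:
                verb, arg = m.group(1), m.group(2).strip()
                if verb == "Registry" and arg.endswith("➝") and i + 1 < len(lines):
                    i += 1                              # value wrapped onto the next line
                    arg = arg + " " + lines[i]
                records.append((current, verb, arg))
        i += 1
    return records


def extract_iocs(records):
    """Group records into on-disk files, child processes, services and Run values.
    Named pipes and device objects (no drive letter) are left out of the file list."""
    iocs = {"files_created": [], "files_deleted": [], "child_processes": [],
            "services": [], "run_keys": []}
    for proc, verb, arg in records:
        if verb == "Creates File" and re.match(r"^[A-Za-z]:\\", arg):
            iocs["files_created"].append(arg)
        elif verb == "Deletes File":
            iocs["files_deleted"].append(arg)
        elif verb == "Creates Process":
            iocs["child_processes"].append(arg)
        elif verb == "Creates Service":
            name, _, image = arg.partition(" - ")
            iocs["services"].append({"name": name, "image": image, "by": proc})
        elif verb == "Registry":
            key, _, value = arg.partition(" ➝ ")
            if "\\CurrentVersion\\Run\\" in key:         # autostart value, not a plain read
                iocs["run_keys"].append({"name": key.rsplit("\\", 1)[1], "image": value, "by": proc})
    for k in ("files_created", "files_deleted", "child_processes"):
        iocs[k] = list(dict.fromkeys(iocs[k]))         # de-duplicate, keep order
    return iocs


def persistence_findings(iocs):
    """Flag Run values and services whose image is outside TRUSTED_DIRS."""
    findings = []
    for e in iocs["run_keys"]:
        if not e["image"].lower().startswith(TRUSTED_DIRS):
            findings.append(("run_key", e["name"], e["image"]))
    for s in iocs["services"]:
        if not s["image"].lower().startswith(TRUSTED_DIRS):
            findings.append(("service", s["name"], s["image"]))
    return findings


if __name__ == "__main__":
    found = extract_iocs(parse_runtime(SAMPLE_REPORT))
    for kind, name, image in persistence_findings(found):
        print(f"{kind}: {name!r} -> {image}")
    print("files:", *found["files_created"], sep="\n  ")
```

Run against the full report text the same parser yields the complete file list for C:\pqvaewfayshq\ (the dropped executables, the xbkymn and nmtcau data files, and the transient zsewkww7v), and the spoolsv.exe registry reads fall through because they are not autostart values.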

Network Details:

DNS queries (all type A; answers as the sandbox recorded them):

brokencircle.net ➝ 184.168.221.41
mightanger.net ➝ 208.100.26.234
doctoralways.net ➝ 195.22.28.196, 195.22.28.197, 195.22.28.198, 195.22.28.199
fw.ename.net ➝ 198.148.92.56, 198.148.92.57, 198.148.92.58
buildingschool.net ➝ 72.167.232.36
eveningschool.net ➝ 50.63.202.50
melbourneit.hotkeysparking.com ➝ 8.5.1.16
doubletherefore.net ➝ 208.100.26.234
brokenquestion.net ➝ 195.22.28.199, 195.22.28.196, 195.22.28.197, 195.22.28.198
strengthschool.net ➝ 50.63.202.38
movementtraining.net ➝ 108.163.251.66
buildingstorm.net ➝ 184.168.221.53

fw.ename.net and melbourneit.hotkeysparking.com are not names the sample asks for; they are the hosts the resolver returned for outsideschool.net and doctorschool.net, which the sandbox logged under the target name (the fourth and seventh TCP flows below go to 198.148.92.56 and 8.5.1.16, in the same order as the GET requests). Both appear to be domain-parking hosts, so those two requests reached a registrar parking page rather than a live controller. Note also that mightanger.net and doubletherefore.net share one address and that doctoralways.net and brokenquestion.net share the same four.
Queried with no recorded answer (type A), in the order observed:

fellowafraid.net, doubleafraid.net, fellowcircle.net, doublecircle.net, brokenmeasure.net, resultmeasure.net, brokendinner.net, resultdinner.net,
brokenafraid.net, resultafraid.net, resultcircle.net, preparemeasure.net, desiremeasure.net, preparedinner.net, desiredinner.net, prepareafraid.net,
desireafraid.net, preparecircle.net, desirecircle.net, strengthmeasure.net, stillmeasure.net, strengthdinner.net, stilldinner.net, strengthafraid.net,
stillafraid.net, strengthcircle.net, stillcircle.net, movementwheat.net, outsidewheat.net, movementanger.net, outsideanger.net, movementalways.net,
outsidealways.net, movementforest.net, outsideforest.net, buildingwheat.net, eveningwheat.net, buildinganger.net, eveninganger.net, buildingalways.net,
eveningalways.net, buildingforest.net, eveningforest.net, storewheat.net, mightwheat.net, storeanger.net, storealways.net, mightalways.net,
storeforest.net, mightforest.net, doctorwheat.net, prettywheat.net, doctoranger.net, prettyanger.net, prettyalways.net, doctorforest.net,
prettyforest.net, fellowwheat.net, doublewheat.net, fellowanger.net, doubleanger.net, fellowalways.net, doublealways.net, fellowforest.net,
doubleforest.net, brokenwheat.net, resultwheat.net, brokenanger.net, resultanger.net, brokenalways.net, resultalways.net, brokenforest.net,
resultforest.net, preparewheat.net, desirewheat.net, prepareanger.net, desireanger.net, preparealways.net, desirealways.net, prepareforest.net,
desireforest.net, strengthwheat.net, stillwheat.net, strengthanger.net, stillanger.net, strengthalways.net, stillalways.net, strengthforest.net,
stillforest.net, movementschool.net, outsideschool.net, movementwhile.net, outsidewhile.net, movementquestion.net, outsidequestion.net, movementtherefore.net,
outsidetherefore.net, buildingwhile.net, eveningwhile.net, buildingquestion.net, eveningquestion.net, buildingtherefore.net, eveningtherefore.net, storeschool.net,
mightschool.net, storewhile.net, mightwhile.net, storequestion.net, mightquestion.net, storetherefore.net, mighttherefore.net, doctorschool.net,
prettyschool.net, doctorwhile.net, prettywhile.net, doctorquestion.net, prettyquestion.net, doctortherefore.net, prettytherefore.net, fellowschool.net,
doubleschool.net, fellowwhile.net, doublewhile.net, fellowquestion.net, doublequestion.net, fellowtherefore.net, brokenschool.net, resultschool.net,
brokenwhile.net, resultwhile.net, resultquestion.net, brokentherefore.net, resulttherefore.net, prepareschool.net, desireschool.net, preparewhile.net,
desirewhile.net, preparequestion.net, desirequestion.net, preparetherefore.net, desiretherefore.net, stillschool.net, strengthwhile.net, stillwhile.net,
strengthquestion.net, stillquestion.net, strengththerefore.net, stilltherefore.net, movementhunger.net, outsidehunger.net, outsidetraining.net, movementstorm.net,
outsidestorm.net, movementthrown.net, outsidethrown.net, buildinghunger.net, eveninghunger.net, buildingtraining.net, eveningtraining.net, eveningstorm.net

Every name is two English words joined under .net, with the first word drawn from one list (broken, might, doctor, building, evening, double, strength, movement, fellow, result, prepare, desire, still, outside, store, pretty) and the second from another (circle, anger, always, school, therefore, question, training, storm, afraid, measure, dinner, wheat, forest, while, hunger, thrown); the queries walk that grid in pairs, which is what a word-list domain generation algorithm produces. The list omits exactly the twelve names that resolved, which are shown above. outsideschool.net and doctorschool.net appear here without an answer even though GET requests and flows to them follow, consistent with their answers having been logged under the parking hostnames above. For detection, the word lists and the request shape below are more durable indicators than any single name or address.
HTTP requests (all GET /index.php over HTTP/1.0; the User-Agent field is empty in the report because the requests carry no User-Agent header at all, as the raw capture below shows):

HTTP GET: http://brokencircle.net/index.php
HTTP GET: http://mightanger.net/index.php
HTTP GET: http://doctoralways.net/index.php
HTTP GET: http://outsideschool.net/index.php
HTTP GET: http://buildingschool.net/index.php
HTTP GET: http://eveningschool.net/index.php
HTTP GET: http://doctorschool.net/index.php
HTTP GET: http://doubletherefore.net/index.php
HTTP GET: http://brokenquestion.net/index.php
HTTP GET: http://strengthschool.net/index.php
HTTP GET: http://movementtraining.net/index.php
HTTP GET: http://buildingstorm.net/index.php

TCP flows (sandbox host 192.168.1.1; one connection per request, source ports 1031 to 1042 in request order; the host in brackets is matched by that order):

192.168.1.1:1031 ➝ 184.168.221.41:80   (brokencircle.net)
192.168.1.1:1032 ➝ 208.100.26.234:80   (mightanger.net)
192.168.1.1:1033 ➝ 195.22.28.196:80    (doctoralways.net)
192.168.1.1:1034 ➝ 198.148.92.56:80    (outsideschool.net, via fw.ename.net)
192.168.1.1:1035 ➝ 72.167.232.36:80    (buildingschool.net)
192.168.1.1:1036 ➝ 50.63.202.50:80     (eveningschool.net)
192.168.1.1:1037 ➝ 8.5.1.16:80         (doctorschool.net, via melbourneit.hotkeysparking.com)
192.168.1.1:1038 ➝ 208.100.26.234:80   (doubletherefore.net)
192.168.1.1:1039 ➝ 195.22.28.199:80    (brokenquestion.net)
192.168.1.1:1040 ➝ 50.63.202.38:80     (strengthschool.net)
192.168.1.1:1041 ➝ 108.163.251.66:80   (movementtraining.net)
192.168.1.1:1042 ➝ 184.168.221.53:80   (buildingstorm.net)

Each request is a one-shot HTTP/1.0 GET carrying only Accept: */*, Connection: close and Host. An HTTP/1.0 request with no User-Agent from a workstation is unusual enough to be a network signature on its own, and the two-word .net Host narrows it further.

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e636972 636c652e 6e65740d   rokencircle.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   69676874 616e6765 722e6e65 740d0a0d   ightanger.net...
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72616c77 6179732e 6e65740d   octoralways.net.
0x00000050 (00080)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206f   : close..Host: o
0x00000040 (00064)   75747369 64657363 686f6f6c 2e6e6574   utsideschool.net
0x00000050 (00080)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6773 63686f6f 6c2e6e65   uildingschool.ne
0x00000050 (00080)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000040 (00064)   76656e69 6e677363 686f6f6c 2e6e6574   veningschool.net
0x00000050 (00080)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f63746f 72736368 6f6f6c2e 6e65740d   octorschool.net.
0x00000050 (00080)   0a0d0a0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2064   : close..Host: d
0x00000040 (00064)   6f75626c 65746865 7265666f 72652e6e   oubletherefore.n
0x00000050 (00080)   65740d0a 0d0a                         et....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e717565 7374696f 6e2e6e65   rokenquestion.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000040 (00064)   7472656e 67746873 63686f6f 6c2e6e65   trengthschool.ne
0x00000050 (00080)   740d0a0d 0a0a                         t.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a206d   : close..Host: m
0x00000040 (00064)   6f76656d 656e7474 7261696e 696e672e   ovementtraining.
0x00000050 (00080)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   75696c64 696e6773 746f726d 2e6e6574   uildingstorm.net
0x00000050 (00080)   0d0a0d0a                              ....
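The DNS grid above and the twelve requests in the hex dumps describe the same beacon from two sides. The following Python is an added example, not code from the report or from any sandbox product: it decodes the report's hexdump layout back into bytes, parses the HTTP request, infers the two word lists from a sample of the observed names, and flags requests that have the shape in the capture (GET /index.php over HTTP/1.0, headers Accept, Connection and Host only, Host built from the grid). The word-list inference is a heuristic over the names this report observed, not the family's real generation algorithm, and the rule that a match must be a two-word .net name and the sample label list are assumptions taken from this page; the constructed hexdump is the first request above copied verbatim.

```python
"""Decode the report's hexdump, parse the request and test it against the
beacon shape seen above. Added example; not part of the original report or of
any sandbox product. The word-list inference is a heuristic over names this
report observed, not the family's real algorithm; '.net only' and the sample
labels are assumptions taken from this page.
"""
import re

# Constructed sample: a subset of the second-level labels queried above.
OBSERVED_LABELS = [
    "brokencircle", "mightanger", "doctoralways", "buildingschool", "eveningschool", "doubletherefore",
    "brokenquestion", "strengthschool", "movementtraining", "buildingstorm", "fellowafraid", "doubleafraid",
    "fellowcircle", "doublecircle", "brokenmeasure", "resultmeasure", "brokendinner", "resultdinner",
    "brokenafraid", "resultafraid", "resultcircle", "preparemeasure", "desiremeasure", "preparedinner",
    "desiredinner", "stillmeasure", "strengthmeasure", "movementwheat", "outsidewheat", "movementanger",
    "outsideanger", "movementalways", "outsidealways", "storeforest", "mightforest", "doctorforest",
    "prettyforest", "mightschool", "storeschool", "prettyschool", "doctorschool", "stillschool",
    "strengththerefore", "stilltherefore", "eveningtraining", "movementstorm", "outsidestorm",
    "movementthrown", "outsidethrown", "buildinghunger", "eveninghunger", "resultquestion", "desirequestion",
]

# Constructed sample: the first request of the 'Raw Pcap' section, verbatim.
HEXDUMP_SAMPLE = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68702048   GET /index.php H
0x00000010 (00016)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000020 (00032)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000030 (00048)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000040 (00064)   726f6b65 6e636972 636c652e 6e65740d   rokencircle.net.
0x00000050 (00080)   0a0d0a                                ...
"""


def infer_wordlists(labels, min_support=2):
    """Cut each label into first+second word at the position whose halves are
    best supported as a prefix/suffix of the other labels."""
    labels = list(dict.fromkeys(labels))
    def pre(a):      # labels beginning with a
        return sum(x.startswith(a) for x in labels)
    def suf(b):      # labels ending with b
        return sum(x.endswith(b) for x in labels)
    def branch(a):   # distinct letters following a; real word boundaries branch
        return len({x[len(a)] for x in labels if x.startswith(a) and len(x) > len(a)})
    prefixes, suffixes = set(), set()
    for lab in labels:
        best, best_key = None, (0, 0, 0)
        for i in range(2, len(lab) - 1):
            a, b = lab[:i], lab[i:]
            key = (min(pre(a), suf(b)), pre(a) + suf(b), branch(a))  # later items break ties
            if key > best_key:
                best, best_key = (a, b), key
        if best_key[0] >= min_support:
            prefixes.add(best[0])
            suffixes.add(best[1])
    return prefixes, suffixes


PREFIXES, SUFFIXES = infer_wordlists(OBSERVED_LABELS)


def is_dga_like(host, prefixes=PREFIXES, suffixes=SUFFIXES):
    """True for <first><second>.net built from the inferred word lists."""
    label, _, tld = host.lower().strip(".").partition(".")
    if tld != "net" or not label.isalpha():
        return False
    return any(label[:i] in prefixes and label[i:] in suffixes for i in range(1, len(label)))


# '<offset> (<decimal>)   <up to four 4-byte hex groups>   <ascii column>'
_DUMP_LINE = re.compile(r"^\s*0x[0-9a-fA-F]+\s+\(\d+\)\s+"
                        r"((?:(?:[0-9a-fA-F]{2}){1,4}\s)*(?:[0-9a-fA-F]{2}){1,4})(?=\s{2,}|\s*$)")


def hexdump_to_bytes(dump):
    """Rebuild the raw bytes from the hex column; the ASCII column is ignored."""
    out = bytearray()
    for line in dump.splitlines():
        m = _DUMP_LINE.match(line)
        if m:
            out += bytes.fromhex(m.group(1).replace(" ", ""))
    return bytes(out)


def parse_http_request(raw):
    """Split request line and headers; headers keep their order."""
    head = raw.partition(b"\r\n\r\n")[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    method, path, version = request_line.split(" ", 2)
    headers = [(n.strip(), v.strip()) for n, _, v in (h.partition(":") for h in header_lines)]
    return {"method": method, "path": path, "version": version, "headers": headers}


def looks_like_beacon(raw):
    """Exact header set (so a User-Agent anywhere disqualifies) plus a grid host."""
    req = parse_http_request(raw)
    if (req["method"], req["path"], req["version"]) != ("GET", "/index.php", "HTTP/1.0"):
        return False
    if [n for n, _ in req["headers"]] != ["Accept", "Connection", "Host"]:
        return False
    return is_dga_like(dict(req["headers"])["Host"])


if __name__ == "__main__":
    print(sorted(PREFIXES), sorted(SUFFIXES))
    print(looks_like_beacon(hexdump_to_bytes(HEXDUMP_SAMPLE)))
```

Because the word lists are inferred rather than hard-coded, a name the sandbox never saw but that the grid can produce (stillthrown.net, for instance) still matches, while a request with the same path but a User-Agent, an HTTP/1.1 version, or a host outside the grid does not.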


Strings