Analysis Date: 2016-04-23 05:01:28
MD5: 4c05e73f4e50ff925e36caa332c15234
SHA1: fe6745b10d058e0f89f9112b80febbe377c41ab7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 5fd89774b2c1a8c620b815b2e9d29a82 sha1: 96eb1ab793bb6d0fe0c17e4a54c74b1215d050a4 size: 290304
Section .rdata md5: 7ee0ab5883b59a9f004f3f5888dbe2ec sha1: 9646eb390dcfc2ef5d25f597ef7847c717f91194 size: 38400
Section .data  md5: dcdc27d2bb56f914a4996a455c46b38d sha1: 3456a2cdbffed39f23116f8641fe8b5bfc9c409c size: 7168
Timestamp: 2015-11-23 03:15:48
Packer: Microsoft Visual C++ ?.?
PEhash: 72794bead9d386626087fb26384c7e34741fa918
IMPhash: cc7b4c932101a9804498315b2b51d035
AV CA (E-Trust Ino): Trojan.Spy.YRB
AV Rising: No Virus
AV Mcafee: BackDoor-FCYZ!4C05E73F4E50
AV Avira (antivir): TR/Nivdort.Gen
AV Twister: No Virus
AV Ad-Aware: Trojan.Spy.YRB
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AD
AV Grisoft (avg): Dropper.Generic_r.EC
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.AD!tr
AV BitDefender: Trojan.Spy.YRB
AV K7: Trojan ( 004da8bd1 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.CE
AV MicroWorld (escan): Trojan.Spy.YRB
AV MalwareBytes: No Virus
AV Authentium: W32/Kazy.EW.gen!Eldorado
AV Frisk (f-prot): No Virus
AV Ikarus: Trojan.Win32.Bayrob
AV Emsisoft: Trojan.Spy.YRB
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Generic
AV Trend Micro: No Virus
AV CAT (quickheal): TrojanSpy.Nivdort.WR4
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Trojan.Spy.YRB
AV Arcabit (arcavir): Trojan.Spy.YRB
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Trojan.Spy.YRB

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates File: C:\dytgeccbudhpp\jc1mg6sjwskulydbi.exe
Creates File: C:\dytgeccbudhpp\qrjkpms5ntgy
Deletes File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates Process: C:\dytgeccbudhpp\jc1mg6sjwskulydbi.exe

Process
↳ C:\dytgeccbudhpp\jc1mg6sjwskulydbi.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Studio WebClient Engine Publication ➝ C:\dytgeccbudhpp\bpkwumwbkax.exe
Creates File: C:\dytgeccbudhpp\ryjqjsf5k
Creates File: C:\dytgeccbudhpp\bpkwumwbkax.exe
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates File: C:\dytgeccbudhpp\qrjkpms5ntgy
Deletes File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates Process: C:\dytgeccbudhpp\bpkwumwbkax.exe
Creates Service: Sharing Color Mapper Application - C:\dytgeccbudhpp\bpkwumwbkax.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1204

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1864

Process
↳ Pid 1128

Process
↳ C:\dytgeccbudhpp\bpkwumwbkax.exe

Creates File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates File: C:\dytgeccbudhpp\qrjkpms5ntgy
Deletes File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy

Process
↳ C:\dytgeccbudhpp\bpkwumwbkax.exe

Creates File: C:\dytgeccbudhpp\ryjqjsf5k
Creates File: pipe\net\NtControlPipe10
Creates File: C:\dytgeccbudhpp\gitwfleicxe.exe
Creates File: C:\dytgeccbudhpp\rwuqydtg5
Creates File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates File: \Device\Afd\Endpoint
Creates File: C:\dytgeccbudhpp\qrjkpms5ntgy
Deletes File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates Process: guwxszufqklj "c:\dytgeccbudhpp\bpkwumwbkax.exe"

Process
↳ guwxszufqklj "c:\dytgeccbudhpp\bpkwumwbkax.exe"

Creates File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy
Creates File: C:\dytgeccbudhpp\qrjkpms5ntgy
Deletes File: C:\WINDOWS\dytgeccbudhpp\qrjkpms5ntgy

Network Details:

