Analysis Date: 2018-02-01 13:47:08
MD5: aa61e029200aee3348bb495cee85b149
SHA1: 03ca9660da5788ac4d3c145cc9ff9408adfae2eb

Static Details:

Note: no engine in the list below classifies this sample as a backdoor or credential stealer. The named detections (Microsoft/Defender SoftwareBundler:Win32/ICLoader, Kaspersky and NANO FileTour, Dr. Web InstallCube, Emsisoft AdLoad) agree on "software bundler / adware loader"; Avira, Fortinet, ESET and McAfee report only generic packer/crypter signatures (Crypt.XPACK, GenKryptik, Kryptik, Packed-VJ), and three engines (BullGuard, Ikarus, K7) errored rather than returning a verdict. Treat the family as a bundler/PUP loader unless the runtime evidence below contradicts that.

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash: (not recorded in this report)
AV Arcabit (arcavir): No Virus
AV Authentium: No Virus
AV Grisoft (avg): No Virus
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Alwil (avast): DangerousSig [Trj]
AV Ad-Aware: No Virus
AV BitDefender: No Virus
AV BullGuard: Error Scanning File
AV ClamAV: No Virus
AV Dr. Web: Trojan.InstallCube.2654
AV Emsisoft: Application.AdLoad
AV MicroWorld (escan): No Virus
AV CA (E-Trust Ino): No Virus
AV Fortinet: W32/GenKryptik.BLEB!tr
AV Frisk (f-prot): No Virus
AV F-Secure: No Virus
AV Ikarus: Error Scanning File
AV K7: Error Scanning File
AV Kaspersky: HEUR:AdWare.Win32.FileTour.gen
AV MalwareBytes: No Virus
AV Mcafee: Packed-VJ!AA61E029200A
AV Microsoft Security Essentials: SoftwareBundler:Win32/ICLoader
AV NANO: Riskware.Win32.FileTour.exiuce
AV NANO: Riskware.Win32.FileTour.exiujr
AV Eset (nod32): Win32/Kryptik.GCOI
AV Padvish: No Virus
AV CAT (quickheal): No Virus
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: No Virus
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): No Virus
AV Windows Defender: SoftwareBundler:Win32/ICLoader
AV Zillya!: No Virus

Runtime Details:

Note: the "Creates File" entries below record file handles being opened (CreateFile-style calls), not necessarily files being written — \??\Nul and sortdefault.nls are opens of existing system objects, and nothing in the trace shows oleaccrc.dll being written. The opens of \??\PhysicalDrive0 through \??\PhysicalDrive4 are raw-disk handle accesses; this pattern is commonly used for disk/hardware fingerprinting or sandbox detection, but the report does not show what, if anything, was read. The sample also spawns cmd.exe and timeout.exe, consistent with a scripted delay; lsass.exe appears in the process list with no recorded actions, so its presence should not be read as injection without further evidence.

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\THX1138\AppData\Local\Temp\03ca9660da5788ac4d3c145cc9ff9408adfae2eb.exe

Creates File: C:\Windows\System32\oleaccrc.dll
Creates File: \??\PhysicalDrive0
Creates File: \??\PhysicalDrive1
Creates File: \??\PhysicalDrive2
Creates File: \??\PhysicalDrive3
Creates File: \??\PhysicalDrive4

Process
↳ C:\Windows\SysWOW64\cmd.exe

Creates File: \??\Nul
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls

Process
↳ C:\Windows\SysWOW64\timeout.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls

Network Details:


Raw Pcap

Reading guide: the two GET /ncsi.txt requests (User-Agent "Microsoft NCSI", Host www.msftncsi.com) are Windows' own connectivity probes and are not attributable to the sample. The sample's traffic is the two POSTs to ec2-52-29-33-28.eu-central-1.compute.amazonaws.com with User-Agent "Christmas Mystery 5.5.7": /request/autok?user=youllupuki&ver=10&key=… (a token request with an empty body) and /request/fail (a 792-byte error report). The base64 "description" in the fail report decodes to "Version 5.5.7. GetToken request failed. Bad data received: "…"", where the quoted body is, again base64, INetSim's default "HTTP server fake mode" HTML page, followed by the original request path. That tells us the sandbox answered the C2 request with INetSim's fake HTTP service, so the loader never received a real token and whatever it would have fetched from the live server is not in this trace — the runtime behaviour above is the pre-download stage only. The fourth dump appears to be a capture artefact: its first 0x61 bytes are an NCSI probe and the remainder, from offset 0x61, is the /request/fail POST repeated at the same offsets; do not count it as a third C2 exchange. The EC2 hostname is a generic compute address that can be reassigned, so for detection pivot on the User-Agent string and the /request/autok and /request/fail paths rather than the host alone.
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   504f5354 202f7265 71756573 742f6175   POST /request/au
0x00000010 (00016)   746f6b3f 75736572 3d796f75 6c6c7570   tok?user=youllup
0x00000020 (00032)   756b6926 7665723d 3130266b 65793d38   uki&ver=10&key=8
0x00000030 (00048)   30373834 66623562 62663830 33326238   0784fb5bbf8032b8
0x00000040 (00064)   35333062 34633335 35626131 38306620   530b4c355ba180f 
0x00000050 (00080)   48545450 2f312e31 0d0a4163 63657074   HTTP/1.1..Accept
0x00000060 (00096)   3a202a2f 2a0d0a55 7365722d 4167656e   : */*..User-Agen
0x00000070 (00112)   743a2043 68726973 746d6173 204d7973   t: Christmas Mys
0x00000080 (00128)   74657279 20352e35 2e370d0a 436f6e74   tery 5.5.7..Cont
0x00000090 (00144)   656e742d 54797065 3a206170 706c6963   ent-Type: applic
0x000000a0 (00160)   6174696f 6e2f782d 7777772d 666f726d   ation/x-www-form
0x000000b0 (00176)   2d75726c 656e636f 6465640d 0a486f73   -urlencoded..Hos
0x000000c0 (00192)   743a2065 63322d35 322d3239 2d33332d   t: ec2-52-29-33-
0x000000d0 (00208)   32382e65 752d6365 6e747261 6c2d312e   28.eu-central-1.
0x000000e0 (00224)   636f6d70 7574652e 616d617a 6f6e6177   compute.amazonaw
0x000000f0 (00240)   732e636f 6d0d0a43 6f6e7465 6e742d4c   s.com..Content-L
0x00000100 (00256)   656e6774 683a2030 0d0a4361 6368652d   ength: 0..Cache-
0x00000110 (00272)   436f6e74 726f6c3a 206e6f2d 63616368   Control: no-cach
0x00000120 (00288)   650d0a0d 0a                           e....

0x00000000 (00000)   504f5354 202f7265 71756573 742f6661   POST /request/fa
0x00000010 (00016)   696c3f75 7365723d 796f756c 6c757075   il?user=youllupu
0x00000020 (00032)   6b692676 65723d31 30266b65 793d3966   ki&ver=10&key=9f
0x00000030 (00048)   61303637 39313564 38646365 33336462   a067915d8dce33db
0x00000040 (00064)   35616361 61663364 61396336 62302048   5acaaf3da9c6b0 H
0x00000050 (00080)   5454502f 312e310d 0a416363 6570743a   TTP/1.1..Accept:
0x00000060 (00096)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000070 (00112)   3a204368 72697374 6d617320 4d797374   : Christmas Myst
0x00000080 (00128)   65727920 352e352e 370d0a43 6f6e7465   ery 5.5.7..Conte
0x00000090 (00144)   6e742d54 7970653a 20617070 6c696361   nt-Type: applica
0x000000a0 (00160)   74696f6e 2f782d77 77772d66 6f726d2d   tion/x-www-form-
0x000000b0 (00176)   75726c65 6e636f64 65640d0a 486f7374   urlencoded..Host
0x000000c0 (00192)   3a206563 322d3532 2d32392d 33332d32   : ec2-52-29-33-2
0x000000d0 (00208)   382e6575 2d63656e 7472616c 2d312e63   8.eu-central-1.c
0x000000e0 (00224)   6f6d7075 74652e61 6d617a6f 6e617773   ompute.amazonaws
0x000000f0 (00240)   2e636f6d 0d0a436f 6e74656e 742d4c65   .com..Content-Le
0x00000100 (00256)   6e677468 3a203739 320d0a43 61636865   ngth: 792..Cache
0x00000110 (00272)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000120 (00288)   68650d0a 0d0a6461 74613d7b 22636174   he....data={"cat
0x00000130 (00304)   65676f72 79223a22 6c6f6164 65722d65   egory":"loader-e
0x00000140 (00320)   72726f72 222c2264 65736372 69707469   rror","descripti
0x00000150 (00336)   6f6e223a 22566d56 7963326c 76626941   on":"VmVyc2lvbiA
0x00000160 (00352)   314c6a55 754e7934 67523256 30564739   1LjUuNy4gR2V0VG9
0x00000170 (00368)   725a5734 67636d56 78645756 7a644342   rZW4gcmVxdWVzdCB
0x00000180 (00384)   6d59576c 735a5751 7549454a 685a4342   mYWlsZWQuIEJhZCB
0x00000190 (00400)   6b595852 6849484a 6c593256 70646d56   kYXRhIHJlY2VpdmV
0x000001a0 (00416)   6b4f6941 69554564 6f4d474a 58647974   kOiAiUEdoMGJXdyt
0x000001b0 (00432)   44615546 6e554564 6f62466c 58555374   DaUFnUEdobFlXUSt
0x000001c0 (00448)   44615546 6e53554e 424f4752 48624442   DaUFnSUNBOGRHbDB
0x000001d0 (00464)   69523155 72553155 31624752 47546e42   iR1UrU1U1bGRGTnB
0x000001e0 (00480)   6955304a 72576c64 61614752 58654442   iU0JrWldaaGRXeDB
0x000001f0 (00496)   4a525768 56564656 335a324e 48526d35   JRWhVVFV3Z2NHRm5
0x00000200 (00512)   61564864 325a4564 734d474a 48565374   aVHd2ZEdsMGJHVSt
0x00000210 (00528)   44615546 6e55454d 35623170 58526d74   DaUFnUEM5b1pXRmt
0x00000220 (00544)   515a3239 6e535552 34615749 79556a56   QZ29nSUR4aWIyUjV
0x00000230 (00560)   515a3239 6e53554e 425a3142 49515374   QZ29nSUNBZ1BIQSt
0x00000240 (00576)   51517a6c 33554764 765a306c 44515764   QQzl3UGdvZ0lDQWd
0x00000250 (00592)   51534546 6e575664 3463466f 794e446c   QSEFnWVd4cFoyNDl
0x00000260 (00608)   4a625535 73596d35 5362474e 70535374   JbU5sYm5SbGNpSSt
0x00000270 (00624)   57523268 7759336c 4363474e 35516a42   WR2hwY3lCcGN5QjB
0x00000280 (00640)   68523156 6e576b64 5762566c 59566e4e   hR1VnWkdWbVlYVnN
0x00000290 (00656)   6b51304a 4a566b55 7854556c 49516d68   kQ0JJVkUxTUlIQmh
0x000002a0 (00672)   614d6c56 6e576d30 3565556c 46624539   aMlVnWm05eUlFbE9
0x000002b0 (00688)   6157464a 55595663 775a314e 47556c56   aWFJUYVcwZ1NGUlV
0x000002c0 (00704)   5651304a 36576c68 4b4d6c70 59535764   VQ0J6WlhKMlpYSWd
0x000002d0 (00720)   6162555a 79576c4e 43644749 79556d78   abUZyWlNCdGIyUmx
0x000002e0 (00736)   4d616e64 32593051 3053306c 44515764   Mand2Y0Q0S0lDQWd
0x000002f0 (00752)   4a524868 33535564 47633246 585a4856   JRHh3SUdGc2FXZHV
0x00000300 (00768)   51553070 71576c63 314d4670 5953576c   QU0pqWlc1MFpYSWl
0x00000310 (00784)   5162464a 76595668 4e5a3170 7462484e   QbFJvYVhNZ1ptbHN
0x00000320 (00800)   6155304a 7759336c 4361474a 70516b6c   aU0JwY3lCaGJpQkl
0x00000330 (00816)   57525446 4e535564 53646c6b 7a566e52   WRTFNSUdSdlkzVnR
0x00000340 (00832)   61567a55 77544770 33646d4e 454e4574   aVzUwTGp3dmNENEt
0x00000350 (00848)   4a513045 3454444a 4b646c70 49617974   JQ0E4TDJKdlpIayt
0x00000360 (00864)   44616e64 32595568 5364474a 454e4573   Dand2YUhSdGJENEs
0x00000370 (00880)   694c6942 485a5851 67636d56 78645756   iLiBHZXQgcmVxdWV
0x00000380 (00896)   7a64446f 67496d4e 74566e68 6b56315a   zdDogImNtVnhkV1Z
0x00000390 (00912)   365a454d 35614752 59556e5a 68656a6b   6ZEM5aGRYUnZhejk
0x000003a0 (00928)   78597a4a 57655642 5962485a 6b563368   xYzJWeVBYbHZkV3h
0x000003b0 (00944)   7a5a4668 434d5745 79613231 6b62565a   zZFhCMWEya21kbVZ
0x000003c0 (00960)   35554652 46643070 74644778 6c564441   5UFRFd0ptdGxlVDA
0x000003d0 (00976)   30545552 6a4e4535 48576d6c 4f563070   0TURjNE5HWmlOV0p
0x000003e0 (00992)   70576d70 6e643031 36536d6c 50524656   pWmpnd016SmlPRFV
0x000003f0 (01008)   36545564 4a4d466c 36545446 4f563070   6TUdJMFl6TTFOV0p
0x00000400 (01024)   6f545652 6e643170 6e505430 694c6941   oTVRnd1pnPT0iLiA
0x00000410 (01040)   3d222c22 73746172 745f6964 223a2222   =","start_id":""
0x00000420 (01056)   2c227472 616e7361 6374696f 6e5f6964   ,"transaction_id
0x00000430 (01072)   223a2234 33373536 32343730 227d       ":"437562470"}

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a2a2f2a 0d0a5573 65722d41 67656e74   .*/*..User-Agent
0x00000070 (00112)   3a204368 72697374 6d617320 4d797374   : Christmas Myst
0x00000080 (00128)   65727920 352e352e 370d0a43 6f6e7465   ery 5.5.7..Conte
0x00000090 (00144)   6e742d54 7970653a 20617070 6c696361   nt-Type: applica
0x000000a0 (00160)   74696f6e 2f782d77 77772d66 6f726d2d   tion/x-www-form-
0x000000b0 (00176)   75726c65 6e636f64 65640d0a 486f7374   urlencoded..Host
0x000000c0 (00192)   3a206563 322d3532 2d32392d 33332d32   : ec2-52-29-33-2
0x000000d0 (00208)   382e6575 2d63656e 7472616c 2d312e63   8.eu-central-1.c
0x000000e0 (00224)   6f6d7075 74652e61 6d617a6f 6e617773   ompute.amazonaws
0x000000f0 (00240)   2e636f6d 0d0a436f 6e74656e 742d4c65   .com..Content-Le
0x00000100 (00256)   6e677468 3a203739 320d0a43 61636865   ngth: 792..Cache
0x00000110 (00272)   2d436f6e 74726f6c 3a206e6f 2d636163   -Control: no-cac
0x00000120 (00288)   68650d0a 0d0a6461 74613d7b 22636174   he....data={"cat
0x00000130 (00304)   65676f72 79223a22 6c6f6164 65722d65   egory":"loader-e
0x00000140 (00320)   72726f72 222c2264 65736372 69707469   rror","descripti
0x00000150 (00336)   6f6e223a 22566d56 7963326c 76626941   on":"VmVyc2lvbiA
0x00000160 (00352)   314c6a55 754e7934 67523256 30564739   1LjUuNy4gR2V0VG9
0x00000170 (00368)   725a5734 67636d56 78645756 7a644342   rZW4gcmVxdWVzdCB
0x00000180 (00384)   6d59576c 735a5751 7549454a 685a4342   mYWlsZWQuIEJhZCB
0x00000190 (00400)   6b595852 6849484a 6c593256 70646d56   kYXRhIHJlY2VpdmV
0x000001a0 (00416)   6b4f6941 69554564 6f4d474a 58647974   kOiAiUEdoMGJXdyt
0x000001b0 (00432)   44615546 6e554564 6f62466c 58555374   DaUFnUEdobFlXUSt
0x000001c0 (00448)   44615546 6e53554e 424f4752 48624442   DaUFnSUNBOGRHbDB
0x000001d0 (00464)   69523155 72553155 31624752 47546e42   iR1UrU1U1bGRGTnB
0x000001e0 (00480)   6955304a 72576c64 61614752 58654442   iU0JrWldaaGRXeDB
0x000001f0 (00496)   4a525768 56564656 335a324e 48526d35   JRWhVVFV3Z2NHRm5
0x00000200 (00512)   61564864 325a4564 734d474a 48565374   aVHd2ZEdsMGJHVSt
0x00000210 (00528)   44615546 6e55454d 35623170 58526d74   DaUFnUEM5b1pXRmt
0x00000220 (00544)   515a3239 6e535552 34615749 79556a56   QZ29nSUR4aWIyUjV
0x00000230 (00560)   515a3239 6e53554e 425a3142 49515374   QZ29nSUNBZ1BIQSt
0x00000240 (00576)   51517a6c 33554764 765a306c 44515764   QQzl3UGdvZ0lDQWd
0x00000250 (00592)   51534546 6e575664 3463466f 794e446c   QSEFnWVd4cFoyNDl
0x00000260 (00608)   4a625535 73596d35 5362474e 70535374   JbU5sYm5SbGNpSSt
0x00000270 (00624)   57523268 7759336c 4363474e 35516a42   WR2hwY3lCcGN5QjB
0x00000280 (00640)   68523156 6e576b64 5762566c 59566e4e   hR1VnWkdWbVlYVnN
0x00000290 (00656)   6b51304a 4a566b55 7854556c 49516d68   kQ0JJVkUxTUlIQmh
0x000002a0 (00672)   614d6c56 6e576d30 3565556c 46624539   aMlVnWm05eUlFbE9
0x000002b0 (00688)   6157464a 55595663 775a314e 47556c56   aWFJUYVcwZ1NGUlV
0x000002c0 (00704)   5651304a 36576c68 4b4d6c70 59535764   VQ0J6WlhKMlpYSWd
0x000002d0 (00720)   6162555a 79576c4e 43644749 79556d78   abUZyWlNCdGIyUmx
0x000002e0 (00736)   4d616e64 32593051 3053306c 44515764   Mand2Y0Q0S0lDQWd
0x000002f0 (00752)   4a524868 33535564 47633246 585a4856   JRHh3SUdGc2FXZHV
0x00000300 (00768)   51553070 71576c63 314d4670 5953576c   QU0pqWlc1MFpYSWl
0x00000310 (00784)   5162464a 76595668 4e5a3170 7462484e   QbFJvYVhNZ1ptbHN
0x00000320 (00800)   6155304a 7759336c 4361474a 70516b6c   aU0JwY3lCaGJpQkl
0x00000330 (00816)   57525446 4e535564 53646c6b 7a566e52   WRTFNSUdSdlkzVnR
0x00000340 (00832)   61567a55 77544770 33646d4e 454e4574   aVzUwTGp3dmNENEt
0x00000350 (00848)   4a513045 3454444a 4b646c70 49617974   JQ0E4TDJKdlpIayt
0x00000360 (00864)   44616e64 32595568 5364474a 454e4573   Dand2YUhSdGJENEs
0x00000370 (00880)   694c6942 485a5851 67636d56 78645756   iLiBHZXQgcmVxdWV
0x00000380 (00896)   7a64446f 67496d4e 74566e68 6b56315a   zdDogImNtVnhkV1Z
0x00000390 (00912)   365a454d 35614752 59556e5a 68656a6b   6ZEM5aGRYUnZhejk
0x000003a0 (00928)   78597a4a 57655642 5962485a 6b563368   xYzJWeVBYbHZkV3h
0x000003b0 (00944)   7a5a4668 434d5745 79613231 6b62565a   zZFhCMWEya21kbVZ
0x000003c0 (00960)   35554652 46643070 74644778 6c564441   5UFRFd0ptdGxlVDA
0x000003d0 (00976)   30545552 6a4e4535 48576d6c 4f563070   0TURjNE5HWmlOV0p
0x000003e0 (00992)   70576d70 6e643031 36536d6c 50524656   pWmpnd016SmlPRFV
0x000003f0 (01008)   36545564 4a4d466c 36545446 4f563070   6TUdJMFl6TTFOV0p
0x00000400 (01024)   6f545652 6e643170 6e505430 694c6941   oTVRnd1pnPT0iLiA
0x00000410 (01040)   3d222c22 73746172 745f6964 223a2222   =","start_id":""
0x00000420 (01056)   2c227472 616e7361 6374696f 6e5f6964   ,"transaction_id
0x00000430 (01072)   223a2234 33373536 32343730 227d       ":"437562470"}


Strings