Analysis Date: 2016-11-13 23:01:56
MD5: 1f5c2cd487a7b36438abd8581bd440c7
SHA1: 7529c89616be3321f64060d7c9d0e4064366eebc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 8e29037cb8d730c564a49bd8df084a8d sha1: ab5ccc1dfa543a4a2d539d6d652b0e16d1aee916 size: 76800
Section .data md5: 7c89db27fe8d5d9477b5ca9d7ab35372 sha1: 2c7291a4f1840c070fcbb0f533a33572644f5186 size: 18944
Section .xcpad md5: sha1: size:
Section .idata md5: sha1: size:
Section .reloc md5: sha1: size:
Section .rsrc md5: c831002481621923b3e53ee1c2a931b0 sha1: b1e820ff1384613e47c4707cba40e30b8afcbfb3 size: 28160
Timestamp:
Version LegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer: Microsoft Visual C++ ?.?
PEhash:
IMPhash: d097e9ab6127e643b1fe3a7bbc04b4d3
AV 360 Safe: No Virus
AV Ad-Aware: Gen:Variant.Zusy.15884
AV Alwil (avast): ?
AV Arcabit (arcavir): Gen:Variant.Zusy.15884
AV Authentium: No Virus
AV Avira (antivir): TR/Crypt.XPACK.Gen7
AV BitDefender: Gen:Variant.Zusy.15884
AV BullGuard: Gen:Variant.Zusy.15884
AV CA (E-Trust Ino): Gen:Variant.Zusy.15884
AV CAT (quickheal): Trojan.Vundo.Gen
AV ClamAV: No Virus
AV Dr. Web: Trojan.Mayachok.1
AV Emsisoft: Gen:Variant.Zusy.15884
AV Eset (nod32): Win32/Agent.SFM
AV F-Secure: Gen:Variant.Zusy.15884
AV Fortinet: W32/Citirevo.AB!tr
AV Frisk (f-prot): No Virus
AV Grisoft (avg): Generic29.LLK
AV Ikarus: Trojan.Win32.Lampa
AV K7: Backdoor ( 04c4cebd1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.FakeMS.ED
AV Mcafee: Vundo.gen.hk
AV MicroWorld (escan): Gen:Variant.Zusy.15884
AV Microsoft Security Essentials: Trojan:Win32/Vundo.OD
AV Rising: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: Trojan.Zatvex!gen6
AV Trend Micro: No Virus
AV Twister: Trojan.190000E978FEFFFF5.mg
AV VirusBlokAda (vba32): No Virus
AV Windows Defender: Trojan:Win32/Vundo.OD
AV Zillya!: No Virus

Runtime Details:

Process:
↳ C:\7529c89616be3321f64060d7c9d0e4064366eebc.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest
Creates File: C:\WINDOWS\system32\4A.tmp
Creates File: C:\WINDOWS\system32\cxepjdf.dll
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs ➝ C:\WINDOWS\system32\cxepjdf.dll\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\LoadAppInit_DLLs ➝ 1

Network Details:


Strings:
@0RR
PRPh
h`sA
kernel32.dll
=dhA
1=dhA
at m$P#
>HH,
"#faar S\
wrsdAD A
GaCApP
iGnottGi
li\aRlis38a
ueRl0sOe
ueAsrs3
lAlEL
!WZxg
IKs>bL
7):r
+rB`uq
5+<J
`U2l
e8W[
/CsZf=
tK*O
S!`C
t&>>
Q#Of
!Xf"
%J,Z
{Cb)
tDDW
So]{
qX u
)ck
dQ]J
xk,1
*>[9/h
cy^p
$pu/
b.vM
>JVR
.DT9;
@D[J
SFGp
a@tQ
y2,:o
oI2(g
; zf
JseA-
,7u2
i3ZS
Dio<
S|s0
'5#*
TU7i
;M;u
z9,2j("
~p(l
92$"
"lH?bJ
8Y.I2
>l7s
S:3,
`H*|vI
=P?<
o[O&
vi}
EsoL
Xd\_
6mIa
P7SW
93-+/
"x]X
	TgnuS
#\ppe
RsdCei
Femx
FFFFeoo
pplei
mAye
pevAtJc
zWeeK.EoE
rEgl}V
l<oeoiujng
tFtetEl[
Wlp;
LWH'$
co0B
FyF8
wd6*
l,1dbB
kJnYW
	n+'
K&%v,=
#&=c3
Hb:t
y\$>L
w2<5!
nAC{r{
UNl
LrbX
$w2~
MEOE
g30#
r4O[]!_Z
 DGF
cwo~{
U_XY
8JO9
U`n	mx
580i
WNuE
yj[D
F@'z
ZtWh3
7?G}V
LqFy
kItm
bLr7>
tN7`Sf
S$>q
fY2OWb
#.	o;
?(8a
MY]S
*+d:
r_lu
WTR2t
@DtL
|=*V
(	L[
B\D]K
P46{
-lWE@
6OQ|vf
)S~D
&*m"cf
`VoQ-G
@a|rw
Z3p~
g`wZ
v.@e1|
-|dl
9<J.
6Z5a0'
!z'5
|zmN
%ZwWUh
\">pZ
cT(W
6	vo
C(A-U
<qJr
6Nki
Ga^b
DAC6Y
0&D]
`lL/
cAin Vo
iLtj
P@, @
u@PE
CVenGlem
oUdotmLSm
tm_xY
esd2
dxlRyma
KrsoPl
evA.eca
s=t6
W]By
Z7|w
3m:t
b^>F
Kv,8
q_NSu}
"D^;F	|
2U':/
jWPwe1
^GHxG
Bi9E
ccba
;o$@ Mf
+UAtDd
L59['
vSxS J7za=
^dfm
X=-Z
./u&
brvW
"g5b
j$e,
	FDYg
"Y#4_J*
y:&n
s_/y
}<3'
O=1W
;Bq6
$@3^~
%06$}
Nr49Il_b
BHZwm
%X;Z
til2M
O+/e
Os-KQ
Vi[j
LMkW
zT&O<
a`[+
gQ+1A
Q`uk
N#$U1
XNY9
|0	^
1SXz
_GUR7!
?t.
EhqS
v+g8
D|wwH
Qx6z
E'-T
Rk-\
K31X
DtM@_
'Ad?
Sn`18
ZDFd
`~rq=7O
F,S]
Tn:)
[;bI
d$8VJ
n7zn
Lsc Yo
ta/TMW
nisps
ILhn)
PYit
demi
FmTt
rent&CdeeyeN
LliEd
ueens
oiD2Her
-w'r7
<@GGg
;oh\
v	z8~C`
Ha"b
;%W2
!8c%
LN!4Q_!&,Wi]
geT6
33Uf"
X2;brZ
]np9
5FP{
I*yN
Z@}H
L9)tG
bs8L
&F,?
<!f?
:L(e
U^A]'9
z=	?
H#zi
N>E~
<b :
~O'E#6El
H]y""x
j[dCf
kiGU
f3G/
Q%Xc
vtd=W
tQP]
|;5{
hlq>^
4\yj
oF||
>;-q1
! R7
mm6.^.
V\pnG
wfq:
@WT!
"hv|
V4q-
gk6q
4-$y
Seyd>_
l,y[
:B%c/
rIDu
7D}*
2d3o=CI
|:(w
6ZD`
IJx})
Uf_B
U?sx
!.]R
YJ56
});i16
':Xu
b]9H
_Yshcz
		ZD
@hl_
v?MM
`hP'&
a'[E
r  n
##heonkFr\T
\wnLLp
rytAx
oGntte
eSepr&nGireeMlel
HaciCe
WU.geRr
grRyeo
ATlAlSaeSx
rLG^!
2!7!
e&tev
/a$Dp
ts6I
Fc/X
oP2M^V
gAh6Xb
9cM3
,T-8
I7Nk
v6FJ
w~3L
*v\C]
4o)I
c=dQ
"rOn
D[\^
Rx)B
uu^p"
~L3h
w|@w
pR]N
Nv`,
S)v1
8I*M
1pwS
`Y*n
wgG"u
qjw}q*SZ
FWpz
cP:/3
 SKN
Fx1C
)mP:
_TQ\
)50<=cB
eD'L
N'p/l
sVBT
%'My
~#W#z
Va;m
5s,9C
v1q1
Y(#G
;+uT
Y2um7E"
EP$5
C:[&a
W#5Na+4
R<I7
S9 f*
#G +
C1>2
LRKbi
*r"*
^+QS
(`5f!
RT@L
Lwmv
)4?H
W)1w+
_Q?7O
3Wu6
>hron
oourn
iAotLiiii
HEdxwR
VxQu
nkleuPeI
SohleL
fr $ u~'
$3[g
'oU->
ULaX8
bkWE
FVQ&
!.Pg,2
Mx;v
}p*c
DRy4
aK3@2
jXa
/<0=
-2VX
ihVC"
X	7o
h4Ur
hy	G
pA.w
U~=Q
>IgGf
	g6{V
mw8^}
:yA~
WfsT
HvB/
L V#`
\:g0
~tOS
+$/P
||_+
`\Q}
3Tng
,b1{
[.sH
UJvvQmpx
F?Cpt
OY<}
f@g9u*
Q_#nC
mKZ
mgLg
((S}
G\mm
9	GV
3:rR
`\F"%Y
oarD
#c__xs
Woi\tW
uvUS7
nlRe
eCt.s
NoMi
FlEstdi
AmaoEaAoap%lo
 [lCeeV
PkLvad
VlGlPhcHd
ue!!>
>,=d9
NXEc
*WA8
j]Al
?LH`
QW+M4
0{!lT
:IR*
gH!`
3ZXM
u[@Q
CM@3VW
:{g2EA
Iu$iu
H\\e=
DbV%
~&J)
o~b1
<bXM7
	 Nn
"F&!
R8uK
ff!D
9w'<
[/{N
&lw',
9!H"
`8#%
,TMk
yn+V
s`kF
;fm $g
X?:Db
KUNw
lr+d
[^^,
+%Ng%
HPP7
[crX
_8bMZEa
^8p$
X|7q
"?bx
U4)vH;
(uoPQ
f]+-f
_u4'
D#J)zg
vb+3
IrMF
gB>U<Ft
GY"w
^)wM''
0rCv
pWeie
sy.uhOctNr
ps/rg@
3=_^
ireeee
IaelA
leee<
DoTl
riPseoF
rguti
C*=pDs0
.B[#
zrRg
Yk8e
/(p(
]aWU
Mh,7
6WYr?
$lx.
R,vMP-
R^\z
:Fr,
{sL\
&VNk
d*,/
8@~^
?_Ca
{a<b
GV]9
xu],
C5Y|
=t2J
pnxb
{U2_
E]*@
m\R:6
q]:C
"0W;K
1#Pu{Q&
d=	s
'R'*
%H-;>
}[bi
Nq2(
waqa
IxY]
J.w<
mDL9
:h.%N
v$hH
l7}?
WCt{L
2R3&
KVfu
M"gZ
8 c%
B5v?
@tUCh|
ewh}g
ZXfL:
O$2/t
	Mo<
4;7D
I_vFV
):z"
bEA@(e
>l/.45
$Jn$]
<Gg`
p/rU
7~*67~#
h<oA
%dhA
5`tA
%|hA
upWjd
=`tA
=lhA
WWWW
Wh@oA
5@oA
Md_3
jdVU
jdVU
_^][
<$Xf
=,uA
YQPVh
oV f
o^0f
of@f
onPf
ov`f
o~pf
5(vA
=$vA
8csm
h$TA
hdAA
hPAA
$LAA
hlAA
YhtAA
VVVVV
PPPPP
<v8V
VVVVV
VVVVV
VVVVV
S99t
=|HA
=xHA
t$<"u	3
5$uA
=dxA
5$uA
>=Yt1j
tNVSP
PPPPP
5$uA
%$uA
Y[_^
5dxA
%dxA
>"u&
< tK<	tG
5txA
5\xA
@@f9
@@f9
SSS+
@PWSS
t!SS
jTh(fA
j@j ^V
[j@j
h|ZA
hHfA
t$h|ZA
hpfA
Y__^[
9csm
QSVW
_^[]
Y_^[
Y_^[
5$~A
t+Ht
PPPPP
h8gA
5D~A
=H~A
hH[A
h<[A
$,[A
5X~A
5H~A
0SSSSS
_^[]
_^[]
0SSSSS
0SSSSS
_^[]
VVVVV
hXgA
0A@@Ju
95\~A
hxgA
E`~A
t	VP
u,9E
Y_^[]
_^[]
Fpt"
ueSj
@_^[
 VW}
j?^;
URPQQh
L$,3
UVWS
[_^]
SVWj
hg!A
_^[]
WWWWW
u8SS3
9] u
5D@A
9]$SS
5@@A
t)9]
t"SS9]
9] u
5H@A
5D@A
9] SS
WWWWW
uaVj
uL9=
h8hA
wIVSP
FVSj
v$;5
PPPPPPPP
t&:a
PPPPPPPP
SVWUj
]_^[
;t$,v-
UQPXY]Y[
WWWWV
t<Vj
t+WWVPV
WWWWW
<Xt
u+9u
v	N+D$
^_[3
%T@A
9TN?$
(@Z+)
l9|JVY
whW;Fq
iO<pv&=
vo1G

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
strcat
CorExitProcess
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
GetSystemTimeAsFileTime
GetVersion
GetTickCount
WriteFile
GetProcAddress
TlsAlloc
CloseHandle
DeviceIoControl
SetFilePointer
QueryPerformanceCounter
GetModuleHandleA
GetCommandLineA
GetModuleHandleW
KERNEL32.dll
UpdateWindow
ShowWindow
CreateWindowExA
LoadStringA
LoadIconA
wsprintfA
EndPaint
BeginPaint
DefWindowProcA
RegisterClassExA
LoadIconW
GetSystemMetrics
DispatchMessageA
TranslateMessage
TranslateAcceleratorA
GetMessageA
USER32.dll
RegOpenKeyExA
ADVAPI32.dll
GetStartupInfoA
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent
Sleep
ExitProcess
GetStdHandle
GetModuleFileNameA
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
WideCharToMultiByte
GetLastError
GetEnvironmentStringsW
SetHandleCount
GetFileType
DeleteCriticalSection
TlsGetValue
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
HeapCreate
VirtualFree
HeapFree
GetCurrentProcessId
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapAlloc
VirtualAlloc
HeapReAlloc
RtlUnwind
HeapSize
GetLocaleInfoA
LCMapStringA
MultiByteToWideChar
LCMapStringW
GetStringTypeA
GetStringTypeW
DDDDDDDDDD
DDDDDDDDDD
DDDDDDDDDD
DDDDDDDDDD
DDDDD
DDDDD