Analysis Date: 2016-02-09 20:47:03
MD5: 5a7369f1838fdfabc839f91652cae450
SHA1: a026b516f2de7baf965c490ccb75ab1e806e2e7b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 31d3d1934b8a54b05cf0766182f0569f sha1: 9e4f5af690c79daab24970e24e64ae32d887171e size: 193536
Section .rdata  md5: 11000a1bfff9e9d9fee03394e4819a0f sha1: 622cf5cd968e63bb11c7273f305b139b5b28ebc6 size: 19456
Section .data  md5: 07b5472d347d42780469fb2654b7fc54 sha1: 943ae54f4818e52409fbbaf60ffd71318d966b0d size: 512
Section .reloc  md5: 877582721fbf5e2a37152019c9d0f0c5 sha1: 7f9edebb0b169d7cbddcd947768ee89b477d1d2d size: 31232
Timestamp: 2016-01-06 15:57:23
PEhash: 48916e3935bf89021a9c47db484beed62d974781
IMPhash: 77eb148c501f9a7d047c92d1b47b7cea
AV CA (E-Trust Ino): No Virus
AV Rising: No Virus
AV Mcafee: Trojan-FHPX!5A7369F1838F
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Razy.12226
AV Alwil (avast): Evo-gen [Susp]
AV Eset (nod32): Win32/Bayrob.AT.gen
AV Grisoft (avg): Win32/Heur
AV Symantec: Trojan.Bayrob!gen6
AV Fortinet: W32/Bayrob.AQ!tr
AV BitDefender: Gen:Variant.Razy.12226
AV K7: Trojan ( 004db0c61 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DA
AV MicroWorld (escan): Gen:Variant.Kazy.788903
AV MalwareBytes: No Virus
AV Authentium: W32/Nivdort.G.gen!Eldorado
AV Emsisoft: Gen:Variant.Razy.12226
AV Frisk (f-prot): W32/Nivdort.G.gen!Eldorado
AV Ikarus: Trojan.Win32.Bayrob
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Bayrob.rwu
AV Trend Micro: No Virus
AV VirusBlokAda (vba32): No Virus
AV CAT (quickheal): No Virus
AV BullGuard: Gen:Variant.Kazy.788903
AV Arcabit (arcavir): Gen:Variant.Razy.12226
AV ClamAV: No Virus
AV Dr. Web: BackDoor.MaosBoot.3133
AV F-Secure: Gen:Variant.Razy.12226

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\etufeydlmyueemj\wa1lnivhwmhdgd7zlk.exe
Creates File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates File: C:\etufeydlmyueemj\wydvuvfnkcak
Deletes File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates Process: C:\etufeydlmyueemj\wa1lnivhwmhdgd7zlk.exe

Process
↳ C:\etufeydlmyueemj\wa1lnivhwmhdgd7zlk.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Profile Diagnostic Logon Controls Call Studio ➝ C:\etufeydlmyueemj\slfsztori.exe
Creates File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates File: C:\etufeydlmyueemj\bfff8t3nsx
Creates File: PIPE\lsarpc
Creates File: C:\etufeydlmyueemj\wydvuvfnkcak
Creates File: C:\etufeydlmyueemj\slfsztori.exe
Deletes File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates Process: C:\etufeydlmyueemj\slfsztori.exe
Creates Service: Level TP WLAN Reporting Service Drive - C:\etufeydlmyueemj\slfsztori.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ Pid 804

Process
↳ Pid 852

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ Pid 1852

Process
↳ Pid 1132

Process
↳ C:\etufeydlmyueemj\slfsztori.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates File: C:\etufeydlmyueemj\bfff8t3nsx
Creates File: C:\etufeydlmyueemj\c2jdalq7xmm
Creates File: C:\etufeydlmyueemj\tskdcleeiyqz.exe
Creates File: C:\etufeydlmyueemj\wydvuvfnkcak
Creates File: \Device\Afd\Endpoint
Deletes File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates Process: zjdva8ctkpr5 "c:\etufeydlmyueemj\slfsztori.exe"

Process
↳ C:\etufeydlmyueemj\slfsztori.exe

Creates File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates File: C:\etufeydlmyueemj\wydvuvfnkcak
Deletes File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak

Process
↳ zjdva8ctkpr5 "c:\etufeydlmyueemj\slfsztori.exe"

Creates File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak
Creates File: C:\etufeydlmyueemj\wydvuvfnkcak
Deletes File: C:\WINDOWS\etufeydlmyueemj\wydvuvfnkcak

Network Details:

DNS: crowdnation.net (Type: A) ➝ 107.191.99.114
DNS: crowdnation.net (Type: A) ➝ 167.114.213.199
DNS: crowdnation.net (Type: A) ➝ 107.161.23.204
DNS: crowdcondition.net (Type: A) ➝ 195.22.28.198
DNS: crowdcondition.net (Type: A) ➝ 195.22.28.199
DNS: crowdcondition.net (Type: A) ➝ 195.22.28.196
DNS: crowdcondition.net (Type: A) ➝ 195.22.28.197
DNS: smokenation.net (Type: A) ➝ 195.22.28.197
DNS: smokenation.net (Type: A) ➝ 195.22.28.198
DNS: smokenation.net (Type: A) ➝ 195.22.28.199
DNS: smokenation.net (Type: A) ➝ 195.22.28.196
DNS: melbourneit.hotkeysparking.com (Type: A) ➝ 8.5.1.16
DNS: partynation.net (Type: A) ➝ 72.52.4.91
DNS: freshpower.net (Type: A) ➝ 195.149.84.101
DNS: freshpower.net (Type: A) ➝ 195.149.84.100
DNS: memberfamous.net (Type: A) ➝ 208.100.26.234
DNS: crowdpower.net (Type: A) ➝ 162.244.253.117
DNS: thoughtpower.net (Type: A) ➝ 23.229.204.192
DNS: waterpower.net (Type: A) ➝ 69.172.201.208
DNS: smokecentury.net (Type: A) ➝ 195.22.28.198
DNS: smokecentury.net (Type: A) ➝ 195.22.28.199
DNS: smokecentury.net (Type: A) ➝ 195.22.28.196
DNS: smokecentury.net (Type: A) ➝ 195.22.28.197
DNS: womanpower.net (Type: A) ➝ 72.52.4.120
DNS: partypower.net (Type: A) ➝ 207.148.248.143
DNS: fightpower.net (Type: A) ➝ 64.99.80.30
DNS: smokedifferent.net (Type: A) ➝ 46.30.212.205
DNS: membernation.net (Type: A)
DNS: followsoldier.net (Type: A)
DNS: membersoldier.net (Type: A)
DNS: followplease.net (Type: A)
DNS: memberplease.net (Type: A)
DNS: followcondition.net (Type: A)
DNS: membercondition.net (Type: A)
DNS: beginnation.net (Type: A)
DNS: knownnation.net (Type: A)
DNS: beginsoldier.net (Type: A)
DNS: knownsoldier.net (Type: A)
DNS: beginplease.net (Type: A)
DNS: knownplease.net (Type: A)
DNS: begincondition.net (Type: A)
DNS: knowncondition.net (Type: A)
DNS: summernation.net (Type: A)
DNS: summersoldier.net (Type: A)
DNS: crowdsoldier.net (Type: A)
DNS: summerplease.net (Type: A)
DNS: crowdplease.net (Type: A)
DNS: summercondition.net (Type: A)
DNS: thoughtnation.net (Type: A)
DNS: waternation.net (Type: A)
DNS: thoughtsoldier.net (Type: A)
DNS: watersoldier.net (Type: A)
DNS: thoughtplease.net (Type: A)
DNS: waterplease.net (Type: A)
DNS: thoughtcondition.net (Type: A)
DNS: watercondition.net (Type: A)
DNS: womannation.net (Type: A)
DNS: womansoldier.net (Type: A)
DNS: smokesoldier.net (Type: A)
DNS: womanplease.net (Type: A)
DNS: smokeplease.net (Type: A)
DNS: womancondition.net (Type: A)
DNS: smokecondition.net (Type: A)
DNS: fightnation.net (Type: A)
DNS: partysoldier.net (Type: A)
DNS: fightsoldier.net (Type: A)
DNS: partyplease.net (Type: A)
DNS: fightplease.net (Type: A)
DNS: partycondition.net (Type: A)
DNS: fightcondition.net (Type: A)
DNS: freshcentury.net (Type: A)
DNS: experiencecentury.net (Type: A)
DNS: freshfamous.net (Type: A)
DNS: experiencefamous.net (Type: A)
DNS: experiencepower.net (Type: A)
DNS: freshcountry.net (Type: A)
DNS: experiencecountry.net (Type: A)
DNS: gentlemancentury.net (Type: A)
DNS: alreadycentury.net (Type: A)
DNS: gentlemanfamous.net (Type: A)
DNS: alreadyfamous.net (Type: A)
DNS: gentlemanpower.net (Type: A)
DNS: alreadypower.net (Type: A)
DNS: gentlemancountry.net (Type: A)
DNS: alreadycountry.net (Type: A)
DNS: followcentury.net (Type: A)
DNS: membercentury.net (Type: A)
DNS: followfamous.net (Type: A)
DNS: followpower.net (Type: A)
DNS: memberpower.net (Type: A)
DNS: followcountry.net (Type: A)
DNS: membercountry.net (Type: A)
DNS: begincentury.net (Type: A)
DNS: knowncentury.net (Type: A)
DNS: beginfamous.net (Type: A)
DNS: knownfamous.net (Type: A)
DNS: beginpower.net (Type: A)
DNS: knownpower.net (Type: A)
DNS: begincountry.net (Type: A)
DNS: knowncountry.net (Type: A)
DNS: summercentury.net (Type: A)
DNS: crowdcentury.net (Type: A)
DNS: summerfamous.net (Type: A)
DNS: crowdfamous.net (Type: A)
DNS: summerpower.net (Type: A)
DNS: summercountry.net (Type: A)
DNS: crowdcountry.net (Type: A)
DNS: thoughtcentury.net (Type: A)
DNS: watercentury.net (Type: A)
DNS: thoughtfamous.net (Type: A)
DNS: waterfamous.net (Type: A)
DNS: thoughtcountry.net (Type: A)
DNS: watercountry.net (Type: A)
DNS: womancentury.net (Type: A)
DNS: womanfamous.net (Type: A)
DNS: smokefamous.net (Type: A)
DNS: smokepower.net (Type: A)
DNS: womancountry.net (Type: A)
DNS: smokecountry.net (Type: A)
DNS: partycentury.net (Type: A)
DNS: fightcentury.net (Type: A)
DNS: partyfamous.net (Type: A)
DNS: fightfamous.net (Type: A)
DNS: partycountry.net (Type: A)
DNS: fightcountry.net (Type: A)
DNS: freshsurprise.net (Type: A)
DNS: experiencesurprise.net (Type: A)
DNS: freshbeside.net (Type: A)
DNS: experiencebeside.net (Type: A)
DNS: freshletter.net (Type: A)
DNS: experienceletter.net (Type: A)
DNS: freshdifferent.net (Type: A)
DNS: experiencedifferent.net (Type: A)
DNS: gentlemansurprise.net (Type: A)
DNS: alreadysurprise.net (Type: A)
DNS: gentlemanbeside.net (Type: A)
DNS: alreadybeside.net (Type: A)
DNS: gentlemanletter.net (Type: A)
DNS: alreadyletter.net (Type: A)
DNS: gentlemandifferent.net (Type: A)
DNS: alreadydifferent.net (Type: A)
DNS: followsurprise.net (Type: A)
DNS: membersurprise.net (Type: A)
DNS: followbeside.net (Type: A)
DNS: memberbeside.net (Type: A)
DNS: followletter.net (Type: A)
DNS: memberletter.net (Type: A)
DNS: followdifferent.net (Type: A)
DNS: memberdifferent.net (Type: A)
DNS: beginsurprise.net (Type: A)
DNS: knownsurprise.net (Type: A)
DNS: beginbeside.net (Type: A)
DNS: knownbeside.net (Type: A)
DNS: beginletter.net (Type: A)
DNS: knownletter.net (Type: A)
DNS: begindifferent.net (Type: A)
DNS: knowndifferent.net (Type: A)
DNS: summersurprise.net (Type: A)
DNS: crowdsurprise.net (Type: A)
DNS: summerbeside.net (Type: A)
DNS: crowdbeside.net (Type: A)
DNS: summerletter.net (Type: A)
DNS: crowdletter.net (Type: A)
DNS: summerdifferent.net (Type: A)
DNS: crowddifferent.net (Type: A)
DNS: thoughtsurprise.net (Type: A)
DNS: watersurprise.net (Type: A)
DNS: thoughtbeside.net (Type: A)
DNS: waterbeside.net (Type: A)
DNS: thoughtletter.net (Type: A)
DNS: waterletter.net (Type: A)
DNS: thoughtdifferent.net (Type: A)
DNS: waterdifferent.net (Type: A)
DNS: womansurprise.net (Type: A)
DNS: smokesurprise.net (Type: A)
DNS: womanbeside.net (Type: A)
DNS: smokebeside.net (Type: A)
DNS: womanletter.net (Type: A)
DNS: smokeletter.net (Type: A)
DNS: womandifferent.net (Type: A)
DNS: partysurprise.net (Type: A)
HTTP GET: http://crowdnation.net/index.php
User-Agent:
HTTP GET: http://crowdcondition.net/index.php
User-Agent:
HTTP GET: http://smokenation.net/index.php
User-Agent:
HTTP GET: http://smokecondition.net/index.php
User-Agent:
HTTP GET: http://partynation.net/index.php
User-Agent:
HTTP GET: http://freshpower.net/index.php
User-Agent:
HTTP GET: http://memberfamous.net/index.php
User-Agent:
HTTP GET: http://crowdpower.net/index.php
User-Agent:
HTTP GET: http://thoughtpower.net/index.php
User-Agent:
HTTP GET: http://waterpower.net/index.php
User-Agent:
HTTP GET: http://smokecentury.net/index.php
User-Agent:
HTTP GET: http://womanpower.net/index.php
User-Agent:
HTTP GET: http://partypower.net/index.php
User-Agent:
HTTP GET: http://fightpower.net/index.php
User-Agent:
HTTP GET: http://smokedifferent.net/index.php
User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 107.191.99.114:80
Flows TCP: 192.168.1.1:1032 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1033 ➝ 195.22.28.197:80
Flows TCP: 192.168.1.1:1034 ➝ 8.5.1.16:80
Flows TCP: 192.168.1.1:1035 ➝ 72.52.4.91:80
Flows TCP: 192.168.1.1:1036 ➝ 195.149.84.101:80
Flows TCP: 192.168.1.1:1037 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1038 ➝ 162.244.253.117:80
Flows TCP: 192.168.1.1:1039 ➝ 23.229.204.192:80
Flows TCP: 192.168.1.1:1040 ➝ 69.172.201.208:80
Flows TCP: 192.168.1.1:1041 ➝ 195.22.28.198:80
Flows TCP: 192.168.1.1:1042 ➝ 72.52.4.120:80
Flows TCP: 192.168.1.1:1043 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1044 ➝ 64.99.80.30:80
Flows TCP: 192.168.1.1:1045 ➝ 46.30.212.205:80
