Analysis Date: 2016-11-14 00:39:21
MD5: c21d39446ef5708bc3b911ab906642cb
SHA1: acab15ed1ad5a02a0c89f3700bf8040373353edc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: fe8058e4006fca7424c964cccc1e0237 sha1: 6a90136fb23058090fc0ffd82a69e9bae3bed020 size: 56320
Section .data  md5: 9c9b446a02daa6409c23262139d48cb7 sha1: f300ed7e2b5e7456aaf2f227122fe4346407e8c0 size: 10240
Section .xcpad md5: (none) sha1: (none) size: (none) — no hash or size reported; the section may have no raw data on disk (verify in the section table)
Section .idata md5: (none) sha1: (none) size: (none) — no hash or size reported; the section may have no raw data on disk (verify in the section table)
Section .reloc md5: fdc06e68335f8a545300a2c7ab51f1ed sha1: 6a9130e2568041133996f765c28eda61eb3cad44 size: 5120
Section .rsrc  md5: 61fb2ab043e33ec214eefc8d3e2a5f91 sha1: 8bd2b04e0bda2ce7cd36a8ef3af990012593a364 size: 11776 (FindResourceA/LoadResource/LockResource/SizeofResource are imported, so the dropped MediaCenter.exe is plausibly carved from this section — confirm by extracting the resources)
Timestamp: (not reported)
Version info (all fields empty — no vendor metadata to pivot on):
LegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer: Microsoft Visual C++ ?.? (this is a compiler signature, not a packer; the MSVC CRT runtime-error strings in the Strings section are consistent with an unpacked build)
PEhash: (not reported)
IMPhash: 4511896d043677e4ab4578dc5bcab5a0 (usable for hunting related builds — the import table is in the clear, see the import-name strings below)
AV results (detection names cluster on Sakurel and Diofopi; two engines report clean and one failed to scan, which is an error rather than a clean verdict):
AV: 360 Safe — No Virus
AV: Ad-Aware — Gen:Variant.Zusy.186211
AV: Alwil (avast) — Malware-gen
AV: Alwil (avast) — Win32:Malware-gen
AV: Arcabit (arcavir) — Gen:Variant.Zusy.186211
AV: Authentium — W32/A-1ec329e0!Eldorado
AV: Avira (antivir) — TR/Dropper.Gen7
AV: BitDefender — Gen:Variant.Zusy.186211
AV: BullGuard — Gen:Variant.Zusy.186211
AV: CA (E-Trust Ino) — Gen:Variant.Zusy.186211
AV: CAT (quickheal) — Trojan.Diofopi.MUE.E5
AV: ClamAV — Win.Trojan.Agent-1368218
AV: Dr. Web — Trojan.DownLoad3.22515
AV: Emsisoft — Gen:Variant.Zusy.186211
AV: Eset (nod32) — Win32/Shyape.G
AV: F-Secure — Gen:Variant.Zusy.186211
AV: Fortinet — W32/Generic.AC.1CFBE1!tr
AV: Frisk (f-prot) — No Virus
AV: Grisoft (avg) — Generic32.CQJL
AV: Ikarus — Trojan.Win32.Scar
AV: K7 — Trojan ( 0043a4491 )
AV: Kaspersky — Trojan-Dropper.Win32.Agent.bjrkpr
AV: MalwareBytes — Trojan.Agent
AV: Mcafee — GenericRXAB-QS!C21D39446EF5
AV: MicroWorld (escan) — Gen:Variant.Zusy.186211
AV: Microsoft Security Essentials — Trojan:Win32/Sakurel.B!dha
AV: Rising — Trojan.Win32.Generic.1483099E
AV: SUPERAntiSpyware — Error Scanning File (scan error, not a verdict)
AV: Symantec — Trojan.Sakurel
AV: Trend Micro — BKDR_DIOFOPI.SM
AV: Twister — Trojan.F5D4D60C125C8750
AV: VirusBlokAda (vba32) — Trojan.Scar
AV: Windows Defender — Trojan:Win32/Sakurel.B!dha
AV: Zillya! — Trojan.Scar.Win32.79088

Runtime Details:

Screenshot: (none shown)

Process
↳ C:\acab15ed1ad5a02a0c89f3700bf8040373353edc.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest (standard Windows file; most likely opened rather than created — not an indicator)
Creates File: C:\DOCUME~1\Admin\Local Settings\Temp\MicroMedia\MediaCenter.exe (dropped second-stage payload; the trace logs the write twice)
Creates File: C:\acab15ed1ad5a02a0c89f3700bf8040373353edc.exe (the sample's own path — probably its own image being reopened/rewritten; verify against the API log before treating it as a drop)
Creates File: C:\DOCUME~1\Admin\Local Settings\Temp\MicroMedia\MediaCenter.exe
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroMedia ➝ C:\DOCUME~1\Admin\Local Settings\Temp\MicroMedia\MediaCenter.exe\\x00 (trailing \\x00 is the terminator as logged)
  Persistence: machine-wide autorun of the dropped payload from %TEMP%. The HKLM write succeeds here only because the sandbox ran as "Admin"; the embedded manifest requests asInvoker, so on a standard-user account this write would fail unless the dropper falls back to HKCU — the string in the binary holds only the key suffix (SOFTWARE\Microsoft\Windows\CurrentVersion\Run\), not the hive, so test both. Detection idea: a Run value whose data points under a user's Temp directory.

Process
↳ C:\DOCUME~1\Admin\Local Settings\Temp\MicroMedia\MediaCenter.exe

Creates File: C:\WINDOWS\WindowsShell.Manifest (standard Windows file; most likely opened rather than created — not an indicator)
Creates File: C:\DOCUME~1\Admin\Local Settings\Temp\MicroMedia\rss.tmp (written beside the payload; the literal "rss.tmp" appears in the Strings section — contents not captured in this report)
Creates File: C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Admin\Cookies\index.dat
Creates File: C:\Documents and Settings\Admin\Local Settings\History\History.IE5\index.dat
  (the three index.dat files are WinINet initialising its cache, an expected side effect of the WININET.dll imports — not sample-specific artefacts)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Directory ➝ C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\\x00
  (this and the Cache\Paths\* writes below are WinINet setting up its cache on first use — an expected side effect of the WININET.dll imports, not attacker-chosen persistence; do not use them as indicators)
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\Paths ➝ 4
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CachePath ➝ C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache1\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CachePath ➝ C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache2\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CachePath ➝ C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache3\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CachePath ➝ C:\Documents and Settings\Admin\Local Settings\Temporary Internet Files\Content.IE5\Cache4\\x00
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1\CacheLimit ➝ 81830
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2\CacheLimit ➝ 81830
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3\CacheLimit ➝ 81830
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4\CacheLimit ➝ 81830
Creates Mutex: _!MSFTHISTORY!_
Creates Mutex: c:!documents and settings!admin!local settings!temporary internet files!content.ie5!
Creates Mutex: c:!documents and settings!admin!cookies!
Creates Mutex: c:!documents and settings!admin!local settings!history!history.ie5!
Creates Mutex: WininetStartupMutex
Creates Mutex: (no name reported)
Creates Mutex: WininetProxyRegistryMutex
Creates Mutex: (no name reported)
Creates Mutex: RasPbFile
  (every named mutex above is a standard WinINet/RAS mutex created by the HTTP client library; no sample-specific mutex was observed, so none of these should be used as an IOC)

Network Details: (none captured — no DNS or HTTP traffic was observed during the run, even though the binary imports WININET (InternetOpenUrlA/HttpOpenRequestA/HttpSendRequestA) and carries "http://", "POST" and query-string templates in its strings; the C2 host may have been unreachable or the beacon may fire after the sandbox timeout — rerun with a longer timeout and simulated network before concluding the sample is inert)


Raw Pcap: (empty)

Strings (extracted ASCII; most of this is code bytes and MSVC CRT text — the behaviour-relevant strings start at "rss.tmp" and are annotated inline)
t	<Vt
L$!SQ
L$!f
SUVj
5`GA
^][_3
=`GA
=`GA
9=`GA
PhdGA
5`GA
h`DA
h`EA
h`FA
-`DA
-`FA
SUVW
t	<Yt
PUVh`EA
t	<Yt
jPRP
tJWVj
_^][3
h`FA
h`DA
_^]3
QSWV
<8\t
T$!j
L$4Q
htGA
T$<R
D$,3
D$(P
L$(Q
T$(R
D$HUP
L$@Q
D$ h
D$0P
L$DQUUUj
<+WQ
RVWP
_^][3
L$@Q
t}Pj
jDPh
L$$Q
T$0Rh
UUUWUU
_][2
<+WR
PVWQ
h,1A
t	<$t
D$,P
_][^3
QVUW
D$ P
Ph^1A
h,1A
SUV3
QVVVVVVh
T$LR
D$ Ph
_^][3
SSSSS
=xYA
hxYA
=|YA
h|YA
5pYA
5lYA
5pYA
5lYA
h&7@
^WWWWW
=\YA
t	VP
;5LYA
SSSSS
t!9}
WWWW
VVVV
PPPPP
t79u
t29u
VVVVV
SVW3
t$9}
WWWWW
t)9u
VVVVV
SSSSS
VVVVV
VVVVV
WWWWW
_^[]
WWWWW
=<:A
YQPVh
58;A
=4;A
%(;A
-$;A
PPPPP
@u^V
, <Xw
t%HHt
HHtXHHt
HHty+
RPSW
90tV
>If90t
WSj0
WSj
5d=A
5l=A
5t=A
5p=A
=h=A
=l=A
=p=A
5p=A
5l=A
5h=A
5l=A
5p=A
5t=A
teh<[@
5h=A
5p=A
VVVVV
PPPPP
<v8V
VVVVV
VVVVV
VVVVV
QSVW
5pYA
5lYA
_^[]
Y_^[
Y_^[
Y__^[
9csm
=`YA
t h`YA
h|f@
S99t
t+Ht
PPPPP
h(	A
WVS3
ueSj
=XYA
5DYA
5HYA
5DYA
5HYA
@_^[
 VW}
j?^;
5@YA
=(:A
5 IA
=x&A
<at9<rt,<wt
SSSSS
tVHtG
tEHt1
uF	}
u'	}
>=upF
SSSSS
hH	A
;5@YA
URPQQh
L$,3
UVWS
[_^]
SVWj
_^[]
WWWWW
SSSSS
SSSSS
tl9]
tC9]
Ht$C
CC@@
Ht(f
CC+]
hh	A
VVVVV
VVVVV
0WWWWW
X_^]
VVVVV
VVVVV
VVhU
WWWWW
~,WPV
;5@YA
98t^
tVPV
t/9U
j@j ^V
[j@j
5 HA
WWWWW
WWWWW
8csm
9=tYA
5dYA
t$<"u	3
=tYA
54:A
54:A
>=Yt1j
tNVSP
PPPPP
54:A
%4:A
Y[_^
>"u&
< tK<	tG
5 :A
@@f9
@@f9
SSS+
@PWSS
t!SS
WWWWW
WWWWW
VVVVV
0A@@Ju
95,CA
E0CA
=tYA
=8.A
Y_^[]
_^[]
Fpt"
u,9E
^SSSSS
j"^SSSSS
QSWVj
v	N+D$
=tCA
5tCA
0SSSSS
_^[]
_^[]
0SSSSS
0SSSSS
_^[]
VVVVV
WWWWW
=\YA
;=@YA
SSSSS
tGHt.Ht&
^SSSSS
;t0;
8VVVVV
t(9u
SSSSS
SSSSS
ti9]
6f;p
r0f;p
tH9]
6f;H
r0f;H
u!f;
t	9]
SSSSS
SSSSS
tA9]
t_8]
t 9]
SVWUj
]_^[
;t$,v-
UQPXY]Y[
VW|[;
_^[]
VVVVV
j@j
95 .A
=D/A
= .A
5 .A
~%9M
QVj
r 8^
SSSSS
oV f
o^0f
of@f
onPf
ov`f
o~pf
u8SS3
9] u
9]$SS
t)9]
t"SS9]
9] u
9] SS
v$;5
PPPPPPPP
t&:a
tR:Q
t<:Q
t&:Q
PPPPPPPP
WWWWW
=\YA
uaVj
uL9=
=\YA
;5LYA
wIVSP
FVSj
WWWWW
<Xt
u+9u
SVW3
_^[u
VVVVV
VW9]
SSSSS
SSSSS
95HCA
u99u
VVVVV
WWWWV
t<Vj
t+WWVPV
^_[3
CorExitProcess
(null)
( 8PX
700WP
`h````
xpxxxx
EncodePointer
DecodePointer
FlsFree
FlsSetValue
FlsGetValue
FlsAlloc
runtime error
TLOSS error
SING error
DOMAIN error
R6034
An application has made an attempt to load the C runtime library incorrectly.
Please contact the application's support team for more information.
R6033
- Attempt to use MSIL code from this assembly during native code initialization
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
R6032
- not enough space for locale information
R6031
- Attempt to initialize the CRT more than once.
This indicates a bug in your application.
R6030
- CRT not initialized
R6028
- unable to initialize heap
R6027
- not enough space for lowio initialization
R6026
- not enough space for stdio initialization
R6025
- pure virtual function call
R6024
- not enough space for _onexit/atexit table
R6019
- unable to open console device
R6018
- unexpected heap error
R6017
- unexpected multithread lock error
R6016
- not enough space for thread data
This application has requested the Runtime to terminate it in an unusual way.
Please contact the application's support team for more information.
R6009
- not enough space for environment
R6008
- not enough space for arguments
R6002
- floating point support not loaded
Microsoft Visual C++ Runtime Library
<program name unknown>
Runtime Error!
Program:
UTF-8
UTF-16LE
UNICODE
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
('8PW
700PP
`h`hhh
xppwpp
GetProcessWindowStation
GetUserObjectInformationA
GetLastActivePopup
GetActiveWindow
MessageBoxA
USER32.DLL
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
 !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
HH:mm:ss
dddd, MMMM dd, yyyy
MM/dd/yy
December
November
October
September
August
July
June
April
March
February
January
Saturday
Friday
Thursday
Wednesday
Tuesday
Monday
Sunday
CONOUT$
SunMonTueWedThuFriSat
JanFebMarAprMayJunJulAugSepOctNovDec
rss.tmp   (note: matches the file MediaCenter.exe wrote under Temp\MicroMedia in Runtime Details)
http://
.jpg?resid=%d
=%s&type=%d&resid=%d
?resid=%d&photoid=   (note: the three lines above look like URL/query templates for the beacon, disguised as image requests — no traffic was captured to confirm)
iexplorer   (note: misspelt; possibly a User-Agent or a process name to mimic — unconfirmed)
HTTP/1.1
POST
.exe
%d_of_%d_for_%s_on_%s   (note: plausibly a victim/beacon identifier built from host data; GetComputerNameA, GetVolumeInformationA and GetUserNameA are imported — unconfirmed)
SOFTWARE\Microsoft\Windows\CurrentVersion\Run\   (note: the Run-key path written in Runtime Details; the hive is not part of the string)
cmd.exe /c
Self Process Id:%d
C:\windows\system32\cmd.exe
Create Child Cmd.exe Process Succeed!
Child ProcessId is %d   (note: the four lines above read like debug output for a cmd.exe child driven over pipes — CreatePipe/PeekNamedPipe are imported — i.e. a remote-shell capability)
Program Files (x86)   (note: likely used to detect a 64-bit host — see Playx64/PlayWin32 below; unconfirmed)
.dat
cmd.exe /c rundll32 "%s"   (note: loads a DLL through rundll32; Playx64/PlayWin32 look like export names selected by architecture — unconfirmed)
Playx64
PlayWin32
/c ping 127.0.0.1 & del /q "%s"   (note: self-deletion via a ping delay, a common clean-up idiom; pair with the parent/child cmd.exe relationship for detection)
cmd.exe
open   (note: likely the ShellExecuteA verb, which is imported below)
RSDS   (note: CodeView/PDB debug-info signature; the PDB path that normally follows it is not recovered in this dump)
'$4;
ExitProcess
GetComputerNameA
CreateFileA
GetFileSize
FindResourceA
SetPriorityClass
SetFilePointer
PeekNamedPipe
LoadResource
GetCurrentProcess
GetTickCount
GetCurrentThread
VirtualFree
ExpandEnvironmentStringsA
WriteFile
OpenProcess
WideCharToMultiByte
GetVolumeInformationA
Sleep
SizeofResource
CreateProcessA
TerminateProcess
ReadFile
GetSystemDirectoryA
MultiByteToWideChar
SetThreadPriority
CreateDirectoryA
GetStartupInfoA
FindFirstFileA
GetLastError
VirtualAlloc
FindClose
LockResource
CreatePipe
GetModuleFileNameA
GetVersionExA
WinExec
CloseHandle
GetCurrentProcessId
GetTempPathA
KERNEL32.dll   (note: the names above appear to be this module's import table — file, process, pipe and resource APIs plus WinExec/CreateProcessA for spawning cmd.exe/rundll32; no dynamic resolution is needed for them, which is why the IMPhash is meaningful)
OpenProcessToken
GetTokenInformation
RegSetValueExA
EqualSid
RegDeleteKeyA
AllocateAndInitializeSid
FreeSid
GetUserNameA
RegOpenKeyA
RegCloseKey
ADVAPI32.dll   (note: OpenProcessToken/GetTokenInformation/AllocateAndInitializeSid/EqualSid is the classic group-membership check, most likely an "is this process elevated/admin?" test before the HKLM Run write; RegSetValueExA/RegDeleteKeyA back the persistence seen in Runtime Details)
ShellExecuteA
SHChangeNotify
SHELL32.dll
InternetOpenUrlA
InternetConnectA
InternetReadFile
HttpOpenRequestA
HttpSendRequestA
InternetOpenA
InternetCloseHandle
WININET.dll   (note: HTTP client API for the beacon; no traffic was captured in this run — see Network Details)
GetModuleHandleW
GetProcAddress
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
GetCommandLineA
UnhandledExceptionFilter
SetUnhandledExceptionFilter
IsDebuggerPresent   (note: imported alongside the CRT start-up APIs in this group — UnhandledExceptionFilter, TlsAlloc, HeapCreate, GetStartupInfoA — which the MSVC CRT pulls in by default, so its presence alone is not evidence of anti-debugging)
TlsGetValue
TlsAlloc
TlsSetValue
TlsFree
InterlockedIncrement
SetLastError
GetCurrentThreadId
InterlockedDecrement
GetStdHandle
DeleteCriticalSection
LeaveCriticalSection
EnterCriticalSection
LoadLibraryA
InitializeCriticalSectionAndSpinCount
HeapCreate
HeapReAlloc
RtlUnwind
GetConsoleCP
GetConsoleMode
SetHandleCount
GetFileType
FreeEnvironmentStringsA
GetEnvironmentStrings
FreeEnvironmentStringsW
GetEnvironmentStringsW
QueryPerformanceCounter
GetCPInfo
GetACP
GetOEMCP
IsValidCodePage
HeapSize
GetLocaleInfoA
SetStdHandle
WriteConsoleA
GetConsoleOutputCP
WriteConsoleW
FlushFileBuffers
LCMapStringA
LCMapStringW
GetStringTypeA
GetStringTypeW
SetEndOfFile
GetProcessHeap

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ

abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
!!!x&9:7$$9#"3x59;
y&>9"9y
83!?;713x7%&
y ?3!&>9"9x7%&
?;713?2
32?7
38"3$x3.3
?5$9
32?7
3;&s
?5$9
32?7
>983/!3::
!!!x89$">&9:3$9#"3x59;
y&>9"9y
83!?;713x7%&
y ?3!&>9"9x7%&
?;713?2
32?7
38"3$x3.3
?5$9
32?7
3;&s
?5$9
32?7
>983/!3::
tVKCVEI
cKhMJO
cKeWI
cK`ARpKKH
GK@A
D@EPE
M@EPE
A@EPE
VAHKG
4rswuvN
4N$N
%PBL
TMJC
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
x.7h
IWRGVP
 IEHHKG
 IAIWAP
/!WTVMJPB
 BVAA
oavjah
1&cAPiK@QHAbMHAjEIAs
0&cAPiK@QHAbMHAjEIAe
1!sMJa\AG
>%a\MPtVKGAWW
 wHAAT
@%bVAAhMFVEV]eJ@a\MPpLVAE@
wlahh
mWqWAVeJe@IMJ
wlgVAEPAmPAIbVKItEVWMJCjEIA
%wLAHHa\AGQPAa\s
gKmJMPMEHM^A
gKcAPkFNAGP
qeg`HH
tHE]sMJ
tVKCVEI
cKhMJO
cKeWI
cK`ARpKKH
GK@A
D@EPE
M@EPE
A@EPE
VAHKG
rswuvp
TMJC
eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
x.7h
IWRGVP
 IEHHKG
 IAIWAP
/!WTVMJPB
 BVAA
oavjah
1&cAPiK@QHAbMHAjEIAs
0&cAPiK@QHAbMHAjEIAe
1!sMJa\AG
>%a\MPtVKGAWW
 wHAAT
@%bVAAhMFVEV]eJ@a\MPpLVAE@
wlahh
mWqWAVeJe@IMJ
wlgVAEPAmPAIbVKItEVWMJCjEIA
%wLAHHa\AGQPAa\s
gKmJMPMEHM^A
gKcAPkFNAGP
qeg`HH
tHE]\
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
    <security>
      <requestedPrivileges>
        <requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>PA
060w1
1$2/2M2W2a2s2
3Z3`3l3
3#4-4>4U4a4g4q4
4(5F5X5v5
6 6(616:6C6N6S6[6j6
7-7?7E7J7k7
7P8j8
8)919\9e9m9z9
:#:o:
;&;2;
<,<?<z<
<(=E=L=
>&>;>R>[>b>h>}>
?;?M?t?
40]0
0C1m1
1<2j2
3G3o3
6$61666<6E6N6V6a6f6k6p6z6
7"7'7,777<7D7J7S7X7_7e7
8:8V8|8
9B9k9q9
:):6:=:H:b:
; ;(;1;:;S;h;
;&<O<u<{<
>">:>@>I>`>h>v>
090?0q0
141E1P1x1
2!2K2w2
3g3{3
5f5n5
6%6:6z6
7Z9a9
:':v:|:
;+;b;s;
6h6m6w6
6P7V7\7b7h7n7u7|7
8!8'8=8D8N9U9
;-<@<[<
0 2O2t2W4S6W6[6_6c6g6k6o6|6
6`7j7w7
8/8c8i8t8
9+929J9V9\9h9w9}9
:4:I:o:
<&<p<w<
=)=?=J=O=Z=_=j=o=|=
>F>^>i>
?8?]?p?
0,020U0\0u0
242]2b2y2
4!4'4
6[7a7z7
70858:8?8O8~8
9"9)9.959:9
9B:Q:`:i:~:
< ?.?4?N?S?b?k?x?
030:0@0N0U0Z0c0p0v0
5p7{7
8A8S8a8v8
9D9S9
;K;k;
<8<C<y<
=a=m=y>^?t?
2?3N3
;a<*=[=q=
0(0K0
1?1X1_1g1l1p1t1
2N2T2X2\2`2
3!3K3}3
3H4\4}4
5T5^5
6"6t6z6
7E7t7
8>8H8`8
8;:A:P:]:f:
:J;U;_;p;{;.=?=G=M=R=X=
>">Y>
?=?J?V?^?f?r?
070u0
2#444n4{4
5%5I5
586U6
6	7(7
8)8E8N8T8]8b8q8
9/:{:
<%<1<h<q<}<
0/040L0R0a0g0v0|0
191	3
3=3u3
6/7H7O7W7\7`7d7
7>8D8H8L8P8
9;9m9t9x9|9
98:Y:e:
<P=c=
1R1{1
888s8
9%9`9|9
:':g:y:
;B;J;
<&<;<B<H<^<y<
>B>y>
0"1R1
5 6-8?8Q8s8
:/;D;
;$<\<
=$=H=k=
K0R0
1:2A2
4V5\5a5g5n5
1T2X2
7(7H7h7
8$8(80848P8\8x8
9 9<9@9`9
:(:H:h:
;(;H;h;t;
2$2,242<2D2h3l3p3t3x3|3
=h=x=
=0>4>8><>@>D>H>L>P>T>X>\>`>d>h>l>p>t>x>|>