Analysis Date: 2016-01-28 10:25:44
MD5: c6e917a0da635861f353f00e96c40b07
SHA1: c70c82e400dd819faaa6e86f889a24101c8a86d9

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 38d0efcd8e9e21dbb40f3c927f811b50 sha1: 3dc40d45092c318526f6045bbd615f9571b2314a size: 304128
Section .rdata: md5: a0a4a934660e39050103e1add9e5b450 sha1: eaff6b96647808e5516927906fb9c88e3ce5a4f2 size: 26112
Section .data: md5: 754ee35eed3c47364fb082cc4bb052dc sha1: 9b4c9d09a4e5e5533971959676e7edc41f4481f2 size: 19968
Section .reloc: md5: e8596e1aec2fcd67c47e0d21ee92b934 sha1: 7824d5077f9ee3210e330f071d7a71b4fe1e6bc6 size: 32768
Timestamp: 2014-03-11 19:41:17
Packer: Microsoft Visual C++ 8
PEhash: ba33358629c29d92eb99c795f84c034e440ece32
IMPhash: 971e6afcbf14d0e54e9625ac3d6f7149
AV Rising: No Virus
AV Mcafee: Trojan-FHSQ!C6E917A0DA63
AV Avira (antivir): No Virus
AV Twister: No Virus
AV Ad-Aware: Gen:Variant.Zusy.141475
AV Alwil (avast): No Virus
AV Eset (nod32): Win32/Bayrob.BJ
AV Grisoft (avg): No Virus
AV Symantec: No Virus
AV Fortinet: W32/Bayrob.BJ!tr
AV BitDefender: Gen:Variant.Zusy.141475
AV K7: Trojan ( 004dc2a31 )
AV Microsoft Security Essentials: TrojanSpy:Win32/Nivdort.DI
AV MicroWorld (escan): Gen:Variant.Zusy.141475
AV MalwareBytes: No Virus
AV Authentium: W32/Kazy.ES.gen!Eldorado
AV Frisk (f-prot): W32/Kazy.ES.gen!Eldorado
AV Ikarus: Trojan-Spy.Win32.Nivdort
AV Emsisoft: Gen:Variant.Zusy.141475
AV Zillya!: No Virus
AV Kaspersky: Trojan.Win32.Swizzor.e
AV Trend Micro: No Virus
AV CAT (quickheal): No Virus
AV VirusBlokAda (vba32): No Virus
AV BullGuard: Gen:Variant.Zusy.141475
AV Arcabit (arcavir): Gen:Variant.Zusy.141475
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV F-Secure: Gen:Variant.Zusy.141475
AV CA (E-Trust Ino): No Virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\hujfldlvtdcww\iqiewxvrr2hvdybvvn.exe
Creates File: C:\hujfldlvtdcww\sjc6yfcewiyc
Creates File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Deletes File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Creates Process: C:\hujfldlvtdcww\iqiewxvrr2hvdybvvn.exe

Process
↳ C:\hujfldlvtdcww\iqiewxvrr2hvdybvvn.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\BranchCache Play Management DCOM ➝ C:\hujfldlvtdcww\hldygcw.exe
Creates File: C:\hujfldlvtdcww\hldygcw.exe
Creates File: C:\hujfldlvtdcww\sjc6yfcewiyc
Creates File: PIPE\lsarpc
Creates File: C:\hujfldlvtdcww\z9bakaxxnbr8
Creates File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Deletes File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Creates Process: C:\hujfldlvtdcww\hldygcw.exe
Creates Service: Biometric Security Agent Management - C:\hujfldlvtdcww\hldygcw.exe

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Creates File: C:\WINDOWS\Prefetch\C70C82E400DD819FAAA6E86F889A2-20CA7E4F.pf
Creates File: C:\WINDOWS\Prefetch\CMD.EXE-087B4001.pf
Creates File: C:\WINDOWS\Prefetch\NET1.EXE-029B9DB4.pf
Creates File: C:\WINDOWS\Prefetch\EXPLORER.EXE-082F38A9.pf
Creates File: C:\WINDOWS\Prefetch\HLDYGCW.EXE-1565704C.pf
Creates File: C:\WINDOWS\Prefetch\IQIEWXVRR2HVDYBVVN.EXE-15D0C35E.pf
Creates File: C:\WINDOWS\Prefetch\USERINIT.EXE-30B18140.pf
Creates File: C:\WINDOWS\Prefetch\READER_SL.EXE-3614FA6E.pf
Creates File: C:\WINDOWS\Prefetch\monitor.exe-1949D260.pf
Creates File: C:\WINDOWS\Prefetch\HNHTAXLKBNF.EXE-1B5AA584.pf
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates File: C:\WINDOWS\Prefetch\svchost.EXE-0C867EC1.pf

Process
↳ Pid 1104

Process
↳ Pid 1204

Process
↳ Pid 1292

Process
↳ Pid 1852

Process
↳ Pid 164

Process
↳ C:\hujfldlvtdcww\hldygcw.exe

Creates File: pipe\net\NtControlPipe10
Creates File: C:\hujfldlvtdcww\lasbvxqeq
Creates File: C:\hujfldlvtdcww\sjc6yfcewiyc
Creates File: C:\hujfldlvtdcww\z9bakaxxnbr8
Creates File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Creates File: \Device\Afd\Endpoint
Creates File: C:\hujfldlvtdcww\hnhtaxlkbnf.exe
Deletes File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Creates Process: wpn1an2iqc6d "c:\hujfldlvtdcww\hldygcw.exe"

Process
↳ C:\hujfldlvtdcww\hldygcw.exe

Creates File: C:\hujfldlvtdcww\sjc6yfcewiyc
Creates File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Deletes File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc

Process
↳ wpn1an2iqc6d "c:\hujfldlvtdcww\hldygcw.exe"

Creates File: C:\hujfldlvtdcww\sjc6yfcewiyc
Creates File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc
Deletes File: C:\WINDOWS\hujfldlvtdcww\sjc6yfcewiyc

Network Details:

DNS: doctorready.net  Type: A  50.63.202.58
DNS: prettybrown.net  Type: A  198.71.232.3
DNS: doctorpeople.net  Type: A  157.7.188.129
DNS: prettypeople.net  Type: A  50.63.202.64
DNS: fellowpeople.net  Type: A  184.168.221.37
DNS: brokenpeople.net  Type: A  184.168.221.96
DNS: eveningcondition.net  Type: A  98.139.135.129
DNS: mightplease.net  Type: A  208.100.26.234
DNS: prettysoldier.net  Type: A  184.168.221.52
DNS: prettyplease.net  Type: A  207.148.248.143
DNS: brokennation.net  Type: A  208.91.197.27
DNS: resultnation.net  Type: A  208.91.197.27
DNS: brokensoldier.net  Type: A  173.236.158.114
DNS: buildingpower.net  Type: A  188.40.84.184
DNS: prettypower.net  Type: A  208.91.197.23
DNS: doublefamous.net  Type: A  210.157.1.134
DNS: fellowpower.net  Type: A  98.139.135.129
DNS: brokenpower.net  Type: A  72.167.131.57
DNS: stillpower.net  Type: A  184.168.221.34
DNS: mightdaughter.net  Type: A
DNS: prettyready.net  Type: A
DNS: doctorbrown.net  Type: A
DNS: doctordaughter.net  Type: A
DNS: prettydaughter.net  Type: A
DNS: fellowready.net  Type: A
DNS: doubleready.net  Type: A
DNS: fellowbrown.net  Type: A
DNS: doublebrown.net  Type: A
DNS: doublepeople.net  Type: A
DNS: fellowdaughter.net  Type: A
DNS: doubledaughter.net  Type: A
DNS: brokenready.net  Type: A
DNS: resultready.net  Type: A
DNS: brokenbrown.net  Type: A
DNS: resultbrown.net  Type: A
DNS: resultpeople.net  Type: A
DNS: brokendaughter.net  Type: A
DNS: resultdaughter.net  Type: A
DNS: prepareready.net  Type: A
DNS: desireready.net  Type: A
DNS: preparebrown.net  Type: A
DNS: desirebrown.net  Type: A
DNS: preparepeople.net  Type: A
DNS: desirepeople.net  Type: A
DNS: preparedaughter.net  Type: A
DNS: desiredaughter.net  Type: A
DNS: strengthready.net  Type: A
DNS: stillready.net  Type: A
DNS: strengthbrown.net  Type: A
DNS: stillbrown.net  Type: A
DNS: strengthpeople.net  Type: A
DNS: stillpeople.net  Type: A
DNS: strengthdaughter.net  Type: A
DNS: stilldaughter.net  Type: A
DNS: movementnation.net  Type: A
DNS: outsidenation.net  Type: A
DNS: movementsoldier.net  Type: A
DNS: outsidesoldier.net  Type: A
DNS: movementplease.net  Type: A
DNS: outsideplease.net  Type: A
DNS: movementcondition.net  Type: A
DNS: outsidecondition.net  Type: A
DNS: buildingnation.net  Type: A
DNS: eveningnation.net  Type: A
DNS: buildingsoldier.net  Type: A
DNS: eveningsoldier.net  Type: A
DNS: buildingplease.net  Type: A
DNS: eveningplease.net  Type: A
DNS: buildingcondition.net  Type: A
DNS: storenation.net  Type: A
DNS: mightnation.net  Type: A
DNS: storesoldier.net  Type: A
DNS: mightsoldier.net  Type: A
DNS: storeplease.net  Type: A
DNS: storecondition.net  Type: A
DNS: mightcondition.net  Type: A
DNS: doctornation.net  Type: A
DNS: prettynation.net  Type: A
DNS: doctorsoldier.net  Type: A
DNS: doctorplease.net  Type: A
DNS: doctorcondition.net  Type: A
DNS: prettycondition.net  Type: A
DNS: fellownation.net  Type: A
DNS: doublenation.net  Type: A
DNS: fellowsoldier.net  Type: A
DNS: doublesoldier.net  Type: A
DNS: fellowplease.net  Type: A
DNS: doubleplease.net  Type: A
DNS: fellowcondition.net  Type: A
DNS: doublecondition.net  Type: A
DNS: resultsoldier.net  Type: A
DNS: brokenplease.net  Type: A
DNS: resultplease.net  Type: A
DNS: brokencondition.net  Type: A
DNS: resultcondition.net  Type: A
DNS: preparenation.net  Type: A
DNS: desirenation.net  Type: A
DNS: preparesoldier.net  Type: A
DNS: desiresoldier.net  Type: A
DNS: prepareplease.net  Type: A
DNS: desireplease.net  Type: A
DNS: preparecondition.net  Type: A
DNS: desirecondition.net  Type: A
DNS: strengthnation.net  Type: A
DNS: stillnation.net  Type: A
DNS: strengthsoldier.net  Type: A
DNS: stillsoldier.net  Type: A
DNS: strengthplease.net  Type: A
DNS: stillplease.net  Type: A
DNS: strengthcondition.net  Type: A
DNS: stillcondition.net  Type: A
DNS: movementcentury.net  Type: A
DNS: outsidecentury.net  Type: A
DNS: movementfamous.net  Type: A
DNS: outsidefamous.net  Type: A
DNS: movementpower.net  Type: A
DNS: outsidepower.net  Type: A
DNS: movementcountry.net  Type: A
DNS: outsidecountry.net  Type: A
DNS: buildingcentury.net  Type: A
DNS: eveningcentury.net  Type: A
DNS: buildingfamous.net  Type: A
DNS: eveningfamous.net  Type: A
DNS: eveningpower.net  Type: A
DNS: buildingcountry.net  Type: A
DNS: eveningcountry.net  Type: A
DNS: storecentury.net  Type: A
DNS: mightcentury.net  Type: A
DNS: storefamous.net  Type: A
DNS: mightfamous.net  Type: A
DNS: storepower.net  Type: A
DNS: mightpower.net  Type: A
DNS: storecountry.net  Type: A
DNS: mightcountry.net  Type: A
DNS: doctorcentury.net  Type: A
DNS: prettycentury.net  Type: A
DNS: doctorfamous.net  Type: A
DNS: prettyfamous.net  Type: A
DNS: doctorpower.net  Type: A
DNS: doctorcountry.net  Type: A
DNS: prettycountry.net  Type: A
DNS: fellowcentury.net  Type: A
DNS: doublecentury.net  Type: A
DNS: fellowfamous.net  Type: A
DNS: doublepower.net  Type: A
DNS: fellowcountry.net  Type: A
DNS: doublecountry.net  Type: A
DNS: brokencentury.net  Type: A
DNS: resultcentury.net  Type: A
DNS: brokenfamous.net  Type: A
DNS: resultfamous.net  Type: A
DNS: resultpower.net  Type: A
DNS: brokencountry.net  Type: A
DNS: resultcountry.net  Type: A
DNS: preparecentury.net  Type: A
DNS: desirecentury.net  Type: A
DNS: preparefamous.net  Type: A
DNS: desirefamous.net  Type: A
DNS: preparepower.net  Type: A
DNS: desirepower.net  Type: A
DNS: preparecountry.net  Type: A
DNS: desirecountry.net  Type: A
DNS: strengthcentury.net  Type: A
DNS: stillcentury.net  Type: A
DNS: strengthfamous.net  Type: A
DNS: stillfamous.net  Type: A
DNS: strengthpower.net  Type: A
DNS: strengthcountry.net  Type: A
DNS: stillcountry.net  Type: A
DNS: movementsurprise.net  Type: A
HTTP GET: http://doctorready.net/index.php
  User-Agent:
HTTP GET: http://prettybrown.net/index.php
  User-Agent:
HTTP GET: http://doctorpeople.net/index.php
  User-Agent:
HTTP GET: http://prettypeople.net/index.php
  User-Agent:
HTTP GET: http://fellowpeople.net/index.php
  User-Agent:
HTTP GET: http://brokenpeople.net/index.php
  User-Agent:
HTTP GET: http://eveningcondition.net/index.php
  User-Agent:
HTTP GET: http://mightplease.net/index.php
  User-Agent:
HTTP GET: http://prettysoldier.net/index.php
  User-Agent:
HTTP GET: http://prettyplease.net/index.php
  User-Agent:
HTTP GET: http://brokennation.net/index.php
  User-Agent:
HTTP GET: http://resultnation.net/index.php
  User-Agent:
HTTP GET: http://brokensoldier.net/index.php
  User-Agent:
HTTP GET: http://buildingpower.net/index.php
  User-Agent:
HTTP GET: http://prettypower.net/index.php
  User-Agent:
HTTP GET: http://doublefamous.net/index.php
  User-Agent:
HTTP GET: http://fellowpower.net/index.php
  User-Agent:
HTTP GET: http://brokenpower.net/index.php
  User-Agent:
HTTP GET: http://stillpower.net/index.php
  User-Agent:
Flows TCP: 192.168.1.1:1031 ➝ 50.63.202.58:80
Flows TCP: 192.168.1.1:1032 ➝ 198.71.232.3:80
Flows TCP: 192.168.1.1:1033 ➝ 157.7.188.129:80
Flows TCP: 192.168.1.1:1034 ➝ 50.63.202.64:80
Flows TCP: 192.168.1.1:1035 ➝ 184.168.221.37:80
Flows TCP: 192.168.1.1:1036 ➝ 184.168.221.96:80
Flows TCP: 192.168.1.1:1037 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1038 ➝ 208.100.26.234:80
Flows TCP: 192.168.1.1:1039 ➝ 184.168.221.52:80
Flows TCP: 192.168.1.1:1040 ➝ 207.148.248.143:80
Flows TCP: 192.168.1.1:1041 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1042 ➝ 208.91.197.27:80
Flows TCP: 192.168.1.1:1043 ➝ 173.236.158.114:80
Flows TCP: 192.168.1.1:1044 ➝ 188.40.84.184:80
Flows TCP: 192.168.1.1:1045 ➝ 208.91.197.23:80
Flows TCP: 192.168.1.1:1046 ➝ 210.157.1.134:80
Flows TCP: 192.168.1.1:1047 ➝ 98.139.135.129:80
Flows TCP: 192.168.1.1:1048 ➝ 72.167.131.57:80
Flows TCP: 192.168.1.1:1049 ➝ 184.168.221.34:80
