Analysis Date: 2018-05-09 15:26:43
MD5: 5a64b1324ae691e93e55ef8587379b0c
SHA1: 0c9692c2697ef88b59eba74e8b7429e85a79ae20

Static Details:

AV Arcabit (arcavir): Generic.NSIS.Downloader.4.6962F29A
AV Authentium: No Virus
AV Grisoft (avg): Error Scanning File
AV Avira (antivir): TR/Adload.Gen
AV Alwil (avast): Adware-gen [Adw]
AV Alwil (avast): Downloader-WHL [Trj]
AV Ad-Aware: No Virus
AV BitDefender: Generic.NSIS.Downloader.4.6962F29A
AV BullGuard: Generic.NSIS.Downloader.4.6962F29A
AV ClamAV: No Virus
AV Dr. Web: Trojan.AdLoad.86
AV Emsisoft: Generic.NSIS.Downloader.4.6962F29A
AV MicroWorld (escan): Generic.NSIS.Downloader.4.6962F29A[ZP]
AV CA (E-Trust Ino): No Virus
AV Fortinet: W32/Adload.R!tr.dldr
AV Frisk (f-prot): No Virus
AV F-Secure: No Virus
AV Ikarus: Trojan-Downloader.NSIS.Adload
AV K7: Error Scanning File
AV Kaspersky: Trojan-Downloader.NSIS.Adload.gen
AV MalwareBytes: Error Scanning File
AV Mcafee: No Virus
AV Microsoft Security Essentials: No Virus
AV NANO: Error Scanning File
AV Eset (nod32): NSIS/TrojanDownloader.Adload.R
AV Padvish: No Virus
AV CAT (quickheal): Trojan.IGENERIC
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: No Virus
AV Trend Micro: No Virus
AV Twister: TrojanDldr.Adload.R.aikm.arc
AV VirusBlokAda (vba32): TrojanDownloader.AdLoad
AV Windows Defender: TrojanDownloader:Win32/Adload
AV Zillya!: No Virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\0c9692c2697ef88b59eba74e8b7429e85a79ae20.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000001.db
Creates File: C:\Users\desktop.ini
Creates File: C:\Users
Creates File: C:\Users\Phil
Creates File: C:\Users\Phil\AppData
Creates File: C:\Users\Phil\AppData\Local
Creates File: C:\Users\Phil\Desktop\desktop.ini
Creates Mutex
Creates Mutex

Process
↳ C:\Users\Phil\AppData\Local\Temp\nswBAEF.tmp\cpSetup.exe

Network Details (every request below carries the NSISDL/1.2 (Mozilla) user agent; the base64 `n=` value in the first request decodes to "ESET Internet Security 11.1.42", the same string sent as `appTitle` in the last request):


Raw Pcap
0x00000000 (00000)   47455420 2f6c6175 6e63685f 76352e70   GET /launch_v5.p
0x00000010 (00016)   68703f70 3d267069 643d3331 39322674   hp?p=&pid=3192&t
0x00000020 (00032)   69643d32 31373732 34373926 625f7479   id=21772479&b_ty
0x00000030 (00048)   703d7065 266e3d52 564e4656 43424a62   p=pe&n=RVNFVCBJb
0x00000040 (00064)   6e526c63 6d356c64 4342545a 574e3163   nRlcm5ldCBTZWN1c
0x00000050 (00080)   6d6c3065 5341784d 5334784c 6a517926   ml0eSAxMS4xLjQy&
0x00000060 (00096)   7265623d 31266963 3d204854 54502f31   reb=1&ic= HTTP/1
0x00000070 (00112)   2e300d0a 486f7374 3a206275 6e2e7761   .0..Host: bun.wa
0x00000080 (00128)   72737061 64652e62 69640d0a 55736572   rspade.bid..User
0x00000090 (00144)   2d416765 6e743a20 4e534953 444c2f31   -Agent: NSISDL/1
0x000000a0 (00160)   2e322028 4d6f7a69 6c6c6129 0d0a4163   .2 (Mozilla)..Ac
0x000000b0 (00176)   63657074 3a202a2f 2a0d0a0d 0a         cept: */*....

0x00000000 (00000)   47455420 2f737461 74732e70 68703f62   GET /stats.php?b
0x00000010 (00016)   753d6370 26633d26 73746570 3d204854   u=cp&c=&step= HT
0x00000020 (00032)   54502f31 2e300d0a 486f7374 3a20676f   TP/1.0..Host: go
0x00000030 (00048)   6c642e70 6f776572 73747269 6e672e62   ld.powerstring.b
0x00000040 (00064)   69640d0a 55736572 2d416765 6e743a20   id..User-Agent: 
0x00000050 (00080)   4e534953 444c2f31 2e322028 4d6f7a69   NSISDL/1.2 (Mozi
0x00000060 (00096)   6c6c6129 0d0a4163 63657074 3a202a2f   lla)..Accept: */
0x00000070 (00112)   2a0d0a0d 0a6f7374 3a206275 6e2e7761   *....ost: bun.wa
0x00000080 (00128)   72737061 64652e62 69640d0a 55736572   rspade.bid..User
0x00000090 (00144)   2d416765 6e743a20 4e534953 444c2f31   -Agent: NSISDL/1
0x000000a0 (00160)   2e322028 4d6f7a69 6c6c6129 0d0a4163   .2 (Mozilla)..Ac
0x000000b0 (00176)   63657074 3a202a2f 2a0d0a0d 0a         cept: */*....

0x00000000 (00000)   47455420 2f737461 74732e70 68703f62   GET /stats.php?b
0x00000010 (00016)   753d2663 3d267374 65703d31 20485454   u=&c=&step=1 HTT
0x00000020 (00032)   502f312e 300d0a48 6f73743a 20676f6c   P/1.0..Host: gol
0x00000030 (00048)   642e706f 77657273 7472696e 672e6269   d.powerstring.bi
0x00000040 (00064)   640d0a55 7365722d 4167656e 743a204e   d..User-Agent: N
0x00000050 (00080)   53495344 4c2f312e 3220284d 6f7a696c   SISDL/1.2 (Mozil
0x00000060 (00096)   6c61290d 0a416363 6570743a 202a2f2a   la)..Accept: */*
0x00000070 (00112)   0d0a0d0a 0a6f7374 3a206275 6e2e7761   .....ost: bun.wa
0x00000080 (00128)   72737061 64652e62 69640d0a 55736572   rspade.bid..User
0x00000090 (00144)   2d416765 6e743a20 4e534953 444c2f31   -Agent: NSISDL/1
0x000000a0 (00160)   2e322028 4d6f7a69 6c6c6129 0d0a4163   .2 (Mozilla)..Ac
0x000000b0 (00176)   63657074 3a202a2f 2a0d0a0d 0a         cept: */*....

0x00000000 (00000)   47455420 2f737461 74732e70 68703f62   GET /stats.php?b
0x00000010 (00016)   753d2663 3d267374 65703d32 20485454   u=&c=&step=2 HTT
0x00000020 (00032)   502f312e 300d0a48 6f73743a 20676f6c   P/1.0..Host: gol
0x00000030 (00048)   642e706f 77657273 7472696e 672e6269   d.powerstring.bi
0x00000040 (00064)   640d0a55 7365722d 4167656e 743a204e   d..User-Agent: N
0x00000050 (00080)   53495344 4c2f312e 3220284d 6f7a696c   SISDL/1.2 (Mozil
0x00000060 (00096)   6c61290d 0a416363 6570743a 202a2f2a   la)..Accept: */*
0x00000070 (00112)   0d0a0d0a 0a6f7374 3a206275 6e2e7761   .....ost: bun.wa
0x00000080 (00128)   72737061 64652e62 69640d0a 55736572   rspade.bid..User
0x00000090 (00144)   2d416765 6e743a20 4e534953 444c2f31   -Agent: NSISDL/1
0x000000a0 (00160)   2e322028 4d6f7a69 6c6c6129 0d0a4163   .2 (Mozilla)..Ac
0x000000b0 (00176)   63657074 3a202a2f 2a0d0a0d 0a         cept: */*....

0x00000000 (00000)   47455420 2f737461 74732e70 68703f62   GET /stats.php?b
0x00000010 (00016)   753d2663 3d267374 65703d33 20485454   u=&c=&step=3 HTT
0x00000020 (00032)   502f312e 300d0a48 6f73743a 20676f6c   P/1.0..Host: gol
0x00000030 (00048)   642e706f 77657273 7472696e 672e6269   d.powerstring.bi
0x00000040 (00064)   640d0a55 7365722d 4167656e 743a204e   d..User-Agent: N
0x00000050 (00080)   53495344 4c2f312e 3220284d 6f7a696c   SISDL/1.2 (Mozil
0x00000060 (00096)   6c61290d 0a416363 6570743a 202a2f2a   la)..Accept: */*
0x00000070 (00112)   0d0a0d0a 0a6f7374 3a206275 6e2e7761   .....ost: bun.wa
0x00000080 (00128)   72737061 64652e62 69640d0a 55736572   rspade.bid..User
0x00000090 (00144)   2d416765 6e743a20 4e534953 444c2f31   -Agent: NSISDL/1
0x000000a0 (00160)   2e322028 4d6f7a69 6c6c6129 0d0a4163   .2 (Mozilla)..Ac
0x000000b0 (00176)   63657074 3a202a2f 2a0d0a0d 0a         cept: */*....

0x00000000 (00000)   47455420 2f3f6166 6649643d 31303036   GET /?affId=1006
0x00000010 (00016)   26617070 5469746c 653d4553 45542049   &appTitle=ESET I
0x00000020 (00032)   6e746572 6e657420 53656375 72697479   nternet Security
0x00000030 (00048)   2031312e 312e3432 2673313d 33313932    11.1.42&s1=3192
0x00000040 (00064)   2673323d 32313737 32343739 26736574   &s2=21772479&set
0x00000050 (00080)   75704e61 6d653d63 70536574 75702661   upName=cpSetup&a
0x00000060 (00096)   70705665 7273696f 6e3d322e 39322669   ppVersion=2.92&i
0x00000070 (00112)   6e737449 643d3131 26657865 3d312048   nstId=11&exe=1 H
0x00000080 (00128)   5454502f 312e300d 0a486f73 743a2073   TTP/1.0..Host: s
0x00000090 (00144)   63686f6f 6c2e636f 6c6c6172 64656174   chool.collardeat
0x000000a0 (00160)   682e6372 69636b65 740d0a55 7365722d   h.cricket..User-
0x000000b0 (00176)   4167656e 743a204e 53495344 4c2f312e   Agent: NSISDL/1.
0x000000c0 (00192)   3220284d 6f7a696c 6c61290d 0a416363   2 (Mozilla)..Acc
0x000000d0 (00208)   6570743a 202a2f2a 0d0a0d0a            ept: */*....


Strings