Analysis Date: 2018-05-19 11:32:10
MD5: e109f01e11ff4f9761d6b1301a6ab19c
SHA1: 36445a530e69295dcdc23582ed87571e8a045be4

Static Details:

AV Arcabit (arcavir): Gen:Variant.Razy.46276
AV Authentium: W32/Zbot.BR.gen!Eldorado
AV Grisoft (avg): PSW.Generic13.ERC
AV Avira (antivir): TR/Spy.Gen
AV Alwil (avast): Error Scanning File
AV Ad-Aware: Gen:Variant.Razy.46276
AV BitDefender: Gen:Variant.Razy.46276
AV BullGuard: Gen:Variant.Razy.46276
AV ClamAV: Error Scanning File
AV Dr. Web: Trojan.PWS.Panda.547
AV Emsisoft: Gen:Variant.Razy.46276
AV MicroWorld (escan): Gen:Variant.Razy.46276
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: W32/Zbot.AAN!tr
AV Frisk (f-prot): W32/Zbot.BR.gen!Eldorado
AV F-Secure: Trojan-Spy:W32/Zbot.AVTH
AV Ikarus: Error Scanning File
AV K7: Spyware ( 002891031 )
AV Kaspersky: Error Scanning File
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: PWS-Zbot.gen.ds
AV Microsoft Security Essentials: PWS:Win32/Zbot
AV NANO: Virus.Win32.Gen.ccmw
AV Eset (nod32): Win32/Spy.Zbot.YW
AV Padvish: No Virus
AV CAT (quickheal): Trojan.Necurs.MUE.A3
AV Rising: Trojan.PSW.Zbot!47F5
AV 360 Safe: No Virus
AV SUPERAntiSpyware: Trojan.Agent/Gen-MalPE
AV Symantec: No Virus
AV Trend Micro: Cryp_Xin1
AV Twister: Trojan.558BEC@1832DBE8@1.mg
AV VirusBlokAda (vba32): SScope.Trojan.FakeAV.01110
AV Windows Defender: PWS:Win32/Zbot
AV Zillya!: No Virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\36445a530e69295dcdc23582ed87571e8a045be4.exe

Creates Mutex: {8EEEA37C-5CEF-11DD-9810-2A4256D89593}
Creates Mutex: Global\{23AEE9CF-29DD-F076-3A8A-E75C7268ACD2}
Creates File: C:\debug.txt
Creates File: C:\Users\Phil\AppData\Local\Temp\36445a530e69295dcdc23582ed87571e8a045be4.exe
Creates File: C:\Users\Phil\AppData\Roaming\Vaipry\ymwe.exe
Creates File: C:\Users\Phil\AppData\Roaming\Ehxiu\lyaqo.kef
Creates File: C:\Users\Phil\AppData\Roaming
Creates File: C:\Users\Phil\AppData\Roaming\Vaipry
Creates File: C:\Users\Phil\AppData\Roaming\Ehxiu
Creates File: C:\Users\Phil\AppData\Roaming\Ehxiu\lyaqo.dat

Process
↳ C:\Users\Phil\AppData\Roaming\Vaipry\ymwe.exe

Creates File: C:\debug.txt
Creates File: C:\Users\Phil\AppData\Roaming\Vaipry\ymwe.exe

Process
↳ C:\Windows\System32\taskhost.exe

Process
↳ C:\Windows\System32\dwm.exe

Process
↳ C:\Windows\explorer.exe

Network Details:

Strings