Analysis Date: 2018-04-15 06:32:01
MD5: 04fbe3291a4a3bd879b794851ad3932f
SHA1: 417abbc62bf4841fa1453d43e61c0945ec80e11e

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:
AV Arcabit (arcavir): Gen:Variant.Oficla.11
AV Authentium: W32/Dapato.L.gen!Eldorado
AV Grisoft (avg): Win32/DH{IzUl?}
AV Avira (antivir): BDS/Phdet.S.9
AV Alwil (avast): Malware-gen
AV Alwil (avast): Win32:Malware-gen
AV Ad-Aware: Gen:Variant.Oficla.11
AV BitDefender: Gen:Variant.Oficla.11
AV BullGuard: Gen:Variant.Oficla.11
AV ClamAV: Error Scanning File
AV Dr. Web: Trojan.Upatre.1
AV Emsisoft: Gen:Variant.Oficla.11
AV MicroWorld (escan): Gen:Variant.Oficla.11
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: W32/BlackEnergy.AH!tr
AV Frisk (f-prot): W32/Dapato.L.gen!Eldorado
AV F-Secure: Gen:Variant.Oficla.11
AV Ikarus: Error Scanning File
AV K7: RootKit ( 004e586b1 )
AV Kaspersky: Error Scanning File
AV MalwareBytes: Exploit.Agent
AV Mcafee: GenericRXEK-VC!04FBE3291A4A
AV Microsoft Security Essentials: Backdoor:Win32/Phdet.S
AV NANO: Trojan.Win32.DownLoad3.ddcdgk
AV Eset (nod32): Win32/Rootkit.BlackEnergy.AH
AV Padvish: No Virus
AV CAT (quickheal): No Virus
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: No Virus
AV Trend Micro: TROJ_UPATRE.SM37
AV Twister: TrojanDrop.Dapato.egdg.qqmj
AV VirusBlokAda (vba32): BScope.Trojan.MTA.01233
AV Windows Defender: Backdoor:Win32/Phdet.S
AV Zillya!: Dropper.Dapato.Win32.21908

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\417abbc62bf4841fa1453d43e61c0945ec80e11e.exe

Creates Mutex: Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}
Creates File: C:\Users\Phil\AppData\Local\Temp\417abbc62bf4841fa1453d43e61c0945ec80e11e.exe
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\cnwog.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\cnwog.exe

Creates Mutex: Global\{3D5A1694-CC2C-4ee7-A3D5-A879A9E3A62A}

Process
↳ C:\Windows\SysWOW64\cmd.exe

Creates File: \??\NUL

Network Details:
