Analysis Date: 2018-03-18 18:35:51
MD5: a86ba63c87f81520c8fd568af5c011a3
SHA1: 4fa9ba60cd72a349b36a76ab5abc54b71193a6d0

Static Details:

AV: Arcabit (arcavir) ➝ Trojan.Generic.5688759
AV: Authentium ➝ No Virus
AV: Grisoft (avg) ➝ No Virus
AV: Avira (antivir) ➝ TR/VB.Downloader.Gen
AV: Alwil (avast) ➝ No Virus
AV: Ad-Aware ➝ Trojan.Generic.5688759
AV: BitDefender ➝ Trojan.Generic.5688759
AV: BullGuard ➝ Trojan.Generic.5688759
AV: ClamAV ➝ Error Scanning File
AV: Dr. Web ➝ No Virus
AV: Emsisoft ➝ Trojan.Generic.5688759
AV: MicroWorld (escan) ➝ Trojan.Generic.5688759
AV: CA (E-Trust Ino) ➝ Error Scanning File
AV: Fortinet ➝ W32/Genome.DPNQ!tr.dldr
AV: Frisk (f-prot) ➝ No Virus
AV: F-Secure ➝ Trojan.Generic.5688759
AV: Ikarus ➝ Error Scanning File
AV: K7 ➝ Trojan ( 0000000c1 )
AV: Kaspersky ➝ Error Scanning File
AV: MalwareBytes ➝ No Virus
AV: Mcafee ➝ No Virus
AV: Microsoft Security Essentials ➝ Trojan:Win32/Msposer.A
AV: NANO ➝ Error Scanning File
AV: Eset (nod32) ➝ NewHeur_VB_Downloader.8
AV: Padvish ➝ No Virus
AV: CAT (quickheal) ➝ No Virus
AV: Rising ➝ No Virus
AV: 360 Safe ➝ No Virus
AV: SUPERAntiSpyware ➝ No Virus
AV: Symantec ➝ No Virus
AV: Trend Micro ➝ No Virus
AV: Twister ➝ No Virus
AV: VirusBlokAda (vba32) ➝ No Virus
AV: Windows Defender ➝ Trojan:Win32/Msposer.A
AV: Zillya! ➝ No Virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0.exe

Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASAPI32\EnableFileTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASAPI32\EnableConsoleTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASAPI32\FileTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASAPI32\ConsoleTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASAPI32\MaxFileSize ➝ 1048576
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASAPI32\FileDirectory ➝ %windir%\tracing
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASMANCS\EnableFileTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASMANCS\EnableConsoleTracing ➝ 0
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASMANCS\FileTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASMANCS\ConsoleTracingMask ➝ 4294901760
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASMANCS\MaxFileSize ➝ 1048576
Registry: HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASMANCS\FileDirectory ➝ %windir%\tracing
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings ➝ F
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork ➝ {8D1D5A3D-F6B4-4812-8968-89885EFE5341}
Creates Mutex: IESQMMUTEX_0_208
Creates File: C:\Users\Phil\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZV6J2I17\naruto[1].exe
Creates File: C:\Windows\system\kisys63.ocx

Process
↳ c:\ksys32.exe
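Most of the registry activity above is library noise rather than sample behaviour: the `Tracing\<name>_RASAPI32` and `_RASMANCS` keys are written whenever a process loads the RAS API (which WinINet does for its connectivity and autodial checks), and the `Internet Settings\Connections` / `Wpad` values and the `IESQMMUTEX` mutex are WinINet/urlmon side effects. The events worth a human's attention are the cache write of `naruto[1].exe`, the drop into `C:\Windows\system\` and the launch of an executable from the drive root. The triage below is an added example, not part of the sandbox report or its tooling: it embeds the report's runtime events as a list and applies first-match rules that separate that noise from the drops and launches; the rule regexes, severities and wording are my own assumptions.

```python
import re

# Runtime events copied from the report above as (event, value) pairs.
# Everything else in this block is added triage logic, not sandbox output.
EVENTS = [
    ("Process", r"C:\Windows\System32\lsass.exe"),
    ("Process", r"C:\Users\Phil\AppData\Local\Temp\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0.exe"),
    ("Registry", r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASAPI32\EnableFileTracing"),
    ("Registry", r"HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Tracing\4fa9ba60cd72a349b36a76ab5abc54b71193a6d0_RASMANCS\FileDirectory"),
    ("Registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings"),
    ("Registry", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\WpadLastNetwork"),
    ("Creates Mutex", "IESQMMUTEX_0_208"),
    ("Creates File", r"C:\Users\Phil\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\ZV6J2I17\naruto[1].exe"),
    ("Creates File", r"C:\Windows\system\kisys63.ocx"),
    ("Process", r"c:\ksys32.exe"),
]

# (event type, case-insensitive regex on the value, severity, analyst note).
# First matching rule wins, so put the specific "high" rules before generic ones.
RULES = [
    ("Registry", r"\\Microsoft\\Tracing\\[^\\]+_(RASAPI32|RASMANCS)\\", "noise",
     "RAS tracing keys: written whenever rasapi32/rasman is loaded (WinINet autodial), not persistence"),
    ("Registry", r"\\Internet Settings\\(Connections|Wpad)\\", "noise",
     "WinINet connection/WPAD state written by the library, not the sample"),
    ("Creates Mutex", r"^IESQMMUTEX_\d+_\d+$", "noise",
     "IE/WinINet SQM mutex, a side effect of using urlmon or wininet"),
    ("Creates File", r"\\Temporary Internet Files\\Content\.IE5\\", "medium",
     "WinINet cache write: the sample fetched a file over HTTP (downloader behaviour)"),
    ("Creates File", r"^[a-z]:\\windows\\(system|system32|syswow64)\\", "high",
     "drops a file into a Windows system directory"),
    ("Process", r"^[a-z]:\\[^\\]+\.exe$", "high",
     "executable launched from the drive root"),
    ("Process", r"\\AppData\\Local\\Temp\\[0-9a-f]{40}\.exe$", "info",
     "the submitted sample itself (sandbox names it by SHA1)"),
    ("Process", r"\\system32\\lsass\.exe$", "info",
     "system process; confirm image path and parent before reading anything into it"),
]

SEVERITIES = ("high", "medium", "info", "noise", "unknown")


def triage(events):
    """Label each runtime event with the first matching rule (or 'unknown')."""
    findings = []
    for kind, value in events:
        severity, note = "unknown", "no rule matched; review manually"
        for rule_kind, pattern, rule_sev, rule_note in RULES:
            if rule_kind == kind and re.search(pattern, value, re.IGNORECASE):
                severity, note = rule_sev, rule_note
                break
        findings.append({"event": kind, "value": value, "severity": severity, "note": note})
    return findings


def summarize(findings):
    """Count findings per severity and derive an overall verdict."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        counts[f["severity"]] += 1
    counts["verdict"] = "suspicious" if counts["high"] else "review"
    return counts


if __name__ == "__main__":
    results = triage(EVENTS)
    for f in results:
        if f["severity"] != "noise":
            print(f"[{f['severity']:6}] {f['event']}: {f['value']}\n         {f['note']}")
    print(summarize(results))
```

Run stand-alone it prints only the non-noise events with their notes and then the counts; the two `high` findings (the `.ocx` drop into `C:\Windows\system\` and `c:\ksys32.exe` starting) are what make the verdict `suspicious`, while the twelve tracing values the report lists all collapse into the first rule.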

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f494d41 4745532f 7361756e   GET /IMAGES/saun
0x00000010 (00016)   612f6e61 7275746f 2e657865 20485454   a/naruto.exe HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent: 
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520372e   patible; MSIE 7.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420362e   0; Windows NT 6.
0x00000090 (00144)   313b2057 4f573634 3b205472 6964656e   1; WOW64; Triden
0x000000a0 (00160)   742f342e 303b2053 4c434332 3b202e4e   t/4.0; SLCC2; .N
0x000000b0 (00176)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000c0 (00192)   3b202e4e 45542043 4c522033 2e352e33   ; .NET CLR 3.5.3
0x000000d0 (00208)   30373239 3b202e4e 45542043 4c522033   0729; .NET CLR 3
0x000000e0 (00224)   2e302e33 30373239 3b204d65 64696120   .0.30729; Media 
0x000000f0 (00240)   43656e74 65722050 4320362e 30290d0a   Center PC 6.0)..
0x00000100 (00256)   486f7374 3a207777 772e636c 75626561   Host: www.clubea
0x00000110 (00272)   67756161 7a756c2e 636f6d2e 62720d0a   guaazul.com.br..
0x00000120 (00288)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000130 (00304)   2d416c69 76650d0a 0d0a                -Alive....
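The three captures above are two Windows NCSI connectivity probes (`GET /ncsi.txt` to `www.msftncsi.com`, sent by the OS, not by the sample) and the sample's own fetch of `/IMAGES/sauna/naruto.exe` from `www.clubeaguaazul.com.br` with a spoofed IE7 User-Agent. Extracting that by eye from a hex dump is error-prone, so the following is an added example, not code from the report or the sandbox: it reconstructs the bytes from the `offset (dec)   hex groups   ascii` rows, checks each row's offset against the bytes decoded so far so a missing or reordered row is caught, parses the HTTP request, and classifies the NCSI probe apart from the download. The two dumps embedded in it are copied from the report; the function names and the classification rules are my own.

```python
import re

# Dumps copied verbatim from the "Raw Pcap" section above (the NCSI probe and
# the naruto.exe fetch). They are the input; the parsing logic is the added part.
NCSI_DUMP = """\
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .
"""

NARUTO_DUMP = """\
0x00000000 (00000)   47455420 2f494d41 4745532f 7361756e   GET /IMAGES/saun
0x00000010 (00016)   612f6e61 7275746f 2e657865 20485454   a/naruto.exe HTT
0x00000020 (00032)   502f312e 310d0a41 63636570 743a202a   P/1.1..Accept: *
0x00000030 (00048)   2f2a0d0a 41636365 70742d45 6e636f64   /*..Accept-Encod
0x00000040 (00064)   696e673a 20677a69 702c2064 65666c61   ing: gzip, defla
0x00000050 (00080)   74650d0a 55736572 2d416765 6e743a20   te..User-Agent:
0x00000060 (00096)   4d6f7a69 6c6c612f 342e3020 28636f6d   Mozilla/4.0 (com
0x00000070 (00112)   70617469 626c653b 204d5349 4520372e   patible; MSIE 7.
0x00000080 (00128)   303b2057 696e646f 7773204e 5420362e   0; Windows NT 6.
0x00000090 (00144)   313b2057 4f573634 3b205472 6964656e   1; WOW64; Triden
0x000000a0 (00160)   742f342e 303b2053 4c434332 3b202e4e   t/4.0; SLCC2; .N
0x000000b0 (00176)   45542043 4c522032 2e302e35 30373237   ET CLR 2.0.50727
0x000000c0 (00192)   3b202e4e 45542043 4c522033 2e352e33   ; .NET CLR 3.5.3
0x000000d0 (00208)   30373239 3b202e4e 45542043 4c522033   0729; .NET CLR 3
0x000000e0 (00224)   2e302e33 30373239 3b204d65 64696120   .0.30729; Media
0x000000f0 (00240)   43656e74 65722050 4320362e 30290d0a   Center PC 6.0)..
0x00000100 (00256)   486f7374 3a207777 772e636c 75626561   Host: www.clubea
0x00000110 (00272)   67756161 7a756c2e 636f6d2e 62720d0a   guaazul.com.br..
0x00000120 (00288)   436f6e6e 65637469 6f6e3a20 4b656570   Connection: Keep
0x00000130 (00304)   2d416c69 76650d0a 0d0a                -Alive....
"""

DUMP_LINE = re.compile(r"^0x([0-9A-Fa-f]+)\s+\(\d+\)\s+(\S.*)$")
HEX_GROUP = re.compile(r"^(?:[0-9A-Fa-f]{2}){1,4}$")


def dump_to_bytes(dump: str) -> bytes:
    """Rebuild the payload; the offset column must equal the bytes decoded so far."""
    buf = bytearray()
    for raw in dump.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {line!r}")
        offset = int(m.group(1), 16)
        if offset != len(buf):
            raise ValueError(f"offset 0x{offset:x} but {len(buf)} bytes decoded so far")
        # hex groups are one space apart; the ASCII column follows a wider gap
        hex_field = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
        for group in hex_field.split():
            if not HEX_GROUP.match(group):
                raise ValueError(f"bad hex group {group!r} at offset 0x{offset:x}")
            buf += bytes.fromhex(group)
    return bytes(buf)


def parse_http_request(raw: bytes) -> dict:
    """Split a raw HTTP/1.x request into request line, lower-cased headers and body."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete request: no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for field in lines[1:]:
        name, _, value = field.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def classify(req: dict) -> str:
    """Separate the Windows connectivity probe from the sample's own traffic."""
    host = req["headers"].get("host", "")
    ua = req["headers"].get("user-agent", "")
    if host == "www.msftncsi.com" and req["target"] == "/ncsi.txt" and ua == "Microsoft NCSI":
        return "ncsi-probe"  # OS connectivity check, not attacker infrastructure
    if req["target"].lower().endswith((".exe", ".dll", ".ocx", ".scr")):
        return "executable-download"
    return "other"


def extract_iocs(dump: str) -> dict:
    req = parse_http_request(dump_to_bytes(dump))
    host = req["headers"].get("host", "")
    return {"kind": classify(req), "url": f"http://{host}{req['target']}",
            "user_agent": req["headers"].get("user-agent", "")}


def analyze_report() -> list:
    return [extract_iocs(d) for d in (NCSI_DUMP, NARUTO_DUMP)]


if __name__ == "__main__":
    for ioc in analyze_report():
        print(ioc)
```

The offset check matters when a dump has been copied out of a web page: a dropped row shifts every later byte and silently produces a wrong URL, whereas here it raises. The IE7-style User-Agent on the download, together with the `Temporary Internet Files\Content.IE5` cache write listed under Runtime Details, is consistent with the sample fetching through WinINet/urlmon rather than raw sockets; that is an inference from the report, not something it states.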


Strings