Analysis Date: 2018-05-19 21:25:34
MD5: d52d605f9d0138cf48a3d094ccb6e1a5
SHA1: bb05754872c5d7c135f33eb212e83263bfcae362

Static Details (multi-engine scan of the sample; the verdicts below cluster around generic crypter/packer signatures — Kryptik, Crypt.XPACK, Symmi — and software-bundler/PUA families — Prepscram, ArchSMS, StartSurf. Three engines returned "Error Scanning File", which is an inconclusive result, not a clean one):

AV Arcabit (arcavir): Error Scanning File
AV Authentium: W32/S-6c992376!Eldorado
AV Grisoft (avg): Error Scanning File
AV Avira (antivir): TR/Crypt.XPACK.Gen2
AV Alwil (avast): Evo-gen [Susp]
AV Ad-Aware: Gen:Variant.Symmi.85576
AV BitDefender: Gen:Variant.Symmi.85576
AV BullGuard: Gen:Variant.Symmi.85576
AV ClamAV: No Virus
AV Dr. Web: No Virus
AV Emsisoft: Gen:Variant.Symmi.85576
AV MicroWorld (escan): No Virus
AV CA (E-Trust Ino): No Virus
AV Fortinet: W32/Kryptik.GFGF!tr
AV Frisk (f-prot): W32/S-6c992376!Eldorado
AV F-Secure: Gen:Variant.Symmi.85576
AV Ikarus: PUA.Win32.Prepscram
AV K7: Trojan ( 00526e411 )
AV Kaspersky: Hoax.Win32.ArchSMS.gen
AV MalwareBytes: Error Scanning File
AV Mcafee: GenericRXEI-NU!D52D605F9D01
AV Microsoft Security Essentials: SoftwareBundler:Win32/Prepscram
AV NANO: Riskware.Win32.ArchSMS.eyywzc
AV NANO: Riskware.Win32.ArchSMS.eyywzg
AV NANO: Riskware.Win32.ArchSMS.eyyxao
AV NANO: Riskware.Win32.ArchSMS.eyyxen
AV NANO: Riskware.Win32.ArchSMS.eyyxfc
AV NANO: Riskware.Win32.ArchSMS.eyyxta
AV Eset (nod32): Win32/Kryptik.GEMW
AV Padvish: No Virus
AV CAT (quickheal): No Virus
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: No Virus
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): BScope.AdWare.StartSurf
AV Windows Defender: SoftwareBundler:Win32/Prepscram
AV Zillya!: No Virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\bb05754872c5d7c135f33eb212e83263bfcae362.exe

Network Details:


Raw Pcap

Decoded, the capture holds two plaintext HTTP/1.1 GET requests to lip.healthcakes.men, both with `User-Agent: InstallCapital`, `Connection: close`, `Accept: */*` and an absolute URI in the request line (proxy-style). The first fetches /h_redir.php with affiliate-tracking parameters (offer_id=4, aff_id=5240, source=6626, aff_sub through aff_sub5) and a `url=` parameter that is a URL-encoded template for /offer.php still containing the placeholders {aff_id}, {transaction_id} and {country_code}. The second fetches /offer.php with those placeholders filled in (affId=5240, ho_trackingid=HO5b0096230b0da, cc=DE) and carries a host profile in the query string — sb=x64, net=3.5.30729.4926, ie=8.0.7600.16385, wv=7, db=InternetExplorer, uac=1, cid=e56c93eb486617b1bccd87e1486c677d, osd=75, res=800x600, v=3. The meaning of those fields is inferred from their names only (wv=7 and the IE build 8.0.7600.16385 are consistent with a Windows 7 sandbox image); what is certain is that a machine fingerprint is sent in clear text over HTTP. For detection, the User-Agent string, the host name and the two URI paths are the stable indicators; the numeric tracking and cid values are per-install and should not be pinned. Note that the second dump continues past its terminating \r\n\r\n (which ends at offset 0x16c): from 0x16d to the end it repeats the first request byte for byte at the same offsets, which looks like stale buffer contents from the capture tool rather than part of the request.
0x00000000 (00000)   47455420 68747470 3a2f2f6c 69702e68   GET http://lip.h
0x00000010 (00016)   65616c74 6863616b 65732e6d 656e2f68   ealthcakes.men/h
0x00000020 (00032)   5f726564 69722e70 68703f6f 66666572   _redir.php?offer
0x00000030 (00048)   5f69643d 34266166 665f6964 3d353234   _id=4&aff_id=524
0x00000040 (00064)   3026736f 75726365 3d363632 36266166   0&source=6626&af
0x00000050 (00080)   665f7375 623d3130 26616666 5f737562   f_sub=10&aff_sub
0x00000060 (00096)   323d3535 33353838 37393626 6166665f   2=553588796&aff_
0x00000070 (00112)   73756233 3d353533 35383837 39362661   sub3=553588796&a
0x00000080 (00128)   66665f73 7562343d 35616164 33363266   ff_sub4=5aad362f
0x00000090 (00144)   64626136 39266166 665f7375 62353d31   dba69&aff_sub5=1
0x000000a0 (00160)   32363136 38343530 31267572 6c3d6874   261684501&url=ht
0x000000b0 (00176)   74702533 41253246 2532466c 69702e68   tp%3A%2F%2Flip.h
0x000000c0 (00192)   65616c74 6863616b 65732e6d 656e2f6f   ealthcakes.men/o
0x000000d0 (00208)   66666572 2e706870 25334661 66664964   ffer.php%3FaffId
0x000000e0 (00224)   2533447b 6166665f 69647d25 32367472   %3D{aff_id}%26tr
0x000000f0 (00240)   61636b69 6e674964 25334433 32373735   ackingId%3D32775
0x00000100 (00256)   39323539 25323669 6e737449 64253344   9259%26instId%3D
0x00000110 (00272)   36363236 25323668 6f5f7472 61636b69   6626%26ho_tracki
0x00000120 (00288)   6e676964 2533447b 7472616e 73616374   ngid%3D{transact
0x00000130 (00304)   696f6e5f 69647d25 32366363 2533447b   ion_id}%26cc%3D{
0x00000140 (00320)   636f756e 7472795f 636f6465 7d253236   country_code}%26
0x00000150 (00336)   63635f74 79702533 44686f25 32367362   cc_typ%3Dho%26sb
0x00000160 (00352)   25334478 36342532 366e6574 25334433   %3Dx64%26net%3D3
0x00000170 (00368)   2e352e33 30373239 2e343932 36253236   .5.30729.4926%26
0x00000180 (00384)   69652533 44382532 65302532 65373630   ie%3D8%2e0%2e760
0x00000190 (00400)   30253265 31363338 35253236 77762533   0%2e16385%26wv%3
0x000001a0 (00416)   44372532 36646225 3344496e 7465726e   D7%26db%3DIntern
0x000001b0 (00432)   65744578 706c6f72 65722532 36756163   etExplorer%26uac
0x000001c0 (00448)   25334431 25323663 69642533 44653536   %3D1%26cid%3De56
0x000001d0 (00464)   63393365 62343836 36313762 31626363   c93eb486617b1bcc
0x000001e0 (00480)   64383765 31343836 63363737 64253236   d87e1486c677d%26
0x000001f0 (00496)   6f736425 33443735 25323672 65732533   osd%3D75%26res%3
0x00000200 (00512)   44383030 78363030 25323676 25334433   D800x600%26v%3D3
0x00000210 (00528)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000220 (00544)   206c6970 2e686561 6c746863 616b6573    lip.healthcakes
0x00000230 (00560)   2e6d656e 0d0a436f 6e6e6563 74696f6e   .men..Connection
0x00000240 (00576)   3a20636c 6f73650d 0a416363 6570743a   : close..Accept:
0x00000250 (00592)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000260 (00608)   3a20496e 7374616c 6c436170 6974616c   : InstallCapital
0x00000270 (00624)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 68747470 3a2f2f6c 69702e68   GET http://lip.h
0x00000010 (00016)   65616c74 6863616b 65732e6d 656e2f6f   ealthcakes.men/o
0x00000020 (00032)   66666572 2e706870 3f616666 49643d35   ffer.php?affId=5
0x00000030 (00048)   32343026 74726163 6b696e67 49643d33   240&trackingId=3
0x00000040 (00064)   32373735 39323539 26696e73 7449643d   27759259&instId=
0x00000050 (00080)   36363236 26686f5f 74726163 6b696e67   6626&ho_tracking
0x00000060 (00096)   69643d48 4f356230 30393632 33306230   id=HO5b0096230b0
0x00000070 (00112)   64612663 633d4445 2663635f 7479703d   da&cc=DE&cc_typ=
0x00000080 (00128)   686f2673 623d7836 34266e65 743d332e   ho&sb=x64&net=3.
0x00000090 (00144)   352e3330 3732392e 34393236 2669653d   5.30729.4926&ie=
0x000000a0 (00160)   382e302e 37363030 2e313633 38352677   8.0.7600.16385&w
0x000000b0 (00176)   763d3726 64623d49 6e746572 6e657445   v=7&db=InternetE
0x000000c0 (00192)   78706c6f 72657226 7561633d 31266369   xplorer&uac=1&ci
0x000000d0 (00208)   643d6535 36633933 65623438 36363137   d=e56c93eb486617
0x000000e0 (00224)   62316263 63643837 65313438 36633637   b1bccd87e1486c67
0x000000f0 (00240)   3764266f 73643d37 35267265 733d3830   7d&osd=75&res=80
0x00000100 (00256)   30783630 3026763d 33204854 54502f31   0x600&v=3 HTTP/1
0x00000110 (00272)   2e310d0a 486f7374 3a206c69 702e6865   .1..Host: lip.he
0x00000120 (00288)   616c7468 63616b65 732e6d65 6e0d0a43   althcakes.men..C
0x00000130 (00304)   6f6e6e65 6374696f 6e3a2063 6c6f7365   onnection: close
0x00000140 (00320)   0d0a4163 63657074 3a202a2f 2a0d0a55   ..Accept: */*..U
0x00000150 (00336)   7365722d 4167656e 743a2049 6e737461   ser-Agent: Insta
0x00000160 (00352)   6c6c4361 70697461 6c0d0a0d 0a334433   llCapital....3D3
0x00000170 (00368)   2e352e33 30373239 2e343932 36253236   .5.30729.4926%26
0x00000180 (00384)   69652533 44382532 65302532 65373630   ie%3D8%2e0%2e760
0x00000190 (00400)   30253265 31363338 35253236 77762533   0%2e16385%26wv%3
0x000001a0 (00416)   44372532 36646225 3344496e 7465726e   D7%26db%3DIntern
0x000001b0 (00432)   65744578 706c6f72 65722532 36756163   etExplorer%26uac
0x000001c0 (00448)   25334431 25323663 69642533 44653536   %3D1%26cid%3De56
0x000001d0 (00464)   63393365 62343836 36313762 31626363   c93eb486617b1bcc
0x000001e0 (00480)   64383765 31343836 63363737 64253236   d87e1486c677d%26
0x000001f0 (00496)   6f736425 33443735 25323672 65732533   osd%3D75%26res%3
0x00000200 (00512)   44383030 78363030 25323676 25334433   D800x600%26v%3D3
0x00000210 (00528)   20485454 502f312e 310d0a48 6f73743a    HTTP/1.1..Host:
0x00000220 (00544)   206c6970 2e686561 6c746863 616b6573    lip.healthcakes
0x00000230 (00560)   2e6d656e 0d0a436f 6e6e6563 74696f6e   .men..Connection
0x00000240 (00576)   3a20636c 6f73650d 0a416363 6570743a   : close..Accept:
0x00000250 (00592)   202a2f2a 0d0a5573 65722d41 67656e74    */*..User-Agent
0x00000260 (00608)   3a20496e 7374616c 6c436170 6974616c   : InstallCapital
0x00000270 (00624)   0d0a0d0a                              ....


Strings