Analysis Date: 2018-03-25 23:20:18
MD5: a396b4886ae82cf66fed135554785403
SHA1: fb5267fe64569764ba306d867943b23a1923c4d9

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows, UPX compressed
PEhash
AV Arcabit (arcavir): Gen:Variant.Zusy.279208
AV Authentium: No Virus
AV Grisoft (avg): No Virus
AV Avira (antivir): No Virus
AV Alwil (avast): Adware-gen [Adw]
AV Ad-Aware: Gen:Variant.Zusy.279208
AV BitDefender: Gen:Variant.Zusy.279208
AV BullGuard: Error Scanning File
AV ClamAV: Error Scanning File
AV Dr. Web: Adware.Softcnapp.49
AV Emsisoft: Gen:Variant.Zusy.279208
AV MicroWorld (escan): Gen:Variant.Jacard.11862
AV CA (E-Trust Ino): Error Scanning File
AV Fortinet: No Virus
AV Frisk (f-prot): No Virus
AV F-Secure: Gen:Variant.Zusy.279208
AV Ikarus: Error Scanning File
AV K7: Trojan ( 7000000f1 )
AV Kaspersky: Error Scanning File
AV MalwareBytes: No Virus
AV Mcafee: No Virus
AV Microsoft Security Essentials: No Virus
AV NANO: No Virus
AV Eset (nod32): Win32/Adware.Agent.NSF
AV Padvish: No Virus
AV CAT (quickheal): No Virus
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: PUA.Gen.2
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): No Virus
AV Windows Defender: No Virus
AV Zillya!: Error Scanning File
(Note: "Error Scanning File" entries are scan failures, not clean verdicts, and should not be counted as "No Virus".)

Runtime Details:


Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\fb5267fe64569764ba306d867943b23a1923c4d9.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Windows\SysWOW64\en-US\KERNELBASE.dll.mui
Creates File: C:\Windows\System32\netmsg.dll
Creates Mutex: TFrm_ksdler

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f736572 76696365 2f676574   GET /service/get
0x00000010 (00016)   4970496e 666f2e70 68703f69 703d6d79   IpInfo.php?ip=my
0x00000020 (00032)   69702048 5454502f 312e300d 0a486f73   ip HTTP/1.0..Hos
0x00000030 (00048)   743a2069 702e7461 6f62616f 2e636f6d   t: ip.taobao.com
0x00000040 (00064)   0d0a4b65 65702d41 6c697665 3a203330   ..Keep-Alive: 30
0x00000050 (00080)   300d0a43 6f6e6e65 6374696f 6e3a206b   0..Connection: k
0x00000060 (00096)   6565702d 616c6976 650d0a55 7365722d   eep-alive..User-
0x00000070 (00112)   4167656e 743a204d 6f7a696c 6c612f35   Agent: Mozilla/5
0x00000080 (00128)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000090 (00144)   4d534945 2031302e 303b2057 696e646f   MSIE 10.0; Windo
0x000000a0 (00160)   7773204e 5420362e 313b2054 72696465   ws NT 6.1; Tride
0x000000b0 (00176)   6e742f36 2e303b29 0d0a0d0a            nt/6.0;)....

0x00000000 (00000)   47455420 2f736572 76696365 2f676574   GET /service/get
0x00000010 (00016)   4970496e 666f2e70 68703f69 703d6d79   IpInfo.php?ip=my
0x00000020 (00032)   69702048 5454502f 312e300d 0a486f73   ip HTTP/1.0..Hos
0x00000030 (00048)   743a2069 702e7461 6f62616f 2e636f6d   t: ip.taobao.com
0x00000040 (00064)   0d0a4b65 65702d41 6c697665 3a203330   ..Keep-Alive: 30
0x00000050 (00080)   300d0a43 6f6e6e65 6374696f 6e3a206b   0..Connection: k
0x00000060 (00096)   6565702d 616c6976 650d0a55 7365722d   eep-alive..User-
0x00000070 (00112)   4167656e 743a204d 6f7a696c 6c612f35   Agent: Mozilla/5
0x00000080 (00128)   2e302028 636f6d70 61746962 6c653b20   .0 (compatible; 
0x00000090 (00144)   4d534945 2031302e 303b2057 696e646f   MSIE 10.0; Windo
0x000000a0 (00160)   7773204e 5420362e 313b2054 72696465   ws NT 6.1; Tride
0x000000b0 (00176)   6e742f36 2e303b29 0d0a0d0a            nt/6.0;)....

0x00000000 (00000)   47455420 2f6d6574 726f3f73 69643d35   GET /metro?sid=5
0x00000010 (00016)   32353430 30323846 33314326 733d3258   2540028F31C&s=2X
0x00000020 (00032)   32334334 31333326 74797065 3d616473   23C4133&type=ads
0x00000030 (00048)   26617070 6e616d65 3d654870 7826706f   &appname=eHpx&po
0x00000040 (00064)   733d6548 70784c51 25334425 33442670   s=eHpxLQ%3D%3D&p
0x00000050 (00080)   6e3d6578 69742663 6f64653d 6e6f6964   n=exit&code=noid
0x00000060 (00096)   20485454 502f312e 300d0a48 6f73743a    HTTP/1.0..Host:
0x00000070 (00112)   20636f75 6e742e6a 6c627463 672e636e    count.jlbtcg.cn
0x00000080 (00128)   0d0a4b65 65702d41 6c697665 3a203330   ..Keep-Alive: 30
0x00000090 (00144)   300d0a43 6f6e6e65 6374696f 6e3a206b   0..Connection: k
0x000000a0 (00160)   6565702d 616c6976 650d0a55 7365722d   eep-alive..User-
0x000000b0 (00176)   4167656e 743a2041 70704e61 6d653a78   Agent: AppName:x
0x000000c0 (00192)   7a713b20 57696e56 65723a36 2e30312e   zq; WinVer:6.01.
0x000000d0 (00208)   37363030 20706158 36343b20 41646170   7600 paX64; Adap
0x000000e0 (00224)   74657243 6f756e74 3a313b0d 0a0d0a     terCount:1;....

0x00000000 (00000)   47455420 2f787a71 2f746a2f 617a712e   GET /xzq/tj/azq.
0x00000010 (00016)   68746d6c 3f737461 72742048 5454502f   html?start HTTP/
0x00000020 (00032)   312e310d 0a416363 6570743a 20617070   1.1..Accept: app
0x00000030 (00048)   6c696361 74696f6e 2f782d6d 732d6170   lication/x-ms-ap
0x00000040 (00064)   706c6963 6174696f 6e2c2069 6d616765   plication, image
0x00000050 (00080)   2f6a7065 672c2061 70706c69 63617469   /jpeg, applicati
0x00000060 (00096)   6f6e2f78 616d6c2b 786d6c2c 20696d61   on/xaml+xml, ima
0x00000070 (00112)   67652f67 69662c20 696d6167 652f706a   ge/gif, image/pj
0x00000080 (00128)   7065672c 20617070 6c696361 74696f6e   peg, application
0x00000090 (00144)   2f782d6d 732d7862 61702c20 2a2f2a0d   /x-ms-xbap, */*.
0x000000a0 (00160)   0a416363 6570742d 4c616e67 75616765   .Accept-Language
0x000000b0 (00176)   3a20656e 2d75730d 0a416363 6570742d   : en-us..Accept-
0x000000c0 (00192)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x000000d0 (00208)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x000000e0 (00224)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x000000f0 (00240)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000100 (00256)   49452037 2e303b20 57696e64 6f777320   IE 7.0; Windows 
0x00000110 (00272)   4e542036 2e313b20 574f5736 343b2054   NT 6.1; WOW64; T
0x00000120 (00288)   72696465 6e742f34 2e303b20 534c4343   rident/4.0; SLCC
0x00000130 (00304)   323b202e 4e455420 434c5220 322e302e   2; .NET CLR 2.0.
0x00000140 (00320)   35303732 373b202e 4e455420 434c5220   50727; .NET CLR 
0x00000150 (00336)   332e352e 33303732 393b202e 4e455420   3.5.30729; .NET 
0x00000160 (00352)   434c5220 332e302e 33303732 393b204d   CLR 3.0.30729; M
0x00000170 (00368)   65646961 2043656e 74657220 50432036   edia Center PC 6
0x00000180 (00384)   2e30290d 0a486f73 743a2075 70646174   .0)..Host: updat
0x00000190 (00400)   652e6273 6b72742e 636f6d0d 0a436f6e   e.bskrt.com..Con
0x000001a0 (00416)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000001b0 (00432)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a6e2f78 616d6c2b 786d6c2c 20696d61   .n/xaml+xml, ima
0x00000070 (00112)   67652f67 69662c20 696d6167 652f706a   ge/gif, image/pj
0x00000080 (00128)   7065672c 20617070 6c696361 74696f6e   peg, application
0x00000090 (00144)   2f782d6d 732d7862 61702c20 2a2f2a0d   /x-ms-xbap, */*.
0x000000a0 (00160)   0a416363 6570742d 4c616e67 75616765   .Accept-Language
0x000000b0 (00176)   3a20656e 2d75730d 0a416363 6570742d   : en-us..Accept-
0x000000c0 (00192)   456e636f 64696e67 3a20677a 69702c20   Encoding: gzip, 
0x000000d0 (00208)   6465666c 6174650d 0a557365 722d4167   deflate..User-Ag
0x000000e0 (00224)   656e743a 204d6f7a 696c6c61 2f342e30   ent: Mozilla/4.0
0x000000f0 (00240)   2028636f 6d706174 69626c65 3b204d53    (compatible; MS
0x00000100 (00256)   49452037 2e303b20 57696e64 6f777320   IE 7.0; Windows 
0x00000110 (00272)   4e542036 2e313b20 574f5736 343b2054   NT 6.1; WOW64; T
0x00000120 (00288)   72696465 6e742f34 2e303b20 534c4343   rident/4.0; SLCC
0x00000130 (00304)   323b202e 4e455420 434c5220 322e302e   2; .NET CLR 2.0.
0x00000140 (00320)   35303732 373b202e 4e455420 434c5220   50727; .NET CLR 
0x00000150 (00336)   332e352e 33303732 393b202e 4e455420   3.5.30729; .NET 
0x00000160 (00352)   434c5220 332e302e 33303732 393b204d   CLR 3.0.30729; M
0x00000170 (00368)   65646961 2043656e 74657220 50432036   edia Center PC 6
0x00000180 (00384)   2e30290d 0a486f73 743a2075 70646174   .0)..Host: updat
0x00000190 (00400)   652e6273 6b72742e 636f6d0d 0a436f6e   e.bskrt.com..Con
0x000001a0 (00416)   6e656374 696f6e3a 204b6565 702d416c   nection: Keep-Al
0x000001b0 (00432)   6976650d 0a0d0a                       ive....

0x00000000 (00000)   47455420 2f787a71 2f726561 642e7068   GET /xzq/read.ph
0x00000010 (00016)   702f745f 6164732f 645f3230 31383031   p/t_ads/d_201801
0x00000020 (00032)   32353136 2f6e5f78 7a712f63 5f787a71   2516/n_xzq/c_xzq
0x00000030 (00048)   2d2e6769 66204854 54502f31 2e300d0a   -.gif HTTP/1.0..
0x00000040 (00064)   486f7374 3a207570 64617465 2e62736b   Host: update.bsk
0x00000050 (00080)   72742e63 6f6d0d0a 4b656570 2d416c69   rt.com..Keep-Ali
0x00000060 (00096)   76653a20 3330300d 0a436f6e 6e656374   ve: 300..Connect
0x00000070 (00112)   696f6e3a 206b6565 702d616c 6976650d   ion: keep-alive.
0x00000080 (00128)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000090 (00144)   696c6c61 2f352e30 2028636f 6d706174   illa/5.0 (compat
0x000000a0 (00160)   69626c65 3b204d53 49452031 302e303b   ible; MSIE 10.0;
0x000000b0 (00176)   2057696e 646f7773 204e5420 362e313b    Windows NT 6.1;
0x000000c0 (00192)   20547269 64656e74 2f362e30 3b290d0a    Trident/6.0;)..
0x000000d0 (00208)   0d0a                                  ..

0x00000000 (00000)   47455420 2f787a71 2f726561 642e7068   GET /xzq/read.ph
0x00000010 (00016)   702f745f 6164732f 645f3230 31383031   p/t_ads/d_201801
0x00000020 (00032)   32353136 2f6e5f78 7a712f63 5f787a71   2516/n_xzq/c_xzq
0x00000030 (00048)   2d2e6769 66204854 54502f31 2e300d0a   -.gif HTTP/1.0..
0x00000040 (00064)   486f7374 3a207570 64617465 2e62736b   Host: update.bsk
0x00000050 (00080)   72742e63 6f6d0d0a 4b656570 2d416c69   rt.com..Keep-Ali
0x00000060 (00096)   76653a20 3330300d 0a436f6e 6e656374   ve: 300..Connect
0x00000070 (00112)   696f6e3a 206b6565 702d616c 6976650d   ion: keep-alive.
0x00000080 (00128)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000090 (00144)   696c6c61 2f352e30 2028636f 6d706174   illa/5.0 (compat
0x000000a0 (00160)   69626c65 3b204d53 49452031 302e303b   ible; MSIE 10.0;
0x000000b0 (00176)   2057696e 646f7773 204e5420 362e313b    Windows NT 6.1;
0x000000c0 (00192)   20547269 64656e74 2f362e30 3b290d0a    Trident/6.0;)..
0x000000d0 (00208)   0d0a                                  ..

0x00000000 (00000)   47455420 2f787a71 2f726561 642e7068   GET /xzq/read.ph
0x00000010 (00016)   702f745f 6164732f 645f3230 31383031   p/t_ads/d_201801
0x00000020 (00032)   32353136 2f6e5f78 7a712f63 5f787a71   2516/n_xzq/c_xzq
0x00000030 (00048)   2d2e6769 66204854 54502f31 2e300d0a   -.gif HTTP/1.0..
0x00000040 (00064)   486f7374 3a207570 64617465 2e62736b   Host: update.bsk
0x00000050 (00080)   72742e63 6f6d0d0a 4b656570 2d416c69   rt.com..Keep-Ali
0x00000060 (00096)   76653a20 3330300d 0a436f6e 6e656374   ve: 300..Connect
0x00000070 (00112)   696f6e3a 206b6565 702d616c 6976650d   ion: keep-alive.
0x00000080 (00128)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000090 (00144)   696c6c61 2f352e30 2028636f 6d706174   illa/5.0 (compat
0x000000a0 (00160)   69626c65 3b204d53 49452031 302e303b   ible; MSIE 10.0;
0x000000b0 (00176)   2057696e 646f7773 204e5420 362e313b    Windows NT 6.1;
0x000000c0 (00192)   20547269 64656e74 2f362e30 3b290d0a    Trident/6.0;)..
0x000000d0 (00208)   0d0a                                  ..

0x00000000 (00000)   47455420 2f787a71 2f726561 642e7068   GET /xzq/read.ph
0x00000010 (00016)   702f745f 6164732f 645f3230 31383031   p/t_ads/d_201801
0x00000020 (00032)   32353136 2f6e5f78 7a712f63 5f787a71   2516/n_xzq/c_xzq
0x00000030 (00048)   2d2e6769 66204854 54502f31 2e300d0a   -.gif HTTP/1.0..
0x00000040 (00064)   486f7374 3a207570 64617465 2e62736b   Host: update.bsk
0x00000050 (00080)   72742e63 6f6d0d0a 4b656570 2d416c69   rt.com..Keep-Ali
0x00000060 (00096)   76653a20 3330300d 0a436f6e 6e656374   ve: 300..Connect
0x00000070 (00112)   696f6e3a 206b6565 702d616c 6976650d   ion: keep-alive.
0x00000080 (00128)   0a557365 722d4167 656e743a 204d6f7a   .User-Agent: Moz
0x00000090 (00144)   696c6c61 2f352e30 2028636f 6d706174   illa/5.0 (compat
0x000000a0 (00160)   69626c65 3b204d53 49452031 302e303b   ible; MSIE 10.0;
0x000000b0 (00176)   2057696e 646f7773 204e5420 362e313b    Windows NT 6.1;
0x000000c0 (00192)   20547269 64656e74 2f362e30 3b290d0a    Trident/6.0;)..
0x000000d0 (00208)   0d0a                                  ..


Strings