Analysis Date: 2018-04-18 02:33:54
MD5: b0c0f6e092e83993783f57587ae25021
SHA1: fe97bbbc6afeda2b4b83703d9ee4b0dde0461b26

Static Details:

File type: PE32 executable (GUI) Intel 80386, for MS Windows
PEhash:
AV Arcabit (arcavir): Error Scanning File
AV Authentium: W32/Expiro.A!Generic
AV Grisoft (avg): Win32/Heur
AV Avira (antivir): W32/Expiro.QQ
AV Alwil (avast): Cybota [Trj]
AV Ad-Aware: Win32.Expiro.Gen.4
AV BitDefender: Win32.Expiro.Gen.4
AV BullGuard: Error Scanning File
AV ClamAV: No Virus
AV Dr. Web: Trojan.PWS.Papras.2863
AV Emsisoft: Win32.Expiro.Gen.4
AV MicroWorld (escan): Win32.Expiro.Gen.4
AV CA (E-Trust Ino): Win32.Expiro.Gen.4
AV Fortinet: W32/Expiro.CG
AV Frisk (f-prot): W32/Expiro.A!Generic
AV F-Secure: Win32.Expiro.Gen.4
AV Ikarus: No Virus
AV K7: Virus ( 00512af51 )
AV Kaspersky: Virus.Win32.Expiro.ns
AV MalwareBytes: Error Scanning File
AV Mcafee: W32/Expiro.gen.rd
AV Microsoft Security Essentials: Virus:Win32/Expiro.EM!bit
AV NANO: Error Scanning File
AV Eset (nod32): Win32/Expiro.CG virus
AV Padvish: No Virus
AV CAT (quickheal): W32.Expiro.NS1
AV Rising: No Virus
AV 360 Safe: No Virus
AV SUPERAntiSpyware: Error Scanning File
AV Symantec: W32.Xpiro.I
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): Virus.Expiro.28B05
AV Windows Defender: Virus:Win32/Expiro.EM!bit
AV Zillya!: No Virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\fe97bbbc6afeda2b4b83703d9ee4b0dde0461b26.exe

Creates File: C:\Windows\System32\gazv-mx-dis37
Creates File: c:\Windows\SysWOW64\alg.exe
Creates File: c:\Windows\SysWOW64\alg.exe
Creates File: c:\Windows\Sysnative\alg.exe
Creates File: c:\Windows\Sysnative\alg.exe
Creates File: c:\Windows\Sysnative\mhmlecad.tmp
Creates File: c:\Windows\SysWOW64\svchost.exe
Creates File: c:\Windows\SysWOW64\svchost.exe
Creates File: c:\Windows\SysWOW64\dnilkjln.tmp
Creates File: c:\Windows\Sysnative\svchost.exe
Creates File: c:\Windows\Sysnative\svchost.exe
Creates File: c:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
Creates File: c:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
Creates File: c:\Windows\microsoft.net\framework\v2.0.50727\jnidmapc.tmp
Creates File: C:\Windows\System32\C_1252.NLS
Creates File: C:\Windows\System32\C_1252.NLS
Creates File: C:\Windows\System32\C_1252.NLS
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\fe97bbbc6afeda2b4b83703d9ee4b0dde0461b26.exe
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Certlg32\Audiosys.exe
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\Certlg32\Audiosys.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\59A6\12F.bat
Creates File: c:\Windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
Creates File: c:\Windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
Creates Mutex: kkq-vx_mtx1
Creates Mutex:
Creates Mutex:
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\atmftres ➝ C:\Users\Phil\AppData\Roaming\Microsoft\Certlg32\Audiosys.exe

Process
↳ C:\Windows\SysWOW64\cmd.exe

Creates File: C:\Users\Phil\AppData\Local\Temp\59A6\12F.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\59A6\12F.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\59A6\12F.bat
Creates File: C:\Users\Phil\AppData\Local\Temp\59A6\12F.bat
Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls

Process
↳ C:\Windows\SysWOW64\cmd.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls

Process
↳ C:\Users\Phil\AppData\Roaming\Microsoft\Certlg32\Audiosys.exe

Creates File: C:\Windows\System32\gazv-mx-dis37
Creates File: c:\Windows\SysWOW64\alg.exe
Creates File: c:\Windows\SysWOW64\alg.exe
Creates File: c:\Windows\Sysnative\alg.exe
Creates File: c:\Windows\SysWOW64\svchost.exe
Creates File: c:\Windows\Sysnative\svchost.exe
Creates File: c:\Windows\Sysnative\svchost.exe
Creates File: c:\Windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe
Creates File: c:\Windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe
Creates File: c:\Windows\microsoft.net\framework64\v2.0.50727\nilaoalb.tmp
Creates Mutex: kkq-vx_mtx1

Network Details:
