Analysis Date: 2018-05-02 03:44:02
MD5: 3f7c36425ce26c284889b067655ab798
SHA1: 4ec4e37e2eb181031cf36fdc7463e79b3477f85d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly
Section .text md5: 6c56e920cc6f5068e49c0a3af8d50adc sha1: 5ded64e7da5234e8c9dadbcb79c55a05401b35c2 size: 52224
Section .rsrc md5: 8fcad6ebd85f86ea810400c832641edb sha1: ce50009992b929f6849e0a7eb811016410529e72 size: 1024
Section .reloc md5: 77c679861f75d23a95f0b4dd3fbd3f3c sha1: bd1455c2b15bde0c2b167e4b266e1aa68aa66b30 size: 512
Timestamp: 2014-10-21 03:05:22
Version info:
LegalCopyright:
Assembly Version: 0.0.0.0
InternalName: 123.exe
FileVersion: 0.0.0.0
Comments: RPX 1.3.4399.43191
ProductVersion: 0.0.0.0
FileDescription:
OriginalFilename: 123.exe
AV 360 Safe: Gen:Variant.Kazy.237298
AV Ad-Aware: Gen:Variant.Kazy.237298
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.OTGW-5694
AV Avira (antivir): TR/Kazy.12665481
AV BullGuard: Gen:Variant.Kazy.237298
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.237298
AV Eset (nod32): MSIL/Kryptik.JB
AV Fortinet: MSIL/Dropper.AZQ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Packed:MSIL/SmartIL.A
AV Grisoft (avg): MSIL5.AGAU
AV Ikarus: Trojan.MSIL.Crypt
AV K7: Trojan ( 00430c6c1 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Trojan.MSIL.Gen
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.237298
AV Norman: Gen:Variant.Kazy.237298
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\4ec4e37e2eb181031cf36fdc7463e79b3477f85d.exe

Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\4ec4e37e2eb181031cf36fdc7463e79b3477f85d.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\4ec4e37e2eb181031cf36fdc7463e79b3477f85d.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\4ec4e37e2eb181031cf36fdc7463e79b3477f85d.exe
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
Creates File: C:\Users\Phil\AppData\Local\Temp\4ec4e37e2eb181031cf36fdc7463e79b3477f85d.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
Creates File: C:\Windows\assembly\NativeImages_v2.0.50727_64\indexbb.dat
Creates File: C:\Windows\System32\l_intl.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\4ec4e37e2eb181031cf36fdc7463e79b3477f85d.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings
0.0.0.0
000004b0
1.0.15.0
123.exe
Assembly Version
Comments
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFilename
ProductVersion
RPX 1.3.4399.43191
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
123.exe
2ABCF7DC984A1BC463A7E4A0A6487D110723EDE6
add_ResourceResolve
AppDomain
ArgumentException
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
Boolean
.cctor
CompilationRelaxationsAttribute
CompressionMode
Concat
ContainsKey
_CorExeMain
DeflateStream
DialogResult
Dictionary`2
Dispose
FileAccess
FileMode
get_Assembly
get_CurrentDomain
GetData
get_EntryPoint
get_Evidence
GetExecutingAssembly
get_Length
GetManifestResourceNames
GetManifestResourceStream
get_Message
get_Name
GetPart
get_StackTrace
GetStream
GetType
GetTypeFromHandle
IDisposable
InitializeArray
Invoke
MemberInfo
MemoryStream
MessageBox
MethodBase
MethodInfo
Monitor
mscoree.dll
mscorlib
ObfuscationAttribute
Object
Package
PackagePart
ReadByte
@.reloc
ResolveEventArgs
ResolveEventHandler
RPX 1.3.4399.43191
`.rsrc
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
SetData
set_Item
STAThreadAttribute
String
#Strings
StripAfterObfuscation
SuppressIldasmAttribute
System
System.Collections.Generic
System.IO
System.IO.Compression
System.IO.Packaging
System.Reflection
System.Runtime.CompilerServices
System.Security.Policy
System.Threading
System.Windows.Forms
!This program cannot be run in DOS mode.
ToArray
UriKind
v2.0.50727
ValueType
Version
WindowsBase
WrapNonExceptionThrows
YanoAttribute