Analysis Date: 2018-05-02 05:10:51
MD5: 74f563aa0118649263ae6615dce12587
SHA1: 9173c3b398cb5ef8e508507409593704d0489e19

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly
Section.text md5: 56bd09e31584bf7274cc9b7bfb35e510 sha1: 5b63e6f7eb0752732ec36e6074e42b37774ba52b size: 230400
Section.rsrc md5: fa57fcfce14a1358f14fc2d5244fcea6 sha1: b4df3ac0ca4db0e114074008402abe04ba7dd472 size: 3072
Section.reloc md5: 22e3288d1ae999fa94b656a46bd39b56 sha1: 490bdfbb15d051b4a7fcdcd2a7e7de1225bdb402 size: 512
Timestamp: 2015-01-11 18:13:04
Version:
LegalCopyright: system
Assembly Version: 766.445.767.414
InternalName: letstry.exe
FileVersion: 1.7.4.45
CompanyName: system
LegalTrademarks: system
Comments: system
RPX 1.3.4400.61
ProductName: system
ProductVersion: 1.7.4.45
FileDescription: system
OriginalFilename: letstry.exe
AV 360 Safe: no_virus
AV Ad-Aware: Gen:Variant.Kazy.186742
AV Alwil (avast): GenMalicious-HP [Trj]
AV Arcabit (arcavir): Gen:Variant.Kazy.186742
AV Authentium: no_virus
AV Avira (antivir): TR/Kazy.1858561
AV BullGuard: Gen:Variant.Kazy.186742
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: Win.Trojan.Bladbindi
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.186742
AV Eset (nod32): MSIL/Kryptik.JB
AV Fortinet: MSIL/Dropper.AZQ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.186742
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.MSIL.Crypt
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.186742
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\9173c3b398cb5ef8e508507409593704d0489e19.exe

Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\9173c3b398cb5ef8e508507409593704d0489e19.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\9173c3b398cb5ef8e508507409593704d0489e19.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\9173c3b398cb5ef8e508507409593704d0489e19.exe

Network Details:


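Raw Pcap (both requests below are the Windows NCSI connectivity probe, GET /ncsi.txt on www.msftncsi.com with User-Agent "Microsoft NCSI"; this traffic is normally generated by the operating system itself, so it is likely sandbox background noise rather than a sample-specific network indicator)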
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .

0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings
..
9`.
.
.
.
.
D
}ON..{..
.
x.
?.C.M
0
U.
..
..
.
000004b0
1.0.15.0
1.7.4.45
766.445.767.414
Assembly Version
 -Ax
Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
letstry.exe
OriginalFilename
ProductName
ProductVersion
RPX 1.3.4400.61
StringFileInfo
system
Translation
VarFileInfo
VS_VERSION_INFO
,./`]/
{"?#"<
{"(`$&
-0;4JAu
;07HIa*dO
0 BM	>
/"0M[k|zq
0Tz:[E
1<)6?w!"I'
1.7.4.45
19hOeQa?
1q	TRJFzTS
 1v1GH
1xXbK&kt
'+2e(J'
2eX#i<<'
(2o@3~#
2p_]ty
2RXYJOcj
2T`gTV
2ye)K3
+35f~b
39h$yW
3+DLP_
3'Lm+B
3` n5^
3`)+OFn
-	,]4}=}
=-43g.?
45Z309)
46Yq{B
.^\49]%
=4C/)j
@"4!Ct
4E oKd:
4GOlZC4Y
4]>QcE
4tu!:~
4)#Y\4qr
/)(55:
5\7b	%
?#5&+b+
5H|fPN
5'@!(I&?\*5T#&
5sG%>C
}5XO+;
	6;4Y+Rf
65Fki@F
65g=j~
670UObT0
68|1(!&{$
6.mGVi
#6t5rn
6}u@=l
~6U)M*>
6(wLyx
6yX`fB
78:eaut3
'7A}J\
7?D% J
[7inXy
7@KO(N
7s'Apru
7z<')M
8`29b%DG
82*U3}6
8$>6J.
87	\.J
8=8>R0
8iDTK(
8n`VH)Yz
8nVZ+%	
8rj|3z 
&8VQ8Y
98GCfDP4
}@9Doj
9Jf0HOP
9LQaH++.
9uq%0W
a/3h*C
}a`@b^R?
add_ResourceResolve
A!DSkn
a~#E*+lx^
aH>:`Z
'AJ4V{DyRA
AppDomain
APr< A
ArgumentException
</assembly>
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
.Ats  B
axb+_Y[
az	$:cgVH
B3I<J6?
 B5Rld%
b}$8Q7
BfHd;g
$b$oEe
('bq1"
}/BrcJL
bSX>qj
b_?VdV
BwOnQJ
b&x:Nm8
b^z"Pp 
"C28J2
C[3DmYF=f
cbU-/G
ccPgiX`dK
.cctor
C!=\d@
]>cN_I
CompilationRelaxationsAttribute
CompressionMode
Concat
ContainsKey
_CorExeMain
Cq'6Whx
CR0FHZ
!>C@U01,
%cx2 l
cy%jMB
$CzN0Q
['"C_ZSUQ=.v
D&02XG
d0:z)}
d5<>e>K
DDDDDD
DDDDDDDDDDDDD@
DDDDDDDDDDDDDDp
DeflateStream
DialogResult
Dictionary`2
Dispose
&dJEiv
.d:"k8
/D[:O\
+{/DQe
DrDQ]x
:dtX=F)
d'UX<x
E10}|[
e;[7NX:MO
EB@BCL
EB?F)Tf
E\D`Vz
E	Kkv 
}ElhdP
ELWgv)
enb.y*
Environment
ep	9-E
epIh_q
E[SIU?I>V
E{~UwH
Ey:\$P
E-ZAbP
*,!/-."#F
f59gG[2
.]+%F7
F(|-8A
?fD8I%
%{Ffk'@~n
fFLMF$
,f@FQxS
FGjEGr
FI!2}qu
FileAccess
FileMode
Fo_03C
F/OrMy
fqB5L3
~Fq*sg
.f&rWG)
"FXx@q
_[]\	G
g1Q~aU
G2?YG8l
[g5|>E
_G5,F,{
g$5ufPJ
>gAm?6
$	gD<O
get_Assembly
get_CurrentDomain
GetData
get_EntryPoint
get_Evidence
GetExecutingAssembly
get_Length
GetManifestResourceNames
GetManifestResourceStream
get_Message
get_Name
get_NewLine
GetPart
get_RequestingAssembly
get_StackTrace
GetStream
GetType
GetTypeFromHandle
GG6R{\
gg}h`P
GpL;Ge
g"ri(t
G!ShrY
&gt7n{
g[v\Z.
(*)(;"H7=J
HCRSD@A_
`hGpTa
hirZ8pN
HKu.&iGlg)
h(,#-tJ
HTRc:[
HvowDk
++$[HY
(<i@=@
+i1,S@
i6wK8{
I?7Xh$
IDisposable
igI(-.n
(iH5#T
;=ikuy
imjbkk6
INeQFFG
>InHdP
InitializeArray
Invoke
iP:7r;m
I.Qah6
ium*?s
i|Vd3~
IVW@UU
{}ix	`
j +~>.
J9xWJP
-jB6a"u
[\]j.C
jC|9.lfu
j.e@MrR
JmCn#*(X.Q
JnZ	BbS
 jP6c#dA"5
Jq5)RMi
'JSntN
jU/Kp(|
[j<~VN
JYdD	7K
jy#(%e
jyE_2@|K
j?zI]U
Jzjr0uv
+())(k&
k!0aV@
K88IiD!
KC7BEw
 kCE,KB
K}-\_d
K;I%Q+
,K(K30
K{uGLw-
l8Zy?C
>l}bN8
LE Tcn^
letstry
letstry.exe
*lI+ex
LLLLLLLLLN
LL.qU6X
LP&>BJ
+L|=pd9>
LP%:tU
lQ_`|C
l~rFJ}
LSo).e^
L\v@8}ffJ
}L.Z7f
{Lz"p<
#)m-5yd
M8j5OFwCC
+mebcm
MemberInfo
MemoryStream
MessageBox
MethodBase
MethodInfo
m}EvmA
Mgo=3m
MH6>=b
M,[j-@_
_MmJ'[VCCQP
`[MO3s
Monitor
m,RZ7!
;MS,3r
mscoree.dll
mscorlib
mwM1-D
M(Z@BN
n2wu;R
n6_79+
n_9i(EY
nGd@cW
nJ1q"J
n|L9g)
NLxEd0
NpY5 Qet<=
-N}r-yQ
NY|	hJN_j
o43+(,
O8_n2GZ
#O96_H}u
ObfuscationAttribute
Object
o.C>Hu
>-,o-d
OD[OKnMvq=
oE).*01
OGb%=l_
OI3u'!;
oM$zj?
op_Equality
op_Inequality
OqG,eX
Ou3A\n
;=oxh$|cH)g`
)&o>Xq
]=[$/P
p1JBDh
p1mF5Lh
-?p+8V
P}9V]rK-
Package
PackagePart
Pb7/zOM/T
Pehzm5at
(pfu[^9
PG:zR9
,p/K]`
)Pk;a(A
p)L^~?
"Powered by SmartAssembly 6.9.0.114
PV`gtK
Pw$	_;
@/},_~Q
Q1n@ZH
[Q^FtCg
}^qfwC
qF}?YR2
)qI'Y=yMw>
qI#>zo
@{Q=JV
Q@	OAb
`{]Qp.h
Q@>}q&
?+Q}r1
Q$^S2U
/Q.S)m)
\qvr6}v
q<	$<W
}}qXd0
q_&Y/?
}'r_@+
@.reloc
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
ResolveEventArgs
ResolveEventHandler
RPX 1.3.4400.61
R@R5 0
`.rsrc
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
r\'}v^
S1\@@?
s1_SPc@
s)2wO:],
S'>$.9
sbm]Su
S(+E<a-.P
    </security>
    <security>
SecuritySafeCriticalAttribute
SetData
set_Item
!^sEV4hHP0
{=Sf>e)
S$gQFS
@\sI<,
"sjb{NJ
SN*QCr:
SODtK6sE
<ssa@{K
'S~/t>
STAThreadAttribute
String
#Strings
StripAfterObfuscation
stvE64S
SuppressIldasmAttribute
svTIPFF
sX{	%|U
system
System
System.Collections.Generic
System.IO
System.IO.Compression
System.IO.Packaging
System.Reflection
System.Runtime.CompilerServices
System.Security
System.Security.Policy
System.Threading
System.Windows.Forms
{}sZB`
sz*v9"
+.t>0?-
T\&*7{%
t8Ef]''
t8:J-8
!This program cannot be run in DOS mode.
t	j~->
T=`j9Z
(TJH&&T
	~tN>+
ToArray
~t*`QI
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TY3 fAx
Ty !p~f
|tZAaB
U1[Pbl
:u"4:N
u8$m5fQ
u9(wso
</UOXr
U/q8eo
UriKind
us`/4M
U>Uz5U
Uv ~2w'
v4.0.30319
V&?4X^+
*V7!|HF
ValueType
vB}4KQ[
VEfh><
Version
"VHVDj%
^V|N[.{
vo*c7S
;Vp~)JGb
V]w_;Cfbbsw
V(%Wh\
vwT4S"a
^"Vwz@
\W2)iuF
w7).fn
WaJ7oT
@wDVnX
W$hP@>
WindowsBase
wj]$Zckd
WM7}t8
[W]N#p@
w$] P^
W{	ppuBQ
WrapNonExceptionThrows
wtbY1x
WtJr\l
WUK ,(w
wwwwwwwDDDDDDDGO
wwwwwwwwwwwwwwp
{.X7-H7
?XA0?y
Xa_cmS
{x)AV$
,X>,{(/B
x/D8:^;7
Xj%KUu
XkyZ)e
X[({l~
x)|^)Mh
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
}x(R`EL
*X|^*sg
XuCEq6
. ]xW	
+xX[TE
Y>1<.Zo
YanoAttribute
?(y';b
y,+c+1
Yf1Idr
Y`_i<wS
Y>=$KJ#
$:yO@]
*Yq,UEo
_y.rn	
ySBQ(O
Yw5Sh(
y<_"@Z![
z1p?RmZ	B
Z93NT;
z_@ADEBDG
zFF} ,
}zivw<pD#t#WG^_LC
z)jd~oe
z#LcI"
Z<LRwp
@z(.Qw
ZSqmGo
ZsvS3=
zT!4od[4
 |[Z]tw6
ZW]+t%