Analysis Date: 2018-05-02 03:37:43
MD5: 59f322b55db87e171b491765e1b30033
SHA1: d60e6384eded099ec9d11b294ad0eaf7783f690b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 Mono/.Net assembly
Section .text   md5: 0a837ff400c1658435be18b097ad70c1  sha1: 4fbc04f7ec28408efa8709b3b51541c1be7aaec9  size: 197632
Section .rsrc   md5: 1ad2d1b5120354271f3a1709acebf88a  sha1: ee6815ad5ea1cf68ac8011bce75511dd6d4b530e  size: 250368
Section .reloc  md5: 0c3388caa5e8674811297e6a26476d4d  sha1: 9debdc00af067d31b2c19aa8f0080e336c0882ee  size: 512
Timestamp: 2014-08-05 00:29:10
Version:
LegalCopyright: z8RDo10Yr
Assembly Version: 39.11.38.61
InternalName: Server.exe
FileVersion: 39.11.38.61
CompanyName: w1J4R
LegalTrademarks: Le1n0F2Dsm
Comments: w8W9Dt
RPX 1.3.4399.43191
ProductName: f8E1N
ProductVersion: 39.11.38.61
FileDescription: Xe6w0E8QxM
OriginalFilename: Server.exe
AV 360 Safe: Trojan.GenericKD.1792502
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.MSIL.71397
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.1792502
AV Eset (nod32): MSIL/Kryptik.JB
AV Fortinet: MSIL/Dropper.AZQ!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.1792502
AV Grisoft (avg): MSIL4.ANYM
AV Ikarus: Trojan.MSIL.Kryptik
AV K7: no_virus
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Trojan:Win32/Dynamer!ac
AV MicroWorld (escan): Trojan.GenericKD.1792502
AV Norman: no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Screenshot

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\d60e6384eded099ec9d11b294ad0eaf7783f690b.exe

Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\d60e6384eded099ec9d11b294ad0eaf7783f690b.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\d60e6384eded099ec9d11b294ad0eaf7783f690b.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\d60e6384eded099ec9d11b294ad0eaf7783f690b.exe
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
Creates File: C:\Users\Phil\AppData\Local\Temp\d60e6384eded099ec9d11b294ad0eaf7783f690b.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
Creates File: C:\Windows\assembly\NativeImages_v2.0.50727_64\indexbb.dat
Creates File: C:\Windows\System32\l_intl.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\d60e6384eded099ec9d11b294ad0eaf7783f690b.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config

Network Details:


Raw Pcap

Strings
.
;
b
.
.
..
.`
.
.
.
.
.
.
?
>

'=&?
000004b0
39.11.38.61
A)mJa
Assembly Version
Comments
CompanyName
f8E1N
FileDescription
FileVersion
InternalName
Le1n0F2Dsm
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion
RPX 1.3.4399.43191
Server.exe
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
w1J4R
w8W9Dt
Xe6w0E8QxM
z8RDo10Yr
;;;;;;
............
'%%%%%%%%%%%%%%%%%%%%%%%%'
"'..'$
++'%'*+'%'*+
																		
~}/0"&
!%=0/7T_dffcZP2/2=%!
@0pj\V
0R`l	L
0$.tT>(V
0Z	Giq
-:139jF
16::<<<@@@BBRRBBB@@<<:::60
1A`kc3
1+=$JF
1[Rl^P
(2aaKJNf
,2LX|]
2ybk7L
33333333931
39.11.38.61
?%"3]D
!3FIIIIE1!
3GK9sg?,
?3H0$o
3&|+nt@S
3n]uSA
3p_Cn/
3^[pH=
3!roF0A
3#-up`
44 4q6?H
4JLJJLJJJJJJJLJJJJJ4
4kdIMy
%4o_Lv
5FIIIIE3
5jX[/cl+
<5!s7B
,6WitvvvvvvtfV6,
6)}xm<K
71Z/6:
	73K$&
7aO<nw
7ddcabae2c6e4189ac33be8bfbf9f651
(!7 'Dfo
?:^-7Hq,
7m>wz=T
7nnnnnjjjaaaaaaaajjnnnnnn7
7nnpn3'
\7@Wol/
<'81d_Q	-d"
)8::2(
86Mhtvvvvvvtd>28
88777777777777777777777777777777777778
(8=FJLF=8'
8=FJLF=8
8=FLLF=8
8L?L&L
8LT%:'
'	]8Nx
8skmW+Yzj
9;8OtD
9Ap=Nd2{
9nX[3l
9R[+V6
A1JZAz
>aajnnpnjaZ6
add_ResourceResolve
aG8~CT
AHs0a]P
aP<a)q
AppDomain
aq3Y-X
A^QHE=
ArgumentException
AScU2W<Y9[=]<_
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
A|||wVSVYkkw
`bb+cc
\Bd {,
	BIDATN
BitConverter
$@^)]bJ
b:SA>DK
~|B!Y(
C@=>BD
.cctor
C<dYj$.
CompilationRelaxationsAttribute
CompressionMode
Concat
ContainsKey
_CorExeMain
CreateDecryptor
CryptoStream
CryptoStreamMode
c"V~4 7
C'wQsh
cxp9_|
CXZajnnpnjaZeD
D+=]-\
(}D0q3
"d5ptK"
D]&5YU
_`.D>A@y
D:B.C.
DeflateStream
DESCryptoServiceProvider
Dhk< U
dhO3}_
DialogResult
Dictionary`2
Dispose
(dV`%E$
e]4w(&R
>`e6Aa
-E&.B^
EE=228=EJJF=626=EE
Ee\;5-^
)==EEFFJJLLJJFFEE=;)
$eL#9O1J
ERRS> 
F[2gd7
F[6MM[4"
f8{yP	
FFJFE===EE===EFFJF
FileAccess
FileMode
FJRgM+]
f &kMG
%$fn5c
f[`o\*
FP19.s
FvG	TJ
G>AfqJ
get_Assembly
GetBytes
get_CurrentDomain
GetData
get_EntryPoint
get_Evidence
GetExecutingAssembly
get_Length
GetManifestResourceNames
GetManifestResourceStream
get_Message
get_Name
GetPart
get_StackTrace
GetStream
GetType
GetTypeFromHandle
-Gf79,
gs2HL>
[GuTc0
g>vc=8
H#44"Q
H5*8c+Q 
H#<7{0
h"f8~*
Hh@f'|
=;hI8l
hK-($WT
[h<L$ 
HNN222
hnnpnnpnnnnnnnnnnnnpnnpnnh
&(H=oc7
h@["Pd&
#hUBl<US8
'{hw}r10!V
iAr'5*Wg'
ICryptoTransform
IDAT!-
IDisposable
IJ)tD,
iK<<v7
InitializeArray
Intern
Invoke
iooE@s
ittlikqvtf
&${~itz
i}ze(1
+izm|Z{$
J_6fRV
>[:$JC
jc[AVj8q
j	JblT
jjjjaZXZajnnpnjaZXXaajjj
^j{N-)
JOx2n2`
Jvt*j|
Jz?q#N]K
:KEV!.
|\KGQaa2(
kiyKxy
>KJvWOD^M
kkk%@c}
&kkw||
%KUa_zg
)kWt5P
KwwoVS
kXm_oHqKs
KZ7`||
L7lzN6
Le1n0F2Dsm
 &LL$"
L`(MYI<
l=r!T)
lTUYZi-
{^=LUu
M5=s2B
|mbtSF>=
+MC*h4
m'DxHX
MemberInfo
MemoryStream
MessageBox
MethodBase
MethodInfo
mk5jM]D
_M:n~JpW3b=/
Monitor
mPSZxhm
mr86&wf
MRf_19[
mscoree.dll
mscorlib
n2!QpZ
/n6M'++
}(N]:gH
NgSod3
nnnnnpnpnppppppnpnnpnpnnnn
]nnpnT
NoylT"
.N>qr1y
n;.`!V
nW;`x;
;+!+ob
?oB4eD9
ObfuscationAttribute
Object
oB`LoN
||ok[%
o'(o[3'(F
|oo[YSS[w|||A
op_Equality
o|p{p(
""O?RP-
OrP@@@q
|||oSSV[
Ot_!/k
ovvvvn
OxkoqZym
oYolus
p440pp440p
+pa($*
Package
PackagePart
PH(L/*ad
pKJv?h
 Pkoowww|||
P ~NF~
pr%$jg,
"-pur&
,p_v*i
p#}YQ@ jW\
q=("ar+
q!dNL2
qhkXV~o[2
{qj1P)%
Qp&PU\|
q)@s%`
Q)s6f@
QZajnnpnjaZL
{,/r7a6
Ra|J\9
ReadByte
@.reloc
ResolveEventArgs
ResolveEventHandler
Rg"gO_B'bDWP
#/RitvvvvvvtfN/#
/	RodV
RPX 1.3.4399.43191
`.rsrc
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
r#VmKF_~T
}S|.24$
*SAb	K
+S[a`YQ*
s ]`cj'G
=SE:kp
s[enf}
Server
Server.exe
SetData
set_Item
Sit( 7!
#sJ!WO
SqlW|Bl
STAThreadAttribute
String
#Strings
StripAfterObfuscation
StXTf3
SuppressIldasmAttribute
svScT%
sWLjM<cb
SymmetricAlgorithm
]sYnAu
System
System.Collections.Generic
System.IO
System.IO.Compression
System.IO.Packaging
System.Reflection
System.Runtime.CompilerServices
System.Security.Cryptography
System.Security.Policy
System.Threading
System.Windows.Forms
T7O,n%
{T95jd
T|"9pq/
@t+:~d'
T>|E1?2
!This program cannot be run in DOS mode.
/TiuoN@p+
TjaZKNXZajnnpnjaZQNNZjaT
^tmpv]
TnzJsP
ToArray
ToCharArray
Tv<?$y`
Tw$m#JgN
*TZHEup
]`U98o"
uDh\3b
UE%Jo~#
uE&nxgQQ
|UIr5G
uiu_Yh
uMSow|K
UriKind
.+UTU_
uVSSVow||
%uXzuF
u;yT`P
v2.0.50727
 :V2JY
V{2Uc9
ValueType
Version
;vInfcBD
VIP?pI
,vIYJ8M
<vJ`*%E5{GxY
v,kbUj
{vt}uwz
vvvvvv
\vvvvvv3
|||||w|||||
w1. oC
w:1Rr{
w<7O Zbs
w8W9Dt
W|Cy|$2I=
[W%{f	
wH/69{
WindowsBase
Wjzqq(
||wk[YYkw|
Wl]_wk
wm<}AOg
wokkko||
wokkoww
||woww|
-)wq#C
w%,q>y
WrapNonExceptionThrows
	Wvln@
})wv@w
|||wwoookkO 
||wwwww|
wwwwwwwwwwwwwwwwwwp
wxp1&h
WY*JT1
|wYYYkkw||
+X!"8-
X|9_B#
XaajnnpnjaZX
$X":c%a
Xe6w0E8QxM
X$g$=*
[ XM:.
XO=FJLFIUb
X^@PrPq
*xqiH]
>Xr}gJ
{y>02t
Y;`]8$
)Y9   
Ya~0Xd
YAFE([
YanoAttribute
+]ydLE
yd@wTs{:
yg"]'*
y!kLs0e
YKR/6i
}y}V*RvC
Y~/-zqU
	z8RDo10Yr
,$ZajnnpnjaZ#/
Zc%|_3[
zc8DCf
zeyiQed5
)zgtI[
ZkszXf)
z^~	w2H
)Z!^x`
>zz6VP
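Triage note on the strings above (added here; not part of the sandbox report): the .NET member names that survive obfuscation (GetManifestResourceStream, add_ResourceResolve, DESCryptoServiceProvider, CreateDecryptor, CryptoStream, DeflateStream, get_EntryPoint, Invoke, SuppressIldasmAttribute, StripAfterObfuscation) together with the "RPX 1.3.4399.43191" tag are the import surface of a typical MSIL crypter stub: read an embedded resource, DES-decrypt it, Deflate-decompress it, and hand execution to the result via reflection. That reading is an inference from the strings, consistent with the Avira (TR/Dropper.MSIL) and ESET (MSIL/Kryptik) labels, not something the report states. The script below is an added example of turning that inference into a repeatable check over any strings dump; the stage groupings, the packer-tag regex and the verdict rule are the author's assumptions, and the embedded input is a constructed subset of this sample's strings.

```python
"""
Triage heuristic for a .NET strings dump: does the type/member surface look
like a crypter stub (obtain an embedded payload, transform it, run it via
reflection)?  Added example, not part of the sandbox report; stage names,
the packer-tag regex and the verdict rule are assumptions by the author.
"""
import re

# Constructed input: a subset of the strings extracted from the sample above.
SAMPLE_STRINGS = """
Server.exe
RPX 1.3.4399.43191
add_ResourceResolve
ResolveEventHandler
AppDomain
GetManifestResourceNames
GetManifestResourceStream
DESCryptoServiceProvider
CreateDecryptor
CryptoStream
CryptoStreamMode
DeflateStream
CompressionMode
MemoryStream
get_EntryPoint
Invoke
GetExecutingAssembly
InitializeArray
SuppressIldasmAttribute
ObfuscationAttribute
StripAfterObfuscation
YanoAttribute
System.Security.Cryptography
System.IO.Compression
System.Reflection
""".strip().splitlines()

# Stages of the suspected unpack chain and the .NET names that implement them.
# Name lists are the author's choice; extend them for other stubs you meet.
STAGES = {
    "embedded_resource": {"GetManifestResourceStream", "GetManifestResourceNames",
                          "add_ResourceResolve", "ResolveEventHandler"},
    "decrypt": {"DESCryptoServiceProvider", "TripleDESCryptoServiceProvider",
                "AesCryptoServiceProvider", "RijndaelManaged",
                "CreateDecryptor", "CryptoStream"},
    "decompress": {"DeflateStream", "GZipStream"},
    "reflective_load": {"Load", "get_EntryPoint", "Invoke", "GetExecutingAssembly"},
    # Attributes left behind by obfuscators; YanoAttribute is assumed to be the
    # marker of the Yano .NET obfuscator.
    "anti_analysis": {"SuppressIldasmAttribute", "ObfuscationAttribute",
                      "StripAfterObfuscation", "YanoAttribute"},
}

# Version tags some .NET packers/obfuscators leave in the binary, e.g. "RPX 1.3.4399.43191".
PACKER_TAG = re.compile(r"^(RPX|Yano|SmartAssembly|Confuser(?:Ex)?)\s+\d+(?:\.\d+)+$")


def find_stages(strings):
    """Return {stage: sorted matched names} for every stage with at least one hit."""
    seen = {s.strip() for s in strings}
    hits = {}
    for stage, names in STAGES.items():
        matched = sorted(names & seen)
        if matched:
            hits[stage] = matched
    return hits


def find_packer_tags(strings):
    """Return the packer/obfuscator version tags found in the dump, sorted."""
    return sorted(s.strip() for s in strings if PACKER_TAG.match(s.strip()))


def verdict(strings):
    """Flag only when the stub can both obtain a payload and hand execution to it,
    and applies at least one transform (decrypt or decompress) in between."""
    hits = find_stages(strings)
    core = {"embedded_resource", "reflective_load"} <= set(hits)
    transform = "decrypt" in hits or "decompress" in hits
    return "likely .NET crypter/loader stub" if core and transform else "no loader pattern"


if __name__ == "__main__":
    for stage, names in find_stages(SAMPLE_STRINGS).items():
        print(f"{stage:18} {', '.join(names)}")
    print("packer tags:", find_packer_tags(SAMPLE_STRINGS))
    print("verdict:", verdict(SAMPLE_STRINGS))
```

Run it against the full strings output of any MSIL sample; a hit on all five stages, as here, is a strong cue to dump the embedded resource and decrypt it rather than spend time on the stub. The rule deliberately ignores anti_analysis on its own, since obfuscation attributes also appear in legitimate commercial software.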