Analysis Date: 2018-06-09 23:36:05
MD5: 2136ad269f3a5b3d50e95ee6a55ef8b8
SHA1: e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 5d470cb1efb9d070ff2459f4f24cc5d2 sha1: d06449bdb3a150232fc77e7fdc5fbab958e04f38 size: 118272
Section .rsrc: md5: 32130c839d762ed58b57390a5a1c4663 sha1: 37326b9cb7950ed4323b93c1ecc3aa89a71d48eb size: 1536
Section .reloc: md5: ba944cd032f12085eccba27553b9c1a3 sha1: f3a328a4105e99aa5948ab693dc30856575710ef size: 512
Timestamp: 2014-09-14 16:50:01
Version: LegalCopyright: Copyright (C) 1998-2011 Mark Russinovich and Bryce Cogswell
Assembly Version: 3.5.0.2
InternalName: bitch.exe
FileVersion: 7.13.0.2
CompanyName: Sysinternals - www.sysinternals.com
Comments: TCP/UDP endpoint viewer
ProductName: Sysinternals TCPView
ProductVersion: 7.13.0.2
FileDescription: TCPView
OriginalFilename: bitch.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: c0b650c21ad93a7dc55e92bba3d86468b2569921
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV 360 Safe: Gen:Variant.Kazy.429429
AV Ad-Aware: Gen:Variant.Kazy.429429
AV Alwil (avast): Phorpiex-H [Wrm]
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.MSIL.83259
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Gen:Variant.Kazy.429429
AV Eset (nod32): MSIL/Injector.ESS
AV Fortinet: MSIL/Injector.ESS!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Gen:Variant.Kazy.429429
AV Grisoft (avg): MSIL4.BDPV
AV Ikarus: Trojan.MSIL.Inject
AV K7: no_virus
AV Kaspersky: Trojan-Ransom.Win32.Blocker.fqjz
AV MalwareBytes: Backdoor.Agent.FRTGen
AV Mcafee: RDN/Ransom!ek
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Kazy.429429
AV Norman: winpe/Troj_Generic.WBUUZ
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_SPNR.11IT14
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62.exe

Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62.exe
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Users\Phil\AppData\Local\Temp\e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
Creates File: C:\Windows\assembly\NativeImages_v2.0.50727_32\indexa0.dat
Creates File: C:\Windows\System32\l_intl.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Process
↳ C:\Users\Phil\AppData\Local\Temp\e0e8c01d3c00ce8986ee39048fb7e3ee6892fd62.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Windows\System32\imm32.dll
Creates File: C:\Windows\System32\dnsapi.dll
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Jotunmntubkrrvyy.exe ➝ "C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe"

Process
↳ C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe

Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe.config
Creates File: C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe
Creates File: C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\security.config.cch
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\enterprisesec.config.cch
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\security.config.cch
Creates File: C:\Windows\assembly\NativeImages_v2.0.50727_32\indexa0.dat
Creates File: C:\Windows\System32\l_intl.nls
Creates File: C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe
Creates File: C:\Windows\assembly\pubpol4.dat
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\machine.config
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Creates File: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Creates File: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll

Process
↳ C:\Users\Phil\AppData\Roaming\Jotunmntubkrrvyy.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Windows\System32\imm32.dll
Creates File: C:\Windows\System32\dnsapi.dll
Creates Mutex: snkb0pt

Network Details:

Raw Pcap
0x00000000 (00000)   4e49434b 207b5553 412d5737 78363461   NICK {USA-W7x64a
0x00000010 (00016)   7d736f79 78627873 680d0a55 53455220   }soyxbxsh..USER 
0x00000020 (00032)   736f7978 62787320 35313637 20313930   soyxbxs 5167 190
0x00000030 (00048)   3339203a 736f7978 6278730d 0a4d4f44   39 :soyxbxs..MOD
0x00000040 (00064)   45207b55 53412d57 37783634 617d736f   E {USA-W7x64a}so
0x00000050 (00080)   79786278 7368202b 6977470d 0a4a4f49   yxbxsh +iwG..JOI
0x00000060 (00096)   4e202373 70207961 700d0a              N #sp yap..

0x00000000 (00000)   4e49434b 207b5553 412d5737 78363461   NICK {USA-W7x64a
0x00000010 (00016)   7d716a63 67627374 6d0d0a55 53455220   }qjcgbstm..USER 
0x00000020 (00032)   716a6367 62737420 31393133 31203330   qjcgbst 19131 30
0x00000030 (00048)   39303020 3a716a63 67627374 0d0a4d4f   900 :qjcgbst..MO
0x00000040 (00064)   4445207b 5553412d 57377836 34617d71   DE {USA-W7x64a}q
0x00000050 (00080)   6a636762 73746d20 2b697747 0d0a4a4f   jcgbstm +iwG..JO
0x00000060 (00096)   494e2023 73702079 61700d0a            IN #sp yap..


Strings