Analysis Date: 2018-06-11 13:15:36
MD5: f849aff640a349484ad4b29e93cba133
SHA1: e6d6a189261cd49645663cce8b03c40c1c933dc4

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text  md5: ab4200ddd18e8594f5fb3d78d3b83b2e sha1: 3a3279ce1537bd4292fe58f4f13a709dc21d9bb2 size: 107008
Section .reloc md5: bacceeab72699f03d9eecde7441abd0a sha1: da6ec857dca1aea02f161303f1ee5b8cb0e5f949 size: 512
Section .rsrc  md5: fe1c1f9e3a7c1c9cf70b12d9f53f61c8 sha1: aab6e3081416824370bdb4c282ca80be38fbb03a size: 8192
Timestamp: 2014-01-02 17:16:40
Version:
  LegalCopyright:
  Assembly Version: 0.0.0.0
  InternalName: reus.Scr
  FileVersion: 0.0.0.0
  ProductVersion: 0.0.0.0
  FileDescription:
  OriginalFilename: reus.Scr
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 89cb98fbdbbaca4771fa78cda00e8de7b4f18461
AV (avg): Luhe.Fiha.A
AV (mcafee): RDN/Generic Dropper!st
AV (avira): TR/Dropper.Gen
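The per-section hashes, the compile timestamp and the "Mono/.Net assembly" file type above are all read straight out of the PE headers. The script below is an added example (not part of this report and not the sandbox's own code) showing how to reproduce them with the Python standard library and how to re-check a file on disk against the reported values. Because the sample itself is not shipped with the page, the demo input is a constructed minimal PE32 whose section sizes mirror the report; its bytes, and therefore its hashes, are synthetic.

```python
"""Static-triage helpers: per-section hashes, compile timestamp and the
.NET (CLR) header check behind the Static Details above.  Standard library
only; no sample is shipped, so a synthetic PE32 is constructed for the demo."""
import hashlib
import struct
from datetime import datetime, timezone

# Values copied from the Static Details section of this report.
REPORTED_SECTIONS = {
    ".text":  {"md5": "ab4200ddd18e8594f5fb3d78d3b83b2e", "size": 107008},
    ".reloc": {"md5": "bacceeab72699f03d9eecde7441abd0a", "size": 512},
    ".rsrc":  {"md5": "fe1c1f9e3a7c1c9cf70b12d9f53f61c8", "size": 8192},
}

def _pe_offset(data):
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[off:off + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return off

def pe_timestamp(data):
    """TimeDateStamp from the COFF header, rendered in UTC like the report."""
    ts = struct.unpack_from("<I", data, _pe_offset(data) + 8)[0]
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")

def is_dotnet(data):
    """True when data directory 14 (CLR runtime header) is populated, which is
    how a PE32/PE32+ file gets recognised as a .NET/Mono assembly."""
    opt = _pe_offset(data) + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dirs = opt + (96 if magic == 0x10B else 112)          # PE32 vs PE32+ layout
    count = struct.unpack_from("<I", data, dirs - 4)[0]   # NumberOfRvaAndSizes
    if count <= 14:
        return False
    va, size = struct.unpack_from("<II", data, dirs + 14 * 8)
    return va != 0 and size != 0

def section_hashes(data):
    """{name: {md5, sha1, size}} over the SizeOfRawData bytes of each section."""
    pe = _pe_offset(data)
    nsec, = struct.unpack_from("<H", data, pe + 6)
    opt_size, = struct.unpack_from("<H", data, pe + 20)
    table = pe + 24 + opt_size
    out = {}
    for i in range(nsec):
        name, _vsize, _va, rsize, rptr = struct.unpack_from("<8sIIII", data, table + 40 * i)
        raw = data[rptr:rptr + rsize]
        out[name.rstrip(b"\0").decode("ascii", "replace")] = {
            "md5": hashlib.md5(raw).hexdigest(),
            "sha1": hashlib.sha1(raw).hexdigest(),
            "size": len(raw)}
    return out

def check_against_report(data, expected=REPORTED_SECTIONS):
    """Per-section True/False: does the file match the reported md5 and size?
    A changed .text hash at the same size is the usual sign of a re-crypted build."""
    got = section_hashes(data)
    return {n: n in got and got[n]["md5"] == e["md5"] and got[n]["size"] == e["size"]
            for n, e in expected.items()}

def build_test_pe(sections, timestamp, clr=True):
    """Constructed minimal PE32 used only as demo input (not the analysed sample)."""
    align, n = 0x200, len(sections)
    hdr_len = 64 + 24 + 224 + 40 * n
    raw_ptr = -(-hdr_len // align) * align
    dos = bytearray(64); dos[:2] = b"MZ"; struct.pack_into("<I", dos, 0x3C, 64)
    coff = struct.pack("<HHIIIHH", 0x14C, n, timestamp, 0, 0, 224, 0x0102)
    opt = bytearray(224); struct.pack_into("<H", opt, 0, 0x10B)   # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                           # NumberOfRvaAndSizes
    if clr:
        struct.pack_into("<II", opt, 96 + 14 * 8, 0x2008, 0x48)   # CLR header directory
    table, body, rva = bytearray(), bytearray(), 0x2000
    for name, content in sections:
        rsize = -(-len(content) // align) * align
        table += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(content),
                             rva, rsize, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += content.ljust(rsize, b"\0")
        raw_ptr += rsize; rva += -(-rsize // 0x1000) * 0x1000
    head = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(table)
    return head.ljust(-(-hdr_len // align) * align, b"\0") + bytes(body)

if __name__ == "__main__":
    # Section sizes mirror the report; the bytes are constructed, so the hashes differ.
    demo = build_test_pe([(".text", b"\x90" * 107008), (".reloc", b"\x00" * 512),
                          (".rsrc", b"\xff" * 8192)], timestamp=1388683000)
    print("Timestamp:", pe_timestamp(demo), " .NET:", is_dotnet(demo))
    for name, info in section_hashes(demo).items():
        print(f"Section {name} md5: {info['md5']} sha1: {info['sha1']} size: {info['size']}")
    print("Matches report:", check_against_report(demo))
```

Run it against a real file with `section_hashes(open(path, "rb").read())`; a `.text` section whose size still equals 107008 but whose md5 no longer matches the value above is the pattern to expect from a re-crypted build of the same stub.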

Runtime Details:

Process
↳ C:\Windows\System32\lsass.exe

Process
↳ C:\Users\Phil\AppData\Local\Temp\e6d6a189261cd49645663cce8b03c40c1c933dc4.exe

Creates Mutex
Creates Mutex
Creates File: C:\Users\Phil\AppData\Local\Temp\e6d6a189261cd49645663cce8b03c40c1c933dc4.exe.config
Creates File: C:\Users\Phil\AppData\Local\Temp\e6d6a189261cd49645663cce8b03c40c1c933dc4.exe
Creates File: C:\Users\Phil\AppData\Local\Temp\e6d6a189261cd49645663cce8b03c40c1c933dc4.exe
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\machine.config
Creates File: C:\Users\Phil\AppData\Local\Temp\e6d6a189261cd49645663cce8b03c40c1c933dc4.exe.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\security.config.cch
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config
Creates File: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\CONFIG\enterprisesec.config.cch
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config
Creates File: C:\Users\Phil\AppData\Roaming\Microsoft\CLR Security Config\v2.0.50727.312\64bit\security.config.cch
Creates File: C:\Windows\assembly\NativeImages_v2.0.50727_64\indexbb.dat
Creates File: C:\Windows\System32\l_intl.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\e6d6a189261cd49645663cce8b03c40c1c933dc4.exe
Creates File: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Creates File: C:\Windows\assembly\GAC_64\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp

Process
↳ C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe

Creates File: C:\Windows\Globalization\Sorting\sortdefault.nls
Creates File: C:\Users\Phil\AppData\Local\Temp\e6d6a189261cd49645663cce8b03c40c1c933dc4.exe
Creates Mutex: Global\冰ǟ

Network Details:


Strings
0.0.0.0
000004b0
4.0.0.0
Assembly Version
c4eee5d9180742b7b26a08c0dfd835b3
FileDescription
FileVersion
InternalName
LegalCopyright
OriginalFilename
ProductVersion
reus.Scr
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
							
0J\1ic.;
0pc!__
0*@wUybk
]	1N~e
2Bc*9U*9U,\
_\%2p]
3Kw2Bc,\
'4h2Bc2Bc'h
%4L%4L,\
%4L%4L,Kp0X
4vQ+Px
:6Ji\.
`6*>!K
{8EXB;$+
8$/:{q%g
	?{?97
*9U2BcDV}Nb
*9U%4L2Bc3KwY
*9U*9U,\
}*9U*9U'h
*9U*9U,Kp'h
A;at9J{
AccessViolationException
add_ResourceResolve
aoNeMf l
api_Yl
AppDomain
Assembly
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyDelaySignAttribute
AssemblyDescriptionAttribute
AssemblyKeyNameAttribute
AssemblyName
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AsyncCallback
Attribute
AttributeTargets
AttributeUsageAttribute
az.ZP?
B96rExM8V
BabelAttribute
BeginInvoke
BinaryReader
BitConverter
Boolean
B.rsrc
B@S84E84EB@S{
#bSd1N
Buffer
*B(-w]
bxI26&
BX'<^R
c4eee5d9180742b7b26a08c0dfd835b3
callback
CallingConvention
C}BU9t#
.cctor
CipherMode
classthis
CloseHandle
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
ComputeHash
ComVisibleAttribute
Concat
Console
Convert
_CorExeMain
Create
CreateDecryptor
CreateDelegate
CreateEncryptor
CryptoStream
CryptoStreamMode
d-?4t^a
DateTime
 {*DdT#
DebuggableAttribute
DebuggingModes
Deflate.Attributes
Delegate
DESCryptoServiceProvider
Dictionary`2
Dispose
eCNO&QQ
eH"L\N
Encoding
EndInvoke
Environment
Exception
Exists
F9bG!1|
fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
Fh`@6$
FieldInfo
FileAccess
FileMode
FileShare
FileStream
FindResource
FlagsAttribute
FlushFinalBlock
FromBase64String
fr&}QW&!
gCs5Ek
get_ASCII
get_Assembly
get_BaseStream
GetBytes
get_CodeBase
get_CurrentDomain
GetEnvironmentVariable
GetExecutingAssembly
GetFields
GetFolderPath
get_Length
get_Location
get_ManifestModule
GetManifestResourceNames
GetManifestResourceStream
get_Message
get_MetadataToken
get_ModuleHandle
GetModules
get_Name
GetName
get_Now
GetObject
GetProcAddress
GetProperty
GetPublicKeyToken
GetRuntimeFieldHandleFromMetadataToken
GetRuntimeTypeHandleFromMetadataToken
get_Size
GetString
GetType
GetTypeFromHandle
get_Unicode
GetValue
GGvXYQ
gIK]0&
gIT%,k
G;Ni^ 
HashAlgorithm
Hashtable
H#`ktFY
HQ$|rh
H^Ui&i
I2ch S9=
IAsyncResult
ICryptoTransform
IDisposable
ig(0S7X
InitializeArray
Intern
IntPtr
Invoke
]I'%qQ
IsLittleEndian
iZeiD9j
jF9Myv
Jh92od
JHJBfUGlKNxZdMIOn8.gPG3uBP96DxEm0n8Ly/UkjVeDQKxqoQgcWTVs/LFoKivA9gaMMC7srJ8`1[[System.Object, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][]
Jl670f>
jMGqn3<
jVoy-g
kernel32
kernel32.dll
k[f`^!V
)kQ:Ta
k'R>-hY/v
,KTVl1
l}6C8y
L?HsK(
LoadLibrary
lR	WA{
MD5CryptoServiceProvider
MemberInfo
MemoryStream
MethodBase
MethodInfo
Module
<Module>
ModuleHandle
mscoree.dll
mscorlib
msi{RY
MulticastDelegate
{N.2d}
	(n2NNn
nativeEntry
nativeSizeOfCode
n^K:J}ZSR
NullReferenceException
O2bjvq
*]O7Rcn
ObfuscationAttribute
object
Object
oCekmZE
oFZVcy
"oJ]s2
OMHcCP
OpenProcess
op_Equality
op_Explicit
op_GreaterThan
op_Inequality
pq9k(1
_PRA-#!
Process
PropertyInfo
pydhOElK4SWdBW7dkJ.ksorAFvhgFT0jtU2tq
}q`5bl{
QV`<	y
Q_%xjGX
QZ"13`
ReadBytes
ReadProcessMemory
`.reloc
Replace
ResolveEventArgs
ResolveEventHandler
ResolveMethod
ResolveType
ResourceManager
result
REUS.Scr
Rfhn M
Rijndael
RijndaelManaged
(]RNM@
RO1	%E
rqoKO{
RSACryptoServiceProvider
RtlZeroMemory
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
RwWfv7
set_IV
set_Key
set_Mode
set_Position
set_UseMachineKeyStore
SetValue
S\g?Y@
SortedList
SpecialFolder
Stream
String
#Strings
SuppressIldasmAttribute
SymmetricAlgorithm
System
System.Collections
System.Collections.Generic
System.Diagnostics
System.IO
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Security.Cryptography
System.Text
T1ga#O
TargetFrameworkAttribute
!This program cannot be run in DOS mode.
ToArray
ToBase64String
ToCharArray
ToInt32
ToPointer
ToString
ToUInt32
u>GeH1?
UInt16
UInt32
UInt64
UnmanagedFunctionPointerAttribute
UreDw{
`uWNf&
v2.0.50727
V3(h:&
va7wjf.#
value__
ValueType
VccqFV33MrNp07aHpJ.MqIDlxJZ3fnglUukBN
Version
VirtualProtect
vjEP=@
vPFyO\
W0YvRtdm6CdsPwHyvx.Obln3kWxxuDicRLdmZ
\wO=)4
&#(wOa
WrapNonExceptionThrows
WriteAllBytes
WriteLine
WriteProcessMemory
`wYDZr
{=xb^)
Xnor56
XpJQ8Mc
% y(7Wk
YGLs o
Ymd!ko
-z(7yS;
ZNv(*<I.4WRRR
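The Strings section above is where this sample gives itself away: symmetric-cipher and Base64 classes (RijndaelManaged, DESCryptoServiceProvider, CreateDecryptor, FromBase64String), manifest-resource and AppDomain resolve hooks for loading code at run time, kernel32 imports for writing and re-protecting process memory (OpenProcess, WriteProcessMemory, VirtualProtect), and obfuscator markers (BabelAttribute, SuppressIldasmAttribute) alongside namespaces that are random letter soup. The script below is an added example, not part of this report or of the sandbox, that turns such a dump into capability buckets and a heuristic verdict. The bucket names, the obfuscated-namespace regex and the verdict rule are this example's own choices; the sample lines in SAMPLE_DUMP are an excerpt copied from the Strings section.

```python
"""Capability triage over a strings dump such as the one above.  Matches the
.NET/Win32 API names a binary references against capability buckets and flags
obfuscator-style namespaces.  Bucket names and the final heuristic verdict are
this example's own labels, not output of the sandbox that produced the report."""
import re

INDICATORS = {
    "crypto": {"RijndaelManaged", "Rijndael", "DESCryptoServiceProvider",
               "RSACryptoServiceProvider", "MD5CryptoServiceProvider",
               "CreateDecryptor", "CreateEncryptor", "CryptoStream", "CipherMode",
               "set_Key", "set_IV", "FromBase64String"},
    "process_memory": {"OpenProcess", "ReadProcessMemory", "WriteProcessMemory",
                       "VirtualProtect", "RtlZeroMemory", "GetProcAddress",
                       "LoadLibrary", "kernel32.dll"},
    "runtime_loading": {"GetManifestResourceStream", "GetManifestResourceNames",
                        "add_ResourceResolve", "ResolveEventHandler", "AppDomain",
                        "get_CurrentDomain", "InitializeArray", "CreateDelegate",
                        "GetRuntimeTypeHandleFromMetadataToken", "Invoke"},
    "anti_analysis": {"SuppressIldasmAttribute", "ObfuscationAttribute", "BabelAttribute"},
}

# Dotted identifier whose segments are long alphanumeric soup; combined with a
# digit requirement this catches "JHJBfUGlKNxZdMIOn8.gPG3uBP96DxEm0n8Ly" but not
# "System.Runtime.CompilerServices".
_OBF_NS = re.compile(r"^[A-Za-z][A-Za-z0-9]{11,}\.[A-Za-z][A-Za-z0-9]{11,}")

def parse_strings_dump(text):
    """A strings dump is one token per line; strip whitespace, drop empties."""
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def triage_strings(strings):
    """Return {bucket: sorted matching strings} plus flagged obfuscated namespaces."""
    found = set(strings)
    hits = {cat: sorted(found & names) for cat, names in INDICATORS.items()}
    hits["obfuscated_namespaces"] = sorted(
        s for s in found if _OBF_NS.match(s) and any(c.isdigit() for c in s))
    return hits

def verdict(hits):
    """Heuristic label (this example's own rule): a .NET binary that decrypts
    data, loads code at run time and carries obfuscator attributes is most
    likely a crypter/loader stub whose real payload is not visible statically."""
    present = [c for c in INDICATORS if hits[c]]
    if not present:
        return "no capability indicators"
    if all(hits[c] for c in ("crypto", "runtime_loading", "anti_analysis")):
        return "likely .NET crypter/loader stub"
    return "suspicious: " + ", ".join(present)

# Excerpt of the Strings section above (lines copied from this report).
SAMPLE_DUMP = """
AccessViolationException
add_ResourceResolve
AppDomain
BabelAttribute
CreateDecryptor
CryptoStream
DESCryptoServiceProvider
GetManifestResourceStream
GetProcAddress
JHJBfUGlKNxZdMIOn8.gPG3uBP96DxEm0n8Ly/UkjVeDQKxqoQgcWTVs/LFoKivA9gaMMC7srJ8`1[[System.Object, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089]][]
kernel32.dll
LoadLibrary
OpenProcess
pydhOElK4SWdBW7dkJ.ksorAFvhgFT0jtU2tq
ReadProcessMemory
RijndaelManaged
System.Runtime.CompilerServices
SuppressIldasmAttribute
VirtualProtect
WriteProcessMemory
"""

if __name__ == "__main__":
    report = triage_strings(parse_strings_dump(SAMPLE_DUMP))
    for cat, names in report.items():
        print(f"{cat:22} {len(names):2}  {' '.join(names)}")
    print(verdict(report))
```

Feed the full Strings section in through `parse_strings_dump` and the same buckets light up; the point of the `process_memory` bucket is that string-level evidence of WriteProcessMemory plus VirtualProtect is a reason to run the sample under a debugger or API monitor to recover whatever the Rijndael/DES routines decrypt, since the sandbox run above recorded no payload drop and no network activity.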