Sample details: 44c76a59c3097764a9f232d79a9d1e83

Hashes
MD5: 44c76a59c3097764a9f232d79a9d1e83
SHA1: 45e0b41d90aa95ed34ab4687ba89a8233eda1604
SHA256: 996da976354807dd7a3787751148134b58d0b19187368ea07b865eb888702316
SSDEEP: 3072:29x6uwPg2JG32itQBVoIPiqEirVFSnRVyfcvERVGb7PaqS87eUzF1g+:29xAPgXaVxPiqEirVFSnRVyIERIDn7d
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_C_Basic_NET | YRP/UPXv20MarkusLaszloReiser | YRP/UPXV200V290MarkusOberhumerLaszloMolnarJohnReiser | YRP/IsPE32 | YRP/IsNET_EXE | YRP/IsWindowsGUI | YRP/IsPacked | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/DebuggerHiding__Active | YRP/anti_dbg | YRP/disable_dep | YRP/CRC32_poly_Constant | YRP/Str_Win32_Winsock2_Library | YRP/UPX | YRP/suspicious_packer_section |
Strings
		!This program cannot be run in DOS mode.
`.rsrc
@.reloc
7Rk-RKC
zYy|9j
( gY0\5
3FZ|0%
6D@[eAP)C
JpR$-'
orNF30Vm
F4!It3J w
tr&3(M
~=`Lc>
6/.7^&3j
bq|RE 
o2r2`p"$
K^.6c 
Ok[/*/)
k>9H~BaH#
Y64pul
/y<*O2
EFYmT8
ytWtCs
4RDl3N
+zg^mK
uhiN}1`vk
R 0P4Iae
`9)jV@
k-_#cK
OGcHGr
/0zn`Z
uwnXXZ
mzST2d-
s[0 IZ
}m<b33,
5qcDeO~!
]G|8w@2Y
6|?P?8
`4X5\M>
Ud2\<l7o
dBTQy{
@c&2yom
6-zzW}
@PVW)&
S-Od~>EY
?!tu/7X;
1(N^D#
;w|V7q&
E_,dde
qnLNa~u+
Eg	]!z3e
hf	`NQ
6).0 ~
TR^(1C
v`r66	
$^=Eg{
"I;oRn
xsaT=_
w7#4Zh
p~l[%m
LPh0yR
=">z}]
`m!IjS
4_rHE)
\8R^*di$
0GpO;V
@0	Md5=i!4
~j0R(+
o"@/8	
d(  Xp
8jIobu
O^C%J%
2k>^^}
o/oIwe
+tzR2Ch
Q<USFd]
/m5?wWO
!/OKd1
f`wdGG
nQ#(0T
.vsaoW
JO(/^5jf
<P-CY~
i8WvWHCvP1
<5]7le:
>n!mY*
*Pe9ht
@/'<Mj
nNGru"$OF5
G:+XR)E
oa'D\1
	JqS_c"W
S{;q45Jt
u+&I8F
Z {sgJa8
 WUuJZ 
Z e"/Ca8
/^$Z pz
_CorExeMain
mscoree.dll
v2.0.50727
#Strings
#Strings
#Schema
D8roO=
stub.exe
mscorlib
UnverifiableCodeAttribute
System.Security
SuppressIldasmAttribute
System.Runtime.CompilerServices
<Module>
.cctor
VirtualProtect
kernel32.dll
System
RuntimeTypeHandle
MethodInfo
System.Reflection
MethodBase
Thread
System.Threading
ParameterizedThreadStart
Module
ValueType
Object
Stream
System.IO
StubCode
WM_CLOSE
DBG_CONTINUE
DBG_EXCEPTION_NOT_HANDLED
ResourceManager
System.Resources
DebugActiveProcess
WaitForDebugEvent
ContinueDebugEvent
DeleteFile
IsWow64Process
SetKernelObjectSecurity
GetKernelObjectSecurity
NtSetInformationProcess
VirtualProtectEx
<>9__CachedAnonymousMethodDelegate1
<>9__CachedAnonymousMethodDelegate3
ThreadStart
<>9__CachedAnonymousMethodDelegate5
<>9__CachedAnonymousMethodDelegateb
<>9__CachedAnonymousMethodDelegated
StartProcess
BypassAvastScan
ProcessExecutablePath
Process
System.Diagnostics
process
CurrentDomain_AssemblyResolve
Assembly
ResolveEventArgs
sender
DisableSafeMode
DisableCMD
DisableUAC
DisableTaskManager
StartupPersistance
ProcessPersistence
handle
SystemWidePersistence
Decompress
ElevateProcess
CriticalProcess
ProcessKiller
GetProcessKiller
List`1
System.Collections.Generic
GetCMDArgs
ReflectionInvoke
GetInjectionPath
GetDefaultBrowser
SetCreationDate
filename
SetAttributes
StartAdAdmin
IsAdmin
AddToStartup
GetFolderPath
Environment
SpecialFolder
folder
GetStartupFolder
IsInStartupFolder
GetFolderFromString
GetDownloaderItems
GetBinderItems
ChangeZoneID
GetSetting
DetectSandboxie
AntiDump
GetSystemInfo
kernel32
memoryinfo
VirtualQueryEx
hProcess
lpAddress
lpBuffer
dwLength
OpenProcess
processAccess
bInheritHandle
processId
ReadProcessMemory
lpBaseAddress
buffer
lpNumberOfBytesRead
WriteProcessMemory
dwSize
lpNumberOfBytesWritten
memcmp
msvcrt.dll
MemorySafeLoad
ByteArrayCompare
CompareArrays
array2
ModifyArrays
GetProcAddress
hModule
procName
GetModuleHandle
running
CreateApi
dllname
procname
DebugProgram
RunPEDll
RunPEHandler
PROCESS_INFORMATION
NewImageBase
SizeOfHeaders
<Run>b__0
<StartupPersistance>b__2
<ProcessPersistence>b__4
<ProcessKiller>b__a
<ReflectionInvoke>b__c
AppDomain
ResolveEventHandler
System.Windows.Forms
DialogResult
MessageBoxButtons
MessageBoxIcon
WebClient
System.Net
DirectoryInfo
Exception
ProcessStartInfo
ProcessWindowStyle
StreamWriter
TextWriter
ProcessModule
System.Management
ManagementObjectSearcher
ManagementObjectCollection
ManagementObjectEnumerator
ManagementBaseObject
RegistryKey
Microsoft.Win32
RegistryValueKind
RawSecurityDescriptor
System.Security.AccessControl
RawAcl
SecurityIdentifier
System.Security.Principal
WellKnownSidType
CommonAce
AceFlags
AceQualifier
GenericAce
GenericSecurityDescriptor
MemoryStream
GZipStream
System.IO.Compression
CompressionMode
IDisposable
ParameterInfo
ApartmentState
StringComparison
DateTime
FileInfo
FileAttributes
FileSystemInfo
WindowsIdentity
WindowsPrincipal
WindowsBuiltInRole
Random
IEnumerator
System.Collections
ProcessModuleCollection
ReadOnlyCollectionBase
Delegate
MemoryInfo
BaseAddress
AllocationBase
AllocationProtect
RegionSize
Protect
SystemInfo
dwOemId
dwPageSize
lpMinimumApplicationAddress
lpMaximumApplicationAddress
dwActiveProcessorMask
dwNumberOfProcessors
dwProcessorType
dwAllocationGranularity
dwProcessorLevel
dwProcessorRevision
debugactiveprocess
MulticastDelegate
object
method
Invoke
dwProcessId
BeginInvoke
IAsyncResult
AsyncCallback
callback
EndInvoke
result
waitfordebugevent
lpDebugEvent
dwMilliseconds
continuedebugevent
dwThreadId
dwContinueStatus
deletefile
lpFileName
iswow64process
processHandle
wow64Process
setkernelobjectsecurity
Handle
securityInformation
pSecurityDescriptor
getkernelobjectsecurity
nLength
lpnLengthNeeded
ntsetinformationprocess
processInformationClass
processInformation
processInformationLength
virtualprotect
flNewProtect
lpflOldProtect
ntprotectvirtualmemory
PTHREAD_START_ROUTINE
lpThreadParameter
DEBUG_EVENT
dwDebugEventCode
debugInfo
get_Exception
get_CreateThread
get_CreateProcessInfo
get_ExitThread
get_ExitProcess
get_LoadDll
get_UnloadDll
get_DebugString
get_RipInfo
GetDebugInfo
CreateThread
CreateProcessInfo
ExitThread
ExitProcess
LoadDll
UnloadDll
DebugString
RipInfo
DebugEventType
value__
CREATE_PROCESS_DEBUG_EVENT
CREATE_THREAD_DEBUG_EVENT
EXCEPTION_DEBUG_EVENT
EXIT_PROCESS_DEBUG_EVENT
EXIT_THREAD_DEBUG_EVENT
LOAD_DLL_DEBUG_EVENT
OUTPUT_DEBUG_STRING_EVENT
RIP_EVENT
UNLOAD_DLL_DEBUG_EVENT
Protection
PAGE_EXECUTE_READWRITE
PAGE_READWRITE
PAGE_GUARD
CREATE_THREAD_DEBUG_INFO
hThread
lpThreadLocalBase
lpStartAddress
EXCEPTION_DEBUG_INFO
ExceptionRecord
dwFirstChance
EXCEPTION_RECORD
ExceptionCode
ExceptionFlags
ExceptionAddress
NumberParameters
ExceptionInformation
EXIT_THREAD_DEBUG_INFO
dwExitCode
EXIT_PROCESS_DEBUG_INFO
UNLOAD_DLL_DEBUG_INFO
lpBaseOfDll
OUTPUT_DEBUG_STRING_INFO
lpDebugStringData
fUnicode
nDebugStringLength
LOAD_DLL_DEBUG_INFO
dwDebugInfoFileOffset
nDebugInfoSize
lpImageName
CREATE_PROCESS_DEBUG_INFO
lpBaseOfImage
RIP_INFO
dwError
dwType
SafeQuickLZ
QLZ_VERSION_MAJOR
QLZ_VERSION_MINOR
QLZ_VERSION_REVISION
QLZ_STREAMING_BUFFER
QLZ_MEMORY_SAFE
HASH_VALUES
MINOFFSET
UNCONDITIONAL_MATCHLEN
UNCOMPRESSED_END
CWORD_LEN
DEFAULT_HEADERLEN
QLZ_POINTERS_1
QLZ_POINTERS_3
HeaderLength
source
SizeDecompressed
SizeCompressed
WriteHeader
compressible
sizeCompressed
sizeDecompressed
FastWrite
numbytes
ArgumentException
InjectionType
Itself
Winlogon
RegAsm
Svchost
Browser
Reflection
AlgorithmType
TripleDES
Rijndael
CMDArgType
Dynamic
FileInfoType
Default
Custom
Cloned
Delete
RunMode
Always
DownloaderMenuItem
location
runmode
BinderStubItem
<>c__DisplayClass8
<SystemWidePersistence>b__6
InjectionLibrary
InjectionMethod
InjectionMethodType
PortableExecutable
JLibrary.PortableExecutable
ConfusedByAttribute
Attribute
CompilationRelaxationsAttribute
RuntimeCompatibilityAttribute
CompilerGeneratedAttribute
STUB.resources
String
IntPtr
op_Explicit
UInt32
GetTypeFromHandle
GetMethod
Concat
Equals
FailFast
set_IsBackground
get_CurrentThread
Debugger
get_IsAttached
IsLogging
get_IsAlive
get_Module
Marshal
System.Runtime.InteropServices
GetHINSTANCE
get_FullyQualifiedName
get_Chars
get_Length
ReadByte
RuntimeHelpers
InitializeArray
RuntimeFieldHandle
Buffer
BlockCopy
GetElementType
CreateInstance
Encoding
System.Text
get_UTF8
GetString
Intern
ManagementObject
MoveNext
ToString
op_Equality
Dispose
Registry
LocalMachine
CurrentUser
Resize
ClassesRoot
ToArray
ToInt32
op_Inequality
get_Count
Contains
GetExecutingAssembly
get_CurrentDomain
add_AssemblyResolve
Application
get_ExecutablePath
MessageBox
WriteAllBytes
LastIndexOf
Substring
Exists
DownloadFile
Directory
CreateDirectory
GetCurrentProcess
get_Id
get_Handle
get_Message
get_StartInfo
set_FileName
set_UseShellExecute
set_WindowStyle
set_CreateNoWindow
set_RedirectStandardInput
set_RedirectStandardOutput
get_StandardInput
WriteLine
WaitForExit
GetProcesses
get_ProcessName
GetLastWin32Error
get_MainModule
get_FileName
GetEnumerator
get_Current
get_Item
get_Name
CreateSubKey
DeleteSubKey
SetValue
get_DiscretionaryAcl
Convert
InsertAce
get_BinaryLength
GetBinaryForm
ToLower
get_EntryPoint
GetParameters
SetApartmentState
GetEnvironmentVariable
OpenSubKey
GetValue
Replace
EndsWith
SetCreationTime
get_Attributes
set_Attributes
set_Arguments
set_Verb
GetCurrent
IsInRole
GetTempPath
Format
WriteAllText
get_StartupPath
ToCharArray
Combine
GetValues
GetObject
get_Modules
get_ModuleName
get_BaseAddress
GetDelegateForFunctionPointer
ChangeType
Collect
SizeOf
AllocHGlobal
PtrToStructure
FreeHGlobal
Inject
Create
ConfuserEx v1.0.0
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
WrapNonExceptionThrows
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
^System.Object[][], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089\System.String[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089PAD
2qfECclu9nEInVu 
!This program cannot be run in DOS mode.
^\-=Un
}Ug|Gnp
T6(pVtu
\;fvGS
.Dl\?3
X9uM}G
>S$'~I
(8(&@3
4x:rH3
iu4zGGpad
&FBx;{
8g$Vy}q
}y__jS
fOeTDP
HZE~LE
WWhM8g
8wxkPx/ 
4@F ZE 
S1Wu<_
2Xf9+tE;
0Q$WmG{
)V9o&6 
)<W\=&P
)0=h[^
);[v`O
b:qTQVj
aSyi:.M
%UoeS!0
VkbP(P
jsuVWC
>vers@fM
?69*v&(
Nal8s3_=
Dcp eOWxP
d}-d,&
PaGq;u
h'V8	?S
X*o9Rv
x.+HQ[]P
@Yn.vX
'5TBVt?
|$pd:gh
T$`H|S
b0(yUy
TXf:XzH
8N$PI<
~<Mc N
T$ XT|
t8S~B 
1$@CB8
jY,Yc5
mvP!!f
com.appl
B|e.Sa
#g9b)v
j*XjMR
&:<JBK
3-_p  QP
@vzX&jdXN
._jppu^
rFTWAR
h^juYjh,pC
@0i$< 4
yW#m!][[#
KZy\M^
?0<+$'t
VcAL~$
F=!"6[
D$PLtO
gX~yD$PH
0O8|HZ[r
:(;A;/v
mPhp,Y
W0S	7@A
K3;W66
&WVBf5 q,
_9gQIKNH
Brd.MI
v <G3XE
o 4R1Q-
Z(u2Rs
ca(~hR
z&V,82A
g2,_3ie6
H%0mSF
U8H2u3
V LJfu
i"\PqA$!0X
}dtY*n
(xVSe`H
s$'(&,<
)0*4(.
sy1D2H?
\L=P/T
<>X \-
sy.`+d,
0b4c8y.
d<e@f\
sDgHhL<
iPjTk.
SlM3!m
T^?jw 
v@2\t.i
J+!PW3W
xy6&hC[
3q;Hv'
s mFj Sa
!i6tY!
Cw$@0123456789ABCDEF
iBdVw*
a^ Z>l
QLite format
 3*lRycq1tP2vSeaogj5bEUFzQ
iHT9dmKCn6uf7xsOY0hpwr43VINX8JGB
AkLMZW
z&y:WX<\<2MvN
BKnhzikgs
http://
achineGui
dOFTWARE\Microsoft\Crypt
cedureAd
RtlNtSt
>/S^LastW432-
fwQue Incio
(eUsDTo?
d^All@(Vir
w'sume
pFble_lfms
u\uTna
JfhNn2P>u
\?VAhx
7e;kb?w}
[SCirn3\]qy
i\/u-F
aultEn
*c7Open
t}==xon
ELECT Nc0m
SubmitURL
tW FROM moz_O[b
f;/sfg
mm2373|
F.'K5,
/kBbaH
(XwP6[m
NSS_In?
Shutdown
nt6lKeySlot
ePi$'SDR_DeXa
olumn_
XaqNu2f2V
UHandl:;
StjngToB 
LoadLibr~W
N'X!2$6
*9(SKiasb+!v<.qF58_qwe~QsRTYvde
&w#dcO
.kacrL
 _?Cj#
Ak4Ol{ko(
bWrjtG
`Ay7/*G,
AL*R_c
INSTALL&;A
uckav.r
b v1.01  -
 smaller
TCopyZht (c) 1998-2
009Dy JoFgen Ibs
ssHeap
XPTPSW
KERNEL32.DLL
ole32.dll
OLEAUT32.dll
WS2_32.dll
LoadLibraryA
GetProcAddress
VirtualProtect
VirtualAlloc
VirtualFree
ExitProcess
CoInitialize
Fjpl2U2
+}U/rq[
$R^R'/
}[{t	a
tp66SW?
rf6MORj
#9?%:/Hn_'|
"Jvy 0
*yK/{+
67Pa:(4#tH
D|ii |
be%*wp
db1HjGGb
nhuu674hhg47h76eewe.exe
4g6364246h3huntfeb
Startup
gf6e6rt7we4g6t3
<?xml version="1.0" encoding="UTF-16"?>
<!-- Analyst annotation; the comments in this block are not part of the extracted strings.
     This is a Windows Task Scheduler task definition (schema version 1.2) embedded in the sample.
     %USER%, %COMMAND% and %ARGUMENTS% look like placeholders filled in before the task is
     registered; the substitution code is not visible in this dump (TODO confirm in the unpacked stub).
     Presumably this is a logon persistence template. Defenders can look for scheduled-task
     creation events (for example Security event 4698) whose definition matches this shape. -->
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <!-- The date is a fixed literal in the template, so it is the same wherever this XML is used unmodified. -->
    <Date>2014-10-25T14:27:44.8929027</Date>
    <Author>%USER%</Author>
  </RegistrationInfo>
  <!-- Only the logon trigger is enabled: the action runs when the %USER% account logs on. -->
  <Triggers>
    <LogonTrigger>
      <Enabled>true</Enabled>
      <UserId>%USER%</UserId>
    </LogonTrigger>
    <RegistrationTrigger>
      <Enabled>false</Enabled>
    </RegistrationTrigger>
  </Triggers>
  <!-- Runs in the user's interactive session without requesting elevation (LeastPrivilege). -->
  <Principals>
    <Principal id="Author">
      <UserId>%USER%</UserId>
      <LogonType>InteractiveToken</LogonType>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>StopExisting</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>true</StopIfGoingOnBatteries>
    <AllowHardTerminate>false</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>false</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>true</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <!-- Hidden is false, so the task is listed in the normal Task Scheduler views. -->
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <WakeToRun>false</WakeToRun>
    <!-- PT0S means no execution time limit; the started process is never stopped by the scheduler. -->
    <ExecutionTimeLimit>PT0S</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <!-- The executable path and its arguments are supplied through the placeholders below. -->
  <Actions Context="Author">
    <Exec>
      <Command>%COMMAND%</Command>
	  <Arguments>%ARGUMENTS%</Arguments>
    </Exec>
  </Actions>
</Task>