Sample details: c6c15d4a61170c896db5d8ead0531c95

Hashes
MD5: c6c15d4a61170c896db5d8ead0531c95
SHA1: d574ac17d54a084e22db08b8dab7568a63aaa83c
SHA256: 72a5196c50794d002cce1ba0e71c6f8130fce8255d7af661e9878f8f2f495b23
SSDEEP: 12288:rxdjeWXKvXVwA3jGz/daXi7UyVx8wGfbeqegi:tHKvpjwf7n8wGfjeB
Details
File Type: PE32
Yara Hits
YRP/Microsoft_Visual_Studio_NET | YRP/Microsoft_Visual_C_v70_Basic_NET_additional | YRP/Microsoft_Visual_C_Basic_NET | YRP/Microsoft_Visual_Studio_NET_additional | YRP/Microsoft_Visual_C_v70_Basic_NET | YRP/NET_executable_ | YRP/NET_executable | YRP/NETexecutableMicrosoft | YRP/IsPE32 | YRP/IsNET_EXE | YRP/IsWindowsGUI | YRP/domain | YRP/IP | YRP/contentis_base64 | YRP/Qemu_Detection
Source
http://aboukangaz.com/ghost/PI.exe
Strings
          	            !This program cannot be run in DOS mode.
`.rsrc
@.reloc
,8nZ )J
 m?HkZ ~
lSystem.Resources.ResourceReader, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
\System.String[], mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089PA
NwN3N0NzN
N~NeNfN\N~NlNYNkN`NMNkNnN{N;NBN,N
N3NaN}NPN_NAN
NDNJNwN+NXN"N
NAN"NkNiNZN
NzN5NmN@NUN
NANtN}NZNwN
NfN1NzNjN2N^NKNZNAN
NpN[N;N1N
NfNwN!N
NoNdN>N
N{NzNiNzN(NANeN^N
:#NYN%N8N_N
N0N~N+N
NdNaNgN&N^NdNaN
NON+N"N
NoN>N+N`N
NsNCN"N
N&NhNeNZN
N5N'N	NWNzNyN$N8NVN~N
N1NfNlNCN
N)NvNxNCN>N
N&NTN(NwN+NfNpN
NAN<N-NoN@N}N
NdNONNN]N
(1NqN{NPNxN^NsNrN7N
N&N"N8N2NgNsN}N
.2NZN+N
NTN;N0N&N)N{N?N
NbNsNWN
NdNbN,e
N\NBN&NRN
NUN{N\NrN
N<N}N'N%NgN!N
N*N{N?N
NENUN;NLNEN	NlN.N
JDNiN`N+N
NfN\N]N[N4NRNzNvN\NFN
N#NTNRNXN
NkNrN6NJN
NANWNMN,N
LFN:N+N0NJN?N'N:NAN
N-N*NRN=N
NvNlNON#N/N
NiNzNoN
*NNqNWN
N;NrNLNeNRN>N
N1NINNNyN0NZN$N
NINVN	N+N5N	N7NcN
NYNNN`NON:NFNwN
NnNIN<NqNbN/N
LTNBNWN1N)N
NdNfNQN}N
NWNFN(NnN
N[NON#N$N
NoNSNMN$NCN/NENrNPNWNF
NsN N`N
NnN1NyNHNLN~N
NTNpN,N
N7N&NdNBN_NsNJNfNyNsN3N
NFNGN,N
L]NYNKN
NUNSNHNeN{N
NENeN#N%N N;N
NtNpN-N
:^N|NhNaN
NrNENSN_N
NWNAN"NlNLN
N(N-NmNJNWN
NaN@NXNuN.NmN'NtN5NKN*N5N3N@NnNtN
N"N/NvN
NVNjNBN
NgN'N	NINuN1NAN5N
N;N+N.NRN3NzN
NQNdN@N	N>N|NfNWNNNZN[NtN
N<NlN#N~N8N$N<N
,xNVN&N6NON{N
N.NVN?NENWN@N)N
N#N:N[N
N*N%N+N/
(1fCkL
|muth`n8
IQar,NW
@!B645
uvd<sV
&['{Yb`
!T]-BM"J
uzMH:.uk
T3r?]X
^MI<eo
DJFXeE
"xD!,"
|<->oWv
ddVXJndX#I
{ovG+Y|p
pd{`oT
g|KJF:
)]o^z`
;cL*xR
lffP9mb
m?oJXZU
7"a )L
Xa*B7r
V|W	6m
3g1`U1
ZLUcF,!
cQj|mM
Bbd~J7
&opc*s5
dXG3B3
23^1	4
965i=SxJ
<FGcld
aKiJA+9%y
/NAw}o
o>p3sw
YAaJ5k
d(x4ix
o9M3QCII
varXn_
.~Wi7M
B%ZV[`m|
	}Yy*4
N/Bsap
rw(w'+
/Oa)fj]
 )zngh
aS,L\W
bg1Fl8
1]Z7;0
)#^a+Q
;8M'@'-W=
C|+qHF
SD:xx{
79zI/o
BW7*6_
wW[p4@ur
\{~H/H
;LR)tU
VyZ&Zl
H2k0KI
uI|>uz
a	T?(iC
0XDcnV
~@f.4S!
9~AM(Pq*
"=I%!>
$ 7?|	
6OQT3f
;G#izJ
GO~PN[
4h+e;l
A8D+m'
5%9++m
X_BuQ 
ed4 I;Z
h^Z?\8
V5~ipB
>(&h|5&
BP^LPJ
k5A~Y%
0YgpUp
2Sv1C2
?CrxwH
|Sb`/!dB
\vlAe,
z^&48P
]*tJ(	
Y0r~7D
cQVi8_;
35{GvSl~z
rO~dB9"@
T	JQ*LY
{PnX%{n|
:nCxsCx
 vPrzX
]U *i[
"6*H\iEK,`#
eg:<k*^
o-"!nA
%mt}'@(Q
hU/3rZ}y
\% L(k
[@el5,/W
ilEol~
c2"c%u
of-~(K^w
-N.uYR
FUzYI~
vg7q5t
w	q|I}
>bt"	>
:H:_6c
3!5{[&
BK$R;W
'jMFD&L
J`(BUi!
iZs]_U
Pe@|cB
sYvAKs[/
:]If7~
K"tr5?
QBdnn?(
lpw@\a
P;Bh':
dTE\+U
tN$DF;)
41*uE1a?
3{87&~
JI}T43
$'v4HR-P@B/I/
DQ')"5o
N'xiq9
nj"28bn/
]}{Mr?
t7~4]cp
%sg};;
IFx0_F
aTPr\M
,XH{rS
vc0nW8
y<_8oamvUsXe
t4D?w8e
`$ZBdd
Do$(E3f
&~[6hb
3[gq>\
xK8G$2
nm}ZF\
qLY	@w
wQNA^R
RMqh5]
NtFRQN?
n0iz~j
[!,['#{R
"TnV9=
Y@c|'@
e0Q-Fr
;+^jc	
(G)Br=
@6l~<>
Fe=mIk,
fQ.o^U
XccNm%
23EQXG
:s>yGc
i)W7&!@|.
%AD-yMtrs
7-h=l(e
*`%Rve
e*}6={U
:n$'!	
tCK9"x
yjm*44
iyHav[i
a7_|H>O_0
CRs@A|
cn>x6#
C0gdH\
wp5Jn_
X[PFe}u
L44*'&
'L]\6]
qa/>'OQn
nF~oto
h[,I{p
l_6:AJ}%o
4Re,.~o
'WfT8b
UbswaA@
L,.m],*36d
Z{bQHL
bGD)709
hE8L+6
&mh5U,
4p,kze
J/;q+&o
27dnS#
kB~~n8x
1p@7hl
BbvWg*M
A^p/Mc^$
V?hpM'
!/'X31
"_o*qa?
5iC+i\Dmi%
~S)}]#
S<Iegb
U94/!J
cD~3{G
2yucPi
hSSLp.
}/tJE4
~P\:BX,
QVrpMZ
V;iy8#yx`
Dm}oI>
Zmbo|-
.Qk^Z 
Wj.1Eq
_dF`yb
D'hd$X
KX|6e;
=$sn95
1gtU4)
@y@K20
uv d~ml;
A'{~ b8,
\9nJf<Gp
Y8`(,g.
N=%(G|
[NPpu#0
fK%	;|
97,$'+
s|52vOiD
0}f}+6
09Brr(
u8(c}G:
I[?n<Q
dMG<5_,
J,%LpGa
5QSH4I@6
uI+v~v
-AX}]5V1^
1Nub~?
3q%&\e(
)Te&xCM
'^G(}R
gaFs{N
74 T`c
G@#0G0iu
j6Wi@c
P<rOty
<1	VXeKD`
?EQi!b
W'@DJW
JK|j<y
i~!X3a9
c"zh/P
([H{Aq
"&1~Rg
i">1L=
aUhzXy
.4g0"j
c:2;*d
&<xkuF
\f;>'YJ
xp jQE'
sz"8SAt
@_R;[m
S^w3$qbJ B
wL*`oO>
+z'U+K
y,( _W
R\IzBP
;2!#e*k
 hSP(b
L91')v
".}T+NH
B?sSrb
S+hzhC
`KonVMBl\
^r\MQ\
WyG_8F
o">V{A:3
bo8*{Z
TQPACL
fmI/ H?
F"RT;POA7
1D@O`.
 p',eQI
q{b72x"
1=:&Bb=Q%
D1#qq4)S
b }?hd
&zHK}rY
,l+EZv)W
]{ZBE>
r}61BSR
F+nFw,
_0#XS4
]rH8+*mX!S
wpU-0W
G&E-<_
?H)v]?(
X+t1+j,
`id!Z`
?w]9v/R=
`vYUk*
D 91J=
kB^F2[
m>6 p@sd
nGn^7p
'j=C1\
UAdl2w
_z|F|O<
zw,6nn
`w|o"{
f^QrfY
ldETMQQ
L	nWQU
J3OouM
JlfE'.
_)Vw3Z>
jYj8#y
,qCef<
Y=OW6.
6)j.oD
,e]7eA
f,2`IYJ
*xEYhQ
xs^s<b
W VG$K
|wZF3BM
\&vWhlK
}*e>.h"
lzeg[FbH
Rw6S(u
$R?{Y:
q)]snu
[O2od+
656U|[s[
G|P"Wx
fz0T%;
6ppWG;(
V6%S?`
6c0.i4
+wQ\r	
9|f%&b
qUjEp/c
sD+\qxt
~HB+`A;D
VN'twq
A#[|J-L8:'5R
hUcGIrg~
\FhGNL
(-N(IU
|^OdPd
|lWo\K
#ej0RNv
Lh_Rt`
&GGs.v
pY3h`W
S.x[`.
M[05oK
Q?	oQ@
rvzU)Q
AQMcc	
`O\Yd6
 BiS`\
J]<$<;
[b][KJ`
?`mGyL
vwCuA1!
*st!2Sn
tdD	*Ee
j<2Z$sU|
*U}366W)
x#d)#6`
*c>~XtT
dC;]@%S
iwu3!8'
W&2G'EA
8EnM^]
,%L2\5
V	I |y
!gd/Fd
$TB^!Kj
tm}o|*
9<Z=/<
P	d)>q
Q8K8p}
z}9o>G
|+yqF_3
wC~$P 
~{YLdO0g
vr`p3M
MXhC%1
3mT6,$
M^35R,
yNX]B.**G
A>$:[:
=gx>%x
ti,%@)
86,/aG
aux{K0
]6.[r8k
zLW/s&V
HmRk=k
#!>?N	
zb%S3CO
>x[T{AK
oMn<JP
J)(JG!c
4EDYY"
JD.bU;
}$~\#i
Tm1pzzt
/?T N$0
]%wG}n
U314'*
SrDj_#
=0%~cj
l!BT)<
dJ2zj,
Y'bU>)
\R(<=,T*
3cF4&AY
W2N4_;
)!7/s9
=F/IA[
|1_w2C\
[\4.,eREZ
=Xf1Y 
Jw6)6v
hl[dN8
DY03:gCk@J[
h*,ZeA
8:Q&G`
(Ou|&]
FG'9t{
}7%F9"8
&#u^Q@
Y0mb;F
6RS4OBT
5%]hw=V
G0P*uO
a=]@>qqV,xeK
Wl8MY+yUA"
qVD>1C
02`I`z
(19d^f	
 2*CEg
R#N&a|O6
2?\<9hzf
	A(0t.R
'v,+o2
#fKJjz
ep3,'[
6\C0\!
p/t}][A
8jTJkWV+
_m&	=H
Fvda+m
0@?V}V1
"iM>~Q
*a{k3%
i2}XLn
zPd|{4
t~1O{b
"Bb!}N
!zLfV3
7;B5bz
[IcYk_D
;x*F$?
e#~(P[
T_OW$|
N16/,*l
o^+tC]
FO;eP6F`(
~i%t1u
DEYTOi
m.aLIz
s@$~v	
eER&Sx
OE56Fe,
04cl]3
9K5'[R
h.b:68
	L\#;y
<IR_S$
kAh[D3
Io?A6j
o+nSPP
v4.0.30319
#Strings
SUUZTNB2dAu
mscorlib
System.Windows.Forms
.resources
JRtfA7r42ZJoe
T5QdDyfzR9i9wz6u
.cctor
4Y0QddNS1SK
XuWUcjnx980qCJj
Object
System
7FSyHqWL93vVREq9fu
MethodInfo
System.Reflection
nRc3rwCn3IzDRUX9my
MJJypqbt7YdMbCC
vDYOk4DIa4k3h
IPC5htuQoaz
Assembly
vI9jc413cG
nyPfOAwEodVk
IXBgsvC9SswAIXN
R94NENEXE9qbYpQKe
As4nPzUEs7V9r56ZRo1
Mivg7zcYH5a8
ResourceManager
System.Resources
SymmetricAlgorithm
System.Security.Cryptography
ICryptoTransform
AppDomain
Exception
Resize
hIxNzmMkqFT8E6tQgHk
XzRMJQTXBVhBNeBbSJ
KesiW6o9TydA
yjGcnh6p9uIF9u
PropertyInfo
oYgueTeu6wF
PVgYA4MJe8ywEeiK5
lqd3m6JxDbDAV
TGgiBeBkR31gHv2lH0
b8mLB65Cf8Ov
9Kupdp4QPwUywsjxEy
Ccn4t5Qs2kPy5Ueg8
YuZ6NB72mCCG
GetType
GetMethods
MemberInfo
get_Name
String
op_Equality
MethodBase
Invoke
Thread
System.Threading
GetTypeFromHandle
RuntimeTypeHandle
get_Assembly
GetObject
RijndaelManaged
set_Key
set_IV
CreateDecryptor
get_CurrentDomain
get_Message
MessageBox
DialogResult
GetProperties
obSsCVxUjUNI83zfo5B
65NmMrKMHCWn
HXRsUouIzS77JRgU
dEw8rdPdcKzZ0T
Q1lpDwSBKJ
x0EpPEyhO9vKDO48sQ
egu3UNsz4n
Hyld1YXsiDdS6zr
HAKrQvJFDg7
cnvm07yrmQJsg9lmMDp
EHZZdcalFGPFCN0Yh
C9CqYh4UNWrkB9tpR
21fZBqmX0rmmpPpe
awW5jSHULhv0AOSca0
AhdXS8n1inlRi
o4owXDjI8tCe4jTBt
LCES8j062YOoQChzEGR
Qgieki9Otibyy
XclU51sBYU9MF
BMNMxXITGmx0kl2XvgN
q3V5LSoFTAr
T9XhlI9PVjK3dz
358pXwI94r3uLD4
rv2vlIDWMghxXs3YFwh
ZQlQ7qMsmWk71kFUx
lclIxUVdhYapEJvdR
tEmlLWen7lERIvm4
4m8uVGXXuwh8AAHBq
1yqF1Z6OTXVsBX
6EBTUlNHISmVmvK
HU4ISYkIRpfa985fZ
Go1yTprFRwWLUd
7uG3f6fshqvzGHOJs
9LO5veXR7jhz
Fqbe2jxkRQ7Slitm8
cjEUTfwXSoX865phYtj
Hm09ZkSyr4Jr9c4M
uUpqiHdIZRwEr
9ocg5mEwdDLKK
J9Swx6FOiDOXGW
BP1qUJ4Fu8
MzyUlQ8Y1U2qiu
WwYJsXwqmr0JaCCcT
3uOgAyoV5A
4OY3Cg34QBHNt4
WYB7zan8f9ddQm
mMWUTTiVnI2Qtgg
Rxi2n87TyUAZ
OeET1n0bOm8y6nQfYxX
KY2yUaQ16d84S2MTQ6d
n545oOWPUkPs0ZdMpo
K78QvWtLtP5BBo4SVN7
8L1cHDVrzHq
k7T2mTORr0vqS
Cr64Qqd799uFXY
qDnOAUMFeskjRiic
Xs0Lishqoy7ZCVYMMe
8Wq76m3LoXY0
Fh2P253WoOEf1ojmIW
z3bmYf4ygEihnEz1
3a63pVM3IXtjFyA
uC8j0pv7DH8wl
XVkYZbTY5u
ZdE0eApU7lKiSJX
9kTNNSRqk93NdNvM1L
73uPtNTcCeHJr
PTEWlY4LWPrJcxo62
2vB43KmqyhK8
y0rFy3bP9mgEIUbR
dMpmBK6HSXw
mGqE6Y0kJMeT
36OWcseUpr1NfZpi
KovkPXf9AVIdRvBGY4X
fjP9CjSoFYgJa
i3onyscEXnTyHJtaR
nYXWPvUyptc1O0eC
3UcAPeXZaTWA
tRhDlW7JxC2qeju30Gk
WsFowMJq6n2tLgq1S5O
BOOXRPUVGSx0pHR
0iAEX7X53BkBhgk4uJ
3D2HEl3cxte
rCowTcz00ND1HkYImxm
ROAj7Eop0Sm112gei
VPq0jt9q9sPv
qGkWTs1red69gnCqVeK
sI0YDlZj6E7ATH
dPWX0hpXvr0wHg
do16XENONs
SuPhvTP9OQck0awV
JVjMw6hNLI46bw
PsFrsuKcEJHP00wV
Jc1e4MAayQF7GrsmY
HI8Sv8QNpvvn8KCdj
pPGcr21Htn
FTpiovhYz83DuJgB4E
sEVojatyRzYJ4wqU2dk
cUEstj6IHMz7fofc0c
7reCFck9SupvADDAG9
tqfUGGqCRCBGJUyx
yCNMBjcWZRTxAOPvg
3XUnuFPBfBWR
kl0k2sVkY1zosUW3fg
EhmPh4Gsh9rOq
FdwXjJsW9a
Wh5io4qOowP2YAvg9I
HlzuIymo6Oiq
gJBHYtuzr91q
ylp4Es4KTA
obBLCrqqqlFeV
RuntimeCompatibilityAttribute
System.Runtime.CompilerServices
CompilationRelaxationsAttribute
UnverifiableCodeAttribute
System.Security
NINQNWN
NwN<NxN
NwN1NBN?N[N
NxN5N#NrNsN)NcN
NpNeNlNMN^NKN
NpN[N;N1N
NfNwN!N
NoNdN>N
N{NzNiNzN(NANeN^N
;#NYN%N8N_N
N0N~N+N
NdNaNgN&N^NdNaN
NON+N"N
NzN5NmN@NUN
NANtN}NZNwN
NfN1NzNjN2N^NKNZNAN
WrapNonExceptionThrows
System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089
SkipVerification
_CorExeMain
mscoree.dll
PWWG0==
!MhiiA]]
	*--L~
Fuu5*++
Hmm-6m
lze#jkkS
Ccc#Z[[
M")wDdz
O'2J >
v'Lz]R
}	'Ziii
cV=X6!
%V__O{k
B!DwR;
H,yj g
c$c|/Jd0
VGR!.r
!|ZOj"M
7MMMhmmE
o>OYWSSC
bEQ	{8
[ZZ0{v
$eq_;^
mP='rr@ph
@ @II	
MS32> 
nGAAAF%
IM?U,R"
\V8\FX
AQ Dmm
^\?s.^
~(ihh@
/w_uu5
Sd<.QWWG\h?>
7`HKMMM
R[[K477
 MJmm-
7 -J$k
i(++CYY
;[hiiASS
B.rHo0
(++CYYY
~}}uuvn	3
~}|uuyyt
U98>owyz{s
7y{{{q
2hklh3
\]ZYED,
]ZYPNMH
0FOSS{J*
'~LT20,.yl
'taeg[d\w'
}^hiWx|
"&+jph|
)$,?	Y
9[zmWk@&
TUeVl&l
u/[-_N
=H"aQ{
66P]]Eyy
477g]s&ttt0}
n=aTE"
RW[AME
PVYIIi	
N5e+[\
VRRQEIE
SVUGYU
LdLJ	`
y|x<>4
x<Noo/
BQP5m0
WREBz	
hhB q2
+osquuu^
x|x|~4_
~ncY?2
==(B!:
S`II	MMM
TUTECS44M
P4m0 (
4YRJL]
P(tD;~:
l4B(h^
pyvV@`6
[,XPX&]
#100@ww7
555tttLx_
:6Gqq1
IJJj6k
[;?@HH
NII!77
trSwS^^
PXXH||<K
;w(//g
iG g6n
Ciu\JEE
h4RYYIyy9
ILL$##
:Dttt##
"..Nq}
*jkkEmmm
3GDFF*~
]YYIAA
Fpp0!!!t
.$<<\iu
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
    <security>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
    </security>
  </trustInfo>
</assembly>