File Name: Projectr.exe
SHA1: 6de5adfcd539f3e202558108638e49d695fcbd28
MD5: 6d2ee30c516d2f465474afe1f7ee7e78
First Seen Date: 2016-11-30 14:15:15.094058
Number of Clients Seen: 9
Last Analysis Date: 2016-12-16 12:07:31.137562
Human Expert Analysis Date: 2016-12-10 16:59:39.213059
Human Expert Analysis Result: Malware
Analysis Summary

Analysis Type | Date | Verdict
---|---|---
Signature Based Detection | 2016-12-16 12:07:31.137562 | Malware
Static Analysis Overall Verdict | 2016-12-16 12:07:31.137562 | Highly Suspicious
Dynamic Analysis Overall Verdict | 2016-12-16 12:07:31.137562 | Highly Suspicious
Human Expert Analysis Overall Verdict | 2016-12-10 16:59:39.213059 | Malware
Static Analysis

Static Analysis Overall Verdict: Highly Suspicious
Detector | Result
---|---
Optional Header LoaderFlags field has an illegal value | Clean
Non-ASCII or empty section names detected | Clean
Illegal size of Optional Header | Clean
Packer detection on signature database | Unknown
Section entropy check: file is possibly packed | Suspicious
Timestamp value suspicious | Clean
Header checksum is zero | Suspicious
Entry point is outside the first (.code) section; binary is possibly packed | Clean
Optional Header NumberOfRvaAndSizes field has an illegal value | Clean
Anti-VM present | Clean
Size of raw data has an illegal value; binary might crash your disassembler/debugger | Clean
TLS callback function array detected | Clean
Packer detection on signature database: Microsoft Visual C# / Basic .NET (.NET executable)
Dynamic Analysis

Dynamic Analysis Overall Verdict: Highly Suspicious

Suspicious Behaviors |
---|
Creates a child process |
Writes to address space of another process |
Uses a function clandestinely |
Reads memory of another process |
Opens a file in a system directory |
Has no visible windows |
Behavioral Information
Precise Detectors Analysis Results
No Detector Result Received
Advanced Heuristics
No Advanced Heuristic Analysis Result Received
Human Expert Analysis Results
Analysis Start Date: 2016-12-10 15:44:32.734584
Analysis End Date: 2016-12-10 16:59:39.213059
File Upload Date: 2016-11-30 14:15:15.242768
Update Date: 2016-12-10 16:59:39.217955
Human Expert Analyst Feedback:
Verdict:   Malware
Additional File Information

Property | Value
---|---

Name | Virtual Address | Virtual Size | Raw Size | Entropy | MD5
---|---|---|---|---|---