Static | ZeroBOX

Name	Virtual Address	Virtual Size	Size of Raw Data	Entropy
.text	0x00002000	0x00042254	0x00042400	7.92819874835
.rsrc	0x00046000	0x00009a46	0x00009c00	2.38258223098
.reloc	0x00050000	0x0000000c	0x00000200	0.101910425663

Name	Offset	Size	Language	Sub-language	File type
RT_ICON	0x0004613c	0x000094a8	LANG_NEUTRAL	SUBLANG_NEUTRAL	data
RT_GROUP_ICON	0x0004f5e4	0x00000014	LANG_NEUTRAL	SUBLANG_NEUTRAL	data
RT_VERSION	0x0004f5f8	0x00000264	LANG_NEUTRAL	SUBLANG_NEUTRAL	data
RT_MANIFEST	0x0004f85c	0x000001ea	LANG_NEUTRAL	SUBLANG_NEUTRAL	XML 1.0 document, UTF-8 Unicode (with BOM) text, with CRLF line terminators

!This program cannot be run in DOS mode.

`.rsrc

@.reloc

*X*X(%

l^C0*L7*

xIi8']

G&#xE

q'\K_8

vhi8-8

#,jZlt->j

$Xo~LIP

LZ4(q]

@&V;2p;:u

O3qv*\

]aMH#j

EU?5pfn

b3( %*

)^O\4D

1'54sDv

SNF1P6

K $#d5

Rs617'

:3gzIp

es(b>V

,(,^_

In35U<x

/HD"F,C

=l*9I.*

wA4-W$

/Dss<:

8S>%To&

:TW?gp

Z5PcMG

WrI{pM-=

~mdI8N

0 ]"+

Zy_{=0

pEG+YJp

FPp*I@Hdd

k@At@m

j~%%-

+ *;[T

g!Wol{@

jbDtGf

HXr&as

%n>aZ&

rmr%\:

H-[}Lg

:Kn#0B

Df}~A:

BxaWO

U"p]S\

+4`P29

Bpt"5uW

G%'?NS

(fgb~NE

y\\dDT

pIO{cq3H

BQInq#

HAw<|

g7~z<m

FWKUi<

|5IOPk

CYHpBB

Gt,m|'?

t3cssQ

VeoWT/S/T

">^Htf

e*`s_>

EJqsh8ng

FXZ),IsU

)iEF(S

{~vt2O

sIa@`.

GRg4)7t

pOfJ"7

RN)RANR

Q5Mt}

ff`[Q\

d$D'Z?

/%4K}jn

\DWV;jY

HJz&Dek

HFlWl\.

I+%VU+jK

R`y&d`

0*G8{z

h|*<(?

4mOPE/

EI=z0NY

)M%fn1

0PJ{,A

eFEPmcI<7

nWOE@S R0

JYR ]AT

%A>/(~;

;px<0P

>TJwP.q

_CKA8}

OvTu;=

HTGt{s5

nu@ts

79^Vas

56R3(a

VC!~8i

gx.<VW

9pH08e#V|

6|j8M)-

LOst"Hx

},;<78

k4M2d/@l*

,LHdHP

U+%E=j

5b'ua{

DKQb;lj

>b.'VS

N{-'vc<4

8fGDZ"

.v5}Z{

HE*I2]

z%4Pwg

PX0l0

a!p_^L

RD&swj."

8E+zn7

F8"UdM

CRC$*z

Ad<Cjn

AibQmo

pgejElKfa

U8J(IHc

DfuNy.v

frH. d3

t~Ic)Z

i>-U_/D

fWw&B2/

2@=1Uuy

:D2cY7J

lQKm>g&

}dVNE

@x2hJ7

Q*;^C7

FFaiYo

TfW_YN

BW-H]1

Wq[r/`

b*(|TC

6~fR4a

'E\Lu)

K5#hDlg

%+B;7`FN

PEX-{i

AQV]-B)

+e]L2;

9)"|:M

pI3Ztj

Z$cS_

.OX5`!

?Cx*2n

.%h7FW

MAU4y|i

</XaL*

|*XJR<w

>08.>&

"d4B]g*

D=qy7>

,N{8X`O

5pWkps

ues9L+"

}(9IhP

/b3FXh

]6F%og1

.JjI6`

x}ryp+

]D~m~K0

i2yj<5

A]~i{($H

v=?/D0

Sd&^C{

]'HFy^

*Yw,<0ukv

gHEqNoH

Bo;x`}

Lykek1G

.xVTNz

lKK3\5

I|Vt?Rf+C

=&7%>@

l6Aw;v

ILoXc(

C8WfbY

29oM_Q

H$5MV(

B~";t)

'l25G1

|Nk|\j

,ki0\z

f}q%"N

MscNQ

1%f(Zq]

!['^<Bx

IZ}2_^O)

r<2{'g

u<vD:m

~efI9#J

zo*FQc

k%s}tN`[

9I+DCI6

(y)}$N

kiPtA}

8yU^kG

@FR_\([DYM`

[FG0q2

E$NCVq#MOJK

Le`@m/N!

v@'{{6

.ObXIQ

-tBLS[

?0!n)y

/'>g2Z9

_t[C73

f,MKy`l

~B3Q~!

'R>[E_"

bX=D('|

4YEd7Y

zK:%%

:r~OEY

J'nXB4

"YX{0n

g`gpAS

{ga{M=h

/:VMb%y

nA*41sH

m3^J^x

JPd]wr

\uV&)W_

C7kkTw4NZ

76W&-5

]CdZ]E

-ayQdjR

p[> =2

?vZ/M9

CZX&$#

,Q@7<GSV

Lul/2,V

R1o+^]m

r<?rmE

irL]hf)e

62-m0:

nA|F**

P4j;3

N15gj

u+!"oS

M}:<$Z

9#w@$*yrXt

VHa!Nn

8:G{AB

(FEuj>

;El|`

*LFs5Ah

}~I:U:

Mw@gym"=X9

1zO:w[

jiZA?@g

$Y:fu[n*

n#G^O7

"@%Kvg

MiTc.E

JL~teo@/

GQ]>MR

NjD0k;G|^

{V6!e{

F6g:^w

`"(x4w

.n'9kKy(

Xv*,qg&

_0>Yl^

'WW@FG

"oil4B

Q4;[b

j!f=ZS

MWH?_ub

(-!|F%

H\h51d

3EftS{

)^k& $

|=7r(4

C]0li:

cuF(7cez

XZ$WZh#}

8C^7v"h

,DKht7dE

X},vCi

u9tMFO0

tMRtMpV

]+5&>V

Ttsl8PL

ovgMP}F

ab(y@&#

X?^#/J

={}g@A

DYeB0T'

zv=lV

{.6TY#:

idO<sT

qb>wDR

f3lB\V

{h1[g5-V

WL0iEB

sv0nfC'

H4((.h

Q%;&Pc

?5Lc,/ F

:jU52&

>BUZa!;

m['Dm>^

nB<NWO

Lcrp?\N

L@l;+e

)n$p&cP

1 U+1k

L9@#S:

4&IApW-

R\>qL)r

wd(US1;dV

H/>'!#};

YX3NXa9

%d.NytlJ'

}H/Y1y)

EwHL.

#($y\,&

R9;ONvY;

$JBgye

d.bl_

)=%KIx

^4 k!'

wacy~a2

/]Ub(

kG]m(t

CzTWsO

%9!s~f|

y#j}L2

[;/eth

y&daN}s

-,KdJ~

zQI1jR~${U

R!~V>$<

xyF?h$

y`T(Di

lGkvT@

nQKH=^

A([QIu

>'z}u

7u~p^:

Sz(D]k

doaH@w

=Q2u""kC

a&M1]a

UlbHFZ

J*Y^^i

JTK$13

l`MFOf

&J.te3%

KxYz) R

Jq*i-nt

lo~7h>

4D.E;Ek

!BNmgo

piZ]EP

m&rFL~

q-D/p]

?^~#7FMu

Wn+BAB.

O:e}pM

Z2vF"v

%1_PaWL

BLaON$

m't_E9kJ

De~Ego

A'Iv{;X

.l\V(WK}

R;)wY,

QXiGcF

`aqIL~

2LXDWw

C~n}[[1

egijhm<?q

C^t<X]

0A#lVs

\]v,J~

WU<%=ZF

wx9.!m`

5W!8&<

rY)4=W

4#l\uF

Ikl3#n

@_|z\xb

[d aj!d

7&99Uw"

h$=\_RJ

%UXIn@4

l`O_>#

LsZa?

O7tg6H"

|_>+$c

+jGeXA{

,?s[3;

:Mioc=

FBC>(u

?m}*xP_

_|OuG%

8292iA

DK9tT)>H

Jwz[D`

#2OI4.

9CP+^Q

<.Y|1D+

>ho27rW=

w=WHm\<

UBH3%^

BvE3Xv

Xj&|yj

_B`ReTg

6Pu,\

:kafqM

|RZir8y

!4m[IL

CH-&#t\

hQ.(:\

orQs68

v4.0.30319

#Strings

Reserved1

ToUInt32

ToInt32

Reserved2

ToInt16

get_UTF8

PROCESS_SET_QUOTA

WRITE_DAC

PROCESS_CREATE_THREAD

PROCESS_VM_READ

STANDARD_RIGHTS_REQUIRED

PROCESS_DUP_HANDLE

PROCESS_SUSPEND_RESUME

PROCESS_TERMINATE

DELETE

PROCESS_VM_WRITE

SYNCHRONIZE

READ_CONTROL

PROCESS_QUERY_LIMITED_INFORMATION

PROCESS_SET_INFORMATION

PROCESS_QUERY_INFORMATION

PROCESS_VM_OPERATION

System.IO

ITE_OWNER

PROCESS_ALL_ACCESS

PROCESS_CREATE_PROCESS

set_IV

value__

mscorlib

ThreadId

ProcessId

GetProcessById

ResumeThread

RijndaelManaged

GenericAce

CommonAce

InsertAce

set_Mode

CryptoStreamMode

CipherMode

IDisposable

ThreadHandle

RuntimeFieldHandle

RuntimeTypeHandle

GetTypeFromHandle

ProcessHandle

Console

WriteLine

WellKnownSidType

ValueType

Dispose

CompilerGeneratedAttribute

UnverifiableCodeAttribute

CompilationRelaxationsAttribute

RuntimeCompatibilityAttribute

SuppressUnmanagedCodeSecurityAttribute

get_Size

get_BlockSize

set_BlockSize

get_KeySize

set_KeySize

SizeOf

Encoding

FromBase64String

GetString

get_Length

get_BinaryLength

ZIN3P4B5Jl

Marshal

System.Security.Principal

RawAcl

get_DiscretionaryAcl

System.ComponentModel

advapi32.dll

kernel32.dll

ntdll.dll

System.Security.AccessControl

GetManifestResourceStream

CryptoStream

MemoryStream

System

SymmetricAlgorithm

GetBinaryForm

ICryptoTransform

NtUnmapViewOfSection

System.Reflection

Win32Exception

Desktop

Buffer

AceQualifier

SecurityIdentifier

BitConverter

StdError

GenericSecurityDescriptor

RawSecurityDescriptor

CreateDecryptor

IntPtr

System.Diagnostics

System.Runtime.InteropServices

System.Runtime.CompilerServices

Rfc2898DeriveBytes

GetBytes

AceFlags

RuntimeHelpers

CreateProcess

Object

Convert

StdInput

StdOutput

System.Text

Wow64GetThreadContext

Wow64SetThreadContext

VirtualAllocEx

InitializeArray

ToArray

set_Key

System.Security.Cryptography

GetExecutingAssembly

BlockCopy

ReadProcessMemory

WriteProcessMemory

System.Security

GetKernelObjectSecurity

SetKernelObjectSecurity

Cronos-Crypter

System.Security.Permissions.SecurityPermissionAttribute, mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089

SkipVerification

WrapNonExceptionThrows

_CorExeMain

mscoree.dll

z!hez!h

z!hMz!h

z!hEz!h

z!hz!h

z!h#z!h

z!h?z!h

z!h#z!h

z!htz!h

z!h)z!h

z!h1z!h

z!h6z!h

z!h;z!h

BBB[BBB

z!h:z!h

BBBdBBB

z!h?z!h

BBBbBBB

z!hPz!h

z!hDz!h

BBBbBBB

z!hDz!h

z!hNz!h

BBBbBBB

z!h9z!h

z!hwz!h

BBBfBBB

z!h1z!h

BBB!BBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBVBBBeBBB

z!h-z!h

z!h%z!h

z!h&z!h

z!h:z!h

z!h8z!h

z!hMz!h

z!hcz!h

z!hzz!h

z!h,z!hnz!h

z!htz!h

z!hvz!h

z!hyz!h

z!h{z!h

z!h^z!h

z!hlz!h

z!h6z!h

z!h}z!h

z!h?z!h=

BBBPBBB

BBBiBBB

z!hWz!h

z!hNz!h

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>

</requestedPrivileges>

</security>

</trustInfo>

</assembly>

WklOM1A0QjVKbA==

QlZUeFV3M0pjQQ==

QzpcV2luZG93c1xNaWNyb3NvZnQuTkVUXEZyYW1ld29ya1x2NC4wLjMwMzE5XFJlZ0FzbS5leGU=

I2NtZA==

Cronos-Crypter

VS_VERSION_INFO

VarFileInfo

Translation

StringFileInfo

000004b0

FileDescription

FileVersion

0.0.0.0

InternalName

WindowsHostShel.exe

LegalCopyright

OriginalFilename

WindowsHostShel.exe

ProductVersion

0.0.0.0

Assembly Version

0.0.0.0

Antivirus	Signature
Bkav	W32.AIDetectNet.01
Lionic	Trojan.MSIL.Crysan.m!c
Elastic	malicious (high confidence)
DrWeb	Trojan.InjectNET.14
MicroWorld-eScan	IL:Trojan.MSILZilla.17516
FireEye	Generic.mg.b28a3a496bb68f9c
CAT-QuickHeal	Clean
ALYac	IL:Trojan.MSILZilla.17516
Cylance	Unsafe
Zillya	Clean
Sangfor	Trojan.Win32.Save.a
K7AntiVirus	Clean
BitDefender	IL:Trojan.MSILZilla.17516
K7GW	Clean
Cybereason	malicious.96bb68
BitDefenderTheta	Gen:NN.ZemsilF.34726.tm0@aqVqH2f
VirIT	Clean
Cyren	W32/ABRisk.RQPR-6048
Symantec	ML.Attribute.HighConfidence
tehtris	Clean
ESET-NOD32	a variant of MSIL/Injector.FCD
Zoner	Clean
TrendMicro-HouseCall	TROJ_GEN.R002C0DJG22
Paloalto	generic.ml
ClamAV	Clean
Kaspersky	HEUR:Backdoor.MSIL.Crysan.gen
Alibaba	Backdoor:MSIL/ResInject.5fe83c7c
NANO-Antivirus	Clean
ViRobot	Clean
Rising	Trojan.Generic/MSIL@AI.94 (RDM.MSIL:x9KBdVi4e0L27YyiUtw3kA)
Ad-Aware	IL:Trojan.MSILZilla.17516
Sophos	Mal/Generic-S
Comodo	Clean
F-Secure	Trojan.TR/Dropper.Gen
Baidu	Clean
VIPRE	IL:Trojan.MSILZilla.17516
TrendMicro	TROJ_GEN.R002C0DJG22
McAfee-GW-Edition	BehavesLike.Win32.Generic.fc
Trapmine	suspicious.low.ml.score
CMC	Clean
Emsisoft	IL:Trojan.MSILZilla.17516 (B)
Ikarus	Trojan.MSIL.Injector
GData	IL:Trojan.MSILZilla.17516
Jiangmin	Clean
Webroot	Clean
Google	Detected
Avira	TR/Dropper.Gen
MAX	malware (ai score=84)
Antiy-AVL	Trojan/MSIL.Injector
Kingsoft	Clean
Gridinsoft	Trojan.Win32.Downloader.sa
Arcabit	IL:Trojan.MSILZilla.D446C
SUPERAntiSpyware	Clean
ZoneAlarm	HEUR:Backdoor.MSIL.Crysan.gen
Microsoft	VirTool:MSIL/ResInject!MTB
Cynet	Malicious (score: 100)
AhnLab-V3	Trojan/Win.MSILZilla.C5129545
Acronis	suspicious
McAfee	RDN/Generic BackDoor
TACHYON	Clean
VBA32	Clean
Malwarebytes	Malware.AI.4221048470
Panda	Trj/CI.A
APEX	Malicious
Tencent	Msil.Backdoor.Crysan.Ikjl
Yandex	Trojan.Injector!EFAYKrC14B0
SentinelOne	Static AI - Malicious PE
MaxSecure	Clean
Fortinet	MSIL/Injector.FCD!tr
AVG	Win32:InjectorX-gen [Trj]
Avast	Win32:InjectorX-gen [Trj]
CrowdStrike	win/malicious_confidence_100% (W)

Static Analysis

PE Compile Time

PE Imphash

Sections

Resources

Imports