Analysis Date: 2014-09-15 05:25:44
MD5: 1a515a707d7a641f5bc58cf28732fa27
SHA1: 03ca3d2462f235c4e11d8276fda68a251d1649f3

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 624c2dcdbfbb2327eecadbb849ecb71f sha1: 6456e673f906ea0746d5b4f863ece1dc13242bc6 size: 181248
Section .rsrc md5: 9bd571d24f2b4eea1650cfd149734661 sha1: fdfe0e765462613f6709b2acce4d9b85d1ea7d12 size: 121344
Section .reloc md5: d67c6aded018ece954f5d530627427ed sha1: ecb65b5e958976f24d2efd6c79837f8abeaa2005 size: 512
Timestamp (PE compile time): 2014-02-24 20:18:16
Version info: LegalCopyright: Copyright © 2014
Assembly Version: 1.0.0.0
InternalName: hgjf.exe
FileVersion: 1.0.0.0
ProductName: hgjf
ProductVersion: 1.0.0.0
FileDescription: hgjf
OriginalFilename: hgjf.exe
Packer / compiler: Microsoft Visual C# v7.0 / Basic .NET
PEhash: a986ad86c65bbe128d91256e576c997184c0c580
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\GDIPlus\FontCachePath ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\\x00
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
(The FontCachePath value and GDIPFONTCACHEV1.DAT are the GDI+ font cache that any WinForms process typically populates on first run; on their own they are not a meaningful indicator of the sample's purpose.)

Network Details:



Strings:
;/i

000004b0
1.0.0.0
  2014
@#2@3?@+?C#[CsjI
Assembly Version
Button1
`c?csjc#[i
CheckBox1
Copyright 
FBH3U
FileDescription
FileVersion
FK390
Form1
hgjf
hgjf.exe
hgjf.Resources
InternalName
Label1
LegalCopyright
OriginalFilename
ProductName
ProductVersion
Property can only be set to Nothing
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
WinForms_RecursiveFormCreate
WinForms_SeeInnerException
[^^^?@@@$
%%%."""&   
("0( 0
09}t#{
0{	u-}J
1.0.0.0
10.0.0.0
:!1=1=
1=negF"
!-1=VM
)=1=VM
!-1=ypK
1=yp#w
  2014
222r)))*
;2kbnd0_
3#%*1"
3FSI2(
3ne]<s
3System.Resources.Tools.StronglyTypedResourceBuilder
3>VMD.7
3>zq!v
&&&;$$$4"""+
4.0.0.0
444l555e
444$\\\VXXX[XXXWXXXRUUUHVVV>MMM.%%%
 }4{eO
4System.Web.Services.Protocols.SoapHttpClientProtocol
)53>kbG
555@@@@H///&
555iKKK\CCCT:::K///B###9
)57@VM	
	5A7@vmJ
5,gbJG
5JMG)u
5JM(zY
5"ov4eW
)5?riH
5?yp#w
666.8885,,,
6itf}y
6ovBOF
7|9})u7|'t3z%s1yC
7@kb2(
7@NEP"
7@NEtj
7!(p"jNOO7
7@ri2(
7Ukb2(
|[7 zq(}
7@zq#w
8.0.0.0
8?0;(7 3
8 >4,a
8CGd7C
>8[f4 
8NB)]	
8>Z;X/
9};~7|;~/x3z-w3z+v1yC
`9--^8'*\7%)Z6+,T3
<99Y>x
9Akb2(N5
9Aqh2( 
:!9E7@kbRH
9E9Ari2(D
9(V87'L35&:*+!
A`&^+6
AccessedThroughPropertyAttribute
Activator
addedHandler
addedHandlerLockObject
add_Shutdown
&&&aiii
A=;"*!m
AM1=XO
am7@*!
am7@ri
AppDomain
Append
Application
ApplicationSettingsBase
ArgumentException
}aRL4=
asdfgrez
	$As`f
aSIJEr
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AuthenticationMode
AutoSaveSettings
AutoScaleMode
ay[cPWJLE@?49(3
AZkb2(
bcccDIII*&&&
B<[f>%
"BHH)m1
boZ_RPK@C0; 3
\;|B{qL
Button
Button1
_Button1
ButtonBase
%;BVM	
C>36#.
c7|} 6
%%%c!!!9
^cccBIII'&&&
.cctor
CheckBox
_CheckBox1
	CheckBox1
CheckForSyncLockOnValueType
ciUFDN
c-;kb2(
%ckg`2(P
ckTYKNF
ClearProjectError
,clzfff
^cND?$/
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
Component
components
Computer
ComVisibleAttribute
ContainerControl
ContainsKey
Control
ControlCollection
Conversions
Copyright 
_CorExeMain
cp[`SQLAD1<!4
cpWZL39
}CQyX 
CreateInstance
Create__Instance__
cRv\UL
Csg)i^Pr#
CultureInfo
C~xp(}
cy]@A&4
C{Z\\t
C)))Z<<<wFFF
'''^!!!D
D&&&+***!!!!
D?47&0
ddd]---"
DebuggableAttribute
DebuggerHiddenAttribute
DebuggerNonUserCodeAttribute
DebuggerStepThroughAttribute
DebuggingModes
defaultInstance
DesignerGeneratedAttribute
Dispose
Dispose__Instance__
disposing
_dOE@%0
dq\aTRMBE2="5
D@ubG)
D#u"tH
`DV?+')
dVMUQ3>
"[e+]2
e}\27v
E+927$
eABEyt>
eahtreqa
EditorBrowsableAttribute
EditorBrowsableState
elmf2(h
elne2(
e L)Q$
|elqhU4
|elqh{Z
elRY%!
e|m{1"4
e{]oWeRWKLFBA4:(4
`ePFA&1
e[P:@.:hW\Q
eq7@ri
Eq7@TKQ
eq7@yp
eq7@ypB8 
eq7@zq
Equals
er]bUKB
eRBY,C
e<tQc;
eul5Cc	
EventArgs
Exception
ex`n[dV
$f722134c-9d96-45d9-99b2-ba97cccba821
famc W
""FD4>>
})%fff
FFFg+++P
FFFoOOOoIIIgCCC_<<<W555O---I###C
FIDATo
fkkkHTTT,***
fkSR`z
FK#Umt
fretdfdd
}fUOJ9?
'''G%%%@$$$7!!!.
GACNndx
G			E			D
Ge=~Fc<|Ea;zD_:xC]9vB[8tAY7r@W6p?U5n>S4l=Q3j<O2h;M1f:K0d9I/b8G.`7E-^6C,\5A+Z4?*X3=)V2;(T19'R07&P/5%N.3$L-
GeneratedCodeAttribute
get_Application
get_Assembly
get_Button1
get_CheckBox1
get_Computer
get_Controls
get_Culture
get_CurrentDomain
get_Default
get_FBH3U
get_FK390
get_Form1
get_Forms
get_GetInstance
GetHashCode
get_InnerException
get_IsDisposed
get_Label1
get_Message
GetMethods
GetObject
GetObjectValue
get_ResourceManager
GetResourceString
get_SaveMySettingsOnExit
get_Settings
GetString
GetType
GetTypeFromHandle
GetTypes
get_UseCompatibleTextRendering
get_User
get_WebServices
gFG(NE
gfR\M9<%2
g|_lW\OMH=@-8
gneqPs
GQ}1=riE
grbw:,
~?gtST
gt[ZNAB'5
G)U7@ri'
GuidAttribute
gW]R*9
Hashtable
***h)))a'''X$$$N!!!C
H,B>dbeI
hbmcji
HelpKeywordAttribute
hgjf.exe
hgjf.Form1.resources
hgjf.My
hgjf.My.Resources
hgjf.Resources.resources
HideModuleNameAttribute
h~~^I)i
]hkb2(
h}`mX]PNI>A.9
hyrtezdss
IA=;/4!-
i~anY^QOJ?B/:
IContainer
IDAT|[
IDATy>}
IDisposable
IIIi888R
InitializeComponent
instance
Instance
InvalidOperationException
Invoke
I!q1z5
it^hX^S
iw[DQD\
&&&J   4
,=[&J_|9
JCl#~]
JDGPndx
JERNZBTZBKA
JERNZBTZBKAEKPHHBTHSYGWGYBNHGDMLWHTWUBCJTUZECQYIRCYTJNONPIFIXEELNOKWFBSKLVKMSXIPJCPBZOFNHJVJOLUTFPCXVCKRCVBMKYZQZDHCRVVVXJNQGMLTVWSFNJBSTERUBZQXKKXCIWGVIRERWTDUGXDGEKSZEEJUSHIXCLPKZWXWYRUYHUTCWYUHVKJBUFZVDIYYSSGKQFOEQYFZXUEDOGLOMSBBMMRDTIQGJTXRIFGFHZWZPDVDFGCODSLJDNIEKPHHBTHSYGWGYBNHGDMLWHTWUBCJTUZECQYIRCYTJNONPIFIXEELNOKWFBSKLVKMSXIPJCPBZOFNHJVJOLUTFPCXVCKRCVBMKYZQZDHCRVVVXJNQGMLTVWSFNJBSTERUBZQXKKXCIWGVIRERWTDUGXDGEKSZEEJUSHIXCLPKZWXWYRUYHUTCWYUHVKJBUFZVDIYYSSGKQFOEQYFZXUEDOGLOMSBBMMRDTIQGJTXRIFGFHZWZPDVDFGCODSLJDNIEKPHHBTHSYGWGYBNHGDMLWHTWUBCJTUZECQYIRCYTJNONPIFIXEELNOKWFBSKLVKMSXIPJCPBZOFNHJVJOLUTFPCXVCKRCVBMKYZQZDHCRVVVXJNQGMLTVWSFNJBSTERUBZQXKKXCIWGVIRERWTDUGXDGEKSZEEJUSHIXCLPKZWXWYRUYHUTCWYUHVKJBUFZVDIYYSSGKQFOEQYFZXUEDOGLOMSBBMMRDTIQGJTXRIFGFHZWZPDVDFGCODSLJDNIEKPHHBTHSYGWGYBNHGDMLWHTWUBCJTUZECQYIRCYTJNONPIFIXEELNOKWFBSKLVKMSXIPJCPBZOFNHJVJOLUTFPCXVCKRCVBMKYZQZDHCRVVVXJNQGMLTVWSFNJBSTERUBZQXKKXCIWGVIRERWTDUGXDGEKSZEEJUSHIXCLPKZWXWYRUYHUTCWYUHVKJBUFZVDIYYSSGKQFOEQYFZXUEDOGLOMSBBMMRDTIQGJTXRIFGFHZWZPDVDFGCODSLJDNI
JERNZBTZBKAJERNZBTZBKA9JERNZBTZBKA
|jg{ZS
JH	S2z2
(JJ1;|
?JwZ]j
KBA=78-3#.
[kkk1===
^kkk4===
KKKp333^
klVSJ9=
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
kmy1qp
_[KOE^MC@
kopg2(|K
ksX>> /<
K*>#tj
k+|;~U
   L'''
L0===	
\L==17
Label1
_Label1
LD<<27
)))l&&&]%%%K###8###&###
LLLwGGGm@@@e888]///W&&&Q
LOOcff
^LRF/5#/
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
Lutkf;
LVS"Tw~
+++lzz
M7|v#6
m_AppObjectProvider
mbbbOXXX3///
mc2(3&
mc2(|K
m_ComputerObjectProvider
MethodBase
MethodInfo
m_Form1
m_FormBeingCreated
MG?@	%
Microsoft.VisualBasic
Microsoft.VisualBasic.ApplicationServices
Microsoft.VisualBasic.CompilerServices
Microsoft.VisualBasic.Devices
m,+K?0
M!lO"l
MMMzBBBv555q&&&m
m_MyFormsObjectProvider
m_MyWebServicesObjectProvider
<Module>
Monitor
}mpqhG&8 
mscoree.dll
mscorlib
m_ThreadStaticValue
M	u]?;
m_UserObjectProvider
MW|#o'
mw]WM,8
my7@cZ
MY9AcZ
MyApplication
My.Application
MyComputer
My.Computer
MyForms
My.Forms
MyGroupCollectionAttribute
My.MyProject.Forms
MyProject
MySettings
My.Settings
MySettingsProperty
MyTemplate
My.User
MyWebServices
My.WebServices
M`[ZTJ2(
N0 'L/(+J.
NEd6-97@
Newu5L
nfS8kH
)ngmcx
NNN}@@@f***U
NNNvHHHnAAAg888`...Z$$$T
nTVHIB
 %@*]o
Object
ObjectFlowControl
O.~C,"
oCQ;\u
Of;Wmf
og2(kB
+++o(((g&&&]$$$P!!!C
OnCreateMainForm
ONNVFGG
OOO{KKKrCCCj<<<b333\***V   Q
OOOyJJJpDDDg===]555V---P%%%K
O,		p[
O.Q-zq
\OUj&]
%ovQMl
{oXNH.8"2
p2``^t7 
PADPADP
PerformLayout
PF2(% 
PF2(lC
PFdZR1
)))P'''I&&&A###8
P`RB:.*W
ProjectData
ptttQXXX5111
pwg_9[
Q1{3[Z
	q}7@zq
:!Q];B
Qf~`c%
'	Qfh[
!qh2(M
)QJ-SJ
QK	COJ
q$$$Q%%%<%%%(&&&
r0::Z>x
R2)%CZq
R2)+P1
R___+333
r3z+|C
ReferenceEquals
@.reloc
Remove
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
resourceCulture
resourceMan
ResourceManager
Resources
ResumeLayout
retfdsza
 ri2(E
/<[RJ,
RJd,~l
rkzepds
RMp(#m#!
R!!!o,,,
_RPK@C0; 3
`.rsrc
RuntimeCompatibilityAttribute
RuntimeHelpers
RuntimeTypeHandle
ry}|HF
'''S<<<>1115$$$,
s[8>(6
	)s)BII<
SDE/}X
sdFy&e
    </security>
    <security>
sender
set_AutoScaleDimensions
set_AutoScaleMode
set_AutoSize
set_Button1
set_CheckBox1
set_ClientSize
SetCompatibleTextRenderingDefault
set_Culture
set_EnableVisualStyles
set_Form1
set_IsSingleInstance
set_Label1
set_Location
set_MainForm
set_Name
SetProjectError
set_SaveMySettingsOnExit
set_ShutdownStyle
set_Size
set_TabIndex
set_Text
SettingsBase
set_UseVisualStyleBackColor
sf2(+"
SFQL+w
ShutdownEventHandler
ShutdownMode
SID#8 
SIrQ8 
|}Sn4%P
s`	$pw
ssmc2(
SSSxMMMqFFFj>>>c222\(((W
StandardModuleAttribute
STAThreadAttribute
String
StringBuilder
#Strings
SuspendLayout
^sVcNSFD?47$/
SVR1s>
sxxxT[[[8000
Synchronized
System
System.CodeDom.Compiler
System.Collections
System.ComponentModel
System.ComponentModel.Design
System.Configuration
System.Diagnostics
System.Drawing
System.Globalization
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Text
System.Threading
System.Windows.Forms
System.Windows.Forms.Form
sz_nY?
\s@{Zq?yYo>wXm=uWk<sVi;qUg:mSe9eOc8
t0;;kJ,9
!$t]7v
TargetInvocationException
tdT3<'6
tesdsffgd
)))t&&&g$$$W"""E!!!4   $!!!
!This program cannot be run in DOS mode.
ThreadSafeObjectProvider`1
ThreadStaticAttribute
***t'''j%%%]###N!!!>
TK+TEG
ToDouble
ToString
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
trzasq
T!{sQ{
~Ttg,OV
tttc\\\G,,,
 t+W^0
_tWdO[R
tX\LGB
&tyej]
)u7|!qA
)u9}3z:~C
)u9}%sA
u~\dO'
u>@]f(
.UGF5YOJ4Y'6
UM{|ACuyNL
UMOfGF
>^uQ0Y
$~#u qU
u{_qZ(6
,utPFd6
\uWkRaMWHMCD?::05&0
+UZmcx
v2.0.50727
V^^^-333
V38I&`;vB\t
-}&v5J qV
v   D%%%+(((
vnnnWMMM:...!
vOb{dW]=
/VOJ.V
vR	8dm
VS"Tw~
Vu(+__3
VVV{RRRtJJJl@@@e222`###[
VY2(KF
W9taKJP
WindowsFormsApplicationBase
WithEventsValue
WoC.xZ
WrapNonExceptionThrows
W<uI&JJ
^wXkR[J<; -
X^^^;===!###
xg~/RA
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
:;XN4&
***X(((Q'''I$$$A!!!8
xw\gTTK.8
XwJU"Z
xx]MH7=
			#XXX
XZZZZZ^^^Z^^n4
Y0I	]5T
]y1d`~
]y1=pg
Y\2(07
yA>58Q
>yBh)Ay
ybxx8d
Ye3>zq
Ye7@ri
Ye7@ri2(E
yliY12#d
Y	lY(V
ypppZOOO=)))$999
***`)))Y'''Q$$$H!!!?
&yvia2(P
%yvia2(P
_yYcNMCB>,3
yzabUkb
Z15A1=
Z1IU3>
Z1tj2(
[Z2(/&
/z6|'xB
z[752Y6
z7%Lsr
zAmy1=
zB*@7@)
zeartrfds
zeR:=(4
`ZK+4	#
ZlS}ZW
Z-PtjE
z|^pXdRXL?@'4
zsZiU(5
zuhFt 8
ZxnnN1
Z,|){)y1