Analysis Date: 2014-10-07 03:44:51
MD5: 56d5fee4be926407bb4dbeb737c7e291
SHA1: 04fd80275871c241af749638d3da4ab39293fefd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text md5: 922c2d66930471a80f94957fdab0e6ee sha1: 3de4f1686e2c274a666809bf0dcf62d02ce15d7e size: 79360
Section .reloc md5: 4e2ef5d9db3f96413c64537b0ef953b3 sha1: 6bfd8c6b27172ed2b3107a68edbac46931fca17a size: 512
Section .rsrc md5: 3d00cc1b16c33ef4a1d9cf63f1736db9 sha1: 3bf2000c8bf04df2b0fc8855d4a4ffc78a29ddb0 size: 14336
Timestamp: 2014-03-17 09:16:33
Version: LegalCopyright: oarWGTYK9Zh
Assembly Version: 4.2.4.5
InternalName: 4+5.exe
FileVersion: 4.1.5.​0
CompanyName: oarWGTYK9Zh
LegalTrademarks: rav5M28R?9i
Comments: rav5M28R?9i
ProductName: rav5M28R?9i
ProductVersion: 4.1.5.​0
FileDescription: oarWGTYK9Zh
OriginalFilename: 4+5.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: e55fae161743c50ed19c52852ebdd29f4702e0ab
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744

Runtime Details:


Process
↳ C:\malware.exe

Creates Process: dw20.exe -x -s 292

Process
↳ dw20.exe -x -s 292

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\12C0C.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\12C0C.dmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:



Strings
...I....D.

000004b0
4.0.0.0
4.1.5.
4.2.4.5
4+5.exe
Assembly Version
cb631b2918c448648dff8656f7131995
Comments
CompanyName
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
oarWGTYK9Zh
OriginalFilename
ProductName
ProductVersion
rav5M28R?9i
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
 !"#$%
 *!&/ %,
 &  ''%*#
 #$#%,())#%*"%+%*%!'
! "!$#$
"))#*)
(:#/>$/>
))",'&
$,%++'-&$*
&$$&.-%'(
%*%/%"+
`!;<:0
0-&)""
$-0#.0+0+3<89JL1JP9V]/OU6W^,MW/R]*OX&MY'N]+Ra
001fbd727946452091ef80c75de9f725
 #-/,0,0745EG/HN7T[0OU5U\+LW.Q[+PY&LY$KZ,Sb
$''*(00&>E<8KK0LR7U_1MX:W`/NW3T_+LV+NW-R\/V_
!&}#0}1@
,-./0123t56
,-.-012Q456789:;<=>?@A
#&&02+0+0746FI1JP8U\/OU5U\+LW.Q\+OY'MY%L[,Sb
 +,,0,2756EG0GM7T[1OV4U\*LV-PZ+PY%KW$KZ*Sb
"0'-<)2B(0@
"0!(<(2J$/J
%.)0?2<K3BLGWddu
"%((%0314@B/DK6RY4RY4U\-NY(KV*OY$JW"IX'P_
#/&04.:90==,8>
#('04"()+.'9@:9LL/JP7V^.MU7V_,MW1T]+OW(MW*Q\,T`
 04<OAMbTbx_o
*!#0((5)&2("-+"+0%,-%-('2
"!"$/*'0) 62(ED:BJD6DD2GL4KT;PY9LT:PX3MV6S^+GR.KV7U`0OZHXhESf;G_;I_cu
0646FN/NS/TW1RZ+IW+L[%JX
()".0-75:C4;H!+<+9LScvo
&0+7CA\k\z
!0(*8"*5
!0 *8.7H:EU2;I
#%""0+%/+!:8+HKC;ED4GK4KS<R\8KU<QZ2LW8T_,IT-KV5U`.OZN]kHUhANe<Ka^r
0C(<N+?O%>J
)0-DM,IQ(HO$EM(HQ&FQ!@MLajH]hCVc=P_=N^SbsZfw&1A
+#0F7NkKi
$0?F.MQ.RZ(LY'IV'IV"DQ#EQTaiN\cEU\BRYDPX4<D
}0mEMM@$%*'()*
0Pz<UuI`
"%!&) %'!)/"+1
1"0="-4
#&(#1.%%! 04=4HO0RV1W])MY*LY)KY!FR!HT]gkVbgN[aHW^ES[&/8
*)&1')2#&,
$&!%(!),(13.AAIih5SU6PT/NS-MS0KR&CH(EL)GP(GP%(1!%2
15Rr<n
'*)*--%'-$1>=6LS.OT/SW1QY+HU-O\&KY
17./=//?**<%'9#%7$%5#$1 !+
, #1!)7")9"%8 "7 #8(-@7;LPRaKMY/4@;CPep~v
(.!,18>A8C@9E@ThfVvv5QT2JP,KP.MS/IO&?F&AH(DN)EP "*
1$&9)1D
1B~k,E
"*!1>+BV+I`,Me)F`.H_.GY&:F
!&$&(()#//$;<1FMH7IK2KR9S]2JU<U_1LV7Ua,JY)HW.P^,P^ejjW\cMUd?L__t
#1*>K3J\\y
(1@>Nf=RpE\|Vk
$ ):1=PFTfRbm:IS7CN(4?
* "1+-><@R@F[T[rXevZkvds
%2(+=02I5:Q@H\JTcJS^5=GHO[r{
%209ICM_BK]LTdagtsz
)2'/=.1D//B'+8
$2 '7&/D$0H ,F",D '>!%9''8('3"#. ",
29!9A+,C,-F-/J,/L/3O16O38O,1F)-<"&.#',"&*
#*$)*(/-29::AH3:C
")**')+)2>A0EL4PW3QX4T[-NY)LW*OX$JW!HW&O^xypqtodllXekRdmk}
 "#"/*#2+ A=4MLG<EC1BC/FL1JS9OX9LT8MU1LT4Q\+ES/JX9Tc0M[FUeCNb:D[8E[`q
2%AeI~
(#+<&2B
*2(DI/OW+JX'JW(JW#FP#FPM^eHYaBT]@PZDQ\Q[e"&0
.2*EE7RT7QU1QV/OV/LS'DK*GN(FO%EO6?O0;L,7H)4G(2G%,A!(;$);
2fkf6*
&,2GP-GQ.LT(GN%BK&CM'CN#>L?RW=OV8JS5FR4DSBRb)8H
(2,GSFcvi
*='2I*4K )=
2*l%!^
#2*@]!:_Md
' 2Q/NzL
!"$ 3.'%
)"$3'.? );
$3#/?!*:
*/$!>305274IF{p]z
*3'15GNR@IP
#&&))'%,*!31$FG>AIF6HJ3KS<S^5IT>T^3MX9Va-JW+JX1R`,N\XdmNYhFQe<Kb_u
$)!%$./)33(DJD7IK0JQ7S]2LW;V`/LV5T_,LY+LZ/S`/Uani]^ZWOOW<ET\n
&*)'')&(340CI3NU1OV2SZ.OY(JU+OY&JX!IW&P_lsndlk\giP`fL_gJ\d
) !+-34GPS\en_lwbu}r
,%$/%(3(*5%&1$#.$!+)%.)#,,&-)&1
3cC\/1Y
*#3C&:N&=SI`ub{
!>3\fKD@,+U*
'(&3>?H_fdx
#$3:,HL.PX*KY'JW)KW"DP#FPScjM]dDU]AQYDQYDLU
|3:p@?B
/40?ECO?DN(/<.8HWdwr
"4)-:#'1#$.##,!!(  '
4.1.5.
.4./=25D%'8"#6!!4!!2
$4"2D*<N,>O)CR >L"7F
#4(3D9FWIWd:FP,6?
4+5+93
4+5+93.exe
',!,4'6>$8>
&(,.+4855CE/EL7T[2PW3SZ*LV)LV+PZ$KW#JY(Q`
)+4F9FZO]qXiv@P]=K[4BT-=L
4);/Gr
4qNC@EBGDYVKf9/78A^S$
4Qx4Ku:PuD\|He
#4$<RFc|`
4V 1S%;]#DgKr
4X)jmX
$#%*&-5
*5!29!3:
5="7?)?G7=P)0D&,D/5N/5O.5N4;R06J'+:#&.#%+%%*"!$'#%,'(+%''!#(%)
"5(+8"'0 $-"%.
5< 8?#=E%@K
5=!8@#<F%?K
/5<AL@DP(*7
)5"/:ESe`~
#5',F*3T"-P#/N.9N17E"#/
&&.5FM0QT0V\(LY(JW'IV"ER"ERZflTagLZaFV]FS[,4<
5I&GqU
!5@PBUo?VwD^
#6',?+/?),:$$1)&0'")&!&&"'"
$6),<+.;&'2(%/'")&"'#!&
)6#7I*AT+BV,GZ)FV-BQ$3@
6>";B'@GCN]5AP$/B
$6#,C%0J
6<"<C'BK
#+'6E1Kc2Vr)Tu'Mo.Ji*Ia&CS
"+&/<*6G
+%6H6K_
$%'*&-* >6,IE>SSR<GE/CD.EK/IR:PY9LS7MT1MU3P\+DU1IZ9Sd.J[
6I#<K$;H"6F
'+6IM;RY1NW1PX.MT'EP(FR*HU%BQ;FR6DP2?M0=M-:K+6G
6JeBVrNa
 .&'6$(:-:O4Nd0Oe&>X1Hf!Bc.Z~*Y
 ( $. ,>6Pk@g
6Rx9Q}Tj
"76#9+(
'@!'=!$7(':%%7
"7*);)'7"$/
'('7AI3LS/RV1U\)KX+L['KY
%7#.C .E".H#-F$,A"':%'5$&1
#- !+$$,)'.(&.%$.,,7(*:(-E.4K:CWKWi\iykz
.7/GQ*HP(HN$DJ'FO(FQ!>LGZeBVa>P^8JZ7GYLZmHUh$0C",@
.(/?,7J?Qk1Pk
'7&=Q=WnPm
7Wv,Ko(M}0p
'8'.=#/:
8097>b
;8=:?<1
82Oy?k
!+$)85;O9AW3=P1;I2;DT\ey
&8"'6! +!"*
89:9<=:?@ABCDEBGHIJKLMN
!/8F\=OkHZxXh
*:)8G9JVL]gZjqbouZfiFQR6A@,62$-(
8gnL0V,
)8;IZ1I[&>R&7P)9X
-%'9!&:
-9"0<$/8
(9%,<,2=3:?8@B/9<
9#4W3Hq@W
.# %"'$96+(
9?''6/.>22D+-?(*<&)8%'3!#-
!(9>6LU2NW1OW.MT'EP)FR)FT"?M>NT;KS6GQ4DP1AN9GU"/=
 9-BY<Xl6UvU~
<--~9d
9@!=D%BIHSc<IY3?Q
!,>9E\IUnWc|dq
"9)IrS
<(-~9l
 ,$+<%-A
:A%#7(&:+*?11H+-C+.A),;$(4 $1
;A%BI3=O2>P.9M+6K
%A&Bj8Y
*? *A$-C.5J/6I(-<"#/$$.$#*$"''"&'"&)"''!& !%
;A'CJ!+=#/A
add_ResourceResolve
%,+AJ-IR(HP$FP(JU$ER!BOOfmNdmH^gDXcBS`Ucq^jw$-9
AppDomain
ASrM]wx
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyName
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
Attribute
AttributeTargets
AttributeUsageAttribute
ayoYyrGa]0BD,CI#<E'<D
B2P	F( 
BabelAttribute
;B,)B-*C+*C+,F+.H+/G.2F'+=$*7
BinaryReader
BOLagI^eFYcBU_CS^ZfsS\g
bomO\WANF8E>2@8
Boolean
'Bp,Ek?VtQh
B.rsrc
.B,>SZm
Buffer
bvuPedBTU
"C3Qy;f
,C)4L'0G ';
(C5W|Hw
cb631b2918c448648dff8656f7131995
.cctor
%-)CI-LT*JV%IU'JW$GR!DOM`gI[cDW`@Q]@NZ^hs5<G
c-iy6m
c-*&"jT[AlMJOLA^S
cmgCMK+5:'09
{cmrmt
CMVS[djnyuy
cmzScvUm
CompilationRelaxationsAttribute
CompressionMode
Concat
ContainsKey
_CorExeMain
|c|qZysBZZ.?D+CI&AG'=C
crx]ltKXc,4@
CryptoStream
CryptoStreamMode
,$*;=CWGNaY_s`fyis
CX}D\{D^
%D0DY=S_
D45C3A1CBF9FD98543A764BCC3006A9E98C536F1
DateTime
@[&@]/Dd.Kk0UxMv
DebuggableAttribute
DebuggingModes
DeflateStream
DESCryptoServiceProvider
!(;D-FQ+IQ'GM$DK'FO&CO
,)@d?g
Dictionary`2
Dispose
DPU'48%23&57"38
duw'0:
%E|&0n?2wUA
&@e$5Z1Il"EiKt
E9}0*i02h:Gp>TrHe}Gd{AWo/@V
eDwkyQw4
eEf(fkC&/
'Ek!8Z;Vw(LqKt
';(>\El
elu.5=#-2&49&8>!7=
emhNTY^anilzry
Encoding
Environment
+E+PqG{
e`QaWd
Evidence
'Ev&Ky'Y
Exception
eyyQgj0HN
F3V!4e
(>$.F!(A"'=#&9$&:#&8
)|F<cn
FF$\jHE
FGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}
F[j3BR *?
fkeNRU`amop~qt
FR"MYcko[eiR_eL\bFU^&0:
F>`uG/;~L
~f{xYpmAYV"96
fz~Ofl.GP
(? .G3@X*3G#'6
GetBytes
get_CurrentDomain
GetData
get_Default
get_EntryPoint
get_Evidence
GetExecutingAssembly
get_Length
GetLength
GetManifestResourceNames
GetManifestResourceStream
get_Name
get_Now
GetObject
GetParameters
get_TickCount
GetTypeFromHandle
gE	#y!
gnq278!%%03A!"0$$3
GT"P[emn\fiS`eM^dHXa)5?
#Gu)Fw S
gyxEV]-<I
'H5OyP~
(H'6^*<j1Ct6Gw6Et8LyOo
Hashtable
HFX45?WXb~}
 .:H\F]yIf
.H&>_Hi
-Hk"7\
^hl4@B'32-::*8<
hl8jger
HOQX]f^coafrmq|jmxafnR[\3==4?>$.-nr
`hq_fmlqywz
hrtYdkS]g]fp_gqV]hgnwfprAJK(21
~hrvnw
Icj,DL
ICryptoTransform
IDisposable
,iKohz
!)*@I.KS*JT#GQ'JV#FS
InitializeArray
Intern
IntPtr
Invoke
itnR[`]bpin|js|nx
>IU+2<%+<#(C&.Q(2W&1Q&0H*1B-0@!$3
|izs?OP&4= *;#+<
<JDV^?R[;MY6HV6HXEUg6EW
jj{RT`DDOpoy
jqxajp.9B!,7"/6!07
JW"P\hqo`jiVceO_dK^d4CJ
jyvYibQc]H\U+@9
/K0MoKq
#:k"4h%2i*4j3=o?LwASyBXxC[z7Nm":X/AV+<G
)K5LvLg
K9jIpS
KesBZj1B["+G
:KhQbzr
)?K^H\wD_
$K{(Hx1Kw5KpF\vWl
\kjSad?LR(3;,;B*=A(>C%:A
kP|RHu
krwhmutx
]k{Ucu7DO)5;!-2
?KYu->/N
[l}4<K(+8
LMOP\D
_lncnuLU^+4<*5;(9<$7< 5<
lnvrsvrr~~rr
lp{`akwv
`l~V^p;?S/2G24D##,
lypU^d`gupu
LZlDQgCQhBTi2DV"4@#39/:?-7>
#m3DZ#?
<)M'|}^C^s
MdO6;B
&md.vy
MemoryStream
MethodBase
MethodInfo
Mfp3MX
`m|HSb(2>'1<"/:.;J5@T27M*-C %3"'2'*2'(/)(0%%/)+9*/?19M9E\BMdQ[r^h|ku
M_~L[t.<O
mn*rvv
<Module>
Monitor
mscoree.dll
mscorlib
nc`ebg
nc`ebgdyvkhmjoLa~
nEx?<T
Nf~Um|Tk|Td
N[j5?J*2>(/=
N^mBS^>LT8AJ*2;$0>7JbYu
nnrrvvrr~~r
nnrrvvrr~~rrvvrrnn
NOQ,*+#&3 ".
,Ns%?\C\y.MqPv
:NU9GEM]Rbqfawq]|z5PU0FN*GM(GL)AG$;C%>F&@K(CO
^nyAPYLZf<GT
 oAbjNo
oarWGTYK9Zh
ObfuscationAttribute
Object
@OeTbuky
Ofn0IS
"@&O{L
#.;O=LfKYuZf
op_GreaterThan
oq%}Pq
os|iovU\`.662<<0;=&26EKV+/:
-Ov-GfG`~5Rv]
oyd#h%/%w
^_pabsdefgxij{lmnopqbstuvwxyz{|}
ParameterInfo
Pis6Q\
PQRQTUVWXYY[
p|u^gnkq
pv}<EJ",5
pX]OGCAFVbm
]/&q:(
:q#8x+G
QC51vx
Qd`ASR?OT1@H2CK-CH'@E";B
Qiy9M]3DSBP]TbiartbsrQff0EK
}+Q) K9s
(!q%#k#%c.5dIVvSezI\qDWt=Nt<Ns9Jk5D_'4I
|qnqo\fjRbk
Qnw2KY
*Q:v_YaC
(@&<^R|
?R_!6=
Random
rav5M28R?9i
Rcv'6F.<J"-;
|r`deYfm
rd}r[zu>VY.AH)CI'CH'?D
ReadByte
ReleaseAllResources
`.reloc
ResolveEventArgs
ResolveEventHandler
ResourceManager
{$}R}l
;RO`[W
RuntimeCompatibilityAttribute
RuntimeFieldHandle
RuntimeHelpers
RuntimeTypeHandle
rwpHLN^`jln{jkxkmxqs}aek=ED5==4>?)45]co,/<
rywo`fgUbi
rZi\NJCB9=EYhv
S"_dl@
SetData
set_Item
sjcRU[R`n
sj|md{q]|y7QV2FN*EL&CH'?D
Slw5MY
Stream
String
#Strings
=Su4KtMm
SuppressIldasmAttribute
SymmetricAlgorithm
System
System.Collections
System.Collections.Generic
System.Diagnostics
System.IO
System.IO.Compression
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Security.Cryptography
System.Security.Policy
System.Text
System.Threading
!This program cannot be run in DOS mode.
T`l9BM*2@(0C,6O1<Y-8T*2J#)<$)9+/="$0!"-##/+-;-2E;BWDPdHXiS`sal
ToArray
ToCharArray
Tow8T^
-Ty&Ll(Ha
)Tz'Ji$AV
=|'u0?
*-%;!|u?$7
UgjCWX6LJ2EE"16	
UInt16
#V$0W6IgH`wHaxAUr7Id!0G
v2.0.50727
v2f,_Hj
,V#7hC`
ValueType
@V~AWyBZvC[w?Ut9Ik2;\
Vdw=K^LZldt
Vel?KR
Version
#V{"Kh
vuw'"#
Vv=`'_?
vv~rnn
-(=W7VvEp
Wc`.3814>(+4 #)
Wpr:SU
Wqz9T^
WrapNonExceptionThrows
Wry9U^
WVVQYI@
wz6u\Ex
)XBK3/
?Xz.Cd!0N
X]Z_\Q
(=":YCp
YfnOZcKT]]coov
(Y|&Hf
<yMjxY7F
{ysy{y
ytJclbol5~spwrwt
{ytT\bRcq
yWne]xrQge3EJ/EL(BJ'?G
[\]Z_\Q
Z/v9UF#
z?VNLb^Seh2CJ3FO+CI&AG <C
ZVWFEXCZCL"
z	%wDdA
zzvn]ceXfp