Analysis Date: 2014-01-18 16:16:28
MD5: c83e67ae048bc512806fc150ac820766
SHA1: 4ac65e90306d9a3cf07867e5d0fe43dbb7193c49

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 20b8c10479f81021b9e06aa01caec501 sha1: da401c41b8432df87231b5db30d001de548354c1 size: 28672
Section .rsrc: md5: d797579b9eee5600db71b6ae81720445 sha1: f355d9a129e5fcb11e505a150a4636882822f3dd size: 4096
Section .reloc: md5: 9a006b35f9efc021734a0883f1a73550 sha1: 651729e36d19f6ca57b21e3fe65f7c2ca002c319 size: 4096
Timestamp: 2013-12-25 18:18:53
Pdb path: c:\Users\عبدالكريم\Desktop\google chrome.pdb
Version:
LegalCopyright: Copyright by Microsoft 2012
Assembly Version: 4.2.4.5
InternalName: google chrome.exe
FileVersion: 4.1.5.0
CompanyName: Microsoft Corporation
LegalTrademarks: All Rights reserved!
Comments: Windows Messenger
ProductName: Live Messenger
ProductVersion: 4.1.5.0
FileDescription: Windows Live Messenger
OriginalFilename: google chrome.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 7d853164ad623029b8ef7ba4b306c81d6e398d94
AV avg: MSIL.CMXD
AV mcafee: RDN/Generic PWS.y!wy
AV avira: TR/Keylogger.AY

Runtime Details:

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\google chrome ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\google chrome.exe\\x00
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\google chrome.exe
Creates File: C:\Documents and Settings\All Users\SERVER.EXE
Creates Process: "C:\Documents and Settings\All Users\SERVER.EXE"
Creates Mutex: 06bc523ff4e476b7156c213a8ba3f65c

Process
↳ "C:\Documents and Settings\All Users\SERVER.EXE"

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\google chrome ➝
C:\Documents and Settings\Administrator\Local Settings\Application Data\google chrome.exe\\x00
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\06bc523ff4e476b7156c213a8ba3f65c ➝
"C:\Documents and Settings\All Users\SERVER.EXE" ..\\x00
Registry: HKEY_CURRENT_USER\Environment\SEE_MASK_NOZONECHECKS ➝
1\\x00
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Process: dw20.exe -x -s 284
Creates Process: netsh firewall add allowedprogram "C:\Documents and Settings\All Users\SERVER.EXE" "SERVER.EXE" ENABLE
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Creates Mutex: 06bc523ff4e476b7156c213a8ba3f65c
Winsock DNS: admininmyself.no-ip.biz

Process
↳ dw20.exe -x -s 284

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\188B3.dmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\dw.log

Process
↳ netsh firewall add allowedprogram "C:\Documents and Settings\All Users\SERVER.EXE" "SERVER.EXE" ENABLE

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Tracing\FWCFG\EnableFileTracing ➝
NULL
Creates File: PIPE\lsarpc

Network Details:

DNS: admininmyself.no-ip.biz
Type: A
84.238.225.14
Flows TCP: 192.168.1.1:1031 ➝ 84.238.225.14:81

Strings
000004b0
4.1.5.
4.2.4.5
95xTmUVrCM1LC4u30Ki
All Rights reserved!
Assembly Version
Comments
CompanyName
Copyright by Microsoft 2012
FileDescription
FileVersion
google chrome
\google chrome.exe
google chrome.exe
InternalName
LegalCopyright
LegalTrademarks
Live Messenger
Microsoft Corporation
nuR\noisreVtnerruC\swodniW\tfosorciM\erawtfoS
OriginalFilename
ProductName
ProductVersion
R3gzFADBJ60DEZkYagqGPoSKFpXld2iiGGHQvlyHB0kZ4hVgyL8OVefDlF
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
Windows Live Messenger
Windows Messenger
Y!!Y!)Y!1Y!9Y!AY!IY!QY&aY,iY
+]'1D=
4.1.5.
_68o$U
7,"(?l
8FE]\s
9".BD3#
All Rights reserved!
-.AN'Q
Application
Assembly
AssemblyCompanyAttribute
AssemblyCopyrightAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AssemblyVersionAttribute
,ATC]~
b(1&q;
B;j]Y30
bqMjQo
CaptainBri
<cM.W5
CompilationRelaxationsAttribute
Concat
Copyright by Microsoft 2012
_CorExeMain
cSd<kl]WI
CurrentUser
c:\Users\
d:BNtU
DebuggableAttribute
DebuggingModes
\Desktop\google chrome.pdb
DTRlQz
Encoding
Environment
Exists
}F2%|So^
GetBytes
get_Default
get_EntryPoint
get_ExecutablePath
GetExecutingAssembly
GetFolderPath
GetLength
GetObject
GetParameters
get_TickCount
} ghk0o
google chrome
google chrome.exe
gV9jdh
hq[P?^
i+2@,CXL
 	iBqj
Invoke
=~j,_(.6
JG-f/,
KtY}{Ew
L8	aU1
Live Messenger
LjLw&}&.
lr])63
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
MbL_cJ
MethodBase
MethodInfo
Microsoft Corporation
Microsoft.Win32
<Module>
mscoree.dll
mscorlib
'n#>||
nP1OVA)k
?O^4cp
Object
OpenSubKey
 |p{^*
p0xncw
'p\4(3
PADPADP)xEB
ParameterInfo
Pnt@:@
P:RO&2#
QAhCq(H
qWikb7q
Random
RC4EncryptDecrypt
Registry
RegistryKey
ReleaseAllResources
@.reloc
ResourceManager
res.resources
Reverse
`.rsrc
RuntimeCompatibilityAttribute
SetValue
SpecialFolder
String
#Strings
s}wAx'
System
System.Diagnostics
System.IO
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Text
System.Windows.Forms
!This program cannot be run in DOS mode.
t)"J3lj
ToCharArray
tq>yAG
uj,d5~,b
v2.0.50727
|:VZ>"1
}(W*0|A
Windows Live Messenger
Windows Messenger
WrapNonExceptionThrows
W~S-xz~
Y:BMXQ
yErVd+G
ykaEO_
z4}c/H