Analysis Date: 2014-04-23 10:28:33
MD5: a8fe0473295cbbf30ec482c194942391
SHA1: 9698c22c410d6fb0271ae0acfd5dec1987f12faa

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit Mono/.Net assembly
Section .text: md5: 90d47db8190e6be7ba5e46afc321429b sha1: 2f4e670911fa052b6a9a3906ca3ea617dc9d341c size: 5120
Section .rsrc: md5: e06800731f494aff59283d2c551759d0 sha1: 4ddf659150d2ab2c32f6594c7b27ff8f769fb314 size: 1536
Section .reloc: md5: 4761e3e029c209e18b7ee1dcf7c9f673 sha1: faae765a4f2dfdf21d72af32a4f6f14100ff1c52 size: 512
Timestamp: 2014-03-26 12:13:42
Pdb path: c:\Users\Salim_2\Desktop\Patch\obj\Debug\Google.pdb
Version: LegalCopyright: Google
Assembly Version: 5432.839.839.839
InternalName: Google.exe
FileVersion: 5432.839.839.839
CompanyName: Google
LegalTrademarks: Google
Comments: Google
ProductName: Google
ProductVersion: 5432.839.839.839
FileDescription: Google
OriginalFilename: Google.exe
Packer: Microsoft Visual C# v7.0 / Basic .NET
PEhash: 94f23ca7e6e87aa9a8166eb4120db5dca1393f2e
IMPhash: f34d5f2d4577ed6d9ceec516c1f5a744
AV: mcafee: RDN/Generic Downloader.x!kb

Runtime Details:


Process
↳ C:\malware.exe

Creates File: PIPE\ROUTER
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates Mutex: Global\.net clr networking
Creates Mutex: Global\CLR_RESERVED_MUTEX_NAME
Starts Service: RASMAN

Process
↳ Pid 800

Process
↳ Pid 848

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: PIPE\wkssvc
Creates File: WANARP
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: NDISWAN
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log
Creates Mutex: Global\RAS_MO_01
Creates Mutex: RAS_MO_02

Process
↳ Pid 1104

Process
↳ Pid 1208

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: WMIDataDevice

Process
↳ Pid 1856

Process
↳ Pid 1164

Network Details:
(goo.gl is a public URL shortener, so the 62.253.3.x addresses resolved below are likely shared shortener infrastructure rather than attacker-controlled hosts; the shortened URL http://goo.gl/uAL0xR listed under Strings is the more specific indicator to track.)

DNS: goo.gl
Type: A
62.253.3.99
DNS: goo.gl
Type: A
62.253.3.118
DNS: goo.gl
Type: A
62.253.3.109
DNS: goo.gl
Type: A
62.253.3.114
DNS: goo.gl
Type: A
62.253.3.123
DNS: goo.gl
Type: A
62.253.3.84
DNS: goo.gl
Type: A
62.253.3.113
DNS: goo.gl
Type: A
62.253.3.104
DNS: goo.gl
Type: A
62.253.3.119
DNS: goo.gl
Type: A
62.253.3.88
DNS: goo.gl
Type: A
62.253.3.89
DNS: goo.gl
Type: A
62.253.3.93
DNS: goo.gl
Type: A
62.253.3.103
DNS: goo.gl
Type: A
62.253.3.94
DNS: goo.gl
Type: A
62.253.3.98
DNS: goo.gl
Type: A
62.253.3.108
Flows TCP: 192.168.1.1:1031 ➝ 62.253.3.99:80


Strings
000004b0
5432.839.839.839
Assembly Version
Comments
CompanyName
CryptDEV
FileDescription
FileVersion
Google
Google.exe
Google.Properties.Resources
http://goo.gl/uAL0xR
InternalName
LegalCopyright
LegalTrademarks
OriginalFilename
ProductName
ProductVersion
StringFileInfo
Translation
VarFileInfo
VS_VERSION_INFO
11.0.0.0
3System.Resources.Tools.StronglyTypedResourceBuilder
4.0.0.0
5432.839.839.839
AppDomain
ApplicationSettingsBase
</assembly>
Assembly
AssemblyCompanyAttribute
AssemblyConfigurationAttribute
AssemblyCopyrightAttribute
AssemblyCultureAttribute
AssemblyDescriptionAttribute
AssemblyFileVersionAttribute
  <assemblyIdentity version="1.0.0.0" name="MyApplication.app"/>
AssemblyProductAttribute
AssemblyTitleAttribute
AssemblyTrademarkAttribute
AssemblyVersionAttribute
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
.cctor
CompilationRelaxationsAttribute
CompilerGeneratedAttribute
ComVisibleAttribute
Convert
_CorExeMain
Culture
CultureInfo
c:\Users\Salim_2\Desktop\Patch\obj\Debug\Google.pdb
DebuggableAttribute
DebuggerNonUserCodeAttribute
DebuggingModes
Default
defaultInstance
DownloadString
EditorBrowsableAttribute
EditorBrowsableState
Encoding
$FA8BD839-4FCB-4287-A44E-745E7238662E
FromBase64String
GeneratedCodeAttribute
get_ASCII
get_Assembly
GetBytes
get_Culture
get_CurrentDomain
get_Default
get_EntryPoint
get_Length
GetParameters
get_ResourceManager
GetTypeFromHandle
Google
Google.exe
Google.Properties
Google.Properties.Resources.resources
GuidAttribute
Invoke
KMicrosoft.VisualStudio.Editors.SettingsDesigner.SettingsSingleFileGenerator
lSystem.Resources.ResourceReader, mscorlib, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089#System.Resources.RuntimeResourceSet
MethodBase
MethodInfo
<Module>
mscoree.dll
mscorlib
NeutralResourcesLanguageAttribute
Object
PADPADP
ParameterInfo
Patch.Properties
Program
ReferenceEquals
@.reloc
        <requestedExecutionLevel level="asInvoker" uiAccess="false"/>
      </requestedPrivileges>
      <requestedPrivileges xmlns="urn:schemas-microsoft-com:asm.v3">
Resize
resourceCulture
resourceMan
ResourceManager
Resources
`.rsrc
RuntimeCompatibilityAttribute
RuntimeTypeHandle
    </security>
    <security>
set_Culture
Settings
SettingsBase
STAThreadAttribute
String
#Strings
Synchronized
System
System.CodeDom.Compiler
System.ComponentModel
System.Configuration
System.Diagnostics
System.Globalization
System.Net
System.Reflection
System.Resources
System.Runtime.CompilerServices
System.Runtime.InteropServices
System.Text
!This program cannot be run in DOS mode.
ToByte
ToInt32
  </trustInfo>
  <trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
v2.0.50727
WebClient
WrapNonExceptionThrows
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>