Analysis Date | 2014-10-14 11:34:03 |
---|---|
MD5 | 1b95d0997f05a069384a7f3f5a5d1df8 |
SHA1 | 03f60bc59331dc665cd5117703465309bcb0d392 |
Static Details:
Runtime Details:
Process
↳ C:\malware.exe
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Socket Resource Trap DCOM Identity Offline ➝ C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe |
---|---|
Creates File | C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe |
Creates Process | C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe |
Process
↳ C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe
Creates File | C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xnkfqny.exe |
---|---|
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.en |
Creates Process | WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe" |
Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ihvkmyx\xtpogsjodw.exe"
Network Details:
Raw Pcap
Strings