Analysis Date: 2015-05-12 22:53:16

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 66e0c0f05fb0553b7b7ed850305f28a6  sha1: 69c03aed4edd6027e6b022ed1fb3d410c31709cc  size: 303616
Section .rdata  md5: 5f47dba442f17754d0357e99dd0a9903  sha1: e25528fd04b2bb2331b4723264ddadb6cdfc59f8  size: 36352
Section (name not captured)  md5: ff1f111f98f9f5d2609c82a81a263a66  sha1: 8c819c1b53319d51037eac2b019f1bd0007b5a29  size: 95744
Timestamp: 2015-01-29 09:45:50 (link timestamp from the PE header; it is written by the linker and trivially forged, so treat it as a hint, not evidence)
Packer: Microsoft Visual C++ ?.? (a compiler signature match rather than a packer; the MSVC runtime and RTTI strings listed further down are consistent with an unpacked MSVC build)
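How the file-type line, the link timestamp and the per-section md5/sha1/size values above are derived, as an added example that is not part of the report or of any tool named on it: a dependency-free Python parser of the PE headers. The image it builds in build_sample_pe() is constructed for the demo (its default timestamp is the report's 2015-01-29 09:45:50, taken as UTC); run parse_pe() on the real file's bytes to reproduce the listed values.

```python
import hashlib
import struct
from datetime import datetime, timezone

# Added example, not the sandbox's code: minimal PE32/PE32+ header walk that
# reproduces the "Static Details" fields. build_sample_pe() is a constructed,
# non-runnable stand-in for the analysed file.

IMAGE_FILE_MACHINE_I386 = 0x14C
IMAGE_FILE_MACHINE_AMD64 = 0x8664
COFF_HEADER = "<HHIIIHH"         # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols, SizeOfOptionalHeader, Characteristics
SECTION_HEADER = "<8sIIIIIIHHI"  # Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, reloc/linenum ptrs+counts, Characteristics
SUBSYSTEM_NAMES = {2: "GUI", 3: "console"}


def hash_blob(raw: bytes) -> tuple:
    """md5 and sha1 hex digests, the two hashes the report lists per section."""
    return hashlib.md5(raw).hexdigest(), hashlib.sha1(raw).hexdigest()


def parse_pe(data: bytes) -> dict:
    """DOS header -> PE signature -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff_off = e_lfanew + 4
    machine, nsections, timestamp, _, _, opt_size, _ = struct.unpack_from(COFF_HEADER, data, coff_off)
    opt_off = coff_off + struct.calcsize(COFF_HEADER)
    # Magic (0x10b = PE32, 0x20b = PE32+) is the first optional-header word; Subsystem sits at +68 in both layouts.
    magic = struct.unpack_from("<H", data, opt_off)[0] if opt_size >= 2 else 0
    subsystem = struct.unpack_from("<H", data, opt_off + 68)[0] if opt_size >= 70 else 0
    fmt = {0x10B: "PE32", 0x20B: "PE32+"}.get(magic, "PE?")
    arch = {IMAGE_FILE_MACHINE_I386: "Intel 80386 32-bit", IMAGE_FILE_MACHINE_AMD64: "x86-64"}.get(machine, f"machine 0x{machine:x}")
    file_type = f"{fmt} executable for MS Windows ({SUBSYSTEM_NAMES.get(subsystem, subsystem)}) {arch}"

    sections = []
    sect_off = opt_off + opt_size
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr, *_rest = struct.unpack_from(SECTION_HEADER, data, sect_off + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]  # on-disk bytes; SizeOfRawData is the "size" the report prints
        md5, sha1 = hash_blob(raw)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "size": len(raw), "md5": md5, "sha1": sha1})

    return {
        "file_type": file_type,
        # TimeDateStamp is seconds since the Unix epoch as written by the linker (easily forged).
        "timestamp": datetime.fromtimestamp(timestamp, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "sections": sections,
    }


def build_sample_pe(timestamp: int = 1422524750) -> bytes:
    """Constructed demo input: a tiny PE32 image with .text and .rdata (default timestamp = 2015-01-29 09:45:50 UTC)."""
    file_align = 0x200
    sections = [(b".text", b"\x90" * 0x300, 0x60000020), (b".rdata", b"example string\0" * 8, 0x40000040)]
    opt = bytearray(224)                       # PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)      # Magic: PE32
    struct.pack_into("<H", opt, 68, 2)         # Subsystem: Windows GUI
    headers_end = 0x40 + 4 + struct.calcsize(COFF_HEADER) + len(opt) + 40 * len(sections)
    first_raw_ptr = (headers_end + file_align - 1) // file_align * file_align
    table, blobs, raw_ptr, va = b"", [], first_raw_ptr, 0x1000
    for name, payload, flags in sections:
        raw_size = (len(payload) + file_align - 1) // file_align * file_align
        table += struct.pack(SECTION_HEADER, name.ljust(8, b"\0"), len(payload), va, raw_size, raw_ptr, 0, 0, 0, 0, flags)
        blobs.append(payload.ljust(raw_size, b"\0"))
        raw_ptr, va = raw_ptr + raw_size, va + 0x1000
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)  # e_lfanew at 0x3C points at the PE signature
    coff = struct.pack(COFF_HEADER, IMAGE_FILE_MACHINE_I386, len(sections), timestamp, 0, 0, len(opt), 0x0102)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + table).ljust(first_raw_ptr, b"\0")
    return headers + b"".join(blobs)


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print(info["file_type"], info["timestamp"])
    for s in info["sections"]:
        print(f"Section {s['name']} md5: {s['md5']} sha1: {s['sha1']} size: {s['size']}")
```

Hashing the on-disk section bytes (SizeOfRawData, not VirtualSize) is what makes the .text hash a stable pivot across samples whose other sections differ; a packer that rewrites .text breaks that pivot, which is why the "Packer" line is worth reading before trusting section hashes.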

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Controls Secondary Power Notification Launcher ➝ C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe (user-level autorun persistence; the value name imitates a Windows component and the target lives in the writable profile directory)
Creates File: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe (drop-and-execute of the copy it just wrote)

↳ C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.ygn
Creates File: \Device\Afd\Endpoint (AFD socket endpoint: the process opened a Winsock socket)
Creates File: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tollwejzq.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe" (relaunches its own image with a marker argument, which suggests a watchdog/guard process)

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe"
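The behaviours in the process tree above turned into triage logic, as an added example that is not the sandbox's own code: the report's events are embedded in a normalised `Kind: value` form, and the checks, thresholds and finding names are this example's own assumptions.

```python
import re

# Added example, not part of the sandbox report: flag Run-key persistence into
# the user profile, drop-and-execute, self-relaunch with a marker argument,
# socket creation and random-looking names. looks_random() is a crude
# heuristic chosen for this demo; tune it before relying on it.

REPORT_EVENTS = r"""
↳ C:\malware.exe
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Controls Secondary Power Notification Launcher ➝ C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe
↳ C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.ygn
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Application Data\dgyejulg\tollwejzq.exe
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe"
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\dgyejulg\tyvksnnktfij.exe"
"""

EVENT_RE = re.compile(r"^(Registry|Creates File|Creates Process):?\s*(.+)$")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)
PROFILE_DIR_RE = re.compile(r"\\(Application Data|AppData|Local Settings|Temp)\\", re.I)


def parse_tree(text):
    """Group events under the process (the '↳' line) that produced them, in report order."""
    procs, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("↳"):
            current = line[1:].strip()
            procs.setdefault(current, [])
        elif current is not None and (m := EVENT_RE.match(line)):
            procs[current].append((m.group(1), m.group(2).strip()))
    return procs


def image_path(cmdline):
    """Executable behind a command line: the quoted path if there is one, else the text up to the first .exe."""
    m = re.search(r'"([^"]+\.exe)"', cmdline, re.I) or re.match(r"(.+?\.exe)(?:\s|$)", cmdline, re.I)
    return m.group(1) if m else cmdline


def looks_random(token):
    """Generated-name heuristic: few vowels or a long consonant run."""
    letters = re.sub(r"[^a-z]", "", token.lower())
    if len(letters) < 6:
        return False
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    longest_run = max((len(run) for run in re.findall(r"[^aeiou]+", letters)), default=0)
    return vowel_ratio < 0.3 or longest_run >= 4


def triage(procs):
    """Return (finding, process, detail) triples with duplicates collapsed."""
    findings = []

    def add(*f):
        if f not in findings:
            findings.append(f)

    for proc, events in procs.items():
        image = image_path(proc)
        created = set()
        for kind, target in events:
            if kind == "Registry" and RUN_KEY_RE.search(target):
                key, _, value = target.partition("➝")
                if PROFILE_DIR_RE.search(value):  # autorun entry pointing into a user-writable directory
                    add("run_key_persistence", proc, f"{key.strip()} -> {value.strip()}")
            elif kind == "Creates File":
                if target.lower() == r"\device\afd\endpoint":  # AFD (Ancillary Function Driver) endpoint = Winsock socket
                    add("socket_open", proc, target)
                else:
                    created.add(target.lower())
            elif kind == "Creates Process":
                child = image_path(target)
                if child.lower() in created:  # wrote a file, then executed it
                    add("drop_and_execute", proc, child)
                if child.lower() == image.lower() and target.strip().lower() != image.lower():
                    add("self_respawn", proc, target)  # own image relaunched with a marker argument (guard pattern)
        tail = image.split("\\")[-2:]  # parent directory and file name
        if any(looks_random(part.rsplit(".", 1)[0]) for part in tail):
            add("random_name", proc, "\\".join(tail))
    return findings


if __name__ == "__main__":
    for finding in triage(parse_tree(REPORT_EVENTS)):
        print("%-20s %s" % (finding[0], finding[2]))
```

The same checks map onto live telemetry (Sysmon event 13 for the Run value, event 11 followed by event 1 for drop-and-execute, a parent and child sharing an image with differing command lines for the respawn), which is where a sandbox tree like this one earns its keep.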

Network Details:
DNS: 87 A-record queries (the queried names were not preserved in this copy of the report; the Host headers in the captured HTTP requests below name ten of the domains contacted)
Flows: TCP 192.168.1.1, source ports 1031 through 1040 ➝ (ten flows; destination addresses not captured)

Raw Pcap

All ten captured requests decode to the same HTTP/1.0 GET and differ only in the Host header: GET /index.php?email=saraz_diana@yahoo.com&method=post&len HTTP/1.0 with Accept: */*, Connection: close and no User-Agent. The query string carries an e-mail address and a len parameter with no value. Hosts, in order: betterdevice.net, flierbefore.net, nightspring.net, captainsuccess.net, electricspring.net, tradespring.net, streetsuccess.net, streetbanker.net, bettersuccess.net, quietsuccess.net; each is two concatenated dictionary words under .net.

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2062 65747465   ose..Host: bette
0x00000070 (00112)   72646576 6963652e 6e65740d 0a0d0a      rdevice.net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2066 6c696572   ose..Host: flier
0x00000070 (00112)   6265666f 72652e6e 65740d0a 0d0a0a      before.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206e 69676874   ose..Host: night
0x00000070 (00112)   73707269 6e672e6e 65740d0a 0d0a0a      spring.net.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2063 61707461   ose..Host: capta
0x00000070 (00112)   696e7375 63636573 732e6e65 740d0a0d   insuccess.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2065 6c656374   ose..Host: elect
0x00000070 (00112)   72696373 7072696e 672e6e65 740d0a0d   ricspring.net...
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2074 72616465   ose..Host: trade
0x00000070 (00112)   73707269 6e672e6e 65740d0a 0d0a0a0d   spring.net......
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 74726565   ose..Host: stree
0x00000070 (00112)   74737563 63657373 2e6e6574 0d0a0d0a   tsuccess.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2073 74726565   ose..Host: stree
0x00000070 (00112)   7462616e 6b65722e 6e65740d 0a0d0a0a   tbanker.net.....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2062 65747465   ose..Host: bette
0x00000070 (00112)   72737563 63657373 2e6e6574 0d0a0d0a   rsuccess.net....
0x00000080 (00128)   0a                                    .

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f   @yahoo.com&metho
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2071 75696574   ose..Host: quiet
0x00000070 (00112)   73756363 6573732e 6e65740d 0a0d0a0a   success.net.....
0x00000080 (00128)   0a                                    .
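Decoding the dumps above programmatically, as an added example that is not part of the report: three of the ten hexdumps are embedded verbatim as input (rows that lost their ASCII column included), rebuilt into bytes, parsed as HTTP and reduced to a beacon fingerprint. The thresholds in looks_like_beacon() are this example's own assumptions.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Added example, not the sandbox's code: hexdump rows -> bytes -> parsed HTTP
# request -> fingerprint of what stays constant across the contacted hosts.
# PCAP_DUMPS holds three of the report's ten dumps, copied as they appear.

PCAP_DUMPS = [
    """0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2062 65747465   ose..Host: bette
0x00000070 (00112)   72646576 6963652e 6e65740d 0a0d0a""",
    """0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a2066 6c696572   ose..Host: flier
0x00000070 (00112)   6265666f 72652e6e 65740d0a 0d0a0a""",
    """0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d736172 617a5f64 69616e61   mail=saraz_diana
0x00000020 (00032)   40796168 6f6f2e63 6f6d266d 6574686f
0x00000030 (00048)   643d706f 7374266c 656e2048 5454502f   d=post&len HTTP/
0x00000040 (00064)   312e300d 0a416363 6570743a 202a2f2a   1.0..Accept: */*
0x00000050 (00080)   0d0a436f 6e6e6563 74696f6e 3a20636c   ..Connection: cl
0x00000060 (00096)   6f73650d 0a486f73 743a206e 69676874   ose..Host: night
0x00000070 (00112)   73707269 6e672e6e 65740d0a 0d0a0a""",
]

ROW_RE = re.compile(r"^0x[0-9a-fA-F]{8}\s+\(\d+\)\s+(.*)$")
HEX_GROUP_RE = re.compile(r"^(?:[0-9a-fA-F]{2}){1,4}$")


def hexdump_to_bytes(dump):
    """Rebuild the payload from 'offset (decimal)  hex groups  ascii' rows; the ASCII column is never trusted."""
    out = bytearray()
    for row in dump.splitlines():
        m = ROW_RE.match(row.strip())
        if not m:
            continue
        for token in m.group(1).split()[:4]:  # at most four 32-bit groups per row; stop at the first non-hex token
            if not HEX_GROUP_RE.match(token):
                break
            out += bytes.fromhex(token)
    return bytes(out)


def parse_http_request(raw):
    """Split request line, headers and query string; keep_blank_values retains the valueless 'len'."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, version = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    url = urlsplit(target)
    return {"method": method, "version": version, "path": url.path,
            "query": parse_qs(url.query, keep_blank_values=True), "headers": headers,
            "host": headers.get("host", "")}


def beacon_fingerprint(requests):
    """What stays constant across the requests, and how many hosts they fan out to."""
    shape = Counter((r["method"], r["version"], r["path"], tuple(sorted(r["query"])),
                     r["headers"].get("connection", "").lower()) for r in requests)
    (method, version, path, params, connection), count = shape.most_common(1)[0]
    hosts = sorted({r["host"] for r in requests})
    return {"template": f"{method} {path}?{'&'.join(params)} {version}",
            "connection": connection, "hosts": hosts, "distinct_hosts": len(hosts),
            "identical_shape": count == len(requests),
            "user_agent_missing": all("user-agent" not in r["headers"] for r in requests)}


def looks_like_beacon(fp, min_hosts=3):
    """Assumed verdict rule: one request shape fanned out to several hosts, HTTP/1.0 with Connection: close, no User-Agent."""
    return (fp["identical_shape"] and fp["distinct_hosts"] >= min_hosts
            and fp["connection"] == "close" and fp["user_agent_missing"])


if __name__ == "__main__":
    requests = [parse_http_request(hexdump_to_bytes(d)) for d in PCAP_DUMPS]
    fp = beacon_fingerprint(requests)
    print(fp["template"], fp["hosts"], "beacon" if looks_like_beacon(fp) else "inconclusive")
```

The constant pieces of the template (the path, the parameter names in their fixed order, the absent User-Agent) are what belong in a network signature; the hostnames rotate and the e-mail value is per-victim, so neither makes a durable match.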

Strings:

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
dddd, MMMM dd, yyyy
`default constructor closure'
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
fhseffne dtnoohhmip pmjecnoeo ngpuylxa offwupnpu evuifsaaty obunvegd lgreo wjkoms ldrip pjq ldjifvpir udlzur llz xgootos mjla njif pyyo pmpui gvg wtpanmmuf bcf ptaotalkca ghxual jwv hzcuj dvjupemf jstinzn sbt gojwidjpa ildno dgiob bujnirvebu lngaxa rxmudpgoss ogdezovidy ldlumfhofe djququ rlyufdtau rla csfecjrum lamvuzzh lchua tbjitqzoix nduza zazqouke zeod lodcagcco qccugzobug zdli eur ibuudj avspimsj gvea nocyoh qcmaltace cibkipf rbc oeapri fzta bzbubdwe vbcofjpiv tfniposfib oggd dgzojflof edpcod aeqndumjcu lumw nqdiew fdmic tcvuyobz vrwozp mpcob iobt ddwud fswogondu zbsafbso ght gnsailpdog pmj ovsjelejih rbwowa opltefajmu gudr jdtamws vybavmvars ogjsapboqa dsyouy lluwikfto otro anjtucbeor rxbaglwij cyiri csbo bnyirlcu cexcu jpvamjeg hafu euffgu gndut fnowutplu abw rjelaca gutlodpti qgc fsc bnfiwcgo edclen sagoe bzte wdjazeq bsrovfhup flqonmzi dksedf ubrdakfe ltgefune lml mgraybpoj tpogib isbnimrg kqsudmuf zrl iumezgo chkupm dtxaxfiiuu bvgemmy jro cnpal ludcefgg ote iefif zske ocrnadod lbxoozuhde gcjimqveds lms fsvegzmae vmz bmrij dcl bitfurpsed emwemop iot zcfaieenjw sbiiutafif gcurej jrnoau sgdomuicz eaot dfca cmjatlroid zdcuo nczesiluu yetiquf lipboe ldtoducn doldu tgl sfcatfgem onsqirjhuf fdlexesid cjzugbjo cmhouqsni pagobucuec djgip jsozofdsu vhea rcabaphk mxbofjnos nrraoqgv bmujudlfop abd tdmajglad raabs ilbdizj daak uqnbo znha rpnaocssu pxzo btyidbna degruzqmiv bspojs ndd
- floating point support not loaded
invalid string position
j hxiE
j@j ^V
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
R(X	]b9
`scalar deleting destructor'
SING error
string too long
+t HHt
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
< tK<	tG
TLOSS error
t$<"u	3
 Type Descriptor'
`udt returning'
(. uI~'Z
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
x% |}^
