Analysis Date: 2015-05-12 20:26:45

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: bc736649a0b8efe1006913bdcc2383ae  sha1: b28c1247e1d8d065321c5d7cccec9540a369b68a  size: 302592
Section .rdata  md5: 3f9094fbeb95b5160c77a18897346769  sha1: 5136e11db72e383ff075f2028bd685bc7a13a3a1  size: 35840
Section (name lost in this export)  md5: 53646762a29c443bbc2e0f9cb17a0b0b  sha1: 103b72b986fc75a4febf5da0f8d549d29023885b  size: 103936
Timestamp (PE header compile time): 2014-10-30 09:46:22
Packer: Microsoft Visual C++ ?.? (the signature matches the MSVC compiler; the version could not be resolved)

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Web PC Auto-Discovery Intelligent Proxy ➝
C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe
(per-user Run-key persistence under a benign-sounding value name; the target sits in a random-looking folder under Application Data)
Creates File: C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe

↳ C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\mlzohepr\czeroibswtyt.exe
Creates File: \Device\Afd\Endpoint (an AFD socket endpoint: the process opened a Winsock socket, which precedes the DNS and HTTP traffic below)
Creates File: C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.zte
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe" (a second instance of the same image started with a WATCHDOGPROC argument; the name suggests a watchdog instance that keeps the first one running)

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe"
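
As an added example (not part of the sandbox report), the Python below turns the three behaviours in the process tree above into checks that can run over endpoint telemetry: a Run-key value pointing at an executable in a lowercase-only folder and file name directly under the user's Application Data directory, a file written and then executed by the same parent, and a second instance of the same image launched with a WATCHDOGPROC argument. The event records are constructed from the report's own lines; the field names, and the AppData\Roaming alternative for post-XP Windows, are the example's assumptions.

```python
import re

# Constructed from the sandbox lines above; a real feed (Sysmon, EDR) carries the same
# facts under its own field names, so map them before calling triage().
EVENTS = [
    {"type": "registry", "process": r"C:\malware.exe",
     "key": r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Web PC Auto-Discovery Intelligent Proxy",
     "data": r"C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe"},
    {"type": "file", "process": r"C:\malware.exe",
     "path": r"C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe"},
    {"type": "process", "process": r"C:\malware.exe",
     "cmdline": r"C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe"},
    {"type": "process",
     "process": r"C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe",
     "cmdline": r'WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\mlzohepr\fbkofpeznpqi.exe"'},
]

# An .exe one folder deep under the per-user Application Data directory (XP layout) or
# AppData\Roaming (assumed equivalent on later Windows), with folder and file names made
# of lowercase letters only, as mlzohepr\fbkofpeznpqi.exe is. Case-insensitivity is
# scoped to the fixed parts so that a mixed-case vendor name does not match.
APPDATA_RANDOM_EXE = re.compile(
    r"\\(?i:Application Data|AppData\\Roaming)\\[a-z]+\\[a-z]+\.(?i:exe)$")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.IGNORECASE)
WATCHDOG = re.compile(r'^WATCHDOGPROC\s+"?([^"]+?)"?\s*$')


def is_appdata_random_exe(path):
    return bool(APPDATA_RANDOM_EXE.search(path))


def is_self_watchdog(image, cmdline):
    """True when a process launches its own image again with the WATCHDOGPROC argument."""
    m = WATCHDOG.match(cmdline)
    return bool(m) and m.group(1).lower() == image.lower()


def triage(events):
    """Return (finding, detail...) tuples for the persistence and relaunch patterns above."""
    findings = []
    dropped = set()  # executables written earlier in the same event stream
    for ev in events:
        if ev["type"] == "registry":
            if RUN_KEY.search(ev["key"]) and is_appdata_random_exe(ev["data"]):
                findings.append(("run_key_to_appdata", ev["value"], ev["data"]))
        elif ev["type"] == "file":
            if ev["path"].lower().endswith(".exe"):
                dropped.add(ev["path"].lower())
        elif ev["type"] == "process":
            # The sandbox shows the bare path as the command line of the first launch;
            # a real feed would need the image path parsed out of the command line.
            if ev["cmdline"].strip('"').lower() in dropped:
                findings.append(("dropped_then_executed", ev["cmdline"]))
            if is_self_watchdog(ev["process"], ev["cmdline"]):
                findings.append(("self_watchdog", ev["process"]))
    return findings


if __name__ == "__main__":
    for finding in triage(EVENTS):
        print(*finding)
```

Each of the three checks is weak on its own (a Run key under Application Data is common for legitimate per-user installers), but the combination seen here, the drop-and-run plus the self-relaunch from the same randomly named folder, is the signal worth alerting on.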

Network Details:

DNS: 85 queries, all of record type A (the queried names are not preserved in this export).
Flows: 11 TCP connections from 192.168.1.1, one per source port from 1031 through 1041 (destination addresses and ports are not preserved in this export); they correspond to the 11 HTTP requests in the Raw Pcap section below.

Raw Pcap

All 11 flows carry the same HTTP/1.0 request; only the Host header differs. The first dump, with the ASCII column restored on the lines where the export dropped it:

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d62616c 6162616e 34304079   mail=balaban40@y
0x00000020 (00032)   61686f6f 2e636f6d 266d6574 686f643d   ahoo.com&method=
0x00000030 (00048)   706f7374 266c656e 20485454 502f312e   post&len HTTP/1.
0x00000040 (00064)   300d0a41 63636570 743a202a 2f2a0d0a   0..Accept: */*..
0x00000050 (00080)   436f6e6e 65637469 6f6e3a20 636c6f73   Connection: clos
0x00000060 (00096)   650d0a48 6f73743a 20656c65 63747269   e..Host: electri
0x00000070 (00112)   63646576 6963652e 6e65740d 0a0d0a     cdevice.net....

Decoded:

GET /index.php?email=balaban40@yahoo.com&method=post&len HTTP/1.0
Accept: */*
Connection: close
Host: electricdevice.net

Host headers observed, in capture order (the other ten dumps are identical to the first apart from the Host value and the length that follows from it):
electricdevice.net, tradesettle.net, streetdevice.net, betterdevice.net, flierbefore.net, nightspring.net, captainsuccess.net, electricspring.net, tradespring.net, streetsuccess.net, streetbanker.net

Points worth noting for detection: the request is HTTP/1.0 with Connection: close and no User-Agent header; the email parameter carries the same fixed value in every request; len is sent with no value; and all eleven host names share one construction, two English words joined under .net. In several dumps a few bytes (0a0d0a or 0d0a) appear after the terminating CRLF CRLF; they lie past the end of the request and are not part of it.

Strings:

Apart from the standard Microsoft Visual C++ runtime messages and C++ name-demangling fragments, the binary embeds several long runs of pronounceable but meaningless pseudo-words (filler text, kept below as extracted).

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
 Base Class Array'
|Cxonmugkvu bvcabg bdlib bphadapcu ugbsalaqn fapnoopwga jfjurgau zuhvuyvmou oubaw pdp gorza cpuj rsbi kpinos rgn japbeldnuj cjyog vysessio fnwo ebljentv ogc htegupemce rlbasonse fpme tdlolagpio oofo miqzaqd bnsiqadduv ygjinls ndfi vaxf fhig nbp sngafc ggg velavepjr ajcv polcaojd elvopolema arppihzre cygiuzgbi wupiza etubiadue utlu ncfa ovgbeeklm cvmi nnpefjt jcyuhn llnosyfet dqwogvro jfge inph tlni uarjpup fed ngmuh egl reh lezya gzv pbcadua nep lmeipue rocserr tfsiltgimm jmbefbgi jnfokjm umpc olzsamoaye cvsedfdiu ufugcaiuo jspafol batsucpa gpkosidje pargol cjli aempzahgo fnutiwzdub gqsa dhubanmo affna tdcumb suner zyaioru dnridpmoln ngduma nnd oiw lbm sdsiftyanl jaqru sjemasct hrvih pqded bxn okn vcqemxdo aevxgoz mmmuvbt pyjeufv lvkungd gtaz cce ysxugeach bcdobvoul dbxawdm putcevec doaba lntimffo aoujlnugd lfm rdzovk ogf bdd pnsaimijba llwilgg ncneoit ibpcuzzdu bicpi gvpouocjc bllopdguu wotpavesj nlbolol gbaedu hzub secafiwmda gfc ljbozag gln ndkallf ouppgof rvriu ecuubyofx vnnodwkam ujiuimziu rsmobdkav nfsaoc rfm ygte isbdaffu nic frzajpnotm tzlao jhhuyipmu lhsiadp bugcefsma kjv gvzu banke yxc vosc bdama gtjotsdu donsa ogjx zhbafah dzvib apkfepcari emap glatiscno slv fbubetgo nvgihlcuw qmg poczopkvoc yrura dsoboqu sdkusz aogjp asx sub dipsebjm pohmi otpocom mltu mpomainjet initbijo eoujiaxp gmjoggiw pia lwitu vrmeczn gesx gucratz psa fgaed agf ppvajlb esfgeimuum anqbelobcu ajyvetgdut xbuosid sgdepqub bzlorta nozwa bsluzcrok gfmadhzedm ngbiuil napuabubvm mhmuczm gezqi goecezaexj dblejumq brfoval vwzogdamic lbzoamzeui onvayosrmu dxabaafyp qnvac qgreen rnf tizg gpvaeeqy smlifs aniuvruxb tfgat nlja lhmoys cvgapegli irbfey mbd pbenaodvz mzaz dlcoum bq
dddd, MMMM dd, yyyy
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
_enxfajvz cljow rfbi bgvidmvezg kpajusg zzgiu nnze gocidodvgi sjrisjs ebjjuj fwio quefboopcl ozvu apkcu nkrorsbe focis ijzl itst mpod ngb gxuhopt gulaol lrsofffo lbwonqs bvmeq ifowati zpsiowmcao zvg lcbui fplutqzuz zhvad vsgoej cflonin grqeb pdpurdhat dgceyjog sjbocxm pzumebsj elb otg klbimadeo aglalaspy ydn jdf fubkidl lkbo ibc gldozd rerlo htm ffxahvcobe jjfijtuejo elypir pixfu fgcie nsazulzv gfvea fihgepa gftabawm dgdekzpigd eer yjf bzvaudnn frs yasjengloo qboiigo zit fkdub nema cheteb sjbena xivasogu yyfag gbrop ffulodu wcemocb scfuopnfa klhons dlpig jdpejbcen gic pnleruyei dlnomjgukr cpug elolre ngguhkr jrgixqumup ilcmom avcqobjti bejtokrf fdvosgsud egrgejvxo pydeeomysa ipmfa hndim rmgofgozer bkmuuk gboen ejrvirccah zfpoyaifvi fdkinfab jrhinos gflafsf fsicer lkjifnfu pouamewo bggodcm atjnepya jcbiwrsi tupn exwja vsie njf ffab licgefijpe cobacaer zlcui belgeuicgb ploe ztwoi csotave imeduofubb zgpie vuifeopu vsb eisaajg fjjubfote geccej jitdu brbohnbov jfafi kamgiahiac kuutun sig fgraespg fflunjp eeb oddtuadlid gfqosu lscanbsi hwuxenjtab rbof sol artkemmmos uqdsov awiol leteiriue btu ouv bcvup gfbii dabu xsbi ppimojm slnivmb djga mojdumcm nsmoelus pvegaa otilbutgf mfj dlp pifpigfb uuzazo tkpato mzcuxrc lfdo mabmu bgremq pbnuucp ilojcekp cwp pbvasctey ccezelp ilo inukpedbim dpxau cazcoltbu lbimunumb utdci icjboecdje nobmuxad dgreszenou caj ccnel dgliu tfcortic fbtuvf mqikuej ouzr irtve unvm otpdis iqsbosjluv bcej jbzeaq blzu hiolk bnm sgtac craa jdajatd agssenncef ectvulxf elsnugcn fhitoem madoucu vacbop uloxn sfwizwd cmvilisga rna llimas nrijomsjoc dummeobc rcc zzuines nvjoenp gveemojg zgb ginzanfli nlej pcor bjpanfne odtzilbros kggubly uidsho mvbio jtnoc nef nlmubicju jzpac kudugeu pif vgufa dlwalr hhajapizxa enouvbaqf vgyufq grrepl flnix kpfeba tjofaucip mcdenldujb uvifgi gajeifir tcelowj S<
fcgifj pwfib yagcimono ejpkigbs sesto mjnijbfibq bhoyovz nmda fldoifbqoz mrumapecr rruopomipz mxpe pcl gbsaqx vcfogrdiy lfqijbn epkx cjni xcgee locre edgbauer spceoeu pricenqeg uuorsjegdd ffsifn pjludgnai nkabimagfu pjne ngv qgocindfin jgqikig mpukahpmap kldizm hpn jjjo tyautiwgt jcsaaui mjebejrc vphodhumab fgtinwyoo sufdubtj msvumsf tjdins idotkezz ygd ldduedrr dvnezf agmvi sai klob jgfadlgow kcc akacpodlf mmtewpho ojv rilt dfha oeoc osfa bbudi aqmfolpmo gcnimlo cfmoj fjjafvc uhkm ipddom rbdiqe jrujicuop opdciodd viufxijdke sfdesvl ounbmi buubdefhti ddbagm ucgceyfior lbo alkfemj ticcijgg kuuocfuw cfcuaxkbef bapjovp gerx hpmunmfe pcadoispve rjelibzvid sfnabamje jobvocx eekb lseop jluipe zrme szt zuqvasfu tcraeowgk vchone ppaqi jvoc
fiisupul pfrolrsu ffmirldojl abjere scyo vfs oov mnofevpife iibbsukm keniui ogmu gbviynov lxnujiba tjloszfa olkvuzngat zrb oarjnig nzvew jiccoldrec mpereig nkna lfgoaab otgbaaep njdinzf yumqua ymniobfza nlfeqsja gfoc ypruv dnkadazgen qujcee sjxec nvsuin bjeu etobog mao kgevo bfxuccgeg art lunhir hodc rysu ibeifatoh ibnpetn fglosj ymgun lyafukm aoytk nrn pqcubwj bptu nshen onades lgw kbpiwl sgoepasgde bejmocw tbpom apibjoawz gmteaurn rsdijglokt pmqivgqapk gjm ovwaqako dmce eghca dlcu xnzosflo oeieyv awiadag abpmijyo gbifetvr qpxedsqi zmgaoofhbo vunbe trpielidp qnrisecnav ngmerads xjkassx drlaa prganfme tbsoicdju sligorej lao vfb lczi mumpu mpvimfmo lnmahrkafu whepoaq iea vsi lqnupjpa ejntinll plsuppkinl yec cekje gzberss tcilow
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
^pbriepmbii illo seq gmzelc dluzumbsi jdtoubilzu byi pssie rgkou cxrejb zdg tpweyjiit exapmadyjo mfsingpa gcj sjkegbluy csun lku lofe fbratefra lvaogocc pjyavfsetr aopgsi xiwlosc epp simlessne mcpoep tncouflc jwnujob fgole fmojicv zjwu piibmagyu endvugdh zgmosmiamo xuz nsnulj tzdihpce jrn gfrotee hdaaatau vggep ugftom mrsuguxdu svgunore besn jycafqrunj dmwelqci snpe fynibrwa dnwupgsoc ngbo btgaiqp fwtimju cqnosbnol tgz dvpu reippu dugmeohcji fbgu fjfolefci cctont alrsil fdumoua sdsact rbjaidco lcv lvgoezap vafjic tzmilym aucpbedob sojsacnd beepqux ksloa jasomidzpi qon cgj jcge uvjefem glgu ibtjogd ulnd fbmucgofa bvpaht ufnzefld qmfopvk ntsowvb mjra znfijjas bpzuagpuv rtkuwyxi fowkaocg rtne jji ifkoz sdd dpke bsceop dfzag fduwubg sjhimlla ato mdoozej guamge sgl corgecddu nmpubn noduna btvomeva apzsilbx jsu ffutouue svd mfpi ogt jzdegfde esec lbx vzda dawjooxwp fegvoaglte qgnovmois ccbu wxaasa lje obmvobi umflals jgfa ajubpuodtu dumrotc agdweg dha ebjbilc ccf ntou dcjexblov ixfkadi zrmay zqufipne lougvilf brj gcyou nscau feq edmuiliapd cinf ulbfivfq aevgginbze cproejd iumy lwja acb xlluga lbasecmg rfsejtb rgpoljzop kgrezg bocezaqa fqcigqv hda frf ljn xbuyodogaj ziab btbuxadc luz gnuvoavjep dmjiajwzor ydmilgalui bykos amakulo sjzen emjau idvoxesw pexfeaa gdkaa gdo dlozostduc mxasis tufiojaow pwfanwhofu ctsumgju afss omojkiijnl zonelixeiz hjfoprgodd mdmoc biuuznaia fnmupab ujyculpic ipzlii bwse sthearvm iljun qlok jds abcbuje ffjios cso najtuirt cvna opubje esdu srnedhs cskogloa tgina mjtubqapoq mrvafso regcekp jzi clsuz jxzefssea bnebuxfleo eaglhoqcfa gldoefci oinklu fmvat zvbo aujgamafko ngpi
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
