| Field | Value |
|---|---|
| Analysis Date | 2014-11-22 23:23:24 |
| MD5 | 0cbd6f6044e3abea65ff64da7af66dda |
| SHA1 | f10f8d968147ab60879639c48c35da92bf8739e6 |

Static Details:
| Property | Value |
|---|---|
| File type | PE32 executable for MS Windows (GUI) Intel 80386 32-bit |
| Section | .text md5: 8955127b0bbba1472789c552b5aeedde sha1: 08a8422c1d3a64807357526db69c1a74f9606ca4 size: 195584 |
| Section | .rdata md5: c7a717f1b7c7eeacdfdd34cbff6ab5d1 sha1: 2c5099f476af5c460d0e5e3c0925e61ac2b825b7 size: 29184 |
| Section | .data md5: 73371af7c17ca311d53113c71e54a00f sha1: 1e5928ebb1d89838a653b3b867f3aa0bca84ee55 size: 13824 |
| Timestamp | 2013-02-05 18:36:41 |
| Packer | Microsoft Visual C++ ?.? |
| PEhash | 687b9dea426e73ca4307bb809d5882f2a027e52f |
| IMPhash | 486b0eaa8b485bfac377f63313315f88 |

| AV vendor | Detection |
|---|---|
| 360 Safe | Gen:Variant.Symmi.20038 |
| Ad-Aware | Gen:Variant.Symmi.20038 |
| Alwil (avast) | Agent-AQZU [Trj] |
| Arcabit (arcavir) | no_virus |
| Authentium | W32/Agent.RW.gen!Eldorado |
| Avira (antivir) | TR/Zusy.3884659874 |
| BullGuard | Gen:Variant.Symmi.20038 |
| CA (E-Trust Ino) | no_virus |
| CAT (quickheal) | TrojanSpy.Nivdort.S3 |
| ClamAV | no_virus |
| Dr. Web | no_virus |
| Emsisoft | Gen:Variant.Symmi.20038 |
| Eset (nod32) | Win32/Agent.ULX |
| Fortinet | W32/Agent.ULX!tr |
| Frisk (f-prot) | W32/Agent.RW.gen!Eldorado |
| F-Secure | Gen:Variant.Symmi.20038 |
| Grisoft (avg) | Generic_r.BYW |
| Ikarus | Trojan.Win32.Spy |
| K7 | Backdoor ( 04c4c3f11 ) |
| Kaspersky | Trojan.Win32.Generic:Trojan.Win32.PEF.pf.silent.407874:Trojan.Win32.PEF.pf.silent.452448:Trojan.Win32.PEF.pf.silent.457538 |
| MalwareBytes | Trojan.Agent |
| Mcafee | RDN/Downloader.a!tq |
| Microsoft Security Essentials | TrojanDownloader:Win32/Nivdort.E |
| MicroWorld (escan) | Gen:Variant.Symmi.20038 |
| Rising | no_virus |
| Sophos | Troj/Agent-AAHQ |
| Symantec | no_virus |
| Trend Micro | TROJ_SUPPOBOX.SM |
| VirusBlokAda (vba32) | no_virus |

Runtime Details:
Process
↳ C:\malware.exe

| Action | Detail |
|---|---|
| Registry | HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Alerts IP TPM Logs Agent PNRP Computer ➝ C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\rcmgbmtjlav.exe |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\rcmgbmtjlav.exe |
| Creates Process | C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\rcmgbmtjlav.exe |

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\rcmgbmtjlav.exe

| Action | Detail |
|---|---|
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\rcmgbmtjlav.bvle |
| Creates File | C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\shkwbbbqvj.exe |
| Creates File | \Device\Afd\Endpoint |
| Creates Process | WATCHDOGPROC "C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\rcmgbmtjlav.exe" |

Process
↳ WATCHDOGPROC "C:\Documents and Settings\Administrator\Local Settings\Application Data\kngdwecp\rcmgbmtjlav.exe"

Network Details:
Raw Pcap
Strings