Analysis Date: 2015-06-14 11:00:46
MD5: d448e37d5431570ce3ce4be7d707ecca
SHA1: 12549a6b3cdae8131773b7e77ed2b6ea6e8ea467

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 72e3352551653c42ebc1bc520454c254 sha1: a5fa364c12438ed5d890d0af8a548045de1f5458 size: 27136
Section .rdata md5: 830ebffe4c9e0baba9958e6e3183f82b sha1: 712e309401e9721d3d5e1ae7f89fe54fe51c416a size: 7680
Section .data md5: 4cfefb19cc26a49b4d0d0181167ac087 sha1: d79c7d2a5e01a4bdda52f3299c552861ecaeeaaf size: 125952
Section .rsrc md5: 33fd1bd41b2ff682f8442e1171e26c22 sha1: 1f4ef5ea0d6565f3ae4c8031cfd431fdb8aeb14f size: 4506
Timestamp: 2011-03-04 13:42:56
Version: LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: p2p.dll
FileVersion: 5.1.2600.5512 (xpsp.080413-0852)
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: Peer-to-Peer Grouping
Packer: Microsoft Visual C++ 7.0
PEhash: 938df0843463945ec432aec5bdefda4c69044a40
IMPhash: 7419b525a1a8301742917ca7c4668fd7
AV CA (E-Trust Ino): no_virus
AV F-Secure: Gen:Variant.Carberp.1
AV Dr. Web: Trojan.Starter.1591
AV ClamAV: Win.Trojan.Agent-57575
AV Arcabit (arcavir): Gen:Variant.Carberp.1
AV BullGuard: Gen:Variant.Carberp.1
AV Padvish: no_virus
AV VirusBlokAda (vba32): MalwareScope.Trojan-PSW.Pinch.9
AV CAT (quickheal): Trojan.Ramnit.A
AV Trend Micro: TSPY_SPYEYE.SMQW
AV Kaspersky: Trojan.Win32.Generic
AV Zillya!: Trojan.SpyEyes.Win32.1143
AV Emsisoft: Gen:Variant.Carberp.1
AV Ikarus: Gen.Variant.Nebuler
AV Frisk (f-prot): W32/SpyEyes.K2.gen!Eldorado
AV Authentium: W32/SpyEyes.K2.gen!Eldorado
AV MalwareBytes: Spyware.Zbot.ED
AV MicroWorld (escan): Gen:Variant.Carberp.1
AV Microsoft Security Essentials: Trojan:Win32/Ramnit.A
AV K7: Trojan ( 001d712b1 )
AV BitDefender: Gen:Variant.Carberp.1
AV Fortinet: W32/SpyEyes.LBN!tr.spy
AV Symantec: W32.IRCBot.NG
AV Grisoft (avg): PSW.Generic8.BBFI
AV Eset (nod32): Win32/Ramnit.K virus
AV Alwil (avast): Ramnit-BP [Trj]
AV Ad-Aware: Gen:Variant.Carberp.1
AV Twister: Trojan.C7171CD82D273E1C
AV Avira (antivir): TR/Patched.Ren.Gen
AV Mcafee: PWS-Spyeye.x
AV Rising: 0x55d77f11

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\qcvbfpbp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Program Files\huettqja\px3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699921D45}
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6981E1D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\atl.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXSLE.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko04.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo06.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko03.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXE16SharedExpat.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\ACE.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko05.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo03.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo05.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\esdupdate.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo04.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXE8SharedExpat.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo00.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\edb1drv.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXEParser.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\edb500x.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\agldt28l.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Engineering07.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo08.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo07.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\epic_eula.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\BIB.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Esl\AiodLite.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Acrofx32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AGM.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\eularesen_US.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeLinguistic.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates Mutex: {37FFF8CE-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69D2A1D45}

Network Details:

DNS: google.com
Type: A
216.58.192.78
DNS: awrcaverybrstuktdybstr.com
Type: A
109.74.196.143
DNS: awecerybtuitbyatr.com
Type: A
109.74.196.143
DNS: qwevrbyitntbyjdtyhvsdtrhr.com
Type: A
198.74.50.135
Flows TCP: 192.168.1.1:1033 ➝ 216.58.192.78:80
Flows TCP: 192.168.1.1:1034 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1037 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1038 ➝ 198.74.50.135:443
Flows TCP: 192.168.1.1:1039 ➝ 198.74.50.135:443

Strings
\
.
 
.
..
!.
.E
..
...
|.C
..
R.

040904b0
5.1.2600.5512
5.1.2600.5512 (xpsp.080413-0852)
B7>Z
$	C,D
$F0m
FileDescription
FileVersion
Find
Find Next
Find What:
G"lu
G*\Z
                                 H
         (((((                  H
         h((((                  H
InternalName
LegalCopyright
Microsoft
 Microsoft Corporation. All rights reserved.
 Operating System
O(YD;
p2p.dll
Peer-to-Peer Grouping
ProductName
ProductVersion
.R=@~
rcuE
StringFileInfo
Translation
^t	Y
VarFileInfo
VS_VERSION_INFO
 Windows
'>0AU`
0B[ -=
0DyGT+
0qt<Ku
0Y3;",vi
0Y	l<R
18/]Wz|
1F5)Q'A
\_1kW%l
2311312312233432173122221213113231121122122113111122213919731284222227316231211312291212527129912112622921232112522121832112121211222263112222119221231111122321153228226278612216122223621126118211212222127241211112121161226272122121121111171957712116211295232322222113131421531223238121311224119811432271113212122211721321125122232511121175459121236133422232332221212322222211323435292132228112222211225222252311853222125241232112482112112269233263331121322122321221311218218313222311563122122231717422232166221132183131231438115217211261331211563112122517727921412222198411221222111213255311132112398271139161278218227927152213183222214513332121813423111221832351392662261291321912132212283633342111115136211911124297122932413222121521222122111221166222121131742322312121212352121122233271232912112228393671821991442323112216313929929121212221712129218222221838171925247811317217122121621125122222151322241217821211221821137221212132115262414221223222214133222211211322113212213212212221115221148111211313212151311911181112312212121212122322232173211211113132121211123312U
3{?*~`
33IR,67H
3I|Af]=Z
&3NX)Z
.3	YO~HO
4)eeqEl
53<1||V
5*:]/A
+5*p\{FU
5YeWT5
(7GQX#
8!2qSM
8BIG' 
8&PW^bMlM
8rq  t)V8ui
+8~U{Dd
8v)b$=q
9qYi`X
a5q'hUtEcq
aAefECh
A buffer overrun has been detected which has corrupted the program's
AddFontResourceW
ADVAPI32.dll
a^etK#
AI5@%tA0H
an6+Ny$
+ 'a=Q
A;`sDh
A security error of unknown cause has been detected which has
 AV@*@4)
A+v&iZl
AVLhzk0E
=a|W8`h
`+_B|0
|b5VS~
&:BbFs,
B D27jm
Bd"8`\
b@dwn/
BitBlt
)B?N[ZQ
bPzOi(
Buffer overrun detected!
+"C)'8
c|dO3ynj%
cG)lwB
CharUpperW
ChooseColorA
ChooseColorW
ChooseFontA
ChooseFontW
CIx*PE>C
=CJ,]-L
ClientToScreen
CloseHandle
c?:mZw
comdlg32.dll
continue execution and must now be terminated.
CorExitProcess
corrupted the program's internal state.  The program cannot safely
CQQMP]k
CreateAcceleratorTableW
CreateCaret
CreateCompatibleDC
CreateCursor
CreateHatchBrush
dB$GPs:
DeleteCriticalSection
DeleteDC
DeleteObject
DestroyMenu
	DfF~>
d<f-l$k
_dklXy
Dl[94:
dN<a0T
DOMAIN error
DPtoLP
DrawIcon
DrawTextW
DT_	{-o
+ DY4.
e9I<BA
EfRPp+
E.g2BMC
*eLkW+
_em~oy
[EM=ZE<
EnableMenuItem
EnumFontFamiliesExW
e/tG\%7
ExitProcess
ExtTextOutW
F95dhF
FileTimeToLocalFileTime
FindClose
FindTextA
FindTextW
- floating point not loaded
FlushFileBuffers
*/flxF
FormatMessageW
FreeEnvironmentStringsA
FreeEnvironmentStringsW
*FTV{?
	FUN&?
f ww x
GDI32.dll
GetACP
GetActiveWindow
GetCommandLineA
GetConsoleOutputCP
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetCurrentThreadId
GetDeviceCaps
GetDlgItemTextW
GetEnvironmentStrings
GetEnvironmentStringsW
GetExitCodeProcess
GetFileTitleA
GetFileType
GetFullPathNameW
GetLastActivePopup
GetLastError
GetLocaleInfoA
GetMenu
GetMenuItemID
GetMenuState
GetMenuStringW
GetMessageA
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetObjectW
GetOEMCP
GetOpenFileNameA
GetOpenFileNameW
GetProcAddress
GetProcessWindowStation
GetSaveFileNameA
GetSaveFileNameW
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSubMenu
GetSystemInfo
GetSystemMetrics
GetSystemTimeAsFileTime
GetTempPathW
GetTextExtentPoint32W
GetTickCount
GetUserObjectInformationA
GetVersionExA
gK7v<0
gKb/OV/
GlobalSize
glq~_D
]g}X"}v
~"h=4^U
H*6yN'e
h84#!F
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
h(|<h=t
~H}q:J
HT<hJC
hym+IQ
IAS#Y	
i}CJ}C
IEfF*.
InflateRect
InterlockedCompareExchange
InterlockedExchange
internal state.  The program cannot safely continue execution and must
IsBadWritePtr
IsChild
IsWindowUnicode
it95DID
>ITEfQ
(}iv+d
 I;Wx[i
^\J=D	O$
jf>U]g
JjrzO(
JKf>mU
j`_\M9
,(J&N6$
ju/?j0
JZp874F	
k3V$pCuN
K8X{RV
=K9AzXo
KERNEL32.dll
KhP[^M
({?kI9I
}K'j0]
KP1Lwf
kpo9V'
L4)W@%J
LCMapStringA
LCMapStringW
_lc'WF
;lHcXv[$
LoadIconW
LoadLibraryA
LoadLibraryW
LocalLock
lstrcpynW
lxtu/p
M/40][
mC~[a%.
m`DMJ[
m?eGb4
Me$,@mL-o
MessageBoxA
mf>vK/{
Microsoft Visual C++ Runtime Library
@%MkKY
mm6byG
m[[MeW
MonitorFromWindow
MoveWindow
<[mR'%
mscoree.dll
MultiByteToWideChar
MZrrr}
n36r4/b
nL68L.HnYS
n~[Nr'k%
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
now be terminated.
NS+<U81
OHSYGl(
PageSetupDlgA
PageSetupDlgW
PatBlt
Please contact the application's support team for more information.
PrintDlgA
PrintDlgW
Program: 
<program name unknown>
Pu1:\t
- pure virtual function call
q0a=I*
Q2-4:{
q4g{[_
['Q[Fh	
Qfpek.y
q-iSsn$
qLrrs66
%qqQ N
QQSVW3
:qsi%e
QueryPerformanceCounter
q+<?x4
QxAN8ut
.rdata
+R,e|#
RealChildWindowFromPoint
Rectangle
RegCloseKey
RegCreateKeyA
RegCreateKeyExA
RegCreateKeyExW
RegCreateKeyW
RegDeleteKeyA
RegDeleteKeyW
RegDeleteValueA
RegDeleteValueW
RegEnumKeyExA
RegEnumKeyExW
RegOpenKeyExA
RegOpenKeyExW
RegQueryInfoKeyA
RegQueryInfoKeyW
RegQueryValueExW
RegSetValueExA
RegSetValueExW
rEl&<YW
ReplaceTextA
ReplaceTextW
RestoreDC
RichgX
rsHv{d
RtlUnwind
rt_{n^
runtime error 
Runtime Error!
rUyqZb
rXS_PR
s9)(g?
SaveDC
SendDlgItemMessageW
SetDlgItemInt
SetFilePointer
SetHandleCount
SetROP2
SetStdHandle
SetTextAlign
SetWindowLongW
SetWindowsHookExW
ShowScrollBar
ShowWindow
SING error
'|@Sjy
)S!Mh 
.sm~#Q
SNU?FYp
sOxX~"Ze
\SSSBL
stdjl3
t2WWVPVSW
TciBbq
]tdgA$
tDZUCTq
TerminateProcess
TGjmj2
- This application cannot run using the active version of the Microsoft .NET Runtime
This application has requested the Runtime to terminate it in an unusual way.
!This program cannot be run in DOS mode.
TLOSS error
ToAscii
tp,4@e
t!SS9]
t#SSUP
t.;t$$t(
t$<"u	3
TVKR$l 
t$$VSS
>tx&~a
T YM8!
uJ3tDAkq}
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
Unknown security failure detected!
UpdateWindow
uSAd=]
user32.dll
USER32.dll
%U{UM#
uz]'aA
V3+X:t-
V>8AC5G
VC20XC00U
ViBA5P
VirtualAlloc
VirtualAllocEx
VirtualFree
VirtualProtect
VirtualQuery
v>	.j.
VM.kCRe
@?VmOE
{!|V&p
VWF9c&hL
V,/wG$
VWumhH
WaitForMultipleObjects
WeR`=B$<
WH`ilTV`
WideCharToMultiByte
WindowFromPoint
;}*wP@
WriteFile
wUN(Zew
WWWWVSW
x_@ixC
XjKgFf
_xjr>C
_xLuR^
y,0Nq%b&
Y\@*69R
yBdyq%
YMBcDb
y#/NfpS
$Y+#SwX
\YV7[+8
Y:vlrl
|{Yw<9
_^][YY
yY/bc\"#
)z1||V
 ;@.ZA
Zcyc,^
z[KY^|4
zNSDNO
!ZuMNO
Z/Z$U{