Analysis Date: 2014-01-14 20:02:33
MD5: 6d6a0c3896db697dd0268d5f19eecd3b
SHA1: 53fa62b584f23a91a7986210c8f1214c270226f5

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: e8a5950866b36237c7100ec4582a4458 sha1: a8993fb3756f3c090a9ba63fe98ae025c8456cf6 size: 2048
Section .rdata md5: bfa482ed84238398f6095ed9b7286e6e sha1: c3577269c1c57e14d14e3d985b53966201e3f49d size: 2048
Section .data md5: 3cec355f28d24cd8e2763c059c0b55af sha1: 9d48a87cf04792eaa5514f0337cae8300794fa93 size: 128512
Section .rsrc md5: 95749f516deb57c71e4ef5efe4901f26 sha1: b50d2880d3cbb4bf046fac34c1c104d1c4bc489f size: 13312
Section .reloc md5: e0e302c4c1139a9af589f046b90d7459 sha1: fae9a7e30c386d056bdf675771a025af5a860674 size: 172032
Timestamp: 1997-08-05 09:25:53
Version:
LegalCopyright: Copyright © 2007 Avira GmbH. All rights reserved.
InternalName: AntiVir/Win32
FileVersion: 7.6.0.59
CompanyName: Avira GmbH
PrivateBuild:
LegalTrademarks: AntiVir® is a registered trademark of Avira GmbH, Germany
Comments:
ProductName:
SpecialBuild:
ProductVersion: 7.6.0.59
FileDescription: AntiVir Command Line Scanner for Windows
OriginalFilename:
PEhash: b4456b90f9548b755d6a180004051ac382f12ef7
AV avira: TR/Spy.Agent.148988
AV avg: Generic20.CKAS
AV clamav: Trojan.Agent-292744
AV mcafee: PWS-Zbot.gen.cy

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\malware.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Deletes File: C:\Program Files\huettqja\px3.tmp
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6998A1D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFFC62-FE56-017C-F492-53D69B161D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D699F61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6968E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6961A1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D697E21D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D697921D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D698F61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D695AA1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69A461D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69CE61D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69A321D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6999E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6998A1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D699661D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D696461D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6981A1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69A5E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69AB61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D697CA1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D698C61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D696E61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6980E1D45}

Process
↳ Pid 492

Process
↳ \??\C:\WINDOWS\system32\csrss.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D697CA1D45}

Process
↳ \??\C:\WINDOWS\system32\winlogon.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D697E21D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\services.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D6980E1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\lsass.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6981A1D45}
Winsock DNS: 192.168.1.1

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D698C61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D698F61D45}

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6999E1D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D699F61D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69A5E1D45}

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69AB61D45}

Process
↳ C:\WINDOWS\System32\alg.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69CE61D45}

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Mutex: {37FFF72F-FE56-017C-F492-53D696E61D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699661D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69A321D45}

Process
↳ Pid 1184

Process
↳ C:\WINDOWS\System32\rundll32.exe

Creates File: PIPE\lsarpc
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6961A1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Network Details:

DNS: stromoliks.com
Type: A
66.228.61.232
DNS: google.com
Type: A
173.194.34.168
DNS: google.com
Type: A
173.194.34.167
DNS: google.com
Type: A
173.194.34.162
DNS: google.com
Type: A
173.194.34.161
DNS: google.com
Type: A
173.194.34.169
DNS: google.com
Type: A
173.194.34.163
DNS: google.com
Type: A
173.194.34.174
DNS: google.com
Type: A
173.194.34.164
DNS: google.com
Type: A
173.194.34.160
DNS: google.com
Type: A
173.194.34.165
DNS: google.com
Type: A
173.194.34.166
DNS: stromoliks.com
Type: A
66.228.61.232
DNS: promoliks.com
Type: A
66.228.61.232
Flows TCP: 192.168.1.1:1033 ➝ 173.194.34.168:80
Flows TCP: 192.168.1.1:1034 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1035 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1036 ➝ 66.228.61.232:443


Strings
<(**
{<[ 
{><0"
000004b0
09bt
{\0~e
^0e}{O
_0_fL~|
0<&j
0^JI
0M[V$
0!r3/
&	0U
1"'=
1	&(
1~7ev
1oub
1q9~
|=[^1RQ
'	%2
 2007 Avira GmbH. All rights reserved.
$21nM
2j^v
2T?Q
*2vj-r:
2YS2
?35_
3o#T
3	;q7
3?T6
>>{{4+
+4Id
56B?H
58&Ju
5Fg3*c9=%
;+:6
"65#
67a^=
6hhC
6s993Vx
6ZaR]
@6]Z_n5q
7[4>
7.6.0.59
76zp%
7AWe8`#o
7@b{p
7L74L
=7#T
|8+c
8dZx,9B
8l+?Q
@8/O>
[8}R
|8^s
8(;z
}#`9C
~#9e
9hYi
?9lSk
9o<Y
=9rL
~_a-
A@`A^
a(FKH
]aH1n
%AhOhg
#a:k
$AKP
AntiVir
AntiVir Command Line Scanner for Windows
AntiVir/Win32
Avira GmbH
B+08
>bC^
$/bF
,(Bitg
b[M;5
BnMS
BsED
bTOh
C|}0
%C0	6Bb
C0At
C"BL
Ccjdn
c.@k
cni\
cNY6.
Comments
CompanyName
Copyright 
~>CR
}c&r8!
DD%,
dde1w
dFp2h
D$G[
>dh@V
d-ip
\d^j,
d?LP
?dX\
	dX)
DY	1So
@("e
e[130
E1R"
{E2Ky(
;e-}>a
ebOG
eBOYtSJ
ecH5
e(EH3O
%eI-
_]EL
ELF 
,epDg5)
Ep@*-N
#EU(g
 *>f
F7dj
F8N>
fdvp
FEBh%
<FHVY
FileDescription
FileVersion
fIV6x~
F:je
!	f%O
FPlgX
FrL<`
FYH'Q
`%-G
G'#"
gAZYi
-Gch
Ge'b
gGX;
G"LT
g+^N
GRZM
g@\y
G{\Y
Gyj(
H\.'
HdbiB
H:^hC
hhU"
.hiI
h	<j
hLyq
hpP@
HP.]p
Ht,@*
h)"U
)Hvc
hv=k
Hz}5
hzpU
-<i=
i6wQ
IafOTL
I{bU}
iD~x
+{iE
iE3l
InternalName
 is a registered trademark of Avira GmbH, Germany
i!Sh_
I;TCW
_iv%BZN
IW$y~
&j<(
J]7@
j+8"l.n
J	_9:3
JaqO(
jq*_
JsJ=z
JuRw"Y
J; X
K1oy``tm 
%K1P
K(A\
k\BE
-k,c?M
 KE2[*
Kje00
k@O	
%Kp[?
kR2zo:
kvS:C4
K!zk
,(l~
l_;)%
LegalCopyright
LegalTrademarks
lh<:
lII/N
lmY(T_W'
lP%)
l^WNP
lY5za8
.,m	
]#=M
M]-'
MANIFEST
MB$K,
mj).
<M-J
M$$N
mT<	
m#XQ
_|n]	
#."n
N!:[
N/? 
N<-0
n3L'
#n6(10I9
N8;g+V
N94<fo
`N[BMMA
nCF8X
n[D"
Nf0x
$nko
	"NNY!
NO_ 
N o2
Noo3
n:XS
_NYuq
-"o\
o2Y]
o%7,VC
O9RCj
}onn
OpA3
OriginalFilename
O{T&'
[`OWt6
%%p`:
P|*~
P\,	
Pd8[
p-e`h
pE:j
PLz2v
p<Q&'
PrivateBuild
ProductName
ProductVersion
-p	SX;A
PSY],
P]t5
pwxj/
Pxp;
Q0dXL
qD0J
Q{sR
\qVJ%
q@.w
{r1w
R2B+
rawL
RgV\
rI)C
>r:oDav
R[rV
r&X'Q16
~S=-
,S	]
S{^|
S1N>
satF
s/]c
s	C:P
SDqt
S)f. {i$'[
	 +sG
S%~I[&:
SK"Ue?a
sLmK
S`~^P
sP81
SpecialBuild
#s!rtH
>_s><s
sS0R
StringFileInfo
)T1R*
t6bb
t$B96
T?E} 8
[TH[
T\i;
/Tm@*
TPr:
T*"R\
Translation
TVD6	
;tWX
TxTg
~TzW
u3MM
U9eZ2
u@bu	V
u?k/
*ul_nt
{U*O
U"Ol_
usEu'
	U>w
)^#uy
v00'
v1Uo
$*V2	
VarFileInfo
~vGH:f
VId=
VJ}OhN
vL<"
V<'l>
|V*Mk;
vsiP
VS_VERSION_INFO
`V;t
VTD7
'VWc
V`X0
V-X3]
#.VYdZfP
=^W&?=
	w3#;
+(^WA
'wag
w\b:!9
?/We 
wh i
W~jq
WnoAx.U
wplL
^-wR
w\tU
x4U-{N
!x8W(X 
[x9n
X<"A
$X"d>
 Xif
[xJt
X!N9
^xnD
/XR 
_Xs0<
x\ TMYe
Y0Lo
y3kDg
y~4,
y[4m
Y6yL
yA2Pchv
YD6H
Y i6
y}Pa
y<qC
{\ Yud
YW+e
YY,	
|zF$M
Zje=
zm|m
Z~)u
zu}j[
Zvor
0/131:1G1X1
087=ad|
0bI,x>
@.1T~,
2'bmQu
^2-j&Q
2o]S" >
}<4~[T
4|_xA~
5$5*50565<5B5H5N5T5Z5`5f5l5r5x5~5
55'o<84
]5H?dt5
6 6&6,62686>6D6J6P6
(6;\.F
6jP8M~
\7g;8?
=8%mZH
8RKq	!
>8RuIiu
8Y2n@]
aAT<v\
ADVAPI32.dll
aGb0gc	
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
bcppas<
BlMvQf
bs8F7~
}b	th4
CE?SVs
ChooseColorW
comdlg32.dll
CreateCompatibleDC
CreateDialogParamW
CreateDirectoryW
CreatePatternBrush
CreatePen
CreatePopupMenu
crx;D	
@.data
dcMs]/u
DeferWindowPos
DeleteFileW
DestroyWindow
DgLQi#0
doRQ<S
DPtoLP
d\u``?
{e^9hQ
eb#YO~
EnableWindow
EndPaint
E\Qoow
EQsNg/{
E}<SN1
ExpandEnvironmentStringsW
ExtTextOutW
fg}t$S
FileTimeToLocalFileTime
FindClose
fs3t{g
G,4"zWb
[<@<G<dEI
gdi32.dll
GDI32.dll
GetGlyphOutlineW
GetLastError
GetLocalTime
GetOpenFileNameW
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStockObject
GetSystemInfo
GlobalSize
}~gQ0#
^Gw+S[
hFDCJ9
HHI46c	
HideCaret
hm>O\Kx
_)Iec%
&I>-#i
iPx*rYk
IsTextUnicode
I	yxsD
{jc/z/
jH3|x7
jl53PW
jx+g{g
kernel32.dll
KERNEL32.dll
KU.iN<_
`l2@`>
LCMapStringA
LineTo
^LnR{I\
LoadLibraryA
lstrcpynW
m<.1nK
_mE4n@
MessageBeep
[M ,r(
m,~Ue*d
<[mycG
NCu 5:
N$RMG[
*NshV'
O8Q}v0
oCN/MM1T
oiiOm7k
)o_=J=
,oRxg.
Ot9iH/
O>Z@&	
P74	}]D
P)7\tD
~p'B"@
`PE&hD
{pH2DA
P.HNvi
PP$u5>+
PrintDlgW
/pT"AR
pu4}8l
Qduw3~
QS.Ac$
:qSuS9A
r16~_W
r2Kq	!
`.rdata
rDu?$w
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryValueExW
@.reloc
 <requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>
RestoreDC
Ro-os=C
s1 vj=
 </security>
 <security>
SetBkMode
SetBrushOrgEx
SetDlgItemInt
SetEndOfFile
ShowScrollBar
sRD,'}5q_
sRich-
!This program cannot be run in DOS mode.
Ti9C2ElA
ToAscii
TrackPopupMenu
 </trustInfo>
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
U0Gm~`F
U0#SX\
u%"	G-/
U$*`_H:5G
USER32.dll
/U>w=,
UWd^0fU
VDH}o2
VirtualAlloc
VirtualProtect
VjJgz!
VVVVVVV
-+wDc<
w/IC03
WriteConsoleW
wsprintfW
X3BI96pX
X6rYH@
|XB5$Z
x@d_`(O'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
yavC[W
YSmLA!4
z1=j/$p
Z,lj$k
z>uW;9Y
zUZ]N/