Analysis Date: 2014-04-21 07:34:31
MD5: 43ae9331735e8587b52506f3fbeefb94
SHA1: 5575b3a85119a3496cddcb823f31c6950c05ca4c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 28afea0f40ef94b4122c6be34dac1f3f sha1: 559e359ae2a4b0669a5fd5ee2f8fdb8aaf6cf381 size: 2048
Section .rdata md5: 7778e82b298a9234726818f6a6f4b909 sha1: fbf9673587b46619408b3f85a6dfe3bcef0136f4 size: 2560
Section .data md5: b311cc8bff2a20ed90ae8db181098321 sha1: d41535355350d86bb3ea4bd9692ad30f65d28eb2 size: 89088
Section .rsrc md5: 72b9d4419654149cc308652ea7ee5832 sha1: 66deef580f7d93f2abb38c6c65ffbfc26b2edd52 size: 13312
Section .reloc md5: d0e4da2a4394c48170e4d7c47a26094b sha1: 0fdc5caf84545c5d09ea94883bfe1758777e3ad5 size: 80896
Section .text md5: 19922255497cc1ee9a981b74fb2152e2 sha1: 3c3093552a24e496047f00e351cf71f6a099c20d size: 191488
Timestamp: 2006-04-22 23:15:06
Version info:
LegalCopyright: Copyright © 2007 Avira GmbH. All rights reserved.
InternalName: AntiVir/Win32
FileVersion: 7.6.0.59
CompanyName: Avira GmbH
PrivateBuild:
LegalTrademarks: AntiVir® is a registered trademark of Avira GmbH, Germany
Comments:
ProductName:
SpecialBuild:
ProductVersion: 7.6.0.59
FileDescription: AntiVir Command Line Scanner for Windows
OriginalFilename:
PEhash: 585649a03f94b16bfa6090a6c0a1e9efef2fa91c
IMPhash: 093a51e0b7dcb2466b7edfd78d191aa0
AV avira: TR/Crypt.XPACK.Gen
AV avg: Win32/Zbot.G
AV clamav: W32.Ramnit-1
AV mcafee: PWS-Zbot.gen.cy

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
Creates File: C:\5575b3a85119a3496cddcb823f31c6950c05ca4cmgr.exe
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM3.tmp
Creates Process: C:\5575b3a85119a3496cddcb823f31c6950c05ca4cmgr.exe

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\5575b3a85119a3496cddcb823f31c6950c05ca4cmgr.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\huettqja\px5.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Internet Explorer\dmlconf.dat
Deletes File: C:\Program Files\huettqja\px5.tmp
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\5575b3a85119a3496cddcb823f31c6950c05ca4cmgr.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp

Network Details:

DNS: stromoliks.com
Type: A
66.228.61.232
DNS: google.com
Type: A
173.194.34.174
DNS: google.com
Type: A
173.194.34.165
DNS: google.com
Type: A
173.194.34.160
DNS: google.com
Type: A
173.194.34.168
DNS: google.com
Type: A
173.194.34.162
DNS: google.com
Type: A
173.194.34.164
DNS: google.com
Type: A
173.194.34.163
DNS: google.com
Type: A
173.194.34.167
DNS: google.com
Type: A
173.194.34.166
DNS: google.com
Type: A
173.194.34.169
DNS: google.com
Type: A
173.194.34.161
DNS: stromoliks.com
Type: A
72.14.182.233
DNS: promoliks.com
Type: A
66.228.61.232
Flows TCP: 192.168.1.1:1032 ➝ 66.228.61.232:443
Flows TCP: 192.168.1.1:1033 ➝ 173.194.34.174:80
Flows TCP: 192.168.1.1:1034 ➝ 72.14.182.233:443
Flows TCP: 192.168.1.1:1035 ➝ 66.228.61.232:443


Strings
/4eUN...
e.O..
..
..
I
(
.
\
{----}
x..xxxxx.xx+
H..
.
e
....
^?.<+
:~$0
000004b0
^|0*8
0Uf/Y j@,l2
0zv}
1cQw
!1+k
#(1Kz
{1%+t
 2007 Avira GmbH. All rights reserved.
%23)
;^25
2F O
2fYOW9
2`._Hj
$2kN
2qDO
2tD<$x<
3C,F
3i'm
3ogv
)>>4
4F.'\q
4hSr!
~~4z[s
50[:
5aLm
5EcX
5]H	r
^5J7$
.5lX
@:5Yd
60xu
6$Y<
7.6.0.59
7957
7;q{4
7v3e
8Fs,
8NDU
{8x6)
9)_,
-a=%	
_a5G
aav*
ABXir
ac)dd
AntiVir
AntiVir Command Line Scanner for Windows
AntiVir/Win32
Avira GmbH
<A-X
]BbG
BcS`a
bfQh
"c2%
c2Xz
c+-4
`?C 4
C6F"M
C.b}
C|<g
 CJ/
Comments
CompanyName
Copyright 
C]}p
Cq1`
ct|w
)$CW.
CWT<^
-c;z
"D%7
,d'BSN
dD(_R
dE5B
D`?UJO
$@e'
%eh?
E#q0
er!0u
#E^wH
 -ey
@&f4
fa5"
FileDescription
FileVersion
fkCv
>}{g
;),.g
%g&%
`,}G
g63"
g-her
gJ"a
@Gmbuo
gPtl
_gQ7s
gww5A.#
 ;	:H
heln
{H_f
HIjz3@U
 hJB
H=lt
hqF]
&hR@
+h]t
HUn:
H~vCw
hvZPIt
HyfA
HZ\_"
I+7O
iCGB
@$ig
iHuA;
$ild~t
InternalName
Ip1y
 is a registered trademark of Avira GmbH, Germany
iYptg
J'"?
][J4
JA5,
#%jb
_<J+F
}#JGk2
jh3r
jjjjjj
J|kbHL
.j T
=[jW
Jxz8H@;
KIzr
KLU\!
*k$N
'K]vt
ky)@
}|[:l
@[l}
l3Kue
'L:Cv
ld]C
LegalCopyright
LegalTrademarks
;l(f
LnF2
lSm[Wx>
Lv)P
L)xj
\m;~
-m5b
MANIFEST
MI^B
:m.t
muH9
:nb&I
ncmR&B
nHVW
#;?nL
nL9!*Z
n$(V
nxUy
 \]o
O;2$
O\b&?Cn
%/obsB
oBsv
`	on
O'oA
o"P|
OriginalFilename
O>X1
o]xH
OZWd
--p;
p:{ 
p34+
\P|{6
@	pF
Phu'|IF
p/+P=z
PrivateBuild
ProductName
ProductVersion
+@pt
p-VQq
!'PW
pw1s
p>zq
]Q3_8.
#q+a}h
|r?\
;R.{-'
[r1%V	[
R,<Cwr"
RH6P
r"[l3=
RP[qm
rTAaw
S3%k
SBnK
sCs(
S$$*F
~S@I
S?IC
Sncr-cC
sNyw
S_p!
+SPa
SpecialBuild
s[Q[
StringFileInfo
svis
s'w#
s,)y
T3Mrrba
^t`b=
tcG1
+tDo
TdxF
tg$[^
t+G\H
t;l\
TQLj
Translation
;tuv
u0^O
{u37
u4.6l
Uc6r
UC"x
uJll
u?{M
UMxz
^U)r
U%xt
v@6x
VarFileInfo
v"/go
v:Oa/
-V/OY8?
}vR4
#vR&U
VS_VERSION_INFO
Vt;z
VUVQu2
VW8i5
VX cU
<&w]
|'%W
+{-W
w5}W
WBl%
WhT#Q
Wsf[
wuyq
X*`?
X1-UXu/
*}X8,
\X8V"
xK#{
xvJYq
X=\Z
[y/-*.
{y%$
y0Rrj
(yB7
YbhO=
YjNY
yooZ
ys&q
Ys/q0!
YS!X{
yUDx27
\YW 
+yW7GF+
Z"?$
Z3`f
~Z]f
z,HB5
!z'hi
zqG1|B
z|TE
Z +U
zUBD
"z`V
,zy>
~'&\-|
} $_/=
0!121R1l1~1
0e:>?d,
15292@2M2]2u2
;1 f9D<
1G~45dz
223o3u3
2{a+EP
2SOLwG
3>:/1y>
3=37X&
3Jw91`p
3m=r"aK
3V,|>FR
4_*3FW
{4H@A)
4<I9{3
4\s1@J
5"5(5.545:5@5F5L5R5X5^5d5j5p5v5|5
5Cb^aNE
"5~F[B
5"hpYr
5M8`uj
5)=pOU
)5Th8T
6$6*60666<6B6H6N6T6Z6`6f6l6
6@6*Coj
	6$%|pAz
#6Rup6p
72dD-t
 '75)\KA
7{aEO$
{7D\cQ
8N t{T
) {'9=
9&0eH(
9<ar$?5
^9KPz 
A 	2AGo4TyI
a{2*J{
A<#@6FuX2 }
AddFontResourceW
ADVAPI32.dll
a>.H:v
>	ahx 
aK)eFK
.!AL)k7
% aN2d[
_apz8@Y
</assembly>
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
a?"v:G
(*a"vu
awPflO-L
{B.5z3
+B=a2z
BB(Fpkr
b	 d1y
!BEX`&
BitBlt
.Bo^PWSR
/B?/(Q
bR=YV;
Bx70l8
\.#%c@
c.>_5Lv
C${cmH
CharLowerW
ChooseColorW
^C(Irhj0
c')_ J
CloseClipboard
CloseHandle
_cM`g9#>
comdlg32.dll
CreateBitmap
CreateCaret
CreateCompatibleBitmap
CreateCursor
CreateDialogParamW
CreateFileA
CreateFontIndirectW
CreatePen
CreateProcessA
cSK}%2
D0QF>Er
$D><(1
D9)!YX
@.data
DeleteDC
DeleteObject
(Df>v}	
DNZ=^=vk
DrawFrameControl
Drv<I_k(
";Dyw_Xc
/,E,%/3=i
e9%CX)
=Ei2:	
El+"	fK
]:|EM	6
EnableMenuItem
EndDoc
E,.U6R
;~	ex*
f{1HbY
,F3MtF?
F[+6%%
[f<<c0
FindClose
FindNextFileW
FindResourceW
FjAY"6
	Fp$zh
FreeLibrary
(:F"vE
\FvezB
f#weI~Y
?#! @g
g4"Q>+[l
+G$98C
gdi32.dll
GDI32.dll
GetACP
GetConsoleMode
GetDlgItemTextW
GetGlyphOutlineW
GetKeyboardState
GetLocalTime
GetLongPathNameW
GetModuleFileNameA
GetModuleFileNameW
GetModuleHandleA
GetOpenFileNameW
GetProcAddress
GetROP2
GetSaveFileNameW
GetScrollPos
GetStringTypeW
GetSystemMetrics
GetTextExtentPoint32W
GetTextMetricsW
GetTimeFormatW
GetVolumeInformationA
GetWindowRect
GetWindowsDirectoryA
gICSW=
g	?!J7Z
%_g_Kd
GlobalSize
GL+W6.|
\g~%>m4
Gm:X"BT
	gNjn[
&gP5h9
gyrsBDc
.HCc':z
HeapAlloc
hH&.x	H
^H\lS@<
h{,\o?
$Hwe~_
H X+jt
HY_^Z[
i0wB ?`
I.BZ ~1
i`Co $
I)"Cw<q
I/fDw$
InflateRect
InsertMenuW
InterlockedCompareExchange
(i.o_l
IrTijC
IsTextUnicode
I\xP##
')J-,^a'
-{j=E{
(jkjeVUK
jS,=[Pj
#JVhN=
+]JvUq?
J!xAYf
K8q2^u
K[b18)xd
kdK!Q2
ke'fQ?[
K%EFVO5Y
kernel32.dll
KERNEL32.dll
keU6nD
>keZjQ
	KHrX3
{K!Iw.
]KOUgWb
KS\'Z\
@l*.,)
L/5d:m_
<L{?6f
LdT`6qX
LeaveCriticalSection
!lf40/@
LL0_~)
^lLVhq
LoadIconW
LoadLibraryA
lp5V\!a
lstrcpynW
lWu7;=
\mgr.exe
'?M=m5"QJ
mqm,_r
MultiByteToWideChar
mwKVX7!9
&|mW-U
MZt<>A
Nf"M5^Fdl
nJGwU`
N-+jZB
?(-n|l
{nQrd<*
n"QY8y
nSj@+3 
n^<!)x
<$n[:z
O|)A:8K
OF>^=<$
OffsetWindowOrgEx
ole32.dll
OleDuplicateData
=O o7p
O>OjelT
o+oVL*
OpenEventW
OpenMutexA
Op!Ma0
&o/W|1
OX@U{_
p*4G*0e
p\|cv}S|
pF1AF=
pJDp`dc
PostMessageW
PrintDlgW
pskrw}z
~PsT+B	o
PTihB85
pV>i%q
p:[Vq]
]:`!Q'	
(qbOna6
QCtXe)
QF1\p>f
Qf7g\2
q`k\@_
q{^]n_
qte*jgo
qv'MTV
R37ggC
`.rdata
RealChildWindowFromPoint
RegCreateKeyExW
RegDeleteKeyW
RegDeleteValueW
RegEnumKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegSetValueExW
@.reloc
RemoveFontResourceW
RemoveMenu
 <requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges>
ResumeThread
_rfd6Ud
r~*J6-
rJ|6vR
	Rp#nX
Rq !bc
>r_u?J
|=S-%]
ScreenToClient
 </security>
 <security>
SelectObject
SetFocus
SetScrollRange
ShowScrollBar
sk=QDG
S/L~ie
Sp6#;i/
SQrd<*
SRQWVj
S=>r_u?J
S="..u?J
s~V3{;
sZ+oz{
t0ful[
@t3$R*M
T3WBGwz
`T^7<e
t}cG0,
(tCTTm2
%$T,F4
!This program cannot be run in DOS mode.
^Tk	hC
TlsAlloc
tpOqJ(W#
t&Q4a3
T)}q#5Mq
 </trustInfo>
 <trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
,T	s\k[|
tTRVp6
TVrc7	
#UABJp
uB.7?x
u!L wuq
uLxP##
uM==jzKD
UnhandledExceptionFilter
U(PsYF
uPzYx,
USER32.dll
u~""tV4
U]:xvu
U!>=Y"
V)E	f6
V]EPzv
vF<rAUvtv
^vi?[l&1=kl
VirtualAlloc
VirtualProtect
viuh=f
$.vl`<cf
Vl(I3r
VVVVVVV
VWQRSj
vXlkyC}	
(V;ZP0
Wgdr]R
Woy2Rx
w&-("Pl
WriteFile
X1PMdu~
x9B;LN:)
)-x`.[+b
XiAUAe
'_XJa&
x+]k9{
/XKV*i&
xlLlG&5#=
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
$xnATN
XTr2>Z
,{xuB	
y880GyM
	!Y9j2
ycl_"m
YgS82u
yV8NU[
Y`*z8*k
Z2`"t>fSU
ZAs5U(J
Zb}T,{!y
%$Zg93
&Z>HYO
`z|ILZ#
zp]/RX.
	Z"Q 5
ZRbs{jsqI
z:$rrb
ZrSv_w
z.wj&W