Analysis Date: 2014-08-22 00:06:06
MD5: 2326fa2034732cf93847bbef36281fd0
SHA1: 66c830cb8446489841ab994720ae21b8eef3b78e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9f16c5b4f81a7aabd1882a8c66c2570e sha1: 207d01d0a6800f17e5bf3eb611c581bac042c840 size: 48640
Section .rdata md5: 3de9e8120accdc1d289ea002b9abef2e sha1: de22fc24ddb52aad1318ce49db7b90f640dc28aa size: 50688
Section .data md5: 81a9d6fff87b8c0ae3f74830854a0f70 sha1: 5b4b8fc2b1e52b38b74d13a40675759d34a4b60e size: 52736
Section .rsrc md5: 643791ac8738cf868a2bc10c7b8583b3 sha1: 3d3d6ef054b7cfff246291b0e68825cb6c3a30b1 size: 1536
Section .reloc md5: 06e505b2190e82b6854a96cd7b783dbc sha1: ed67374680043c8314b6d55ef3bd2a0d23a17211 size: 31232
Timestamp: 2006-11-07 09:17:50
Version:
LegalCopyright: Copyright © 2005 - 2009 Nir Sofer
InternalName: DLL Export Viewer
FileVersion: 1.26
CompanyName: NirSoft
ProductName: DLL Export Viewer
ProductVersion: 1.26
FileDescription: DLL Export Viewer
OriginalFilename: dllexp.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 6ca563fb2ba02e224cdb25bb9089fc8178b50771
IMPhash: 4a0c955f62553242a1dc01ad6b453e7e

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\atl.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXSLE.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko04.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo06.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko03.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXE16SharedExpat.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\ACE.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko05.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo03.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo05.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\esdupdate.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo04.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXE8SharedExpat.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo00.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\edb1drv.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXEParser.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\edb500x.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\agldt28l.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Engineering07.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo08.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo07.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\epic_eula.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\BIB.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Esl\AiodLite.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Acrofx32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AGM.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\eularesen_US.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeLinguistic.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69CCE1D45}
Creates Mutex: {37FFF8CE-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\qcvbfpbp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Program Files\huettqja\px3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6988E1D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D69B9E1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Network Details:

DNS: awecerybtuitbyatr.com Type: A ➝ 109.74.196.143
DNS: google.com Type: A ➝ 173.194.121.35
DNS: google.com Type: A ➝ 173.194.121.34
DNS: google.com Type: A ➝ 173.194.121.33
DNS: google.com Type: A ➝ 173.194.121.32
DNS: google.com Type: A ➝ 173.194.121.46
DNS: google.com Type: A ➝ 173.194.121.41
DNS: google.com Type: A ➝ 173.194.121.40
DNS: google.com Type: A ➝ 173.194.121.39
DNS: google.com Type: A ➝ 173.194.121.38
DNS: google.com Type: A ➝ 173.194.121.37
DNS: google.com Type: A ➝ 173.194.121.36
DNS: qwevrbyitntbyjdtyhvsdtrhr.com Type: A ➝ 198.74.50.135
DNS: yeiolertxwerh.com Type: A ➝ 208.73.211.174
DNS: yeiolertxwerh.com Type: A ➝ 208.73.211.233
DNS: yeiolertxwerh.com Type: A ➝ 208.73.211.235
DNS: yeiolertxwerh.com Type: A ➝ 208.73.211.246
DNS: yeiolertxwerh.com Type: A ➝ 208.73.210.219
Flows TCP: 192.168.1.1:1033 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1034 ➝ 173.194.121.35:80
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 198.74.50.135:443
Flows TCP: 192.168.1.1:1037 ➝ 198.74.50.135:443
Flows TCP: 192.168.1.1:1038 ➝ 208.73.211.174:443
Flows TCP: 192.168.1.1:1039 ➝ 208.73.211.174:443


Strings:
d1..
P 
\
.. 
.;&
W
A
..
040904B0
1.26
 2005 - 2009 Nir Sofer
CompanyName
Copyright 
dllexp.exe
DLL Export Viewer
FileDescription
FileVersion
         (((((                  H
InternalName
LegalCopyright
MS Shell Dlg
NirSoft
OriginalFilename
ProductName
ProductVersion
StringFileInfo
SysTreeView32
Translation
VarFileInfo
VS_VERSION_INFO
=$=:=\=
0#1\1e1
0/1K1i1
0B=PiB
0!|DlP
0FXDs	
	0G0T0\0
&0qR-I
`0rCVt,
(1`,&}
1"1-1`1
1"1I1Q1
13jqEvB
=1>C>a>
"1CWQh
1h;(>{
1h&-oqB
1T:@-B
222?2p2
22282L2l2r2
222Q2W2p2
2+2Oiz}Ye
23272e2w2
2-3;3H3{3
2 d4cqr
2=Fkag
2M/^zN
2ofZ:3u!u
2q<OR(
304:4u4
314e4p4
3"3G3i3y3
3*4Y4d4i4
3d7fuG
]3}'ni
3}&v|i
3W3[3e3
404W4m4
4:4B4p4
4.5K5j5
4	69@Qh
{4~|CF
,\4#fC
4jt	&d
4Q4\4p4
4RKMl@e
5*5P5w5
5$6N6x6
5Af^{/
5b>;2r
5D5d5|5
5L6P6f6
5oIwo 2
5=r7H}
"5rfFO
5t/GIyW
)'5W@%V
6@6L6W6]6f6
6*737M7
6!7E7~7
>&?6?E?s?
6F7i7n7
6#~iN1
6L6k6v6
6	Ocv*
6Ot.n^a
:6;?;r;
;6;U;j;x;
6Xf?S>E
708_8m8
@75_Gm \
7"7\7{7
7'7D7f7z7
7,7Q7z7
+7B`:<
?7?G?f?{?
:7My-%
839N9`9
8/888]8
8'8I8t8
8!9?9\9
8_E ,P
<	=8=m=
*8nMv0
9#:3:A:Z:
989H9v9
9*9I9f9n9|9
9C"sw#^_O
9#:J:p:
9K9_9y9
9*:K:j:
A0_0h0
a9i/^?
abnormal program termination
ae/<Md
AE}YO5a!
=(>A>F>m>
(al0S2(
aL9O=K
apm"DW
];%&at
au#TB2'
b1GHCk-
~\b<cw2
BeginDeferWindowPos
:B:G:[:z:
?'?b?j?
	B.@'j
bnBF!F
+b|nN8
b`n"pWP,0V0t
b, of	7l
bqU{yR-h;L
btHHt.
"BUo=p
]bVlKC
~?C2-1.
C6zC{hh
CheckMenuRadioItem
c\hkES
Cl6w^#
CLk	Vg
CloseHandle
CP2@,t
cpf9:7
CreateFileA
CreateMenu
CRxC(E`
C-x8a\/
@.data
*d%cCr1_
DcV;vH
DeferWindowPos
D"~h3f
d@ *Hc
DispatchMessageW
DOMAIN error
d|S-B]
DSUVWh
?"eaoR
eH0?{K?
eJYJVg
ek|GWZE
EndDeferWindowPos
,#>E~'Ne`
EnumChildWindows
Ep^	7$
EQM%6)
ExitProcess
ExitWindowsEx
E{Y{`0
f"+?5;
FCYIq*
FH{n{i
FindCloseChangeNotification
FindFirstFileW
FindNextFileW
FindWindowA
- floating point not loaded
FlushFileBuffers
}fm!5d
/fQabasysobi
FreeEnvironmentStringsA
FreeEnvironmentStringsW
fs US9
*)FvmsG
#_FX]m%
=F=Y=^=n=
G5g~Lo
g6}zH`
G#C&*"
Geqagefujez
GetACP
GetActiveWindow
GetClassNameA
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetDiskFreeSpaceW
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileTime
GetFileType
GetKeyNameTextA
GetLastActivePopup
GetLastError
GetLocaleInfoW
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetTimeFormatA
GetVersion
GetVersionExW
GetVolumeInformationW
GetWindowTextLengthW
GetWindowTextW
( GGTL9YD
>G.+HN.uz
GlobalAlloc
GlobalFree
GlobalLock
{?}"[=H
h+0C~H
h8W8#$
HeapAlloc
HeapCompact
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapWalk
H"~k'R
H]r[]B
Hutaneqylafi
+;hY)%
I8'`g#
](il	H
IndRYtg
InterlockedExchange
IsBadReadPtr
IsWindowEnabled
IX#%e+
{JDgZ$
Jg0t/dn
jpm{'Q
_/k1|j
k4k/yb
K@DaK.
K+'["E
*k:E*"g
KERNEL32.dll
k'hy7m
'kK[.4
KOXjUb9y
KzKz9W
?;?[?l?
L(}9}	
,La0s`
LCMapStringA
LCMapStringW
LHVkkh
L<?I-h
#lJw'h
LoadCursorA
LoadLibraryA
*lTHF8Pm`W;
MessageBoxA
Microsoft Visual C++ Runtime Library
MulDiv
MultiByteToWideChar
<!=n=}=
>'>N>~>
%-!N|::
%|n0xt
+N%2/	
;n6+^zF/}
NcK)VG
]+N.I&
nLRl$EY$b
Nocytuha
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
N; /	R
nT\{?uXms
=*=_=o=
O[4}j\r
o%guK;
OmN-&?
OpenProcess
O"|RvyH
oT.YqC
oZ36_[
;P,0`+
~p97BS
pmy}t1.
p+q8t;
Program: 
<program name unknown>
- pure virtual function call
Q0A#6&
:q#%#b
"qf: V
Qi{.k7
:QlD8$
qM$8kXal
 q*Mbz
Q]RWW3
;/<Q<u<
QueryPerformanceFrequency
}q$|zLM&Z
(R162@	`
R-2e@r
r*c2AM
.rdata
ReadFile
RegisterHotKey
RegisterWindowMessageW
@.reloc
RemoveDirectoryW
rh7KZA
_$Rich
+^RMsf
?rRD'g
Rr)s@P
RtlUnwind
R{TVr9L
rU/:e]
runtime error 
Runtime Error!
'rZvGq
"s0!3c
S0q\Bn
s9,rwc>q
sD BqI
SetEndOfFile
SetFilePointer
SetHandleCount
SetStdHandle
Sg$34(
ShowWindow
;s/i4$`
SING error
SS@SSPVSS
<)S%Ux
T90wm-
tDM:-0
TerminateProcess
?T?g?n?
!This program cannot be run in DOS mode.
t-Ht!Ht
t=IANq
tI H&M
TLm~hz
TLOSS error
TlsAlloc
TlsGetValue
TranslateMessage
t#SSUP
t.;t$$t(
Tuj#&n
t$$VSS
TW^	-,
T;ys>f
U(34.e
'u-3 z
|uDJ^/
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UnregisterHotKey
UOww]%
UpdateWindow
USBb;n
user32.dll
USER32.dll
VC20XC00U
[Vc	 y
VirtualAlloc
VirtualFree
+(Vm:0
(*WAF,
w>g"(r
WG%uj:
WideCharToMultiByte
WoaAaC
WPKAdy])
WriteConsoleA
WriteFile
WrKj[q)
WS2_32.dll
WSAConnect
WSACreateEvent
WSAGetOverlappedResult
WSASocketA
;$;+;X;
X5w$)e
x8|adD
x8)?BH
%XBr.|
xcAn5!
)=Xp1JI
XPQPEI,|3B=K_
XU^6OQ
y6cWPc
y!762<
y@ayX)
?Y_BWF
 Yea{F
Yfirovefu
(ynD@5I
_^][YY
+Z[({1
z16:e9
Z*Hf~~
zMBome
ZVg:"m
 ,z;"vw/U5