Analysis Date: 2015-05-09 11:33:35
MD5: 935dd6cbaa2a28fdbf446a7f1b8b4754
SHA1: 88e25830b2e019481e140a8ab7940a603053d04f

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: ce1dc5be7c18ca0e842de14c460fcbab sha1: 78788b0c0e9c7cdb16eeac5eac4524fe09514e59 size: 27136
Section .rdata md5: 830ebffe4c9e0baba9958e6e3183f82b sha1: 712e309401e9721d3d5e1ae7f89fe54fe51c416a size: 7680
Section .data md5: 4cfefb19cc26a49b4d0d0181167ac087 sha1: d79c7d2a5e01a4bdda52f3299c552861ecaeeaaf size: 125952
Section .rsrc md5: 296069b44869ecea46f33351ee0ad7a7 sha1: 2f6a46d536cffe366812d39c97fb205feff74dd5 size: 4096
Section zbtyetf md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Timestamp: 1999-02-15 02:04:48
Version:
LegalCopyright: © Microsoft Corporation. All rights reserved.
InternalName: p2p.dll
FileVersion: 5.1.2600.5512 (xpsp.080413-0852)
ProductName: Microsoft® Windows® Operating System
ProductVersion: 5.1.2600.5512
FileDescription: Peer-to-Peer Grouping
Packer: Microsoft Visual C++ 7.0
PEhash: b550e313468606df74a846e33d4a4e17bfd1cffd
IMPhash: 7419b525a1a8301742917ca7c4668fd7
AV Ad-Aware: Gen:Variant.Carberp.2
AV Alwil (avast): Vitro:Win32:Vitro
AV Arcabit (arcavir): Gen:Variant.Carberp.2
AV Authentium: W32/Carberp.C.gen!Eldorado
AV Avira (antivir): Worm/Agent.AY.1
AV BitDefender: Gen:Variant.Carberp.2
AV BullGuard: Gen:Variant.Carberp.2
AV CA (E-Trust Ino): Win32/Ramnit.EKGfNMC
AV CAT (quickheal): Trojan.Zbot.Y4
AV ClamAV: Win.Trojan.Agent-57575
AV Dr. Web: Trojan.Starter.1591
AV Emsisoft: Gen:Variant.Carberp.2
AV Eset (nod32): Win32/Ramnit.K virus
AV Fortinet: W32/SpyEyes.LBN!tr.spy
AV Frisk (f-prot): W32/Carberp.C.gen!Eldorado
AV F-Secure: Gen:Variant.Carberp.2
AV Grisoft (avg): PSW.Generic8.BBFI
AV Ikarus: Gen.Variant.Nebuler
AV K7: Trojan ( 003c36381 )
AV Kaspersky: Trojan.Win32.Generic
AV MalwareBytes: Spyware.Zbot.ED
AV Mcafee: PWS-Spyeye.x
AV Microsoft Security Essentials: Trojan:Win32/Ramnit.A
AV MicroWorld (escan): Gen:Variant.Carberp.2
AV Padvish: no_virus
AV Rising: Trojan.Win32.Generic.13898E30
AV Sophos: Mal/Ramnit-X
AV Symantec: W32.SillyFDC
AV Trend Micro: TSPY_SPYEYE.SMQW
AV Twister: Trojan.FAD318790F559428
AV VirusBlokAda (vba32): MalwareScope.Trojan-PSW.Pinch.9

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝ C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\qcvbfpbp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Program Files\huettqja\px3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69C5E1D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69A461D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝ NULL
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\atl.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXSLE.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko04.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo06.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko03.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXE16SharedExpat.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\ACE.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko05.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo03.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo05.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\esdupdate.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo04.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Forms01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXE8SharedExpat.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review05.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo00.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review10.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\edb1drv.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AXEParser.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\edb500x.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\agldt28l.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Engineering07.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review11.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo08.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review01.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review09.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review06.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo07.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\epic_eula.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\BIB.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Esl\AiodLite.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review04.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Acrofx32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AGM.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\CoolType.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review08.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\Browser\nppdf32.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review07.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review03.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\HowTo02.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\eularesen_US.dll
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Hanko.html
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeLinguistic.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates File: C:\Program Files\Adobe\Acrobat 7.0\Reader\HowTo\ENU\Review.html
Creates Mutex: {37FFF8CE-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69AF21D45}

Network Details:

DNS: google.com
Type: A
216.58.219.110
DNS: awrcaverybrstuktdybstr.com
Type: A
109.74.196.143
DNS: awecerybtuitbyatr.com
Type: A
109.74.196.143
DNS: qwevrbyitntbyjdtyhvsdtrhr.com
Type: A
198.74.50.135
Flows TCP: 192.168.1.1:1032 ➝ 216.58.219.110:80
Flows TCP: 192.168.1.1:1033 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1034 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1037 ➝ 198.74.50.135:443
Flows TCP: 192.168.1.1:1038 ➝ 198.74.50.135:443

Strings