Analysis Date: 2014-02-11 04:33:14
MD5: daea13747a7dff375ced5b7acabdc99f
SHA1: e333cec1693a999924564318bd46921a55f9edfd

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ff197c6451ec92bb91fd7cea71f7da50 sha1: b3ef933d4846bb5173b639a22288eb92eda213a9 size: 48640
Section .rdata: md5: 3de9e8120accdc1d289ea002b9abef2e sha1: de22fc24ddb52aad1318ce49db7b90f640dc28aa size: 50688
Section .data: md5: 81a9d6fff87b8c0ae3f74830854a0f70 sha1: 5b4b8fc2b1e52b38b74d13a40675759d34a4b60e size: 52736
Section .rsrc: md5: 643791ac8738cf868a2bc10c7b8583b3 sha1: 3d3d6ef054b7cfff246291b0e68825cb6c3a30b1 size: 1536
Section .reloc: md5: 1ad6355bd572b4075751ad629c4683af sha1: af722e9469032fc90d27e334a7a77a4bb81cc256 size: 2560
Timestamp: 2002-07-03 08:37:01
Version: LegalCopyright: Copyright © 2005 - 2009 Nir Sofer
InternalName: DLL Export Viewer
FileVersion: 1.26
CompanyName: NirSoft
ProductName: DLL Export Viewer
ProductVersion: 1.26
FileDescription: DLL Export Viewer
OriginalFilename: dllexp.exe
Packer: Microsoft Visual C++ v6.0
PEhash: 9de7eb78633183808cc1c58e3c0c6070a30d561d
AV avg: Win32/Cryptor
AV msse: Trojan:Win32/Ramnit.C
AV clamav: Trojan.Lebag-13
AV avira: TR/Dropper.Gen
AV mcafee: RDN/Autorun.worm!dg

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM2.tmp

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Creates Mutex: {37FFFC62-FE56-017C-F492-53D6995A1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69B161D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D699FE1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69A3A1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D697E21D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69A2E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D697921D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D695AA1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D696DA1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D698FA1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D698CA1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6963E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6981A1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69CE21D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6984E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69A5E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D699DE1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D69AB61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69C921D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D697CA1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D6980E1D45}
Creates Mutex: {37FFFC62-FE56-017C-F492-53D699A21D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit ➝
C:\WINDOWS\system32\userinit.exe,,C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: C:\Program Files\huettqja\pbvjeqsq.exe
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Program Files\huettqja\px3.tmp
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\Startup\pbvjeqsq.exe
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\qcvbfpbp.log
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Deletes File: C:\Program Files\huettqja\px3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\~TM4.tmp
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6963E1D45}
Creates Mutex: {37FFEB21-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0\1201 ➝
NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20130508_125854937.html
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Reader9\Setup.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\Adobe\Reader 9.3\Setup Files\Setup.exe
Creates Mutex: {37FFF8CE-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6984E1D45}

Process
↳ Pid 492

Process
↳ \??\C:\WINDOWS\system32\csrss.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D697CA1D45}

Process
↳ \??\C:\WINDOWS\system32\winlogon.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D697E21D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\services.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D6980E1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\lsass.exe

Creates File: \Device\Afd\Endpoint
Creates File: UNC\WORKGROUP*\MAILSLOT\NET\NETLOGON
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D6981A1D45}
Winsock DNS: 192.168.1.1

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D698CA1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D698FA1D45}

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝
NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699A21D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699FE1D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69A5E1D45}

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝
NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝
7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝
NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝
C:\WINDOWS\System32\spool\PRINTERS\\x00
Creates File: PIPE\lsarpc
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69AB61D45}

Process
↳ C:\WINDOWS\System32\alg.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69CE21D45}

Process
↳ C:\WINDOWS\Explorer.EXE

Creates Mutex: {37FFF72F-FE56-017C-F492-53D696DA1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe

Creates Mutex: {37FFF72F-FE56-017C-F492-53D6995A1D45}
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}

Process
↳ C:\WINDOWS\system32\svchost.exe

Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D69A2E1D45}

Process
↳ Pid 1172

Process
↳ C:\WINDOWS\System32\rundll32.exe

Creates File: PIPE\lsarpc
Creates Mutex: {37FFF118-FE56-017C-F492-53D695A61D45}
Creates Mutex: {37FFF72F-FE56-017C-F492-53D699DE1D45}

Network Details:

DNS: awecerybtuitbyatr.com
Type: A
109.74.196.143
DNS: google.com
Type: A
173.194.34.160
DNS: google.com
Type: A
173.194.34.169
DNS: google.com
Type: A
173.194.34.162
DNS: google.com
Type: A
173.194.34.174
DNS: google.com
Type: A
173.194.34.168
DNS: google.com
Type: A
173.194.34.161
DNS: google.com
Type: A
173.194.34.166
DNS: google.com
Type: A
173.194.34.167
DNS: google.com
Type: A
173.194.34.164
DNS: google.com
Type: A
173.194.34.163
DNS: google.com
Type: A
173.194.34.165
DNS: awecerybtuitbyatr.com
Type: A
109.74.196.143
DNS: qwevrbyitntbyjdtyhvsdtrhr.com
Type: A
198.74.50.135
Flows TCP: 192.168.1.1:1033 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1034 ➝ 173.194.34.160:80
Flows TCP: 192.168.1.1:1035 ➝ 109.74.196.143:443
Flows TCP: 192.168.1.1:1036 ➝ 198.74.50.135:443


Strings
d1..
P 
\
.. 
.;&
W
A
..
040904B0
1.26
 2005 - 2009 Nir Sofer
CompanyName
Copyright 
dllexp.exe
DLL Export Viewer
FileDescription
FileVersion
         (((((                  H
InternalName
LegalCopyright
MS Shell Dlg
NirSoft
OriginalFilename
ProductName
ProductVersion
StringFileInfo
SysTreeView32
Translation
VarFileInfo
VS_VERSION_INFO
=$=:=\=
0#1\1e1
0/1K1i1
0B=PiB
0!|DlP
0FXDs	
	0G0T0\0
&0qR-I
`0rCVt,
(1`,&}
1"1-1`1
1"1I1Q1
13jqEvB
=1>C>a>
"1CWQh
1h;(>{
1h&-oqB
1T:@-B
222?2p2
22282L2l2r2
222Q2W2p2
2+2Oiz}Ye
23272e2w2
2-3;3H3{3
2 d4cqr
2=Fkag
2M/^zN
2ofZ:3u!u
2q<OR(
304:4u4
314e4p4
3"3G3i3y3
3*4Y4d4i4
3d7fuG
]3}'ni
3}&v|i
3W3[3e3
404W4m4
4:4B4p4
4.5K5j5
4	69@Qh
{4~|CF
,\4#fC
4jt	&d
4Q4\4p4
4RKMl@e
5*5P5w5
5$6N6x6
5Af^{/
5b>;2r
5D5d5|5
5L6P6f6
5oIwo 2
5=r7H}
"5rfFO
5t/GIyW
)'5W@%V
6@6L6W6]6f6
6*737M7
6!7E7~7
>&?6?E?s?
6F7i7n7
6#~iN1
6L6k6v6
6	Ocv*
6Ot.n^a
:6;?;r;
;6;U;j;x;
6Xf?S>E
708_8m8
@75_Gm \
7"7\7{7
7'7D7f7z7
7,7Q7z7
+7B`:<
?7?G?f?{?
:7My-%
839N9`9
8/888]8
8'8I8t8
8!9?9\9
8_E ,P
<	=8=m=
*8nMv0
9#:3:A:Z:
989H9v9
9*9I9f9n9|9
9C"sw#^_O
9#:J:p:
9K9_9y9
9*:K:j:
A0_0h0
a9i/^?
abnormal program termination
ae/<Md
AE}YO5a!
=(>A>F>m>
(al0S2(
aL9O=K
apm"DW
];%&at
au#TB2'
b1GHCk-
~\b<cw2
BeginDeferWindowPos
:B:G:[:z:
?'?b?j?
	B.@'j
bnBF!F
+b|nN8
b`n"pWP,0V0t
b, of	7l
bqU{yR-h;L
btHHt.
"BUo=p
]bVlKC
~?C2-1.
C6zC{hh
CheckMenuRadioItem
c\hkES
Cl6w^#
CLk	Vg
CloseHandle
CP2@,t
cpf9:7
CreateFileA
CreateMenu
CRxC(E`
C-x8a\/
*d%cCr1_
DcV;vH
DeferWindowPos
D"~h3f
d@ *Hc
DispatchMessageW
DOMAIN error
d|S-B]
DSUVWh
?"eaoR
eH0?{K?
eJYJVg
ek|GWZE
EndDeferWindowPos
,#>E~'Ne`
EnumChildWindows
Ep^	7$
EQM%6)
ExitProcess
ExitWindowsEx
E{Y{`0
f"+?5;
FCYIq*
FH{n{i
FindCloseChangeNotification
FindFirstFileW
FindNextFileW
FindWindowA
- floating point not loaded
FlushFileBuffers
}fm!5d
/fQabasysobi
FreeEnvironmentStringsA
FreeEnvironmentStringsW
fs US9
*)FvmsG
#_FX]m%
=F=Y=^=n=
G5g~Lo
g6}zH`
G#C&*"
Geqagefujez
GetACP
GetActiveWindow
GetClassNameA
GetCommandLineA
GetCPInfo
GetCurrentProcess
GetCurrentProcessId
GetDiskFreeSpaceW
GetEnvironmentStrings
GetEnvironmentStringsW
GetFileTime
GetFileType
GetKeyNameTextA
GetLastActivePopup
GetLastError
GetLocaleInfoW
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetTimeFormatA
GetVersion
GetVersionExW
GetVolumeInformationW
GetWindowTextLengthW
GetWindowTextW
( GGTL9YD
>G.+HN.uz
GlobalAlloc
GlobalFree
GlobalLock
{?}"[=H
h+0C~H
h8W8#$
HeapAlloc
HeapCompact
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapWalk
H"~k'R
H]r[]B
Hutaneqylafi
+;hY)%
I8'`g#
](il	H
IndRYtg
InterlockedExchange
IsBadReadPtr
IsWindowEnabled
IX#%e+
{JDgZ$
Jg0t/dn
jpm{'Q
_/k1|j
k4k/yb
K@DaK.
K+'["E
*k:E*"g
KERNEL32.dll
k'hy7m
'kK[.4
KOXjUb9y
KzKz9W
?;?[?l?
L(}9}	
,La0s`
LCMapStringA
LCMapStringW
LHVkkh
L<?I-h
#lJw'h
LoadCursorA
LoadLibraryA
*lTHF8Pm`W;
MessageBoxA
Microsoft Visual C++ Runtime Library
MulDiv
MultiByteToWideChar
<!=n=}=
>'>N>~>
%-!N|::
%|n0xt
+N%2/	
;n6+^zF/}
NcK)VG
]+N.I&
nLRl$EY$b
Nocytuha
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
N; /	R
nT\{?uXms
=*=_=o=
O[4}j\r
o%guK;
OmN-&?
OpenProcess
O"|RvyH
oT.YqC
oZ36_[
;P,0`+
~p97BS
pmy}t1.
p+q8t;
Program: 
<program name unknown>
- pure virtual function call
Q0A#6&
:q#%#b
"qf: V
Qi{.k7
:QlD8$
qM$8kXal
 q*Mbz
Q]RWW3
;/<Q<u<
QueryPerformanceFrequency
}q$|zLM&Z
(R162@	`
R-2e@r
r*c2AM
`.rdata
ReadFile
RegisterHotKey
RegisterWindowMessageW
@.reloc
RemoveDirectoryW
rh7KZA
_$Rich
+^RMsf
?rRD'g
Rr)s@P
RtlUnwind
R{TVr9L
rU/:e]
runtime error 
Runtime Error!
'rZvGq
"s0!3c
S0q\Bn
s9,rwc>q
sD BqI
SetEndOfFile
SetFilePointer
SetHandleCount
SetStdHandle
Sg$34(
ShowWindow
;s/i4$`
SING error
SS@SSPVSS
<)S%Ux
T90wm-
tDM:-0
TerminateProcess
?T?g?n?
!This program cannot be run in DOS mode.
t-Ht!Ht
t=IANq
tI H&M
TLm~hz
TLOSS error
TlsAlloc
TlsGetValue
TranslateMessage
t#SSUP
t.;t$$t(
Tuj#&n
t$$VSS
TW^	-,
T;ys>f
U(34.e
'u-3 z
|uDJ^/
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
UnhandledExceptionFilter
UnregisterHotKey
UOww]%
UpdateWindow
USBb;n
user32.dll
USER32.dll
VC20XC00U
[Vc	 y
VirtualAlloc
VirtualFree
+(Vm:0
(*WAF,
w>g"(r
WG%uj:
WideCharToMultiByte
WoaAaC
WPKAdy])
WriteConsoleA
WriteFile
WrKj[q)
WS2_32.dll
WSAConnect
WSACreateEvent
WSAGetOverlappedResult
WSASocketA
;$;+;X;
X5w$)e
x8|adD
x8)?BH
%XBr.|
xcAn5!
)=Xp1JI
XPQPEI,|3B=K_
XU^6OQ
y6cWPc
y!762<
y@ayX)
?Y_BWF
 Yea{F
Yfirovefu
(ynD@5I
_^][YY
+Z[({1
z16:e9
Z*Hf~~
zMBome
ZVg:"m
 ,z;"vw/U5