Analysis Date: 2014-12-20 00:00:57
MD5: 4ec3aa878e9ec3b08c30975513ff3010
SHA1: 00f5b03dde2873036164bbd847b42a7c7a40aabf

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9dfc1bc55ef90dfdde51b4a47a602ee6 sha1: 70482c9619b46162087bd559ad65a1d91515cc17 size: 23552
Section .rdata md5: 5801d712ecba58aa87d1e7d1aa24f3aa sha1: 0ec4a63131e982d6c2f062510def1c9cc9289b04 size: 4608
Section .data md5: f1bf988467c2a1fe94575f6d3e66d158 sha1: ab35d7dd69e376ddce14c176e377cd791a67bb3f size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (raw size 0, so these are simply the hashes of empty input, as expected for the NSIS stub's uninitialized .ndata section; they carry no identifying value)
Section .rsrc md5: 632a640d110680770e08c3d06e56d305 sha1: 0765c8522bb1c7df22e44d3a838b01662b09dce0 size: 8192
Timestamp: 2014-05-11 20:03:36
Version LegalCopyright: Copyright (C) 2011 Flexera Software, Inc. and/or InstallShield Co. Inc. All Rights Reserved.
FileVersion: 1.00.0000.3
CompanyName: HTC
ProductName: RUU
ProductVersion: 1.00.0000.3
FileDescription: InstallScript Setup Launcher
Packer: Nullsoft PiMP Stub -> SFX (NSIS installer stub; note that the version resource above claims an InstallShield launcher from HTC, which does not match the Nullsoft.NSIS.exehead manifest and NSIS error/progress strings found in the binary — the version information appears to be spoofed to pass as an HTC "RUU" installer and should not be treated as a trust signal)
PEhash: bd0cc7366ee60c62365cc166daecbcaac762505a
IMPhash: 59a4a44a250c4cf4f2d9de2b3fe5d95f
AV 360 Safe: Trojan.GenericKD.2030102
AV Ad-Aware: Trojan.GenericKD.2030102
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2030102:Trojan.GenericKD.2030084
AV Authentium: no_virus
AV Avira (antivir): TR/Dropper.A.34137
AV BullGuard: Trojan.GenericKD.2030102
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.2030102
AV Eset (nod32): Win32/Injector.BRJO
AV Fortinet: W32/Kryptik.CKFX!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2030102
AV Grisoft (avg): Inject2.BIGW
AV Ikarus: Trojan.Agent
AV K7: no_virus
AV Kaspersky: Trojan.NSIS.Agent.em
AV MalwareBytes: Trojan.Malpack
AV Mcafee: RDN/Generic.dx!dhn
AV Microsoft Security Essentials: VirTool:Win32/DelfInject.gen!BI
AV MicroWorld (escan): Trojan.GenericKD.2030102
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\livener.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsg2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\livener.ayh
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp\livener.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsw1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse3.tmp
Creates Process: C:\malware.exe (the stub re-launches its own image; the ns*.tmp paths match the NSIS plugin-extraction pattern, so livener.dll is presumably the dropped loader/payload and livener.ayh its companion data file — the DLL is deleted again before the child process starts, so it must be captured from the temp directory during execution rather than afterwards; livener.ayh is not listed as deleted and may remain on disk)

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\3d08_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 180 (dwwin.exe is the Windows XP-era Dr. Watson crash reporter; its launch together with the *_appcompat.txt file indicates this second malware.exe instance crashed rather than completing — whether due to an anti-analysis check or a failed injection cannot be determined from this report, so the lack of further behaviour should not be read as the sample being benign)

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 180

Network Details: (no connections are listed for this run; since the second process crashed, this more likely reflects incomplete execution than an absence of network capability)


Raw Pcap

Strings (the API names below — AdjustTokenPrivileges, ExitWindowsEx, SeShutdownPrivilege, the registry, file and shell functions — are the stock import set of the NSIS exehead stub, as are the "NSIS Error" / "verifying installer" / "unpacking data" messages and the Nullsoft.NSIS.exehead manifest, which requests only asInvoker execution; they describe the installer wrapper, not the dropped livener.dll payload, whose strings are not part of this listing)
 " "0x\
lE
000004e4
1.00.0000.3
3f333
CompanyName
Copyright (C) 2011 Flexera Software, Inc. and/or InstallShield Co. Inc. All Rights Reserved.
fff3f
FileDescription
FileVersion
InstallScript Setup Launcher
LegalCopyright
msctls_progress32
MS Shell Dlg
ProductName
ProductVersion
StringFileInfo
SysListView32
Translation
VarFileInfo
VS_VERSION_INFO
*?|<>/":
07SNKc
("0bJf
+0EMkM
1-}1a!
2s/|v?HB
+2Z&o6y
38a[OOj(
3h#{0>I
3H5i]j
'3qV(F
<4@4_b
4A"z%`l
=4SajSGo
^5D\gz
5g?_aO!
5{+%j};
5pZGJI
5Y%D,f-
5Z57o=z
6b~N1E
6.yrGr
7eItp3j
7EWm=o
(7FZ}J:;w
-7p1f".
7pn^@$
>$82-z
87fjSx
<8O&U=
=9%62`
9$8\e,
>,9d,X
%A@4I%
~/A4qL
A^|_a%kF+
'/AB"Y
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
:-~ApB
AppendMenuA
a'Qde'
baoydA
BeginPaint
bJq>6k
bKnO!?
#BP-el
b]w~K2
C	"]?<
c:2q45i
CallWindowProcA
CeKp;ka
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CP6cAK
@Cq#48jg
CR4UGP3
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
%~cxfn
^+>CXv
... %d%%
@.data
dC(b){
D$$+D$
D$,+D$$P
d{D	^Q
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
^.#%%"Dl
dl^l6;}@
DrawTextA
D$,SPS
eeeAAee
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
E@N*^u
!EQYK4d
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
ev~+Kf/
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
$"\f)$
f!Fay#
^FG%a4
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
fiw!@ew,M
Fm]dQ+
@	f=mX
FreeLibrary
FStT%4
<fU4$\W
	*fvZ-X
Fz=[]kG
G3_EHFt"
ga.QL+
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
gL\8k=
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
GY~4xH
*H\;>-
h|E)_5
[hfSB~:{g
-hiq^2
H[nt)&
H]o^)H
$H\* SD
ht	pzm-~]
http://nsis.sf.net/NSIS_Error
I7>w7W
ICbZ[DK
I[:=Ex
@iGZ	X
	#/ii9
ikK.&U
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
iPzE>_
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
jaXU(&
}j[B00
J!n'ov
;+]k]]
K4wS?A6
KERNEL32
KERNEL32.dll
K}HzE.
kL(g$If"
KPlN\A6
@=K~.:S
kwLz`HP,m
lj.CkE
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
LvSLI@
Lz(A^U
m+^]Ds
Mdvs*I
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
mmhMG~
^m-N]|
More information at:
MoveFileA
MoveFileExA
MpADtro
MulDiv
MultiByteToWideChar
n-+2@4*z
?N=56[
N!+5&P
.ndata
NoD+QO(E
n++oWj3
NQ#:3R
NSIS Error
~nsu.tmp
NullsoftInst
NulluM	E
ogJk"&
%Okj},
ole32.dll
OleInitialize
OleUninitialize
]O]MZ0
ooHiax
OpenClipboard
OpenProcessToken
OTg15W
O=UlFR
}OxdEK
PeekMessageA
PiyE0=
pO^~#H
PostQuitMessage
PPPPPP
$^|Q;&
Q1-/%,
q 8._%2
QA/$i]
#	Q(bTL{
q'\+d6
Q*'mF7\
QS2o$. 
qW[_Yp
QYRV:&G
r0@a6!6
`,,r\2
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemoveDirectoryA
[Rename]
RichEd20
RichEd32
RichEdit
RichEdit20A
_>RsPxY
}S8$kq2c
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetEnvironmentVariableA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
sH?P_l)M
Sm/@v]
softuV
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
SY8(_V
SystemParametersInfoA
TA;u|ww
TFAm&,
TGUBg} 
!This program cannot be run in DOS mode.
Ti..P]
t?JpmlW
_^[t	P
tpZmn'I
TrackPopupMenu
u49-l7B
=u4eQv
-u	6be
$U[a~5
unpacking data: %d%%
USER32.dll
%u.%u%s%s
uuTxi3
Uu[X?z
uVwL1_l
U`Ypob
&v"5y\
V';|AM
verifying installer: %d%%
VerQueryValueA
VERSION.dll
#VhB+@
	vJ=KQ
-V)lL*n
;%VS_m
WaitForSingleObject
Wc|WAH
WD<_Ym
:W@,R'
WriteFile
WritePrivateProfileStringA
wsprintfA
x8^PH\;
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
X#Tu<A
yXWuQ:
Y\z8HP
_y~z>fv_
Z0FN;>v
zbnkrMw$b
#Zffp5
ZHf-A$e
zI(0Nv
*Z>>s6j