Analysis Date: 2014-12-14 23:35:49
MD5: 7b15662a6c7eeec745752ac6b5951404
SHA1: 00f6878a8d53de709f78c08901b9d91ef33d4fb1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  — md5: e50f4a1111bafdc813b1f7ec153b8ea9 sha1: d76ecf708f8d7fa01b6b2b67d87d5f51c3cdbd48 size: 23552
Section .rdata — md5: 640f709ec19b4ed0455a4c64e5934d5e sha1: d6d6f4b1df06241f6513312657979c184006a044 size: 4608
Section .data  — md5: 54c75104a38a6f79dc7a8d3b020a9139 sha1: 27a00068376a93d3d30f81f065267042898dfdbb size: 1024
Section .ndata — md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (zero raw size; these are the digests of empty input)
Section .rsrc  — md5: 672c9ffbf996b82b066ce4fa18c82db8 sha1: b93d4295c9781044cfe51f792a07459cadf7aaf1 size: 8192
Timestamp: 2014-05-11 20:03:30
Version resource:
LegalCopyright: Copyright (c) Microsoft Corporation. All rights reserved.
FileVersion: 4.9.0.0904
CompanyName: Microsoft Corporation
ProductName: Microsoft® DirectX for Windows®
ProductVersion: 4.9.0.0904
FileDescription: Microsoft DirectX Setup
Packer: Nullsoft PiMP Stub -> SFX (NSIS self-extractor; the version resource above presents the file as Microsoft DirectX Setup, while the embedded manifest in the strings below identifies it as Nullsoft.NSIS.exehead — the metadata does not describe the actual binary)
PEhash: bd0cc7366ee60c62365cc166daecbcaac762505a
IMPhash: e160ef8e55bb9d162da4e266afd9eef3
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.2021801
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2021801:Trojan.GenericKD.2021798
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: Trojan.GenericKD.2021801
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.2021801
AV Eset (nod32): Win32/Injector.BRBR
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2021801
AV Grisoft (avg): Inject2.BHQS
AV Ikarus: Trojan.Win32.Injector
AV K7: no_virus
AV Kaspersky: Trojan.NSIS.Inject.at
AV MalwareBytes: Trojan.Agent.ED
AV Mcafee: RDN/Generic.bfr!hy
AV Microsoft Security Essentials: VirTool:Win32/DelfInject.gen!CP
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: Troj/Agent-AKRB
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\corsetry.wkn
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh2.tmp\corsetry.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nss1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh2.tmp\corsetry.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsh2.tmp
Creates Process: C:\malware.exe (the sample launches a second copy of itself; the dropped corsetry.dll is removed again before that process is observed)

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\4772_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 184 (an *_appcompat.txt file plus a dwwin.exe launch is the Windows crash-reporting path, so this second instance appears to have crashed in the sandbox rather than completing its payload — unconfirmed; no later behaviour is recorded)

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 184

Network Details: (none recorded in this run)



Strings
 " "0x\
E
000004e4
4.9.0.0904
CompanyName
Copyright (c) Microsoft Corporation. All rights reserved.
 DirectX for Windows
FileDescription
FileVersion
LegalCopyright
Microsoft
Microsoft Corporation
Microsoft DirectX Setup
msctls_progress32
MS Shell Dlg
ProductName
ProductVersion
StringFileInfo
SysListView32
Translation
VarFileInfo
VS_VERSION_INFO
??[~]{
*?|<>/":
0R0'`}T
1thUE%
^2*6|}
})2U/6a
-32lv<
!3>4k	|+Z
3~u<"u7
3\>.Uy
#41:5I
4d*}&y
4.Fedt
4IAxHoZm
4Po12N
4R2'[Vg6
4Y&yEE
:5fNPE}
6H@Kkr
>')7 1}
79/pTr
7=$f1n
7mAh!'2V
7	qmTBh
7t;=|$
'8)D4e3T
'/=8V:
9|07,)
:{*9Xc
~'A8 t
a`9%X8+;z
AA^xbB%
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
aKw(cD
<Apcd5lv
AppendMenuA
A]Y	';
b^0"95
 ]BdK|
BeginPaint
(Bg|07
#B.<Ie
b[&<P:
BqhY r
__)B#s
b\uf$s
~<>BWh
c9z8d\@
CallWindowProcA
c`C(z8
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
ClVve]
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
 cr|q"
cu[%?8
c.z3B0@L
... %d%%
@.data
D$$+D$
D$,+D$$P
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
.&d&eU)
DialogBoxParamA
DispatchMessageA
D$(Ph,
d~~-R?
.DR(\?6
DrawTextA
D$,SPS
E1	Jb?
E|3;$e
&e6HVn
?Ec\[8j!o
Ei	{RA$
E@KQ~u4
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
e{^PJ[
eqhAeh
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
Es_C$Q
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
f/Qm0d
FreeLibrary
FrPoWp
g1l]]=
?G	/"6
\Gbo0O
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
G:s"ul
[h89lY$
h	!$A7]
H~DN{s
^('hK'8
http://nsis.sf.net/NSIS_Error
hy:s7@
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
$I}Tdb
,iU(-k	|
IYn1 _
J5J58P
j{.5u`)
j7@y?4*
J/JnAcMV
jk2o* q
jLAVf-
J;LxJC
JrT-3GC
!JU4l b
/JYJ1o
JY!	Kz
jzU'_1+
(~ :K?
kAw,2a
KERNEL32
KERNEL32.dll
>,k=mf
~+Kta@
=l7@p4
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
lV-6>-
L=Z9>	
}<m3~Gp0N
Macu\1
M$bde>
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
~MLjEu
More information at:
MoveFileA
MoveFileExA
mQ^fiR7l`
MulDiv
MultiByteToWideChar
Mv~E	~#
},_	$N%
N-8W.ADYhb
NAZMV(;
.ndata
;nFQk8w
ng_YNq
Noc^;5Z^
NSIS Error
~nsu.tmp
NullsoftInst
NulluN	E
]*nwloFO
}O0JY*I:>
oE*h_m
](\ol5
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
ot@FJ$1&
`#OvJnoJ
<(.p4f
p6\uzQ?:
PeekMessageA
PostQuitMessage
PPPPPP
p-QJ<R
P|r!`y
ps<z(N
"{~?Q=
?QAneC
QauD{?v
(Q(K;o
QpORIh
<Qpwfh
qwBo^C>{5Y
/"(r%2i
@r%b8g@
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemoveDirectoryA
[Rename]
\r GG{
RichEd20
RichEd32
RichEdit
RichEdit20A
rX[BA{x
SbO~Lv
ScreenToClient
{SD1=U
se29H(=S 
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetEnvironmentVariableA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
softuW
Software\Microsoft\Windows\CurrentVersion
<s`>	p+
SQSSSPW
ssbF),
SystemParametersInfoA
T3C!:^)y
|T:%c$-I}
{Tc'I [
TGm2*`
!This program cannot be run in DOS mode.
t[~-iodC_
|,t`K|\
T!}}OV
_^[t	P
t:pvWag;
TrackPopupMenu
"twFJz
<u21HS
u49-L7B
u5N%#y 
Uq@>U[
USER32.dll
%u.%u%s%s
UwIsN* ``
uWlKn~j6
%'{V1dH
v?/aiN
vc9kb-5*
verifying installer: %d%%
VerQueryValueA
VERSION.dll
vH[}p:
Vlv. "'
^Vnra6Y
[Vop[|
vr6/WT
v#VhB+@
&}%vxL
#(W0+X	o
w3<~4g
WaitForSingleObject
WC^`6%y`
\wMM;&B
WriteFile
WritePrivateProfileStringA
wsprintfA
/W!U@[&
wW!qTJ
!W?w\s
X\D!zi
xh]5&f
xkJpl[
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
XqTD^%
}xR2=1
X_T<m/[
x}X2!:
~Y+5MQ
y6iW#)I
~y|	)j
)y-T>Xz
}z*07^
z9E7?p&e
Z"h)v"%qP@
ZiZgOh
ZJ	}6\\