Analysis Date: 2015-01-21 03:18:53
MD5: f7efdf47d8a6ab8fe22ce3c370845039
SHA1: 07d918ca61771f79e329fae0a39d82fd5ffa7481

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 7ebfade271f75cb4c180603ab653af42 sha1: 45720e3559680fe044efceba32f55e60ed85f918 size: 23552
Section .rdata md5: 9d6e96915262c9d1129a16fa0b02a19a sha1: e46950b3424baeebebe8ab21b9f9674839c38bd6 size: 4608
Section .data md5: dbf10679c897d0edeee280fffdad552f sha1: f257e37a5d8648d6123cef40868059ee78a136b9 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 241ec29196e56b45550a0d59f1b975e4 sha1: a46ad997eb66e7faa2ebf8460638b132b23f1a57 size: 357376
Timestamp: 2009-06-18 21:33:27
Version LegalCopyright: Copyright (C) 2007 ansifa
InternalName: 文件夹个性化向导.exe
FileVersion: 1.0.0.0
CompanyName: ansifa
LegalTrademarks: ansifa
Comments: 能更改XP文件夹和驱动器的图标,背景提示文字等的小工具。
ProductName: 文件夹个性化向导
FileDescription: 文件夹个性化向导
OriginalFilename: 文件夹个性化向导.exe
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 985dc4916c574ca76e2c4b4fd9d8fbaa0a9734ad
IMPhash: 099c0646ea7282d232219f8807883be0
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Dldr.Chindo.422491
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.L
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Trojan-Downloader ( 004b1b631 )
AV Kaspersky: Downloader.NSIS.Chindo.g
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): Downloader.Chindo

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: Connection Error
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\1.rar
Creates File: C:\Program Files\304211\Uninstall.exe
Creates File: 2.ico
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\Base64.dll
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsv2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\NSISdl.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\304211\uninst.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\NsProcess.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\Inetc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\Base64.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\NSISdl.dll
Deletes File: Connection Error
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\1.rar
Deletes File: 2.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nse1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsa3.tmp\Inetc.dll
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: 304211
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Winsock DNS: lm.baidudalian.com

Process
↳ Pid 0

Network Details:

DNS: lm.baidudalian.com
Type: A
222.186.60.2
DNS: lm.baidudalian.com
Type: A
222.186.60.68
DNS: lm.baidudalian.com
Type: A
222.186.60.69
DNS: lm.baidudalian.com
Type: A
222.186.60.70
Flows TCP: 192.168.1.1:1031 ➝ 222.186.60.2:27


Strings
 " "GE
@HW\).

080403a8
1.0.0.0
ansifa
Comments
CompanyName
Copyright (C) 2007 ansifa
.exe
FileDescription
FileVersion
InternalName
LegalCopyright
LegalTrademarks
msctls_progress32
OriginalFilename
Please wait while Setup is loading...
ProductName
StringFileInfo
SysListView32
tahoma
Translation
VarFileInfo
VS_VERSION_INFO
*?|<>/":
{0i3.I
1_G~O.
1._<+'X
1z~:,ZA
21,Z3%!N3'#O3&"O3&#O3&#O3'#O3&#O3'#O3'#O3&#P3'#O3'#O3&#O3'#O3'#O3&#O3&#O3&#O3&"O3&"N3&"O3&#N3&"N3&#N3&#N3&"M3&"N3&"M3&"M3&"L3&"L3&"K3&"J3&"I3&"H3&"H3%"H3&"F3&!E3%!E3%!D3% D3% C3% B3% A3% @3%
2/eC*'^
2tO!7F
"3.$23]Ue,
47S-BY
4+:~9/={e_nf
 5PFR#
5yt7Q9
63gA*'Z
6+;}gbqP
74`~($S
8NCRCu
9`!5h,>
9h=D|-
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
af=tv]s
A>jY63`
AppendMenuA
b?3V-,
(=b%\e
BeginPaint
CA01hb
CallWindowProcA
 CD!jg
cF<f`M
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
,)^d*'\
... %d%%
D$0+D$(P
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
?&&dP4
DrawTextA
D$(SPS
D;> xc
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
&\ep2f
eP'B:\
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
e@YDrK
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FreeLibrary
&{fw{k
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
gI<cfN5
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
^HD.=Pk
http://nsis.sf.net/NSIS_Error
HUS}s>7i
HzVju0
`i7_4l
I9mq#3
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
IsWindow
IsWindowEnabled
IsWindowVisible
j2GPKC5
j3My:*
}@jyvJJ
KERNEL32
KERNEL32.dll
: K/,N
ksNcqc
@=ks-)Z
lbjI1a
lFNoFn1`
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
L	v~qJ
Lyeu?W
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
More information at:
MoveFileA
MoveFileExA
MulDiv
MultiByteToWideChar
<<;^=n
N9Y*N'`
NbKA(Do
.ndata
nFOFr4
NSIS Error
~nsu.tmp
NullsoftInst
NulluN	E
N^%%#Y
ole32.dll
OleInitialize
OleUninitialize
OLwm96g
OmQS}hy+G
OpenClipboard
OpenProcessToken
!o.+Wd&v//
<&P+4Z]
PeekMessageA
PostQuitMessage
PPPPPP
qvP-P!+=
=r6ktW
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
RichEd20
RichEd32
RichEdit
RichEdit20A
Richu)
ScreenToClient
>sCZsm_
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
softuW
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
SystemParametersInfoA
> _?=t
T]1zgP
!This program cannot be run in DOS mode.
tL	Q	Y
@!!tNe
_^[t	P
TrackPopupMenu
unpacking data: %d%%
USER32.dll
%u.%u%s%s
Uy^t(D
V"0!yd
v95DpA
verifying installer: %d%%
VerQueryValueA
VERSION.dll
=@VEu9
V{;(o/
>w9.	-
WaitForSingleObject
WcLH>K
wfj 	pG
wMzRLa01|
w;nuUC
WriteFile
WritePrivateProfileStringA
wsprintfA
x3]nZK
x84{!]
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
+x'Sj`
%"Y!KF7
%yzR07
[)Z[1(
zGxspF
*ZJv/_
Z%&/Xr