Analysis Date: 2015-01-21 07:55:17
MD5: 5d14a865cf1915f6362c9999490e0b60
SHA1: 1d0005fa40fab707c1f3e1b1b140fbe7247e49fc

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: c69726ed422d3dcfdec9731986daa752 sha1: 4546608e3b1a2ab1d69a34018d2ddfa7fa411885 size: 23040
Section .rdata md5: a2c7710fa66fcbb43c7ef0ab9eea5e9a sha1: 60485025c47935e745e57b6efc7042f2261b7d53 size: 4608
Section .data md5: e59cdcb732e4bfbc84cc61dd68354f78 sha1: ffc24489dd56b406f9078ba1cb9c71e9b430dbee size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0 (empty section: these are the digests of zero-length input and are not usable as indicators)
Section .rsrc md5: e2168bef89fe6f60911461cf64498fb9 sha1: 5a43fbef9b0b2e6900b8294cab6c662a82e48119 size: 176128
Timestamp: 2009-06-06 21:41:48
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 1022b4f6363984546849c2f6a7b4bec9fcca0683
IMPhash: 7fa974366048f9c551ef45714595665e
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): no_virus
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.M
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Trojan-Downloader ( 004b258b1 )
AV Kaspersky: no_virus
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\1.rar
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\060027\uninst.lnk
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\Base64.dll
Creates File: \Device\Afd\Endpoint
Creates File: PIPE\srvsvc
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\nsProcess.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\NSISdl.dll
Creates File: C:\Program Files\060027\Uninstall.exe
Creates File: 1.ico
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\Inetc.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\NSISdl.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\1.rar
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsd1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\Base64.dll
Deletes File: 1.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\Inetc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsy2.tmp\System.dll
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: 5201314

Process
↳ Pid 0

Network Details:

HTTP GET: http://222.186.60.2/1.ico
User-Agent: NSISDL/1.2 (Mozilla) (the default User-Agent of the NSIS NSISdl download plugin, which is the NSISdl.dll dropped into ...\Temp\nsy2.tmp\ above)
Flows TCP: 192.168.1.1:1031 ➝ 222.186.60.2:80
Flows TCP: 192.168.1.1:1031 ➝ 222.186.60.2:80

Raw Pcap
0x00000000 (00000)   47455420 2f312e69 636f2048 5454502f   GET /1.ico HTTP/
0x00000010 (00016)   312e300d 0a486f73 743a2032 32322e31   1.0..Host: 222.1
0x00000020 (00032)   38362e36 302e320d 0a557365 722d4167   86.60.2..User-Ag
0x00000030 (00048)   656e743a 204e5349 53444c2f 312e3220   ent: NSISDL/1.2 
0x00000040 (00064)   284d6f7a 696c6c61 290d0a41 63636570   (Mozilla)..Accep
0x00000050 (00080)   743a202a 2f2a0d0a 0d0a                t: */*....


Strings
 " "
E.
msctls_progress32
MS Shell Dlg
Please wait while Setup is loading...
SysListView32
 -;	!.<
 !""#'(
*?|<>/":
0a&H#3"
0>Kl&1<\
0Qan"4
0@Qt-=Mo,:Gf
10f.5$
188cUF
1D9:=.
 1;-kR
<#1<|o
1r3>ij
2223cP
[$2?}b
?2ETez
2mA13y
 2UUUUKBHccU
2xs~6;LNL,
.302-2=001/
)3[&2<b$.8^ )2W
3kHAFWB
=~<~3m
-3PQ&j
3/Pu+v
4CQq&1;`
$4D	);N
(5@	'3>
56')sf@
5ES~(4>o
 5UUU+
#69K[v>P`i2AOV+8C?.=J0 +7 "1@
6(O0mzpHK
+,7;:)
%(,-76<====<::3
7*Eq{F
7GUs1?Lh-:Fa&1:V
8228cM
8528UP
8`6g#5
`+8<<BHABBj
*8D	*7C
;8M_}w
8NCRCu
9JYx+7Ck
9t,5&?
A3W%T{
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
!a>?iF
a;I*i9,
}[[aK@
*^A"~O
AppendMenuA
ATd{4DSn
ATdw4DRn
A!/<xm
!(B*7B5
B85=UU3
B%&^^bfgii
BeginPaint
BLnhA=x
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
$<CVg&i
CWh~2AMk-;Gk,9Ei(5Af!*3`!*4]
CXW*1?/9><<<<<477-,"
CYW[21.?@@/??00'__V
... %d%%
D$0+D$(P
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DEYcd`aja___[[Z\FC
DH#K3&c
DialogBoxParamA
DispatchMessageA
dk};"n
~&D:nvi
D$$Ph,
dPO~Ws
DrawTextA
D$(SPS
-:Ef)5?`
;eIR%]=
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
E.p!s+
er<bJ_
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
.EUcU&=hhffa
[e$v&ia
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
E?YVjRHC
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FMF&/c
F[n|;L\iATeLh
FreeLibrary
FZl|@Rcs5DQh!+4Z
%,G#.84
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
GHUSFE]FFEfFEQSRH
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
gwwwwx
gW%Ybr`
;h6_T,I 
h!`cA@
.<Hm%0:V!+4N
http://nsis.sf.net/NSIS_Error
i0Bf/M
I3&F3&c
iiiiOKZZii
]]]]]ii]Z
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu`
InvalidateRect
Iqqq{u{~~~
iRichu
IsWindow
IsWindowEnabled
IsWindowVisible
.=J|)6@t!+4i
J(9Fxo
JKKKLMNTRNOTO
:,<Jlo
J]o|GYk}@SczATdy7GWr7FTn-9Ff
:JZw0>Ki
KERNEL32
KERNEL32.dll
KH1;;,++i
*~kHy54
k{VhWy7([4
K]x]]iiiiO
%{lLs2
"Lm33l
lmmmyxxyooyoyz}z}
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
l!W:]#
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
{mimhi
{{mmmhh
mmmimh
{mmmimhh
More information at:
MoveFileA
MoveFileExA
{M?+pZ
MulDiv
MultiByteToWideChar
=->Muy
.ndata
?n(&($I
NSIS Error
~nsu.tmp
NullsoftInstyM
NulluN	E
=O`|'3=b",5^
ole32.dll
OleInitialize
OleUninitialize
)<O	*<O
OpenClipboard
OpenProcessToken
PeekMessageA
;PIO#8c
\*p!)lM
ponmlk
PostQuitMessage
PPPPPP
P!qoW{
)PRC=8!
p+]s?%C;Y
Q'6Cxf
>?qfOIIIIGIIIOOQOqu
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
<<Reyy
RichEd20
RichEd32
RichEdit
RichEdit20A
R!/;}n
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
?Se	?Rc
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
sHZZiiZH
softuW
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
swwww~|
SystemParametersInfoA
szzzz|
> _?=t
T$2=yl
@Tf	?Se
!This program cannot be run in DOS mode.
_^[t	P
T>Pa~<N]|6FUr*7Bc
TrackPopupMenu
~`u4,}1
U)8Eyn
u~P|h/}5
USER32.dll
%u.%u%s%s
V -9tp
verifying installer: %d%%
VerQueryValueA
VERSION.dll
+?Vj^y
v]UROQ
v#Vh;+@
vz&^^p
:w>4w[t4
WaitForSingleObject
WBzbP/
wLU^="
WriteFile
WritePrivateProfileStringA
wsprintfA
wwww~w
wwwwwwww
wwwwwwwww
wwwwwxhhgwwwx
x@,^@?
[X_>e.
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.45</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
xxxxxp
yw{[xwv
yX	A}W(,Y^
YZ[\_b
{{yz{mxmoyyy}
;`Z`5|1
Z~f+'1
@zKC<iO
ZMY%zn
^}Z{Oc
:(z}WY
]ZZZi{