Analysis Date: 2017-07-14 15:31:49
MD5: 94f930279d035ee35b0d27cd3036df3a
SHA1: 40006faccb5700625ea60bb2085fcc90e2609fb1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text   md5: 0bc2ffd32265a08d72b795b18265828d  sha1: dd2a446014a37556f39173b802c63a4e46e09366  size: 23552
Section .data   md5: f179218a059068529bdb4637ef5fa28e  sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d  size: 4608
Section .xcpad  md5:  sha1:  size:
Section .idata  md5:  sha1:  size:
Section .reloc  md5:  sha1:  size:
Section .rsrc   md5: e40be6895fe83f89ec566961dcb9f17a  sha1: e77e4daafa895f103ba8ad4d4ec4c3c956b32c95  size: 24576
Timestamp:
Version LegalCopyright:
PackagerVersion:
InternalName:
FileVersion:
CompanyName:
Comments:
ProductName:
ProductVersion:
FileDescription:
Packager:
OriginalFilename:
Packer:
PEhash:
IMPhash: 099c0646ea7282d232219f8807883be0
AV 360 Safe: No Virus
AV Ad-Aware: No Virus
AV Alwil (avast): Downloader-VRF [Trj]
AV Alwil (avast): Win32:Trojan-gen
AV Alwil (avast): Trojan-gen
AV Arcabit (arcavir): No Virus
AV Authentium: No Virus
AV Avira (antivir): No Virus
AV BitDefender: No Virus
AV BullGuard: No Virus
AV CA (E-Trust Ino): No Virus
AV CAT (quickheal): No Virus
AV ClamAV: Error Scanning File
AV Dr. Web: No Virus
AV Emsisoft: No Virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.C
AV F-Secure: No Virus
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): No Virus
AV Grisoft (avg): No Virus
AV Ikarus: Error Scanning File
AV K7: Trojan-Downloader ( 004e31a81 )
AV Kaspersky: HEUR:Downloader.NSIS.Chindo.heur
AV Kaspersky: Trojan-Downloader.NSIS.Chindo.a
AV MalwareBytes: No Virus
AV Mcafee: Generic StartPage.at
AV MicroWorld (escan): No Virus
AV Microsoft Security Essentials: No Virus
AV NANO: Trojan.Nsis.Dwn.dgyppb
AV NANO: Trojan.Nsis.Dwn.dgypoy
AV NANO: Trojan.Nsis.Feasu.djrzxc
AV NANO: Trojan.Nsis.Chindo.dflbvf
AV Padvish: No Virus
AV Rising: No Virus
AV SUPERAntiSpyware: No Virus
AV Symantec: No Virus
AV Trend Micro: No Virus
AV Twister: No Virus
AV VirusBlokAda (vba32): No Virus
AV Windows Defender: No Virus
AV Zillya!: No Virus

Runtime Details:

Screenshot

Process
↳ C:\40006faccb5700625ea60bb2085fcc90e2609fb1.exe

Creates Mutex:
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.1.db
Creates File: C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000005.db
Creates File: C:\Users\Admin\Desktop\desktop.ini
Creates File: C:\Users\Admin\AppData\Local\Temp\nsc5188.tmp
Creates File: C:\40006faccb5700625ea60bb2085fcc90e2609fb1.exe

Network Details:


Raw Pcap
0x00000000 (00000)   47455420 2f6e6373 692e7478 74204854   GET /ncsi.txt HT
0x00000010 (00016)   54502f31 2e310d0a 436f6e6e 65637469   TP/1.1..Connecti
0x00000020 (00032)   6f6e3a20 436c6f73 650d0a55 7365722d   on: Close..User-
0x00000030 (00048)   4167656e 743a204d 6963726f 736f6674   Agent: Microsoft
0x00000040 (00064)   204e4353 490d0a48 6f73743a 20777777    NCSI..Host: www
0x00000050 (00080)   2e6d7366 746e6373 692e636f 6d0d0a0d   .msftncsi.com...
0x00000060 (00096)   0a                                    .


Strings
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
[Rename]
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
ReadFile
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
GetProcAddress
LoadLibraryExA
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
Sleep
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrlenA
lstrcatA
GetSystemDirectoryA
GetVersion
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
GetDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
ShellExecuteA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
\Temp
NSIS Error
.exe
open
%u.%u%s%s
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteKeyExA
ADVAPI32
MoveFileExA
GetDiskFreeSpaceExA
KERNEL32
\*.*
%s=%s
*?|<>/":


<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>