Analysis Date: 2013-10-13 22:56:36
MD5: 3651e23d6ae63d47aa040457f151e271
SHA1: 5b3f951cc2fa8c9dd1bcb661099f8d1df6a3fb8b

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: 6713f49bc050e40a4e491d5cf0444245 sha1: 2147444b96aeba4b7b8d4531a851e0385d4881d5 size: 73216
Section .rdata md5: 76315cc3ce7c7f34b89c00e96fd3d919 sha1: 1afac004428678a6a4cd633958611c8d7ac590b0 size: 7680
Section .data  md5: 6f9415022853d8e925bcb178dd62e322 sha1: 5e1e363d8ab4a38995c8ce4a2e2cfa4388b9bb79 size: 512
Section .CRT   md5: d8690a66757c8eeab6988f4a858f4dcd sha1: 68d36d3a231c043e8da6819ccbb59260702101e4 size: 512
Section .rsrc  md5: 5e33391c3a69cfe1995fa35dc952f8f0 sha1: 08e000eda4a4b2cee9e1d753c3484cb86f44198e size: 15360
Timestamp: 2012-02-17 14:55:21
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 25271a4348700afcfb46f32f3052a650b1b70377
AV (avira): TR/Dropper.Gen

Runtime Details:

Process
↳ C:\malware.exe

Creates File: Anyclick32.exe
Creates File: AnyInteAUS.exe
Creates File: __tmp_rar_sfx_access_check_111593
Deletes File: Anyclick32.exe
Deletes File: __tmp_rar_sfx_access_check_111593

Network Details:

Strings
009537bf="
05d8c9ea="
077e53df="
%08x
093ef12e="
0aee06f8="
0ea6cb24="
0fafb862="
105565f5="
1083cdee="<li>
195bc0ec="
2669d7b6="%s
28968711="
28b64ee0="
2b769e26="
2e0652f2="
2eb7591b="
341ff0ef="
3478d231="100*100"
36b5f3ee="
37e0cfac="
3801263d="
3b30ef57="
3bf460be="
3dbfa101="
3f75c3f0="
3f980735="100*100"
4022c518="
41ce4b30="
44167062="
499da57f="
4bcf6a1f="
4d117d42="%s
4eb4cd58="
4ebc6a80="<ul><li>
4ed7812c="
501aec0e="<ul><li>
5641709d="
593ccce5="100*100"
59d2a7a6="
5ec2b9a4="
62240658="%s
644f7b2f="%s 
64e322fd="
664abaa4="
68a8444a="
69c2a2cc="%s 
74850758="100*100"
75286f0d="
77661a9c="
7b70360d="
7c1e30d8="%s
7e3a9609="
806024ac="
806642a0="
858e1138="
879b7c99="100*100"
8a38104b="
8deeac82="
8e950692="\"%s\" 
8fda2e04="WinRAR 
977f0bd5="
9e20cc24="%s
(&A)"
a05a6a8d="
about:blank
Accept
ASKNEXTVOL
</b> 
 <b>
(&B)"
b127402c="
b5e0b9fe="
bb9461d3="
bdba36ee="%s
be1ce28b="
bf41b9e0="<li>
<br>
&Browse...
Bro&wse...
bytes
%c:\
(&C)"
c282ae83="
c2f7663d="
c35d8b22="100*100"
c4a704f5="
ca228992="
Cancel
&Cancel
Cannot create folder %s
CRC failed in the encrypted file %s. Corrupt file or wrong password.
Cannot create %s
Cannot open %s
cedc96f3="%s
Close
Confirm file replace
 CRC 
CRC failed in %s
(&D)"
d7b7d4f4="%s 
d9cae1a1="
ddc0ae8a="
Decline
Delete
&Destination folder
;  Dialog ASKNEXTVOL
;  Dialog GETPASSWORD1
;  Dialog LICENSEDLG
;  Dialog RENAMEDLG
;  Dialog REPLACEFILEDLG
;  Dialog STARTDLG
(&E):"
e040fd4a="
e541a221="</li><br><br>"
e6184908="
e849f326="
ecb135eb="
EDIT
efa47afe="
-el -s2 "-d%s" "-p%s" "-sp%s"
Enter password
&Enter password for the encrypted file:
Error
Errors encountered while performing the operation
<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>
<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>
<li>Use <b>Browse</b> button to select the destination
folder from the folders tree. It can be also entered
.exe
Extract
Extracting files to %s folder
Extracting files to temporary folder
Extracting from %s
Extracting %s
Extraction progress
f5b348e1="
f819b84b="
fc92e4b0="
File close error
folder is not accessible
Some files could not be created.
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Insert a disk with this volume and press "OK" to try again or press "Cancel" to break extraction
Install
Installation progress
jmsctls_progress32
kernel32
(&L)"
.</li><br><br>"
License
LICENSEDLG
LICENSEDLG
RENAMEDLG
.</li></ul>"
.lnk
Look at the information window for more details
manually.</li><br><br>
<li>If the destination folder does not exist, it will be
created automatically before extraction.</li></ul>
***messages***
*messages***
modified on
MS Shell Dlg 2
(&N)"
@&nbsp;
Next volume
Next volume is required
Not enough memory
No to A&ll
ntered
Overwrite
</p>
Packed data CRC failed in %s
Path
Please close all applications, reboot Windows and restart this installation
Some installation files are corrupt.
Please download a fresh copy and retry the installation
All files
Presetup
ProgramFilesDir
(&R)"
.rar
RarHtmlClassName
RarSFX
Read error in the file %s
Rename
&Rename
RENAMEDLG
Rename file
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
 %s"
"%s"
SavePath
%s.%d.tmp
Select destination folder
SeRestorePrivilege
SeSecurityPrivilege
Setup
SetupCode
(SFX) 
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Skipping %s
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
;  Strings
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
The archive comment is corrupt
The archive header is corrupt
The archive is corrupt
The file "%s" header is corrupt
The archive comment header is corrupt
The following file already exists
The required volume is absent
The archive is either in unknown format or damaged
; These are two versions of first HTML string. SFX selects an appropriate
Title
__tmp_rar_sfx_access_check_%u
Total path and file name length must not exceed %d characters
Total path and file name length must not exceed %d characters
Unsupported encryption method in %s
; <ul> tag must be present in both strings, this is not a mistake.
Unexpected end of archive
Unknown method in %s
Unsupported encryption method in %s
Update
utf-8"></head>
; version dynamically, depending on presence of "Setup" command. Note that
(&W)..."
, Windows
WinRAR self-extracting archive
winrarsfxmappingfile.tmp
with this one?
Would you like to replace the existing file
Wrong password for %s
Write error in the file %s. Probably the disk is full
(&Y)"
&Yes
Yes to &All
You need to have the following volume to continue extraction:
_ !"_#
?*<>|"
	08DW"
 (08@P`p
0&=b2"
0H&/v 
0jx#Oa
0V8II&vH
>0zyUb=|=
)17vJ7wo
1'a'_p9V
]>1>A>Q=
1D"cw'
1,g`=."
1HhQG)
1~j/``
<1VQ#~
1X^X`4
2H?:	6'
?_2+L}NJ
2v7*ouwx
2yas&$
3$_2sJU
33!D	3
38ih%K
3E9ydl|
3/J4qK
	&3Lu,{
(3O;yk
3TLC]W6
<3\u1WV
4[:4[)
%48]?\
[:)4_*j
4N?-8k
4?<r^D
4RXe&!9
4vO"tW#
54/0},W
$;"55j
@%>@58
5:84E#B
5FQ@!A
5}`"o 
{5Rich
&= 6?$\}7
6E	!5x
6F6`@f
6<.HNcX
6M'l*O
6nUVi]
;73T9cT
7!5F5$
7e #I;
'7g!W3
7|G]zu
@7m^yw
7N*9Lav.
<8,1UW
82NRR3T
+/8-5f
89~D6#?1
8	9i5F
8buI ^8`VU"
8cc(\&
{8>{d)
8$R8pX
#8=s2x
8~:.uQ
8W8Zm.
8z9%uD!E<
-8zd-H
&]'{}9]
)9.+3@
^9= +B
9OTGvE
 9_rbht
}9RDK!
9<S3_o
9Vw:3 
9WWFIYS 7
)9Xg@)R
a3< ^>#30P"6|
AdjustTokenPrivileges
ADVAPI32.dll
A={k(L
aLr7]F'#
Anyclick32.exe
AnyInteAUS.exe
aO6.!m
A*PKTwIx
  </application>
  <application>
|AR9jA
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
"A.@T8P:
<-aVJD
AYYs*lo
az |;&f
b2ktq5
	b}<A]
bad allocation
Bb7BO:
<Be5j"
b>hy!g
<B@II;
b^J$V!
B[JZ#b
{B+$lS(
#BMjl?
BO=;&@Ht
bQ**0Yh"V
Bqe3X(
B#q/IdD
bqxk,'Q
B]tv	A
bVK~F<D
#c4#c\
\}c/+6F9M
C7ZJ(C
C;E0fF$i
#%CEB!RIR
C[]Fd%
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
ch'Q]Yv
CloseHandle
CLSIDFromString
CM)&>FH5^
@CnKBh
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
CoZ'0I
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
@CS,8nb
cu/AI4
;CujeN
_,?cyy` _
@c}z |
;cZ#68
cZ^'Z#
*d !<=2{
d	2$!K8
 D{a@	
@.data
DefWindowProcW
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
.!d{ff
DialogBoxParamW
DispatchMessageW
DK.?5 )
DMe7LMm
%dm:y"
DosDateTimeToFileTime
    <dpiAware>true</dpiAware>
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
D'|sbf
&Dw}LU
D\X8;l%-
D!X`bAIIRE
e'3nu)
E_'?72Q
e9{\lV
E>FGHR
E/F|Z1&SF)
@eGNy,
+E(n$5
EnableWindow
EndDialog
<e\np 
eOv%R9
EPhoZ2
e':	U].
E<VADo
ExitProcess
ExpandEnvironmentStringsW
$e+Y\|Sc
F _^[]
F:0+7q
f0 ]o8
 F%=4&K
f90u2h
f"#ayJl=
FbaTZ=
[F@BNiQ
 FC*67c
`Fdx+u]
FFF))EE	FFFF))))))
FgR>@t@
	FH@Bm{@A
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
"'fLn -
foA6gs
FreeLibrary
fS9qNY
#Fs#.=;ip
<F"t	@f9
>Fu3:|
f\	ZZE~
g%=/0{
G2"Fs|
g33WwQ
g5!)H\?
GDI32.dll
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetExitCodeProcess
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
!G],ggT
G.gr!|m
GlobalAlloc
}GM	p2o
GQN`vStBY
`gS8R>n:
gUe"kY+
?G?u+X
gwS3	3
gwS37%w`	
gx^~_4
GzR*-,0
g/Z!UHTc
H0}4wD
H&+0=w
)H/[,1
H1smbl
+H3Sz\ 
h,5.-P
	h6;>IK
H+;8W]
|` HB+
h{`b!e
!hDhlF'
HeapAlloc
HeapFree
HeapReAlloc
.(H	|h	
h>H^JL|
Hm3XG2^
$h^,?N`H
HPJ1Fa>	
}HP~Txs R
HtCHt<Ht5H
HtEHt7
HtFHt8Ht*Ht
HtoHt>
HtOHt^HtBHu#
/H`V~c
hvoNU?`NvZ^
HVTqG`B
'HXnPW
h`x'-	)z
~i$B~v
IE0:o-
ifkkiqg
I >k9U
(iL0JeS[
InitCommonControlsEx
{Io!5^
"iOfKS
IsDBCSLeadByte
IsWindow
IsWindowVisible
ITpk|/4bj\i
iVN7npD
IWj\_f9>u?f9~
%Ix	z	^?R
IY!%jb
@j|_~([
J',\4d
j	72ib
j.8i5f2}(
J9E7$w-
JG;qQq
{Jh.o/`
jHV~gJt
J\@RoG
jWHy;'
j Y+L$
k0vn%a0
k!6T`+CQ
kBq+sa
|kcSv=I
KdblSl
Kd^j~Zbb
KERNEL32.dll
KFw:*W
KiP<;#2
k>k1S?
;}>$Ko
kpUj4hQ
Kq;fM$
K$>{RT
`KtfAG
K)Vq..
KWR/Sh
-l5KDa
      language="*"/>
LH1mghAl
L]hap0OF
(>LJ6~C
^L"k+:Z
<llL\]
LN.GZ{k
)~l|<O
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LocalFileTimeToFileTime
LookupPrivilegeValueW
LQ#hFNvn/
$lqh,=s
L;}Q>S
l~u`Jo
lv15JtD
	{.(_m
-M2*-b
m8SJd&s
MapViewOfFile
MapWindowPoints
MessageBoxW
*messages***
&*MGl|
Mh;7H5
MHf^qV
M+<J2|r
mJ2.Z;
MoveFileExW
MoveFileW
}MO YA
mti/(5
MultiByteToWideChar
My?G(izS
m+YQCH
N3!&>\&
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
?&nfeo
_;nHq;}
~NK%on7
NNu$j	
.N+%+o
=n='S]
nVU,~U
Nv:wD5
nvY@[u^
^#o3!k
O\	6UM
O"?C_C
o=d"OW
OE:d42=
OemToCharA
OemToCharBuffA
oE/Q"v
o\_%f&X
\oH]k\
OIxh>E
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
OpenFileMappingW
OpenProcessToken
o@SaO=}Nxe
O.Tf<9g_;
P9]pu;
P9]pu+
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGn
Pbkp,bub
P:B,rL
pD\_)3
PeekMessageW
@p	>HE	"
=p.[JJ7r
pjynP}
Pl,|n*<O
p"mu)n
PNusnzw{wp"
PostMessageW
PoT5~K
]>p]PS
      processorArchitecture="*"
  processorArchitecture="*"
      publicKeyToken="6595b64144ccf1df"
PU'~r#4=
PWhx8A
pw`s^!
q>0%Jp
q'1( h
q3SGCU
,q4h39N
+q-`/8
QaNxtZ
|]`Qbk
~	}qby
QD9] t
&Q&DE`!LT
.}Q	e1
,q.]ej:
~q[g};
qIF{	S
QmK|]m
Qm-X?vK
:qN=04
~~~qqqgggjjjxxx
QQSVWh
{quC>;~[4"
$R16qL
__rar_
:R!CF[
`.rdata
r`@dqM
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ReleaseDC
      <requestedExecutionLevel level="requireAdministrator" 
    </requestedPrivileges>
    <requestedPrivileges>
}rGX-6<
RH~7/ H
?"'r Ho
(R?I%Q
rl>Ek*
R_mT2M(
]roI9L
RPNNPV
R/qOqd
@.rsrc
RvuG9X
}ry%/^{
\RZ:AY!(
+S|-+`
<S1~u#
S3_:FM<
%S%]#A
S(]AJ<
}|)s?<D
sde=/>
%.*s(%d)%s
  </security>
  <security>
SelectObject
SendDlgItemMessageW
SendMessageW
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
s)gB oTa4
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
s.HU6dI
Si+g8v"
Sk^kgklkrj}
!SMP0$
-spoue(1
ss	3Xu
sssnnnmmmnnnpppqqqqqqnnnjjj
StretchBlt
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
SVkj'rl+
(SVWj 
`SVWjh
Sv@>Z]FQ
SystemTimeToFileTime
{szgI)?0
t0ht6A
t0VSSj
t2anrX
\t/}4=
t4SSVW
.T;5WY
?TaxJT
tB7\m8q
TD;4Hl
TE\eXW
t	FAA;t$
tFU80U\;m
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
t!hh3A
!This program cannot be run in DOS mode.
+tky\_
	!<tP=
tPh :A
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
 tSj X
t<SSSS
<*t*<?t
Tt(J6-
{{{ttttttzzz
t~U(1)}
      type="win32"
  type="win32"/>
tzoB_+
#u05p607
;\u0VW
?u7xbX
(<\u$8F
+/<U8(N@
u<9Epu
}_UeC 
u h\3A
u!hp8A
      uiAccess="false"/>
UJ1_Xoz4%Z
Ujf_$>7
@u?j'Y
u*!=mV
UnmapViewOfFile
u-=?P1 
UpdateWindow
uP%O>I
UQq9!c
U\rg+Nci5
us)@c{q
USER32.dll
*!uv&Ui
!u<wg4
[uwhh 
-uWqoDH
>:uXiL
V47SEy
'V6uCbt
V@@AAf
$v"+;B
VbMJOH5S@
  version="1.0.0.0"
      version="6.0.0.0"
%V~>!g
V.g-5S{z'
%vK!{O0
Vm5,Na
VMI7id.JX
v	N+D$
&v&~'o
Vp{|l]
)'vs`6
VU@dps
{"\v:v:
?vVj@_+
VVL[jB{.
/v(vvR
v@=,Xh
.@w1/y
w5WWWW
W_6en(
W7]4pV
!w7e%D
#w86ri
_wa|a}a
WaitForInputIdle
WaitForSingleObject
'w{D/qS(
\WD}R{OH
@WhP6A
w_@i{b<Z
WideCharToMultiByte
WINRAR.SFX
`WJV#"
Wj<_WS
w/j.yNP
W ="|JZA
W(Ks!p
wO3	Qb
WriteFile
('Wt!l/s
+@\wU]^
wvsprintfA
wvsprintfW
_@Wv:V
Wwgu"'P
WwR"'P
WwS7'u
w-<YMA
wz2Z`Z
wzQ>Of2
x0~_v:
`x$>1&
x*1h>Z
x[2vJC
%x(a-o&0
x>,B(VA
XHN"<j
xII%E)$nAkRi
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
}xrr!~
-XT5F 
Xt8%6@
 XwS[G
xWu2,{
Y?>41(Le
YDf;%LV
yEh5iG
^YKfw&ymb
YNANRC
Y|q{RiC%
Y*+RV7
yWPixD
\!Y'=x!
<+#>yY
Z2fQ`E
z5'q,4c
}z6i)K
<]Z7n{
Z<]a:q
z'>D-lOG
:z(&E/E
Ze^T#W
Zg~j>7
zhwd|t"
zR*uk*r
zuFhl3A
zy	07;H
zy&Dt^],
|||zzzyyy}}}
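The SFX module's user-facing messages are stored in the binary as one-byte length-prefixed records, which is why `strings` prints several of them run together with a stray character between them: the stray character is the length byte whenever it happens to be printable (`D` is 68, exactly the length of `CRC failed in the encrypted file %s. Corrupt file or wrong password.`), and the first record on such a line arrives without its prefix because an unprintable length byte (0x17 for the 23-byte `Cannot create folder %s`) is dropped by `strings`. The Python below is an added example for reading this report, not code from the sandbox or from WinRAR; the record layout is an assumption inferred from the byte counts in the dump, and the sample inputs are constructed by copying lines from the Strings section above.

```python
"""Split length-prefixed message records that `strings` printed run together.

Added example for this report, not code from the report or from WinRAR.
Assumption (inferred from the dump, not stated on the page): each SFX message
is stored as one byte giving its length, followed by that many bytes. When the
length byte is printable, `strings` keeps it and glues the records together
("...folder %sDCRC failed..."); when it is not printable, `strings` drops it,
so the first record of a line arrives without a prefix.
"""

from typing import List, Optional, Tuple

# Constructed samples: byte strings copied from the Strings section of the report.
SAMPLES = [
    b"Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password.",
    b"Extracting files to %s folder$Extracting files to temporary folder",
    b"The required volume is absent2The archive is either in unknown format or damaged",
    b"Wrong password for %s5Write error in the file %s. Probably the disk is full",
    b"E<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>"
    b"E<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>",
]


def chain_from(data: bytes, start: int) -> Optional[List[bytes]]:
    """Walk (length, payload) records from `start`; succeed only if the walk
    lands exactly on the end of the buffer. An ordinary printable byte taken
    as a length almost never does, which is what filters out false prefixes."""
    pos, records = start, []
    while pos < len(data):
        n = data[pos]
        if n == 0 or pos + 1 + n > len(data):
            return None
        records.append(data[pos + 1 : pos + 1 + n])
        pos += 1 + n
    return records


def split_records(data: bytes) -> Tuple[bytes, List[bytes]]:
    """Return (leading fragment, records).

    The fragment is the message whose length byte `strings` discarded; it is
    empty when the line begins on a prefix. The earliest offset from which a
    consistent chain reaches the end of the line is taken as the first prefix.
    """
    for start in range(len(data)):
        records = chain_from(data, start)
        if records is not None:
            return data[:start], records
    return data, []  # no chain at all: the whole line is one message


def decode_line(line: bytes) -> List[str]:
    """All messages on one `strings` output line, in order, as text."""
    fragment, records = split_records(line)
    messages = [fragment] if fragment else []
    messages += records
    return [m.decode("ascii") for m in messages]


if __name__ == "__main__":
    for sample in SAMPLES:
        for message in decode_line(sample):
            print(repr(message))
        print()
```

Running the script prints each message on its own line. The check that the length chain must land exactly on the end of the line is what makes the split reliable on these samples: candidate bytes such as a space (32) or `%` (37) start chains that overrun or stop short, while the real prefix byte (`D`, `$`, `2`, `5`, `E`) is the only one that closes the line.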