Analysis Date: 2015-01-29 01:45:16
MD5: 2bc428c0b61cddedfd0bf7f78dc2a8ea
SHA1: 6a0d04f13b4bcfd504cdc304c12a8e55d704314c

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 984dfeff737935f78877d3d08b82ef95 sha1: d37c898578b52c62ca8c93757e64b07939999701 size: 72192
Section .rdata md5: 0fb0a72395723950e1915d6bf373f506 sha1: 904ad0342509a0b37abfcefd6606a12adbdc7707 size: 7680
Section .data md5: 11ffdfc240c81dfe9d957f6bf1761f00 sha1: f0f691437eb067b4de686e8b7225b8e4127cb275 size: 512
Section .CRT md5: a5ba361df79e0a565f00bd42dc501625 sha1: a91ea47a0eb05af400245bce0fd66b2bec2b6335 size: 512
Section .rsrc md5: 1285ef10fd521f02cfdc1dc5b0c29d9d sha1: d825bfff12556e6659ee01a7375558e1d25707a1 size: 14336
Timestamp: 2011-05-28 16:04:29
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 1cf04187c6dae87696573dfe9bf930be7ddaf01c
IMPhash: dbb1eb5c3476069287a73206929932fd
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.Generic.11733977
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.Generic.11733977
AV Authentium: W32/Downloader.EQRM-0968
AV Avira (antivir): no_virus
AV BullGuard: Trojan.Generic.11733977
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.Generic.11733977
AV Eset (nod32): no_virus
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: Trojan-Downloader.NSIS.Agent.oi
AV MalwareBytes: Riskware.Chindo
AV Mcafee: no_virus
AV Microsoft Security Essentials: SoftwareBundler:Win32/Chindo
AV MicroWorld (escan): Trojan.Generic.11733977[ZP]
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:


Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:



Strings
\_
.\
:\\
...
010A___
.
.
x
S
%08x
(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br>
b<style>body{font-family:"Arial,
%c:\
(&C)
ccpp
 %d 
(&D)
Delete
(&E):
EDIT
-el -s2 "-d%s" "-p%s" "-sp%s"
.exe
";font-size:12;}</style><ul><li>
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Install
jmsctls_progress32
kernel32
(&L)
<li>
</li><br><br>
</li><br><br>c<style>body{font-family:"Arial,
</li><br><br> <li>
License
LICENSEDLG
LICENSEDLG	RENAMEDLG
</li></ul>
.lnk
*messages***
(&N)
@&nbsp;
Overwrite
</p>
Path
Presetup
ProgramFilesDir
(&R)
.rar
RarHtmlClassName
RarSFX
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
 "%s" 
 %s 
"%s"
SavePath
 %s CRC 
%s CRC 
%s.%d.tmp
SeRestorePrivilege
SeSecurityPrivilege
Setup
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
Title
__tmp_rar_sfx_access_check_%u
Update
utf-8"></head>
(&W)...
 Windows 
WinRAR 
winrarsfxmappingfile.tmp
(&Y)
~, !%)
 !"#$%&
?*<>|"
{{{{{{{{{
*)());
"03v%&H
 (08@P`p
0eebP&k
0e&x8q
!0F6{7`
0GwtULt
0h{6pL7Y
/'[,\\0]^_\\\Q
0qahGe
0TQ+CI
0WElaxx
0Zd|Nc+p
-0zDrM
11ww<_
14vVR8j
1)ffIN
{{1gSU
^1kH+_
1oBH&M%
1og^C*&
?1oUzq*kW
\|1PtAc_
1q]>c?
#\]1v|
1Vuh2N
1"wP_)
20~H1p}c
2(2;m~U%xA.
25%T]%? bo
2[98!0
^ 2F:B
2H'b[_
<2)-JF
+%3{@ 
319p0w
33!D	3
3,45657879
"38R]|
@3-A%L4
3g&8}.
{}3GvVy|
3HfG3r
3HI61$
?3M2li
<3\u1WV
3=VSD;c
\3zf,B
:(,4;<=>;?@
4;2 q=
45id18w#.
4#8Dlp=Q
@4Ig R
!-'4N@S
4o84DHf
4*rDOg
4$RV$?
']4Vu?
*\%4X0
4_%Xhj
4,XzSg?y
4Y_cOW
4Y_cOW	
50eW728
59WW{/nq
5}C86J
5hE)Dn
5H;H..k
	5m9Jb
5MM`[4
#5?&QY
5R6{<9VS
<6/$.)
!}6$.}
/6C)Fh
6>!dFn
6fFd0X
~6/"h|
 6Mb.<
6S3[Da
6s/t6U
[\%6{U
-6	vzps
6-?_waN
+6/wmw
75CXa!U
,76uk&Ot
$7ds|"
7DSu#w
7ED*)"
+7ml3h5-M?#T
/&7nyy
7O9t(+
7{oaR<
8;2%YU
8{7Q1L
8888888888887
8888888888{x7
89N5:)
^89N%#F
<8J5]/@
8jK)=n|S
&8on{lm
8T-ieo
8,UM]A
(8Wins
 \?.^9
9{2V9&
9><3y'
99Yd\I
9hlzyD
9ir|0o
9jp}^,
	9)rHe8I2Y
9uvA<c
a0$H*	
'A,4;BC
aaaaaaaaaaaaaaaaaaaaf~leQmux
aC]Z\K6
AdjustTokenPrivileges
ADVAPI32.dll
<aH*4u
ai7{Dt/-
A[L?8@
AMyudYC
=a:oPR;
ap@cwxy_[d
  </application>
  <application>
a`Q96o
ArQ@LB
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
a_^z`^W
!AZ,[z7
AZ@zCI&
`#B6:%
B{>^6T
B86I/DC
Ba'<b<
bad allocation
~bAP]z
BC-G@]
-/bcq9
bD.);$
[BdxLa
=BfS'J
@b	gck(W
 %bHGg
<B@II;
BiUdeC
Bj'?\I
BJZfRb
b*^m&Hqg
>&'&bOT
Bozjru
b@Q%ay
B!^	\r
BR8KE 
bRQyB 
\^bsCz
B-"ujNB
#Bv-17
+b|Y^FuO
.C0\|=s
c97U+n
C!dWve
}CDx@n
ceF>1.Y
ceQ&^	gdk
cgP0(+
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
c]JIz?Jc
{CjwN=
Ck*IH!
C	Kj[ 
ClNbzp
CloseHandle
CLSIDFromString
!>}C%)m
~c#msd
 c*{n}
CNSVcr
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
C@}PH'
# cr~_
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
crY)A(
CS[	6eC)
CsW=t)
*^cvU@
{C;Y9:3
Cym>`k
c@yvoi
C;Zsf8H
czw!<n
D27F!tu
d,=#9A
''''''''''''''''''DaJKHPam
@.data
DC&7qdx
ddddddd
dddddddd
D~Dy%a
DE9uKt
DefWindowProcW
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
d+fW:W
D?I0e9
DialogBoxParamW
DicMS{
DispatchMessageW
Dn8^JQ
d;o->R
DosDateTimeToFileTime
Dp(" 7C
    <dpiAware>true</dpiAware>
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
*|DQ0m
D?qNFEq
ds0'N^
Ds\G$b_
dU	CKz
d ykR.
~?~E/0-E{
"EA5_2
Ec}t	Ts
}EDLo&A
e@fD3f
E;G<9<
^EiA\Q
e_M`D.
EnableWindow
EndDialog
ePrt2r
Ep'`Xe
eq72v&nk
ER]Iy#>
/E/Rt%g
._et(,
`etmi5
e.v};%
eV];Oo
eX2ak^~h
ExitProcess
ExpandEnvironmentStringsW
{ExvwA
ey3T="
e$!ypdJ
F _^[]
f90u2h
fAj_Pc
fbc:N:
+fC4,R
f+|EQ!^!
.'fe\x
FFF))EE	FFFF))))))
FHCpvR
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
fK{Tc"
!}fn\]L
Fo(:j'
fr6@_(
FreeLibrary
fr?|	G
<F"t	@f9
fU4mt#
FW#C{,
 !fX*U
FY)F%u
G07sN 
g0.FH+
g22460
g33WwQ
_GA%|>
gA2sig
"#_)Gc
GDI32.dll
gDLteS
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
{	g;ExX2Q
GfNdHT
g|G =l
GGne_>
G	i{^!~
>Gj7tA
G: {K0
"(GLOa
GlobalAlloc
gL|ZCDh
g~):p5
g,qb|z)W
Gt{nQ^
_gV3v<$?
gwS3	3
gwS37%w`	
GyY5Z^
gz0yJvpY
H	4Y(D
"H8n["
H*&;b#
hdJ8:J
HD`L''
HeapAlloc
HeapFree
HeapReAlloc
HMx35C\?
hNF83"
h}OJ#P
H&rBy^
h*sc3"r
HtCHt<Ht5H
HtEHt7
HtFHt8Ht*Ht
HtoHt>
HtOHt^HtBHu#
}hu>ZS>X
]HVALC}o
hvoNWg
hxS@hf
'hX=t}
^h?XZ>`.
,+!.hy{F
]-I5o1
I!5Ok1
_[I-9:
I)agM@
I:al<:
,i")"B
;-iC12
?$)Ie+
IfVC|V^
=I,FxR
(iI5),
IiMKj7
+iiV]YH
%I+IZP
IJKL=MNOPQ
-^Ilye6
InitCommonControlsEx
IO@DdJ
i!P5X=H
IsDBCSLeadByte
IsWindow
IsWindowVisible
=I;T<h
iU#7G3
i?u/?I
Iu(T{G
.I|VO''C
IWj\_f9>u?f9~
^~\IY[
:?j[(`
J2	~2B
*J4G{/
?J6V/S
jc|!zz
JEJ	UJ=d0
JF^ 4 b5
'-JF]r!
}J][hf	:
jhs>k$M7
j*jBZv
JJJJJJJJJJJJJJJJJJJaieQRamu
Jk|UyZ
j:o3/:
%,JOs%
:j__q>qO/
'?jsis
J	S*l7
j?T9K{
+jvHoa
j Y+L$
]K)$@=
K5G?Pbk
_KapKl
'_K{`B
k*CZN2
Kd;	{K
KERNEL32.dll
[KfK?U
kkkkkkkkkkkjhjjjo
^K'!?m
kmo%\;c2\
|(K (#o
k,>Q6nH
$KSl8&
K.ue8!
kYLB.(+
~KY,p^l
kyZ2jy
:l*#\;
L43vbN
l47Zz4o
LA3`u.
      language="*"/>
lBc6q P
lD#Yz2
l`Ej'c/
]L&{G:
l]'H]-o
;L&-ioK
_*Liso&I
,LJi,p
LLKP\?
ln1#gk
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LocalFileTimeToFileTime
LookupPrivilegeValueW
`>LOQNJ,
LPt`8)
(LQCgdmG
ls^ko y
(lUYZly)F
<L'vm0
>]l{XE
L +Y`C
LZRP[j
m0k3HH4;
M3NYpj
M4"=jX
m~\7c,S?
MapViewOfFile
MapWindowPoints
`M^CIQ
MessageBoxW
*messages***
&m$E.U
M-FDvQ
mH{d_@
;m"LT$
MLtg%5Y
mmrrrrs
Mn0!-cE"
MoveFileExW
MoveFileW
MPF8G/
@=Mr(njY&
MR}$-yBxA_=wVZ
m=tW?8
MultiByteToWideChar
{muSWm
mV&rC/<
>$"M W
[m")X| 
Mx]['7
[MXd_Bo
MXs}Kuk
mz;UR-*F
n*1V,N
_N26]S
N4Y_cOW
N\-54[
]n7lkft
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
\N%B  8
:,NBgE
]nh-:A
NiT<mT
N'JYq+
:n:kW<	
NlG	Dq
}?n(lr
NmS|JUx
NNu$j	
NNz;tg
#n#}ol<c|
[N(Pz;
n)$Q3'6t
<nTM&O
ntw`r|
n:VY F
@n+(W#
*NW[&{PA
N!xfB;
@n"x|w
O$`08}
o4z& w<\<\
'}oEdt
OemToCharA
OemToCharBuffA
`O/f&Tnx
O,\g31
OKjKtx
{-o}_L"
o	(}lD&
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
o$L#.L}
OLT;{G
OlV|2@f
}o," Ox
OpenFileMappingW
OpenProcessToken
OR=$0.c&`k'~.g
otUJ~6
	o__>v
Ox3gYP
p~;>{@
)_(P4w`
P9]pu;
P9]pu+
P{ACTr
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDRar!
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
PA|Yk	y
;	pcrdz0
PeekMessageW
penc-N
P+"HM-N
#(p\o2*:"
pOem/{
PostMessageW
P(qy2Xv
p^rBn.t
      processorArchitecture="*"
  processorArchitecture="*"
PstfmL
Ptz^a2q
      publicKeyToken="6595b64144ccf1df"
PWhx8A
pwL`xmJ
PY!7kz
PzrD:r
%&!|$Q-
q3_j{ 
Q3w-18
q6w#?57E
qA:LH8
Q!ds3f
.qec.C
~QGv	0
Q'Gzi 
Q.I[lo.
"Qims53
Qj}r#@)
QO;5^otwL
Qp#3nR
q'P"I{
QQSVWh
QRROQQ
Qx]M3H
qZ0=22
'QZJPv
]-R	_~
?R52[z
r7ONJB&-{D
__rar_
=rbDEt
[RBnV>F
r-bX!d
rCB5vw
}Rd3Oz
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ReleaseDC
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
RFXDBG
R?g$DR
Rgsv.Hj
!rJ1S`
^<rme '
rOpYYTh
rp>9<=
rqK]Y_
rrrrrmm
rrrrrr
rrrrrrr
rrrrrrrr
rrrrrrrrrrrrrppps
r	sd,K
@.rsrc
RSTU0VWXYZH
R';z=1
S0/~M\Y7
S5%d2lq
S<<5iB
s?5pUi
S6BN?mu
S`A)Uv__
%.*s(%d)%s
  </security>
  <security>
SelectObject
SendDlgItemMessageW
SendMessageW
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
Si1JE%
sK+IwqWLV
Snf$`v
[-"spY
StretchBlt
Su7bJ|
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
(SVWj 
`SVWjh
SW_uU+w
sxm048\:
SystemTimeToFileTime
@~T,+<
t0ht6A
t0SSSj
t4SSVW
T<5(s6
t6@"o4+9
)T,7EB
tagupol77l3001.exe
Td8ow;9
t	FAA;t$
"tgf(S2Q)]
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
t!hh3A
!This program cannot be run in DOS mode.
T?j#lBR
TjU;GW
TLD833L
t;$Px&
tqmxzz
tQXz^/^Pl
t`r%6C
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
 tSj X
T/SOJ^
t<SSSS
<*t*<?t
#ttF?$
t}tQEN
]tUm(Xp~
tV+2Gz^
      type="win32"
  type="win32"/>
T_Z1sf:
'tZ/50
;\u0VW
U!?4#C2W
(<\u$8F
U8$@jwq
UayHo4
UB|4JR
>UC.Id
U;C's6
udn[&=C
uF@F0V\
u h\3A
U}hM9o
u!hp8A
      uiAccess="false"/>
_uMWy7ls
uNC@dP.
UnmapViewOfFile
u>.pbg
UpdateWindow
@*ur3 	
{URich
USER32.dll
U=T:rL
)utr;O
u{u'	B%
@UUJtB
U(UyH%
UXi|'[
u>yA%U
v0c|Zyl
v1M$kd
(v2+{%7
V^7`7]
V@@AAf
$Vb!5e
|V;C+[
vcxD{J
VdsU[U
"v$$e>\
,V&`,e
ve9TT@
\\`Ve}b
\-VEJ~
  version="1.0.0.0"
      version="6.0.0.0"
v!g?NR]<
	VG.PW
vHk>dq*
VIc1;E
vit;cso\%0G
v{iU`B
VKDWFT
%vm:]U?J
v	N+D$
?vNj@_+
Vr,1I56
~vrrrrr
~vrrrrs
VSSSSh
v~u4 '~
v,VzCD
V	zIme
W3Q6CV_
w5SSSS
Wai_Hd
WaitForInputIdle
WaitForSingleObject
wBX83E
wCy:tB5
`WEBrZ
%wE=nH
@WhP6A
WideCharToMultiByte
WINRAR.SFX
Wj<_WS
 WK;T!AB
w$@N(7
WOwd<~
WriteFile
wvsprintfA
wvsprintfW
Wwgu"'P
WwR"'P
WwS7'u
wwwwwwww
W_w{(Y 
WwY"Gt
wX46.k
Wz8J%K
wz!.\m
.$,*"x
X0PJ	*
?X0XDnRW
XA	$9JT
xas\E&
	_	xd}*
X(#hH-
XHsMLR
Xk#vh0 
xLxXxNxE
xnt?g2
^X_?sGL?
xSO>QU%
xsu\1(rR	
{Xvc%9
x,X*yQ6
Xy>6|z
x|ynlR
+ xYXG
Y]0#(#=t
y1nsz~3
y2*(lE
/Y7{V7M
@@YA+C
Y$anX!
Y-BXj0|
Yd!n:{
Y>|dN"
 Ygw_7
#!yGwx$
Y,k=pW
[YkySN%
$YmLMd
YNANRC
ynbsIP
$<<ypa/+
y<PN;E
y?P&VT
YQk_rs
yrrrpps
yrrrps
ys,/bX4
YVXc~c
%_	-z:
Z"1}9r)m
Z2fQ`E
z[52sg$2#
z)(6^S
z+7xk]}
z?H0[~
& z@iQ
zK%]?@
>z"m@q
~zm>s"?
z[MSpT
Zo[7~w
=(zR@-
zr#WSI
Z[S>'H
ZStvZJ
zuFhl3A
ZUurBng
Zv$0=_
Zv,;Yzj
zx6,6M7<
zXrv7y-_