Analysis Date: 2015-01-11 01:20:28
MD5: 1ed8931b7cf3cbdddff7a3250c96fcc5
SHA1: 894924af22e3c5a10670892a3c92b8c149d111f1

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 0bc2ffd32265a08d72b795b18265828d sha1: dd2a446014a37556f39173b802c63a4e46e09366 size: 23552
Section .rdata md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section .data md5: 975304d6dd6c4a4f076b15511e2bbbc0 sha1: 1f65340672c91ffd0f2583ff104beaece43c7855 size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 4c579296d379db89e28312a4902ca7f4 sha1: 325da1f99f8fcb84537d48ca4622cd40ace64ac8 size: 29184
Timestamp: 2009-12-05 22:50:46
Packer: Nullsoft PiMP Stub -> SFX
PEhash: 1e335e36a4b59b6bef28523991cd04223fe3c83e
IMPhash: 099c0646ea7282d232219f8807883be0
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.LOZA-7419
AV Avira (antivir): TR/Dldr.Agent.117717
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.E
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: no_virus
AV Kaspersky: HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: RDN/Downloader.a!ug
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\NSISdl.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\i.rar
Creates File: PIPE\wkssvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\nsProcess.dll
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: C:\Documents and Settings\Administrator\Start Menu\Programs\GoldSoft\uninst.lnk
Creates File: PIPE\lsarpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Program Files\GoldSoft\Uninstall.exe
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\Inetc.dll
Creates File: PIPE\srvsvc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\2.ico
Creates File: \Device\Afd\AsyncConnectHlp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Desktop\Intrenet Explorer.lnk
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\3.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\Inetc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\2.ico
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\i.rar
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\NSISdl.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsn3.tmp\3.ico
Creates Process
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: GoldSoft
Winsock DNS: pconline.org.cn

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: WininetConnectionMutex
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Process
↳ Pid 0

Network Details:

DNS: int.dpool.sina.com.cn
Type: A
180.149.136.250
DNS: pconline.org.cn
Type: A
222.186.60.69
DNS: pconline.org.cn
Type: A
222.186.60.70
DNS: pconline.org.cn
Type: A
222.186.60.2
DNS: pconline.org.cn
Type: A
222.186.60.68
HTTP GET: http://int.dpool.sina.com.cn/iplookup/iplookup.php
User-Agent: NSISDL/1.2 (Mozilla)
HTTP GET: http://pconline.org.cn/2.ico
User-Agent: NSIS_Inetc (Mozilla)
Flows TCP: 192.168.1.1:1031 ➝ 180.149.136.250:80
Flows TCP: 192.168.1.1:1032 ➝ 222.186.60.69:80

Raw Pcap
0x00000000 (00000)   47455420 2f69706c 6f6f6b75 702f6970   GET /iplookup/ip
0x00000010 (00016)   6c6f6f6b 75702e70 68702048 5454502f   lookup.php HTTP/
0x00000020 (00032)   312e300d 0a486f73 743a2069 6e742e64   1.0..Host: int.d
0x00000030 (00048)   706f6f6c 2e73696e 612e636f 6d2e636e   pool.sina.com.cn
0x00000040 (00064)   0d0a5573 65722d41 67656e74 3a204e53   ..User-Agent: NS
0x00000050 (00080)   4953444c 2f312e32 20284d6f 7a696c6c   ISDL/1.2 (Mozill
0x00000060 (00096)   61290d0a 41636365 70743a20 2a2f2a0d   a)..Accept: */*.
0x00000070 (00112)   0a0d0a                                ...

0x00000000 (00000)   47455420 2f322e69 636f2048 5454502f   GET /2.ico HTTP/
0x00000010 (00016)   312e310d 0a557365 722d4167 656e743a   1.1..User-Agent:
0x00000020 (00032)   204e5349 535f496e 65746320 284d6f7a    NSIS_Inetc (Moz
0x00000030 (00048)   696c6c61 290d0a48 6f73743a 2070636f   illa)..Host: pco
0x00000040 (00064)   6e6c696e 652e6f72 672e636e 0d0a436f   nline.org.cn..Co
0x00000050 (00080)   6e6e6563 74696f6e 3a204b65 65702d41   nnection: Keep-A
0x00000060 (00096)   6c697665 0d0a4361 6368652d 436f6e74   live..Cache-Cont
0x00000070 (00112)   726f6c3a 206e6f2d 63616368 650d0a0d   rol: no-cache...
0x00000080 (00128)   0a                                    .


Strings
 " "
Ek\uqfvw.uuuu..
t.~.s
msctls_progress32
MS Shell Dlg
Please wait while Setup is loading...
SysListView32
,-$$$./
/"[[[;
*?|<>/":
0123$$45'67889
()*+,-./0123456789:;
0'#b5|
=>>>1""
#''19";;9
}1Xn&|
;2ly|av]
2tX'|x
:;<=>?3
3$8J+	$
3CDEFGHHIJKLM
3Kz?0w
3LE6?-
3P_`abbcWcdef;;
3v	Z~&
45+++64
4D>2DaC
`$4n-r
!"*4qH
4&q	\{R
@4x%5Ta
[#5aD{
5AXsKIdt)
~5&|dI
5.gJYxq
!5RXfm
6[mj,2)
6Mk8.`
7E3D!Tr$
7V\``x
8NCRCu
9"99'HHH
@A123$BC
A$#33_3R
?@A77)4BCCCDE
 A*8jM
,;A/aa
<=+>?@AB
^_`abcdcefghijjklm?no
`Ab$opqrsttttsuvwxyzym{bbb$Q
aBRbc&5Fdeefffghi]jklmn;RB$3Q
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
AFG:HIJKLM
akdV\c-
AppendMenuA
/A__$;R
bcdefghijklmnopUUVWXYZ[\]^_`a
BeginPaint
BHfb{z
b-hG9q|
b^&^=O
B\x37:
bXk}%#
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
cl\lK%(
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
Cs]	E7
... %d%%
'\('D0
D$0+D$(P
@.data
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
DrawTextA
D$(SPS
e2Aer:^kW
E"6`C1
e@I?$W(
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
 ESwmQPv
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
F4DHG7K
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
f;N!oO
'FPBTj]<
FreeLibrary
F<:S7c
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
G)evYAE(
GJ1wlK
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
gO]Vn`UR
G!?	v,9t
;;'H;%
?H6\(8S?
HC<="b
HH:HH"H
;;:HOFPt]@uuuvv@@@]wxyprz{{zzr|;:;;;'
http://nsis.sf.net/NSIS_Error
ia8|||
;;:i	F3
IJKLMNO$3P
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
iMt+Y]s
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
iRichu
;i%S";h
IsWindow
IsWindowEnabled
IsWindowVisible
jLYN!eh4
@^jt,(=\r
KERNEL32
KERNEL32.dll
;L%dr}9
<LD"#S
lmnopqdYdqrs;;;
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
^_?:LQ
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
mC3Z.Mc
%-M@d@'M
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
More information at:
MoveFileA
MoveFileExA
\=mUl}
MulDiv
MultiByteToWideChar
N>1"""
.ndata
N"HH;H:HH
Nk}R^Q
N>OPQBRSTUVQWXYZ[\]O>
n>qJld
NSIS Error
~nsu.tmp
.'NT6v
NullsoftInst
NulluM	E
o2x22|
';OFAFP3Q4RBSET
ole32.dll
OleInitialize
OleUninitialize
OpenClipboard
OpenProcessToken
OPQRST
O]&]@uPsF/
;;\]))P
PeekMessageA
pgp n%
PostQuitMessage
PPPPPP
pqrstuuvwxyz{|}~
>PqxZ!
Q33$R;455,,SHTUVWXYZ[\]^B$$_
Q9aY}`bq
Q|h-zM
'+Qrsk
qrstuvwxyz{|}~
QUVHJWWXWYZ[
qYxw&C
r|;:::;;
rb0*.m
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
RichEd20
RichEd32
RichEdit
RichEdit20A
r	[UiKQ
s2<h 8
ScreenToClient
~S\	dnR)<
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
softuV
Software\Microsoft\Windows\CurrentVersion
SQSSSPW
s$Sq*~I
St_Y_y
S-U[H0[
SystemParametersInfoA
> _?=t
%-T8+uI[
!This program cannot be run in DOS mode.
tkD}}}
_^[t	P
TrackPopupMenu
$!&~@U
u49-,?B
u6iJOtC
%*u]\B
UgK'Y#
unpacking data: %d%%
Uo|QD>
U]r!Qu
USER32.dll
%u.%u%s%s
~";;::V
v95LpA
verifying installer: %d%%
VerQueryValueA
VERSION.dll
%VF@2Z 
#Vh;+@
<VJ_u3
|v,kXQ
vnZxxx
vq_+CD
WaitForSingleObject
w{<	dA
WriteFile
WritePrivateProfileStringA
_ (WSnb`
wsprintfA
:]X%d{a
Xl LmYd A{
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
(	: XQ
xU_xxJr
y1	7;s
Y1U6U1
Y2FF`O
YLdGRC7
<YmguQ
YMSlBN
Z1Wjc&T
Z)37D=k
zHi%1e7eGLx
-{zIQ6
ZM/[kF|
ZOv_L~B
[~Zsy9Z
ZT'.jZ
Zw`5UT~