Analysis Date: 2014-02-01 11:23:37
MD5: 150bf1dd6c8f37ccd4b9cb814b2e6f24
SHA1: 90206b184d995112bb2cc19be75b2cc4b59ac13e

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: a2de8895fd197ce6f46722a72bf9b342 sha1: f9497af1475eb69fecb5cdb04557d580ba07b8fc size: 65536
Section .rdata md5: 613b9da13d505cfd8f27d611ef5e350a sha1: c4e4ce024af752935dd5ec1908755b2554499228 size: 12288
Section .data md5: db8542270d372f9f6cea78591d6e279b sha1: 1e6fed61dc04726a9f27f8f3c35c00347c184ea7 size: 16384
Section .rsrc md5: b400b8aef3cc0b7b3f02150d2370202b sha1: 617eb8276b8fe3562c8376fe89a130964aa3cc35 size: 8192
Section stxt774 md5: 8d039f04065e55c7bc44bd0e5ef6d1ab sha1: 15c6a98c14927787575431378281863042e22f05 size: 4096
Section stxt371 md5: 37f1befb9bfe932692788c9896bb70bb sha1: 05ce5ecb882fb3f4285126d5445f03201703f424 size: 53248
Timestamp: 2000-09-24 02:20:34
Packer: AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER
PEhash: f1aa56f5aa659d2f0f72c8b9fa9bc891039a97d3
AV mcafee: W32/Almanahe.c
AV msse: Virus:Win32/Almanahe.B
AV clamav: W32.Alman-4
AV avira: W32/Almanahe.B
AV avg: Win32/Alman

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\WINDOWS\linkinfo.dll
Creates File: C:\WINDOWS\system32\drivers\IsDrv118.sys
Deletes File: C:\WINDOWS\system32\drivers\IsDrv118.sys

Process
↳ C:\WINDOWS\Explorer.EXE

Registry: HKEY_CURRENT_USER\SessionInformation\ProgramCount ➝ 1
Creates File: C:\temp\files\malware.exe
Creates File: PIPE\SfcApi
Creates File: C:\temp\monitor.exe
Creates File: C:\WINDOWS\system32\drivers\nvmini.sys
Creates File: DL5CProc
Creates Mutex: __CORE_DL5__
Creates Mutex: PNP#DMUTEX#1#DL5
Creates Mutex: __DL5_INF__
Creates Service: nvmini - system32\drivers\nvmini.sys

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: PIPE\lsarpc
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers\LogonTime ➝ NULL
Creates File: WMIDataDevice

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Network Details:

Strings:
o0+:.:\=:::\.-E-0-0
00-+     :: 
\
.
00
............?-  
0
0 
0
u\\\
\\a
\\\\\\\\""  ""
: ()() = 0x-
..
A.L..

About to restart|You need to download a patch from our website.
A required DLL is corrupt.fPatch error.  Existing game files may have been modified.  You should re-install the game from the CD.
Error
Error: Couldn't find file: %s
File
File (%d of %d)#You must restart your computer now.iCould not set the patch to run on system reboot!
         (((((                  H
Lucida Console
msctls_progress32
MS Sans Serif
(null)
Patching
Progress1
property of their respective owners
PYour computer needs to be restarted to continue the patch. Press OK to continue.
Update Information
When you press OK, your browser will automatically open to the download page.	Web Patch
You must exit the game and run %s to complete the patch.
----(-
()(-,)
)()()(
#0Y ^;g
-1"<16!
12uuQQQQMLLML
1#QNAN
1#SNAN
2@|%9s
}2QQQQuu
2QQURQMLtu}
3-$4i{!
48BC11BD-C4D7-466b-8A31-C6ABBAD47B3E
89=0rA
9'*1'B)'P!'^
_9=HrA
	:*\<a
A4x{%`
A(9A$s
A(;A,r
abnormal program termination
AC 40D
/ACg*F
AdjustTokenPrivileges
ADVAPI32.DLL
*AQ"qA
.?AVstreambuf@@
.?AVtype_info@@
{~,,bB
BeginPaint
,bfN^HE
BFUa.X
 bK	 |
BoG_ *90.0&!!  Yy>
bQrFoEfEgJmFiFsF
btHHt.
}^$bwEX
	%bZ*N
'&C3s<(
c85-]`
[CK0lK@
CloseHandle
COMCTL32.DLL
CompareStringA
CompareStringW
Conquer.dat
CreateCompatibleDC
CreateDialogParamA
CreateDIBitmap
CreateEventA
CreateFileA
CreateFileMappingA
CreateMutexA
CreatePalette
CreateProcessA
,C"ut6N
D0%@t<hPDA
D6E7FC97-64F9-4d28-B52C-754EDF721C6F
<DAreG
@.data
 Decrypted/Optimised by SDR 1.12.FFE5A1FD
DeleteDC
DeleteFileA
DeleteObject
DestroyWindow
D$Hj@P
D$,hLCA
DialogBoxParamA
DispatchMessageA
+DlI;V
dNT	y~f5#Q
DN-tz_
DOMAIN error
D$ RPSh
D$,RPShPCA
DSUVWh
D$\SUVWj
EAF"L[@
\~ef87a
EndDialog
EndPaint
entryp
E:\Projects\WWOnline\APILauncher\patch.cpp
>e_R-P
EXEPatch
ExitProcess
ExitWindowsEx
	-f3F2
F$;F(s
File 'launcher.cfg' is corrupt
FindClose
FindFirstFileA
FindNextFileA
- floating point not loaded
FlushFileBuffers
FormatMessageA
-FPpIC
FreeEnvironmentStringsA
FreeEnvironmentStringsW
FreeLibrary
,fWlTx
GAIsProcessorFeaturePresent
 *gAZ$
GDI32.DLL
GetACP
GetActiveWindow
GetClientRect
GetCommandLineA
GetCPInfo
GetCurrentDirectoryA
GetCurrentProcess
GetDlgItem
GetDriveTypeA
GetEnvironmentStrings
GetEnvironmentStringsW
GetEnvironmentVariableA
GetExitCodeProcess
GetFileSize
GetFileType
GetFullPathNameA
GetLastActivePopup
GetLastError
GetLocalTime
GetMessageA
GetModuleFileNameA
GetModuleHandleA
GetObjectA
GetOEMCP
GetProcAddress
GetStartupInfoA
GetStdHandle
GetStringTypeA
GetStringTypeW
GetSystemTime
GetTimeZoneInformation
GetVersion
GetVersionExA
GetVolumeInformationA
GlobalAlloc
GlobalFree
__GLOBAL_HEAP_SELECTED
GlobalLock
GlobalUnlock
GrabPatches
`h````
HeapAlloc
HeapCreate
HeapDestroy
HeapFree
HeapReAlloc
HeapSize
h	hDR#
HHtpHHtl
HHtYHHtF
 iciNWq
	.ID4Tk
I-iN6+
I	jjLFD
InstallPath
InvalidateRect
`i)QFZ
IsBadCodePtr
IsBadReadPtr
IsBadWritePtr
JanFebMarAprMayJunJulAugSepOctNovDec
jYx'fS
K<5FX=I
KERNEL32
KERNEL32.dll
KERNEL32.DLL
L$4Vhp@A
launcher.bmp
Launcher config file missing
launcher.exe
launcher.txt
LCMapStringA
LCMapStringW
-]lia!
LoadLibraryA
LoadStringA
LookupPrivilegeValueA
L$ PQSh
"L)w"L
M1702b.h
MapViewOfFileEx
MessageBoxA
Microsoft Visual C++ Runtime Library
__MSVCRT_HEAP_SELECT
MultiByteToWideChar
 !N\HjQ
NL(abP
- not enough space for arguments
- not enough space for environment
- not enough space for lowio initialization
- not enough space for _onexit/atexit table
- not enough space for stdio initialization
- not enough space for thread data
(null)
o$6OM7
o"	j 	h
OpenProcessToken
}OrH,c
-----)p
?PatchCallBack@@YGPAXIPAX@Z
patch.err
Patch Error: %s
\patches\
patches\*.*
patches\*.%s
Patchfile vanished?
patchget.dat
patchw32.dll
PeekMessageA
,PJ)b0
PostQuitMessage
PostThreadMessageA
=P~]PC@
PPPP(((
ppxxxx
ProductID
Program: 
<program name unknown>
p,^U,D
- pure virtual function call
PVhX$A
QQSVW3
QQSVWd
QSUVW3
raE:)L
.rdata
ReadFile
RealizePalette
Realize Pal Fail: %d
RegCloseKey
RegCreateKeyExA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RfJ+!r
?|@`	rq
RtlUnwind
RTPatchApply32@12
runtime error 
Runtime Error!
RX_^]3
"%s" .
`S (b@
SelectObject
SelectPalette
Select Pal Fail: %d
SendDlgItemMessageA
SendMessageA
Serial
SeShutdownPrivilege
SetCurrentDirectoryA
SetEndOfFile
SetEnvironmentVariableA
SetFilePointer
SetForegroundWindow
SetHandleCount
SetStdHandle
SetStretchBltMode
SetUnhandledExceptionFilter
SetWindowTextA
[Sh\$A
SHELL32.DLL
ShellExecuteA
ShowWindow
SING error
SKU is missing from config file!
sO;>|C;~
Software\Microsoft\Windows\CurrentVersion
SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
Software\Westwood\Red Alert 2
SS@SSPVSS
StretchBlt
stxt371
@stxt774
SunMonTueWedThuFriSat
T$0QRS
t	_^]3
T$Dj(RS
TerminateProcess
!This program cannot be run in DOS mode.
t-Ht!Ht
TLOSS error
tPhl(A
TranslateMessage
"tRN.G
t#SSUP
+ttHHtd
t.;t$$t(
T{%\{u
t$$VSS
t/WWUPj
$ < u	
u	_^]2
>:u#FV
- unable to initialize heap
- unable to open console device
- unexpected heap error
- unexpected multithread lock error
>:uNFV
UnhandledExceptionFilter
UnmapViewOfFile
UpdateWindow
}!u%q#
user32.dll
USER32.dll
USER32.DLL
uuuuMty
uX>F# _
.V4)oR
VC20XC00U
Version
^Vh\$A
VirtualAlloc
VirtualFree
VT i3=Z
VWh$CA
W;5`vA
WaitForMultipleObjects
WaitForSingleObject
W@	H"?
WideCharToMultiByte
WriteFile
w``u N
"WWShX$A
Y;5dvA
You must run the game from its install directory.
'\y'Pq'Hi'<a
YR&/*R~
_^][YY
YYhD@A
z3aF 84
Ze2Zh@