Analysis Date: 2013-10-24 06:23:29
MD5: 0b6ebc745c4d8e7967189be2a3602d15
SHA1: 90ca00ccd01e7e4c59597ce465cf78d92bc93a58

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: 0bc2ffd32265a08d72b795b18265828d sha1: dd2a446014a37556f39173b802c63a4e46e09366 size: 23552
Section .rdata: md5: f179218a059068529bdb4637ef5fa28e sha1: 6035d27db526131eb0f29aee60cfcdbb5072ed7d size: 4608
Section .data: md5: 975304d6dd6c4a4f076b15511e2bbbc0 sha1: 1f65340672c91ffd0f2583ff104beaece43c7855 size: 1024
Section .ndata: md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc: md5: 3221b6c40b2e862d740ac81bf2516773 sha1: 8cf83c82b3f01e895b908a9c99ea5d3d5cb7ff69 size: 47616
Timestamp: 2009-12-05 22:50:46
Version info:
LegalCopyright: Rentabiliweb
FileVersion: 1.0.0.4
CompanyName: Rentabiliweb
LegalTrademarks: Rencontres Hard is a trademark of Rentabiliweb company
Comments: http://www.carpediem.fr/
ProductName: Rencontres Hard
FileDescription: Rencontres Hard
Packer: Nullsoft PiMP Stub -> SFX
PEhash: cb8de5ee1fe884a1e7be7fdbd64396186fde2fae

Runtime Details:


Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Application Data\rencontreshard\paraminstall.spec
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\InstallationType
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\modern-header.bmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nss2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\header-install.bmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\System.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\inetc.dll
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\ShutdownAllow.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx1.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\InstallationType
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\modern-header.bmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\header-install.bmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\inetc.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\System.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsx3.tmp\ShutdownAllow.dll
Creates Mutex: Rencontres Hard

Process
↳ C:\Program Files\Internet Explorer\iexplore.exe

Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main\Window_Placement ➝
NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Locked ➝
1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: _SHuassist.mtx
Creates Mutex: Shell.CMruPidlList

Network Details:



Strings
000004e4
1.0.0.4
Comments
CompanyName
FileDescription
FileVersion
http://www.carpediem.fr/
LegalCopyright
LegalTrademarks
msctls_progress32
MS Shell Dlg
Please wait while Setup is loading...
ProductName
Rencontres Hard
Rencontres Hard is a trademark of Rentabiliweb company
Rentabiliweb
StringFileInfo
SysListView32
Translation
VarFileInfo
VS_VERSION_INFO
`&&&&&&&&&)&)&)&)&&
||||||||||||||||||||||||||||||||||
////////////////////////
"     %
"""""(
""$"""$
}}}}}|
}}}}}}
}}}}}}}}}}}}}}}}}}}}}}}}}}}}}}
$$$$$$$$$$
*?|<>/":
031204000000Z
0http://crl.verisign.com/ThawteTimestampingCA.crl0
`[>0o|
111111111111111111111;;;
1111111111111717;;CFFFFF
////////////////////////////////////////////////////////////111111111111eeeeeeeeeeeeeeeeeeeeeeee111111111111111111111111
'((())())))))))))))-/11515515111.--57777777777777746:999999999999:6
120501000000Z
121008000000Z
121010084617Z0
121010084618Z0#
121231235959Z0b1
131203235959Z0S1
141019235959Z0
	*&2g>
2j-eW/
2Terms of use at https://www.verisign.com/rpa (c)101.0,
3!!!!!!!
3(((((((((&
}3)8OTTh
3nfZ^R7
4`=.b[
| %.4jL#
+/+//+/+/+/5////////////
5Digital ID Class 3 - Microsoft Software Validation v21
*5K#t^g
?6`t&z
7*][MD
?7!Op1
[7`|T-<
7T5w4x
	,7W|l
8NCRCu
:8}p% g
9is``Vv
##%#%%#%#9u
=*9uJ7
+++++++++++aaaaaaaaaaaaaaaaag
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
A E#_z
?AGGGGGGGGC?
]a}mNR$
AppendMenuA
<ASsp1
$$$$$$$$$b
BeginPaint
B!!!#!#jV
B.)[nQ
BR3{8w
	Bruxelles1
b/~V\RZ
B_XXXXXXXXXXXXXXXXXXXXXXXXXX_B
&&&&&&&&&&c
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
@c~pwgO
C%%%%%`````qu
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
... %d%%
D$0+D$(P
@.data
<datainstaller><install_cancel_url>http://www.espace-plus.net/redir/rotation_redir.php?id_rotation=480&id=10672&tracker=sexepornocul_pdv127_034_ttna_mbv3</install_cancel_url></datainstaller><data><id_webmaster>10672</id_webmaster><idp>0</idp><tracker>sexepornocul_pdv127_034_ttna_mbv3</tracker><id_mb>2183</id_mb><id_server>default</id_server><fullinstall_url>http://local5.yesmessenger.com/messenger/workset/update/2183/setup-2183.exe</fullinstall_url><login></login><password></password><new_account>1</new_account></data>
D$(+D$ SSP
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
DMxxuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuuxx<Q
DP\_aL
DrawTextA
D$(SPS
Durbanville1
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
########eo
EOrp````````````````````prOE
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
f2B&	~
F@;7717171717;CFTFKKKFKK
@FAAAAAAAAAAF@
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
Fj%:vi
fKdKp|
@{FNW.8y
FreeLibrary
FTKKFC;777777CTVTVKTVKVKTTTTTTTTTTTTTTTTTTTTTTTVKVKVKTTKC7777TVVVVVVVVVVssssssssssssssssssssssssVVVVVVVVVVF77DYYYYYYYYYY
f`zE)o=3"
g+++++++++++
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
Gf.RvR
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
'}gS_0
hhhhihhhhi<l
H+++)+++++)+++++)+++++)+++)L
h#mc>u~V
"http://crl.verisign.com/tss-ca.crl0
/http://csc3-2010-aia.verisign.com/CSC3-2010.cer0
/http://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
http://nsis.sf.net/NSIS_Error
http://ocsp.verisign.com0
http://ocsp.verisign.com0;
https://www.verisign.com/rpa0
http://www.yesmessenger.com0
Ht<V/'
`(hWc 
Hz{V[{
I0cC ^
iAac] 
,IbR-@
i:h	5b
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
iRichu
} Ir]Y
IsWindow
IsWindowEnabled
IsWindowVisible
`j,!&I
J__+O]
J)pZ}"
jR$wzG<%
jUyGT	
k!4~]~x
KERNEL32
KERNEL32.dll
kkkkkkkkxW<
KKo^\\\\\\\\\\\\\\\\\\\\\\^oKK
)+)+)+)+)+)+)+)+)+)+)+)+)L
),,),,),,,,,),,),)l|e
lm_l}0
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpynA
lstrlenA
#`M7Jn
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
&<MOG\
More information at:
MoveFileA
MoveFileExA
MulDiv
MultiByteToWideChar
Mv#V]}Y9
.my7bW
n))))))))))))))))))))))
NCCCCCCCCCCCCCCCCCCCCO
.ndata
n&Go)?"
Ng&rZ]a
n)))))))))))))))))))))))J
N>MPOPOPOPOPOPOM>N
NSIS Error
~nsu.tmp
NullsoftInst
NulluM	E
nU-tc}
o5++++++g5/+/+/+/+/+/
oB!8$/
}]oc{%O
OD]sutsssssssssssssstts]DO
~OF_(b
ole32.dll
OleInitialize
OleUninitialize
[OO]v{
OpenClipboard
OpenProcessToken
otL%)))))))llllllllltuurd:)))******aaaaaaaaaaaa********/--4uuuuuuuuuuuu-*/***-8;;;;dddddddddddd;;76//6A@@AAddfddfddfddfA@@@@32HEEEEuuuuuuuuuuuuEEEEH2IHIKKIkiiiiiiiiiiiIIKKHI
$$"$$$"$p
#,P0T$	G
PeekMessageA
PostQuitMessage
PPPPPP
pV	musuuZ
qI&&&&&&&&&&&&&&-
Qjo,mV
=QkhgggggggggggghkR>
q&))))))))))&)))&))))n
.`r~2i
{r305X]
R#####[}c
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
RemoveDirectoryA
[Rename]
Rencontres Hard
Rentabiliweb Belgique0
Rentabiliweb Belgique1>0<
REZsFkp
R%%%#%#hc	
RichEd20
RichEd32
RichEdit
RichEdit20A
R######ja
@=rQ:D
RSS-%%%%%%Sx							
Saint-Gilles1
ScreenToClient
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
;SF5J0B
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
ShowWindow
soc@q`
softuV
Software\Microsoft\Windows\CurrentVersion
sQk,Ze
<SQOOOOOOOOOOOOOOOOQQ<
SQSSSPW
Symantec Corporation1402
+Symantec Time Stamping Services Signer - G30
SystemParametersInfoA
s.`Z>^j
> _?=t
&t8H^P
[|+taL
Thawte1
Thawte Certification1
Thawte Timestamping CA0
!This program cannot be run in DOS mode.
T,,,,,,,iiihiiiiiikin}}}}zn?,,,T,,,,,,,,}}}}}}}}}}}}}}}},,0,,,,,00,0,0,0}}}}}}}}}}}}}}}}000000000000200000000000000000000000000022202222kkkkkkkkkkkkkkkk2222222222222299}}}}}}}}}}}}}}}}2222222227:<>>>>}}}}}}}}}}}}}}}}><:722727FFFFFFFFFFFFFFFFFFFFFFFFFFFF<777HGGGGGGppppppppppppppppGGGGGGH7;MJJJJJJ}}}}}}}}}}}}}}}}JJJJJMM;HKWVVVVV}}}}}}}}}}}}}}}}VVVVVWKH
TJkt~<
T}j}tO
T))))))))))))))))nw
_^[t	P
t]p<jl
TrackPopupMenu
TSA1-30
TSA2048-1-530
u49-,?B
UbOA<h
[uCC%)%)%)uuuuuuuu_
u(*go\/
unpacking data: %d%%
$uo;\<lB
USER32.dll
%u.%u%s%s
uuuuuu
$Uv='{u
v95LpA
verifying installer: %d%%
%VeriSign Class 3 Code Signing 2010 CA
%VeriSign Class 3 Code Signing 2010 CA0
VeriSign, Inc.1
VeriSign, Inc.1+0)
"VeriSign Time Stamping Services CA
"VeriSign Time Stamping Services CA0
VeriSign Trust Network1;09
VerQueryValueA
VERSION.dll
V"Fj<lP
#Vh;+@
VhqW~@N,
Vo8{J?
&VrCma/
Vw>q~.
WaitForSingleObject
Western Cape1
WriteFile
WritePrivateProfileStringA
W+~R:t
wsprintfA
<Wxkkkkkkkk
XMh.88o
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
x\PPPPPPPPPPPPPPPPPPPPPPPPPPPP\x
xvU<n8
~yF%wD
@))))))))))))))Yx
YYVYYYYYYYD<<?i_ZZZZZZZ_
YYWpeGF`
z~4@&'
	Z%B2=
ZJjs:e
ZL*341v
zv]OO[
zxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxz
Z%%)%)%%%%)%))z
Z__ZZZZZ_i<<l<lhhhhhhhhh