Analysis Date: 2015-02-02 01:26:51
MD5: 1c7ee9ebdfbb88227502f6799fcf0efc
SHA1: b0212e5b139ecdf398a0822bf982b115be62868d

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text: md5: ead411693117dae8deb088f5bb4a85fa sha1: b8e6aeccd3d0c302590d34bca7cf66da33daca52 size: 72192
Section .rdata: md5: e70f56667b8e99a1ec239fd12b1640b4 sha1: fba2ce613ec7c4a7ba1b9d0c03ad0c3ba3aa1a67 size: 7680
Section .data: md5: 11ffdfc240c81dfe9d957f6bf1761f00 sha1: f0f691437eb067b4de686e8b7225b8e4127cb275 size: 512
Section .CRT: md5: acdfc3df6b189cbcd09b1c888f95fe9a sha1: d3f914de25aed7a125b6c83ebe2a497878fc22d1 size: 512
Section .rsrc: md5: 0e42f323cc45b1d46509324ae58eb059 sha1: e8a93a2e6aa4b104a848e9c4b82d3793ed145645 size: 16896
Timestamp: 2011-03-02 07:40:24
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 2a2a75fefb6b2a26dc58a15760dde421399aae76
IMPhash: dbb1eb5c3476069287a73206929932fd
AV 360 Safe: no_virus
AV Ad-Aware: no_virus
AV Alwil (avast): Dropper-gen [Drp]
AV Arcabit (arcavir): no_virus
AV Authentium: W32/Trojan.HODN-6101
AV Avira (antivir): no_virus
AV BullGuard: no_virus
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: no_virus
AV Eset (nod32): NSIS/TrojanDownloader.Chindo.F
AV Fortinet: W32/Chindo.B!tr.dldr
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: no_virus
AV K7: Riskware ( 0040f0f51 )
AV Kaspersky: HEUR:Downloader.NSIS.Feasu.heur
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): no_virus
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Screenshot

Process
↳ C:\malware.exe

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: WininetConnectionMutex
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!

Network Details:


Raw Pcap

Strings
\_
.\
:\\
...
010A___
.
.
x
S
%08x
(&A)
about:blank
ASKNEXTVOL
</b> 
 <b>
(&B)...
<br>
<br><br> <li>
b<style>body{font-family:"Arial,
%c:\
(&C)
ccpp
 %d 
(&D)
Delete
(&E):
EDIT
-el -s2 "-d%s" "-p%s" "-sp%s"
.exe
";font-size:12;}</style><ul><li>
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Install
jmsctls_progress32
kernel32
(&L)
</li>
</li><br><br>)<li>
</li><br><br>)<ul><li>
License
LICENSEDLG
LICENSEDLG	RENAMEDLG
</li></ul>
.lnk
*messages***
(&N)
@&nbsp;
Overwrite
</p>
Path
Presetup
ProgramFilesDir
(&R)
.rar
RarHtmlClassName
RarSFX
RENAMEDLG
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
 %s 
"%s"
SavePath
 %s CRC 
%s CRC 
%s.%d.tmp
SeRestorePrivilege
SeSecurityPrivilege
Setup
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
Title
__tmp_rar_sfx_access_check_%u
Update
utf-8"></head>
(&W)...
 Windows 
WinRAR 
winrarsfxmappingfile.tmp
(&Y)
 !"#$%&
?*<>|"
{{{{{{{{{
 (08@P`p
0e|EsY
^+0I9J
0	*m26ZG
/'[,\\0]^_\\\Q
"1	j`Ny
3<1h~bA
33!D	3
3,45657879
3a>hgM
3fA>Wa
3Si1OKm?
<3\u1WV
:(,4;<=>;?@
4+$+v+
4Y_cOW
4Y_cOW	
^5$eJh
|:5[uU;97
5yXiF=VLbI
&62no=*
^64[//
697Q{q
6eMk*K
 6!z=C
7E	e&t7X
]7s%	_ 
&>7yNH
8888888888887
8888888888{x7
8aBFB^
`8AD,En"
8b9DW\3
{8$BVd
,8@s5g
8YhT	<.
9O$PgBc
:!9YcC
|A0LF?GB
'A,4;BC
aaaaaaaaaaaaaaaaaaaaf~leQmux
aBL0eQrY
AdjustTokenPrivileges
ADVAPI32.dll
  </application>
  <application>
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
a&Spn~
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
Aw#*CS
bad allocation
B):b@?J1
@b	gck(W
<B@II;
>	=b\M
br&a&w
ceQ&^	gdk
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
c@"j4Z=b
CloseHandle
CLSIDFromString
c:.MHm
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
cv/~`=9:
d42u5=
''''''''''''''''''DaJKHPam
@.data
dc6Z!W
ddddddd
dddddddd
DefWindowProcW
DE&'kB
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
Dht<^.
DialogBoxParamW
DispatchMessageW
)dKJ:K^
dk)uoV
 d;N>G
DosDateTimeToFileTime
    <dpiAware>true</dpiAware>
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
DU:xXkR
e]+]5)
e6s*Ui
]E#h*R
eicpYo
e!j}jr
e	k~	5
EnableWindow
EndDialog
e}pN6w@
ExitProcess
ExpandEnvironmentStringsW
F _^[]
f4L]W/
f90u2h
fbc:N:
F@F3B~H
FFF))EE	FFFF))))))
FI;)>$
FileTimeToLocalFileTime
FileTimeToSystemTime
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
F\jYUB0j
f/pmUSW)>4
FreeLibrary
Fs^,C[5
<F"t	@f9
g33WwQ
GB{*$G
GDI32.dll
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
Ggq)h9
gi`T`n
Gj{ra(
gl;A=yl
"(GLOa
GlobalAlloc
gwS3	3
gwS37%w`	
h31c/]
h!c7ql
HeapAlloc
HeapFree
HeapReAlloc
HtCHt<Ht5H
HtEHt7
HtFHt8Ht*Ht
HtoHt>
HtOHt^HtBHu#
 %#iI>'t^
IJKL=MNOPQ
InitCommonControlsEx
I;S4Y`
IsDBCSLeadByte
IsWindow
IsWindowVisible
&Itfk!
i;TYs`
IWj\_f9>u?f9~
+j~"^\
Je,*ki
JJJJJJJJJJJJJJJJJJJaieQRamu
JKyF(h
.#JLEXW
JTFO'	
j Y+L$
JY'op[
kbbbob_464_2177.exe
KERNEL32.dll
kkkkkkkkkkkjhjjjo
kOCOu3Yh
l1s/:G
*L5A(=#Q
l#a<lj
      language="*"/>
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LocalFileTimeToFileTime
LookupPrivilegeValueW
L vDu3
lw_v0V
/m,3Hr
MapViewOfFile
MapWindowPoints
mCtE\D
MessageBoxW
*messages***
Mja==}k
;MJcu,p
mmrrrrs
MoveFileExW
MoveFileW
?=MQWFV%C
MultiByteToWideChar
N4Y_cOW
N6N+QvL
N8F.ilz
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
.|nA=Q
NNu$j	
n,R 9u2
Nv@y|.D
*NW[&{
^nwhWY
nx5oS%j]
Nz<7`5
O9J@s`9
OemToCharA
OemToCharBuffA
`O/f&Tnx
o^H]wk
oi#g.1
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
OpenFileMappingW
OpenProcessToken
Os2!Xg
P9]pu;
P9]pu+
PADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
PA<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
pbODID_b'A
PeekMessageW
penc-N
PeZ@.<
P%'_GG
pkk1UZ
PostMessageW
\Pp+U<\vb
      processorArchitecture="*"
  processorArchitecture="*"
      publicKeyToken="6595b64144ccf1df"
Pv)}-B#
PWhx8A
q4bKP:7
QcgI@=e>
;q[eaA%
q(M~!3
Q|P'	Y6F
QQSVWh
QRV*5*<3R
RA3x)0
__rar_
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ReleaseDC
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
RQk	Nh
rrrrrmm
rrrrrr
rrrrrrr
rrrrrrrr
rrrrrrrrrrrrrppps
r,s%H~e
@.rsrc
RSTU0VWXYZH
	rxnc)
>S4neHp
s5KA)7d9
s?a}Gn
%.*s(%d)%s
  </security>
  <security>
SelectObject
SendDlgItemMessageW
SendMessageW
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
sIykpeR&
so/qej]e	
>`s#QK`
StretchBlt
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
(SVWj 
`SVWjh
SystemTimeToFileTime
sZmd`F
t0ht6A
t0SSSj
t4SSVW
TAf3w]@
T``/\c]
t	FAA;t$
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
t!hh3A
!This program cannot be run in DOS mode.
Tj_2ut
TO>J}j;u
T{OO=`
tqmxzz
TranslateMessage
/t^rRii
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
TS._COGMA
 tSj X
t<SSSS
<*t*<?t
T<}uHi
      type="win32"
  type="win32"/>
;\u0VW
u5>l`4
?U7ywJd
(<\u$8F
uGWF@t
u h\3A
uHD,$L
u!hp8A
      uiAccess="false"/>
UnmapViewOfFile
UOWBQ;^-;
UpdateWindow
{URich
,*u*'S
USER32.dll
U" ziru
V%1@Jt
V][3ez
V@@AAf
VbqW5J
\\`Ve}b
  version="1.0.0.0"
      version="6.0.0.0"
$vey vO
v?g^Ke
VHgx{Y
v	N+D$
?vNj@_+
vNzd|q
v`OHC6
~vrrrrr
~vrrrrs
VSSSSh
)_V]X]N
w5SSSS
WaitForInputIdle
WaitForSingleObject
&W[HBbH
@WhP6A
WideCharToMultiByte
WINRAR.SFX
Wj<_WS
wKKS!d#,-]
w^pZen
WriteFile
wvsprintfA
wvsprintfW
Wwgu"'P
WwR"'P
WwS7'u
wwwwwwww
@x>8Wd3
xkWsuu)
x#;lAU
xLwp|;
`Xw hC(
YNANRC
yrrrpps
yrrrps
YVXc~c
Z2fQ`E
Z7 *]P
Z=i@Bz.
zuFhl3A