Analysis Date: 2015-02-04 17:42:29
MD5: 7a3ef1cf374700359cdae1a9cb0bef61
SHA1: e21582a72873e6586fe4f1ca2cb81cac6dc303f7

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text md5: 9dfc1bc55ef90dfdde51b4a47a602ee6 sha1: 70482c9619b46162087bd559ad65a1d91515cc17 size: 23552
Section .rdata md5: 5801d712ecba58aa87d1e7d1aa24f3aa sha1: 0ec4a63131e982d6c2f062510def1c9cc9289b04 size: 4608
Section .data md5: f1bf988467c2a1fe94575f6d3e66d158 sha1: ab35d7dd69e376ddce14c176e377cd791a67bb3f size: 1024
Section .ndata md5: d41d8cd98f00b204e9800998ecf8427e sha1: da39a3ee5e6b4b0d3255bfef95601890afd80709 size: 0
Section .rsrc md5: 8bcfd9632e5c2148ed5204ed09d6d107 sha1: 2cf5706529e2d19498199eb362dfd7f171b4d81e size: 8192
Timestamp: 2014-05-11 20:03:36
Version:
LegalCopyright:
FileVersion: 3.5.6.1
CompanyName: Ammyy LLC
ProductName: Ammyy Admin
ProductVersion: 3.5.6.1
FileDescription: Ammyy Admin
Packer: Nullsoft PiMP Stub -> SFX
PEhash: bd0cc7366ee60c62365cc166daecbcaac762505a
IMPhash: 59a4a44a250c4cf4f2d9de2b3fe5d95f
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.2124529
AV Alwil (avast): Agent-AULI [Trj]:Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): Trojan.GenericKD.2124529:Gen:Variant.Symmi.48236
AV Authentium: W32/Trojan.WQGX-6399
AV Avira (antivir): TR/Crypt.Xpack.102001
AV BullGuard: Trojan.GenericKD.2124529
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: no_virus
AV Emsisoft: Trojan.GenericKD.2124529
AV Eset (nod32): Generik.MSYZPMX
AV Fortinet: W32/Kryptik.CKFX!tr
AV Frisk (f-prot): no_virus
AV F-Secure: Trojan.GenericKD.2124529
AV Grisoft (avg): Inject2.BBPJ
AV Ikarus: Win32.SuspectCrc
AV K7: Trojan ( 004afb201 )
AV Kaspersky: no_virus
AV MalwareBytes: Trojan.ZBAgent.NS
AV Mcafee: RDN/Generic.tfr!ee
AV Microsoft Security Essentials: no_virus
AV MicroWorld (escan): Trojan.Nsis.Androm.3[ZP]
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: Trojan.Gen.2
AV Trend Micro: TROJ_SPNR.38K314
AV VirusBlokAda (vba32): no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\humpies\Balliol.p
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsf2.tmp
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsc3.tmp\Balliol.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsc3.tmp
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsc3.tmp\Balliol.dll
Deletes File: C:\Documents and Settings\Administrator\Local Settings\Temp\nsz1.tmp
Creates Process: C:\malware.exe

Process
↳ C:\malware.exe

Creates File: C:\Documents and Settings\Administrator\Local Settings\Temp\466d_appcompat.txt
Creates File: PIPE\lsarpc
Creates Process: C:\WINDOWS\system32\dwwin.exe -x -s 184

Process
↳ C:\WINDOWS\system32\dwwin.exe -x -s 184

Network Details:


Strings
 " "0x\
lE
.
000004e4
3.5.6.1
Ammyy Admin
Ammyy LLC
CompanyName
FileDescription
FileVersion
LegalCopyright
msctls_progress32
MS Shell Dlg
ProductName
ProductVersion
StringFileInfo
SysListView32
Translation
VarFileInfo
VS_VERSION_INFO
*?|<>/":
0!)=.6v
0)?~Fn|9a@
:`0H9MP
0Jh7Dd
0KlNzZn
1 e0CsPiZ,
&1Kk{c
22XsLKP
	 "2a^
2Txfj8 
-3A5'!
3TB7!?E:
4\F56^
|+*+6.
\@6P*r
7'hAj-
+7n!lYV
$}7Zz0
;95;SPL_`^Zyfda
9AkwH=
?'9~"f
9K28W/
9r)/8^
AdjustTokenPrivileges
ADVAPI32
ADVAPI32.dll
a/+g<+
aLaT!d+
AppendMenuA
a*vWs;
a&#,YI
BeginPaint
B$.F)v
)bH~*"p
bT(B}c
B[zcbX
CallWindowProcA
CharNextA
CharPrevA
CheckDlgButton
C=im+++
CloseClipboard
CloseHandle
CoCreateInstance
COMCTL32.dll
CompareFileTime
Control Panel\Desktop\ResourceLocale
CopyFileA
CoTaskMemFree
Cr%=cH
CreateBrushIndirect
CreateDialogParamA
CreateDirectoryA
CreateFileA
CreateFontIndirectA
CreatePopupMenu
CreateProcessA
CreateThread
CreateWindowExA
... %d%%
@.data
^d	d! 
D$$+D$
D$,+D$$P
.DEFAULT\Control Panel\International
DefWindowProcA
DeleteFileA
DeleteObject
DestroyWindow
DialogBoxParamA
DispatchMessageA
`dl?\0
DrawTextA
D$,SPS
e1dabUB8
E#~3"`
@,Ecs	
ec`}^\XxH
|EFuftC
%.e"~L
EmptyClipboard
EnableMenuItem
EnableWindow
EndDialog
EndPaint
EOgPN1
Error launching installer
Error writing temporary file. Make sure your temp folder is valid.
ewQqo'
ExitProcess
ExitWindowsEx
ExpandEnvironmentStringsA
~' %f@
F IDVJ
FillRect
FindClose
FindFirstFileA
FindNextFileA
FindWindowExA
FJhzgy
}F-Mq3GeK
$FPE854
FreeLibrary
F!+.Xf
g*aHvR
gb^	rF
,_gD!,
GDI32.dll
GetClassInfoA
GetClientRect
GetCommandLineA
GetCurrentProcess
GetDeviceCaps
GetDiskFreeSpaceA
GetDiskFreeSpaceExA
GetDlgItem
GetDlgItemTextA
GetExitCodeProcess
GetFileAttributesA
GetFileSize
GetFileVersionInfoA
GetFileVersionInfoSizeA
GetFullPathNameA
GetLastError
GetMessagePos
GetModuleFileNameA
GetModuleHandleA
GetPrivateProfileStringA
GetProcAddress
GetShortPathNameA
GetSysColor
GetSystemDirectoryA
GetSystemMenu
GetSystemMetrics
GetTempFileNameA
GetTempPathA
GetTickCount
GetUserDefaultUILanguage
GetVersion
GetWindowLongA
GetWindowRect
GetWindowsDirectoryA
GJy'nz
GlobalAlloc
GlobalFree
GlobalLock
GlobalUnlock
G Mw/:
<gT&^Z
GXZezR
GzYSnd
H|!D=)
HGVM_q
hO6"{3
http://nsis.sf.net/NSIS_Error
h'UK{<
I#]1s,x
I^2+,7eV
]I6G yG
ICa21b*;
IIS?"6
ImageList_AddMasked
ImageList_Create
ImageList_Destroy
incomplete download and damaged media. Contact the
In"p)X
Installer integrity check has failed. Common causes include
installer's author to obtain a new copy.
Instu_
InvalidateRect
i}OS.$
IPkt$T't
iRichu
I>rips
IsWindow
IsWindowEnabled
IsWindowVisible
J9jhoT
jaYPq'
JgEkR=
JN"sVzb`
@%:JwW
\Jy(OC
k05n/p
KERNEL32
KERNEL32.dll
K'gjl'X
khCsy\#
kLTV;.
)kQX*/
LdfR<g
[%lev3
.LFK|4
lg#zH`
L)K@[w!
*]=L MZ
 #lo1r
LoadBitmapA
LoadCursorA
LoadImageA
LoadLibraryA
LoadLibraryExA
LookupPrivilegeValueA
LO(uPk{
lstrcatA
lstrcmpA
lstrcmpiA
lstrcpyA
lstrcpynA
lstrlenA
M7r0nY}_
_ &>m|d_>
MessageBoxIndirectA
\Microsoft\Internet Explorer\Quick Launch
More information at:
MoveFileA
MoveFileExA
MulDiv
MultiByteToWideChar
N6sv8x
.ndata
nFu^I6q!v
ng+{JbA
NSIS Error
~nsu.tmp
NullsoftInst
NulluM	E
!Nw-zM
(=nz"^
oDHx]4
ole32.dll
OleInitialize
OleUninitialize
OM4{$9i
OpenClipboard
OpenProcessToken
o+QrT"
ot{%|L
PeekMessageA
p~.k(w
PostQuitMessage
p{otcL
PPPPPP
pQL4s"
.pWWvq
QbbAxG
Q'|/EN
qjc`}OD
;QO3d%K
QrQjV,u
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExA
RegDeleteKeyA
RegDeleteKeyExA
RegDeleteValueA
RegEnumKeyA
RegEnumValueA
RegisterClassA
RegOpenKeyExA
RegQueryValueExA
RegSetValueExA
ReleaseDC
RemoveDirectoryA
[Rename]
RichEd20
RichEd32
RichEdit
RichEdit20A
{(r.:T
Rwo9^I
ScreenToClient
sdD3o`
SearchPathA
SelectObject
SendMessageA
SendMessageTimeoutA
SeShutdownPrivilege
SetBkColor
SetBkMode
SetClassLongA
SetClipboardData
SetCurrentDirectoryA
SetCursor
SetDlgItemTextA
SetEnvironmentVariableA
SetErrorMode
SetFileAttributesA
SetFilePointer
SetFileTime
SetForegroundWindow
SetTextColor
SetTimer
SetWindowLongA
SetWindowPos
SetWindowTextA
SHAutoComplete
SHBrowseForFolderA
SHELL32.dll
ShellExecuteA
SHFileOperationA
SHFOLDER
SHGetFileInfoA
SHGetFolderPathA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHLWAPI
Sh%M{/
ShowWindow
SIG?zaKR6
softuV
Software\Microsoft\Windows\CurrentVersion
^sp3H99|iV
SQSSSPW
SXp]D<
SystemParametersInfoA
sz.lQXN
T0o`Ob
t(5D46
"t(CPj7
!This program cannot be run in DOS mode.
_^[t	P
TrackPopupMenu
u49-l7B
UaWF_C;
ue)cy}:W
unpacking data: %d%%
uQz[nq
USER32.dll
u>Tcy5
%u.%u%s%s
*u}#:V
(-V)2!x/#O`
"((v)5'
V9t/;`
verifying installer: %d%%
VerQueryValueA
VERSION.dll
#VhB+@
vu3CgD|
WaitForSingleObject
="Wm/,
WriteFile
WritePrivateProfileStringA
wsprintfA
x~C'_.
>+Xh'^K
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
X+/%y2S"A!
y$94+!K*
Y~_Ff7h
'y?LA?;
%yO	I+
Y	Ol1Ml
#y-T},
"YTOJ{wot
y;w/G@
zp0qVZ