Analysis Date: 2014-08-19 18:01:32
MD5: 762ccfb89414ffe1161a4c2971393a4f
SHA1: f56607cb19a02a97009c0e71174396f9524ba195

Static Details:

File type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit
Section .text  md5: ead411693117dae8deb088f5bb4a85fa sha1: b8e6aeccd3d0c302590d34bca7cf66da33daca52 size: 72192
Section .rdata md5: e70f56667b8e99a1ec239fd12b1640b4 sha1: fba2ce613ec7c4a7ba1b9d0c03ad0c3ba3aa1a67 size: 7680
Section .data  md5: 11ffdfc240c81dfe9d957f6bf1761f00 sha1: f0f691437eb067b4de686e8b7225b8e4127cb275 size: 512
Section .CRT   md5: acdfc3df6b189cbcd09b1c888f95fe9a sha1: d3f914de25aed7a125b6c83ebe2a497878fc22d1 size: 512
Section .rsrc  md5: 3fa42acf750a6a3c918c63f35910d012 sha1: 3ed424dfc2500c97303e61f2290b0af99a5b6ad3 size: 65536
Timestamp: 2011-03-02 07:40:24
Pdb path: d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
PEhash: 5b313e2934fe37382e8a8746ae874246627aaf80
IMPhash: dbb1eb5c3476069287a73206929932fd
AV 360 Safe: no_virus
AV Ad-Aware: Trojan.GenericKD.1786279
AV Alwil (avast): Malware-gen:Win32:Malware-gen
AV Arcabit (arcavir): no_virus
AV Authentium: no_virus
AV Avira (antivir): TR/Rogue.291125
AV CA (E-Trust Ino): no_virus
AV CAT (quickheal): no_virus
AV ClamAV: no_virus
AV Dr. Web: Trojan.Packed
AV Emsisoft: Trojan.GenericKD.1786279
AV Eset (nod32): Win32/Korplug.BX
AV Fortinet: no_virus
AV Frisk (f-prot): no_virus
AV F-Secure: no_virus
AV Grisoft (avg): no_virus
AV Ikarus: Trojan.SuspectCRC
AV K7: no_virus
AV Kaspersky: Backdoor.Win32.Gulpix.xj
AV MalwareBytes: no_virus
AV Mcafee: no_virus
AV Microsoft Security Essentials: Backdoor:Win32/Plugx.A
AV MicroWorld (escan): Trojan.GenericKD.1786279[ZP]
AV Norman: winpe/Troj_Generic.VJGWN
AV Rising: no_virus
AV Sophos: no_virus
AV Symantec: no_virus
AV Trend Micro: no_virus
AV VirusBlokAda (vba32): no_virus
AV Yara APT: no_virus
AV Zillya!: no_virus

Runtime Details:

Process
↳ C:\malware.exe

Creates File: __tmp_rar_sfx_access_check_74046
Creates File: Mc.exe
Creates File: McUtil.dll
Creates File: McUtil.dll.url
Deletes File: __tmp_rar_sfx_access_check_74046
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Mc.exe

Process
↳ C:\Documents and Settings\All Users\AVck\Mc.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Mc.exe

Creates File: C:\Documents and Settings\All Users\AVck\McUtil.dll
Creates File: C:\Documents and Settings\All Users\AVck\Mc.exe
Creates File: C:\Documents and Settings\All Users\AVck\McUtil.dll.url
Creates Mutex: Global\DelSelf(000007C8)
Creates Mutex: Global\DelSelf(000004D8)
Creates Service: AVck - C:\Documents and Settings\All Users\AVck\Mc.exe

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Registry: HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\CLASSES\FAST\CLSID ➝ NULL
Registry: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass ➝ 1
Creates File: C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat
Creates File: C:\Documents and Settings\Administrator\Cookies\index.dat
Creates File: PIPE\lsarpc
Creates File: pipe\winlogonrpc
Creates File: \Device\Afd\Endpoint
Creates File: C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat
Creates Process: C:\WINDOWS\system32\msiexec.exe 209 1392
Creates Mutex: Global\DelSelf(00000498)
Creates Mutex: Global\DelSelf(000000F4)
Creates Mutex: Global\DelSelf(000004D8)
Creates Mutex: Global\DelSelf(00000758)
Creates Mutex: Global\DelSelf(000003FC)
Creates Mutex: Global\DelSelf(00000484)
Creates Mutex: c:!documents and settings!administrator!local settings!history!history.ie5!
Creates Mutex: Global\DelSelf(00000224)
Creates Mutex: Global\DelSelf(00000268)
Creates Mutex: Global\DelSelf(00000324)
Creates Mutex: Global\DelSelf(0000052C)
Creates Mutex: Global\DelSelf(000001EC)
Creates Mutex: Global\DelSelf(00000274)
Creates Mutex: c:!documents and settings!administrator!cookies!
Creates Mutex: DBWinMutex
Creates Mutex: Global\DelSelf(00000354)
Creates Mutex: Global\DelSelf(000003C8)
Creates Mutex: Global\DelSelf(0000023C)
Creates Mutex: Global\DelSelf(00000458)
Creates Mutex: Global\DelSelf(00000570)
Creates Mutex: Global\DelSelf(000004B8)
Creates Mutex: Global\DelSelf(000007C8)
Creates Mutex: c:!documents and settings!administrator!local settings!temporary internet files!content.ie5!
Creates Mutex: Global\DelSelf(00000148)
Winsock DNS: 127.0.0.1

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\System32\svchost.exe

Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\WBEM\CIMOM\List of event-active namespaces ➝ NULL
Creates File: C:\WINDOWS\system32\WBEM\Repository\$WinMgmt.CFG
Creates File: C:\WINDOWS\system32\WBEM\Logs\wbemess.log

Process
↳ C:\WINDOWS\system32\spoolsv.exe

Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\BeepEnabled ➝ NULL
Registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System\Print\TypesSupported ➝ 7
Registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\Printers\SymbolicLinkValue ➝ NULL
Registry: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Print\Printers\DefaultSpoolDirectory ➝ C:\WINDOWS\System32\spool\PRINTERS\\x00

Process
↳ C:\WINDOWS\System32\alg.exe

Process
↳ C:\WINDOWS\system32\svchost.exe

Process
↳ C:\WINDOWS\system32\services.exe

Creates File: pipe\PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
Creates File: PIPE\lsarpc

Process
↳ C:\WINDOWS\system32\msiexec.exe 209 1392
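
The runtime section above shows a WinRAR SFX stub dropping Mc.exe, McUtil.dll and McUtil.dll.url, re-creating the same three files under All Users\AVck, registering a service named AVck that points at that copy, and then starting svchost.exe and msiexec.exe with numeric-only arguments while holding a series of Global\DelSelf(<handle>) mutexes. That three-file layout (a host .exe, a DLL beside it and a third file named after the DLL) is the side-loading arrangement widely documented for the PlugX/Korplug family the AV column names. The Python script below is an example added to this page, not part of the report or of any sandbox's tooling: it parses "Creates File / Process / Service / Mutex" lines in this page's layout and flags those four patterns. The writable-directory list, the numeric-argument heuristic for injection hosts and the DelSelf regex are assumptions chosen to fit this sample, not vendor signatures, and the sample report embedded in the block is constructed from the runtime section rather than copied verbatim.

```python
"""Triage helper for sandbox reports laid out like this page (added example).
Flags, per process block:
  1. a side-loading triad: an .exe, a .dll and '<dll>.url' written to one directory
  2. a service whose binary lives under a user-writable path
  3. svchost.exe / msiexec.exe started with numeric-only arguments (injection host)
  4. 'Global\\DelSelf(<hex handle>)' mutexes
All four heuristics are assumptions fitted to this sample, not vendor signatures.
"""
import ntpath
import re
from collections import defaultdict

# Accepts both 'Creates FileX' (no separator, as the raw report) and 'Creates File: X'.
EVENT_RE = re.compile(r"^(Creates (?:File|Process|Service|Mutex)):?\s*(.+)$")
PROC_RE = re.compile(r"^↳\s*(.+)$")
SERVICE_RE = re.compile(r"^(?P<name>[^-]+?)\s*-\s*(?P<path>.+)$")
HOST_RE = re.compile(r"(?i)\\(svchost|msiexec|dllhost|rundll32)\.exe\s+\d+(?:\s+\d+)*$")
DELSELF_RE = re.compile(r"^Global\\DelSelf\([0-9A-Fa-f]{8}\)$")
WRITABLE_DIRS = ("\\all users\\", "\\programdata\\", "\\temp\\", "\\users\\")  # assumption


def parse_report(text):
    """Map each '↳ <process>' block to its list of (event kind, value) pairs."""
    events, current = defaultdict(list), None
    for line in (l.strip() for l in text.splitlines()):
        if m := PROC_RE.match(line):
            current = m.group(1)
        elif (m := EVENT_RE.match(line)) and current is not None:
            events[current].append((m.group(1), m.group(2).strip()))
    return dict(events)


def find_sideload_triads(events):
    """(process, dir, exes, dlls) where one process wrote .exe, .dll and '<dll>.url' together."""
    hits = []
    for proc, evs in events.items():
        by_dir = defaultdict(set)
        for kind, val in evs:
            if kind == "Creates File":
                d, name = ntpath.split(val)
                by_dir[d.lower()].add(name.lower())
        for d, names in by_dir.items():
            exes = sorted(n for n in names if n.endswith(".exe"))
            dlls = sorted(n for n in names if n.endswith(".dll") and n + ".url" in names)
            if exes and dlls:
                hits.append((proc, d, exes, dlls))
    return hits


def find_writable_path_services(events):
    """Services registered with a binary under a user-writable directory."""
    hits = []
    for evs in events.values():
        for kind, val in evs:
            m = SERVICE_RE.match(val) if kind == "Creates Service" else None
            if m and any(w in m["path"].lower() for w in WRITABLE_DIRS):
                hits.append((m["name"].strip(), m["path"]))
    return hits


def find_numeric_arg_hosts(events):
    """System binaries launched with numeric-only arguments: likely injection hosts."""
    return [(proc, val) for proc, evs in events.items()
            for kind, val in evs if kind == "Creates Process" and HOST_RE.search(val)]


def find_delself_mutexes(events):
    """Distinct Global\\DelSelf(<handle>) mutexes across all processes."""
    return sorted({val for evs in events.values() for kind, val in evs
                   if kind == "Creates Mutex" and DELSELF_RE.match(val)})


def triage(text):
    events = parse_report(text)
    return {"sideload_triads": find_sideload_triads(events),
            "writable_path_services": find_writable_path_services(events),
            "numeric_arg_hosts": find_numeric_arg_hosts(events),
            "delself_mutexes": find_delself_mutexes(events)}


# Constructed from this page's runtime section; not a verbatim copy of the report.
SAMPLE_REPORT = r"""
Process
↳ C:\malware.exe

Creates File: Mc.exe
Creates File: McUtil.dll
Creates File: McUtil.dll.url
Creates Process: C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Mc.exe

Process
↳ C:\Documents and Settings\Administrator\Local Settings\Temp\RarSFX0\Mc.exe

Creates File: C:\Documents and Settings\All Users\AVck\McUtil.dll
Creates File: C:\Documents and Settings\All Users\AVck\Mc.exe
Creates File: C:\Documents and Settings\All Users\AVck\McUtil.dll.url
Creates Mutex: Global\DelSelf(000007C8)
Creates Service: AVck - C:\Documents and Settings\All Users\AVck\Mc.exe

Process
↳ C:\Documents and Settings\All Users\AVck\Mc.exe

Creates Process: C:\WINDOWS\system32\svchost.exe 201 0

Process
↳ C:\WINDOWS\system32\svchost.exe 201 0

Creates Process: C:\WINDOWS\system32\msiexec.exe 209 1392
Creates Mutex: Global\DelSelf(00000498)
Creates Mutex: DBWinMutex
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE_REPORT).items():
        print(f"{key}: {value}")
```

Run against the embedded sample, the triad is reported twice (once for the bare filenames in the Temp extraction, once for the All Users\AVck copy), the AVck service is flagged for living under All Users, both svchost.exe 201 0 and msiexec.exe 209 1392 are reported as numeric-argument hosts, and a normal "svchost.exe -k netsvcs" launch is not. Feeding it the raw report text (without the ": " separators) works the same way because EVENT_RE makes the separator optional.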

Network Details:

Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53
Flows UDP: 192.168.1.1:53 ➝ 192.168.1.1:53

Strings:
\_
.\
:\\
...
010A___
.
.
x
S

%08x
about:blank
Accept
ASKNEXTVOL
<br>
&Browse...
Bro&wse...
bytes
%c:\
Cancel
&Cancel
Cannot create folder %sDCRC failed in the encrypted file %s. Corrupt file or wrong password.
Cannot create %s
Cannot open %s
Close
Confirm file replace
CRC failed in %s
Decline
Delete
&Destination folder
EDIT
-el -s2 "-d%s" "-p%s" "-sp%s"
Enter password
&Enter password for the encrypted file:
ErroraErrors encountered while performing the operation
E<ul><li>Press <b>Install</b> button to start extraction.</li><br><br>E<ul><li>Press <b>Extract</b> button to start extraction.</li><br><br>6<li>Use <b>Browse</b> button to select the destination4folder from the folders tree. It can be also entered
.exe
Extract
Extracting files to %s folder$Extracting files to temporary folder
Extracting from %s
Extracting %s
Extraction progress
File close error
folder is not accessiblelSome files could not be created.
GETPASSWORD1
<head><meta http-equiv="content-type" content="text/html; charset=
hRichEdit20W
</html>
<html>
.inf
Insert a disk with this volume and press "OK" to try again or press "Cancel" to break extraction
Install
Installation progress
jmsctls_progress32
kernel32
License
LICENSEDLG
LICENSEDLG	RENAMEDLG
.lnk
Look at the information window for more details
manually.</li><br><br>8<li>If the destination folder does not exist, it will be2created automatically before extraction.</li></ul>
*messages***
modified on
MS Shell Dlg 2
@&nbsp;
Next volume
Next volume is required
Not enough memory
No to A&ll
Overwrite
</p>
Packed data CRC failed in %s
Path
Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.
Please download a fresh copy and retry the installation	All files
Presetup
ProgramFilesDir
.rar
RarHtmlClassName
RarSFX
Read error in the file %s
Rename
&Rename
RENAMEDLG
Rename file
REPLACEFILEDLG
riched20.dll
riched32.dll
r%.*s(%d)%s
rtmp%d
runas
"%s"
SavePath
%s.%d.tmp
Select destination folder
SeRestorePrivilege
SeSecurityPrivilege
Setup
sfxcmd
sfxname
Shell.Explorer
Shortcut
Silent
Skipping %s
Software\Microsoft\Windows\CurrentVersion
Software\WinRAR SFX
%s %s
%s%s%d
%s %s %s
STARTDLG
STATIC
</style>
<style>
<style>body{font-family:"Arial";font-size:12;}</style>
TempMode
Text
The archive comment is corrupt
The archive header is corrupt
The archive is corrupt
The file "%s" header is corrupt%The archive comment header is corrupt
The following file already exists
The required volume is absent2The archive is either in unknown format or damaged
Title
__tmp_rar_sfx_access_check_%u
=Total path and file name length must not exceed %d characters
Unexpected end of archive
Unknown method in %s
Update
utf-8"></head>
WinRAR self-extracting archive
winrarsfxmappingfile.tmp
with this one?
Would you like to replace the existing file
Wrong password for %s5Write error in the file %s. Probably the disk is full
&Yes
Yes to &All
You need to have the following volume to continue extraction:
===\{{{
?*<>|"
)))0__`
0%|1=d
 (08@P`p
0Ant`w
1\3nWF
]158n*
1	AxGJh|
1*$ Xk
22xlRC
2Do?d@
2 /! M
--+2pps
	2PSX"^
2YVIV<a
333ippp
33!D	3
3DA=&,
3NDc^WI
3"PUw|q
 3!qL(
<3\u1WV
3w{Yb`
~=47pj
4f58LA5;
4iN(1E
)4M}rK
4p%;(Y
4u\vn\
4vX5k&y
4yMtuuY
;.59,R
5dM6zsV
			5FFF
5h5NNfhAM
5MHYi&
:5#tT$
65_pU^b.
666[NNN
6m\Rcg
6MXM4)
6xP/Fg
`#_)7[
7*9?/D
7bt5<q"
7iL=]n]!N
82~W*a^
)89acqw-^
8Je3@t
8l9ai2cY
8M)v.\t)q
%-8+[Rf
8V-Z[t\
98Oe[T
999/555Q===i@@@z@@@~AAA~AAA~AAA~@@@z===i555Q999/www
9ky]5+B&#n
9XU=kNB|
"A3s.eR
a7]&{Q
a 9oT/
AA@5iii{yyy
A!A_'r
AdjustTokenPrivileges
ADVAPI32.dll
AeTigBL
%:<aOgDr
  </application>
  <application>
A  "Ql
</asmv3:application>
<asmv3:application xmlns:asmv3="urn:schemas-microsoft-com:asm.v3">
  </asmv3:windowsSettings>
  <asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings">
</assembly>
<assemblyIdentity
    <assemblyIdentity
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">
AV7:~\#
A%%%Y&&&_&&&_$$$Y
bad allocation
%b}cWH
<B@II;
` "B!L
brFA9OC
&B%Rk7fP
-BtGv4
BxyJf`
_$C56FVl
*-	cC{
]]],cccNNNNr[[[
CharToOemA
CharToOemBuffA
CharToOemBuffW
CharUpperA
CharUpperW
CloseHandle
CLSIDFromString
CoCreateInstance
COMCTL32.dll
COMDLG32.dll
CommDlgExtendedError
CompareStringA
CompareStringW
</compatibility>
<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
CopyRect
CreateCompatibleBitmap
CreateCompatibleDC
CreateDirectoryA
CreateDirectoryW
CreateFileA
CreateFileMappingW
CreateFileW
CreateStreamOnHGlobal
CreateWindowExW
%csQ*S
cSy-k=
Cx)0;"
d^_7_{x
@.data
DDT]1&
DefWindowProcW
DeleteDC
DeleteFileA
DeleteFileW
DeleteObject
</dependency>
<dependency>
  </dependentAssembly>
  <dependentAssembly>
<description>WinRAR SFX module</description>
DestroyIcon
DestroyWindow
DialogBoxParamW
DispatchMessageW
D%;N=)
D /'Of^
DosDateTimeToFileTime
    <dpiAware>true</dpiAware>
d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb
dZE5xN
!! *eee
eee^			
eel,,Lcv
eFn`Bo
EnableWindow
EndDialog
e-NXEip
~<e{s(
eU]#~H
)?ewK=
ExitProcess
ExpandEnvironmentStringsW
F _^[]
F333wQQQ
f90u2h
FFF))EE	FFFF))))))
	F&fNn
FileTimeToLocalFileTime
FileTimeToSystemTime
fi%mp'
FindClose
FindFirstFileA
FindFirstFileW
FindNextFileA
FindNextFileW
FindResourceW
FindWindowExW
FQ	=q)
FreeLibrary
<F"t	@f9
fTGojO
fw.IvAn
g13~7D
g33WwQ
GDI32.dll
gECD8P
GetClassNameW
GetClientRect
GetCommandLineW
GetCPInfo
GetCurrentDirectoryW
GetCurrentProcess
GetDateFormatW
GetDeviceCaps
GetDlgItem
GetDlgItemTextW
GetFileAttributesA
GetFileAttributesW
GetFileType
GetFullPathNameA
GetFullPathNameW
GetLastError
GetLocaleInfoW
GetMessageW
GetModuleFileNameW
GetModuleHandleW
GetNumberFormatW
GetObjectW
GetOpenFileNameW
GetParent
GetProcAddress
GetProcessHeap
GetSaveFileNameW
GetStdHandle
GetSysColor
GetSystemMetrics
GetSystemTime
GetTempPathW
GetTickCount
GetTimeFormatW
GetVersionExW
GetWindow
GetWindowLongW
GetWindowRect
GetWindowTextW
>;G.I[
GlobalAlloc
[gPB&Eg'
(GQNg`
"""G%%%U
gUaZPly
gwS3	3
gwS37%w`	
G@zwM1{
,&;H=&
H61.cl%Q
HeapAlloc
HeapFree
HeapReAlloc
heaX`*
hhhcCCC
HHHk'''E
/(HM q
;;;hOOO4WWW
HtCHt<Ht5H
'!HtD0
HtEHt7
HtFHt8Ht*Ht
hT<O<<
HtoHt>
HtOHt^HtBHu#
huaF+0
hVd!@\
H`wR"u
hy#xhd
i3>GZS
iaN41t
I##C$q
	i{{fr
IIH	RRS2nnnjsss
):::\iii
InitCommonControlsEx
"^iQ(Z"O{
IsDBCSLeadByte
IsWindow
IsWindowVisible
"?iU{4
IWj\_f9>u?f9~
iX]'K&
|||J!!!	
!!!	|||J
 j5|]]
\J-5E?
jcx9ci
JJJmkkk
j[ko$Z
???jLLL+
jp6Z%rbft
J`Tll@
JVmT1%
]Jx&')d
j Y+L$
kC/4B:~\
k*#d\Q
KERNEL32.dll
K| G_+
K{H1rvq
ki_go`=
klPk<*
k[mCJU
k	OP5)
K})uWIW"
	=l16g
`L1tqO
-:l3)L
l50QR3
l6hiV! *
      language="*"/>
lHmfKO>D.MU
]LH[wz
LLM+>>=jppp
Ln5P`5
LoadBitmapW
LoadCursorW
LoadIconW
LoadLibraryW
LoadStringW
LocalFileTimeToFileTime
LookupPrivilegeValueW
@LR@`0
lrBD)NqPC
"Lu'?d
L,Z1|~
M!}1mR
<m7rv~2}
MapViewOfFile
MapWindowPoints
\mBjlF3
Mc.exe
McUtil.dll
McUtil.dll.url
MDCA1T
MessageBoxW
*messages***
Mg$O@?
m$Iyy[
mKE.YS
MoveFileExW
MoveFileW
,M',s$M
"MTKu!
MultiByteToWideChar
mY5*O	P$>
MZ\7fQ
mz|o2|+
      name="Microsoft.Windows.Common-Controls"
  name="WinRAR SFX"
Nig".6l
;;;Niii
NIZriI<L	!Hq8
nL{@_lH
NNM/VVW
NNN4:::hlll
nnn{@@@5HHH
NNu$j	
*{nPqKo?
npY+zbn
N-r72u
nTI	9<
Nue&z@[1
n&[{,v
--+Nvv|
n{wBDG
?\n-Z^d
"?-N\zg
nZ\m;/
~Nzr	E
o1>0&&#'
O2ZwGt
& O	7G
O7jZ(a8B
Od ~hp
\OdU^:gR$G
OemToCharA
OemToCharBuffA
&O =eS
]oJy{ni
olD3/!
ole32.dll
OLEAUT32.dll
OleInitialize
OleUninitialize
\omS]X
OOOreeeN]]],555
OpenFileMappingW
OpenProcessToken
O,/QP"
p4>%@3
P9]pu;
P9]pu+
PADDINGXXPADDINGPADDINGXXPADDINGRar!
<pceae
Pc>]nvV
PeekMessageW
p.^)F`
.pFRzq
PJC:m%
pNoTf8g
PostMessageW
      processorArchitecture="*"
  processorArchitecture="*"
PRRUIR
      publicKeyToken="6595b64144ccf1df"
PWhx8A
pYtt`B~
Q29Kmd
qboQul
Qc`h+*
QoMC)u
qqqiqqqi
qqqjTTT2HHH	
QQSVWh
Q]vk!r
<*q,Y@
]q]y|3
QYl*U}
__rar_
`.rdata
ReadFile
RegCloseKey
RegCreateKeyExW
RegisterClassExW
RegOpenKeyExW
RegQueryValueExW
RegSetValueExW
ReleaseDC
      <requestedExecutionLevel level="asInvoker"            
    </requestedPrivileges>
    <requestedPrivileges>
R$L9XK
rMEMoW1
rnU2}4
@.rsrc
r|taxF
R-wy+xB
rY^rf$
}s-|,]
s{8f*B)
%.*s(%d)%s
  </security>
  <security>
SelectObject
SendDlgItemMessageW
SendMessageW
SetCurrentDirectoryW
SetDlgItemTextW
SetDllDirectoryW
SetEndOfFile
SetEnvironmentVariableW
SetFileAttributesA
SetFileAttributesW
SetFilePointer
SetFileSecurityA
SetFileSecurityW
SetFileTime
SetFocus
SetForegroundWindow
SetLastError
SetWindowLongW
SetWindowPos
SetWindowTextW
SHAutoComplete
SHBrowseForFolderW
SHChangeNotify
SHELL32.dll
ShellExecuteExW
SHFileOperationW
SHGetFileInfoW
SHGetMalloc
SHGetPathFromIDListW
SHGetSpecialFolderLocation
SHLWAPI.dll
ShowWindow
SNp:: 
SQan0~
SRgt2G+
SSSJuuv
StretchBlt
s_U 7~
      <supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
      <supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
S,U*+ql
(SVWj 
`SVWjh
SW	)bng
SystemTimeToFileTime
t0ht6A
t0SSSj
t4SSVW
 tbC.[W{4&	
TC(ERC+P
tE -#aq
t	FAA;t$
tflsA:d
}tgP=`
T=)`GR
    <!--The ID below indicates application support for Windows 7 -->
    <!--The ID below indicates application support for Windows Vista -->
t!hh3A
!This program cannot be run in DOS mode.
TOPZIB
TranslateMessage
</trustInfo>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v2">
 tSj X
t<SSSS
<*t*<?t
twLo+#E
}<T]X.
      type="win32"
  type="win32"/>
U<*@:]
;\u0VW
(<\u$8F
ugV]>5
u h\3A
u!hp8A
      uiAccess="false"/>
UnmapViewOfFile
UpdateWindow
{URich
USER32.dll
{{{u{{{u
uu!1t[Er
U(u;4,
UUT%yyz|
UUUJIII
%%%U'''W
"&&-\v
v__>2Z
"v@4ew
V@@AAf
VaxAiH
)vcP>l
  version="1.0.0.0"
      version="6.0.0.0"
\VF#md
(|v|gid
VgyJXI&
vi/d5U
~V]j_A
V&k2}[=
***<---V///k///r///r///r///r///r...k,,,V)))<!!!
[vm{m#M
v	N+D$
?vNj@_+
Vr8}.y
VSSSSh
'`<vTQ1""<
vV96)j
&&&V&&&W
;?vWs=
VyJdht
-*`<{w
w01_l*
w5SSSS
(;w6:uw
WaitForInputIdle
WaitForSingleObject
W%%&d>B
@WhP6A
WHVVgbr(b
WideCharToMultiByte
wi,N+^:
WINRAR.SFX
Wj<_WS
W&L$R&
W?oGRa
'''W$$$P
WriteFile
%^WS9XD
wTjkz"
WuIxt^
&&&W'''V
wvsprintfA
wvsprintfW
Wwgu"'P
WwR"'P
WwS7'u
WWW~$$$
>\:?X^
x;28u2
_X4nKR
-_x58	o
[XB(!k
x])LN^
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
xn.$	$=
x;OTVN
|X^%X?
y3FqZd
Y`d^ 	
YNANRC
yOo5-P
=+y}Rd
yRsy6M
\Y/S%l!
/y,}TV
Y^WA)7 
Z2fQ`E
Z)*3M}
zc'357
ZhA8\g
-ZSQ2]
zt4[:[F
zuFhl3A
Z+++v666
z)X^~	g