Analysis

Category Started Completed Duration
FILE 2013-07-18 06:42:22 2013-07-18 06:44:37 135 seconds

File Details

File Name setup_fsu_cid.exe
File Size 251299 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 83954c128100ad89746811e92c1b4bf6
SHA1 c5758309136cd1e7e804d2003dc5ca27ae743ac3
SHA256 d101de2f14eedc021957ab651f336f95e2b401b58c478af816ea3c6a4d92a572
SHA512 43e598cec8892db1f0be78d7f3839d11d75366dcededed75474e232da71bed167d90c0e429586bd8d9cb78fbf1a0572d559de702eb83c853d8fb73dafe55db83
CRC32 8FCE5410
Ssdeep 6144:OC0bGVLSE+xt09E9x/2n1fp1/5z0Z3vh9NPYY/0L:OCtVLCxtYE6xr/aJZPjy
Yara
  • shellcode - Matched shellcode byte patterns
    (Generic byte-pattern rule: it fires on every PE in this bundle, including the dropped uninstaller and the 4608-byte nsProcess.dll plugin, so on an NSIS stub it carries little weight by itself.)

Signatures

File has been identified by at least one AntiVirus on VirusTotal as malicious

Hosts

No hosts contacted.

Domains

No domains contacted.


Summary

Files and devices accessed (helpers are unpacked into the NSIS temp directory nsi4.tmp; filescout.exe and uninst.exe are written under %APPDATA%\File Scout):
IDE#CdRomVBOX_CD-ROM_____________________________1.0_____#42562d3231303037333036372020202020202020#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
MountPointManager
STORAGE#Volume#1&30a96598&0&Signature32B832B7Offset7E00Length27F4DB200#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
C:\DOCUME~1
C:\Documents and Settings\User
C:\Documents and Settings\User\LOCALS~1
C:\Documents and Settings\User\Local Settings\Temp
C:\DOCUME~1\User\LOCALS~1\Temp\nsz3.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\setup_fsu_cid.exe
C:\WINDOWS\system32\msctfime.ime
C:\Documents and Settings\User\Application Data\File Scout
C:\Documents and Settings\User\Application Data
C:\Documents and Settings
C:\Documents and Settings\User\Application Data\
C:\WINDOWS\Registration\R000000000007.clb
C:\DOCUME~1\User\LOCALS~1\Temp\nsi4.tmp
C:\DOCUME~1\User\LOCALS~1\Temp\nsi4.tmp\usvc.exe
C:\DOCUME~1\User\LOCALS~1\Temp\nsi4.tmp\nsProcess.dll
C:\Documents and Settings\User\Application Data\File Scout\filescout.exe
C:\Documents and Settings\User\Application Data\File Scout\uninst.exe

Registry keys (accessed during the run; HKCR\*\shell\filescout and its \command subkey at the end of the list are not stock keys, and their presence indicates the installer adds a "filescout" verb to the Explorer context menu of every file type, consistent with the RegCreateKeyExW/RegSetValueExW imports):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellCompatibility\Objects\{20D04FE0-3AEA-1069-A2D8-08002B30309D}
HKEY_CLASSES_ROOT\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\CPC\Volume\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7952-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{475c7950-e3d2-11e0-8d7a-806d6172696f}\
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions
HKEY_CLASSES_ROOT\Drive\shellex\FolderExtensions\{fbeb8a05-beee-4442-804e-409d6c4515e9}
HKEY_CLASSES_ROOT\Directory
HKEY_CLASSES_ROOT\Directory\CurVer
HKEY_CLASSES_ROOT\Directory\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler
HKEY_CLASSES_ROOT\Directory\\Clsid
HKEY_CLASSES_ROOT\Folder
HKEY_CLASSES_ROOT\Folder\Clsid
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\IMM
HKEY_CURRENT_USER\SOFTWARE\Microsoft\CTF
HKEY_LOCAL_MACHINE\Software\Microsoft\CTF\SystemShared
HKEY_CURRENT_USER\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\windows\CurrentVersion\Explorer\AutoComplete
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\AutoComplete
HKEY_LOCAL_MACHINE\Software\Microsoft\COM3
HKEY_LOCAL_MACHINE\Software\Classes
HKEY_LOCAL_MACHINE\Software\Classes\CLSID
CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TreatAs
\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocServer32
\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocServerX86
\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\LocalServer32
\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocHandler32
\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\InprocHandlerX86
\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}
HKEY_CLASSES_ROOT\CLSID\{00BB2765-6A77-11D0-A535-00C04FD7D062}\TreatAs
CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TreatAs
\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocServer32
\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocServerX86
\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\LocalServer32
\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocHandler32
\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InprocHandlerX86
\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\TreatAs
CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TreatAs
\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocServer32
\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocServerX86
\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\LocalServer32
\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocHandler32
\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InprocHandlerX86
\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\LocalServer
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\TreatAs
HKEY_CLASSES_ROOT\CLSID\{03C036F1-A186-11D0-824A-00AA005B4383}\InProcServer32
HKEY_CLASSES_ROOT\CLSID\{00BB2763-6A77-11D0-A535-00C04FD7D062}\InProcServer32
HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
HKEY_CLASSES_ROOT\Unknown\shell\openas\command
HKEY_CLASSES_ROOT\*\shell\filescout
HKEY_CLASSES_ROOT\*\shell\filescout\command

Mutexes:
CTF.TimListCache.FMPDefaultS-1-5-21-1547161642-507921405-839522115-1004MUTEX.DefaultS-1-5-21-1547161642-507921405-839522115-1004
ShimCacheMutex
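A triage pass over the Summary above, written as an added example for this page (it is not part of the report and not Cuckoo code): it separates the transient NSIS temp files from the persistent drops and pulls out Explorer context-menu verbs that are not stock Windows verbs. The input lists are copied from the Summary; the path rules, the DEFAULT_VERBS allow-list and the function names are assumptions.

```python
"""Triage of a Cuckoo behavioural Summary (files and registry keys).

Added example for this page; neither part of the report nor Cuckoo code.
The sample paths and keys are copied from the Summary above; the
classification rules and the DEFAULT_VERBS allow-list are assumptions a
reviewer would apply, not sandbox output.
"""
import re

# Constructed input: a subset of the Summary lines from this report.
SUMMARY_FILES = [
    r"C:\DOCUME~1\User\LOCALS~1\Temp\nsz3.tmp",
    r"C:\DOCUME~1\User\LOCALS~1\Temp\setup_fsu_cid.exe",
    r"C:\DOCUME~1\User\LOCALS~1\Temp\nsi4.tmp\usvc.exe",
    r"C:\DOCUME~1\User\LOCALS~1\Temp\nsi4.tmp\nsProcess.dll",
    r"C:\Documents and Settings\User\Application Data\File Scout\filescout.exe",
    r"C:\Documents and Settings\User\Application Data\File Scout\uninst.exe",
    r"C:\WINDOWS\system32\msctfime.ime",
]
SUMMARY_KEYS = [
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
    r"HKEY_CLASSES_ROOT\Unknown\shell\openas\command",
    r"HKEY_CLASSES_ROOT\*\shell\filescout",
    r"HKEY_CLASSES_ROOT\*\shell\filescout\command",
    r"HKEY_CLASSES_ROOT\Directory\\ShellEx\IconHandler",
]

# NSIS unpacks plugins/helpers into %TEMP%\ns<xx>.tmp\ and removes that
# directory when the installer exits, so binaries there are transient.
_NSIS_TMP = re.compile(r"\\Temp\\ns[a-z0-9]+\.tmp(\\|$)", re.IGNORECASE)
_TEMP = re.compile(r"\\Temp\\", re.IGNORECASE)
_PROFILE = re.compile(r"^C:\\(Documents and Settings|DOCUME~1)\\", re.IGNORECASE)
_PE_EXT = (".exe", ".dll", ".sys", ".scr")

# Explorer context-menu verb: HKCR\<progid>\shell\<verb>\command; progid '*'
# attaches the verb to every file type.
_SHELL_VERB = re.compile(
    r"^HKEY_CLASSES_ROOT\\(?P<progid>[^\\]+)\\shell\\(?P<verb>[^\\]+)\\command$",
    re.IGNORECASE)
# Assumed allow-list of verbs Windows registers itself.
DEFAULT_VERBS = {("unknown", "openas")}


def classify_files(paths):
    """Split file artefacts into transient NSIS temp files, persistent
    executables written under the user profile, and everything else."""
    out = {"nsis_temp": [], "persistent_drop": [], "other": []}
    for p in paths:
        low = p.lower()
        if _NSIS_TMP.search(p):
            out["nsis_temp"].append(p)
        elif _PROFILE.match(p) and not _TEMP.search(p) and low.endswith(_PE_EXT):
            out["persistent_drop"].append(p)
        else:
            out["other"].append(p)
    return out


def shell_verbs(keys):
    """(progid, verb) for every context-menu command key in the list."""
    hits = []
    for k in keys:
        m = _SHELL_VERB.match(k)
        if m:
            hits.append((m.group("progid"), m.group("verb")))
    return hits


def new_shell_verbs(keys):
    """Context-menu verbs that are not stock Windows verbs."""
    return [(p, v) for p, v in shell_verbs(keys)
            if (p.lower(), v.lower()) not in DEFAULT_VERBS]


def triage(files, keys):
    """One-shot summary a reviewer can read off."""
    f = classify_files(files)
    return {
        "persistent_drops": f["persistent_drop"],
        "transient_nsis_files": f["nsis_temp"],
        "new_shell_verbs": new_shell_verbs(keys),
    }


if __name__ == "__main__":
    for k, v in triage(SUMMARY_FILES, SUMMARY_KEYS).items():
        print(k, v)
```

On this report the output is two persistent drops (filescout.exe and uninst.exe), three transient NSIS files, and one non-stock verb, ("*", "filescout"). The Summary does not distinguish keys read from keys written, so a verb that shows up here still needs confirming against the registry write events before it is reported as persistence.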

Sections

Name Virtual Address Virtual Size Size of Raw Data Entropy
.text 0x1000 0x6dae 0x6e00 6.50852956314
.rdata 0x8000 0x2a62 0x2c00 4.39053502099
.data 0xb000 0x67ebc 0x200 1.43086025975
.ndata 0x73000 0x89000 0x0 0.0
.rsrc 0xfc000 0x41f8 0x4200 6.00856941095
.reloc 0x101000 0xf32 0x1000 5.84440146268

.ndata (raw size 0, virtual size 0x89000, entropy 0.0) is the NSIS exehead's uninitialised-data section. The six sections' raw data add up to 0xee00 (60,928) bytes, so roughly three quarters of the 251,299-byte file is overlay, which is where an NSIS installer keeps its (normally compressed) install data; the code and imports listed here describe the generic installer stub, not the payload.

Imports

Library KERNEL32.dll:
0x408060 SetFileTime
0x408064 CompareFileTime
0x408068 SearchPathW
0x40806c GetShortPathNameW
0x408070 GetFullPathNameW
0x408074 MoveFileW
0x40807c GetFileAttributesW
0x408080 GetLastError
0x408084 CreateDirectoryW
0x408088 SetFileAttributesW
0x40808c Sleep
0x408090 GetTickCount
0x408094 GetFileSize
0x408098 GetModuleFileNameW
0x40809c GetCurrentProcess
0x4080a0 CopyFileW
0x4080a4 ExitProcess
0x4080ac GetTempPathW
0x4080b0 GetCommandLineW
0x4080b4 SetErrorMode
0x4080b8 lstrcpynA
0x4080bc CloseHandle
0x4080c0 lstrcpynW
0x4080c4 GetDiskFreeSpaceW
0x4080c8 GlobalUnlock
0x4080cc GlobalLock
0x4080d0 CreateThread
0x4080d4 LoadLibraryW
0x4080d8 CreateProcessW
0x4080dc lstrcmpiA
0x4080e0 CreateFileW
0x4080e4 GetTempFileNameW
0x4080e8 lstrcatW
0x4080ec GetProcAddress
0x4080f0 LoadLibraryA
0x4080f4 GetModuleHandleA
0x4080f8 OpenProcess
0x4080fc lstrcpyW
0x408100 GetVersionExW
0x408104 GetSystemDirectoryW
0x408108 GetVersion
0x40810c lstrcpyA
0x408110 RemoveDirectoryW
0x408114 lstrcmpA
0x408118 lstrcmpiW
0x40811c lstrcmpW
0x408124 GlobalAlloc
0x408128 WaitForSingleObject
0x40812c GetExitCodeProcess
0x408130 GlobalFree
0x408134 GetModuleHandleW
0x408138 LoadLibraryExW
0x40813c FreeLibrary
0x408148 WideCharToMultiByte
0x40814c lstrlenA
0x408150 MulDiv
0x408154 WriteFile
0x408158 ReadFile
0x40815c MultiByteToWideChar
0x408160 SetFilePointer
0x408164 FindClose
0x408168 FindNextFileW
0x40816c FindFirstFileW
0x408170 DeleteFileW
0x408174 lstrlenW
Library USER32.dll:
0x408198 GetAsyncKeyState
0x40819c IsDlgButtonChecked
0x4081a0 ScreenToClient
0x4081a4 GetMessagePos
0x4081a8 CallWindowProcW
0x4081ac IsWindowVisible
0x4081b0 LoadBitmapW
0x4081b4 CloseClipboard
0x4081b8 SetClipboardData
0x4081bc EmptyClipboard
0x4081c0 OpenClipboard
0x4081c4 TrackPopupMenu
0x4081c8 GetWindowRect
0x4081cc AppendMenuW
0x4081d0 CreatePopupMenu
0x4081d4 GetSystemMetrics
0x4081d8 EndDialog
0x4081dc EnableMenuItem
0x4081e0 GetSystemMenu
0x4081e4 SetClassLongW
0x4081e8 IsWindowEnabled
0x4081ec SetWindowPos
0x4081f0 DialogBoxParamW
0x4081f4 CheckDlgButton
0x4081f8 CreateWindowExW
0x408200 RegisterClassW
0x408204 SetDlgItemTextW
0x408208 GetDlgItemTextW
0x40820c MessageBoxIndirectW
0x408210 CharNextA
0x408214 CharUpperW
0x408218 CharPrevW
0x40821c wvsprintfW
0x408220 DispatchMessageW
0x408224 PeekMessageW
0x408228 wsprintfA
0x40822c DestroyWindow
0x408230 CreateDialogParamW
0x408234 SetTimer
0x408238 SetWindowTextW
0x40823c PostQuitMessage
0x408240 SetForegroundWindow
0x408244 ShowWindow
0x408248 wsprintfW
0x40824c SendMessageTimeoutW
0x408250 LoadCursorW
0x408254 SetCursor
0x408258 GetWindowLongW
0x40825c GetSysColor
0x408260 CharNextW
0x408264 GetClassInfoW
0x408268 ExitWindowsEx
0x40826c IsWindow
0x408270 GetDlgItem
0x408274 SetWindowLongW
0x408278 LoadImageW
0x40827c GetDC
0x408280 EnableWindow
0x408284 InvalidateRect
0x408288 SendMessageW
0x40828c DefWindowProcW
0x408290 BeginPaint
0x408294 GetClientRect
0x408298 FillRect
0x40829c DrawTextW
0x4082a0 EndPaint
0x4082a4 FindWindowExW
Library GDI32.dll:
0x40803c SetBkColor
0x408040 GetDeviceCaps
0x408044 DeleteObject
0x408048 CreateBrushIndirect
0x40804c CreateFontIndirectW
0x408050 SetBkMode
0x408054 SetTextColor
0x408058 SelectObject
Library SHELL32.dll:
0x40817c SHBrowseForFolderW
0x408184 SHGetFileInfoW
0x408188 ShellExecuteW
0x40818c SHFileOperationW
Library ADVAPI32.dll:
0x408000 RegEnumKeyW
0x408004 RegOpenKeyExW
0x408008 RegCloseKey
0x40800c RegDeleteKeyW
0x408010 RegDeleteValueW
0x408014 RegCreateKeyExW
0x408018 RegSetValueExW
0x40801c RegQueryValueExW
0x408020 RegEnumValueW
Library COMCTL32.dll:
0x408028 ImageList_AddMasked
0x40802c ImageList_Destroy
0x408030 (unnamed: imported by ordinal)
0x408034 ImageList_Create
Library ole32.dll:
0x4082bc CoTaskMemFree
0x4082c0 OleInitialize
0x4082c4 OleUninitialize
0x4082c8 CoCreateInstance
Library VERSION.dll:
0x4082b0 GetFileVersionInfoW
0x4082b4 VerQueryValueW

Strings

Selected strings; the binary and compressed-data noise that made up most of the dump is omitted.

!This program cannot be run in DOS mode.
.rdata
.data
.ndata
.reloc
NullsoftInst
[Rename]

API and module names present as strings but absent from the import table above (i.e. resolved at run time through the imported LoadLibrary/GetProcAddress rather than statically):
SHGetFolderPathW
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueW
OpenProcessToken
RegDeleteKeyExW
ADVAPI32
MoveFileExW
GetDiskFreeSpaceExW
KERNEL32
Module32NextW
Module32FirstW
Process32NextW
Process32FirstW
CreateToolhelp32Snapshot
Kernel32.DLL
GetModuleBaseNameW
EnumProcessModules
EnumProcesses
PSAPI.DLL

Import names: the dump repeats the KERNEL32, USER32, GDI32, SHELL32, ADVAPI32, COMCTL32, ole32 and VERSION names already listed in the Imports table and they are not repeated here. It also contains nine import names that the table above omits: SetCurrentDirectoryW, GetWindowsDirectoryW, ExpandEnvironmentStringsW, GetPrivateProfileStringW, WritePrivateProfileStringW, SystemParametersInfoW, SHGetPathFromIDListW, SHGetSpecialFolderLocation, GetFileVersionInfoSizeW.

Embedded application manifest:
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

The manifest identifies the file as a Nullsoft Install System 2.46.5 (Unicode) installer that requests a full administrator token at launch (requireAdministrator), so every child it spawns inherits the elevated token.
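The manifest in the Strings section above is worth parsing rather than eyeballing, since the requested execution level and the NSIS version decide the next steps. The following is an added example for this page, not part of the report or of NSIS: MANIFEST is the XML copied from the strings, SUPPORTED_OS is Microsoft's documented compatibility-GUID table, and parse_manifest / triage_notes are assumed names.

```python
"""Parse the application manifest embedded in the NSIS exehead (the XML
line in the Strings section) for the facts a triager wants.

Added example for this page; not part of the report or of NSIS. MANIFEST
is copied from the Strings section; SUPPORTED_OS maps Microsoft's
documented compatibility GUIDs to Windows versions.
"""
import xml.etree.ElementTree as ET

MANIFEST = (
    '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
    '<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0">'
    '<assemblyIdentity version="1.0.0.0" processorArchitecture="X86" '
    'name="Nullsoft.NSIS.exehead" type="win32"/>'
    '<description>Nullsoft Install System v2.46.5-Unicode</description>'
    '<dependency><dependentAssembly><assemblyIdentity type="win32" '
    'name="Microsoft.Windows.Common-Controls" version="6.0.0.0" '
    'processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" />'
    '</dependentAssembly></dependency>'
    '<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security>'
    '<requestedPrivileges><requestedExecutionLevel level="requireAdministrator" '
    'uiAccess="false"/></requestedPrivileges></security></trustInfo>'
    '<compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application>'
    '<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>'
    '<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>'
    '</application></compatibility></assembly>'
)

NS = {
    "asm": "urn:schemas-microsoft-com:asm.v1",
    "asm3": "urn:schemas-microsoft-com:asm.v3",
    "compat": "urn:schemas-microsoft-com:compatibility.v1",
}

# Microsoft's supportedOS GUIDs (compatibility section of the manifest).
SUPPORTED_OS = {
    "{e2011457-1546-43c5-a5fe-008deee3d3f0}": "Windows Vista",
    "{35138b9a-5d96-4fbd-8e2d-a2440225f93a}": "Windows 7",
    "{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}": "Windows 8",
    "{1f676c76-80e1-4239-95bb-83d0f6d0da78}": "Windows 8.1",
    "{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}": "Windows 10",
}


def parse_manifest(xml_text):
    """Return identity, execution level, declared OS support and
    side-by-side dependencies from a Win32 application manifest."""
    root = ET.fromstring(xml_text)
    ident = root.find("asm:assemblyIdentity", NS)
    desc = root.find("asm:description", NS)
    level = root.find(".//asm3:requestedExecutionLevel", NS)
    os_ids = [e.get("Id", "").lower()
              for e in root.findall(".//compat:supportedOS", NS)]
    deps = [d.get("name") for d in
            root.findall(".//asm:dependentAssembly/asm:assemblyIdentity", NS)]
    return {
        "name": ident.get("name") if ident is not None else None,
        "description": (desc.text or "").strip() if desc is not None else None,
        "execution_level": level.get("level") if level is not None else None,
        "ui_access": level.get("uiAccess") if level is not None else None,
        "supported_os": [SUPPORTED_OS.get(i, i) for i in os_ids],
        "dependencies": deps,
    }


def triage_notes(info):
    """Reviewer notes derived from the parsed manifest."""
    notes = []
    if info["execution_level"] == "requireAdministrator":
        notes.append("requests a full admin token: UAC prompt at launch, and "
                     "child processes inherit the elevated token")
    if (info["name"] or "").startswith("Nullsoft.NSIS"):
        notes.append("NSIS installer stub (%s): the payload sits in the "
                     "overlay and can usually be listed with an archiver "
                     "without running the stub" % info["description"])
    return notes


if __name__ == "__main__":
    parsed = parse_manifest(MANIFEST)
    for key, value in parsed.items():
        print("%-16s %s" % (key, value))
    for note in triage_notes(parsed):
        print("-", note)
```

Manifests are stored as an RT_MANIFEST resource, so on a live sample the XML would be read out of the .rsrc section first; here it is taken from the strings dump as the report presents it. An unknown supportedOS GUID is passed through unchanged rather than dropped, so a manifest that claims support for a version not in the table is still visible.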
Antivirus Signature
MicroWorld-eScan Clean
nProtect Clean
CAT-QuickHeal Clean
McAfee Clean
Malwarebytes Clean
K7AntiVirus Clean
K7GW Clean
TheHacker Clean
NANO-Antivirus Clean
F-Prot Clean
Symantec Clean
Norman Clean
TotalDefense Clean
TrendMicro-HouseCall TROJ_GEN.R092H01GF13
Avast Win32:Dropper-MYK [Drp]
eSafe Clean
ClamAV Clean
Kaspersky Trojan-Downloader.Win32.MultiDL.c
BitDefender Clean
Agnitum Clean
SUPERAntiSpyware Clean
Emsisoft Clean
Comodo Clean
F-Secure Clean
DrWeb Clean
VIPRE Clean
AntiVir Clean
TrendMicro Clean
McAfee-GW-Edition Clean
Sophos Clean
Jiangmin Clean
Antiy-AVL Clean
Kingsoft Win32.TrojDownloader.MultiDL.c.(kcloud)
Microsoft Clean
ViRobot Clean
AhnLab-V3 Clean
GData Win32.Trojan-Downloader.Qug.A
Commtouch Clean
ByteHero Clean
VBA32 Clean
PCTools Clean
ESET-NOD32 Clean
Rising Clean
Ikarus Clean
Fortinet Clean
AVG Clean

Detection ratio: 5 of 46 engines (TrendMicro-HouseCall, Avast, Kaspersky, Kingsoft, GData). Kaspersky and Kingsoft agree on the MultiDL downloader name; Avast's Win32:Dropper-MYK and TrendMicro's TROJ_GEN.R092H01GF13 are generic dropper and heuristic names.

Process Tree

  • setup_fsu_cid.exe (PID 1088, parent PID 1824)
    • usvc.exe (PID 2012, parent PID 1088)
    • filescout.exe (PID 572, parent PID 1088)

Both children are started directly by the installer. The only copies of these binaries seen on disk are usvc.exe in the transient NSIS directory nsi4.tmp and filescout.exe in the persistent %APPDATA%\File Scout directory, so filescout.exe is the component left on disk after the install.


HTTP Requests

No HTTP requests performed.

IRC Traffic

No IRC traffic.

SMTP Requests

No SMTP requests performed.

No outbound traffic of any kind was recorded in the 135-second run, so the downloader and dropper names in the antivirus table are not corroborated by this trace. A downloader that stays silent in the sandbox may simply be missing its trigger (user interaction, elapsed time, a reachable server), so the absence of network indicators should not be read as a clean result.

Dropped Files

File name usvc.exe
File Size 163328 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 249a44dcfa2500eb1c020e33a3e9f25b
SHA1 942860bedf408cc4c6a1831ef3744a3f9e68b375
SHA256 b2cad8322db85f67db6ea074d00c2ed56ce1fa92952d07b70baac249fa18236d
CRC32 1BFF7277
Ssdeep 3072:Nppw9wvwxqhCLTsurUXgJrNSu09jddIZsM1DnwA4xCkwK4rzWKSN/zIblN5FkA7Z:Nppw9wvwxqATsurUsrNSu09jddIZsM1N
Yara
  • shellcode - Matched shellcode byte patterns
File name filescout.exe
File Size 259584 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 038f640cde59742b01a38cb08e680b68
SHA1 4d5b1da43db2a4e3c2cc33ec25c142150a2a0415
SHA256 8d9ae55ff2aaa236f2560ef612de494946774a7aef10a3ddd6774fd515f33ac1
CRC32 219F9585
Ssdeep 3072:lMxTaWX+wyLbJHzvqvwEh11HknX+0eLQzP9TBfhw7JJj81jjjczOiM+:lMxzTUbJnEh11HP0eszP9TBydJgKOp+
Yara
  • shellcode - Matched shellcode byte patterns
File name nsz3.tmp
File Size 0 bytes
File Type empty
MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
CRC32 00000000
Ssdeep 3::
Yara None matched
(0-byte file: the MD5, SHA1 and SHA256 above are the digests of empty input and have no value as indicators.)
File name uninst.exe
File Size 62902 bytes
File Type PE32 executable (GUI) Intel 80386, for MS Windows
MD5 8a4fc0c6d89a46bb1f074aedd6c19f3f
SHA1 2f3d4cca34befb548133d428ec9c9386a7fd8f80
SHA256 dcd7892a709d84d66d96de554d30c2e7372b1c1104207df4c5a2bd5a730be56b
CRC32 B60B8DB0
Ssdeep 1536:wErPZ3IBZcbTfu1HlrJFCPcbPnygdLeAyNxHsOPaG:/PC23aJFC0bPnyceAElCG
Yara
  • shellcode - Matched shellcode byte patterns
File name nsProcess.dll
File Size 4608 bytes
File Type PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
CRC32 C95C7C4B
Ssdeep 48:Sz4joMeH+Iwdf8Rom/L+rOnnk5/OCnXeAdbdOAa4GPI+CJ87eILzlq7gthwIsEQW:64c/eFdfS/SSnkxNa4G+ueqPuCtGsj
Yara
  • shellcode - Matched shellcode byte patterns