Sample details: 18fde6a6b23966862405400929aafda7 --

Hashes
MD5: 18fde6a6b23966862405400929aafda7
SHA1: 2a7c7307c49e69b4f6288e451d6f976ba2034ef1
SHA256: ba56f8bc5b16eab6a7895f6b0a2775287df60dbb7f17f436f604813db8cfece5
SSDEEP: 6144:6MTCPa7WDvT5sW0+qZ+n9NwS9ePiK+qJui:Ga7svTKW0v3Dui
Details
File Type: PE32 (Windows GUI executable). The embedded manifest (see the Strings section) identifies it as a Nullsoft Install System v3.0b0 installer stub ("Nullsoft.NSIS.exehead", requestedExecutionLevel asInvoker), and the HasOverlay/IsPacked YARA hits indicate appended data: the installer's actual contents sit in the compressed NSIS block after the "NullsoftInst" marker and are not recoverable from the plain-strings dump below. Treat the sample as a dropper/installer and analyse the extracted payload separately.
Yara Hits (note: the YRP/* rules are generic capability heuristics triggered by API names and strings in the stub itself — e.g. escalate_priv/win_token fire on AdjustTokenPrivileges, LookupPrivilegeValueA, OpenProcessToken and SeShutdownPrivilege, which the NSIS stub uses for its reboot-via-ExitWindowsEx option; screenshot/domain/IP/url likewise match stub imports and embedded text. They describe the installer wrapper, not the behaviour of the packed payload.)
YRP/Nullsoft_PiMP_Stub_SFX | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/escalate_priv | YRP/screenshot | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/CRC32_poly_Constant |
Source (download URLs from which this sample was observed; these are live malware-distribution indicators and are defanged here — do not browse to them. The host is a DuckDNS dynamic-DNS name on a non-standard port, and the "RFQ" (request-for-quotation) filenames are consistent with an e-mail lure; block/hunt on the host and port rather than the individual filenames, since the same path served at least two variants.)
hxxp://securedownload2[.]duckdns[.]org:7373/docs/RFQ2.exe
hxxp://securedownload2[.]duckdns[.]org:7373/docs/RFQ3.exe
Strings (printable strings extracted from the NSIS stub: section names, imported Win32 API names, NSIS error messages and the application manifest. The short high-entropy lines that follow the "NullsoftInst" marker appear to be fragments of the compressed installer data block, not meaningful strings, and carry no information about the payload.)
		!This program cannot be run in DOS mode.
`.rdata
@.data
.ndata
 s495,
SQSSSPW
v#VhB+@
Instu`
softuW
NulluN	E
D$(Ph,
D$,SPS
D$$+D$
D$,+D$$P
PPPPPP
_^[t	P
A@;E |
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrlenA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
ReadFile
lstrcpyA
lstrcatA
GetSystemDirectoryA
GetVersion
GetProcAddress
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
ShellExecuteA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
verifying installer: %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error launching installer
... %d%%
SeShutdownPrivilege
~nsu.tmp
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
%u.%u%s%s
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteKeyExA
ADVAPI32
MoveFileExA
GetDiskFreeSpaceExA
KERNEL32
[Rename]
*?|<>/":
RRRRRRRRRR
RRRRRRRRR
RRRRRRRRR
RRRRRRR
RRRRRRR
RRRRRRRRR
RRRRRRR
RRRRRR
RRRRRRR
3333www
3333737w
3333ps3
3373733
3s3333s
3s73303
333733337
73373s33
7733373
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInst
hd0&FL
ue)(W)
dF..~i
PFG-0X
]8.bw3
6&0lu&M*
k!ae;8F
viN<N]
'XaQef
a(M&Nf
Vv`5rT
lUx\F0
!_7eNt
$]{~;_
nQ)XO`O
S+nu1k
7ue8jG
1$4PvB
?S-j%	
3LJc/~N
@ X?k%
Ac<Tt96
y0I uzn
8>XtX5f
$T+$p'
v	l'v)
:	vR_9|0
!E|Sj8
YaM!/8B
QyaJ|'
oUkjjp
^!6LXl
#KC H&
p]G]gjl
'_8S2Q
rdI:O"K
kD43"S!
JDAh;R
gCf2Wrli&
;w3:'(:3
YhcCmQ
p^5nK+
yS7N4c
G7Qqqu
s{avRO*
nffh1;
tXGf7$jf
RV>6Az}
I-=21,G
vF.Df%
BCts/m
*='pkh	l
(;^n(Ix
'&p}O~
ag	)[v
^4}#]3
|,mx#1F
fQYr``
AK[yM$
7/%}Y|
sa}5		
ZyH_V>
.+.Xrp=dpJS
bAi^^7|
\U>r]V
b}]F9cI
_3O&/i
SvyNB$cpW
HD|d%	
puEdfX
Q'KtO_
wM{^N(
#'6lY.yqC
j[EV]k
@l4H:<.
/ViA%/
&L06TL
|1}x4	
}/Emr.H
Lak7pou
F0?}-7|,s
8Mm7bP\D
29("V}
JM*%abc
.|BU-("d^H
[@u@UxK
57<	Njh@yy
vmIqOW
.*@5zS^
Ye=yDu8
W[/>k9i
7XIQ]m`
*`&l|'F
~~YJLe
2>+v&#
?Gm+j_
OrGEOd
}F>zRn
pCUlb0n
[vmc02zW
c2h&"+
NDx_}6{
	#2Jk|zD
/%|l(m
J{3]2D
x1+K9.D+>
s(TCR2e
k\oBjk
%zmM/F
Q; E~7q
'WjRok
[s$+(J
R|s3AEuN
`=A#+f
)t4a8J
\i\r{Q
]^~uUw
?wAnkv
L*gnA2I~L
{4HAFEV
q+:y$2
W%d9T1
%r 5#n'&
qP(*)?
qqCa8:
t<TCn$
-n/O!H
<ARoba
BQmq=1
'Fn1{=
_Wl<O;
("D~7&K
45D)>1
MD.)w1
VO{Pp&k
.XFg +
~3:iJZ
KwInde
&4',Nw!
LhEmh]Q5
CSRw'C2~
J9_;sZ$^p8F
SS4f6|
G")_dB
znf!L!w
,5b"+Z
[RtR\gk
TX"YF</
$3*2|u}
gxQUVJ
3}.!QU
h!87FN
B_Za#<
,*I{Xn
&xq<{Z
]vT1(tC
6>H?PH
h(i#.sv).
*]~3wZ
FqXT*t
*wj!( 
[l17$A
K~{v{-
^OL{]Um
5'gL>aQC
m\{y?w
n9LAB)
`3X-Ys
|s3I\y
%g >!7
oM`c;x
;STNZc<
x P5k!
>BZU+z
X9sf$7
:?Uc2G0#f'
%B$.,]
oA\iDf)
o"lnH{
&XQs&E
R82m$CroD
v' K>q
/+ Uo>.
";lb$l
O8WiTPW
WaT};M
:(BRc>
Mx=hM!
}X=Jew
azfczN
x]cTOT
F/l<FU
F2X?eI
O$/GB'O
HO,`4#
7e|k:d
?S,{7.k|
c_V?#!%w
}tjh~:\
v"HLv6@
	k::"vB
~bCuM	
QeEg%4
tMSreH
ZzL=zlW]}
zjL	ShV
)](+6\
4dba0F
ORzaOL
L@hh5O
OM2J~O*
KrPqj	IQ
,l@F-J
M@3clRO
'4d&VH
t]#l@@
bMuN;e"
VX809.C
PTfVsH
X1P@*t
+4+H~7M
B.)xvR
IVVb>(
 W&R;z
_;D0UH
P~b5SV
XAHP(%
$agaa>\>
5P4x|_
aV@bXw
6~<LNr
+z${!JB
b)B)Yl
F!eIDh
pqL<f#
 N$T*2}
ewx5xp
Q4+nF0{N
(+i+.*cm
uM;U6d
D5P) (Hu
D.8taN
=}Mp)V
gLL/XP
?S6#L#v
l{xpO_
x_X<U}i
^Tu7R:
@pKwdx
B;<OpDP
Wmo%9hf
,4W]E^"
~*<M^j
x\.;vwh
[pEO9=
yAK.=N
6^Td[\IS
pPW-!f
5H5(UL?k
EZ"3eN.n
n>$B]{
u]iSb`b
i#np'}
Dc&l>3z*
|d6!W-
<kdf>`n
lMdYQ."7"
o>5:~r
*Z>(hr
EYkQ9XNU\
EZW^lL#
:N3ri}/
-#"aFf
MQ*'PB
N\hVmPzM
+"H~6"1
v?Zjkw
E^a@Ag
P-V1Yf`
=O)<L5L
a;pE6dr
a'Yh2{
)D|[ $DB"q
DdO$G!;GT%
j>>>%O
5m1C9n
;[KPX/{
0mjva({
oiD"x"
'5{$sC
MC0"cX
|K$KX<
1(ft+?Z
z"Ja"C
*=="C}G
M2dO*{S
MO j0OJx
%?@L44
M=OPyM4
M14hF)
=@z4jbm@= 
!<55=G
6Pd444
GEEMIDS
*fQUATF
(41=ii
N&%Xb[
<)(!D1V
xepcyT
^P3w|	-N@
mL2S5o]
k	zi:`
ps!_`45
BE:$/J
,U}ja0
@/Ek[qD]
z(dYt6
l1Vo%B
ki]k[N
egHpj'%f
QQ{ntEq
NullsoftInst
2zCM44
DDA2j4
!2`-.%J2~9
2;Fa<$
(U66V}gR.
z&L`"w
viN<N]
'XaQef
a(M&Nf