Sample details: 21178cbe8332f97d92d1cf1cf7cea1c6

Hashes
MD5: 21178cbe8332f97d92d1cf1cf7cea1c6
SHA1: 8fc1c370d2686aa70bf0b015e610e1ac60c3d394
SHA256: e58d34c3fad3b7c67d0aa80068afac6232cfdc8a787714eba569fdeb50e71257
SSDEEP: 3072:nAsj8MBX8s0oXJ4645nEdp6MfVuZtA5Pb3nolVh3iH3cyZgmgH7dDyf7SQsZIZPe:nAsBZC6cYpqXWcVYrg9HRDyz8gof
Details
File Type: PE32
Yara Hits
YRP/Nullsoft_PiMP_Stub_SFX | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/escalate_priv | YRP/screenshot | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/CRC32_poly_Constant
Source
http://attahadi.com/wp-content/plugins/svchost.exe
http://yhhub.it/wp-content/w3tc-config/svchost.exe
http://yhhub.it/wp-content/w3tc-config/svchost.exe
http://attahadi.com/wp-content/plugins/svchost.exe
Strings
		!This program cannot be run in DOS mode.
iRichu
`.rdata
@.data
.ndata
 s495,7B
SQSSSPW
#VhB+@
Instu_
softuV
NulluM	E
D$,SPS
Vj%SSS
D$$+D$
D$,+D$$P
PPPPPP
_^[t	P
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
GetTickCount
CreateFileA
GetFileSize
GetModuleFileNameA
ReadFile
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrlenA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
GetTempFileNameA
lstrcpyA
lstrcatA
GetSystemDirectoryA
GetVersion
GetProcAddress
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
ShellExecuteA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error writing temporary file. Make sure your temp folder is valid.
Error launching installer
SeShutdownPrivilege
~nsu.tmp
NSIS Error
%u.%u%s%s
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
InitiateShutdownA
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteKeyExA
ADVAPI32
GetUserDefaultUILanguage
MoveFileExA
GetDiskFreeSpaceExA
KERNEL32
[Rename]
*?|<>/":
P;?@@?
P;?@@@@?
DdEBA@@@@=
(*MXob
hpppiffT
ZaZaZXKJ
Z_ZT_PI
075kmn
_VTTPPI
)-.Yln
V_VPTPIG
&+,Nlo
!/45km
zzz||||
CDE*&&'
{{{s<.
{ssuBBs@@@<4
puqqqqq<770
punqq974.
O_mcs]0
NX\kqphZUQ3,
RYjgfW2+*
rlbA?4)
z}z}z{v
wwwwww
wwwwww
wwwwwwp
wwwwwwp
wwwwww
wxwwwwww
wwwwwwwx
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
fffffox
wwwwww
wwwwwx
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b1</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInst
Q=I\PI
bf"Rp#!
L,,p	q-4
nd~F&_.9
":=cYK
eJ%Q\++>,
I])h	oo
|Z'yK`
R|g!kC
~7{9G*
H!$~dO(
[4n-nz
}I&gQa
&"4P[	
EC8zLf
l;QO+'
!:v*{jp+W
KDl^I,
2/zI\IVf	L\
Cr'XfgG
uU/<!U~
,x]v*J
AgQZ\z0
{'/<lL
FVG["A
1IcT&`
6`\|[~
$zkj(n
Waw1Co,
KgN9ZpM=
_*x?kNV
c>z.lf
n_4!Pi
osn.B*
-^8C.y>
Aj#!*Ca
jA~Z2)
W9~<mD.
,rzX|8+P
>l/mZ	
GBwoUQ2
BcB'%"z
K'<qW|
wu/C26
Pj]\{N{
>-KXP&]
l|t"['
o5s7Aup
Y]|ZB:
$X|&;1?
5Wg5vI
mey'(7m6|)
i	BLcu
cfz^-w
^{Mn'%
0$6><6l
[~0?(J
YM:u#(
F3NcC)
<a62N?
$15N+}$
^I~cI<
	?Ct}`
\4Sd_{!
3h4!eN
/.jb3_I8)Kw
;M?&CS
sR87A%
4s;Yhk
!9UNUS
:(`/lZL
k~JUmH
FPg)aY
{~O	#;=
j|Pu4l
_lL Vy
ks0we_
h#/G6M
%>vH-0d
6/4Y^0
F,:DC(h
#D\"oD
T`?9eDY
A@kqojqA
G;-<d!
!8=;i#[
KItm)3*Kr
yh|7?C
d!g/R&
&jQi5T
fcKV5NB
2r =-PQ
PgpKC.
[+)"}2F
:_;N.}
WA14<'
2^/,Eh
Nl(#Mr
yg.dPx
.FkjSLD
v!3N#`$E
K^}=aBA
[6?!94
2X$g$e
FsnLfE
Uv	81H
Am>k:kJ
X]	1Xn
;{WdV4
`HJ1Q8
e]H_3j
mQU\h%
%:5F.'
w`16hP
Lg/PY]hs
XhW gy
"/@^[+
M&"h/;
I&%Rr0R
b(usYK
AB"nG$h
')YvNf#
v0SK(YD
56hd&e
*S#;/U
<(uq	z
i^,%Y5O
|pld88
{\DOWe
)SUS.R
M0Ql36Z
/sQ$w-
:$`Fm<
,[%&_H
(#]x`e
EV-H)Uv
24;`qi
\v\ROt
`G|>A#
Y /#F,
euU?%1
k3yJ!ir}
Z&4g]#
Xd{E	]E
'`n8xM
%fmnC?
|gNW?HL}
LrFn S6
AkfvTJ
;-lo4R
yNG" <:
@n'hMT,I
K5>\-H
N\dZIy
7,WO>8
jeIIk:%+1
DAep!o
}VZN3l
/DXtK!
`r0b@X:
(E3J`\
iD2G.g
).erlU
nbG&&.
lf'W[X@
 *7FB_
krs1	~
CPJ>1:
f(/Jd`
]C%((r
p.'fKHW3N
)tOCm{
t2[!e=
\(O'e"
6M?$~s
@$ 	<o
c2\rKWg
eoVkuIK&
6.fmMn
2~x@]3
F5vp}V
C@P?6'
/!]:,z
):q_d]+%
U^p^r,
C[V%z	-
h>bTnP
)"H!g^f
CR>P[m
.q?Czf
.g*'t	
zisl?x^q,%
y4'=BG
u)t#0|
zBve-!
*p>B0?V
s+`4gD
$RKY>r
[E<$9O
<W}^[%
xC9%KG
 An}1k
i?	-sZ
xWhH01
77_f}#
_cFfP+$
hX;hJ\p
~~Lv"EJq
:u+Y$RI
#Hp2ex
@ h#Q$T
'Z-D|A+
]!o7pg
civ6_.yq
b4A+FT-
}i"/&K
*FASNV
d1?fK:1
X5DL]^$Mo
m5aXnom
VF0qeg
<Z<p^;
-?e{	#
a	T-?x
G3_u%y()
>\*HW+
F:Jft`
Jw1QN{
']h4-d
mQI7TD
eQ;80P6
OgJ!J_?
DtYVpW|2
hl~#:e42Z
#;?vDy
.|XmKl
l`nzM+
x!^I p
s&4H37
//qfkWX
nwA^r2
c9\SVh
[_f+tP
t8&v.I=
:gG3^W
H.=gIh;
Qsek @R
4)ipY5
a=Q7s'
>V[t#'
(u{?ke
9,lQAhi
\t7)CB
 +0i/"{1
u8yYV@
-x_A1W$`
My"0Wl
:W[Kh=
l#55km
x>#xOL
?0a&U)
5e2BE%
%`LMKH
&ZiU8'X
xkV<uy?
ZuOl/@
vm`IB 
)UL	rk
QdpYYPR
 f!4n(
Gu<A`N%V
U~V)\'
u`Cb4b
%~6+Dx
1BkV/h
]Sm+{)qsX3
\Z?`vp
M(NMGZz{i/]=?SF
7YjlXD
6dzZ2t4
)XDkoF
Qr:h$t
uxb{$O|
t8r^_;
E3L8W|
n/cB6.
lix^B2g
V:ygS-\
 4'NH2T
LKKFy6
!	{8]&\_zv4
# !1f1<
Y^*k3K
c@CuOY&c
>R}g?9