Sample details: 4ebc3e0f90d4aeff9e5c7a3461515e12 --

Hashes
MD5: 4ebc3e0f90d4aeff9e5c7a3461515e12
SHA1: 66c19b248b6c22f0d6f7496abcb85282094bef99
SHA256: 2e0fecb31852c1f176552e74bfc80f1071ac0cbc9f82b63cfea66e7bb84e64ac
SSDEEP: 3072:WwJ52Y7ZoH5XJa06Q6VJkvQ3FdHnpzB2MgUGrvQxeXS7tnHeo1zTV5ZPJ9Cx+ZZF:WwHys0b0JkCdHpl2HUUGeC7JdV5Z8y
Details
File Type: PE32
Yara Hits
YRP/Nullsoft_PiMP_Stub_SFX | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/escalate_priv | YRP/screenshot | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/CRC32_poly_Constant |
Source
http://securedownload2.duckdns.org:7373/docs/RFQ6.exe
Strings
          	            !This program cannot be run in DOS mode.
iRichu
`.rdata
@.data
.ndata
SQSSSPW
v#VhB+@
Instu`
softuW
NulluN	E
D$(Ph,
D$,SPS
D$$+D$
D$,+D$$P
u49-L7B
PPPPPP
_^[t	P
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrlenA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
ReadFile
lstrcpyA
lstrcatA
GetSystemDirectoryA
GetVersion
GetProcAddress
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
ShellExecuteA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
verifying installer: %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error launching installer
... %d%%
SeShutdownPrivilege
~nsu.tmp
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
%u.%u%s%s
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteKeyExA
ADVAPI32
MoveFileExA
GetDiskFreeSpaceExA
KERNEL32
[Rename]
*?|<>/":
+++++++++
%++++#+#+#++++%
$$##%#%#%#%#%##$$$
$%##%#########%+%$$$$
$$##%#
#%$%$$$$
##$$$$
M#$$$$
LELFLLL
..(CK(.(!.(
..(CK(.(!.(
(!.."!".(
s'(.(((!''
'.((..
."!"'Qt
L'((!"'.
n''('!
#######
########$$
nnFIo.
wyw77wwwww
wwww3937w
ws390Y"" 
" "www
" "www
S""!!"wwy
wwr""( ww
in language table of language English
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInst
.:6Bi^
`0LZ:n-
+Q44Jl
IXV@i:
;1k("E
Ukb.q&
6Dp;kwv
18[*vyu
b+FUgO
~3kvM5
ILhTo|
\D8|UDd
,w	Tg\
.r:CF{
g{WVI"
}3Of<,
 d_3kH
|D)Ox`
e1@@o4
RY#%8}
>4c,(@
#)8,Y5j
o^4]pj
5q$nNF
BYId#ik
H&!=V{q&
%zQA)A
'-lx}v
~"ZHdcXsBD%
|uQeL,	
=gsTQa
C_aNaC
`xvM w
VTja"M
h<c	5#
\[)c%^
\_"4;t
.w qWg
|)=*<"
^~V'N56
1za~}}
COH(#i&
cU'EH?
N,R*m^
I-9A>aR)
f=l]$)K
@JGIRPH
9yY]*}
RGtT9Ur
}?kU#-
|=4Gp[
sFqM_xU
8	A2)K
#="0^	g
~p2y}v
dZd>B&4=
l;[V-$)
tgdFn=
s<eaJe
OnsGV4
-pZe3 
<G;#\&ok
GycqRgV'U
Qm UK0
{kWQoQ%	
s"}\kEl
/S gdu
Fv+fDp
j_"NbG
gi3h3\
`[,ht/]
{VZS?"
122+v2
%TY'*T
Qn gG+
'=QiDr
Ip7]@:&
.Rx\01f
Z=,={]NF
%6-RPW
 `r,Kd
)2hzTX
_1_mNC
Q}3+ok
VIiQ577
XR0!2Y
sh\|g{
^h_:%i
4F[>z~
D=y41MZ1
.YL"~ai7
gn~o- 
xUrM"a
6AL,tw
gEmLdB
F;Jy'e
r|K$!P
R2n"C	
C"^kqO0c
V $;^;
1so81P
%2aPQ]
.},GQU
}iELpz
h@UuU.
09_r32
ejHpTw
vCW[YfG
p\+{VU2P
fb]S:l
U8XAh[\
:<hgQ=
@RHC` 
y,p{`=9i
:^]n,&~J
Q%c~XY
ZAfXh\
+i~h7"
-}qc.v
g/%4BK
cDkqT_j
J,W	Zk
d$QDX~
(;+XL5R
PL}';p
nfj`?-
1~v6eM\6B~
b!:Uy3
kRN^w@
cl#.o`
E9M[ -'
z`Dou.
6%m+2w
nt3:;"
^7!%Ry
@%,3>\
ND]U:J*{
-U$@=sJ
uiBs{it
@v=ZC0jDJ
R#9ebrI
Ep][6F
0Ij}`)
l!fsgk#R
%Ru4Gz
:Ss:4e
e^2k9r
ye3OU%
<)}9g<
q'5pT?V
Dr	WC 
gZ`u8B{
(.!qqY
H;D0rP
FLzIO}
_N*d	/
s9V^$?|
iv|IjD5y
buV]Yj
I0mjZ	
!6=9t&
?v&*?d
Zx5jj7
aS&w H
]n:ixlp
7uPnvv
m"MKx:
MdARP`
`eA+HH
oOD1<	
OJzpmH
.D&Eoo
sJvqB8
zqA8Vb
o!aM;O
BPfW(m
L8&eCR
t1"0P:
A>%pXHs
t(8NIJ7
D[;c#_
M:OC>/7z4
/L>["Zb
i_5"p)
hPQ%t@
8[|t$O
0IbgGe
EshBhF
5 hw$Bb
|4**F:
 BoO+i
6(8mEi
f-Kq_b
rUw6mWj^
5~tWet
PH_Pz8
}y49}m
";-	JY]
*sRlai
@HwRLp#
~<3?TS
%z=QVN
t6('`x
Ph;?n@
@>yj0q
)l$si0
m0CEH 
5]Mogx
lXsE[c
8>`[-h
s{$P+H?<
n$;Cdh
DytY	w
Ixl5X<
lj0CGN*
43vZ[L
0EH\&VB$4
v\HUo/,
$.1MaKH
,dUxaE(dF
+Q^n.j
\{[D.bh
AgW|15
3L+36D
#Xnf%|`
f(z>Zt{
!:]?T%
_b@fi/
C/(...
QW	jZ"
=imqiVk
z<.%<@[
|	'xb@
o4VG<f.
wXVD(@
H{~amuU
G<8SK ,5P$
*=k4Ux;
n|t>!=?
D?Gu/"
X`vvq89
E 5!s2
2-2\rO#
gn,wdp
kI0q-U
|58]vh
<ELq'g
>Pl<x{
GL_SpQpf
{%bhl,
yZ1z@1
	JHE&lx:
MTYvt!<
} ?wj4H
Y2'Hl`
m)4qjM
N9rcQs
TyZ*n_,kK
c`	},>
?gtxAJ\
|0qD?cG
RY[#Q}
Ug0~"4k:
*~kHy54
/6I[dk
S$?ne=n$
S=&Ip[
kAC kR
Bs,X\U%
|i hhp
r<Hu4P
`-;*\\
7q'82){
|tOp<OH
a4rJ{l
LBAOdy
,`*0t~
i0!Ix8_
phb6,k
nuWimg
Haun7z
pMu+Q3e
,X3V=nfh
,}^\cA3W
|LP:f	
Gnrl+^?@
NullsoftInst
H\	nKM
&/]^d%