Sample details: 9922db76e6d1c4e6f673da5ac3ac4a1f --

Hashes
MD5: 9922db76e6d1c4e6f673da5ac3ac4a1f
SHA1: 57dc2ab7935d0d9fcbb4d729baffa829e31eea0c
SHA256: 018d8c0d1568867fdb041b3b29e1de53f9b0c6c5024f9b1aeba9aed766117f56
SSDEEP: 3072:WwJ52Y7ZoH5XJaxO8Z2VSZ94KSsiw+eayllnVxPx80BmXCdhM2zomo1zTV5ZPJ9e:WwHystlbVJn/VbLVMGQV5Z8J
Details
File Type: PE32
Yara Hits
YRP/Nullsoft_PiMP_Stub_SFX | YRP/IsPE32 | YRP/IsWindowsGUI | YRP/IsPacked | YRP/HasOverlay | YRP/HasRichSignature | YRP/domain | YRP/IP | YRP/url | YRP/contentis_base64 | YRP/escalate_priv | YRP/screenshot | YRP/win_registry | YRP/win_token | YRP/win_private_profile | YRP/win_files_operation | YRP/CRC32_poly_Constant |
Source
http://securedownload2.duckdns.org:7373/docs/RFQ6.exe
Strings
          	            !This program cannot be run in DOS mode.
iRichu
`.rdata
@.data
.ndata
SQSSSPW
v#VhB+@
Instu`
softuW
NulluN	E
D$(Ph,
D$,SPS
D$$+D$
D$,+D$$P
u49-L7B
PPPPPP
_^[t	P
RichEdit
RichEdit20A
RichEd32
RichEd20
.DEFAULT\Control Panel\International
Control Panel\Desktop\ResourceLocale
Software\Microsoft\Windows\CurrentVersion
\Microsoft\Internet Explorer\Quick Launch
MulDiv
DeleteFileA
FindFirstFileA
FindNextFileA
FindClose
SetFilePointer
WriteFile
GetPrivateProfileStringA
WritePrivateProfileStringA
MultiByteToWideChar
FreeLibrary
LoadLibraryExA
GetModuleHandleA
GetExitCodeProcess
WaitForSingleObject
GlobalAlloc
GlobalFree
ExpandEnvironmentStringsA
lstrcmpA
lstrcmpiA
CloseHandle
SetFileTime
CompareFileTime
SearchPathA
GetShortPathNameA
GetFullPathNameA
MoveFileA
SetCurrentDirectoryA
GetFileAttributesA
GetLastError
CreateDirectoryA
SetFileAttributesA
GetTickCount
GetFileSize
GetModuleFileNameA
GetCurrentProcess
CopyFileA
ExitProcess
SetEnvironmentVariableA
GetWindowsDirectoryA
GetTempPathA
GetCommandLineA
SetErrorMode
LoadLibraryA
lstrlenA
lstrcpynA
GetDiskFreeSpaceA
GlobalUnlock
GlobalLock
CreateThread
CreateProcessA
RemoveDirectoryA
CreateFileA
GetTempFileNameA
ReadFile
lstrcpyA
lstrcatA
GetSystemDirectoryA
GetVersion
GetProcAddress
KERNEL32.dll
EndPaint
DrawTextA
FillRect
GetClientRect
BeginPaint
DefWindowProcA
SendMessageA
InvalidateRect
EnableWindow
ReleaseDC
LoadImageA
SetWindowLongA
GetDlgItem
IsWindow
FindWindowExA
SendMessageTimeoutA
wsprintfA
ShowWindow
SetForegroundWindow
PostQuitMessage
SetWindowTextA
SetTimer
CreateDialogParamA
DestroyWindow
ExitWindowsEx
CharNextA
DialogBoxParamA
GetClassInfoA
CreateWindowExA
SystemParametersInfoA
RegisterClassA
EndDialog
ScreenToClient
GetWindowRect
EnableMenuItem
GetSystemMenu
SetClassLongA
IsWindowEnabled
SetWindowPos
GetSysColor
GetWindowLongA
SetCursor
LoadCursorA
CheckDlgButton
GetMessagePos
LoadBitmapA
CallWindowProcA
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
TrackPopupMenu
AppendMenuA
CreatePopupMenu
GetSystemMetrics
SetDlgItemTextA
GetDlgItemTextA
MessageBoxIndirectA
CharPrevA
DispatchMessageA
PeekMessageA
USER32.dll
SelectObject
SetTextColor
SetBkMode
CreateFontIndirectA
CreateBrushIndirect
DeleteObject
GetDeviceCaps
SetBkColor
GDI32.dll
SHFileOperationA
ShellExecuteA
SHGetFileInfoA
SHBrowseForFolderA
SHGetPathFromIDListA
SHGetSpecialFolderLocation
SHELL32.dll
RegEnumValueA
RegEnumKeyA
RegQueryValueExA
RegSetValueExA
RegCreateKeyExA
RegCloseKey
RegDeleteValueA
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
ImageList_Destroy
ImageList_AddMasked
ImageList_Create
COMCTL32.dll
CoCreateInstance
OleUninitialize
OleInitialize
CoTaskMemFree
ole32.dll
VerQueryValueA
GetFileVersionInfoA
GetFileVersionInfoSizeA
VERSION.dll
verifying installer: %d%%
Installer integrity check has failed. Common causes include
incomplete download and damaged media. Contact the
installer's author to obtain a new copy.
More information at:
http://nsis.sf.net/NSIS_Error
Error launching installer
... %d%%
SeShutdownPrivilege
~nsu.tmp
NSIS Error
Error writing temporary file. Make sure your temp folder is valid.
%u.%u%s%s
SHGetFolderPathA
SHFOLDER
SHAutoComplete
SHLWAPI
GetUserDefaultUILanguage
AdjustTokenPrivileges
LookupPrivilegeValueA
OpenProcessToken
RegDeleteKeyExA
ADVAPI32
MoveFileExA
GetDiskFreeSpaceExA
KERNEL32
[Rename]
*?|<>/":
UUU!WWW/WWW8YYY<XXXRXXX
YYYSXXX=YYY9ZZZ3WWW&UUU
WWW5XXXKYYYvYYY
YYYyXXXQVVV>WWW&UUU
UUU!ZZZ
WWW&UUU
___-hhh
___-___
dddxddd
sss!{{|
IIIF222
vvw6~~
||}3||}
QQRY22202220222022202220222+222
}}~l}}~
}}~l}}~
XXX WWW%XXX0VVV[VVVwVVV
WWWxWWW]VVV1VVV&WWW"\\\
VVV*WWWLXXX
XXXQVVV2VVV
[[[2ggg
\\\6jjk
QQSBqt
<Gg=tz
qqq	zzz
VVV!WWWJ[[[
YYYMVVV(sss	
iii3{{{
rfjz"]aq
 not set in language table of language English
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b0</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
NullsoftInst
!R?e+52D
lp\Bwu
bO/-)aHC\H[
[Kh	S`V
J/H2!a6L
yX=LY[
MS7v51
xtfL@k
f2VD:	V
I;o8s(
zVQy918O
`ND1i7
7mC+v"
#niC9V
? ro8	
JN}=6~l|
gat	Iu'=
7sxc{B
<~8_{B
:q4]ZHf
eY&3o+
Igsc&a
zm^8U)
f'n\FW
BQvC;+
T(euQ3
'ycQ#K
R)OO&C
4qe$1a
p.:`Xx
4rB/pr
4eDk&u
k#o%7uG
To95P5
'G@m@v
tt!9&AN
,$O;fq
]6@Zpd
Q'jg.}
_2oq5R
LXt2aI
T#e@w$E
vA$[A/
	/VCuB
9-b7:bI
-OkfvV
6WV~PK
2RUv C#
S5i(|7
5*YD7D@
2KtS*4
|+q^kp
Mk,o!w{
QGYAY$
?M:NYgOsA
TZOr[fD
/9:g6{
!.E!3K
&RPX4C
{Af[)	v1w
g2R$a3
$M6m~& 
q^[!UL
WAd8zl
SsTFp+
CDS.4%`F
UugGG-
9]_mg`A
/.k122[
Uql@WE
GN9_H,
~Q* H{.f
\#$lpG
@}^{~W
bcO8"/
hq(mBz
ej4	n[
qu0s5x
](y}NYv
.vog<7
90)`]'
R&4#DIi$
,	>' L
P0z`)$
]	+3%rY
ZSW406}
bLve@kV
g8^6!/
Yhmm~fm
OB9EL{
2dpDbq
}95)m'
Hp~E}&
&.C}'k
_@:ImF
G)0yJMQ
F|%wF>
CDp]v)
` ,#t%
-u9I{F$
DZx*re
E~Tdq11
Z'wc2Wm
77J[H0
XoKCuFq{
Kn5wwe
{J]*Z"=
,ArbWK
[wf&n3P>
NYpN8,m
6t|CIL;
H!RuPT
t{FNC1
+auXfF'
vG8:#x
|21VC-bJ
;Hpk58
zN8m1Z0|&
s=l#'fj@V$
YYgco_cy
cL<C>*
Ai1dyI
=N<+?j
yvO4 +
N)q|<E
	KW0	i
|]S6a9
cKG$+I
Zp8*%(
bIiPFK
m2mq/S
tKRw[.
Ge6zDb
N:k]pq
LYt@g'Q;
<- SXw
kJ;-B}N]OQ*\
j<LP.N\
6bCz. 
/%N,oE
e aDcp
*)MB~j+
#VbeX5-
 ^2y"<N
X\FSk;
zKzAnB
444yhK
#fY@.VQ
%t+S=:
{qTc:+
g%Up-C
oA{-uC
jr/OKm
-0,;6Mp
#fwdhp
w>"H '5
%=Q4lS
lgerxm
Phvrxy;
r5a;Z{
CD;=&U
L7s.e'	Cw
^Gw@^g
2fdtU9
}uFBre
T6	"m1F	
so(wN|T
Y58ErII,
xXb70,t
6"C2Xc
8D{.q9M<j"\Q
Q2u	tl>
&ePTmJ
1@Gu+^m
{f	Iz&
6hft4h2
E\U$Q?
^}_]S 
.TuS.u8.
Nj?%CeHt
sI9RYOc
5F?dH4
AN1p|0
jl	@fP
P^3Q>b
x^Q!E!y
pbHrrj
s	I8(*
NNY<=c
co\W6Ts
&98Tj^
x\E;sn
{^zg/JDHi
=(S?D1
y?M 17
r*`B<Q
pY!$g<L
O<oKE>
a-TOH3
~yI;uYY
?C:>5fAIF
NN|=[[
u,ru6N
SD$BP~
}q*EP7
5-0<X{
5v";_	^
<qg,1W
8\)=ZQ	2i^o
x\Y@D%/
XWa3v1
*{.v:F
<j0_^K
9^\p(s
s>_8QZC
>{AtXM
Sj=C)#
K;A*m 
<=*>]k~
"Ty=H@
S?ZQ) .
FfgZ\{
'@Y, y
ty-Ke1
].@]u;2t
%+2DOc~
vJZYbg
=?KQx@
=c9]OQ
E,DY~T
T:n<3M
{CRyb+
n[aVmf
_FROD6
ScD=	Q
x3oh4jfZ
5]Mogx
lXsE[c
8>`[-h
s{$P+H?<
n$;Cdh
DytY	w
Ixl5X<
lj0CGN*
43vZ[L
0EH\&VB$4
v\HUo/,
$.1MaKH
,dUxaE(dF
+Q^n.j
\{[D.bh
AgW|15
3L+36D
#Xnf%|`
f(z>Zt{
!:]?T%
_b@fi/
C/(...
QW	jZ"
=imqiVk
z<.%<@[
|	'xb@
o4VG<f.
wXVD(@
H{~amuU
G<8SK ,5P$
*=k4Ux;
n|t>!=?
D?Gu/"
X`vvq89
E 5!s2
2-2\rO#
gn,wdp
kI0q-U
|58]vh
<ELq'g
>Pl<x{
GL_SpQpf
{%bhl,
yZ1z@1
	JHE&lx:
MTYvt!<
} ?wj4H
Y2'Hl`
m)4qjM
N9rcQs
TyZ*n_,kK
c`	},>
?gtxAJ\
|0qD?cG
RY[#Q}
Ug0~"4k:
*~kHy54
/6I[dk
S$?ne=n$
S=&Ip[
kAC kR
Bs,X\U%
|i hhp
r<Hu4P
`-;*\\
7q'82){
|tOp<OH
a4rJ{l
LBAOdy
,`*0t~
i0!Ix8_
phb6,k
nuWimg
Haun7z
pMu+Q3e
,X3V=nfh
,}^\cA3W
|LP:f	
Gnrl+^?@
NullsoftInst