Gen.Variant.Application.Bundler.Jaik.5699_a371cd1d3e

by malwarelabrobot on April 9th, 2015 in Malware Descriptions.

Gen:Variant.Application.Bundler.Jaik.5699 (BitDefender), AirInstaller (fs) (VIPRE), Trojan.DownLoader12.14838 (DrWeb), Artemis!A371CD1D3E28 (McAfee), Gen:Variant.Application.Bundler (FSecure), Generic.D52 (AVG), Gen:Variant.Application.Bundler.Jaik.5699 (AdAware)
Behaviour: Trojan, Installer


The description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
The sample has been submitted by Lavasoft customers.


MD5: a371cd1d3e283d35ca2394f322e56e1c
SHA1: 9603632b93c04cf2bc5debf91565e9ced98e296f
SHA256: 13b8ab9441859a68dfe2e384885ca8f95e5e1b7c5d91b03e9e7f89fbf6c11114
SSDeep: 24576:LbFdxlYmY5Kq2w7R0zUSh8wV1EzwlA5rGnK4S8eciG5/RTjW:LZdabezUSh8wV1EzwlUGnK4S85/Q
Size: 807208 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: Download Manager, LLC
Created at: 2015-01-28 21:30:21
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse). In this sample the version resource claims to be "MalwareBytes" 3.0.0.73 from "Download Manager, LLC", while the strings from the process dumps show an embedded Lua 5.2.3 interpreter, bundler modules (foundation._http, foundation.zip, load_exe_resource), download and shell-execute imports (URLDownloadToFileW, ShellExecuteExW), and a second-stage Setup.exe dropped into a per-run %Temp% directory: the profile of a software-bundling download manager rather than the security product it names.
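
An added triage helper for the identifiers and strings in this report (example code written for this page, not part of the Lavasoft report or of the sample): it hashes a file and compares the digests with the MD5/SHA-1/SHA-256 listed above, then looks for the static strings the process dumps show (the Lua 5.2.3 banner and bootstrap line, the foundation.* module names, the download and shell imports, and the "MalwareBytes" / "Download Manager, LLC" version-info strings, which are also searched in UTF-16LE because that is how a .rsrc version block stores them). The sample bytes embedded in it are constructed for the test, and the verdict thresholds are an assumption, not something the report states.

```python
"""Added triage example for this report; not code from Lavasoft or from the sample."""
import hashlib
import sys

# Hashes copied from the report header.
REPORT_HASHES = {
    "md5": "a371cd1d3e283d35ca2394f322e56e1c",
    "sha1": "9603632b93c04cf2bc5debf91565e9ced98e296f",
    "sha256": "13b8ab9441859a68dfe2e384885ca8f95e5e1b7c5d91b03e9e7f89fbf6c11114",
}

# Indicator classes -> literal strings seen in the dumps. Any one literal hits the class.
STRING_INDICATORS = {
    "lua_runtime": [b"$LuaVersion: Lua 5.2.3"],
    "lua_bootstrap": [b"require('%M').main(__args)"],
    "bundler_modules": [b"foundation._http", b"foundation.zip", b"load_exe_resource"],
    "download_api": [b"URLDownloadToFileW", b"HttpSendRequestW"],
    "shell_api": [b"ShellExecuteExW", b"shell_execute_ex"],
    "fake_versioninfo": [b"malwarebytes.exe", b"Download Manager, LLC"],
}


def file_hashes(data: bytes) -> dict:
    """Lowercase hex MD5, SHA-1 and SHA-256 of the bytes."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


def hash_match(data: bytes) -> bool:
    """True when any digest equals the corresponding hash from the report."""
    digests = file_hashes(data)
    return any(digests[algo] == value for algo, value in REPORT_HASHES.items())


def string_indicators(data: bytes) -> list:
    """Indicator classes whose literals occur in the bytes as ASCII or as UTF-16LE.

    Version-info resources store their strings as UTF-16LE, so each literal is
    also searched in that encoding.
    """
    hits = []
    for label, literals in STRING_INDICATORS.items():
        for lit in literals:
            if lit in data or lit.decode("ascii").encode("utf-16le") in data:
                hits.append(label)
                break
    return hits


def triage(data: bytes) -> dict:
    """Combine the hash check and the string indicators into a verdict.

    Assumption (not from the report): three or more indicator classes, or the
    Lua bootstrap line together with the fake version info, is enough to call
    the file a suspected bundler of this family.
    """
    hits = string_indicators(data)
    known = hash_match(data)
    if known:
        verdict = "known_sample"
    elif len(hits) >= 3 or {"lua_bootstrap", "fake_versioninfo"} <= set(hits):
        verdict = "suspect_bundler"
    else:
        verdict = "no_match"
    return {"hashes": file_hashes(data), "known_hash": known, "indicators": hits, "verdict": verdict}


# Constructed stand-in for a file of this family: a few of the strings from the dumps,
# with the version-info strings in UTF-16LE as they would be in a .rsrc section.
CONSTRUCTED_SAMPLE = (
    b"MZ" + b"\x00" * 62
    + b"$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $\x00"
    + b"local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)\x00"
    + b"foundation._http\x00foundation.zip\x00load_exe_resource\x00"
    + b"URLDownloadToFileW\x00ShellExecuteExW\x00"
    + "Download Manager, LLC".encode("utf-16le")
    + "malwarebytes.exe".encode("utf-16le")
)

if __name__ == "__main__":
    # Usage: python triage.py <file>; without an argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    blob = open(path, "rb").read() if path else CONSTRUCTED_SAMPLE
    print(triage(blob))
```

The hash check only catches this exact file; the string indicators are what carry over to the 14 polymorphic relatives listed further down, since the Lua runtime and module names survive repacking while the hashes do not.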

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Setup.exe:392
%original file name%.exe:1972

The Trojan injects its code into the following process(es):

No process injection has been detected.

Mutexes

The following mutexes were created/opened:

23f1833664d3b658b5782dd014c9dd98
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex

File activity

The process %original file name%.exe:1972 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\a2Xdc7Q7nH\Wc6wlCSd\Setup.exe (5873 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

Registry activity

The process Setup.exe:392 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 39 59 5E C2 EB D4 E8 10 93 A3 8C 89 18 45 D9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"setup.exe" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS]
"setup.exe" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"setup.exe" = "0"

The process %original file name%.exe:1972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A9 3E 46 83 9A 96 CC E4 AD 4C 6F 09 18 AB 0D F8"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
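
An added example for the Mutexes and Registry activity sections above (written for this page, not code from Lavasoft or from the sample). Most of what both sections list is housekeeping that WinINet and the shell perform for any process that uses the WinINet HTTP API: the Wininet*/Zones* mutexes and the cookie, history and cache path mutexes, the Cache\Paths keys, the Shell Folders values and the Cryptography\RNG seed. The entries worth a second look are the Internet Explorer FeatureControl values keyed on "setup.exe": FEATURE_LOCALMACHINE_LOCKDOWN = 0 exempts the process's embedded WebBrowser control from Local Machine Zone Lockdown and FEATURE_SECURITYBAND = 0 suppresses its Information Bar, so the installer can render local or downloaded HTML without the usual prompts. The mutex list and the registry excerpt in the code are copied from this page; the noise classification is an assumption based on WinINet's normal behaviour, and the explanations of the two feature controls are the editor's.

```python
"""Added example for this report; not code from Lavasoft or from the sample."""
import re

# Mutex names copied from the Mutexes section.
MUTEXES = [
    "23f1833664d3b658b5782dd014c9dd98",
    "WininetProxyRegistryMutex", "WininetConnectionMutex", "WininetStartupMutex",
    "c:!documents and settings!adm!local settings!history!history.ie5!",
    "c:!documents and settings!adm!cookies!",
    "c:!documents and settings!adm!local settings!temporary internet files!content.ie5!",
    "_!MSFTHISTORY!_", "ZonesLockedCacheCounterMutex", "ZonesCacheCounterMutex", "ZonesCounterMutex",
]

# Excerpt copied from the Registry activity section, in the report's own layout.
REGISTRY_DUMP = r"""
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3C 39 59 5E C2 EB D4 E8 10 93 A3 8C 89 18 45 D9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SECURITYBAND]
"setup.exe" = "0"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS]
"setup.exe" = "1"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN]
"setup.exe" = "0"
"""

# Mutexes WinINet and the URL cache create for any process using the WinINet API (assumption).
WININET_MUTEX = re.compile(
    r"^(Wininet\w*Mutex|Zones\w*Mutex|_!MSFTHISTORY!_|c:!.*!(cookies|history\.ie5|content\.ie5)!)$", re.I)

# Keys WinINet and the shell write as a side effect of WinINet use (assumption).
NOISE_KEYS = (
    re.compile(r"\\Internet Settings\\Cache\\Paths", re.I),
    re.compile(r"\\Explorer\\Shell Folders$", re.I),
    re.compile(r"\\Cryptography\\RNG$", re.I),
)

# FeatureControl entries that weaken a security default when set to "0" for a process.
WEAKENING_FEATURES = {
    "FEATURE_LOCALMACHINE_LOCKDOWN": "exempts the process's WebBrowser control from Local Machine Zone Lockdown",
    "FEATURE_SECURITYBAND": "suppresses the Information Bar in the process's WebBrowser control",
}

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')


def sample_specific_mutexes(names: list) -> list:
    """Drop the WinINet/URL-cache mutexes; what remains is a candidate host indicator."""
    return [n for n in names if not WININET_MUTEX.match(n)]


def parse_registry_dump(text: str):
    """Yield (key, name, value) from the [key] / "name" = "value" layout of the report."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m.group("name"), m.group("value")


def classify(key: str, name: str, value: str) -> str:
    """'finding' for a weakening FeatureControl opt-out, 'noise' for housekeeping, else 'review'."""
    if "\\FeatureControl\\" in key:
        feature = key.rsplit("\\", 1)[-1]
        return "finding" if feature in WEAKENING_FEATURES and value == "0" else "review"
    if any(p.search(key) for p in NOISE_KEYS):
        return "noise"
    return "review"


def triage_registry(text: str) -> dict:
    """Bucket every value write; findings also carry the image name the value is keyed on."""
    buckets = {"noise": [], "review": [], "finding": []}
    for key, name, value in parse_registry_dump(text):
        bucket = classify(key, name, value)
        entry = {"key": key, "name": name, "value": value}
        if bucket == "finding":
            entry["process"] = name  # FeatureControl values are keyed by image name
            entry["why"] = WEAKENING_FEATURES[key.rsplit("\\", 1)[-1]]
        buckets[bucket].append(entry)
    return buckets


if __name__ == "__main__":
    print("sample-specific mutexes:", sample_specific_mutexes(MUTEXES))
    result = triage_registry(REGISTRY_DUMP)
    for f in result["finding"]:
        feature = f["key"].rsplit("\\", 1)[-1]
        print(f"{f['process']}: {feature} = {f['value']} ({f['why']})")
    print(f"{len(result['noise'])} housekeeping writes, {len(result['review'])} to review")
```

On a live host the same two FeatureControl values can be checked directly under HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl; a "0" for an installer's image name there is a stronger indicator than any of the cache-path writes, which every WinINet client produces.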

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name: Download Manager, LLC
Product Name: MalwareBytes
Product Version: 3.0.0.73
Legal Copyright: (c) Download Manager, LLC
Legal Trademarks:
Original Filename: malwarebytes.exe
Internal Name: malwarebytes.exe
File Version: 3.0.0.73
File Description: MalwareBytes
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 482304 482304 4.71958 149e63c29ec0099730256a183b8a8192
.rdata 487424 139264 139264 4.24437 7215344e9f07d64c89d0d49bd82f18f8
.data 626688 53124 9216 2.8472 54b9106d6a0751971f1712f70e4330c4
.rsrc 679936 170436 170496 5.44521 99762b78b5313795d5633b65967029fb

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 14
7110d4223f11285cee1bac3fc4254832
ab5b5fde76ae0ce01e5a356371ecaa40
aa040b3d62dc94777a8f66fbe284722d
54965ec29ab51ff912de20ee306eb641
417046fb1a8695cd97dbb7c50acecfc4
204dc6cae13f40143a0c09caa4fb9ac2
7facd8628e317e9eba49af4acff2975c
8099e58a87d7af8ff17f2329c537da66
41dab257a87128e0d85021292c1e5f06
ab3fea929e598e33187ce5c734913bdb
5b9a3fc8049384e760541c830919a748
32ad4003622f045ec4749b2db9ab1209
549854fa805525b65136fad66c11d074
389dfd9a5f54de94beba8a6ab57c9b44

URLs

No activity has been detected.

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

Web Traffic was not found.

The Trojan connects to the servers at the following location(s):

No connections have been recorded.

Strings from Dumps

%original file name%.exe_1972:

.text
`.rdata
@.data
.rsrc
@.reloc
PSSSSSSh
>.YYu
VWj%S
?%u/F
xSSSh
FTPjKS
FtPj;S
C.PjRV
&&&&6666????
""""****
2222::::
$$$$\\\\
00006666
####====
function <%s:%d>
function '%s'
(...tail calls...)
%s:%d:
%s: %s
stack overflow (%s)
cannot %s %s: %s
%s: %p
name conflict for module '%s'
PANIC: unprotected error in call to Lua API (%s)
version mismatch: app. needs %f, Lua core provides %f
bad argument #%d to '%s' (%s)
calling '%s' on bad self (%s)
bad argument #%d (%s)
%s expected, got %s
@invalid option '%s'
$LuaVersion: Lua 5.2.3 Copyright (C) 1994-2013 Lua.org, PUC-Rio $$LuaAuthors: R. Ierusalimschy, L. H. de Figueiredo, W. Celes $
%s:%d: %s
attempt to %s %s '%s' (a %s value)
attempt to %s a %s value
attempt to compare %s with %s
attempt to compare two %s values
invalid option '%%%c' to 'lua_pushfstring'
attempt to load a %s chunk (mode is '%s')
error in __gc metamethod (%s)
Ainvalid key to 'next'
upvaluejoin
_HKEY
invalid capture index %%%d
missing '[' after '%%f' in pattern
^$* ?.([%-
invalid use of '%c' in replacement string
invalid replacement value (a %s)
\d
invalid option '%%%c' to 'format'
@field '%s' missing in date table
invalid conversion specifier '%%%s'
cannot open file '%s' (%s)
standard %s file is closed
invalid value (%s) at index %d in table for 'concat'
system error %d
no file '%s'
'package.%s' must be a string
error loading module '%s' from file '%s':
luaopen_%s
no module '%s' in file '%s'
no field package.preload['%s']
module '%s' not found:%s
'package.searchers' must be a table
!\?.dll;!\loadall.dll;.\?.dll
!\lua\?.lua;!\lua\?\init.lua;!\?.lua;!\?\init.lua;.\?.lua
too many %s (limit is %d)
char(%d)
%s near %s
%s expected
too many %s (limit is %d) in %s
function at line %d
%s expected (to close %s at line %d)
<goto %s> at line %d jumps into the scope of local '%s'
no visible label '%s' for <goto> at line %d
<%s> at line %d not inside a loop
label '%s' already defined on line %d
%s: %s precompiled chunk
Visual C   CRT: Not enough memory to complete call to strerror.
cmd.exe
Broken pipe
Inappropriate I/O control operation
Operation not permitted
?#%X.y
%S#[k
portuguese-brazilian
GetProcessWindowStation
operator
?456789:;<=
!"#$%&'()* ,-./0123
bit library self-test failed (%s)
crash report crypt failed
) on url:
CoInternetParseUrl failed (
unsupported
Unsupported data type
POWRPROF.dll
CoInternetParseUrl
URLDownloadToFileW
urlmon.dll
IPHLPAPI.DLL
dbghelp.dll
VERSION.dll
SHFileOperationW
ShellExecuteExW
SHELL32.dll
SHDeleteKeyW
SHLWAPI.dll
KERNEL32.dll
GetKeyState
USER32.dll
GDI32.dll
RegOpenKeyExA
RegCloseKey
RegCreateKeyExW
RegQueryInfoKeyW
RegOpenKeyExW
RegEnumKeyExW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
HttpQueryInfoA
InternetCrackUrlW
HttpSendRequestW
HttpAddRequestHeadersW
HttpOpenRequestW
WININET.dll
GetCPInfo
CreatePipe
GetProcessHeap
zcÁ
.?AVlast_error_t@stl@http@@
c:\%original file name%.exe
io.stdout:setvbuf('no')
package.path = ''
local s, r = xpcall(function() return require('%M').main(__args) end, debug.traceback)
package.path=''
local s,r,e = xpcall(function() return require('%M').%F(%A) end, debug.traceback)
if r ~= nil then r = ml.tstring(r) end
foundation.encoding
foundation._http
foundation.logic
foundation.misc
foundation.zip
join
key_exists
create_key
enumerate_subkeys
enumerate_subkeys_next
enumerate_subkeys_close
shell_execute_ex
load_exe_resource
y.XDMo
.Pg213
.FS5A
"<}af%D
%0So?r
}.Zmy
.tY]Z
yw%sN
 .iK=
F%xudn3
nTcP^)
S"CMD
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
nKERNEL32.DLL
WUSER32.DLL
IDispatch error #%d
" --crash_report="
crash_report
errorUrl
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_USERS
HKEY_CURRENT_CONFIG
HKEY_CLASSES_ROOT
3.0.0.73
malwarebytes.exe

Setup.exe_392 (strings identical to %original file name%.exe_1972 above, apart from the embedded path):

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2Xdc7Q7nH\Wc6wlCSd\Setup.exe

%original file name%.exe_1644 (strings identical to %original file name%.exe_1972 above, including the c:\%original file name%.exe path; this process ID is not listed under Process activity and belongs to a separate run of the sample):

Setup.exe_640 (strings identical to %original file name%.exe_1972 above, apart from the embedded path; the temp directory name differs from the one listed under File activity, so that directory name is not a stable indicator):

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\a2QU3nBENE\abPp62aH\Setup.exe


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Setup.exe:392
    %original file name%.exe:1972

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\a2Xdc7Q7nH\Wc6wlCSd\Setup.exe (5873 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
