SearchProtectToolbar_pcap_5009cde07a

by malwarelabrobot on August 16th, 2015 in Malware Descriptions.

Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 5009cde07a384fad0d1d2ddb4fc03d6c
SHA1: 45f75610c8ad14ac43f98b28eda01fac5b99eb43
SHA256: b7d2698234a3ae196e4c43ccd30e0e06af9683f7374d118505000da0d3f666b6
SSDeep: 12288:f/wAfXETz9n2YwyuqlsnBj4W7rtV0nFwrO1jav95fT9bfYEsz91r5Wg0kU6iirfg:gAPg9n2BdBj4W/toFw0q95LtYEsz91di
Size: 674088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-20 20:10:03
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2016
%original file name%.exe:1336

The Trojan injects its code into the following process(es):

%original file name%.exe:1352

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:1352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\main.css (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\05d97e6e9834ccf063c552e404b9ecafc5e4d662.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c5bfcd4d85ffe4e22099630f8abb9b98b714e7e0.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cc9afe3271c429b15e72e21f6d4fb371283a4843.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\versioninfo.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\142f817c3ec0586de0f960c1c0483043b61a0d06.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\8171799b04351aef58c38f5109cd1ef7a43d20d0.lua (826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\default_logo.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\389da82bc55b853a5b301d1ded34c566dbac4d4f.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\051b9663e868ce31e198a113ab8583e4975333cc.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step1.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f49f0cb90d014cf5c8ac1925a9478d720c972747.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\72ed3d41d77b75b2612d44bc1df80903b476928b.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fe80be6cc93b6dd7bc3fadf2c043443a64eb487f.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fb9a971095becfd9b1e850eb6279c1348b614289.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\6ee341160694a1164db3bdcdb8a5bdf67cb8e295.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1d76390fb3b717cf3455968a560ca5420e3de218.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c6d51ab09f96b7569326130e860517b7d87e866d.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\632078f327839b0df0b12da37f835169172076ee.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepAdv.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\672305f73718cddf94bb13e3c100dc29b8397598.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\lua51.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c1c6244f2ae1702a3000c622f7096790af0fce54.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\364a4e2a5b8a1bf8e9d7bd8564dd4847bc2d4dda.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step2.lua (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1feb3ea612cdf9b90056427956a6421e260272ab.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\bf87348c373b422b894b2aa91466db367ea80aaa.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_off.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cf7afea710adf5a4494f7eea03db9c908baf9a8f.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\cancel.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7d4b85d62fb353e7a43256f40d539ceb6fd06006.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c27913efc6edcc938c504fa24651c7f3d95f51cc.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c9f011a4972686d5e6b3011c1f3d869999161f98.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\897d21056a341314b60764c31b36c1fad542e78a.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\526e1aa5c4ffd23f07dd88b5fb40e6f2e034caef.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\87a5250e7389d052be3fdc257872ebd873ef2deb.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\e7a170af4b32945995cc5d1f1aee630920f88095.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b2584cd1b859d0b92b2ad88463adbe6757e8ae1.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\extension.tlb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0ec81897a17fb0f84013e683b09bb6f0c8d42cd8.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7c5fb38f536c5e201a10ce382c0756a186346bc2.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\3dec5266be16767074bd7e633762711cad92c73c.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f45008e3c900e7920effac3ed6f377dd0caf0cf1.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin.zip (6532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a2a55e68a147ddb026454c38213bc01a3979f52c.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (49455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1370ebd534807c69ad0db6461cbf3f3fd03c434f.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f44b567e3a3a123bcabbee52004a1b32b680a84e.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\skin.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\21bf231e6241de6c31600941d84be38815e28488.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\920f8f5815b381ea692e9e7c2f7119f2b1aa620a.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepInt.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7a0c7559331d92414337ab9237a8a62c13d544ee.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a317db596f44efe64d2468fcc06f25e9e5c24881.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\083e81bd6d4ed3f8c712846787b4588d08f99e95.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b33b2bde409277581a53da83ac5b1bfdcf29afa.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\2ef40efb3ce47d8141682e9cd50f9848be24fcd8.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fcdcfb4437ad8599b23f499b563e237a464ff441.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f40368059830399ce8189100003d317f2739d087.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step_d.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\78e7626f746ee5577b52d70f6be23e4200f721f1.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\b67dd0daccce8aa22f9ae05b1ba94204e35079c1.lua (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\845c4cc600dfc06afce750ce6b8870433b7d47ec.lua (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\590f6cae552c6eb2859cbad0ffbdbd5571946df4.lua (12 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\026e996a3a5897970b058ffb093a163a1d763649.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1db41df8dccf7e3b03a1b1cd221519090170ae52.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\9ed037b84943c4caa3a520e48a5540181c46c98c.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\decline.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\__web.xml (259561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\00dd744df5073c5ea8e44a65021a773b42bddf79.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0016e501ecf62f9d1e0ea5ff98d62e9163b91e1a.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\options.json (200 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7.tmp (0 bytes)

The process %original file name%.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (6428 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp (0 bytes)

The process %original file name%.exe:1336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (6428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp\LuaBridge.dll (1856 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp\LuaBridge.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw4.tmp (0 bytes)

Registry activity

The process %original file name%.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D A9 14 A3 24 11 0A 0E E6 87 B3 D2 2A 90 0C 67"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 77 71 BB 90 07 B3 D0 5E 01 92 28 17 B5 12 D6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 AC 9A 95 9C C8 AF 8C 05 DC 01 C4 55 50 7D 40"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh6.tmp\LuaBridge.dll,"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

Dropped PE files

MD5 File path
0a29e1b270ccea61aba7d7cdd10e0388 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\026e996a3a5897970b058ffb093a163a1d763649.dll
00e96680218c3a07510a44ddb9f158b0 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\0ec81897a17fb0f84013e683b09bb6f0c8d42cd8.dll
e390287499549de31da007f7f0ae4d10 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\1370ebd534807c69ad0db6461cbf3f3fd03c434f.dll
b991f57d815ca821cdb42d2792db366f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\1feb3ea612cdf9b90056427956a6421e260272ab.dll
e626f4baffc82488c1efd873c250fb09 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\672305f73718cddf94bb13e3c100dc29b8397598.dll
4bf7db111acfa7c28ad36606107b3322 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\87a5250e7389d052be3fdc257872ebd873ef2deb.dll
0f26c6d34d3841e93145dd00d0175651 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\FloatingProgress.dll
4e08fe995ab74ba4d145ddb77ea095fc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\LuaBridge.dll
7292b642bd958aeb7fd7cfd19e45b068 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\LuaXml_lib.dll
7e3c808299aa2c405dffa864471ddb7f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\System.dll
d02a497be5f89c44827f142c4662f591 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\UACInfo.dll
4a4845ba1666907f708c9c10a31ec227 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\f40368059830399ce8189100003d317f2739d087.dll
fceee0026aafd237afdb4aea4ecd3557 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\lua51.dll
692479f7c07a64a6a632148e382f0e22 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\nsis7z.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\nsisunz.dll
5694e7daf20c47c8d5e73d4a838c2ee6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\un.package.exe
ebc5bb904cdac1c67ada3fa733229966 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\versioninfo.dll
4e08fe995ab74ba4d145ddb77ea095fc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh6.tmp\LuaBridge.dll
4e08fe995ab74ba4d145ddb77ea095fc c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw3.tmp\LuaBridge.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name    Virtual Address  Virtual Size  Raw Size  Entropy  Section MD5
.text   4096             24196         24576     4.47434  537319dcfaf4d45886bc9abaea2c0db1
.rdata  28672            5734          6144      3.58506  54a5edb17eb9f223693068d3a6d9948a
.data   36864            109968        512       1.65371  23b160b2b8c5b752bfc72cdef7cf2b55
.ndata  147456           147456        0         0        d41d8cd98f00b204e9800998ecf8427e
.rsrc   294912           9096          9216      3.14352  b7b0fcf34af11aa79981952514c0aa4a

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0 50.22.63.140
hxxp://a728.g.akamai.net/skins/da/06032014/megazord_skin_cancel.zip
hxxp://service.downloadadmin.com/env?osVersion=XP&browserName=Firefox&brand=adsterra.com&pid=adsterra&bc=1185859&osName=Windows&country=UA 50.22.63.140
hxxp://mirror.downloadnet1049.com/skins/da/06032014/megazord_skin_cancel.zip 87.245.221.88


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /env?osVersion=XP&browserName=Firefox&brand=adsterra.com&pid=adsterra&bc=1185859&osName=Windows&country=UA HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY
X-Exename: %original file name%.exe
X-Exe-Checksum: 0
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 14 Aug 2015 21:53:16 GMT
Age: 0
X-Cache: MISS
001af6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Environment>
    <Entry name="over-threshold:PremierOpinion (US) (1457)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (US) (1456)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (US) (1449)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (US) (1458)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (US) (1459)">true</Entry>
    <Entry name="over-threshold:Pro PC Cleaner (US)">true</Entry>
    <Entry name="over-threshold:MyPCBackup (US) (PPI)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (UK)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (UK) (1456)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (UK) (1457)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (UK) (1458)">true</Entry>
    <Entry name="over-threshold:PremierOpinion (UK) (1459)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (AR)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (MX)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (BR)">true</Entry>
    <Entry name="over-threshold:Optimizer Pro (TR)">true</Entry>
    <Entry name="over-threshold:Super Optimizer (DE)">true</Entry>
    <Entry name="over-threshold:Super Optimizer (IN)">true</Entry>
    <Entry name="over-threshold:Super Optimizer (RU)">

<<< skipped >>>

GET /install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0 HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY
X-Exename: %original file name%.exe
X-Exe-Checksum: 0
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: service.downloadadmin.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 14 Aug 2015 21:53:06 GMT
Age: 0
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Installer>
  <Bundle>
    <LinkBelowEula>false</LinkBelowEula>
    <OptInDefault>false</OptInDefault>
    <ProductBinary embed="false" msioptions="/quiet" options="">hXXp://mirror.downloadnet1049.com/binstallers/BM2/uplayer/exe/uPlayer.msi</ProductBinary>
    <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1049.com/binstallers/BM2/uplayer/ipage/uplayer_specs.mht</ProductEula>
    <Primary>true</Primary>
    <ProductId>4814</ProductId>
    <ProductName>uPlayer Media Player</ProductName>
    <Scramble>false</Scramble>
  </Bundle>
  <Bundle>
    <Category>search, home, toolbar</Category>
    <CustomParameter Name="advertisername">Findwide</CustomParameter>
    <If>
      <Or>
        <Not>
          <Env property="custom.invm" op="=" value="true"/>
        </Not>
        <Env property="custom.partner" op="=" value="test"/>
      </Or>
      <Or>
        <Env property="custom.region" op="=" value="US"/>
        <Env property="custom.region" op="=" value="us"/>
      </Or>
      <Not>
        <Or>
          <Env property="custom.partner" op="=" value="vitz

<<< skipped >>>

GET /skins/da/06032014/megazord_skin_cancel.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: mirror.downloadnet1049.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Server: Apache
ETag: "e2f08c3face90861f5b3958d4df545ff:1401800438"
Last-Modified: Tue, 03 Jun 2014 13:00:38 GMT
Accept-Ranges: bytes
Content-Length: 42676
Content-Type: application/zip
Date: Fri, 14 Aug 2015 21:53:15 GMT
Connection: keep-alive
<<< skipped >>>

POST /install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0 HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY
Content-Type: application/x-www-form-urlencoded
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0
X-Exe-Checksum: 0
X-Exename: %original file name%.exe
Content-Length: 10
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: service.downloadadmin.com
Connection: Keep-Alive

delta=4875
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Fri, 14 Aug 2015 21:53:05 GMT
Age: 0
X-Cache: MISS
0..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_2016:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
ole32.dll
comctl32.dll
GDI32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
VERSION.dll
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
WINMM.dll
IPHLPAPI.DLL
msvcrt.dll
CreatePipe
LuaBridge.dll
?execFile@LuaBridge@@YA_NPAUnamed_state_t@1@PBD@Z
?processPipeCommands@LuaBridge@@YAHPAUnamed_state_t@1@PAX_N@Z
_luabridge_exec_file@8
C:\Programming\GitHome\LuaBridge\Release\LuaBridge.pdb
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
.textbss
.idata
@.reloc
ProxyForUrl
Win32.Job
Nsis.PluginCall
Win32.Handle
Error:Unknown /state named %s
evalResp{args=%x,stateName=%x}
evalLuaFile[state=%x/%s][thread=%d](%s)
nsLua.cpp
WM_EXEC_FILE|File=
LuaRemoteLoop[state=%x/%s][thread=%d]
com.luabridge.WndProcTable
[%s]Error Handling Message(%d,%d,%d,%d):%s
[%s]Calling Global Function(%s)
checkIsChild:Failed to Get Exe Path(rc=%d)
checkIsChild:Failed to SetEnvironmentVariable(rc=%d)
checkIsChild:Failed to Create Shared Data Block(rc=%d)
checkIsChild:Create process failed(rc=%d)
checkIsChild:GetExitCodeProcess failed(rc=%d)
[%s]Error Evaluating %s
ERROR:%s
PipeName:
evalLuaString[state=%x/%s][thread=%d](%s)
DBGHELP.DLL
Saved dump file to '%s'
Failed to save dump file to '%s' (error %d)
Failed to create dump file '%s' (error %d)
DBGHELP.DLL too old
DBGHELP.DLL not found
Thread named '%s' could not be found
Expected async state name:%s
unknown state name '%s'
evalInState() error; no code passed
ERROR:Cannot post to state[%s] not async and note default
lua51.dll
ShellExecute
EnumRegKey
create_pipe
dm\LOCALS~1\Temp\nsw3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw3.tmp
nsw3.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw3.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
<assemblyIdentity processorArchitecture="X86" name="Adk.Installer.exehead" type="win32" version="1.0.0.0" />
<description>Install System vADK.1.0.0
<dependency><dependentAssembly><assemblyIdentity name="Microsoft.Windows.Common-Controls" version="6.0.0.0" type="win32" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

%original file name%.exe_1352:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
%s=%s
ole32.dll
comctl32.dll
GDI32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
VERSION.dll
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
COMCTL32.dll
WININET.dll
GetProcessHeap
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
@.reloc
All Files|*.*
COMDLG32.dll
nsDialogs.dll
.reloc
ButtonEvent.dll
rowser-%s
nswebForwarder
CustomNsWebContainer
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd9.tmp\LuaBridge.dll
ss.dll
100003d317f2739d087.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd9.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd9.tmp
ns\UrlAssociations\http\UserChoice
nsd9.tmp
,0x00040000) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/adk.exe.nsi:Line 1182.2
/adk.exe.nsi:Line 1058.2
.nsi:Line 965.2
et=4;startTime=1305530;pid=1352)]]}) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/adk.exe.nsi:Line 960.2
Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
1179964
1245406
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
uplayer_adsterra,bc=1185859,pid=adsterra,brand=adsterracom,country=ua,osname=windows,osversion=xp,browsername=firefox
1305530
<assemblyIdentity processorArchitecture="X86" name="Adk.Installer.exehead" type="win32" version="1.0.0.0" />
<description>Install System vADK.1.0.0
<dependency><dependentAssembly><assemblyIdentity name="Microsoft.Windows.Common-Controls" version="6.0.0.0" type="win32" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1">
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>

%original file name%.exe_1352_rwx_003E4000_00001000:

callback%d

%original file name%.exe_1352_rwx_015B1000_0000A000:

Portions Copyright (c) 1999,2003 Avenger by NhT
KWindows
GetProcessHeap
.idata
.edata
P.reloc
P.rsrc


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:2016
    %original file name%.exe:1336

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\main.css (457 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\05d97e6e9834ccf063c552e404b9ecafc5e4d662.lua (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsisunz.dll (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c5bfcd4d85ffe4e22099630f8abb9b98b714e7e0.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cc9afe3271c429b15e72e21f6d4fb371283a4843.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\versioninfo.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\142f817c3ec0586de0f960c1c0483043b61a0d06.lua (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\8171799b04351aef58c38f5109cd1ef7a43d20d0.lua (826 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\default_logo.png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\389da82bc55b853a5b301d1ded34c566dbac4d4f.lua (1552 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\051b9663e868ce31e198a113ab8583e4975333cc.lua (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progressPause.gif (517 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress-bar.gif (2281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step1.lua (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f49f0cb90d014cf5c8ac1925a9478d720c972747.lua (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\72ed3d41d77b75b2612d44bc1df80903b476928b.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\jquery.js (6360 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fe80be6cc93b6dd7bc3fadf2c043443a64eb487f.lua (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fb9a971095becfd9b1e850eb6279c1348b614289.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\6ee341160694a1164db3bdcdb8a5bdf67cb8e295.lua (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.js (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\un.package.exe (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1d76390fb3b717cf3455968a560ca5420e3de218.lua (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\knockout.js (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c6d51ab09f96b7569326130e860517b7d87e866d.lua (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\632078f327839b0df0b12da37f835169172076ee.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepAdv.lua (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\.DS_Store (601 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept-lg.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\672305f73718cddf94bb13e3c100dc29b8397598.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\lua51.dll (9320 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c1c6244f2ae1702a3000c622f7096790af0fce54.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\364a4e2a5b8a1bf8e9d7bd8564dd4847bc2d4dda.lua (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step2.lua (6584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1feb3ea612cdf9b90056427956a6421e260272ab.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\bf87348c373b422b894b2aa91466db367ea80aaa.lua (310 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_off.png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cf7afea710adf5a4494f7eea03db9c908baf9a8f.lua (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\cancel.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7d4b85d62fb353e7a43256f40d539ceb6fd06006.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c27913efc6edcc938c504fa24651c7f3d95f51cc.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c9f011a4972686d5e6b3011c1f3d869999161f98.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsis7z.dll (6360 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\897d21056a341314b60764c31b36c1fad542e78a.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\526e1aa5c4ffd23f07dd88b5fb40e6f2e034caef.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\87a5250e7389d052be3fdc257872ebd873ef2deb.dll (2392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\e7a170af4b32945995cc5d1f1aee630920f88095.lua (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b2584cd1b859d0b92b2ad88463adbe6757e8ae1.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\extension.tlb (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0ec81897a17fb0f84013e683b09bb6f0c8d42cd8.dll (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7c5fb38f536c5e201a10ce382c0756a186346bc2.lua (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\3dec5266be16767074bd7e633762711cad92c73c.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\next.png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f45008e3c900e7920effac3ed6f377dd0caf0cf1.lua (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin.zip (6532 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a2a55e68a147ddb026454c38213bc01a3979f52c.lua (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (49455 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1370ebd534807c69ad0db6461cbf3f3fd03c434f.dll (7192 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f44b567e3a3a123bcabbee52004a1b32b680a84e.lua (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\back.png (145 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\skin.png (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\21bf231e6241de6c31600941d84be38815e28488.lua (302 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\920f8f5815b381ea692e9e7c2f7119f2b1aa620a.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\UACInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_bg.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\FloatingProgress.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaXml_lib.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepInt.lua (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7a0c7559331d92414337ab9237a8a62c13d544ee.lua (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a317db596f44efe64d2468fcc06f25e9e5c24881.lua (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\083e81bd6d4ed3f8c712846787b4588d08f99e95.lua (7 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b33b2bde409277581a53da83ac5b1bfdcf29afa.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\2ef40efb3ce47d8141682e9cd50f9848be24fcd8.lua (10 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress.gif (769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fcdcfb4437ad8599b23f499b563e237a464ff441.lua (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\close.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f40368059830399ce8189100003d317f2739d087.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step_d.lua (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\78e7626f746ee5577b52d70f6be23e4200f721f1.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\index.html (769 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_on.png (999 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\b67dd0daccce8aa22f9ae05b1ba94204e35079c1.lua (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\845c4cc600dfc06afce750ce6b8870433b7d47ec.lua (857 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.css (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaBridge.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\590f6cae552c6eb2859cbad0ffbdbd5571946df4.lua (12 bytes)
    %Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\026e996a3a5897970b058ffb093a163a1d763649.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1db41df8dccf7e3b03a1b1cd221519090170ae52.lua (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\9ed037b84943c4caa3a520e48a5540181c46c98c.lua (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\decline.png (25 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\__web.xml (259561 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\00dd744df5073c5ea8e44a65021a773b42bddf79.lua (462 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0016e501ecf62f9d1e0ea5ff98d62e9163b91e1a.lua (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\options.json (200 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp\LuaBridge.dll (1856 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (6428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (6428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp\LuaBridge.dll (1856 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
