Trojan.NSIS.StartPage_767d37ebbf

by malwarelabrobot on April 15th, 2018 in Malware Descriptions.

not-a-virus:HEUR:AdWare.Win32.Generic (Kaspersky), Adware.Downware.18220 (DrWeb), Trojan.NSIS.StartPage.FD (Lavasoft MAS)
Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

Dynamic Analysis

Static Analysis

Network Activity

Map

Strings from Dumps

Removals

MD5: 767d37ebbfd8b261b7b8427ddfee9c13
SHA1: 5154bb47996ef2c86b5a83409d49a0f04dcb94c8
SHA256: 21d18d5b03bb1bef4730f9abea5e1cd12918f502a0cac6fe8a471f4e27df1e09
SSDeep: 49152:6omiZ ix1/kubpEfpu3yAJ6ohyxM1aCSL0:61ijvtmhAJRhr15I0
Size: 1665048 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-04-02 06:20:13
Analyzed on: Windows7 SP1 32-bit

Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:2940

The Trojan injects its code into the following process(es):

%original file name%.exe:816

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process %original file name%.exe:816 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1974.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1891.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\LCLogo.bmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1802.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[6].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1973.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[8].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1956.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\914.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\p[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\3.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Banner.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1914.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[1].htm (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Fusion.dll (31413 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\find[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1965.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1488.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[9].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[8].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\fUtil.dll (8523 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1747.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\fuser.dll (3696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1804.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\921.txt (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrA106.tmp (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[6].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1953.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\371.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1720.txt (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb6EFB.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\915.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pixel[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\4.txt (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Image.bmp (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB3EC.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9773.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata4[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\decline.ico (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1975.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\49WEGXZA.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Image2.bmp (494 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[6].htm (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1838.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\eula3.rtf (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1543.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata3[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[9].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\BrowserSafer.ico (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\accept.ico (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1533.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9772.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1957.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ipb[1].htm (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1763.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\2.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\33.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Dialogs.dll (1118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\23.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1803.txt (3 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB3EC.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9772.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBA.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[6].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrA106.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb6EFB.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[1].htm (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9773.tmp (0 bytes)

The process %original file name%.exe:2940 makes changes in the file system.
The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsg6E7C.tmp (0 bytes)

Registry activity

The process %original file name%.exe:816 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Classes\Local Settings\MuiCache\63\52C64B7E]
"LanguageList" = "en-US, en"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASAPI32]
"EnableConsoleTracing" = "0"
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3D 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASAPI32]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\767d37ebbfd8b261b7b8427ddfee9c13_RASMANCS]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
a748a0a7a7eb56ad356cce710968a380	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Banner.dll
68e124e38182aed9034e6e59a732cbdb	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Dialogs.dll
c54f2edc4fffeacd9f2dd22e5d88bbb6	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Fusion.dll
56a321bd011112ec5d8a32b2f6fd3231	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\System.dll
6288ff4016f3f20efa6da9f897c31815	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\fUtil.dll
d0c98c35dcc26263a15d533fa239c88e	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\fuser.dll
e541458cfe66ef95ffbea40eaaa07289	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\inetc.dll
0745ff646f5af1f1cdd784c06f40fce9	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\md5dll.dll
f832e4279c8ff9029b94027803e10e1b	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\nsDialogs.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	24166	24576	4.46432	d22b359417726295d1d61eaac63c3d95
.rdata	28672	4770	5120	3.50617	68295528d67e59e0536c9d80519cbe96
.data	36864	154904	1536	2.90272	82232fd09381275af53acb18fd24a88b
.ndata	192512	192512	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	385024	22880	23040	2.37933	0f474e46707567766e5ca445978886e5

URLs

URL	IP
hxxp://cs9.wac.phicdn.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAYN1sHQZ5AbVHX8/8KeMTc=
hxxp://stp-1014845532.us-east-1.elb.amazonaws.com/p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1346754681	107.20.250.189
ocsp.digicert.com	93.184.220.29
savesetup.com	104.28.2.254

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers

Traffic

GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBTBL0V27RVZ7LBduom/nYB45SPUEwQU5Z1ZMIJHWMys+ghUNoZ7OrUETfACEAYN1sHQZ5AbVHX8/8KeMTc= HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: ocsp.digicert.com


HTTP/1.1 200 OK

Accept-Ranges: bytes

Cache-Control: max-age=168226

Content-Type: application/ocsp-response

Date: Sat, 14 Apr 2018 14:36:31 GMT

Etag: "5ad1e643-1d7"

Expires: Mon, 16 Apr 2018 12:54:20 GMT

Last-Modified: Sat, 14 Apr 2018 11:30:11 GMT

Server: ECS (waw/17C1)

X-Cache: HIT

Content-Length: 471
0..........0..... .....0......0...0........Y0.GX....T6.{:..M...2017111
5203433Z0s0q0I0... ........./Ev..Y..].....x.#......Y0.GX....T6.{:..M..
......g..Tu....17....20171115203433Z....20180514203433Z0...*.H........
.......CS.,e".}o?=.Spv.'U.rout.@....X...._[..f]..h._%.f....?...b..1..a
.SJ.N....|......g.4.?e%'....'c.....v.[.<ErJ.uVDT.z.L9.r....7...jI..
 >.-{.... .a~.O........!n.....2..4.......i.M.u..;6@5........:....$.
..L.N..,.<.'......vLx...)...Ch.TM.A..Rm..zL..K..s...`P..~HTTP/1.1 2
00 OK..Accept-Ranges: bytes..Cache-Control: max-age=168226..Content-Ty
pe: application/ocsp-response..Date: Sat, 14 Apr 2018 14:36:31 GMT..Et
ag: "5ad1e643-1d7"..Expires: Mon, 16 Apr 2018 12:54:20 GMT..Last-Modif
ied: Sat, 14 Apr 2018 11:30:11 GMT..Server: ECS (waw/17C1)..X-Cache: H
IT..Content-Length: 471..0..........0..... .....0......0...0........Y0
.GX....T6.{:..M...20171115203433Z0s0q0I0... ........./Ev..Y..].....x.#
......Y0.GX....T6.{:..M........g..Tu....17....20171115203433Z....20180
514203433Z0...*.H...............CS.,e".}o?=.Spv.'U.rout.@....X...._[..
f]..h._%.f....?...b..1..a.SJ.N....|......g.4.?e%'....'c.....v.[.<Er
J.uVDT.z.L9.r....7...jI.. >.-{.... .a~.O........!n.....2..4.......i
.M.u..;6@5........:....$...L.N..,.<.'......vLx...)...Ch.TM.A..Rm..z
L..K..s...`P..~..<<< skipped >>>

GET /p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1346754681 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: stp-1014845532.us-east-1.elb.amazonaws.com

Connection: Keep-Alive

Cache-Control: no-cache


HTTP/1.1 200 OK

Cache-Control: max-age=86400

Content-Type: image/gif

Date: Sat, 14 Apr 2018 14:36:39 GMT

Expires: Sun, 15 Apr 2018 14:36:39 GMT

Last-Modified: Sat, 14 Apr 2018 14:36:39 GMT

Pragma: no-cache

Server: nginx

Content-Length: 43

Connection: keep-alive

GIF89a.............!.......,..............;HTTP/1.1 200 OK..Cache-Cont
rol: max-age=86400..Content-Type: image/gif..Date: Sat, 14 Apr 2018 14
:36:39 GMT..Expires: Sun, 15 Apr 2018 14:36:39 GMT..Last-Modified: Sat
, 14 Apr 2018 14:36:39 GMT..Pragma: no-cache..Server: nginx..Content-L
ength: 43..Connection: keep-alive..GIF89a.............!.......,.......
.......;..

%original file name%.exe_816:

.text

`.rdata

@.data

.ndata

.rsrc

Vj%SSS

uDSSh

hu2.iu

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

%s%s.dll

ers\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\nsDialogs.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\nsDialogs.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp

s\UrlAssociations\http\UserChoice

\par \hich\af38\dbch\af31505\loch\f38 You may not use the database portion of the Software Product in connection with any s\hich\af38\dbch\af31505\loch\f38 oftware other than the Software Product.

s. You may not alter any files or libraries in any portion of the Software Product. You may not reproduce the database portion or create any tables or reports relating to the database portion.

r requirements or operate under your specific conditions of use. InstallerTech makes no warranty that operation of the Software Product will be secure, error free, or free from interruption. YOU MUST DETERMINE WHETHER THE SOFTWARE PRODUCT SUFFICIENTLY MEE

ITIVE, OR EXEMPLARY DAMAGES OF ANY KIND (INCLUDING LOST REVENUES OR PROFITS OR LOSS OF BUSINESS) RESULTING FROM THIS AGREEMENT, OR FROM THE FURNISHING, PERFORMANCE, INSTALLATION, OR USE OF THE SOFTWARE PRODUCT, WHETHER DUE TO A BREACH OF CONTRACT, BREACH

.WT#w

nX.qO

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB3EC.tmp

nsrB3EC.tmp

13160660

\"%CurrentUserName%"\AppData\Local\Temp\nsrB3EC.tmp

:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbB1B9.tmp

"c:\%original file name%.exe" /start=1 /path=

C:\Users\"%CurrentUserName%"\AppData\Local\prUp

%original file name%.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBA.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

c:\%original file name%.exe

1346754681

savesetup.com

hXXps://savesetup.com/installer.php?CODE=PUTGQ&UID=6461260B-EEB4-4A6E-BEC4-8433B531AAFB&quant=1346754681&action=

-888536346

453641637

-620101119

1711932208

AAjcM0WrUSlfbBR5EtcPS1b1d67LEhdHndovnNfbsp4dMHIEUAyU3KoPgrWUjsrAK1td7V69yPJhPpePm9dzzaCLAc1VCD3BE5KY3sfKXNNn/FVXtQg28uSgPFS40iXt/3S5hr1gY7yZNFYKBxqCv0X6wRPg6ftjUqzsmrkR9G/2KoXUC8paxjLqLRq64tiNkhqPwr8HI8/JiksVrkWN9t43Cd98W7yZmeOKncET2qTjBLPxYbZUQu6c48xiJwSQGioaZ4I8G4Qt7JGv2dAvWegidM28UMuK2ZKlmb1Rxo7EW83iqYE Vq8RS78lHZBjTPC5HMBZtscKNbmPvcGQvQ==

-838204930

1007289826

1309278894

487195170

1342834167

1460273685

50855936

hXXps://savesetup.com/info.php?&quant=1346754681

hXXp://stp-1014845532.us-east-1.elb.amazonaws.com/p.gif?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1346754681

6.1:7601:0

hXXps://savesetup.com/pixel.php?rs=i&h=&av=&aver=&osver=6.1&ossp=1&err=0&64=0&adm=1&quant=1346754681&cpu=Intel(R) Core(TM) i7-4770 CPU @ 3.40GHz&gpu=VMware SVGA 3D (Microsoft Corporation - WDDM)

6461260B-EEB4-4A6E-BEC4-8433B531AAFB

hXXps://savesetup.com/ipb.php?ID=9DC49B997895&ID2=5F321DAFF009&icount=23&rcount=43&ucount=1&m=a1ad721ad854452a97f7e2f16f6c43cc

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.51</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

3.01.25.1

%original file name%.exe_816_rwx_10004000_00001000:

callback%d

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):

%original file name%.exe:2940
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\md5dll.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1974.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1891.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\LCLogo.bmp (2784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1802.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[6].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1973.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[8].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1956.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (471 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\914.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\p[1].gif (43 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\3.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Banner.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1914.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[1].htm (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Fusion.dll (31413 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\find[1].htm (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1965.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1488.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[9].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[8].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\fUtil.dll (8523 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1747.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\fuser.dll (3696 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1804.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\921.txt (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrA106.tmp (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[6].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\System.dll (22 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1953.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\371.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1720.txt (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[3].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsb6EFB.tmp (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\915.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\pixel[1].htm (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\4.txt (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Image.bmp (2104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsrB3EC.tmp (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Tar9773.tmp (2712 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[4].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata4[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\decline.ico (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1975.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\49WEGXZA.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Image2.bmp (494 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[6].htm (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1838.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\eula3.rtf (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1543.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\postdata3[1].htm (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[9].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\BrowserSafer.ico (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\installer[5].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\accept.ico (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[2].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1533.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\Cab9772.tmp (53 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1957.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\ipb[1].htm (45 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[1].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1763.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\2.txt (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\installer[7].htm (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\6BADA8974A10C4BD62CC921D13E43B18_2BD85C712A72CD147177B036ACBEE38C (1640 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\33.txt (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\Dialogs.dll (1118 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\23.txt (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsq6EBB.tmp\1803.txt (3 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Permalink

Back to the blog

e-mail

Google+

Twitter

Facebook

Trojan.NSIS.StartPage_767d37ebbf

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet

Trojan.NSIS.StartPage_767d37ebbf

E-mail

Our best antivirus yet!

Fresh new look. Faster scanning. Better protection.

Discover the new adaware antivirus 12

Our best antivirus yet