not-a-virus:HEUR:AdWare.Win32.DealPly.gen (Kaspersky), Installer.Win32.InnoSetup.2.FD, Trojan.Win32.Sasfis.FD, BankerGeneric.YR (Lavasoft MAS)Behaviour: Banker, Trojan, Installer, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: cfbb641242fd16c0a4ece6125b83ae85
SHA1: ee9b5e66c61503aec6b4401e01c53230c5bf24ec
SHA256: 72d8101ffa579d6f5d46bbda075f920cf2242907e4d9195982226e94f98786f4
SSDeep: 24576:BxikB7ylZTkJbMG/YLsVnFFufh01punC8xW/P4ZfR6qx gn8jlxESlvcAb Hpp:BgkmoJbHYIVnFFAh8f8xI8J6zBBx1eA
Size: 1255944 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: Gatut
Created at: 1992-06-20 01:22:17
Analyzed on: Windows7 SP1 32-bit
Summary: Installer. An installation package.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Installer creates the following process(es):No processes have been created.The Installer injects its code into the following process(es):
%original file name%.exe:264
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process %original file name%.exe:264 makes changes in the file system.
The Installer creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bar7[1].png (1114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\CH_logo_new[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG_FS[1].jpg (15417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\css[1].css (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\KO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ID.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_tb.png (19 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Cazurazihiz[1].png (1301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\CS.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DA.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg2[1].jpg (6063 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\IE_logo_new[1].png (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AdobeFlash_32[1].png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EL.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp.CIS.part (723 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\BG[1].png (7834 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067C21.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\TR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logo_b[1].png (3614 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\truste[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logo[1].png (2793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\SV.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\FF_logo_new[1].png (845 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067B85.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FI.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ZH.locale (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_wi.png (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_V3-BG[1].jpg (4417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\run.vbs (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\osutils.vbs (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\bootstrap_8792.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp.CIS (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG[1].jpg (30738 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FS_BG[1].png (5283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Nininininon[1].png (90581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\IT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg1[1].jpg (39379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close.png (207 bytes)
The Installer deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067C21.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067B85.log (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\bootstrap_8792.html (0 bytes)
Registry activity
The process %original file name%.exe:264 makes changes in the system registry.
The Installer creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "708992537"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"ConsoleTracingMask" = "4294901760"
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"EnableConsoleTracing" = "0"
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASMANCS]
"FileTracingMask" = "4294901760"
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\cfbb641242fd16c0a4ece6125b83ae85_RASAPI32]
"MaxFileSize" = "1048576"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Installer deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
- Delete the original Installer file.
- Delete or disinfect the following files created/modified by the Installer:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\bar7[1].png (1114 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\CH_logo_new[1].png (922 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG_FS[1].jpg (15417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\css[1].css (186 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Resume_Button.png (718 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\KO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Color_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ID.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_tb.png (19 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button_Hover.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\JA.locale (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Cazurazihiz[1].png (1301 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Grey_Button.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\CS.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DA.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg2[1].jpg (6063 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\IE_logo_new[1].png (1302 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\AdobeFlash_32[1].png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\ProgressBar.png (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\checkbox.css (190 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EL.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ES.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\main.css (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp.CIS.part (723 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\BG[1].png (7834 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\button-bg.png (131 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067C21.log (16 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\TR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\logo_b[1].png (3614 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\truste[1].png (200 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\logo[1].png (2793 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\DE.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\SV.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\25FDO7QC\FF_logo_new[1].png (845 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FR.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Quick_Specs.png (221 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\00067B85.log (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\sponsored.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\NO.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\FI.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg2.png (978 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Icon_Generic.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Progress.png (104 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\ZH.locale (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\PL.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\default_wi.png (28 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\1_V3-BG[1].jpg (4417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Pause_Button.png (577 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\browse.css (337 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\run.vbs (147 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\button.css (417 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\in1CDA95C6\3C390442_stp\osutils.vbs (18 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\form.bmp.Mask (244 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\progress-bar.css (506 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\bootstrap_8792.html (156 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\ie6_main.css (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\EN.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close_Hover.png (207 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\RU.locale (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\css\sdk-ui\images\progress-bg-corner.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JYNOWECL\BG[1].jpg (30738 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\FS_BG[1].png (5283 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\csshover3.htc (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\BG.png (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\Nininininon[1].png (90581 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Loader.gif (10 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\locale\IT.locale (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\8D93UTC3\bg1[1].jpg (39379 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\inH4248373863\images\Close.png (207 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: Gatut
Product Name: Lac
Product Version: 3.7.9
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description: Lac Setup
Comments: This installation was built with Inno Setup.
Language: German (Germany)
Company Name: Gatut Product Name: Lac Product Version: 3.7.9 Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Lac Setup Comments: This installation was built with Inno Setup.Language: German (Germany)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| CODE | 4096 | 40240 | 40448 | 4.59279 | cd69ad1ce8f5c40699b55e1a9b23e828 |
| DATA | 45056 | 592 | 1024 | 1.90942 | beee52f18301950f82460d9ffe5aec7e |
| BSS | 49152 | 3728 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .idata | 53248 | 2384 | 2560 | 3.07115 | bb5485bf968b970e5ea81292af2acdba |
| .tls | 57344 | 8 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rdata | 61440 | 24 | 512 | 0.14174 | 9ba824905bf9c7922b6fc87a38b74366 |
| .reloc | 65536 | 2244 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
| .rsrc | 69632 | 11264 | 11264 | 3.17321 | aaaed3c366d61391e53d1fafdb25f30f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 72
d5ff36f584b97bdcc49a6d362f380942
740a7d7dfc598cecc27db1d2e5debb6a
6aa59f6087ae640d5f313e326ece9552
8f5a53dee454fc6c92fa628c5e85ecd7
c93329add844a78d22d56c5659e45da0
e3385335b36211739484123c27f2267b
abfc5b122ff97d787f5da49fd5c7b329
ff535bf777204d1a1ba2a08d4a214765
7aebe85eacb1510193662bf5c1ee2bfd
eb306d047c53a3e403715de16ca6fb80
df91873c18e56e4bb64ffe51ee4494f5
aa103dcef46351a9081459f3a0744ec7
e0b9b584bc9f464a54f30bcf52cdbe89
0e43fb20b5c474c70b59ba4582163167
3f32ee503a7f5e3118e6a753a9484ecc
39c8fd353849f1a4c0dfd523b6d4a7db
3b78790b3b608e68be4de745fce1dfe7
168d977d0ad5ca3eede5edc261dcae3c
5253478b876893bed43d41e200e86b3c
52848e1e149ce89b1933f623e55c7c79
880b3720515f833b2caea0362a8e3ea6
c7edde7529e8061e06058a2dc15eb0ce
c1ee754f4c7375ceada6a8d69dbe7785
97043e8abc96316f5620281869f62802
7a8e31c4fae093319af45a1d57fb1792
81a5301ef480a7fea7490394bf924f4d
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://rp.conicono.com/ | 52.30.226.196 |
| hxxp://info.conicono.com/?ttulex=0 | 176.34.130.130 |
| hxxp://os.conicono.com/CoinisRevShare/ | 52.213.148.235 |
| hxxp://s3-1-w.amazonaws.com/icons/lps/images/icons/AdobeFlash_32.png | |
| hxxp://googleadapis.l.google.com/css?family=Open Sans | |
| hxxp://cdneu.conicono.com/ofr/Solululadul/osutils.cis | 95.211.184.67 |
| hxxp://img.conicono.com/img/Malaromoro/bg2.jpg | 50.115.122.45 |
| hxxp://cdnus.conicono.com/ofr/Solululadul/osutils.cis | 199.58.87.155 |
| hxxp://img.conicono.com/img/Malaromoro/bg1.jpg | 50.115.122.45 |
| hxxp://img.conicono.com/img/Tuburera/logo.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Tuburera/truste.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Tuburera/bar7.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Tuburera/logo_b.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Rewudaw/BG.jpg | 50.115.122.45 |
| hxxp://img.conicono.com/img/Rewudaw/BG_FS.jpg | 50.115.122.45 |
| hxxp://img.conicono.com/img/IE_logo_new.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/FF_logo_new.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/CH_logo_new.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Cazurazihiz/Cazurazihiz.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Nininininon/Nininininon.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Fividof/BG.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Fividof/FS_BG.png | 50.115.122.45 |
| hxxp://img.conicono.com/img/Xoxoxop/1_V3-BG.jpg | 50.115.122.45 |
| hxxp://fonts.googleapis.com/css?family=Open Sans | 172.217.20.170 |
| hxxp://instcoina38q6v9z2k.s3.amazonaws.com/icons/lps/images/icons/AdobeFlash_32.png | 54.231.114.138 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Installer connects to the servers at the folowing location(s):