Installer.Win32.InnoSetup.2_89a77d5cff – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Installer creates the following process(es):

89a77d5cfff2583a2ae15184f87c21a1.tmp:1688
89a77d5cfff2583a2ae15184f87c21a1.tmp:1956
%original file name%.exe:1792

The Installer injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process 89a77d5cfff2583a2ae15184f87c21a1.tmp:1956 makes changes in the file system.

The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-7PQ9C.tmp\89a77d5cfff2583a2ae15184f87c21a1.tmp (54 bytes)

The process %original file name%.exe:1792 makes changes in the file system.

The Installer creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\is-DKDQP.tmp\89a77d5cfff2583a2ae15184f87c21a1.tmp (85 bytes)

Registry activity

The process 89a77d5cfff2583a2ae15184f87c21a1.tmp:1688 makes changes in the system registry.

The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "45 91 39 30 75 9C BE E5 3A 07 08 1C AB 3A 64 F9"

The process 89a77d5cfff2583a2ae15184f87c21a1.tmp:1956 makes changes in the system registry.

The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "28 A6 44 A4 7F E8 21 07 42 9E B4 39 D2 D3 0E 28"

The process %original file name%.exe:1792 makes changes in the system registry.

The Installer creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E4 6B D7 4C CF 33 85 45 88 C1 12 5E 75 DC 4D 0B"

Dropped PE files

MD5	File path
f78940628eb76ab6e654c19ee33f2f89	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\is1738232922\6C7EB1DE_stp.DAT

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
89a77d5cfff2583a2ae15184f87c21a1.tmp:1688
89a77d5cfff2583a2ae15184f87c21a1.tmp:1956
%original file name%.exe:1792
Delete the original Installer file.
Delete or disinfect the following files created/modified by the Installer:
%Documents and Settings%\%current user%\Local Settings\Temp\is-7PQ9C.tmp\89a77d5cfff2583a2ae15184f87c21a1.tmp (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-DKDQP.tmp\89a77d5cfff2583a2ae15184f87c21a1.tmp (85 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.5
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments: This installation was built with Inno Setup.
Language: Language Neutral

Company Name: Product Name: Product Version: 1.5 Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: File Description: Comments: This installation was built with Inno Setup.Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
CODE	4096	37732	37888	4.63786	bd2164094c09ca1891dd0a8be7e89508
DATA	45056	588	1024	1.8986	d5ea23d4ecf110fd2591314cbaa84278
BSS	49152	3720	0	0	d41d8cd98f00b204e9800998ecf8427e
.idata	53248	2384	2560	3.07115	bb5485bf968b970e5ea81292af2acdba
.tls	57344	8	0	0	d41d8cd98f00b204e9800998ecf8427e
.rdata	61440	24	512	0.14174	9ba824905bf9c7922b6fc87a38b74366
.reloc	65536	2228	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	69632	38228	38400	2.21635	946d1f63257f436c83fa682e5550b9e3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 14
4694a924f7445dbd501d856006060cc3
6b7327fa6162b1d617d0840e49307178
efd05eb55a49f9e734032cd1276ea538
f6a9712c15478578d313a889377402a9
f45523b35b23ac7b95ef4d8df6a52b05
c71d916e35be637e6f406efb32ee5ee4
b6eb5b4a8697c449bc468f67963f85f9
2c3671066918b2f51eb2b3dffc70344f
888c4feaab4e6b1ff3806594596d4f82
a4ca44923723653c2c17cdb9b11a8879
2d2f6d1f4117b1db01df3332ec863d39
926ea01e39746bc2ba1f0259dc399838
9b9254926a2eb776a4da6f50588d96a7
f13362bdd6f8d048b88d08761774a4b8

Network Activity

URLs

URL	IP
hxxp://rp.holipiheh.com/?pcrc=1196996250&v=2.0	176.34.251.10
hxxp://info.holipiheh.com/?v=1.02&c=4fb13fa6&at=1738232922&cntr=0	176.34.130.130
hxxp://rp.holipiheh.com/?pcrc=866590918&v=2.0	176.34.251.10
hxxp://os.holipiheh.com/FileHippo/?v=5.0&c=1528865781	52.31.134.147
hxxp://filehippo.com/download/file/f11a7ca119ea15ae9b82179394df822a4d8134da9a2696efc72f4281fc724946/
hxxp://filehippocache.lmgmedialtd.netdna-cdn.com/img/ex/108__vlc.png
hxxp://vip0x08b.ssl.hwcdn.net/9b27e3a87a8d4816aa88d6be934266b9/vlc-2.1.5-win32.exe?ttl=1462497114&token=09412570c9c5457bda50c6c5f17d3105
hxxp://os2.holipiheh.com/FileHippo/?v=5.0&c=1528865781	54.93.97.68
hxxp://dl1.filehippo.com/9b27e3a87a8d4816aa88d6be934266b9/vlc-2.1.5-win32.exe?ttl=1462497114&token=09412570c9c5457bda50c6c5f17d3105	205.185.208.139
hxxp://cache.filehippo.com/img/ex/108__vlc.png	108.161.189.5

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /9b27e3a87a8d4816aa88d6be934266b9/vlc-2.1.5-win32.exe?ttl=1462497114&token=09412570c9c5457bda50c6c5f17d3105 HTTP/1.1

Range: bytes=0-24743105

Accept: */*

Host: dl1.filehippo.com

User-Agent: download_manager

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Date: Thu, 05 May 2016 21:11:51 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1460597987"

Cache-Control: max-age=86400

Content-Length: 24743106

Content-Range: bytes 0-24743105/24743106

Content-Type: application/octet-stream

X-HW: 1462482712.dop010.fr7.t,1462482711.cds029.fr7.c

Last-Modified: Thu, 14 Apr 2016 01:39:47 GMT

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...#..O.....................P......'C............@........................................... ......................................0...a...........................................................................................................text...D........................... .0`.data...............................@.0..rdata...#.......$..................@.0@.bss..................................0..idata..............................@.0..ndata..............................@.0..rsrc....a...0...b..................@.0.................................................................................................................................................................................................................................................................................................................................................................................U..WVS.......U..E....t...F.........{B..H...H.......M..E..5H{B..D$...$....B..M..E.....SS...E...$.D$... .B..M..E......M.WW......M.)..M..NT....NP........E.....}...VT........FP..E........}..VP........U.......FT.............}..........E..M...$..|.B..E..R...D$..E..D$...$....B.....<$....B..E..Q.}.;}...Q....~X........F4..$....B...W..........$.E......E......D$.........B.RR.FX..$.D$.....B..5..B.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$..{B.....B...|.......T$...$..QQ.<$....B.S.M..E..D$...$....B.PP1....D

<<< skipped >>>

GET /img/ex/108__vlc.png HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cache.filehippo.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Thu, 05 May 2016 21:11:52 GMT

Content-Type: image/png

Content-Length: 1245

Connection: keep-alive

x-amz-id-2: bEPxrIQjuW2p6lWf/Tw4iNxJo8NH0j 2BcHRbKtErdRqeQ p8m4p2 iwthW4/mPgVY9uT44CUNY=

x-amz-request-id: A396A68EF138ACC4

x-amz-version-id: lh.EMCtW6svAscxjjkHNu9.j4voCgoAa

Expires: Sat, 04 Jun 2016 21:11:52 GMT

Cache-Control: max-age=2592000

Last-Modified: Tue, 08 Apr 2014 12:01:32 GMT

ETag: "544e323e54f3baf821cb7d9c276578c5"

Server: NetDNA-cache/2.2

X-Cache: HIT

Accept-Ranges: bytes

.PNG........IHDR... ... .............sBIT.....O.....IDATx....oTU............Nwh.I.0.....`.D.|........O>..j.....`..S.PB..&...2]...,.....>......!..x.....`.@....W...z|..g~..b.Mj...o..._...o~.....$.....2w...8.\X.7i.:..)&.. .....#..F..-.8 ..r.o.1.8..........f..(8J..|}.}...FRJ..z.U..M...".u....Rnsc...0nMh#.oa...6....B.!.a.a........mc...]..c...KF.Z.p4..v.....*.l..XT........R_..E.....7\^.i..$..W.......}._.<p....@...e...;...M..$..=4(Q..d?O(c\.....9....F.4.P%..] T....%E.=......{...a.N.....b....\..D..yCNu..~fb\..:.....HQ...n.4.......1.v..P.U....(*..Y.....bwL..|...X.C=..J.......;._.. w...^...D.Qw......].=..j......]...QZ(.xH......J.oG..|.fD.~.J.g.P..&...xW....B.k...I......HI.P<`.Q...A.q.m.....u\....( Z..(. ..S..B5..,G.q@..,...F..m..<RZzb.....|...Vw.E....t..&...0 .qp".....@..y... U.X0.|2?....E.=..|.\%..k...kj\....M..@.;|.?...(.b.M6.. ....".1....=..G..?../...6.R...&cU..N...QH..J...)-U.t.j.....g/}v....H...N.....o...7.Jm...f(.....F...e....p%......Z.br*...3..^..Q.j.!....im.....eY.}..C......hOHm...(..E.. ....E.E.IOuf.......m...K..K.1.t.;.1MSQ.......;..-^L.bM...YE..5%....~............L&.J.......R..e...*.....{.O.3$..@......Sv6.....f..L...#..i/..J..X.4..M..4.......R.d..m....}}}....e%.IUU.... ...7.\......e.....eY.m...3c1EQ......h...Vl .....IEND.B`...

<<< skipped >>>

HEAD /9b27e3a87a8d4816aa88d6be934266b9/vlc-2.1.5-win32.exe?ttl=1462497114&token=09412570c9c5457bda50c6c5f17d3105 HTTP/1.1

Accept: */*

Host: dl1.filehippo.com

User-Agent: download_manager

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 May 2016 21:11:51 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1460597987"

Cache-Control: max-age=86400

Content-Length: 24743106

Content-Type: application/octet-stream

X-HW: 1462482712.dop015.fr7.t,1462482711.cds029.fr7.c

Last-Modified: Thu, 14 Apr 2016 01:39:47 GMT

POST /?v=1.02&c=4fb13fa6&at=1738232922&cntr=0 HTTP/1.1

Accept: */*

Host: info.holipiheh.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 172

Cache-Control: no-cache

6l7GU7LYt04pVHc/00d7Jk OPdt4A9XGXhOhdKo6W9lSbPks/cQ3fdsaVdhYvj3CGZDSnJQS3 EmYBVI6umWQKy/BlkwmlH/ 3ENbfFLVB1xoWfMl2qXKz2f3y FU7pbiaRqfteFuLpR5dhQW cikc zjcbKY01zOWsIU YSURE=

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Thu, 05 May 2016 21:11:51 GMT

Content-Length: 748

Connection: keep-alive

qkL62KPkRL1KuUEFlCuFHQcNW2EQy7S6/PE0jrAdO9i9flMwd4GxHwYRYwTTdfFWDKAPs3fNzkPLliSBwEFHMJiVjUUoZ0i09pC0bL2Po6wJbBoKAG29D9rWXMFrYPwt H 4cw2AGoSfdTQlYS/QIjlrmQmohYoqFmE07/Pd6SEL dyH1kxTGVZaRdtNOHwiCGaXH3neKa/sPmkTuRY39g7Oaxz0HBH4Q9sslk405bM6a MhqWeFrSworPx6z8lNVi4PHAy7uZk1Im3vbausnbVGMcva9k CJ8/rdycEqvq5dzi1poJ1Zrq67DO0LQPSI3yM3ZLqO/ZEbkpP3OgTW3ckXRmMI7gWoAv6nMPcAaqdpBy7ZeUY3BblOa Z XiixBVIsaEj9/Z2M/Jp4lE FFZTlKqy eTCO50Gt3YtLixBbVelLG9yWKD/ FZRHIvy7P4EFphAeETHUPXZiSlgyBXBNlzYdpLSOxwDfntC5tCSph0SD7J0qnYySBQCvdk9fDYyUJc1tbJfEHTtBjytp Ds3RMidhTpQjuR19cYTfyWTkkkz3w6m6n8SYHXl7I4i6Omj9C40N8wKAMTfnnyjeOa7apX3OC/aMc6oSVisO/F2EFk5H3k4K6p8UsXAME3Qocg0QHqgFbUt0Jqyjxuy5ojJrX8CBWfqqrgAKSdpOW XXUV/BPM/FixKLZ6OpY8A5DNJAeXdgmMhBgn8qZJCCdbCZGzXcryeZz2aK3JlLE=HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Thu, 05 May 2016 21:11:51 GMT..Content-Length: 748..Connection: keep-alive..qkL62KPkRL1KuUEFlCuFHQcNW2EQy7S6/PE0jrAdO9i9flMwd4GxHwYRYwTTdfFWDKAPs3fNzkPLliSBwEFHMJiVjUUoZ0i09pC0bL2Po6wJbBoKAG29D9rWXMFrYPwt H 4cw2AGoSfdTQlYS/QIjlrmQmohYoqFmE07/Pd6SEL dyH1kxTGVZaRdtNOHwiCGaXH3neKa/sPmkTuRY39g7Oaxz0HBH4Q9sslk405bM6a MhqWeFrSworPx6z8lNVi4PHAy7uZk1Im3vbausnbVGMcva9k CJ8/rdycEqvq5dzi1poJ1Zrq67DO0LQPSI3yM3ZLqO/ZEbkpP3OgTW3ckXRmMI7gWoAv6nMPcAaqdpBy7ZeUY3BblOa Z XiixBVIsaEj9/Z2M/Jp4lE FFZTlKqy eTCO50Gt3YtLixBbVelLG9yWKD/ FZRHIvy7P4EFphAeETHUPXZiSlgyBXBNlzYdpLSOxwDfntC5tCSph0SD7J0qnYySBQCvdk9fDYyUJc1tbJfEHTtBjytp Ds3RMidhTpQjuR19cYTfyWTkkkz3w6m6n8SYHXl7I4i6Omj9C40N8wKAMTfnnyjeOa7apX3OC/aMc6oSVisO/F2EFk5H3k4K6p8UsXAME3Qocg0QHqgFbUt0Jqy

<<< skipped >>>

POST /FileHippo/?v=5.0&c=1528865781 HTTP/1.1

Accept: */*

Host: os.holipiheh.com

User-Agent: ICAS

Content-Length: 1232

Cache-Control: no-cache

0A0Czu0F1L1I1P0H1L1E1E1FtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAtCyEzyyByCzztDtByDtN1L1B0A1Q1H1L1GzutCtN0T0KzuyEyCzytByCyDtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0U0I0D0N1P2WzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0M0G0U0I0DzuyByD1P1QzyyDyCyBtG1T1TyDzztGyE1Rzz1PtG1Tzz1P1TtGtA1R1T1QyB1RyEyB1T1StDtAtN0M0S0I0DzutCzzyEyEtBtAyByCtCyDtGtCzyyCtDyEtDzzzyyCtCtGtCzztDtCyCyByEyDtAtCtN0S0I0D0U0I0DzuyC0D0E0C0DyDtB0FyByE0DzyyByBzztCyC0ByCtAyD0FtBtA0Azz0AyCyB0AtByDtN0M0A0C1V0LzutDtDtD0CtBzyzz0Azz0BtAyBtOtA0AtCzytBtFtCyCzztFtCtCtFtCtAtCtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyCtDyDtDyCtDtDtCtCtAyEzytAyEtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzuyEyEtCtCzzyBtN1L1Q1B1RzutByCtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0Czzzy1TyByB1QyD1R1O1O1OtByDzztA1TtB1T1PtCyDtCzzyE1OzzyB1RtBtC1TtCtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutAtCtAtN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutBtDtCtCtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu2X1I1R1V1H1P1Q1L1T1V1E1I1T2U1P1C1VtAtBtG1S1L2Z

HTTP/1.1 404 Not Found

Content-Type: text/html

Date: Thu, 05 May 2016 21:11:52 GMT

Server: nginx

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Content-Type: text/html..Date: Thu, 05 May 2016 21:11:52 GMT..Server: nginx..Content-Length: 0..Connection: keep-alive......

POST /FileHippo/?v=5.0&c=1528865781 HTTP/1.1

Accept: */*

Host: os.holipiheh.com

User-Agent: ICAS

Content-Length: 1232

Cache-Control: no-cache

0A0Czu0F1L1I1P0H1L1E1E1FtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAtCyEzyyByCzztDtByDtN1L1B0A1Q1H1L1GzutCtN0T0KzuyEyCzytByCyDtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0U0I0D0N1P2WzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0M0G0U0I0DzuyByD1P1QzyyDyCyBtG1T1TyDzztGyE1Rzz1PtG1Tzz1P1TtGtA1R1T1QyB1RyEyB1T1StDtAtN0M0S0I0DzutCzzyEyEtBtAyByCtCyDtGtCzyyCtDyEtDzzzyyCtCtGtCzztDtCyCyByEyDtAtCtN0S0I0D0U0I0DzuyC0D0E0C0DyDtB0FyByE0DzyyByBzztCyC0ByCtAyD0FtBtA0Azz0AyCyB0AtByDtN0M0A0C1V0LzutDtDtD0CtBzyzz0Azz0BtAyBtOtA0AtCzytBtFtCyCzztFtCtCtFtCtAtCtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyCtDyDtDyCtDtDtCtCtAyEzytAyEtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzuyEyEtCtCzzyBtN1L1Q1B1RzutByCtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0Czzzy1TyByB1QyD1R1O1O1OtByDzztA1TtB1T1PtCyDtCzzyE1OzzyB1RtBtC1TtCtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutAtCtAtN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutBtDtCtCtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu2X1I1R1V1H1P1Q1L1T1V1E1I1T2U1P1C1VtAtBtG1S1L2Z

HTTP/1.1 404 Not Found

Content-Type: text/html

Date: Thu, 05 May 2016 21:11:54 GMT

Server: nginx

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Content-Type: text/html..Date: Thu, 05 May 2016 21:11:54 GMT..Server: nginx..Content-Length: 0..Connection: keep-alive..

POST /?pcrc=1196996250&v=2.0 HTTP/1.1

Accept: */*

Host: rp.holipiheh.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 816

Cache-Control: no-cache

...3E.Q)_l.y...K

ri.2......u....r....k.].W..-. .l.z.B..._vs....E.u3}...2t/ P...^.....vhLv!T.".....SC.[.G[.....".x..m..-....#lk...M...w.....".X....C....7*Qj..6..%.s..y....v.%}s.|.i.tm<*E..|..Rx../.;|...

n....Q.BQ........j...VJ.v...#.).....q.7........a.A.5`M.xQ.M.;.Eh.....=..e.>j.XY..k..y.[..y.......N7OZ(.9F=.0..L0.}.E<............l........M.{..%..5.......e..,".H.V.....d..X..d.X..l. ;.."P.........T.Z..`.h.....9n^.7.....iJ....U7d.iF:x......2..h.3O"e...[..@(....o.$.\3...f....'.......G.,x...

..e..O.<..=...Y.a.Xr..D0.29.BE,......'.f.l..ez.=......m.f...q.../G.......L.a.U.yQv...R....Q.(....i.P......L$\.n6......#........%.|....-.....b..~2x...&F7E.x..v..(..n

..y.md...[.....3.g...B"R.><...%./..U......-R.l!.\.X6........9.*..X.'.c..rb.%..v2...)X.`.n..QE...h..lD....07....T..;/.....rO.........,&E........(.

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 05 May 2016 21:11:50 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu, 05 May 2016 21:11:50 GMT..Server: TornadoServer/4.0.2..Content-Length: 4..Connection: keep-alive..DONE....

POST /?pcrc=866590918&v=2.0 HTTP/1.1

Accept: */*

Host: rp.holipiheh.com

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)

Content-Length: 1232

Cache-Control: no-cache

.I..~...$$.........D?.....2$^.....(.... l...e.[.C.

..kB.q.k..X.OG.M........1."....\.A...3_....P...?n...H.....2..p.^$"J..*#p...Y.......Xs.xt.....`..m.....mQ.......`......).k..k/ K..zsz<Z...'4!L.....gK..9C.d.4v.M...6?...l....I..S.$.v.........P.....!m.5...E.....

!.s9P:...g-.W.@.|......x...[.g.Q....*G.uRHn...yQ..X.......U....2... \.`.}.\..W.S..<..}?.pN..D..

.... k}...2.....}...].-....r..o!i..x.....i>A.....<.9.o......H.Z...I..Q[.f.g......R..D...fmXh$...@.,..V.......n.h8..A.sV..uW.&}....dg)P....X.4M....R.......C...z.A...2....../P......h...i..Y......T..M.y..q6Fp..oX~..h.......a.....\....d..m.I...(..zyU...?...l. K.4..........*.......W0....?L..!Z[.u...0..}...@..9..d.H]$.M.f.-Q..)..........385..{.Z7.=.'.A0....J.`Z.........,..t..*....]..2.J.I.?...G.883M..8..x..I.58 d.h.e.....<J.5_.....o1Z..x.E.......gd...u..g..b...)*a.....*......mt....YH.<...mq....Q.f...D9........R......B.N..... ...L....N2....vuT0/-.=..@...a7lQ @...U.. ..bEZ.&..o$.}~$...!.q..1H..j`.H..qv3.......$....y.U..W......k.h'e~......'

...E...."..].)...,B]K{9....v.x...s..o,~z...R@Wn..`.D..}.a.b..V^l.f.Cd.../I..*...|Oj......2..N.[.XV....`....p.4T........M..&...q..[..>A(.... .....&BP.

..=.`AoKx?..... ....up..1...g....r....._.,..t......NSej[)}.vW......%..,g

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Thu, 05 May 2016 21:11:51 GMT

Server: TornadoServer/4.0.2

Content-Length: 4

Connection: keep-alive

DONEHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Date: Thu, 05 May 2016 21:11:51 GMT..Server: TornadoServer/4.0.2..Content-Length: 4..Connection: keep-alive..DONE..

POST /FileHippo/?v=5.0&c=1528865781 HTTP/1.1

Accept: */*

Host: os2.holipiheh.com

User-Agent: ICAS

Content-Length: 1232

Cache-Control: no-cache

0A0Czu0F1L1I1P0H1L1E1E1FtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAtCyEzyyByCzztDtByDtN1L1B0A1Q1H1L1GzutCtN0T0KzuyEyCzytByCyDtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0U0I0D0N1P2WzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0M0G0U0I0DzuyByD1P1QzyyDyCyBtG1T1TyDzztGyE1Rzz1PtG1Tzz1P1TtGtA1R1T1QyB1RyEyB1T1StDtAtN0M0S0I0DzutCzzyEyEtBtAyByCtCyDtGtCzyyCtDyEtDzzzyyCtCtGtCzztDtCyCyByEyDtAtCtN0S0I0D0U0I0DzuyC0D0E0C0DyDtB0FyByE0DzyyByBzztCyC0ByCtAyD0FtBtA0Azz0AyCyB0AtByDtN0M0A0C1V0LzutDtDtD0CtBzyzz0Azz0BtAyBtOtA0AtCzytBtFtCyCzztFtCtCtFtCtAtCtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyCtDyDtDyCtDtDtCtCtAyEzytAyEtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzuyEyEtCtCzzyBtN1L1Q1B1RzutByCtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0Czzzy1TyByB1QyD1R1O1O1OtByDzztA1TtB1T1PtCyDtCzzyE1OzzyB1RtBtC1TtCtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutAtCtAtN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutBtDtCtCtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu2X1I1R1V1H1P1Q1L1T1V1E1I1T2U1P1C1VtAtBtG1S1L2Z

HTTP/1.1 404 Not Found

Content-Type: text/html

Date: Thu, 05 May 2016 21:11:53 GMT

Server: nginx

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Content-Type: text/html..Date: Thu, 05 May 2016 21:11:53 GMT..Server: nginx..Content-Length: 0..Connection: keep-alive......

POST /FileHippo/?v=5.0&c=1528865781 HTTP/1.1

Accept: */*

Host: os2.holipiheh.com

User-Agent: ICAS

Content-Length: 1232

Cache-Control: no-cache

0A0Czu0F1L1I1P0H1L1E1E1FtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0W0VzuyDtFtCtN0W0S0PzutAtN0O0S0L1T1G1Nzu1P1GtN0E2V1P0C1M1J0S2Y1HzutAtCyEzyyByCzztDtByDtN1L1B0A1Q1H1L1GzutCtN0T0KzuyEyCzytByCyDtN0U0I0DzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0U0I0D0N1P2WzutDtDtD0CtBzyzz0Azz0BtAyByB0AtByDtN0M0G0U0I0DzuyByD1P1QzyyDyCyBtG1T1TyDzztGyE1Rzz1PtG1Tzz1P1TtGtA1R1T1QyB1RyEyB1T1StDtAtN0M0S0I0DzutCzzyEyEtBtAyByCtCyDtGtCzyyCtDyEtDzzzyyCtCtGtCzztDtCyCyByEyDtAtCtN0S0I0D0U0I0DzuyC0D0E0C0DyDtB0FyByE0DzyyByBzztCyC0ByCtAyD0FtBtA0Azz0AyCyB0AtByDtN0M0A0C1V0LzutDtDtD0CtBzyzz0Azz0BtAyBtOtA0AtCzytBtFtCyCzztFtCtCtFtCtAtCtOtA0AyCtOtA0AtCtN0S0D0TzutBtDtCyCtDyDtDyCtDtDtCtCtAyEzytAyEtN0V0M0Czu0V0M0WtN1L1B0V0M0D1P1OzutCtN0P0E1V0M0O0D0Ezu0D0L0LtN1I1L2ZzuyEyEtCtCzzyBtN1L1Q1B1RzutByCtN0D0E0P1V0M0O0DzutBtN1L1B0A1Q1H1L1GzutCtN1L1B0U1T1R0O1GzutDtN1L1B0U1B1P1C0A1Q1H1L1GzutCtN0R0N1T1H1Pzu1RtOtA0AtOyD0Czzzy1TyByB1QyD1R1O1O1OtByDzztA1TtB1T1PtCyDtCzzyE1OzzyB1RtBtC1TtCtF1P2V1PtN0O0S0L1T1G1Nzu1P1GtN0O0S0V1P1CzuyDtFtCtN0O0S0S0P0V1P1CzutAtN0O0S2VyCyEzutDtN0P0P0Nzu1B1T1G1Q1S1F2V1V1B2X1RtF1P2V1PtN0M1P1H0P1M0AzutAtCtAtN0M1P1H0P1M0TzuyDtCtCtN0M1P1H0V1L1C0AzutBtDtCtCtN0M1P1H0V1L1C0TzutBtDyEyBtN0P0R0O0D0U0C0T1V0T0I0T0L0Ezu2X1I1R1V1H1P1Q1L1T1V1E1I1T2U1P1C1VtAtBtG1S1L2Z

HTTP/1.1 404 Not Found

Content-Type: text/html

Date: Thu, 05 May 2016 21:11:56 GMT

Server: nginx

Content-Length: 0

Connection: keep-alive

HTTP/1.1 404 Not Found..Content-Type: text/html..Date: Thu, 05 May 2016 21:11:56 GMT..Server: nginx..Content-Length: 0..Connection: keep-alive..

GET /9b27e3a87a8d4816aa88d6be934266b9/vlc-2.1.5-win32.exe?ttl=1462497114&token=09412570c9c5457bda50c6c5f17d3105 HTTP/1.1

Range: bytes=13004800-24743105

Accept: */*

Host: dl1.filehippo.com

User-Agent: download_manager

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Date: Thu, 05 May 2016 21:11:52 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1460597987"

Cache-Control: max-age=86400

Content-Length: 11738306

Content-Range: bytes 13004800-24743105/24743106

Content-Type: application/octet-stream

X-HW: 1462482713.dop012.fr7.t,1462482712.cds029.fr7.c

Last-Modified: Thu, 14 Apr 2016 01:39:47 GMT

..........b1{.8]..g ..1.1cs.9n...2Vt.v.....@.r..O..sht.z..P..6.K..}....l=.....z ..{B.*...#.Zc.Rg7?...#..Y.\v..n..O...U@.=./W'w...p...;...*[...&....Ik.E'..........T....^?.:.u.-*P..|e.2........E"$...'u........#....K]...`..2cF^rk.=.......Y.?....>G-d....)..H.."Bnow.nA.MB]../.7.....P.E...................... ..$..|.?......KY....m....6e5M....a%<..Z..!.\S...%s.J.<.kX...}Uyq..r..?.... FZ. f<.`..q~.........Y.G.1..L..........?.....4.%Q_;..e.8.N....R....F(.f...d5..^..Q*..... ......-.O.0.2...2i....#.y.Rs.-BK.....\..f.S..q<...Xi.m.|.h.6..W/P...#...,].b...~..............U~.,.<.0(K." !....~....7.$...esB...I..76.........*E......t....&%..W.......(.....cG..m..G}.hs3.*07.-._.%z.:Gh$...... .....y.!...l..Xw..u....Jj>......-(Th.L6.....S...............(..|;'|."..C.r...2..r&..)..6.\P.eH=#E.l..y.......;.|~...1...$.[.Cw..Q _..x..;b.I...\k.kk..z".....*...9....P^.xR..0T..$`...Ti..8b....U....D.Z...M...`M.h....{.b..#.'..t....H...%.."......~..1$v|.o ..C.y.y..I.HV..w...?..........$.l..zp.y.....r}......2....*G..A....K....?D.S...@.....'.r.e...43..'%I...K...`jS.G/..o.C .,rA.^...E.q...._.w..yw.....G.8.>4h .sD.d.`..<....=a..,.$1.b......T...x.....0be..yp...7r......../......7..I..l.....}~.j.A`..;.....q.@._...35p....z......|}o....#y..y.....,...g....B....jr.].3..&...K.7n!.I....26..1l._...1..Ny.j.W...Cq9.........bZ..%....._....kR...L|V.....^...M.0O...(...X^.. O.m....L....}......{.H.....z.. U@>.6R...Z....z"..4.....*...A.C.x...<K.._.].Fm.[.Q.OO!~3I..:,.pH.".&. ..V.43..K1.97.2.O..>(F.z.._..._.(. .>.DL.....Z.C.........

<<< skipped >>>

HEAD /download/file/f11a7ca119ea15ae9b82179394df822a4d8134da9a2696efc72f4281fc724946/ HTTP/1.1

Accept: */*

Host: filehippo.com

User-Agent: download_manager

Content-Length: 0

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Cache-Control: private

Content-Length: 0

Content-Type: text/html

Location: hXXp://dl1.filehippo.com/9b27e3a87a8d4816aa88d6be934266b9/vlc-2.1.5-win32.exe?ttl=1462497114&token=09412570c9c5457bda50c6c5f17d3105

Accept-Ranges: bytes

Date: Thu, 05 May 2016 21:11:52 GMT

Via: 1.1 varnish

Connection: keep-alive

X-Served-By: cache-fra1221-FRA

X-Cache: MISS

X-Cache-Hits: 0

x-debug-output: filehippo.com

HTTP/1.1 301 Moved Permanently..Cache-Control: private..Content-Length: 0..Content-Type: text/html..Location: hXXp://dl1.filehippo.com/9b27e3a87a8d4816aa88d6be934266b9/vlc-2.1.5-win32.exe?ttl=1462497114&token=09412570c9c5457bda50c6c5f17d3105..Accept-Ranges: bytes..Date: Thu, 05 May 2016 21:11:52 GMT..Via: 1.1 varnish..Connection: keep-alive..X-Served-By: cache-fra1221-FRA..X-Cache: MISS..X-Cache-Hits: 0..x-debug-output: filehippo.com..

Map

The Installer connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1792:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.0)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

89a77d5cfff2583a2ae15184f87c21a1.tmp_1956:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.0)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

89a77d5cfff2583a2ae15184f87c21a1.tmp_1688:

.idata

.rdata

P.reloc

P.rsrc

kernel32.dll

.DEFAULT\Control Panel\International

File I/O error %d

lzmadecompsmall: Compressed data is corrupted (%d)

lzmadecompsmall: %s

LzmaDecode failed (%d)

shell32.dll

/SL5="$%x,%d,%d,

Inno Setup Setup Data (5.5.0)

Inno Setup Messages (5.5.0)

user32.dll

oleaut32.dll

advapi32.dll

RegOpenKeyExA

RegCloseKey

GetWindowsDirectoryA

MsgWaitForMultipleObjects

ExitWindowsEx

comctl32.dll

name="JR.Inno.Setup"

version="1.0.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

!'%s' is not a valid integer value('%s' is not a valid floating point value

'%s' is not a valid date

'%s' is not a valid time!'%s' is not a valid date and time

I/O error %d

Integer overflow Invalid floating point operation

Invalid pointer operation

Invalid class typecast0Access violation at address %p. %s of address %p

Operation aborted%Exception %s in module %s at %p.

Application Error1Format '%s' invalid or incompatible with argument

No argument for format '%s'

Invalid variant operation"Variant method calls not supported

External exception %x

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps