Gen.Variant.Application.Bundler.49_d47f08b688 – Adaware

Dynamic Analysis

Payload

Behaviour	Description
EmailWorm	Worm can send e-mails.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1412
%original file name%.exe:476

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:

ShimCacheMutexZonesCounterMutexZonesCacheCounterMutexZonesLockedCacheCounterMutex_!MSFTHISTORY!_c:!documents and settings!adm!local settings!temporary internet files!content.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!history!history.ie5!WininetStartupMutexWininetConnectionMutexWininetProxyRegistryMutexRasPbFile

File activity

The process %original file name%.exe:476 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\recommendedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\dd.css (4 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\android-close-icon.png (359 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\randomApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\view-icon.png (655 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\app-icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\getnowupdater_v1.0.1.9g_26[1].7z (1854871 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\Button_Yellow.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\about.html (25 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\diskfull_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Gui.dll (42168 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Quick.dll (20863 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\general_offer_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\css\main.css (5 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\dd_arrow.gif (204 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\designer\qquickwidget.dll (17 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\script.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\logo.png (7 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5WebKit.dll (148191 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\android_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\memfull_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\diskFull.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\favicon.ico (8 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qjpeg.dll (3081 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\linesBorder.png (28 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\title-bg.gif (154 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\diskfull_notifications.js (539 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\jquery-2.1.1.min.js (84 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\appUpdateV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\appUpdateV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\appUpdate.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\RU.png (113 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\desktop_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\download_notifications.html (841 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qicns.dll (27 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\androidUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\msvcp100.dll (4053 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\untrustedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5OpenGL.dll (3459 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\notificationBGV3.png (6 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\icuuc52.dll (8917 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\magnifier.png (788 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlodbc.dll (1226 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\ES.png (410 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\diskFull.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\bearer\qnativewifibearer.dll (1858 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdaterRecovery\recovery\GNUBootstrapper_Recovery.exe (11647 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\mobile-icon.png (426 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\androidUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\close-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\adb.exe (7769 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\designer\qdeclarativeview.dll (16 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\notification_warning.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qsvg.dll (15 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\memoryRamV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qmng.dll (2816 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\desktop_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\download_notifications.js (256 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qgif.dll (21 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\jquery-ui.js (1745 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\cpufull_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\msvcr100.dll (3459 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlpsql.dll (251 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\diskFullV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\diskFullV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\generic_icon.png (887 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlite.dll (8611 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\select-arrow.png (214 bytes)
%Documents and Settings%\%current user%\Application Data\__TMPZipFolder\getnowupdater_v1.0.1.9g_26.7z (802289 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\designer\qaxwidget.dll (3548 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\memoryRamV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\diskfull_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5WebKitWidgets.dll (2714 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\untrustedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Network.dll (9329 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\IT.png (123 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\diskFull.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\style.css (24 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\recommendedAppV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\notificationBG.png (10 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\androidUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\appUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\mainScripts.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\closeGrey.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qml1tooling\qmldbg_inspector.dll (785 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qmltooling\qmldbg_qtquick2.dll (1221 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow.html (10 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\reload-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\DE.png (117 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\AdbWinApi.dll (84 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\mediaservice\dsengine.dll (42 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\untrustedAppV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\settings-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5MultimediaWidgets.dll (589 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\uninstall_offer_notifications.js (546 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\FR.png (123 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\RO.png (127 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\recommendedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\untrustedApp.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\appUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\workingSlow.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\store.html (12 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\memfull_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\untrustedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow_offer_notifications.js (543 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\GetNowUpdater.exe (53300 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\android-app-icon.png (5 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\desktop_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\memoryRam.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\filenotfound.html (452 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\icuin52.dll (13544 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\workingSlow.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\getnowupdater\inst\Bootstrapper\GetNowUpdaterUninstall.exe (8657 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\recommendedApp.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\recommendedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\cpufull_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlmysql.dll (1319 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\closeV3.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5PrintSupport.dll (3607 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qml1tooling\qmldbg_tcp_qtdeclarative.dll (437 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\general_offer_notifications.js (544 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\platforms\qminimal.dll (25 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\uninstall_offer_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\randomApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\newstyles.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\bearer\qgenericbearer.dll (1711 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\workingSlow.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Widgets.dll (35758 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\jquery-1.10.2.min.js (93 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\jquery-ui.css (35 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\update-icon.png (502 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\feedback.html (10 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\memoryRam.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\minimize-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\PT.png (605 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\cpufull_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Qml.dll (19674 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\ranch-icon.png (401 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\android_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow_offer_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\recommendedAppV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\workingSlow.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notifScripts.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\memoryRam.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\EN.png (156 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\memfull_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow_offer_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qjp2.dll (4815 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Multimedia.dll (8145 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qmltooling\qmldbg_tcp.dll (23 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Core.dll (32493 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\uninstall_offer_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qdds.dll (927 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\untrustedAppV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\dbghelp.dll (11475 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\info-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\about-icon.png (994 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Sensors.dll (2962 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\android_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\modernizr.js (15 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\randomApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\diskFull.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\AdbWinUsbApi.dll (613 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Concurrent.dll (780 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\iconengines\qsvgicon.dll (26 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\Button_Green.png (612 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\general_offer_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\Button_Red.png (598 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\driver\readme.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\download_notifications.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Sql.dll (2157 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\workingSlowV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\memoryRam.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Positioning.dll (3446 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\icudt52.dll (214722 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\updater.html (12 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\platforms\qoffscreen.dll (3461 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\closeW.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\jquery.dd.min.js (20 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\script.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\appUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\workingSlowV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qico.dll (1755 bytes)

Registry activity

The process %original file name%.exe:1412 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 D6 8E AA 59 89 D6 13 CB FF C1 49 F0 2F A1 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\c:]
"%original file name%.exe" = "GetNowUpdater Installer"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The process %original file name%.exe:476 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"GlobalUserOffline" = "0"

[HKCU\Software\GetNowUpdater]
"AppInstanceUid" = "91B7FBA7-5912-4770-9D21-B07F52EB6320"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\GetNowUpdater]
"TrackInstall" = "eyJhZGRzaG9ydGN1dHMiOm51bGwsImFwcGluc3RhbmNldWlkIjpudWxsLCJicm93c2VydG9zZXRvbiI6bnVsbCwiY29uZmJyb3dzZXIiOm51bGwsImNvbmZpcm11cmwiOm51bGwsImNvdW50cnkiOm51bGwsImV4dGVuc2lvbmlkIjpudWxsLCJob21lcGFnZSI6bnVsbCwiaWNvbiI6bnVsbCwibGFuZ3VhZ2UiOm51bGwsImxheW91dGlkIjpudWxsLCJwcm9kdWN0bmFtZSI6IkdldE5vd1VwZGF0ZXIiLCJyZWZpZCI6IjEiLCJzZWFyY2giOm51bGwsInNlYXJjaGluZGV4IjpudWxsLCJzZXRkZWZhdWx0YnJvd3NlciI6bnVsbCwic2V0dXBuYW1lIjoiR2V0Tm93VXBkYXRlciIsInNpbGVudCI6bnVsbCwic2xvdCI6bnVsbCwidG9vbGJhciI6bnVsbCwidXJsaW50ZXJmYWNlIjpudWxsLCJ1c2VyZGVmYXVsdGJyb3dzZXIiOm51bGwsIndvcmtmbG93aWQiOiIwIn0K"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "32 0E EF CB D5 43 54 11 99 CA 46 9E 28 57 82 5A"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GetNowDownload" = "%Documents and Settings%\%current user%\Local Settings\Application Data\getnowupdater\inst\Bootstrapper\GetNowUpdaterUninstall.exe /INSTALL /WAIT /IF=5"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1412
%original file name%.exe:476
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\recommendedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\dd.css (4 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\android-close-icon.png (359 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\randomApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\view-icon.png (655 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\app-icon.png (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\getnowupdater_v1.0.1.9g_26[1].7z (1854871 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\Button_Yellow.png (784 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\about.html (25 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\diskfull_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Gui.dll (42168 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Quick.dll (20863 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\general_offer_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\css\main.css (5 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\dd_arrow.gif (204 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\designer\qquickwidget.dll (17 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\script.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\logo.png (7 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5WebKit.dll (148191 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\android_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\memfull_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\diskFull.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\favicon.ico (8 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qjpeg.dll (3081 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\linesBorder.png (28 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\title-bg.gif (154 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\diskfull_notifications.js (539 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\jquery-2.1.1.min.js (84 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\appUpdateV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\appUpdateV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\appUpdate.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\RU.png (113 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\desktop_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\download_notifications.html (841 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qicns.dll (27 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\androidUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\msvcp100.dll (4053 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\untrustedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5OpenGL.dll (3459 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\notificationBGV3.png (6 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\icuuc52.dll (8917 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\magnifier.png (788 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlodbc.dll (1226 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\ES.png (410 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\diskFull.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\bearer\qnativewifibearer.dll (1858 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdaterRecovery\recovery\GNUBootstrapper_Recovery.exe (11647 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\mobile-icon.png (426 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\androidUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\close-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\adb.exe (7769 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\designer\qdeclarativeview.dll (16 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\notification_warning.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qsvg.dll (15 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\memoryRamV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qmng.dll (2816 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\desktop_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\download_notifications.js (256 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qgif.dll (21 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\jquery-ui.js (1745 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\cpufull_notifications.js (538 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\msvcr100.dll (3459 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlpsql.dll (251 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\diskFullV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\diskFullV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\generic_icon.png (887 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlite.dll (8611 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\select-arrow.png (214 bytes)
%Documents and Settings%\%current user%\Application Data\__TMPZipFolder\getnowupdater_v1.0.1.9g_26.7z (802289 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\designer\qaxwidget.dll (3548 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\memoryRamV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\diskfull_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5WebKitWidgets.dll (2714 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\untrustedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Network.dll (9329 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\IT.png (123 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\diskFull.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\style.css (24 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\recommendedAppV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\notificationBG.png (10 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\androidUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\appUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\mainScripts.js (9 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\closeGrey.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qml1tooling\qmldbg_inspector.dll (785 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qmltooling\qmldbg_qtquick2.dll (1221 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow.html (10 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\reload-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\DE.png (117 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\AdbWinApi.dll (84 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\mediaservice\dsengine.dll (42 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\untrustedAppV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\settings-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5MultimediaWidgets.dll (589 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\uninstall_offer_notifications.js (546 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\FR.png (123 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\RO.png (127 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\recommendedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\untrustedApp.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\appUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\workingSlow.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\store.html (12 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\memfull_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\untrustedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow_offer_notifications.js (543 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\GetNowUpdater.exe (53300 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\android-app-icon.png (5 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\desktop_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\memoryRam.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\filenotfound.html (452 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\icuin52.dll (13544 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\workingSlow.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\getnowupdater\inst\Bootstrapper\GetNowUpdaterUninstall.exe (8657 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\recommendedApp.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\recommendedApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\cpufull_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\sqldrivers\qsqlmysql.dll (1319 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\closeV3.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5PrintSupport.dll (3607 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qml1tooling\qmldbg_tcp_qtdeclarative.dll (437 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\general_offer_notifications.js (544 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\platforms\qminimal.dll (25 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\uninstall_offer_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\randomApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\newstyles.css (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\bearer\qgenericbearer.dll (1711 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\workingSlow.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Widgets.dll (35758 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\jquery-1.10.2.min.js (93 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\jquery-ui.css (35 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\update-icon.png (502 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\feedback.html (10 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\memoryRam.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\minimize-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\PT.png (605 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\cpufull_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Qml.dll (19674 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\ranch-icon.png (401 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\android_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow_offer_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\recommendedAppV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\workingSlow.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notifScripts.js (8 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_0\memoryRam.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\EN.png (156 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\memfull_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\getnow_offer_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qjp2.dll (4815 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Multimedia.dll (8145 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\qmltooling\qmldbg_tcp.dll (23 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Core.dll (32493 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\uninstall_offer_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qdds.dll (927 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\untrustedAppV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\dbghelp.dll (11475 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\info-icon.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\about-icon.png (994 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Sensors.dll (2962 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\android_notifications.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\modernizr.js (15 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_1\randomApp.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\diskFull.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\AdbWinUsbApi.dll (613 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Concurrent.dll (780 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\iconengines\qsvgicon.dll (26 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\Button_Green.png (612 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\general_offer_notifications.css (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\img\Button_Red.png (598 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\adbF\driver\readme.txt (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\download_notifications.css (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Sql.dll (2157 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\workingSlowV3.png (3 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\memoryRam.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\Qt5Positioning.dll (3446 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\bin\icudt52.dll (214722 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\updater.html (12 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\platforms\qoffscreen.dll (3461 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\closeW.png (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\jquery.dd.min.js (20 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\js\script.js (2 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\skin_2\appUpdate.html (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\html_res\notif_system\images\workingSlowV2.png (1 bytes)
%Documents and Settings%\%current user%\Application Data\GetNowUpdater\plugins\imageformats\qico.dll (1755 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"GetNowDownload" = "%Documents and Settings%\%current user%\Local Settings\Application Data\getnowupdater\inst\Bootstrapper\GetNowUpdaterUninstall.exe /INSTALL /WAIT /IF=5"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name: LiveSoft Action
Product Name: GetNowUpdater Installer
Product Version: 9.26.1.1
Legal Copyright: (c) Live Soft Action. All rights reserved.
Legal Trademarks:
Original Filename: GNUBootstrapper.exe
Internal Name: GNUBootstrapper.exe
File Version: 9.26.1.1
File Description: GetNowUpdater Installer
Comments:
Language: English (United States)

Company Name: LiveSoft ActionProduct Name: GetNowUpdater InstallerProduct Version: 9.26.1.1Legal Copyright: (c) Live Soft Action. All rights reserved.Legal Trademarks: Original Filename: GNUBootstrapper.exeInternal Name: GNUBootstrapper.exeFile Version: 9.26.1.1File Description: GetNowUpdater InstallerComments: Language: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	1069622	1070080	4.83745	4e5a746ef59d026cba632b0fcb61b08b
.rdata	1077248	204070	204288	3.95453	da1ac2f3f1d392f731f864bfc6611c33
.data	1282048	43808	17408	3.16002	41a7700df8826c22a8ad6b9bdb507362
.rsrc	1327104	25528	25600	3.86268	89b5a27abf09ba114469aadf3f9ba444
.reloc	1355776	83486	83968	3.41496	d694b24962638708283a8b87c0465944

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://s3-1.amazonaws.com/Appscion-repository/GetNowUpdater_builds/getnowupdater_v1.0.1.9g_26.7z
hxxp://s3.amazonaws.com/Appscion-repository/GetNowUpdater_builds/getnowupdater_v1.0.1.9g_26.7z	54.231.9.80

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /Appscion-repository/GetNowUpdater_builds/getnowupdater_v1.0.1.9g_26.7z HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s3.amazonaws.com

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: JJWFrzuFxApAWBUbh4zPLnOEiJq11dODR5bPcR8 6KCny92MaiVOABYNZmzJW1/9i3xH1DkbXtM=

x-amz-request-id: 5E60C9F06CCE8264

Date: Tue, 07 Jul 2015 10:22:21 GMT

Cache-Control: Public

Last-Modified: Tue, 30 Jun 2015 14:51:04 GMT

ETag: "eaef717d7325de4fa4659aa55b276901"

Accept-Ranges: bytes

Content-Type: application/octet-stream

Content-Length: 21246705

Server: AmazonS3

7z..'....;U..2D.....&............#.D./.&......).;....E...j.D........V.......W...8.......|3..:..4=....n$.i..:es0.....k.n6na.../..jD..d..b..^.7..o.)...s........w..}(.:.....} .y...m.....G...q.~*....d.".0....7kg.6....Q.[....0.]......=I;......Kb.fq.,....O...?.V.Z.i.n..w...........*h..;.L..^....t5s.........y...1.5.i.N.l...t....S.... ..|....Q.Ho..t.|.....F.......n....[{...C...j.OO...<...$.w...o......6...'...3..A.Gt.......3..#.fwI*.CL........78.1...L5.wA ..-..1...z.G...u...c.8Z?....?.D.S....Z.m.L.....WF(Z.......>\G:";.Y..Vy.V...x....=*..z!....=H...N.r..@!......W......e..6..Q...a.mH.<>o..S.......:..@.}....H..1.2..&..%.*...,9......K...N.?VcZ...PFAg._t/.LN.._.`.... /:X|YBF......~.....H.Dw.a6}.T^0......:-....1`...b.......}d.E<....n....oY{l..X.*..2....f<...s.WZNZ.v[.v...k......u:..{.y...`..$.*b..{.W..9..w...... ..a...=(.K.\p..........u..5...Tz.X....s=..O.r...d...h..u......{.....M1....,..... .P..J.....X@g.'I'a.#..Kn.....Y^.S..bR..H !.{W.h.7.N....2....x%."G.6]r$....1'.. .7.s.O...b...).gS....Fb..XQ.....Nl[W....MK.-...%}.,.....V2..^Hw....^.21.C..NQ.2.a.C}c.;.......}...B........@....k.%%4..Dg........HQiK...I..)>n..h....?.y]F...N....\.k.G.*..\$v..U.. ...w.E..}.x:.~r.p........pj6......k...hh....o....r=..x.....s....UE... ..z.!..'Q{\e]....2.`'..4..QbV..........,i..%/.D......X..k&.....xF........[...1.,5M..._.;...$..... .{}......h....wkf5>b./S.n...U..~.....X..SW..3.4.e.....5)$.~<..u ..H@'.i..i..u......Bw.~e..... Qc,.2..)..........@.h.D{..T`..[.n.)..J..|.....*..... .u....3....O..z....).C..x....t.9.n..i.A)M@.,

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_476:

.text

`.rdata

@.data

.rsrc

@.reloc

[57.CE

w).ZY

D$ j.Xf

j.Yf;

_tcPVj@

.PjRW

K.BA@An

SSSSh

$WVSSh0EQ

t.Kt&Kt

t9Kt.Kt#Kt

.SG7.`:Le

t%F;s

.hUm}wvb

|$ ^;|$@

w=O?

I(j.Zf9

-H.IBk

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

?#%X.y

GetProcessWindowStation

operator

12:44:39

%d %d %d %d %.5f

%f %f %d %d

%f %d %f

%d %f %f

%d %f %d %f

%f %f %f

%d %d

L ]nqm"pKq_d%3#d^\%pba5trL( bq5~5dQd&p%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"pK$kqLTqnnd/d^\#d(]$~)a0usm(~*h%j%e)tr46und/d^\#d'innqmelKahd& %h^d/d^\#d(iplpLlsKiko'meq`(ko%dQd* 2~)0)}bTN|rl/trP'sMT5sMPL}b3/hnd#dcK/d^]Rd^\#d'i2ubp%j%e_lqT`oL jo`T]m^d/d^\#d(]$~)a0usm(~*h%j%e}qpPeo(iplp4hsLiaqaqlsLqnoaK%g^\#d^e`}N 1}bT$u`u2}bm(~%dQd(0poq]|nq]boK4`mqe d%3#d^\%m)T5tMq'ms$KurP6|rT1d& %mq$ad%3#d^\%oNqK~cqKpba5trK%j%ep}s]ousmL~`u,}bp%g^\#d^el~)T*~)q6~5dQd&h3d%3#d^\%pLm]oq]"lKTjm`(pnpTjd& % MT5|Mu/}N ,u^4$})m"}Ne"}*q/}^34d%\#"n3#dc/#d^\%lMT'undQd'i]sKiim^d/d^\#d'i0u`4,})p%j%e~d(0p}s]ousmL~`u,}bq s^d%g^\#d^eltse$}rqKuse6d& %d%3#d^\%lLeeq`(_lp3%jÃ“d%3#d^\%p'qmqp(nmqT]m`Leo%dQd(mnqpp%g^\#d^eoq`aipaT_oKP`nqmeoKO%j%eN}Ne.u)42 M('gba1uaT2~(T1 r4/g_`%d^]Tg^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"m'(hmnd/d^\#d(m$~) ( `u,}bqltsm d& %rLm0~ai( cq3m)(/uqK%g^\#d^e_p'(pnpi]o^dQd&\%g^\#d^eoq`aipaT_oKP`nqmeoKO%j%eN}Ne.u)42 M('gba1uaT2~(T1 r4/g_`%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"lKL`d%3#d^\%lML'ob(1undQd(3%rK(jpLm]o`4boK4`mqe sa4%|rP~sa0ar`qbnp4ao'aimqL~d%d/d^\#d(]$~)a0usm(~*h%jÃ’qpPeo(iplp4hlpmid%3#d^\%lLeeq`(_lp3%jÃ“d%3#d^\%p'qmqp(nmqT]m`Leo%dQd'u]oaiad%\#"n3#dc/#d^\%lMT'undQd'i]sL ]nqm"pKq_d%3#d^\%pba5trL( bq5~5dQd&d3d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e$ubd1us$(d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e}mq$am'(hmpP]opq d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#dc/#d^\%lMT'undQd'i]sK0eo`4"paeklKqop5d/d^\#d(]$~)a0usm(~*h%j%e}p'q_oLuap((ar`q d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#dc/#d^\%lMT'undQd'i]sKiim^d/d^\#d'i0u`4,})p%j%eptsi.|M(/}^d/d^\#d(]$~)a0usm(~*h%jÃ’m%\2m''#s^eeopacmpP]opp#us`#rKqtmpueo`qjlpLasq3%d%3#d^\%lLeeq`(_lp3%jÃ“d%3#d^\%oKPhrp(bsKa`op(jd& %qaeqmnd/d^\#d'(co'TnmndQd(mnqpp%d^]Tg^\#!5\#d^e_}Mm(d& %lKa"lKL`d%3#d^\%lML'ob(1undQd(m$~M0.|r4/d%3#d^\%pba5trL( bq5~5dQd%Tbd^Tbnn]~d'(ilp ao'aimn](~n]$ubd1us$(s^d%g^\#d^e_p'(pnpi]o^dQd&\%g^\#d^eko'4unpu"lpminpO%j%epp(qad%3#d^\%np joLead& %qaeqmnd#dcK/d^]Rd^\#d'i2ubp%j%enmp "m`qhsK0arnd/d^\#d(e(uL]$ b#%jÃnKiqsa4ooKupqKanmq4~or(&~)T6}MuKsa4s|rP'}N 6sa4_ se5urPKq)q5~M(2}(4~qrP,}*iKtr4/sa4cusmj}N q~bm$ bq5d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#dc/#d^\%lMT'undQd(eamLT`mp4"nKqud%3#d^\%p)q*pbaK|^dQd'$glLq~saikm(mslqeasa4]~c]6tM(2}(q3ubaKusd%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#d^\#d^]Rd^\#d'i2ubp%j%enmp "m`qhsK0arnd/d^\#d(e(uL]$ b#%jÃnKiqsa4ooKupqKanmq4~rL]noKmqlLmjlpLasnd/d^\#d'innqmelKahd& %h^d#dcK/d^\#d^\#dc/#d^\%lMT'undQd(eamLT`mp4"q'ahd%3#d^\%p)q*pbaK|^dQd'$glLq~saikm(mslqeasa4i|ri5}Ni2u*m~sa ,})m2 Ni~s`iL~*e(}*mruse6|rT1sa4n rO%g^\#d^ertr4LundQd' ( `P2 Lq3ubaKusd%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %p'qcsKmaoaTrlp3%g^\#d^enur ltsm d& %n`0_qq4~pKTbqa ]p'q~s`L,tNe2~MT) a4~qM(1ubTN~L4~lNq5~)q1 au(~*i,}MP~saeL}%d/d^\#d(u$}cq(d& %mMqKo)TNp)q&}Nu(~*'%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"qaeamnd/d^\#d(m$~) ( `u,}bqltsm d& %rK(jpLm]o`4boK4`mqe d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#dc/#d^\%lMT'undQd'uorqi"m`qhsLmnmpp%g^\#d^eptse*usmb|r4(pbaK|^dQd(0qo'(jpLm]o`4boK4`mqe d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#d^\#!5\#d^e_}Mm(d& %m(iupLT`mp4"qaeamnd/d^\#d(m$~) ( `u,}bqltsm d& %rLealKTrmqeum'Thm`qnsnd/d^\#d'innqmelKahd& %h^d#dcK#sn3#d(e(tMTMusePd&,}d^\#!5\#d^e_}Mm(d& %lKa"qKaeqaTomph%g^\#d^eltse$}rqKuse6d& %h6\3d%3#d^\%lLeeq`(_lp3%jÃ“d%3#d^\%np joLead& %qaeqmnd#dcK/d^]Rd^\#d'i2ubp%j%e_p'q]q`q"p'qcsK0arqTem(TboK4`mqd%g^\#d^eb rP& b(2}%dQd'PkqaTar`(oq^d/d^\#d'u2}bm(~%dQd(3%rK(jpLm]o`4boK4`mqe s^d%g^\#d^enur ltsm d& %n`0_qq4~pKTbqa ]p'q~s`L,tNe2~MT) a4~qM(1ubTN~L4~lNq5~)q1 au(~*i,}MP~saeL}%d/d^\#d(e(uL]$ b$"o)a0undQd' ( `P2 Lq3ubaKusd%g^\#d^enur ltsm sLmP~bp%j%enmp "pL %g^\#d^enur ltsm sKm$ b`%j%e~d(0eo(iplp4hm'Thm`qnsq4~t)(1sa4}mq$am'(hmpP]opq s^d#gNi,}bq1 aT6 ba5 cq3d%3#d^\%oNqK~cqKpba5trK%j%enmpi"nMqPlNe(tsm(u^d/d^\#d'innqmelKahd& %h^d#dcK/d^]Rd^\#d'i2ubp%j%enmpi"q`qoqaTfpKTjd%3#d^\%qba5uMqKm)(/uq]$ b#%j%e cm3j%S2~6h1trL$!)T1ts 6g)i2}nT]~c]6tM(2}%L5us]2~M(K}NePgK ( `P2 Lq3ubaKuse"~)q&}Nu(~*'2~)q&usu(~*(e})u2g),6}MO%g^\#d^ek sm3 smltse$}ndQd(ealLTb|r4(lru)uriKurl%g^\#d^e_p'(pnpi]o^dQd&\%d^]Tg^\#!5\#d^e_}Mm(d& %p'q_sLiao'm"mquao(l%g^\#d^ee}*]L a]$~)a0d& %rLealLTb|r4(lru)uriKurm d%3#d^\%nrP3 smnur~%j%e}p'q_sK0(!pi5uraKurm d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n] "lXXd^eq})(1~Nm$}b3%j(/#d^]Rd^\#d'i2ubp%jÃ«pL(osKmaoaTbnp4ad%3#d^\%qba5uMqKm)(/uq]$ b#%j%d(m`qonLmkp`uko`map%q~sa0lp'T`qpipo'aimqK1}bP.d%3#d^\%lLeeq`(_lp3%jÃ“d%\#"n3#dc/#d^\%lMT'undQd'i]s|P[Zz1hDLF^B&$V|Gn*1aW*f-`|%h[YhfAr=`ghl{gT8: 0>Zk 4F'sqMMZj]~s56PQJwSBQnx'|&J$i)gf1kn?t2hxjuwp,BF!}IO|c6vaMm%^3H)ktDa;JV9*grz9H>.cH1BZ7*Vby-oq=S#kpTfEF%`E,wi(

12:44:58

1.2.3

12:45:03

12:45:07

12:45:12

12:45:27

12:45:30

12:45:32

12:45:37

Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.2; WOW64; Trident/6.0)

9.26.1.1

12:45:43

12:45:46

12:45:55

12:46:19

12:46:30

00000000-0000-0000-0000-000000000000

12:46:32

12:46:41

12:46:58

12:47:22

12:47:31

12:47:40

12:47:43

12:47:46

12:48:04

12:49:29

12:48:07

Windows 2000

Windows XP

Windows Server 2003

Windows Server 2003 R2

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8

Windows Server 2012

Windows 8.1

Windows Server 2012 R2

Windows 10

12:48:17

12:48:33

12:48:37

12:48:52

12:49:00

12:49:03

12:49:12

G6B:I:GH{:I%GD8:HH(=JI9DLC%6U=o,

6HM'SSO.ODM!

acgtcPcqnmlqcUglFrrnPcX#h

gJcpfngYkpJvvrEnqu.BO

aWinHttpWriteDatU

gjcTcpqgmlGldmUEcrD0Ep

SKTWRFYNTS9MWJFI3Y8JY.MD48

R>I.RBOV3FOQK

(%uw^"svdw&"

AC"CA8=6"42DA8CHr4B2A8?C>A#>"42DA8CHr4B2A8?C>A&q>=E4azIX%C

ODM*DX$W61DF.Zw

gS#*!%Qs"&y#uS ~%u)%

.AME7'ET5SER

$%r*~q}uwu%x

*~.nZ'%%x&{c!&|k'XO]y

1q'

12:49:18

12:49:20

12:41:45

12:41:53

12:41:38

12:43:36

Unsupported Windows version

12:41:47

12:41:51

12:41:48

12:41:32

12:41:42

12:42:31

12:42:06

12:41:54

12:41:41

12:41:39

12:43:10

12:44:34

Unsupported archive type

12:43:37

12:43:44

12:41:50

12:41:52

12:41:35

12:41:18

12:40:04

12:43:59

12:44:30

12:41:58

12:43:20

12:42:18

12:42:16

12:43:58

12:43:54

12:42:25

12:43:56

12:43:23

12:40:28

12:43:05

12:43:08

12:44:01

12:44:00

12:42:56

12:43:35

Unsupported Method

CRC Failed in encrypted file. Wrong password?

Data Error in encrypted file. Wrong password?

12:43:42

Can not open encrypted archive. Wrong password?

is not supported archive

12:43:29

12:43:25

update operations are not supported for this archive

12:39:51

12:43:46

RAM %s

MB, # %s =

12:43:39

12:40:10

12:43:18

12:44:29

12:44:12

12:42:38

12:42:10

12:40:48

12:41:07

12:40:59

12:41:15

12:41:26

12:43:51

12:42:50

12:42:47

12:42:43

12:43:22

12:40:11

12:42:58

12:39:56

12:43:07

12:43:28

12:43:33

12:42:33

12:42:57

12:42:21

12:39:47

12:39:59

12:39:46

12:39:55

12:39:45

12:42:36

12:39:57

12:42:34

12:40:15

12:39:58

12:42:05

12:40:07

12:40:25

12:44:24

12:44:21

12:40:45

12:41:29

12:42:00

12:40:51

lzma 7z ace arc arj bz bz2 deb lzo lzx gz pak rpm sit tgz tbz tbz2 tgz cab ha lha lzh rar zoo zip jar ear war msi 3gp avi mov mpeg mpg mpe wmv aac ape fla flac la mp3 m4a mp4 ofr ogg pac ra rm rka shn swa tta wv wma wav swf chm hxi hxs gif jpeg jpg jp2 png tiff bmp ico psd psp awg ps eps cgm dxf svg vrml wmf emf ai md cad dwg pps key sxi max 3ds iso bin nrg mdf img pdi tar cpio xpi vfd vhd vud vmc vsv vmdk dsk nvram vmem vmsd vmsn vmss vmtm inl inc idl acf asa h hpp hxx c cpp cxx rc java cs pas bas vb cls ctl frm dlg def f77 f f90 f95 asm sql manifest dep mak clw csproj vcproj sln dsp dsw class bat cmd xml xsd xsl xslt hxk hxc htm html xhtml xht mht mhtml htw asp aspx css cgi jsp shtml awk sed hta js php php3 php4 php5 phptml pl pm py pyo rb sh tcl vbs text txt tex ans asc srt reg ini doc docx mcw dot rtf hlp xls xlr xlt xlw ppt pdf sxc sxd sxi sxg sxw stc sti stw stm odt ott odg otg odp otp ods ots odf abw afp cwk lwp wpd wps wpt wrf wri abf afm bdf fon mgf otf pcf pfa snf ttf dbf mdb nsf ntf wdb db fdb gdb exe dll ocx vbx sfx sys tlb awx com obj lib out o so pdb pch idb ncb opt

12:41:01

12:41:21

12:43:14

12:40:23

12:40:14

12:42:24

12:42:11

12:41:57

12:40:50

12:42:12

12:41:24

12:41:27

12:42:03

12:42:09

12:42:14

12:40:57

USER32.dll

GetProcessHeap

KERNEL32.dll

RegCreateKeyW

RegOpenKeyExW

RegCloseKey

RegCreateKeyExW

RegDeleteKeyW

RegEnumKeyExW

RegOpenKeyW

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

GDI32.dll

GetCPInfo

PeekNamedPipe

GetWindowsDirectoryW

zcÃ

.?AVRegKey@@

.?AVCCmdLineParser@@

.?AVPipeClientServer@@

.?AUICryptoGetTextPassword@@

.?AUICryptoGetTextPassword2@@

!.G.HH"

25 ! 46768

/ !!! ! 44 !!

-, ,0($$'

#$$()* ,-#

GetNowUpdater Installer

6)616@6`6

2.2`243

2-2[2

9Â9[9

:!:(:/:6:

1&2F2e2x2

> >(>\>8?

8-9}:

3%3U3

4'5&656}6

0%0U0

4%5U5_5

8(8,8084888

5 5$5,5@5`5

1$1,181\1|1

=,=8=\=|=

mscoree.dll

- CRT not initialized

- Attempt to initialize the CRT more than once.

- floating point support not loaded

2.cmd

USER32.DLL

portuguese-brazilian

combase.dll

SOFTWARE\%s

HKEY_CURRENT_USER\SOFTWARE\

APPKEY

MYEXE

ÃžSKTOPFOLDER%

%s://%s/%s

%s\%s

__%d__%s

https

v1/log/%s?AppInstanceId=%s&Bagkey=%s&TargetUid=&EventType=%d&EventCode=%d&Properties=&Data=%s

logevent.getnow.com

Microsoft Windows NT %d.%d.%d %s

Mozilla/4.0 (compatible; MSIE 7.0; Trident/5.0;) IM CustomChannel;

dBAGKEY

/%s/json/RaiseInstallEventMethod/?callback=onRaiseInstallEvent&InstallFlags=%d&UserSettings=%d&BagKey=%s&AppInstanceId=%s&Version=%s&SessionCode=%d&Duration=%s&Slot=%d&OperatingSystem=%s&CDNCountryCode=%s&ErrorCode=%s&BrowserSettings=%d&DefaultBrowser=%s&MonetisationOption=%d&RefId=%s&ObjectUid=%s

/%s/json/RaiseInstallEventMethod/?callback=defaultRaiseInstall&InstallFlags=%d&UserSettings=%d&Bagkey=%s&AppInstanceId=%s&Version=%s&SessionCode=%d&Duration=%s&Slot=%d&OperatingSystem=%s&CDNCountryCode=%s&ErrorCode=%s&BrowserSettings=%d&DefaultBrowser=%s&MonetisationOption=%d&ClientType=%s&CommandLine=%s

installevent.getnow.com

installevent.iminent.com

logevent.iminent.com

%s%s%x

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

CA_CMD

ZZCMD_EXTRACT_DIR

REG_DEL_KEY

CREATE_REG_KEY_IF_FOLDER

CmdLine

ZipCmdParams

x|%s|%s|-o%s| %s

Operation

DAEA8F.);@6AIEQ &.tGDD7@F(7DE;A@y|}~.%!w&)r$v.~;52r,|

unknown:%d.%d.%d, cv:%s, pn: %s

Windows 10

Windows Vista

Windows Server 2008

Windows 7

Windows Server 2008 R2

Windows 8

Windows Server 2012

Windows 8.1

Windows Server 2012 R2

Web Server Edition

Windows Storage Server 2003

Windows Home Server

Windows XP Professional x64 Edition

Windows Server 2003,

Web Edition

Windows XP

Windows 2000

(build %d)

cmd.exe /c taskkill /f /fi "IMAGENAME eq %s" /fi "PID ne %d"

"%s" %s

%u.%u.%u.%u

crashdump.dmp

l.zip

7zCon.sfx

Mapi32.dll

7-Zip cannot load Mapi32.dll

kernel32.dll

c:\%original file name%.exe

GNUBootstrapper.exe

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps