not-a-virus:HEUR:AdWare.Win32.ConvertAd.heur (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5192c3af97a4752e8bd7c2909355edd7
SHA1: 2a8fb7da3f300d90d00c278c7377ca8be33757b7
SHA256: df21ff51aa51b0099c137bd10203e597731e0bb202e42b0ded41bd13cb698f08
SSDeep: 6144:hzfa0g0uidv3u5EFmTEZLq FvMNPKfFMlQ36:BduidvWOmCPF8k
Size: 524288 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: © 2014 ClientConnect Ltd.
Created at: 2009-12-06 00:50:35
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
nsq32.tmp:1260
nsq32.tmp:1468
nsh2B.tmp:1764
nsf21.tmp:1564
nsbF.tmp:140
%original file name%.exe:1216
nsi13.tmp:1968
nsh35.tmp:304
nsl1B.tmp:644
nsp5.tmp:412
nsv24.tmp:1488
nsv24.tmp:652
amisid.exe:944
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process nsh2B.tmp:1764 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (1568 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (26886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns30.tmp (9 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (991 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsExec.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns2F.tmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\CPUFeatures.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsProcess.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\UserInfo.dll (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns30.tmp (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\CPUFeatures.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsProcess.dll (0 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer (0 bytes)
The process nsf21.tmp:1564 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\Bundle_OperaRUnew[1].exe (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv24.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp\inetc.dll (20 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsg23.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp\inetc.dll (0 bytes)
The process nsbF.tmp:140 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn11.tmp (0 bytes)
The process %original file name%.exe:1216 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (7168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk8.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
The process nsi13.tmp:1968 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (8704 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd15.tmp (0 bytes)
The process nsh35.tmp:304 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd37.tmp (0 bytes)
The process nsp5.tmp:412 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (63926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf21.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA.tmp (12300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (105 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi13.tmp (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1B.tmp (224408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Yk7w7V[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\Cdn[1].exe (63926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbF.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\b7qlzd[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq32.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\cmmdWriter[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh35.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\xXCgbj[1] (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\7121923af824073a25b2b7e6ba0a6e0e[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (15 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh34.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf21.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk19.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1E.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp20.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi13.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspC.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbF.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse18.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq32.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx28.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq22.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa31.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy14.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (0 bytes)
The process nsv24.tmp:1488 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\checks.txt (544 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw26.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\checks.txt (0 bytes)
The process nsv24.tmp:652 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\nsisos.dll (5 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\post_reply.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\amisid.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh29.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\checks.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\registry.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\nsisos.dll (0 bytes)
Registry activity
The process nsq32.tmp:1260 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CA 79 2D 98 B0 85 FF 78 EA FA 13 11 49 FE C2 9A"
The process nsq32.tmp:1468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "17 7A 8E 22 E5 B8 45 29 5D 4C CA 7F E8 B5 66 C8"
The process nsh2B.tmp:1764 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DE DA 7F CE 93 DF 9E 8E 7D D1 36 7D B9 1B FD 0C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2A.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2A.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsu2E.tmp\nsProcess.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The Trojan deletes the following value(s) in system registry:
The Trojan disables automatic startup of the application by deleting the following autorun value:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ethminer"
The process nsf21.tmp:1564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "11 B8 AA EF C4 01 65 96 22 69 28 0E 9B 3D D2 04"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsbF.tmp:140 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3E B0 90 A5 00 DD E4 5F 41 E4 4B 34 EB 4A DF F2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\NlaSvc]
"CMPK" = "-imi-zxr-tot-mdh-wtp-cpm-opw-jot-agb"
The process %original file name%.exe:1216 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 C0 31 8B B2 29 15 65 F2 A8 4E FC 1C 73 93 1A"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsi13.tmp:1968 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C5 3E 3C 7C 7E B6 28 DC F9 80 EA 48 4F BD D4 1C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nsh35.tmp:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 4A 19 E3 D4 76 2F A6 E8 EE F5 76 22 8E 76 90"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process nsl1B.tmp:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsl1B\DEBUG]
"Trace Level" = ""
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Direct3D\MostRecentApplication]
"Name" = "nsl1B.tmp"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 B8 DE D3 A7 A5 86 F2 F5 EE 51 75 4F 5E 3A 25"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\nsl1B\DEBUG]
"Trace Level"
The process nsp5.tmp:412 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "66 C2 B2 0B BD 99 4C 15 F7 AC F2 73 57 FC 0F 65"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process nsv24.tmp:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 5D 37 B3 82 DB 59 1B 60 10 30 50 8D 76 4F 49"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\registry.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "M"
The process nsv24.tmp:652 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\registry.dll, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw27.tmp\, , \??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh2A.tmp\registry.dll,"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\InstallPath\Status]
"OperaRUnew" = "S"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "56 90 24 FC 89 1F 25 B5 85 F4 BC 51 B1 A0 4C 37"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\InternetTurbo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process amisid.exe:944 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
[HKCU\Software\InternetTurbo]
"UID" = "D6A6947B24975DB6AB9DE8B171C5FA6E"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "93 F8 FC DD C2 B6 0D 89 BF C8 39 CD 9B 25 BA 0C"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level" = ""
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\amisid\DEBUG]
"Trace Level"
Dropped PE files
MD5 | File path |
---|---|
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\Uninstall.exe |
3b9ed8ac39dc6bf314cd0dddb190656e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd16.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh2A.tmp\registry.dll |
5226bd9b96d7bf9c97d1ea97ba98b940 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh35.tmp |
1b20ddb246e1431a00a485f6e12ab506 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsp5.tmp |
f02155fa3e59a8fc48a74a236b2bb42e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nspB.tmp\inetc.dll |
f5fde761873b4b45c4d6ad9ce3f95442 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsq32.tmp |
c8fa1fa3b18a3433cc051fc1dc8e4382 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2E.tmp\nsProcess.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsu2E.tmp\registry.dll |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsv24.tmp |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw27.tmp\registry.dll |
3a729fcf9a3da7311a46e6eca2460308 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\cmmdWriter[1].exe |
c2f5fd7acdb061ce4e2adbdef360843a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\7121923af824073a25b2b7e6ba0a6e0e[1].exe |
3eff59fc48dd082035f2c09e2d45b0f8 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\Bundle_OperaRUnew[1].exe |
f5fde761873b4b45c4d6ad9ce3f95442 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\b7qlzd[1].exe |
2a5f246b97d00f77b78d15f72923839b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Validate[1].exe |
c9e8ed58ac86ef45228b4b7aa2cbf520 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Yk7w7V[1].exe |
cc192c10399a3fe91b80ee051a86c342 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\Cdn[1].exe |
5226bd9b96d7bf9c97d1ea97ba98b940 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\xXCgbj[1] |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
nsq32.tmp:1260
nsq32.tmp:1468
nsh2B.tmp:1764
nsf21.tmp:1564
nsbF.tmp:140
%original file name%.exe:1216
nsi13.tmp:1968
nsh35.tmp:304
nsl1B.tmp:644
nsp5.tmp:412
nsv24.tmp:1488
nsv24.tmp:652
amisid.exe:944
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\LICENSE.txt (1568 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\ethm.exe (26886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns30.tmp (9 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\clinfo.exe (991 bytes)
%Documents and Settings%\%current user%\Application Data\cpuminer\ethminer\start.cmd (303 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsExec.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\ns2F.tmp (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\CPUFeatures.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\nsProcess.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsu2E.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\Bundle_OperaRUnew[1].exe (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv24.tmp (8472 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv25.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk8.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf7.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp5.tmp (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj2.tmp (7168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd3.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse6.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst4.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd16.tmp (8704 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2B.tmp (63926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh34.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsf21.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk19.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsaA.tmp (12300 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB.tmp\inetc.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\vos[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp20.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (45 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1D.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk1A.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss12.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl33.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi13.tmp (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx36.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp1F.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv1C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsl1B.tmp (224408 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Yk7w7V[1].exe (12984 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy17.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\Uninstall.exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\Cdn[1].exe (63926 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbF.tmp (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspC.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\b7qlzd[1].exe (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\Validate[1].exe (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\ibf-cmi-1938953175.us-east-1.elb.amazonaws[1].htm (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq32.tmp (14960 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\7M8NPVEE\cmmdWriter[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx28.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh35.tmp (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsq22.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OYQ2RBR4\xXCgbj[1] (4152 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\7121923af824073a25b2b7e6ba0a6e0e[1].exe (3808 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nslE.tmp (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa31.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy14.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh10.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\A7S2YIDK\ibf-cmi-1938953175.us-east-1.elb.amazonaws[2].htm (60 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsqD.tmp (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw27.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\post_reply.htm (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\md5dll.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\amisid.exe (909 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\inetc.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\checks.txt (544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KZBSSVYX\thankyou[1].php (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh2A.tmp\nsisos.dll (5 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23462 | 23552 | 4.51398 | 9d64b6ac6eb1aa41e38f6cc8798b652e |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 3774424 | 1024 | 3.26654 | af685ae5a632e08acd6c90a62cdfc3bb |
.ndata | 3813376 | 1544192 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 5357568 | 1736 | 2048 | 2.02827 | ac13635e297440a66544fef02bec0bc6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 54
Network Activity
URLs
URL | IP |
---|---|
hxxp://ibf-cmi-1938953175.us-east-1.elb.amazonaws.com/ | |
hxxp://download-servers.com/SysInfo/Validate.exe | |
hxxp://download-servers.com/Generic/vos.php?ch=NOCHPC&rdsn=0&idn=1&sid=&isnw=2&civ=2&or=&pac=&guidv=2&vpname=&prdk=&tst= | |
hxxp://d2fpsq9kg43yka.cloudfront.net/cmmdWriter.exe | |
hxxp://download-servers.com/SysInfo/validator/timer.php | |
hxxp://y9807akgtzcrolb.nidetafzy.ru/Z2dpb21oeHRmbmp2c3VveGl7InNpZCI6IjYyNjIiLCJjb21wYW5pZXMiOnsiMTU1NCI6WzFdfSwic3ViX2lkIjoiMCIsInNpbGVudCI6IjEiLCJ2ZXIiOiIxIiwicm5kMCI6ImFhYTllMWJiMmVhMjc4ZjM1NmVmZDM3MjU1YmM1MDBhIn0 | |
hxxp://y9807akgtzcrolb.nidetafzy.ru/api | |
hxxp://d1mdi78qyff344.cloudfront.net/7121923af824073a25b2b7e6ba0a6e0e.exe | |
hxxp://cds.r5q6q4j7.hwcdn.net/OperaRUnew/Bundle_OperaRUnew.exe | |
hxxp://p-rumo00.kxcdn.com/Cdn.exe | |
hxxp://ils-front-balancer3-264552681.us-east-1.elb.amazonaws.com/thankyou.php | |
hxxp://download-servers.com/SysInfo/wthrcd.php | |
hxxp://download-servers.com/SysInfo/tem.php?sid=83837567483 | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
nsq32.tmp_1260:
.text
.rdata
.data
.reloc
Visual C CRT: Not enough memory to complete call to strerror.
Broken pipe
Inappropriate I/O control operation
Operation not permitted
portuguese-brazilian
operator
GetProcessWindowStation
USERENV.dll
KERNEL32.dll
ADVAPI32.dll
WinHttpCrackUrl
WINHTTP.dll
GetProcessHeap
GetCPInfo
mscoree.dll
KERNEL32.DLL
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
cmd_line
{84827536-2672-424B-9FFE-4E694EE174EC}
history.dat
hXXp://counter99.com/Generic/test_gen/agn.php
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsq32.tmp
nsh35.tmp_304:
.text
.rdata
.data
.ndata
.rsrc
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
%Program Files%
\System.dll
\nsExec.dll
\inetc.dll
$$\wininit.ini
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh35.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
nsh35.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd37.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh35.tmp
Nullsoft Install System v2.46