PUP.Generic
Risk Level 1
File Size : 579408 KB
File Type : Portable Executable 32
File Name : shareware-de_Spintires_1.0.exe
MD5 : af8106e4ef02ecc42e149e2b14490478
SHA1 : 2672be3caf6a232eb4423e0c6ec804eda609dba2
SHA256 : e1424d782664a072791768e3533c6caecdebf3747e7d8748f7

General information:

* File name: C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe

Changes to registry :

* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\af8106e4ef02ecc42e149e2b14490478_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASAPI32
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASAPI32
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASAPI32
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASAPI32
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "FileTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASMANCS
* Creates value "ConsoleTracingMask=FFFF0000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASMANCS
* Creates value "MaxFileSize=00100000" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASMANCS
* Creates value "FileDirectory=%windir%\tracing" in key HKEY_LOCAL_MACHINE\software\microsoft\Tracing\cos_setup_RASMANCS
binary data=2500770069006E0064006900720025005C00740072006100630069006E0067000000
* Creates value "NukeOnDelete=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "UseGlobalSettings=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\CurrentVersion\Explorer\BitBucket
* Creates value "DontShowUI=00000001" in key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting
* Creates Registry key HKEY_LOCAL_MACHINE\software\microsoft\Windows\Windows Error Reporting\LocalDumps
* Modifies value "NukeOnDelete=00000001" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket\Volume\{c9d04f3b-1c7e-11e6-979c-806e6f6e6963}
old value empty
* Modifies value "SavedLegacySettings=[value removed]" in key HKEY_CURRENT_USER\software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections
old value "SavedLegacySettings=[value removed]"
* Creates value "(Default)=31" in key HKEY_CURRENT_USER\software\SandboxAutoExec
* Creates value "SandboxieRpcSs.exe=Sandboxie COM Services (RPC)" in key HKEY_CURRENT_USER\software\classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache\C:\Program Files\Sandboxie
binary data=530061006E00640062006F00780069006500200043004F004D002000530065007200760069006300650073002000280052005000430029000000

Changes to filesystem:

* Modifies file C:\Windows\system32\CatRoot2\edb.chk
* Modifies file (hidden) C:\Users\cognus\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
* Modifies file (hidden) C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
* Creates file C:\Users\cognus\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\YYDMVD30\spintires-icon-546ac4be44d75[1].png
* Creates file C:\Users\cognus\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc\cos_setup.exe
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1BB09BEEC155258835C193A7AA85AA5B_3F063C218B2B5BA5549765751C207C25
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0060A9F9287878B15AB61E0E47645E5
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\1BB09BEEC155258835C193A7AA85AA5B_3F063C218B2B5BA5549765751C207C25
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3B6E683A7A45CC59BF035C9BA8C7AB9D
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\696F3DE637E6DE85B458996D49D759AD
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7396C420A8E1BC1DA97F1AF0D10BAD21
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8A574ED5927B3CEC9626151D220C7448
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B8CC409ACDBF2A2FE04C56F2875B1FD6
* Modifies file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CC42971B7939A9CA55C44CFC893D7C1D
* Creates file C:\Users\cognus\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0060A9F9287878B15AB61E0E47645E5

Network services:

* Looks for an Internet connection.
* Queries DNS "clients4.google.com".
* Queries DNS "dlg-configs.buzzrin.de".
* Queries DNS "dlg-messages.buzzrin.de".
* Queries DNS "az687722.vo.msecnd.net".
* Queries DNS "www.shareware.de".
* Queries DNS "ocsp.comodoca.com".
* Queries DNS "crl.comodoca.com".
* Queries DNS "crl.usertrust.com".
* Queries DNS "crl.microsoft.com".
* Queries DNS "pki.google.com".
* Queries DNS "safebrowsing.google.com".
* Queries DNS "safebrowsing-cache.google.com".
* Queries DNS "d3j30ujq5cgnz5.cloudfront.net".
* Queries DNS "d3d5rryrijbudj.cloudfront.net".
* Queries DNS "d3pa4xcf10sh05.cloudfront.net".
* Queries DNS "d1139uuzpj6eq0.cloudfront.net".
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "104.41.149.192" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "104.40.188.185" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "68.232.45.201" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "78.47.247.6" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "78.47.247.6" on port 443 (TCP - HTTPS).
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "178.255.83.1" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "104.16.91.188" on port 80 (TCP - HTTP).
* C:\Program Files\Sandboxie\SandboxieCrypto.exe Connects to "178.255.83.2" on port 80 (TCP - HTTP).
* C:\Program Files\Sandboxie\SandboxieCrypto.exe Connects to "23.211.135.10" on port 80 (TCP - HTTP).
* C:\Program Files\Sandboxie\SandboxieCrypto.exe Connects to "216.58.199.174" on port 80 (TCP - HTTP).
* C:\Users\cognus\Desktop\Analyzed Viruses\6 June 2016\New folder\Sample\af8106e4ef02ecc42e149e2b14490478.exe Connects to "54.230.175.10" on port 80 (TCP - HTTP).
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc\cos_setup.exe Connects to "52.85.245.56" on port 80 (TCP - HTTP).
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc\cos_setup.exe Connects to "52.85.245.57" on port 80 (TCP - HTTP).
* C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc\cos_setup.exe Connects to "52.85.245.183" on port 80 (TCP - HTTP).
* Downloads file from "google.com/".
* Downloads file from "dlg-configs.buzzrin.de /config-from-production".
* Downloads file from "dlg-messages.buzzrin.de /1/dg/3/error".
* Downloads file from "dlg-messages.buzzrin.de /1/dg/3".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/shareware-de-flow-5-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/last.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/yessearches-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/progress.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/base.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/pcspeedup-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/opera-single-text-en-us.zip".
* Downloads file from "az687722.vo.msecnd.net/public-source/downloadguide/shareware-de/1.0/default/campaigns/product+website/ui/my-pc-backup-single-text-en-us.zip".
* Downloads file from "www.shareware.de/images/software_icon_large/spintires-icon-546ac4be44d75.png".
* Downloads file from "crl.comodoca.com/COMODORSADomainValidationSecureServerCA.crl".
* Downloads file from "ocsp.comodoca.com/MFIwUDBOMEwwSjAJBgUrDgMCGgUABBR64T7ooMQqLLQoy%2BemBUYZQOKh6QQUkK9qOpRaC9iQ6hJWc99DtDoo2ucCEQDKfgk4eFlnv9iV6q4yK2qS".
* Downloads file from "d3j30ujq5cgnz5.cloudfront.net/main/cos_setup.exe".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/gzi4nvrb?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/u2z5hyl2?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.1".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.1".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.start.010".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.start.010".
* Downloads file from "d3pa4xcf10sh05.cloudfront.net /i4/22".
* Downloads file from "d1139uuzpj6eq0.cloudfront.net/r6/22_4c47b1a5000031b75208dcf163ffc9fd/1.n.7z".
* Downloads file from "yahoo.com/setting.doc".
* Downloads file from "www.yahoo.com/setting.doc".
* Downloads file from "crl.usertrust.com/AddTrustExternalCARoot.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/microsoftrootcert.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl".
* Downloads file from "pki.google.com/GIAG2.crl".
* Downloads file from "crl.microsoft.com/pki/crl/products/WinPCA.crl".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2".
* Downloads file from "d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2".
* Uses POST methods in HTTP.
* Opens next URLs:
HtTp://d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,
HtTp://d3d5rryrijbudj.cloudfront.net/gzi4nvrb?uid=B3A57DB7115B1E428081695633F67282&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,
HtTp://d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,
HtTp://d3d5rryrijbudj.cloudfront.net/u2z5hyl2?uid=262929407_198339_B84975D2&update0=version,201606061059&update1=sys,Windows.7.Professional&update4=ref,cos&update5=mode,&update6=sys0,Windows&update7=sys1,7&update8=sys2,Professional&update9=sys3,&update10=sys4,
HtTp://d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2
HtTp://d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.prestart4.448fbbb8135cfae740b9d9d720815259.2
HtTp://d3d5rryrijbudj.cloudfront.net/q5t17hcl?uid=B3A57DB7115B1E428081695633F67282&a=visit.dl.winmain.start.010
HtTp://d3d5rryrijbudj.cloudfront.net/q26tzhy6?uid=262929407_198339_B84975D2&a=visit.dl.winmain.start.010

Process/window/string information:

* Gets user name information.
* Gets input locale identifiers.
* Gets volume information.
* Decrypts data.
* Checks for debuggers.
* Anti-Malware Analyzer routine: Disk information query.
* Creates a mutex "DlgCpp".
* Opens a service named "rasman".
* Opens a service named "Sens".
* Creates a mutex "IESQMMUTEX_0_208".
* Creates a mutex "Local\!IETld!Mutex".
* Creates a mutex "Local\!PrivacIE!SharedMemory!Mutex".
* Opens a service named "WSearch".
* Opens a service named "AudioSrv".
* Creates a mutex "Local\MidiMapper_modLongMessage_RefCnt".
* Injects code into process "C:\Program Files\Sandboxie\SandboxieCrypto.exe".
* Opens a service named "WinHttpAutoProxySvc".
* Starts a service.
* Opens a service named "CryptSvc".
* Creates process "C:\Users\cognus\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc\cos_setup.exe, "C:\Users\cognus\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc\cos_setup.exe" /c=cos /i=22 /s, C:\Users\cognus\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc".
* Injects code into process "C:\Sandbox\cognus\DefaultBox\user\current\AppData\Local\Temp\DLG\exe\618609b78ddc2f9ad06b5b204799c1fc\cos_setup.exe".
* Writes directly to disk.
* Sleeps 27000 seconds.

Additional Information:

How to remove shareware-de_Spintires_1.0.exe

1. Download Sniper Antivirus.
2. Install the exe file on your system.
3. Run a full scan of your computer, or of the folder where shareware-de_Spintires_1.0.exe is located.
4. Once the scan is finished, you'll get the message "scan is complete". Click the OK button to get the results.
5. Then delete the threat from the table.
