The downloader first tries to kill McAfee Antivirus, Nod Antivirus and Kaspersky Antivirus.
In order to disable McAfee, it searches for the service McService and stops it.
In order to disable Nod antivirus, it first checks whether an executable belonging to that product is running on the system. It does this by hashing the names of all running processes and comparing each hash against a specific, hard-coded hash. If it finds the executable, it writes the same XORed string to HKLM\Software\Eset\Nod\CurrentVersion\Modules\Amon\Settings\Config000\Settings\exc. After that it writes 3 to that value.
Once the registry changes are complete, it kills the Nod antivirus process.
In order to hide the windows that Kaspersky Antivirus displays when the executable tries to access the internet, it closes the windows Avp.ProductNotification and AVP.Dialog. It then searches the registry for the path of the Kaspersky Antivirus uninstaller and executes it.
With the antivirus products down, the trojan tries to access the internet. It first creates a svchost.exe process, injects into it and deletes the original file. From there it decrypts some URLs located in a file dropped by the original file, downloads the executables into the Temp directory and executes them.
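The behaviour above leaves host-level traces a defender can match on: the McService stop, the write to the ESET exclusion key, a svchost.exe spawned by something other than services.exe, and that svchost deleting its own dropper. The following is an added detection example, not code from the original report; the key=value telemetry format, the sample events and the path C:\Temp\dl.exe are constructed for illustration.

```python
# Constructed sample telemetry (hypothetical key=value lines loosely modelled on
# EDR/Sysmon service, registry, process and file events; not from the report).
SAMPLE_EVENTS = r"""
ts=10:00:01 event=ServiceStop service=McService by=C:\Temp\dl.exe
ts=10:00:02 event=RegSet key=HKLM\Software\Eset\Nod\CurrentVersion\Modules\Amon\Settings\Config000\Settings\exc by=C:\Temp\dl.exe
ts=10:00:03 event=ProcCreate pid=404 image=C:\Windows\System32\svchost.exe parent=C:\Temp\dl.exe
ts=10:00:04 event=FileDelete path=C:\Temp\dl.exe bypid=404
ts=10:00:05 event=ProcCreate pid=500 image=C:\Windows\System32\svchost.exe parent=C:\Windows\System32\services.exe
ts=10:00:06 event=FileDelete path=C:\Temp\report.tmp bypid=500
"""

# Indicators taken from the behaviour described in the report.
ESET_EXC_KEY = r"HKLM\Software\Eset\Nod\CurrentVersion\Modules\Amon\Settings\Config000\Settings\exc"
AV_SERVICES = {"mcservice"}
SERVICES_EXE = r"C:\Windows\System32\services.exe"  # the expected parent of svchost.exe


def parse_event(line):
    """Turn 'k=v k=v ...' into a dict; values in this constructed format hold no spaces."""
    return dict(token.split("=", 1) for token in line.split())


def analyze(raw_events):
    """Return (timestamp, rule, detail) tuples for every event matching an indicator."""
    alerts = []
    odd_svchost = {}  # pid -> image of the non-services.exe parent that spawned svchost
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        kind = ev["event"]
        if kind == "ServiceStop" and ev["service"].lower() in AV_SERVICES:
            alerts.append((ev["ts"], "av_service_stopped", f"{ev['service']} by {ev['by']}"))
        elif kind == "RegSet" and ev["key"].lower() == ESET_EXC_KEY.lower():
            alerts.append((ev["ts"], "eset_exclusion_written", ev["by"]))
        elif kind == "ProcCreate" and ev["image"].lower().endswith(r"\svchost.exe"):
            if ev["parent"].lower() != SERVICES_EXE.lower():
                odd_svchost[ev["pid"]] = ev["parent"]
                alerts.append((ev["ts"], "svchost_odd_parent", ev["parent"]))
        elif kind == "FileDelete":
            # The injected svchost.exe removing its own dropper's file is the
            # "deletes the original file" step described in the report.
            parent = odd_svchost.get(ev.get("bypid"))
            if parent and parent.lower() == ev["path"].lower():
                alerts.append((ev["ts"], "dropper_self_delete", ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert)
```

The two events from the legitimate svchost.exe (pid 500) produce no alert, so the self-delete rule only fires when the deleting process is one that was already flagged for an unusual parent.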
It tries to download files from the following location