Skip to main content

Adware.Win32.Downware_bcda08c86e


not-a-virus:HEUR:AdWare.NSIS.TornTV.gen (Kaspersky), Adware.Win32.Downware.FD, Trojan.NSIS.StartPage.FD, AdwareDownware.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: bcda08c86e7c5b521faeb642a952d8f3

SHA1: c5f7c6ce0687b84d12410f8ebd6a79f5a4374dbb

SHA256: a6c25a044c385418219fa2c52f0c73cfc483fcefd71f3effa2c28621b5dd409a

SSDeep: 3072:nQIURTXJ445 zjDaeHUlrHwktLCLDa10AsS6/KfyBj8eXqEdmF0RwBwbl1s97VbH:nsi1X2emDwZ3a1hsa65vXql0Nl8CT8

Size: 263112 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:50:46

Analyzed on: Windows7 SP1 32-bit

Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Adware creates the following process(es):No processes have been created.The Adware injects its code into the following process(es):

%original file name%.exe:1916

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1916 makes changes in the file system.


The Adware creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\decline.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\MainPackFA2703[1].htm (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept3.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFFD2.tmp (13125 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\inetc3.dll (812 bytes)

The Adware deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nssFFB2.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\gC0 (0 bytes)

Registry activity

The process %original file name%.exe:1916 makes changes in the system registry.


The Adware creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKCU\Software\1ClickDownload]
"LastInstall0" = "30556234"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
"WpadDecisionTime" = "30 43 12 12 4A 40 D2 01"

"WpadNetworkName" = "Network 2"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASAPI32]
"MaxFileSize" = "1048576"
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\1ClickDownload]
"UID" = "284555269"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\bcda08c86e7c5b521faeb642a952d8f3_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "30 43 12 12 4A 40 D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Adware deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5 File path
c17103ae9072a06da581dec998343fc1c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\System.dll
9d8ce05f532dc7b5742831ec8a63c2d8c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\inetc3.dll
c10e04dd4ad4277d5adc951bb331c777c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
  2. Delete the original Adware file.
  3. Delete or disinfect the following files created/modified by the Adware:

    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\decline.bmp (784 bytes)
    %Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\System.dll (23 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\anon.bmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\skip.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\MainPackFA2703[1].htm (544 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll (21 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\save.bmp (2 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept3.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept1.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\1clogo.bmp (4992 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsxFFD2.tmp (13125 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\accept2.bmp (784 bytes)
    C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\inetc3.dll (812 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409623130235524.448410bc2ffd32265a08d72b795b18265828d
.rdata28672449646083.59163f179218a059068529bdb4637ef5fa28e
.data3686411048810243.26405975304d6dd6c4a4f076b15511e2bbbc0
.ndata14745637273600d41d8cd98f00b204e9800998ecf8427e
.rsrc52019216592168964.138748091b1378d82973015f802c93eb88bab

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 228
69a0a458647b3436892cf9f2f126c252
33831038fbcae724b5cdab63795dc4a7
9b15fde0f0e8b023fbe6560e854f08cf
f833ae516506cffa9cb7d72837ed0bb9
ccb12d7dba1b2dab50e190025702d274
e6ae846017240d71394220885136a8e2
7e8fd872b0cbc660318d3c7c66f7c14e
73ea48cc30e24153ad65fb9109b085e8
490448e7ee049f03a1c8bac663fb38f0
424bbeb38cb1e9053b7dc8f407ce51c0
b10eab344b40ed9da9b6becc272765ab
a3d34f8727df8b032c7a7eff2ee6ad3a
c508f2a47840631aa7b008b674957003
d6bb4e899911be9bc3d76d10954fc4a1
0cceb43bf4bfbdc58f5a90bffb0d6012
28dcf471727a78755bf75fbe4f3e9521
0ed34b18c7bc8271e9eec2ee5837499a
1bbd5b7272e0348684edbbea962ee5f2
1561a9303536298eeaea4ab712749930
8494573d9cde8480e3342f57b3de1911
75098bd8427ac62d0d2935a1e9839d4c
c2f62500fc6c049cad54bfec31ab5d45
79296123cb3a983f2897ea58411de5e3
8ebc38cc84268e080308d72125e87f87
f221cfbb2bb8351b73de8c0cab165414

Network Activity

URLs

URL IP
hxxp://files.download1click.ws/MainPackFA2703.exe64.70.19.203
data.downloadstarter.net146.148.42.217

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /MainPackFA2703.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: files.download1click.ws

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.3

Date: Wed, 16 Nov 2016 20:43:28 GMT

Content-Type: text/html; charset=ISO-8859-1

Content-Length: 544

Connection: keep-alive

<html>.<head>..<title>WEBSITE.WS - Your Internet Address For Life™</title>.</head>.<frameset rows="100%,*" border="0" frameborder="0">..<frame src="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic" scrolling="auto">..<noframes>...<p> Your browser does not support frames. Continue to <a href="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic">hXXps://www.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic</a>.</p>..</noframes>.</frameset>.</html>HTTP/1.1 200 OK..Server: nginx/1.6.3..Date: Wed, 16 Nov 2016 20:43:28 GMT..Content-Type: text/html; charset=ISO-8859-1..Content-Length: 544..Connection: keep-alive..<html>.<head>..<title>WEBSITE.WS - Your Internet Address For Life™</title>.</head>.<frameset rows="100%,*" border="0" frameborder="0">..<frame src="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic" scrolling="auto">..<noframes>...<p> Your browser does not support frames. Continue to <a href="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic">hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic</a>.</p>..</noframes>.</frameset>.</html>..

<<< skipped >>>

Map

The Adware connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1916:

.text

.text

`.rdata

`.rdata

@.data

@.data

.ndata

.ndata

.rsrc

.rsrc

uDSSh

uDSSh

.DEFAULT\Control Panel\International

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

GetWindowsDirectoryA

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

SHFileOperationA

SHFileOperationA

ShellExecuteA

ShellExecuteA

SHELL32.dll

SHELL32.dll

RegEnumKeyA

RegEnumKeyA

RegCreateKeyExA

RegCreateKeyExA

RegCloseKey

RegCloseKey

RegDeleteKeyA

RegDeleteKeyA

RegOpenKeyExA

RegOpenKeyExA

ADVAPI32.dll

ADVAPI32.dll

COMCTL32.dll

COMCTL32.dll

ole32.dll

ole32.dll

VERSION.dll

VERSION.dll

verifying installer: %d%%

verifying installer: %d%%

unpacking data: %d%%

unpacking data: %d%%

... %d%%

... %d%%

hXXp://nsis.sf.net/NSIS_Error

hXXp://nsis.sf.net/NSIS_Error

~nsu.tmp

~nsu.tmp

%u.%u%s%s

%u.%u%s%s

RegDeleteKeyExA

RegDeleteKeyExA

%s=%s

%s=%s

*?|/":

*?|/":

ers\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll

ers\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll

ach.exe,gr

ach.exe,gr

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp\nsDialogs.dll

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsd41.tmp

F%X)$qj

F%X)$qj

Windows

Windows

tmp\skip.bmp", i 0, i 0, i 0, i 0x2000|0x0010) i.s

tmp\skip.bmp", i 0, i 0, i 0, i 0x2000|0x0010) i.s

iles\1ClickDownload\1ClickDownloader.exe

iles\1ClickDownload\1ClickDownloader.exe

.torrentreactor.net/download.php?id=123178,longman_exam_coach.exe,gr

.torrentreactor.net/download.php?id=123178,longman_exam_coach.exe,gr

284555269

284555269

r.net/download.php?id=123178

r.net/download.php?id=123178

d=123178,longman_exam_coach.exe,gr

d=123178,longman_exam_coach.exe,gr

\%original file name%.exe

\%original file name%.exe

ownload.php?id=123178,longman_exam_coach.exe,gr

ownload.php?id=123178,longman_exam_coach.exe,gr

2845552

2845552

59532869

59532869

302318654

302318654

ownload.sweetpacks.com/simsdm/bundle/

ownload.sweetpacks.com/simsdm/bundle/

d.torrent

d.torrent

or.net/download.php?id=123178

or.net/download.php?id=123178

ram Files\Internet Explorer\iexplore.exe

ram Files\Internet Explorer\iexplore.exe

.php?id=123178

.php?id=123178

601.17514

601.17514

c:\%original file name%.exe

c:\%original file name%.exe

C:\Users\"%CurrentUserName%"\Desktop

C:\Users\"%CurrentUserName%"\Desktop

%Program Files%\1ClickDownload

%Program Files%\1ClickDownload

nsd41.tmp

nsd41.tmp

%original file name%.exe

%original file name%.exe

ers\"%CurrentUserName%"\AppData\Local\Temp\nssFFB2.tmp

ers\"%CurrentUserName%"\AppData\Local\Temp\nssFFB2.tmp

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\

hXXp://files.download1click.ws/MainPackFA2703.exe

hXXp://files.download1click.ws/MainPackFA2703.exe

hXXp://files.download1click.ws/gzip2.exe

hXXp://files.download1click.ws/gzip2.exe

hXXp://data.downloadstarter.net/

hXXp://data.downloadstarter.net/

hXXp://files.download1click.ws/ARURUSetup.exe

hXXp://files.download1click.ws/ARURUSetup.exe

hXXp://files.download1click.ws/ARUARSetup.exe

hXXp://files.download1click.ws/ARUARSetup.exe

hXXp://files.download1click.ws/BTB0612.exe

hXXp://files.download1click.ws/BTB0612.exe

hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe

hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe

hXXp://files.download1click.ws/FmoodsV21.exe

hXXp://files.download1click.ws/FmoodsV21.exe

hXXp://files.download1click.ws/IminentSetup5.exe

hXXp://files.download1click.ws/IminentSetup5.exe

hXXp://files.download1click.ws/.exe

hXXp://files.download1click.ws/.exe

hXXp://files.download1click.ws/weatherbugsetup.msi

hXXp://files.download1click.ws/weatherbugsetup.msi

hXXp://files.download1click.ws/IWantThisSetupRS.exe

hXXp://files.download1click.ws/IWantThisSetupRS.exe

hXXp://files.download1click.ws/ciuvoSetup.exe

hXXp://files.download1click.ws/ciuvoSetup.exe

hXXp://files.download1click.ws/incredibar_install3.exe

hXXp://files.download1click.ws/incredibar_install3.exe

hXXp://download.sterkly.com/DropDownDeals-S-Setup_Suite1.exe

hXXp://download.sterkly.com/DropDownDeals-S-Setup_Suite1.exe

hXXp://download.sterkly.com/FreeTwitTube-S-Setup_Suite1.exe

hXXp://download.sterkly.com/FreeTwitTube-S-Setup_Suite1.exe

hXXp://download.sterkly.com/yontoo-b2.exe

hXXp://download.sterkly.com/yontoo-b2.exe

hXXp://download.sterkly.com/ezLooker-S-Setup_Suite1.exe

hXXp://download.sterkly.com/ezLooker-S-Setup_Suite1.exe

hXXp://download.sterkly.com/BestVideoDownloader-S-Setup_Suite2.exe

hXXp://download.sterkly.com/BestVideoDownloader-S-Setup_Suite2.exe

hXXp://files.download1click.ws/GophotoExtSetup.exe

hXXp://files.download1click.ws/GophotoExtSetup.exe

hXXp://files.download1click.ws/OneClickExt1_filter03.exe

hXXp://files.download1click.ws/OneClickExt1_filter03.exe

hXXp://files.download1click.ws/OneClickExt1_filter13.exe

hXXp://files.download1click.ws/OneClickExt1_filter13.exe

Inetc3 (Mozilla; FW 4; WinNT 6.1; msi 5.0.7601.17514; dbw ie; yo ;)

Inetc3 (Mozilla; FW 4; WinNT 6.1; msi 5.0.7601.17514; dbw ie; yo ;)

Software\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload

Software\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload

218759841

218759841

3090437

3090437

ap180915,hXXp://dl7.torrentreactor.net/download.php?id=123178,longman_exam_coach.exe,gr

ap180915,hXXp://dl7.torrentreactor.net/download.php?id=123178,longman_exam_coach.exe,gr

ownload.php?id=123178

ownload.php?id=123178

hXXp://dl7.torrentreactor.net/download.php?id=123178

hXXp://dl7.torrentreactor.net/download.php?id=123178

ocmainpack.exe

ocmainpack.exe

319095878

319095878

319095884

319095884

285541449

285541449

453314345

453314345

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

302646790

302646790

118097131

118097131

319423563

319423563

201983218

201983218

118097133

118097133

235537459

235537459

436864558

436864558

1275725049

1275725049

671745274

671745274

-418774366

-418774366

1208616032

1208616032

longman_exam_coach.exe

longman_exam_coach.exe

30556234

30556234

VVV.oneclickdownloader.com

VVV.oneclickdownloader.com

sbiectrl.exe

sbiectrl.exe

vmtoolsd.exe

vmtoolsd.exe

prl_cc.exe

prl_cc.exe

coherence.exe

coherence.exe

VirtualBox.exe

VirtualBox.exe

VBoxSVC.exe

VBoxSVC.exe

DrWeb

DrWeb

%Program Files%\1ClickDownload\longman_exam_coach.magnet

%Program Files%\1ClickDownload\longman_exam_coach.magnet

)-.Yln

)-.Yln

Nullsoft Install System v2.46

Nullsoft Install System v2.46

%original file name%.exe_1916_rwx_10004000_00001000:

callback%d

callback%d