not-a-virus:AdWare.Win32.ICLoader.agjy (Kaspersky), Gen:Variant.Mikey.54508 (B) (Emsisoft), Gen:Variant.Mikey.54508 (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 043b5becf3173c8b310c330f9e54bac0
SHA1: 8454593124bcf31fda427f8b2a46ff7c511d19fc
SHA256: 964eafc2244276cdf6434d67049e60411d7a55c70614e63e7922c313d6107690
SSDeep: 3072:KaaaQnlQ4OuVN2zPgy MA BC3K5eq8m3K0:V/QnlYRoK7pF
Size: 156408 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-01-23 22:35:17
Analyzed on: Windows7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
FrameworkEngine.exe:668
gpedit.exe:4056
Updater.exe:1984
fservice.exe:296
ins1A34.tmp.exe:264
regsvr32.exe:2896
regsvr32.exe:2724
cscript.exe:3564
cscript.exe:1056
cscript.exe:1264
cscript.exe:240
cscript.exe:2952
updater.exe:3544
updater.exe:3444
updater.exe:2656
updater.exe:532
%original file name%.exe:3432
cservice.exe:3484
bservice.exe:4048
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process gpedit.exe:4056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)
The process Updater.exe:1984 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-sys.job (328 bytes)
The process fservice.exe:296 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\FService\1.1\fhelper.dll (204 bytes)
The process ins1A34.tmp.exe:264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\framework\message_target.js (977 bytes)
%Program Files%\SafetySearch\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\context_menu.js (2 bytes)
%Program Files%\Bench\Wd\wd.exe (2526 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_messaging.js (730 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-left.png (310 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (8128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\get.dat (1 bytes)
%Program Files%\SafetySearch\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx49EE.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (1231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\ie_installer.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (2705 bytes)
%Program Files%\Bench\BService\1.1\bservice.exe (533 bytes)
%Program Files%\SafetySearch\framework\backgroundscript_engine.js (2 bytes)
%Program Files%\SafetySearch\framework\global.js (1 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\SafetySearch\icons\icon100.png (3 bytes)
%Program Files%\Bench\Updater\updater.exe (1175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\userscript_engine.js (2 bytes)
%Program Files%\SafetySearch\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systemreport.js (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\webrequest.js (6 bytes)
%Program Files%\SafetySearch\framework\i18n.js (2 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\pz_info (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files%\SafetySearch\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe (3419 bytes)
%Program Files%\SafetySearch\framework\browser.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\backgroundscript_engine.js (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas_content.js (1 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas.js (9 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\FService\1.1\fservice.exe (2951 bytes)
%Program Files%\SafetySearch\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox_installer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafetySearch\Uninstall.lnk (1 bytes)
%Program Files%\SafetySearch\framework\xhr.js (3 bytes)
%Program Files%\SafetySearch\CanvasFramework\registry.js (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\install.rdf (1 bytes)
%Program Files%\SafetySearch\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\migrate.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4625.tmp (15 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (10772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\console.js (1 bytes)
%Program Files%\SafetySearch\framework\lang.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\message_target.js (870 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_webrequest.js (129 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx49EF.tmp (595 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\io.js (1 bytes)
%Program Files%\Bench\BService\1.1\bhelper.dll (2719 bytes)
%Program Files%\SafetySearch\framework-ui\notifications.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsExec.dll (14 bytes)
%Program Files%\SafetySearch\framework\extension_info.js (836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\System.dll (23 bytes)
%Program Files%\SafetySearch\config.xml (2 bytes)
%Program Files%\Bench\FService\1.1\fhelper.dll (5261 bytes)
%Program Files%\Bench\CService\1.0\chelper.dll (7665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_bg.js (892 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu_item_handler.html (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\main_installer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\md5dll.dll (14 bytes)
%Program Files%\SafetySearch\framework\loader.js (428 bytes)
%Program Files%\SafetySearch\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\chrome_windows.js (2 bytes)
%Program Files%\SafetySearch\framework\initialize.js (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\projectInstaller.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_workaround.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon128.png (4 bytes)
%Program Files%\SafetySearch\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\jquery.min.js (4587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (351 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\notifications.js (797 bytes)
%Program Files%\SafetySearch\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content.js (7 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-right.png (311 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsDownloadCv.dll (3577 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_loader.js (906 bytes)
%Program Files%\SafetySearch\CanvasFramework\jquery.min.js (2735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files%\Bench\CService\1.0\cservice.exe (3215 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu.js (1 bytes)
%Program Files%\SafetySearch\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns5588.tmp (15 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (4497 bytes)
%Program Files%\SafetySearch\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\icon.ico (32 bytes)
%Program Files%\SafetySearch\extension_info.json (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\invoke.js (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\userscript_engine.js (3 bytes)
%Program Files%\SafetySearch\FrameworkBHO.dll (9965 bytes)
%Program Files%\SafetySearch\framework\timer.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke.js (406 bytes)
%Program Files%\SafetySearch\framework-ui\notification.html (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\installer.js (898 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns60FF.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\bootstrap.js (1 bytes)
%Program Files%\SafetySearch\framework\core.js (1 bytes)
%Program Files%\SafetySearch\framework\json2.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns49F0.tmp (14 bytes)
%Program Files%\SafetySearch\FrameworkBHO64.dll (12589 bytes)
%Program Files%\SafetySearch\framework\io.js (2 bytes)
%Program Files%\SafetySearch\framework\api.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4C13.tmp (15 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (18662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4D7A.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_installer.js (6 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-right.png (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns5326.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsExecCv.dll (15 bytes)
%Program Files%\SafetySearch\framework\storage.js (3 bytes)
%Program Files%\SafetySearch\framework\invoke_async.js (1 bytes)
%Program Files%\SafetySearch\framework\updater.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\canvas.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (5016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systeminfo.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess2.dll (838 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsr5B81.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsExecCv.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\get.dat (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\md5dll.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\System.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns49F0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns5588.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx402B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns5326.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\pz_info (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4625.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess2.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4D7A.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4C13.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns60FF.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsExec.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsDownloadCv.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsh5F3A.tmp (0 bytes)
The process regsvr32.exe:2896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\FrameworkBHO.dll (409 bytes)
The process regsvr32.exe:2724 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\SafetySearch\FrameworkBHO64.dll (491 bytes)
The process cscript.exe:1056 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\userscript_engine.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\bootstrap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_loader.js (906 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_messaging.js (730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke.js (406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\message_target.js (870 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_browseraction.js (822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\notifications.js (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\webrequest.js (6 bytes)
The process cscript.exe:1264 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\NmHost\manifest.json (215 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (98 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (79 bytes)
%Program Files%\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo (1 bytes)
C:\Windows\System32\drivers\etc\hosts (1823 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (2 bytes)
The process cscript.exe:240 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (4 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (299 bytes)
%Program Files%\SafetySearch\extension_info.json (2 bytes)
The process cscript.exe:2952 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (77 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (126 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (495 bytes)
The process updater.exe:3544 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\Updater\products.xml (431 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx49EF.tmp (0 bytes)
The process updater.exe:3444 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (326 bytes)
The process updater.exe:2656 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (0 bytes)
The process updater.exe:532 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (328 bytes)
The process %original file name%.exe:3432 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ins1A34.tmp.exe (191109 bytes)
The process cservice.exe:3484 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\CService\1.0\chelper.dll (233 bytes)
The process bservice.exe:4048 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Program Files%\Bench\BService\1.1\bhelper.dll (90 bytes)
Registry activity
The process FrameworkEngine.exe:668 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\TypeLib]
"(Default)" = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"AppPath" = "%Program Files%\SafetySearch\"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}]
"(Default)" = "SafetySearch"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}]
"(Default)" = "IKangoEngine"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0]
"(Default)" = "EngineLib"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"AppName" = "FrameworkEngine.exe"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{92ADCA6E-1D8C-4F50-BEBF-1480FD408251}\TypeLib]
"(Default)" = "{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\LocalServer32]
"ServerExecutable" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}]
"Policy" = "3"
[HKCR\CLSID\{92CECA0E-1DCB-4F42-BA4C-368094400351}\Version]
"(Default)" = "1.0"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafetySearch"
[HKCR\TypeLib\{13FFE26E-E2A4-4AC8-9E82-FFC1A3C3578A}\1.0\0\win32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkEngine.exe"
The process gpedit.exe:4056 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForceList]
"1" = "fjnoekdlmmjagmmlchagfonjgbioomoo;http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
"1" = "fjnoekdlmmjagmmlchagfonjgbioomoo;http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}Machine\Software\Policies\Google\Chrome]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}Machine\Software\Policies]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}Machine\Software]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}Machine]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}Machine\Software\Policies\Google\Chrome\ExtensionInstallForcelist]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}Machine\Software\Policies\Google]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\{D5F7777F-4824-4206-AE00-FE454317531B}User]
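The gpedit.exe in the section above is not a Windows component: the dropped-files list places it under the user's AppData\Local\SafetySearch directory, and what it writes is a machine Group Policy file (Registry.pol) plus the matching HKLM value that force-installs a Chrome extension. ExtensionInstallForcelist is an enterprise policy that Chrome applies without asking the user and that the user cannot switch off in chrome://extensions; each value has the form `<extension id>;<update URL>`, and here the update URL is a self-hosted server rather than the Chrome Web Store. The Python below is an added example, not code from the report or from the sample: it parses a version-1 Registry.pol offline (the `PReg` header followed by UTF-16LE `[key;value;type;size;data]` records) and flags force-list entries whose update URL is not the Web Store or whose id is malformed. The policy file it analyses is constructed in the block; its first record carries the value recorded above, the second record and its extension id are fictitious.

```python
"""Offline Registry.pol parser that extracts Chrome ExtensionInstallForcelist
entries and flags force-installed extensions not served from the Web Store.
Added example; not code from the original report or from the analysed sample."""
import struct

PREG_SIGNATURE, PREG_VERSION = b"PReg", 1
REG_SZ, REG_EXPAND_SZ, REG_DWORD = 1, 2, 4
FORCELIST_KEY = r"Software\Policies\Google\Chrome\ExtensionInstallForcelist"
# Update URL of Web Store extensions; any other URL means a self-hosted CRX.
WEBSTORE_UPDATE_URL = "https://clients2.google.com/service/update2/crx"


def _u16z(text):
    """UTF-16LE string plus its two-byte terminator, as stored in Registry.pol."""
    return text.encode("utf-16-le") + b"\x00\x00"


def build_registry_pol(entries):
    """Serialise (key, value_name, reg_type, data_bytes) tuples into the version-1
    layout: 'PReg', DWORD version, then one [key;value;type;size;data] record each."""
    sep = ";".encode("utf-16-le")
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, value, rtype, data in entries:
        out += "[".encode("utf-16-le") + _u16z(key) + sep + _u16z(value) + sep
        out += struct.pack("<I", rtype) + sep + struct.pack("<I", len(data)) + sep
        out += data + "]".encode("utf-16-le")
    return bytes(out)


def _read_u16z(blob, pos):
    """Read a terminated UTF-16LE string, stepping in 2-byte code units so a 0x00
    byte inside a character is never mistaken for the terminator."""
    end = pos
    while blob[end:end + 2] != b"\x00\x00":
        end += 2
        if end >= len(blob):
            raise ValueError("unterminated string at offset %d" % pos)
    return blob[pos:end].decode("utf-16-le"), end + 2


def _expect(blob, pos, ch):
    """Consume one UTF-16LE delimiter character or fail loudly."""
    if blob[pos:pos + 2] != ch.encode("utf-16-le"):
        raise ValueError("expected %r at offset %d" % (ch, pos))
    return pos + 2


def _decode(rtype, data):
    if rtype in (REG_SZ, REG_EXPAND_SZ):
        return data.decode("utf-16-le").rstrip("\x00")
    if rtype == REG_DWORD and len(data) == 4:
        return struct.unpack("<I", data)[0]
    return data  # REG_BINARY, REG_MULTI_SZ, ...: returned raw


def parse_registry_pol(blob):
    """Return a list of (key, value_name, reg_type, decoded_data) records."""
    if blob[:4] != PREG_SIGNATURE or struct.unpack_from("<I", blob, 4)[0] != PREG_VERSION:
        raise ValueError("not a version-1 Registry.pol file")
    pos, records = 8, []
    while pos < len(blob):
        pos = _expect(blob, pos, "[")
        key, pos = _read_u16z(blob, pos)
        value, pos = _read_u16z(blob, _expect(blob, pos, ";"))
        pos = _expect(blob, pos, ";")
        rtype = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        size = struct.unpack_from("<I", blob, pos)[0]
        pos = _expect(blob, pos + 4, ";")
        data, pos = blob[pos:pos + size], pos + size
        pos = _expect(blob, pos, "]")
        records.append((key, value, rtype, _decode(rtype, data)))
    return records


def find_forced_extensions(records):
    """Each force-list value is '<32-char id>;<update URL>'. An omitted URL means
    the Web Store, so only a present non-Store URL (or a malformed id) is flagged."""
    findings = []
    for key, value, rtype, data in records:
        if key.lower() != FORCELIST_KEY.lower() or rtype != REG_SZ:
            continue
        ext_id, _, update_url = data.partition(";")
        valid_id = len(ext_id) == 32 and set(ext_id) <= set("abcdefghijklmnop")
        findings.append({"policy_index": value, "extension_id": ext_id,
                         "update_url": update_url,
                         "suspicious": not valid_id or
                         (update_url != "" and update_url.lower() != WEBSTORE_UPDATE_URL)})
    return findings


# Constructed Registry.pol: record 1 is the force-list value recorded in the report,
# record 2 a made-up Web Store entry (fictitious id) included for contrast.
SAMPLE_POL = build_registry_pol([
    (FORCELIST_KEY, "1", REG_SZ, _u16z(
        "fjnoekdlmmjagmmlchagfonjgbioomoo;http://fjnoekdlmmjagmmlchagfonjgbioomoo/check/"
        ".eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEB"
        "fMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4")),
    (FORCELIST_KEY, "2", REG_SZ, _u16z(
        "abcdefghijklmnopabcdefghijklmnop;" + WEBSTORE_UPDATE_URL)),
])


def analyse_sample():
    return find_forced_extensions(parse_registry_pol(SAMPLE_POL))


if __name__ == "__main__":
    for f in analyse_sample():
        print("SUSPICIOUS" if f["suspicious"] else "ok", f["extension_id"], f["update_url"])
```

On a live host the file to feed in is `C:\Windows\System32\GroupPolicy\Machine\Registry.pol` (the one written in this report): `find_forced_extensions(parse_registry_pol(open(path, "rb").read()))`. The same `id;url` check applies to the values under `HKLM\SOFTWARE\Policies\Google\Chrome\ExtensionInstallForcelist`, which is where Chrome reads the policy once it has been applied; an installer that writes both, as this one does, leaves the extension in place even if the policy file is later cleaned.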
The process ins1A34.tmp.exe:264 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayVersion" = "1.0"
[HKLM\SOFTWARE\SafetySearch]
"CDN" = "safetysearch-a.akamaihd.net"
[HKLM\SOFTWARE\Bench\NmHost]
"(Default)" = "%Program Files%\Bench\NmHost\nmhost.exe"
[HKLM\SOFTWARE\SafetySearch]
"InstallTime" = "1480107583"
[HKLM\SOFTWARE\Bench\CService]
"PID" = "2031"
[HKLM\SOFTWARE\Bench\FService]
"Path" = "%Program Files%\Bench\FService\1.1"
[HKLM\SOFTWARE\SafetySearch]
"straoi" = "nov 25, 2016"
[HKLM\SOFTWARE\AdvertisingSupport]
"Existing" = "1"
[HKLM\SOFTWARE\Bench\CService]
"ZoneId" = "14136871"
[HKLM\SOFTWARE]
"38989" = "SafetySearch"
[HKLM\SOFTWARE\Bench\CService]
"Version" = "1.0"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen" = "1"
[HKLM\SOFTWARE\Bench\CService]
"aoi" = "1480107583"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER]
"iexplore.exe" = "0"
[HKLM\SOFTWARE\Bench\CService]
"Path" = "%Program Files%\Bench\CService\1.0"
[HKLM\SOFTWARE\Bench\FService\38989]
"{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}" = ""
[HKLM\SOFTWARE\Bench\CService]
"straoi" = "nov 25, 2016"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"UninstallString" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe"
[HKLM\SOFTWARE\SafetySearch]
"SystemId" = "c62e94071dfd4f9df8f37d998ede05ad"
[HKLM\SOFTWARE\AdvertisingSupport]
"SystemId" = "c62e94071dfd4f9df8f37d998ede05ad"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayIcon" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch/icon.ico"
[HKLM\SOFTWARE\Bench\BService]
"Path" = "%Program Files%\Bench\BService\1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"DisplayName" = "SafetySearch"
[HKLM\SOFTWARE\Bench\FService]
"Version" = "1.1"
[HKLM\SOFTWARE\Bench\CService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Bench\Updater\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"InstallLocation" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch"
[HKLM\SOFTWARE\Bench\Wd\38989]
"(Default)" = ""
[HKLM\SOFTWARE\SafetySearch]
"UTCInstallTime" = "1480100383"
[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "11001"
[HKLM\SOFTWARE\SafetySearch]
"PID" = "2031"
[HKLM\SOFTWARE\Bench\Updater]
"Path" = "%Program Files%\Bench\Updater\updater.exe"
[HKLM\SOFTWARE\Bench\BService]
"Version" = "1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"NoRepair" = "1"
[HKLM\SOFTWARE\SafetySearch]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch"
"FEATURE_DISABLE_INTERNAL_SECURITY_MANAGER_32" = "0"
[HKLM\SOFTWARE\Bench\FService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"Publisher" = "Stunning Apps"
[HKLM\SOFTWARE\Bench\CService]
"Format" = "//{domain}/loaders/{pid}/l.js?pid={pid}&systemid={systemid}&ext={ext}&aoi={aoi}&zoneid={zoneid}&crr={crr}&type=d"
[HKLM\SOFTWARE\SafetySearch]
"ZoneId" = "14136871"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FrameworkEngine.exe" = "11001"
[HKLM\SOFTWARE\Bench\NmHost\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.bench.nmhost]
"(Default)" = "%Program Files%\Bench\NmHost\manifest.json"
[HKLM\SOFTWARE\Bench\CService]
"ext" = "SafetySearch"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess.dll,"
[HKLM\SOFTWARE\AdvertisingSupport]
"SeenDate" = "1480100383"
[HKLM\SOFTWARE\SafetySearch]
"Seen" = "1"
[HKLM\SOFTWARE\Bench\BService\38989]
"(Default)" = ""
[HKLM\SOFTWARE\Bench\CService]
"Domain" = "safetysearch-a.akamaihd.net"
[HKLM\SOFTWARE\SafetySearch]
"SeenDate" = "1480100383"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\38989_SafetySearch]
"NoModify" = "1"
To run automatically each time Windows starts, the Trojan adds the following values to the system registry autorun keys:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\1.1\bservice.exe"
"FService" = "%Program Files%\Bench\FService\1.1\fservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js SafetySearch-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
"CService" = "%Program Files%\Bench\CService\1.0\cservice.exe"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\SafetySearch]
"Seen"
[HKLM\SOFTWARE\AdvertisingSupport]
"Seen"
The Trojan deletes the following autorun values, disabling their automatic startup:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SafetySearch-repairJob"
"Wd"
The process regsvr32.exe:2896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\0\win32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\Version]
"(Default)" = "1.0"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}]
"(Default)" = "IKangoToolbar"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}]
"(Default)" = "SafetySearch"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\HELPDIR]
"(Default)" = "%Program Files%\SafetySearch"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0]
"(Default)" = "Framework 1.0 Type Library"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7782DBE4-75A1-453D-B9FD-643F752E4532}" = "SafetySearch"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\InprocServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
[HKCR\TypeLib\{B5D3A0F0-0BFE-429A-A322-95F076081845}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}]
"(Default)" = "IKangoBHO"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{7782DBE4-75A1-453D-B9FD-643F752E4532}\InprocServer32]
"(Default)" = "%Program Files%\SafetySearch\FrameworkBHO.dll"
"ThreadingModel" = "Apartment"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"(Default)" = "SafetySearch BHO"
[HKCR\Interface\{1EE70D1D-B150-4ACF-8498-4C5DE80CEAAC}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}\TypeLib]
"(Default)" = "{B5D3A0F0-0BFE-429A-A322-95F076081845}"
[HKCR\Interface\{7720DB57-7561-457F-B689-D03FB72E3932}\TypeLib]
"Version" = "1.0"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"NoExplorer" = "1"
"(Default)" = "SafetySearch BHO"
The process cscript.exe:3564 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Bench\InstalledExtensions]
"38989" = ""
The process cscript.exe:240 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Settings\{1EDE0D83-B129-4ABC-923B-725D5B0C0DAC}]
"Flags" = "0"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{7782DBE4-75A1-453D-B9FD-643F752E4532}"
The process cscript.exe:2952 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\SafetySearch]
"czoneid" = "12199"
The process %original file name%.exe:3432 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
"UNCAsIntranet" = "0"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
Dropped PE files
MD5 | File path |
---|---|
8e4be86a6eb429ec81eda3e027d0d29d | c:\Program Files\Bench\BService\1.1\bhelper.dll |
e52deb34958a6b9c9defd04072ba320c | c:\Program Files\Bench\BService\1.1\bservice.exe |
59ee67deedd9086cbd4fa6b8d857ee70 | c:\Program Files\Bench\CService\1.0\chelper.dll |
fffee0f36c519fa973cf697a65b22371 | c:\Program Files\Bench\CService\1.0\cservice.exe |
807855debcc9534020d05dbfba5dbf3a | c:\Program Files\Bench\FService\1.1\fhelper.dll |
8d5c6e316e1c04772e50ecc268a1d8da | c:\Program Files\Bench\FService\1.1\fservice.exe |
5820ed0b943181e5c0cd842d73698d60 | c:\Program Files\Bench\NmHost\nmhost.exe |
729975e07ead4a4b14d020c2bb446833 | c:\Program Files\Bench\Updater\1.7.0.0\updater.exe |
27862bc4eb31d1e68b866a9f32c87fd4 | c:\Program Files\Bench\Updater\updater.exe |
b361e5282cbdd81b2222a3fe60f20b40 | c:\Program Files\Bench\Wd\wd.exe |
ad69b3a081abef07d1886f35a45ba5c5 | c:\Program Files\SafetySearch\FrameworkBHO.dll |
589b0917e190658e3d96b89dc4bb2510 | c:\Program Files\SafetySearch\FrameworkBHO64.dll |
55adfd182e6e91dc2100dded4cddca61 | c:\Program Files\SafetySearch\FrameworkEngine.exe |
ba251b19a0dcbcde8f910dc97dd5074f | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe |
2796990b18b323edd2446efec850a354 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe |
82771129b12517cf5c6e2244d14e8360 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe |
161f9defe2b6718d7773d964f5c6dfd2 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe |
6f939f486413d00f6a6c0d0169eefd47 | c:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe |
189068d160bbce2c3c78a54a4eff7993 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\ins1A34.tmp.exe |
05450face243b3a7472407b999b03a72 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess.dll |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which maps host names to IP addresses before DNS is consulted. The modified file is 911 bytes in size and contains the following added entry:
IP address | Host name |
---|---|
127.0.0.1 | validation.sls.microsoft.com |
Pointing validation.sls.microsoft.com (Microsoft's Windows licensing validation host) at loopback blocks activation validation. The same entry is a common leftover of activation-bypass tooling, so compare it against a clean baseline of the analysis image before attributing it to this sample.
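The hosts-file check a responder would run over an image, written here as an added Python example (not part of the report): it parses a hosts file, skips comments and malformed lines, handles several names on one line, and reports every non-local name pinned to loopback or to the 0.0.0.0 black hole, so the validation.sls.microsoft.com entry above and any similar entries surface together. The sample hosts content, the vendor suffix list and the baseline set of legitimate loopback names are constructed assumptions.

```python
"""Hosts-file triage: list every host name pinned to loopback (127/8, ::1) or to
the 0.0.0.0 / :: black hole, the pattern hosts-file tampering uses to silence
update, validation and security services. Added example; not from the report."""
import ipaddress

# Names a clean hosts file legitimately points at loopback (assumed baseline).
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}
SINK_NETWORKS = [ipaddress.ip_network(n)
                 for n in ("127.0.0.0/8", "::1/128", "0.0.0.0/32", "::/128")]
# Suffixes whose sinkholing is the classic update/activation-blocking pattern (assumed list).
VENDOR_SUFFIXES = ("microsoft.com", "windowsupdate.com", "google.com", "mozilla.org")


def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping; comments, blank and
    malformed lines are skipped. One line may map several names to one address."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")


def find_sinkholed(text):
    """Return the non-local names that resolve to a loopback or black-hole address."""
    findings = []
    for line_no, ip, name in parse_hosts(text):
        # Address/network version mismatch simply yields False, so IPv4 and IPv6 mix safely.
        if name in LOCAL_NAMES or not any(ip in net for net in SINK_NETWORKS):
            continue
        vendor = any(name == s or name.endswith("." + s) for s in VENDOR_SUFFIXES)
        findings.append({"line": line_no, "ip": str(ip), "host": name,
                         "category": "vendor-service" if vendor else "other"})
    return findings


# Constructed hosts file: a Windows-style header with the default entries commented
# out, the line recorded in the report, one made-up black-holed name and one
# ordinary intranet mapping that must not be flagged.
SAMPLE_HOSTS = """\
# constructed Windows-style hosts file
# localhost name resolution is handled within DNS itself.
#\t127.0.0.1       localhost
#\t::1             localhost
127.0.0.1 validation.sls.microsoft.com
0.0.0.0   ads.example.invalid   # constructed
192.0.2.10 intranet.example.invalid
"""

if __name__ == "__main__":
    for f in find_sinkholed(SAMPLE_HOSTS):
        print("line %(line)d: %(ip)s -> %(host)s [%(category)s]" % f)
```

Run it over a copy of `%System%\drivers\etc\hosts` taken from the suspect machine with `find_sinkholed(open(path, encoding="utf-8", errors="replace").read())`; anything in the vendor-service category deserves the baseline comparison noted above before it is attributed to the sample.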
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
FrameworkEngine.exe:668
gpedit.exe:4056
Updater.exe:1984
fservice.exe:296
ins1A34.tmp.exe:264
regsvr32.exe:2896
regsvr32.exe:2724
cscript.exe:3564
cscript.exe:1056
cscript.exe:1264
cscript.exe:240
cscript.exe:2952
updater.exe:3544
updater.exe:3444
updater.exe:2656
updater.exe:532
%original file name%.exe:3432
cservice.exe:3484
bservice.exe:4048
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Windows\System32\GroupPolicy\gpt.ini (261 bytes)
C:\Windows\System32\GroupPolicy\Machine\Registry.pol (1208 bytes)
C:\Windows\Tasks\bench-sys.job (328 bytes)
%Program Files%\Bench\FService\1.1\fhelper.dll (204 bytes)
%Program Files%\SafetySearch\framework\message_target.js (977 bytes)
%Program Files%\SafetySearch\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\context_menu.js (2 bytes)
%Program Files%\Bench\Wd\wd.exe (2526 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_messaging.js (730 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-left.png (310 bytes)
%Program Files%\SafetySearch\FrameworkEngine.exe (8128 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\get.dat (1 bytes)
%Program Files%\SafetySearch\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx49EE.tmp (274 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\gpedit.exe (1231 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\ie_installer.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\extension_info.json (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\storageedit.exe (2705 bytes)
%Program Files%\Bench\BService\1.1\bservice.exe (533 bytes)
%Program Files%\SafetySearch\framework\backgroundscript_engine.js (2 bytes)
%Program Files%\SafetySearch\framework\global.js (1 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-left.png (307 bytes)
%Program Files%\SafetySearch\icons\icon100.png (3 bytes)
%Program Files%\Bench\Updater\updater.exe (1175 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\userscript_engine.js (2 bytes)
%Program Files%\SafetySearch\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systemreport.js (537 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\webrequest.js (6 bytes)
%Program Files%\SafetySearch\framework\i18n.js (2 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\pz_info (26 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\framework\utils.js (5 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-middle.png (240 bytes)
%Program Files%\SafetySearch\icons\icon48.png (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\uninstall.exe (3419 bytes)
%Program Files%\SafetySearch\framework\browser.js (12 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\backgroundscript_engine.js (1 bytes)
%Program Files%\SafetySearch\CanvasFramework\canvas_content.js (1 bytes)
%Program Files%\Bench\NmHost\manifest.json (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas.js (9 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-right.png (308 bytes)
%Program Files%\Bench\FService\1.1\fservice.exe (2951 bytes)
%Program Files%\SafetySearch\CanvasFramework\webrequest.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox_installer.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\SafetySearch\Uninstall.lnk (1 bytes)
%Program Files%\SafetySearch\framework\xhr.js (3 bytes)
%Program Files%\SafetySearch\CanvasFramework\registry.js (863 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\install.rdf (1 bytes)
%Program Files%\SafetySearch\framework-ui\browser_button.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\migrate.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4625.tmp (15 bytes)
%Program Files%\Bench\Updater\1.7.0.0\updater.exe (10772 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\console.js (1 bytes)
%Program Files%\SafetySearch\framework\lang.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\message_target.js (870 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-left.png (316 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_webrequest.js (129 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsx49EF.tmp (595 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-top.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\io.js (1 bytes)
%Program Files%\Bench\BService\1.1\bhelper.dll (2719 bytes)
%Program Files%\SafetySearch\framework-ui\notifications.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsExec.dll (14 bytes)
%Program Files%\SafetySearch\framework\extension_info.js (836 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\System.dll (23 bytes)
%Program Files%\SafetySearch\config.xml (2 bytes)
%Program Files%\Bench\CService\1.0\chelper.dll (7665 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_bg.js (892 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu_item_handler.html (225 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\main_installer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\md5dll.dll (14 bytes)
%Program Files%\SafetySearch\framework\loader.js (428 bytes)
%Program Files%\SafetySearch\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\chrome_windows.js (2 bytes)
%Program Files%\SafetySearch\framework\initialize.js (532 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\projectInstaller.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_workaround.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon128.png (4 bytes)
%Program Files%\SafetySearch\framework\messaging.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\jquery.min.js (4587 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\info.xml (351 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-right.png (234 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework-ui\notifications.js (797 bytes)
%Program Files%\SafetySearch\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content.js (7 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\middle-left.png (235 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\bottom-right.png (311 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsDownloadCv.dll (3577 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\top-middle.png (240 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\includes\content_loader.js (906 bytes)
%Program Files%\SafetySearch\CanvasFramework\jquery.min.js (2735 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\md5.js (3 bytes)
%Program Files%\Bench\CService\1.0\cservice.exe (3215 bytes)
%Program Files%\SafetySearch\framework-ui\context_menu.js (1 bytes)
%Program Files%\SafetySearch\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns5588.tmp (15 bytes)
%Program Files%\Bench\NmHost\nmhost.exe (4497 bytes)
%Program Files%\SafetySearch\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\icon.ico (32 bytes)
%Program Files%\SafetySearch\extension_info.json (1 bytes)
%Program Files%\SafetySearch\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\invoke.js (505 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_browseraction.js (822 bytes)
%Program Files%\SafetySearch\framework\userscript_engine.js (3 bytes)
%Program Files%\SafetySearch\FrameworkBHO.dll (9965 bytes)
%Program Files%\SafetySearch\framework\timer.js (934 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\invoke.js (406 bytes)
%Program Files%\SafetySearch\framework-ui\notification.html (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\installer.js (898 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns60FF.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\bootstrap.js (1 bytes)
%Program Files%\SafetySearch\framework\core.js (1 bytes)
%Program Files%\SafetySearch\framework\json2.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess.dll (8 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns49F0.tmp (14 bytes)
%Program Files%\SafetySearch\FrameworkBHO64.dll (12589 bytes)
%Program Files%\SafetySearch\framework\io.js (2 bytes)
%Program Files%\SafetySearch\framework\api.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4C13.tmp (15 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-bottom.png (315 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\sqlite3.exe (18662 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns4D7A.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\chrome_installer.js (6 bytes)
%Program Files%\SafetySearch\framework-ui\theme\bubble\tail-right.png (304 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\ns5326.tmp (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsExecCv.dll (15 bytes)
%Program Files%\SafetySearch\framework\storage.js (3 bytes)
%Program Files%\SafetySearch\framework\invoke_async.js (1 bytes)
%Program Files%\SafetySearch\framework\updater.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\canvas.js (15 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\firefox\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\SoftwareDetector.exe (5016 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\systeminfo.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsm403B.tmp\nsProcess2.dll (838 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\browser.js (11 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\api.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\userscript_engine.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\chrome.manifest (57 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\xhr.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\bootstrap.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions.json (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content.js (7 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\browser_button.js (9 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\background.html (157 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_loader.js (906 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\extension_info.js (613 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\context_menu.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\timer.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_bg.js (892 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_common.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon32.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair_data.json (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon48.png (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke_async.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\i18n.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\framework_api.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\includes\content_messaging.js (730 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\loader.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\invoke.js (406 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\md5.js (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_webrequest.js (129 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\chrome_windows.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\io.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\core.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon100.png (3 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\console.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\install.rdf (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\icon128.png (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\uninstall.js (76 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\lang.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\messaging.js (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\message_target.js (870 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\registry.js (707 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\canvas_content.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\backgroundscript_engine.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\options.js (1 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\storage.js (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\AppFramework\appAPI_browseraction.js (822 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\extension_info.json (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\jquery.min.js (601 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework-ui\notifications.js (797 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\icons\button.png (517 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\framework\utils.js (5 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Mozilla\Firefox\Profiles\5a2ce8gs.default\extensions\{59DE4A3B-CC90-6CCB-2706-5ED9618EECEE}\CanvasFramework\webrequest.js (6 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Google\Chrome\User Data\Default\Preferences (79 bytes)
%Program Files%\Bench\NmHost\data\installer\fjnoekdlmmjagmmlchagfonjgbioomoo (1 bytes)
C:\Windows\System32\drivers\etc\hosts (1823 bytes)
%Program Files%\Bench\Updater\products.xml (431 bytes)
C:\Windows\Tasks\bench-S-1-5-21-732923889-1296844034-1208581001-1000.job (326 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\BenchUpdater\products.xml (497 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\ins1A34.tmp.exe (191109 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BService" = "%Program Files%\Bench\BService\1.1\bservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"FService" = "%Program Files%\Bench\FService\1.1\fservice.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"SafetySearch-repairJob" = "wscript.exe C:\Users\"%CurrentUserName%"\AppData\Local\SafetySearch\repair.js SafetySearch-repairJob"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WD" = "%Program Files%\Bench\Wd\wd.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CService" = "%Program Files%\Bench\CService\1.0\cservice.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts): 127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
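The hosts-file step above is the one most often skipped, and this sample gives a concrete reason not to: the report records the dropper rewriting %System%\drivers\etc\hosts (1823 bytes, against roughly 800 bytes of comments in a clean Windows 7 file) and then, in the Traffic section, issuing HTTP requests to a host literally named after the Chrome extension ID fjnoekdlmmjagmmlchagfonjgbioomoo. A name like that never resolves through public DNS, so the hosts file is its only way into the resolver. The audit below is an added example written for this page, not part of the Lavasoft output or of the software described; the sample hosts content is constructed, and the mapping of the extension ID to 54.235.90.58 is an assumption taken from the "ip" field of the update-srv.info JSON reply, not a line read from the captured file.

```python
"""Audit a Windows hosts file for entries an installer may have added."""
import re
from typing import List, Tuple

# The only entries a stock Windows hosts file carries (and ships commented out).
DEFAULT_NAMES = {"localhost"}

# A Chrome extension ID is exactly 32 characters from a-p (base-16 spelled
# with letters). It is not a DNS name, so seeing it in hosts is a strong signal.
CHROME_EXT_ID = re.compile(r"^[a-p]{32}$")

# Domains the report associates with this sample.
REPORT_DOMAINS = {"installping5.info", "update-srv.info", "vac-p2.info"}


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return (ip, hostname) pairs for every active (uncommented) entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            entries.append((ip, name.lower()))
    return entries


def suspicious_entries(text: str) -> List[Tuple[str, str, str]]:
    """Flag hosts entries a clean box would not have, as (ip, name, reason)."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in DEFAULT_NAMES and ip in ("127.0.0.1", "::1"):
            continue  # the one legitimate active entry
        if CHROME_EXT_ID.match(name):
            findings.append((ip, name, "chrome-extension-id used as hostname"))
        elif any(name == d or name.endswith("." + d) for d in REPORT_DOMAINS):
            findings.append((ip, name, "domain from report pinned in hosts"))
        elif name in DEFAULT_NAMES:
            findings.append((ip, name, "localhost redirected"))
        else:
            findings.append((ip, name, "non-default entry"))
    return findings


# Constructed sample: the stock comment block, the stock localhost line, and
# the ASSUMED injected mapping for the extension-ID hostname.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# 127.0.0.1       localhost
# ::1             localhost
127.0.0.1 localhost
54.235.90.58 fjnoekdlmmjagmmlchagfonjgbioomoo
"""

if __name__ == "__main__":
    for ip, name, why in suspicious_entries(SAMPLE_HOSTS):
        print(f"{ip:<16} {name:<40} {why}")
```

Run it against a copy of the live file (`suspicious_entries(open(path).read())`) before restoring the default content, so the injected mappings are recorded as indicators rather than simply overwritten.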
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.0
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 70748 | 71168 | 4.59942 | 82c456d343592e9e366847f6b73b39d6 |
.rdata | 77824 | 25020 | 25088 | 3.22801 | 2bde5eac7ad12da7ba53279929920a7d |
.data | 106496 | 29660 | 21504 | 0.816513 | 604e239442f8b7da60746ee2c6a44683 |
.rsrc | 139264 | 27456 | 27648 | 4.02543 | 1201cd04fb4d0015033ccad9ac736b35 |
.reloc | 167936 | 4804 | 5120 | 4.43662 | 8d41a58665602d3c48e6a4ec841329f9 |
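The "Not Packed" verdict in the summary comes from numbers like the ones in this table: every section sits well below the entropy a compressed or encrypted blob would show, and no section has a large virtual size with an empty raw image. The check below is an added example written for this page, not the analyzer's own code; the per-section values are copied from the table, and the 7.0 bits-per-byte cut-off is a common rule of thumb assumed here, not a documented threshold of the tool.

```python
"""Section-entropy packing heuristic of the kind behind a 'Not Packed' verdict."""
import math
from collections import Counter
from typing import Dict, Tuple

# Assumed cut-off: compressed or encrypted data approaches 8.0 bits/byte,
# plain x86 code and tables typically land between 4 and 6.5.
PACKED_THRESHOLD = 7.0


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte (0.0 for empty or constant input)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def packed_verdict(sections: Dict[str, Tuple[int, int, float]]) -> str:
    """sections maps name -> (virtual_size, raw_size, entropy)."""
    reasons = []
    for name, (vsize, rsize, ent) in sections.items():
        if rsize > 0 and ent >= PACKED_THRESHOLD:
            reasons.append(f"{name} entropy {ent:.2f}")
        # A section with no raw bytes but a large virtual size is the classic
        # shape of the destination an unpacking stub writes into at run time.
        if rsize == 0 and vsize > 0 and name != ".bss":
            reasons.append(f"{name} raw size 0 / virtual size {vsize}")
    return ("Packed: " + "; ".join(reasons)) if reasons else "Not Packed"


# Values from the PE Sections table of this report.
REPORT_SECTIONS = {
    ".text": (70748, 71168, 4.59942),
    ".rdata": (25020, 25088, 3.22801),
    ".data": (29660, 21504, 0.816513),
    ".rsrc": (27456, 27648, 4.02543),
    ".reloc": (4804, 5120, 4.43662),
}

if __name__ == "__main__":
    print(packed_verdict(REPORT_SECTIONS))
    print(f"{shannon_entropy(bytes(range(256))):.2f} bits/byte for uniform data")
```

The .data section's virtual size exceeding its raw size is normal (uninitialised data), which is why the raw-size check only fires when the raw image is empty.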
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1073.d.akamai.net/get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc | |
hxxp://d2rx3wo6u6259k.cloudfront.net/installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
hxxp://54.225.95.126/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
hxxp://a402.g.akamai.net/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
hxxp://d2rx3wo6u6259k.cloudfront.net/tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | |
hxxp://d2rx3wo6u6259k.cloudfront.net/id-check/c62e94071dfd4f9df8f37d998ede05ad/ | |
hxxp://d2rx3wo6u6259k.cloudfront.net/newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 | |
hxxp://www.installping5.info/tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | 52.222.149.124 |
hxxp://www.installping5.info/id-check/c62e94071dfd4f9df8f37d998ede05ad/ | 52.222.149.124 |
hxxp://fjnoekdlmmjagmmlchagfonjgbioomoo/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | |
hxxp://www.update-srv.info/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 | 212.30.134.174 |
hxxp://www.installping5.info/newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 | 52.222.149.124 |
hxxp://www.vac-p2.info/get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc | 212.30.134.190 |
hxxp://www.installping5.info/installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 | 52.222.149.124 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /id-check/c62e94071dfd4f9df8f37d998ede05ad/ HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 1
Connection: close
Server: nginx/1.8.0
Date: Fri, 25 Nov 2016 19:00:46 GMT
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 7f9337ef3a0e409fd3409fbbbcf08744.cloudfront.net (CloudFront)
X-Amz-Cf-Id: o-7twPwU2jmMpF_loZXBXiEW4f2c0SmTmXR5xn82NoADrL_zywjHjQ==
1..
GET /installer-run/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 26
Connection: close
Server: nginx/1.8.0
Date: Fri, 25 Nov 2016 19:00:39 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 25 Nov 2016 18:59:44 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 59574f77a7cf2d23d64904db278e5711.cloudfront.net (CloudFront)
X-Amz-Cf-Id: aWj8nYhF_gtO8oVqO8Wdyu--pQa8rRPTI29UNRGh01vJBFSDhtZYzw==
2031:14136871:nov 25, 2016..
GET /tbi-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/xriderexe/14136871/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: nginx/1.8.0
Date: Fri, 25 Nov 2016 19:00:46 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 25 Nov 2016 19:00:46 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 22e8ec6be29eb9755e0a8dfac5944c51.cloudfront.net (CloudFront)
X-Amz-Cf-Id: HPwoaft8g8BCMZ20M5WR6U96UxqRgtlsPxbcqOsPT2R1W8mtoZVzGw==
GET /latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: VVV.update-srv.info
HTTP/1.1 200 OK
Content-Type: application/json
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 284
Date: Fri, 25 Nov 2016 18:59:48 GMT
Connection: keep-alive
{ "ext_id": "fjnoekdlmmjagmmlchagfonjgbioomoo", "ip": "54.235.90.58", "url": "hXXp://fjnoekdlmmjagmmlchagfonjgbioomoo/check/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4" }
GET /latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4 HTTP/1.1
Connection: Keep-Alive
Accept: */*
Accept-Language: en-us
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: fjnoekdlmmjagmmlchagfonjgbioomoo
HTTP/1.1 302 Moved Temporarily
Server: nginx/1.4.6 (Ubuntu)
Date: Fri, 25 Nov 2016 19:04:38 GMT
Content-Type: text/html
Content-Length: 169
Connection: keep-alive
Location: hXXp://VVV.update-srv.info/latest/crx/.eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4
<html><head><title>302 Found</title></head><body bgcolor="white"><center><h1>302 Found</h1></center><hr><center>nginx/1.4.6 (Ubuntu)</center></body></html>
GET /get/.eJwtjDEOgCAQBP-yNYV4RNDPEBIRiUQJUGn8u6exnZ2dCy5nG2dMZEYzCjRXN0yIe20uJV8gkN-570gKnMfuP1sqSYPRjH7TLsmFyp7SigSYBc-dXI6ZE2Xly_0AGrwgww.LjL5MHmwXlFPQLOaRKBOG_1NMQc HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
X-Builder-DL: 1
Host: VVV.vac-p2.info
HTTP/1.1 200 OK
Content-Disposition: attachment; filename="SafetySearch.exe"
Content-Type: application/octet-stream
Server: nginx/1.4.6 (Ubuntu)
Content-Length: 2962524
Date: Fri, 25 Nov 2016 18:59:41 GMT
Connection: keep-alive
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........................K.......[...............b.......R.......U.....Rich............................PE..L.....KU.................b...........3............@.......................................@................................. ................................0..8....................................................................................text....a.......b.................. ..`.rdata...............f..............@..@.data....\..........................@....ndata...................................rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......C..H.P.u..u..u...p.@..K...SV.5..C.W.E.P.u...t.@..e...E..E.P.u...x.@..}..e....@.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...<.@..E..P.E..E.P.u...|.@..u....E..9}...n....~X.te.v4..P.@..E...tU.}.j.W.E......E.......T.@..vXW..X.@..u..5L.@.W..h ....E..E.Pj.h..C.W....@..u.W...u....E.P.u.....@._^3.[.....L$....C...i......T.....tUVW.q.3.;5..C.sD..i......D..S.....t.G.....t...O..t .....u...3....3...F.....;5..C.r.[_^...U..QQ
<<< skipped >>>
GET /newuser-ping/c62e94071dfd4f9df8f37d998ede05ad/b319454cdca1e6576b68b841c86cfcaf/0/xriderexe/14136871/0/?pid=38989&sub_id=default&uzid=14136871&subid=&pid=2031&os=7&admin=1&version=20150820 HTTP/1.0
Host: VVV.installping5.info
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Server: nginx/1.8.0
Date: Fri, 25 Nov 2016 19:00:46 GMT
X-Powered-By: PHP/5.3.3
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Fri, 25 Nov 2016 18:59:52 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Pragma: no-cache
X-Cache: Miss from cloudfront
Via: 1.1 300b920cc4a53d2daec2ba8180596d82.cloudfront.net (CloudFront)
X-Amz-Cf-Id: esFTnIZYodawIxznIbCITazVr7C-szUoirT2isxtF9VDyt4DbTJ94Q==
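Two things in this capture are worth turning into detection logic. First, the installer phones home in a fixed sequence (id-check, installer-run, tbi-ping, newuser-ping) with the NSISDL user-agent; that user-agent belongs to the NSIS installer's download plug-in and is used by plenty of benign installers, so it should only strengthen another match, never fire alone. Second, the extension-update fetches carry a path token of the form `/.payload.signature`, whose payload begins with `eJw`, the base64 of the zlib header 78 9c, and whose signature decodes to 20 bytes. The following is an added example written for this page, not code from the report or from the software it describes: the log lines are constructed in a simple `host method path "user-agent"` layout to stand in for a proxy log (the hosts, paths and user-agents are the ones shown above), and reading the token as a URL-safe signed token with a compressed payload and an HMAC-SHA1 tag is an assumption drawn from its shape, not something the report states.

```python
"""Detection for the beacon and signed-token-fetch pattern in the capture."""
import base64
import re
import zlib
from typing import Dict, List, Optional

REPORT_HOSTS = {"www.installping5.info", "www.update-srv.info", "www.vac-p2.info"}
PING_PATHS = ("/id-check/", "/installer-run/", "/tbi-ping/", "/newuser-ping/")
FETCH_PATHS = ("/latest/crx/", "/check/", "/get/")
CHROME_EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 x [a-p]
LOG_RE = re.compile(r'^(?P<host>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Token exactly as it appears in the /latest/crx/ requests above.
TOKEN = (".eJwNyU0KgCAQQOG7zFqitl4mTEdT5wfUIojunsv3vReG6xUs-LMpIxi4sfWsMmlb1tlZ"
         "-nBE2MCOdqEBfMaew_yxiGINxFxcYiZ_uhRVSjqyKqvC9wPfWyFM.t27mdaCQFGhlnavJHDQywkB4OJ4")


def classify(host: str, path: str, ua: str) -> List[str]:
    """Return every reason a request matches the sample's traffic pattern."""
    reasons = []
    host = host.lower()
    if host in REPORT_HOSTS:
        reasons.append("host listed in report")
    if CHROME_EXT_ID.match(host):
        # Not a DNS name: it only resolves if the hosts file was edited,
        # which the File activity section shows happening.
        reasons.append("extension-id hostname")
    if path.startswith(PING_PATHS):
        reasons.append("install-tracking endpoint")
    if path.startswith(FETCH_PATHS) and "/." in path:
        reasons.append("signed-token fetch")
    # NSISDL alone is too common to alert on; only add it to an existing match.
    if reasons and ua.startswith("NSISDL/"):
        reasons.append("NSIS downloader user-agent")
    return reasons


def detect(lines: List[str]) -> List[Dict[str, object]]:
    """Parse constructed-format log lines and keep those with at least one reason."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        reasons = classify(m["host"], m["path"], m["ua"])
        if reasons:
            hits.append({"host": m["host"], "path": m["path"], "reasons": reasons})
    return hits


def _looks_zlib(raw: bytes) -> bool:
    """RFC 1950 header: CM=8 (deflate) and the 16-bit header is a multiple of 31."""
    return len(raw) >= 2 and (raw[0] & 0x0F) == 8 and ((raw[0] << 8) | raw[1]) % 31 == 0


def decode_token(path: str) -> Optional[Dict[str, object]]:
    """Split a '/.payload.signature' path token; inflate the payload if it is zlib.

    Returns None when the last path segment does not have that shape. The
    inflated payload is left as bytes for the analyst; nothing is assumed
    about its content.
    """
    seg = path.rstrip("/").rsplit("/", 1)[-1]
    if not seg.startswith(".") or seg.count(".") != 2:
        return None
    _, payload_b64, sig_b64 = seg.split(".")
    raw = base64.urlsafe_b64decode(payload_b64 + "=" * (-len(payload_b64) % 4))
    sig = base64.urlsafe_b64decode(sig_b64 + "=" * (-len(sig_b64) % 4))
    inflated = None
    if _looks_zlib(raw):
        try:
            inflated = zlib.decompress(raw)
        except zlib.error:
            inflated = None
    return {"zlib": _looks_zlib(raw), "sig_len": len(sig), "payload": inflated}


WINHTTP_UA = "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

# Constructed log lines (layout is ours; values come from the capture). The
# last line is a benign NSIS download and must not be flagged.
SAMPLE_LOG = [
    'www.installping5.info GET /id-check/c62e94071dfd4f9df8f37d998ede05ad/ "NSISDL/1.2 (Mozilla)"',
    f'www.update-srv.info GET /latest/crx/{TOKEN} "{WINHTTP_UA}"',
    f'fjnoekdlmmjagmmlchagfonjgbioomoo GET /latest/crx/{TOKEN} "{WINHTTP_UA}"',
    'www.example.com GET /setup.exe "NSISDL/1.2 (Mozilla)"',
]

if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit["host"], hit["path"][:40], hit["reasons"])
    print(decode_token("/latest/crx/" + TOKEN))
```

The two 32-hex tokens in the ping URLs (c62e9407... and b319454c...) are stable across all four pings and look like per-install or per-machine identifiers; carrying them over into a proxy search is a quick way to find other hosts that ran the same dropper.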
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
bservice.exe_4048:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
bservice.pdb
KERNEL32.dll
SetWindowsHookExW
UnhookWindowsHookEx
USER32.dll
SHLWAPI.dll
GetProcessHeap
GetCPInfo
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
USER32.DLL
bhelper.dll
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_bhelper_mutex0
%Program Files%\Bench\BService\1.1\bservice.exe
fservice.exe_296:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\Work\canvas-kango\misc\FirefoxHook\bin\fservice.pdb
GetProcessHeap
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
SHLWAPI.dll
GetCPInfo
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
fhelper.dll
Global\{99C44C16-7756-43C1-8225-7AA442EA393E}_fhelper_mutex0
%Program Files%\Bench\FService\1.1\fservice.exe
cservice.exe_3484:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
D:\Users\craig\Documents\canvas-kango\framework\installer\cservice.pdb
GetProcessHeap
KERNEL32.dll
UnhookWindowsHookEx
SetWindowsHookExW
USER32.dll
SHLWAPI.dll
GetCPInfo
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
kernel32.dll
USER32.DLL
chelper.dll
Global\{0CF04375-3346-4EF0-B153-8378FF716E2C}_chelper_mutex0
%Program Files%\Bench\CService\1.0\cservice.exe
wd.exe_2788:
.text
`.rdata
@.data
.rsrc
@.reloc
operator
GetProcessWindowStation
wd.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegOpenKeyExW
ADVAPI32.dll
ShellExecuteW
SHELL32.dll
GetCPInfo
combase.dll
mscoree.dll
- floating point support not loaded
- CRT not initialized
- Attempt to initialize the CRT more than once.
USER32.DLL
kernel32.dll
Global\{4B5DC379-ED06-4552-A736-414A1570C24F}_watchdog_mutex0
\bservice.exe
bservice.exe
\bservice64.exe
bservice64.exe
\cservice.exe
cservice.exe
\cservice64.exe
cservice64.exe
\fservice.exe
fservice.exe
\fservice64.exe
fservice64.exe
%Program Files%\Bench\Wd\wd.exe