not-a-virus:HEUR:AdWare.NSIS.TornTV.gen (Kaspersky), Adware.Win32.Downware.FD, Trojan.NSIS.StartPage.FD, AdwareDownware.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 75098bd8427ac62d0d2935a1e9839d4c
SHA1: 7eff336d40d0af824c74e939cdf46b1ecb6c2353
SHA256: 319f7e2763a4cae88b45a889f10727e6d0c9dceab022a12defa51e4d26ca72cb
SSDeep: 6144:Usi1UxL5tTc9DNVel 6QXWZ4t8bHUmgKaA7cUGg:O1yF5c9DNgs6QftSgo
Size: 263128 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:46
Analyzed on: Windows7 SP1 32-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
No processes have been created.
The Adware injects its code into the following process(es):
%original file name%.exe:2264
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2264 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept3.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\decline.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA3AE.tmp (14947 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\inetc3.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MainPackFA2703[1].htm (544 bytes)
The Adware deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA3AD.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\gC0 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp (0 bytes)
Registry activity
The process %original file name%.exe:2264 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\1ClickDownload]
"LastInstall0" = "30551019"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3B 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\1ClickDownload]
"UID" = "284555269"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\75098bd8427ac62d0d2935a1e9839d4c_RASAPI32]
"EnableFileTracing" = "0"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Adware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\System.dll |
9d8ce05f532dc7b5742831ec8a63c2d8 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\inetc3.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\nsDialogs.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept3.bmp (784 bytes)
%Program Files%\1ClickDownload\ocmainpack.exe (544 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\skip.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\nsDialogs.dll (21 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\save.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\decline.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\1clogo.bmp (4992 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept1.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept2.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nslA3AE.tmp (14947 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\inetc3.dll (812 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\anon.bmp (2 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\accept.bmp (784 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4ZZNMJGQ\MainPackFA2703[1].htm (544 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 372736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 520192 | 16592 | 16896 | 4.13874 | 8091b1378d82973015f802c93eb88bab |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 211
Network Activity
URLs
URL | IP |
---|---|
hxxp://data.downloadstarter.net/country.asp?st=-1&uid=284555269&tuid=3090537&sref=1CD_16_28_trze7&vmdt=\|vm\|&bld=16CJ | 146.148.42.217 |
hxxp://files.download1click.ws/MainPackFA2703.exe | 64.70.19.203 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MainPackFA2703.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: files.download1click.ws
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.3
Date: Fri, 21 Oct 2016 22:33:57 GMT
Content-Type: text/html; charset=ISO-8859-1
Content-Length: 544
Connection: keep-alive
<html>
<head>
<title>WEBSITE.WS - Your Internet Address For Life™</title>
</head>
<frameset rows="100%,*" border="0" frameborder="0">
<frame src="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic" scrolling="auto">
<noframes>
<p> Your browser does not support frames. Continue to <a href="hXXps://VVV.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic">hXXps://www.worldsite.ws/idn-orderflow/index.dhtml?view=advanced&sponsor=idntraffic</a>.</p>
</noframes>
</frameset>
</html>
<<< skipped >>>
Map
The Adware connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2264:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
ers\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\nsDialogs.dll
.magnet
ectly,John_Green_Looking_For_Alaska_[AudioBook]_rar.exe,ca
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp\nsDialogs.dll
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsbA3BF.tmp
M.QE*d
H%cXvE
%%8X,
Windows
F.tmp\skip.bmp", i 0, i 0, i 0, i 0x2000|0x0010) i.s
hn_Green_Looking_For_Alaska_[AudioBook]_rar.exe,ca
iles\1ClickDownload\1ClickDownloader.exe
5XU4RDGCJT3Q&note=1clickdownloader_is_NOT_downloading_any_file_directly,John_Green_Looking_For_Alaska_[AudioBook]_rar.exe,ca
284555269
41305306
427ac62d0d2935a1e9839d4c.exe
2845552
59532869
1929708805
ownload.sweetpacks.com/simsdm/bundle/
ram Files\Internet Explorer\iexplore.exe
n_Looking_For_Alaska_[AudioBook]_rar.exe
601.17514
c:\%original file name%.exe
C:\Users\"%CurrentUserName%"\Desktop
%Program Files%\1ClickDownload
nsbA3BF.tmp
%original file name%.exe
ers\"%CurrentUserName%"\AppData\Local\Temp\nslA3AD.tmp
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\
hXXp://files.download1click.ws/MainPackFA2703.exe
hXXp://files.download1click.ws/gzip2.exe
hXXp://data.downloadstarter.net/
hXXp://files.download1click.ws/ARURUSetup.exe
hXXp://files.download1click.ws/ARUARSetup.exe
hXXp://files.download1click.ws/BTB0612.exe
hXXp://cdn.download.sweetpacks.com/simsdm/bundle/BundleSweetIMSetup.exe
hXXp://files.download1click.ws/FmoodsV21.exe
hXXp://files.download1click.ws/IminentSetup5.exe
hXXp://files.download1click.ws/.exe
hXXp://files.download1click.ws/weatherbugsetup.msi
hXXp://files.download1click.ws/IWantThisSetupRS.exe
hXXp://files.download1click.ws/ciuvoSetup.exe
hXXp://files.download1click.ws/incredibar_install3.exe
hXXp://download.sterkly.com/DropDownDeals-S-Setup_Suite1.exe
hXXp://download.sterkly.com/FreeTwitTube-S-Setup_Suite1.exe
hXXp://download.sterkly.com/yontoo-b2.exe
hXXp://download.sterkly.com/ezLooker-S-Setup_Suite1.exe
hXXp://download.sterkly.com/BestVideoDownloader-S-Setup_Suite2.exe
hXXp://files.download1click.ws/GophotoExtSetup.exe
hXXp://files.download1click.ws/OneClickExt1_filter03.exe
hXXp://files.download1click.ws/OneClickExt1_filter13.exe
Inetc3 (Mozilla; FW 4; WinNT 6.1; msi 5.0.7601.17514; dbw ie; yo ;)
Software\Microsoft\Windows\CurrentVersion\Uninstall\1ClickDownload
1409943333
3090537
trze7,magnet:?xt=urn:btih:MQYT4KGSTDFTB5Z6LDCE5XU4RDGCJT3Q&note=1clickdownloader_is_NOT_downloading_any_file_directly,John_Green_Looking_For_Alaska_[AudioBook]_rar.exe,ca
ocmainpack.exe
889521367
268764302
268764312
352651078
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
285869200
285869212
285869201
386531899
386531855
252314145
319423643
285869189
185206273
503973363
1862926919
John_Green_Looking_For_Alaska_[AudioBook]_rar.exe
30551019
VVV.oneclickdownloader.com
sbiectrl.exe
vmtoolsd.exe
prl_cc.exe
coherence.exe
VirtualBox.exe
VBoxSVC.exe
DrWeb
%Program Files%\1ClickDownload\John_Green_Looking_For_Alaska_[AudioBook]_rar.magnet
)-.Yln
Nullsoft Install System v2.46
%original file name%.exe_2264_rwx_10004000_00001000:
callback%d