Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS) Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4187459c7ebd96538cb8b3138de6f16e
SHA1: f2dab5181b365f1e5534e9f9e4c3fda045a44f70
SHA256: eedf50c9e6cc3a08f87c9511f158731c4383f6464c2dd99adee985c4c08f055f
SSDeep: 12288:NxpJgJzNGqv7K8sobvmEenOnseuE6FkhGS3piBNY:/p23jDK8R7enOnb3GBY
Size: 810784 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-06-22 21:07:51
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
No processes have been created.
The Trojan injects its code into the following process(es):
%original file name%.exe:312
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:312 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\downloads.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\service_registry.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\bit.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\win32_constants.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\version.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\mime\core.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\core.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\bundleinstall.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\AdvancedTests.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\wintypes.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\packaged_app.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\mime.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\__web.xml (239548 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\DownloadList.lua (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\notifyicon.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\main.css (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\utils.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\DownloadThread.lua (581 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skipall.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\GuiInit.lua (5520 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\uistate.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\sandbox.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\compat.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\definitions.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\cancel.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\socket\core.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\extension.tlb (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\ftp.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\IntegratedOffer.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\decline.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\luaxml.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\Events.lua (912 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\default_logo.png (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\browserutils.dll (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nse2.tmp (46579 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\http.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skin.png (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\http.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\run.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\eagerinstall.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin.zip (9476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\ftp.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\save.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\env.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\wininet_h.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\scheduler.lua (7 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\processfreefile.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\BrowserControl.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\ltn12.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\minify.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\luacom.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\url.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\lua51.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\skin.psd (42457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\callbackproxy.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\ffi.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\options.json (197 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\step_off.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\smtp.lua (8 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\tp.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\json.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\wininet\defs.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp\LuaSocket\lua\socket\url.lua (10 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst3.tmp (0 bytes)
Registry activity
The process %original file name%.exe:312 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 12 4A 38 4C 59 6E 76 C9 35 FA BE 5E DD DE B8"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
0f26c6d34d3841e93145dd00d0175651 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\FloatingProgress.dll |
ff60d18a83e7f2ad04a3c2260af6d4f3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaBridge.dll |
4a4845ba1666907f708c9c10a31ec227 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaSocket\mime\core.dll |
4bf7db111acfa7c28ad36606107b3322 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaSocket\socket\core.dll |
7292b642bd958aeb7fd7cfd19e45b068 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\LuaXml_lib.dll |
7e3c808299aa2c405dffa864471ddb7f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\System.dll |
d02a497be5f89c44827f142c4662f591 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\UACInfo.dll |
0a29e1b270ccea61aba7d7cdd10e0388 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\bit.dll |
dd8a05024e825f75d3d151ea84bf414e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\browserutils.dll |
e390287499549de31da007f7f0ae4d10 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\ffi.dll |
ae78815c8dbfcd6bd86b62fdd68665b4 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\lua51.dll |
b991f57d815ca821cdb42d2792db366f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\luacom.dll |
692479f7c07a64a6a632148e382f0e22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\nsis7z.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\nsisunz.dll |
5694e7daf20c47c8d5e73d4a838c2ee6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\un.package.exe |
ebc5bb904cdac1c67ada3fa733229966 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nst3.tmp\version.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager): No processes have been created.
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
(the same files listed under File activity above)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23294 | 23552 | 4.47651 | ad2ebf079e89cd95e3fda4bd0b869620 |
.rdata | 28672 | 5272 | 5632 | 3.56156 | 45097a769b809e006a7e5c1f08e7cba2 |
.data | 36864 | 109756 | 512 | 0.972488 | 4b5dfd97899e385b2193064eb045da6b |
.ndata | 147456 | 180224 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 327680 | 191864 | 192000 | 2.99247 | 554a7d3d339145a1303886e702c5b27f |
.reloc | 520192 | 2680 | 3072 | 0 | d2a70550489de356a2cd6bfc40711204 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 3128
Network Activity
URLs
URL | IP |
---|---|
hxxp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US | 50.22.63.140 |
hxxp://a728.g.akamai.net/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip | |
hxxp://service.downloadadmin.com/env?productKey=&s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=UA | 50.22.63.140 |
hxxp://mirror.downloadnet1210.com/skins/da/11122015/megazord_darkskin_nondlm_cancel.zip | 212.30.134.158 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /skins/da/11122015/megazord_darkskin_nondlm_cancel.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)
Host: mirror.downloadnet1210.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "398d4b8eeb1f419a51f5c199a58139a2:1447358884"
Last-Modified: Thu, 12 Nov 2015 20:08:04 GMT
Accept-Ranges: bytes
Content-Length: 73310
Content-Type: application/zip
Date: Sun, 03 Apr 2016 09:15:08 GMT
Connection: keep-alive
<<< skipped >>>
GET /install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US
User-Agent: Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 03 Apr 2016 09:15:02 GMT
Age: 0
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<Installer>. <Bundle>. <LinkBelowEula>false</LinkBelowEula>. <OptInDefault>false</OptInDefault>. <ProductBinary embed="false" msioptions="" options="">hXXp://mirror.ramtransmission.info/binstallers/BM2/blank/exe/blank.upx.exe</ProductBinary>. <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1210.com/binstallers/BM2/winstat/ipage/browser_628.mht</ProductEula>. <Primary>true</Primary>. <ProductId>961486</ProductId>. <ProductName>Browser Update</ProductName>. <Scramble>false</Scramble>. </Bundle>. <Bundle>. <Category>toolbar, search, home</Category>. <CustomParameter Name="advertisername">Findwide</CustomParameter>. <If>. <Or>. <Not>. <Env property="custom.invm" op="=" value="true"/>. </Not>. <Env property="custom.partner" op="=" value="test"/>. </Or>. <Or>. <Env property="custom.region" op="=" value="US"/>. <Env property="custom.region" op="=" value="us"/>. </Or>. <Not>. <Env property="custom.browserName" op="=" value="Chrome"/>. </Not>.
<<< skipped >>>
GET /env?productKey=&s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=UA HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US
X-Exename: %original file name%.exe
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?s=41&c=16863824&brand=winstat.us&pid=adshore&aid=16841265&bc=965562&country=US
User-Agent: Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Sun, 03 Apr 2016 09:15:09 GMT
Age: 0
X-Cache: MISS
00d3c..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:SearchProtect (US) (Master) (Regkey)">true</Entry><Entry name="over-threshold:GeekBuddy (US)">true</Entry><Entry name="over-threshold:Wajam (US)">true</Entry><Entry name="over-threshold:Super Optimizer (US)">true</Entry><Entry name="over-threshold:Cassiopesa (CA)">true</Entry><Entry name="over-threshold:Cassiopesa (FR)">true</Entry><Entry name="over-threshold:CrimeWatch (CA)">true</Entry><Entry name="over-threshold:PremierOpinion (FR)">true</Entry><Entry name="over-threshold:WebDiscover (FR)">true</Entry><Entry name="over-threshold:Web Bar (FR)">true</Entry><Entry name="over-threshold:Lolliscan (FR)">true</Entry><Entry name="over-threshold:Cassiopesa (DE)">true</Entry><Entry name="over-threshold:SafeFinder (DE)">true</Entry><Entry name="over-threshold:SafeFinder (CA)">true</Entry><Entry name="over-threshold:Cassiopesa (IT)">true</Entry><Entry name="over-threshold:Cassiopesa (ES)">true</Entry><Entry name="over-threshold:SafeFinder (UA)">true</Entry><Entry name="over-threshold:SafeFinder (BR)">true</Entry><Entry name="over-threshold:SafeFinder (VN)">true</Entry><Entry name="over-threshold:SafeFinder (RU)">true</Entry><Entry name="over-threshold:
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_312:
.text
`.rdata
@.data
.ndata
.rsrc
@.reloc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|/":
%s=%s
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\LuaBridge.dll
ss.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nst3.tmp
ns\UrlAssociations\http\UserChoice
C:\Nsis\Browser-%s
nswebForwarder
CustomNsWebContainer
`'\%D,3
WININET.dll
GetProcessHeap
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
1 1$1(1,10141
.reloc
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
#-,.mT:
!$"'(!((!$&
##-,#1.#0- !%
! .76:76:*),
#" *#1.#1.!#&
nst3.tmp
-exec
pdate]],0x00040000) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/ComboScreen/setup.exe.nsi:Line 1221.2
xe.nsi:Line 1096.2
tartTime=519437;pid=312)]]}) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/ComboScreen/setup.exe.nsi:Line 999.2
Tightrope Bundle Manager(ref=[592c855766057b95c4f77fda29f2cd1a2c183dc4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=519437;pid=312)
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsy1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
5334543
8664755
8760876
Nullsoft Install System vtightrope
com.build.date
2/4/2014
com.build.dir
C:\BM\2.5\WebTemplates
com.build.id
com.build.machine
com.build.skin
com.build.time
com.build.user
$%USER%
%original file name%.exe_312_rwx_10004000_00001000:
callback%d