Trojan.NSIS.StartPage.FD, SearchProtectToolbar_pcap.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 5009cde07a384fad0d1d2ddb4fc03d6c
SHA1: 45f75610c8ad14ac43f98b28eda01fac5b99eb43
SHA256: b7d2698234a3ae196e4c43ccd30e0e06af9683f7374d118505000da0d3f666b6
SSDeep: 12288:f/wAfXETz9n2YwyuqlsnBj4W7rtV0nFwrO1jav95fT9bfYEsz91r5Wg0kU6iirfg:gAPg9n2BdBj4W/toFw0q95LtYEsz91di
Size: 674088 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-05-20 20:10:03
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:2016
%original file name%.exe:1336
The Trojan injects its code into the following process(es):
%original file name%.exe:1352
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1352 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\main.css (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\05d97e6e9834ccf063c552e404b9ecafc5e4d662.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c5bfcd4d85ffe4e22099630f8abb9b98b714e7e0.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cc9afe3271c429b15e72e21f6d4fb371283a4843.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\versioninfo.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\142f817c3ec0586de0f960c1c0483043b61a0d06.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\8171799b04351aef58c38f5109cd1ef7a43d20d0.lua (826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\default_logo.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\389da82bc55b853a5b301d1ded34c566dbac4d4f.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\051b9663e868ce31e198a113ab8583e4975333cc.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step1.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f49f0cb90d014cf5c8ac1925a9478d720c972747.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\72ed3d41d77b75b2612d44bc1df80903b476928b.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fe80be6cc93b6dd7bc3fadf2c043443a64eb487f.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fb9a971095becfd9b1e850eb6279c1348b614289.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\6ee341160694a1164db3bdcdb8a5bdf67cb8e295.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1d76390fb3b717cf3455968a560ca5420e3de218.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c6d51ab09f96b7569326130e860517b7d87e866d.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\632078f327839b0df0b12da37f835169172076ee.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepAdv.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\672305f73718cddf94bb13e3c100dc29b8397598.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\lua51.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c1c6244f2ae1702a3000c622f7096790af0fce54.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\364a4e2a5b8a1bf8e9d7bd8564dd4847bc2d4dda.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step2.lua (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1feb3ea612cdf9b90056427956a6421e260272ab.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\bf87348c373b422b894b2aa91466db367ea80aaa.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_off.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cf7afea710adf5a4494f7eea03db9c908baf9a8f.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\cancel.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7d4b85d62fb353e7a43256f40d539ceb6fd06006.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c27913efc6edcc938c504fa24651c7f3d95f51cc.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c9f011a4972686d5e6b3011c1f3d869999161f98.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\897d21056a341314b60764c31b36c1fad542e78a.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\526e1aa5c4ffd23f07dd88b5fb40e6f2e034caef.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\87a5250e7389d052be3fdc257872ebd873ef2deb.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\e7a170af4b32945995cc5d1f1aee630920f88095.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b2584cd1b859d0b92b2ad88463adbe6757e8ae1.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\extension.tlb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0ec81897a17fb0f84013e683b09bb6f0c8d42cd8.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7c5fb38f536c5e201a10ce382c0756a186346bc2.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\3dec5266be16767074bd7e633762711cad92c73c.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f45008e3c900e7920effac3ed6f377dd0caf0cf1.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin.zip (6532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a2a55e68a147ddb026454c38213bc01a3979f52c.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (49455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1370ebd534807c69ad0db6461cbf3f3fd03c434f.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f44b567e3a3a123bcabbee52004a1b32b680a84e.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\skin.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\21bf231e6241de6c31600941d84be38815e28488.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\920f8f5815b381ea692e9e7c2f7119f2b1aa620a.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepInt.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7a0c7559331d92414337ab9237a8a62c13d544ee.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a317db596f44efe64d2468fcc06f25e9e5c24881.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\083e81bd6d4ed3f8c712846787b4588d08f99e95.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b33b2bde409277581a53da83ac5b1bfdcf29afa.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\2ef40efb3ce47d8141682e9cd50f9848be24fcd8.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fcdcfb4437ad8599b23f499b563e237a464ff441.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f40368059830399ce8189100003d317f2739d087.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step_d.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\78e7626f746ee5577b52d70f6be23e4200f721f1.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\b67dd0daccce8aa22f9ae05b1ba94204e35079c1.lua (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\845c4cc600dfc06afce750ce6b8870433b7d47ec.lua (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\590f6cae552c6eb2859cbad0ffbdbd5571946df4.lua (12 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\026e996a3a5897970b058ffb093a163a1d763649.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1db41df8dccf7e3b03a1b1cd221519090170ae52.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\9ed037b84943c4caa3a520e48a5540181c46c98c.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\decline.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\__web.xml (259561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\00dd744df5073c5ea8e44a65021a773b42bddf79.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0016e501ecf62f9d1e0ea5ff98d62e9163b91e1a.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\options.json (200 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi7.tmp (0 bytes)
The process %original file name%.exe:2016 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (6428 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp (0 bytes)
The process %original file name%.exe:1336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (6428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp\LuaBridge.dll (1856 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp\LuaBridge.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw4.tmp (0 bytes)
Registry activity
The process %original file name%.exe:1352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Video" = ""
"NetHood" = "%Documents and Settings%\%current user%\NetHood"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Fonts" = "%WinDir%\Fonts"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"PrintHood" = "%Documents and Settings%\%current user%\PrintHood"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Templates" = "%Documents and Settings%\%current user%\Templates"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Administrative Tools" = ""
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"SendTo" = "%Documents and Settings%\%current user%\SendTo"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Music" = "%Documents and Settings%\%current user%\My Documents\My Music"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "3D A9 14 A3 24 11 0A 0E E6 87 B3 D2 2A 90 0C 67"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CD Burning" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\CD Burning"
"Recent" = "%Documents and Settings%\%current user%\Recent"
"Favorites" = "%Documents and Settings%\%current user%\Favorites"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:2016 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EA 77 71 BB 90 07 B3 D0 5E 01 92 28 17 B5 12 D6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "61 AC 9A 95 9C C8 AF 8C 05 DC 01 C4 55 50 7D 40"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh6.tmp\LuaBridge.dll,"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
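The PendingFileRenameOperations value set by process 1336 above is how Windows records a MoveFileEx request made with MOVEFILE_DELAY_UNTIL_REBOOT: the REG_MULTI_SZ holds source/target pairs, and an empty target (the trailing comma in the report's rendering) means the Session Manager deletes the source at the next boot. The natural reading, that the installer could not remove its unpacked LuaBridge.dll while the plugin was still loaded and therefore deferred the delete, is an interpretation by the editor, not something the report states. The script below is an added example by the editor, not code from the report or from Lavasoft. It decodes the value in both the list form a registry read returns and the comma-joined string form printed above (REPORT_VALUE is a constructed copy of that line), and flags deferred deletes under a Temp directory; LEGIT_VALUE is a constructed sample of what an ordinary in-place upgrade of a locked DLL looks like.

```python
import re

# The key is REG_MULTI_SZ: entries are consumed in pairs (source, target).
# An empty target means "delete source at next boot"; a '!' prefix on the
# target means "replace the target even if it already exists".
PFRO_KEY = r"HKLM\System\CurrentControlSet\Control\Session Manager"
PFRO_VALUE = "PendingFileRenameOperations"

# Sources and targets are NT paths; strip the \??\ prefix for readability.
NT_PREFIX_RE = re.compile(r"^\\\?\?\\")


def _entries_from_report(rendered):
    """Split the report's comma-joined rendering back into MULTI_SZ entries.

    The analysis system printed the value as one string with entries joined
    by ','; a trailing ',' therefore encodes the empty target string that
    marks a deletion. Only use this for the report text: a real path may
    contain commas, so read the live value as a list instead.
    """
    return rendered.split(",")


def parse_pending_renames(value):
    """Return (op, source, target) tuples from a PendingFileRenameOperations value.

    `value` is either the list of strings a registry read returns or the
    comma-joined string form used in this report.
    """
    entries = value if isinstance(value, list) else _entries_from_report(value)
    if len(entries) % 2:
        entries = entries + [""]  # tolerate a dangling source with no target
    ops = []
    for src, dst in zip(entries[0::2], entries[1::2]):
        src = NT_PREFIX_RE.sub("", src)
        if dst == "":
            ops.append(("delete", src, None))
        else:
            ops.append(("rename", src, NT_PREFIX_RE.sub("", dst.lstrip("!"))))
    return ops


def suspicious_ops(ops, temp_markers=("\\temp\\",)):
    """Flag deferred deletes of files that live under a Temp directory.

    An installer upgrading a locked DLL normally schedules a *rename* into
    Program Files or System32. A deferred *delete* of %Temp%\\ns*.tmp\\<x>.dll
    is what an NSIS package leaves behind when it cannot remove a plugin it
    unpacked, which is the shape of the value shown in this report.
    """
    return [
        op for op in ops
        if op[0] == "delete" and any(m in op[1].lower() for m in temp_markers)
    ]


# Constructed sample: the value exactly as this report renders it.
REPORT_VALUE = r'\??\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsh6.tmp\LuaBridge.dll,'

# Constructed sample: a benign in-place upgrade of a locked DLL (hypothetical
# product "Foo"), for contrast.
LEGIT_VALUE = [
    r"\??\C:\Program Files\Foo\foo.dll.tmp",
    r"!\??\C:\Program Files\Foo\foo.dll",
]

if __name__ == "__main__":
    for label, value in (("report", REPORT_VALUE), ("legit", LEGIT_VALUE)):
        ops = parse_pending_renames(value)
        print(label, ops, "flagged:", suspicious_ops(ops))
```

Until the host reboots, the file named in a deferred delete is usually still on disk, so it can be collected before the Session Manager removes it; after a reboot, this registry value (or its absence) is often the only trace that the scratch DLL ever existed.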
Dropped PE files
MD5 | File path |
---|---|
0a29e1b270ccea61aba7d7cdd10e0388 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\026e996a3a5897970b058ffb093a163a1d763649.dll |
00e96680218c3a07510a44ddb9f158b0 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\0ec81897a17fb0f84013e683b09bb6f0c8d42cd8.dll |
e390287499549de31da007f7f0ae4d10 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\1370ebd534807c69ad0db6461cbf3f3fd03c434f.dll |
b991f57d815ca821cdb42d2792db366f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\1feb3ea612cdf9b90056427956a6421e260272ab.dll |
e626f4baffc82488c1efd873c250fb09 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\672305f73718cddf94bb13e3c100dc29b8397598.dll |
4bf7db111acfa7c28ad36606107b3322 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\87a5250e7389d052be3fdc257872ebd873ef2deb.dll |
0f26c6d34d3841e93145dd00d0175651 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\FloatingProgress.dll |
4e08fe995ab74ba4d145ddb77ea095fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\LuaBridge.dll |
7292b642bd958aeb7fd7cfd19e45b068 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\LuaXml_lib.dll |
7e3c808299aa2c405dffa864471ddb7f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\System.dll |
d02a497be5f89c44827f142c4662f591 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\UACInfo.dll |
4a4845ba1666907f708c9c10a31ec227 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\f40368059830399ce8189100003d317f2739d087.dll |
fceee0026aafd237afdb4aea4ecd3557 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\lua51.dll |
692479f7c07a64a6a632148e382f0e22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\nsis7z.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\nsisunz.dll |
5694e7daf20c47c8d5e73d4a838c2ee6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\un.package.exe |
ebc5bb904cdac1c67ada3fa733229966 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\versioninfo.dll |
4e08fe995ab74ba4d145ddb77ea095fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh6.tmp\LuaBridge.dll |
4e08fe995ab74ba4d145ddb77ea095fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw3.tmp\LuaBridge.dll |
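Because NSIS unpacks into a freshly named %Temp%\ns*.tmp directory on every run, the three LuaBridge.dll rows above (nsd9.tmp, nsh6.tmp, nsw3.tmp) are one dropped file seen three times, and the literal paths make poor indicators. The script below is an added example by the editor, not part of the Lavasoft report or of any Lavasoft tool. It parses rows copied from the table above (embedded inline as a constructed sample), collapses the per-user and per-run path segments, groups what remains by MD5, and turns each indicator into a regex that also matches the Vista+ profile layout. The STOCK_NSIS_DLLS list and the sample host telemetry are assumptions made for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the "Dropped PE files" table above,
# so the example runs offline against this report's own data.
DROPPED_PE_TABLE = r"""
4e08fe995ab74ba4d145ddb77ea095fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\LuaBridge.dll |
7e3c808299aa2c405dffa864471ddb7f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\System.dll |
692479f7c07a64a6a632148e382f0e22 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\nsis7z.dll |
0a29e1b270ccea61aba7d7cdd10e0388 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\026e996a3a5897970b058ffb093a163a1d763649.dll |
fceee0026aafd237afdb4aea4ecd3557 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd9.tmp\lua51.dll |
4e08fe995ab74ba4d145ddb77ea095fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsh6.tmp\LuaBridge.dll |
4e08fe995ab74ba4d145ddb77ea095fc | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsw3.tmp\LuaBridge.dll |
"""

# Stock NSIS plugin/helper names that ship with many legitimate installers.
# Assumption: this list is the editor's, not the report's; a hit on one of
# these is low confidence on its own.
STOCK_NSIS_DLLS = {"system.dll", "nsis7z.dll", "nsisunz.dll", "versioninfo.dll"}

ROW_RE = re.compile(r"^([0-9a-f]{32})\s*\|\s*(.+?)\s*\|?\s*$", re.IGNORECASE)
# NSIS unpacks to %TEMP%\ns<random>.tmp; the directory name changes every run.
NSIS_TMP_RE = re.compile(r"\\ns[a-z0-9]+\.tmp\\", re.IGNORECASE)


def parse_dropped_pe(table):
    """Return (md5, path) pairs from the report's 'MD5 | File path |' rows."""
    rows = []
    for line in table.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append((m.group(1).lower(), m.group(2)))
    return rows


def normalize_path(path):
    """Collapse the per-user and per-run parts of a dropped-file path.

    Everything up to and including '\\Temp\\' becomes '%Temp%\\', and the
    random NSIS scratch directory becomes 'ns*.tmp', so the same file seen
    in nsd9.tmp, nsh6.tmp and nsw3.tmp yields one indicator.
    """
    idx = path.lower().find("\\temp\\")
    if idx != -1:
        path = "%Temp%\\" + path[idx + len("\\temp\\"):]
    return NSIS_TMP_RE.sub(r"\\ns*.tmp\\", path)


def build_indicators(rows):
    """Group normalized paths by MD5 and mark which names are stock NSIS plugins."""
    by_md5 = defaultdict(set)
    for md5, path in rows:
        by_md5[md5].add(normalize_path(path))
    indicators = []
    for md5, paths in sorted(by_md5.items()):
        names = {p.rsplit("\\", 1)[-1].lower() for p in paths}
        indicators.append({
            "md5": md5,
            "paths": sorted(paths),
            "stock_nsis_plugin": names <= STOCK_NSIS_DLLS,
        })
    return indicators


def indicator_to_regex(norm_path):
    """Turn a normalized path into a regex usable against host telemetry.

    '%Temp%\\' may be any user's Temp directory (XP or Vista+ layout) and
    'ns*.tmp' any NSIS scratch directory name.
    """
    pattern = re.escape(norm_path)
    pattern = pattern.replace(re.escape("%Temp%\\"), r".*\\Temp\\")
    pattern = pattern.replace(re.escape("ns*.tmp"), r"ns[a-z0-9]+\.tmp")
    return re.compile("^" + pattern + "$", re.IGNORECASE)


def match_paths(indicators, observed_paths):
    """Return (md5, observed_path) for every observed path that hits an indicator."""
    hits = []
    for ind in indicators:
        for p in ind["paths"]:
            rx = indicator_to_regex(p)
            hits.extend((ind["md5"], o) for o in observed_paths if rx.match(o))
    return hits


if __name__ == "__main__":
    inds = build_indicators(parse_dropped_pe(DROPPED_PE_TABLE))
    # Constructed telemetry from a hypothetical Windows 7 host: a different
    # profile layout and a different NSIS scratch directory name.
    observed = [
        r"C:\Users\alice\AppData\Local\Temp\nsq2.tmp\LuaBridge.dll",
        r"C:\Users\alice\AppData\Local\Temp\nsq2.tmp\System.dll",
        r"C:\Users\alice\AppData\Local\Temp\7zS4F3.tmp\setup.exe",
    ]
    for md5, path in match_paths(inds, observed):
        print(md5, path)
```

A path hit on a stock plugin such as System.dll only says "an NSIS installer ran here"; the hash-named DLLs and LuaBridge.dll/lua51.dll are the rows worth pairing with the MD5 before treating a host as affected.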
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:2016
%original file name%.exe:1336
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\main.css (457 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\05d97e6e9834ccf063c552e404b9ecafc5e4d662.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsisunz.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c5bfcd4d85ffe4e22099630f8abb9b98b714e7e0.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cc9afe3271c429b15e72e21f6d4fb371283a4843.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\versioninfo.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\142f817c3ec0586de0f960c1c0483043b61a0d06.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\8171799b04351aef58c38f5109cd1ef7a43d20d0.lua (826 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\default_logo.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\389da82bc55b853a5b301d1ded34c566dbac4d4f.lua (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\051b9663e868ce31e198a113ab8583e4975333cc.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progressPause.gif (517 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress-bar.gif (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step1.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f49f0cb90d014cf5c8ac1925a9478d720c972747.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\72ed3d41d77b75b2612d44bc1df80903b476928b.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\jquery.js (6360 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Administrative Tools\desktop.ini (62 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fe80be6cc93b6dd7bc3fadf2c043443a64eb487f.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fb9a971095becfd9b1e850eb6279c1348b614289.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\6ee341160694a1164db3bdcdb8a5bdf67cb8e295.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.js (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\un.package.exe (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1d76390fb3b717cf3455968a560ca5420e3de218.lua (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\knockout.js (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c6d51ab09f96b7569326130e860517b7d87e866d.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\632078f327839b0df0b12da37f835169172076ee.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepAdv.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\.DS_Store (601 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept-lg.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\672305f73718cddf94bb13e3c100dc29b8397598.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\lua51.dll (9320 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c1c6244f2ae1702a3000c622f7096790af0fce54.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\364a4e2a5b8a1bf8e9d7bd8564dd4847bc2d4dda.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step2.lua (6584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1feb3ea612cdf9b90056427956a6421e260272ab.dll (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\bf87348c373b422b894b2aa91466db367ea80aaa.lua (310 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_off.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\cf7afea710adf5a4494f7eea03db9c908baf9a8f.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\cancel.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7d4b85d62fb353e7a43256f40d539ceb6fd06006.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c27913efc6edcc938c504fa24651c7f3d95f51cc.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\c9f011a4972686d5e6b3011c1f3d869999161f98.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\nsis7z.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\897d21056a341314b60764c31b36c1fad542e78a.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\526e1aa5c4ffd23f07dd88b5fb40e6f2e034caef.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\87a5250e7389d052be3fdc257872ebd873ef2deb.dll (2392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\e7a170af4b32945995cc5d1f1aee630920f88095.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b2584cd1b859d0b92b2ad88463adbe6757e8ae1.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\extension.tlb (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0ec81897a17fb0f84013e683b09bb6f0c8d42cd8.dll (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7c5fb38f536c5e201a10ce382c0756a186346bc2.lua (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\3dec5266be16767074bd7e633762711cad92c73c.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\next.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f45008e3c900e7920effac3ed6f377dd0caf0cf1.lua (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin.zip (6532 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\accept.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a2a55e68a147ddb026454c38213bc01a3979f52c.lua (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsx8.tmp (49455 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1370ebd534807c69ad0db6461cbf3f3fd03c434f.dll (7192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f44b567e3a3a123bcabbee52004a1b32b680a84e.lua (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\back.png (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\skin.png (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\System.dll (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\21bf231e6241de6c31600941d84be38815e28488.lua (302 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\920f8f5815b381ea692e9e7c2f7119f2b1aa620a.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\UACInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_bg.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\FloatingProgress.dll (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaXml_lib.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\stepInt.lua (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7a0c7559331d92414337ab9237a8a62c13d544ee.lua (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\a317db596f44efe64d2468fcc06f25e9e5c24881.lua (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\083e81bd6d4ed3f8c712846787b4588d08f99e95.lua (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\7b33b2bde409277581a53da83ac5b1bfdcf29afa.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\2ef40efb3ce47d8141682e9cd50f9848be24fcd8.lua (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\progress.gif (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\fcdcfb4437ad8599b23f499b563e237a464ff441.lua (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\close.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\f40368059830399ce8189100003d317f2739d087.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\step_d.lua (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\78e7626f746ee5577b52d70f6be23e4200f721f1.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\index.html (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\step_on.png (999 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\b67dd0daccce8aa22f9ae05b1ba94204e35079c1.lua (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\845c4cc600dfc06afce750ce6b8870433b7d47ec.lua (857 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\res\common.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\590f6cae552c6eb2859cbad0ffbdbd5571946df4.lua (12 bytes)
%Documents and Settings%\%current user%\My Documents\My Videos\Desktop.ini (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\026e996a3a5897970b058ffb093a163a1d763649.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\1db41df8dccf7e3b03a1b1cd221519090170ae52.lua (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\9ed037b84943c4caa3a520e48a5540181c46c98c.lua (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\assets\decline.png (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\__web.xml (259561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\00dd744df5073c5ea8e44a65021a773b42bddf79.lua (462 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\0016e501ecf62f9d1e0ea5ff98d62e9163b91e1a.lua (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd9.tmp\skin\options.json (200 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw3.tmp\LuaBridge.dll (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb2.tmp (6428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsr5.tmp (6428 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh6.tmp\LuaBridge.dll (1856 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 24196 | 24576 | 4.47434 | 537319dcfaf4d45886bc9abaea2c0db1 |
.rdata | 28672 | 5734 | 6144 | 3.58506 | 54a5edb17eb9f223693068d3a6d9948a |
.data | 36864 | 109968 | 512 | 1.65371 | 23b160b2b8c5b752bfc72cdef7cf2b55 |
.ndata | 147456 | 147456 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 294912 | 9096 | 9216 | 3.14352 | b7b0fcf34af11aa79981952514c0aa4a |
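The Entropy and Section MD5 columns above can be re-derived from the raw file with a short section-table parser. The following Python is an added example, not part of the Lavasoft report or of the analysed sample; it assumes that the Entropy column is Shannon entropy in bits per byte over each section's raw bytes and that Section MD5 is the MD5 of those same bytes (the .ndata row, with raw size 0, entropy 0 and the MD5 of the empty string, is consistent with that reading). The PE image it parses is a constructed minimal one so the script runs offline; pass the bytes of a real sample to pe_sections() to check a report's table against the file you actually have.

```python
"""Added example (not from the Lavasoft report or the analysed sample): rebuild the
"PE Sections" table columns, per-section entropy and MD5, from raw PE bytes.

Assumptions (labelled, not taken from the page): Entropy is Shannon entropy in
bits per byte of the section's raw bytes; Section MD5 is the MD5 of those bytes.
The PE image below is constructed inline so the script runs offline."""
import hashlib
import math
import struct
from collections import Counter

# Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable, NumberOfSymbols,
# SizeOfOptionalHeader, Characteristics (20 bytes, little-endian)
COFF_HEADER = "<HHIIIHH"
# Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes)
SECTION_HEADER = "<8sIIIIIIHHI"


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for empty or single-valued data, 8.0 at most."""
    n = len(data)
    if n == 0:
        return 0.0
    ent = -sum((c / n) * math.log2(c / n) for c in Counter(data).values())
    return ent if ent else 0.0  # a single-valued buffer yields -0.0; normalise it


def pe_sections(image: bytes) -> list:
    """Parse the section table of a PE image without third-party libraries.

    Returns one dict per section with the report's columns. A section whose
    SizeOfRawData is 0 (NSIS keeps its uninitialised .ndata this way) hashes to
    the MD5 of the empty string, d41d8cd98f00b204e9800998ecf8427e, with entropy 0,
    which is exactly the .ndata row of the table above."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4
    _, nsec, _, _, _, size_opt, _ = struct.unpack_from(COFF_HEADER, image, coff)
    table = coff + struct.calcsize(COFF_HEADER) + size_opt
    rows = []
    for i in range(nsec):
        name, vsize, vaddr, rsize, rptr, *_ = struct.unpack_from(SECTION_HEADER, image, table + 40 * i)
        raw = image[rptr:rptr + rsize] if rsize else b""
        if len(raw) != rsize:
            raise ValueError(f"section {name!r}: raw data runs past the end of the file")
        rows.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 5),
            "md5": hashlib.md5(raw).hexdigest(),
        })
    return rows


def build_demo_image() -> bytes:
    """Constructed minimal PE (not the sample): a 32-byte .text section whose bytes
    are all distinct (entropy exactly 5.0) and an .ndata section with no raw data."""
    text_data = bytes(range(32))
    raw_ptr = 0x100
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew: PE signature at 0x40
    coff = struct.pack(COFF_HEADER, 0x14C, 2, 0, 0, 0, 0, 0x0102)   # i386, 2 sections, no optional header
    text = struct.pack(SECTION_HEADER, b".text", len(text_data), 0x1000,
                       len(text_data), raw_ptr, 0, 0, 0, 0, 0x60000020)
    ndata = struct.pack(SECTION_HEADER, b".ndata", 0x24000, 0x24000,
                        0, 0, 0, 0, 0, 0, 0xC0000080)
    head = bytes(dos) + b"PE\0\0" + coff + text + ndata
    return head + b"\0" * (raw_ptr - len(head)) + text_data


if __name__ == "__main__":
    print("Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5")
    for r in pe_sections(build_demo_image()):
        print(f"{r['name']} | {r['virtual_address']} | {r['virtual_size']} | "
              f"{r['raw_size']} | {r['entropy']} | {r['md5']}")
```

Section MD5s are a cheap way to cluster samples that share code but were rebuilt or re-packed: two NSIS installers with different overall hashes but identical .text hashes were built from the same stub. The entropy column is what the "Packed" verdict in the summary rests on, so it is worth confirming which sections actually carry high-entropy data before trusting that verdict.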
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0 | 50.22.63.140 |
hxxp://a728.g.akamai.net/skins/da/06032014/megazord_skin_cancel.zip | |
hxxp://service.downloadadmin.com/env?osVersion=XP&browserName=Firefox&brand=adsterra.com&pid=adsterra&bc=1185859&osName=Windows&country=UA | 50.22.63.140 |
hxxp://mirror.downloadnet1049.com/skins/da/06032014/megazord_skin_cancel.zip | 87.245.221.88 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /env?osVersion=XP&browserName=Firefox&brand=adsterra.com&pid=adsterra&bc=1185859&osName=Windows&country=UA HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY
X-Exename: %original file name%.exe
X-Exe-Checksum: 0
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: no-cache
Pragma: no-cache
Expires: 0
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 14 Aug 2015 21:53:16 GMT
Age: 0
X-Cache: MISS
001af6..<?xml version="1.0" encoding="UTF-8" standalone="yes"?><Installer><Environment><Entry name="over-threshold:PremierOpinion (US) (1457)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1456)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1449)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1458)">true</Entry><Entry name="over-threshold:PremierOpinion (US) (1459)">true</Entry><Entry name="over-threshold:Pro PC Cleaner (US)">true</Entry><Entry name="over-threshold:MyPCBackup (US) (PPI)">true</Entry><Entry name="over-threshold:PremierOpinion (UK)">true</Entry><Entry name="over-threshold:PremierOpinion (UK) (1456)">true</Entry><Entry name="over-threshold:PremierOpinion (UK) (1457)">true</Entry><Entry name="over-threshold:PremierOpinion (UK) (1458)">true</Entry><Entry name="over-threshold:PremierOpinion (UK) (1459)">true</Entry><Entry name="over-threshold:Optimizer Pro (AR)">true</Entry><Entry name="over-threshold:Optimizer Pro (MX)">true</Entry><Entry name="over-threshold:Optimizer Pro (BR)">true</Entry><Entry name="over-threshold:Optimizer Pro (TR)">true</Entry><Entry name="over-threshold:Super Optimizer (DE)">true</Entry><Entry name="over-threshold:Super Optimizer (IN)">true</Entry><Entry name="over-threshold:Super Optimizer (RU)"&g
<<< skipped >>>
GET /install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0 HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY
X-Exename: %original file name%.exe
X-Exe-Checksum: 0
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: service.downloadadmin.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/xml;charset=UTF-8
Transfer-Encoding: chunked
Date: Fri, 14 Aug 2015 21:53:06 GMT
Age: 0
X-Cache: MISS
008000..<?xml version="1.0" encoding="UTF-8" standalone="yes"?>.<Installer>. <Bundle>. <LinkBelowEula>false</LinkBelowEula>. <OptInDefault>false</OptInDefault>. <ProductBinary embed="false" msioptions="/quiet" options="">hXXp://mirror.downloadnet1049.com/binstallers/BM2/uplayer/exe/uPlayer.msi</ProductBinary>. <ProductEula comboPrimary="false" embed="false">hXXp://mirror.downloadnet1049.com/binstallers/BM2/uplayer/ipage/uplayer_specs.mht</ProductEula>. <Primary>true</Primary>. <ProductId>4814</ProductId>. <ProductName>uPlayer Media Player</ProductName>. <Scramble>false</Scramble>. </Bundle>. <Bundle>. <Category>search, home, toolbar</Category>. <CustomParameter Name="advertisername">Findwide</CustomParameter>. <If>. <Or>. <Not>. <Env property="custom.invm" op="=" value="true"/>. </Not>. <Env property="custom.partner" op="=" value="test"/>. </Or>. <Or>. <Env property="custom.region" op="=" value="US"/>. <Env property="custom.region" op="=" value="us"/>. </Or>. <Not>. <Or>. <Env property="custom.partner" op="=" value="vitz
<<< skipped >>>
GET /skins/da/06032014/megazord_skin_cancel.zip HTTP/1.1
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: mirror.downloadnet1049.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: Apache
ETag: "e2f08c3face90861f5b3958d4df545ff:1401800438"
Last-Modified: Tue, 03 Jun 2014 13:00:38 GMT
Accept-Ranges: bytes
Content-Length: 42676
Content-Type: application/zip
Date: Fri, 14 Aug 2015 21:53:15 GMT
Connection: keep-alive
PK........dc.D{Z5p............index.html..io.6......h.#...d.=..Es...&....b..h..9.I...1...>..M..Lf.5`D...}g....|....Vj.......9.....o............p...L.^0..'.`py.L........F JR........t1.HQPU....8)..$..A...-V......".,W..9...~R...........I....K*...".....Wbx."y...8.[.$b.....h.S.h..m.7e...q...P.T....]...."S.....Z3...)Q.?g<.|.s).2Q7dM.....9.....9.R(.Z..L.E>....E....B......./..2*..w.j.*..:.L...o.y.`2...Zh...Ci4@M.jA..$...`.!(2..).4....]...`..._...Rf|.....%......Y.....$.."{|d...../.".d.;S...f8i.....gD.a.PD.x!....P4/...I.......R.._..!... .k.mh...u.i%S...!.VoQ0 n..*...~....4....;]. ....."... YAa...'.c.....N...Da.]xD.)W.S..I.....K--......wV.....v.W....].Za|..^c...#.C.&x%..1 ..T..\(.Y.....a....IX.....$........y[.z.5E1..N.V:.#..=.<G>Y..gZ...e.gY......?...EN.b.......ti.....G.....L.....Au...e1'..d..)K..P..\...qp..`..F...w9..#.My..dZd..SGD)y`-D4..@h.>H.A.....q..D.7L....<..:.w..@...q..........J.~]iZ..........&...j...l..5...........x.V.4.F...a......&u...yY.......Q3.`).F....?..DX$...dE....}.t.u.6...p...{.)...\ha..C..Z......Erh.=....S......kC*....3.h..k{.9.......86.....d2[.......7QJ.mc...T.I..`..7.....Bm0....0..CQ.V.bQf.v...1...A...Fl.........jE.8..|I.F.....w.....j.V_....`...L...-..Q\q........~/.B...Y)hF.ES.........."j...Zb........{f...h.....L(..I...9......B...C?!w..N!58.. |.b...........,-W..BHJ..p_..J....63F....W. ..........z..7.Q..a(..w...M.nfl..) .......q.S...|!.. ...%X..1r4".$.Y..Z..".......V, .["..^cL....(...x......j5......$I......F..E.d.&..C.ee.zhW.-Wj...~.*5...d|.o.O.w......O..$Z.:.M.mU.\....D.....T&._..1
<<< skipped >>>
POST /install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0 HTTP/1.1
X-WebInstallCode: complete url:hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY
Content-Type: application/x-www-form-urlencoded
X-WebInstallUrl: hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true&p_tid=NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY&checksum=0
X-Exe-Checksum: 0
X-Exename: %original file name%.exe
Content-Length: 10
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: service.downloadadmin.com
Connection: Keep-Alive
delta=4875
HTTP/1.1 200 OK
Transfer-Encoding: chunked
Date: Fri, 14 Aug 2015 21:53:05 GMT
Age: 0
X-Cache: MISS
0..
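The requests above carry several stable indicators: a fixed User-Agent prefix, custom X-WebInstall*/X-Exe* headers, and two hosts. The following Python is an added example, not part of the report or of the installer; it runs a header-based classifier over constructed request heads (the first re-typed from the GET /env request above, the second an unrelated browser request added for contrast) and decodes the p_tid parameter of X-WebInstallUrl. That base64 value is 141 characters in the capture, one more than a multiple of 4, so strict decoding rejects it until the stray trailing character is dropped. The pipe-separated layout of the decoded token is simply what the bytes show; the meaning of its fields is not documented on this page and the code does not guess at it.

```python
"""Added example (not from the Lavasoft report or the installer): flag the bundle
manager's HTTP beacons by header indicators and decode its p_tid token.

The request heads in SAMPLE_REQUESTS are constructed: the first is re-typed from
the GET /env request in the Traffic section (defanged hXXp scheme kept as on the
page), the second is an ordinary browser request added for contrast."""
import base64
from urllib.parse import parse_qs, urlsplit

# Indicators copied from the captured requests above.
SUSPECT_UA_PREFIX = "Tightrope Bundle Manager("
SUSPECT_HEADERS = {"x-webinstallurl", "x-webinstallcode", "x-exename", "x-exe-checksum"}
SUSPECT_HOSTS = {"service.downloadadmin.com", "mirror.downloadnet1049.com"}

# p_tid exactly as it appears in the capture (141 characters).
P_TID = "NjEzMHw0NDYxMHwyMjN8MTA3MzkyfDE0MzQ4MzMyOTd8NWFlMTQ1MDQtMTJlNS00MjUxLWMyNWEtMWU2NjUzNjI3YWUxfDUwLjE0OS4xOTMuMTk1fGRlY2Q4YTQxZjZkZmY2YTBhOTRjY"
INSTALL_URL = ("hXXp://service.downloadadmin.com/install?bc=1185859&pid=adsterra&brand=adsterra.com"
               "&country=EU&osName=Windows&osVersion=XP&browserName=Firefox&secure=true"
               f"&p_tid={P_TID}&checksum=0")

SAMPLE_REQUESTS = [
    # Constructed from the report's GET /env request (headers as captured).
    f"""GET /env?osVersion=XP&browserName=Firefox&brand=adsterra.com&pid=adsterra&bc=1185859&osName=Windows&country=UA HTTP/1.1
X-WebInstallCode: complete url:{INSTALL_URL}
X-Exename: %original file name%.exe
X-Exe-Checksum: 0
X-WebInstallUrl: {INSTALL_URL}
User-Agent: Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
Host: service.downloadadmin.com
Connection: Keep-Alive
""",
    # Constructed ordinary browser request; expected to produce no hits.
    """GET /index.html HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:38.0) Gecko/20100101 Firefox/38.0
Host: www.example.com
Connection: keep-alive
""",
]


def parse_request(raw: str) -> dict:
    """Split an HTTP/1.1 request head into method, target and lower-cased header names."""
    lines = raw.strip("\r\n").splitlines()
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line.strip():
            break  # end of head; any body follows
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "headers": headers}


def classify(req: dict) -> list:
    """Names of the indicators that fire on one request; an empty list means clean."""
    hdrs = req["headers"]
    hits = []
    if hdrs.get("user-agent", "").startswith(SUSPECT_UA_PREFIX):
        hits.append("ua:tightrope-bundle-manager")
    found = SUSPECT_HEADERS & set(hdrs)
    if found:
        hits.append("hdr:" + ",".join(sorted(found)))
    host = hdrs.get("host", "").lower()
    if host in SUSPECT_HOSTS:
        hits.append("host:" + host)
    return hits


def decode_p_tid(token: str) -> list:
    """Decode the base64 p_tid value into its '|'-separated fields.

    Strict base64 needs a length that is a multiple of 4 once padding is restored;
    a length of 4k+1 (the capture's token is 141 characters) cannot carry a whole
    extra byte, so that stray trailing character is dropped before decoding."""
    token = token.rstrip("=")
    if len(token) % 4 == 1:
        token = token[:-1]
    raw = base64.b64decode(token + "=" * (-len(token) % 4))
    return raw.decode("ascii", "replace").split("|")


def p_tid_fields(req: dict) -> list:
    """Pull p_tid out of the X-WebInstallUrl header, if the request has one."""
    url = req["headers"].get("x-webinstallurl")
    if not url:
        return []
    query = parse_qs(urlsplit(url).query)
    return decode_p_tid(query["p_tid"][0]) if "p_tid" in query else []


def scan(raw_requests: list) -> list:
    """Classify each request head; returns (hits, p_tid fields) per request."""
    out = []
    for raw in raw_requests:
        req = parse_request(raw)
        out.append((classify(req), p_tid_fields(req)))
    return out


if __name__ == "__main__":
    for hits, fields in scan(SAMPLE_REQUESTS):
        print(hits or "clean", fields)
```

The decoded token contains, among other fields, a value formatted as a UUID and one formatted as an IPv4 address, so the installer reports more than the OS and browser fields visible in the query string; an IDS signature for the same beacon would key on the User-Agent prefix, the first check the classifier makes, rather than on the volatile query parameters.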
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_2016:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|/":
%s=%s
ole32.dll
comctl32.dll
GDI32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
VERSION.dll
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
|i[].cA
WINMM.dll
IPHLPAPI.DLL
msvcrt.dll
CreatePipe
LuaBridge.dll
?execFile@LuaBridge@@YA_NPAUnamed_state_t@1@PBD@Z
?processPipeCommands@LuaBridge@@YAHPAUnamed_state_t@1@PAX_N@Z
_luabridge_exec_file@8
C:\Programming\GitHome\LuaBridge\Release\LuaBridge.pdb
6%6.676@6
242;2]2{2
4 4$4(4,40444
.textbss
.idata
@.reloc
ProxyForUrl
Win32.Job
Nsis.PluginCall
Win32.Handle
Error:Unknown /state named %s
evalResp{args=%x,stateName=%x}
evalLuaFile[state=%x/%s][thread=%d](%s)
nsLua.cpp
WM_EXEC_FILE|File=
LuaRemoteLoop[state=%x/%s][thread=%d]
com.luabridge.WndProcTable
[%s]Error Handling Message(%d,%d,%d,%d):%s
[%s]Calling Global Function(%s)
checkIsChild:Failed to Get Exe Path(rc=%d)
checkIsChild:Failed to SetEnvironmentVariable(rc=%d)
checkIsChild:Failed to Create Shared Data Block(rc=%d)
checkIsChild:Create process failed(rc=%d)
checkIsChild:GetExitCodeProcess failed(rc=%d)
[%s]Error Evaluating %s
ERROR:%s
PipeName:
evalLuaString[state=%x/%s][thread=%d](%s)
DBGHELP.DLL
Saved dump file to '%s'
Failed to save dump file to '%s' (error %d)
Failed to create dump file '%s' (error %d)
DBGHELP.DLL too old
DBGHELP.DLL not found
Thread named '%s' could not be found
Expected async state name:%s
unknown state name '%s'
evalInState() error; no code passed
ERROR:Cannot post to state[%s] not async and note default
lua51.dll
ShellExecute
EnumRegKey
create_pipe
dm\LOCALS~1\Temp\nsw3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw3.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw3.tmp
nsw3.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsw3.tmp
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Install System vADK.1.0.0
%original file name%.exe_1352:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
verifying installer: %d%%
unpacking data: %d%%
... %d%%
hXXp://nsis.sf.net/NSIS_Error
~nsu.tmp
%u.%u%s%s
.DEFAULT\Control Panel\International
RegDeleteKeyExA
Software\Microsoft\Windows\CurrentVersion
*?|/":
%s=%s
ole32.dll
comctl32.dll
GDI32.dll
RegDeleteKeyA
RegCloseKey
RegEnumKeyA
RegOpenKeyExA
RegCreateKeyExA
ADVAPI32.dll
ShellExecuteA
SHFileOperationA
SHELL32.dll
VERSION.dll
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
|i[].cA
`'\%D,3
COMCTL32.dll
WININET.dll
GetProcessHeap
EnumChildWindows
OLEAUT32.dll
customnsWeb.dll
C:\Programming\GitHome\bm-core-main.git\25\Custom\Nsweb\Release\nsWeb.pdb
CustomNsWebForwarder
? ?1?8?|?
1!1/1@1}1
1 1$1(1,10141
@.reloc
All Files|*.*
COMDLG32.dll
nsDialogs.dll
.reloc
ButtonEvent.dll
rowser-%s
nswebForwarder
CustomNsWebContainer
Z:\Programming\GitHome\master\Employers\Franco\TightRope-BundleManager\Custom\Scramble\Release\Scramble.pdb
#-,.mT:
!$"'(!((!$&
##-,#1.#0- !%
! .76:76:*),
#" *#1.#1.!#&
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd9.tmp\LuaBridge.dll
ss.dll
100003d317f2739d087.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd9.tmp\LuaBridge.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd9.tmp
ns\UrlAssociations\http\UserChoice
nsd9.tmp
,0x00040000) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/adk.exe.nsi:Line 1182.2
/adk.exe.nsi:Line 1058.2
.nsi:Line 965.2
et=4;startTime=1305530;pid=1352)]]}) -- C:/BM/2.5/BINARIES/DownloadAdmin-Dynamic/production/popup/adk.exe.nsi:Line 960.2
Tightrope Bundle Manager(ref=[c49c30a756120de340ecab79d86681323698ade4];windows=5.1;uac=false;ie=6;elevated=true;dotnet=4;startTime=1305530;pid=1352)
1179964
1245406
c:\%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi7.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
uplayer_adsterra,bc=1185859,pid=adsterra,brand=adsterracom,country=ua,osname=windows,osversion=xp,browsername=firefox
1305530
Install System vADK.1.0.0
%original file name%.exe_1352_rwx_003E4000_00001000:
callback%d
%original file name%.exe_1352_rwx_015B1000_0000A000:
Portions Copyright (c) 1999,2003 Avenger by NhT
KWindows
GetProcessHeap
.idata
.edata
P.reloc
P.rsrc