Adware.Generic.259489 (B) (Emsisoft), Adware.Generic.259489 (AdAware)
Behaviour: Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 86f456399a185db1537dfcb373e6488f
SHA1: e586a37877337dbf2bc831fa12350b2fa7364902
SHA256: 35f9094fdc2439b01ab3893ba1e5fa9f444df7ba23b93ad00ef70186f8661d81
SSDeep: 3072:NLZG6 Q9PrTWF/IzIslqd w54PhHzskUtLU4JCcW:xQ6 GfWuMlUw54pHYXR9W
Size: 137016 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: BorlandDelphi30, UPolyXv05_v6
Company: no certificate found
Created at: 2010-11-09 21:31:05
Analyzed on: Windows7Ada SP1 64-bit
Summary: Adware. Delivers advertising content in a manner or context that may be unexpected and unwanted by users. Many adware applications also perform tracking functions. Users may want to remove adware if they object to such tracking, do not wish to see the advertising caused by the program or are frustrated by its effects on system performance.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Adware creates the following process(es):
%original file name%.exe:4048
The Adware injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:4048 makes changes in the file system.
The Adware creates and/or writes to the following file(s):
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (4449 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DL_ (3 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (1617 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL (52 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DL_ (82 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DL_ (16 bytes)
Registry activity
The process %original file name%.exe:4048 makes changes in the system registry.
The Adware creates and/or sets the following values in system registry:
[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0]
"(Default)" = "Installer 1.0 Type Library"
[HKCR\Wow6432Node\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"Version" = "1.0"
[HKCR\Wow6432Node\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "If3InstallerStart"
[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "If3InstallerStart"
[HKLM\SOFTWARE\Wow6432Node\FunWebProducts\Installer]
"sr" = "0"
[HKCR\FunWebProductsInstaller.Start.1]
"(Default)" = "Fun Web Products Installer Start"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\InprocServer32]
"(Default)" = "%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL"
[HKCR\Wow6432Node\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "_If3InstallerStartEvents"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus\1]
"(Default)" = "131473"
[HKCR\FunWebProductsInstaller.Start]
"(Default)" = "Fun Web Products Installer Start"
[HKLM\SOFTWARE\Wow6432Node\FunWebProducts\Installer]
"dir" = "%Program Files% (x86)\FunWebProducts\Installr\"
[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
"(Default)" = ""
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\Version]
"(Default)" = "1.0"
[HKCR\Wow6432Node\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@funwebproducts.com/Plugin\MimeTypes\application/x-f3-funwebplugin]
"Suffixes" = "f3p"
[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@funwebproducts.com/Plugin]
"Path" = "%Program Files% (x86)\FunWebProducts\Installr\1.bin\NPFunWeb.dll"
[HKCR\Wow6432Node\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}]
"(Default)" = "_If3InstallerStartEvents"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@funwebproducts.com/Plugin]
"Description" = "Fun Web Products Plugin"
[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"Version" = "1.0"
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
[HKLM\SOFTWARE\Wow6432Node\FunWebProducts\Installer]
"PluginPath" = "%Program Files% (x86)\FunWebProducts\Installr\1.bin\"
[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\HELPDIR]
"(Default)" = "%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL\"
[HKCR\Wow6432Node\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\VersionIndependentProgID]
"(Default)" = "FunWebProductsInstaller.Start"
[HKCR\FunWebProductsInstaller.Start\CurVer]
"(Default)" = "FunWebProductsInstaller.Start.1"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\ProgID]
"(Default)" = "FunWebProductsInstaller.Start.1"
[HKCR\Wow6432Node\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Wow6432Node\FunWebProducts\Installer]
"CurInstall" = "1"
[HKCR\FunWebProductsInstaller.Start.1\CLSID]
"(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"
[HKLM\SOFTWARE\Wow6432Node\FunWebProducts\Installer]
"pl" = "9"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47a3-BD87-1E41684E07BB}"
[HKCR\Wow6432Node\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"(Default)" = "{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}"
[HKCR\Interface\{1D4DB7D3-6EC9-47A3-BD87-1E41684E07BB}\ProxyStubClsid32]
"(Default)" = "{00020420-0000-0000-C000-000000000046}"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}\MiscStatus]
"(Default)" = "0"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@funwebproducts.com/Plugin]
"Version" = "1.1.0.0"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@funwebproducts.com/Plugin\MimeTypes\application/x-f3-funwebplugin]
"Description" = "Fun Web Products Plugin"
[HKCR\Interface\{1D4DB7D1-6EC9-47A3-BD87-1E41684E07BB}\TypeLib]
"Version" = "1.0"
[HKCR\FunWebProductsInstaller.Start\CLSID]
"(Default)" = "{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}"
[HKLM\SOFTWARE\Wow6432Node\MozillaPlugins\@funwebproducts.com/Plugin]
"vendor" = "Fun Web Products"
[HKCR\Wow6432Node\CLSID\{1D4DB7D2-6EC9-47a3-BD87-1E41684E07BB}]
"(Default)" = "Fun Web Products Installer Start"
[HKCR\TypeLib\{1D4DB7D0-6EC9-47A3-BD87-1E41684E07BB}\1.0\0\win32]
"(Default)" = "%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL\1"
The Adware deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Wow6432Node\FunWebProducts\Installer]
"ConfigDateStamp"
Dropped PE files
MD5 | File path |
---|---|
9727a64ac5dd2bd66f123cf086f2f5d2 | c:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL |
be6f4aacf6885035e6cf0fa3e9fa192f | c:\Program Files (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL |
69ede6c6c8718f4e0dbae6d8167b03dc | c:\Program Files (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:4048
- Delete the original Adware file.
- Delete or disinfect the following files created/modified by the Adware:
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DLL (4449 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DL_ (3 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DLL (1617 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\NPFUNWEB.DLL (52 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3EZSETP.DL_ (82 bytes)
%Program Files% (x86)\FunWebProducts\Installr\1.bin\F3PLUGIN.DL_ (16 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 6000 | 8192 | 3.60734 | 876d466dbacef588a8a73ff15bb60234 |
.rdata | 12288 | 2032 | 4096 | 2.09893 | 6e2f28c39c5ea31e92ac92addaf434d3 |
.data | 16384 | 566 | 4096 | 0.465708 | 756a42feccfde4006040f9434b4390b8 |
.rsrc | 20480 | 107248 | 110592 | 5.47299 | 1fb4cad456d2d7b1aa9593b271c52273 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?63186accc62d1bdd | |
hxxp://a1363.g.akamai.net/pki/crl/products/WinPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicrosoftTimeStampPCA.crl | |
hxxp://a1363.g.akamai.net/pki/crl/products/microsoftrootcert.crl | |
hxxp://a1621.g.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a65b489dcf97c7b7 | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | |
hxxp://a1363.g.akamai.net/pki/crl/products/MicCodSigPCA_08-31-2010.crl | |
hxxp://e8218.ce.akamaiedge.net/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?63186accc62d1bdd | 87.245.202.24 |
hxxp://crl.microsoft.com/pki/crl/products/microsoftrootcert.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= | 23.43.139.27 |
hxxp://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab?a65b489dcf97c7b7 | 87.245.202.24 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/WinPCA.crl | 87.245.202.16 |
hxxp://ocsp.verisign.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= | 23.43.139.27 |
hxxp://crl.microsoft.com/pki/crl/products/MicrosoftTimeStampPCA.crl | 87.245.202.16 |
hxxp://crl.microsoft.com/pki/crl/products/MicCodSigPCA_08-31-2010.crl | 87.245.202.16 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEEES5jLHsYoCmjofrIA6uJ8= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=602865, public, no-transform, must-revalidate
Last-Modified: Mon, 5 Jan 2015 18:44:32 GMT
Expires: Mon, 12 Jan 2015 18:44:32 GMT
Date: Mon, 05 Jan 2015 19:20:57 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20150105184432Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5.......A..2.....:...:......20150105184432Z....20150112184432Z0...*.H.............P*........D..)..Ex/.......P?)...K...BJ..G..x. \2....6y....\..t..0.1,y..S...{.....:..<... vn....&.$[.3...I...\ ...._.L..1@=cZ;..J....w.o.]s.n.......F.3.....V...P..NA/......\... ..%.`p...AA....W.?..@UI..3pi..E....%w.Z:~.C............`..:...:....UE..x...x.......#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>
GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab?a65b489dcf97c7b7 HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Fri, 12 Sep 2014 18:47:05 GMT
If-None-Match: "805a83f2b9cecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Fri, 12 Sep 2014 18:47:05 GMT
ETag: "805a83f2b9cecf1:0"
Cache-Control: max-age=604800
Date: Mon, 05 Jan 2015 19:20:21 GMT
Connection: keep-alive
GET /msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab?63186accc62d1bdd HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 03 Jul 2014 23:34:12 GMT
If-None-Match: "0b2464b1797cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: ctldl.windowsupdate.com
HTTP/1.1 304 Not Modified
Content-Type: application/octet-stream
Last-Modified: Thu, 03 Jul 2014 23:34:12 GMT
ETag: "0b2464b1797cf1:0"
Cache-Control: max-age=86400
Date: Mon, 05 Jan 2015 19:19:34 GMT
Connection: keep-alive
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBRIt2RJ89X++hEzqoBeQg8PymQ2UQQUANhaTCXBIuWLMe9tuvPMXynxDWECEGVSJuGyLhjhWQ8phawi51w= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1453
content-transfer-encoding: binary
Cache-Control: max-age=483443, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 09:34:14 GMT
Expires: Sun, 11 Jan 2015 09:34:14 GMT
Date: Mon, 05 Jan 2015 19:20:35 GMT
Connection: keep-alive
0..........0..... .....0......0...0......T3t.%..O.E..~..F.=....20150104093414Z0s0q0I0... ........H.dI.....3..^B...d6Q....ZL%."..1.m..._)..a..eR&.....Y.)..".\....20150104093414Z....20150111093414Z0...*.H.................P.OK.w3.B.R..9_*..-....][\....5'.A.jL..=.OZ...|.......?..R..#YB.6q|...'.P..G ..h...I.H9.`G.M.}..M...3.......p.."Ug....U...7.3.?.......$.._Q.\_./.....|.L..[......gzO'.C..6.....B.sK.D..H[......iPI.... ...Xp.T.]..LR....R:.m.J..T...lDP..p....J..d./D.F....2....0...0...0..3......./...b.v..-....l}0...*.H........0_1.0...U....US1.0...U....VeriSign, Inc.1705..U....Class 3 Public Primary Certification Authority0...141202000000Z..151216235959Z0..1.0...U....US1.0...U....Symantec Corporation1.0...U....Symantec Trust Network1?0=..U...6Symantec Class 3 PCA - G1 OCSP Responder Certificate 30.."0...*.H.............0..........'......Y..x.3B1.7..Q..`..d.. ....s..t.$a.....j2R.{ ,*..c{.3.....H..3-; ).....0._...*..9M..V...... ...{m...-.......)..tR..{D....~...M...T..pS.p..^|o....S..v.).).....r.v.qo$......C.V!....@.h#qh...u1T.].G0.]E...=._...... ........TE...Sa.s4........r...3.............0..0...U....0.0l..U. .e0c0a..`.H...E....0R0&.. .........hXXp://VVV.symauth.com/cps0(.. .......0...hXXp://VVV.symauth.com/rpa0...U.%..0... .......0...U........0... .....0......0!..U....0...0.1.0...U....TGV-B-2730...*.H.............$..H......oU....Y!.z{*.V.M..u.._z..3>.. 0....3..m.....e.......a..D...........e..F6:.y.....di.......<y.Z.......x}..q.2....UZ1 :,....
<<< skipped >>>
GET /MFEwTzBNMEswSTAJBgUrDgMCGgUABBSpuCE3aK3GivZPzGQJ6L5BRyZofwQUl9BrqCZwyKE/lB8ILcQ1m6ShHvICEAxNF3PJUX7iAOhAP2oGxcI= HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: ocsp.verisign.com
HTTP/1.1 200 OK
Server: nginx/1.4.7
Content-Type: application/ocsp-response
Content-Length: 1790
content-transfer-encoding: binary
Cache-Control: max-age=531981, public, no-transform, must-revalidate
Last-Modified: Sun, 4 Jan 2015 23:04:05 GMT
Expires: Sun, 11 Jan 2015 23:04:05 GMT
Date: Mon, 05 Jan 2015 19:20:41 GMT
Connection: keep-alive
0..........0..... .....0......0...0........6?s....V....OlL".O..20150104230405Z0s0q0I0... ..........!7h....O.d...AG&h.....k.&p..?...-.5........M.s.Q~...@?j.......20150104230405Z....20150111230405Z0...*.H................G..z./....,FS?..1..H.b*.!\..U.X)._...\d.V.....a.....). ......;..9.pD.o4.....!...........5.O*....Gt...DM'...a.S../......<{;.Q#....*..~g...p.._WB.:1.....~T....=.1...w'.p#*q..]$.NO..!..e5.`Ic..@.kd. ..v....~......F.....l.........3U..T...^p3.....q..i,RMX%&....#0...0...0..........<o&S.-S..}...e.30...*.H........0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)09100...U...'VeriSign Class 3 Code Signing 2009-2 CA0...141205000000Z..150305235959Z0..1.0...U....US1.0...U....VeriSign, Inc.1.0...U....VeriSign Trust Network1;09..U...2Terms of use at hXXps://VVV.verisign.com/rpa (c)091<0:..U...3VeriSign Class 3 Code Signing 2009-2 OCSP Responder0.."0...*.H.............0.........{(..t....2.Vf.....&;6).i*FK....W@....F....jnb.w._p.E.6.|.mk....(..........p...........X.DF....^0N....b9.:..J. ZK.".^..\..p.'.$..JA..~QG.d.}...r...gv... f...z.#..}..J...r9h.........LI-..^.......PUD.h<.l....(n..i.....E.....2....^./Y......Y.m...'...hz..y..E..........0...0...U....0.0....U. ...0..0....`.H...E....0..0(.. .........hXXps://VVV.verisign.com/CPS0b.. .......0V0...VeriSign, Inc.0.....=VeriSign's CPS incorp. by reference liab. ltd. (c)97 VeriSign0...U.%..0... .......0...U........0... .....0......0"..U....0...0.1.0...U....TGV-B-24710...*.H...
<<< skipped >>>
GET /pki/crl/products/WinPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Mon, 06 Oct 2014 05:06:02 GMT
If-None-Match: "3e1c83923e1cf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT
Accept-Ranges: bytes
ETag: "d2e35dc7e31cd01:0"
Server: Microsoft-IIS/8.5
VTag: 791633315200000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 561
Cache-Control: max-age=900
Date: Mon, 05 Jan 2015 19:19:40 GMT
Connection: keep-alive
0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......30... .....7......150320224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c.{.m@Q.M.p...g.^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo...._...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..A..fi.}& .x.v{TFP[.G......A......L.o...)R.......V.u..V.../.Q..(L.].....uki~..HTTP/1.1 200 OK..Content-Type: application/pkix-crl..Last-Modified: Sun, 21 Dec 2014 06:03:02 GMT..Accept-Ranges: bytes..ETag: "d2e35dc7e31cd01:0"..Server: Microsoft-IIS/8.5..VTag: 791633315200000000..P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"..X-Powered-By: ASP.NET..Content-Length: 561..Cache-Control: max-age=900..Date: Mon, 05 Jan 2015 19:19:40 GMT..Connection: keep-alive..0..-0......0...*.H........0..1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1 0)..U..."Microsoft Windows Verification PCA..141220223154Z..150321105154Z._0]0...U.#..0.......p............<.J0... .....7.......0...U......30... .....7......150320224154Z0...*.H.............h.~oH#i.J.vh_.....A'B..g...........F....9c.{.m@Q.M.p...g.^ 4.r..Wv.Q.0.w..j....c9..w....I..%.~.l..F.......xo...._...o...7BR.;<..\R/ .....b.(....~..]|.v.u.i.X.B....I......./*...P..A..fi.}& .x.v{TFP[.G......A.
<<< skipped >>>
GET /pki/crl/products/MicrosoftTimeStampPCA.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Sat, 04 Oct 2014 05:06:12 GMT
If-None-Match: "58cddbea90dfcf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 19 Dec 2014 06:02:00 GMT
Accept-Ranges: bytes
ETag: "9a9a44d511bd01:0"
Server: Microsoft-IIS/8.0
VTag: 279252244600000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 550
Cache-Control: max-age=900
Date: Mon, 05 Jan 2015 19:19:45 GMT
Connection: keep-alive
0.."0......0...*.H........0w1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1!0...U....Microsoft Time-Stamp PCA..141218221600Z..150319103600Z._0]0...U.#..0...#4..RFp..@.v.. ..5..0... .....7.......0...U......10... .....7......150318222600Z0...*.H............./..0Q~.r.}.E....&\....F.Z.C..#..F.s........<&\..9G..-....j..N... .C.Fk....;l.....2.K5D.........-.>...(...g.0.S.[?...T4q>.ln...z..L.......5.5s@d.q.('..e...Y..Bo..q..........I....'....i>..y:.eH@h`..\...UA.m#.~.. ;.3..d..;..<..........p..s..J..N `Az......@..l..
GET /pki/crl/products/microsoftrootcert.crl HTTP/1.1
Cache-Control: max-age = 900
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 23 Oct 2014 05:05:32 GMT
If-None-Match: "a2f3ff97eeecf1:0"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 304 Not Modified
Content-Type: application/pkix-crl
Last-Modified: Thu, 23 Oct 2014 05:05:32 GMT
ETag: "a2f3ff97eeecf1:0"
Cache-Control: max-age=879
Date: Mon, 05 Jan 2015 19:20:16 GMT
Connection: keep-alive
GET /pki/crl/products/MicCodSigPCA_08-31-2010.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.microsoft.com
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Thu, 13 Nov 2014 06:02:42 GMT
Accept-Ranges: bytes
ETag: "88cab6f7ffcf1:0"
Server: Microsoft-IIS/8.5
VTag: 791936916300000000
P3P: CP="ALL IND DSP COR ADM CONo CUR CUSo IVAo IVDo PSA PSD TAI TELo OUR SAMo CNT COM INT NAV ONL PHY PRE PUR UNI"
X-Powered-By: ASP.NET
Content-Length: 554
Cache-Control: max-age=900
Date: Mon, 05 Jan 2015 19:20:50 GMT
Connection: keep-alive
0..&0......0...*.H........0y1.0...U....US1.0...U....Washington1.0...U....Redmond1.0...U....Microsoft Corporation1#0!..U....Microsoft Code Signing PCA..141112173206Z..150211055206Z.a0_0...U.#..0..........X..7.3...L...0... .....7.........0...U......W0... .....7......150210174206Z0...*.H................].`...D..9.>LO.ey...Qx%.^.P.& ...D.......b}.K..[.....5.m....).....H..6R....G/ju.........:..A.#.9!......D5...|".w.x..=.u..X6.7{..).XN....g......B.8.!&...........<7fS$..........t<X)%.b(0.L@..i..Kn.......fX... ,...K\....U1cp).........y.T..?rm.t..Y.}.E..-@...
Map
The Adware connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_2868:
.text
`.data
.rsrc
@.reloc
KERNEL32.dll
USER32.dll
msvcrt.dll
imagehlp.dll
ntdll.dll
?.ulf
.ue9]
ole32.dll
_amsg_exit
_wcmdln
rundll32.pdb
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
name="Microsoft.Windows.Shell.rundll32"
version="5.1.0.0"
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
{00000000-0000-0000-0000-000000000000}
\\?\Volume
\\?\UNC\
rundll32.exe
Windows host process (Rundll32)
6.1.7600.16385 (win7_rtm.090713-1255)
RUNDLL32.EXE
Windows
Operating System
6.1.7600.16385