not-a-virus:AdWare.Win32.Lollipop.qn (Kaspersky), Gen:Variant.Application.Bundler.DomaIQ.3 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour:
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fa62aa8779bfbe9a3a135c6427a40c01
SHA1: 010712d3f87d10868a260f40a870f7f0cd5da091
SHA256: dabe2f91804f1cb73d4de85bcde320b33bcb7efb4dccd34a6ee380a89dc31a04
SSDeep: 12288:4MKMxKOU2lU7LXCl8EzBbjEtyYRHQQsfs1vRr:XNB2XX1FwQsfs1V
Size: 502104 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-04-25 20:58:16
Analyzed on: WindowsXP SP3 32-bit
Summary:
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Malware creates the following process(es):
android.exe:304
android.exe:1556
The Malware injects its code into the following process(es):
%original file name%.exe:1068
File activity
The process android.exe:1556 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (30321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\SQLite.Interop.dll (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\android.exe.config (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\android.exe (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\System.Data.SQLite.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\Newtonsoft.Json.dll (15168 bytes)
The Malware deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsz2.tmp (0 bytes)
The process %original file name%.exe:1068 makes changes in the file system.
The Malware creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\Dockings.dfe (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\box.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\android.exe (8656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateDisplays.dfe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\doma[1].js (73 bytes)
%System%\wbem\Logs\wbemprox.log (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].html (1031 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_app[1].png (4174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[1] (1008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\loading[1].css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateStyle.dfe (5160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@images.imagesdownloader[1].txt (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfs1.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\base.css (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafplayer.png (784 bytes)
Registry activity
The process android.exe:304 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7C CA 4E 73 98 48 5A 01 FA 93 66 FA 84 25 88 85"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\anset\com.mobilesoftdroid.videoplayer]
"can" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process android.exe:1556 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "96 D6 B5 AF 85 E7 E1 B1 62 DC 8D 8E A9 FB 0A BC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process %original file name%.exe:1068 makes changes in the system registry.
The Malware creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227]
"android.exe" = "android"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1398448696"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E8 F0 20 BC 37 A9 4B DB 44 92 39 69 F5 01 9C 1F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Malware modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Malware modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Malware modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Malware deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
| 56f46da99169a5f7aa239a47b5c9a01f | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\Newtonsoft.Json.dll |
| 2f7c03e1030040c8b76c7f1018595eec | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\SQLite.Interop.dll |
| b18a5f2d68be257d48748b42f20ff1d6 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\System.Data.SQLite.dll |
| f19b37bddd81b527667742e73257ac05 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\android\android.exe |
| 427739ef23cd55fd0bff302e47fff230 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\android.exe |
| 8b2376ab901ac90c9d8799f4b454b3de | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\dfs1.tmp |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
android.exe:304
android.exe:1556 - Delete the original Malware file.
- Delete or disinfect the following files created/modified by the Malware:
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (30321 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\SQLite.Interop.dll (20624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\android.exe.config (769 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\System.Data.SQLite.dll (6360 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\android\Newtonsoft.Json.dll (15168 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position1A.css (421 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\Dockings.dfe (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin.dmc (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2C.css (578 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check-close.png (243 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton_xl.jpg (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3C.css (638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\box.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet-short.gif (54 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-ifish.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-miul.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\finish.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\android.exe (8656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-printpdf.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butpause.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\group.html (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\welcome.html (151 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\logo-win.jpg (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\jquery.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\hide.png (160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\butplay.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-zipper.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress.png (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-geaudioconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\style.css (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateDisplays.dfe (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\boton.jpg (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bullet.gif (58 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\doma[1].js (73 bytes)
%System%\wbem\Logs\wbemprox.log (225 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\cross.jpg (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\close.html (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\loading[1].gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position2B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.png (398 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\box[1].html (1031 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\show.png (235 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3D.css (539 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\check.jpg (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\instalando.html (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position3B.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\bg_app[1].png (4174 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\New_Player[1] (1008 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\progress_small.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\box[1].htm (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\loading[1].css (337 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\less.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\temp\templateStyle.dfe (5160 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-gevideoconverter.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\exe\options.html (965 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-olivebrowser.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\bg_app.png (1856 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@images.imagesdownloader[1].txt (252 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\dfs1.tmp (291 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\config.dmc (1 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (964 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\percentage-bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\base.css (265 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\position4A.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\more.png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafmusic.png (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\d8f783b1-a1a6-458d-bffd-855e14bfc227\bin\css\images\screen-vafplayer.png (784 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 111040 | 111104 | 4.53141 | a2187127065cd8daad8384d86ccb55c3 |
| .rdata | 118784 | 42500 | 43008 | 3.51028 | fd4e38eb2d9d9ac009e547b4daa9993b |
| .data | 163840 | 25588 | 16896 | 3.96452 | 1c3be92f843fca6b4403c1d0f45bbcb3 |
| .rsrc | 192512 | 307216 | 307712 | 4.50324 | e95bab7400346fd9510b94f5f2b1afdf |
| .reloc | 503808 | 16560 | 16896 | 2.75723 | 9744f113d2c482da8ecc8b9dd3156811 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 249
2973c273d3e50711e55ac50894ea66a9
b6e486b55cc560d109a826429669207e
b622e88106dadead0d89fbb813ca3bf0
f1a709e60dd4d57b676cb15e79179dec
da62f81a47f4b113d71ebde818f40cd7
9a752f4bbc949a82dc647da9205c0ca3
ab776de4cb2fca47681df90885554acb
cc441eec85a2ef3132833051cca0ede6
90143f82d5c49380ca4e17240cd13d73
8fc71a6655e98dfc0d88c714902baac6
f8ad8dd9f0cae9ad6e326da30cc44ab2
371ec40b606cb3d93064a3cfb6e1b9a8
8a719c547fe8210ae71a0b941aa7d45d
2c75b449da24ea4436218681a0b5f9d5
4b40f0d512e324cf0f726bb3f90e1f84
4502714c66639a4e4e9808466cde7ba1
b174f068a58fde6df828ba67af9244f3
d9ec2e0ac602ba62cc2bacee8b8b40d4
68a8550590b1136238fd7bb0098275e8
a6e1a1d2d9e574229411d32f8f2d3f50
e0e7b9573af88fbaf25626bf11d25816
5b81d6fb885d04964ed99a12f9ca19de
23208ed95a5afe04399f05dda385fa3e
f274b843dd83513d2c355d64de568af6
b1d4a481c78f7d742d358a480eb8cc2d
53f09804957654fc8aad66e1a774005b
Network Activity
URLs
| URL | IP |
|---|---|
| hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/apiLoading/737.html | |
| hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/box.html | |
| hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/loading.css | |
| hxxp://staticrr.tgusrv.com/sdb/doma.js | |
| hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/images/bg_app.png | |
| hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/icon/%mapp% | |
| hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/380x220/%mapp% | |
| hxxp://staticrr.tgusrv.com/Loading/ab3232d7_loading_green/images/loading.gif | |
| hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/icon/New_Player | |
| hxxp://landings-ss-1797368240.us-west-2.elb.amazonaws.com/screenshot/380x220/New_Player | |
| hxxp://API-XML-1918203848.us-west-2.elb.amazonaws.com/index.php/api/151/New_Player/604/737/English/WW.xml | |
| hxxp://staticrr.tgusrv.com//Styles/Templates/e9c1a9ca_Win_A_Banner_DeclineLink.zip | |
| hxxp://staticrr.tgusrv.com//Displays/Templates/8a204893_Win_A_Banner_DeclineLink.zip | |
| hxxp://staticrr.tgusrv.com//Docking/Docking.zip | |
| hxxp://staticrr.tgusrv.com/Apps/toolbars/apkSetup4.exe | |
| hxxp://awstrack01.tguhost.com/debug/android/9/can/0 | |
| staticrr.allfiles134.com | 85.12.8.28 |
| api.v2.secdls.com | 54.213.138.138 |
| tb.myappupdate.com | 85.12.8.28 |
| dtrack.secdls.com | 54.218.7.114 |
| staticrr.safetydownload.net | 192.99.46.67 |
| staticrr.paleokits.net | 85.12.5.2 |
| images.imagesdownloader.com | 54.213.178.50 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic