Trojan.NSIS.StartPage_4d8e89edd3 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wajam_validate.exe:1672

The Trojan injects its code into the following process(es):

%original file name%.exe:1812

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1812 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\close-btn.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer5.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\CompleteScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (136383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer1.zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseBA.tmp (172080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (164814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_243_FP_spws243[1].zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfferScreen_235_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\start-bullet.jpg (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\installog.txt (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB9.tmp (152335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_v4[1].htm (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\download.jpg (6025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\branding.jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\InstallScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\WelcomeScreen.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer4.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WS_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer2.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\but1.png (5574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferAssets.zip (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BI_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer3.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\OfferScreen_291_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreen_38_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\skip.jpg (2490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBD.tmp (151604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DSS_IMapplication_mon_NV1_2[1].htm (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\LoadingBar.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html (3745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\click.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\trusted1.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_145_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB8.tmp (150063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DS_wrapper_details_v2[1].htm (476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmBC.tmp (148882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB7.tmp (137924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\unchecked.jpg (444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\output.txt (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\checked.jpg (503 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OK (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\success (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html.old (0 bytes)

Registry activity

The process wajam_validate.exe:1672 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 81 1D 53 43 49 D4 4A 9C A9 20 63 8F 46 64 89"

The process %original file name%.exe:1812 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheOptions" = "11"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080420140805\"

"CachePrefix" = ":2014080420140805:"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheLimit" = "8192"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheRepair" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1260053532"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 11 D5 BB 39 B9 CE 75 76 C4 7F F0 BA B8 D9 9B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
b9380b0bea8854fd9f93cc1fda0dfeac	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll
5264f7d6d89d1dc04955cfb391798446	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\GetVersion.dll
b140459077c7c39be4bef249c2f84535	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\Math.dll
c17103ae9072a06da581dec998343fc1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\System.dll
7579ade7ae1747a31960a228ce02e666	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\UserInfo.dll
5afd4a9b7e69e7c6e312b2ce4040394a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\blowfish.dll
134b93f8bd1f82cd2f1b06c878580703	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\inetc.dll
94ba775c8a1f4d6c9bb1966eddce22b5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\manlib.dll
c10e04dd4ad4277d5adc951bb331c777	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll
a056772e31415e022147d5c4ffcfe22a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll
5f13dbc378792f23e598079fc1e4422b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsisunz.dll
2b7007ed0262ca02ef69d8990815cbeb	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\registry.dll
46f5c497f96e733176b010ff0ee56de3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe
46f5c497f96e733176b010ff0ee56de3	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
wajam_validate.exe:1672
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\close-btn.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer5.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\CompleteScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (136383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer1.zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseBA.tmp (172080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (164814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_243_FP_spws243[1].zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfferScreen_235_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\start-bullet.jpg (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\installog.txt (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB9.tmp (152335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_v4[1].htm (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\download.jpg (6025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\branding.jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\InstallScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\WelcomeScreen.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer4.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WS_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer2.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\but1.png (5574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferAssets.zip (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BI_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer3.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\OfferScreen_291_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreen_38_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\skip.jpg (2490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBD.tmp (151604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DSS_IMapplication_mon_NV1_2[1].htm (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\LoadingBar.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html (3745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\click.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\trusted1.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_145_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB8.tmp (150063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DS_wrapper_details_v2[1].htm (476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmBC.tmp (148882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB7.tmp (137924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\unchecked.jpg (444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\output.txt (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\checked.jpg (503 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46304	c52a72deb0170941d392ec38c6aeafd0
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	298072	1024	3.32453	723ad80df002dc5421798f4307abe5cf
.ndata	335872	1908736	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	2244608	102848	102912	3.69799	0f65a45d68577e96223f6c630a739884

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://fglasspeast.com/FCL_Co_v4.php
hxxp://stsunsetwest.com/DS_wrapper_details_v2.php
hxxp://www.wajam.com/download/wajam_validate.exe
hxxp://www.wajam.com/install/valid?v=1&unique_id=0630F6DB1811B361E367028BD09FCCEB
hxxp://secure.goeastcdncache.com.cdngc.net/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip
hxxp://secure.goeastcdncache.com.cdngc.net/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg
hxxp://stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/OfferScreen_243_FP_spws243.zip	174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_291_EN.zip	174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_38_EN.zip	174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_235_EN.zip	174.35.73.156
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_145_EN.zip	174.35.73.156
hxxp://stsunsetwest.com/DS_trackstats_mon_v2.php
hxxp://www.stsunsetwest.com/DS_trackstats_mon_v2.php	50.19.102.217
hxxp://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip
hxxp://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip	174.35.73.156
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip	174.35.73.156
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip	174.35.73.156
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip	174.35.73.156
hxxp://www.fglasspeast.com/FCL_Co_v4.php
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip	174.35.73.156
hxxp://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg
hxxp://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php	50.19.102.217
hxxp://www.stsunsetwest.com/DS_wrapper_details_v2.php	50.19.102.217

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

POST /DS_trackstats_mon_v2.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.stsunsetwest.com

Content-Length: 158

Connection: Keep-Alive

Cache-Control: no-cache

from=wrapper&type=wrapper&pubid=12872&CbId=9342&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&subid=&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&wlc=1

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:49 GMT

Server: Apache/2.2.23 (CentOS)

X-Powered-By: PHP/5.3.28

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

POST /DSS_IMapplication_mon_NV1_2.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.stsunsetwest.com

Content-Length: 336

Connection: Keep-Alive

Cache-Control: no-cache

from=wrapper&type=wrapper&vid=3&pubid=12872&CbId=9342&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&subid=&lid=EN&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&advDetails=38~YES~0/145~YES~0/176~YES~0/226~YES~0/234~YES~0/235~YES~0/270~YES~0/239~YES~0/243~YES~0/251~YES~0/260~YES~0/275~YES~0/277~YES~0/283~YES~0/291~YES~0/301~NO~4//

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:39 GMT

Server: Apache/2.2.23 (CentOS)

X-Powered-By: PHP/5.3.28

Content-Length: 927

Connection: close

Content-Type: text/html; charset=UTF-8

243~hXXp://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~hXXps://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~hXXp://wajam-download.com/download/wajam_download_v2.exe~hXXp://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~hXXp://VVV.reghelper.com/rh/RegistryHelperSetupIM.exe~hXXp://VVV.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0..

GET /install/valid?v=1&unique_id=0630F6DB1811B361E367028BD09FCCEB HTTP/1.1

Host: VVV.wajam.com

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:39 GMT

Server: Apache

Set-Cookie: PHPSESSID=shf3uases3advt3l3998fno5n0; path=/; domain=.wajam.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wau=14071530396341834; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=48,31,99,55,52,48,40,63,72,2; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 1

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w18|U99zk|U99zk; path=/; domain=.wajam.com

0..

GET /nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: secure.goeastcdncache.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:39 GMT

Server: PWS/8.0.25

X-Px: ms h0-s2014.p9-jfk ( h0-s2028.p9-jfk), ht-d h0-s2028.p9-jfk.cdngp.net

ETag: "2c31b1-4f28-4fc460c2c9040"

Cache-Control: max-age=604800

Expires: Tue, 05 Aug 2014 12:55:07 GMT

Age: 514532

Content-Length: 20264

Content-Type: application/zip

Last-Modified: Fri, 20 Jun 2014 15:21:29 GMT

Connection: keep-alive

PK...........Bh=.r5...2 ......but1.png}yeP................2........!.........\.,!.38$...s.=.{.......k...w...1Z.JxO)....<...:.f.?=....XH...3Qx).zA...|.<...[7k(....=T.je..>.......u.....Dm.\y.........5q)_...3....j...`<..e.w..`4.P.U..A.._.{@!...6..6"..R........B...}]]`....... .g....H./.......2T...s......r......................@@^!n>^Q.!Q^>..4.?.y..... .g.?......\..........y...DDD.. .............y2..A..i....rt...e[Y.y{I02.}.W....<.S.?...Z..|<....TW......E{z.@..o........z.y{...8;...pQ9...........U.rp.r.tp...A.x....a.n>......*.<..`6Pey..?..GG[Q.........<H..O.$........).........w..v..........?r.....P..WP[E.7W...Y...s...\.....\.........]...?..k._..1. |(...=..:G.L....U....]:2...*.=N.M..f.Z...9...>k....}/_......>ag..[.W.....g..Pv..g/.u........9...r....z.~<...N]=.N..D].a..... ..O.=.z....Ni...$..'-n\....nD...f.../.......T.W.-.%{i....Cn..B\3Nws......:.h.j.J.L.A.\Y..~.7U..........=).... ....|.I...V.........'v....7X.M....U*RWw.4...0..75.k$y.g...Oi...A.?IL.Pp1.p_...V......._....g7.....%..!"..W.!..lK~.\..pQ..P=.GQ..C...5.T..C....`=b|..>b...O...V..B."j.?PCL..r.Y?..>=.SG.v.......U.q...aX..W..[..E.....= ...ws........@...8oz.I.....j.. /."@...h... ...p.jZ....Wyq...t..B..@r..%..6..w........VIus..d...LxE}..-.2B..A.@o...V.......]...0.^?......\....m..Q:G..s...L......&@.P.'...6.. .W..,.!y.F.V.o....U.8..Y.........~..N|..Cq..{J..Q%..%..(.c.]n.H.Ik.A.i.@C#.}"...I.....o.j.n...G......0.W...N......U.o..q..s$.h.zz-gdl......p.........5_.X.....6...)v......U*..}...Wk....%GL....EV..rV...O....m.....w'.

<<< skipped >>>

GET /BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: secure.goeastcdncache.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:39 GMT

Server: PWS/8.0.25

X-Px: ms h0-s2014.p9-jfk ( h0-s2012.p9-jfk), ht-d h0-s2012.p9-jfk.cdngp.net

ETag: "4a278a-b46-4fc460c25d05d"

Cache-Control: max-age=604800

Expires: Sat, 09 Aug 2014 01:58:28 GMT

Age: 208331

Content-Length: 2886

Content-Type: image/jpeg

Last-Modified: Fri, 20 Jun 2014 15:21:28 GMT

Connection: keep-alive

....\.kwh.LV.......LI....n...E.8...........,....Ll............\..Q.{...f..=X\........8R[...)@...(...Rj...M ....qH....i.c}ri..1f.....9..?.egQ."...R...E6..&...#c...I..L...N... ...%B.O)3Xb:gN.....J....R.6..........Yh._D...8....I.<.)..4.....h....n.h..L.s.2$g......<g.`..ST.(sJ.T.......pZR.. .......}...........m"e*#..H<Z...|.o|LY.d..9.z.O..Y.}..o..."n.M.5...v...a......BR..N.H.$..D.......v..O...0.....t..g..<Q.!..{.D9M.8....&J..ZgU..wUa2..[.....d.YJ^x.V.J.........i.Dz.L.?...%...........I@.\{R$..<..._|.g|LX.f..9.z.O....}........E3..M...E. .A..<d..k...q.)*g..Gk.....s....-.i../...........u.R.......Exif..II*.................Ducky.......<.....)hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:01C2A6FFF88911E3996AB6FAF4E4B048" xmpMM:DocumentID="xmp.did:01C2A700F88911E3996AB6FAF4E4B048"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:01C2A6FDF88911E3996AB6FAF4E4B048" stRef:documentID="xmp.did:01C2A6FEF88911E3996AB6FAF4E4B048"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....

<<< skipped >>>

GET /os/OfferScreen_243_FP_spws243.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: cdn.cmatecdnfast.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:40 GMT

Server: PWS/8.0.25

X-Px: ms h0-s2070.p9-jfk ( h0-s2026.p9-jfk), ht-d h0-s2026.p9-jfk.cdngp.net

ETag: "2809b9-7b3c-4fa11b41c8a80"

Cache-Control: max-age=604800

Expires: Wed, 06 Aug 2014 20:34:43 GMT

Age: 400557

Content-Length: 31548

Content-Type: application/zip

Last-Modified: Fri, 23 May 2014 14:04:10 GMT

Connection: keep-alive

PK........ ..D.K.......7......OfferScreen_243.html.[.n.9..=.....:.{\..e[..A.$3Y$.l..... ..(...bu...1z......}.~.=....$;.X,..-.H..w.dU..y......o.L.........0.o....i....a?.............u,S..Zo...7.:..Z..2X...O[w..VH....G_WV...........'...B.3...r3Y....Bs..}.."~..nd.E...u&<..o... ...#..x...\......V2.o.fb.n.<.:.'UZk.........~.....L.:.W.S.y.............E...,.....-...eod...q.mk.o,.5{dc..Os.H...wm|....{......8....GQ.N.f,.-...I._#6..t..g...\y..X...A;[.......#..;pQ.$....~F,..=.#.-3$@.3...D....60.......<a. ......<..1..H...C~..@.W".'# ...%.T..)s....#...#n.....8.#Vr..R....EQ.....q.3.q".{ .X&......}..3.k....Y.-E..Q.@-......>......[....\..`.@..".W......a..Z.|.h8M...pZ.[..2............O..H.......13O.i:..."..e.....9i....<G..._..!.0..x.$B....G,.~.2.5...3.KH...I. .X..L #....Vp....Bh..8..k..b...}.M:....6tw.K..~.Pm...,... ..`..y.....|.y.{8....f.N..>.\%"i..L..........9....s02y"%.*.>....9kg G...j...X$..).f.x.............D.......9.gr.Gdo....A.ade<..... .r..Z.....A1....8.D:..8......Xj-...l...H.>.)h.......x...c..m.O..i2.x..R.X...D....7..&.8....4T.K/.Pl..>.h$b.oJH.P ;....PTD.....O..&..e........\.-...2..\.2..|..b...]6..Z..D...2.~....L..?..........1.u...|.v.T.6...L....r.\.L..c...Z..a7.c.......j...S.Re....[c...3....s......_..".ad.....f2..:..f2.].=.u._..JH.4.d<.A.U.k.1..B...7J..d..._`V.t...qK..*K.]......k......k.>.4. .k....M.1?...ky...n..F.l...v...;..;..............~..R&.Y.X=......>..$./b...r....vVfX.j.>...?..0.m..T.j%.....O.....|V...o..l`.D.H%..u.....c...9G..&..cw.@.5Z.j..Y.^..h...P......f....?..8

<<< skipped >>>

GET /os/js/OfferScreen_291_EN.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: cdn.cmatecdnfast.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:40 GMT

Server: PWS/8.0.25

X-Px: ms h0-s2070.p9-jfk ( h0-s2077.p9-jfk), ht-d h0-s2077.p9-jfk.cdngp.net

ETag: "2805b3-4476-4fe4f7d9aa180"

Cache-Control: max-age=604800

Expires: Sun, 10 Aug 2014 22:07:25 GMT

Age: 49395

Content-Length: 17526

Content-Type: application/zip

Last-Modified: Wed, 16 Jul 2014 13:27:50 GMT

Connection: keep-alive

PK...........DI..l*...........trusted1.jpg.T_o.V............R...i...66(...hy.V...W.7.J." ..M...}.{.......U?@...).U.}....{...HW:.s...........[c......A.,d.....{t.(P$x...i|.....a"8..G...q.D".$.l........GO......9..^....J.h.../.b....=....<....... .P.p..8L.q....D..E..\...oL/.o.......... ..S..lJZS...%(.P..v.Jz..K...O.....k..\.u.YS..H.)....P.4Q.EYn..Fr.....&...&J...R....;..$..|.B...Y...V...w............(.'..........sY5...O>.slb.$@a.cvyr#x..kv[Q-..Q..%Ch...... }.1.<.u..b...I..2!..M5..f4e.J..n...0I..E9..s;..\}.#'.......<<.)N.q......=.C......U.b.;..1...}u..........r....."...n).NSj.3.w]....G.")F.2,..L.T....n.<($........f..........t...@i........&...A.X,...R..I...J.\Y.U...j..e..n.fn....w....666.m..ZZZZ...3...5v...e.....l..CVh.....Yj..|.(.\.j...........Ze..1.....U.....nA.....OP.)R....oO....T.....3P...L..j.P..z...JQ...z[..>.z.>E..=W.y.gs..._..;....9.Y.....PK.........a.Bh=.r4...2 ......but1.png}YuT.]..R.V.;........kh..$.S...F.........fhPi.......u.z.Y......9....~1Z.JxO)....<...:.f.?=....XH...3Qx).zA...|.<...[7k(....=T.je..>.......u.....Dm.\y.........5q)_...3....j...`<..e.w..`4.P.U..A.._.{@!...6..6"..R.......\.^V....0OQ_......Y...2.....,...I..k...y@..xx.mx.....y..yE.E^..x.x.| ..7.....(/.......<l.Du...}........\..........y...DDD.. .............y2.. ....p.{9.....[Y.y{I02.}.W..da.......}..@>.^.......PW...=.t.v.?.S.....@=..=l.<..._d........C.....*j9.y.y:.... .<|...0[7......E.a.^V0..............HD^AV@HV.$..........dx..D.eE.......x.Ba^.sm.. .......l... ..... .........mp..}f.u....00....E

<<< skipped >>>

GET /os/js/OfferScreen_38_EN.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: cdn.cmatecdnfast.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:40 GMT

Server: PWS/8.0.25

X-Px: ms h0-s2070.p9-jfk ( h0-s2104.p9-jfk), ht h0-s2104.p9-jfk.cdngp.net

ETag: "2805fe-4546-4fe4f4fa61ac0"

Cache-Control: max-age=604800

Expires: Fri, 08 Aug 2014 22:45:56 GMT

Age: 219884

Content-Length: 17734

Content-Type: application/zip

Last-Modified: Wed, 16 Jul 2014 13:14:59 GMT

Connection: keep-alive

PK...........D...`.....N......OfferScreen_38.html.[ys.8..{R...0...#......]'vO..9&V.;.5......"8.hY..........{....v.]{.n..m[$...........7......,.......7,.{..v..z..s.....Wl...q.S-.T)Oz..w....d.^o.\v..]..z...;.5......fvc...O....w.$.'-t.GGGv..,x.?..p..C..B...oTjDj..*........;...#..y..9).4<.X.$..x.!......O.....X.7j.q#'..z.......$X..Td........Q8 ..4.8.L..I..?.*."../..q...Q.....w...5;WQ..F.w..O&*^.{6...,WE.......#...'.....g2......LgC.. .....>..................3.~......7HA.....x.U"c.<...K......Q....3v..D....>,6...S./x..@.7..Jg..I.. .[ad.;L..B-r9.....UK.*.H..#4`..H..q3..D..T.X.j.? ......K.%|5.)..'..n.g...l..k,..e.....GF.....H,...LV..o..G1..H#.....F*/.).o.f....J...dw.P....7.s.#.=....02Q...V..FV.<..t...D>bK...p0.[g...y..l0^....-7..H.a._..6KU..Lp.r\.Y..lJ.......k...Rod...<]_..B....E_NAG......t28B.8.B..v.#..)..._...!h)...e.3.e...-.~.....$...t:r....j^G......y.v.........w./F6...B../ZQ..............(.~...fX8..?."t..:d.s.%..n.....3|..|.-r.........FU~...Q....s..".9..^..!.i}0'jb.....%..k...]....C....cI..C.=).Q../....z~...|b.s.a.._.u-...nd.|.q<&..CS....o.3j.Y.=.1...ga.Yg2...O...I...i...- ..(e..D...........l.....*r.............|4.*`.X..Y&..k.L.2..........A..&.k......z....\`..../.......}...h....[.......=". <.I"....Et3Qw...: .I.D$>Ah.. k..e"..W...d.........6<..x.0-z.....L$b..`..0D...S7j..Rm.sS...........&6..\...,....} ..LeE.y... .....Z.'..~.9.s....".aM.t..{.u......~u..6.;..6.w.v;.5..%|..Hv(I.,L6@;b.......>..(....Y.....9?.Gm...# k...Q.z-3.}....l..W.0.b...]...}.4.........\.../.:.y)J...@..g............

<<< skipped >>>

GET /os/js/OfferScreen_235_EN.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: cdn.cmatecdnfast.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:40 GMT

Server: PWS/8.0.25

X-Px: ms h0-s2070.p9-jfk ( h0-s2117.p9-jfk), ht h0-s2117.p9-jfk.cdngp.net

ETag: "2806b3-46ef-4fe4f609399c0"

Cache-Control: max-age=604800

Expires: Fri, 08 Aug 2014 17:31:06 GMT

Age: 238774

Content-Length: 18159

Content-Type: application/zip

Last-Modified: Wed, 16 Jul 2014 13:19:43 GMT

Connection: keep-alive

PK...........D,..ZQ...xP......OfferScreen_235.html.[{o.H..{..;.0.l2...#.-;..V&.u..%.l.......5.....5...5...r.I..../..Y....x&...z......7..../..l...}.}.99g........]....?.>].A..f9OU.#....._y.[i...z.......|........7.......:..=.vJ...8Ug;......v.X...'Bs..}..".?..e.E...&.....3O.....C..x..> ..?.X.$.q6.....v....i:[.D..$.:..@...j6...y.....7.^.GG....$.....I.4.cv.9.a.. ..w.=s.V).......t..dP$ (.....\.....<.[..H......3d.<....Jx.......0.......,...E...l%..J..}.=T;.f......~.@T..C.2.E~2..J.Q.^..g.b..'.HD......=.2....~..-..'............(.x.a.E|/t...S....y....(YV.S......:..E s.qs.@3..Q*..b...H......#..|s......2....e...._...0..}H.>..U..y 5...(..........E..6.2l.d~OR....k...........*.){l.g.G1z..I..2.\........<...I.Q'.![G.^....m..A.......<~...k.^....?g..,.~.2.5...3...).w.Q..c.....z.e;X..6.........c.t..w.u.X....&6....=........_."-|.R X.9....d%.A....|aA.........iU.;.Uw.....l.{....N.........d.....a..o....pp.....Q...-.62...co..D...~..X.......9.W2.C28.... .....&G.....^h9,....,o..'.(.E:..9...t...Rk...O..BJ........~.........2......E.=/.S..Ko...V. .....B..K..h.........\...ru...H..B......6..X...~..Nt..Y..KC-=.r.........>j......... .J.El.....h..4....ox]?.....}..E..<.J|.%..5O.z.(L.2.......T..^..L.?.. c&M.q._A.{.......q...d..ZT.>..#G2..T.[ X..n...?5l@Y....].P....9dT..(.. u......0@1.op...s......_.."."....1L.8kW..Xk..n.....o@.*WL..:A{.b.e.D.4.F........Q.B....;......Zrb....-*.`..t-.G.u.U.......k......\o.no.....O.......-.V....~....t.....u.x..w..9...x.f....5.9.._..."t#..j>...".....*........-6...b...Q....a.S..X*.. .#c..

<<< skipped >>>

GET /os/js/OfferScreen_145_EN.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: cdn.cmatecdnfast.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:40 GMT

Server: PWS/8.0.25

X-Px: ms h0-s2070.p9-jfk ( h0-s2080.p9-jfk), ht h0-s2080.p9-jfk.cdngp.net

ETag: "280655-544d-4fe4f54f42300"

Cache-Control: max-age=604800

Expires: Wed, 06 Aug 2014 05:02:51 GMT

Age: 456469

Content-Length: 21581

Content-Type: application/zip

Last-Modified: Wed, 16 Jul 2014 13:16:28 GMT

Connection: keep-alive

PK........Z..D........"N......OfferScreen_145.html.[.r.8......Z.T.].......-YR.m.. .I{... ...S...%k\]5...r.$s..@Q......?...I.88...@..O.ag.p.c.......m..JN....S.v'].....[V...$.a. _.<.V{.. -.....z...O 2.W'......bs............i..e.&W.../...r=Yp......g;./...*ud.D...&.%......O...[.].8..*U3......O.............d!..#..W.4.Z..`..L.J....dJ...9?o\8u.L.*...a.x....Xz...|)>\V. .J.......x...M..(.....Tz.....}..2.....5.m.._.....<..a..D...p..c..l..zV...[...P...........1....=...<"..{"n..a"..co\.i.@.T..D....m..gW.2n...`......x..V."..)Pj.>.....VB../....$".g- ./...C.......4.....:.x~..|......3...h....c.....[-.:..8.!;.$...H.....l.?......X..`c ..H.g....../..7S..I....D<,.W7.#.U....03.\5.";..."...?... K.-..=.h..gE.*n.......88.8....A T.{4?f.tb...X..1M|...pe...z.k.&.R....V...... kY.......DU...1:._.N...y.'.....UC......h....u.#feh..J.E.....x..8.....t..o.P....'o.I.....Y..........X.A..AT...Z.d..5...}#..?...w.v....c4.u..o..........S|!..E...0...@.E..D.,|.4-.,H.n.T.V&]..6.r.....D.2J9.\..Fv.R).l.GO....`...1..9..?....3.h...........v....b.$.../.r.;..a...T...J...Q...f..).r....4.....$.....y.s...B........I.......F.V.O.2.....O.C gF..:...R.?yK........H.D..[.. a..c|.jM..[..z..S....Ix..D.k.]..q*.J.....8.S.......M.\.Q6........UN..t8B.....=...?....*.....[..A0.#..U/F5.f.....^...m.H.F..i...|........M$.4*..x..p...@.`..Q...:.........H..|6..t.R...w.....Ls..Awmwr..]^B..'\.sB..-b\I.CY.bq..........f]W.o...*..,...G....8..._... E.....j.a..A.y..x...Y.. ......w@.?.......m:`.........2..MU....W.1c'f...j/...G....2O3.H3.a.E..f..MFX.=.=K?...\;..,G.t...p..V..F

<<< skipped >>>

POST /DS_wrapper_details_v2.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.stsunsetwest.com

Content-Length: 47

Connection: Keep-Alive

Cache-Control: no-cache

CbId=9342&&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:35 GMT

Server: Apache/2.2.23 (CentOS)

X-Powered-By: PHP/5.3.28

Content-Length: 476

Connection: close

Content-Type: text/html; charset=UTF-8

Flash Player~hXXp://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg~EI~http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe~$BrowserToPop~0~0~~hXXp://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip~install_flashplayer11x32_mssd_aaa_aih.exe~hXXp://downloadupdates.in/MA1/flash_thankyou2.php~3C~1~1~1~~~~~0~0~~OW..

POST /FCL_Co_v4.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.fglasspeast.com

Content-Length: 180

Connection: Keep-Alive

Cache-Control: no-cache

from=wrapper&type=wrapper&vid=3&pubid=12872&CbId=9342&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&BundleVersionID=IM_210714@01

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:34 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 344

Connection: close

Content-Type: text/html; charset=UTF-8

hXXp://VVV.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php#hXXp://www.stsunsetwest.com/DS_trackstats_mon_v2.php#CA#hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php#hXXp://VVV.stsunsetwest.com/DS_wrapper_details_v2.php#hXXp://VVV.wajam.com/download/wajam_validate.exe#38/145/176/184/226/234/235/270/239/243/251/260/275/277/283/291/301/320/339/..

GET /download/wajam_validate.exe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Mon, 04 Aug 2014 11:50:35 GMT

Server: Apache

Last-Modified: Wed, 14 Aug 2013 20:48:34 GMT

ETag: "44414-2c00-4e3ee7b227727"

Accept-Ranges: bytes

Content-Length: 11264

Connection: close

Content-Type: application/x-msdos-program

X-Pad: avoid browser bug

Set-Cookie: APPSESSID=w5|U99zj|U99zj; path=/; domain=.wajam.com

Cache-control: private

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z~..;...;...;..D'...;../$...;../$...;../$...;..D3M..;...;...;../$...;../$...;..Rich.;..........PE..L...A..R.................0.......`.......p........@.................................................................................................................................................................................................UPX0.....`..............................UPX1.....0...p...&..................@...UPX2.................*..............@..............................................................................................................................................................................................................................................................................................................................................................................................................3.09.UPX!......X,)rA..u..."......&..b....U...E..@...M...U..._B..#Eg......A...........vT2.].?...%"....E.!..M.........?..k..n......}........j!...}w..Y.H.../.J....M..w.{..;s.LB......~.}.A.}..tq...B..@~..{k..@. fi.....w..{..U..P..Q M.L......Q.{<v...>.}..n?.X....*.. M.....R.{.u5P1.n...J..@..w.e......}.@|.>ns..f.Q)....&a.Z.R.7z.1....`..P.=/.k..*.Q.....3..`....Xa...t,aP...u.o..-MM...j@:.R.E.P]s..>.M..d.F..U..;|..E........onY.. ...}7X.3........3..B........I.......L.p......6.#....#...............x.j."B.a...4.X...!fu....'#U....?.....2<...

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1812:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

http://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|<>/":

ShowWebInPage

m\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll

html.old

void collision with other applications and/or components; and (b) operate in a proxy configuration as part of the Software and the Services. Proxy is a server that acts as an intermediary for requests from clients seeking resources from other servers. If you wish to revert back such proxy configuration to its original state, you have to completely uninstall the Software or use the opt out option that will be provided to you by us within some of the Services; (c) once the Software is installed we may, now or in the future, use features or components to counter third party attempts to modify or replace your then-current proxy configuration without notifying you or get your permission to do so; Such third parties may include (without limitation) malicious programs and other harmful code that, in some cases, may compromise your system (collectively or in separate

). You are hereby giving us your permission to use such features automatically without prior notification to you. Such features and components will act to protect your then-current proxy configurations, however we cannot guarantee 100% success and in no case we will be responsible for any Un-permitted Access or changes made to your system preferences or proxy configurations or to any damage that might have been caused to you due to Un-permitted Access; (d) periodically install automated updates to the Software on your computer as set forth in section 8; (e) place a small icon of the Software in your operating system

s icon tray, from which you will be able to launch the Website to switch on and off the operation of the Software, to change or update your preferences and account settings;<br />

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll

dm\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html

OfferScreen_145.html.old

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp

OfferScreen_145.html

but1.png

.PwF~

CompleteScreen.html

InstallScreen.html

LoadingBar.gif

`,..VWW

start-bullet.jpg

GetProcessHeap

nsisunz.dll

NL~%s

o7.6.3

0*%UP

q.ya!

%u X`i@

_$,ZS.db

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html.old

OF5A05~1.OLD

243.html#1?skipall=0buttons=1

matecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0

145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0

1953392

{E1070104-F404-44CE-B556-0622F9D63EE5}

AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport

ementById('btnJSClose').style.marginLeft="35px";

:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoBD.tmp

etElementById('btnJSClose').style.marginLeft="35px";

c:\%original file name%.exe

%original file name%.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB2.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

1704186

420088014

1638636

1835178

1507664

1638642

1638626

1114208

1966388

1245508

1507604

http://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg

http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe

http://www.fglasspeast.com/FCL_Co_v4.php

http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php#http://www.stsunsetwest.com/DS_trackstats_mon_v2.php#CA#http://www.stsunsetwest.com/DS_AdvAffiliateId.php#http://www.stsunsetwest.com/DS_wrapper_details_v2.php#http://www.wajam.com/download/wajam_validate.exe#38/145/176/184/226/234/235/270/239/243/251/260/275/277/283/291/301/320/339/

http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php

http://www.stsunsetwest.com/DS_trackstats_mon_v2.php

http://www.stsunsetwest.com/DS_AdvAffiliateId.php

http://www.wajam.com/download/wajam_validate.exe

243~http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0

http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip

https://sp-storage.spccinta.com/sp-downloader.exe

http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip

https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe

http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip

http://wajam-download.com/download/wajam_download_v2.exe

http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe

http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip

http://www.reghelper.com/rh/RegistryHelperSetupIM.exe

http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip

http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe

zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0

~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0

\Program Files\Internet Explorer\iexplore.exe" -nohome

install_flashplayer11x32_mssd_aaa_aih.exe

http://downloadupdates.in/MA1/flash_thankyou2.php

http://www.stsunsetwest.com/DS_wrapper_details_v2.php

Flash Player~http://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg~EI~http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe~$BrowserToPop~0~0~~http://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip~install_flashplayer11x32_mssd_aaa_aih.exe~http://downloadupdates.in/MA1/flash_thankyou2.php~3C~1~1~1~~~~~0~0~~OW

http://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip

fast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0

38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0

235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0

p://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip

970.exe

ps://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1

ge.exe~null~0~0

/s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0

<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v11-Jul-2014.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>

%original file name%.exe_1812_rwx_00DA4000_00001000:

callback%d

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps