Skip to main content

Wajam_0b7ac49072


Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: PUP

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 0b7ac49072358260594f187d7c105e63

SHA1: 447fa1008e9850f0d8ac547b91255a4e1e89df72

SHA256: 65812345768cade83401b5682c78998216d86ba76af6fa5f4c293db79b276d2e

SSDeep: 24576:YVE AdZnHU9DPPPFAw2BaucwWboSh9ODCVS6QKOmoDeL:Ym AenFAndcwOnhyPYOmoQ

Size: 1040456 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2009-12-06 00:53:18

Analyzed on: WindowsAda SP3 32-bit

Summary: PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which in a certain context can be wanted e.g. remote administration tools or IRC clients.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wmic.exe:3364
wmic.exe:2836
BrowsingHistoryView.exe:2620
%original file name%.exe:132
InstalledPrograms.exe:2608
update.exe:2720
IEHistory.exe:2596
WajamUpdaterV3.exe:2920
WajamUpdaterV3.exe:2884
msfeedssync.exe:1176

The Trojan injects its code into the following process(es):No processes have been created.

File activity

The process wmic.exe:3364 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\TempWmicBatchFile.bat (0 bytes)

The process wmic.exe:2836 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Temp\TempWmicBatchFile.bat (0 bytes)

The process BrowsingHistoryView.exe:2620 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsy2B.tmp (134 bytes)

The process %original file name%.exe:132 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\P7FVQ6SQ.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Tesco.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\A35Y4S5C.txt (668 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Google.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\image.bmp (36848 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\HomeDepot.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Yahoo!.lnk (1 bytes)
%Program Files%\Wajam\Logos\ikea.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Ask.lnk (1 bytes)
%Program Files%\Wajam\Logos\tesco.ico (3 bytes)
%Program Files%\Wajam\Logos\wiki.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\MoreInfo.dll (7 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Sears.lnk (1 bytes)
%Program Files%\Wajam\Logos\bestbuy.ico (3 bytes)
%Program Files%\Wajam\Logos\argos.ico (3 bytes)
%Program Files%\Wajam\Logos\twitter.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstalledPrograms.exe (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Mercadolivre.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Bing.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\SZ663247.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Wajam Website.lnk (1 bytes)
%Program Files%\Wajam\Logos\yahoo.ico (3 bytes)
%Program Files%\Wajam\Logos\homedepot.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\DK34WMK6.txt (674 bytes)
%Program Files%\Wajam\Logos\mysearchweb.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Walmart.lnk (1 bytes)
%Program Files%\Wajam\IE\favicon.ico (3 bytes)
%Program Files%\Wajam\install.log (237125 bytes)
%Program Files%\Wajam\Logos\walmart.ico (3 bytes)
%Program Files%\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi (784 bytes)
%Program Files%\Wajam\Logos\google.ico (3 bytes)
%Program Files%\Wajam\IE\priam_bho.dll (10136 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Zalando.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\MyShopping.lnk (1 bytes)
%Program Files%\Wajam\uninstall.exe (25072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\inetc.dll (784 bytes)
%Program Files%\Wajam\Logos\ebay.ico (3 bytes)
%Program Files%\Wajam\Updater\WajamUpdaterV3.exe (3616 bytes)
%Documents and Settings%\%current user%\Cookies\L21J4BXI.txt (672 bytes)
%Program Files%\Wajam\Logos\zalando.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Wajam\Chrome\wajam.crx (784 bytes)
%Documents and Settings%\%current user%\Cookies\EQXO57IY.txt (668 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Facebook.lnk (1 bytes)
%Program Files%\Wajam\Logos\tripadvisor.ico (3 bytes)
C:\end (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Argos.lnk (1 bytes)
%Program Files%\Wajam\Logos\ask.ico (3 bytes)
%Program Files%\Wajam\Logos\settings.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Twitter.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Uninstall Wajam\uninstall.lnk (1 bytes)
%Program Files%\Wajam\Logos\setting.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsisos.dll (5 bytes)
%Program Files%\Wajam\Logos\mercado.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\TripAdvisor.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\EFQIU8KS.txt (672 bytes)
%Program Files%\Wajam\Logos\bing.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Cookies\L6KPLR5E.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\imageClick.bmp (1 bytes)
%Program Files%\Wajam\Logos\favicon.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Lowe's.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\7M78CNKI.txt (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ikea.lnk (1 bytes)
%Program Files%\Wajam\IE\wajamLogo.bmp (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\IMDb.lnk (1 bytes)
%Program Files%\Wajam\Logos\searchresult.ico (3 bytes)
%Program Files%\Wajam\Logos\target.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk28.tmp (48616 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ebay.lnk (1 bytes)
%Program Files%\Wajam\Logos\myshopping.ico (3 bytes)
%Program Files%\Wajam\Logos\sears.ico (3 bytes)
%Program Files%\Wajam\Logos\lowes.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\OS1TLL8Q.txt (672 bytes)
%Documents and Settings%\%current user%\Cookies\R32V3M3J.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Target.lnk (1 bytes)
%Program Files%\Wajam\Logos\amazon.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\GLSRRIJR.txt (448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsJSON.dll (7 bytes)
%Documents and Settings%\%current user%\Cookies\F09WAPTW.txt (80 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Etsy.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\System.dll (11 bytes)
%Program Files%\Wajam\Logos\shopping.ico (3 bytes)
%Program Files%\Wajam\Chrome\nativeMessagingHost\NativeMessageHost.exe (4992 bytes)
%Program Files%\Wajam\Logos\etsy.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Shopping.com.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Settings.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\md5dll.dll (6 bytes)
%Program Files%\Wajam\Logos\wajam.ico (3 bytes)
%Program Files%\Wajam\Logos\imdb.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Amazon.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\QI6C88M5.txt (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\DcryptDll.dll (14 bytes)
%Documents and Settings%\%current user%\Cookies\XXPE3OH1.txt (674 bytes)
%Program Files%\Wajam\Chrome\nativeMessagingHost\host.json (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IEHistory.exe (8560 bytes)
%Program Files%\Wajam\Logos\facebook.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Wikipedia.lnk (1 bytes)

The Trojan deletes the following file(s):

%Program Files%\Wajam\install.log (0 bytes)
%Documents and Settings%\%current user%\Cookies\F09WAPTW.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\N59IS3V2.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\P7FVQ6SQ.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\EFQIU8KS.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\L6KPLR5E.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsDialogs.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\DK34WMK6.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\MoreInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\GetVersion.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\7M78CNKI.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\L21J4BXI.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\QI6C88M5.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\EQXO57IY.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv27.tmp (0 bytes)
C:\end (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\DcryptDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\image.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstalledPrograms.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IEHistory.exe (0 bytes)
%Documents and Settings%\%current user%\Cookies\SZ663247.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\R32V3M3J.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\OS1TLL8Q.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsJSON.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\imageClick.bmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\GLSRRIJR.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsisos.dll (0 bytes)

The process InstalledPrograms.exe:2608 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Cookies\N59IS3V2.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2F.tmp (1653 bytes)
%Documents and Settings%\%current user%\Cookies\XV9YEEH2.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp\inetc.dll (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Cookies\A35Y4S5C.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\XV9YEEH2.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp (0 bytes)

The process update.exe:2720 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\Cookies\08BKN1K7.txt (81 bytes)
%WinDir%\Temp\nsq32.tmp\nsRandom.dll (479 bytes)
%Documents and Settings%\LocalService\Cookies\7PETCTC0.txt (677 bytes)
%Documents and Settings%\LocalService\Cookies\ZR71P2D7.txt (229 bytes)
%WinDir%\Temp\nsq32.tmp\ns34.tmp (6 bytes)
%WinDir%\Temp\nsq32.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\LocalService\Cookies\6647XX2W.txt (677 bytes)
%Documents and Settings%\LocalService\Cookies\9KEYOQLI.txt (677 bytes)
%WinDir%\Temp\nsq32.tmp\inetc.dll (20 bytes)
%WinDir%\Temp\nsq32.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\LocalService\Cookies\SLDURU7H.txt (453 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\LocalService\Cookies\08BKN1K7.txt (0 bytes)
%WinDir%\Temp\nsq32.tmp\nsRandom.dll (0 bytes)
%WinDir%\Temp\nsb31.tmp (0 bytes)
%Documents and Settings%\LocalService\Cookies\ZR71P2D7.txt (0 bytes)
%WinDir%\Temp\nsq32.tmp\ns34.tmp (0 bytes)
%WinDir%\Temp\nsq32.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\LocalService\Cookies\6647XX2W.txt (0 bytes)
%Documents and Settings%\LocalService\Cookies\9KEYOQLI.txt (0 bytes)
%WinDir%\Temp\nsq32.tmp\inetc.dll (0 bytes)
%WinDir%\Temp\nsq32.tmp (0 bytes)
%WinDir%\Temp\nsq32.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\LocalService\Cookies\SLDURU7H.txt (0 bytes)

The process IEHistory.exe:2596 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\BrowsingHistoryView.exe (7722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\inetc.dll (20 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\ExecCmd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BrowsingHistoryView.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\inetc.dll (0 bytes)

The process WajamUpdaterV3.exe:2920 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\LocalService\IETldCache\index.dat (16 bytes)
%Program Files%\Wajam\Updater\update.exe (2694 bytes)

The process msfeedssync.exe:1176 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (4472 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)

Registry activity

The process wmic.exe:3364 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 F8 E5 01 5E BB 2D 5D BF D3 62 E5 35 21 37 F2"

[HKU\.DEFAULT\Software\Microsoft\Wbem\WMIC]
"WMICLC" = "0"

[HKLM\SOFTWARE\Microsoft\WBEM\WMIC]
"Cli.mof" = "128526480000000000"
"CliEgAliases.mof" = "128526480000000000"

[HKU\.DEFAULT\Software\Microsoft\Wbem\WMIC]
"mofcompMUIStatus" = "0"

[HKLM\SOFTWARE\Microsoft\WBEM\WMIC]
"CliEgAliases.mfl" = "128526480000000000"
"mofcompstatus" = "1"

The process wmic.exe:2836 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 A0 6B FA FE 30 92 7E 89 3A 43 06 B3 D1 DE E3"

The process BrowsingHistoryView.exe:2620 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 6E 00 7C F1 55 30 35 84 16 4A 3E DD 90 CA 8D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The process %original file name%.exe:132 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods]
"(Default)" = "20"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID]
"(Default)" = "wajam.WajamBHO"

[HKCU\Software\Wajam]
"nocancelremoval" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\AppID\priam_bho.DLL]
"AppID" = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}"

[HKCR\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32]
"ThreadingModel" = "Both"

[HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Wajam\Chrome\wajam.crx"

[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID]
"(Default)" = "wajam.WajamDownloader"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"RegOwner" = "Wajam"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"HelpLink" = "http://www.wajam.com/contact_us.php"

[HKCR\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"Publisher" = "Wajam"

[HKLM\SOFTWARE\Wajam]
"MACHINE_ID" = "46aa385c6a8fd1eaaa3ec67152de086e"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"InstallSource" = "c:"

[HKCR\wajam.WajamBHO\CLSID]
"(Default)" = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCR\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
"(Default)" = "PSFactoryBuffer"

[HKLM\SOFTWARE\Wajam\Update]
"UpdateURL" = "http://www.wajam.com/update/Updater/wajam_update.exe"

[HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp]
"Version" = "1.32"

[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0]
"(Default)" = "wajam 1.0 Type Library"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"

[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib]
"(Default)" = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"

[HKCU\Software\Wajam]
"unique_id" = "5781DBE94514B625F00A3444CF38C648"

[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 E7 48 2C 79 1F 61 5D D0 7E EC 04 3A 3A 0C DE"

[HKCR\wajam.WajamDownloader.1]
"(Default)" = "WajamDownloader Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib]
"(Default)" = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"DisplayVersion" = "2.15"
"UninstallString" = "%Program Files%\Wajam\uninstall.exe"

[HKCR\wajam.WajamDownloader.1\CLSID]
"(Default)" = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"

[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Wajam]
"affiliate_id" = "3672"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Wajam]
"rec" = "2"
"reb" = "3"
"red" = "4"

[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID]
"(Default)" = "wajam.WajamBHO.1"

[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"DisplayName" = "Wajam"

[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
"(Default)" = "Wajam"

[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}]
"(Default)" = "WajamDownloader Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"RegCompany" = "Wajam"

[HKLM\SOFTWARE\Wajam\Update]
"Status" = "-1"

[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCR\wajam.WajamBHO.1\CLSID]
"(Default)" = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
"(Default)" = "IWajamBHO"

[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID]
"(Default)" = "wajam.WajamDownloader.1"

[HKCR\wajam.WajamBHO.1]
"(Default)" = "Wajam"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"NoRepair" = "1"

[HKLM\SOFTWARE\Wajam]
"res" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCR\wajam.WajamDownloader\CLSID]
"(Default)" = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"

[HKCU\Software\Wajam]
"no_trace" = "true"

[HKCR\wajam.WajamBHO\CurVer]
"(Default)" = "wajam.WajamBHO.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"URLInfoAbout" = "http://www.wajam.com"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCR\wajam.WajamDownloader]
"(Default)" = "WajamDownloader Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Wajam]
"Install_Dir" = "%Program Files%\Wajam"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCR\wajam.WajamBHO]
"(Default)" = "Wajam"

[HKCR\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}]
"(Default)" = "Wajam"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"DisplayIcon" = "%Program Files%\Wajam\IE\favicon.ico"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.wajam.chrome.messaging.host]
"(Default)" = "%Program Files%\Wajam\Chrome\nativeMessagingHost\host.json"

[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"

[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib]
"(Default)" = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"

[HKCU\Software\Wajam]
"affiliate_id_2" = "none"

[HKLM\SOFTWARE\Wajam]
"mit" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"NoModify" = "1"

[HKCU\Software\Mozilla\Firefox\Extensions]
"{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}" = "%Program Files%\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi"

[HKCR\wajam.WajamDownloader\CurVer]
"(Default)" = "wajam.WajamDownloader.1"

[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Wajam\IE"

[HKCU\Software\Wajam]
"install_timestamp" = "1400860933"
"skip_new_tab" = "true"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"InstallLocation" = "%Program Files%\Wajam"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
"NoExplorer" = "1"

"(Default)" = "Wajam IE BHO"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Wajam]
"nocancelremoval"

The process InstalledPrograms.exe:2608 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 F9 83 E8 96 F4 1B 18 FD 57 97 68 82 BA 7A 58"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process update.exe:2720 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 0D 31 6B D1 52 49 24 0F EE 5D 4F 94 13 4D 74"

[HKLM\SOFTWARE\Wajam]
"reb" = "6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

[HKLM\SOFTWARE\Wajam]
"rec" = "5"
"reb-x" = "6"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "0"
[HKLM\SOFTWARE\Wajam]
"rec-x" = "5"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process IEHistory.exe:2596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 57 72 78 68 C6 10 E4 B8 0B 08 A6 90 C5 AA 2C"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process WajamUpdaterV3.exe:2920 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionLow" = "393305116"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheLimit" = "8192"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"StaleIETldCache" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheOptions" = "9"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"

[HKLM\SOFTWARE\Wajam\Update]
"ldts" = "Type: REG_QWORD, Length: 8"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePath" = "%USERPROFILE%\IETldCache"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionHigh" = "1"
"IETldDllVersionHigh" = "524288"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionLow" = "13"

[HKLM\SOFTWARE\Wajam\Update]
"last_update_check" = "Type: REG_QWORD, Length: 8"
"Status" = "-1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C AD 67 F7 68 34 D1 B3 07 A4 48 90 41 DB B0 07"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePrefix" = "ietld:"

[HKLM\SOFTWARE\Wajam\Update]
"update_pending" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheRepair" = "0"

[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation]
"TLDUpdates" = "1"

[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan deletes the following value(s) in system registry:

[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"

The process WajamUpdaterV3.exe:2884 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 4D F7 12 FD 0F 9D 72 6C 76 75 EF 47 4E B6 7E"

[HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
"LocalService" = "WajamUpdaterV3"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\WajamUpdater]
"EventMessageFile" = "%Program Files%\Wajam\Updater\WajamUpdaterV3.exe"
"TypesSupported" = "7"

The Trojan deletes the following value(s) in system registry:

[HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
"LocalService"

The process msfeedssync.exe:1176 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Internet Explorer\Suggested Sites]
"DeletePending" = "0"
"UploadDiagInfo" = "1C 5C 00 00 71 17 00 08 80 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

Dropped PE files

MD5 File path
3f2412930321fa1ad84310c8adecb26ac:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IEHistory.exe
720e614a557d3b8a73d7f844177f2e30c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\InstalledPrograms.exe
becf90c3b4ec8f3bef9d11855c0a86b0c:\Program Files\Wajam\Chrome\nativeMessagingHost\NativeMessageHost.exe
eb10260824118b484fdd4f7daad43b23c:\Program Files\Wajam\IE\priam_bho.dll
58e407df43ca11ade8aecfe629feacd1c:\Program Files\Wajam\Updater\WajamUpdaterV3.exe
11fcb6824b912480af7d54a8547dfcb8c:\Program Files\Wajam\Updater\update.exe
90419b495b8105f7a239c05a3ac0003fc:\Program Files\Wajam\uninstall.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    wmic.exe:3364
    wmic.exe:2836
    BrowsingHistoryView.exe:2620
    %original file name%.exe:132
    InstalledPrograms.exe:2608
    update.exe:2720
    IEHistory.exe:2596
    WajamUpdaterV3.exe:2920
    WajamUpdaterV3.exe:2884
    msfeedssync.exe:1176

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Temp\TempWmicBatchFile.bat (0 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2B.tmp (134 bytes)
    %Documents and Settings%\%current user%\Cookies\P7FVQ6SQ.txt (674 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Tesco.lnk (1 bytes)
    %Documents and Settings%\%current user%\Cookies\A35Y4S5C.txt (668 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Google.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\image.bmp (36848 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\HomeDepot.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Yahoo!.lnk (1 bytes)
    %Program Files%\Wajam\Logos\ikea.ico (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Ask.lnk (1 bytes)
    %Program Files%\Wajam\Logos\tesco.ico (3 bytes)
    %Program Files%\Wajam\Logos\wiki.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\MoreInfo.dll (7 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Sears.lnk (1 bytes)
    %Program Files%\Wajam\Logos\bestbuy.ico (3 bytes)
    %Program Files%\Wajam\Logos\argos.ico (3 bytes)
    %Program Files%\Wajam\Logos\twitter.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\InstalledPrograms.exe (1856 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Mercadolivre.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Bing.lnk (1 bytes)
    %Documents and Settings%\%current user%\Cookies\SZ663247.txt (674 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Wajam Website.lnk (1 bytes)
    %Program Files%\Wajam\Logos\yahoo.ico (3 bytes)
    %Program Files%\Wajam\Logos\homedepot.ico (3 bytes)
    %Documents and Settings%\%current user%\Cookies\DK34WMK6.txt (674 bytes)
    %Program Files%\Wajam\Logos\mysearchweb.ico (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Walmart.lnk (1 bytes)
    %Program Files%\Wajam\IE\favicon.ico (3 bytes)
    %Program Files%\Wajam\install.log (237125 bytes)
    %Program Files%\Wajam\Logos\walmart.ico (3 bytes)
    %Program Files%\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi (784 bytes)
    %Program Files%\Wajam\Logos\google.ico (3 bytes)
    %Program Files%\Wajam\IE\priam_bho.dll (10136 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Zalando.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\MyShopping.lnk (1 bytes)
    %Program Files%\Wajam\uninstall.exe (25072 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\inetc.dll (784 bytes)
    %Program Files%\Wajam\Logos\ebay.ico (3 bytes)
    %Program Files%\Wajam\Updater\WajamUpdaterV3.exe (3616 bytes)
    %Documents and Settings%\%current user%\Cookies\L21J4BXI.txt (672 bytes)
    %Program Files%\Wajam\Logos\zalando.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Wajam\Chrome\wajam.crx (784 bytes)
    %Documents and Settings%\%current user%\Cookies\EQXO57IY.txt (668 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Facebook.lnk (1 bytes)
    %Program Files%\Wajam\Logos\tripadvisor.ico (3 bytes)
    C:\end (5 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Argos.lnk (1 bytes)
    %Program Files%\Wajam\Logos\ask.ico (3 bytes)
    %Program Files%\Wajam\Logos\settings.ico (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Twitter.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Uninstall Wajam\uninstall.lnk (1 bytes)
    %Program Files%\Wajam\Logos\setting.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsisos.dll (5 bytes)
    %Program Files%\Wajam\Logos\mercado.ico (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\TripAdvisor.lnk (1 bytes)
    %Documents and Settings%\%current user%\Cookies\EFQIU8KS.txt (672 bytes)
    %Program Files%\Wajam\Logos\bing.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\IpConfig.dll (4992 bytes)
    %Documents and Settings%\%current user%\Cookies\L6KPLR5E.txt (668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\imageClick.bmp (1 bytes)
    %Program Files%\Wajam\Logos\favicon.ico (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Lowe's.lnk (1 bytes)
    %Documents and Settings%\%current user%\Cookies\7M78CNKI.txt (226 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\SimpleSC.dll (1856 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ikea.lnk (1 bytes)
    %Program Files%\Wajam\IE\wajamLogo.bmp (5 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\IMDb.lnk (1 bytes)
    %Program Files%\Wajam\Logos\searchresult.ico (3 bytes)
    %Program Files%\Wajam\Logos\target.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsk28.tmp (48616 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ebay.lnk (1 bytes)
    %Program Files%\Wajam\Logos\myshopping.ico (3 bytes)
    %Program Files%\Wajam\Logos\sears.ico (3 bytes)
    %Program Files%\Wajam\Logos\lowes.ico (3 bytes)
    %Documents and Settings%\%current user%\Cookies\OS1TLL8Q.txt (672 bytes)
    %Documents and Settings%\%current user%\Cookies\R32V3M3J.txt (674 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Target.lnk (1 bytes)
    %Program Files%\Wajam\Logos\amazon.ico (3 bytes)
    %Documents and Settings%\%current user%\Cookies\GLSRRIJR.txt (448 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsJSON.dll (7 bytes)
    %Documents and Settings%\%current user%\Cookies\F09WAPTW.txt (80 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Etsy.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\System.dll (11 bytes)
    %Program Files%\Wajam\Logos\shopping.ico (3 bytes)
    %Program Files%\Wajam\Chrome\nativeMessagingHost\NativeMessageHost.exe (4992 bytes)
    %Program Files%\Wajam\Logos\etsy.ico (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Shopping.com.lnk (1 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Settings.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsDialogs.dll (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\md5dll.dll (6 bytes)
    %Program Files%\Wajam\Logos\wajam.ico (3 bytes)
    %Program Files%\Wajam\Logos\imdb.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\GetVersion.dll (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Amazon.lnk (1 bytes)
    %Documents and Settings%\%current user%\Cookies\QI6C88M5.txt (670 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\DcryptDll.dll (14 bytes)
    %Documents and Settings%\%current user%\Cookies\XXPE3OH1.txt (674 bytes)
    %Program Files%\Wajam\Chrome\nativeMessagingHost\host.json (950 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\IEHistory.exe (8560 bytes)
    %Program Files%\Wajam\Logos\facebook.ico (3 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Wikipedia.lnk (1 bytes)
    %Documents and Settings%\%current user%\Cookies\N59IS3V2.txt (668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2F.tmp (1653 bytes)
    %Documents and Settings%\%current user%\Cookies\XV9YEEH2.txt (668 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\LocalService\Cookies\08BKN1K7.txt (81 bytes)
    %WinDir%\Temp\nsq32.tmp\nsRandom.dll (479 bytes)
    %Documents and Settings%\LocalService\Cookies\7PETCTC0.txt (677 bytes)
    %Documents and Settings%\LocalService\Cookies\ZR71P2D7.txt (229 bytes)
    %WinDir%\Temp\nsq32.tmp\ns34.tmp (6 bytes)
    %WinDir%\Temp\nsq32.tmp\ns33.tmp (6 bytes)
    %Documents and Settings%\LocalService\Cookies\6647XX2W.txt (677 bytes)
    %Documents and Settings%\LocalService\Cookies\9KEYOQLI.txt (677 bytes)
    %WinDir%\Temp\nsq32.tmp\inetc.dll (20 bytes)
    %WinDir%\Temp\nsq32.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\LocalService\Cookies\SLDURU7H.txt (453 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\BrowsingHistoryView.exe (7722 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\ExecCmd.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\inetc.dll (20 bytes)
    %Documents and Settings%\LocalService\IETldCache\index.dat (16 bytes)
    %Program Files%\Wajam\Updater\update.exe (2694 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (4472 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1088 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
    %WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: Wajam
Product Version:
Legal Copyright: (c) Wajam. All right reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.15
File Description:
Comments:
Language: English (United States)

Company Name: Product Name: WajamProduct Version: Legal Copyright: (c) Wajam. All right reserved.Legal Trademarks: Original Filename: Internal Name: File Version: 2.15File Description: Comments: Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text409624996250884.46593b43b45410a805db203e6093d29ea0c46
.rdata32768457646083.678327ed6b8f2aebb0d5dd5fc04dbfc811968
.data4096011570430723.55605f6c933d6d1311c822ffc667d0085d96c
.ndata15974423756800d41d8cd98f00b204e9800998ecf8427e
.rsrc397312626466563.60082d984727e5d54b25ea0cf580750edb537

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 1
7fb92eaa3dcad178983d423ff89f4bff

Network Activity

URLs

URL IP
hxxp://www.wajam.com/installer/progress?section=100&aid=&aid2=&mid=&unique_id=&tv=2.15-0&ts=
hxxp://www.wajam.com/installer/start?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933
hxxp://www.wajam.com/installer/installedProgramsLogs?unique_id=5781DBE94514B625F00A3444CF38C648&affiliate_id=3672
hxxp://www.wajam.com/installer/post_install?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933
hxxp://www.wajam.com/index.php?firstrun=1&db=IEXPLORE.EXE&dbv=8.00.6001.18702&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&enabled=1&tv=2.15-0&ts=1400860933&clp=&bg=1
hxxp://www.wajam.com/signup?aid=3672
hxxp://www.wajam.com/update/Updater/wajam_update.exe?v=3&ldts=&mid=46aa385c6a8fd1eaaa3ec67152de086e
hxxp://dl.wajam.com/update/wajam_update.exe?v0.048
hxxp://www.wajam.com/client_send_debug_info.php?v=i2.15&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&major_version=5&minor_version=1
hxxp://www.wajam.com/installer/finish?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933
hxxp://www.wajam.com/update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=3672&aid2=none&unique_id=5781DBE94514B625F00A3444CF38C648&b=c
hxxp://www.wajam.com/update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /update/wajam_update.exe?v0.048 HTTP/1.1

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: dl.wajam.com

Connection: Keep-Alive

Cookie: PHPSESSID=u1si43vcbvq17r042cvfpb1p62; _wau=14008501444725886; _wal=1400850144; not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; _waab=81,69,70,94,11,32,38,61,50,5; APPSESSID=w38|U39G4|U39G4

HTTP/1.1 200 OK

Server: nginx/1.4.7

Date: Fri, 23 May 2014 13:02:25 GMT

Content-Type: application/octet-stream

Content-Length: 408392

Last-Modified: Thu, 22 May 2014 19:13:33 GMT

Connection: keep-alive

ETag: "537e4c5d-63b48"

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...d..K.................d..........^5............@..........................0....................................................... ..............."...............................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data....p...........|..............@....ndata....... ...........................rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......C..H.P.u..u..u...T.@..B...SV.5..C..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h..C.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$....C...Si.....VW.T.....tO.q.3.;5..C.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..C.r._^[...U..QQ.U.SV..i....

<<

<<< skipped >>>

GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850152; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:32 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

GET /update/Updater/wajam_update.exe?v=3&ldts=&mid=46aa385c6a8fd1eaaa3ec67152de086e HTTP/1.1

If-Modified-Since: Thu, 22 May 2014 13:02:23 0000

Accept: */*

User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

Host: VVV.wajam.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Date: Fri, 23 May 2014 13:02:24 GMT

Server: Apache

Set-Cookie: PHPSESSID=u1si43vcbvq17r042cvfpb1p62; path=/; domain=.wajam.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wau=14008501444725886; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850144; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=81,69,70,94,11,32,38,61,50,5; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850144; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Location: hXXp://dl.wajam.com/update/wajam_update.exe?v0.048

Set-Cookie: not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850144; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w38|U39G4|U39G4; path=/; domain=.wajam.com

POST /client_send_debug_info.php?v=i2.15&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&major_version=5&minor_version=1 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Filename: install.log

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Content-Length: 30418

Connection: Keep-Alive

Cache-Control: no-cache

Function: .OnInit

settings logging to 0

logging set to 1

DEFAULT: HKCR - Progid ''

DEFAULT: HKCR - Found '' in '\shell\open\command'

DEFAULT: Error - Could not extract browser from HKCR

settings logging to 0

logging set to 1

T: Found default using shell - %Program Files%\Internet Explorer\IEXPLORE.EXE

settings logging to 0

logging set to 1

DEFAULT: Finding the default browser in: %Program Files%\Internet Explorer\IEXPLORE.EXE

settings logging to 0

logging set to 1

DEFAULT: Default browser is IEXPLORE.EXE

settings logging to 0

logging set to 1

P: original ''

P: default_aid: '3672'

P: param_silent: 'false'

P: install_ie: 'true'

P: install_ch: 'true'

P: install_ff: 'true'

P: command_line_parameters: ''

P: decoded_argument_string: ''

P: param_aid: '3672'

P: param_no_restart_dialog: 'true'

P: param_sleep: ''

P: param_no_trace: 'true'

P: param_dont_use_post: 'true'

settings logging to 0

logging set to 1

TR: hXXp://VVV.wajam.com/installer/start?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648 (1)

C: Drive: 'C:\'

C: Mac Address was: '00:50:56:3E:C4:83'

C: Lo

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:29 GMT

Server: Apache

Set-Cookie: PHPSESSID=ot10b72j3uagl4mu7qotud7ob1; path=/; domain=.wajam.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wau=14008501509810981; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

GET /installer/post_install?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G2|U39G1; _wau=14008501319469817; _wal=1400850135; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:21 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850141; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850141; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850141; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w14|U39G4|U39G1; path=/; domain=.wajam.com

GET /installer/progress?section=100&aid=&aid2=&mid=&unique_id=&tv=2.15-0&ts= HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:11 GMT

Server: Apache

Set-Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; path=/; domain=.wajam.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wau=14008501319469817; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850131; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850131; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w14|U39G1|U39G1; path=/; domain=.wajam.com

POST /installer/installedProgramsLogs?unique_id=5781DBE94514B625F00A3444CF38C648&affiliate_id=3672 HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Filename: nsy2F.tmp

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Content-Length: 953

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: _wau=14008501319469817; _wal=1400850134; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82

Adobe Flash Player 11 ActiveX

Google Chrome

Windows Internet Explorer 8

Update for Windows XP (KB2467659)

Update for Windows Internet Explorer 8 (KB2598845)

Update for Windows XP (KB898461)

Hotfix for Windows XP (KB954550-v5)

Microsoft .NET Framework 3.5 SP1

Microsoft .NET Framework 4 Client Profile

Mozilla Firefox 29.0.1 (x86 en-US)

Mozilla Maintenance Service

Total Commander (Remove or Repair)

WinPcap 4.0.1

Wireshark 0.99.6a

XML Paper Specification Shared Components Pack 1.0

Microsoft Visual C 2008 Redistributable - x86 9.0.30729.4148

Java(TM) 6 Update 18

WebFldrs XP

VMware Tools

Microsoft .NET Framework 4 Client Profile

Java Auto Updater

ActivePerl 5.16.2 Build 1602

Microsoft PowerPoint Viewer

Microsoft .NET Framework 3.0 Service Pack 2

Google Update Helper

Adobe Reader 9.3.4

Microsoft .NET Framework 2.0 Service Pack 2

Microsoft .NET Framework 3.5 SP1

Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:15 GMT

Server: Apache

Set-Cookie: PHPSESSID=1anbp2hlsktuq92t6kqq9kvpg1; path=/; domain=.wajam.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850135; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850135; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850135; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w13|U39G2|U39G2; path=/; domain=.wajam.com

GET /installer/finish?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G4|U39G1; _wau=14008501319469817; _wal=1400850143; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=14,37,74,4,62,87,33,52,30,82

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:30 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w14|U39G6|U39G1; path=/; domain=.wajam.com

GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=3672&aid2=none&unique_id=5781DBE94514B625F00A3444CF38C648&b=c HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:31 GMT

Server: Apache

Set-Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; path=/; domain=.wajam.com

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wau=14008501514911566; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w60|U39G6|U39G6; path=/; domain=.wajam.com

GET /installer/start?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; _wau=14008501319469817; _wal=1400850131; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82; APPSESSID=w14|U39G1|U39G1

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:14 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850134; expires=Sat, 23-May-2015 13:02:14 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:14 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850134; expires=Sat, 23-May-2015 13:02:14 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Set-Cookie: APPSESSID=w14|U39G2|U39G1; path=/; domain=.wajam.com

GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850152; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:32 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850151; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:31 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

GET /signup?aid=3672 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G4|U39G1; _wau=14008501319469817; _wal=1400850143; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=14,37,74,4,62,87,33,52,30,82

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:23 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850143; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 5443

Connection: close

Content-Type: text/html; charset=utf-8

<!DOCTYPE html>..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xmlns:fb="hXXp://ogp.me/ns/fb#" xml:lang="en" prefix="og: hXXp://ogp.me/ns#">...<head>....<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> ........<base href="hXXp://VVV.wajam.com" />....<title>Wajam.com | Download Wajam for Free</title> ....<meta name="title" content="Wajam.com | Download Wajam for Free" />...........<meta name="description" content="Enhance Your Search Experience With Results From Your Friends! Download Wajam and get Social Results and Recommendations in Your Regular Search Results | Wajam.com" />.....<meta name="keywords" content="Download Wajam, Wajam Download, Install Wajam, Get Wajam, Wajam, Social Search, Social results, Social Search Results, Recommendations from your friends, recommendations, Facebook friends recommendations, Find a Friend's Facebook Post, Find a Tweet" />..........<!-- Google Chrome Web Store Verification -->....<meta name="google-site-verification" content="5KnCIaGgQoFFL2URoeiXrg0xTbPK3qJZLbDJpbIoC9U" />........<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />.........<script type="text/javascript">.....var facebook_perms = 'email,user_likes,friends_likes,user_location,friends_location,user_checkins,friends_checkins,user_photos,friends_photos,read_stream,user_actions.music,friends_actions.music';.....var get_friend_url = '/user/friends.json';....</script>..........<script type=

<<

<<< skipped >>>

GET /index.php?firstrun=1&db=IEXPLORE.EXE&dbv=8.00.6001.18702&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&enabled=1&tv=2.15-0&ts=1400860933&clp=&bg=1 HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G4|U39G1; _wau=14008501319469817; _wal=1400850141; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82

HTTP/1.1 302 Found

Date: Fri, 23 May 2014 13:02:22 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850142; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com

Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850142; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850143; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com

Location: /signup?aid=3672

Set-Cookie: _wal=1400850143; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.wajam.com

Connection: Keep-Alive

Cache-Control: no-cache

Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850151; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6

HTTP/1.1 200 OK

Date: Fri, 23 May 2014 13:02:32 GMT

Server: Apache

Expires: Thu, 19 Nov 1981 08:52:00 GMT

Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0

Pragma: no-cache

Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com

Vary: Accept-Encoding

Content-Length: 0

Connection: close

Content-Type: text/html; charset=utf-8

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

WajamUpdaterV3.exe_2920:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

8%uEP3

8%uEP3

9>t.hxgA

9>t.hxgA

operator

operator

GetProcessWindowStation

GetProcessWindowStation

?v=%d&ldts=

?v=%d&ldts=

?v=%d&ldts=%ld

?v=%d&ldts=%ld

RegCreateKeyTransactedW

RegCreateKeyTransactedW

RegOpenKeyTransactedW

RegOpenKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

RegDeleteKeyExW

C:\Users\Jun\Documents\Git_branches\jun_updater_current_service_fix\Clients\Updater\Previous\Release\WajamUpdaterV3.pdb

C:\Users\Jun\Documents\Git_branches\jun_updater_current_service_fix\Clients\Updater\Previous\Release\WajamUpdaterV3.pdb

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

RegCloseKey

RegCloseKey

RegCreateKeyExW

RegCreateKeyExW

RegDeleteKeyW

RegDeleteKeyW

RegQueryInfoKeyW

RegQueryInfoKeyW

RegEnumKeyExW

RegEnumKeyExW

RegOpenKeyExW

RegOpenKeyExW

ReportEventW

ReportEventW

ADVAPI32.dll

ADVAPI32.dll

ole32.dll

ole32.dll

OLEAUT32.dll

OLEAUT32.dll

GetCPInfo

GetCPInfo

.?AV?$CAtlExeModuleT@VCWajamUpdateModule@@@ATL@@

.?AV?$CAtlExeModuleT@VCWajamUpdateModule@@@ATL@@

val 'TypesSupported' = d 7

val 'TypesSupported' = d 7

Created by MIDL version 7.00.0555 at Tue Oct 22 16:03:52 2013

Created by MIDL version 7.00.0555 at Tue Oct 22 16:03:52 2013

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>

3$3(3,3034383<3@3

3$3(3,3034383<3@3

4(4/44484<4]4

4(4/44484<4]4

4&5,5054585

4&5,5054585

2 3(333}3

2 3(333}3

1$1,141<1

1$1,141<1

3 3<3@3`3

3 3<3@3`3

909<9\9|9

909<9\9|9

; ;$;(;,;0;4;8;

; ;$;(;,;0;4;8;

? ?$?(?,?0?4?

? ?$?(?,?0?4?

nKERNEL32.DLL

nKERNEL32.DLL

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

%sV%d

%sV%d

Ahttp://downloadfallback.wajam.com/update/Updater/wajam_update.exe

Ahttp://downloadfallback.wajam.com/update/Updater/wajam_update.exe

updateURL

updateURL

update.exe

update.exe

%a, %d %b %Y %H:%M:%S 0000

%a, %d %b %Y %H:%M:%S 0000

Msxml2.ServerXMLHTTP.3.0

Msxml2.ServerXMLHTTP.3.0

Advapi32.dll

Advapi32.dll

HKEY_CURRENT_CONFIG

HKEY_CURRENT_CONFIG

HKEY_DYN_DATA

HKEY_DYN_DATA

HKEY_PERFORMANCE_DATA

HKEY_PERFORMANCE_DATA

HKEY_USERS

HKEY_USERS

HKEY_LOCAL_MACHINE

HKEY_LOCAL_MACHINE

HKEY_CURRENT_USER

HKEY_CURRENT_USER

HKEY_CLASSES_ROOT

HKEY_CLASSES_ROOT

{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}

{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}

%Program Files%\Wajam\Updater\WajamUpdaterV3.exe

%Program Files%\Wajam\Updater\WajamUpdaterV3.exe

1.0.0.7

1.0.0.7

WajamUpdaterV3.exe

WajamUpdaterV3.exe