Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS) Behaviour: PUP
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 0b7ac49072358260594f187d7c105e63
SHA1: 447fa1008e9850f0d8ac547b91255a4e1e89df72
SHA256: 65812345768cade83401b5682c78998216d86ba76af6fa5f4c293db79b276d2e
SSDeep: 24576:YVE AdZnHU9DPPPFAw2BaucwWboSh9ODCVS6QKOmoDeL:Ym AenFAndcwOnhyPYOmoQ
Size: 1040456 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:53:18
Analyzed on: WindowsAda SP3 32-bit
Summary: PUP. Potentially Unwanted Program. An application that does not display malicious behavior yet is installed without having first sought affirmative user consent for installation. Users may not realize, due to the nature of the installation procedure, that an application they have not explicitly agreed to has been installed. This category can also be used to classify other applications which, in a certain context, can be wanted, e.g. remote administration tools or IRC clients.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
wmic.exe:3364
wmic.exe:2836
BrowsingHistoryView.exe:2620
%original file name%.exe:132
InstalledPrograms.exe:2608
update.exe:2720
IEHistory.exe:2596
WajamUpdaterV3.exe:2920
WajamUpdaterV3.exe:2884
msfeedssync.exe:1176
The Trojan injects its code into the following process(es): No processes have been created.
File activity
The process wmic.exe:3364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\TempWmicBatchFile.bat (0 bytes)
The process wmic.exe:2836 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Temp\TempWmicBatchFile.bat (0 bytes)
The process BrowsingHistoryView.exe:2620 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2B.tmp (134 bytes)
The process %original file name%.exe:132 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\P7FVQ6SQ.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Tesco.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\A35Y4S5C.txt (668 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Google.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\image.bmp (36848 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\HomeDepot.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Yahoo!.lnk (1 bytes)
%Program Files%\Wajam\Logos\ikea.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Ask.lnk (1 bytes)
%Program Files%\Wajam\Logos\tesco.ico (3 bytes)
%Program Files%\Wajam\Logos\wiki.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\MoreInfo.dll (7 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Sears.lnk (1 bytes)
%Program Files%\Wajam\Logos\bestbuy.ico (3 bytes)
%Program Files%\Wajam\Logos\argos.ico (3 bytes)
%Program Files%\Wajam\Logos\twitter.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstalledPrograms.exe (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Mercadolivre.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Bing.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\SZ663247.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Wajam Website.lnk (1 bytes)
%Program Files%\Wajam\Logos\yahoo.ico (3 bytes)
%Program Files%\Wajam\Logos\homedepot.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\DK34WMK6.txt (674 bytes)
%Program Files%\Wajam\Logos\mysearchweb.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp (4 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Walmart.lnk (1 bytes)
%Program Files%\Wajam\IE\favicon.ico (3 bytes)
%Program Files%\Wajam\install.log (237125 bytes)
%Program Files%\Wajam\Logos\walmart.ico (3 bytes)
%Program Files%\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi (784 bytes)
%Program Files%\Wajam\Logos\google.ico (3 bytes)
%Program Files%\Wajam\IE\priam_bho.dll (10136 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Zalando.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\MyShopping.lnk (1 bytes)
%Program Files%\Wajam\uninstall.exe (25072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\inetc.dll (784 bytes)
%Program Files%\Wajam\Logos\ebay.ico (3 bytes)
%Program Files%\Wajam\Updater\WajamUpdaterV3.exe (3616 bytes)
%Documents and Settings%\%current user%\Cookies\L21J4BXI.txt (672 bytes)
%Program Files%\Wajam\Logos\zalando.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Wajam\Chrome\wajam.crx (784 bytes)
%Documents and Settings%\%current user%\Cookies\EQXO57IY.txt (668 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Facebook.lnk (1 bytes)
%Program Files%\Wajam\Logos\tripadvisor.ico (3 bytes)
C:\end (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Argos.lnk (1 bytes)
%Program Files%\Wajam\Logos\ask.ico (3 bytes)
%Program Files%\Wajam\Logos\settings.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Twitter.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Uninstall Wajam\uninstall.lnk (1 bytes)
%Program Files%\Wajam\Logos\setting.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsisos.dll (5 bytes)
%Program Files%\Wajam\Logos\mercado.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\TripAdvisor.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\EFQIU8KS.txt (672 bytes)
%Program Files%\Wajam\Logos\bing.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Cookies\L6KPLR5E.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\imageClick.bmp (1 bytes)
%Program Files%\Wajam\Logos\favicon.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Lowe's.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\7M78CNKI.txt (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ikea.lnk (1 bytes)
%Program Files%\Wajam\IE\wajamLogo.bmp (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\IMDb.lnk (1 bytes)
%Program Files%\Wajam\Logos\searchresult.ico (3 bytes)
%Program Files%\Wajam\Logos\target.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk28.tmp (48616 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ebay.lnk (1 bytes)
%Program Files%\Wajam\Logos\myshopping.ico (3 bytes)
%Program Files%\Wajam\Logos\sears.ico (3 bytes)
%Program Files%\Wajam\Logos\lowes.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\OS1TLL8Q.txt (672 bytes)
%Documents and Settings%\%current user%\Cookies\R32V3M3J.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Target.lnk (1 bytes)
%Program Files%\Wajam\Logos\amazon.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\GLSRRIJR.txt (448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsJSON.dll (7 bytes)
%Documents and Settings%\%current user%\Cookies\F09WAPTW.txt (80 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Etsy.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\System.dll (11 bytes)
%Program Files%\Wajam\Logos\shopping.ico (3 bytes)
%Program Files%\Wajam\Chrome\nativeMessagingHost\NativeMessageHost.exe (4992 bytes)
%Program Files%\Wajam\Logos\etsy.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Shopping.com.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Settings.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\md5dll.dll (6 bytes)
%Program Files%\Wajam\Logos\wajam.ico (3 bytes)
%Program Files%\Wajam\Logos\imdb.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Amazon.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\QI6C88M5.txt (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\DcryptDll.dll (14 bytes)
%Documents and Settings%\%current user%\Cookies\XXPE3OH1.txt (674 bytes)
%Program Files%\Wajam\Chrome\nativeMessagingHost\host.json (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IEHistory.exe (8560 bytes)
%Program Files%\Wajam\Logos\facebook.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Wikipedia.lnk (1 bytes)
The Trojan deletes the following file(s):
%Program Files%\Wajam\install.log (0 bytes)
%Documents and Settings%\%current user%\Cookies\F09WAPTW.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\N59IS3V2.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\P7FVQ6SQ.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\EFQIU8KS.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\IpConfig.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\L6KPLR5E.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\dummy.htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsDialogs.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\DK34WMK6.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\MoreInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\GetVersion.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\7M78CNKI.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\SimpleSC.dll (0 bytes)
%Documents and Settings%\%current user%\Cookies\L21J4BXI.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\QI6C88M5.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\EQXO57IY.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsv27.tmp (0 bytes)
C:\end (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\DcryptDll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\image.bmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstalledPrograms.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IEHistory.exe (0 bytes)
%Documents and Settings%\%current user%\Cookies\SZ663247.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\R32V3M3J.txt (0 bytes)
%Documents and Settings%\%current user%\Cookies\OS1TLL8Q.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsJSON.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\imageClick.bmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\GLSRRIJR.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsisos.dll (0 bytes)
The process InstalledPrograms.exe:2608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\N59IS3V2.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2F.tmp (1653 bytes)
%Documents and Settings%\%current user%\Cookies\XV9YEEH2.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp\inetc.dll (20 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\A35Y4S5C.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2F.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp\inetc.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsi2E.tmp (0 bytes)
%Documents and Settings%\%current user%\Cookies\XV9YEEH2.txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp (0 bytes)
The process update.exe:2720 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\Cookies\08BKN1K7.txt (81 bytes)
%WinDir%\Temp\nsq32.tmp\nsRandom.dll (479 bytes)
%Documents and Settings%\LocalService\Cookies\7PETCTC0.txt (677 bytes)
%Documents and Settings%\LocalService\Cookies\ZR71P2D7.txt (229 bytes)
%WinDir%\Temp\nsq32.tmp\ns34.tmp (6 bytes)
%WinDir%\Temp\nsq32.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\LocalService\Cookies\6647XX2W.txt (677 bytes)
%Documents and Settings%\LocalService\Cookies\9KEYOQLI.txt (677 bytes)
%WinDir%\Temp\nsq32.tmp\inetc.dll (20 bytes)
%WinDir%\Temp\nsq32.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\LocalService\Cookies\SLDURU7H.txt (453 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\LocalService\Cookies\08BKN1K7.txt (0 bytes)
%WinDir%\Temp\nsq32.tmp\nsRandom.dll (0 bytes)
%WinDir%\Temp\nsb31.tmp (0 bytes)
%Documents and Settings%\LocalService\Cookies\ZR71P2D7.txt (0 bytes)
%WinDir%\Temp\nsq32.tmp\ns34.tmp (0 bytes)
%WinDir%\Temp\nsq32.tmp\ns33.tmp (0 bytes)
%Documents and Settings%\LocalService\Cookies\6647XX2W.txt (0 bytes)
%Documents and Settings%\LocalService\Cookies\9KEYOQLI.txt (0 bytes)
%WinDir%\Temp\nsq32.tmp\inetc.dll (0 bytes)
%WinDir%\Temp\nsq32.tmp (0 bytes)
%WinDir%\Temp\nsq32.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\LocalService\Cookies\SLDURU7H.txt (0 bytes)
The process IEHistory.exe:2596 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\BrowsingHistoryView.exe (7722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\inetc.dll (20 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\ExecCmd.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2C.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nss2A.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2B.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BrowsingHistoryView.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\inetc.dll (0 bytes)
The process WajamUpdaterV3.exe:2920 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\LocalService\IETldCache\index.dat (16 bytes)
%Program Files%\Wajam\Updater\update.exe (2694 bytes)
The process msfeedssync.exe:1176 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (4472 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)
Registry activity
The process wmic.exe:3364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "16 F8 E5 01 5E BB 2D 5D BF D3 62 E5 35 21 37 F2"
[HKU\.DEFAULT\Software\Microsoft\Wbem\WMIC]
"WMICLC" = "0"
[HKLM\SOFTWARE\Microsoft\WBEM\WMIC]
"Cli.mof" = "128526480000000000"
"CliEgAliases.mof" = "128526480000000000"
[HKU\.DEFAULT\Software\Microsoft\Wbem\WMIC]
"mofcompMUIStatus" = "0"
[HKLM\SOFTWARE\Microsoft\WBEM\WMIC]
"CliEgAliases.mfl" = "128526480000000000"
"mofcompstatus" = "1"
The process wmic.exe:2836 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "83 A0 6B FA FE 30 92 7E 89 3A 43 06 B3 D1 DE E3"
The process BrowsingHistoryView.exe:2620 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E6 6E 00 7C F1 55 30 35 84 16 4A 3E DD 90 CA 8D"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The process %original file name%.exe:132 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\NumMethods]
"(Default)" = "20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\VersionIndependentProgID]
"(Default)" = "wajam.WajamBHO"
[HKCU\Software\Wajam]
"nocancelremoval" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\AppID\priam_bho.DLL]
"AppID" = "{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}"
[HKCR\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32]
"ThreadingModel" = "Both"
[HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp]
"Path" = "%Documents and Settings%\%current user%\Local Settings\Application Data\Wajam\Chrome\wajam.crx"
[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\VersionIndependentProgID]
"(Default)" = "wajam.WajamDownloader"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"RegOwner" = "Wajam"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"HelpLink" = "http://www.wajam.com/contact_us.php"
[HKCR\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\InProcServer32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"Publisher" = "Wajam"
[HKLM\SOFTWARE\Wajam]
"MACHINE_ID" = "46aa385c6a8fd1eaaa3ec67152de086e"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"InstallSource" = "c:"
[HKCR\wajam.WajamBHO\CLSID]
"(Default)" = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCR\CLSID\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
"(Default)" = "PSFactoryBuffer"
[HKLM\SOFTWARE\Wajam\Update]
"UpdateURL" = "http://www.wajam.com/update/Updater/wajam_update.exe"
[HKLM\SOFTWARE\Google\Chrome\Extensions\jpmbfleldcgkldadpdinhjjopdfpjfjp]
"Version" = "1.32"
[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0]
"(Default)" = "wajam 1.0 Type Library"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\TypeLib]
"(Default)" = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"
[HKCU\Software\Wajam]
"unique_id" = "5781DBE94514B625F00A3444CF38C648"
[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "78 E7 48 2C 79 1F 61 5D D0 7E EC 04 3A 3A 0C DE"
[HKCR\wajam.WajamDownloader.1]
"(Default)" = "WajamDownloader Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib]
"(Default)" = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"DisplayVersion" = "2.15"
"UninstallString" = "%Program Files%\Wajam\uninstall.exe"
[HKCR\wajam.WajamDownloader.1\CLSID]
"(Default)" = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"
[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Wajam]
"affiliate_id" = "3672"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Wajam]
"rec" = "2"
"reb" = "3"
"red" = "4"
[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\ProgID]
"(Default)" = "wajam.WajamBHO.1"
[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"DisplayName" = "Wajam"
[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
"(Default)" = "Wajam"
[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}]
"(Default)" = "WajamDownloader Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"RegCompany" = "Wajam"
[HKLM\SOFTWARE\Wajam\Update]
"Status" = "-1"
[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCR\wajam.WajamBHO.1\CLSID]
"(Default)" = "{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCR\Interface\{431532BD-0AE1-4ABC-BE8C-919F3D1332E2}]
"(Default)" = "IWajamBHO"
[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\ProgID]
"(Default)" = "wajam.WajamDownloader.1"
[HKCR\wajam.WajamBHO.1]
"(Default)" = "Wajam"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"NoRepair" = "1"
[HKLM\SOFTWARE\Wajam]
"res" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCR\wajam.WajamDownloader\CLSID]
"(Default)" = "{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}"
[HKCU\Software\Wajam]
"no_trace" = "true"
[HKCR\wajam.WajamBHO\CurVer]
"(Default)" = "wajam.WajamBHO.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"URLInfoAbout" = "http://www.wajam.com"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCR\wajam.WajamDownloader]
"(Default)" = "WajamDownloader Class"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Wajam]
"Install_Dir" = "%Program Files%\Wajam"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCR\wajam.WajamBHO]
"(Default)" = "Wajam"
[HKCR\AppID\{1FAEE6D5-34F4-42AA-8025-3FD8F3EC4634}]
"(Default)" = "Wajam"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"DisplayIcon" = "%Program Files%\Wajam\IE\favicon.ico"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKLM\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.wajam.chrome.messaging.host]
"(Default)" = "%Program Files%\Wajam\Chrome\nativeMessagingHost\host.json"
[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\0\win32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"
[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\TypeLib]
"(Default)" = "{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}"
[HKCU\Software\Wajam]
"affiliate_id_2" = "none"
[HKLM\SOFTWARE\Wajam]
"mit" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCR\CLSID\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\CLSID\{5D64294B-1341-4FE7-B6D8-7C36828D4DD5}\InprocServer32]
"(Default)" = "%Program Files%\Wajam\IE\priam_bho.dll"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"NoModify" = "1"
[HKCU\Software\Mozilla\Firefox\Extensions]
"{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}" = "%Program Files%\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi"
[HKCR\wajam.WajamDownloader\CurVer]
"(Default)" = "wajam.WajamDownloader.1"
[HKCR\TypeLib\{095BFD3C-4602-4FE1-96F1-AEFAFBFD067D}\1.0\HELPDIR]
"(Default)" = "%Program Files%\Wajam\IE"
[HKCU\Software\Wajam]
"install_timestamp" = "1400860933"
"skip_new_tab" = "true"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Wajam]
"InstallLocation" = "%Program Files%\Wajam"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A7A6995D-6EE1-4FD1-A258-49395D5BF99C}]
"NoExplorer" = "1"
"(Default)" = "Wajam IE BHO"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Wajam]
"nocancelremoval"
The process InstalledPrograms.exe:2608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 F9 83 E8 96 F4 1B 18 FD 57 97 68 82 BA 7A 58"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 40 00 00 00 01 00 00 00 00 00 00 00"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots, which do not refer to any zone, to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process update.exe:2720 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EC 0D 31 6B D1 52 49 24 0F EE 5D 4F 94 13 4D 74"
[HKLM\SOFTWARE\Wajam]
"reb" = "6"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 04 00 00 00 01 00 00 00 00 00 00 00"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
[HKLM\SOFTWARE\Wajam]
"rec" = "5"
"reb-x" = "6"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "0"
[HKLM\SOFTWARE\Wajam]
"rec-x" = "5"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F]
"BaseClass" = "Drive"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\A]
"BaseClass" = "Drive"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process IEHistory.exe:2596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 57 72 78 68 C6 10 E4 B8 0B 08 A6 90 C5 AA 2C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process WajamUpdaterV3.exe:2920 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldDllVersionLow" = "393305116"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheLimit" = "8192"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"StaleIETldCache" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheOptions" = "9"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%System%\config\systemprofile\Application Data"
[HKLM\SOFTWARE\Wajam\Update]
"ldts" = "Type: REG_QWORD, Length: 8"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\LocalService\Local Settings\Temporary Internet Files"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 03 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePath" = "%USERPROFILE%\IETldCache"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "0"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionHigh" = "1"
"IETldDllVersionHigh" = "524288"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\LocalService\Local Settings\History"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\IETld]
"IETldVersionLow" = "13"
[HKLM\SOFTWARE\Wajam\Update]
"last_update_check" = "Type: REG_QWORD, Length: 8"
"Status" = "-1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "2C AD 67 F7 68 34 D1 B3 07 A4 48 90 41 DB B0 07"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CachePrefix" = "ietld:"
[HKLM\SOFTWARE\Wajam\Update]
"update_pending" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\LocalService\Cookies"
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\ietld]
"CacheRepair" = "0"
[HKU\.DEFAULT\Software\Microsoft\Internet Explorer\BrowserEmulation]
"TLDUpdates" = "1"
[HKU\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ParseAutoexec" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan deletes the following value(s) in system registry:
[HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
"AutoConfigURL"
"ProxyServer"
The process WajamUpdaterV3.exe:2884 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB 4D F7 12 FD 0F 9D 72 6C 76 75 EF 47 4E B6 7E"
[HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
"LocalService" = "WajamUpdaterV3"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\WajamUpdater]
"EventMessageFile" = "%Program Files%\Wajam\Updater\WajamUpdaterV3.exe"
"TypesSupported" = "7"
The Trojan deletes the following value(s) in system registry:
[HKCR\AppID\{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}]
"LocalService"
The process msfeedssync.exe:1176 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Internet Explorer\Suggested Sites]
"DeletePending" = "0"
"UploadDiagInfo" = "1C 5C 00 00 71 17 00 08 80 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
Dropped PE files
MD5 | File path |
---|---|
3f2412930321fa1ad84310c8adecb26a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\IEHistory.exe |
720e614a557d3b8a73d7f844177f2e30 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\InstalledPrograms.exe |
becf90c3b4ec8f3bef9d11855c0a86b0 | c:\Program Files\Wajam\Chrome\nativeMessagingHost\NativeMessageHost.exe |
eb10260824118b484fdd4f7daad43b23 | c:\Program Files\Wajam\IE\priam_bho.dll |
58e407df43ca11ade8aecfe629feacd1 | c:\Program Files\Wajam\Updater\WajamUpdaterV3.exe |
11fcb6824b912480af7d54a8547dfcb8 | c:\Program Files\Wajam\Updater\update.exe |
90419b495b8105f7a239c05a3ac0003f | c:\Program Files\Wajam\uninstall.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
wmic.exe:3364
wmic.exe:2836
BrowsingHistoryView.exe:2620
%original file name%.exe:132
InstalledPrograms.exe:2608
update.exe:2720
IEHistory.exe:2596
WajamUpdaterV3.exe:2920
WajamUpdaterV3.exe:2884
msfeedssync.exe:1176
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Temp\TempWmicBatchFile.bat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2B.tmp (134 bytes)
%Documents and Settings%\%current user%\Cookies\P7FVQ6SQ.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Tesco.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\A35Y4S5C.txt (668 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Google.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\image.bmp (36848 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\HomeDepot.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Yahoo!.lnk (1 bytes)
%Program Files%\Wajam\Logos\ikea.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Ask.lnk (1 bytes)
%Program Files%\Wajam\Logos\tesco.ico (3 bytes)
%Program Files%\Wajam\Logos\wiki.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\MoreInfo.dll (7 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Sears.lnk (1 bytes)
%Program Files%\Wajam\Logos\bestbuy.ico (3 bytes)
%Program Files%\Wajam\Logos\argos.ico (3 bytes)
%Program Files%\Wajam\Logos\twitter.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\InstalledPrograms.exe (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Mercadolivre.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Bing.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\SZ663247.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Wajam Website.lnk (1 bytes)
%Program Files%\Wajam\Logos\yahoo.ico (3 bytes)
%Program Files%\Wajam\Logos\homedepot.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\DK34WMK6.txt (674 bytes)
%Program Files%\Wajam\Logos\mysearchweb.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Walmart.lnk (1 bytes)
%Program Files%\Wajam\IE\favicon.ico (3 bytes)
%Program Files%\Wajam\install.log (237125 bytes)
%Program Files%\Wajam\Logos\walmart.ico (3 bytes)
%Program Files%\Wajam\Firefox\{5a95a9e0-59dd-4314-bd84-4d18ca83a0e2}.xpi (784 bytes)
%Program Files%\Wajam\Logos\google.ico (3 bytes)
%Program Files%\Wajam\IE\priam_bho.dll (10136 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Zalando.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\MyShopping.lnk (1 bytes)
%Program Files%\Wajam\uninstall.exe (25072 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\inetc.dll (784 bytes)
%Program Files%\Wajam\Logos\ebay.ico (3 bytes)
%Program Files%\Wajam\Updater\WajamUpdaterV3.exe (3616 bytes)
%Documents and Settings%\%current user%\Cookies\L21J4BXI.txt (672 bytes)
%Program Files%\Wajam\Logos\zalando.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Wajam\Chrome\wajam.crx (784 bytes)
%Documents and Settings%\%current user%\Cookies\EQXO57IY.txt (668 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Facebook.lnk (1 bytes)
%Program Files%\Wajam\Logos\tripadvisor.ico (3 bytes)
C:\end (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Argos.lnk (1 bytes)
%Program Files%\Wajam\Logos\ask.ico (3 bytes)
%Program Files%\Wajam\Logos\settings.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\SignIn with Twitter.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Uninstall Wajam\uninstall.lnk (1 bytes)
%Program Files%\Wajam\Logos\setting.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsisos.dll (5 bytes)
%Program Files%\Wajam\Logos\mercado.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\TripAdvisor.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\EFQIU8KS.txt (672 bytes)
%Program Files%\Wajam\Logos\bing.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\IpConfig.dll (4992 bytes)
%Documents and Settings%\%current user%\Cookies\L6KPLR5E.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\imageClick.bmp (1 bytes)
%Program Files%\Wajam\Logos\favicon.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Lowe's.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\7M78CNKI.txt (226 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\SimpleSC.dll (1856 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ikea.lnk (1 bytes)
%Program Files%\Wajam\IE\wajamLogo.bmp (5 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\IMDb.lnk (1 bytes)
%Program Files%\Wajam\Logos\searchresult.ico (3 bytes)
%Program Files%\Wajam\Logos\target.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk28.tmp (48616 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Ebay.lnk (1 bytes)
%Program Files%\Wajam\Logos\myshopping.ico (3 bytes)
%Program Files%\Wajam\Logos\sears.ico (3 bytes)
%Program Files%\Wajam\Logos\lowes.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\OS1TLL8Q.txt (672 bytes)
%Documents and Settings%\%current user%\Cookies\R32V3M3J.txt (674 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Target.lnk (1 bytes)
%Program Files%\Wajam\Logos\amazon.ico (3 bytes)
%Documents and Settings%\%current user%\Cookies\GLSRRIJR.txt (448 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsJSON.dll (7 bytes)
%Documents and Settings%\%current user%\Cookies\F09WAPTW.txt (80 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Etsy.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\System.dll (11 bytes)
%Program Files%\Wajam\Logos\shopping.ico (3 bytes)
%Program Files%\Wajam\Chrome\nativeMessagingHost\NativeMessageHost.exe (4992 bytes)
%Program Files%\Wajam\Logos\etsy.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Shopping.com.lnk (1 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Settings.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\nsDialogs.dll (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\md5dll.dll (6 bytes)
%Program Files%\Wajam\Logos\wajam.ico (3 bytes)
%Program Files%\Wajam\Logos\imdb.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Shopping\Amazon.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\QI6C88M5.txt (670 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsa29.tmp\DcryptDll.dll (14 bytes)
%Documents and Settings%\%current user%\Cookies\XXPE3OH1.txt (674 bytes)
%Program Files%\Wajam\Chrome\nativeMessagingHost\host.json (950 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\IEHistory.exe (8560 bytes)
%Program Files%\Wajam\Logos\facebook.ico (3 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Wajam\Explore Social Search\Wikipedia.lnk (1 bytes)
%Documents and Settings%\%current user%\Cookies\N59IS3V2.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2F.tmp (1653 bytes)
%Documents and Settings%\%current user%\Cookies\XV9YEEH2.txt (668 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nst30.tmp\inetc.dll (20 bytes)
%Documents and Settings%\LocalService\Cookies\08BKN1K7.txt (81 bytes)
%WinDir%\Temp\nsq32.tmp\nsRandom.dll (479 bytes)
%Documents and Settings%\LocalService\Cookies\7PETCTC0.txt (677 bytes)
%Documents and Settings%\LocalService\Cookies\ZR71P2D7.txt (229 bytes)
%WinDir%\Temp\nsq32.tmp\ns34.tmp (6 bytes)
%WinDir%\Temp\nsq32.tmp\ns33.tmp (6 bytes)
%Documents and Settings%\LocalService\Cookies\6647XX2W.txt (677 bytes)
%Documents and Settings%\LocalService\Cookies\9KEYOQLI.txt (677 bytes)
%WinDir%\Temp\nsq32.tmp\inetc.dll (20 bytes)
%WinDir%\Temp\nsq32.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\LocalService\Cookies\SLDURU7H.txt (453 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\BrowsingHistoryView.exe (7722 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\ExecCmd.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsn2D.tmp\inetc.dll (20 bytes)
%Documents and Settings%\LocalService\IETldCache\index.dat (16 bytes)
%Program Files%\Wajam\Updater\update.exe (2694 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\FeedsStore.feedsdb-ms (4472 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\Microsoft\Feeds\{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~\Internet Explorer Suggested Sites~.feed-ms (1088 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\SuggestedSites.dat (4 bytes)
%WinDir%\Tasks\User_Feed_Synchronization-{414D0F7C-B684-437B-B53E-8AB5AE32E070}.job (416 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
Company Name:
Product Name: Wajam
Product Version:
Legal Copyright: (c) Wajam. All right reserved.
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 2.15
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 24996 | 25088 | 4.46593 | b43b45410a805db203e6093d29ea0c46 |
.rdata | 32768 | 4576 | 4608 | 3.67832 | 7ed6b8f2aebb0d5dd5fc04dbfc811968 |
.data | 40960 | 115704 | 3072 | 3.55605 | f6c933d6d1311c822ffc667d0085d96c |
.ndata | 159744 | 237568 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 397312 | 6264 | 6656 | 3.60082 | d984727e5d54b25ea0cf580750edb537 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 1
7fb92eaa3dcad178983d423ff89f4bff
Network Activity
URLs
URL | IP |
---|---|
hxxp://www.wajam.com/installer/progress?section=100&aid=&aid2=&mid=&unique_id=&tv=2.15-0&ts= | |
hxxp://www.wajam.com/installer/start?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 | |
hxxp://www.wajam.com/installer/installedProgramsLogs?unique_id=5781DBE94514B625F00A3444CF38C648&affiliate_id=3672 | |
hxxp://www.wajam.com/installer/post_install?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 | |
hxxp://www.wajam.com/index.php?firstrun=1&db=IEXPLORE.EXE&dbv=8.00.6001.18702&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&enabled=1&tv=2.15-0&ts=1400860933&clp=&bg=1 | |
hxxp://www.wajam.com/signup?aid=3672 | |
hxxp://www.wajam.com/update/Updater/wajam_update.exe?v=3&ldts=&mid=46aa385c6a8fd1eaaa3ec67152de086e | |
hxxp://dl.wajam.com/update/wajam_update.exe?v0.048 | |
hxxp://www.wajam.com/client_send_debug_info.php?v=i2.15&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&major_version=5&minor_version=1 | |
hxxp://www.wajam.com/installer/finish?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 | |
hxxp://www.wajam.com/update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=3672&aid2=none&unique_id=5781DBE94514B625F00A3444CF38C648&b=c | |
hxxp://www.wajam.com/update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /update/wajam_update.exe?v0.048 HTTP/1.1
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: dl.wajam.com
Connection: Keep-Alive
Cookie: PHPSESSID=u1si43vcbvq17r042cvfpb1p62; _wau=14008501444725886; _wal=1400850144; not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; _waab=81,69,70,94,11,32,38,61,50,5; APPSESSID=w38|U39G4|U39G4
HTTP/1.1 200 OK
Server: nginx/1.4.7
Date: Fri, 23 May 2014 13:02:25 GMT
Content-Type: application/octet-stream
Content-Length: 408392
Last-Modified: Thu, 22 May 2014 19:13:33 GMT
Connection: keep-alive
ETag: "537e4c5d-63b48"
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1p.:u..iu..iu..i...iw..iu..i...i...id..i!2.i...i...it..iRichu..i........PE..L...d..K.................d..........^5............@..........................0....................................................... ..............."...............................................................................................text....c.......d.................. ..`.rdata...............h..............@..@.data....p...........|..............@....ndata....... ...........................rsrc........ ......................@..@........................................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......C..H.P.u..u..u...T.@..B...SV.5..C..E.WP.u...X.@..e...E..E.P.u...\.@..}..e....D.@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...H.@..E...E.P.E.P.u...`.@..u....E..9}...w....~X.te.v4..L.@....E.tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W...E..E.h ...Pj.h..C.W..d.@..u.W...u....E.P.u...h.@._^3.[.....L$....C...Si.....VW.T.....tO.q.3.;5..C.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..C.r._^[...U..QQ.U.SV..i....
<<
<<< skipped >>>
GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850152; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:32 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
GET /update/Updater/wajam_update.exe?v=3&ldts=&mid=46aa385c6a8fd1eaaa3ec67152de086e HTTP/1.1
If-Modified-Since: Thu, 22 May 2014 13:02:23 0000
Accept: */*
User-Agent: Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Host: VVV.wajam.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Fri, 23 May 2014 13:02:24 GMT
Server: Apache
Set-Cookie: PHPSESSID=u1si43vcbvq17r042cvfpb1p62; path=/; domain=.wajam.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wau=14008501444725886; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850144; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=81,69,70,94,11,32,38,61,50,5; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850144; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Location: hXXp://dl.wajam.com/update/wajam_update.exe?v0.048
Set-Cookie: not_logged_unique_id=363eb39aa909c68a1ea2f26627e32b12; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850144; expires=Sat, 23-May-2015 13:02:24 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w38|U39G4|U39G4; path=/; domain=.wajam.com
POST /client_send_debug_info.php?v=i2.15&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&major_version=5&minor_version=1 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Filename: install.log
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Content-Length: 30418
Connection: Keep-Alive
Cache-Control: no-cache
Function: .OnInit
settings logging to 0
logging set to 1
DEFAULT: HKCR - Progid ''
DEFAULT: HKCR - Found '' in '\shell\open\command'
DEFAULT: Error - Could not extract browser from HKCR
settings logging to 0
logging set to 1
T: Found default using shell - %Program Files%\Internet Explorer\IEXPLORE.EXE
settings logging to 0
logging set to 1
DEFAULT: Finding the default browser in: %Program Files%\Internet Explorer\IEXPLORE.EXE
settings logging to 0
logging set to 1
DEFAULT: Default browser is IEXPLORE.EXE
settings logging to 0
logging set to 1
P: original ''
P: default_aid: '3672'
P: param_silent: 'false'
P: install_ie: 'true'
P: install_ch: 'true'
P: install_ff: 'true'
P: command_line_parameters: ''
P: decoded_argument_string: ''
P: param_aid: '3672'
P: param_no_restart_dialog: 'true'
P: param_sleep: ''
P: param_no_trace: 'true'
P: param_dont_use_post: 'true'
settings logging to 0
logging set to 1
TR: hXXp://VVV.wajam.com/installer/start?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648 (1)
C: Drive: 'C:\'
C: Mac Address was: '00:50:56:3E:C4:83'
C: Lo
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:29 GMT
Server: Apache
Set-Cookie: PHPSESSID=ot10b72j3uagl4mu7qotud7ob1; path=/; domain=.wajam.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wau=14008501509810981; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
GET /installer/post_install?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G2|U39G1; _wau=14008501319469817; _wal=1400850135; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:21 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850141; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850141; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850141; expires=Sat, 23-May-2015 13:02:21 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w14|U39G4|U39G1; path=/; domain=.wajam.com
GET /installer/progress?section=100&aid=&aid2=&mid=&unique_id=&tv=2.15-0&ts= HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:11 GMT
Server: Apache
Set-Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; path=/; domain=.wajam.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wau=14008501319469817; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850131; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850131; expires=Sat, 23-May-2015 13:02:11 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w14|U39G1|U39G1; path=/; domain=.wajam.com
POST /installer/installedProgramsLogs?unique_id=5781DBE94514B625F00A3444CF38C648&affiliate_id=3672 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Filename: nsy2F.tmp
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Content-Length: 953
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: _wau=14008501319469817; _wal=1400850134; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82
Adobe Flash Player 11 ActiveX
Google Chrome
Windows Internet Explorer 8
Update for Windows XP (KB2467659)
Update for Windows Internet Explorer 8 (KB2598845)
Update for Windows XP (KB898461)
Hotfix for Windows XP (KB954550-v5)
Microsoft .NET Framework 3.5 SP1
Microsoft .NET Framework 4 Client Profile
Mozilla Firefox 29.0.1 (x86 en-US)
Mozilla Maintenance Service
Total Commander (Remove or Repair)
WinPcap 4.0.1
Wireshark 0.99.6a
XML Paper Specification Shared Components Pack 1.0
Microsoft Visual C 2008 Redistributable - x86 9.0.30729.4148
Java(TM) 6 Update 18
WebFldrs XP
VMware Tools
Microsoft .NET Framework 4 Client Profile
Java Auto Updater
ActivePerl 5.16.2 Build 1602
Microsoft PowerPoint Viewer
Microsoft .NET Framework 3.0 Service Pack 2
Google Update Helper
Adobe Reader 9.3.4
Microsoft .NET Framework 2.0 Service Pack 2
Microsoft .NET Framework 3.5 SP1
Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595)
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:15 GMT
Server: Apache
Set-Cookie: PHPSESSID=1anbp2hlsktuq92t6kqq9kvpg1; path=/; domain=.wajam.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850135; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850135; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850135; expires=Sat, 23-May-2015 13:02:15 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w13|U39G2|U39G2; path=/; domain=.wajam.com
GET /installer/finish?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G4|U39G1; _wau=14008501319469817; _wal=1400850143; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=14,37,74,4,62,87,33,52,30,82
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:30 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850150; expires=Sat, 23-May-2015 13:02:30 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w14|U39G6|U39G1; path=/; domain=.wajam.com
GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=3672&aid2=none&unique_id=5781DBE94514B625F00A3444CF38C648&b=c HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:31 GMT
Server: Apache
Set-Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; path=/; domain=.wajam.com
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wau=14008501514911566; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w60|U39G6|U39G6; path=/; domain=.wajam.com
GET /installer/start?aid=3672&aid2=none&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&tv=2.15-0&ts=1400860933 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; _wau=14008501319469817; _wal=1400850131; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82; APPSESSID=w14|U39G1|U39G1
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:14 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850134; expires=Sat, 23-May-2015 13:02:14 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:14 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850134; expires=Sat, 23-May-2015 13:02:14 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Set-Cookie: APPSESSID=w14|U39G2|U39G1; path=/; domain=.wajam.com
GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850152; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:32 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850151; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:31 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850151; expires=Sat, 23-May-2015 13:02:31 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
GET /signup?aid=3672 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G4|U39G1; _wau=14008501319469817; _wal=1400850143; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=14,37,74,4,62,87,33,52,30,82
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:23 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850143; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 5443
Connection: close
Content-Type: text/html; charset=utf-8
<!DOCTYPE html>..<html xmlns="hXXp://VVV.w3.org/1999/xhtml" xmlns:fb="hXXp://ogp.me/ns/fb#" xml:lang="en" prefix="og: hXXp://ogp.me/ns#">...<head>....<meta http-equiv="Content-Type" content="text/html; charset=utf-8"/> ........<base href="hXXp://VVV.wajam.com" />....<title>Wajam.com | Download Wajam for Free</title> ....<meta name="title" content="Wajam.com | Download Wajam for Free" />...........<meta name="description" content="Enhance Your Search Experience With Results From Your Friends! Download Wajam and get Social Results and Recommendations in Your Regular Search Results | Wajam.com" />.....<meta name="keywords" content="Download Wajam, Wajam Download, Install Wajam, Get Wajam, Wajam, Social Search, Social results, Social Search Results, Recommendations from your friends, recommendations, Facebook friends recommendations, Find a Friend's Facebook Post, Find a Tweet" />..........<!-- Google Chrome Web Store Verification -->....<meta name="google-site-verification" content="5KnCIaGgQoFFL2URoeiXrg0xTbPK3qJZLbDJpbIoC9U" />........<link rel="shortcut icon" href="favicon.ico" type="image/x-icon" />.........<script type="text/javascript">.....var facebook_perms = 'email,user_likes,friends_likes,user_location,friends_location,user_checkins,friends_checkins,user_photos,friends_photos,read_stream,user_actions.music,friends_actions.music';.....var get_friend_url = '/user/friends.json';....</script>..........<script type=
<<
<<< skipped >>>
GET /index.php?firstrun=1&db=IEXPLORE.EXE&dbv=8.00.6001.18702&mid=46aa385c6a8fd1eaaa3ec67152de086e&unique_id=5781DBE94514B625F00A3444CF38C648&aid=3672&aid2=none&enabled=1&tv=2.15-0&ts=1400860933&clp=&bg=1 HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=sj4choofje5tvogdtuig6fact5; APPSESSID=w14|U39G4|U39G1; _wau=14008501319469817; _wal=1400850141; not_logged_unique_id=963b8c62777c6bf28bdb0227af92df01; _waab=14,37,74,4,62,87,33,52,30,82
HTTP/1.1 302 Found
Date: Fri, 23 May 2014 13:02:22 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850142; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=14,37,74,4,62,87,33,52,30,82; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com
Set-Cookie: not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850142; expires=Sat, 23-May-2015 13:02:22 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850143; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com
Location: /signup?aid=3672
Set-Cookie: _wal=1400850143; expires=Sat, 23-May-2015 13:02:23 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
GET /update/rec?v=5&as=2&rec=0&ep=0&pp=0&aid=none&aid2=none&unique_id=none&b=c HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.wajam.com
Connection: Keep-Alive
Cache-Control: no-cache
Cookie: PHPSESSID=r3bv67k032evbcb6fpfuuba0b0; _wau=14008501514911566; _wal=1400850151; not_logged_unique_id=5781DBE94514B625F00A3444CF38C648; _waab=63,94,37,68,77,42,44,10,13,97; APPSESSID=w60|U39G6|U39G6
HTTP/1.1 200 OK
Date: Fri, 23 May 2014 13:02:32 GMT
Server: Apache
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Set-Cookie: _waab=63,94,37,68,77,42,44,10,13,97; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Set-Cookie: _wal=1400850152; expires=Sat, 23-May-2015 13:02:32 GMT; path=/; domain=.wajam.com
Vary: Accept-Encoding
Content-Length: 0
Connection: close
Content-Type: text/html; charset=utf-8
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
WajamUpdaterV3.exe_2920:
.text
`.rdata
@.data
.rsrc
@.reloc
8%uEP3
9>t.hxgA
operator
GetProcessWindowStation
?v=%d&ldts=
?v=%d&ldts=%ld
RegCreateKeyTransactedW
RegOpenKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
C:\Users\Jun\Documents\Git_branches\jun_updater_current_service_fix\Clients\Updater\Previous\Release\WajamUpdaterV3.pdb
GetProcessHeap
KERNEL32.dll
USER32.dll
RegCloseKey
RegCreateKeyExW
RegDeleteKeyW
RegQueryInfoKeyW
RegEnumKeyExW
RegOpenKeyExW
ReportEventW
ADVAPI32.dll
ole32.dll
OLEAUT32.dll
GetCPInfo
.?AV?$CAtlExeModuleT@VCWajamUpdateModule@@@ATL@@
val 'TypesSupported' = d 7
Created by MIDL version 7.00.0555 at Tue Oct 22 16:03:52 2013
<requestedExecutionLevel level="asInvoker" uiAccess="false"></requestedExecutionLevel>
3$3(3,3034383<3@3
4(4/44484<4]4
4&5,5054585
2 3(333}3
1$1,141<1
3 3<3@3`3
909<9\9|9
; ;$;(;,;0;4;8;
? ?$?(?,?0?4?
nKERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
%sV%d
Ahttp://downloadfallback.wajam.com/update/Updater/wajam_update.exe
updateURL
update.exe
%a, %d %b %Y %H:%M:%S 0000
Msxml2.ServerXMLHTTP.3.0
Advapi32.dll
HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
{D616A4A2-7B38-4DBC-9093-6FE7A4A21B17}
%Program Files%\Wajam\Updater\WajamUpdaterV3.exe
1.0.0.7
WajamUpdaterV3.exe