Submission Summary:

What's been found | Severity Level
Downloads/requests other files from Internet.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).

 

Technical Details:


 

File System Modifications

# | Filename(s) | File Size | File Hash | Alias
1 %CommonPrograms%\CutePDF\PDF Writer\Readme.lnk 820 bytes MD5: 0x8BC2A96FDB21C3632076F40FC157D2B7
SHA-1: 0x1E61388183B480EA2ABC6CBAA0E54B16E6A9C44B
(not available)
2 %CommonPrograms%\CutePDF\PDF Writer\Uninstall CutePDF Writer.lnk 838 bytes MD5: 0xEE14DA909CAE78373C8AA90441F1A4E9
SHA-1: 0x4E29DF1E10EFE74C458793B9A7E833862A4D6879
(not available)
3 %Temp%\AskSearch\partnercobranding.dat 27 bytes MD5: 0x607E975C32E9D966799573985B124EE1
SHA-1: 0x1EECF8713A91443D9DD805D0CAE8364F1A67838B
(not available)
4 %Temp%\ASKSUTBLOG 357,082 bytes MD5: 0xFD5C17FB97611D46F3DD8A9DA3DCC6AE
SHA-1: 0x3D752F25209F34764A293DB2AD71A3714EA796A9
(not available)
5 %Temp%\captura.bmp 136,502 bytes MD5: 0xFF83CED7C95F4AFE808927C1DD6F9E1A
SHA-1: 0xD79E33A531A0829869EC5FC6EC16A8BBD43C7C3F
(not available)
6 %Temp%\ffunzip.exe 167,936 bytes MD5: 0x75375C22C72F1BEB76BEA39C22A1ED68
SHA-1: 0xE1652B058195DB3F5F754B7AB430652AE04A50B8
(not available)
7 %Temp%\GLF21.tmp.ConduitEngineSetup.exe 157,536 bytes MD5: 0x4AE8A3249D951EB5F46799F852A5F66D
SHA-1: 0x8BD30A2FB7091E3968C3C5FF3D0CA8E764F7C7C7
packed with WiseSFXDropper [Kaspersky Lab]
8 %Temp%\GLF21.tmp.tbPHPN.dll
%Temp%\GLF30.tmp.ConduitEngine.dll
%ProgramFiles%\ConduitEngine\ConduitEngine.dll
%ProgramFiles%\PHPNukeEN\tbPHPN.dll
3,911,776 bytes MD5: 0xD9A0CE26ADA5BD15B1B03A752DDF14A6
SHA-1: 0x419716F712489099B040AB846B565D808119B5E8
(not available)
9 %Temp%\installer.exe 3,760,464 bytes MD5: 0xB5CA3492665D54AD22022F974F5A22D3
SHA-1: 0x8D64040C488298FCC96A15E22555C1407AE59D1A
(not available)
10 %Temp%\install_log.log 93 bytes MD5: 0x90DBE1ED0A4690C4211C62F6036FDC84
SHA-1: 0xD5635141A265808FD908866733F4025A0EBE8AB6
(not available)
11 %Temp%\is-MJJJG.tmp\AskInstallChecker.exe 248,664 bytes MD5: 0x8F9B5F4F87207BE1CF810DDC95124F92
SHA-1: 0xF5CEC54C9AAC59167BA95EC8077438BE381FBA3D
(not available)
12 %Temp%\is-MJJJG.tmp\Ask_Logo.bmp 4,158 bytes MD5: 0x55062581982A2CC075D1BE3EEF0D704A
SHA-1: 0x6D5E74B45C958F2955687979D4FC8064FA073FBF
(not available)
13 %Temp%\is-MJJJG.tmp\Ask_Toolbar.bmp 12,418 bytes MD5: 0x421C602CD1ABE693F368462AC8C92179
SHA-1: 0xC690B569BEC5303E267627086027FF0807FF4588
(not available)
14 %Temp%\is-MJJJG.tmp\WizModernSmallImage-IS.bmp 4,158 bytes MD5: 0x7BC0B44D3436036541CFB00429FCC69A
SHA-1: 0x83060DC13FA8016CF247497CF1F80B8968D03DB5
(not available)
15 %Temp%\is-MJJJG.tmp\_isetup\_RegDLL.tmp 4,096 bytes MD5: 0x0EE914C6F0BB93996C75941E1AD629C6
SHA-1: 0x12E2CB05506EE3E82046C41510F39A258A5E5549
(not available)
16 %Temp%\is-MJJJG.tmp\_isetup\_shfoldr.dll 23,312 bytes MD5: 0x92DC6EF532FBB4A5C3201469A5B5EB63
SHA-1: 0x3E89FF837147C16B4E41C30D6C796374E0B8E62C
(not available)
17 %Temp%\is-U1MT9.tmp\installer.tmp 711,168 bytes MD5: 0xF0CCFB46F867443700D31C969BDCF552
SHA-1: 0xF2474D5D7A906DE3BC3381CA79BB1EA60F0D6697
(not available)
18 %Temp%\nsq2.tmp\NSISdl.dll 14,848 bytes MD5: 0xA5F8399A743AB7F9C88C645C35B1EBB5
SHA-1: 0x168F3C158913B0367BF79FA413357FBE97018191
(not available)
19 %Temp%\nsq2.tmp\pantallatoolbar 1,216 bytes MD5: 0xB882849BF6B3CA196C5028BEC5336C8A
SHA-1: 0xE1415035303696ADEB0BC136A036CFB56534307E
(not available)
20 %Temp%\nsq2.tmp\UAC.dll 17,408 bytes MD5: 0x09CAF01BC8D88EEB733ABC161ACFF659
SHA-1: 0xB8C2126D641F88628C632DD2259686DA3776A6DA
(not available)
21 %Temp%\tbff.xpi 1,836,539 bytes MD5: 0x6BB4123F84C8AFEE2ABAAFEFAFE67E04
SHA-1: 0xC87ED1A29A12342984B205381943761EADC27784
(not available)
22 %Temp%\Toolbar.exe 203,264 bytes MD5: 0x5A82A45F2E0AAF617C8D511D43100FE1
SHA-1: 0x515AA5B88B8C129046706D8542BEE3699F62968C
packed with WiseSFXDropper [Kaspersky Lab]
23 %ProgramFiles%\Acro Software\CutePDF Writer\CPWSave.exe 239,104 bytes MD5: 0x5DFCFCF37F243456C19776B16106D2F6
SHA-1: 0x3BCE2BBE6EA2CD0AD171ACAFD077722E187AB5F6
(not available)
24 %ProgramFiles%\Acro Software\CutePDF Writer\PDFWrite.rsp 116 bytes MD5: 0x67C164CACF0813E37980D65C16B5AD16
SHA-1: 0xD8484C05CB6EE3F27F15E601E05FB6DA8E6E837C
(not available)
25 %ProgramFiles%\Acro Software\CutePDF Writer\README.HTM 5,582 bytes MD5: 0x3CEDB4E225158EAD770834B847114FAE
SHA-1: 0x4033E24015E2E0AD031C1F5303E43A9DB0E0FD22
(not available)
26 %ProgramFiles%\Acro Software\CutePDF Writer\uninscpw.exe 54,784 bytes MD5: 0x3A202ECD329FE2F9B703979B9A56F4A6
SHA-1: 0x335A66BD57BE30C01DE372C859C81655101E3FFD
(not available)
27 %ProgramFiles%\Ask.com\cobrand.ico 1,150 bytes MD5: 0x3A2621535E6A482B2783AA692B103D04
SHA-1: 0xDA713269297ACB71BA5485FACA76AA9D670315F3
(not available)
28 %ProgramFiles%\Ask.com\config.xml 11,544 bytes MD5: 0xB7FFA20918AA145D5199D56EAF96F234
SHA-1: 0x8D751281F8C3735B5A21859E58C347970E0B9171
(not available)
29 %ProgramFiles%\Ask.com\favicon.ico
%ProgramFiles%\Ask.com\fv_32.ico
60,262 bytes MD5: 0x7C66682BD652288DD786936C1D2859AE
SHA-1: 0x600D367CD1692146F9CE8A4122E4E55B1B9024BF
(not available)
30 %ProgramFiles%\Ask.com\GenericAskToolbar.dll 1,385,864 bytes MD5: 0x08202BD62AF19667CCF6D736EAA147A9
SHA-1: 0x15A79C1A0A7E872997254A717F12E5F07D5A3830
(not available)
31 %ProgramFiles%\Ask.com\mupcfg.xml 528 bytes MD5: 0x3C6CBB5473BF1F782D9CBB49485FDF55
SHA-1: 0x68EA54E58A20582BC01535607FDFBF41280BB497
(not available)
32 %ProgramFiles%\Ask.com\SaUpdate.exe 162,184 bytes MD5: 0x11BBB1DE60D3823F8CCAE4CDB0741C73
SHA-1: 0x1ECA56765E0D5D5348EA79A879C1CBAF32DC42E1
(not available)
33 %ProgramFiles%\Ask.com\UpdateTask.exe 96,136 bytes MD5: 0x95B44F3CCAC43A47649C1F1BC84ED517
SHA-1: 0x83EB905E29CF4C74E1AD6E86159A465E62FC422D
(not available)
34 %ProgramFiles%\Conduit\Community Alerts\Alert.dll 532,064 bytes MD5: 0x2A2935CE273513F881439D2FECA78E51
SHA-1: 0x743CF6F7C346A3CF7BB0B81442DC14A7F3DA352D
(not available)
35 %ProgramFiles%\ConduitEngine\appContextMenu.xml 6,560 bytes MD5: 0x68451D444D8AF7483B9A5A6A244B9540
SHA-1: 0xAA4B354AB24C483A9C8A951611F8EFB87C7F98A6
(not available)
36 %ProgramFiles%\ConduitEngine\ConduitEngineHelper.exe
%ProgramFiles%\PHPNukeEN\PHPNukeENToolbarHelper.exe
38,496 bytes MD5: 0xA320DF2B47CFCAF98D06EB59CD72084C
SHA-1: 0xED0A3155E7256B1EE3DAEA9B5251A4A3141592DC
(not available)
37 %ProgramFiles%\ConduitEngine\ConduitEngineUninstall.exe 23,648 bytes MD5: 0xDF465BE110DC0F7E5329D1B8065A405F
SHA-1: 0x4CBEA1ADF328E3DAF17DE451C4DEDB9FF17DEA43
(not available)
38 %ProgramFiles%\ConduitEngine\engineContextMenu.xml 4,013 bytes MD5: 0x2185FA6EB24E54A78F1913C33B5408BC
SHA-1: 0xCAD066F69CB76BD4CB2BA79D2DED45F8DC299688
(not available)
39 %ProgramFiles%\ConduitEngine\EngineSettings.json 2,999 bytes MD5: 0x09BE516C4F7713E594A437E852293C92
SHA-1: 0x7187E49DF00C790F692ACB022A298969D2148DFB
(not available)
40 %ProgramFiles%\ConduitEngine\INSTALL.LOG 304 bytes MD5: 0xEA5AFEF2ED5AB00B951EFC884A03ECC8
SHA-1: 0x06A9689175F7BF9409297046425467A9841E985B
(not available)
41 %ProgramFiles%\ConduitEngine\toolbar.cfg 25 bytes MD5: 0x7BBB07039B2B2CC073E44F50FAFDAF11
SHA-1: 0x72EFF70D121CD84307401973BD33114AF0246C67
(not available)
42 %ProgramFiles%\PHPNukeEN\GottenAppsContextMenu.xml 7,044 bytes MD5: 0xCE0449AC66B68DD896965167D460B135
SHA-1: 0xAB7C13818BE707B1599690FB84D4FFDBCAB821DD
(not available)
43 %ProgramFiles%\PHPNukeEN\INSTALL.LOG 300 bytes MD5: 0xEB3F631CE7EF042C194326A3EE7FF802
SHA-1: 0x0B1CA65C0FD91D4996E3A0D398641D79DC662171
(not available)
44 %ProgramFiles%\PHPNukeEN\OtherAppsContextMenu.xml 5,738 bytes MD5: 0xA9CAA49F5C0DDD88168E857E3670EBDF
SHA-1: 0x8500953B2600EFDB42EFFFC03FB9D7CC03F22CCC
(not available)
45 [pathname with a string SHARE]\SharedAppsContextMenu.xml 6,588 bytes MD5: 0x6816D08A668E0D9A3A79831400177C04
SHA-1: 0xA90B7303F688679A4065879E1E50B0F865D0AB05
(not available)
46 %ProgramFiles%\PHPNukeEN\toolbar.cfg 21 bytes MD5: 0xB560F723571B2B9C4A039FC23452C545
SHA-1: 0x1E3E70B2EAF307C8611DBF8F8B3C9B458B7F1CB2
(not available)
47 %ProgramFiles%\PHPNukeEN\ToolbarContextMenu.xml 5,737 bytes MD5: 0x815C07C40CEC4CF53861DA7A7C6EC639
SHA-1: 0xD48FA137FD2D543B555470BDFC46D2D5D637B877
(not available)
48 %ProgramFiles%\PHPNukeEN\UNWISE.EXE 153,088 bytes MD5: 0x973567B98CDFC147DF4E60471D9DF072
SHA-1: 0x3C4735750C99C63E6861170A8C459A608594211E
(not available)
49 %Windir%\Installer\2369b.msi 1,904,640 bytes MD5: 0x0C3F86415F0197BF6DB9AEDAC44E2FD1
SHA-1: 0x35CE36B5D54F1FC38306C0183A0B860CE4EBD985
(not available)
50 %Windir%\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\1033.MST 3,584 bytes MD5: 0xB79100B4A86071A780B6000E19E9A972
SHA-1: 0x222BB8BEAC7CB068B8D13325D2829F767417A056
(not available)
51 %Windir%\Installer\{86D4B82A-ABED-442A-BE86-96357B70F4FE}\ARPPRODUCTICON.exe 102,400 bytes MD5: 0x6E79C2CF2BA094BFFCEAAF5233632E19
SHA-1: 0x530C91F6354982AE84F4E27848BD3A9270D6D8CA
(not available)
52 %System%\cpwmon2k.dll 87,552 bytes MD5: 0x58C8D45C571AA9235FB296B383B89887
SHA-1: 0x37D9535DFF5C4855F8A065EF059B3853E55629ED
(not available)
53 %Windir%\Tasks\Scheduled Update for Ask Toolbar.job 240 bytes MD5: 0x3F23A27CB34F0A099933ED7EAFD49343
SHA-1: 0x525756E5914D97A093E83150C8B5BD0C89C6FEB3
(not available)

 

Memory Modifications

Process Name | Process Filename | Main Module Size
[filename of the sample #1] | [file and pathname of the sample #1] | 290,816 bytes
installer.exe | %Temp%\installer.exe | 81,920 bytes
installer.tmp | %Temp%\is-U1MT9.tmp\installer.tmp | 774,144 bytes

Process Name | Process Filename | Allocated Size
installer.tmp | %Temp%\is-u1mt9.tmp\installer.tmp | 8,388,608 bytes

Module Name | Module Filename | Address Space Details
PS5UI.DLL | %System%\spool\DRIVERS\W32X86\3\PS5UI.DLL | Process name: spoolsv.exe; Process filename: %System%\spoolsv.exe; Address space: 0x32000000 - 0x320B5000
cpwmon2k.dll | %System%\cpwmon2k.dll | Process name: spoolsv.exe; Process filename: %System%\spoolsv.exe; Address space: 0xEB0000 - 0xEC5000

Service Name | Display Name | New Status | Service Filename
MSIServer | Windows Installer | "Running" | %System%\msiexec.exe /V

 

Registry Modifications

 

Other details

Remote Host | Port Number
208.50.81.154 | 80
66.235.120.117 | 80
66.235.120.94 | 80
66.77.197.18 | 80
74.113.233.61 | 80
87.98.225.42 | 80
96.16.245.165 | 80

 

 

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.


Copyright © 2014 ThreatExpert. All rights reserved.