Trojan.NSIS.StartPage_fe93c109f6

by malwarelabrobot on August 20th, 2014 in Malware Descriptions.

not-a-virus:AdWare.Win32.OutBrowse.g (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.IEDummy.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

MD5: fe93c109f65be7d36349f613149623a5
SHA1: 47e7d43d9588161e6e8e22a9d1550dd33b1b134c
SHA256: e9b098acbffcf28142d5f587c5c00648cdd97c2f13da0f2ecb56b597dc043508
SSDeep: 12288:2qUnYdbT2wW c1fFbftgCin2JI6J8bc1YT/AAUHnOiNh:2qUnY03lgd2J0bqAU
Size: 567000 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: WindowsXP SP3 32-bit


Summary:

Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

wmic.exe:228
FreeCoinsApp.exe:1760
%original file name%.exe:1736
RegisterInstallStart.exe:1488
wyUpdate4.exe:2704
wyUpdate4.exe:3068
wyUpdate4.exe:3244
ping.exe:2420
find.exe:2428

The Trojan injects its code into the following process(es):

rdms.exe:1616
FCUI.exe:2528
SystemMonitor.exe:2520
FCUpdater.exe:2512
FCMonitor.exe:2340

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process rdms.exe:1616 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\jquery.min[1].js (6004 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\DynamicOfferScreen[1].htm (2676 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\DynamicOfferScreen[1].htm (850 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\FreeCoinsApp[1].exe (5452566 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\jquery-ui.min[1].js (10698 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\jquery-ui[1].css (1411 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\914084156970\FreeCoinsApp.exe (5234561 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\jquery-ui-1.8.19.custom[1].css (11061 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91408415697 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (0 bytes)

The process wmic.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (238 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (0 bytes)

The process FreeCoinsApp.exe:1760 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\gpi.bat (143 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\send_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\global.properties.xml (1638 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\close_btn.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\DAutils.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_horizontal_middle_slice.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\arrow.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\popup_multi.png (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\noInternet.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\coins_icon.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns6.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\body_ad_purple.png (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\FreeCoins\FreeCoins.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Interop.SHDocVw.dll (5568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\search_box.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\jquery.custom-scrollbar.css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\loading_img.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\query_link.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-2.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\openThankYou.bat (340 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\notifications_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\share_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\ok_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\SystemMonitor.exe.config (263 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert_1.png (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\arrow.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.min.js (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\down.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tray_icon_on.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\aPop.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\BG_settings.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RunAppMonitor.bat (102 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\background_body.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_16.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe (7168 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallAddiotionals.bat (575 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (4232 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\redeemed_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_OFF_settings_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email-30X1.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_bg.png (36 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\client.wyc (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg2.png (87 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_top.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\storageManager.js (2193 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\runApp.bat (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_48.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\production.properties.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_content_footer.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\installPath.txt (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\lock.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\uninst.exe (1965 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\alerts.xml (651 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_blue.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\coins_btn.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.dll (7384 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_center_slice.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\alert_skin_4.html (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_background.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.xml (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_bg.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\Thumbs.db (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.dll (14768 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\index_skin_4.html (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\BG_alert.png (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\Stumbleupon32X32.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\SystemMonitor.exe (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\up.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\main_v4.css (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\facebook_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_32.ico (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate4.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_gray.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-1.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallNet35xp.bat (446 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\client.wyc (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\settings_body.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\redeem_now.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery-1.9.1.min.js (6312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\time_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\lifeCycleManager.js (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\verifyUninstall.bat (464 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\setting_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\settings_link.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\BG_popUP.png (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\time_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_bottom.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\production.properties.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\DAutils.dll (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\json2.js (51 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionManager.js (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_64x64.ico (48 bytes)
%Documents and Settings%\%current user%\Desktop\FreeCoins.lnk (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_bottom.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionPopupUI.js (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-2.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\pcc.bat (82 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon_click.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.cookie.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\coupons_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\verifyUninstall.bat (464 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\googlePlus32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\search_noresults.png (63 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\borderItem.jpg (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\errorHandling.js (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\twitter32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\mail_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Thumbs.db (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\body.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\top.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\save_btn.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\lock.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\browsers.css (1428 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_ON_settings_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_48.ico (27 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\time_left_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_16.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_face.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\minimize_app.png (2997 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\close_app.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_32.ico (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.png (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\SetupNET35.exe (49498 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-1.png (2979 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\gmail32X32.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\locked_popup_face2.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\transparent.gif (126 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_icon.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\counter_all.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_logo.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\utils.js (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\image_2.jpg (33 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_left.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\email32X32.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_history_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon_click.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_empty.png (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe.config (270 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\locked_popup_bg.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\ourScrollBar.css (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.ico (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\invite_friends_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_icon.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn_click.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\global.properties.xml (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\yahoo32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.xml (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\close_btn_fBack.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\production.properties.xml (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\client.wyc (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\alertManager.js (2286 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\uiManager.js (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\home_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_64x64.ico (48 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_top.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\installPath.txt (73 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\header_image.png (6312 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\invite_friends_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\alerts.xml (1302 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\facebook32X32.png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_vertical_middle_slice.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\alerts.xml (651 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\down.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_right.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_gray.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\global.properties.xml (819 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\DAutils.dll (3136 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\promotionPopup_skin_4.html (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\down.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate4.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\up.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_body.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns7.tmp (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\close_btn.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg.png (4704 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email_bg.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate4.exe (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe.config (546 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_close.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.js (75 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_pointer.png (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\commManager.js (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon.png (6 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns7.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns6.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz3.tmp (0 bytes)

The process %original file name%.exe:1736 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdms.zip (57028 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Convert.dll (4583 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\rdms.zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nso1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp (0 bytes)

The process FCUI.exe:2528 makes changes in the file system.
The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Application Data\FreeCoins\fcud.dat (0 bytes)
%Documents and Settings%\%current user%\Application Data\FreeCoins (0 bytes)

The process wyUpdate4.exe:2704 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w010\desktopapp.wys (723 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w010\desktopapp.wys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w010 (0 bytes)

The process wyUpdate4.exe:3068 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w333\fcmonitor.wys (497 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w333\fcmonitor.wys (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w333 (0 bytes)

The process wyUpdate4.exe:3244 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w521\fcupdater.wys (294 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\w521 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\w521\fcupdater.wys (0 bytes)

Registry activity

The process rdms.exe:1616 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdms.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}]
"(Default)" = "CBrowserExternal Class"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\Version]
"(Default)" = "1.0"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\HELPDIR]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\TypeLib]
"(Default)" = "{03771AEF-400D-4A13-B712-25878EC4A3F5}"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0]
"(Default)" = "SmartInstallerLib"

[HKCR\Interface\{3408AC0D-510E-4808-8F7B-6B70B1F88534}]
"(Default)" = "IBrowserExternals"

[HKCR\CLSID\{6D4506CE-F855-4657-AA38-DB6B1F733982}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdms.exe"
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\rdms.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0A 29 AE E8 F7 54 B0 37 3A 26 4A 69 0B 60 C6 33"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKCR\TypeLib\{03771AEF-400D-4A13-B712-25878EC4A3F5}\1.0\FLAGS]
"(Default)" = "0"

The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process wmic.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "00 45 A7 B1 95 20 71 D8 B4 E6 5A E4 41 E2 21 75"

The process FreeCoinsApp.exe:1760 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Free Coins Desktop App]
"DisplayName" = "Free Coins Desktop App 1.26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Free Coins Desktop App]
"URLInfoAbout" = "http://www.freecoins.co"
"UninstallString" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\uninst.exe"
"Publisher" = "Free Coins."

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKCU\Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION]
"FCUI.exe" = "7000"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKCU\Software\FreeCoins]
"RegistrationStatus" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Uninstall\Free Coins Desktop App]
"DisplayVersion" = "1.26"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B3 26 38 70 DE 82 4E 5D E1 53 FA 21 F7 7E 41 D0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Programs" = "%Documents and Settings%\%current user%\Start Menu\Programs"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\FreeCoins]
"InstallPath" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins"

[HKCU\Software\Wow6432Node\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BROWSER_EMULATION]
"FCUI.exe" = "7000"

To run itself automatically each time Windows is booted, the Trojan adds links to its files under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeCoinsUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe"
"FreeCoinsStartup" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe"

The process %original file name%.exe:1736 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0E 37 E4 E3 8A D3 EA C6 E7 59 5F 3E 64 0F 9E C7"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

The process RegisterInstallStart.exe:1488 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "09 A7 84 21 A1 47 3C FC C6 ED 2B E9 30 A3 F0 E6"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\FreeCoins]
"GoogleAnalyticsJsoned" = "{""cm"":""(organic)""

The process FCUI.exe:2528 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CachePrefix" = ":2014081920140820:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "FCUI.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081920140820\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1407762306"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "43 0A 73 1B 26 04 B9 04 7D 32 FF 8A 83 C7 32 E5"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081920140820]
"CacheLimit" = "8192"

[HKCU\Software\FreeCoins]
"FreeCoinsUUID" = "1213d483-675f-429b-8b9c-7b4365d1e7f2"
"ver" = "1.26"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:

"ProxyBypass" = "1"

To run itself automatically each time Windows is booted, the Trojan adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeCoinsUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe"

The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

To run itself automatically each time Windows is booted, the Trojan adds a link to its file under the following system registry autorun key:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"FreeCoinsStartup" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]

The process SystemMonitor.exe:2520 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A4 D1 10 BC 9D F5 E0 55 8A E9 D8 58 81 62 CF 1D"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process wyUpdate4.exe:2704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "46 A5 BD F9 47 23 FC 86 A4 01 F7 CC 4B F6 21 1F"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process wyUpdate4.exe:3068 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 6D DC 32 28 86 3A E3 43 66 47 03 2D 67 F4 90"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process wyUpdate4.exe:3244 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 65 33 15 78 C4 A1 DF 67 77 F8 5D 82 98 88 F3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

The process ping.exe:2420 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 EF F5 D1 0D 69 EC 63 68 1C 4D 94 97 9D 5D ED"

The process FCUpdater.exe:2512 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA 0D 14 B8 E5 AF 2D 7D 34 03 A9 73 6E A9 08 C0"

[HKCU\Software\FreeCoins]
"FreeCoinsIEExt" = "1"
"FreeCoinsFFExt" = "1"
"FreeCoinsInstall" = "2014-8-19-5-36"

The process FCMonitor.exe:2340 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 33 9B F3 EC 86 A8 85 EA 39 01 B6 B2 B8 E0 39"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

The process find.exe:2428 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC FF 25 4D E8 20 E2 0B 43 2F E4 C9 9E C2 2E 99"

Dropped PE files

MD5 File path
ab3c14a3c2884dcfe39c221bc3d7757f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\DAutils.dll
139d8945338e268d2455c4d3528b59a6 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\FCMonitor.exe
96bc18f8dee95af3771763dee0e15986 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\Newtonsoft.Json.dll
5f162857a195c2cea059622976035982 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\SystemMonitor.exe
37c753d5ab2dba14e7b7e1dc56b87c27 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\wyUpdate.exe
0776370846dfe1d108cbd098db162f35 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCM\wyUpdate4.exe
ab3c14a3c2884dcfe39c221bc3d7757f c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\DAutils.dll
73f678bcd29cba21689dfbaa0e063374 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\FCUpdater.exe
37c753d5ab2dba14e7b7e1dc56b87c27 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\wyUpdate.exe
0776370846dfe1d108cbd098db162f35 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FCU\wyUpdate4.exe
97156d3730ca295bceb65005e43e1556 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\DAutils.dll
462b4784eda015ee2222a685f54708fe c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\FCUI.exe
f2d9d327dd1c6f7242d279087d1b9a0c c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\Interop.SHDocVw.dll
96bc18f8dee95af3771763dee0e15986 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.dll
410be2d16ea77628b919414213734785 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe
aafb99a979d4cbe4c0505408bd826f87 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe
9d40de3d6ebfcc6d8501c6629fa2b259 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\SetupNET35.exe
c1158f5765292618d0e23ff5b1b99e53 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\uninst.exe
37c753d5ab2dba14e7b7e1dc56b87c27 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\wyUpdate.exe
0776370846dfe1d108cbd098db162f35 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\FreeCoins\wyUpdate4.exe
91ec4108ee17d0a6800f49d6755138df c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\914084156970\FreeCoinsApp.exe
2a5ef58458b77e20115182851d0e4bf9 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\Convert.dll
5f13dbc378792f23e598079fc1e4422b c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsy2.tmp\nsisunz.dll
b950b7d00028a589f3a6b9889de51782 c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\rdms.exe
91ec4108ee17d0a6800f49d6755138df c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\FreeCoinsApp[1].exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

Company Name:
Product Name: Setup.exe
Product Version: 1.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 23628 24064 4.46394 856b32eb77dfd6fb67f21d6543272da5
.rdata 28672 4764 5120 3.4982 dc77f8a1e6985a4361c55642680ddb4f
.data 36864 154712 1024 3.3278 7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata 192512 36864 0 0 d41d8cd98f00b204e9800998ecf8427e
.rsrc 229376 3120 3584 2.72195 ecb2f57811e1216779bf9790e5ace50c

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 48
55f698dfa9f4d0becb76c70b86a35e89
37a35826b44a6f7dc08f2efa7dc5edcb
98074817f9a780ea48cfd72a1247d983
6cb1e085f1893765d316b2ac3d0a7cb7
35d0d82e99ab227a8036a61f77ee390e
243184caa5aecebf185a6b99d9c3e08e
de5df25bad894c285472140860b2dd84
74112916e3582d7bab8e654f188506b8
6b3c2dd4ebcede91f226d82c1c6089c6
eaba4aaf1128a9ca05a39f34231c52bc
000054aeade704f5ca8b1a0493550b71
41140783f703a6df7462369dbe3f852d
bc786b8de7507076f13911c5809f8659
611a21c471eac31ccb70dc393a7c66fb
a1829913b550e46c3544a0605e40f862
d988f8070ab8f0bfd3e40845d3300874
c0106ff9927efd05d3e74d3cd79f6797
c0b58298dee466313a5e17b969d070ee
824ba00bf5cc85f85979a5b617716eb4
0c303f04c92ab2c13e92e90a1f21794e
2c4293931465af9d6cd990a3e8bf60d8
1c54228ca5c48ccb1d09875d39541b5e
84bd722fea6da21d35d2b9c5aad0561a
7554f68b2e1e2fbff6083e995b0787ea
d4232c4e272ef986fe85195221a9ba1f
20283c332f55101dceb6b874952fb88a

URLs

URL IP
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.4
hxxp://freecoins.vo.llnwd.net/d/FreeCoinsApp.exe
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.5/jquery.min.js
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topLine.jpg
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png
hxxp://googleapis.l.google.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/topComp.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bgImg.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bottomLine.jpg
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&reqid=134427026&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=6303&offerscreenid=&offerorder=7&downloadduration=47937&installduration=47&issecond=0
hxxp://smartinstaller.elasticbeanstalk.com/Installer/TrackFinish?reqid=134427026&x=y&clickid=wHMQM6R5862BFPKD0S10G3CI
hxxp://www.freecoins.co/CA_Servlet/trackingServlet?getGAparams=1
hxxp://www.freecoins.co/CA_Servlet/trackingServlet
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=4&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/bodyImg.png
hxxp://www.google.com/collect
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/nextCase.jpg
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button_over.png
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme8/button.png
hxxp://smartinstaller.elasticbeanstalk.com/installer/thankyou?productid=6303&pubid=5492&distid=19036&countryid=262&reqid=134427026&sysbit=32&dfb=0&hb=0
hxxp://pagead46.l.doubleclick.net/tag/js/gpt.js
hxxp://www.gamehub.ws/index.php?&productname=Free Coins
hxxp://partnerad.l.doubleclick.net/gpt/pubads_impl_46.js
hxxp://www.gamehub.ws/css/index.css
hxxp://googleapis.l.google.com/ajax/libs/jquery/1.9.1/jquery.min.js
hxxp://www.gamehub.ws/js/jquery.cookie.js
hxxp://www.gamehub.ws/js/core-min.js
hxxp://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/images/free_coins_logo.png
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/css/index.css
hxxp://ib.anycast.adnxs.com/tt?id=3092585
hxxp://ib.anycast.adnxs.com/tt?id=3092599
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/images/desttop_bg.png
hxxp://www.freecoins.co/FreeCoinsLandingPage/themes/thankyou/images/bg_body.jpg
hxxp://flex.msn.com.nsatc.net/mstag/site/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/mstag.js
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=3092599
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=3092585
hxxp://ib.anycast.adnxs.com/tt?id=3095266
hxxp://flex.msn.com.nsatc.net/mstag/mstag.1003102000.js
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092585
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092599
hxxp://ib.anycast.adnxs.com/bounce?/tt?id=3095266
hxxp://a1961.g.akamai.net/p/a1/83/c9/56/a183c956bc259a9c8afeb3ac09ff6ece.jpg
hxxp://a1961.g.akamai.net/ANX_async_usersync.js
hxxp://ib.anycast.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3095266
hxxp://flex.msn.com.nsatc.net/mstag/tag/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/analytics.js?ver=1312081600
hxxp://a1961.g.akamai.net/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf
hxxp://pagead46.l.doubleclick.net/pagead/conversion.js
hxxp://a1961.g.akamai.net/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf?clickTAG=http://nym1.ib.adnxs.com/click?VQq0ldW_lz-aRSWxEcOSPxsv3SQGgaU_mkUlsRHDkj9UCrSV1b-XP5LkLklgBMhNaH3NEBvel0AnuPJTAAAAAHcwLwAQCgAAXwAAAAIAAABIgQkBVuMGAAAAAQBVU0QAVVNEANgCWgCdGAAAW9wAAgUAAQIAAJAAoCPDbwAAAAA./cnd=%21jwaPPwj_95UCEMiCpggY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyQamrEXsp6w4pkcplfnYGZt2VtnGTKgJWLZpiWXqF6lo9m%3Fdp%3D3092599%26dp2%3Dnym1COj6tYaxw_fLQBACGJLJu8mEjIHkTSIPMTkzLjEzOC4yNDQuMjMxKAEwp_DKnwU.%26dp3%3DCP4553727_S2576_C17400136_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599
hxxp://r.msn.com.nsatc.net/?type=1&domainId=2745850&dedup=1&actionid=207232
hxxp://a1961.g.akamai.net/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf
hxxp://a1961.g.akamai.net/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf?clickTAG=http://nym1.ib.adnxs.com/click?MuYNBGdlYD9FrjRT5edZP8uhRbbz_aQ_Ra40U-XnWT8y5g0EZ2VgP5w9g2LjLK18aH3NEBvel0AouPJTAAAAAOI6LwAQCgAAXwAAAAIAAADAmN0AVuMGAAAAAQBVU0QAVVNEAKAAWAKdGAAAhM8AAgUAAQIAAJAAeyZ6OQAAAAA./cnd=%210wbyPwigy_ABEMCx9gYY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyPYXDEXsp6w4pmaZhjn32Zt2ppnmTKe5eNYmmajZx6nY9ka5o%3Fdp%3D3095266%26dp2%3Dnym1COj6tYaxw_fLQBACGJz7jJS2nMvWfCIPMTkzLjEzOC4yNDQuMjMxKAEwqPDKnwU.%26dp3%3DCP3941792_S2576_C14522560_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266
hxxp://ib.anycast.adnxs.com/a_usersync?cbfn=ANX_async_load
hxxp://pagead46.l.doubleclick.net/pagead/conversion/976381674/?random=1408415760152&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
hxxp://www.google.com/analytics.js
hxxp://a.ssl.fastly.net/serve/52dfe62b6897d9bfcf00011e.js
hxxp://pagead46.l.doubleclick.net/pagead/viewthroughconversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://www.google.com/collect?v=1&_v=j24&a=1198451114&t=pageview&_s=1&dl=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ul=en-us&de=utf-8&dt=Thank You - For installing our free coins app!&sd=32-bit&sr=1276x846&vp=1256x693&je=0&fl=11.6 r602&_u=ME~&cid=1378333658.1408415761&tid=UA-46704880-1&z=1807395146
hxxp://ib.anycast.adnxs.com/px?t=2&id=157720&other=ADFuxS2HCsOBlbbe
hxxp://ib.anycast.adnxs.com/seg?t=2&add=1459541
hxxp://ib.anycast.adnxs.com/seg?t=2&add=1418586
hxxp://prod-pixel-collector-1097235636.us-east-1.elb.amazonaws.com/px/?id=157720&other=ADFuxS2HCsOBlbbe&a_id=7094
hxxp://prod-pixel-collector-1097235636.us-east-1.elb.amazonaws.com/seg/?add=1418586,1459541
hxxp://freecoins.vo.llnwd.net/updates/a/desktopapp.wys
hxxp://www.google.com/ads/conversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=3530791356
hxxp://c.live.com.nsatc.net/c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd
hxxp://ib.anycast.adnxs.com/a_usersync?c=9&cbfn=ANX_async_load
hxxp://ib.anycast.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=1A7492F371996BC43D579468759968FA|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://ib.anycast.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=2C0938180C976E9112D43E8308976D7B|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://www.google.com/ads/conversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=3530791356&ipr=y
hxxp://freecoins.vo.llnwd.net/updates/m/fcmonitor.wys
hxxp://www.googleadservices.com/pagead/conversion.js
hxxp://ib.adnxs.com/seg?t=2&add=1418586
hxxp://ib.adnxs.com/seg?t=2&add=1459541
hxxp://c.bing.com/c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd
hxxp://flex.msn.com/mstag/tag/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/analytics.js?ver=1312081600
hxxp://static.revenyou.com/offers/images/Theme8/button.png 198.232.124.224
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3095266
hxxp://cdn.freecoins.co/updates/a/desktopapp.wys
hxxp://ib.adnxs.com/bounce?/tt?id=3092585
hxxp://www.google.com.ua/ads/conversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&cdct=2&convclickts=0&random=3530791356&ipr=y
hxxp://ib.adnxs.com/px?t=2&id=157720&other=ADFuxS2HCsOBlbbe
hxxp://data.getserverinfo.com/Installer/Track?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&reqid=134427026&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&status=0&installedid=6303&offerscreenid=&offerorder=7&downloadduration=47937&installduration=47&issecond=0 54.83.205.127
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png 74.125.142.95
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://cdn.adnxs.com/p/a1/83/c9/56/a183c956bc259a9c8afeb3ac09ff6ece.jpg 23.15.4.16
hxxp://ib.adnxs.com/tt?id=3095266
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js 74.125.142.95
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css 74.125.142.95
hxxp://cdn.adnxs.com/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf 23.15.4.16
hxxp://www.google-analytics.com/collect
hxxp://ib.adnxs.com/bounce?/tt?id=3095266
hxxp://static.revenyou.com/offers/ui/css/start/jquery-ui-1.8.19.custom.css 198.232.124.224
hxxp://cdn.freecoins.co/d/FreeCoinsApp.exe
hxxp://data.getserverinfo.com/Installer/Flow?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.4 54.83.205.127
hxxp://ib.adnxs.com/a_usersync?cbfn=ANX_async_load
hxxp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=1A7492F371996BC43D579468759968FA|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092585
hxxp://ib.adnxs.com/tt?id=3092585
hxxp://flex.msn.com/mstag/site/322eefce-0cd2-4a6e-ab4c-6b3b11ea2493/mstag.js
hxxp://static.revenyou.com/offers/images/Theme8/button_over.png 198.232.124.224
hxxp://pixel.prfct.co/seg/?add=1418586,1459541
hxxp://partner.googleadservices.com/gpt/pubads_impl_46.js
hxxp://cdn.adnxs.com/ANX_async_usersync.js 23.15.4.16
hxxp://2745850.r.msn.com/?type=1&domainId=2745850&dedup=1&actionid=207232
hxxp://flex.msn.com/mstag/mstag.1003102000.js
hxxp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=2C0938180C976E9112D43E8308976D7B|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/jquery-ui.min.js 74.125.142.95
hxxp://static.revenyou.com/offers/images/Theme8/bgImg.jpg 198.232.124.224
hxxp://data.getserverinfo.com/installer/thankyou?productid=6303&pubid=5492&distid=19036&countryid=262&reqid=134427026&sysbit=32&dfb=0&hb=0 54.83.205.127
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.5/jquery.min.js 74.125.142.95
hxxp://static.revenyou.com/offers/images/Theme8/topLine.jpg 198.232.124.224
hxxp://www.google-analytics.com/collect?v=1&_v=j24&a=1198451114&t=pageview&_s=1&dl=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ul=en-us&de=utf-8&dt=Thank You - For installing our free coins app!&sd=32-bit&sr=1276x846&vp=1256x693&je=0&fl=11.6 r602&_u=ME~&cid=1378333658.1408415761&tid=UA-46704880-1&z=1807395146
hxxp://static.revenyou.com/offers/images/Theme8/bottomLine.jpg 198.232.124.224
hxxp://googleads.g.doubleclick.net/pagead/viewthroughconversion/976381674/?random=415034412&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&ctc_id=CAIVAgAAAB0CAAAA&ct_cookie_present=false&convclickts=0
hxxp://cdn.adnxs.com/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf?clickTAG=http://nym1.ib.adnxs.com/click?MuYNBGdlYD9FrjRT5edZP8uhRbbz_aQ_Ra40U-XnWT8y5g0EZ2VgP5w9g2LjLK18aH3NEBvel0AouPJTAAAAAOI6LwAQCgAAXwAAAAIAAADAmN0AVuMGAAAAAQBVU0QAVVNEAKAAWAKdGAAAhM8AAgUAAQIAAJAAeyZ6OQAAAAA./cnd=%210wbyPwigy_ABEMCx9gYY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyPYXDEXsp6w4pmaZhjn32Zt2ppnmTKe5eNYmmajZx6nY9ka5o%3Fdp%3D3095266%26dp2%3Dnym1COj6tYaxw_fLQBACGJz7jJS2nMvWfCIPMTkzLjEzOC4yNDQuMjMxKAEwqPDKnwU.%26dp3%3DCP3941792_S2576_C14522560_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3095266 23.15.4.16
hxxp://ib.adnxs.com/a_usersync?c=9&cbfn=ANX_async_load
hxxp://www.googleadservices.com/pagead/conversion/976381674/?random=1408415760152&cv=7&fst=1408415760152&num=1&fmt=2&value=0&label=PJzXCJ63zgcQ6s3J0QM&bg=ffffff&hl=en&guid=ON&u_h=846&u_w=1276&u_ah=818&u_aw=1276&u_cd=32&u_his=1&u_tz=180&u_nplug=0&u_nmime=0&frm=0&url=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
hxxp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=4&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
hxxp://www.google-analytics.com/analytics.js
hxxp://ib.adnxs.com/tt?id=3092599
hxxp://pixel.prfct.co/px/?id=157720&other=ADFuxS2HCsOBlbbe&a_id=7094
hxxp://cdn.wemempoclano.net/updates/m/fcmonitor.wys
hxxp://tag.perfectaudience.com/serve/52dfe62b6897d9bfcf00011e.js 23.235.44.130
hxxp://www.googletagservices.com/tag/js/gpt.js
hxxp://ib.adnxs.com/bounce?/tt?id=3092599
hxxp://static.revenyou.com/offers/images/Theme8/bodyImg.png 198.232.124.224
hxxp://static.revenyou.com/offers/images/Theme8/topComp.png 198.232.124.224
hxxp://ib.adnxs.com/ttj?ttjb=1&bdc=1408415783&bdh=osT5ZqFe6gW_K4xKa51ktmZlemE.&bdref=http://www.freecoins.co/FreeCoinsLandingPage/thankyou.jsp&bdtop=true&bdifs=1&id=3092599
hxxp://cdn.adnxs.com/p/5e/a8/7b/e4/5ea87be43c79529da335f14443dd2ffe.swf?clickTAG=http://nym1.ib.adnxs.com/click?VQq0ldW_lz-aRSWxEcOSPxsv3SQGgaU_mkUlsRHDkj9UCrSV1b-XP5LkLklgBMhNaH3NEBvel0AnuPJTAAAAAHcwLwAQCgAAXwAAAAIAAABIgQkBVuMGAAAAAQBVU0QAVVNEANgCWgCdGAAAW9wAAgUAAQIAAJAAoCPDbwAAAAA./cnd=%21jwaPPwj_95UCEMiCpggY1sYbIAI./referrer=http%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599/clickenc=http%3A%2F%2Fnetwork.adsmarket.com%2Fclick%2Fi2FvnGfKfJyQamrEXsp6w4pkcplfnYGZt2VtnGTKgJWLZpiWXqF6lo9m%3Fdp%3D3092599%26dp2%3Dnym1COj6tYaxw_fLQBACGJLJu8mEjIHkTSIPMTkzLjEzOC4yNDQuMjMxKAEwp_DKnwU.%26dp3%3DCP4553727_S2576_C17400136_Uhttp%3A%2F%2Fib.adnxs.com%2Fbounce%3F%252Ftt%253Fid%253D3092599 23.15.4.16
hxxp://cdn.adnxs.com/p/4b/6f/b7/39/4b6fb7395c34af84c2eee3bd1341e8c0.swf 23.15.4.16
hxxp://data.getserverinfo.com/Installer/TrackFinish?reqid=134427026&x=y&clickid=wHMQM6R5862BFPKD0S10G3CI 54.83.205.127
hxxp://static.revenyou.com/offers/images/Theme8/nextCase.jpg 198.232.124.224
hxxp://ajax.googleapis.com/ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_inset-hard_100_fcfdfd_1x100.png 74.125.142.95
cm.g.doubleclick.net 74.125.226.153
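The Installer/Flow and Installer/Track requests in this table report the host's MAC address (the 00:0C:29 prefix is a VMware OUI), its MachineGuid, OS and browser versions, and a vm=1 flag, so the installer fingerprints the machine, records that it detected a virtual machine, and still proceeds to fetch FreeCoinsApp.exe. The script below is an added example and not part of the Lavasoft report: it parses an excerpt of the URL table exactly as printed (defanged hxxp, optional trailing IP, bare hostname rows), tallies hosts, maps them to the addresses the sandbox recorded, extracts the fingerprint parameters per endpoint, and lists the executable downloads. The FINGERPRINT_KEYS set is my own selection of which query keys count as host-identifying.

```python
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed input: six rows copied from the report's URL table.
SAMPLE_URL_TABLE = """\
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Flow?pubid=5492&distid=19036&productid=6303&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:02:CD:FB&netv=&d1=NUMBER&d2=NUMBER&d3=NUMBER&d4=NUMBER&d5=NUMBER&ds1=&hb=0&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&version=4.4
hxxp://freecoins.vo.llnwd.net/d/FreeCoinsApp.exe
hxxp://data.getserverinfo.com/Installer/TrackFinish?reqid=134427026&x=y&clickid=wHMQM6R5862BFPKD0S10G3CI 54.83.205.127
hxxp://ajax.googleapis.com/ajax/libs/jquery/1.9.1/jquery.min.js 74.125.142.95
hxxp://cdn.freecoins.co/d/FreeCoinsApp.exe
cm.g.doubleclick.net 74.125.226.153
"""

# Query keys that carry host-identifying data rather than campaign bookkeeping
# (my own choice of keys, based on the parameter names seen in the table).
FINGERPRINT_KEYS = {"macaddress", "machineguid", "os", "iev", "ffv", "chromev",
                    "systembit", "vm"}


def refang(url):
    """Turn the report's defanged scheme back into one urllib understands."""
    return url.replace("hxxp://", "http://", 1).replace("hxxps://", "https://", 1)


def parse_url_table(text):
    """Return (url, ip_or_None) for each non-empty 'URL [IP]' line."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        url = refang(parts[0])
        if "://" not in url:  # bare hostname rows such as cm.g.doubleclick.net
            url = "http://" + url
        rows.append((url, parts[1] if len(parts) > 1 else None))
    return rows


def host_counts(rows):
    """How many table rows each host accounts for."""
    return Counter(urlsplit(url).hostname for url, _ in rows)


def host_to_ip(rows):
    """Resolved addresses the sandbox recorded, keyed by hostname."""
    mapping = {}
    for url, ip in rows:
        if ip:
            mapping.setdefault(urlsplit(url).hostname, set()).add(ip)
    return mapping


def fingerprint_params(rows):
    """Host-identifying query parameters, keyed by host+path of the reporting endpoint."""
    found = {}
    for url, _ in rows:
        parts = urlsplit(url)
        qs = parse_qs(parts.query, keep_blank_values=True)
        hit = {k: v[0] for k, v in qs.items() if k in FINGERPRINT_KEYS}
        if hit:
            found[parts.hostname + parts.path] = hit
    return found


def executable_downloads(rows):
    """URLs whose path ends in .exe: the second-stage payload fetches."""
    return sorted(url for url, _ in rows if urlsplit(url).path.lower().endswith(".exe"))


if __name__ == "__main__":
    rows = parse_url_table(SAMPLE_URL_TABLE)
    print(host_counts(rows))
    print(host_to_ip(rows))
    for endpoint, params in fingerprint_params(rows).items():
        print(endpoint, params)
    print(executable_downloads(rows))
```

Fed the full table from the page instead of the excerpt, the same functions give a host list suitable for blocking, the handful of endpoints that receive the fingerprint, and both download locations of FreeCoinsApp.exe.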


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET TROJAN VMProtect Packed Binary Inbound via HTTP - Likely Hostile
ET SHELLCODE Possible TCP x86 JMP to CALL Shellcode Detected

Traffic

GET /FreeCoinsLandingPage/themes/thankyou/images/desttop_bg.png HTTP/1.1
Accept: */*
Referer: hXXp://VVV.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.freecoins.co
Connection: Keep-Alive
Cookie: JSESSIONID=E27F5481B9C47ACFB10FC15D06243E0B


HTTP/1.1 200 OK
Server: Apache-Coyote/1.1
Accept-Ranges: bytes
ETag: W/"20943-1403623016000"
Last-Modified: Tue, 24 Jun 2014 15:16:56 GMT
Content-Type: image/png
Content-Length: 20943
Date: Tue, 19 Aug 2014 02:36:24 GMT
Connection: close
<<< 20943-byte image/png body omitted >>>

GET /gpt/pubads_impl_46.js HTTP/1.1
Accept: */*
Referer: hXXp://data.getserverinfo.com/installer/thankyou?productid=6303&pubid=5492&distid=19036&countryid=262&reqid=134427026&sysbit=32&dfb=0&hb=0
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: partner.googleadservices.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript
Last-Modified: Tue, 29 Jul 2014 17:42:15 GMT
Date: Mon, 11 Aug 2014 23:55:22 GMT
Expires: Tue, 11 Aug 2015 23:55:22 GMT
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 33549
X-XSS-Protection: 1; mode=block
Cache-Control: public, max-age=31536000
Age: 614458
Alternate-Protocol: 80:quic
<<< 33549-byte gzip-compressed text/javascript body omitted >>>

GET /c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd HTTP/1.1
Accept: */*
Referer: hXXp://VVV.freecoins.co/FreeCoinsLandingPage/thankyou.jsp
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.bing.com
Connection: Keep-Alive


HTTP/1.1 302 Redirect
Cache-Control: private, no-cache, proxy-revalidate, no-store
Pragma: no-cache
Location: hXXp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=1A7492F371996BC43D579468759968FA|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Set-Cookie: ANONCHK=1; domain=c.bing.com; expires=Tue, 19-Aug-2014 06:36:27 GMT; path=/;
Set-Cookie: MUID=1A7492F371996BC43D579468759968FA; domain=.bing.com; expires=Thu, 18-Aug-2016 02:36:27 GMT; path=/;
Date: Tue, 19 Aug 2014 02:36:26 GMT
Content-Length: 0


GET /c.gif?anx_uid=4654432947738082664&Red3=MSAN_pd HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml+xml, */*
Referer: hXXp://ib.adnxs.com/bounce?/tt?id=3092585
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: c.bing.com
Connection: Keep-Alive
Cookie: ANONCHK=1; MUID=2C0938180C976E9112D43E8308976D7B


HTTP/1.1 302 Redirect
Cache-Control: private, no-cache, proxy-revalidate, no-store
Pragma: no-cache
Location: hXXp://ib.adnxs.com/pxj?bidder=108&action=SetMSCookies("MUID=2C0938180C976E9112D43E8308976D7B|TOptOut=|EANON=A%3d%26E%3dFFF%26W%3d1")
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
P3P: CP="BUS CUR CONo FIN IVDo ONL OUR PHY SAMo TELo"
Date: Tue, 19 Aug 2014 02:36:27 GMT
Content-Length: 0


GET /ajax/libs/jqueryui/1.8/themes/start/jquery-ui.css HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/css; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Tue, 19 Aug 2014 02:21:22 GMT
Expires: Tue, 19 Aug 2014 03:21:22 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 6091
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 846
Alternate-Protocol: 80:quic
<<< 6091-byte gzip-compressed text/css body omitted >>>

GET /ajax/libs/jqueryui/1.8/jquery-ui.min.js HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Vary: Accept-Encoding
Content-Encoding: gzip
Content-Type: text/javascript; charset=UTF-8
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Tue, 19 Aug 2014 01:40:59 GMT
Expires: Tue, 19 Aug 2014 02:40:59 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 51558
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 3269
Alternate-Protocol: 80:quic
<<< 51558-byte gzip-compressed text/javascript body omitted >>>

GET /ajax/libs/jqueryui/1.8/themes/start/images/ui-bg_gloss-wave_75_2191c0_500x100.png HTTP/1.1
Accept: */*
Referer: hXXp://direct.the-apps-track.com//offers/DynamicOfferScreen?offerid=2&distid=19036&leadp=6303&countryid=262&sysbit=32&dfb=0&hb=0&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ajax.googleapis.com
Connection: Keep-Alive


HTTP/1.1 200 OK
Content-Type: image/png
Last-Modified: Fri, 12 Oct 2012 18:27:19 GMT
Date: Tue, 19 Aug 2014 02:35:29 GMT
Expires: Tue, 19 Aug 2014 03:35:29 GMT
Access-Control-Allow-Origin: *
Timing-Allow-Origin: *
X-Content-Type-Options: nosniff
Server: sffe
Content-Length: 3457
X-XSS-Protection: 1; mode=block
Cache-Control: public, must-revalidate, proxy-revalidate, max-age=3600
Age: 0
Alternate-Protocol: 80:quic
<<< 3457-byte image/png body omitted >>>
  • Delete the original Trojan file.
  • Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\jquery.min[1].js (6004 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\DynamicOfferScreen[1].htm (2676 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\DynamicOfferScreen[1].htm (850 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\bodyImg[1].png (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\FreeCoinsApp[1].exe (5452566 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\jquery-ui.min[1].js (10698 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\ui-bg_gloss-wave_75_2191c0_500x100[1].png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\jquery-ui[1].css (1411 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\914084156970\FreeCoinsApp.exe (5234561 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\KHA2SI3U\button[1].png (458 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\ui-bg_inset-hard_100_fcfdfd_1x100[1].png (88 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\EOKHFVZV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\56OPVHOH\button_over[1].png (921 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\46GJLOEK\jquery-ui-1.8.19.custom[1].css (11061 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\91408415697.txt (238 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\gpi.bat (143 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\send_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\global.properties.xml (1638 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\close_btn.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\DAutils.dll (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_horizontal_middle_slice.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\arrow.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\popup_multi.png (87 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\noInternet.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_right.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\coins_icon.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns6.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\body_ad_purple.png (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\FreeCoins\FreeCoins.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Interop.SHDocVw.dll (5568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\search_box.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\jquery.custom-scrollbar.css (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\nsExec.dll (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\loading_img.png (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\query_link.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-2.png (2979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\openThankYou.bat (340 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\notifications_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\share_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\ok_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\SystemMonitor.exe.config (263 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert_1.png (87 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\arrow.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.min.js (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\down.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tray_icon_on.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\aPop.js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\BG_settings.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RunAppMonitor.bat (102 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_right.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\background_body.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_16.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe (7168 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallAddiotionals.bat (575 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsz5.tmp (4232 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\left.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\redeemed_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_OFF_settings_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_left.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email-30X1.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_bg.png (36 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\FCUI.exe.config (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\client.wyc (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg2.png (87 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_top.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\storageManager.js (2193 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\runApp.bat (28 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_48.ico (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\production.properties.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_content_footer.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\installPath.txt (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\lock.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\uninst.exe (1965 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\alerts.xml (651 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_blue.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\coins_btn.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.dll (7384 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_center_slice.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\alert_skin_4.html (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_background.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\Newtonsoft.Json.xml (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_bg.png (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\Thumbs.db (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.dll (14768 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\index_skin_4.html (56 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\BG_alert.png (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\Stumbleupon32X32.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate.exe (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\up.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\main_v4.css (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\facebook_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_32.ico (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate4.exe (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_gray.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-1.png (2979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\InstallNet35xp.bat (446 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\client.wyc (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\settings_body.png (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\redeem_now.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\right.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery-1.9.1.min.js (6312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\time_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\lifeCycleManager.js (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\verifyUninstall.bat (464 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\setting_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\settings_link.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\notification\BG_popUP.png (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\time_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_bottom.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\production.properties.xml (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\DAutils.dll (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\json2.js (51 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionManager.js (63 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_64x64.ico (48 bytes)
    %Documents and Settings%\%current user%\Desktop\FreeCoins.lnk (1 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_left.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_bottom.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\promotionPopupUI.js (18 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\body-2.png (2979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\pcc.bat (82 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon_click.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterUninstall.exe.config (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.cookie.js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\coupons_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\verifyUninstall.bat (464 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\googlePlus32X32.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\search_noresults.png (63 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\borderItem.jpg (30 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\errorHandling.js (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\twitter32X32.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\mail_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Thumbs.db (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\body.png (2979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Scroller\top.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\save_btn.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\lock.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\wyUpdate.exe (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\browsers.css (1428 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\setting_tab\frequency_ON_settings_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_48.ico (27 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\time_left_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_16.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\locked_popup_face.png (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\minimize_app.png (2997 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\close_app.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\desktop_icons\FCA_icon_32.ico (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.png (12 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\SetupNET35.exe (49498 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\body-1.png (2979 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\gmail32X32.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate.exe (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe (26 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\locked_popup_face2.png (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\transparent.gif (126 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\Share_icon.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\home_tab\counter_all.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_logo.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\utils.js (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe.config (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\image_2.jpg (33 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\left.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\thumb_left.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\email32X32.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\redeemed_history_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon_click.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_empty.png (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe.config (270 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\locked_popup_bg.png (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\ourScrollBar.css (9 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\coins_icon.ico (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_locked_popup\invite_friends_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_icon.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\coins_btn_click.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\config\global.properties.xml (819 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\yahoo32X32.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\Newtonsoft.Json.xml (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\close_btn_fBack.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\production.properties.xml (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\client.wyc (1568 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\alertManager.js (2286 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\uiManager.js (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\tab_bar\home_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\install_icons\FCA_icon_install_64x64.ico (48 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\track_top.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\installPath.txt (73 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\header_image.png (6312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\FreeCoinsApp_invite_popup\archive\invite_friends_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\config\alerts.xml (1302 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\right.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\icons\facebook32X32.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\vertical\thumb_vertical_middle_slice.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\alerts.xml (651 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\down.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\horizontal\track_right.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\share_btn_gray.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\config\global.properties.xml (819 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\DAutils.dll (3136 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\promotionPopup_skin_4.html (20 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroller\down.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCU\wyUpdate4.exe (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\scroll_bar\scroller\up.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_body.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsj4.tmp\ns7.tmp (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\Share_btn\close_btn.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\feedback_bg.png (4704 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\feedback\email_bg.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FCM\wyUpdate4.exe (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\RegisterInstallStart.exe.config (546 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\alert\alert_close.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\power_up_icon.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\libs\jquery.custom-scrollbar.js (75 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\hover_block\hover_block_pointer.png (3 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\js\commManager.js (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Application Data\FreeCoins\web\css\skins\4\images\redeemed_page\free_spin_icon.png (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.exe (398737 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\instructionsBv3.dat (8368 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\rdms.zip (57028 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\nsisunz.dll (211 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsy2.tmp\Convert.dll (4583 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\w010\desktopapp.wys (723 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\w333\fcmonitor.wys (497 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\w521\fcupdater.wys (294 bytes)

  • Delete the following value(s) in the autorun key (How to Work with System Registry):

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "FreeCoinsUpdater" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCU\FCUpdater.exe"

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
    "FreeCoinsStartup" = "%Documents and Settings%\%current user%\Local Settings\Application Data\FCM\FCMonitor.exe"

  • Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  • Reboot the computer.
  • *Manual removal may cause unexpected system behaviour and should be performed at your own risk.