HEUR:Trojan.Win32.Generic (Kaspersky), Trojan.Generic.9176938 (B) (Emsisoft), Trojan.Generic.9176938 (AdAware), Trojan.Win32.IEDummy.FD, VirusVirut.YR (Lavasoft MAS)
Behaviour: Trojan, Virus
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a3aa5a0ba8b429d63d59e40c4f9fe471
SHA1: b3917a7bad5b38cb7862437f7caea02a5a10c4ab
SHA256: f8d128ad8f8f08866175b39a031d4dad672f3b078faec69d25dc4880840d2f92
SSDeep: 6144:K7ouwJmT6pNUOGSZatv8MH tZPPJFuBf:KzwJmT6bU/ltvdHkZPxFu
Size: 615424 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 1976-09-11 21:14:18
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:492
The Trojan injects its code into the following process(es):
Rundll32.exe:704
iexplore.exe:472
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Rundll32.exe:704 makes changes in the file system.
The Trojan deletes the following file(s):
C:\~0002ftd.tmp (0 bytes)
C:\a3aa5a0ba8b429d63d59e40c4f9fe471 (0 bytes)
The process %original file name%.exe:492 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%System%\rundll32.exe (4185 bytes)
C:\~0002ftd.tmp (37 bytes)
%System%\rundII32.exe (57 bytes)
%System%\msng.exe (4185 bytes)
Registry activity
The process Rundll32.exe:704 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\VB and VBA Program Settings\Svchost\Open]
"times" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "92 70 7B 48 1F 50 C4 63 2B CB C5 F2 AB 51 3A 31"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msng" = "%System%\msng.exe"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:492 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A7 66 98 92 6B F2 BC C1 60 D7 5B 54 3D D3 1A 6C"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
"Personal" = "%Documents and Settings%\%current user%\My Documents"
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%System%]
"Rundll32.exe" = "Rundll32"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE security zone settings so that all local web nodes without dots that do not belong to any other zone are mapped to the Intranet Zone:
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msng" = "%System%\msng.exe"
Dropped PE files
MD5 | File path |
---|---|
ac2c9bc35a7ad096fe1a5173e50c7af6 | c:\WINDOWS\system32\rundII32.exe |
HOSTS file anomalies
The Trojan modifies the "%System%\drivers\etc\hosts" file, which is used to map host names to IP addresses. The modified file is 734 bytes in size. The following entry is added to the hosts file:
127.0.0.1 www.Brenz.pl
Rootkit activity
The Trojan installs the following user-mode hooks in ntdll.dll:
NtQueryInformationProcess
ZwOpenFile
NtDeviceIoControlFile
NtCreateProcessEx
NtCreateProcess
NtCreateFile
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Scan a system with an anti-rootkit tool.
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:492
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%System%\rundll32.exe (4185 bytes)
C:\~0002ftd.tmp (37 bytes)
%System%\rundII32.exe (57 bytes)
%System%\msng.exe (4185 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msng" = "%System%\msng.exe"
- Restore the original content of the HOSTS file (%System%\drivers\etc\hosts):
127.0.0.1 localhost
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
|  | 4096 | 122880 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
|  | 126976 | 16384 | 15872 | 5.4557 | 93d309fa36e44d38c4f31bfc14f0fec3 |
| .rsrc | 143360 | 328110 | 328192 | 4.71376 | 074d5103dc8a9945ea3ca55cb33b6165 |
| vnnahww | 475136 | 28672 | 28672 | 5.12838 | 67c1479411c9153e750ade8f593fdd19 |
| nbmrrhn | 503808 | 28672 | 28672 | 0 | cf845a781c107ec1346e849c9dd1b7e8 |
| zbebicl | 532480 | 28672 | 28672 | 0 | cf845a781c107ec1346e849c9dd1b7e8 |
| enpxzut | 561152 | 32768 | 31232 | 0 | 9cc544b7333c1f741765ce8afc8b8f27 |
| owylroe | 593920 | 184320 | 153088 | 0 | d94085b36c265d5e7f49c6b6e817c992 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://openclose.ir/ | |
hxxp://openclose.ir/wp-includes/js/wp-emoji-release.min.js?ver=4.5.3 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/style.css?ver=4.5.3 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/genericons/genericons.css?ver=3.4.1 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/css/ie.css?ver=20160412 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/css/ie8.css?ver=20160412 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/css/ie7.css?ver=20160412 | |
hxxp://openclose.ir/wp-content/plugins/wordpress-popup/css/animate.min.css?ver=4.5.3 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/js/html5.js?ver=3.7.3 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/genericons/Genericons.eot?") format("embedded-opentype | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/genericons/Genericons.svg | |
hxxp://openclose.ir/wp-includes/js/jquery/jquery.js?ver=1.12.4 | |
hxxp://openclose.ir/wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 | |
hxxp://openclose.zamenhost.org/?dm=cf124e2f14154e4ef1608115b6c316c6&action=load&blogid=2&siteid=1&t=1613335257&back=http://openclose.ir/ | 8.5.1.51 |
hxxp://pagead.l.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211 | |
hxxp://openclose.ir/wp-content/themes/twentysixteen/js/skip-link-focus-fix.js?ver=20160412 | |
hxxp://0.gravatar.com/avatar/ca85fd9144386f4e7420fdaa29adef2f?s=49&d=mm&r=g | 192.0.73.2 |
hxxp://openclose.ir/wp-content/themes/twentysixteen/js/functions.js?ver=20160412 | |
hxxp://openclose.ir/wp-content/plugins/wordpress-popup/js/public.min.js?ver=4.5.3 | |
hxxp://openclose.ir/wp-includes/js/wp-embed.min.js?ver=4.5.3 | |
hxxp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211 | 173.194.113.217 |
hxxp://zamenhost.org/?dm=cf124e2f14154e4ef1608115b6c316c6&action=load&blogid=2&siteid=1&t=1613335257&back=http://openclose.ir/ | 8.5.1.51 |
hxxp://www.openclose.ir/ | 78.47.178.19 |
fonts.googleapis.com | 74.125.131.95 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /?dm=cf124e2f14154e4ef1608115b6c316c6&action=load&blogid=2&siteid=1&t=1613335257&back=http://openclose.ir/ HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: zamenhost.org
Connection: Keep-Alive
HTTP/1.1 302 Found
Cache-Control: private
Content-Length: 310
Content-Type: text/html; charset=utf-8
Location: hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211
Server: Microsoft-IIS/8.5
X-AspNet-Version: 4.0.30319
p3p: CP="CAO PSA OUR"
Set-Cookie: SessionID=54ad317b-41da-4d03-bec2-a01bb990df11; path=/
Set-Cookie: VisitorID=76e34220-2856-42a9-8684-bd935ada2fb8&Exp=10/16/2019 9:47:25 PM; expires=Thu, 17-Oct-2019 04:47:25 GMT; path=/
X-Powered-By: ASP.NET
Date: Mon, 17 Oct 2016 04:47:25 GMT
<html><head><title>Object moved</title></head><body>
<h2>Object moved to <a href="hXXp://dp.g.doubleclick.net/apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211">here</a>.</h2>
</body></html>
<<< skipped >>>
GET /wp-content/themes/twentysixteen/css/ie8.css?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 3475
Connection: close
Content-Type: text/css
<<< skipped >>>
GET /avatar/ca85fd9144386f4e7420fdaa29adef2f?s=49&d=mm&r=g HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: 0.gravatar.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Mon, 17 Oct 2016 04:47:26 GMT
Content-Type: image/jpeg
Content-Length: 1124
Connection: keep-alive
Last-Modified: Wed, 11 Jan 1984 08:00:00 GMT
Link: <hXXps://VVV.gravatar.com/avatar/ca85fd9144386f4e7420fdaa29adef2f?s=49&d=mm&r=g>; rel="canonical"
Access-Control-Allow-Origin: *
Content-Disposition: inline; filename="ca85fd9144386f4e7420fdaa29adef2f.png"
X-nc: HIT fra 2
Accept-Ranges: bytes
Expires: Mon, 17 Oct 2016 04:52:26 GMT
Cache-Control: max-age=300
Source-Age: 154900
<<< skipped >>>
GET /wp-includes/js/jquery/jquery.js?ver=1.12.4 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 21 Jun 2016 18:03:33 GMT
Accept-Ranges: bytes
Content-Length: 97184
Connection: close
Content-Type: application/javascript
<<< skipped >>>
GET /wp-content/themes/twentysixteen/js/skip-link-focus-fix.js?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:24 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 1059
Connection: close
Content-Type: application/javascript
GET /wp-includes/js/wp-embed.min.js?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:25 GMT
Server: Apache
Last-Modified: Thu, 25 Feb 2016 10:23:27 GMT
Accept-Ranges: bytes
Content-Length: 1403
Connection: close
Content-Type: application/javascript
GET /wp-content/themes/twentysixteen/genericons/Genericons.svg HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 76980
Connection: close
Content-Type: image/svg+xml
<<< skipped >>>
GET /wp-content/themes/twentysixteen/genericons/genericons.css?ver=3.4.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 28266
Connection: close
Content-Type: text/css
<<< skipped >>>
GET /wp-content/themes/twentysixteen/js/functions.js?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:25 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 6820
Connection: close
Content-Type: application/javascript
<<< skipped >>>
GET /wp-content/themes/twentysixteen/css/ie7.css?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 2565
Connection: close
Content-Type: text/css
<<< skipped >>>
GET /wp-includes/js/jquery/jquery-migrate.min.js?ver=1.4.1 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 21 Jun 2016 18:03:33 GMT
Accept-Ranges: bytes
Content-Length: 10056
Connection: close
Content-Type: application/javascript
/*! jQuery Migrate v1.4.1 | (c) jQuery Foundation and other contributors | jquery.org/license */."undefined"==typeof jQuery.migrateMute&&(jQuery.migrateMute=!0),function(a,b,c){function d(c){var d=b.console;f[c]||(f[c]=!0,a.migrateWarnings.push(c),d&&d.warn&&!a.migrateMute&&(d.warn("JQMIGRATE: " c),a.migrateTrace&&d.trace&&d.trace()))}function e(b,c,e,f){if(Object.defineProperty)try{return void Object.defineProperty(b,c,{configurable:!0,enumerable:!0,get:function(){return d(f),e},set:function(a){d(f),e=a}})}catch(g){}a._definePropertyBroken=!0,b[c]=e}a.migrateVersion="1.4.1";var f={};a.migrateWarnings=[],b.console&&b.console.log&&b.console.log("JQMIGRATE: Migrate is installed" (a.migrateMute?"":" with logging active") ", version " a.migrateVersion),a.migrateTrace===c&&(a.migrateTrace=!0),a.migrateReset=function(){f={},a.migrateWarnings.length=0},"BackCompat"===document.compatMode&&d("jQuery is not compatible with Quirks Mode");var g=a("<input/>",{size:1}).attr("size")&&a.attrFn,h=a.attr,i=a.attrHooks.value&&a.attrHooks.value.get||function(){return null},j=a.attrHooks.value&&a.attrHooks.value.set||function(){return c},k=/^(?:input|button)$/i,l=/^[238]$/,m=/^(?:autofocus|autoplay|async|checked|controls|defer|disabled|hidden|loop|multiple|open|readonly|required|scoped|selected)$/i,n=/^(?:checked|selected)$/i;e(a,"attrFn",g||{},"jQuery.attrFn is deprecated"),a.attr=function(b,e,f,i){var j=e.toLowerCase(),o=b&&b.nodeType;return i&&(h.length<4&&d("jQuery.fn.attr( props, pass ) is deprecated"),b&&!l.test(o)&&
<<< skipped >>>
GET /wp-content/themes/twentysixteen/genericons/Genericons.eot?") format("embedded-opentype HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:23 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 22374
Connection: close
Content-Type: application/vnd.ms-fontobject
fW...V............................LP.........................*."....................G.e.n.e.r.i.c.o.n.s.....R.e.g.u.l.a.r... .V.e.r.s.i.o.n. .0.0.1...0.0.0. .....G.e.n.e.r.i.c.o.n.s................PFFTMu..(..V.....OS/2d,u....X...`cmap.r..........cvt .D..........gasp......V.....glyf..I.......H.head.`BW.......6hhea...........$hmtxX.Sr.......8loca...........0maxp.......8... nameR.....Nh...7post."....P.............".*._.<..........!z......!z..................................................................................@.................3.......3.......f..............................PfEd... ........................... .....D.........................................................................................................U.....................................`.........S.............................................................................f...................................@.....7...T.n............................................................... . ..... .......&.......).9.I.Y.i.v....... ....... ....... .0.@.P.`.p...............).2.,.&. .....................................................................................................................................................................................................................................................................................................................D.....,.,.,.,.Z...........F.........L...........b...0.....$.H.......8...........<.~...$.F.b.......2.....0.f.....H.......@.^.z....... .X.........J.........
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.openclose.ir
Connection: Keep-Alive
HTTP/1.1 301 Moved Permanently
Date: Mon, 17 Oct 2016 04:47:00 GMT
Server: Apache
X-Powered-By: PHP/5.5.35
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: PHPSESSID=3691cdf9ddd4c88824ebbe538153b99d; path=/
Location: hXXp://openclose.ir/
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
GET /wp-content/plugins/wordpress-popup/css/animate.min.css?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Thu, 26 May 2016 08:55:22 GMT
Accept-Ranges: bytes
Content-Length: 52287
Connection: close
Content-Type: text/css
/*! PopUp Free - v4.7.11. * hXXps://wordpress.org/plugins/wordpress-popup/. * Copyright (c) 2015; * Licensed GPLv2 */../*!.Animate.css - http://daneden.me/animate.Licensed under the MIT license - hXXp://opensource.org/licenses/MIT..Copyright (c) 2014 Daniel Eden.hXXps://raw.githubusercontent.com/daneden/animate.css/master/animate.css.*/.animated{-webkit-animation-duration:1s;animation-duration:1s;-webkit-animation-fill-mode:both;animation-fill-mode:both}.animated.infinite{-webkit-animation-iteration-count:infinite;animation-iteration-count:infinite}.animated.hinge{-webkit-animation-duration:2s;animation-duration:2s}@-webkit-keyframes bounce{0%,20%,53%,80%,100%{transition-timing-function:cubic-bezier(0.215,.61,.355,1);-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}40%,43%{transition-timing-function:cubic-bezier(0.755,.05,.855,.06);-webkit-transform:translate3d(0,-30px,0);transform:translate3d(0,-30px,0)}70%{transition-timing-function:cubic-bezier(0.755,.05,.855,.06);-webkit-transform:translate3d(0,-15px,0);transform:translate3d(0,-15px,0)}90%{-webkit-transform:translate3d(0,-4px,0);transform:translate3d(0,-4px,0)}}@keyframes bounce{0%,20%,53%,80%,100%{transition-timing-function:cubic-bezier(0.215,.61,.355,1);-webkit-transform:translate3d(0,0,0);transform:translate3d(0,0,0)}40%,43%{transition-timing-function:cubic-bezier(0.755,.05,.855,.06);-webkit-transform:translate3d(0,-30px,0);transform:translate3d(0,-30px,0)}70%{transition-timing-function:cubic-bezier(0.755,.05,.855,.06);-webkit-transform
<<< skipped >>>
GET /wp-content/themes/twentysixteen/js/html5.js?ver=3.7.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:11 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 10330
Connection: close
Content-Type: application/javascript
/**.* @preserve HTML5 Shiv 3.7.3 | @afarkas @jdalton @jon_neal @rem | MIT/GPL2 Licensed.*/.;(function(window, document) {./*jshint evil:true */. /** version */. var version = '3.7.3';.. /** Preset options */. var options = window.html5 || {};.. /** Used to skip problem elements */. var reSkip = /^<|^(?:button|map|select|textarea|object|iframe|option|optgroup)$/i;.. /** Not all elements can be cloned in IE **/. var saveClones = /^(?:a|b|code|div|fieldset|h1|h2|h3|h4|h5|h6|i|label|li|ol|p|q|span|strong|style|table|tbody|td|th|tr|ul)$/i;.. /** Detect whether the browser supports default html5 styles */. var supportsHtml5Styles;.. /** Name of the expando, to work with multiple documents or to re-shiv one document */. var expando = '_html5shiv';.. /** The id for the the documents expando */. var expanID = 0;.. /** Cached data for each document */. var expandoData = {};.. /** Detect whether the browser supports unknown elements */. var supportsUnknownElements;.. (function() {. try {. var a = document.createElement('a');. a.innerHTML = '<xyz></xyz>';. //if the hidden property is implemented we can assume, that the browser supports basic HTML5 Styles. supportsHtml5Styles = ('hidden' in a);.. supportsUnknownElements = a.childNodes.length == 1 || (function() {. // assign a false positive if unable to shiv. (document.createElement)('a');. var frag = document.createDocumentFragment();. return (. typeof fra
<<< skipped >>>
GET /wp-content/themes/twentysixteen/css/ie.css?ver=20160412 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 748
Connection: close
Content-Type: text/css
/*.Theme Name: Twenty Sixteen.Description: Global Styles for older IE versions (previous to IE10)..*/...site-header-main:before,..site-header-main:after,..site-footer:before,..site-footer:after {..content: "";..display: table;.}...site-header-main:after,..site-footer:after {..clear: both;.}..@media screen and (min-width: 56.875em) {...site-branding,...site-info {...float: left;..}....site-header-menu,...site-footer .social-navigation {...float: right;..}....site-footer .social-navigation {...margin-left: 7px;..}....rtl .site-branding,...rtl .site-info {...float: right;..}....rtl .site-header-menu,...rtl .site-footer .social-navigation {...float: left;..}....rtl .site-footer .social-navigation {...margin-right: 7px;...margin-left: 0;..}.}...
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:01 GMT
Server: Apache
X-Powered-By: PHP/5.5.35
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Link: <hXXp://openclose.ir/wp-json/>; rel="hXXps://api.w.org/"
Set-Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9; path=/
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=UTF-8
68..<!DOCTYPE html>.<html lang="en-US" prefix="og: hXXp://ogp.me/ns#" class="no-js">.<head>..<meta charset="..fc..UTF-8">..<meta name="viewport" content="width=device-width, initial-scale=1">..<link rel="profile" href="hXXp://gmpg.org/xfn/11">...<script>(function(html){html.className = html.className.replace(/\bno-js\b/,'js')})(document.documentElement);</script>...42..<title>openclose - Just another parking system Sites site</title>...6d...<!-- This site is optimized with the Yoast SEO plugin v3.2.5 - hXXps://yoast.com/wordpress/plugins/seo/ -->...4c..<meta name="description" content="Just another parking system Sites site"/>...26..<meta name="robots" content="noodp"/>...34..<link rel="canonical" href="hXXp://openclose.ir" />...24..<meta property="og:locale" content="..38..en_US" />.<meta property="og:type" content="website" />...23..<meta property="og:title" content="..47..openclose - Just another parking system Sites site" />.<meta property="..2dd2..og:description" content="Just another parking system Sites site" />.<meta property="og:url" content="hXXp://openclose.ir" />.<meta property="og:site_name" content="openclose" />.<meta name="twitter:card" content="summary" />.<meta name="twitter:description" content="Just another parking system Sites site" />.<meta name="twitter:title" content="openclose - Just another parking system Sites site" />.<script type='application/l
<<< skipped >>>
GET /apps/domainpark/domainpark.cgi?client=ca-dp-demandmedia_test_js&channel=mobile&domain_name=zamenhost.org&output=html&drid=as-drid-oo-1750951074443211 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Keep-Alive
Host: dp.g.doubleclick.net
HTTP/1.1 200 OK
P3P: policyref="hXXp://googleads.g.doubleclick.net/pagead/gcn_p3p_.xml", CP="CURa ADMa DEVa TAIo PSAo PSDo OUR IND UNI PUR INT DEM STA PRE COM NAV OTC NOI DSP COR"
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Content-Encoding: gzip
Date: Mon, 17 Oct 2016 04:47:26 GMT
Server: domainserver
Cache-Control: private
Content-Length: 3281
X-XSS-Protection: 1; mode=block
...........[.....~.B..dI.v.-..}....B.,..H.E....@fr.....y.`&.23....7J.)uK.-...$...nq......*u.S..1.0.L.....;...|`.k...... ...%..{..w:.......3..78L.y....l.3.~1..0..f...u...<.`.k...9..J3_.~.l.[.zk.`..:.....~...xKx.H.....I].1...32Ap.tU.^.K.....v...:..... .d.9.........bxK'.............:.d....c._..!....{.....mhy.0.M$r...k.).`6..e.7......{..... .i....yO{2......#..@.TC>H.77..1..tT...Ed.."..@.<.p....><$$....Rj..KT(}V..UK<%.....W..<).7a.m....../..r...T......1...h./.<..].U!^....$.q.=....a...........0....6.X.1.)......7..V".u.Xp.......A.{.%c.......6%ZH...ds..X2...!.RW@.~...{...v...*.W".kh.....nLm...,.QW.1'r0..G|S.q$Wv.......w.}....g.....A......F...W...6.x._..V2..e_...-.KbV..$.!.1.3..?N....P&.t.zN....(.c|... ..S.9~p..tVU....3.px.^.d.d..D..U.......p..........L.Jy....|$.3..l;.8.5..|..*..\.a9".\....a.Q.f.G.#.O.jh...2....YPb4..DA.!..!.H6...!.d...f,..L.0.:e...P$JA...$..1u...C.E......TT[p...;...2.9../*[&.}F 9..c....0....!..;.#q*..#.=K/!.1.{V.5.."M...d.....bzQS.E..8.L..KH..a.k....h....zhS<..0..,....$.......`F......-..F-..$..g1.....lw.3@..!T....A.........H.A.$ED'^.CI.S.m<....D/b..,.*I^.w2..W.F..vn.G..........;(Y..D(.%.l:...X,..p...}..b..u....7.....m^....R .-..............`..E..........u ...&T3.)..."ocb..h.Z...6.jO..t.3..l.#A.....`.....S..JHn...... S/..... ya.?J....t.}.......kly.z.7.H..j2...jK.....;*.tj ...^%...N.F.Jx....Bz.....Q,8...M...m.'h.0l;..,..T....CRG..~K.i$If. O.L....[..2t62.I...o.-.....7..y.%....."}...t.P.....c.b..D.Q...b.##..<...<U.Dm...2. >P3..&mG5.0......o.vgm.|^.........#..u%...|.R)
<<< skipped >>>
GET /wp-content/themes/twentysixteen/style.css?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Tue, 12 Apr 2016 18:33:03 GMT
Accept-Ranges: bytes
Content-Length: 68939
Connection: close
Content-Type: text/css
/*.Theme Name: Twenty Sixteen.Theme URI: hXXps://wordpress.org/themes/twentysixteen/.Author: the WordPress team.Author URI: hXXps://wordpress.org/.Description: Twenty Sixteen is a modernized take on an ever-popular WordPress layout ... the horizontal masthead with an optional right sidebar that works perfectly for blogs and websites. It has custom color options with beautiful default color schemes, a harmonious fluid grid using a mobile-first approach, and impeccable polish in every detail. Twenty Sixteen will make your WordPress look beautiful everywhere..Version: 1.2.License: GNU General Public License v2 or later.License URI: hXXp://VVV.gnu.org/licenses/gpl-2.0.html.Tags: black, blue, gray, red, white, yellow, dark, light, one-column, two-columns, right-sidebar, fixed-layout, responsive-layout, accessibility-ready, custom-background, custom-colors, custom-header, custom-menu, editor-style, featured-images, flexible-header, microformats, post-formats, rtl-language-support, sticky-post, threaded-comments, translation-ready.Text Domain: twentysixteen..This theme, like WordPress, is licensed under the GPL..Use it to make something cool, have fun, and share what you've learned with others..*/.../**. * Table of Contents. *. * 1.0 - Normalize. * 2.0 - Genericons. * 3.0 - Typography. * 4.0 - Elements. * 5.0 - Forms. * 6.0 - Navigation. * 6.1 - Links. * 6.2 - Menus. * 7.0 - Accessibility. * 8.0 - Alignments. * 9.0 - Clearings. * 10.0 - Widgets. * 11.0 - Content. * 11.1 - Header. * 11.2 - Posts and pages. *
<<< skipped >>>
GET /wp-includes/js/wp-emoji-release.min.js?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:02 GMT
Server: Apache
Last-Modified: Sun, 13 Mar 2016 20:30:27 GMT
Accept-Ranges: bytes
Content-Length: 9802
Connection: close
Content-Type: application/javascript
// Source: wp-includes/js/twemoji.min.js.var twemoji=function(){"use strict";function a(a){return document.createTextNode(a)}function b(a){return a.replace(u,h)}function c(a,b){return"".concat(b.base,b.size,"/",a,b.ext)}function d(a,b){for(var c,e,f=a.childNodes,g=f.length;g--;)c=f[g],e=c.nodeType,3===e?b.push(c):1!==e||v.test(c.nodeName)||d(c,b);return b}function e(a){return o(a.indexOf(t)<0?a.replace(s,""):a)}function f(b,c){for(var f,g,h,i,j,k,l,m,n,o,p,q,s,t=d(b,[]),u=t.length;u--;){for(h=!1,i=document.createDocumentFragment(),j=t[u],k=j.nodeValue,m=0;l=r.exec(k);){if(n=l.index,n!==m&&i.appendChild(a(k.slice(m,n))),p=l[0],q=e(p),m=n p.length,s=c.callback(q,c)){o=new Image,o.onerror=c.onerror,o.setAttribute("draggable","false"),f=c.attributes(p,q);for(g in f)f.hasOwnProperty(g)&&0!==g.indexOf("on")&&!o.hasAttribute(g)&&o.setAttribute(g,f[g]);o.className=c.className,o.alt=p,o.src=s,h=!0,i.appendChild(o)}o||i.appendChild(a(p)),o=null}h&&(m<k.length&&i.appendChild(a(k.slice(m))),j.parentNode.replaceChild(i,j))}return b}function g(a,c){return m(a,function(a){var d,f,g=a,h=e(a),i=c.callback(h,c);if(i){g="<img ".concat('class="',c.className,'" ','draggable="false" ','alt="',a,'"',' src="',i,'"'),d=c.attributes(a,h);for(f in d)d.hasOwnProperty(f)&&0!==f.indexOf("on")&&-1===g.indexOf(" " f "=")&&(g=g.concat(" ",f,'="',b(d[f]),'"'));g=g.concat(">")}return g})}function h(a){return q[a]}function i(){return null}function j(a){return"number"==typeof a?a "x" a:a}function k(a){var b="string"==typeof a?parseInt(
<<< skipped >>>
GET /wp-content/plugins/wordpress-popup/js/public.min.js?ver=4.5.3 HTTP/1.1
Accept: */*
Referer: hXXp://openclose.ir/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: openclose.ir
Connection: Keep-Alive
Cookie: PHPSESSID=84b02cf9faa9f552894cfff1bcc862c9
HTTP/1.1 200 OK
Date: Mon, 17 Oct 2016 04:47:25 GMT
Server: Apache
Last-Modified: Thu, 26 May 2016 08:55:22 GMT
Accept-Ranges: bytes
Content-Length: 9740
Connection: close
Content-Type: application/javascript
/*! PopUp Free - v4.7.11. * hXXps://wordpress.org/plugins/wordpress-popup/. * Copyright (c) 2015; * Licensed GPLv2 */.(function(){function e(e){"closed"===l?e._show()?(h=e,l="open"):t(e):c[c.length]=e}function t(){if(l="closed",h=null,c.length>0){var t=c.shift();e(t)}}function i(e,t,i){var o,r,a=0,l=s("" window.location),c=s("" document.referrer),h=null,u=function u(t){h=jQuery.extend({},e),h.popup=t,n(h)};return void 0!==window.force_popover&&(a="" window.force_popover),void 0!==t&&(a="" t),e.ajax_data=e.ajax_data||{},r=jQuery.extend({},e.ajax_data),r.action="inc_popup",r["do"]=e["do"],r.thefrom=l,r.thereferrer=c,a&&(r.po_id=a),i&&(r.data=i),e.preview&&(r.preview=!0),o={url:e.ajaxurl,dataType:"jsonp",jsonpCallback:"po_data",data:r,success:function(e){u(e)},complete:function(){jQuery(document).trigger("popup-load-done",[h])}},jQuery.ajax(o)}function n(e){if(void 0!==e){var t=function t(e){void 0!==e&&(void 0!==e.popup&&void 0!==e.popup.html&&(jQuery('<style type="text/css">' e.popup.styles "</style>").appendTo("head"),jQuery(e.popup.html).appendTo("body").hide()),window.inc_popup=new a(e),window.inc_popups[window.inc_popups.length]=window.inc_popup,jQuery(document).trigger("popup-initialized",[window.inc_popup]),e.noinit||e.preview||window.inc_popup.init())};if(e.popup instanceof Array)for(var i=0;e.popup.length>i;i =1){var n=jQuery.extend({},e);n.popup=e.popup[i],t(n)}else e instanceof Object&&t(e)}}function s(e){for(var t=[],i=0;e.length>i;i ){if(e.length>i 1){var n=e.charCodeAt(i),s
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
Rundll32.exe_704:
.rsrc
WgM[A V?V5%SM=
x=.UVY5@
a%SbeQ
advapi32.dll
RegOpenKeyExA
RegCloseKey
VBA6.DLL
RegCreateKeyA
shell32.dll
wininet.dll
ShellExecuteA
.text
.data
.tN@2NH
3333333330
3333330
333333333333330
.LjR=W
.Jbjx=
^_^\^_\^[__^^_^^__^^^^___^__^\_\\_^^^^\^^_[__^^__^_^__^^\[^^_^_^^_^\_^_^^\^\^[^[[__^\^^^\-
4444444
333333333333333
444444444
33333333333333
KERNEL32.DLL
MSVBVM60.DLL
.r~.uQv
$YZ.mC
1by%X
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ru.brans.pl
core.ircgalaxy.pl
NICK zabfersu
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
windowsupdate
drweb
ilo.brenz.pl
ant.trenz.pl
NICK slbqoipf
.fe`/
2007.04.30
Scripting.FileSystemObject
msng.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32.exe
Rundll32.exe
rundII32.exe
RundII32.exe
explorer.exe hXXp://VVV.OpenClose.ir
C:\~0002ftd.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
iexplore.exe*
firefox.exe*
explorer.exe
Rundll32.exe_704_rwx_00401000_00022000:
advapi32.dll
RegOpenKeyExA
RegCloseKey
VBA6.DLL
RegCreateKeyA
shell32.dll
wininet.dll
ShellExecuteA
.text
.data
.rsrc
.tN@2NH
2007.04.30
Scripting.FileSystemObject
msng.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Run
rundll32.exe
Rundll32.exe
rundII32.exe
RundII32.exe
explorer.exe hXXp://VVV.OpenClose.ir
C:\~0002ftd.tmp
Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
iexplore.exe*
firefox.exe*
explorer.exe
Rundll32.exe_704_rwx_00436000_00001000:
KERNEL32.DLL
MSVBVM60.DLL
Rundll32.exe_704_rwx_00458000_00016000:
ADVAPI32.DLL
\USERINIT.EXE
%s:*:enabled:@shell32.dll,-1
SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer
ru.brans.pl
core.ircgalaxy.pl
NICK zabfersu
SFC.DLL
SFC_OS.DLL
USER32.DLL
SHLWAPI.DLL
WSOCK32.DLL
WININET.DLL
%.6x . . :%c%.8x%x %s
JOIN
KERNEL32.DLL
windowsupdate
drweb
ilo.brenz.pl
ant.trenz.pl
NICK slbqoipf
iexplore.exe_472:
%?9-*09,*19}*09
.text
.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.fg>
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG
;33;33;0
8888880
8887080
%U#`JU
.koZsL
P-.WNd
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
iexplore.exe_472_rwx_00401000_00002000:
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
msvcrt.dll
ADVAPI32.dll
KERNEL32.dll
MsgWaitForMultipleObjects
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
IExplorer.EXE
browseui.dll
shdocvw.dll
iexplore.exe_472_rwx_00418000_00007000:
%U#`JU
.koZsL
P-.WNd
6.00.2900.5512 (xpsp.080413-2105)
IEXPLORE.EXE
Windows
Operating System
6.00.2900.5512