Trojan.Win32.Swrort.3.FD, SearchProtectToolbar_pcap.YR, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 3646819e562b6eff842e1ebc880d203b
SHA1: 3ee3e33af7094145ef00fbf92f6c72ed035efe85
SHA256: 8d949986257b14c8fc3b1206ecc8901a76efb163d89f890beca3a85544bceb9a
SSDeep: 12288:GvWoBObcObcSkP CVuVX1HxUMWtC7uVB9:W5IcI7s 1VFRzt7uV7
Size: 471568 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2014-07-11 10:40:11
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
spidentifierimpl.exe:1080
The Trojan injects its code into the following process(es):
%original file name%.exe:772
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process spidentifierimpl.exe:1080 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\SPtool.dll (180359 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (30 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\SPtool.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (0 bytes)
The process %original file name%.exe:772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\e0ed048e90a6cd1636f19b7a343cf5600.12176183264327789 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\progress.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\index.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\last.zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\uifile.zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\progress[1].zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\spidentifierimpl[1].exe (303947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\cfg.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\base.zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\base[1].zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\last[1].zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\config-from-production[1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\progress.html (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google.com[1].txt (387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\requirements\spidentifierimpl.exe (303947 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\noconnection.html (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\soft32-flow-5-text-en-us[1].zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\progress[1].zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\soft32-flow-5-text-en-us[1].zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\spidentifierimpl[1].exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\last[1].zip (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\error[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\config-from-production[1].txt (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\error[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\error[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\3[1].htm (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\base[1].zip (0 bytes)
Registry activity
The process spidentifierimpl.exe:1080 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DA DB 31 3A 80 19 D6 EC 3B 40 CA D4 4F BC A2 06"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\DLG\requirements]
"spidentifierimpl.exe" = "Search Protect Identifier by conduit"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CacheRepair" = "0"
"CachePrefix" = ":2016040420160405:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1A 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012016040420160405\"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "9F 7B 5A 24 DA 9F 6E 71 29 B2 19 AE 86 B8 92 EF"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012016040420160405]
"CacheOptions" = "11"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security zone settings so that all local web nodes without dots that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014031720140318]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
484003524ef2000db83cb16ced0a48a1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\DLG\requirements\spidentifierimpl.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
spidentifierimpl.exe:1080
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\SPtool.dll (180359 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsm2.tmp\inetc.dll (30 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\e0ed048e90a6cd1636f19b7a343cf5600.12176183264327789 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\progress.zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-rb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\index.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\css\style.css (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-lb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-lb.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\last.zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\uifile.zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google[1].txt (381 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\bar-rb.png (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\progress[1].zip (11948 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\loadingImage\loadingImage.bmp (55014 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\spidentifierimpl[1].exe (303947 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\progress-bar.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\cfg.txt (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\progress.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\151.gif (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\base.zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-b.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\base[1].zip (4708 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\icon.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\index.html (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\img\img1.png (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\M5WHGLUX\last[1].zip (5572 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\br-bg.png (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\454VKZUL\config-from-production[1].txt (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\progress.html (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@google.com[1].txt (387 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\last\js\jquery-1.10.2.min.js (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\requirements\spidentifierimpl.exe (303947 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (788 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\base\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\css\style.css (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\initWindow\noconnection.html (905 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QZMXKP41\soft32-flow-5-text-en-us[1].zip (6740 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\offers\soft32\css\style.css (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\DLG\ui\common\progress\img\img1.png (784 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version:
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version:
File Description:
Comments:
Language: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 174705 | 175104 | 4.5853 | b11564b9a66cc14556c1fb6b27fc44cd |
.rdata | 180224 | 61868 | 61952 | 3.29895 | c5d3ef72250fda3ae79eeab4d2067f72 |
.data | 245760 | 24096 | 15360 | 3.34806 | 55c8ef91dfc32b1f66b2a27ef426eb41 |
.rsrc | 270336 | 193368 | 193536 | 5.1131 | 979ac1d6303f700668d678d6df4175bf |
.reloc | 466944 | 21524 | 22016 | 3.47792 | 10c466d9b71044c843cf08b399008926 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 6
b291fc7a9931280d887b05f90c515a69
2b1dcb9e32b6aac471b3d93af8313a69
85aa416ae581b5784403bd5337216c56
8b1d518011e9f6d27182ea3cafbb916d
083344c3ecc91f885dfda259aad4916d
111c1af1ccaf646a235ca3e903ce01a8
Network Activity
URLs
URL | IP |
---|---|
hxxp://dlg-configs-eus.cloudapp.net/config-from-production | |
hxxp://e6337.g.akamaiedge.net/spidentifier/1.0.2.0/spidentifierimpl.exe | |
hxxp://dlg-messages-weu.cloudapp.net/1/dg/3 | |
hxxp://e9287.g.akamaiedge.net//spidentifier/1.0.2.0/spidentifierimpl.exe | |
hxxp://jazz-1846647836.us-east-1.elb.amazonaws.com/ | |
hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/base.zip | |
hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip | |
hxxp://dlg-messages-weu.cloudapp.net/1/dg/3/error | |
hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/progress.zip | |
hxxp://cs3.wpc.v0cdn.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/last.zip | |
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/progress.zip | 93.184.221.200 |
hxxp://dlg-configs.buzzrin.de/config-from-production | |
hxxp://dlg-messages.buzzrin.de/1/dg/3/error | |
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip | 93.184.221.200 |
hxxp://dlg-messages.buzzrin.de/1/dg/3 | |
hxxp://sp-storage.spccinta.com//spidentifier/1.0.2.0/spidentifierimpl.exe | 23.43.143.98 |
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/base.zip | 93.184.221.200 |
hxxp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/last.zip | 93.184.221.200 |
hxxp://sp-storage.conduit-services.com/spidentifier/1.0.2.0/spidentifierimpl.exe | 23.43.131.152 |
hxxp://sp-installer.conduit-data.com/ | 23.23.99.139 |
www.google.com | 173.194.113.211 |
www.google.com.ua | 173.194.113.223 |
wac.wac.b0f4.edgecastcdn.net | 93.184.220.43 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/last.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: CdWKjo25ViQq30NolnCXKg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:46 GMT
Etag: 0x8D1E7FA33CE34EB
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: fd6750c6-0001-0026-71fc-8dfe84000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 37780
Connection: close
<<< binary response body (ZIP archive; visible entry names: index.html, css\style.css) skipped >>>
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:46 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1932 S:1 D:57.46.415} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/progress.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: GbHVwCUrfRP/evGXlYdWmg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:46 GMT
Etag: 0x8D1E7FA33C8B687
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 4cb7ad3f-0001-0041-36fc-8d4d23000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 85600
Connection: close
<<< skipped >>>
GET /spidentifier/1.0.2.0/spidentifierimpl.exe HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: sp-storage.conduit-services.com
Connection: Close
HTTP/1.1 301 Moved Permanently
Location: hXXp://sp-storage.spccinta.com//spidentifier/1.0.2.0/spidentifierimpl.exe
Server: BigIP
Content-Length: 0
Cache-Control: private, max-age=900
Expires: Sun, 03 Apr 2016 23:12:39 GMT
Date: Sun, 03 Apr 2016 22:57:39 GMT
Connection: close
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 402
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:45 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckSuccessful","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"clickmein ltd/vuupc soft32/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 408
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:45 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckSuccessful","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:47 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1584 S:1 D:57.47.868} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:48 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:45 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1616 S:1 D:57.45.868} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
POST /config-from-production HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-configs.buzzrin.de
Content-Length: 209
Connection: Close
{"os":"WinNT","osver":"5.1.2600 (Service Pack 3) SP: 3.0","lang":"en-US","uid":"75ed9567-aa58-4c8e-a8ea-3cad7c47ab03","prod":"soft32/1.0/campaigns/paid content/","expiresOn":"2114-07-12T09:08:46.150774 00:00"}
HTTP/1.1 200 OK
Content-Type: text/plain
Server: Microsoft-IIS/8.5
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:38 GMT
Connection: close
Content-Length: 6540
{"certificate":"cyberservices","productSetup":"downloadguide/temp/89caaac7-fda7-4fd8-b3b0-944bf51fd3ae/DoNothing.exe","windowHeight":389,"windowWidth":506,"product":{"version":"1.0","displayName":"Soft32","installCodeJs":"","installTest":"true","files":[{"url":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/exe/DoNothing.exe","localFile":"DoNothing.exe","cmdParametersJs":"''","fileType":{"name":"Product","assemblyQualifiedName":"Freemium.Domain.Campaign.Product, Freemium.Domain"},"etag":null,"hash":null,"isExternalFile":false,"region":"default","version":"1.0","id":"soft32/1.0/default","name":"Soft32","isEncoded":false}],"uiFile":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip","logo":"hXXp://az687722.vo.msecnd.net/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/DoNothing.png","installationPath":"","infoText":"<p>We will not save either your IP address or other user data. We will only evaluate anonymised statistics for the optimization of the usability and our product. By using the downloader you agree to the usage of such data according to our strict privacy policy guidelines. Please read our detailed licence agreement (EULA) as well.</p><p>In order to finance our service we permit software producers to advertise their products in the downloader. Before the integration every product of our advertising partners has to pass a security
<<< skipped >>>
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 401
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:48 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"LoadingPrerequisitesFailed","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"clickmein ltd/vuupc soft32/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:49 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 587
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:48 03:00","ExceptionName":"","Message":"cpp: {P:0772 T:1852 S:1 D:57.48.447} - fail connect, hr=0x80070057","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:49 GMT
Connection: close
Content-Length: 0
POST /1/dg/3/error HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 730
Connection: Close
{"ApplicationName":"DownloadGuide2","ApplicationVersion":"3.0.0.135","Client":"freemium","Culture":"en-US","Region":"default","ExceptionDateBinary":"2016-04-03T22:57:47 03:00","ExceptionName":"","Message":"Can't load the file: errorCode=2147942487 url=[cdnUrl]/public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/search-protect-single-text-en-us.zip","MethodName":"","OsName":"WinNT","OsPlatform":"x32","OsVersion":"5.1.2600 (Service Pack 3) SP: 3.0","StackTrace":"","BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","Product":"soft32","ProductVersion":"1.0","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:49 GMT
Connection: close
Content-Length: 0
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/base.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: yfeb6HeSX7QcohHPlnHtCg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:46 GMT
Etag: 0x8D1E7FA33C226AC
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: 8499791d-0001-0003-30fc-8d6637000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 34496
Connection: close
<<< skipped >>>
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 407
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:47 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"LoadingPrerequisitesFailed","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:48 GMT
Connection: close
Content-Length: 0
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 399
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:45 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckStarted","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"clickmein ltd/vuupc soft32/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:47 GMT
Connection: close
Content-Length: 0
GET /public-source/downloadguide/soft32/1.0/default/campaigns/paid content/ui/soft32-flow-5-text-en-us.zip HTTP/1.1
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: az687722.vo.msecnd.net
Connection: Close
HTTP/1.1 200 OK
Cache-Control: public, max-age=3600
Content-MD5: rToHOmlZfbh7Kn10hOCSFg==
Content-Type: application/octet-stream
Date: Sun, 03 Apr 2016 22:57:45 GMT
Etag: 0x8D1E7FA33F9D9E9
Last-Modified: Wed, 17 Dec 2014 10:20:23 GMT
Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
x-ms-blob-type: BlockBlob
x-ms-lease-status: unlocked
x-ms-request-id: f3a05e8d-0001-001f-51fc-8dbe20000000
x-ms-version: 2009-09-19
x-ms-write-protection: false
Content-Length: 49236
Connection: close
<<< skipped >>>
GET //spidentifier/1.0.2.0/spidentifierimpl.exe HTTP/1.1
Host: sp-storage.spccinta.com
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Connection: Close
HTTP/1.1 200 OK
Last-Modified: Mon, 04 Apr 2016 01:57:39 GMT
Accept-Ranges: bytes
ETag: "bd95aafde34a6270e612f226404df5e3"
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
P3P: CP="IDC DSP COR CURa ADMa DEVa TAIa OUR BUS IND UNI COM NAV INT"
Content-Length: 2592168
Date: Sun, 03 Apr 2016 22:57:39 GMT
Connection: close
<<< skipped >>>
POST / HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: sp-installer.conduit-data.com
Content-Length: 225
Connection: Keep-Alive
Cache-Control: no-cache
{"event_type":"SPidentifier", "environment":"", "machine_ID":"X6DXB5LA8TCXW1SVVBM5RK8SRPSWASASMB3FBWLZVGDSK5SY8EJGP WASHJODV4YYUFBGJQOD3NWH/WF QMGXW", "result": "success", "failure_reason": "clean_machine", "SP_version": ""}
HTTP/1.1 202 Accepted
Date: Sun, 03 Apr 2016 22:57:44 GMT
P3P: CP="NOI ADM DEV COM NAV OUR STP"
Server: Apache-Coyote/1.1
Content-Length: 0
Connection: keep-alive
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 355
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:38 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"ApplicationStarted","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:40 GMT
Connection: close
Content-Length: 0
POST /1/dg/3 HTTP/1.1
Cache-Control: no-cache
Content-Type: application/json
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: dlg-messages.buzzrin.de
Content-Length: 405
Connection: Close
{"BuildId":"297e4c29-a109-4000-b455-ca4a46ad8038","Client":"freemium","DlgVersion":"3.0.0.135","Culture":"en-US","LocalTime":"2016-04-03T22:57:38 03:00","SessionId":"a1a9191f-87a9-4e3d-85e3-10e7eb851e11","MessageName":"RequirementsCheckStarted","Product":"soft32","ProductVersion":"1.0","Region":"default","Campaign":"paid content","Offer":"conduit ltd/ultra search protect/1.0/default","TrackBackUrl":""}
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.0
X-Powered-By: ASP.NET
Date: Sun, 03 Apr 2016 22:57:40 GMT
Connection: close
Content-Length: 0
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_772:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
8%uEP3
8%uEP3
9^4t.VhD
9^4t.VhD
Wh,%C
Wh,%C
RhX%C
RhX%C
QhX%C
QhX%C
operator
operator
GetProcessWindowStation
GetProcessWindowStation
%s [this=0x%p]
%s [this=0x%p]
%s [this=0x%p, root=lx, path='%s', f=0xlx] -> %d
%s [this=0x%p, root=lx, path='%s', f=0xlx] -> %d
- destroy/wait %d/%d self-living objects
- destroy/wait %d/%d self-living objects
- cancel %d timeouts
- cancel %d timeouts
%s '%s' [err=%d]
%s '%s' [err=%d]
%s [f='%s']
%s [f='%s']
%s [n=%d] -> hr=0xx
%s [n=%d] -> hr=0xx
%s [f=0x%p,t=%u]->id=%u
%s [f=0x%p,t=%u]->id=%u
- replace active timeout #%u!
- replace active timeout #%u!
%s [url='%s',f='%s']
%s [url='%s',f='%s']
- fail, hr=0xx
- fail, hr=0xx
%s [path='%s',mode=%d]
%s [path='%s',mode=%d]
%s -> watch for self-living object 0x%p
%s -> watch for self-living object 0x%p
%s -> self-living object 0x%p has finished the work -> wait when it is done
%s -> self-living object 0x%p has finished the work -> wait when it is done
%s -> drop self-living object 0x%p as it is done
%s -> drop self-living object 0x%p as it is done
%s -> auto quit.
%s -> auto quit.
- got tag of %d bytes
- got tag of %d bytes
%s [id=%u,call=%d]
%s [id=%u,call=%d]
- unknown timeout #%d!
- unknown timeout #%d!
- hr=0xx
- hr=0xx
RegOpenKeyTransactedW
RegOpenKeyTransactedW
RegCreateKeyTransactedW
RegCreateKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyTransactedW
RegDeleteKeyExW
RegDeleteKeyExW
F3.0.0.135
F3.0.0.135
DLG ENTRY v%s WIN%d.%d.%d ÛIT IE%d.%d
DLG ENTRY v%s WIN%d.%d.%d ÛIT IE%d.%d
!>%s [name='%s']
!>%s [name='%s']
%s fail [f='%s',err=%d]
%s fail [f='%s',err=%d]
%s, f='%s'
%s, f='%s'
- %s failed: %d
- %s failed: %d
%s [f='%s',len(d)=%d]
%s [f='%s',len(d)=%d]
%s [id=%s,type=%s]
%s [id=%s,type=%s]
- size: %d
- size: %d
!>%s [this=0x%p]
!>%s [this=0x%p]
- call end, this=0x%p, ret=%d
- call end, this=0x%p, ret=%d
JsFileExecution::JsFileExecution
JsFileExecution::JsFileExecution
JsFileExecution::~JsFileExecution
JsFileExecution::~JsFileExecution
JsFileExecution::doWorkRoutine
JsFileExecution::doWorkRoutine
- can't validate exe, this=0x%p, err=%d, f='%s'
- can't validate exe, this=0x%p, err=%d, f='%s'
- ShellExecuteEx failed, this=0x%p, err=%d
- ShellExecuteEx failed, this=0x%p, err=%d
- queue #%d: %d items, add 0x%p
- queue #%d: %d items, add 0x%p
- queue #%d: %d items, run 0x%p
- queue #%d: %d items, run 0x%p
- request start: this=0x%p (v=%d)
- request start: this=0x%p (v=%d)
- request end: this=0x%p, hr=0xx
- request end: this=0x%p, hr=0xx
- drop cache for '%s'
- drop cache for '%s'
- request stop: this=0x%p, hr=0xx, err='%s'
- request stop: this=0x%p, hr=0xx, err='%s'
- fail connect, hr=0xx
- fail connect, hr=0xx
HTTP/1.1
HTTP/1.1
- fail open, hr=0xx
- fail open, hr=0xx
- fail add headers, hr=0xx
- fail add headers, hr=0xx
- enum http_response_headers: '%s' (0xx)
- enum http_response_headers: '%s' (0xx)
- enum http_response_headers -> '%s'
- enum http_response_headers -> '%s'
%s, this=0x%p
%s, this=0x%p
%s, this=0x%p, auto=%d
%s, this=0x%p, auto=%d
- send, counter=%d
- send, counter=%d
- fail get status, hr=0xx
- fail get status, hr=0xx
- status: %d
- status: %d
- need auth %d, counter=%d
- need auth %d, counter=%d
- decide to repeat: %d
- decide to repeat: %d
- repeat, counter=%d
- repeat, counter=%d
- fail create file, hr=0xx, f='%s'
- fail create file, hr=0xx, f='%s'
- fail write file, hr=0xx
- fail write file, hr=0xx
- read %lu bytes by %lu portions
- read %lu bytes by %lu portions
- fail %s, hr=0xx [url='%s',dtTot=%lld,dtCur=%lld]
- fail %s, hr=0xx [url='%s',dtTot=%lld,dtCur=%lld]
%s, this=0x%p, handle=0x%p, status=%d
%s, this=0x%p, handle=0x%p, status=%d
^-- server IP is '%s'
^-- server IP is '%s'
^-- host is '%s'
^-- host is '%s'
^-- redirect to '%s'
^-- redirect to '%s'
!>%s [this=0x%p,f='%s',d='%s']
!>%s [this=0x%p,f='%s',d='%s']
%s failed: %d
%s failed: %d
- DefWinProc -> %d
- DefWinProc -> %d
%s [this=0x%p,show=%d]
%s [this=0x%p,show=%d]
%s [file='%s']
%s [file='%s']
- can't load image [e=%d,f='%s']
- can't load image [e=%d,f='%s']
- bad image size (%d,%d) [e=%d,f='%s']
- bad image size (%d,%d) [e=%d,f='%s']
- bad image type [p=%d,bpp=%d,f='%s']
- bad image type [p=%d,bpp=%d,f='%s']
- fail to %s key [err=%d]
- fail to %s key [err=%d]
- ID:='%s'
- ID:='%s'
!>%s [len(code)=%d]
!>%s [len(code)=%d]
- error in script, hr=0xx
- error in script, hr=0xx
!>%s [f='%s']
!>%s [f='%s']
%s, count=%d
%s, count=%d
%s, name='%s'
%s, name='%s'
- no JScript progid, hr=0xx
- no JScript progid, hr=0xx
- no JScript object, clsid=%s, hr=0xx
- no JScript object, clsid=%s, hr=0xx
- can't create typical JScript object, hr=0xx
- can't create typical JScript object, hr=0xx
- register JScript, hr=0xx
- register JScript, hr=0xx
- can't create JScript object manually, hr=0xx [%s]
- can't create JScript object manually, hr=0xx [%s]
- no parse interface, hr=0xx
- no parse interface, hr=0xx
- can't set site, hr=0xx
- can't set site, hr=0xx
- can't init parser, hr=0xx
- can't init parser, hr=0xx
Eval, len(expr)=%d, ns='%s', hr=0xx
Eval, len(expr)=%d, ns='%s', hr=0xx
- no disp '%s', hr=0xx
- no disp '%s', hr=0xx
ScriptError [scode=0xx, desc=%s, ctx=%d, line=%d, char=%d, src=%s]
ScriptError [scode=0xx, desc=%s, ctx=%d, line=%d, char=%d, src=%s]
CScriptSiteObj::GetItemInfo, name='%s'
CScriptSiteObj::GetItemInfo, name='%s'
%s, start [this=0x%p]
%s, start [this=0x%p]
%s, done [this=0x%p]
%s, done [this=0x%p]
- unpack `this`, hr=0xx
- unpack `this`, hr=0xx
%d.%d
%d.%d
{P:d T:d S:%d D:d.d.d} %s
{P:d T:d S:%d D:d.d.d} %s
%s [this=0x%p,main=%d,url='%s']
%s [this=0x%p,main=%d,url='%s']
%s [url='%s']
%s [url='%s']
%s, hwnd=0x%p
%s, hwnd=0x%p
F%D,3
F%D,3
C:\TeamCity\BuzzrinAgent_2\work\ab5ba43f5f73927\DownloadGuide2\Release\DownloadGuide2.pdb
C:\TeamCity\BuzzrinAgent_2\work\ab5ba43f5f73927\DownloadGuide2\Release\DownloadGuide2.pdb
KERNEL32.dll
KERNEL32.dll
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
COMDLG32.dll
COMDLG32.dll
RegCloseKey
RegCloseKey
RegOpenKeyExW
RegOpenKeyExW
RegCreateKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegDeleteKeyW
RegDeleteKeyW
RegQueryInfoKeyW
RegQueryInfoKeyW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteExW
ShellExecuteExW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
SHLWAPI.dll
SHLWAPI.dll
DeleteUrlCacheEntryW
DeleteUrlCacheEntryW
HttpOpenRequestA
HttpOpenRequestA
HttpAddRequestHeadersA
HttpAddRequestHeadersA
HttpQueryInfoA
HttpQueryInfoA
HttpSendRequestA
HttpSendRequestA
InternetCrackUrlW
InternetCrackUrlW
WININET.dll
WININET.dll
URLDownloadToFileW
URLDownloadToFileW
urlmon.dll
urlmon.dll
GetProcessHeap
GetProcessHeap
GetCPInfo
GetCPInfo
MsgWaitForMultipleObjects
MsgWaitForMultipleObjects
.?AV?$CJsExportObject@VJsDllCaller@@UIJsAsyncWorkerSLO@@@@
.?AV?$CJsExportObject@VJsDllCaller@@UIJsAsyncWorkerSLO@@@@
.?AV?$CJsExportObject@VJsFileUnpacking@@UIJsAsyncWorkerSLO@@@@
.?AV?$CJsExportObject@VJsFileUnpacking@@UIJsAsyncWorkerSLO@@@@
.?AV?$CComCoClass@VJsFileExecution@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
.?AV?$CComCoClass@VJsFileExecution@@$1?GUID_NULL@@3U_GUID@@B@ATL@@
.?AV?$CJsExportObject@VJsFileExecution@@UIJsAsyncWorkerSLO@@@@
.?AV?$CJsExportObject@VJsFileExecution@@UIJsAsyncWorkerSLO@@@@
.?AV?$AsyncWorkerSLO@VJsFileExecution@@UIJsAsyncWorkerSLO@@@@
.?AVJsFileExecution@@
.?AV?$CComObject@VJsFileExecution@@@ATL@@
.?AV?$CJsExportObject@VJsFileRequest@@UIJsAsyncWorkerSLO@@@@
.?AUCJsExportObjectBase@@
.?AV?$CJsExportObject@VJsRegistryAccessor@@UIJsRegistryAccessor@@@@
.?AV?$CJsExportObject@VApp@@UIJsApp@@@@
.?AVDownloadStatus@?1??CallURLDownloadToFile@JsFileRequest@@AAEJABV?$basic_string@_WU?$char_traits@_W@std@@V?$allocator@_W@2@@std@@0V?$CComPtr@UIDispatch@@@ATL@@@Z@
.?AV?$CJsExportObject@VJsImageWindow@@UIJsImageWindow@@@@
.?AV?$CJsExportObject@VJsSysInfo@@UIJsSysInfo@@@@
.?AV?$CJsExportObject@VScriptManager@@UIJsScriptGlobal@@@@
.?AV?$CJsExportObject@VHtmlWindow@@UIJsHtmlWindow@@@@
.?AV?$_IDispEventLocator@$00$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventSimpleImpl@$00VHtmlWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B@ATL@@
.?AV?$IDispEventImpl@$00VHtmlWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@ATL@@
.?AV?$IJsDispEventImpl@$00VHtmlWindow@@$1?DIID_DWebBrowserEvents2@@3U_GUID@@B$1?LIBID_SHDocVw@@3U3@B$00$0A@VCComTypeInfoHolder@ATL@@@@
(}onlogmsg
hkeyt
/keyRootW
%ZkeyPathW
.defValWW
enumKeyW
psKeyWWWt
recurseDeleteKey
PsubKeyWW
Created by MIDL version 7.00.0555 at Fri Jul 11 09:39:56 2014
base64.js
json2.js
md5.js
scriptLib.js
scriptMain.js
css/style.css
noconnection.html
progress.html
loadingImage.bmp
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
mscoree.dll
KERNEL32.DLL
WUSER32.DLL
Advapi32.dll
@HKEY_CURRENT_CONFIG
HKEY_DYN_DATA
HKEY_PERFORMANCE_DATA
HKEY_USERS
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CLASSES_ROOT
This Windows system is unsupported.
Windows XP or higher and InternetExplorer 6 or higher are required.
zResData.zip
kernel32.dll
http_response_headers
http_response_status
yjscript.dll
user32.dll
c:\%original file name%.exe
ZRESDATA.ZIP
INITWINDOW.ZIP
LOADINGIMAGE.ZIP
3.0.0.135