Skip to main content

Trojan.Win32.IEDummy_51ec3fce4b


Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 51ec3fce4b3b1b8500a829ae622d66fe

SHA1: 54274dafdcb1ebe4ac2d6fe50ef9fffd7568b6db

SHA256: 4168e0a0fcac71bf96f1d6aaa5ba44665e00bbb9fafe2d5a6452220fff4fea3f

SSDeep: 98304:APU2Q6kf8LfGIQ23HveCcuhsJ06eZ/cNJ9i:APU3hkfeC7A99i

Size: 3501384 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 1992-06-20 01:22:17

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:1216

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:1216 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9GFGDK9\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WX6ZOH6Z\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PQJ41IV\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U3JTJU0C\desktop.ini (67 bytes)

Registry activity

The process %original file name%.exe:1216 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\ProgID]
"(Default)" = "51ec3fce4b3b1b8500a829ae622d66fe.DynamicNS"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}]
"(Default)" = "DynamicNS"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKCR\CLSID\{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCR\51ec3fce4b3b1b8500a829ae622d66fe.DynamicNS\Clsid]
"(Default)" = "{C379EAD1-CB34-4B09-AF6B-7E587F8BCD80}"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCR\51ec3fce4b3b1b8500a829ae622d66fe.DynamicNS]
"(Default)" = "DynamicNS"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F6 F8 74 68 59 CE 28 3E 34 F1 C3 2A B0 44 84 6A"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\51ec3fce4b3b1b8500a829ae622d66fe\DEBUG]
"Trace Level" = ""

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Program Files%\Internet Explorer]
"iexplore.exe" = "Internet Explorer"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\51ec3fce4b3b1b8500a829ae622d66fe\DEBUG]
"Trace Level"

Dropped PE files

There are no dropped PE files.

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    %original file name%.exe:1216

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\C9GFGDK9\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WX6ZOH6Z\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\8PQJ41IV\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\U3JTJU0C\desktop.ini (67 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
  5. Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.0.0.0
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.0.0.0
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: 1.0.0.0Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.0.0.0File Description: Comments: Language: Language Neutral

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
UPX04096506675200d41d8cd98f00b204e9800998ecf8427e
UPX15070848219136021893125.4666569cb46e5a076df8603a704db358f0eeb
.rsrc726220820480199683.7086441232c5a6d20f79595ed25bf83af4614

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:


Total found: 60
5fcbaf02490d0250b4c97a0723d68f89
8d91272c7cf6da1c9320593ef53163b5
f79ac263c1c666b64e3dea8889e684ed
daaa4bbd3878b142bd7b44021f4e2df6
3afea2457cc21ca882e9b9b46aa54bbf
7c47438678284bde74331ee3b3004680
5de1de90473093e01c746ae4e0958bb2
847c174897146766d01e901dcc4c48ae
a539f1bde649d07a165144bfd3163dbc
712faeb490e88ba6915db48e0244568b
95fdbc72fc798b7ac6cf2668341256d6
c60a87c36fbc20ae608bd4dc2e072184
7ef3c22fb72b6acdcf6fe958faa3a75f
a1d1ac50aa3c0054b558a0c9e9a0c138
835a9b389119ebe4f67837a1f54ba5e9
0adac57a2af5d7eafefa697ebefdbbe5
f7805152e36f892b44df30763e064d2b
5af8464592f3c11933b14fe1964084e0
d801744002fc0ef21b6ab8a40ef73286
62d5c7a3623cf46dc8418527aaaa7e4b
4b18d9b5bad038a827e7306db8551864
bb3a9d04bcfa79692e2515dd39ca38e0
56e13a29b9ac9d4fd29257d9ec6b232e
8240cd7e17af14bb97ab20ee3c81007a
153de264a345a6b326caed278aa3cce4

Network Activity

URLs

URL IP
hxxp://download.torrentex.ru/download.php5.149.254.68
hxxp://fplr.biz/FFPsetup.exe89.207.132.103
hxxp://download1.torrentex.ru/download/torrentex0.1.4b.exe5.149.255.181
hxxp://digimatic.biz/pages/displayCore2_russian/typ2-1.html
hxxp://tundra.site/pages/displayCore2_russian/typ2-1.html148.62.4.84
hxxp://tundra.site/pages/displayCore2_russian/css/style.css148.62.4.84
hxxp://tundra.site/pages/displayCore2_russian/images/icon2-green.png148.62.4.84
hxxp://tundra.site/pages/displayCore2_russian/images/icon1-green.png148.62.4.84
hxxp://tundra.site/pages/displayCore2_russian/images/icon3-green.png148.62.4.84
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/scripts/1/adnl.min.js
hxxp://neu-dl-api.cloudapp.net/api/vv/1?callback=cb_1457784295343&ts=1457784295343&sessionId=YoKWB&rfr=&siteId=9306&aus=3958,1,0
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/layouts/graphic_300x250.js?v=4.4.28
hxxp://cast-prod-dlv-pull.ironsrc.netdna-cdn.com/images/d00f789b-95d8-4133-8eb1-0fd872f98e9b.gif
hxxp://tundra.site/pages/displayCore2_russian/148.62.4.84
hxxp://neu-dl-api.cloudapp.net/api/vp/1?clk=cITwNtK7dLjmnNLKCZ67hVzZ3SvoRt2Pk2hlCm23M_uZ4lOxJBYLG7-hzg76kOsowQBq3n7X9lRj_hEZiqPUwHrZTLuGgqMtuNksJAlsXfD0PrhLXThXxNmH0DfEUb9dm3KuZbcSBTytWUnKSBgQH9D0a3c8vhcEOPQ1-Ug47wfYxmykEihLWdT4ePiIkzpoadD7ei7qAO4m1mcg69KTHBD1pthuUvOdmUAQ1PxRfN2m24oik7WdX_rvzJUzLrWEHa9hY_obyo9lsz7vYdPEJIw7UuepBkBS6jLVrcZyz2kejduna3mY9to9VUFhaq6D65loPuxElTBVTk8dU8rNtFcRsAxyysK0_NFuC05hMY9Ld9Hj89jJpJrX9z0MW0jt4KjGkgzuLBTiSavERnANO6yi7RIhy7dBF7UGw0avx-Eks7DwyuaN4ckUlCUqrg93cr-0crx5DaoFNXlZBfP7QQ&rfr=
hxxp://d.castplatform.com/api/vv/1?callback=cb_1457784295343&ts=1457784295343&sessionId=YoKWB&rfr=&siteId=9306&aus=3958,1,040.127.174.50
hxxp://cdn.castplatform.com/scripts/1/adnl.min.js198.232.124.20
hxxp://cdn.castplatform.com/images/d00f789b-95d8-4133-8eb1-0fd872f98e9b.gif198.232.124.20
hxxp://cdn.castplatform.com/layouts/graphic_300x250.js?v=4.4.28198.232.124.20
hxxp://d.castplatform.com/api/vp/1?clk=cITwNtK7dLjmnNLKCZ67hVzZ3SvoRt2Pk2hlCm23M_uZ4lOxJBYLG7-hzg76kOsowQBq3n7X9lRj_hEZiqPUwHrZTLuGgqMtuNksJAlsXfD0PrhLXThXxNmH0DfEUb9dm3KuZbcSBTytWUnKSBgQH9D0a3c8vhcEOPQ1-Ug47wfYxmykEihLWdT4ePiIkzpoadD7ei7qAO4m1mcg69KTHBD1pthuUvOdmUAQ1PxRfN2m24oik7WdX_rvzJUzLrWEHa9hY_obyo9lsz7vYdPEJIw7UuepBkBS6jLVrcZyz2kejduna3mY9to9VUFhaq6D65loPuxElTBVTk8dU8rNtFcRsAxyysK0_NFuC05hMY9Ld9Hj89jJpJrX9z0MW0jt4KjGkgzuLBTiSavERnANO6yi7RIhy7dBF7UGw0avx-Eks7DwyuaN4ckUlCUqrg93cr-0crx5DaoFNXlZBfP7QQ&rfr=40.127.174.50

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /scripts/1/adnl.min.js HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.castplatform.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 12 Mar 2016 12:07:25 GMT

Content-Type: text/javascript; charset=utf-8

Content-Length: 59620

Connection: keep-alive

Vary: Accept-Encoding

Content-MD5: /T8nMvFG2QmEs5mdNjYJVQ==

Last-Modified: Tue, 01 Mar 2016 14:18:31 GMT

ETag: 0x8D341DC5DDFDAAE

X-Node: cdn1

Server: NetDNA-cache/2.2

X-Cache: HIT

// CAST Delivery Agent v4.4.28 #14:18.!function(global,undefined){Array.prototype.indexOf||(Array.prototype.indexOf=function(e,t){if(this===undefined||null===this)throw new TypeError('"this" is null or not defined');var n=this.length>>>0;for(t= t||0,1/0===Math.abs(t)&&(t=0),0>t&&(t =n,0>t&&(t=0));n>t;t )if(this[t]===e)return t;return-1}),"object"!=typeof window.JSON&&(window.JSON={},window.JSON.stringify=function(e){if("[object Array]"===Object.prototype.toString.call(e)){if(e.length>0){for(var t=e.length,n=[],a=0;t>a; a)n.push(this.stringify(e[a]));return"[" n.join(", ") "]"}return"[]"}if("object"==typeof e&&null!==e){var n=[];for(a in e)n.push('"' a '": ' this.stringify(e[a]));return"{" n.join(", ") "}"}return"string"==typeof e?'"' e.replace(/"/g,'\\"') '"':e},window.JSON.parse=function(text,reviver){function walk(e,t){var n,a,i=e[t];if(i&&"object"==typeof i)for(n in i)Object.prototype.hasOwnProperty.call(i,n)&&(a=walk(i,n),a!==undefined?i[n]=a:delete i[n]);return reviver.call(e,t,i)}var cx=/[\u0000\u00ad\u0600-\u0604\u070f\u17b4\u17b5\u200c-\u200f\u2028-\u202f\u2060-\u206f\ufeff\ufff0-\uffff]/g,j;if(text=String(text),cx.lastIndex=0,cx.test(text)&&(text=text.replace(cx,function(e){return"\\u" ("0000" e.charCodeAt(0).toString(16)).slice(-4)})),/^[\],:{}\s]*$/.test(text.replace(/\\(?:["\\\/bfnrt]|u[0-9a-fA-F]{4})/g,"@").replace(/"[^"\\\n\r]*"|true|false|null|-?\d (?:\.\d*)?(?:[eE][ \-]?\d )?/g,"]").replace(/(?:^|:|,)(?:\s*\[) /g,"")))return j=eval("(" text ")"),"function"==typeof reviv

<<< skipped >>>

GET /layouts/graphic_300x250.js?v=4.4.28 HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.castplatform.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 12 Mar 2016 12:07:26 GMT

Content-Type: text/javascript; charset=utf-8

Content-Length: 2972

Connection: keep-alive

Vary: Accept-Encoding

Content-MD5: KiIZm6dlzklWp1p98ApFMQ==

Last-Modified: Tue, 01 Mar 2016 13:07:06 GMT

ETag: 0x8D341D2640D8BFE

X-Node: cdn1

Server: NetDNA-cache/2.2

X-Cache: HIT

cb_layout({transformer:{name:["Graphic_300x250"],mainLayout:"graphic_300_250_combo",subLayouts:["graphic_300_250_single_inner"]},addZoneTypes:function(e,a){a.graphic_layout={family:"layout_base",style:a.layout_base.style ".namespace{overflow:hidden;background:#fff;border-top:solid 30px #39393a;border-bottom:solid 1px #f6f6f6}.namespace .slots{background-color:#f9f9f9;overflow:hidden}.namespace .ca-sec-title{color:#fff;font-weight:400;line-height:30px;margin:0;font-size:12px;position:absolute;padding-left:10px;top:0}",template:'<div class="header ca-sec-title cstm-title">{{adunit_title|default:we_recommend}}</div><div class="slots cstm-bg"></div>'},a.graphic_inner=e.extend({},a.inner_base,{style:a.inner_base.style ".namespace{display:block;overflow:hidden;position:relative;margin:0;border-bottom:solid 1px #3d3c3d;border-right:solid 1px #3d3c3d;border-left:solid 1px #3d3c3d}.namespace h1,.namespace h2,.namespace h3,.namespace h4,.namespace h5,.namespace p{margin:0}.namespace a{right:14px;bottom:12px;color:#2bb22f;font-size:12px;font-weight:700}.namespace a.download_now_placeholder{text-decoration:none}.namespace img{position:absolute;border:0}.namespace .ca-title{font-weight:700;color:#4d4d4d;margin:0;height:auto}.namespace .ca-company{color:#768797;font-weight:400;font-size:14px;line-height:24px}.namespace .ca-description{color:#5d5d5d;font-size:14px}.namespace .ca-stars-rating{margin-top:12px}.namespace .download_now{position:absolute;top:auto;right:auto;left:12px;bottom:9px}.namespace i

<<< skipped >>>

GET /images/d00f789b-95d8-4133-8eb1-0fd872f98e9b.gif HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: cdn.castplatform.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Sat, 12 Mar 2016 12:07:26 GMT

Content-Type: image/gif; charset=utf-8

Content-Length: 5997

Connection: keep-alive

Vary: Accept-Encoding

Content-MD5: M7d1PaTMMt6h052RjEVrbw==

Last-Modified: Thu, 24 Dec 2015 14:45:03 GMT

ETag: 0x8D30C70CEB7CAB4

X-Node: cdn1

Server: NetDNA-cache/2.2

X-Cache: HIT

GIF89ad.d....@........[........]..:v{............J..I..h.....2{....8.....Y.....C..r.....C..M.....;|.y.....F..............5}....e..H.....B..i..O.....L.....6~.<..........................L|....b..............u........W........E.....Bx|...>.....Y..T.....c........4|.b..............[.....:..?.....s..L..{..[..R..x..=...........V..R..T..t..X..C..W.....U..Y.....U..i..6}.8..z..P.....Q........n........V.....I.....S.....4ptI..Q..^..}.....N.....|..=..m...........^........P..N.....7........"RX;..Z........I..............^.....T.....B..?.....O..R..............U......rxV.....7|.,ekT..L..W..>..K..V..9..C..E..Y..W..N..[..[../pv...^.._..1z.0y.5~.3|.\..[..Z..C.....B....................M..Q.....S..;..=..N........=..[..$]aD..`..S.....6y._..B..............O..L...........2z.V..Q..O........Q..W..!..XMP DataXMP<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.6-c111 79.158325, 2015/09/10-01:10:20 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmpMM="hXXp://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmpMM:OriginalDocumentID="xmp.did:54521e55-5d95-f641-bd02-1debd9140b99" xmpMM:DocumentID="xmp.did:5E315AD2AA4B11E593128CCF1E300019" xmpMM:InstanceID="xmp.iid:5E315AD1AA4B11E593128CCF1E300019" xmp:CreatorTool="Adobe Photoshop CC 2014 (Windows)"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:DB3131D

<<< skipped >>>

GET /pages/displayCore2_russian/images/icon1-green.png HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tundra.site

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 12 Mar 2016 12:01:02 GMT

Content-Type: image/png

Content-Length: 3392

Last-Modified: Thu, 12 Jun 2014 09:04:00 GMT

Connection: keep-alive

ETag: "53996d00-d40"

Accept-Ranges: bytes

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[{l[W.?..g..fvR.]..2.4.z.N..?jOC......C....IS[....%Y............i].@..c.@.?Hs%.:&.....&..c.............#YIS...;.w.....cB.O......GE.l.3.n7.2Rv..FQ..JF. ...Lt.....?..m.cN...'yK...k..Y..l..........j...qO:.?.......n...8K........K7<9X.db.$.....b.............=-........<uhB..2......-/VI.Hzy.$."..?y...<.....-.iF..x.. ...N..ke....)......!._.mJc..p,a.Z.Gd.x.(...p.......j....~3.. .I..a....~4...S...NN0f.W..2.I.....t....i`..1d.6....E...^.oKGb$qm.}..;.f...g...h%x..t.K ..'.......(X...W.:...]#.p......>.._;.>j..{..V.(k.W...O\....oj..^.....K.lq>.<.......eJ........?..Yp.`.Ic........F............OV.../...n.....u.3...F..`... .....oj..b.......7"..;]i.B.. ...K.A{..W.^.g....9..?}..p....R.M....i..N.D....;......QK..,".....9.....ub>...P.....g:9/...:?.y?..a8...L....L.b.s............W...O|.S...w*...3=..J.,...:...3ok..mz....W....E.S.F.N...99K.v.S.P.......].!ey:]#C..!.8 .W...D;dq.......>;...|Y.,3D.Gq.Mg.D..i.|..X.......[.@.s8.8sVD.*cYmj.=.3..2........W...vw...fy9^.....z......pEQ. ...Q....T....#.[/..t.0z.h!..>t.....%".Bl.{.<.{.JW.....?.3h.{w...(...DF..p...dV.}X....PJ...n.A.....o. p.(..........H..3....H...N....F)p8....$.......Y....z:Tn.....W.q....6..D..G.Ud.f.....C.X....D......N..{..T.j......../."..=...g..)..<(hwX.rf...0...Z=J..=....1B..n.$U\.P.re.ku.u&8.nC.........W........so..../.O5...G.....OB#%...x...~..`.;.....^.m."...........q..S]..T.....Fj)>...|.jZ...['.....:.s.x..O.m.....[....\$0..{..&.r...^.U...?.o..Y.......ZW].

<<< skipped >>>

GET /pages/displayCore2_russian/ HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tundra.site

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 12 Mar 2016 12:01:03 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

Content-Encoding: gzip

114...............n. .......{BpRi.(.....hC..M..uy.A.i..ia.,0..l0L....OLI.r.t0...V........I..5b..N......#.|.32........r.M.v..t.x..k.c$S.3...@.....%.<.FDR.r....d....U].....6.....1....S...'..l^..s........"{.\..l".K......E@S.......f/...^f.0..zg..........9s}}9.*2.....I.-.....~...........0..HTTP/1.1 200 OK..Server: nginx/1.8.0..Date: Sat, 12 Mar 2016 12:01:03 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Vary: Accept-Encoding..Content-Encoding: gzip..114...............n. .......{BpRi.(.....hC..M..uy.A.i..ia.,0..l0L....OLI.r.t0...V........I..5b..N......#.|.32........r.M.v..t.x..k.c$S.3...@.....%.<.FDR.r....d....U].....6.....1....S...'..l^..s........"{.\..l".K......E@S.......f/...^f.0..zg..........9s}}9.*2.....I.-.....~...........0..

GET /FFPsetup.exe HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: fplr.biz

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sat, 12 Mar 2016 12:07:20 GMT

Content-Type: application/octet-stream

Content-Length: 3378400

Last-Modified: Tue, 15 Dec 2015 16:17:36 GMT

Connection: keep-alive

Accept-Ranges: bytes

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......8...|O..|O..|O..u7..nO..|O...O...8 .{O..u7..ZO..u7..$O..b...}O..u7..}O..Rich|O..................PE..L....v.U.....................<.......m............@..........................@........3.....................................d...P.... ..|............n3..............................................3..@............................................text............................... ..`.data............ ..................@....rsrc...|.... ......................@..@................................................................................................................................................................................................................................................................................................................................................................................................................................................`...p...|....................................... ...,...@...P...^...n...~...........................................0...<...N...............v...d...R...B...............................0...L...j...~...........................................2...J...X...f...~...................................,...F...`...r...................................................t.......Z...L...6... .......................................r........................o@..s@...@...@.........................Setup log-file with an err

<<< skipped >>>

GET /download.php HTTP/1.0

Connection: keep-alive

Host: download.torrentex.ru

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: identity

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 302 Found

Server: nginx/1.4.6 (Ubuntu)

Date: Sat, 12 Mar 2016 11:57:04 GMT

Content-Type: text/html

Content-Length: 0

Connection: keep-alive

Location: hXXp://download1.torrentex.ru/download/torrentex0.1.4b.exe

GET /api/vv/1?callback=cb_1457784295343&ts=1457784295343&sessionId=YoKWB&rfr=&siteId=9306&aus=3958,1,0 HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d.castplatform.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Length: 1209

Content-Type: text/javascript; charset=utf-8

Server: Microsoft-HTTPAPI/2.0

X-Country: UA

P3P: CP='NON UNI COM NAV STA OUR IND'

Set-Cookie: cuuid=b1db55e5-f5ee-4c98-bb3f-01bcc0aebec2; expires=Thu, 12 Mar 2026 12:07:25 GMT; domain=d.castplatform.com; path=/

X-Elapsed: 403

X-Node: NEU3940D8

Date: Sat, 12 Mar 2016 12:07:24 GMT

cb_1457784295343 && cb_1457784295343({"zones":[{"id":3958,"status":200,"enabled":true,"template":"Graphic_300x250","data":[{"title":"Windows PC Repair","description":"Scan your PC for Windows errors with 1 click to diagnose and Repair damages!","button":"Download Now","company":"Reimage","rating":3.5,"clk":"cITwNtK7dLjmnNLKCZ67hVzZ3SvoRt2Pk2hlCm23M_uZ4lOxJBYLG7-hzg76kOsowQBq3n7X9lRj_hEZiqPUwHrZTLuGgqMtuNksJAlsXfD0PrhLXThXxNmH0DfEUb9dm3KuZbcSBTytWUnKSBgQH9D0a3c8vhcEOPQ1-Ug47wfYxmykEihLWdT4ePiIkzpoadD7ei7qAO4m1mcg69KTHBD1pthuUvOdmUAQ1PxRfN2m24oik7WdX_rvzJUzLrWEHa9hY_obyo9lsz7vYdPEJIw7UuepBkBS6jLVrcZyz2kejduna3mY9to9VUFhaq6D65loPuxElTBVTk8dU8rNtFcRsAxyysK0_NFuC05hMY9Ld9Hj89jJpJrX9z0MW0jt4KjGkgzuLBTiSavERnANO6yi7RIhy7dBF7UGw0avx-Eks7DwyuaN4ckUlCUqrg93cr-0crx5DaoFNXlZBfP7QQ","width":300,"height":250,"cUrl":"hXXp://d.castplatform.com/api/c/1?clk=%clk%","trackers":[{"type":"Url","content":"hXXp://d.castplatform.com/api/vp/1?clk=%clk%"}],"category":null,"assets":[{"assetDisplayType":2,"width":96,"height":96,"url":"//cdn.castplatform.com/images/d00f789b-95d8-4133-8eb1-0fd872f98e9b.gif","javascript":"","clickTagVar":""}]}],"styles":null,"settings":{"adUnitTitle":""},"displayType":"Size"}],"ts":403});....

<<< skipped >>>

GET /api/vp/1?clk=cITwNtK7dLjmnNLKCZ67hVzZ3SvoRt2Pk2hlCm23M_uZ4lOxJBYLG7-hzg76kOsowQBq3n7X9lRj_hEZiqPUwHrZTLuGgqMtuNksJAlsXfD0PrhLXThXxNmH0DfEUb9dm3KuZbcSBTytWUnKSBgQH9D0a3c8vhcEOPQ1-Ug47wfYxmykEihLWdT4ePiIkzpoadD7ei7qAO4m1mcg69KTHBD1pthuUvOdmUAQ1PxRfN2m24oik7WdX_rvzJUzLrWEHa9hY_obyo9lsz7vYdPEJIw7UuepBkBS6jLVrcZyz2kejduna3mY9to9VUFhaq6D65loPuxElTBVTk8dU8rNtFcRsAxyysK0_NFuC05hMY9Ld9Hj89jJpJrX9z0MW0jt4KjGkgzuLBTiSavERnANO6yi7RIhy7dBF7UGw0avx-Eks7DwyuaN4ckUlCUqrg93cr-0crx5DaoFNXlZBfP7QQ&rfr= HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: d.castplatform.com

Connection: Keep-Alive

Cookie: cuuid=b1db55e5-f5ee-4c98-bb3f-01bcc0aebec2

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-Length: 43

Content-Type: image/gif

Server: Microsoft-HTTPAPI/2.0

Set-Cookie: cuuid=99b9560a-cae8-4946-ad9b-07d03d527edc; expires=Thu, 12 Mar 2026 12:07:25 GMT; domain=d.castplatform.com; path=/

P3P: CP='NON UNI COM NAV STA OUR IND'

X-Elapsed: 0

Date: Sat, 12 Mar 2016 12:07:24 GMT

GIF89a.............!.......,...........L..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-Length: 43..Content-Type: image/gif..Server: Microsoft-HTTPAPI/2.0..Set-Cookie: cuuid=99b9560a-cae8-4946-ad9b-07d03d527edc; expires=Thu, 12 Mar 2026 12:07:25 GMT; domain=d.castplatform.com; path=/..P3P: CP='NON UNI COM NAV STA OUR IND'..X-Elapsed: 0..Date: Sat, 12 Mar 2016 12:07:24 GMT..GIF89a.............!.......,...........L..;..

GET /download/torrentex0.1.4b.exe HTTP/1.0

Connection: keep-alive

Host: download1.torrentex.ru

Accept: text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8

Accept-Encoding: identity

User-Agent: Mozilla/3.0 (compatible; Indy Library)

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sat, 12 Mar 2016 12:07:20 GMT

Content-Type: application/octet-stream

Content-Length: 18698056

Last-Modified: Fri, 13 Nov 2015 04:59:52 GMT

Connection: keep-alive

ETag: "56456e48-11d4f48"

Accept-Ranges: bytes

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L......U..................................... ....@................................../...........@..................................................xA...............................................................................................text...4........................... ..`.itext..D........................... ..`.data........ ......................@....bss.....V...0...........................idata..............................@....tls.....................................rdata..............................@..@.rsrc................ ..............@..@....................................@..@..................................................................................................................................................................@...AnsiChar............@...string(.@...AnsiString......@...............................@......... 9@.(9@..9@..9@..9@..9@..9@..9@.,8@.H8@..8@..TObject.%..A....%..A....%..A....%..A....%..A....%..A....%(.A....%..A....%$.A....%..A....%..A....%..A....%..A....%..A....%|.A....%x.A....%t.A....%p.A....%l.A....%h.A....% .A....%d.A....%`.A....%\.A....%..A....%..A....%..A....%X.A....%T.A....%..A....%..A....%..A....%P.A....%L.A....%H.A....%D.A....%@.A...S..........$D...T.J....D$,.t...\$0....D[..@..%<.A....%8.A....

<<< skipped >>>

GET /pages/displayCore2_russian/typ2-1.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: digimatic.biz

Connection: Keep-Alive

HTTP/1.1 301 Moved Permanently

Server: nginx/1.8.0

Date: Sat, 12 Mar 2016 12:01:01 GMT

Content-Type: text/html

Content-Length: 184

Connection: keep-alive

Location: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.8.0</center>..</body>..</html>..HTTP/1.1 301 Moved Permanently..Server: nginx/1.8.0..Date: Sat, 12 Mar 2016 12:01:01 GMT..Content-Type: text/html..Content-Length: 184..Connection: keep-alive..Location: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html..<html>..<head><title>301 Moved Permanently</title></head>..<body bgcolor="white">..<center><h1>301 Moved Permanently</h1></center>..<hr><center>nginx/1.8.0</center>..</body>..</html>....

GET /pages/displayCore2_russian/typ2-1.html HTTP/1.1

Accept: */*

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tundra.site

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx/1.8.0

Vary: Accept-Encoding

Content-Type: text/html

Content-Encoding: gzip

Date: Sat, 12 Mar 2016 12:01:01 GMT

Transfer-Encoding: chunked

ETag: W/"558c0294-8c3"

Connection: keep-alive

Set-Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A; path=/

Last-Modified: Thu, 25 Jun 2015 13:31:00 GMT

37d.............V.n.0......f..& ..ARit.@..........18N.;..!.q....B.A.......7.8i........9>?.w...................c..{.k&.Db..8.D:F"..k..2..q...7...!7..rI8x.0.Rr.....<.....t.K....(..bV..f..L..T2R..1.......;..r.........B...>!...I.1\!.Lk..(.m....C.7.K.........4.h..h..Z.a.:1!....,............`...%l.QS../.O......H}Q}..7....G.W?...d*....r.$..hH.....u...{......m..v..9r.b;..Y.F......O...X`(Dul0.V.....W...H......j.M....%h..C.:...52:I..7...P..`q..y..CY........D..h..XA^.i.A"v...p".E.J...5#.1.f....D..8..B.y.....b..6.....X....3`.....D..O..4k....^.W..O....J.t..:c.n.vb..........*.U..h...W......'.....Zur.di...\.G...6.5...-j.....u..O.K.!..\;AP?]......r......V.Q"....Wy=.Bb...d4.....;..V}k......7../....h.......z.t...............0....6.....h........W..f.p1.....L.yD....r.vV.R;......-...|....{....K..H.....o...tH....:..V.AX.Ko..Pn>...x.....>s.}<...........L....4K...{&."...O.W.Sl.-...$....{$O8...8..Y....%.........0......

GET /pages/displayCore2_russian/css/style.css HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tundra.site

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 12 Mar 2016 12:01:01 GMT

Content-Type: text/css

Last-Modified: Mon, 16 Jun 2014 11:19:00 GMT

Transfer-Encoding: chunked

Connection: keep-alive

Vary: Accept-Encoding

ETag: W/"539ed2a4-71e"

Content-Encoding: gzip

291.............U.n.0.}._a...R..$...mv.....X1...$...;6..K.u.)....3.D".\.UAe....o...I......TvJ../!....... .).....em. Y.f....A...}AH.]u.%'`Y.BR.YP.R.geS.2...T Q...dH.. ..N.... .N.m.@..KT....5n:.6....S.l....e99..$.=G]*D..... g.JT..mdv.={A.<h...%.%..8.TF\..i....JC......D....)&...N...D...%.s.....I..HD.c&ES&.a........o`.....a?.l.........e...........)DB...W.I-8K0.........@-uC h..is..:@.m&......T.eZl1......{[.6........1.IS....Btd..q.m`...]c...z....N$. ..&|h.!4J.i.C.j7...........oc..@......o.........X.....M.=R...S&yp..7.-.w.m..j%......&...u....j4v~..~9.FgP.:......N...........p.q....%...gh.rA1....6.......2.....x!...v.|.FF...l.h.....yP...B$x..%Y..Mu.....;..q.........0......

GET /pages/displayCore2_russian/images/icon2-green.png HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tundra.site

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 12 Mar 2016 12:01:02 GMT

Content-Type: image/png

Content-Length: 3782

Last-Modified: Thu, 12 Jun 2014 09:05:00 GMT

Connection: keep-alive

ETag: "53996d3c-ec6"

Accept-Ranges: bytes

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<...hIDATx..[kl#W....yO......?..u..H..P..J...$@..K...l. .}..}P@@..J........q..H@3.E.u@.".Zg7.$..$q..f..\...c;....(W;.].x.~......;....?......c.|X........B...;D...rv&.M..eE...eZ..1Ts5....E?..{O.x....B.. ..=B...D...~.,,..p.493...XB.R...2&......1...., .5.....b[.B`ae...oF...p.FZ.,."..zh......p...yH.l>!4:. .[aXi.3.... |.. ..t.....J...../4...(T.meL..'9ceC.]R//...FkW.Z...vpb6d..?......=.x..M.RO....P..p[c-..K.p.,v........K.|.=......:!..2............<`....j....Mq...C<{*L2j.^05g.q=}qy`..sy ]3.UK.j.....o.Z.......2&u5{.fw.}6.Oe8cuCO._..<.Jd.9.;.......[4.2.i....y.K.Z.......q..J.A^..g......1..|.lN.)8............f.q]...4............I..c...=.2..[..2LZ.1rIf....3.....M...2.M.f..R siU..i..0.....9_.?.'...S.R#.sN.{.s.........@7...%..{........w>....A.V...{?..V9.*G.....,.......lA.:7.........E.q.C..._W.Dd.k;&D..4..E}3.}..X.c.)`.!.$...R.........X.<....^.PH..NO.)...^KM-.......:.8...Q..S7.`. ...V...D.@.'.<..x!..1.PU.ktr<R.@.W.......t....l..'d..n.'|v*...R..=.uau0..uC...S.......G....F............f...h.XN.h..-(..../....l.f..fI..`G.|.....\...bf..Q*...p....Y..R......w........\aj.TR..IUA.d.6...@.DqNi..8.#.l!)l(,V....6m.<...E..../.y....P.......y.........O.f....-.....Y....B.(.s..r....z<jf....m...[Hc...%5.....$..x.Z...u2.....h.........94{.....9...\.wE.?....!E.\l..S...).....A...2FV.y..Z..d.HEPsy....!.*X.......?s|.qM..y..U.s.......m....Zi.T......C....m.nB.......4.....Q.........) ...Ph..'.~|..nZ'.Fpk..:....3...)_|.~....H..gnM.J?k....$y......-.....

<<< skipped >>>

GET /pages/displayCore2_russian/images/icon3-green.png HTTP/1.1

Accept: */*

Referer: hXXp://tundra.site/pages/displayCore2_russian/typ2-1.html

Accept-Language: en-us

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: tundra.site

Connection: Keep-Alive

Cookie: X-Mapping-fjhppofk=3E8E1A8CCA3BD46AD95C5D4A4E8F490A

HTTP/1.1 200 OK

Server: nginx/1.8.0

Date: Sat, 12 Mar 2016 12:01:02 GMT

Content-Type: image/png

Content-Length: 1519

Last-Modified: Thu, 12 Jun 2014 09:06:00 GMT

Connection: keep-alive

ETag: "53996d78-5ef"

Accept-Ranges: bytes

.PNG........IHDR...>...E......$UF....tEXtSoftware.Adobe ImageReadyq.e<....IDATx..[.O[u.........(.E....o..............U0...Q`.%...}0..$..d....%&=<.H.|q.sNZ..R..=7.._/P...Z.....rN.....;..0`.......0`.....S<q..x.6...8. .....4=A].....Y...L<y~&\".I.G..X.Y,......L\{......./..s.Id.1L....si6o@.c.4.h...5:8.....!...............j..W.h..UvZ...bC.B....1..j\YZ..9...9....r0..8......V...\..[.HO.y..`.{w..SQ.[.m..L.V.nli.....L..`..n&...\.bZ.U.@.q...u.......wJ.~.f......:.......x.i.g.......s...>4...J...z .^r.z..3....RO<y.wI.).Z..v......^p.u.y"H....W*6Q..tX."?..w...'...%. .......f.|o....3.s......:.Zz].2.............|.v..U....c..z.b....i........>....q.S .....'k3...6.......>D.qY.E............................1e1=.Ff)..o..|_..O...z...P6. ... ....?O.S...=.DtU..c.-C....SG.%.Y....*.......#.=y.K.quyM.......g.(....\9y.Y..s\v....!.......>@..d............I..d{.m...!..zFR..........._#rr9.g....ut~....!..;....-....*w...Hx.E.C]........}.....c.n"..>.".._.ZQ.C.."....q.j"...... ......._I....S.g.....f...o3..Q...jpf......s.)...1B].SO..3..$N..].g(.z......D.......T...C/......u.a}....`. ":m.-m..W.....4..JJ.}...%.U.T....-.N.....m."..?YE...q=....|P.....X.H,.......|..J.F.#M.......w.t...Xrr&..e=;.a......R.e.RN...2....n-....g..8d../;....b......p..).&.0Xm.._.Gs.T..V.y.mo..3....h...F.-.^HH......k....2i...v..&.......j..s,...~ok......=......n.`.x..1.-.I...G..V...F...,U.K...Hb".;p...A/...s.V/.._....7q.S.|....&.~81v-..../...!.G.Q.m............\./*.$h...>..*.u.@b.ZM~h1yH..W.E...Wp].a.'{....8r.A,...r.....).hY...?.KE.u.........._...d

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

iexplore.exe_1088:

%?9-*09,*19}*09

%?9-*09,*19}*09

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

USER32.dll

USER32.dll

SHLWAPI.dll

SHLWAPI.dll

SHDOCVW.dll

SHDOCVW.dll

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess

IE-X-X

IE-X-X

rsabase.dll

rsabase.dll

System\CurrentControlSet\Control\Windows

System\CurrentControlSet\Control\Windows

dw15 -x -s %u

dw15 -x -s %u

watson.microsoft.com

watson.microsoft.com

IEWatsonURL

IEWatsonURL

%s -h %u

%s -h %u

iedw.exe

iedw.exe

Iexplore.XPExceptionFilter

Iexplore.XPExceptionFilter

jscript.DLL

jscript.DLL

mshtml.dll

mshtml.dll

mlang.dll

mlang.dll

urlmon.dll

urlmon.dll

wininet.dll

wininet.dll

shdocvw.DLL

shdocvw.DLL

browseui.DLL

browseui.DLL

comctl32.DLL

comctl32.DLL

IEXPLORE.EXE

IEXPLORE.EXE

iexplore.pdb

iexplore.pdb

ADVAPI32.dll

ADVAPI32.dll

MsgWaitForMultipleObjects

MsgWaitForMultipleObjects

IExplorer.EXE

IExplorer.EXE

IIIIIB(II<.fg>

IIIIIB(II<.fg>

7?_____ZZSSH%

7?_____ZZSSH%

)z.UUUUUUUU

)z.UUUUUUUU

,....Qym

,....Qym

````2```

````2```

{.QLQIIIKGKGKGKGKGKG

{.QLQIIIKGKGKGKGKGKG

;33;33;0

;33;33;0

8888880

8888880

8887080

8887080

browseui.dll

browseui.dll

shdocvw.dll

shdocvw.dll

6.00.2900.5512 (xpsp.080413-2105)

6.00.2900.5512 (xpsp.080413-2105)

Windows

Windows

Operating System

Operating System

6.00.2900.5512

6.00.2900.5512