not-a-virus:HEUR:AdWare.Win32.OutBrowse.heur (Kaspersky), Trojan.NSIS.StartPage.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)Behaviour: Trojan, Adware
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 60d0720fbe5f36b453e225c21c7c3b4b
SHA1: f5ea3a8c6ec2c6dd5e98b295c704cef1ed590696
SHA256: caa05e44704dea463e2ad2b72f0ebd2f3e02131337c66f357aef2ef085e13c72
SSDeep: 6144:3FJ0hMz9ASypwqiaB4RArmSRRCxln6z5UCU/f:mMzClyCaUOGKCU3
Size: 354896 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: OFEJP
Created at: 2009-12-06 00:52:12
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
TFFFL1BTSQ==10700.exe:1480
%original file name%.exe:204
wmic.exe:228
TFFFL1BTSQ==29820.exe:1180
The Trojan injects its code into the following process(es):
beeiachifd.exe:364
Mutexes
The following mutexes were created/opened:No objects were found.
File activity
The process TFFFL1BTSQ==10700.exe:1480 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsx2.tmp (0 bytes)
The process beeiachifd.exe:364 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe (8606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\XPLimitChecker[1].exe (6932 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==29820.exe (3333 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (0 bytes)
The process %original file name%.exe:204 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\beeiachifd.exe (19192 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsb1.tmp (0 bytes)
The process wmic.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (238 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (0 bytes)
The process TFFFL1BTSQ==29820.exe:1180 makes changes in the file system.
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsi3.tmp (0 bytes)
Registry activity
The process TFFFL1BTSQ==10700.exe:1480 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "E2 0B E6 3C EF 78 57 91 EF 3B 29 6C FE 0B C6 55"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\OperaOB]
"Install" = "1"
The process beeiachifd.exe:364 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 28 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "AD 9D C1 1A 23 F4 2B 01 D7 91 1A 4B 0F 9D C5 39"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all urls to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:204 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C AE 17 34 B0 03 DC 45 BD 86 96 73 E5 E4 21 20"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
The process wmic.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "64 43 D9 D0 84 DE 80 8D 2D 00 75 BB 88 77 06 D5"
The process TFFFL1BTSQ==29820.exe:1180 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "20 99 AA 5C B3 0C BC 9C 25 B9 5C F2 90 74 F0 C0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\xplmtOB]
"Install" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
Dropped PE files
MD5 | File path |
---|---|
10ffabc748d68c40b68f883058c9b932 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81449967959\TFFFL1BTSQ==10700.exe |
b6631cd12092841cac0763c854828c50 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\81449967959\TFFFL1BTSQ==29820.exe |
95ce063a236c0ae33feb9022a48c773a | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\beeiachifd.exe |
b6631cd12092841cac0763c854828c50 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\XPLimitChecker[1].exe |
10ffabc748d68c40b68f883058c9b932 | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
TFFFL1BTSQ==10700.exe:1480
%original file name%.exe:204
wmic.exe:228
TFFFL1BTSQ==29820.exe:1180 - Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\bodyImg[1].png (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\button[1].png (458 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\DynamicOfferScreen[1].htm (2083 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\OperaChecker25-6[1].exe (8606 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\button_over[1].png (921 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==10700.exe (50 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\dc[1].js (1327 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\XPLimitChecker[1].exe (6932 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959\TFFFL1BTSQ==29820.exe (3333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\beeiachifd.exe (19192 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\81449967959.txt (238 bytes) - Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name: OFEJP
Product Name: OFEJP
Product Version: 6392.151120.1377.7500
Legal Copyright: OFEJP
Legal Trademarks: OFEJP
Original Filename:
Internal Name:
File Version: 6392.151120.1377.7500
File Description: OFEJP
Comments: OFEJP
Language: English (United States)
Company Name: OFEJPProduct Name: OFEJPProduct Version: 6392.151120.1377.7500Legal Copyright: OFEJPLegal Trademarks: OFEJPOriginal Filename: Internal Name: File Version: 6392.151120.1377.7500File Description: OFEJPComments: OFEJPLanguage: English (United States)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46304 | c52a72deb0170941d392ec38c6aeafd0 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 298072 | 1024 | 3.32453 | 723ad80df002dc5421798f4307abe5cf |
.ndata | 335872 | 311296 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 647168 | 54360 | 54784 | 2.83672 | e06cbcd325c623d4b4736cfbb1363e3b |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 117
03654a08e7f65aec190ee7e37246bb5f
a212f888d46a7e2d8802888390ff3c63
470ab50ccb81409a49b2abb4c05af91f
ee0edf52085544dd5ffae3892bd06855
07da75d17d57e9bbfa0916a2ad8b95b6
e74d8056cde545c3960d49ca018101bb
e5c5fddf9ff161c0d6de11988f8358c7
38623bf8200680f3967022fd39f52daf
fad9fe2f4d34a9a3943bbf54dfc38c01
1b45146c52aa1976ffcf47b50c6e4c7c
27967ee4c772b29835d5dba868867879
22dc967254eef4719b3c514ab7029cdb
18ed19164cd0f258338a661057321695
e9197129bf89c13fa74f5e0219c735ae
32d708fbb109abf91c1a372351481a8e
cae50b748f98679ee3004f13687fdc34
7d4b556f36f5170d24469ffd6280298b
c2297a50a1f58665aa97177a0357616e
9398d852900b4c351c5b8e38699dcd70
2f81cfbd26709f9f88985ed83777256d
562eb5ad8564d3591007404a367df858
02c83ab655f98711ad1fbb3123b78438
6daeb82e5bcd31515b4a926d6cba88b3
f9b90420cd1aef0263de7ca339f8947b
63745fe6fef243a667c80f8d31228f33
ad9ae311a36924f84d2f4d7c9571f8a2
Network Activity
URLs
URL | IP |
---|---|
hxxp://cdn-ppdownload.outbrowse.netdna-cdn.com/Installer/OperaBrowser/OperaChecker25-6.exe | |
hxxp://d2vubraihqcany.cloudfront.net/Installer/XP/XPLimitChecker.exe | 216.137.59.80 |
hxxp://smartinstaller.elasticbeanstalk.com/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 | |
hxxp://smartinstaller.elasticbeanstalk.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& | |
hxxp://stats.l.doubleclick.net/dc.js | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topComp.png | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/topLine.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bgImg.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bodyImg.png | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/bottomLine.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/nextCase.jpg | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button_over.png | |
hxxp://staticrevenyou.outbrowse.netdna-cdn.com/offers/images/Theme12/button.png | |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 | |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12&nipids=-29408-28693-12929-28657-29219-29736&secondcall=1&reqid=379394606 | |
hxxp://static.revenyou.com/offers/images/Theme12/nextCase.jpg | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme12/bgImg.jpg | 198.232.124.224 |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12 | |
hxxp://static.revenyou.com/offers/images/Theme12/bodyImg.png | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme12/bottomLine.jpg | 198.232.124.224 |
hxxp://srv.DESK-TOP-APP.INFO/Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 | |
hxxp://stats.g.doubleclick.net/dc.js | 64.233.165.155 |
hxxp://static.revenyou.com/offers/images/Theme12/topComp.png | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme12/topLine.jpg | 198.232.124.224 |
hxxp://static.revenyou.com/offers/images/Theme12/button.png | 198.232.124.224 |
hxxp://cdn.download4desktop.com/Installer/OperaBrowser/OperaChecker25-6.exe | 198.232.124.192 |
hxxp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& | 54.235.116.119 |
hxxp://static.revenyou.com/offers/images/Theme12/button_over.png | 198.232.124.224 |
srv.desk-top-app.info | 50.19.230.190 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /dc.js HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: stats.g.doubleclick.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Strict-Transport-Security: max-age=10886400
Date: Sat, 12 Dec 2015 23:15:33 GMT
Expires: Sun, 13 Dec 2015 01:15:33 GMT
Last-Modified: Thu, 05 Nov 2015 22:24:16 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 15977
Cache-Control: public, max-age=7200
Age: 5833
...........}kW....w~........pk..f......Z.R..Y.C 8i.pi......b..}.>g..Kl...}4....d....O...-.....`~...E...]7..>..>....Pf.a.yU."HCC...i...T*..b.....'..Olf[.Y.[c6P/.....'n.m'..m.... !_XXll..&..(..E..V=/.u.X..%.w...i..rDoT.....?>z..1`.D...y...y7. \...5ZI...TA..........C...p3..A..x.k.q4.2...?L.k=.v....4.:sB[...l.w.o {.....?Nc....|..........q.........[.n..2..X~.......S.f.]h~....7:.n...m.C#6...........#....y...7.|..f.W.>..wS......)..Q....i......z......D.`...7N....y.C;....`1....x..p.tG.L..=..1r...M..2..)xa...{0!..5...^...7..."..........J8... ...5.O....l...r...|....R...P.0ok.8.Z.2....i|...S.y.od...~..k.>.....0vGr.mI.....0.&&yg.sf2......m.....G=0..B.6..u....A.h.A.0.V.:.-...j..L.....5.E.[...Q.{2imA......T........~. ...0*%.....>......hX...ga1./$......f.#..d,.|www5/XX...c5..D-.....p.h..8D.@./.X,.....&gTV..5..,.x..?.....(.>?6Sy.].`.]...'-"....-...........(.n.@_"p"`.*...T.1.$..t.....o?.."../.kX.)L.....-.....E1M.....@..T.F9.,HP........# ....d...-,.......-.j..BS....9...%.~Sug,...`."...4a..@.p]..yn.i(5.....U.r..$j..0{|.i.5........H}.......A=..&.Vq....4<..*7c.<b.....OQ8X...&..a/a.....aI.j.7.E.:cuV=.P.q..d.....X....#..@.T...q......U.T~.@.C......S.#....Q.....K......A.y._....z|..9...9.zM......%m........m).?4.Q...c.....PTDB&..7.-G....E.....E.7.t.V..G....._..!.....xt..}.......Ev..x..a.{...d.. .q./..OB|..6..{....a^.......@?.......o.....*T.;/Oa.......J..........I.)......J..#..A....FS.....t.H..h...W..|B.~..t.6..........t"<..z..||.......8..B9......x.a....m.V[.=...K!..\.....w."d...=>.B..(K...u.....~.".@b
<<< skipped >>>
GET /Installer/OperaBrowser/OperaChecker25-6.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: cdn.download4desktop.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 13 Dec 2015 00:52:43 GMT
Content-Type: application/octet-stream
Content-Length: 50225
Connection: keep-alive
x-amz-id-2: SjMFw 8UHgzEB68ED0Ymo4B1uV3ZeKvkfyFPOEHgt9zswDSPkiO/ cPM83zCoJoO3W0D1nqXHoU=
x-amz-request-id: 2AD315F4FFF678D5
Last-Modified: Wed, 25 Jun 2014 14:41:23 GMT
ETag: "10ffabc748d68c40b68f883058c9b932"
Server: NetDNA-cache/2.2
Content-Disposition: attachment
X-Cache: HIT
Accept-Ranges: bytes
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^...........0.......p....@..........................................................................t..........PC...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X\...........v..............@....ndata...................................rsrc...PC.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.B..H.P.u..u..u...Hr@..B...SV.5p.B..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.B.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....B...Si.....VW.T.....tO.q.3.;5..B.sB..i......D.......t.G.....t...O..t .....u...3....3...F.....;5..B.r._^[...U..QQ.U.SV..i....
<<< skipped >>>
GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 13 Dec 2015 00:52:39 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 18436
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"8,$.Fmkcsez_oajgRvjdo"8.(.% O_fGew.2.AIBS^?UPM=IM]RMDN Qj^op_o_[XAkd_j.nsv.x FF=TXARLQANRZMN>P.Mnbtu\j`UZJ[hh.PpTW:kfanEnqoYgeco.qbr '.M^eH_x24 5.CDCVYBQRP@FOXSP?Q.SmalrZpbV[=mgbg.ity.{.HI@QZ<SOLDJT]PK@K.Piepw_m]WUK^ck*RsWT<fgdiHjsr\dg^p.len"*.J`imonM]mc.2.:kfan>rmrk`k ).Onobp[oBB.4154.3$.:jt[xoOda]m.8-&!EsU\ao?moCmot_gd.3/).DteSMD.3 ensl:-*Yhbel\hj.a_fhZgi(qq/?habhBfmsni`)]s^ ).DteSMD-.8.bspp8*'\fgdiaen,^\if_ff-nu-<ed`mAcrprg]&`qc.&!?okhYi]Jfhd.: ..<fgdiCesrma]'cu_.)-qdd`gr.',nfp8/32/43.)-s\Wm_p:=G=NL@DZ066 65 (e\dc*^dbasgl8*.*'o]rri]mXlbq^qrj8`omn7).iebdYghed_q*rs*Ykb-p[uaPmnl]Zah9skkci5hBA>mNLJ0ok!`sf^< _]BMD=$pcf9$]ZKD@$lpq9$]ZGQK$o_e9764)22$`bh`=00*3.a^cc925/.ornb7`iiej..% L`earSMD.3 ensl:-*kmo,P?QREP?9O:QOP-_ok*'j_dblr DwiYhbaL`earQ^j`^l<iebepd\8/12 onobp[obb:,8006!\dlrf^</01.0!ec^^o9270.0.alomprwd\8 4/ rus`dl8,0#]nkkg`hmhbr]sjak`5Pib^ndo&baZ8)$e\<1&gnYb`;. uarqdgi64 1"evo]mg_i7/., MYo^ 7'0("?_\dmglh`hD_oY.3 .&!=nrdndksp_rNeeF]tl 7.ZY"*.H\rmrn!6-/'.@_db]sevc.2(**.JqkmmoajgP^nd.: ,$.=gp]qap_i[tK_q_!6-/'.Necbj@btcmAilr^fk.:.'.Qbpqo`hOda]m<mjg`jdJdf`.8kokh, >YiKsk;r?hc^c]hv.4snuc'.MnlFh@cgp`knbtbCmot_gd`k 7.0., MmiBlO_fql_mAilr^fkar 5.,.*.JqaEv`J`lsinSark.2.) ).OneCs]M^qrfsRajp].3 -. .Pmnl@qcO_rqlrO]mf 7./., KgnmCu_QassglQZjr_!6"..$.ImpnQagI`q. 7.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWT<fgdi.lvz.t.AIBS^?UPM=IM]RMDN Qj^op_o_[XM_dd)K
<<< skipped >>>
GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=10700&z=1&offerscreenid=234&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 13 Dec 2015 00:52:43 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 13 Dec 2015 00:52:43 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK......
GET /Installer/Flow?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&version=6.12&nipids=-29408-28693-12929-28657-29219-29736&secondcall=1&reqid=379394606 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 13 Dec 2015 00:52:45 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 19375
Connection: keep-alive
..Sv.NlmsAxc.2..*.JqaEv`.5. ).Bkmnjf`grQsoa"83$.Fmkcsez_oajgRvjdo"8.(( .*,3)25(*,&02. .RcbC`r 7.!("P`_F^w3.!6" '.M^nllsJak`.5.?SI!("Nmg_naqCC.:/'.<eu^srKfd`j.3.).HoW_dlAhpFhrpajg.5**.?waUPG.5. ).DteSMD-.8.. .Cmhe\gbIcma"8..'.Mc`dnUPG.5.fqno6/-njq'QBLUARB<L<LPS(bkm-*ga_com.@yl\ed\Mc`dnSam]`g=l`earg_5/,/#jh`s;-1/)6*,7291()-206'14632%-20.3%`iqoa_61--24&j`Y_i;/3425$^gpgrosh`=01*!lwp\hp=1-.^hmhcdlrm_m^ml^gd9Un_Yo^q#^e^=.!`]63#cr]ge8)!ocomhkn;1&, $brsarl\d8) ).Q]tc.2(**.;c`irdgiZjA[s]"8.*4-.5'1467.%, 7/3,.840/( 7/ 8., <fobtfltoeqM]bDcvm!6" '.KZwlos.: ,$.>dc_bpit`.5&/).OnokjldhlO[sa"8()'.Bfmbnen\f^rP^nd.: ,$.Ljb_o=fr`jDgqq[kh"8 $.Ogont]lMa^`kAlgl]nbGai^ 7.!("A\fMnl>mBdeafZjq 7nqqe*.JpgGk;fcrcnkdocFhrpajg]m.8.. .RsiAiKcdok]rGikoZji_q.: .$.Ipb?waRcnmgmRbll.: .$.Ipb?waRcnmgmT^fta"8..'.NlmsAxcM]nnjqNdnm 5..% MirpEv`J`lsinU]ls`.5. ).OksrM]bDcv-1.: .$.ImpnQagI`q1- 7.!y,y.HjlrBrd.: .$.Ipb?wa"8..'.AlgokncilOrnb.9-, Hgibrft`pimiLticp.9.0 '.M^eH_x.: CC@R]@OQNELOWPLCO.RkfrrYm^ZY;legm.hqu.y.GGEWZ;PKPBHS[UQ@J.Lmcnv]rcWTHZgi(Qq\Z<ed`mFhrpajg]m.pcl!("P`_F^w3.!6"FF=TXARLQANRZMN>P.Mnbtu\j`UZ>ghco.knw.z.BJAY]>MMKCKN^QSCM.Nhdqq`neZWE\bj LtX\?habhGkms]lj`j.kdo. .RckgmmL^gd.: <ed`m?lnsscm.'.NoicqcrD<.306./4, <drZwpIebep.2 % FmV]irAgmBlpn`hl 5)'.Cu_TNL 5.cmrm4. akd_j[gk(b`nk\ag'pr)@iiej<dlroca*ev`.'.Cu_TNL0.2.arqj9 /_habh`fh-_dlhYde,oo.=mgbg?bqqlh^.c
<<< skipped >>>
GET /Installer/XP/XPLimitChecker.exe HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: d2vubraihqcany.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 50053
Connection: keep-alive
Date: Thu, 10 Dec 2015 04:01:33 GMT
Last-Modified: Mon, 04 May 2015 10:45:00 GMT
ETag: "b6631cd12092841cac0763c854828c50"
Accept-Ranges: bytes
Server: AmazonS3
Age: 68488
X-Cache: Hit from cloudfront
Via: 1.1 297739e3d74d139e546f90d2ef5a6887.cloudfront.net (CloudFront)
X-Amz-Cf-Id: sE99QuckcO4Q42fRgkRY8QxMtKVKoXn2caPc6WvTsjP1UygiKRcnEA==
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......1..:u..iu..iu..i...iw..iu..i...i...id..i!..i...i...it..iRichu..i........................PE..L......K.................^....... ...0.......p....@..........................0...............................................t..........(C...........................................................................p...............................text...L\.......^.................. ..`.rdata.......p.......b..............@..@.data...X............v..............@....ndata....... ...........................rsrc...(C.......D...z..............@..@........................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H....h.E..H.P.u..u..u...Hr@..B...SV.5p.E..E.WP.u...Lr@..e...E..E.P.u...Pr@..}..e....Dp@........FR..VV..U... M.......M....3.....FQ.....NU..M..........VT..U.....FP..E...............E.P.M...Hp@..E...E.P.E.P.u...Tr@..u....E..9}...w....~X.te.v4..Lp@....E.tU.}.j.W.E......E.......Pp@..vXW..Tp@..u..5Xp@.W...E..E.h ...Pj.h`.D.W..Xr@..u.W...u....E.P.u...\r@._^3.[.....L$....E...Si.. ..VW.T.....tO.q.3.;5..E.sB..i.. ...D.......t.G.....t...O..t .....u...3....3...F.. ..;5..E.r._^[...U..QQ.U.SV..i.. .
<<< skipped >>>
GET /Installer/Track?pubid=16434&distid=30338&productid=29565&subpubid=0&campaignid=0&networkid=1&reqid=379394606&dfb=0&os=5.1&ospv=-1&iev=6.0&ffv=&chromev=&macaddress=00:50:56:3B:0E:71&netv=&d1=-1&d2=-1&d3=-1&d4=-1&d5=-1&ds1=&cookieproductname=85-112-100-97-116-101-115&cookieeula=&cookieprivacy=&hb=5&systembit=32&vm=1&machineguid=75ed9567-aa58-4c8e-a8ea-3cad7c47ab03&welcomeimgurl=&downloadip=212.178.30.28&downloadtime=11/20/2015 2:38:00 PM&clickid=&status=2&installedid=29820&z=1&offerscreenid=655&offerorder=-1&downloadduration=-1&installduration=-1&issecond=0 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Host: srv.DESK-TOP-APP.INFO
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 13 Dec 2015 00:52:44 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 8
Connection: keep-alive
..OK..HTTP/1.1 200 OK..Cache-Control: private..Content-Type: text/html; charset=utf-8..Date: Sun, 13 Dec 2015 00:52:44 GMT..Server: Microsoft-IIS/8.0..X-AspNet-Version: 4.0.30319..X-AspNetMvc-Version: 4.0..X-Powered-By: ASP.NET..Content-Length: 8..Connection: keep-alive....OK....
GET /offers/images/Theme12/topLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/bodyImg.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: image/png
Content-Length: 1914
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 10:27:32 GMT
ETag: "36dd864c691ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sun, 20 Dec 2015 00:52:47 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR.......:.....j.......sRGB.........gAMA......a.... cHRM..z&..............u0...`..:....p..Q<...0PLTE................................................{.......IDATx......:..`..p..J.4.ty.:......)v..\....,.fwv..U...!.....b.f.....Cy(..OW......w......]R..l..2My}<..]..8hn{*..X.).m..4w.U.J.....u..l.J...<...>uJ.....i.>o.%......I.\..S......U.D.}OK..J`......sJ`.}..M.9%..A....u.T.%........K....OQ..._..d.>..L....]I. U.].c.Je...|.W.U?..E.}...*.vZ...K...M....).W...^V..>).e(.].Z.}dg%@....S.*/...........Y.W.]}...|.SgO........rrj...4UY../..r.~.....Z.ep.wui.sP^..X.g%$(.......C........Ze....4yn}....U.({.V..{o..}O...w.G.Q.^..r..p....0y............8......6.v....zz~....-...F*..f.F]...R..*. -......e{mO.s.i.9.U....zz.6.f.T>.f.DQ%.. ...l.q\N."eA({_W7..Q.....d........>...Y.."e.\....s,.. .Li)%....R.o.....C.9wQ....8........KNY..t..)...k...v)P*.....I...4&../.{)..qe..R.'...2..*..d.z&.T;y..)Q*....)R..2..)Tj.B..)V..b..)W......QB!rj.B.J)..N)b*...R)q..<S...z%.LPr..%.LQ2.4e.....q&*c.De,..J.x& ig...g..b.(.g..p.)Qf..uf*1g..af .Y...... .;(.....s......r.v. ...s'...K.0wS.....sG%.......-.R..}......4S.....W.....=.9eN(..OS..Jt(...<...P.(..DJ;_)..Y. ..7.>.@.Bi....HS)eM.qi;...........$.z%.[..P...SJzT*E]......2zT.t..L%6.TJ..Y.a...}.V..J...,.....H... ....;..2_._/[.^/[.\.W.\.!..%oT*y.Z....#Q.Bw.FI.7...H..2Jt.*..../........2.F..X.....gqJ.q:.U.q.. V...B..s.(.J2.x..()#1@.'d4.Hh.h.J.I.i.G.#.;.J....*Q$Z..?.........sR..D.<...| ......2.1b.A3...v.....X.y{..R....{h..pzJ.I.).Y..Kn.z;%Jn..c.W...bL........t..!...A..(..*
<<< skipped >>>
GET /offers/images/Theme12/bottomLine.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/button_over.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: image/png
Content-Length: 921
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:05 GMT
ETag: "f072da2a092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sun, 20 Dec 2015 00:52:47 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...;IDATx..Z;o.1..Y.D...W."$=D..*=BPR@..5..........DHi...M.i...e.r............;..N.h..=.|..x6..f..pf...n...yX...>z......`87.3...t.e:.sh..e..z.A....G.p..IZ.z...?Ra8........Y......O.......[........sL..?@.o....y..-.....Lc.0......O..|z.O/...k.....e...n..!......G.p...9....3. .'?7 ..GD@..{.<....C$....N.........Q...<.,@...].;Q.'<.(.X.r.,.6.......QrB..h..d&r....6....G..Shr.... .....4r..= ..f.....B.qP..l.K........YB.Z....H....../:.l.(.S.D...nM7..P.%R........&_uR.H6A..(raP.H9...[\D. .(....d...`.8.A......r5Q..........:v.e....u.....-&.1.....&.........Z.|....).L...$....)K%a-....b..a*{<(W..P<..w7_Z.....h.%6.N........*\FB...A...#..f.N...C..(.p...........K.|..5d..3u-........(.k. 7..6..tsvP!.U0.q.......9z.e ..0.ALt..@l..2iR.2............. .>=...{WVim....f.c6.:...|.....0X.yk...../z..!.SHW.d......o.s........a..8..g.|zvg...o6......@..........n.^......IEND.B`.....
GET /offers/images/Theme12/button.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: image/png
Content-Length: 458
Connection: keep-alive
Cache-Control: max-age=604800
Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT
ETag: "1b5642f092ce1:0"
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
Expires: Sun, 20 Dec 2015 00:52:47 GMT
X-Cache: HIT
Accept-Ranges: bytes
.PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`.HTTP/1.1 200 OK..Date: Sun, 13 Dec 2015 00:52:47 GMT..Content-Type: image/png..Content-Length: 458..Connection: keep-alive..Cache-Control: max-age=604800..Last-Modified: Mon, 05 Aug 2013 17:21:12 GMT..ETag: "1b5642f092ce1:0"..X-Powered-By: ASP.NET..Server: NetDNA-cache/2.2..Expires: Sun, 20 Dec 2015 00:52:47 GMT..X-Cache: HIT..Accept-Ranges: bytes...PNG........IHDR...Y............m....tEXtSoftware.Adobe ImageReadyq.e<...lIDATx...1..p....at.`...[_)...&.........~...C..V$z.J.w.Wi........../..<........R.H)s..i....t.....}2M...9i.&..(..c.....l.&.0`.&a..f...p...R.Jr....bA....$.....cr....u....sq..x....?..> ..pu`.h..C.......$w$..gY. .....%9MS...V.....IF'..0].;..HF..]b..Hr..pW...k..{..EQD.....-L.....#..H.u.. ..lF....j".,<........<. ......18....\.....oI...^.....:..._......rU.<Z`..d..E.|.0.......B.....IEND.B`...
<<< skipped >>>
GET //offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0& HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: srv.serverdatasrv.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Cache-Control: private
Content-Type: text/html; charset=utf-8
Date: Sun, 13 Dec 2015 00:52:42 GMT
Server: Microsoft-IIS/8.0
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 4.0
X-Powered-By: ASP.NET
Content-Length: 12892
Connection: keep-alive
<html>. <head>. <title>5 - NonProduct (Download Manager)</title><script type='text/javascript'>var _gaq = _gaq || [];_gaq.push(['_setAccount', 'UA-37348037-1']);_gaq.push(['_setDomainName', 'ppdownload.com']);_gaq.push(['_setAllowLinker', true]);.. _gaq.push(['_trackPageview']);.. (function() {.. var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;.. ga.src = ('https:' == document.location.protocol ? 'hXXps://' : 'hXXp://') 'stats.g.doubleclick.net/dc.js';.. var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);.. })();</script><style type='text/css'>body { width:100%; height:100%; margin:0px; padding:0px; font-size:font-family:helvetica; font-size:12px;} .divLeadpName { border-bottom-style:groove;border-bottom-width: thin; padding-left:61px; padding-top:9px; font-size:font-family:helvetica; font-style:italic; font-size:25px; font-weight:bold; color:black; position:absolute; width: 100%; background-color: #fff; ba} #divTop {display: none} #divMiddle {background-color: #efecec; height: 100%;} #middle {background-color: #fff;} .divOnNext { position:absolute;
<<< skipped >>>
GET /offers/images/Theme12/topComp.png HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/bgImg.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>......
<<< skipped >>>
GET /offers/images/Theme12/nextCase.jpg HTTP/1.1
Accept: */*
Referer: hXXp://srv.serverdatasrv.com//offers/DynamicOfferScreen?offerid=5&distid=30338&leadp=29565&countryid=262&sysbit=32&imgurl=&cookieproductname=85-112-100-97-116-101-115&dfb=0&hb=5&isagg=1&version=6.12&external=0&
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: static.revenyou.com
Connection: Keep-Alive
HTTP/1.1 404 Not Found
Date: Sun, 13 Dec 2015 00:52:47 GMT
Content-Type: text/html
Content-Length: 1245
Connection: keep-alive
X-Powered-By: ASP.NET
Server: NetDNA-cache/2.2
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "hXXp://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">..<html xmlns="hXXp://VVV.w3.org/1999/xhtml">..<head>..<meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"/>..<title>404 - File or directory not found.</title>..<style type="text/css">..<!--..body{margin:0;font-size:.7em;font-family:Verdana, Arial, Helvetica, sans-serif;background:#EEEEEE;}..fieldset{padding:0 15px 10px 15px;} ..h1{font-size:2.4em;margin:0;color:#FFF;}..h2{font-size:1.7em;margin:0;color:#CC0000;} ..h3{font-size:1.2em;margin:10px 0 0 0;color:#000000;} ..#header{width:96%;margin:0 0 0 0;padding:6px 2% 6px 2%;font-family:"trebuchet MS", Verdana, sans-serif;color:#FFF;..background-color:#555555;}..#content{margin:0 0 0 2%;position:relative;}...content-container{background:#FFF;width:96%;margin-top:8px;padding:10px;position:relative;}..-->..</style>..</head>..<body>..<div id="header"><h1>Server Error</h1></div>..<div id="content">.. <div class="content-container"><fieldset>.. <h2>404 - File or directory not found.</h2>.. <h3>The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.</h3>.. </fieldset></div>..</div>..</body>..</html>..HTTP/1.1 404 Not Found..Date: Sun, 13 Dec 2015 00:52:47 GMT..Content-Type: text/html..Content-Length: 1245..Connection: keep-aliv
<<< skipped >>>
Map
The Trojan connects to the servers at the folowing location(s):
Strings from Dumps
%original file name%.exe_204:
.text
.text
`.rdata
`.rdata
@.data
@.data
.ndata
.ndata
.rsrc
.rsrc
uDSSh
uDSSh
.DEFAULT\Control Panel\International
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
GetWindowsDirectoryA
KERNEL32.dll
KERNEL32.dll
ExitWindowsEx
ExitWindowsEx
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
SHFileOperationA
SHFileOperationA
ShellExecuteA
ShellExecuteA
SHELL32.dll
SHELL32.dll
RegEnumKeyA
RegEnumKeyA
RegCreateKeyExA
RegCreateKeyExA
RegCloseKey
RegCloseKey
RegDeleteKeyA
RegDeleteKeyA
RegOpenKeyExA
RegOpenKeyExA
ADVAPI32.dll
ADVAPI32.dll
COMCTL32.dll
COMCTL32.dll
ole32.dll
ole32.dll
VERSION.dll
VERSION.dll
verifying installer: %d%%
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
hXXp://nsis.sf.net/NSIS_Error
... %d%%
... %d%%
~nsu.tmp
~nsu.tmp
%u.%u%s%s
%u.%u%s%s
RegDeleteKeyExA
RegDeleteKeyExA
%s=%s
%s=%s
*?|/":
*?|/":
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beeiachifd.exe 7*6*7*6*6*7*5*2*0*1*0 KEpCPjcqMTIzMyAoTU48SkI/OzAfL0c/TVFJS0ZHRDwxGSk9Q01NREI9MjAsLTEaKTxEQj0vIChKS0k Tj5SX0hENiwyLzAuGy1TRFJPP0tZT0tHO2hzdGk0KClta3EsRERTRCdNSUomPE5QLUlHQEgaKTxHR0NKST03GSk KjgrMR8vPSw2JysZKkIzPC0qGig LjYoLyAuRC43JisaKEtQT0NVPE5YSkxCUT9DWD0ZKUlMST1QQVReRU5GOjcaKEtQT0NVPE5YSDtGQDtVb2Rabl5tGihAVkVeVUtGNmJubWs4Ly5kaHFnZmlaXytzZHJvX2ttKFxqay9SeWxDZ2BpKFFNU3N1Wyhecl8ZKkNYRF88Rz1GQ0dAOyAuSEhNTVk8S0pVU0RSNi8ZKU5BPExLWE9OWU5MRjYbLVZMPSsaKD5NKjgeL1FVR05CRz9YUkNMQk9GP0JHO0BAU1JLPRkpQk1ZS1BMVEhNPjdtbG9eGy1SRFROTEdDSEBaU1NEUlg OlNNNi0eL0dJPT9RNysZKkdTXkRSSDpHQzxaQ05CUlJKTT8 NmFfbHJlGSk9SVFHR01BQ19CSjYsKyspLzc3LiwqJywyGSpOQVFBRUY RllCSVFUQExFN21sb14bLVRITT43Ki4uMSsxMDE4KRooPklQSUpPQERYTkJHPzYsLy8xMCgsKSsvIy04Mzc6KSojSkc=
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beeiachifd.exe 7*6*7*6*6*7*5*2*0*1*0 KEpCPjcqMTIzMyAoTU48SkI/OzAfL0c/TVFJS0ZHRDwxGSk9Q01NREI9MjAsLTEaKTxEQj0vIChKS0k Tj5SX0hENiwyLzAuGy1TRFJPP0tZT0tHO2hzdGk0KClta3EsRERTRCdNSUomPE5QLUlHQEgaKTxHR0NKST03GSk KjgrMR8vPSw2JysZKkIzPC0qGig LjYoLyAuRC43JisaKEtQT0NVPE5YSkxCUT9DWD0ZKUlMST1QQVReRU5GOjcaKEtQT0NVPE5YSDtGQDtVb2Rabl5tGihAVkVeVUtGNmJubWs4Ly5kaHFnZmlaXytzZHJvX2ttKFxqay9SeWxDZ2BpKFFNU3N1Wyhecl8ZKkNYRF88Rz1GQ0dAOyAuSEhNTVk8S0pVU0RSNi8ZKU5BPExLWE9OWU5MRjYbLVZMPSsaKD5NKjgeL1FVR05CRz9YUkNMQk9GP0JHO0BAU1JLPRkpQk1ZS1BMVEhNPjdtbG9eGy1SRFROTEdDSEBaU1NEUlg OlNNNi0eL0dJPT9RNysZKkdTXkRSSDpHQzxaQ05CUlJKTT8 NmFfbHJlGSk9SVFHR01BQ19CSjYsKyspLzc3LiwqJywyGSpOQVFBRUY RllCSVFUQExFN21sb14bLVRITT43Ki4uMSsxMDE4KRooPklQSUpPQERYTkJHPzYsLy8xMCgsKSsvIy04Mzc6KSojSkc=
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp
beeiachifd.exe
beeiachifd.exe
8 8$8(8,80848
8 8$8(8,80848
Certification Services Division1806
Certification Services Division1806
hXXp://t2.symcb.com0
hXXp://t2.symcb.com0
!hXXp://t1.symcb.com/ThawtePCA.crl0
!hXXp://t1.symcb.com/ThawtePCA.crl0
hXXp://tl.symcb.com/tl.crl0
hXXp://tl.symcb.com/tl.crl0
hXXps://VVV.thawte.com/cps0/
hXXps://VVV.thawte.com/cps0/
!hXXps://VVV.thawte.com/repository0
!hXXps://VVV.thawte.com/repository0
hXXp://tl.symcd.com0&
hXXp://tl.symcd.com0&
hXXp://tl.symcb.com/tl.crt0
hXXp://tl.symcb.com/tl.crt0
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
.?AVCWebPage@@
:,:0:4:8:
:,:0:4:8:
9œ9P9g9
9œ9P9g9
9#9'9-91999
9#9'9-91999
9"9/999_9
9"9/999_9
="=&=*=.=
="=&=*=.=
Q.twz
Q.twz
.rwe:r
.rwe:r
?%xh |4
?%xh |4
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpOpen
WinHttpOpen
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpConnect
WinHttpConnect
WinHttpReadData
WinHttpReadData
WinHttpWriteData
WinHttpWriteData
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpSetOption
WinHttpSetTimeouts
WinHttpSetTimeouts
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpGetProxyForUrl
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
WINHTTP.dll
PSAPI.DLL
PSAPI.DLL
GetProcessHeap
GetProcessHeap
uQ.yZ
uQ.yZ
c:\%original file name%.exe
c:\%original file name%.exe
%original file name%.exe
%original file name%.exe
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb1.tmp
CUME~1\"%CurrentUserName%"\LOCALS~1\Temp\nsb1.tmp
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\
Nullsoft Install System v2.46
Nullsoft Install System v2.46
{8856F961-340A-11D0-A96B-00C04FD705A2}
{8856F961-340A-11D0-A96B-00C04FD705A2}
00000000
00000000
6392.151120.1377.7500
6392.151120.1377.7500
beeiachifd.exe_364:
.text
.text
`.rdata
`.rdata
@.data
@.data
.rsrc
.rsrc
@.reloc
@.reloc
tCPjB
tCPjB
r%f;M
r%f;M
j.Yf;
j.Yf;
_tcPVj@
_tcPVj@
.PjRW
.PjRW
%d/%d/%d %d:%d:%d
%d/%d/%d %d:%d:%d
X:X:X:X:X:X
X:X:X:X:X:X
\Google\Chrome\Appl
\Google\Chrome\Appl
ication\chrome.exe
ication\chrome.exe
Error %u in WinHttpQueryDataAvailable.
Error %u in WinHttpQueryDataAvailable.
Error %u in WinHttpReadData.
Error %u in WinHttpReadData.
Error %d has occurred.
Error %d has occurred.
F%D,3
F%D,3
operator
operator
GetProcessWindowStation
GetProcessWindowStation
function not supported
function not supported
operation canceled
operation canceled
address_family_not_supported
address_family_not_supported
operation_in_progress
operation_in_progress
operation_not_supported
operation_not_supported
protocol_not_supported
protocol_not_supported
operation_would_block
operation_would_block
address family not supported
address family not supported
broken pipe
broken pipe
inappropriate io control operation
inappropriate io control operation
not supported
not supported
operation in progress
operation in progress
operation not permitted
operation not permitted
operation not supported
operation not supported
operation would block
operation would block
protocol not supported
protocol not supported
WinHttpCrackUrl
WinHttpCrackUrl
WinHttpOpen
WinHttpOpen
WinHttpCloseHandle
WinHttpCloseHandle
WinHttpConnect
WinHttpConnect
WinHttpReadData
WinHttpReadData
WinHttpWriteData
WinHttpWriteData
WinHttpQueryDataAvailable
WinHttpQueryDataAvailable
WinHttpSetOption
WinHttpSetOption
WinHttpSetTimeouts
WinHttpSetTimeouts
WinHttpOpenRequest
WinHttpOpenRequest
WinHttpAddRequestHeaders
WinHttpAddRequestHeaders
WinHttpSendRequest
WinHttpSendRequest
WinHttpReceiveResponse
WinHttpReceiveResponse
WinHttpQueryHeaders
WinHttpQueryHeaders
WinHttpGetProxyForUrl
WinHttpGetProxyForUrl
WinHttpGetIEProxyConfigForCurrentUser
WinHttpGetIEProxyConfigForCurrentUser
WINHTTP.dll
WINHTTP.dll
PSAPI.DLL
PSAPI.DLL
GetProcessHeap
GetProcessHeap
KERNEL32.dll
KERNEL32.dll
CreateDialogIndirectParamW
CreateDialogIndirectParamW
USER32.dll
USER32.dll
GDI32.dll
GDI32.dll
RegCloseKey
RegCloseKey
RegCreateKeyExW
RegCreateKeyExW
RegEnumKeyExW
RegEnumKeyExW
RegOpenKeyExW
RegOpenKeyExW
RegQueryInfoKeyW
RegQueryInfoKeyW
ADVAPI32.dll
ADVAPI32.dll
ShellExecuteW
ShellExecuteW
SHELL32.dll
SHELL32.dll
ole32.dll
ole32.dll
OLEAUT32.dll
OLEAUT32.dll
URLDownloadToFileW
URLDownloadToFileW
urlmon.dll
urlmon.dll
IPHLPAPI.DLL
IPHLPAPI.DLL
GetCPInfo
GetCPInfo
zcÃ
zcÃ
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AV?$CAtlExeModuleT@VCSmartInstallerModule@@@ATL@@
.?AVCWebPage@@
.?AVCWebPage@@
:,:0:4:8:
:,:0:4:8:
9œ9P9g9
9œ9P9g9
9#9'9-91999
9#9'9-91999
9"9/999_9
9"9/999_9
="=&=*=.=
="=&=*=.=
8 8$8(8,80848
8 8$8(8,80848
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.142 Safari/535.19
\default.html
\default.html
*.txt
*.txt
SOFTWARE\Mozilla\Mozilla FireFox
SOFTWARE\Mozilla\Mozilla FireFox
Software\Mozilla\Mozilla FireFox
Software\Mozilla\Mozilla FireFox
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
SOFTWARE\Google\Update\Clients\{8A69D345-D564-463c-AFF1-A69D9E530F96}
Software\Mozilla\Mozilla Firefox
Software\Mozilla\Mozilla Firefox
firefox
firefox
chrome
chrome
opera
opera
@@exeurl
@@exeurl
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.html\UserChoice
ChromeHTML
ChromeHTML
FirefoxHTML
FirefoxHTML
IE.AssocFile.HTM
IE.AssocFile.HTM
Opera.HTML
Opera.HTML
http\shell\open\command
http\shell\open\command
Opera.exe
Opera.exe
Safari.exe
Safari.exe
HKEY_LOCAL_MACHINE
HKEY_LOCAL_MACHINE
HKEY_CURRENT_USER
HKEY_CURRENT_USER
4-1-0-2-3-1-9-2-2-8-5
4-1-0-2-3-1-9-2-2-8-5
AntivirusesRegKeys
AntivirusesRegKeys
RegKey32
RegKey32
RegKey64
RegKey64
ExeURL
ExeURL
ExeURL2
ExeURL2
RegKey
RegKey
ReportName
ReportName
PreExe
PreExe
PostExe
PostExe
PreExeResultTerm
PreExeResultTerm
PreExeResultValue
PreExeResultValue
PostExeResultTerm
PostExeResultTerm
PostExeResultValue
PostExeResultValue
PostRegKey32
PostRegKey32
PostRegKey64
PostRegKey64
n2d.exe
n2d.exe
downoad.exe
downoad.exe
WinHttpClient
WinHttpClient
Hmscoree.dll
Hmscoree.dll
- floating point support not loaded
- floating point support not loaded
- CRT not initialized
- CRT not initialized
- Attempt to initialize the CRT more than once.
- Attempt to initialize the CRT more than once.
kernel32.dll
kernel32.dll
USER32.DLL
USER32.DLL
portuguese-brazilian
portuguese-brazilian
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beeiachifd.exe
C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\beeiachifd.exe
{8856F961-340A-11D0-A96B-00C04FD705A2}
{8856F961-340A-11D0-A96B-00C04FD705A2}