Application.Bundler.InstallBrain.A_c471503e7b

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Application creates the following process(es):No processes have been created.The Application injects its code into the following process(es):

%original file name%.exe:1840

Mutexes

The following mutexes were created/opened:

ShimCacheMutexRasPbFile{69C867F8-341A-44a8-B8F2-AF392F12143A}804105trueZonesLockedCacheCounterMutexZonesCacheCounterMutexZonesCounterMutex_!MSFTHISTORY!_c:!documents and settings!adm!local settings!temporary internet files!content.ie5!c:!documents and settings!adm!cookies!c:!documents and settings!adm!local settings!history!history.ie5!WininetConnectionMutexWininetStartupMutexWininetProxyRegistryMutexc:!documents and settings!adm!local settings!history!history.ie5!mshist012014081720140818!_!SHMSFTHISTORY!_CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003

File activity

The process %original file name%.exe:1840 makes changes in the file system.

The Application creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3008.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3146.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_518.part (33029 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\cav.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3601.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3232.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\events.js (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\mask.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3941.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2985.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_519.part (5954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-top.gif (12 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2984.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2980.html (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg.gif (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3600.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2987.html (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2986.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main - копия.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\logo.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\smart.js (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-bottom.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3145.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3364.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\old_smart.js (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3385.html (17 bytes)

The Application deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)

Registry activity

The process %original file name%.exe:1840 makes changes in the system registry.

The Application creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePrefix" = ":2014081720140818:"
"CacheLimit" = "8192"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheOptions" = "11"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheRepair" = "0"

[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081720140818\"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FE 13 8D F8 09 D4 F4 C6 F8 04 55 A5 32 96 81"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

Adds a rule to the firewall Windows which allows any network activity:

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"

The Application modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Application modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Application modifies IE settings for security zones to map all urls to the Intranet Zone:

"IntranetName" = "1"

The Application deletes the following registry key(s):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]

Dropped PE files

MD5	File path
375df55e6337e43b992bd3451802c6af	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ibtmpd366498\component_518
3ed0a2882d62a7bff0645be507757f4c	c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ibtmpd366498\component_519

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

1. Click (here) to download and install Ad-Aware Free Antivirus.
2. Update the definition files.
3. Run a full scan of your computer.

Manual removal*

1. Terminate malicious process(es) (How to End a Process With the Task Manager):No processes have been created.
2. Delete the original Application file.
   
3. Delete or disinfect the following files created/modified by the Application:

   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b4.gif (661 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-right.jpg (468 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn.png (716 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3008.html (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b-bg.gif (295 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-right.jpg (694 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (12 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main.css (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg.jpg (333 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn4.png (130 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b3.gif (384 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3146.html (19 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.gif (207 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_518.part (33029 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\cav.xml (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3601.html (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3232.html (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-left.jpg (681 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\events.js (17 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\mask.bmp (42 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3941.html (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2985.html (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_519.part (5954 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (112 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.png (911 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-top.gif (12 bytes)
   %System%\wbem\Logs\wbemprox.log (76 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader2.gif (6 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery-1.7.min.js (94 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2984.html (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery.noselect.min.js (299 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2980.html (9 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg.gif (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\center2.jpg (305 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn2.png (402 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-left.jpg (460 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader.gif (3 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3600.html (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2987.html (4 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2986.html (7 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main - копия.css (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\mid.jpg (403 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\logo.png (13 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\smart.js (24 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-bottom.gif (8 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\conditions\conditions.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3145.html (18 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\check.jpg (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn3.png (138 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn2.png (136 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn1.png (139 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3364.html (5 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\old_smart.js (23 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\trust.gif (437 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act.jpg (380 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\config.js (1 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\template_40.png (110 bytes)
   %Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3385.html (17 bytes)

4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
   
5. Reboot the computer.
   

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

Company Name:
Product Name: Installer
Product Version: 15.9.28.27
Legal Copyright: Copyright 2012
Legal Trademarks:
Original Filename: installer.exe
Internal Name: installer
File Version: 15.9.28.27
File Description: Installer
Comments:
Language: English (United Kingdom)

Company Name: Product Name: InstallerProduct Version: 15.9.28.27Legal Copyright: Copyright 2012Legal Trademarks: Original Filename: installer.exeInternal Name: installerFile Version: 15.9.28.27File Description: InstallerComments: Language: English (United Kingdom)

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	106236	106496	4.73406	0d3d7e0f700194accb219396586936fc
.rdata	110592	32866	33280	4.19622	311ce55086569ba80d6319d3656afc11
.data	147456	13096	9216	3.31887	571cbf16e9add883bb2f2d2c11b35727
.rsrc	163840	650668	650752	5.47948	7b69a089de15cd17cfb99c129316a099
.reloc	815104	8574	8704	3.12516	5873e2cca4a559e776377b3f2a957fec

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 24
e72f1b26ccd11a61ab3b1d840c826e2b
99003cb09ca70d45fac4fb32e5399587
0f7a82d7763c300557e569886f4208fb
e6db1f885f501ce27db25bd0a5c619cd
c0bc5d6930dab81029531be2dc6e0308
f9c1eaba84f3ac6e8ff315eb937a79c2
655c4aa4b50967b716077b07c86e7d9b
24cd3c139ffc8fe1249149857614fbb3
7a660045686faa04e3788ef1ea77533d
93680d312fee389edaaa9cda383194b3
d218822401c7d2dc804cde1c6a019f98
ac9328fd619afcc68aa52ec124af2b74
de7446f0b0406391972be69770b41142
518b80d93ca9222fe27725d17a6bdd29
b37a9e45578a2136f36e189481c80065
af55e8b1ffa3a542c4c599f87ea1fa34
8f1f49bfff8cbdf8b3b59cecc1991990
ec5afbf9f7ae28d296c222579b4255b7
3546998e010e36772bde80ba5c51b938
042894e34888fd250e9c6dbc6d58dc6a
8971f6e3b4b5582dbd94c4b7537b4e3a
502399cc417fd64158205c76170043f3
2a5f05824ed03380ef5986a54692551b
72fbe038ab46bb9ba5f8522b7f225817

Network Activity

URLs

URL	IP
hxxp://174.36.241.169/track/ib-start?cid=4105
hxxp://174.36.241.169/track/ib-show?cid=4105&componentid=518
hxxp://174.36.241.169/track/ib-show?cid=4105&componentid=519
hxxp://173.192.190.226/files/components/sp-downloader.exe
hxxp://173.192.190.226/files/components/BuenoSearchTB.exe
hxxp://173.192.190.226/files/components/SearchShock.exe
hxxp://173.192.190.226/files/components/SearchAlgo.exe
hxxp://173.192.190.226/files/components/yandex_downloader_v3.exe
hxxp://173.192.190.226/files/components/CloudBackup.exe
hxxp://173.192.190.226/files/products/PCPerformerSetup-4.exe
hxxp://173.192.190.226/files/components/PortalMoreSetup.exe
hxxp://173.192.190.226/files/products/UnknownFile.exe
hxxp://173.192.190.226/files/components/SpeedanAlysisSetupW.exe
hxxp://173.192.190.226/files/products/ffdshow.exe
hxxp://173.192.190.226/files/products/MatroskaSplitter.exe
hxxp://www.appregis.com/files/components/BuenoSearchTB.exe
hxxp://www.appregis.com/files/products/ffdshow.exe
hxxp://api.ibario.com/track/ib-start?cid=4105
hxxp://www.appregis.com/files/components/SearchShock.exe
hxxp://www.appregis.com/files/components/CloudBackup.exe
hxxp://www.appregis.com/files/products/MatroskaSplitter.exe
hxxp://www.appregis.com/files/products/UnknownFile.exe
hxxp://www.appregis.com/files/components/PortalMoreSetup.exe
hxxp://www.appregis.com/files/components/yandex_downloader_v3.exe
hxxp://www.appregis.com/files/components/SearchAlgo.exe
hxxp://api.ibario.com/track/ib-show?cid=4105&componentid=519
hxxp://www.appregis.com/files/components/sp-downloader.exe
hxxp://api.ibario.com/track/ib-show?cid=4105&componentid=518
hxxp://www.appregis.com/files/products/PCPerformerSetup-4.exe
hxxp://www.appregis.com/files/components/SpeedanAlysisSetupW.exe

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /files/products/ffdshow.exe HTTP/1.1

Range: bytes=3821680-4777099

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:12 GMT

Content-Type: application/octet-stream

Content-Length: 955420

Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT

Connection: keep-alive

Content-Range: bytes 3821680-4777099/4777100

.hP.B...d... ........i..eD... }..m...rB...g.!..m..u........&.:...>.}.[...2..~tn...l..I..j-.!.-...d...[`.S.S.51..Qo.a.P..p.iBjY.(k..7......d...~>...]._&....&.n..7LP....sO...pG...}.u.%.......%......!...s. .......i..yoH)vN...0.@.L{.......A.V9..L..&.I...?F&.v.$ ......L...>.7!#zOdj>....!.M.O...~.!..&o...l.UY.c6D.....<..F.?.t...K...i.P\.A....B...Q...7..ZpS...!.\.4.,(..:.y-qY..o @Au?%.*.h.........8$.....v.........A&.8. .U....Wm....")..C.#..c.1.I..<Z.Y.....a..D.......b..B...H...5n........2!..w......F...F.#.er...k...s.M... ...3`!8u..........$..a!..P &._........M....X.....f......c.=.I..0........Mxs..i`.....HM4.....F...38..L.`.6.-]~..o.........K.E.~).\....V...{..gW...!'n$V2h..&5l..^.G..R..b.$.{..Z. /....AA.._.....l...`N.7t...c.....S..l(..y..X.`.:.............j....Cw...8.{h.E..8..4..u.bn..%..".'.C.....tC.o8[s>.Ey%...^........#W.A6....,th....L=?.........s...*..@!.l.df.|...au...J..p....bg."ZnuK..t..=h...kX....k...........~9.........sw/A#......X.d`.....`.}.......:n[.iV2p>.>..J.q./.S=..xQQ.._..MR..."x2............eZ.5...Je0.....d....gVj...rda..o.j..o9.S..*.eC...b.vI...RB.3.'h..Q.......'.Ev.....b....EAx...t....L5...0.u.....s?.C....^-...%............LM.X4........h`Wn....".M...%...&.,....Gf}.....T..D..?ob{....G.....UV.X.p.w...h.@./......N...SQ.YM..!d8`._ka..ZA.G...............VKE%...w.....&.[lqv...r.$...YE..y*X..=0...C...q.3.....(R..._..x.5....*......A@......a..u...Q..(.9.$..X$L^....x=....@P=.....p.7.....k]..`.5.{..*..h..7^....6j....n..{LCO...'W;.3y.....b....Q.(..P...v...{hp7.......S6.....Vk%zg:.t......

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1

Range: bytes=557586-836378

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:17 GMT

Content-Type: application/octet-stream

Content-Length: 278793

Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT

Connection: keep-alive

Content-Range: bytes 557586-836378/1393969

..!.N.....LC......yu..O...J.V....5..XX.c(.~.0....L.bP.LE.R..]...S..x..%....{..>.0.1..n..i.:.v!.H.ub...j......w....mH4}A...;......LI....D.....T.-.*]&..Ir.....9.P...Tx.~.F.XW...-$....xfq...t....^..x.Y|,.x..]..._r..u...!.) ..$.o.....S........_.p...p8....J....K.u..........._.s....J..3..r..5/~..\*\..7.'.i..Ub.M2.C.h^e......B...rWf#W..q.t..~...v.-......~dZd.).qEg],...6.*.w.P.W.......<.....\.|n..[..3.0.!6...8C....D(2.....8).q......y............!.Z...f*,/.....zk..&.1.....j>..`...xL..cC_..W.B.b7.....=h...p..9O.i....yT.4.m..i.k...xSk.1..Ui.uG5.....F....F|.....n.g'..s...B.x..sg;.f...H va..GA.w_.g....._.!$..a..|....s.%*f8x....F..^....=7...M~ ...<........V..N.....|....@P,.".g.C..D.s6Sc%..m.i...t...px..w.........\.Vl....B..@...;f.9......KT....N...a....=0myH..|.. *..U.kn...6t...|!.\.....u.t~.n.)K....6......=.;..ps..N.Y:....3*_J.B..6..D;.}o..{l. d@c...".K/s.A.V.>k.v..s._}..~.......T...4.I...2z.............{.p(.....`J........Y.W...W=...K"...r....rA-u(...k.b9O.g...X.0.O...{/..2....4c....N.y....p.<Ad..s.]....i.D.7.....e..W..Q.g....{...... ..K....@...._.cR.l..a..?.Cse....?.5..n.]....... G.....[h[..Jr....1..Y..2.QZ.4.d.$'...n5.<.`8gW .l..(<...Hq5..F...@..D.. .cxbX#..W#..Q.o..u.n>/.,....(.U,..or....W;...*.h...b.y..FQ.BE.o.....Y...p?D.#.....o.......G....i.. .;....$x...b..B8..q....n...h.V6F.X..$T......iE.9t.n......q."4xK;...ugj1...?....~.=.....2.r..>.S.5.. L...1n....".....9....u,7.Gg/..YM)...knK.........O16..4....iJ.o....._.B........"..q.....[.........#....s.8.lT}n..Q.k]......Kp...i.A.D...........9V.....F

<<< skipped >>>

HEAD /files/products/PCPerformerSetup-4.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/octet-stream

Content-Length: 4254614

Last-Modified: Thu, 03 Jul 2014 07:06:18 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/components/SearchAlgo.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/octet-stream

Content-Length: 504024

Last-Modified: Fri, 01 Aug 2014 12:54:52 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/products/MatroskaSplitter.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:06 GMT

Content-Type: application/octet-stream

Content-Length: 1393969

Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/components/SpeedanAlysisSetupW.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:06 GMT

Content-Type: application/octet-stream

Content-Length: 1952505

Last-Modified: Tue, 17 Jun 2014 12:40:52 GMT

Connection: close

Accept-Ranges: bytes

GET /files/products/ffdshow.exe HTTP/1.1

Range: bytes=1910840-2866259

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:12 GMT

Content-Type: application/octet-stream

Content-Length: 955420

Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT

Connection: keep-alive

Content-Range: bytes 1910840-2866259/4777100

zP.{=&w|.....j...%v&p...d.}sz.....t..J..7....%.ZZ.$d.!.m.% ...._d..'......f.......#~....0k.....Oly...2..G.....jN..b...bj.A..z.....&...!.jA.t..4.!{.....I.N.....x.#.Y{.b.2...t._...d../...Hc..5Q.H.'...f...Ui..`0D....p.3....[...Z.{........`UXZ...&.......Kf.D.!...}j.|..O!..!.v....PSL.......w.G...../1.1...ue_..@.....F....|.K.|..N6w.....\..-\X.US.. ......6....y........ .....U&.:...x..r.P...%!&2.............aKD..6.z..X......'.{.._@k..d..A.H8....._.,,....k.1W{Z..rH..o.]/.N.....d..G...yi"..E.....GB.".0.HS.u.=....P...9....j....Z..S}..V...g...\mx..">.....<......"."a...|..?...D.....iy(........s.@...b9$...nbPy# tR.|U...}.q:.....2.GW..~.I...........e.....^.m|....]..p..b[x.<....@..RVU@....$.%...$!i.En-..._d...0YP......v....G..HHt.3.8..$z.O._.E..A.Q.T.o.]..RTld.)....x..g..!A. ...Fx..s.m....c..f....~,......!...E..TU.[s.92.ktx.MR.4B.C...l.p...cg ....=W.eog..7|.z.N...F.Y.-%7..........M..;p.../G.E.([.'..K1Y.......t=..>....... ...q.r.$....6wc.Sv.}..}....{.o...d|...#.......w.vp..6/..l.....:..!=*.u..?.N.......M^....S....6RSdz..CW.'dr%....1..M..6....=.1.....^.Q......m... _..cOB;,..z........e.2.........8a.&....s..~u.{z..<..m..&..L...}.#..n..6......h....$....9. ).._\gd...y.sc/.3.a.&.....F.O..W9.B............O...{..\.Wo.c..Q.wy..z.......Z&....U..C..|=..g.S'..:..*.]uO....X).'5@ E.X.............>.....4u..i..I....`A.bK]j....Ux..v..{.{..Q..?.dH..g......{..[.p..<.)...6A............ek....B....>...C...dv.9..?s..3..J../y.......@H}2...X@F....t.!(.o....~...:..>j.PNC.Y.P^.U.Nc..X........p.)."t....-..TS......T..........9...

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1

Range: bytes=278793-557585

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:17 GMT

Content-Type: application/octet-stream

Content-Length: 278793

Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT

Connection: keep-alive

Content-Range: bytes 278793-557585/1393969

k...9}@.<-4..}.. wo`$ey......1..r..6f...r...%....*.....<....=.&...>K..9g...................a.C_._Mn.]W.b.2Y[....b.8...cl...Fj.....F32..C...5q=.>..Q...:.....%....vHJ.... h:....&.U._.@.9......`p....r.....DL.Z.*c.E-...)]...F..#Y.%..j2a,.......$..X5>z)..u....Px...k...cW1..>..o.....KK....x;...b.E.L.j:....<p25.4|^..e.s.............>.H....5......W..w.X(..S....X.d...]"7......M...4......g.."s........h..%.....-..m..- .H3..9u.#V|bn...&i..o..M.....Dj...7%..Pw..d?.M..GC.EfW..l.....0.c.....J...>9u>AxJ...l.!5.6".....U......u.G...V..Q*95..w.!..3....i..d?.*Q.:..*?y.?]RW...r<{.h...K....-XA.}.L.S..51Z.~......-.......b=...........W.@.^.(#........k#....N|.'c'.......Gl...<>........y%.RM..H..Z.t.y...4...o..;N..F.......O....ui.3...C..._.u.Ut...7f.........hXmZ......&C...... $...F..i..../sQ...n....y[..pU..)....R@..%*...(..gR..9t.. U!.....B./.QX.&.}.....l.v.R..o..J..-.b...*Qe.........m........!..._.%l.h.Cc.{.b.u(n!"aq.k.b[.v.9k.A.6[.$.F_P.`.E'........s. ..Ig.".l ...;.23C../.8..%g.....s........D.........v...... 9.....#..T...7.D.....;.,V.W..P..@'.0.......7...:.....miVjO.......\VM.`.4.p._...k..L..8..R.K@..E...(.;...9..A1. .u.c...........i.....H.Nv... ...#i....Pd...y...t... .........|..............-E......u..n&??..B..&.....EV..|...2d.x..1....'.V..k.!W.......K......5o..x.o..d.. .....~.d..)...SW.lY.\.....a....S.i.....J..ytC........B`.W...b.C.<O..3..Z..AR..E.;4....2F......S.f.QW..dK..iy...f..B..8.....`.l........'......4. ../.9....L..s.b>.<.m.M.....>............=..v#Z........6...A.U.s....AE`.uX

<<< skipped >>>

HEAD /files/components/SearchShock.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/octet-stream

Content-Length: 575323

Last-Modified: Fri, 01 Aug 2014 12:54:56 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/products/MatroskaSplitter.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:16 GMT

Content-Type: application/octet-stream

Content-Length: 1393969

Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT

Connection: close

Accept-Ranges: bytes

GET /files/products/ffdshow.exe HTTP/1.1

Range: bytes=0-955419

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:12 GMT

Content-Type: application/octet-stream

Content-Length: 955420

Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT

Connection: keep-alive

Content-Range: bytes 0-955419/4777100

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L....q.N.................d.......B...3............@..........................0....................................................... ..x............................................................................................................text...@b.......d.................. ..`.rdata...............h..............@..@.data...|f..........................@....ndata...................................rsrc...x.... ......................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1

Range: bytes=1115172-1393968

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:17 GMT

Content-Type: application/octet-stream

Content-Length: 278797

Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT

Connection: keep-alive

Content-Range: bytes 1115172-1393968/1393969

|j......."......h>.OY..b..C......r.B.?..... ...Uy..5K(.F./.:'=|R.")V.F..2.....hb`.O......:.M..^.......]...pTa.s..)[s{.Uj....M..5..9..<-..9C...(.J....\.........}<@..*.....Y......0/$-...@..K....Z../...K...kY0.._!.......P..'.......O....d..V...G..>J.0..,<.{......!...oU..-7E(...n.7.$4..j......YP..Um.......aP..7-[...R.>.T.r.Q......./F....#v..^l..)....R.Z.\{.cn....:...|!...........p....../....=]4....K.?..#...U7...b.%if......6..q..\.,1M.].{......j.O.TN.....@..l)1...L.i.u..$.w...}.u!=.xt.1..!..h..D..u.[,......zw.i....=.Z..p....".....EQ...s.K.K.......{.f..b.".. .s./....a...WZ.!........i.C.4L..2rFXA....5t.......x. ...9=#Q...`y......I(..b.......Z..,..Fv>O..`Nb.g...(..!...ZP2b.x..l,aO>$....!...G.'...6*..*...._..ieb....1..-.8.=...Zb.".D..KIL..?...VB...P.{.8.V5~./..Yl.p..U..N..)|.....s[b...G].m..E..>.....yQ..................bJE......;O{&&...Ph..5K3..&\o.....r .,.......^.Y1.W..nJ.^hP.StQtHG....[.=..M.:..2. ..@WV..x.Z].....x..].C...%.{.M...d".l8].-V...$.k.Am.......W.<st.8.~..V...A.E..........m.8..S.W........)1....C.mW].e..Yg.V.........=.Z7................k.....K/.."g...Jk....)TB...wi.......Q.>.4G..I...x?......s...[.7Z....... ...8.....K.#..f.S.l<L.-y<rhV.........7.3.'...v.z...H.....9(.U.-....3'......9x....4..n'w..N. :...........-1.J.0.#...0.1 !...h......Jp'H...O.H...TN}.5E.........M=.@.....i.=.8.......:.Ug.p..2.;.D(.-%Z#.W.y-..T..pu..z.a@[._.l&T.2.-0.kB.0.g.j.s0.|(...`.......:/r...}. J..V.d0.6..'....]!..Kw...M73:...zG].4.d.t.kz.c%.|...A..L...[......!....h..r..HM..!.....07.g.-~E...X..Z...)ha

<<< skipped >>>

HEAD /files/components/CloudBackup.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/octet-stream

Content-Length: 165000

Last-Modified: Tue, 22 Jul 2014 07:47:03 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/products/UnknownFile.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:06 GMT

Content-Type: application/octet-stream

Content-Length: 140443

Last-Modified: Tue, 22 Jul 2014 12:39:41 GMT

Connection: close

Accept-Ranges: bytes

GET /files/products/ffdshow.exe HTTP/1.1

Range: bytes=2866260-3821679

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:12 GMT

Content-Type: application/octet-stream

Content-Length: 955420

Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT

Connection: keep-alive

Content-Range: bytes 2866260-3821679/4777100

j..".i...7....18...d......=....G.<.x....(......`...0.n.0...R.c...:..F.4.*-.^...c...4.r.L..rE".O"..J@.Q.E]..X.R..|h.......5.S.^;...].|X.0X...P..&....Z..K`[...!..iOu...E5J...6.y.....UH\i..rP.....KV.B!Z..7Ej...9XN..8...Z ...LO..|.}..e...y....KJ.u}7.C.......i.P;Mi8N.....2..{2w..z.....y..a.bZ?..wu3...m.M.^..?...e.U.......N...Y.N$.U...J.P.w..X`\Y..x...DMz.0.......B..e.'.%^.. i..%....tB ...]_....io............;...<..".d.-.x,.X.....q..dYt...?V..0.1......%....e..5.....Wi:.w. ..(e.j..p..........I..Z.]-..P..^.L.(.Z.n%..jP.7..l..F4/.%..EPP..?...~.p..i....MZ..-~..........x..}&a.....H..;..[.;KI....i.7..).._.z\..h.K.2..8o}!..P.......Pgs......>.MC'y.b..>.pU.=...._)>..o....\...k.i.B.=C4.OOv..{..[6......n..u..O....Z....<.3/..L.:..,.:.W.....7.!.;iTK.....m..ss>|..&u.....\.....Z.lz..UG.M..o.......W......)...I(.....N5V.f{. ..#.1.m4ON......-..<h...!....Q_..k^ .....C..3nl.....LvP- ....V..`.2y]V..hR.q...._....3...6f.y..z....&...L.oUS.\.J......?lT.j.5.\R....w.e*9}r"O.3.ay.....V..Q..P...xU&K."cb..."Dq..Ji^.N.......J~...ww,..@...3./c..h..|X..4.w..s.<....u..Q....W.L.Z..3 .(..u..Kk. ............c.4n#D..)....W.....>.B..E.|h*'.!. 6....;....<..M.M...vp..G..5.,.-.4.S.n.#...~.oA;.lj...H...*].~..G.......9..]...<.F7r{..f...9..s..3..0.. 1.0.m..|..........m...f...!&...-2a?.9....I..j*%.j..M...G*f.P.'.M;.wK...ci....7......./d..rX.Q..?..n.9.a.h..P..n>.#....;.@.0.....e..@Ah.H..(&7.........W....\.Y....'h .....}>.:'.\.n .../.O....u;.y'....7...... .|..L...0"........Y..B|..5J..%..n...Q,....z.Y[.q.6.eM.;.L....Gq?.N..

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1

Range: bytes=836379-1115171

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:17 GMT

Content-Type: application/octet-stream

Content-Length: 278793

Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT

Connection: keep-alive

Content-Range: bytes 836379-1115171/1393969

QC.#:..0.........z.;#-......#6.ZE^P.....1|..If..lE.$..r..>....5@..c..[.....F.....7q....C....J?..]%. .w.sR..2x.....-.-.Sw..i.).M.'n.......U.9.........C}..71..W].....\.A7.s...........;.[.F.'_(....=N.Z.....M..W.J=.8.l...V0..y._8?P. ......p. ......7..7O.........id...2..l......8.<.3..^3..'N.]\@...r.H.?......e{..;.o.J.s!.Sz.].=.G..@P....T..!t... ...c.ZuI. .f.x.M......d~..b...0S...>.....p.IRd.E.....m... ....`....V....*.G........qy...U\k..E"..5.{:S.t..v:{.m..z..../.JE.. .....t......U(S.s.....KL.Wfa(.)f.c....0..c...9.pQ............a3t2...C.u...5d..2-...QH......61.. .....L...%........q......Z7...K......j..uW..\nA.M.-..E....~e.#.g9....G.z......x.h..B.s...: L<.^..v...@..........D5.$.3.k....,/.G.t.q....^...|.n...KfJ;..y...B.W.......gU...d..#*..]2.f.Z.....S...).v).........F..QH......IE[y.W.6..D..4.p.........i...HK.......Z..k...8.KS':z.X...bl@......tZ.M.;.DU.~....!.)J...........D.8t.......p...e.)..-0...=.;).....8o.<hj.../8<T...X.....y...`K.2.4.1...Q....Q...z.1.2q.N....)...5...k.H...s..|,..t.U..R...........*...._..BF.7.LaWV.F=G#.W7.7...m...6.|....k_;Pz..$....?.......B.Y.....A......F[..wO>=._R-.T.....u.h...>.r.!..........$..x..dG. $....XV.%...\&...r..h....3u..Z..z.s.J.b......W)JP...u.%..!.f..F...Y$c....~1.g..]......,.4.-.T..0....3....~^...!......*6..%.2...........#..'.uiBIao. ..6...j.4 O..-0J.<A..3.-2...g^1..pzm~.*..3.c..d..r.d......~....h.eU'Ko,.A..D...8......m..3......-...[...6..B3\.!.\[....}'..3...x.,.#.....y-..(...O.%..Q......p.I....]......y.&H..Xo#0.;..Y.u[....GZR..g.......}.!.......|.`...P.q....

<<< skipped >>>

HEAD /files/products/ffdshow.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:12 GMT

Content-Type: application/octet-stream

Content-Length: 4777100

Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/products/ffdshow.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:06 GMT

Content-Type: application/octet-stream

Content-Length: 4777100

Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/components/sp-downloader.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:04 GMT

Content-Type: application/octet-stream

Content-Length: 145928

Last-Modified: Wed, 14 May 2014 15:11:00 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/components/BuenoSearchTB.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/octet-stream

Content-Length: 744136

Last-Modified: Mon, 16 Dec 2013 10:24:31 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/components/yandex_downloader_v3.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/octet-stream

Content-Length: 145792

Last-Modified: Wed, 17 Jul 2013 10:46:52 GMT

Connection: close

Accept-Ranges: bytes

HEAD /files/components/PortalMoreSetup.exe HTTP/1.1

Connection: close

Host: VVV.appregis.com

HTTP/1.1 200 OK

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/octet-stream

Content-Length: 582640

Last-Modified: Tue, 12 Aug 2014 12:10:04 GMT

Connection: close

Accept-Ranges: bytes

GET /files/products/ffdshow.exe HTTP/1.1

Range: bytes=955420-1910839

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:12 GMT

Content-Type: application/octet-stream

Content-Length: 955420

Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT

Connection: keep-alive

Content-Range: bytes 955420-1910839/4777100

..........:..5..v.v!.:..98 ._..c...9...|......b..}.....xm.u|.2>.....9...c......t0k;$ .;.....=...^.....^..W.$wN..i'...7....~&.t...1E..o..5........].>....q......O6. P.k..5...D...@.......... ..@z.a.z{.?.n.?....Q...x2>..i.E...........h.eL....SG.<Ax..O..mO.QE.P...V..%..Z.>..v.n....#m.....I$.^i.....Q.,....\....a..O...iY....k...Q/OI..w.C......@.&...s...}....0...A..M..6..p..V ..E8Tc_;f.P....D:7.-P..F5.QtY.3l..Y%r.;...k o.v[..k(.y"..}).....c....Kt.$<...2f".3y..)m...U..E.._".J.....s4..Sy.....[_..a.....zf...u.C ...x..E...5r...?a....p...Y...d?....... .. 4./...6.4..-.s..A.)..>$U...IE.f....A..].f.{/h......h.....0..~"..W(.....o..(S.E.A.....3.b{8.).(..%..rbH.9..c`.$.Y../.T. 9a..f...x...n..G.7....Q.3...z..h.{..W....E..5X..lyM.^.b.....#.......Z3.....n...&.V4../.#Ux.>.D.9....;..t.4........<..m.y...''.xV.5.....#.Bl...`..$.C5 ..=.....({Y#C.{.......l.W..!.$...6...Q.A ._....Qj.`....%4.........O....u26....U.<.e. .....u.........<....1}C.^b.qC.9./..=..0[.m....$RqU[J...t....Z.....\0.!...5`&.C_Tp....$V... jB.......X#.!....]'{...y&CV....DWR...u....[,................a......B.!..x........){J..n..V....b.lK.`C>.6L.*.....n4.a.....s..T...xo...F.....G..k.<.....4B...e.!.....',e.!6..e`7.x...S..dGj.J|.`....Q1.%.......\\P..u'd.....(....C6nFL..^......Y........@6.....l..S.1bI..1.......{/. .....................<.|.8....B.....U......g...... .....[.....X...>^U4b.. NJ.....v!.EC.0.........$u.._.I....&.eA....&....#...........yyIo/..T_..e$..6j...m..G....NG}...`BQ.....~..X>6...8.].......D..I@.#...v.......] .pA

<<< skipped >>>

GET /files/products/MatroskaSplitter.exe HTTP/1.1

Range: bytes=0-278792

Host: VVV.appregis.com

Connection: Keep-Alive

HTTP/1.1 206 Partial Content

Server: nginx/1.2.4

Date: Sun, 17 Aug 2014 02:07:17 GMT

Content-Type: application/octet-stream

Content-Length: 278793

Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT

Connection: keep-alive

Content-Range: bytes 0-278792/1393969

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L....q.N.................d.......B...3............@..........................0....................................................... ..x............................................................................................................text...@b.......d.................. ..`.rdata...............h..............@..@.data...|f..........................@....ndata...................................rsrc...x.... ......................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.

<<< skipped >>>

GET /track/ib-start?cid=4105 HTTP/1.1

Host: api.ibario.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 17 Aug 2014 02:07:04 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=2

Vary: Accept-Encoding

X-Powered-By: PHP/5.4.13

27..{"flash":{},"error":false,"status":200}..0......

GET /track/ib-show?cid=4105&componentid=518 HTTP/1.1

Host: api.ibario.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=2

Vary: Accept-Encoding

X-Powered-By: PHP/5.4.13

27..{"flash":{},"error":false,"status":200}..0......

GET /track/ib-show?cid=4105&componentid=519 HTTP/1.1

Host: api.ibario.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Server: nginx

Date: Sun, 17 Aug 2014 02:07:05 GMT

Content-Type: application/json

Transfer-Encoding: chunked

Connection: keep-alive

Keep-Alive: timeout=2

Vary: Accept-Encoding

X-Powered-By: PHP/5.4.13

27..{"flash":{},"error":false,"status":200}..0..

Map

The Application connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_1840:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

RC4 for x86, CRYPTOGAMS by

RC4 for x86, CRYPTOGAMS by

6-9'6-9'

6-9'6-9'

$6.:$6.:

$6.:$6.:

*?#1*?#1

*?#1*?#1

>8$4,8$4,

>8$4,8$4,

AES for x86, CRYPTOGAMS by

AES for x86, CRYPTOGAMS by

cwX_UcTB^DCRTf

cwX_UcTB^DCRTf

yTPAwCTT}^PUcTB^DCRT}^RZcTB^DCRTbXKT^WcTB^DCRT

yTPAwCTT}^PUcTB^DCRT}^RZcTB^DCRTbXKT^WcTB^DCRT

\PX_BTEnBGRnREC]nYP_U]TCP

\PX_BTEnBGRnREC]nYP_U]TCP

wX_UcTB^DCRTf

wX_UcTB^DCRTf

1.2.7

1.2.7

inflate 1.2.7 Copyright 1995-2012 Mark Adler

inflate 1.2.7 Copyright 1995-2012 Mark Adler

operator

operator

GetProcessWindowStation

GetProcessWindowStation

GetWindowsDirectoryW

GetWindowsDirectoryW

GetProcessHeap

GetProcessHeap

KERNEL32.dll

KERNEL32.dll

USER32.dll

USER32.dll

GDI32.dll

GDI32.dll

GetCPInfo

GetCPInfo

zcÁ

zcÁ

\u.bo

\u.bo

b7x.Kr

b7x.Kr

.vw$.]n

.vw$.]n

.Gkek

.Gkek

/x.aQ

/x.aQ

z)EJe-e}

z)EJe-e}

/%F)Y

/%F)Y

z.RA.

z.RA.

G.tiJ

G.tiJ

.se

.se

F.Qtu

F.Qtu

G.pP;

G.pP;

=ai?@.ef

=ai?@.ef

qB.Ay

qB.Ay

%sA2K

%sA2K

DC> '%d

DC> '%d

w.DDs

w.DDs

.tEpU

.tEpU

&.GO)'T

&.GO)'T

f.ATI

f.ATI

l%Uem

l%Uem

E%D,^

E%D,^

.C.qoU

.C.qoU

Q%c:N

Q%c:N

%f=esO0@

%f=esO0@

eL%F%u4

eL%F%u4

8%XGyvK

8%XGyvK

h.TS$w

h.TS$w

}qD.KX,

}qD.KX,

q.MbY

q.MbY

)5N %S

)5N %S

.yo0m,

.yo0m,

x.sU)

x.sU)

m%fIZ

m%fIZ

Y%xsc

Y%xsc

0.ekS

0.ekS

.Ea{;w

.Ea{;w

d*.rQ-

d*.rQ-

x7^U.Vj

x7^U.Vj

2V.xi]

2V.xi]

7*8084888

7*8084888

2 2$2(2,2

2 2$2(2,2

$0 0@0|0

$0 0@0|0

? ?%?,?1???

? ?%?,?1???

kernel32.dll

kernel32.dll

KERNEL32.DLL

KERNEL32.DLL

mscoree.dll

mscoree.dll

- Attempt to initialize the CRT more than once.

- Attempt to initialize the CRT more than once.

- CRT not initialized

- CRT not initialized

- floating point support not loaded

- floating point support not loaded

WUSER32.DLL

WUSER32.DLL

c:\%original file name%.exe

c:\%original file name%.exe

15.9.28.27

15.9.28.27

installer.exe

installer.exe

%original file name%.exe_1840_rwx_01570000_00001000:

.text

.text

`.rdata

`.rdata

@.data

@.data

.rsrc

.rsrc

@.reloc

@.reloc

%original file name%.exe_1840_rwx_0167E000_00004000:

c:\%original file name%.exe

c:\%original file name%.exe