Detections: not-a-virus:HEUR:AdWare.Win32.BrainInst.heur (Kaspersky), Application.Bundler.InstallBrain.A (AdAware), Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
This description was generated automatically by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
Summary
MD5: c471503e7b1ed1c4dd9abd2f71d7dae9
SHA1: a9916565f82eb4d2168dae635c569519f0d94560
SHA256: b1d81fd17170f40f6264248f1f923ba0b5d5f30a3a60fb639c67d4e971a4ec5c
SSDeep: 24576:f5qQTl4G1RcOQok7o93YbFJJGCcP7lxOyOi7Rd3N6:fQQT6GEOyo9kFLtcP7lxLnL3I
Size: 817824 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: AirInstaller
Created at: 2013-09-20 14:20:26
Analyzed on: WindowsXP SP3 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Application creates the following process(es):
No processes have been created.
The Application injects its code into the following process(es):
%original file name%.exe:1840
Mutexes
The following mutexes were created/opened:
ShimCacheMutex
RasPbFile
{69C867F8-341A-44a8-B8F2-AF392F12143A}804105true
ZonesLockedCacheCounterMutex
ZonesCacheCounterMutex
ZonesCounterMutex
_!MSFTHISTORY!_
c:!documents and settings!adm!local settings!temporary internet files!content.ie5!
c:!documents and settings!adm!cookies!
c:!documents and settings!adm!local settings!history!history.ie5!
WininetConnectionMutex
WininetStartupMutex
WininetProxyRegistryMutex
c:!documents and settings!adm!local settings!history!history.ie5!mshist012014081720140818!
_!SHMSFTHISTORY!_
CTF.LBES.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Compart.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Asm.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.Layouts.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
CTF.TMD.MutexDefaultS-1-5-21-1844237615-1960408961-1801674531-1003
Apart from the GUID-named entry, these are standard Windows mutexes (application-compatibility shim cache, RAS phonebook, WinINet cache and history, Internet Explorer zone counters, Text Services Framework) created by the components the installer loads rather than by the installer itself, so they are not useful as indicators for this sample.
File activity
The process %original file name%.exe:1840 makes changes in the file system.
The Application creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3008.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3146.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_518.part (33029 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\cav.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3601.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3232.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\events.js (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\mask.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3941.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2985.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_519.part (5954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-top.gif (12 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2984.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2980.html (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg.gif (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3600.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2987.html (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2986.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main - úþÿøÑÂÂÂ.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\logo.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\smart.js (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-bottom.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3145.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3364.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\old_smart.js (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3385.html (17 bytes)
The Application deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021120130218 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013021820130225\index.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\MSHist012013030120130302\index.dat (0 bytes)
Registry activity
The process %original file name%.exe:1840 makes changes in the system registry.
The Application creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePrefix" = ":2014081720140818:"
"CacheLimit" = "8192"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache]
"@xpsp3res.dll,-20001" = "Diagnose Connection Problems..."
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheOptions" = "11"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CacheRepair" = "0"
[HKCU\Software\Microsoft\Windows Script\Settings]
"JITDebug" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012014081720140818]
"CachePath" = "%USERPROFILE%\Local Settings\History\History.IE5\MSHist012014081720140818\"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8B FE 13 8D F8 09 D4 F4 C6 F8 04 55 A5 32 96 81"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
Adds a Windows Firewall exception that allows any network activity for the installer. On Windows XP the value name under AuthorizedApplications\List is the executable's full path (C:\%original file name%.exe, which the report shows split at the drive letter) and the data has the form path:scope:status:display name, where a scope of * means any remote address:
[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\c:]
"%original file name%.exe" = "C:\%original file name%.exe:*:Enabled:%original file name%.exe (in)"
Modifies the Internet Explorer zone map so that all network (UNC) paths are treated as belonging to the Intranet zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
Modifies the zone map so that all sites that bypass the proxy server are treated as belonging to the Intranet zone:
"ProxyBypass" = "1"
Modifies the zone map so that all local intranet sites not listed in another zone (in practice, host names without dots) are treated as belonging to the Intranet zone:
"IntranetName" = "1"
These three ZoneMap values are the ones Internet Explorer itself writes when its automatic intranet-network detection runs, so they appear in sandbox reports for many programs that use WinINet/IE components; on their own they are weak evidence of deliberate zone tampering. The firewall exception is the registry change worth following up.
The Application deletes the following registry key(s):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013030120130302]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021120130218]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012013021820130225]
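To separate the registry writes listed above into WinINet/shell side-effects and the entries that actually matter (the firewall exception and the ZoneMap values), here is an added triage script; it is not part of the Lavasoft report or its tooling. The sample writes are constructed from the entries above, with the installer path assumed to be C:\installer.exe (the report redacts it as %original file name%.exe) and the key prefixes and trusted directories chosen as reasonable defaults for an XP-era sandbox.

```python
"""Triage of registry writes from a sandbox report.

Added example, not part of the Lavasoft report: SAMPLE_WRITES is constructed
from the registry section above, with the installer path assumed to be
C:\\installer.exe, so the module runs offline.
"""
import re
from typing import Dict, List, NamedTuple, Tuple


class RegWrite(NamedTuple):
    key: str
    name: str
    data: str


# Keys that WinINet, the shell and the CSP update as a side-effect of any
# process that loads Internet Explorer components; they show no intent.
NOISE_KEY_PATTERNS = (
    r"\\Internet Settings\\Cache\\",
    r"\\Internet Settings\\5\.0\\Cache\\",
    r"\\Explorer\\Shell Folders$",
    r"\\Explorer\\MountPoints2\\",
    r"\\ShellNoRoam\\MUICache$",
    r"\\Microsoft\\Cryptography\\RNG$",
    r"\\Windows Script\\Settings$",
)

# IE writes these ZoneMap values itself when intranet auto-detection runs,
# so on their own they are weak evidence of tampering with zone security.
ZONEMAP_DEFAULTS = {"UNCAsIntranet", "ProxyBypass", "IntranetName", "AutoDetect"}

# Directories from which an Enabled firewall exception is unremarkable (assumed).
TRUSTED_DIRS = ("\\program files\\", "\\windows\\")


def parse_firewall_entry(data: str) -> Dict[str, str]:
    """Split an XP-era AuthorizedApplications value, 'path:scope:status:display'.
    The path contains its own drive-letter colon, so split from the right."""
    path, scope, status, display = data.rsplit(":", 3)
    return {"path": path, "scope": scope, "status": status, "display": display}


def classify(w: RegWrite) -> Tuple[str, str]:
    """Return (category, reason); category is noise, review or suspicious."""
    key = w.key.lower()
    if "firewallpolicy" in key and "authorizedapplications" in key:
        entry = parse_firewall_entry(w.data)
        path = entry["path"].lower()
        if entry["status"].lower() == "enabled" and not any(d in path for d in TRUSTED_DIRS):
            return "suspicious", f"firewall exception for {entry['path']}, scope {entry['scope']}"
        return "review", f"firewall exception for {entry['path']}"
    if key.endswith("\\internet settings\\zonemap") and w.name in ZONEMAP_DEFAULTS:
        return "review", "ZoneMap value that IE writes during intranet auto-detect"
    if any(re.search(p, w.key, re.IGNORECASE) for p in NOISE_KEY_PATTERNS):
        return "noise", "WinINet/shell/CSP side-effect"
    return "review", "unclassified registry write"


def triage(writes: List[RegWrite]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Group writes by category as (key, value name, reason) tuples."""
    out: Dict[str, List[Tuple[str, str, str]]] = {"noise": [], "review": [], "suspicious": []}
    for w in writes:
        cat, why = classify(w)
        out[cat].append((w.key, w.name, why))
    return out


# Constructed from the report's registry section (paths shortened).
SAMPLE_WRITES = [
    RegWrite(r"HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List",
             r"C:\installer.exe", r"C:\installer.exe:*:Enabled:installer.exe (in)"),
    RegWrite(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "UNCAsIntranet", "1"),
    RegWrite(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap", "IntranetName", "1"),
    RegWrite(r"HKLM\SOFTWARE\Microsoft\Cryptography\RNG", "Seed", "8B FE 13 8D F8 09 D4 F4"),
    RegWrite(r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders", "AppData",
             r"C:\Documents and Settings\adm\Application Data"),
]

if __name__ == "__main__":
    for cat, items in triage(SAMPLE_WRITES).items():
        for key, name, why in items:
            print(f"{cat:10} {name:18} {why}")
```

Applied to the section above, only the AuthorizedApplications entry comes out as suspicious: an Enabled exception with scope * for an executable outside Program Files. The ZoneMap values land in review, and everything under Internet Settings\Cache, Shell Folders, MountPoints2, MUICache and the RNG Seed is noise.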
Dropped PE files
MD5 | File path |
---|---|
375df55e6337e43b992bd3451802c6af | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ibtmpd366498\component_518 |
3ed0a2882d62a7bff0645be507757f4c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\ibtmpd366498\component_519 |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
No processes have been created.
- Delete the original Application file.
- Delete or disinfect the following files created/modified by the Application:
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b4.gif (661 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-right.jpg (468 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn.png (716 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3008.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b-bg.gif (295 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-right.jpg (694 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B2.tmp (12 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg.jpg (333 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn4.png (130 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\b3.gif (384 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3146.html (19 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.gif (207 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_518.part (33029 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\cav.xml (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3601.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3232.html (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act-left.jpg (681 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\events\events.js (17 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\mask.bmp (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3941.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2985.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\component_519.part (5954 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\B3.tmp (112 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\arrow.png (911 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-top.gif (12 bytes)
%System%\wbem\Logs\wbemprox.log (76 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader2.gif (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery-1.7.min.js (94 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2984.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\jquery.noselect.min.js (299 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2980.html (9 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg.gif (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\center2.jpg (305 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\btn2.png (402 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\pb-bg-left.jpg (460 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ajax-loader.gif (3 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3600.html (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2987.html (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\2986.html (7 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\main - úþÿøÑÂÂÂ.css (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\mid.jpg (403 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\logo.png (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\smart.js (24 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\lbg-bottom.gif (8 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\conditions\conditions.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3145.html (18 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\check.jpg (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn3.png (138 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn2.png (136 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\corn1.png (139 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3364.html (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\old_smart.js (23 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\ib\trust.gif (437 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\red-pb-act.jpg (380 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\js\config.js (1 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\template_40.png (110 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\ibtmpd366498\config\3385.html (17 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
Company Name:
Product Name: Installer
Product Version: 15.9.28.27
Legal Copyright: Copyright 2012
Legal Trademarks:
Original Filename: installer.exe
Internal Name: installer
File Version: 15.9.28.27
File Description: Installer
Comments:
Language: English (United Kingdom)
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 106236 | 106496 | 4.73406 | 0d3d7e0f700194accb219396586936fc |
.rdata | 110592 | 32866 | 33280 | 4.19622 | 311ce55086569ba80d6319d3656afc11 |
.data | 147456 | 13096 | 9216 | 3.31887 | 571cbf16e9add883bb2f2d2c11b35727 |
.rsrc | 163840 | 650668 | 650752 | 5.47948 | 7b69a089de15cd17cfb99c129316a099 |
.reloc | 815104 | 8574 | 8704 | 3.12516 | 5873e2cca4a559e776377b3f2a957fec |
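To reproduce the Entropy column and read the size columns of the section table above, here is an added example of a minimal PE section-table parser with per-section Shannon entropy; it is not Lavasoft's tooling. The test image it builds with build_test_pe() is constructed in memory and is not loadable; it only exercises the parser. The 7.0 bits-per-byte threshold for "packed" is an assumed rule of thumb.

```python
"""Section-table parsing and per-section entropy for a PE file.

Added example, not Lavasoft's tooling. build_test_pe() constructs a minimal,
non-loadable PE image in memory so the parser can be exercised offline;
run the module with a path argument to apply it to a real file.
"""
import math
import struct
import sys
from typing import Dict, List, Tuple


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: 0.0 for a constant run, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_sections(pe: bytes) -> List[Dict]:
    """Walk MZ -> e_lfanew -> PE signature -> COFF header -> section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsect, _ts, _symptr, _nsyms, opt_size, _chars = struct.unpack_from("<HHIIIHH", pe, coff)
    table = coff + 20 + opt_size  # section headers follow the optional header
    sections = []
    for i in range(nsect):
        name, vsize, vaddr, rsize, rptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        raw = pe[rptr:rptr + rsize]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_address": vaddr,
            "virtual_size": vsize,
            "raw_size": rsize,
            "entropy": round(shannon_entropy(raw), 5),
        })
    return sections


def flag_sections(sections: List[Dict], packed_threshold: float = 7.0) -> Dict[str, List[str]]:
    """Notes per section: high entropy (packed/encrypted/compressed) and the
    size relations that matter when reading Raw Size against Virtual Size."""
    notes: Dict[str, List[str]] = {}
    for s in sections:
        n = []
        if s["raw_size"] >= 512 and s["entropy"] >= packed_threshold:
            n.append("high entropy: packed, encrypted or compressed content")
        if s["raw_size"] == 0 and s["virtual_size"] > 0:
            n.append("no raw data: filled at run time (BSS, or an unpacking target)")
        elif s["virtual_size"] > s["raw_size"]:
            n.append("virtual size exceeds raw size: zero-filled tail, normal for .data")
        notes[s["name"]] = n
    return notes


def build_test_pe(sections: List[Tuple[bytes, bytes, int]]) -> bytes:
    """Constructed test image: MZ stub, PE signature, COFF header with no
    optional header, section table, then section data on 512-byte alignment."""
    e_lfanew = 0x40
    nsect = len(sections)
    data_ptr = (e_lfanew + 4 + 20 + 40 * nsect + 0x1FF) & ~0x1FF
    table, blobs, vaddr = b"", b"", 0x1000
    for name, data, vsize in sections:
        table += struct.pack("<8sIIIIIIHHI", name.ljust(8, b"\0"), vsize, vaddr,
                             len(data), data_ptr + len(blobs), 0, 0, 0, 0, 0)
        blobs += data
        vaddr += 0x10000
    mz = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    coff = struct.pack("<HHIIIHH", 0x14C, nsect, 0, 0, 0, 0, 0x0102)
    return (mz + b"PE\0\0" + coff + table).ljust(data_ptr, b"\0") + blobs


SAMPLE_PE = build_test_pe([
    (b".text", bytes([0x55, 0x8B, 0xEC, 0xC3]) * 256, 1024),  # four byte values: entropy 2.0
    (b".data", b"\0" * 512, 4096),                              # 512 initialised bytes, BSS tail
    (b".rsrc", bytes(range(256)) * 4, 1024),                    # uniform bytes: entropy 8.0
])

if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PE
    secs = parse_sections(image)
    notes = flag_sections(secs)
    for s in secs:
        print(f"{s['name']:8} VA={s['virtual_address']:#x} vsize={s['virtual_size']} "
              f"raw={s['raw_size']} H={s['entropy']:.5f} {'; '.join(notes[s['name']])}")
```

Read against the table above: every section is below 5.5 bits per byte, so the 650 KB .rsrc section that carries the bundled components and web assets is stored without byte-level compression, and the "Entropy: Packed" field in the summary is not reflected at section level; .data's virtual size (13096) exceeding its raw size (9216) is the ordinary zero-filled tail, not a sign of unpacking.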
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Total found: 24
e72f1b26ccd11a61ab3b1d840c826e2b
99003cb09ca70d45fac4fb32e5399587
0f7a82d7763c300557e569886f4208fb
e6db1f885f501ce27db25bd0a5c619cd
c0bc5d6930dab81029531be2dc6e0308
f9c1eaba84f3ac6e8ff315eb937a79c2
655c4aa4b50967b716077b07c86e7d9b
24cd3c139ffc8fe1249149857614fbb3
7a660045686faa04e3788ef1ea77533d
93680d312fee389edaaa9cda383194b3
d218822401c7d2dc804cde1c6a019f98
ac9328fd619afcc68aa52ec124af2b74
de7446f0b0406391972be69770b41142
518b80d93ca9222fe27725d17a6bdd29
b37a9e45578a2136f36e189481c80065
af55e8b1ffa3a542c4c599f87ea1fa34
8f1f49bfff8cbdf8b3b59cecc1991990
ec5afbf9f7ae28d296c222579b4255b7
3546998e010e36772bde80ba5c51b938
042894e34888fd250e9c6dbc6d58dc6a
8971f6e3b4b5582dbd94c4b7537b4e3a
502399cc417fd64158205c76170043f3
2a5f05824ed03380ef5986a54692551b
72fbe038ab46bb9ba5f8522b7f225817
Network Activity
URLs
URL | IP |
---|---|
hxxp://174.36.241.169/track/ib-start?cid=4105 | |
hxxp://174.36.241.169/track/ib-show?cid=4105&componentid=518 | |
hxxp://174.36.241.169/track/ib-show?cid=4105&componentid=519 | |
hxxp://173.192.190.226/files/components/sp-downloader.exe | |
hxxp://173.192.190.226/files/components/BuenoSearchTB.exe | |
hxxp://173.192.190.226/files/components/SearchShock.exe | |
hxxp://173.192.190.226/files/components/SearchAlgo.exe | |
hxxp://173.192.190.226/files/components/yandex_downloader_v3.exe | |
hxxp://173.192.190.226/files/components/CloudBackup.exe | |
hxxp://173.192.190.226/files/products/PCPerformerSetup-4.exe | |
hxxp://173.192.190.226/files/components/PortalMoreSetup.exe | |
hxxp://173.192.190.226/files/products/UnknownFile.exe | |
hxxp://173.192.190.226/files/components/SpeedanAlysisSetupW.exe | |
hxxp://173.192.190.226/files/products/ffdshow.exe | |
hxxp://173.192.190.226/files/products/MatroskaSplitter.exe | |
hxxp://www.appregis.com/files/components/BuenoSearchTB.exe | |
hxxp://www.appregis.com/files/products/ffdshow.exe | |
hxxp://api.ibario.com/track/ib-start?cid=4105 | |
hxxp://www.appregis.com/files/components/SearchShock.exe | |
hxxp://www.appregis.com/files/components/CloudBackup.exe | |
hxxp://www.appregis.com/files/products/MatroskaSplitter.exe | |
hxxp://www.appregis.com/files/products/UnknownFile.exe | |
hxxp://www.appregis.com/files/components/PortalMoreSetup.exe | |
hxxp://www.appregis.com/files/components/yandex_downloader_v3.exe | |
hxxp://www.appregis.com/files/components/SearchAlgo.exe | |
hxxp://api.ibario.com/track/ib-show?cid=4105&componentid=519 | |
hxxp://www.appregis.com/files/components/sp-downloader.exe | |
hxxp://api.ibario.com/track/ib-show?cid=4105&componentid=518 | |
hxxp://www.appregis.com/files/products/PCPerformerSetup-4.exe | |
hxxp://www.appregis.com/files/components/SpeedanAlysisSetupW.exe | |
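The Traffic captures that follow show how the components are fetched: a HEAD request first (to learn Content-Length and that the server accepts ranges), then GET requests with Range headers that pull the executable in equal-sized chunks answered with 206 Partial Content. As an added example, not part of the Lavasoft report, here is a parser for that capture format and a summariser that reassembles the ranges per file and flags executables pulled in several chunks. The sample capture is constructed from the MatroskaSplitter.exe and PCPerformerSetup-4.exe exchanges below, with the defanged host written out as www.appregis.com and response bodies omitted.

```python
"""Reassemble range-based downloads from an HTTP capture.

Added example, not part of the Lavasoft report. SAMPLE_LOG is constructed
from the MatroskaSplitter.exe and PCPerformerSetup-4.exe exchanges in the
Traffic section, with the defanged host written as www.appregis.com and the
response bodies omitted (the capture shows them as '<<< skipped >>>').
"""
import re
from collections import defaultdict
from typing import Dict, List, Tuple

REQ_RE = re.compile(r"^(GET|HEAD|POST) (\S+) HTTP/1\.[01]$")
RESP_RE = re.compile(r"^HTTP/1\.[01] (\d{3})\b")
HEADER_RE = re.compile(r"^([A-Za-z][\w-]*):\s*(.*)$")
CRANGE_RE = re.compile(r"^bytes (\d+)-(\d+)/(\d+|\*)$")


def parse_exchanges(log: str) -> List[dict]:
    """Split a request/response capture into exchanges. Lines that are not a
    request line, a status line or a well-formed header (body residue) are ignored."""
    exchanges: List[dict] = []
    cur = None
    for line in log.splitlines():
        line = line.rstrip()
        m = REQ_RE.match(line)
        if m:
            if cur:
                exchanges.append(cur)
            cur = {"method": m.group(1), "path": m.group(2), "req": {}, "status": None, "resp": {}}
            continue
        if cur is None:
            continue
        m = RESP_RE.match(line)
        if m:
            cur["status"] = int(m.group(1))
            continue
        m = HEADER_RE.match(line)
        if m:
            target = cur["resp"] if cur["status"] is not None else cur["req"]
            target[m.group(1).lower()] = m.group(2)
    if cur:
        exchanges.append(cur)
    return exchanges


def covered_bytes(ranges: List[Tuple[int, int]]) -> int:
    """Size of the union of inclusive byte ranges (re-fetched overlaps count once)."""
    total, end = 0, -1
    for a, b in sorted(ranges):
        a = max(a, end + 1)
        if b >= a:
            total += b - a + 1
            end = b
    return total


def summarize_downloads(exchanges: List[dict]) -> Dict[Tuple[str, str], dict]:
    """Per (host, path): declared size, chunks fetched, and how much of the
    file the captured chunks cover."""
    files = defaultdict(lambda: {"total": None, "ranges": [], "head": False})
    for ex in exchanges:
        key = (ex["req"].get("host", "?"), ex["path"])
        f = files[key]
        if ex["method"] == "HEAD" and ex["status"] == 200 and "content-length" in ex["resp"]:
            f["head"] = True
            f["total"] = int(ex["resp"]["content-length"])
        elif ex["method"] == "GET" and ex["status"] == 206:
            m = CRANGE_RE.match(ex["resp"].get("content-range", ""))
            if m:
                a, b, tot = m.groups()
                f["ranges"].append((int(a), int(b)))
                if tot != "*":
                    f["total"] = int(tot)
    report = {}
    for key, f in files.items():
        fetched = covered_bytes(f["ranges"])
        report[key] = {
            "total": f["total"],
            "chunks": len(f["ranges"]),
            "fetched": fetched,
            "coverage": fetched / f["total"] if f["total"] else None,
            "head_then_ranges": f["head"] and bool(f["ranges"]),
            "executable": key[1].lower().split("?")[0].endswith((".exe", ".dll", ".msi")),
        }
    return report


def flag_segmented_executables(report: Dict[Tuple[str, str], dict]) -> List[Tuple[str, str]]:
    """Executables pulled in two or more Range chunks: the download-manager
    pattern, which also means no single TCP flow carries the whole PE for a
    network file scanner to inspect."""
    return [k for k, r in report.items() if r["executable"] and r["chunks"] >= 2]


SAMPLE_LOG = """\
HEAD /files/products/PCPerformerSetup-4.exe HTTP/1.1
Connection: close
Host: www.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Content-Type: application/octet-stream
Content-Length: 4254614
Accept-Ranges: bytes
HEAD /files/products/MatroskaSplitter.exe HTTP/1.1
Connection: close
Host: www.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Content-Type: application/octet-stream
Content-Length: 1393969
Accept-Ranges: bytes
GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=278793-557585
Host: www.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Content-Length: 278793
Content-Range: bytes 278793-557585/1393969
<<< skipped >>>
GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=557586-836378
Host: www.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Content-Length: 278793
Content-Range: bytes 557586-836378/1393969
<<< skipped >>>
"""

if __name__ == "__main__":
    rep = summarize_downloads(parse_exchanges(SAMPLE_LOG))
    for (host, path), r in rep.items():
        cov = "n/a" if r["coverage"] is None else f"{r['coverage']:.0%}"
        print(f"{host}{path}: {r['chunks']} chunks, {r['fetched']}/{r['total']} bytes ({cov})")
    print("segmented executables:", flag_segmented_executables(rep))
```

On the constructed sample the two MatroskaSplitter.exe chunks cover 40% of the 1,393,969-byte file; the chunk size, 278,793 bytes, is one fifth of the file, and the remaining chunks are simply not in the excerpt, so low coverage here means an incomplete capture rather than a failed download. When run over a full capture, coverage close to 100% for a URL confirms the PE was retrieved in its entirety even though no single flow contains it.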
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=3821680-4777099
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 3821680-4777099/4777100
<<< skipped >>>
GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=557586-836378
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 557586-836378/1393969
<<< skipped >>>
HEAD /files/products/PCPerformerSetup-4.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 4254614
Last-Modified: Thu, 03 Jul 2014 07:06:18 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/components/SearchAlgo.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 504024
Last-Modified: Fri, 01 Aug 2014 12:54:52 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/products/MatroskaSplitter.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 1393969
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/components/SpeedanAlysisSetupW.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 1952505
Last-Modified: Tue, 17 Jun 2014 12:40:52 GMT
Connection: close
Accept-Ranges: bytes
GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=1910840-2866259
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 1910840-2866259/4777100
<<< skipped >>>
GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=278793-557585
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 278793-557585/1393969
k...9}@.<-4..}.. wo`$ey......1..r..6f...r...%....*.....<....=.&...>K..9g...................a.C_._Mn.]W.b.2Y[....b.8...cl...Fj.....F32..C...5q=.>..Q...:.....%....vHJ.... h:....&.U._.@.9......`p....r.....DL.Z.*c.E-...)]...F..#Y.%..j2a,.......$..X5>z)..u....Px...k...cW1..>..o.....KK....x;...b.E.L.j:....<p25.4|^..e.s.............>.H....5......W..w.X(..S....X.d...]"7......M...4......g.."s........h..%.....-..m..- .H3..9u.#V|bn...&i..o..M.....Dj...7%..Pw..d?.M..GC.EfW..l.....0.c.....J...>9u>AxJ...l.!5.6".....U......u.G...V..Q*95..w.!..3....i..d?.*Q.:..*?y.?]RW...r<{.h...K....-XA.}.L.S..51Z.~......-.......b=...........W.@.^.(#........k#....N|.'c'.......Gl...<>........y%.RM..H..Z.t.y...4...o..;N..F.......O....ui.3...C..._.u.Ut...7f.........hXmZ......&C...... $...F..i..../sQ...n....y[..pU..)....R@..%*...(..gR..9t.. U!.....B./.QX.&.}.....l.v.R..o..J..-.b...*Qe.........m........!..._.%l.h.Cc.{.b.u(n!"aq.k.b[.v.9k.A.6[.$.F_P.`.E'........s. ..Ig.".l ...;.23C../.8..%g.....s........D.........v...... 9.....#..T...7.D.....;.,V.W..P..@'.0.......7...:.....miVjO.......\VM.`.4.p._...k..L..8..R.K@..E...(.;...9..A1. .u.c...........i.....H.Nv... ...#i....Pd...y...t... .........|..............-E......u..n&??..B..&.....EV..|...2d.x..1....'.V..k.!W.......K......5o..x.o..d.. .....~.d..)...SW.lY.\.....a....S.i.....J..ytC........B`.W...b.C.<O..3..Z..AR..E.;4....2F......S.f.QW..dK..iy...f..B..8.....`.l........'......4. ../.9....L..s.b>.<.m.M.....>............=..v#Z........6...A.U.s....AE`.uX
<<< skipped >>>
HEAD /files/components/SearchShock.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 575323
Last-Modified: Fri, 01 Aug 2014 12:54:56 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/products/MatroskaSplitter.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:16 GMT
Content-Type: application/octet-stream
Content-Length: 1393969
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: close
Accept-Ranges: bytes
GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=0-955419
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 0-955419/4777100
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L....q.N.................d.......B...3............@..........................0....................................................... ..x............................................................................................................text...@b.......d.................. ..`.rdata...............h..............@..@.data...|f..........................@....ndata...................................rsrc...x.... ......................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.
<<< skipped >>>
GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=1115172-1393968
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278797
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 1115172-1393968/1393969
|j......."......h>.OY..b..C......r.B.?..... ...Uy..5K(.F./.:'=|R.")V.F..2.....hb`.O......:.M..^.......]...pTa.s..)[s{.Uj....M..5..9..<-..9C...(.J....\.........}<@..*.....Y......0/$-...@..K....Z../...K...kY0.._!.......P..'.......O....d..V...G..>J.0..,<.{......!...oU..-7E(...n.7.$4..j......YP..Um.......aP..7-[...R.>.T.r.Q......./F....#v..^l..)....R.Z.\{.cn....:...|!...........p....../....=]4....K.?..#...U7...b.%if......6..q..\.,1M.].{......j.O.TN.....@..l)1...L.i.u..$.w...}.u!=.xt.1..!..h..D..u.[,......zw.i....=.Z..p....".....EQ...s.K.K.......{.f..b.".. .s./....a...WZ.!........i.C.4L..2rFXA....5t.......x. ...9=#Q...`y......I(..b.......Z..,..Fv>O..`Nb.g...(..!...ZP2b.x..l,aO>$....!...G.'...6*..*...._..ieb....1..-.8.=...Zb.".D..KIL..?...VB...P.{.8.V5~./..Yl.p..U..N..)|.....s[b...G].m..E..>.....yQ..................bJE......;O{&&...Ph..5K3..&\o.....r .,.......^.Y1.W..nJ.^hP.StQtHG....[.=..M.:..2. ..@WV..x.Z].....x..].C...%.{.M...d".l8].-V...$.k.Am.......W.<st.8.~..V...A.E..........m.8..S.W........)1....C.mW].e..Yg.V.........=.Z7................k.....K/.."g...Jk....)TB...wi.......Q.>.4G..I...x?......s...[.7Z....... ...8.....K.#..f.S.l<L.-y<rhV.........7.3.'...v.z...H.....9(.U.-....3'......9x....4..n'w..N. :...........-1.J.0.#...0.1 !...h......Jp'H...O.H...TN}.5E.........M=.@.....i.=.8.......:.Ug.p..2.;.D(.-%Z#.W.y-..T..pu..z.a@[._.l&T.2.-0.kB.0.g.j.s0.|(...`.......:/r...}. J..V.d0.6..'....]!..Kw...M73:...zG].4.d.t.kz.c%.|...A..L...[......!....h..r..HM..!.....07.g.-~E...X..Z...)ha
<<< skipped >>>
HEAD /files/components/CloudBackup.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 165000
Last-Modified: Tue, 22 Jul 2014 07:47:03 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/products/UnknownFile.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 140443
Last-Modified: Tue, 22 Jul 2014 12:39:41 GMT
Connection: close
Accept-Ranges: bytes
GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=2866260-3821679
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 2866260-3821679/4777100
j..".i...7....18...d......=....G.<.x....(......`...0.n.0...R.c...:..F.4.*-.^...c...4.r.L..rE".O"..J@.Q.E]..X.R..|h.......5.S.^;...].|X.0X...P..&....Z..K`[...!..iOu...E5J...6.y.....UH\i..rP.....KV.B!Z..7Ej...9XN..8...Z ...LO..|.}..e...y....KJ.u}7.C.......i.P;Mi8N.....2..{2w..z.....y..a.bZ?..wu3...m.M.^..?...e.U.......N...Y.N$.U...J.P.w..X`\Y..x...DMz.0.......B..e.'.%^.. i..%....tB ...]_....io............;...<..".d.-.x,.X.....q..dYt...?V..0.1......%....e..5.....Wi:.w. ..(e.j..p..........I..Z.]-..P..^.L.(.Z.n%..jP.7..l..F4/.%..EPP..?...~.p..i....MZ..-~..........x..}&a.....H..;..[.;KI....i.7..).._.z\..h.K.2..8o}!..P.......Pgs......>.MC'y.b..>.pU.=...._)>..o....\...k.i.B.=C4.OOv..{..[6......n..u..O....Z....<.3/..L.:..,.:.W.....7.!.;iTK.....m..ss>|..&u.....\.....Z.lz..UG.M..o.......W......)...I(.....N5V.f{. ..#.1.m4ON......-..<h...!....Q_..k^ .....C..3nl.....LvP- ....V..`.2y]V..hR.q...._....3...6f.y..z....&...L.oUS.\.J......?lT.j.5.\R....w.e*9}r"O.3.ay.....V..Q..P...xU&K."cb..."Dq..Ji^.N.......J~...ww,..@...3./c..h..|X..4.w..s.<....u..Q....W.L.Z..3 .(..u..Kk. ............c.4n#D..)....W.....>.B..E.|h*'.!. 6....;....<..M.M...vp..G..5.,.-.4.S.n.#...~.oA;.lj...H...*].~..G.......9..]...<.F7r{..f...9..s..3..0.. 1.0.m..|..........m...f...!&...-2a?.9....I..j*%.j..M...G*f.P.'.M;.wK...ci....7......./d..rX.Q..?..n.9.a.h..P..n>.#....;.@.0.....e..@Ah.H..(&7.........W....\.Y....'h .....}>.:'.\.n .../.O....u;.y'....7...... .|..L...0"........Y..B|..5J..%..n...Q,....z.Y[.q.6.eM.;.L....Gq?.N..
<<< skipped >>>
GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=836379-1115171
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 836379-1115171/1393969
QC.#:..0.........z.;#-......#6.ZE^P.....1|..If..lE.$..r..>....5@..c..[.....F.....7q....C....J?..]%. .w.sR..2x.....-.-.Sw..i.).M.'n.......U.9.........C}..71..W].....\.A7.s...........;.[.F.'_(....=N.Z.....M..W.J=.8.l...V0..y._8?P. ......p. ......7..7O.........id...2..l......8.<.3..^3..'N.]\@...r.H.?......e{..;.o.J.s!.Sz.].=.G..@P....T..!t... ...c.ZuI. .f.x.M......d~..b...0S...>.....p.IRd.E.....m... ....`....V....*.G........qy...U\k..E"..5.{:S.t..v:{.m..z..../.JE.. .....t......U(S.s.....KL.Wfa(.)f.c....0..c...9.pQ............a3t2...C.u...5d..2-...QH......61.. .....L...%........q......Z7...K......j..uW..\nA.M.-..E....~e.#.g9....G.z......x.h..B.s...: L<.^..v...@..........D5.$.3.k....,/.G.t.q....^...|.n...KfJ;..y...B.W.......gU...d..#*..]2.f.Z.....S...).v).........F..QH......IE[y.W.6..D..4.p.........i...HK.......Z..k...8.KS':z.X...bl@......tZ.M.;.DU.~....!.)J...........D.8t.......p...e.)..-0...=.;).....8o.<hj.../8<T...X.....y...`K.2.4.1...Q....Q...z.1.2q.N....)...5...k.H...s..|,..t.U..R...........*...._..BF.7.LaWV.F=G#.W7.7...m...6.|....k_;Pz..$....?.......B.Y.....A......F[..wO>=._R-.T.....u.h...>.r.!..........$..x..dG. $....XV.%...\&...r..h....3u..Z..z.s.J.b......W)JP...u.%..!.f..F...Y$c....~1.g..]......,.4.-.T..0....3....~^...!......*6..%.2...........#..'.uiBIao. ..6...j.4 O..-0J.<A..3.-2...g^1..pzm~.*..3.c..d..r.d......~....h.eU'Ko,.A..D...8......m..3......-...[...6..B3\.!.\[....}'..3...x.,.#.....y-..(...O.%..Q......p.I....]......y.&H..Xo#0.;..Y.u[....GZR..g.......}.!.......|.`...P.q....
<<< skipped >>>
HEAD /files/products/ffdshow.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 4777100
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/products/ffdshow.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:06 GMT
Content-Type: application/octet-stream
Content-Length: 4777100
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/components/sp-downloader.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:04 GMT
Content-Type: application/octet-stream
Content-Length: 145928
Last-Modified: Wed, 14 May 2014 15:11:00 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/components/BuenoSearchTB.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 744136
Last-Modified: Mon, 16 Dec 2013 10:24:31 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/components/yandex_downloader_v3.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 145792
Last-Modified: Wed, 17 Jul 2013 10:46:52 GMT
Connection: close
Accept-Ranges: bytes
HEAD /files/components/PortalMoreSetup.exe HTTP/1.1
Connection: close
Host: VVV.appregis.com
HTTP/1.1 200 OK
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/octet-stream
Content-Length: 582640
Last-Modified: Tue, 12 Aug 2014 12:10:04 GMT
Connection: close
Accept-Ranges: bytes
GET /files/products/ffdshow.exe HTTP/1.1
Range: bytes=955420-1910839
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:12 GMT
Content-Type: application/octet-stream
Content-Length: 955420
Last-Modified: Sat, 11 Jan 2014 12:15:49 GMT
Connection: keep-alive
Content-Range: bytes 955420-1910839/4777100
..........:..5..v.v!.:..98 ._..c...9...|......b..}.....xm.u|.2>.....9...c......t0k;$ .;.....=...^.....^..W.$wN..i'...7....~&.t...1E..o..5........].>....q......O6. P.k..5...D...@.......... ..@z.a.z{.?.n.?....Q...x2>..i.E...........h.eL....SG.<Ax..O..mO.QE.P...V..%..Z.>..v.n....#m.....I$.^i.....Q.,....\....a..O...iY....k...Q/OI..w.C......@.&...s...}....0...A..M..6..p..V ..E8Tc_;f.P....D:7.-P..F5.QtY.3l..Y%r.;...k o.v[..k(.y"..}).....c....Kt.$<...2f".3y..)m...U..E.._".J.....s4..Sy.....[_..a.....zf...u.C ...x..E...5r...?a....p...Y...d?....... .. 4./...6.4..-.s..A.)..>$U...IE.f....A..].f.{/h......h.....0..~"..W(.....o..(S.E.A.....3.b{8.).(..%..rbH.9..c`.$.Y../.T. 9a..f...x...n..G.7....Q.3...z..h.{..W....E..5X..lyM.^.b.....#.......Z3.....n...&.V4../.#Ux.>.D.9....;..t.4........<..m.y...''.xV.5.....#.Bl...`..$.C5 ..=.....({Y#C.{.......l.W..!.$...6...Q.A ._....Qj.`....%4.........O....u26....U.<.e. .....u.........<....1}C.^b.qC.9./..=..0[.m....$RqU[J...t....Z.....\0.!...5`&.C_Tp....$V... jB.......X#.!....]'{...y&CV....DWR...u....[,................a......B.!..x........){J..n..V....b.lK.`C>.6L.*.....n4.a.....s..T...xo...F.....G..k.<.....4B...e.!.....',e.!6..e`7.x...S..dGj.J|.`....Q1.%.......\\P..u'd.....(....C6nFL..^......Y........@6.....l..S.1bI..1.......{/. .....................<.|.8....B.....U......g...... .....[.....X...>^U4b.. NJ.....v!.EC.0.........$u.._.I....&.eA....&....#...........yyIo/..T_..e$..6j...m..G....NG}...`BQ.....~..X>6...8.].......D..I@.#...v.......] .pA
<<< skipped >>>
GET /files/products/MatroskaSplitter.exe HTTP/1.1
Range: bytes=0-278792
Host: VVV.appregis.com
Connection: Keep-Alive
HTTP/1.1 206 Partial Content
Server: nginx/1.2.4
Date: Sun, 17 Aug 2014 02:07:17 GMT
Content-Type: application/octet-stream
Content-Length: 278793
Last-Modified: Sat, 11 Jan 2014 12:27:02 GMT
Connection: keep-alive
Content-Range: bytes 0-278792/1393969
MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........#yd.B.7.B.7.B.7..z7.B.7..l7.B.7.B.7.B.7.:.7.B.7...7.B.7.:.7.B.7Rich.B.7........................PE..L....q.N.................d.......B...3............@..........................0....................................................... ..x............................................................................................................text...@b.......d.................. ..`.rdata...............h..............@..@.data...|f..........................@....ndata...................................rsrc...x.... ......................@..@................................................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u...|.@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ.U.
<<< skipped >>>
GET /track/ib-start?cid=4105 HTTP/1.1
Host: api.ibario.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 02:07:04 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
27..{"flash":{},"error":false,"status":200}..0......
GET /track/ib-show?cid=4105&componentid=518 HTTP/1.1
Host: api.ibario.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
27..{"flash":{},"error":false,"status":200}..0......
GET /track/ib-show?cid=4105&componentid=519 HTTP/1.1
Host: api.ibario.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 17 Aug 2014 02:07:05 GMT
Content-Type: application/json
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=2
Vary: Accept-Encoding
X-Powered-By: PHP/5.4.13
27..{"flash":{},"error":false,"status":200}..0..
Map
The Application connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_1840:
.text
`.rdata
@.data
.rsrc
@.reloc
RC4 for x86, CRYPTOGAMS by
6-9'6-9'
$6.:$6.:
*?#1*?#1
>8$4,8$4,
AES for x86, CRYPTOGAMS by
cwX_UcTB^DCRTf
yTPAwCTT}^PUcTB^DCRT}^RZcTB^DCRTbXKT^WcTB^DCRT
\PX_BTEnBGRnREC]nYP_U]TCP
wX_UcTB^DCRTf
1.2.7
inflate 1.2.7 Copyright 1995-2012 Mark Adler
operator
GetProcessWindowStation
GetWindowsDirectoryW
GetProcessHeap
KERNEL32.dll
USER32.dll
GDI32.dll
GetCPInfo
zcÃ
\u.bo
b7x.Kr
.vw$.]n
.Gkek
/x.aQ
z)EJe-e}
/%F)Y
z.RA.
G.tiJ
.se
F.Qtu
G.pP;
=ai?@.ef
qB.Ay
%sA2K
DC> '%d
w.DDs
.tEpU
&.GO)'T
f.ATI
l%Uem
E%D,^
.C.qoU
Q%c:N
%f=esO0@
eL%F%u4
8%XGyvK
h.TS$w
}qD.KX,
q.MbY
)5N %S
.yo0m,
x.sU)
m%fIZ
Y%xsc
0.ekS
.Ea{;w
d*.rQ-
x7^U.Vj
2V.xi]
7*8084888
2 2$2(2,2
$0 0@0|0
? ?%?,?1???
kernel32.dll
KERNEL32.DLL
mscoree.dll
- Attempt to initialize the CRT more than once.
- CRT not initialized
- floating point support not loaded
WUSER32.DLL
c:\%original file name%.exe
15.9.28.27
installer.exe
%original file name%.exe_1840_rwx_01570000_00001000:
.text
`.rdata
@.data
.rsrc
@.reloc
%original file name%.exe_1840_rwx_0167E000_00004000:
c:\%original file name%.exe