ThreatExpert Report: Worm.Win32.VBNA.isu, W32/SillyFDC-DV, Worm.Win32.Vobfus, Downloader-BWS

Visit ThreatExpert web site

Close Report

Submission Summary:

Submission details:

Submission received: 15 October 2009, 13:43:01
Processing time: 10 min 57 sec
Submitted sample:

File MD5: 0x0B8AAE0A3DDAAD38684E8211996F2205
File SHA-1: 0xC51528CBFBEA175569357E743B3742BE191CCBCE
Filesize: 49,152 bytes
Alias:

Worm.Win32.VBNA.isu [Kaspersky Lab]
W32/SillyFDC-DV [Sophos]
Worm.Win32.Vobfus [Ikarus]

Summary of the findings:

What's been found	Severity Level
Produces outbound traffic.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Registers a 32-bit in-process server DLL.
Registers a Browser Helper Object (Microsoft's Internet Explorer plugin module).
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

Attention! Characteristics of the following security risks were identified in the system:

Security Risk	Description
Adware.BHO.GEN	Adware.BHO.GEN is adware that use BHOs to display ads or can be used for malicious purposes like gathering info on your surfing habits. It also has the functionality to download and install further malicious files from remote servers.
Trojan.FakeAlert	Trojan.FakeAlert will hijack the desktop background with an image alerting the user that their computer system has been infected with spyware. It also changes some settings of windows which include:- disabling permissions for the user to change the background image and setting the active desktop to 'show web content'. It is usually installed in conjunction with a rogue anti-spyware application.

Attention! The following threat category was identified:

Threat Category	Description
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#specificclick.net\settings.sol	87 bytes	MD5: 0xC1388F8EB3F4352973844EB87B6C5FA7 SHA-1: 0x3112A3C277888EE54C9887B1A941FC9CFDE98433	(not available)
2	%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#suitesmart.com\settings.sol	84 bytes	MD5: 0x7252078074940B57CF20BF0D157C258B SHA-1: 0x0BF827D6509588C79DC0BAD4120F1C466D25FF03	(not available)
3	%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\settings.sol	204 bytes	MD5: 0x426042EA272BD1FA9368ADEA009ADA9A SHA-1: 0xEA22B9696F44DAA617C3FD9027D8E70085C6C180	(not available)
4	%AppData%\Macromedia\Flash Player\specificclick.net\img\gu.sol	69 bytes	MD5: 0xB9B848DEC1F832A2A5F69B66A07C46C8 SHA-1: 0xC8FEC63FFA5B3751B260947898D8012C2A532D31	(not available)
5	%AppData%\Macromedia\Flash Player\suitesmart.com\6thElement.sol	151 bytes	MD5: 0x9972C6D17B811E13E7FFCD5E97467741 SHA-1: 0x2895CBDF0617DF4396CC197B1260EE1161109CEB	(not available)
6	%Temp%\4.tmp	76,800 bytes	MD5: 0xD669F6DDEB953B31ABCFA6E62F932CC2 SHA-1: 0xFB8C09365FBADB64B057E982F6E404B6A6E95EA7	(not available)
7	%Temp%\a.dat	78,444 bytes	MD5: 0xBAF79D526F474216F7EAA5BD577999BA SHA-1: 0x6CC0EDE0F0E10B535F8B4B79EEA39FB98A40900F	(not available)
8	%Temp%\a.exe	298,500 bytes	MD5: 0xF0C0636A810D15D229B16D773ABAB1C1 SHA-1: 0x7DD9B7C00E4E5F3B8D52186926BCE2FB1D43E19F	Downloader-BWS [McAfee]
9	%Temp%\b.exe	167,936 bytes	MD5: 0x54C1B2B1E6B0E767AD9768EC7F4DAFA9 SHA-1: 0xD73400E6E156D533010423B376D83207DB536767	Downloader-BWS [McAfee]
10	%Temp%\c.exe %Windir%\msa.exe	163,328 bytes	MD5: 0xD38573BDBB21112CCF50EE60D71C020D SHA-1: 0xBE31A3826185DFC56704897713E3E2E3C2AB94EC	Downloader-BWS [McAfee]
11	%Temp%\msxml71.dll %System%\msxml71.dll	225,796 bytes	MD5: 0x4F14B8D2EC80D72A2809BD0080A81D50 SHA-1: 0xA4020016C3EEA2DE309328B86394F3E5824EAD6F	(not available)
12	%UserProfile%\qktier.exe	49,152 bytes	MD5: 0xBABFCD0A98FEFEC9FF4845FFF405E8B7 SHA-1: 0x9E6EC413A066B4302200BECAA66C8BB82E7076F6	Worm.Win32.VBNA.isu [Kaspersky Lab] W32/SillyFDC-DV [Sophos]
13	%UserProfile%\UserData\45SPQRWX\pmocntr[1].xml	40 bytes	MD5: 0xB5E7F68B51A5B80BF635C3E757E86A83 SHA-1: 0x653054857448A4FC53EF22C6B3762D4DEAB16A73	(not available)
14	%UserProfile%\UserData\index.dat	32,768 bytes	MD5: 0x537C10CFA371EFE2EB5884D5818CD2DA SHA-1: 0x5C2FD5A82795C4DD0F737C0F3A33EC22EC7B5F51	(not available)
15	[file and pathname of the sample #1]	49,152 bytes	MD5: 0x0B8AAE0A3DDAAD38684E8211996F2205 SHA-1: 0xC51528CBFBEA175569357E743B3742BE191CCBCE	Worm.Win32.VBNA.isu [Kaspersky Lab] W32/SillyFDC-DV [Sophos] Worm.Win32.Vobfus [Ikarus]
16	%Windir%\Tasks\{7B02EF0B-A410-4938-8480-9BA26420A627}.job	330 bytes	MD5: 0xC8552BA703CD499063C218D2596944F4 SHA-1: 0x04FD0CE6D6D374EF1218D32B59A8D30BF984EC0C	(not available)
17	%Windir%\Tasks\{BB65B0FB-5712-401b-B616-E69AC55E2757}.job	290 bytes	MD5: 0xE36297952166744FBED59A76F49CF0D7 SHA-1: 0x9B84E7DCED990A21659745B508996EB9187C7804	(not available)

Notes:

%AppData% is a variable that refers to the file system directory that serves as a common repository for application-specific data. A typical path is C:\Documents and Settings\[UserName]\Application Data.
%Temp% is a variable that refers to the temporary folder in the short path form. By default, this is C:\Documents and Settings\[UserName]\Local Settings\Temp\ (Windows NT/2000/XP).
%Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.
%System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
%UserProfile% is a variable that specifies the current user's profile folder. By default, this is C:\Documents and Settings\[UserName] (Windows NT/2000/XP).

The following directories were created:

%AppData%\Macromedia
%AppData%\Macromedia\Flash Player
%AppData%\Macromedia\Flash Player\macromedia.com
%AppData%\Macromedia\Flash Player\macromedia.com\support
%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer
%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys
%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#specificclick.net
%AppData%\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#suitesmart.com
%AppData%\Macromedia\Flash Player\specificclick.net
%AppData%\Macromedia\Flash Player\specificclick.net\img
%AppData%\Macromedia\Flash Player\suitesmart.com
%UserProfile%\UserData
%UserProfile%\UserData\45SPQRWX
%UserProfile%\UserData\IF2ZI163
%UserProfile%\UserData\OP4NO7CR
%UserProfile%\UserData\YH0JULM5

Memory Modifications

There was a new process created in the system:

Process Name	Process Filename	Main Module Size
[filename of the sample #1]	[file and pathname of the sample #1]	57,344 bytes

Registry Modifications

The following Registry Keys were created:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\Programmable
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\?.0
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML\CurVer
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML.1
HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database
HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Health
HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\188590E94878478E33B6194E59FBBB28FF0888D5
HKEY_CURRENT_USER\Software\NordBull
HKEY_CURRENT_USER\Software\PopRock
HKEY_CURRENT_USER\Software\XML

The newly created Registry Values are:

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\VersionIndependentProgID]

(Default) = "XML.XML"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\TypeLib]

(Default) = "{9233C3C0-1472-4091-A505-5580A23BB4AC}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\ProgID]

(Default) = "XML.XML.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}\InprocServer32]

(Default) = "%System%\msxml71.dll"
ThreadingModel = "Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{500BCA15-57A7-4eaf-8143-8C619470B13D}]

(Default) = "XML Class"
Install = "OK"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\TypeLib\{9233C3C0-1472-4091-A505-5580A23BB4AC}\?.0]

(Default) = "%System%\msxml71.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML\CurVer]

(Default) = "XML.XML.1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML\CLSID]

(Default) = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML]

(Default) = "XML Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML.1\CLSID]

(Default) = "{500BCA15-57A7-4eaf-8143-8C619470B13D}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\XML.XML.1]

(Default) = "XML Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{500BCA15-57A7-4eaf-8143-8C619470B13D}]

(Default) = "XML module"

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

ProxyEnable = 0x00000000

[HKEY_CURRENT_USER\Software\Microsoft\SystemCertificates\CA\Certificates\188590E94878478E33B6194E59FBBB28FF0888D5]

Blob = 03 00 00 00 01 00 00 00 14 00 00 00 18 85 90 E9 48 78 47 8E 33 B6 19 4E 59 FB BB 28 FF 08 88 D5 14 00 00 00 01 00 00 00 14 00 00 00 6F EC AF A0 DD 8A A4 EF F5 2A 10 67 2D 3F 55 82 BC D7 EF 25 04 00 00 00 01 00 00 00 10 00 00 00 2A C8 48 C0 85 F3 27 D

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]

qktier = "%UserProfile%\qktier.exe"
PopRock = "%Temp%\b.exe"

so that qktier.exe runs every time Windows starts

so that b.exe runs every time Windows starts

[HKEY_CURRENT_USER\Software\NordBull]

Az3 = "FOqkUNfIRBTc8A=="
Az0 = "Gbv+C4eSExjnyIpWf4+pYXAo/2QGxA/X94OiMMEM3fg23rLn0kVI9YcTSRoffLGHycxraJm1ufEnpdfBqGrOrjLo/LjV1Zr+/rGYLrJ7eJrt46LyThpDYY+cxMWSz91dRwXpJsHsy7V7dgBBmi3NT68mL9q/Phdk6EMKXhoes+5/kg235gBrKZc8UGgZcw=="
Av2 = 0x0000000A
Av5 = 0x00000E10
Av3 = 0x000000FA
Av4 = 0x00000064
Av6 = 0x00000023
Av0 = 0x01CA4EA1
Av1 = 0x6520F3C0
Az1 = ""
Az2 = "ZuLNIa64IWuvvLI2X46gM04m4XVnqi/6lPGZOoQgs7J0x4Dgk1NI9w=="
Az5 = "QbnlBNyuOG7blc0iRrv1DWIou3RathOLsvSwFdkIr4V8hp3J3AMd8pQZLjc1IOuz2/QoYJPj8M8DoISrvFrn/Gi7k+HpzL2T64qFM79+bbj3+bewbRsFKuHcm6/K3+VicEjzRpu/85V5VyJLhlOXcKtmO/aOHzwl7z0ZeT8RqPlBiUPooWsWAYI3WVlGNMHRf+kkGR8OxdiqB93h0j9OqgbA5jR44a8rumYaRhJ038DsdFwAcCbHEti0G

[HKEY_CURRENT_USER\Software\PopRock]

Az2 = "xC7aKZ+O6wyPlq1krRM4sG7m2LFGsYtHjHOagBf10Uk/n4gL8s8xs9LeD5KQVh3/j+XFa0mnr175UElKKyciA2gn6tUEA721Fj4P"
Az0 = "tSLPLpWL7R22spR48AI743bz2Kge8sER1Vj7sD2gyQRgyYcu/tI6sNDZRrOqWFi5zuLKTW36qnPdFzBreQhQOTxhtN8FGeDjXGBLsDEcMbWAXu2H0qZ61FYX5n9D2QXxqbEnBnzwpjYL9yRfp/EQSAbsyAraONgJB3/6OPp3GyHDTYChr8PguY4j4pJthYfaRms7fPCm0Mlqtrjsf+OJeoep7vUvxofslXBQmsIhlArgQ5PN"
Az1 = "tSbFNJuL/h22spR48AI743bz2Kge8sEPyV+7qjr4iAljzcY5ttYwvovOQLHrFEej2ruXSzHm/A7rMXlsZ1pjW0EpsZdGCOX2UHkc/HIHOrvUXPGDibExxFYWvGlFxA+6q6p5Sjv16HVAiEJolo5rGFP91lPJPpxbHCz6afwhUTmNFt/644/8qZQl8pttmZ3bCXw9frH61tVo9a/3ZOiCJoTv7qFwj9r12RFkq+d+1APjXpyaamg="
Av4 = 0x00015180
Av5 = 0x00000002
Av2 = 0x01CA4EA1
Av3 = 0x591AF300
Av6 = 0x00000001
Av0 = 0x01CA4DDA
Av1 = 0x72FFDAA0
Az4 = "7SDUIc7NyUn+3v4U1kYCuFW1zbQUrrs91Uiwuz65qx9Nk5xk/cwysdaVeIiwR0SEi7WoDWq93ivkK298QjAhKyFXr6IFUaa1ckpl/G1LF6efcsqayrFNxHEr+lJFjx+OlIwiUDTQg25XinoX3slUXmrIkTzgIpdtHiHpU/MsOCmfU9i5+pXDu9UR7p420oCQL2ZlZuz7+v9Ij4/uVb22OrOI16VL4YzYmTMo758Gv1LTb4fFLiaNtaUpn

Other details

There were registered attempts to establish connection with the remote hosts. The connection details are:

Remote Host	Port Number
209.12.183.104	80
64.120.164.40	80
64.120.164.41	80
64.191.30.57	80
64.210.72.27	80
64.210.72.49	80
64.210.72.51	80
64.241.242.90	80
66.197.207.41	80
66.199.229.230	80

The following GET request was made:

/imp?Z=728x90&pop_nofreqcap=1&s=621191&_salt=3308053703&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0

The data identified by the following URLs was then requested from the remote web server:

http://feed.validclick.com/check.php?affid=30613
http://feed.validclick.com/implog.php?affid=30613
http://feed.validclick.com/result.php?key=tag-30613-1-20091015134838773894864402006&affID=30613&sid=6&id=LFPvAffVC1&sitehost=www.OnlineSavingsAccount.org
http://feed.validclick.com/result_redir.php?key=tag-30613-1-20091015134838773894864402006&affID=30613&sid=6&id=LFPvAffVC1&sitehost=www.OnlineSavingsAccount.org
http://maximclock.com/resolution.php
http://search-online-web.com/borders.php
http://inforavel.com/ad_type.php
http://js.worthathousandwords.com/IA.jsh?pid=5400.29&subid=clicker
http://static.suitesmart.com/cs/84863/tags/dfa.js?SIT=767479;PLA=37147627;CRE=31572269;ADI=215172560
http://content.yieldmanager.edgesuite.net/atoms/ce/f1/45/d5/cef145d5051dd565c5774a4911a445c4.gif
http://content.yieldmanager.edgesuite.net/atoms/e2/2b/f9/9c/e22bf99c9a3358836808ec30e1b7ad61.gif
http://content.yieldmanager.edgesuite.net/atoms/63/fe/5d/51/63fe5d51c20359649b58257c077a0b0e.jpg
http://content.yieldmanager.edgesuite.net/atoms/f1/92/61/c0/f19261c0f30f24ab7d70f93d37feb2fe.jpg
http://content.yieldmanager.com/ak/q.gif
http://content.yieldmanager.com/ak/q.gif?01AD=2-2-636D060255153C4137A4AE619C79C829B76F03032DB5B4399461D464502D6D50-E916CFAF60BCD141C68953B30A7A0FF98C91DA67A43EB5B58CFADBACA2912F23&01RI=CD8367737739245&01NA=na
http://content.yieldmanager.com/ak/q.gif?01AD=2-2-45BF680B99087315A804A0647AB30730E6E76D3230D890251627821200AA9652-B9463626537764D6842BB8D0B01D28224DBD7298B4A332F2804774B0A74E6F61&01RI=CDB97EA641E0207&01NA=
http://content.yieldmanager.edgesuite.net/atoms/cb/42/7e/9c/cb427e9c52932069c25593188e3e62a7.gif
http://content.yieldmanager.edgesuite.net/atoms/86/e3/90/c9/86e390c90880a8eb0a705e975baafa23.gif
http://solofilmworks.com/werber/2488e482570/217.gif
http://bolo-arts.com/report.php?data=v26MmjSySdemWGR07AUYFbNtPre/J4A4OtEMTid8fk4EXFSGikbVmTenB0qSdQXfhJic7Z4WeA==
http://disciplinearts.com/item/20001c0dd11a3470b480de7b144bf85dbe32fa2cb6675ef80648614216e4ef42ec044bc91c7e3cd0f/04581452477/titem.gif
http://cookex.amp.yahoo.com/v2/cexposer/SIG=13rn8evst/*http%3A//ad.yieldmanager.com/imp?Z=120x600&s=429563&_salt=1470508392&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://soloartsworld.com/perce/00c06c3dd17a94d084001eabc4bb48adce42ba1c16679eb8f6a8718246346f52fcc49bd94c3eacc04/c4780482c7a/qwerce.gif
http://iar.worthathousandwords.com/iar.gif?key=global&pid=5400.29&ia_subid=clicker
http://maps.google.com/maps?file=api&v=2&key=ABQIAAAAC6gTWC_esbtP6EbW_eqFphT0ky76OxGktJ4Hb5QiI-GWtWBhqRSkJNc0y7OXCV-eyOUmDS6-NPKErw
http://ad.yieldmanager.com/imp?Z=120x600&s=429563&_salt=1470508392&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=160x600&s=502898&_salt=3456182054&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=728x90&s=502898&_salt=2915627188&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.yieldmanager.com/max.gif
http://ad.yieldmanager.com/imp?Z=120x600&s=429563&_salt=1470508392&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0&SIG=10vspgbtf;x-cookie=2iez1pg5qrewi&o=4&f=oo
http://ad.adserverplus.com/st?ad_type=iframe&ad_size=160x600&section=604561
http://ad.adserverplus.com/imp?Z=160x600&s=604561&_salt=1453254522&B=10&u=http%3A%2F%2Fad.adserverplus.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=160x600&s=604561&_salt=1453254522&B=10&u=http%3A%2F%2Fad.adserverplus.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=300x250&s=502905&_salt=1549715630&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=120x600&s=681706&_salt=3901269416&B=10&u=http%3A%2F%2Fwww.berkshireeagle.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=120x600&s=639283&_salt=1177189052&B=10&u=http%3A%2F%2Fad.media-servers.net%2F&r=0
http://ad.yieldmanager.com/imp?Z=120x600&s=429300&_salt=2924060066&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=160x600&s=681706&_salt=2710357925&B=10&u=http%3A%2F%2Fwww.berkshireeagle.com%2F&r=0
http://ad.yieldmanager.com/imp?Z=300x250&s=601669&_salt=197415433&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0
http://ad.harrenmedianetwork.com/imp?Z=120x600&s=429563&_salt=1470508392&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=160x600&section=502898
http://ad.harrenmedianetwork.com/imp?Z=160x600&s=502898&_salt=3456182054&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=728x90&section=502898
http://ad.harrenmedianetwork.com/imp?Z=728x90&s=502898&_salt=2915627188&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=300x250&section=502905
http://ad.harrenmedianetwork.com/imp?Z=300x250&s=502905&_salt=1549715630&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=728x90&section=621191&pop_nofreqcap=1
http://ad.harrenmedianetwork.com/imp?Z=728x90&pop_nofreqcap=1&s=621191&_salt=3308053703&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=728x90&section=429063
http://ad.harrenmedianetwork.com/imp?Z=728x90&s=429063&_salt=267144311&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=468x60&section=621193
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=120x600&section=429300
http://ad.harrenmedianetwork.com/imp?Z=120x600&s=429300&_salt=2924060066&B=10&u=http%3A%2F%2Fad.harrenmedianetwork.com%2F&r=0
http://ad.scanmedios.com/st?ad_type=iframe&ad_size=300x250&section=601669
http://ad.scanmedios.com/imp?Z=300x250&s=601669&_salt=197415433&B=10&u=http%3A%2F%2Fad.scanmedios.com%2F&r=0
http://ad.harrenmedianetwork.com/st?ad_type=iframe&ad_size=120x600&section=429563
http://www.findbanks.org/Local
http://www.findbanks.org/local/
http://www.findbanks.org/includes/ajax.js
http://www.findbanks.org/includes/getResults.js
http://www.findbanks.org/images/head_bg.jpg
http://www.findbanks.org/images/head_logo.jpg
http://www.findbanks.org/includes/getContent.php?keywords=Internet%2BBank%2BAccounts&results=2&showHeading=&affid=30613&layout=head&tracking=off&rndval=1255639452090
http://www.findbanks.org/includes/getContent.php?keywords=High%2BSavings%2BRates&results=3&showHeading=1&affid=30613&layout=n&tracking=on&rndval=1255639452278
http://www.findbanks.org/includes/getContent.php?keywords=Money%2BMarket%2BAccounts&results=3&showHeading=1&affid=30613&layout=n&tracking=on&rndval=1255639452262
http://www.findbanks.org/includes/getContent.php?keywords=Best%2BCD%2BRates&results=3&showHeading=1&affid=30613&layout=n&tracking=on&rndval=1255639452278
http://www.findbanks.org/includes/getContent.php?keywords=Internet%2BBank%2BAccounts&results=1&showHeading=1&affid=30613&layout=n&tracking=on&rndval=1255639452278
http://www.findbanks.org/includes/getContent.php?keywords=Online%2BSavings%2BAccounts&results=3&showHeading=1&affid=30613&layout=n&tracking=on&rndval=1255639452294
http://www.findbanks.org/images/blank.jpg
http://imagexw.cn/1/

Outbound traffic (potentially malicious)

There was an outbound traffic produced on port 80:

All content ("Information") contained in this report is the copyrighted work of Threat Expert Ltd and its associated companies ("ThreatExpert") and may not be copied without the express permission of ThreatExpert.

The Information is provided on an "as is" basis. ThreatExpert disclaims all warranties, whether express or implied, to the maximum extent permitted by law, including the implied warranties that the Information is merchantable, of satisfactory quality, accurate, fit for a particular purpose or need, or non-infringing, unless such implied warranties are legally incapable of exclusion. Further, ThreatExpert does not warrant or make any representations regarding the use or the results of the use of the Information in terms of their correctness, accuracy, reliability, or otherwise.