Technical Information
Modifies file system
Creates the following files
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\metadata\f0accf77cdcbff39f6191887f6d2d357
- %WINDIR%\serviceprofiles\networkservice\appdata\locallow\microsoft\cryptneturlcache\content\f0accf77cdcbff39f6191887f6d2d357
Network activity
TCP
HTTP GET requests
- http://ro##log.com/include/rozblog_ads_js.php?si########
- http://up##ty.ir/images2/18222391121262911536.jpg
- http://www.up###dax.com/?f
- http://ro##log.com/temp/skinak/zigil/images/date.png
- http://ro##log.com/temp/skinak/zigil/images/social.png
- http://up.##love.ir/up/mamadzar/Pictures/menu/ghalbe-man-love.jpg
- http://up.##love.ir/up/mamadzar/img/alone_butterflies_girl_Favim_com_188909.jpg
- http://pc##rsi.com/uploaded/pca1646fcd67095779360f4e3690fea0e1_country_house_11.jpg
- http://pc##rsi.com/uploaded/pccc9012359e00b53a895eeca653774aea_country_house_01.jpg
- http://ro##log.com/temp/skinak/zigil/images/ballon2.png
- http://ro##log.com/temp/skinak/zigil/images/ballon3.png
- http://ro##log.com/temp/skinak/zigil/images/list_bullet.png
- http://ro##log.com/temp/skinak/zigil/images/more_bull.png
- http://pc##rsi.com/uploaded/pcd6887b341761e537af747a6492cb95f0_country_house_06.jpg
- http://pc##rsi.com/uploaded/pc76fa05f8fb30725d902262761fc5a354_country_house_03.jpg
- http://ro##log.com/temp/skinak/zigil/images/categories.png
- http://ro##log.com/temp/skinak/zigil/images/post.png
- http://up.##love.ir/up/mamadzar/Pictures/Fall%20in%20love.jpg
- http://up.##love.ir/up/mamadzar/Pictures/Feeling-agitated.jpg
- http://1a##ar.ir/abzar/tools/support/1abzar.php?ad################
- http://en####.webgozar.ir/counter/xstat.aspx?t=##################################################################################################################################################...
- http://www.we###zar.com/counter/pic/stat6.gif
- http://ro##log.com/temp/skinak/zigil/images/post_date.png
- http://ro##log.com/temp/skinak/zigil/images/post_view.png
- http://1a##ar.ir/statx.htm
- http://ro##log.com/temp/skinak/zigil/images/1433.png
- http://ro##log.com/temp/skinak/zigil/images/overlay2.png
- http://ro##log.com/temp/skinak/zigil/images/home.png
- http://ro##log.com/temp/skinak/zigil/images/ballon1.png
- http://ro##log.com/temp/skinak/zigil/images/box_top.png
- http://up.####e.kangavaria.ir/s2/021545454.jpg
- http://ro##log.com/temp/skinak/zigil/images/c.png
- http://up.##love.ir/up/mamadzar/Pictures/menu/bizaram-98love.jpg
- http://ro##log.com/temp/skinak/all/icon_servertime.png
- http://ro##log.com/temp/skinak/zigil/style1.css
- http://og####oos1.rzb.ir/js/site.js
- http://ro##log.com/temp/skinak/all/skinak_ajax.css
- http://ro##log.com/temp/skinak/all/skinak_ajax.js
- http://ad#.rzb.ir/admin/banners/333260.gif
- http://ro##log.com/temp/skinak/zigil/images/bg.jpg
- http://og####oos1.rzb.ir/user/oghyanoos1.jpg
- http://ro##log.com/temp/skinak/zigil/fonts/yekan.eot?
- http://ro##log.com/temp/skinak/zigil/images/top_menu_sep.jpg
- http://www.pc##rsi.com/uploaded/pccc9012359e00b53a895eeca653774aea_country_house_01.jpg
- http://www.pc##rsi.com/uploaded/pca1646fcd67095779360f4e3690fea0e1_country_house_11.jpg
- http://dl.###icserver.in/hossein2/94/5/26/Morteza%20Pashaei%20-%20Esmesh%20Eshghe.jpg
- http://ro##log.com/images/refresh.gif
- http://s4.##cofile.com/file/7859404080/zwemrgn0syvwrnj8r68l.gif
- http://up.###ghdooni.ir/up/eshghdooni/eshghdooni/picture/ein_saitidart_saz.png
- http://up.##love.ir/up/mamadzar/Pictures/menu/Cleaning.jpg
- http://up.##love.ir/up/mamadzar/Pictures/eshqet-98love.jpg
- http://up.####e.kangavaria.ir/s2/0397946144.jpg
- http://up.###gavaria.ir/94/s5/579757204.jpg
- http://up.####e.kangavaria.ir/10/10-04-678970.jpg
- http://www.pc##rsi.com/uploaded/pc76fa05f8fb30725d902262761fc5a354_country_house_03.jpg
- http://www.pc##rsi.com/uploaded/pcd6887b341761e537af747a6492cb95f0_country_house_06.jpg
- http://ro##log.com/temp/skinak/all/easymoblog.png
- http://ag##iya.com/wp-content/uploads/2015/11/heaven__s_postman_by_bluemoon214-agagiya-735x400.jpg
- http://dl.##p-music.ir/images/1393/Ordibehesht/Morteza%20Pashaei.jpg
- http://ro##log.com/temp/skinak/all/li.gif
- http://www.up###dax.com/images/16308122733186292192.gif
- http://www.we##ozar.ir/c.aspx?Co####################
- http://ro##log.com/temp/skinak/all/stats.gif
- http://up.##love.ir/up/mamadzar/Pictures/menu/aghoshat.jpg
- http://www.microsoft.com/pki/certs/MicRooCerAut_2010-06-23.crt
UDP
- DNS ASK ro##log.com
- DNS ASK 1a##ar.ir
- DNS ASK en####.webgozar.ir
- DNS ASK up##ty.ir
- DNS ASK we##ozar.ir
- DNS ASK up###dax.com
- DNS ASK dl.###icserver.in
- DNS ASK dl.##p-music.ir
- DNS ASK we###zar.com
- DNS ASK pc##rsi.com
- DNS ASK up.###gavaria.ir
- DNS ASK up.####e.kangavaria.ir
- DNS ASK s4.##cofile.com
- DNS ASK up.###ghdooni.ir
- DNS ASK up.##love.ir
- DNS ASK ad#.rzb.ir
- DNS ASK og####oos1.rzb.ir
- DNS ASK ag##iya.com
- DNS ASK go#####agmanager.com
Miscellaneous
Searches for the following windows
- ClassName: 'MS_AutodialMonitor' WindowName: ''
- ClassName: 'MS_WebCheckMonitor' WindowName: ''
